Traditional business impact analyses (BIAs) have been used successfully
for business continuity and disaster recovery (BC/DR) to triage the recovery of
damaged infrastructure, with priorities based primarily on the duration and
cost of system outages (i.e., a compromise of availability). However, a BIA
can readily be expanded to consider other kinds of cyber-risk compromise, such as
loss of confidentiality or integrity, and their remedies.
This initial public draft of NIST IR 8286D, Using Business Impact Analysis to
Inform Risk Prioritization and Response, extends the BIA with comprehensive asset
confidentiality and integrity impact analyses so that asset risk can be
accurately identified and managed as it propagates from system to organization
and from organization to enterprise, which in turn better informs enterprise risk
management (ERM) deliberations. The document adds expanded BIA protocols that
inform risk prioritization and response by quantifying the organizational impact
and enterprise-level consequences of compromised IT assets.
The public comment period for this draft is open through July 18,
2022. See the publication
details for a copy of the draft and instructions for submitting
comments.
NOTE: A call for patent claims is included on page iii of this
draft. For additional information, see Information Technology Laboratory (ITL) Patent Policy–Inclusion
of Patents in ITL Publications.