Business impact analyses (BIAs) have traditionally been used for
business continuity and disaster recovery (BC/DR) planning to understand the
potential impacts of outages that compromise IT infrastructure. However, a BIA
can readily be expanded to consider cyber risks, including impacts attributable
to the loss of confidentiality and integrity rather than only the loss of availability.
NIST Interagency Report (IR) 8286D, Using Business
Impact Analysis to Inform Risk Prioritization and Response,
goes beyond availability to also include confidentiality and integrity impact
analyses. This fifth publication in the NIST IR 8286 document series, Integrating Cybersecurity and
Enterprise Risk Management, discusses the identification and
management of risk as it propagates from system to organization and from
organization to enterprise, which in turn better informs Enterprise Risk
Management deliberations. NIST IR 8286D expands the typical BIA discussion to
inform risk prioritization and response by quantifying the organizational
impact and enterprise consequences of compromised IT assets.
NIST IR 8286D pairs with several other reports:
- NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – the foundational document that describes the high-level processes
- NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management – describes risk identification and analysis
- NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management – describes methods for applying enterprise objectives to prioritize the identified risks and, subsequently, to select and apply the appropriate responses
- NIST IR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight – describes how information recorded in cybersecurity risk registers (CSRRs) may be integrated into a holistic approach to ensuring that risks to information and technology are properly considered in the enterprise risk portfolio
The NIST IR 8286 series enables risk practitioners to integrate
cybersecurity risk management (CSRM) activities more fully into the broader enterprise risk processes. Because
information and technology comprise some of the enterprise’s most valuable
resources, it is vital that directors and senior leaders have a clear understanding
of cybersecurity risk posture at all times. It is similarly vital that those
identifying, assessing, and treating cybersecurity risk understand enterprise
strategic objectives when making risk decisions.
The authors of the NIST IR 8286 series hope that these
publications will spark further industry discussion. As NIST continues to
develop frameworks and guidance to support the application and integration of
information and technology, many of the series’ concepts will be considered for
inclusion.