NIST Releases IR 8286D: Using Business Impact Analysis to Inform Risk Prioritization and Response

 Business impact analyses (BIAs) have been traditionally used for
business continuity and disaster recovery (BC/DR) planning to understand the
potential impacts of outages that compromise IT infrastructure. However, BIA
analyses can be easily expanded to consider outages related to cyber risks and
issues attributable to confidentiality and integrity.

NIST Interagency Report (IR) 8286D, Using Business
Impact Analysis to Inform Risk Prioritization and Response
goes beyond availability to also include confidentiality and integrity impact
analyses. This fifth publication in the NIST IR 8286 document series, Integrating Cybersecurity and
Enterprise Risk Management
, discusses the identification and
management of risk as it propagates from system to organization and from
organization to enterprise, which in turn better informs Enterprise Risk
Management deliberations. NIST IR 8286D expands typical BIA discussions to
inform risk prioritization and response by quantifying the organizational
impact and enterprise consequences of compromised IT Assets.

NIST IR 8286D pairs with several other reports:

The NIST IR 8286 series enables risk practitioners to integrate
CSRM activities more fully into the broader enterprise risk processes. Because
information and technology comprise some of the enterprise’s most valuable
resources, it is vital that directors and senior leaders have a clear understanding
of cybersecurity risk posture at all times. It is similarly vital that those
identifying, assessing, and treating cybersecurity risk understand enterprise
strategic objectives when making risk decisions.

The authors of the NIST IR 8286 series hope that these
publications will spark further industry discussion. As NIST continues to
develop frameworks and guidance to support the application and integration of
information and technology, many of the series’ concepts will be considered for