Business impact analyses (BIAs) have traditionally been used for business continuity and disaster recovery (BC/DR) planning to understand the potential impacts of outages that compromise IT infrastructure. However, BIAs can easily be expanded to consider outages related to cyber risks and issues attributable to confidentiality and integrity.
NIST Interagency Report (IR) 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response, goes beyond availability to also include confidentiality and integrity impact analyses. This fifth publication in the NIST IR 8286 document series, Integrating Cybersecurity and Enterprise Risk Management, discusses the identification and management of risk as it propagates from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. NIST IR 8286D expands typical BIA discussions to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT assets.
NIST IR 8286D pairs with several other reports:
The NIST IR 8286 series enables risk practitioners to integrate cybersecurity risk management (CSRM) activities more fully into the broader enterprise risk processes. Because information and technology comprise some of the enterprise’s most valuable resources, it is vital that directors and senior leaders have a clear understanding of the cybersecurity risk posture at all times. It is similarly vital that those identifying, assessing, and treating cybersecurity risk understand enterprise strategic objectives when making risk decisions.
The authors of the NIST IR 8286 series hope that these publications will spark further industry discussion. As NIST continues to develop frameworks and guidance to support the application and integration of information and technology, many of the series’ concepts will be considered for inclusion.