Business impact analyses (BIAs) have been traditionally used for business continuity and disaster recovery (BC/DR) planning to understand the potential impacts of outages that compromise IT infrastructure. However, BIA analyses can be easily expanded to consider outages related to cyber risks and issues attributable to confidentiality and integrity.
NIST Interagency Report (IR) 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response, goes beyond availability to also include confidentiality and integrity impact analyses. This fifth publication in the NIST IR 8286 document series, Integrating Cybersecurity and Enterprise Risk Management, discusses the identification and management of risk as it propagates from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. NIST IR 8286D expands typical BIA discussions to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.
NIST IR 8286D pairs with several other reports:
- NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – foundational document that describes high-level processes
- NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management – describes risk identification and analysis
- NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management – describes methods for applying enterprise objectives to prioritize the identified risks and, subsequently, to select and apply the appropriate responses
- NIST IR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight – describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio.
The NIST IR 8286 series enables risk practitioners to integrate CSRM activities more fully into the broader enterprise risk processes. Because information and technology comprise some of the enterprise’s most valuable resources, it is vital that directors and senior leaders have a clear understanding of cybersecurity risk posture at all times. It is similarly vital that those identifying, assessing, and treating cybersecurity risk understand enterprise strategic objectives when making risk decisions.
The authors of the NIST IR 8286 series hope that these publications will spark further industry discussion. As NIST continues to develop frameworks and guidance to support the application and integration of information and technology, many of the series’ concepts will be considered for inclusion.
