National Institute of Standards and Technology releases Using Business Impact Analysis to Inform Risk Prioritization and Response

June 11, 2022

The National Institute of Standards and Technology (“NIST”) has released the initial public draft of Using Business Impact Analysis to Inform Risk Prioritization and Response (NIST IR 8286D).

The NIST states:

Traditional business impact analyses (BIAs) have been successfully used for business continuity and disaster recovery (BC/DR) by triaging damaged infrastructure recovery actions that are primarily based on the duration and cost of system outages (i.e., availability compromise). However, BIA analyses can be easily expanded to consider other cyber-risk compromises and remedies.

This initial public draft of NIST IR 8286D provides comprehensive asset confidentiality and integrity impact analyses to accurately identify and manage asset risk propagation from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. This document adds expanded BIA protocols to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.

Some of the interesting issues raised in the draft:

  • Risk is measured in terms of impact on enterprise mission, so it is vital to understand the various information and technology (IT) assets whose functions enable that mission.
  • For corporations, IT assets have a direct influence on enterprise capital and valuation, and IT risks can have a direct impact on the balance sheet or budget.
  • It is both vital and challenging to determine the conditions that will truly impact a mission.
  • It is highly important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.
  • The Business Impact Analysis (BIA) examines the potential impact associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets and stores the results in the BIA
  • An asset criticality or resource dependency assessment identifies and prioritizes the information assets that support the enterprise’s critical missions.
  • Assessments of asset sensitivity identify and prioritize information assets that store, process, or transmit information that must not be modified or disclosed to unauthorized
  • In the cybersecurity realm, BIA serves as a nexus for understanding risk, and it provides a basis for risk appetite and tolerance values as part of the enterprise risk
  • Expanding use of the BIA to include confidentiality and integrity considerations supports comprehensive risk analysis.
  • Basing asset valuation on enterprise impact helps to better align risk decisions to enterprise risk. CSRM/ERM integration helps to complete the risk analysis.
  • The BIA process enables system owners to record the benefits provided by an asset by considering the contribution to the enterprise, particularly in terms of mission, finance, and reputational. Informed about how each asset supports enterprise value, system owners can then work with risk managers to determine the implications of uncertainty on those
  • It is more critical than ever to have centralized and reliable asset information recorded in the BIA Register, since enterprises increasingly rely on various types of information and communications technology (ICT) resources, which are increasingly targeted
  • The BIA process provides information that can be consistently recorded in a centralized registry of important asset management information. This information is valuable for protecting the asset, detecting cyber events, responding quickly to potential issues, and recovering services.
  • Public- and private-sector enterprises must maintain a continual understanding of potential business impacts, the risk conditions that might lead to those impacts, and the steps being taken.
  • Use of the BIA methodology to categorize the criticality and sensitivity of enterprise assets enables effective risk management and the subsequent integration of reporting and monitoring at the enterprise level to ensure that risk and resource utilization are optimized in light of the value of those assets.
