Date Published: June 9, 2022
Comments Due:
Email Questions to:
Author(s)
Stephen Quinn (NIST), Nahla Ivy (NIST), Matthew Barrett (CyberESI Consulting Group), Larry Feldman (Huntington Ingalls Industries), Daniel Topper (Huntington Ingalls Industries), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)
Announcement
Traditional business impact analyses (BIAs) have been successfully used for business continuity and disaster recovery (BC/DR) by triaging damaged infrastructure recovery actions that are primarily based on the duration and cost of system outages (i.e., availability compromise). However, BIA analyses can be easily expanded to consider other cyber-risk compromises and remedies.
This initial public draft of NIST IR 8286D provides comprehensive asset confidentiality and integrity impact analyses to accurately identify and manage asset risk propagation from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. This document adds expanded BIA protocols to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide broad understanding of the potential impacts to the enterprise mission from any type of loss. The management of enterprise risk requires a comprehensive understanding of the mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).
The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and to evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for ERM/CSRM process, as described in the NISTIR 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.
While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide broad understanding of the potential impacts to the enterprise mission from any type of loss. The management of enterprise risk...
See full abstract
While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide broad understanding of the potential impacts to the enterprise mission from any type of loss. The management of enterprise risk requires a comprehensive understanding of the mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).
The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and to evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for ERM/CSRM process, as described in the NISTIR 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.
Hide full abstract
Keywords
Business Impact Analysis; Cybersecurity Risk Management; Cybersecurity Risk Register; Enterprise Risk Management; Information and Communications Technology
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
