NIST IR 8286D (Initial Public Draft)

Using Business Impact Analysis to Inform Risk Prioritization and Response

Date Published: June 9, 2022
Comments Due: July 18, 2022 (public comment period is CLOSED)
Email Questions to: nistir8286@nist.gov

Author(s)

Stephen Quinn (NIST), Nahla Ivy (NIST), Matthew Barrett (CyberESI Consulting Group), Larry Feldman (Huntington Ingalls Industries), Daniel Topper (Huntington Ingalls Industries), Gregory Witte (Huntington Ingalls Industries), Robert Gardner (New World Technology Partners)

Announcement

Traditional business impact analyses (BIAs) have been used successfully for business continuity and disaster recovery (BC/DR) to triage infrastructure recovery actions, primarily on the basis of the duration and cost of system outages (i.e., availability compromise). However, a BIA can easily be expanded to consider other cyber-risk compromises and their remedies.

This initial public draft of NIST IR 8286D provides comprehensive asset confidentiality and integrity impact analyses so that asset risk propagation can be accurately identified and managed from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. The document adds expanded BIA protocols that inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT assets.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy: Inclusion of Patents in ITL Publications.

Abstract

Keywords

Business Impact Analysis; Cybersecurity Risk Management; Cybersecurity Risk Register; Enterprise Risk Management; Information and Communications Technology

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.IR.8286D.ipd

Supplemental Material:
See NISTIR 8286 Supplemental Material

Other Parts of this Publication:
IR 8286
IR 8286A
IR 8286B
IR 8286C

Document History:
06/09/22: IR 8286D (Draft)
11/17/22: IR 8286D (Final)