IT disaster recovery, cloud computing and information security news

New guidance from NIST: Using Business Impact Analysis to Inform Risk Prioritization and Response

Details

The US NIST has developed new guidance on how to use the business impact analysis process to consider outages related to cyber risks and issues attributable to confidentiality and integrity.

NIST Interagency Report (IR) 8286D, ‘Using Business Impact Analysis to Inform Risk Prioritization and Response’ is the fifth publication in the NIST IR 8286 document series, ‘Integrating Cybersecurity and Enterprise Risk Management', which discusses the identification and management of risk as it propagates from system to organization and from organization to enterprise, which in turn better informs enterprise risk management deliberations.

Using Business Impact Analysis to Inform Risk Prioritization and Response expands typical BIA discussions to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT assets.

Abstract (verbatim):

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong). The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.

More details.


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

Root Cause Analysis
The Business Continuity Business Case

Additional Resources

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.