Thu. Mar 28th, 2024

Content Assessment: Managing Enterprise Risk? Using Business Impact Analysis to Inform Risk Prioritization and Response (NIST)

Information - 92%
Insight - 91%
Relevance - 93%
Objectivity - 94%
Authority - 93%

93%

Excellent

A short percentage-based assessment of the qualitative benefit of the new paper from NIST on the use of business impact analysis to inform risk prioritization and response.

Editor’s Note: NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce that focuses on promoting innovation and industrial competitiveness. NIST develops and maintains technical standards and guidelines that help ensure the security, interoperability, and reliability of information systems and technologies. NIST is important to cybersecurity, information governance, and legal discovery professionals because its standards and guidelines provide a common framework for organizations to follow in order to protect their information systems and data from threats. This includes standards for cybersecurity, data privacy, and information governance, as well as guidelines for managing electronic records and conducting legal discovery. The recently published NIST Interagency Report, Using Business Impact Analysis to Inform Risk Prioritization and Response, explores and presents considerations for using business impact analysis (BIA) to develop a broad understanding of the potential impact of any type of loss on the mission of an enterprise. The report may be beneficial for cybersecurity, information governance, and legal discovery professionals seeking to better understand how Cybersecurity Risk Management (CSRM) and Enterprise Risk Management (ERM) can be integrated through the construct of a BIA process.


NIST Interagency Report*

Using Business Impact Analysis to Inform Risk Prioritization and Response

By Stephen Quinn, Nahla Ivy, Julie Chua, Matthew Barrett, Larry Feldman, Daniel Topper, Greg Witte, R. K. Gardner

Abstract

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong). The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.

Read the original announcement.

Audience

The primary audience for this publication includes public- and private-sector cybersecurity professionals at all levels who understand cybersecurity but may be unfamiliar with the details of enterprise risk management (ERM). The secondary audience includes both federal and non-Federal Government corporate officers, high-level executives, ERM officers and staff members, and others who understand ERM but may be unfamiliar with the details of cybersecurity. All readers are expected to gain an improved understanding of how CSRM and ERM complement and relate to each other, as well as the benefits of integrating their use.

Introduction (Extract)

Risk is measured, at least in part, in terms of impact on the enterprise mission and the likelihood of events, so it is vital to understand the various information and communications technology (ICT) assets whose functions enable that mission, as well as any potential uncertainties that jeopardize those assets. Each asset has a value to the enterprise. For government enterprises, many of those ICT assets are key components for supporting critical services provided to citizens. For corporations, ICT assets directly influence enterprise capital and valuation, and ICT risks can directly impact the balance sheet or budget. For each type of enterprise, it can be challenging to determine what conditions will truly impact the mission. Today’s government agencies continue to provide critical services, yet they must also adhere to priority directives from senior leaders. In the commercial world, mission priority is often driven by long-term goals as well as impacts on the next quarter’s earnings call. Therefore, it is important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.

The NIST Interagency Report (IR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. The series of publications demonstrates how to better integrate cybersecurity with ERM. The series helps entities effectively quantify, finance, and drive their cybersecurity programs commensurate with enterprise risk exposure, as well as shareholder and stakeholder value. It highlights the need for ongoing bidirectional communication between ERM and risk programs, recognizing that risk disciplines both inform and receive direction from ERM. Specifically, the communication of risk appetite statements from the ERM portfolio is a way for risk programs to better identify and monitor risks using a variety of related methods, such as risk tolerance statements, key performance indicators, key risk indicators, and controls. The NIST IR 8286 series also formalizes the use of risk registers to communicate risks and risk responses between program and portfolio levels. It highlights industry best practices for coordination by elevating risks within an organization for oversight and escalating risks within an organization for higher-level ownership.


Read the Complete Report: NIST Interagency Report – Using Business Impact Analysis to Inform Risk Prioritization and Response (PDF)

Read the original publication.


*Shared with permission.

Reference: Quinn, S., Ivy, N., Chua, J., Barrett, M., Witte, G., Feldman, L., Topper, D. and Gardner, R. (2022), Using Business Impact Analysis to Inform Risk Prioritization and Response, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8286D, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935699 (Accessed December 6, 2022)



Source: ComplexDiscovery
