New US government guidance on cyber risk


I was surprised and pleased, surprised and flattered, and then disappointed by a new publication by NIST (the US Department of Commerce’s National Institute of Standards and Technology).

NIST published NISTIR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response this month.

I have been saying that in order to understand how a cyber breach might affect the business, a business impact analysis (such as contingency planners have been using for decades) should be performed. The analysis should be a joint effort between operating management (who understand the business) and the technical teams (who understand how a breach might happen).

I was surprised and pleased that NIST decided to respond with this new guidance, even to the extent of using some of my language.

The Abstract says:

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).

While I noticed that NIST…
