Congratulations to NIST for recognizing that what matters is not risk to information assets, but risk to enterprise objectives. Or so it might seem at first glance when you read their draft Using Business Impact Analysis to Inform Risk Prioritization and Response.
But first, I want to thank and congratulate Matt Kelly, editor of Radical Compliance, for his summary of the NIST draft. (I recommend subscribing to his newsletter.)
A well-run business impact analysis (BIA) that involves multiple parties from the business as well as IT is absolutely essential.
In fact, a BIA should be mandatory and not just recommended. It helps management understand how a cyber event or other disaster might affect the business.
My only quibble with Matt’s analysis is that it is management’s responsibility to perform a BIA and then maintain it, and internal audit’s responsibility to ensure management has done so.
However, I have many quibbles, in some cases severe criticisms, of NIST.
But first, I want to share my experience with BIAs.
As a vice president in IT for a couple of financial institutions (and occasional acting CIO), my team was responsible not only for information security but also for both IT contingency planning and business resumption planning.
Data services can be lost or degraded as the result of multiple…
