NIST Pushes More Use of Impact Analysis

NIST, everyone’s favorite publisher of cybersecurity standards, is asking for public comment on another good idea: how to use business impact analysis to guide your risk prioritization and response efforts. 

Performing a business impact analysis (BIA) is already an important element of business continuity and disaster recovery planning. True, most cybersecurity and data privacy frameworks don’t expressly require a BIA (the ISO 22301 standard for business continuity is one notable exception) — but they’re still seen as implied necessity. You can’t develop a disaster response plan without knowing how a disaster might affect business operations, and a BIA provides that insight.

Now NIST is circulating a draft piece of guidance that would expand the use of BIAs to help with other elements of cybersecurity risk management. Specifically, the guidance would help companies use BIAs to understand all the consequences of compromised IT assets, not just consequences related to business continuity; and then use that knowledge to improve their risk management and disaster response programs.

I know, the subject might sound esoteric, but it’s more important than it first seems. Take the SEC’s plans for expanded cybersecurity disclosure requirements as an example. If the SEC proceeds as expected, companies will need to disclose “material cybersecurity incidents” within four days of deciding that the incident was indeed material. 

Well, how would one make such a determination? And how would you make those determinations at scale, since modern corporations suffer cybersecurity incidents all the time? By having a disciplined, rigorous process that can illuminate what financial, compliance, and operational consequences come after an attack… which is what a BIA does.

The people most interested in this possible expansion of BIAs will be CISOs, IT auditors, and risk managers, and probably some curious supply chain and audit professionals, too. Compliance and data privacy professionals, however, should also keep one eye on this idea; since ultimately it could affect how you perform risk assessments and demonstrate compliance with HIPAA, GDPR, and various other cybersecurity or privacy regulations.

NIST unveiled its draft guidance last week. Public comments are due by July 18.

Why Is NIST Doing This?

We’re doing this, NIST says, because cybersecurity attacks have become more sophisticated, and the potential consequences for a business have therefore become more diverse. For example, a ransomware attack might lock you out of crucial systems, which threatens continuity; but the attacker might also threaten to post the hijacked data to the web, which threatens confidentiality.

A company will need to guard against both threats from that single attack. That’s certainly possible, but you would need a keen understanding of both the operational threat (getting locked out of key systems) and the compliance threat (seeing your confidential data shotgunned onto the Internet) that are afoot here. So you would want to perform a BIA of both. 

Or, as NIST phrases things in its typically abstruse fashion:

Enterprise stakeholders can also use the BIA process to identify enterprise resources that use critical information types. In addition to internal reasons for protecting critical and sensitive information, enterprises may also need to categorize assets for mandatory external compliance. Many regulations and contractual requirements stipulate that certain critical and sensitive information must be protected, so the BIA determination helps to understand where those mandates apply.

At this point, you might be asking the perfectly reasonable question, “Ummm, aren’t audit and compliance teams already using BIAs to assess compliance risk?” 

The best answer at the moment is kinda sorta. Most audit and compliance teams do grasp the concept that to take a risk-based approach to cybersecurity, you need to understand what impact various types of attacks would have. They’re just shaky on performing BIAs in a rigorous, comprehensive manner, since you need to bring together several different parts of the enterprise — legal, security, compliance, operating units — to get a useful result.

To overcome that challenge, NIST says, organizations should adopt that rigorous, comprehensive approach we mentioned above. Again, straight from NIST’s tortured prose:

To gain the enterprise benefits of BIAs for consistent prioritization and risk assessment, there must be a consistent application of the processes and forms used. When impact analysis is performed in a structured and repeatable manner, the impact assertions and resulting decisions are more reliable… As with many elements of risk management, it is usually more important to be consistent than to be exactly precise in analytic results.

That last sentence (the only one you don’t need a degree in semiotics to understand) is worth repeating. It is usually more important to be consistent than to be exactly precise in analytic results.

That is especially true in today’s environment, where both cybersecurity risks and compliance obligations are changing all the time. Your risk management system doesn’t need to be perfect. It does need to be pretty good and pretty fast. 

How Business Impact Analysis Works

The rest of the NIST guidance is more a deep dive into how a business impact analysis should happen. We don’t need to take that deep dive ourselves here and now. The important points are as follows. 

First, as always, senior management needs to define what the organization’s mission actually is: the most important business objectives, including financial and compliance goals. Then a somewhat larger group of executives need to ask, “What IT assets are necessary to accomplish the mission?” 

Source: NIST

Then you keep broadening the lens. Engage in a rigorous process (perhaps with yet more executives from further down the org chart) to ask: what could happen when those assets are jeopardized? Those are your risks. NIST calls them “Level 3 activities” in a business impact analysis,  and they should be added to a cybersecurity risk register. See nifty NIST chart, at right. 

You get the idea. BIAs can be expanded beyond tools to measure threats against availability, to include threats against data integrity and confidentiality as well. But success will hinge on performing BIAs in a systematic way, rather than reinventing the process every time a security incident happens. 

Leave a Comment

You must be logged in to post a comment.