Modern Business Impact Analysis must address confidentiality, integrity, and availability of mission-essential assets

The National Institute of Standards and Technology (NIST) published NIST 8286 (Integrating Cybersecurity and Enterprise Risk Management (ERM)) in October 2020, which focused on cybersecurity risk. The standard explains that “risk managers may also leverage a Business Impact Analysis (BIA) template that can be used to consistently evaluate, record, and monitor the criticality and sensitivity of enterprise assets.” NIST 8286A - Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management - published in November 2021, went on to state that “a BIA can help document many aspects of the value of an asset …” and “assets are not limited to technology; they include … critical data, intellectual property, …”. NIST further expanded on this concept in November 2022 with NIST 8286D - Using Business Impact Analysis to Inform Risk Prioritization and Response.
Several members of the BCI USA Chapter gathered to discuss 8286D and what it means to our work as BC professionals. This paper focuses on the results of that collaborative discussion, which the contributors hope provides further insight and actionable good practice.
Mission-Essential
BIA has long focused on prioritising business activities and dependent resources in order to identify business continuity priorities and requirements. Prioritisation seeks to define the extent of business activity disruption from financial, legal, reputational, and other impact-type perspectives. The assets, or resources, that business activities rely upon are in turn prioritised based on their relevance to each activity, especially for those activities with high impact scores. In the early days of BIAs, resource focus was on application systems. As a discipline, however, we have expanded our perspective to include other resources, such as workplace, non-commodity equipment, workforce, and third-party services.
Now that we are in the era of increasingly complex cyberattacks and maliciously compromised data, organizations are being faced with situations that are “beyond tolerable periods of disruption”. This is particularly the case when mission-essential business activities (i.e., the business activities that keep the lights on) suddenly halt. This challenge has brought further attention to the value that business continuity brings to a comprehensive enterprise risk management (ERM) programme.
Confidentiality, Integrity, and Availability
Building on the principle that BIAs have traditionally included a focus on resource availability, NIST 8286D states: “expanding use of the BIA to include confidentiality and integrity considerations supports comprehensive risk analysis.” So, in simple terms, this means that BIAs need to address confidentiality and integrity as appropriate to the resource types being identified and prioritised in a BIA. Conceivably, a resource with low availability requirements could sit at the top of the confidentiality or integrity priority list.
Meanwhile, NIST 8286A states: “a BIA can help document many aspects of the value of an asset …”
- “Would a lack of availability of the asset interrupt the enterprise’s ability to fulfill its mission or result in costly downtime?”
- “Would the lack of confidentiality, integrity, or availability of the asset undermine public or consumer confidence or trust in the enterprise?”
In essence, the NIST 8286 series is bringing attention to understanding which activities and resources drive the mission of the organization, and which resources would threaten that mission if their confidentiality, integrity, or availability were compromised.
Additional key concepts from NIST 8286D
- “… it is important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.”
- “executives identify the products and business processes that are essential to the successful operation of the enterprise … and senior leaders identify the enterprise-level assets that enable those functions.”
- “the BIA-determined criticality and sensitivity of a system will influence risk management requirements and thereby drive CSRM [Cyber Security Risk Management] prioritisation and risk remediation.”
- “The BIA provides a solid foundation for identifying, monitoring, and communicating about potential impacts related to the loss of confidentiality, integrity, and availability.”
- “Analysis of potential impact needs to begin with consideration of the mission impact of a loss or degradation of the asset from an enterprise perspective.”
- Asset valuation:
  - “… an asset’s value is directly dependent on the extent to which it helps achieve the organization’s objectives …”
  - “Consistent asset valuation and impact analyses are important elements of enterprise risk strategy.”
What we concluded about 8286-ing BIAs
- If one of the goals of a BIA is to prioritise business activities, then relating them to the enterprise mission should be a key factor in the prioritisation algorithm or approach.
- Maintaining BIA focus on enterprise mission is essential, as it keeps what’s important to senior leadership in perspective. Therefore, consider the following:
  - Understand the enterprise mission upfront by speaking to people at the top levels of the enterprise before starting the BIA or BIA refresh.
  - Use the terms and language that they care about and that will resonate with them.
  - Don’t be constrained by the common impact types such as financial, reputational, and legal. Consider impacts as noted in 8286D, such as lost future revenue, share price, trust, and competitive advantage, and perhaps deferred revenue and market share as well.
  - Keep departmental BIA discussions in the context of the enterprise mission, but still understand what the departments do, some of which may be important but not vital or essential to enterprise mission attainment.
  - Recognise that some business activities directly support the mission, some indirectly, and others may only be key to the operational ecosystem / well-being / efficiency / compliance of the enterprise.
  - A mission-centric BIA approach should help get closer to what matters most to senior leadership, and help engage them in the business continuity related work that follows.
  - Consider using the mission-aligned phrases from 8286D such as "mission enabling", "mission-essential assets", and "mission objectives".
- Recognise that the CIA triad fits well into a BIA process:
  - Availability applies to applications and other resources/assets.
  - Integrity and confidentiality apply to data (both structured and unstructured), whether business facing or IT supporting (e.g., identity and access management).
- Consider data as its own asset class or resource category, separate from the application systems that utilise the data.
- When prioritising resources, extend the thinking beyond RTO-focused availability values. Factor in confidentiality and integrity.
- It is generally recognised that BIAs provide information valuable to disaster recovery and business continuity programmes. But they can also add value to data backup, cyber security, and vendor risk management programmes. Where possible, integrate your BIA efforts with those programmes to expand the overall value of the BIA across your enterprise.
- Integration with ERM. ERM provides an assessment of the overall likelihood and annualised impact of a specific risk scenario (e.g., ransomware attack). However, ERM does not have visibility into individual components and their unique vulnerabilities. The BIA provides ERM with a nuanced view of a risk scenario, giving a more realistic understanding of the complexities of component-level impacts.
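To make the prioritisation points above concrete, here is an added example (not from the BCI paper, nor a method defined by NIST 8286D) of a mission-weighted BIA scoring sketch in Python. It ranks a small asset register separately on confidentiality, integrity, and availability, with availability derived from RTO and each rating multiplied by how directly the asset supports the mission, and then lists the assets that an RTO-only ranking would miss. The asset register, the 1-5 ratings, the RTO bands, and the mission weights are all constructed assumptions for illustration.

```python
"""Mission-weighted BIA prioritisation across confidentiality, integrity
and availability.

Constructed example: the asset register below is invented, and the 1-5
ratings, RTO bands and mission weights are assumptions chosen for
illustration, not values taken from NIST 8286D or the BCI discussion.
"""
from dataclasses import dataclass
from enum import Enum

DIMENSIONS = ("confidentiality", "integrity", "availability")


class MissionTie(Enum):
    """How directly an asset supports the enterprise mission (assumed weights)."""
    DIRECT = 3      # mission-essential: the activity stops without it
    INDIRECT = 2    # supports a mission-essential activity
    ECOSYSTEM = 1   # operational well-being, efficiency or compliance only


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                 # application, data, workforce, third-party ...
    mission_tie: MissionTie
    rto_hours: float          # recovery time objective from the availability BIA
    confidentiality: int      # 1 (public) .. 5 (highly sensitive)
    integrity: int            # 1 (tolerates errors) .. 5 (must be correct)


def availability_rating(rto_hours: float) -> int:
    """Map an RTO to a 1-5 impact rating; the bands are an assumption."""
    for limit, rating_value in ((4, 5), (24, 4), (72, 3), (168, 2)):
        if rto_hours <= limit:
            return rating_value
    return 1


def rating(asset: Asset, dimension: str) -> int:
    """Raw 1-5 impact rating of one asset on one CIA dimension."""
    if dimension == "availability":
        return availability_rating(asset.rto_hours)
    if dimension == "confidentiality":
        return asset.confidentiality
    if dimension == "integrity":
        return asset.integrity
    raise ValueError(f"unknown dimension: {dimension}")


def score(asset: Asset, dimension: str) -> int:
    """Mission-weighted priority: impact rating times mission weight."""
    return rating(asset, dimension) * asset.mission_tie.value


def ranked(assets, dimension):
    """Return [(name, score), ...] highest priority first; ties broken by name."""
    return sorted(((a.name, score(a, dimension)) for a in assets),
                  key=lambda pair: (-pair[1], pair[0]))


def blind_spots(assets, top_n=3):
    """Assets in the top-N for confidentiality or integrity that an
    availability-only (RTO-driven) BIA would leave outside its top-N."""
    top = {dim: {name for name, _ in ranked(assets, dim)[:top_n]}
           for dim in DIMENSIONS}
    missed = (top["confidentiality"] | top["integrity"]) - top["availability"]
    return sorted(missed)


# Constructed register: data is treated as its own asset class, separate
# from the applications that use it, as the discussion recommends.
SAMPLE_REGISTER = [
    Asset("Order management system", "application", MissionTie.DIRECT, 4, 3, 4),
    Asset("Identity and access management", "application", MissionTie.DIRECT, 2, 4, 5),
    Asset("Financial ledger", "data", MissionTie.DIRECT, 24, 4, 5),
    # Long RTO (a week) but the most sensitive data the enterprise holds.
    Asset("Customer PII archive", "data", MissionTie.DIRECT, 168, 5, 3),
    Asset("Payroll provider", "third-party", MissionTie.ECOSYSTEM, 48, 4, 3),
    Asset("Cafeteria menu site", "application", MissionTie.ECOSYSTEM, 72, 1, 1),
]

if __name__ == "__main__":
    for dim in DIMENSIONS:
        print(f"\n{dim} priority (mission-weighted):")
        for name, value in ranked(SAMPLE_REGISTER, dim):
            print(f"  {value:3d}  {name}")
    print("\nMissed by an RTO-only ranking:", blind_spots(SAMPLE_REGISTER))
```

Run stand-alone, the script prints three separate priority lists; the archive of customer PII tops the confidentiality list while sitting near the bottom of the availability list, which is exactly the case where an RTO-only BIA would under-prioritise a mission-essential asset.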