New US government guidance on cyber risk

November 28, 2022

I was surprised and pleased, surprised and flattered, and then disappointed by a new publication by NIST (the US Department of Commerce’s National Institute of Standards and Technology).

NIST published NISTIR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response this month.

I have been saying that in order to understand how a cyber breach might affect the business, a business impact analysis (such as contingency planners have been using for decades) should be performed. The analysis should be a joint effort between operating management (who understand the business) and the technical teams (who understand how a breach might happen).

I was surprised and pleased that NIST decided to respond with this new guidance, even to the extent of using some of my language.

The Abstract says:

“While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).”

While I noticed that NIST remains focused on assessing risk to information assets, instead of to enterprise objectives or (as they say) the enterprise mission, I was surprised and flattered to read the following in the Acknowledgments:

“The authors also thank… individual commenters Simon Burson and Norman Marks.”

But the guidance is disappointing.

The Abstract continues with:

“The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.”

There are some good sections, like this from the Executive Summary:

“Risk is measured in terms of impact on enterprise mission, so it is vital to understand the various information and technology (IT) assets whose functions enable that mission. Each asset has a value to the enterprise. For government enterprises, many of those IT assets are key components for supporting critical services provided to citizens. For corporations, IT assets directly influence enterprise capital and valuation, and IT risks can have a direct impact on the balance sheet or budget. For each type of enterprise, it is both vital and challenging to determine the conditions that will truly impact a mission. Government agencies must provide critical services while adhering to priority directives from senior leaders. In the commercial world, mission priority is often driven by long-term goals and factors that might impact the next quarter’s earnings call. Therefore, it is highly important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.”

However, they continue to justify the use of a cybersecurity risk register and a focus on managing and mitigating risk to information assets:

“The NIST Interagency Report (IR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. Another critical artifact of risk management that serves as both a construct and a means of communication with the risk register is the Business Impact Analysis (BIA) Register. The BIA examines the potential impacts associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets and stores the results in the BIA Register. An asset criticality or resource dependency assessment identifies and prioritizes the information assets that support the enterprise’s critical missions. Similarly, assessments of asset sensitivity identify and prioritize information assets that store, process, or transmit information that must not be modified or disclosed to unauthorized parties. In the cybersecurity realm, the use of the BIA has historically been limited to calculations of quality-based and time-based objectives for incident handling (including continuity of operations and disaster recovery).

“Because the BIA serves as a nexus for understanding risk (which is the measurement of uncertainty on the mission), it provides a basis for risk appetite and tolerance values as part of the enterprise risk strategy. That guidance supports performance and risk metrics based on the relative value of enterprise assets to communicate and monitor Cybersecurity Risk Management (CSRM) activities, including measures determined to be key performance indicators (KPIs) and key risk indicators (KRIs). The BIA supports asset classification that drives requirements, risk communications, and monitoring.”

There is value in understanding what systems and data need to be protected, but NIST is still not assessing the risk to the mission (the business) of a breach: the range of potential effects and their likelihoods.

This is how I see the issue:

  1. The organization needs to prevent, to the extent that is reasonably possible, a cyber breach. However, the entrance point of a breach is not necessarily in a critical information asset.
  2. It should invest in cyber commensurate with the risk to the business. That requires understanding the range of potential effects and their likelihoods.
  3. The potential effects of a breach should be minimized where possible, using tools and techniques such as encryption, backup or even redundant systems, etc. Understanding the critical information assets is necessary to do this well.
  4. The organization needs to be able to respond to and recover promptly from a breach, minimizing any damage. This requires knowing that a breach has occurred (a major problem since past breaches have not been discovered for up to a year), knowing what has been affected (also a major challenge), and taking appropriate actions to restore service, including reprocessing transactions, communicating with third parties, and more.

If there is a risk tolerance or other criteria that should be used to assess whether the level of cyber risk is acceptable, it should be based on the level of risk to the business, not to individual information assets.

I am concerned that a focus on risk to information assets will not enable:

  • An intelligent determination of the appropriate level of business investment in cyber risk prevention, resilience, and response.
  • The ability to make an informed and intelligent decision on whether to take the cyber risk involved in an early rollout of a new product because of the potential for reward.
  • The protection of non-critical assets that can be a gateway to critical ones.
  • The consideration of all sources of business risk, including but not limited to cyber, when making strategic and tactical business decisions.

There is value in understanding which information assets are critical to the business, but only once the level of risk to the business of a breach is understood.

Once the level of investment in cyber has been determined, then and only then does understanding which information assets are critical have value. It can help allocate resources between them.

However, I return to the point that a vulnerability in a non-critical asset can lead to damage to a critical one.

It’s a long time since I was responsible for information security at a major financial institution, so maybe I am missing something.

Your comments and insights would be appreciated.