The National Institute of Standards and Technology (NIST) is releasing a publication that, it said, will help organizations identify the systems and components that are most vital to them and that may therefore need additional security or other protections.
NIST Internal Report (NISTIR) 8179, Criticality Analysis Process Model: Prioritizing Systems and Components proposes a unique model, called the Criticality Analysis Process Model, which is based on existing methods and approaches but is tailored specifically to the needs of information security and privacy risk managers. Criticality Analysis is regularly called out as a best practice and is referenced in various risk management guidance; this publication provides guidance on how to conduct such an analysis and provides a needed tool for better managing risk.
In modern computing, where complex systems and systems-of-systems are integral to the functioning of society and businesses, it becomes increasingly important to understand and manage the risks that these systems and components may present to the missions they support. However, organizations have finite resources; it is not possible to apply equal protection to all assets. This publication describes a comprehensive Criticality Analysis Process Model: a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may have on those goals.
A criticality analysis can help organizations identify and better understand the systems, subsystems, components, and subcomponents that are most essential to their operations and to the environment in which they operate. That understanding supports better decision making about the management of an organization's information assets, including information security and privacy risk management, project management, acquisition, and maintenance and upgrade decisions, NIST said.
The Criticality Analysis Process Model is intended to be used as a component of a holistic risk management approach that considers all risks, including information security and privacy risks, to prioritize and tailor controls to those risks. The Model can be used with a variety of risk management standards and guidelines and in conjunction with systems and software engineering, project management, and auditing/attestation frameworks.
Download NISTIR 8179 (DOI)
Suggested Supplemental Material:
Process Model (XML)
Process Model Diagram (pdf)
Process Model Diagram (SVG)