ITL Bulletin: Putting Things First - a Model Process for Criticality Analysis (June 2018)

Alternate Title: Information Technology Laboratory (ITL) Bulletin: Putting Things First - a Model Process for Criticality Analysis (June 2018)

This document is the Information Technology Laboratory (ITL) Bulletin for June 2018 from the National Institute of Standards and Technology. From the Introduction: "In the modern world, where complex systems-of-systems are integral to the functioning of businesses and society, it is increasingly important to be able to understand and manage risks that these systems and components may present to the missions that they support. Where resources are finite, it is not possible to apply equal protection to all assets for every type of risk - especially since those assets are increasingly complex, interdependent, and externally provided. Risk management can be improved with processes and techniques to prioritize assets for a detailed risk analysis and for applying information security and privacy controls. Existing standards and guidelines provide only high-level and scattered guidance about how to prioritize systems and components relative to organizational goals. Additionally, these existing standards and guidelines are most often focused on prioritizing projects according to organizational goals, or prioritizing components according to system functionality. A broader approach is needed to avoid an incomplete understanding of the potentially critical nature of a component to organizational goals. NIST [National Institute of Standards and Technology] Internal Report (NISTIR) 8179, Criticality Analysis Process Model, describes a comprehensive model ('the Model') for prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals. The Model adopts and adapts concepts presented in publications regarding business and risk management, engineering principles, safety applications, and cyber supply chain.
The authors of NISTIR 8179 researched and compared various existing methods to develop an approach specifically to the needs of information security and privacy risk management."

Public Domain
Retrieved From:
National Institute of Standards and Technology: http://www.nist.gov/