Basics Of The CIS Risk Assessment Method and Reasonable Controls

Cyber risk is increasing. According to a recent security study, it took companies an average of 206 days to detect a data breach, and even breaches detected within the first 100 days cost nearly $6 million on average. Regulators and government agencies, meanwhile, now expect organizations to implement “reasonable” security measures that demonstrate “due care” in safeguarding data and assets.

That’s why the Center for Internet Security (CIS) developed the CIS Controls, a “prioritized set of actions to protect your organization and data from known cyber attack vectors.” In partnership with CIS, HALOCK created the CIS Risk Assessment Method (CIS RAM) to help organizations implement the CIS Controls in a way that reflects their business mission, objectives and obligations to others.

Let’s break down the basics.

What Is CIS RAM?

As noted above, CIS RAM was developed by HALOCK Security Labs in partnership with CIS. It is designed to help businesses assess their current risk profile and implement the CIS Controls in a way that meets the “reasonable security” and “due care” standards that regulators and courts currently apply.

Simply put, CIS RAM gives companies a straightforward way to select and justify CIS Controls safeguards that are both reasonable and appropriate for their IT environment.

Existing Standards: CIS Controls

The CIS Controls (Version 7) group the 20 controls into three categories:

  • Basic Controls — These include inventory and control of hardware and software assets, continuous vulnerability management and controlled use of administrative privileges.
  • Foundational Controls — Such as email and web browser protections, malware defenses and wireless access control.
  • Organizational Controls — More advanced controls such as penetration tests and red team exercises, incident response management and security awareness training.

Multiple Use Cases

CIS RAM includes three tiers to suit organizations at different stages of cybersecurity maturity. Businesses new to cyber security risk assessment can use CIS RAM to model foreseeable threats against the CIS Controls currently in place (if any); more experienced organizations can determine how best to configure the CIS Controls for improved protection; and expert organizations can use the framework to analyze attack paths and develop new security strategies.

Key Benefits of CIS RAM

CIS RAM is designed to help organizations strike a balance between the need for cybersecurity safeguards and the ability of the business to operate day-to-day. In this model a safeguard is reasonable when it reduces risk to an acceptable level without placing a greater burden on the organization than the risk it addresses.

CIS RAM conforms to established risk assessment standards such as ISO/IEC 27005, NIST SP 800-30 and ISACA’s Risk IT, and it has received positive feedback from the Office for Civil Rights of the Department of Health and Human Services. Its foundation, the Duty of Care Risk Analysis (DoCRA) standard, has also been used in litigation to demonstrate the efficacy of risk assessments in defining reasonable data breach controls.

Do you know “reasonable” for your organization?

Cyber risk is on the rise. Make sure you’re prepared: use CIS RAM to assess your current security posture and streamline the implementation of the CIS Controls. HALOCK partners with you to establish reasonable security controls based on your organization’s mission, objectives and obligations.
