
CIS RAM

LEARN MORE ABOUT HOW CIS RAM CAN GIVE YOU THE BALANCE OF SECURITY, COMPLIANCE, AND BUSINESS GOALS


WHAT IS "REASONABLE"?

Information security professionals face more than technical challenges in our work. We also face business, legal, and regulatory challenges. When we explain to executives, attorneys, and auditors why safeguards are appropriate even if they are not 100% applied, we should be able to describe that using their terms. CIS RAM helps organizations evaluate and design their use of the CIS Controls so they reduce technical risks in a way that management, regulators, and legal authorities understand. CIS RAM aligns with the "multi-factor" balancing tests used by judges and the "reasonable" standards embedded in regulations. Because reasonableness balances business interests with the public interest, executives can begin to speak the language of cybersecurity with more confidence.

WHAT IS CIS RAM?

CIS (Center for Internet Security) and HALOCK Security Labs have co-developed the CIS Risk Assessment Method (RAM) to help organizations justify investments for "reasonable" implementation of the CIS Controls. CIS RAM helps organizations define their acceptable level of risk, and prioritize and implement the CIS Controls to manage that risk. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators, and interested parties alike for its ability to demonstrate reasonable and appropriate implementation of controls.

AN INDUSTRY WITH MANY INTERESTED PARTIES - EACH WITH A UNIQUE SET OF CHALLENGES

Information security and risk professionals must satisfy many interested parties, all of which have vastly different concerns. Whether the party is an executive, attorney, regulator, customer/supplier, or IT security professional, the DoCRA-based CIS RAM addresses the unique challenges of each.

WHY CIS RAM?

  • Helps organizations prioritize and implement CIS Controls reasonably.
  • Provides a method to develop risk criteria that demonstrate due care as expected by legal authorities.
  • Creates consensus among interested parties.
  • Provides instructions, worksheets, and exercises to guide you through your risk assessment. Three different sets of materials support the tiers of risk maturity found in the NIST Cybersecurity Framework.
  • Integrates with CIS Community Attack Model for complex threats.


THE CIS RAM HELPS YOU APPLY THE RIGHT AMOUNT OF SECURITY

Learn how you can implement the CIS Controls for your organization with just the right amount of security, not too much and not too little, striking a balance between keeping you safe and ensuring your organization can conduct business as usual.

WHAT IF I DON'T USE CIS CONTROLS?

CIS RAM is based on "duty of care" risk analysis which applies to any security standard or regulation.

Regardless of your industry, CIS RAM guides users toward compliance and balance with regulatory requirements such as the HIPAA Security Rule, PCI DSS, Massachusetts 201 CMR 17.00, SOX Audit Standard 5, and FISMA. CIS RAM conforms to ISO 27005 and NIST 800-30. Learn more about this risk assessment methodology with HALOCK and schedule a demonstration for your specific business needs.

Find out more about the DoCRA Standard, its resources, CIS RAM, and how to implement it in the CIS RAM FAQs.


CIS RAM WEBINAR

Attend the webinar to learn more about CIS RAM.

DATE: April 30th at 10:00AM EDT
REGISTER for the event

Questions?
Contact us at
cisram@halock.com.