Join us today Tuesday, June 21, 2022 at 1:00 PM ET for the CIS RAM v2.1 workshop. HALOCK partner Chris Cronin will be presenting the latest release which includes Implementation Group 3 (IG3).

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is a free information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). It provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators.

CIS RAM v2.1 includes three different approaches to support enterprises of three levels of capability in alignment with the CIS Controls Implementation Groups (IGs): IG1, IG2, and IG3. The third of many documents in the CIS RAM v2.1 family, CIS RAM v2.1 for IG3, is now available for download. It’s designed to help enterprises in IG3 build and improve upon their cybersecurity program. CIS RAM v2.1 for IG3 helps enterprises understand how well prepared they are for the most and least commonly reported threats that cause security incidents.

CIS developed CIS RAM v2.1 through an ongoing partnership with HALOCK Security Labs. HALOCK and CIS first collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. Since then, HALOCK has been providing CIS RAM methods with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders.


CIS is a founding member of The DoCRA Council, an organization that maintains the risk analysis standard that CIS RAM v1.0 is built upon.

What attendees will learn in this webinar:

  • An overview of how to conduct a risk assessment using CIS RAM v2.1 for IG3
  • A step-by-step tutorial of the activities an IG3 enterprise will take to conduct a risk assessment using CIS RAM v2.1, including:
    • How to complete the Impact Criteria Survey
      • Defining Impact Areas (Mission, Operational Objectives, Financial Objectives, Obligations)
      • Defining Impact Magnitudes (Negligible, Acceptable, Unacceptable, High, Catastrophic)
    • How to complete the Enterprise Parameters
      • Defining criteria for Impact, Expectancy, and Risk Acceptance
    • How to complete a Risk Register
      • Identifying and evaluating risks using the CIS Controls
      • Understanding Risk Treatment to reduce risks to an acceptable level
      • How you can apply both a quantitative and qualitative approach to a CIS RAM risk assessment
  • How the Center for Internet Security’s Community Defense Model (CDM) v2.0 was integrated into CIS RAM 2.1 for IG3 to assist in threat modeling
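The Risk Register steps listed above (impact criteria, enterprise parameters, expectancy, risk acceptance, and treatment) as an added toy example; this is illustrative code written for this page, not CIS's own method. The 1..5 scales, the worst-impact-area rule, the Impact x Expectancy product, and the acceptance threshold are assumptions made for the example.

```python
"""Toy CIS RAM-style risk register evaluation (illustrative, not CIS's own method).

Assumptions for this example: magnitudes and expectancy are scored 1..5, the worst
impact area drives the impact score, risk = impact x expectancy, and a risk is
acceptable when it does not exceed acceptable_impact x acceptable_expectancy.
"""
from dataclasses import dataclass, field

# Impact magnitudes named on the page, mapped to an assumed 1..5 scale.
IMPACT_MAGNITUDES = {"Negligible": 1, "Acceptable": 2, "Unacceptable": 3, "High": 4, "Catastrophic": 5}


@dataclass
class EnterpriseParameters:
    """Risk acceptance criteria (assumed shape): the highest impact and expectancy
    the enterprise is willing to live with."""
    acceptable_impact: int = 2      # "Acceptable" magnitude
    acceptable_expectancy: int = 2

    @property
    def acceptable_risk(self) -> int:
        return self.acceptable_impact * self.acceptable_expectancy


@dataclass
class Risk:
    safeguard: str                  # CIS Safeguard being evaluated, e.g. "1.1"
    threat: str
    impacts: dict                   # impact area -> magnitude name
    expectancy: int                 # assumed 1..5 likelihood score
    treatment: str = ""             # planned safeguard improvement, if any
    treated_impacts: dict = field(default_factory=dict)
    treated_expectancy: int = 0


def impact_score(impacts: dict) -> int:
    # Assumption: the worst affected area (Mission, Operational Objectives,
    # Financial Objectives, Obligations) sets the impact score.
    return max(IMPACT_MAGNITUDES[m] for m in impacts.values())


def risk_score(impacts: dict, expectancy: int) -> int:
    return impact_score(impacts) * expectancy


def evaluate(register: list, params: EnterpriseParameters) -> list:
    """Return (safeguard, inherent risk, risk after treatment, acceptable?) per row."""
    rows = []
    for r in register:
        inherent = risk_score(r.impacts, r.expectancy)
        treated = risk_score(r.treated_impacts, r.treated_expectancy) if r.treated_impacts else inherent
        rows.append((r.safeguard, inherent, treated, treated <= params.acceptable_risk))
    return rows


# Constructed sample register: two hypothetical rows, not real assessment data.
SAMPLE_REGISTER = [
    Risk("1.1", "Unmanaged device joins the network", {"Mission": "Acceptable", "Obligations": "High"}, 4,
         "Deploy asset discovery and network access control", {"Mission": "Acceptable", "Obligations": "Acceptable"}, 2),
    Risk("8.2", "Audit logs are not collected", {"Obligations": "Unacceptable"}, 3),
]
```

Running `evaluate(SAMPLE_REGISTER, EnterpriseParameters())` shows the first row reduced to an acceptable level by its treatment and the second row still above the acceptance threshold because no treatment is planned.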

HOST/MODERATOR: Valecia Stocchetti is a Sr. Cybersecurity Engineer for the CIS Controls at the Center for Internet Security. Valecia comes to CIS from the eCommerce field where she worked complex financial fraud cases. She is a graduate from the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Valecia worked in the MS/EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements for the MS/EI-ISAC SLTT community. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Valecia holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). While she enjoys all things InfoSec, she particularly finds the Cybercrime and Espionage fields fascinating, which is what led her to this career in the first place.

PRESENTER: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council. He is the principal author of the DoCRA Standard and CIS RAM, Center for Internet Security’s Risk Assessment Method. Chris’ clients include Fortune 100 companies, large- and mid-sized organizations, start-ups, litigators, and regulators. Since 2010, Chris has helped his clients manage their information security risks to an evidence-based, reasonable level. Chris’ work as an expert witness has helped his clients, regulators, and litigators evaluate the reasonableness of security controls and programs during regulatory oversight or post-breach legal action. Chris is a frequent speaker and cybersecurity writer. He collaborates with peers in industry collaboratives and think tanks, including Sedona Conference, to help bring equity and due care to cybersecurity and risk management.

SOURCE: The Center for Internet Security, Inc. (CIS®)


Download the SANS Cybersecurity Leadership | Version 8 of the CIS Critical Security Controls Poster


The 18 CIS Critical Security Controls

Formerly the SANS Critical Security Controls (SANS Top 20), these are now officially called the CIS Critical Security Controls (CIS Controls).

CIS Controls Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in a decrease of the number of Controls from 20 to 18.

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skills Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing

SOURCE: The Center for Internet Security, Inc. (CIS®)