AUTHOR: The Center for Internet Security, Inc. (CIS®)
Laws, regulations, and information security standards all tell us to demonstrate “reasonable” security. However, a breach should not be the first time we try to define “reasonableness.” If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that the risk is reasonable to the enterprise and other interested parties at the time of the breach.
The Center for Internet Security (CIS) Risk Assessment Method v2.1 (CIS RAM v2.1) can help your enterprise demonstrate due care. CIS RAM v2.1 is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). Enterprises accomplish this by first defining their acceptable level of risk, and then managing that risk after implementation of the Controls. Few enterprises can apply all Controls to all their environments and information assets. That’s because some Controls, while offering effective security, may do so at the cost of necessary efficiency, collaboration, utility, productivity, or available budget and other resources.
CIS RAM v2.1 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups (IGs): IG1, IG2, and IG3. The second of many documents in the CIS RAM v2.1 family, CIS RAM v2.1 for IG2, is now available for download and will help enterprises in IG2 to build and improve upon their cybersecurity program. IG2 assists enterprises managing IT infrastructure of multiple departments with differing risk profiles, aiming to help them cope with increased operational complexity.
When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM enables enterprises of varying security capabilities to navigate the balance between implementing security controls, risks, and the broader needs of their enterprise.
What to expect in CIS RAM v2.1 for IG2
Risk assessments may be conducted in a variety of ways. They may focus initially on recommended CIS Controls to identify vulnerabilities within a given scope, they may focus primarily on determining how well protected those assets are by the CIS Controls, or they may focus first on known threats to see how they would play out in an environment. Risk assessments may also vary in methodology, using quantitative analysis (purely numerical representations of risk) or qualitative analysis (ranked value statements). CIS RAM v2.1 for IG2 focuses on a set of CIS Safeguards within the CIS Controls, and combines both qualitative and quantitative analyses.
CIS RAM v2.1 for IG2 was designed to help enterprises conduct a risk assessment if they have expertise in developing, managing and configuring systems, applications, and networks. IG2 enterprises are able to understand how asset classes are configured and managed, and are able to evaluate risks associated with separate asset classes, rather than the enterprise as a whole.
CIS RAM for IG2 assists these enterprises by significantly automating risk estimations and threat models. It reduces the complexity of risk analysis by providing the following:
- A simple format for stating an enterprise’s Impact Criteria and range of magnitudes of Impact that you or others may suffer
- Guidance for stating your enterprise’s Risk Acceptance Criteria
- A fixed definition for Expectancy Criteria
- A simple Risk Register
- Automated Expectancy calculation based on the commonality of reported threats and the Maturity of the enterprise’s Safeguards
As with all CIS RAM v2.1 modules, documents for both v8 and v7.1 of the CIS Critical Security Controls will be available. CIS RAM v2.1 for IG2 provides a workbook along with a corresponding guide. These documents have material to help readers accomplish their risk assessments, and include examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.1 for IG3.
CIS RAM Core
As previously mentioned, CIS RAM is made up of a family of documents. The foundation of all of these documents is CIS RAM Core. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM.
CIS RAM uses the Duty of Care Risk Analysis (DoCRA) standard, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise, and are the core tenets upon which the CIS RAM family of documents is built. Enterprises that use CIS RAM for IG2 and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2021 – 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
Taking the Next Step
Ready to conduct a cyber risk assessment? Download CIS RAM v2.1 for IG2 for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.
Join the CIS RAM Community on CIS WorkBench
Attend our CIS RAM v2.1 webinar on Tuesday, February 8, 2021 at 2 PM EST
Questions about CIS RAM? Email controlsinfo@cisecurity.org.