What Is “Reasonable Security”?
If your information is breached and your case goes to litigation, you will be asked to demonstrate “due care.” Organizations must use safeguards that keep risk reasonable to the organization and appropriate to other interested parties, judged as of the time of the breach. The CIS RAM method helps your organization demonstrate the right level of due care.
Justification for CIS RAM
- Helps organizations prioritize and implement CIS controls reasonably
- Provides a method to develop risk criteria that meet the standard of due care as expected by the appropriate authorities
- Creates consensus among interested parties
- Provides instructions, worksheets, and exercises to guide you through your risk assessment; three different sets of materials support the tiers of risk maturity found in the National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Integrates with the CIS Community Attack Model to model complex threats
The Right Amount of Security
CIS recommends that organizations use CIS RAM to evaluate and plan their implementation of CIS Controls — the prioritized set of actions put into place to protect organizations and data from known cyberattacks.
Risk analysis helps shape and customize controls to address the internal and external challenges that organizations face. Too often, organizations rely solely on gap assessments to determine the severity of their vulnerabilities, but remediating all gap assessment deficiencies can lead to over-securing and over-investing.
On the other hand, remediating the risks identified through a CIS RAM assessment results in the security you need for the investment you can afford. CIS RAM enables you to apply exactly the right amount of security — not too much, not too little — while striking a balance between staying safe and ensuring that your organization can conduct business as usual.