CIS RAM includes three sets of detailed instructions for organizations of varying risk assessment capabilities. Each organization will select a section of the CIS RAM that applies most to them, so typical users will only read a portion of the document. And because CIS RAM provides many detailed illustrations to guide its readers step-by-step, a risk assessment can typically be designed within a day, and risk analysis can start right away. Organizations that wish to understand the basics and full lifecycle of a CIS RAM risk assessment may first read CIS RAM Express Edition. The Express Edition may provide some experienced organizations all they need to start their “duty of care”-based risk assessment.
Because the CIS Controls are already prioritized by their criticality in preventing cyber attacks, a CIS Controls gap assessment already has risk built in. However, each organization faces its own risks, and has its own level of resources to invest against security incidents. CIS RAM helps organizations determine whether their use of CIS Controls is sufficient against the likelihood of impacts in their environment, and whether proposed safeguards are more burdensome than the risk they are designed to prevent. This helps translate security concerns into business terms, helps regulators and legal authorities determine whether safeguards are reasonable, and demonstrates due care.
AREN’T RISK ASSESSMENTS JUST SUBJECTIVE EXERCISES?
Risk assessments have often been conducted as guesswork, using “high,” “medium,” and “low” rankings of identified gaps. CIS RAM helps organizations associate risk scores with the potential of harm that may come to themselves and to others. Additionally, CIS RAM provides guidance on estimating foreseeability so both impacts and likelihoods can be communicated in simple language to technical and non-technical people.
CAN CIS RAM OR DoCRA BE USED TO EVALUATE NON-CIS CONTROLS?
The risk analysis methods described in CIS RAM and DoCRA conform to established security frameworks, such as ISO 27000, NIST Special Publications, the NIST Cybersecurity Framework, and risk assessment requirements described in PCI DSS. Security controls that come from these and other standards can effectively be risk assessed using the CIS RAM methods. And because CIS RAM and DoCRA align with risk assessment guidance for regulations such as the HIPAA Security Rule, the Gramm-Leach-Bliley Act’s Safeguards Rule, Federal Trade Commission guidance on risk assessments, Massachusetts 201 CMR 17.00, GDPR, and 23 NYCRR Part 500, specifications from these regulations can also be included in a risk assessment.
CAN I USE A DIFFERENT RISK ASSESSMENT METHOD TO ASSESS CIS CONTROLS?
Yes. CIS does not require CIS RAM as the sole method for assessing information security risk. CIS does recommend reviewing the Principles and Practices listed in CIS RAM and CIS RAM Express Edition to be sure that information security risk assessments are meaningful to non-technical management, to regulators, and to legal authorities.
I USE A MATURITY MODEL TO ASSESS MY RISK. IS THAT COMPATIBLE WITH CIS RAM and DoCRA?
Many organizations have supplemented maturity model analysis (such as FFIEC CAT and the CSF from HITRUST) using DoCRA’s methods. Organizations may use each control maturity score as an indicator of how likely a control failure may be – making maturity a factor in the risk calculation – or they may use CIS RAM or DoCRA-based analysis to let their organization know how to prioritize their investment in cybersecurity maturity, and whether to accept the risk of staying at a certain maturity level.
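The two ideas above, that a control's maturity score can stand in for how foreseeable its failure is, and that a safeguard should be rejected when it is more burdensome than the risk it reduces, can be shown as a small calculation. The following Python is an added illustration, not code from CIS, CIS RAM, or DoCRA: the 1-5 scales, the acceptable-risk threshold, the maturity-to-expectancy mapping, and the burden test are all assumptions chosen for the example, and the control names and scores are constructed sample data. CIS RAM publishes its own impact and expectancy definitions, which this example does not reproduce.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales for this illustration. CIS RAM publishes its own
# impact and expectancy definitions; this example does not reproduce them.
ACCEPTABLE_RISK = 8  # assumed: an impact x expectancy score at or below this is acceptable

# Assumed mapping from a control-maturity level (1 = ad hoc, 5 = optimized) to
# expectancy, i.e. how foreseeable a failure of that control is on a 1-5 scale.
MATURITY_TO_EXPECTANCY = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}


@dataclass(frozen=True)
class Risk:
    control: str
    impact: int      # 1-5: harm to the organization and to others if the control fails
    expectancy: int  # 1-5: how foreseeable that failure is

    @property
    def score(self) -> int:
        return self.impact * self.expectancy

    def is_acceptable(self, threshold: int = ACCEPTABLE_RISK) -> bool:
        return self.score <= threshold


def risk_from_maturity(control: str, impact: int, maturity: int) -> Risk:
    """Turn a maturity-model score into the expectancy input of the risk calculation."""
    if maturity not in MATURITY_TO_EXPECTANCY:
        raise ValueError(f"maturity level must be 1-5, got {maturity}")
    if not 1 <= impact <= 5:
        raise ValueError(f"impact must be 1-5, got {impact}")
    return Risk(control, impact, MATURITY_TO_EXPECTANCY[maturity])


@dataclass(frozen=True)
class Safeguard:
    name: str
    target_maturity: int  # maturity level the safeguard is expected to reach
    burden: int           # assumed: cost/disruption scored on the same 1-25 scale as risk


def evaluate_safeguard(current: Risk, sg: Safeguard, threshold: int = ACCEPTABLE_RISK) -> dict:
    """Assumed duty-of-care test: the safeguard must bring residual risk to an
    acceptable level and must not be more burdensome than the risk it reduces."""
    residual = risk_from_maturity(current.control, current.impact, sg.target_maturity)
    acceptable = residual.is_acceptable(threshold)
    not_excessive = sg.burden <= current.score
    return {
        "safeguard": sg.name,
        "current_risk": current.score,
        "residual_risk": residual.score,
        "residual_acceptable": acceptable,
        "burden_justified": not_excessive,
        "reasonable": acceptable and not_excessive,
    }


def prioritize(risks: list[Risk]) -> list[str]:
    """Order controls by risk score so maturity investment goes to the worst first."""
    return [r.control for r in sorted(risks, key=lambda r: r.score, reverse=True)]


if __name__ == "__main__":
    # Constructed sample data: three controls with scores from a maturity assessment.
    risks = [
        risk_from_maturity("vulnerability management", impact=4, maturity=2),
        risk_from_maturity("account management", impact=5, maturity=4),
        risk_from_maturity("audit logging", impact=3, maturity=3),
    ]
    for r in risks:
        print(f"{r.control}: score {r.score}, acceptable={r.is_acceptable()}")
    print("priority:", prioritize(risks))
    vuln = risks[0]
    print(evaluate_safeguard(vuln, Safeguard("weekly authenticated scanning", 4, burden=6)))
    print(evaluate_safeguard(vuln, Safeguard("continuous scanning with 24h SLA", 5, burden=20)))
```

With these assumed scales, vulnerability management at maturity 2 scores 16 and tops the priority list; raising it to maturity 4 leaves a residual of 8, which is acceptable at a burden of 6, while pushing it to maturity 5 at a burden of 20 fails the test because the burden exceeds the 16 points of risk it addresses. The point is the structure, not the numbers: an organization substitutes its own scales and threshold, and the same comparison then says in plain terms whether staying at a given maturity level is a risk it is choosing to accept.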
ARE CIS RAM AND DoCRA COMPATIBLE WITH PROBABILITY MODELS?
For organizations that conduct risk assessment using probability analysis (e.g. Bayesian statistics, Monte Carlo simulations, or similar analysis), risk analysis that is based on ordinal values may appear to be a mismatch. However, CIS RAM provides simple examples for bridging the two approaches so organizations can receive the benefits of evidence-based risk analysis with the duty-of-care approach to demonstrate reasonableness.
WHY DO I NEED TO DOWNLOAD CIS RAM FROM CISECURITY.ORG?
CIS has set up a sign-in process as part of the CIS RAM download in which they ask for some basic information about the downloader, and offer the opportunity to sign up to be informed of developments on the CIS Controls and CIS RAM. CIS uses the information to better understand how CIS RAM is being used and who is using it; this information is extremely helpful to CIS as they update CIS RAM and develop associated documents like the CIS RAM Workbook.
ARE CIS RAM AND DoCRA FREE?
Yes, CIS RAM and DoCRA are free to use by anyone to improve their own cybersecurity.