WHAT IS CIS RAM? CIS RAM is an information security risk assessment method that helps organizations design and evaluate their implementation of the CIS Controls. CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments. And because CIS RAM is based on the DoCRA Standard, its risk assessments meet the requirements of established information security risk assessment standards and demonstrate whether safeguards are “reasonable” and “appropriate” as regulators and judges often require.
WHAT IS THE DoCRA STANDARD? DoCRA (or “Duty of Care Risk Analysis”) is a method for analyzing risk as regulators and judges expect it to be done. Regulations and judicial “balancing tests” expect that organizations consider the likelihood and degree of harm they may cause themselves and others, and to use safeguards that reduce those risks – as long as those safeguards are not overly burdensome.
DoCRA can be used to analyze cybersecurity risks using any variety of control standards or regulatory requirements. HALOCK uses DoCRA methods to analyze risks with ISO 27001/27002, NIST Special Publications 800-53, the HIPAA Security Rule, GDPR, 23 NYCRR Part 500, 201 CMR 17.00, the NIST Cybersecurity Framework, and even maturity model-based controls models, such as FFIEC CAT.
RISK ASSESSMENTS CAN BE TOO COMPLEX OR TOO SIMPLE. WHAT ABOUT CIS RAM AND DoCRA?
CIS RAM provides three different risk analysis approaches to support organizations of three levels of capability. Organizations that are new to risk analysis can use instructions for modeling foreseeable threats against the CIS Controls as the organization generally applies them. Experienced organizations can follow instructions for modeling threats against information assets to determine how the CIS Controls should be configured to protect them. Expert organizations are provided instructions for analyzing risks based on “attack paths” (similar to “kill chains”) using CIS’ Community Attack Model.
WHY ANOTHER RISK ASSESSMENT METHOD?
While there are multiple, established risk assessment standards, CIS RAM is the first to provide very specific instructions for analyzing information security risk in a way that regulators define as “reasonable,” and judges evaluate as “due care.” CIS RAM emphasizes balance between the harm that security incidents may cause others and the burden of safeguards; the foundation of “reasonableness.” Do you know reasonable?
IS CIS RAM A REPLACEMENT FOR THE OTHER RISK ASSESSMENT STANDARDS?
CIS RAM conforms to established information security risk assessment standards, such as ISO 27005, NIST SP 800-30, OCTAVE, and RISK IT. These standards all use similar forms of risk modeling. But CIS RAM supplements these standards by providing very detailed instructions and templates for quickly designing and conducting an information security risk assessments. As a result, CIS RAM risk assessments support established standards, and produce analysis that regulators and legal authorities expect to see.
DOES THE RISK ASSESSMENT TAKE LONG TO COMPLETE?
New users are able to design their risk assessment within their first day of following the CIS RAM instructions, including analysis of several risks. The amount of time the organization takes after that largely depends on the scope of their assessment, and the level of instructions they are following.
WHY IS CIS RAM SO LARGE?
CIS RAM includes three sets of detailed instructions for organizations of varying risk assessment capabilities. Each organization will select a section of the CIS RAM that applies most to them, so typical users will only read a portion of the document. And because CIS RAM provides many detailed illustrations to guide its readers step-by-step, a risk assessment can typically be designed within a day, and risk analysis can start right away. Organizations that wish to understand the basics and full lifecycle of a CIS RAM risk assessment may first read CIS RAM Express Edition. The Express Edition may provide some experienced organizations all they need to start their “duty of care”-based risk assessment.
ISN’T A GAP ASSESSMENT GOOD ENOUGH?
Because the CIS Controls are already prioritized by their criticality in preventing cyber attacks, a CIS Controls gap assessment already has risk built in. However, each organization faces its own risks, and has its own level of resources to invest against security incidents. CIS RAM helps organizations determine whether their use of CIS Controls is sufficient against the likelihood of impacts in their environment, and whether proposed safeguards are more burdensome than the risk they are designed to prevent. This helps translate security concerns into business terms, and helps regulators and legal authorities determine whether safeguards are reasonable and demonstrate due care.
AREN’T RISK ASSESSMENTS JUST SUBJECTIVE EXERCISES?
Risk assessments have often been conducted as guess-work, using “high,” “medium,” and “low” rankings of identified gaps. CIS RAM helps organizations associate risk scores with the potential of harm that may come to themselves and to others. Additionally, CIS RAM provides guidance on estimating foreseeability so both impacts and likelihoods can be communicated in simple language to technical and non-technical people.
CAN CIS RAM or DoCRA BE USED TO EVALUATE non-CIS CONTROLS?
The risk analysis methods described in CIS RAM and Duty of Care Risk AnalysisDoCRA conform to established security frameworks, such as ISO 27000, NIST Special Publications, the NIST Cybersecurity Framework, and risk assessment requirements described in PCI DSS. Security controls that come from these and other standards can effectively be risk assessed using the CIS RAM methods. And because CIS RAM and DoCRA align with risk assessment guidance for regulations such as the HIPAA Security Rule, Gramm Leach Bliley Act’s Safeguards Rule, Federal Trade Commission guidance on risk assessments, Massachusetts 201 CMR 17.00, GDPR, and 23 NYCRR Part 500, specifications from these regulations can also be included in a risk assessment.
CAN I USE A DIFFERENT RISK ASSESSMENT METHOD TO ASSESS CIS CONTROLS?
Yes. CIS does not require CIS RAM as the sole method for assessing information security risk. CIS does recommend reviewing the Principles and Practices listed in CIS RAM and CIS RAM Express Edition to be sure that information security risk assessments are meaningful to non-technical management, to regulators, and to legal authorities.
I USE A MATURITY MODEL TO ASSESS MY RISK. IS THAT COMPATIBLE WITH CIS RAM and DoCRA?
Many organizations have supplemented maturity model analysis (such as FFIEC CAT and the CSF from HITRUST) using DoCRA’s methods. Organizations may use each control maturity score as an indicator of how likely a control failure may be – making maturity a factor in the risk calculation – or they may use CIS RAM or DoCRA-based analysis to let their organization know how to prioritize their investment in cybersecurity maturity, and whether to accept the risk of staying at a certain maturity level.
ARE CIS RAM AND DoCRA COMPATIBLE WITH PROBABILITY MODELS?
For organizations that conduct risk assessment using probability analysis (i.e. use of Bayesian statistics, Monte Carlo simulations, or similar analysis) risk analysis that is based on ordinal values may appear to be a mismatch. However, CIS RAM provides simple examples for bridging the two approaches so organizations can receive the benefits of evidence-based risk analysis with the duty-of-care approach to demonstrate reasonableness.
WHY DO I NEED TO DOWNLOAD CIS RAM FROM CISECURITY.ORG?
CIS has set up a sign in process as part of the CIS RAM download in which they ask for some basic information about the downloader, and to offer the opportunity to sign up to be informed of developments on the CIS Controls and CIS RAM. CIS uses the information to better understand how CIS RAM is being used and who is using it; this information is extremely helpful to CIS as they update CIS RAM and develop associated documents like the CIS RAM Workbook.