Consultant: Duty of Care for Cybersecurity
I am responsible for helping clients implement and maintain a risk assessment.
CIS RAM (the CIS Risk Assessment Method):
- Is designed to help organizations prioritize and implement CIS Controls reasonably.
- Establishes a method for developing risk criteria that meet the duty of care expected by legal and regulatory authorities.
- Creates a common language, method and understanding so that interested parties can address security and compliance together rather than from competing viewpoints.
- Provides instructions, worksheets and exercises to guide you through your risk assessment. Three different sets of materials are provided to support the tiers of risk maturity.
- Integrates the CIS Community Attack Model for complex threats.
If you leverage CIS RAM for your client you will have the ability to:
- Evaluate risk by calculating potential impact to an organization’s customers, business objectives, and external entities (regulators, vendors, etc.).
- “Draw a line” at an organization’s Acceptable Risk Definition, with risks below the line adhering to duty of care and risks above the line requiring risk treatment.
- Provide the organization with a concise and defensible process to Accept the risks below their Acceptable Risk Definition and to Treat (and prioritize) the risks above their Acceptable Risk Definition.
To assess your clients’ risk method against the Duty of Care Risk Analysis standard (DoCRA), step through the DoCRA checklist. If you are looking for assistance in bringing your clients’ risk method in line with DoCRA (DoCRA.org), we can help.