What Is ‘Reasonable Security’?
If your information is breached and your case goes to litigation, you will be asked to demonstrate “due care.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. The CIS risk assessment method helps your organization demonstrate the right level of due care.
Justification for CIS RAM
HALOCK and CIS designed the CIS risk assessment method to provide utility for both advanced practitioners and companies new to the assessment process. Experienced cybersecurity professionals can use CIS RAM to model threats against information assets and determine the ideal implementation of CIS controls. Organizations conducting initial risk analysis, meanwhile, can leverage CIS RAM’s instructions to model foreseeable threats and define actionable information security controls lists.
No matter your level of risk assessment experience, CIS RAM offers multiple benefits, including:
- Helps organizations prioritize and implement CIS controls reasonably.
- Provides a method to develop risk criteria that meet the standard of due care as expected by the appropriate authorities.
- Creates consensus among interested parties.
- Provides instructions, worksheets and exercises to guide you through your risk assessment; three different sets of materials support tiers of risk maturity found in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Integrates with the CIS Community Attack Model to model complex threats.
The Right Amount of Security
Risk analysis helps shape and customize controls to address the internal and external challenges that organizations face. Too often, organizations rely solely on gap assessments to determine the severity of their vulnerabilities, but remediating all gap assessment deficiencies can lead to over-securing and over-investing.
Effectively evaluating potential risk and your need for security controls is about finding balance. If assessments aren’t extensive enough, new deployments could fail to meet the standards of due care and reasonable security, putting your organization at risk of data breaches and potential legal action. If assessments are too extensive, you could spend substantial time and money safeguarding your network against incredibly unlikely security events. The result? Marginally improved defenses that may interfere with day-to-day operations and consume significant IT resources.
Using CIS RAM to evaluate and plan CIS implementation provides a “just right” assessment of risks and potential safeguards, allowing your company to readily define its CIS information security controls list — the prioritized set of actions put into place to protect organizations and data from known cyberattacks.
Risk Assessment Done Right
Remediating the risks identified through a CIS RAM assessment results in the security you need for the investment you can afford. CIS RAM enables you to apply exactly the right amount of security — not too much, not too little — striking a balance between staying safe and ensuring your organization can conduct business as usual.
Do you know reasonable?