WHY CIS RAM

WHAT IS "REASONABLE" SECURITY?

If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” 
 
This is the language judges use to describe "reasonable." Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. The CIS RAM method can help your organization demonstrate "due care".
 
WHAT IS CIS RAM?

CIS (The Center for Internet Security) and HALOCK Security Labs have co-developed the CIS Risk Assessment Method (RAM) to help organizations justify investments for reasonable implementation of the CIS Controls. CIS RAM helps organizations define their acceptable level of risk, and to prioritize and implement the CIS Controls to manage their risk.
 
WHO IS CIS RAM FOR?

CIS RAM provides three different approaches to support organizations of three levels of capability. Organizations that are new to risk analysis can use instructions for modeling foreseeable threats against the CIS Controls as the organization generally applies them. Experienced organizations can follow instructions for modeling threats against information assets to determine how the CIS Controls should be configured to protect them. Expert organizations are provided instructions for analyzing risks based on "attack paths" (similar to "kill chains") using CIS' Community Attack Model.
 
AN INDUSTRY WITH MANY INTERESTED PARTIES - EACH WITH A UNIQUE SET OF CHALLENGES

Information security professionals need to satisfy many interested parties, all of which have vastly different concerns. Addressing the concerns of these interested parties creates a set of unique challenges.
 

    HALOCK Security Labs

    1834 Walden Office Square | Suite 200 Schaumburg, IL 60173
    P: 8042124352

    https://www.halock.com

    CIS RAM IS THE SOLUTION
    CIS RAM addresses these challenges in the following ways:
    • CIS RAM provides a method for evaluating risk by calculating the likelihood of an impact to customers, business objectives, and external entities (regulators, vendors, etc.).
    • CIS RAM provides a method to “draw a line” at an organization’s Acceptable Risk Definition, with risks below the line adhering to due care and risks above the line requiring risk treatment.
    • Together these principles provide organizations with a concise and defendable process to accept or address risk.

     
    WHY CIS RAM? CIS RAM:

    • Helps organizations prioritize and implement CIS Controls reasonably.
    • Provides a method to develop risk criteria that demonstrates due care as expected by authorities.
    • Creates consensus among interested parties.
    • Provides instructions, worksheets, and exercises to guide you through your risk assessment. Three different sets of materials support the tiers of risk maturity found in the NIST Cybersecurity Framework.
    • Integrates with CIS Community Attack Model to model complex threats.
     
    THE CIS RAM HELPS YOU APPLY THE RIGHT AMOUNT OF SECURITY
     
    Risk analysis helps shape and customize controls to address the internal and external challenges that organizations face. Too often organizations rely on gap assessments to determine the severity of their vulnerabilities. The CIS RAM enables you to apply just the right amount of security — not too much, not too little — striking a balance between keeping you safe and ensuring your organization can conduct business as usual.

    Remediating all gap assessment deficiencies can lead to over-securing and over-investing, while remediating risks identified in a CIS RAM Assessment can lead to applying just the right amount of security and investment.

    IS CIS RAM A REPLACEMENT FOR THE OTHER RISK ASSESSMENT STANDARDS?

    CIS RAM is based on the DoCRA standard (Duty of Care Risk Analysis). It conforms to established information security risk assessment standards, such as ISO 27005, NIST SP 800-30, OCTAVE, and RISK IT. These standards all use similar forms of risk modeling. But CIS RAM supplements these standards by providing very detailed instructions and templates for quickly designing and conducting an information security risk assessment. As a result, CIS RAM risk assessments support established standards, and produce analysis that regulators and legal authorities expect to see.
     
    WHAT IS DoCRA?

    The Duty of Care Risk Analysis Standard ("DoCRA" or "the Standard") presents principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. DoCRA describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities, such as regulators and judges, and by other parties who may be harmed by those risks. Regulators expect that the burden of safeguards should be balanced against an organization's mission. Attorneys and judges similarly use balancing tests to determine whether foreseeable harm could have been prevented by safeguards that would pose a reasonable burden. Conventional risk analysis has neglected to include these significant perspectives. DoCRA describes how these perspectives may be included in conventional risk analysis methods.
     
    WHY ANOTHER RISK ASSESSMENT METHOD?

    While there are multiple, established risk assessment standards, CIS RAM is the first to provide very specific instructions for analyzing information security risk in a way that regulators define as "reasonable," and judges evaluate as "due care." CIS RAM emphasizes balance between the harm that security incidents may cause others and the burden of safeguards: the foundation of "reasonableness."
     
    DOES THE RISK ASSESSMENT TAKE LONG TO COMPLETE?

    New users are able to design their risk assessment within their first day of following the CIS RAM instructions, including analysis of several risks. The amount of time an organization takes after that largely depends on the scope of its assessment and the level of instructions it is following.
     
    ISN'T A GAP ASSESSMENT GOOD ENOUGH?
     
    Each organization faces its own risks, and has its own level of resources to invest against security incidents. CIS RAM helps organizations determine whether their use of CIS Controls is sufficient against the likelihood of impacts in their environment, and whether proposed safeguards are more burdensome than the risk they are designed to prevent. This helps translate security concerns into business terms, and helps regulators and legal authorities determine whether safeguards are reasonable and demonstrate due care. Establish reasonable security safeguards with this approach.
     
    AREN'T RISK ASSESSMENTS JUST SUBJECTIVE EXERCISES?
     
    Risk assessments have often been conducted as guesswork, using "high," "medium," and "low" rankings of identified gaps. CIS RAM helps organizations associate risk scores with the potential of harm that may come to themselves and to others. Additionally, CIS RAM provides guidance on estimating foreseeability so both impacts and likelihoods can be communicated in simple language to technical and non-technical people.
     
    WHY IS CIS RAM SO LARGE?
     
    CIS RAM includes three sets of detailed instructions for organizations of varying risk assessment capabilities. Each organization will select a section of the CIS RAM that applies most to them, so typical users will only read a portion of the document. And because CIS RAM provides many detailed illustrations to guide its readers step-by-step, a risk assessment can typically be designed within a day, and risk analysis can start right away. Organizations that wish to understand the basics and full lifecycle of a CIS RAM risk assessment may first read CIS RAM Express Edition. The Express Edition may provide some experienced organizations all they need to start their "duty of care"-based risk assessment.
     
    WHAT IF MY ORGANIZATION SUPPLEMENTS CIS CONTROLS WITH OTHER STANDARDS?
     
    The risk analysis methods described in CIS RAM conform to established security frameworks, such as ISO 27000, NIST Special Publications, the NIST Cybersecurity Framework, and the risk assessment requirements described in PCI DSS. Security controls that come from these and other standards can effectively be risk assessed using the CIS RAM methods. And because CIS RAM aligns with risk assessment guidance for regulations such as the HIPAA Security Rule, the Gramm-Leach-Bliley Act's Safeguards Rule, Federal Trade Commission guidance on risk assessments, Massachusetts 201 CMR 17.00, GDPR, and 23 NYCRR Part 500, specifications from these regulations can also be included in a CIS Controls risk assessment.
     
    IS CIS RAM FREE?
     
    Yes, CIS RAM is free to use by anyone to improve their own cybersecurity.
     
    WHERE CAN I GET MORE INFORMATION ON DoCRA AND CIS RAM?
     
    You can learn more about DoCRA at www.docra.org.
     
    To get more information on CIS RAM, complete the form to set up a review on how the method can provide balance to your security strategy. You can also send an email to CISRAM@HALOCK.com.
     
     
    WHAT RESOURCES ARE AVAILABLE FOR CIS RAM?
     
    To help you get started, please access these resources:

    • Coming: CIS RAM & CIS RAM Express
    • CIS RAM Executive Prospectus
    • Other HALOCK Services
    • Coming: Foreseeable Threat Index Newsletter

    ©HALOCK Security Labs. All Rights Reserved.
