CIS RAM and Use with Regulatory Frameworks

By Chris Cronin, Partner, HALOCK Security Labs

CIS RAM is an information security risk assessment method that helps organizations conduct cyber risk assessments. You can use CIS RAM’s step-by-step instructions, templates, and examples to meet the requirements of established information security risk assessment standards, legal authorities, and regulators. CIS RAM was developed by HALOCK Security Labs in partnership with CIS.

Frameworks and Compliance

The CIS Controls were used as the foundation to CIS RAM. The CIS Controls address common threats as identified by a community of practitioners. They are simply stated, clear, practical, and explicit.

Organizations often use multiple frameworks to guide their cybersecurity strategy. The organizational policies and workflows laid out in the CIS Controls were developed to work well as stand-alone resources or as companions to additional frameworks.

GDPR

CIS RAM can be used to comply with the GDPR – but talk to your counsel about how much you’ll get out of it. GDPR is still untested ground. There are requirements for an impact assessment, and the impact assessment is described as a risk assessment. And since many GDPR requirements are not immediately practical for many companies, they should be prepared to show how they are addressing the risks of these un-achievable requirements. Given the newness of the regulation, we are cautiously optimistic about its applicability.

New York DFS Regulation

CIS RAM can be used for the New York DFS Regulation. Give the regulation a read (23 NYCRR Part 500) and you will see that many of the requirements are to be applied based on a risk assessment. While the regulation is not specific about the risk assessment methods to be used, any risk assessment should be based on a standard of care (e.g., CIS Controls), should be effective against foreseeable harm, and should not be overly burdensome. Review these criteria with your counsel so you are confident in your use of CIS RAM for this purpose.

HIPAA

Risk assessments are the basis for HIPAA Security Rule compliance, especially to determine whether “Addressable” specifications are reasonable and appropriate. Two specific items that are worth noting in regard to HIPAA:

It makes sense to supplement the Security Rule specifications with the CIS Controls to evaluate risks. The specifications are helpful, but not as comprehensive as most environments need.
Also look to NIST SP 800-53, NIST SP 800-171, ISO 27001 Annex A, and other standards to identify controls that support the administrative and physical specifications in the Security Rule.

About the Author

Chris Cronin is an information security consultant who helps organizations manage their information security risks. He is a Partner at HALOCK Security Labs and the principal author of CIS RAM, a risk assessment method for reasonable implementation and evaluation of CIS Controls.