3 Things You’ll Learn Conducting a Cyber Risk Assessment with CIS RAM

For organizations that are conducting their first cyber risk assessment, it can be challenging to know where to start. CIS RAM (Center for Internet Security Risk Assessment Method) helps organizations conduct a risk assessment based on established legal principles for reasonableness and information security standards for analyzing risk. Put simply, CIS RAM helps you answer the questions:

1. What are my organization’s risks?
2. How acceptable are these risks?
3. How can we mitigate against potential threats?

In this blog post, we’ll examine three things you’ll learn conducting a cyber risk assessment with CIS RAM.

1. Develop criteria

To protect your organization from threats like malware and spearphishing, you’ll need to assess the risk surface. Organizations should start by defining risk assessment criteria. CIS RAM recommends using criteria that can be understood by all parties and that describe the risk to the organization as well as to any outside parties who may be affected. Collaborate with business leaders and legal counsel to ensure that any risk criteria are developed in a way that can be understood by all.

Questions about CIS RAM? Email controlsinfo@cisecurity.org.

2. Evaluate acceptable risk

CIS RAM helps organizations understand which risks are acceptable. In order for a risk to be acceptable per CIS RAM, it must be both appropriate and reasonable:

  1. Appropriate risk: The likelihood of an impact must be acceptable to all foreseeably affected parties.
  2. Reasonable risk: The risk posed by a safeguard must be less than or equal to the risk it protects against.

By putting risks in context, organizations can identify gaps in their security processes. For example, one organization might rate the likelihood of Business Email Compromise (BEC) as a 6 on a scale of 10 (6/10). However, the risk of the safeguard (in this case, training employees to avoid the BEC scam) is 2/10. Because the risk of the safeguard is lower than the risk of the scam itself, the safeguard is reasonable, and the risk of BEC for this organization would be unacceptable.

3. Model appropriate safeguards

CIS RAM helps teams examine multiple risks to an environment, including cyber risks, and determine an appropriate course of action for each. By balancing risks and safeguards, organizations are able to effectively assess risks and review solutions for each. When one security control, solution, or safeguard doesn’t work, it’s easy to model another, recalculate, and try again.

Join the CIS RAM Community on CIS WorkBench

Taking the next step

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.