Diving Deeper into CIS RAM v1.0 FAQ – Part 2
By Chris Cronin, Partner, HALOCK Security Labs
CIS RAM v1.0 (Center for Internet Security Risk Assessment Method), a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment. CIS RAM v1.0 was developed by HALOCK Security Labs in partnership with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
Hundreds of people attended our launch event and had a lot of great questions about CIS RAM. Here are responses to some of the questions.
How long does CIS RAM take?
That depends on the scope of assets you include in the risk assessment (no surprise there, for sure). CIS RAM drafts were reviewed in part by having test teams follow its instructions. These teams were able to assemble a custom-built risk register containing some sample risks within a day, and were able to complete a full risk register within a week.
How do we get non-technical management to agree to do this kind of assessment?
We have seen a number of approaches work:
- Approach an executive or high-level manager who expresses a need for security, a manager who is sensitive to excessive costs, and a manager who is responsible for compliance, contracts, or security. Show them page 60 of CIS RAM Version 1. One page demonstrates how reasonable risk can be defined in a business-savvy way. Show them a few examples in your risk register. This usually does the trick.
- Try to define these risk assessment criteria on your own, and evaluate your risks following the instructions in CIS RAM. Show the risks to the managers described above. Ask them if you got the risk assessment criteria definitions right, because you may not be reflecting risk and safeguard plans correctly. Very often managers see that they have something to gain (or potentially lose) if they do not participate in defining risk assessment criteria and will jump in to “fix” it.
- Talk to managers who have a vested interest in the security of systems, applications, and processes. Ask them to help review your impact estimates (“Do you think it’s as serious as I think it is?”). And discuss with them the safeguards you are evaluating (“Can we live with this safeguard?” “Would we break your processes or frustrate your customers?”).
Are regulators responding well to this?
So far, the Office of Civil Rights (OCR) of the Department of Health and Human Services has provided positive feedback when covered entities provide them a DoCRA-based risk analysis to explain their security programs and corrective actions – even after a breach. While some regulators will likely continue to prioritize a set of security controls that address industry-specific weaknesses, we continue to work with regulators and other legal authorities to help them understand and adopt the methods used in CIS RAM. Be sure to speak with counsel to be sure your risk assessment criteria and risk assessment prepare you well for regulatory oversight.
Has this actually been used in court yet?
Duty of Care Risk Analysis (DoCRA), which CIS RAM is based on, has been successfully used in litigation to help explain the use of risk assessments for determining whether a control was “reasonable.” Court room multi-factor balancing tests that CIS RAM prepares its users to excel in have been used successfully in a data breach case in Pennsylvania.
Dittman v. UPMC is a lawsuit by employees of University of Pittsburgh Medical Center who suffered identity theft after a breach of their human resources application. Both the trial court and the appellate court found that UPMC was not negligent in the breach. The utility of employment (the “mission”) outweighed the foreseeable harm from a data breach (the “obligation”). As of this writing, the case is at the Pennsylvania Supreme Court, and we are awaiting a decision of the appeal there. You should speak with counsel to be certain that your risk assessment criteria and risk assessment will support you in case of litigation.
Is there a table of threats and vulnerabilities aligned with CIS Controls that we can use?
No, but let’s all get on a CIS WorkBench community and develop one! Seriously! We know that many consultancies have developed in-house tools to manage the quality of their advisory services and deliverables, but isn’t open source better? Who wants to take this on?
How can I get involved?
- Follow the steps to register if you don’t already have an account
- After account validation by CIS, you will receive a welcome email
- Join a community
- Search for the CIS Controls community by typing in the search bar
About the Author
Chris Cronin is an information security consultant who helps organizations manage their information security risks. He is a Partner at HALOCK Security Labs and the principal author of CIS RAM, a risk assessment method for reasonable implementation and evaluation of CIS Controls.