CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8
Risk assessments are valuable tools for understanding the threats enterprises face, allowing them to organize a strategy and build better resiliency and business continuity, all before a disaster occurs. Preparation is key – after all, the worst time to plan for a disaster is during a disaster.
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources.
When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM lets enterprises of varying security capabilities navigate the balance between implementing security controls, risks, and enterprise needs.
CIS RAM Can Help Your Enterprise Demonstrate “Due Care”
If you experience a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. At the core of CIS RAM is the Duty of Care Risk (DoCRA) methodology, which allows enterprises to weigh the risks of not implementing the controls and its potential burden on the enterprise.
CIS RAM helps you answer questions like:
- What are my enterprise’s risks?
- What constitutes “due care” or “reasonableness?”
- How much security is enough?
What’s New for CIS RAM v2.0
CIS RAM is made up of a family of documents, with CIS RAM Core at the foundation of it all. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt RAM’s principles and practices for their environment.
As previously mentioned, CIS RAM uses DoCRA, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise.
And now, CIS RAM v2.0 helps enterprises estimate the likelihood of security incidents by using data about real world cybersecurity incidents. We have evolved our thinking about threat likelihood so instead of asking, “how likely is it that this risk will occur” we now ask, “when a security incident occurs, what is the most likely way it will happen here?” CIS RAM now uses data from the Veris Community Database to help each enterprise automatically estimate that likelihood by comparing the real-world incident data to the resilience of their deployment of each CIS Safeguard.
CIS RAM v2.0 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups: IG1, IG2, and IG3. One document for each Implementation Group will be the anchors in the CIS RAM family and will be available for both v8 and v7.1 of the CIS Critical Security Controls. Each document will have a workbook with a corresponding guide. The first of many documents in the CIS RAM v2.0 family, CIS RAM v2.0 for Implementation Group 1 and CIS RAM v2.0 for Implementation Group 1 Workbook are now available for download and will help enterprises in IG1 to build their cybersecurity program. These IG1 documents automate much of the risk assessment process so that enterprises with little or no cybersecurity expertise can become aware of their risks, and know which to address first.
All CIS RAM documents have material to help readers accomplish their risk assessments, and include the following: examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.0 for IG2 and IG3.
The CIS RAM Core Process
CIS RAM Core risk assessments involve the following activities:
- Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
- Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats.
- Evaluating the Risks: Estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
- Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.
- Evaluating Recommended CIS Safeguards: Risk-analyze the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden.
Enterprises that use CIS RAM and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.