CIS RAM v2.1 for Implementation Group 3 (IG3) Workshop

Previously Aired: Tuesday, June 21, 2022 | 2:00 PM ET

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is a free information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). It provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators.

CIS RAM v2.1 includes three different approaches to support enterprises of three levels of capability in alignment with the CIS Controls Implementation Groups (IGs): IG1, IG2, and IG3. The third of many documents in the CIS RAM v2.1 family, CIS RAM v2.1 for IG3, is now available for download. It's designed to help enterprises in IG3 build and improve upon their cybersecurity program. CIS RAM v2.1 for IG3 helps enterprises understand how well prepared they are for the most and least commonly reported threats that cause security incidents.

CIS developed CIS RAM v2.1 through an ongoing partnership with HALOCK Security Labs. HALOCK and CIS first collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. Since then, HALOCK had been providing CIS RAM methods with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders.

CIS is a founding member of the DoCRA Council, an organizations which maintains the risk analysis standard that CIS RAM v1.0 is built upon.

What attendees learned in this webinar:

  • An overview of how to conduct a risk assessment using CIS RAM v2.1 for IG3
  • A step-by-step tutorial of the activities an IG3 enterprise will take to conduct a risk assessment using CIS RAM v2.1, including:
  • How the Center for Internet Security’s Community Defense Model (CDM) v2.0 was integrated into CIS RAM 2.1 for IG3 to assist in threat modeling




Valecia Stocchetti, Sr. Cybersecurity Engineer for the CIS Controls at the Center for Internet SecurityValecia Stocchetti is a Sr. Cybersecurity Engineer for the CIS Controls at the Center for Internet Security. Valecia comes to CIS from the eCommerce field where she worked complex financial fraud cases. She is a graduate from the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Valecia worked in the MS/EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements for the MS/EI-ISAC SLTT community. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Valecia holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). While she enjoys all things InfoSec, she particularly finds the Cybercrime and Espionage fields fascinating, which is what led her to this career in the first place.



Headshot of Chris Cronin, partner at HALOCK Security Labs and Chair of the DoCRA CouncilChris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council. He is the principal author of the DoCRA Standard and CIS RAM, Center for Internet Security’s Risk Assessment Method. Chris’ clients include Fortune 100 companies, large- and mid-sized organizations, start-ups, litigators, and regulators. Since 2010, Chris has helped his clients manage their information security risks to an evidence-based, reasonable level. Chris’ work as an expert witness has helped his clients, regulators, and litigators evaluate the reasonableness of security controls and programs during regulatory oversight or post-breach legal action. Chris is a frequent speaker and cybersecurity writer. He collaborates with peers in industry collaboratives and think tanks, including Sedona Conference, to help bring equity and due care to cybersecurity and risk management.