CIS Risk Assessment Method

Cybersecurity risk analysis is an essential process for protecting organizations from cybercriminals. If done correctly, the organization has considered how well prepared it is for the most (and least) foreseeable events.
CIS RAM (Center for Internet Security Risk Assessment Method) is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Critical Security Controls (CIS Controls) cybersecurity best practices. CIS RAM provides a model of cybersecurity risk analysis that helps enterprises combine the interests of business, legal and regulatory authorities, and information security practitioners. The objective of the Center for Internet Security® Risk Assessment Method (CIS RAM) is to help enterprises plan and justify their implementation of the CIS Critical Security Controls® (CIS Controls®) Versions 7.1 and 8, whether those controls are fully or partially operating.
CIS RAM provides a data-informed construct to make the analysis consistent and reality-based. Further, CIS RAM helps enterprises evaluate and plan for risks using natural language to communicate complex cybersecurity matters so that nontechnical executives can make informed decisions. Supplemental documents in the CIS RAM family will demonstrate methods for conducting risk assessments. One document for each Implementation Group (IG1, IG2, and IG3) will be the anchor in the CIS RAM family.

Background

HALOCK Security Labs and CIS collaborated to develop CIS RAM based on their experience helping clients and legal authorities resolve cybersecurity and due care issues. It is a vendor-neutral, open, industry-wide approach and is openly available to the entire cybersecurity community.

CIS RAM Principles and Practices

CIS RAM uses the Duty of Care Risk Analysis Standard (DoCRA) as its foundation. DoCRA presents risk evaluation methods familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and ten practices that guide risk assessors in developing this universal translator for their enterprise.

Principles:

  1. Risk analysis must consider the interests of all parties that may be harmed by the risk.
  2. Risks must be reduced to a level that would not require a remedy to any party.
  3. Safeguards must not be more burdensome than the risks they protect against.

Practices:

  1. Risk analysis considers the likelihood that threats could create magnitudes of impact.
  2. Tolerance thresholds are stated in plain language and are applied to each factor in a risk analysis.
  3. Impact and likelihood scores have a qualitative component that concisely states the concerns of interested parties, authorities, and the assessing organization.
  4. Impact and likelihood scores are derived by a quantitative calculation that permits comparability among all evaluated risks and safeguards, and comparison against the risk acceptance criteria.
  5. Impact definitions ensure that the magnitude of harm to one party is equated with the magnitude of harm to others.
  6. Impact definitions should have an explicit boundary between those magnitudes acceptable to all parties and those that would not be.
  7. Impact definitions address the organization’s mission or utility (to explain why the organization and others engage in risk), the organization’s self-interested objectives, and the organization’s obligations to protect others from harm.
  8. Risk analysis relies on a standard of care to analyze current controls and recommended safeguards.
  9. Risk is analyzed by subject matter experts who use evidence to evaluate risks and safeguards.
  10. Risk assessments cannot evaluate all foreseeable risks. Therefore, risk assessments recur to identify and address more risks over time.
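The scoring and comparison these principles and practices describe, as an added illustration that is not CIS RAM's own published tables or code: impact and likelihood tiers with plain-language definitions (Practices 2 and 3), one multiplicative score so every risk and safeguard is comparable (Practice 4), an explicit acceptance boundary (Principle 2, Practice 6), and the check that a safeguard is not more burdensome than the risk it protects against (Principle 3). The 1-5 tiers, the threshold and the sample risks are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Practices 2 and 3: every tier carries a plain-language statement of harm.
# The 1-5 tiers and the threshold below are constructed for this example.
IMPACT_TIERS = {
    1: "Negligible: no party would notice or need a remedy",
    2: "Minor: recoverable with routine effort, no lasting harm",
    3: "Significant: some party would require a remedy",
    4: "Severe: lasting harm to customers or to the mission",
    5: "Catastrophic: the organization can no longer serve others",
}
LIKELIHOOD_TIERS = {
    1: "Not foreseeable within the assessment period",
    2: "Foreseeable but rare",
    3: "Expected occasionally",
    4: "Expected regularly",
    5: "Expected to be occurring now",
}
# Principle 2 / Practice 6: the explicit boundary between acceptable and
# unacceptable risk. Assumed here: a minor impact (2) at a rare
# likelihood (2) would not require a remedy to any party.
ACCEPTABLE_RISK = 2 * 2


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    likelihood: int

    def __post_init__(self):
        # Scores outside the defined tiers have no plain-language meaning.
        if self.impact not in IMPACT_TIERS or \
                self.likelihood not in LIKELIHOOD_TIERS:
            raise ValueError(f"{self.name}: scores must use the defined tiers")

    def score(self) -> int:
        # Practice 4: one formula keeps all risks and safeguards comparable.
        return self.impact * self.likelihood

    def is_acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK


def safeguard_is_reasonable(current: Risk, residual: Risk, burden: Risk) -> bool:
    """Principle 2: the residual risk must be acceptable to all parties.
    Principle 3: the safeguard's own burden, scored with the same impact
    and likelihood tiers, must not exceed the risk it protects against."""
    return residual.is_acceptable() and burden.score() <= current.score()
```

With a constructed current risk of impact 4 and likelihood 4 (score 16), a safeguard whose residual risk scores 4 and whose own burden scores 6 passes both checks, while a safeguard whose burden scores 25 fails Principle 3 even though its residual risk is acceptable.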