2 Free Courses for Learning a Proven Risk Assessment Method
Our team has already worked with Salesforce Trailhead to release an introduction to our CIS Critical Security Controls (CIS Controls) v8. Much of that course revolved around Implementation Group 1 (IG1), or what we define as essential cyber hygiene. Specifically, it discussed how maintaining an inventory of assets, implementing access controls, defending against malware, raising security awareness, and other activities help to support essential cyber hygiene.
We’ve now partnered with Trailhead to release a new trail. It's designed to help enterprises implement the CIS Controls using the CIS Risk Assessment Method (RAM). Let’s explore how below.
Elevate Your Understanding of Risk
Our new trail consists of two modules. They are as follows:
The Center for Internet Security's Risk Assessment Method
The purpose of this module is to walk you through CIS RAM. It consists of three 10-minute parts.
- The first, "Explore the Risk Assessment Method," outlines our work with risk assessment methods, reviews key terminology associated with CIS RAM v2.1, and discusses Duty of Care Risk Analysis (DoCRA) principles and practices.
- The second part, "Develop Impact Criteria," covers Risk = Impact x Expectancy, a calculation included in CIS RAM v2.1. It also describes how to begin developing Impact Criteria using the CIS RAM for IG2 v2.1 Companion Workbook.
- This leads us to "Define Enterprise Parameters," the last part of the module. It provides an overview of using a Risk Register to document Enterprise parameters, developing criteria for evaluating risk Expectancy, defining Risk Acceptance Criteria, and identifying Inherent Risk Criteria.
Risk and Safeguard Modeling and Evaluation
The second module focuses on how you can use CIS RAM to evaluate the maturity of your CIS Safeguard implementation program. It consists of two 10-minute parts.
- The first, "Score Risks," explains how you can identify assets, Safeguards, and vulnerabilities to evaluate your program's Safeguard maturity. It also reveals how CIS RAM automatically scores risks for you.
- The second, "Recommend Safeguards," focuses on what you can do with those risk scores. It begins by linking unacceptably high risk scores to opportunities for implementing or improving the implementation of a CIS Safeguard. It then goes over how you can estimate the cost of increasing your CIS Safeguard maturity.
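To make the Risk = Impact x Expectancy calculation, the Risk Acceptance Criterion, and the "Score Risks" and "Recommend Safeguards" steps concrete, here is an added illustration (not code from CIS, Trailhead, or the CIS RAM Companion Workbook). It assumes 1-5 Impact and Expectancy scales, an acceptance threshold of 6, and constructed register entries and cost figures; CIS RAM lets each enterprise define its own criteria.

```python
from dataclasses import dataclass

# Assumed Risk Acceptance Criterion: scores at or below this are acceptable.
# CIS RAM leaves the scales and threshold to the enterprise; 1-5 and 6 are
# assumptions made for this example only.
ACCEPTABLE_RISK = 6


@dataclass
class RiskEntry:
    asset: str
    safeguard: str          # constructed label, not a CIS Safeguard number
    threat: str
    impact: int             # 1-5 per the enterprise's Impact Criteria
    expectancy: int         # 1-5 per the enterprise's Expectancy Criteria
    remediation_cost: int   # constructed estimate to raise safeguard maturity

    def risk(self) -> int:
        # Risk = Impact x Expectancy (CIS RAM v2.1)
        return self.impact * self.expectancy

    def acceptable(self) -> bool:
        return self.risk() <= ACCEPTABLE_RISK


def score_register(register):
    """'Score Risks': return {asset: risk score} for every register entry."""
    return {e.asset: e.risk() for e in register}


def recommend_safeguards(register):
    """'Recommend Safeguards': unacceptable risks ordered by score (highest
    first), then by lowest cost, so the cheapest fix for the worst risk leads."""
    unacceptable = [e for e in register if not e.acceptable()]
    ranked = sorted(unacceptable, key=lambda e: (-e.risk(), e.remediation_cost))
    return [(e.safeguard, e.asset, e.risk(), e.remediation_cost) for e in ranked]


# Constructed sample Risk Register
REGISTER = [
    RiskEntry("file server", "asset inventory", "unknown device", 3, 2, 5000),
    RiskEntry("VPN gateway", "access control", "credential reuse", 5, 3, 12000),
    RiskEntry("workstations", "anti-malware", "commodity malware", 4, 4, 8000),
    RiskEntry("intranet wiki", "anti-malware", "commodity malware", 3, 5, 2000),
]

if __name__ == "__main__":
    for asset, score in score_register(REGISTER).items():
        print(f"{asset}: risk {score}")
    for safeguard, asset, score, cost in recommend_safeguards(REGISTER):
        print(f"improve {safeguard} for {asset} (risk {score}, est. cost {cost})")
```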
Why a Risk Assessment Method Is Needed
Using a risk assessment method like CIS RAM, you can take a more strategic approach to risk than you otherwise could. It demystifies risk by helping you frame it in terms of your customers, business objectives, and external entities (such as vendors). This enables you to define which risks are acceptable to your enterprise.
It also serves an important function should your enterprise fall victim to a breach. CIS RAM creates a defendable process to identify "reasonableness," that is, which risks are appropriate to your business and to interested parties at the time of the security incident. By using a risk assessment method, you can prove before a judge that you exercised "due care" to address those risks. This can help you minimize your liability for the breach.
A Turning Point
Think of the two courses discussed above as a turning point in your enterprise's security program. Through CIS RAM, your enterprise can calculate risk in alignment with essential cyber hygiene. This will help you to balance your security requirements as your business priorities evolve.