60 Minutes to a Better Risk Assessment Outcome with CIS RAM
Want to know more about risk analysis? Check out the presentation below by Chris Cronin, a partner at Halock Security Labs and Chair of the DoCRA Council. In roughly one hour, Chris explains how CIS RAM v1.0 (Risk Assessment Method) can help organizations understand and prepare for cybersecurity risks. He highlights that:
- All organizations should conduct a risk assessment
- Risk assessments should be based on Duty of Care
Watch the presentation
A bit about risk assessments
There are several risk assessment methods available that help organizations identify cyber threats and vulnerabilities, estimate the likelihood of events, and establish standards of care. However, only duty of care risk analysis (DoCRA) seeks the balance between harm that may come to others, and the burden of safeguards to protect them. Because DoCRA speaks the language of business, regulators, and litigators, it also assures the business that security priorities are aligned with what matters.
The Principles
CIS RAM and DoCRA are guided by three primary principles:
- Risk analysis must consider the interests of all parties that may be harmed by the risk.
- Risks must be reduced to a level that authorities and potentially affected parties would find appropriate.
- Safeguards must not be more burdensome than the risks they protect against.
How does CIS RAM fit into the risk discussion?
CIS RAM provides users a risk assessment method for analyzing their information security posture. It is based on the DoCRA standard, which defines an acceptable risk based on duty of care. CIS RAM provides templates and examples to help organizations create their own risk assessments.
The risk assessment method offers three levels of instruction and guidance for organizations. It can help organizations that are either starting out in risk analysis, proficient in cybersecurity management, or subject matter experts. Any organization can conduct a meaningful risk assessment by following the detailed directions and using the templates provided in CIS RAM.
Tips for using CIS RAM
Be prepared to compare unlike things
Organizations and people suffer harm differently from one another. CIS RAM prepares you for comparing these different impacts equitably.
Be prepared to collaborate
CIS RAM is at its best when people collaborate. Executives may help define the criteria for defining and accepting risk. Non-technical information handlers may let you know why some safeguards would make them less effective and may have an excellent alternative to recommend.
Get ready to accept risk
CIS RAM provides detailed, tested guidance on defining the conditions for accepting risk. Built upon evaluation methods used by regulators, litigators, and business leaders, risk acceptance will be easy to communicate to various parties.
Start small
You may have a lot of systems and assets to assess, but maybe you just need a handful of problems to resolve at the beginning. Follow CIS RAM’s instructions for setting up a risk register and process just a few CIS Controls™ and systems to answer those pressing questions. Then expand to other systems and controls when you are ready.
Upgrade your current security assessments with duty-of-care components
Chapter 5 of CIS RAM v1.0 shows how alternative risk evaluation methods can be incorporated into the DoCRA principles that CIS RAM is built upon.
Remember to evaluate potential harm not just to your organization, but to others as well
In cybersecurity, we are not just protecting our own organizations. We are protecting anyone who can be harmed by a security failure. CIS RAM shows you how to include others in your risk analysis while keeping everyone’s needs in balance.