Defining "Reasonable" Security with a Risk Assessment Method
Laws, regulations, and information security standards all tell us to demonstrate “reasonable” security. However, a breach should not be the first time we try to define “reasonableness.” If you do suffer a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language that judges use to describe "reasonableness." If a court ruling finds you failed to demonstrate due care, you could be subject to significant non-compliance penalties, legal fees, and/or other fines.
Using Risk Assessments
Enterprises can use a risk assessment to demonstrate which controls are "reasonable" to implement, meaning that they've done their due diligence and taken sufficient care to protect themselves and their concerned parties against a breach. But, it can be challenging to know where to start.
This is where the Center for Internet Security Risk Assessment Method (CIS RAM) v2.1 can help. CIS RAM v2.1 is an information risk assessment method designed to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls) – all while keeping relevant risks and business needs in mind. It's also designed to be consistent with more formal security frameworks and their associated risk assessment methods.
When using CIS RAM v2.1, enterprises begin by defining their acceptable level of risk and then managing that risk after implementing the CIS Controls. Few enterprises can apply all Controls to all of their environments and information assets, however. While some Controls offer effective security, they may do so at the cost of necessary efficiency, collaboration, utility, productivity, or available budget and other resources.
Fortunately, CIS RAM v2.1 provides three different approaches to support enterprises at three levels of capability that align with the CIS Controls' Implementation Groups (IGs) – IG1, IG2, and IG3. IG3 Safeguards assist enterprises with IT security experts to secure sensitive and confidential data and aims to prevent and/or lessen the impact of sophisticated attacks.
The third document in the CIS RAM v2.1 family, CIS RAM v2.1 for IG3, helps enterprises in IG3 to build and improve upon their cybersecurity program. It also helps them to demonstrate that the risk is reasonable to the enterprise and appropriate to other parties if and when a breach occurs.
What to Expect in CIS RAM v2.1 for IG3
Enterprises may conduct risk assessments in a variety of ways. They may focus initially on recommended CIS Controls to identify vulnerabilities within a given scope, they may focus on determining how well they've protected those assets using the CIS Controls, or they may focus first on known threats to see how they would play out in an environment. Risk assessments may also vary in methodology, depending on whether they're using quantitative analysis (purely numerical representations of risk) or qualitative analysis (ranked value statements).
CIS RAM for IG3 is specifically designed to help enterprises conduct a risk assessment if they have expertise in developing, managing, and configuring systems, applications, and networks, and if they are capable of modeling threats against those systems. It also supports enterprises that understand how to configure and manage asset classes as well as evaluate how different threats create different risks. It does this by integrating the five Attack Types – Ransomware, Malware, Web Application Hacking, Insider and Privilege Misuse, and Targeted Intrusions – from the CIS Community Defense Model (CDM) v2.0, thereby helping enterprises assess their risk against the most common types of attacks.
What's more, CIS RAM for IG3 assists enterprises by significantly automating risk estimations and threat models. It reduces the complexity of risk analysis by providing:
- A simplified format for stating an enterprise’s Impact Criteria and range of magnitudes of Impact that you or others may suffer
- Guidance for stating your enterprise’s Risk Acceptance Criteria
- A fixed definition for Expectancy Criteria
- A simplified Risk Register
- Automated Expectancy calculation based on the commonality of reported threats and the maturity of the enterprise’s Safeguards
- Mapping to the CDM v2.0 to assist in threat modeling
CIS RAM v2.1 for IG3 uses v8 of the CIS Controls and comes with a workbook and a corresponding guide. These documents help readers accomplish their risk assessments, and include examples, templates, exercises, background material, and further guidance on risk analysis techniques.
While CIS RAM for IG3 is the last major document to be released, we are actively working on developing other CIS RAM modules that can help supplement the risk assessment process. For those interested in helping with these efforts, contact us at [email protected].
CIS RAM Core
CIS RAM is made up of a family of documents. The foundation of all of these documents is CIS RAM Core. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM.
CIS RAM uses the Duty of Care Risk Analysis (DoCRA) standard. It presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals for creating a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise and that function as the core tenets upon which the CIS RAM family of documents is built. Enterprises that use CIS RAM for IG3 and CIS RAM Core can then develop a plan and set expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years, receiving positive feedback from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS first collaborated to bring the methods to the public as CIS RAM v1.0 in 2018 and now v2.1 in 2021-2022. For its part, CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard upon which CIS RAM is built.
Taking the Next Step Toward Reasonable Security
Ready to conduct a cyber risk assessment? Download CIS RAM v2.1 for IG3 for step-by-step processes, example walk-throughs, and more. It’s free for any enterprise to use to conduct a cyber risk assessment.
Join the CIS RAM Community on CIS WorkBench.
View a recording of our CIS RAM v2.1 for IG3 workshop below.
Questions about CIS RAM? Email [email protected] with any questions you might have.