Meet CIS RAM: The New Balanced Infosecurity Framework


Applications, devices, technology and service provisioning are the bread and butter of IT, but any information security professional knows that risk management is equally important.

There is no point in an IT advisor implementing a service if it poses too much risk to the organization. This is why, for example, many companies block access to social media sites: the benefits of access do not outweigh the risk.

Information security professionals have a duty to balance the business, legal, and regulatory challenges against the benefits to the overall health of the firm. This covers the authenticity of data, the integrity of data, and privacy provisions for data, to mention just a few.

What Is CIS RAM?

The Center for Internet Security states, “CIS RAM is an information security risk assessment method that helps organizations design and evaluate their implementation of the CIS Controls™. CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments so they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Because information risks vary from one organization to the next, CIS RAM helps model “reasonable” uses of the CIS Controls to address the mission, objectives, and obligations of each environment.”

CIS (Center for Internet Security) and HALOCK Security Labs developed the CIS Risk Assessment Method, known as CIS RAM. It is designed to assist organizations in justifying investments for “reasonable” implementation of the CIS Controls.

Chris Cronin (HALOCK Security Labs) wrote a fascinating blog post on why HALOCK decided to give away its intellectual property, allowing everyone to access and benefit from its research and development in balancing cyber security against availability.

CIS RAM, by design, can assist organizations in defining their acceptable level of risk, as well as prioritizing and implementing the CIS Controls to manage their risk. CIS RAM is based on the DoCRA, or the Duty of Care Risk Analysis standard, which is recognized by most, if not all, interested parties from regulators to partners as a reasonable and appropriate implementation of security controls within an environment.

More specifically, DoCRA is a method for analyzing risk, similar to the approach used by regulators and judges. According to the CIS RAM FAQs, “Regulations and judicial ‘balancing tests’ expect that organizations consider the likelihood and degree of harm they may cause themselves and others, and to use safeguards that reduce those risks--as long as those safeguards are not overly burdensome.”
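To make the balancing test concrete, here is an added example (not code from CIS, HALOCK, or the CIS RAM documents) of how a duty-of-care analysis can be scripted. It assumes a constructed scoring scheme: ordinal 1 to 5 scales for likelihood and impact, multiplied into a score, and a single acceptance criterion applied to both the risk a safeguard leaves behind and the burden the safeguard itself creates. The threat scenario, candidate safeguards, and scores are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scoring scheme for this example: ordinal 1-5 scales for
# likelihood and impact, combined by multiplication. CIS RAM defines its
# own scales and tables; the ones here are constructed for illustration.


@dataclass(frozen=True)
class Risk:
    """A foreseeable threat scenario before any new safeguard is applied."""
    name: str
    likelihood: int   # 1 = rare ... 5 = nearly certain
    impact: int       # 1 = negligible ... 5 = catastrophic

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Safeguard:
    """A candidate control, scored twice: the risk that remains once it is in
    place, and the burden (harm to the mission or to others) it introduces."""
    name: str
    residual_likelihood: int
    residual_impact: int
    burden_likelihood: int   # how likely the safeguard itself obstructs the mission
    burden_impact: int       # how badly it does so when that happens

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def burden_score(self) -> int:
        return self.burden_likelihood * self.burden_impact


# Risk acceptance criterion (assumption): scores at or below this value are
# tolerable both to the organization and to the parties it could harm.
ACCEPTABLE_RISK = 9


def needs_treatment(risk: Risk, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """A risk must be addressed when its score exceeds the acceptance criterion."""
    return risk.score() > acceptable


def is_reasonable(safeguard: Safeguard, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """Duty-of-care test: a safeguard is reasonable when it brings the risk
    within the acceptance criterion AND is not itself an unacceptable burden."""
    return (safeguard.residual_score() <= acceptable
            and safeguard.burden_score() <= acceptable)


def choose_safeguard(risk: Risk, candidates: list[Safeguard],
                     acceptable: int = ACCEPTABLE_RISK) -> Optional[Safeguard]:
    """Pick the least burdensome reasonable safeguard, or None when the risk is
    already acceptable or no candidate passes the balancing test."""
    if not needs_treatment(risk, acceptable):
        return None
    reasonable = [s for s in candidates if is_reasonable(s, acceptable)]
    if not reasonable:
        return None
    return min(reasonable, key=lambda s: (s.burden_score(), s.residual_score()))


# Constructed scenario: credential theft via phishing against a finance team.
PHISHING = Risk("Phishing leads to credential theft", likelihood=4, impact=4)  # 16 > 9

CANDIDATES = [
    # Eliminates the threat but cripples the business: fails the burden half.
    Safeguard("Block all external email", 1, 4, 5, 4),
    # Modest residual risk, modest burden: passes both halves of the test.
    Safeguard("Phishing-resistant MFA on all accounts", 2, 3, 2, 2),
    # Cheap, but leaves the risk above the criterion: fails the risk half.
    Safeguard("Annual awareness training only", 3, 4, 1, 1),
]


def demo() -> Optional[str]:
    """Run the balancing test on the constructed scenario; returns the chosen name."""
    chosen = choose_safeguard(PHISHING, CANDIDATES)
    return chosen.name if chosen else None


if __name__ == "__main__":
    for s in CANDIDATES:
        print(f"{s.name:40} residual={s.residual_score():2} "
              f"burden={s.burden_score():2} reasonable={is_reasonable(s)}")
    print("Selected:", demo())
```

The point of scoring the burden with the same scale and criterion as the risk is that it mirrors the two-sided test the FAQ describes: a control that over-corrects (here, blocking all external email) is rejected for the same reason an under-correcting one is, and the comparison is expressed in terms an executive or regulator can follow without security jargon.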

CIS RAM provides three different risk analysis models, each designed to support organizations according to their risk analysis maturity:

  • Organizations that are new to risk analysis can use the guidelines to model foreseeable threats against the CIS Controls.
  • Experienced organizations can use the guidelines to model threats against information assets, configuring CIS Controls to protect them.
  • Expert organizations can analyze risks based on “attack paths” with the CIS Community Attack Model.

A keyword for CIS RAM is “reasonable.” CIS RAM has baked into its foundations the concept of multiple stakeholders representing different interests: executives, legal representatives, regulators, customers, suppliers, and investors. This multi-stakeholder foundation is a key benefit of CIS RAM, and it leads to another: improved communication. CIS RAM generalizes cybersecurity language and terminology in order to remove inter-discipline communication hurdles.

Whether you want to implement the CIS Controls or harmonize with other control sets such as PCI, NIST, GDPR, or ISO, CIS RAM’s duty-of-care risk analysis could help you streamline your security while meeting the requirements set by various regulators.

For instance, the risk analysis methods described in CIS RAM and DoCRA conform to established security frameworks, such as ISO 27000, NIST Special Publications, the NIST Cybersecurity Framework, and the risk assessment requirements described in PCI DSS. In other words, you can risk-assess other standards using the CIS RAM methods. CIS RAM and DoCRA also align with risk assessment guidance for regulations such as the HIPAA Security Rule, the Gramm-Leach-Bliley Act’s Safeguards Rule, Federal Trade Commission guidance on risk assessments, Massachusetts 201 CMR 17.00, GDPR, and 23 NYCRR Part 500. Specifications from these regulations can also be included in a risk assessment.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.


This publication is for educational and general information purposes only. It may contain errors and is provided as is. It is not intended as specific advice, legal, or otherwise. Opinions and views are not necessarily those of J.S. Held or its affiliates and it should not be presumed that J.S. Held subscribes to any particular method, interpretation, or analysis merely because it appears in this publication. We disclaim any representation and/or warranty regarding the accuracy, timeliness, quality, or applicability of any of the contents. You should not act, or fail to act, in reliance on this publication and we disclaim all liability in respect to such actions or failure to act. We assume no responsibility for information contained in this publication and disclaim all liability and damages in respect to such information. This publication is not a substitute for competent legal advice. The content herein may be updated or otherwise modified without notice.
