Every investment, business operation, or transaction involves some form of risk. Risk is the likelihood that a threat will exploit a vulnerability, which may result in a compromise of information and information assets (Alali et al., 2018). Given that risk is present in every business operation, risk management is crucial to securing every organization's critical assets. Risk assessment, the first step of risk management, therefore involves identifying the threats and vulnerabilities within an organization that intruders could take advantage of to compromise information and information systems, analyzing the impact of the risk on the business, and classifying the risk while proposing mitigating controls (Bilal et al., 2020). Several risk assessment models exist that serve as guides for conducting risk assessments. This post, however, focuses on the Center for Internet Security Risk Assessment Method (CIS RAM).
What is CIS RAM
CIS RAM is a risk assessment method aimed at helping organizations implement and assess their security risk posture against the 18 CIS Critical Security Controls (CIS Controls) (CIS, 2022). The CIS RAM thus serves as a guide for organizations in the public or private sector when planning and justifying the implementation of CIS Critical Security Controls. It also conforms to and supplements established security risk assessment methods such as NIST SP 800-30, ISO/IEC 27005, and Risk Information Technology (IT). With CIS RAM, risks and safeguards are evaluated using the 'due care' and 'reasonable safeguard' concepts, which regulators and legal authorities use to determine whether an organization acted as a 'reasonable person' in the event of a dispute (CIS, 2022).
The foundation of the CIS RAM is the Duty of Care Risk Analysis (DoCRA) standard, which uses risk assessment methods that are understood by legal authorities, regulators, and information security practitioners (CIS, 2022). DoCRA comprises three principles and ten practices that guide risk assessment. The principles describe the characteristics a risk assessment must have to align with regulatory and legal frameworks, while the practices describe the components of a risk assessment that make it possible to satisfy the principles.
3 CIS RAM DoCRA Principles
- The interest of all parties affected by the risk must be considered during a risk analysis.
- Risk must be significantly lowered to a level not requiring a remedy to any party.
- Safeguards must not be more burdensome than the risk they are protecting against.
10 CIS RAM DoCRA Practices
- Risk analysis must consider the possibility that threats could create magnitudes of impacts.
- Tolerance levels are stated and applied to each factor in risk analysis.
- Impact and likelihood scores state the concerns of interested parties, authorities, and the assessing organization qualitatively.
- Impact and likelihood are derived using a quantitative technique that compares evaluated risks, safeguards, and risk acceptance criteria.
- Impact definitions ensure that a given magnitude of harm is valued the same regardless of which party suffers it.
- Impact definitions should clearly mark the boundary between magnitudes of harm acceptable to all parties and those that are not.
- Impact definitions should address the organization’s mission, objectives, and obligations.
- Risk analysis examines current controls together with safeguards using a standard of care.
- Risk analysis is performed by subject matter experts (SMEs) who use evidence to evaluate risks and safeguards.
- Risk assessments cannot evaluate all foreseeable risks, so they must be recurrent to identify and address risks over time.
CIS RAM Risk Assessment Process
The CIS RAM risk assessment process involves the following five steps:
- Developing the risk assessment and acceptance criteria, which specify how risk is evaluated and accepted.
- Risk modeling, which evaluates the current implementation of the CIS Controls that prevent or detect threats.
- Risk evaluation, which estimates the expectancy and impact of future security breaches and determines whether the identified risk is acceptable.
- Recommending CIS Safeguards to reduce unacceptable risk.
- Performing a risk analysis of the recommended CIS Safeguards to ensure the risk they pose is low and does not create an undue burden.
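To make the five steps and the three DoCRA principles concrete, the following is an added example (not CIS's own tooling, scoring tables, or worked examples). It assumes a simplified model: impact and expectancy are scored on 1 to 5 scales, a risk score is impact multiplied by expectancy with impact taken as the worst case across all interested parties, a risk is acceptable at or below a constructed acceptance criterion of 9, and a safeguard is reasonable only when the residual risk it leaves is acceptable and the burden it creates scores no higher than the risk it reduces. The control, threat, and scores are constructed for illustration.

```python
"""Simplified CIS RAM / DoCRA style risk evaluation.

Added example, not CIS's own scoring method. Assumptions are labelled below.
"""
from dataclasses import dataclass

# Step 1: risk assessment and acceptance criteria (constructed values).
SCALE = range(1, 6)          # assumption: 1 = negligible .. 5 = catastrophic
ACCEPTANCE_CRITERION = 9     # assumption: impact x expectancy at or below this is acceptable


def _check_score(value):
    """Tolerance levels apply to every factor, so reject out-of-scale scores."""
    if value not in SCALE:
        raise ValueError(f"score {value} is outside the scale {list(SCALE)}")


@dataclass
class Risk:
    control: str          # the CIS Control / Safeguard under review (step 2)
    threat: str
    expectancy: int       # how likely the threat is to succeed against current controls
    impacts: dict         # party -> impact score, e.g. {"mission": 2, "customers": 4}

    def impact(self):
        # Harm to one party is valued the same as harm to another, so the
        # governing impact is the highest score any interested party would suffer.
        return max(self.impacts.values())

    def score(self):
        _check_score(self.expectancy)
        for value in self.impacts.values():
            _check_score(value)
        return self.impact() * self.expectancy

    def acceptable(self, criterion=ACCEPTANCE_CRITERION):
        # Step 3: compare the evaluated risk against the acceptance criterion.
        return self.score() <= criterion


@dataclass
class Safeguard:
    name: str
    residual: Risk          # the risk as it would stand after the safeguard is in place
    burden_impacts: dict    # cost or disruption the safeguard itself imposes, per party
    burden_expectancy: int  # how certain that burden is (5 = it always occurs)

    def burden(self):
        # The burden is modelled as a risk in its own right so it can be compared
        # on the same scale as the risk being reduced (DoCRA principle 3).
        return Risk("safeguard burden", self.name, self.burden_expectancy, self.burden_impacts)


def evaluate_safeguard(current, safeguard, criterion=ACCEPTANCE_CRITERION):
    """Step 5: a recommended safeguard is reasonable only if it leaves acceptable
    residual risk and is not more burdensome than the risk it protects against."""
    residual_ok = safeguard.residual.acceptable(criterion)
    not_burdensome = safeguard.burden().score() <= current.score()
    return {
        "residual_score": safeguard.residual.score(),
        "burden_score": safeguard.burden().score(),
        "residual_ok": residual_ok,
        "not_burdensome": not_burdensome,
        "reasonable": residual_ok and not_burdensome,
    }


def unacceptable_risks(risks, criterion=ACCEPTANCE_CRITERION):
    """Step 4 input: the risks that need a recommended safeguard."""
    return [r for r in risks if not r.acceptable(criterion)]


# Constructed scenario: stale accounts under CIS Control 5 (Account Management).
CURRENT_RISK = Risk(
    control="CIS Control 5: Account Management",
    threat="credential stuffing against dormant accounts",
    expectancy=4,
    impacts={"mission": 2, "customers": 4, "obligations": 3},
)  # score 4 x 4 = 16, above the criterion of 9

# A proportionate safeguard: disable dormant accounts and require MFA.
MFA_SAFEGUARD = Safeguard(
    name="disable dormant accounts after 45 days and enforce MFA",
    residual=Risk(CURRENT_RISK.control, CURRENT_RISK.threat, 2,
                  {"mission": 2, "customers": 3, "obligations": 2}),  # 3 x 2 = 6
    burden_impacts={"mission": 2, "objectives": 1},   # help-desk load, onboarding delay
    burden_expectancy=5,                              # burden 2 x 5 = 10, below 16
)

# An over-engineered safeguard whose burden exceeds the risk it addresses.
TOKEN_SAFEGUARD = Safeguard(
    name="issue hardware tokens to every contractor and partner",
    residual=Risk(CURRENT_RISK.control, CURRENT_RISK.threat, 2, {"customers": 1}),  # 1 x 2 = 2
    burden_impacts={"mission": 4},                    # major disruption to partner access
    burden_expectancy=5,                              # burden 4 x 5 = 20, above 16
)

if __name__ == "__main__":
    for risk in unacceptable_risks([CURRENT_RISK]):
        print(f"unacceptable: {risk.control} / {risk.threat} (score {risk.score()})")
    for sg in (MFA_SAFEGUARD, TOKEN_SAFEGUARD):
        print(sg.name, evaluate_safeguard(CURRENT_RISK, sg))
```

The two safeguards both bring the residual risk below the acceptance criterion, but only the first passes the burden test; that is the distinction the 'reasonable safeguard' concept draws, and expressing it on a single scale is what lets the assessment be defended to a regulator or court rather than argued from intuition.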
References

Alali, M., Almogren, A., Hassan, M. M., Rassan, I. A., & Bhuiyan, M. Z. A. (2018). Improving risk assessment model of cyber security using fuzzy logic inference system. Computers & Security, 74, 323-339. https://doi.org/10.1016/j.cose.2017.09.011

Bilal, M., Gani, A., Liaqat, M., Bashir, N., & Malik, N. (2020). Risk assessment across life cycle phases for small and medium software projects. Journal of Engineering Science and Technology, 15(1), 572-588.

CIS. (2022). CIS RAM (Risk Assessment Method). Center for Internet Security. https://www.cisecurity.org/insights/white-papers/cis-ram-risk-assessment-method#:~:text=CIS%20RAM%20(Center%20for%20Internet,CIS%20Controls)%20cybersecurity%20best%20practices.