Following the recommendation of the BHIS team, I'm diving into the twenty CIS Controls, using my household as a proxy for an organization.
The CIS Controls™ are a community-built set of prioritized cybersecurity guidance.
The CIS Controls are a prioritized set of actions that help protect organizations and their data from known cyber attack…
While I was browsing the CIS website, I also found their risk management tool, CIS RAM (Risk Assessment Method).
Controls are part of the risk mitigation phase of a broader risk management initiative:
Therefore, let’s start at the beginning of the circle and use CIS RAM to do a self-assessment.
CIS Risk Assessment Method (CIS RAM)
CIS RAM (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that…
CIS RAM is an interesting method on many levels. It conforms to and supplements standards such as ISO 27005, NIST Special Publication 800-30 and RISK IT. It also bridges two different risk analysis approaches: the well-known formulation found in U.S. regulations and InfoSec standards, Risk = Impact x Likelihood, and the less well-known "calculus of negligence" or "Learned Hand Rule"; as such it incorporates principles and practices from Duty of Care Risk Analysis.
The Duty of Care Risk Analysis Standard[…] presents principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. […] the basis for determining whether the organizations bear responsibility and liability often centers on the concepts of a "duty of care" and "due care." Duty of care risk analysis helps organizations determine whether they apply safeguards that appropriately protect others from harm while presenting a reasonable burden to themselves.
CIS RAM puts emphasis on the multiple dimensions of Impact in the classic Risk = Impact x Likelihood formula, resulting in this definition of risk:
Risk = Max (Mission Impact, Objectives Impact, Obligations Impact) x Likelihood.
CIS RAM also replaces the concept of Residual Risk (the reduced risk that remains after mitigation) with Safeguard Risk:
The purpose behind evaluating residual risk this way is to address the fact that new controls often have unintended consequences. […] Security controls may reduce the risk to security obligations by controlling access to data, but may increase the risk to the organization's mission which requires sharing the data. Legal decisions and regulations consider these excessive safeguards as "burdens" because they may harm the organization that is trying to protect the data.
By evaluating safeguard risk using the same criteria that are used to evaluate risks, organizations will be more cognizant of the true cost of controls […].
The risk analysis provided in the CIS RAM is at its root a question of balance between the potential of future harm against the certain burden of a safeguard. Regulators and litigators have long considered this balance as key to acting as a “reasonable person.”
Here is an example:
Information security controls are very often considered to be a hindrance to business. Users often complain that security controls get in the way of productivity, efficiency, ease of collaboration and communication, and other business-impacting concerns. Organizations should take these complaints seriously. Fortunately, regulators have provided organizations with a means to evaluate these concerns. Moreover, courts consider the burden of safeguards in lawsuits and would understand the reasoning that this risk analysis provides.
By evaluating risks and their recommended safeguards using the same criteria, organizations ensure that risk analysis addresses the concerns of all parties within and outside of their organization, and provides evidence of their conscientious decision to regulators and judges.
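To make the two formulas above concrete, here is an added worked example (not code from the original post, from CIS or from the CIS RAM document). It scores a constructed household scenario with Risk = Max(Mission Impact, Objectives Impact, Obligations Impact) x Likelihood, then scores two candidate safeguards with the same criteria, counting both the residual threat and the safeguard's own certain burden. The 1-to-5 scales, the acceptable-risk threshold, the scenario numbers and the rule that the worse of residual threat and burden is the safeguard risk are all assumptions of this example, not CIS RAM's published scoring tables.

```python
"""Worked example of the CIS RAM risk and safeguard-risk formulas.

Added illustration, not CIS code. The 1-5 ordinal scales, the acceptable-risk
threshold and the household scenario below are constructed assumptions.
"""
from dataclasses import dataclass

SCALE_MAX = 5          # assumption: impact and likelihood scored 1 (lowest) .. 5 (highest)
CERTAIN = SCALE_MAX    # the burden of a deployed safeguard is certain, so max likelihood
ACCEPTABLE_RISK = 10   # assumption: the household accepts risk scores at or below this


@dataclass(frozen=True)
class Impact:
    mission: int       # harm to why the organization (here a household) exists
    objectives: int    # harm to the goals it has set for itself
    obligations: int   # harm to others it owes a duty of care


def _check(*scores: int) -> None:
    for s in scores:
        if not 1 <= s <= SCALE_MAX:
            raise ValueError(f"score {s} outside 1..{SCALE_MAX}")


def risk_score(impact: Impact, likelihood: int) -> int:
    """Risk = Max(Mission Impact, Objectives Impact, Obligations Impact) x Likelihood."""
    _check(impact.mission, impact.objectives, impact.obligations, likelihood)
    return max(impact.mission, impact.objectives, impact.obligations) * likelihood


def safeguard_risk(residual: Impact, residual_likelihood: int, burden: Impact) -> int:
    """Score a safeguard with the same criteria as the risk it addresses.

    Two things can still cause harm once the safeguard is in place: the threat
    (now with reduced impact and likelihood) and the safeguard itself (its burden,
    which is certain). The worse of the two is the safeguard risk. Splitting the
    two into separate terms and taking the max is this example's reading of the
    text, not a quotation of the CIS RAM scoring method.
    """
    return max(risk_score(residual, residual_likelihood),
               risk_score(burden, CERTAIN))


def is_reasonable(risk: int, sg_risk: int, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """Assumed reasonableness test: the safeguard brings risk within what the
    organization accepts AND does not itself create a risk as bad as the one it
    addresses."""
    return sg_risk <= acceptable and sg_risk < risk


# Constructed scenario: a family NAS holds photos shared with relatives (part of
# the household's "mission") and a relative's medical records (an "obligation").
# Threat: the NAS is reachable from the internet and gets compromised.
THREAT_IMPACT = Impact(mission=2, objectives=2, obligations=5)
THREAT_LIKELIHOOD = 4

# name -> (residual impact, residual likelihood, burden impact)
SAFEGUARDS = {
    # Pull the plug: no remote access at all. The threat is nearly gone, but the
    # family can no longer share photos with the grandparents.
    "disable remote access": (Impact(2, 2, 1), 1, Impact(mission=4, objectives=3, obligations=1)),
    # Keep sharing, but move the medical records to an encrypted share behind
    # MFA. Some friction, most of the mission intact.
    "encrypt records + MFA": (Impact(2, 2, 2), 2, Impact(mission=2, objectives=1, obligations=1)),
}


def evaluate(name: str) -> dict:
    """Return the unmitigated risk, the safeguard risk and the reasonableness verdict."""
    residual, likelihood, burden = SAFEGUARDS[name]
    risk = risk_score(THREAT_IMPACT, THREAT_LIKELIHOOD)
    sg = safeguard_risk(residual, likelihood, burden)
    return {"risk": risk, "safeguard_risk": sg, "reasonable": is_reasonable(risk, sg)}


if __name__ == "__main__":
    for name in SAFEGUARDS:
        print(f"{name}: {evaluate(name)}")
```

The first safeguard eliminates the threat but its certain burden on the household's mission scores as high as the original risk, so it fails the test; the second leaves some residual threat yet lands within the (assumed) acceptable level while clearly reducing the risk, so it is the one a "reasonable person" would pick.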
Security management capability tiers
CIS RAM uses NIST Cybersecurity Framework Tiers. The Tiers indicate:
how an organization views cybersecurity risk and the processes in place to manage that risk.
— NIST Cybersecurity Framework