Cis ram for cis controls v7

Version 1.0 – April 2018 i

Version 1.0 Center for Internet Security® Risk Assessment Method

For Reasonable Implementation and Evaluation of CIS ControlsTM

Version 1.0 – April 2018 i

CIS RAM - Center for Internet Security® Risk Assessment Method (Version 1.0)

April 2018

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc- nd/4.0/legalcode). CIS RAM also incorporates the CIS Controls™ Version 7, which is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Controls and CIS RAM, you

are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls or CIS RAM, you may not distribute the modified materials. Commercial use of the CIS Controls or CIS RAM is subject to the prior approval of CIS® (Center for Internet Security, Inc.).

Background and Acknowledgements The original content of CIS RAM was developed by HALOCK Security Labs. It is based on their extensive experience helping clients and legal authorities deal with cybersecurity and due care issues. Recognizing the universal need for a vendor-neutral, open, industry-wide approach to these issues, HALOCK Security Labs approached CIS to make this work openly available to the entire cybersecurity community. This generous contribution of intellectual property (and the extensive work to generalize and tailor it to the CIS Controls) has been donated to CIS and is now available and maintained as a CIS community-supported best practice.

As with all CIS work, we welcome your feedback, and we also welcome volunteers who wish to participate in the evolution of this and other CIS products.

CIS gratefully acknowledges the contributions provided by HALOCK Security Labs and the DoCRA Council in developing CIS RAM and the CIS RAM Workbook.

Significant contributions to Version 1 of CIS RAM were made by:

Principal Author: Chris Cronin. Partner, HALOCK Security Labs

Contributing Authors: Jim Mirochnik, Terry Kurzynski, and David Andrew, Partners, HALOCK Security Labs. Erik Leach and Steve Lawn, HALOCK Security Labs. Paul Otto, Attorney, Hogan Lovells US LLP.

Review and vetting was provided by multiple members of the CIS staff.

Version 1.0 – April 2018 ii

Table of Contents

Foreword ................................................................................................................................... iv Who this risk assessment method is for................................................................................... iv What this document provides .................................................................................................. v The role of professional judgment ........................................................................................... v

Author’s Introduction ............................................................................................................... vi

Structure of the Document ...................................................................................................... vii

Glossary .................................................................................................................................. viii

Risk Assessment Method Examples ....................................................................................... x

Chapter 1: Risk Analysis Primer .............................................................................................. 2 CIS Risk Assessment Method for Due Care ............................................................................ 3 Evolving Risk Analysis Methods .............................................................................................. 7 Overview of the CIS Risk Assessment Method ........................................................................ 9 Selecting A Tier for Your Risk Assessment Instructions ......................................................... 12

Chapter 2: Control-Based Risk Assessment Instructions for Tier 1 Organizations............. 15 The Risk Assessment Project ............................................................................................... 15 Defining the Scope & Scheduling Sessions ........................................................................... 17 Defining Risk Assessment Criteria ........................................................................................ 21 Defining Risk Acceptance Criteria ......................................................................................... 25 A Control-Based Risk Assessment Process .......................................................................... 27 Risk Treatment Recommendations ....................................................................................... 38

Chapter 3: Asset-Based Risk Assessment Instructions for Tier 2 Organizations ............... 48 The Risk Assessment Project ............................................................................................... 48 Defining the Scope & Scheduling Sessions ........................................................................... 49 Defining Risk Assessment Criteria ........................................................................................ 53 Defining Risk Acceptance Criteria ......................................................................................... 59 An Asset-Based Risk Assessment Process ........................................................................... 61 Risk Treatment Recommendations ....................................................................................... 74

Chapter 4: Threat-Based Risk Assessment Instructions for Tiers 3 and 4 Organizations ... 84 The Risk Assessment Project ............................................................................................... 84 Defining Risk Assessment Criteria ........................................................................................ 85 Defining Risk Acceptance Criteria ......................................................................................... 92 A Threat-Based Risk Assessment Process............................................................................ 94 Risk Treatment Recommendations ..................................................................................... 110

Chapter 5: Risk Analysis Techniques .................................................................................. 116 Risk Analysis Techniques ................................................................................................... 116 Introduction ......................................................................................................................... 116 Defining Impacts for Tier 1 organizations ............................................................................. 116 Defining Impacts for Tier 2, Tier 3, and Tier 4 organizations ................................................ 121 Estimating Likelihood Through “Defense-Readiness” Analysis ............................................. 127 Using Probability with Duty of Care Risk Analysis ................................................................ 129

Version 1.0 – April 2018 iii

Noting How Realized Risk Might be Detected ...................................................................... 133 Leveraging Duty of Care Risk Analysis for Maturity Models ................................................. 135 Interview Techniques .......................................................................................................... 136 Evaluating Inherent Risk ..................................................................................................... 139 Root Cause Analysis ........................................................................................................... 140

Helpful Resources ................................................................................................................ 142

Contact Information .............................................................................................................. 143

Version 1.0 – April 2018 iv

Foreword The objective of the Center for Internet Security® Risk Assessment Method (“CIS RAM”) is to help organizations plan and justify their implementation of CIS ControlsTM Version 7, whether those controls are fully or partially operating. Few organizations can apply all controls to all information assets, because – while reducing some risks – security controls also introduce new risks to efficiency, collaboration, utility, productivity, or available funds and resources. Laws, regulations, and information security standards all consider the need to balance security against an organization’s purpose and its objectives, and require risk assessments to find and document that balance. The risk assessment method described here provides a basis for communicating cybersecurity risk among security professionals, business management, legal authorities, and regulators using a common language that is meaningful to all parties. The CIS RAM conforms to and supplements established information security risk assessment standards, such as ISO/IEC 27005,1 NIST Special Publication 800-30,2 and RISK IT.3 By conforming to these standards, the CIS RAM helps the reader conduct risk assessments according to established standards. By supplementing these standards, the CIS RAM helps its readers evaluate risks and safeguards using the concept of “due care” and “reasonable safeguards” that the legal community and regulators use to determine whether organizations act as a “reasonable person.” The CIS® designed and prioritized the CIS Controls so that they would prevent or detect the most common causes of cybersecurity events as determined by a community of information security professionals. As a result, CIS Controls V7 has risk considerations at its core. But because risks vary from one organization to the next, the risk analysis methods described in this document can assist organizations in applying the CIS Controls so that they reasonably and defensibly address the unique risks and resources at each organization.

Who this risk assessment method is for

Cybersecurity risk assessments are important tools for organizations that help them evaluate and prioritize their risks, but also to determine when their risks are acceptable. This risk assessment method is designed to be practical for a broad population of users, whether they are novices to cybersecurity issues, capable of recognizing cybersecurity concerns, or experts. Organizations that must demonstrate “reasonable” safeguards and risk management for regulatory, contractual, or security management purposes may benefit from the use of the method. Additionally, the CIS RAM is designed to promote meaningful communications and consensus among technicians, non-technical management, security experts, risk managers, as well as legal and regulatory professionals.

1 ISO/IEC 27005:2011 provided by the International Organization for Standardization. 2 NIST Special Publications 800-30 Rev. 1 provided by the National Institute of Standards and Technology. 3 RISK IT Framework provided by ISACA.

Version 1.0 – April 2018 v

What this document provides

The CIS RAM guides readers to conduct risk assessments in a way that match the expectations stated in laws, regulations, and information security standards. The CIS RAM accomplishes this by providing instructions, templates, examples, and exercises to demonstrate its methods. These substantiate the framework of a risk assessment.

The role of professional judgment

Using CIS RAM, the reader will be able to rapidly develop a risk register that communicates reasonableness to many authorities and experts, but the reader will also need to bring their professional judgment (theirs and the judgment of collaborating experts) to the task. Professional judgment will help organizations determine the scope and boundaries of the risk assessment, to define the organization’s mission, objectives, and obligations, to decide which risks will be evaluated, to identify foreseeable threats, and to recommend risk treatment safeguards.

Version 1.0 – April 2018 vi

Author’s Introduction The information security community, regulators, attorneys, and managers all understand that perfect cybersecurity is not possible. Even as organizations implement safeguards that are as practical as CIS Controls V7, there are limitations to the degree that organizations can implement security safeguards. Limited security resources (money, experts, and time), competing business priorities, and the ever-changing threat landscape make it difficult for organizations to completely implement a cybersecurity standard equally to all information assets. Even without these challenges, organizations must operate in somewhat vulnerable environments to fulfill their mission and achieve their objectives. For example, the security value of encryption is obvious, yet information at some point must be unencrypted to serve its purpose. And sometimes information must be unencrypted to enforce other security safeguards, such as data loss prevention. But how does an organization know whether to accept the risk of those moments and transactions when information is unencrypted? And how does it determine whether other supporting safeguards are appropriately protecting the unencrypted information? There is no single answer to that question or to other “grey area” cybersecurity questions that organizations regularly encounter. To assist organizations in their security efforts, laws, regulations, the courts, and information security professionals tell us to use risk assessments to answer for ourselves whether we should accept or reduce risks. Cybersecurity safeguards must be reasonable and appropriate. They must reduce the risk of harm to organizations and to others, but they also must not create too great a burden on the organizations that use those safeguards. The terms “reasonable” and “appropriate” are loaded with many legal, regulatory, expert, and business meanings. But these meanings can be addressed, documented, and justified using a well-constructed risk assessment. By using the CIS RAM as part of their cybersecurity program, organizations will be more able to adopt CIS Controls V7 in a way that can be successfully demonstrated as reasonable and appropriate to internal management, authorities, security experts, and legal counsel who have an interest in the organization’s success. The CIS RAM document is designed to guide organizations step-by-step through their risk assessment, regardless of their experience in conducting these assessments. We encourage readers to work through each chapter that is suited for their organization, and to follow along with the exercises, worksheets, and examples until their risk register is complete.

Chris Cronin Partner, HALOCK Security Labs Chair, DoCRA Council

Version 1.0 – April 2018 vii

Structure of the Document Center for Internet® Security Risk Assessment Method (CIS RAM) is a documented process for conducting risk assessments that address requirements for security, business, regulations, and duty of care requirements. This document will describe the risk assessment method using the following components:

• Instructions are the major portion of the CIS RAM. Instructions provide step-by-step guidance for conducting a risk assessment as a project. Three sets of instructions are provided that address the risk assessment method for organizations based on their risk management maturity. Instructions may be further customized and adapted by each organization according to their needs. Risk assessment techniques are provided at the end of the document to help organizations further develop their risk assessment capabilities.

• Principles state the necessary and fundamental rules for assessing risks according to this method. The principles are the fundamental characteristics of a risk assessment that translates security concerns to regulatory, legal, and business expectations. As organizations customize instructions and templates for their organization, these principles should remain. Risk assessment processes that are developed and conducted without adherence to these principles cannot be considered as “conforming” to the method.

• Examples demonstrate processes and steps. Examples will be accompanied by explanatory scenarios to show the reader how each step is to be conducted. Examples are provided both in this document, and in a separate document, the CIS_RAM_Workbook for ease of use.

• Templates model the risk assessment steps, risk analysis methods, and reporting. Templates will assist in rapid adoption of the method’s processes by each organization, and will provide for consistent risk assessment practices between organizations. Templates are provided in a separate document, the CIS_RAM_Workbook for easy adoption of CIS RAM.

• Exercises encourage the reader to apply what they’ve learned in the instructions by using the provided templates to design and conduct their own risk assessment.

• Background notes explain why a risk assessment step is taken, or why a principle is applied. Background commentary enables risk practitioners to describe to interested parties how their risk assessment addresses the needs of interested parties and authorities.

• The Glossary provides definitions for specialized terms used in this document. Because risk management methods vary and audiences have variable experience in risk management, the glossary will ensure consistent term usage and meaning.

--

This guide includes references a selection of controls from CIS Controls V7 as examples of safeguards that are specifically selected to help protect organizations. Since such resources change from time to time, please contact CIS or refer to our website for the most recent information. (www.cisecurity.org)

Version 1.0 – April 2018 viii

Glossary Appropriate: A condition in which risks to information assets will not foreseeably create harm that is greater than what the organization or interested parties can tolerate. Asset Class: A group of information assets that are evaluated as one set based on their similarity. “Servers,” “end-user computers,” “network devices” are examples, as are “email servers,” “web servers” and “authentication servers.” Attack Path: A series of activities and information assets within the lifecycle of a security incident. Attack Path Model: A description of how a specific attack path may occur within an environment. Burden: The negative impact that a safeguard may pose to the organization, or to others. Business Owners: Personnel who own business processes, goods, or services that information technologies support. i.e. customer service managers, product managers, sales management. Constituents: Individuals or organizations that may be benefit from effective security over information assets, or may be harmed if security fails. Control: A documented method for protecting information assets using technical, physical, or procedural safeguards. Control Objective: The intended outcome of a control. Due Care: The amount of care that a reasonable person would take to prevent foreseeable harm to others. Duty of Care: The responsibility to ensure that no harm comes to others while conducting activities, offering goods or services, or performing any acts that could foreseeably harm others. Impact: The harm that may be suffered when a threat compromises an information asset. Impact Score: The magnitude of impact that can be suffered. This is stated in plain language and is associated with numeric scales, usually from ‘1’ to ‘3’ or ‘1’ to ‘5’. Impact Type: A category of impact that estimates the amount of harm that may come to a party or a purpose. The CIS RAM describes three impact types; Mission, Objectives, and Obligations. Information Asset: Information or the systems, processes, people, and facilities that facilitate information handling. Inherent Risk: The likelihood of an impact occurring when a threat compromises an unprotected asset. Key Risk Indicator: Aggregations and trending analysis of measures that management may use to understand their risk status. Likelihood: The degree to which a threat is expected to create an impact. May be stated in terms of frequency, foreseeability, or probability. Measure: A repeatable, evidence-based indication that a safeguard achieves its control objective. Observed Risk: The current risk as it appears to the risk assessor. Probability: The product of statistical analysis that estimates the likelihood of an event. Reasonable: A condition in which safeguards will not create a burden to the organization that is greater than the risk it is meant to protect against. Residual Risk: The risk that remains after a safeguard is applied. This concept is not directly used by CIS RAM, but implies that risk is lowered when a safeguard is applied. Residual risk does not take into account potential negative impacts to the organization when safeguards are applied. Risk: An estimation of the likelihood that a threat will create an undesirable impact. In terms of this method, risk may be expressed as the product of a likelihood and an impact.

Version 1.0 – April 2018 ix

Risk Analysis: The process of estimating the likelihood that an event will create an impact. The foreseeability of a threat, the expected effectiveness of safeguards, and an evaluated result are necessary components of risk analysis. Risk analysis may occur during a comprehensive risk assessment, or as part of other activities such as change management, vulnerability assessments, system development and acquisition, and policies exceptions. Risk Assessment: A comprehensive project that evaluates the potential for harm to occur within a scope of information assets, controls, and threats. Risk Evaluation: The mathematical component of risk analysis that estimates the likelihood and impact of a risk, and compares it to acceptable risk. Risk Management: A process for analyzing, mitigating, overseeing, and reducing risk. Risk Treatment Option: The selection of a method for addressing risks. Organizations may choose to Accept, Reduce, Transfer, or Avoid risks. Risk Treatment Plan: A comprehensive project plan for implementing risk treatment recommendations. Risk Treatment Recommendations: A listing of safeguards or processes that may be implemented and operated to reduce the likelihood and/or impact of a risk. Safeguard: Technologies, processes, and physical protections that prevent or detect threats against information assets. Safeguards are implementations of controls. Safeguard Risk: The risk posed by recommended safeguards. An organization’s mission or objectives may be negatively impacted by a new security control. These impacts must be evaluated to understand their burden on the organization, and to determine whether the burden is reasonable. Security: An assurance that characteristics of information assets are protected. Confidentiality, Integrity, and Availability are common security characteristics. Other characteristics of information assets such as velocity, authenticity, and reliability may also be considered if these are valuable to the organization and its constituents. Standard of Care: A set of practices, controls, or requirements that are known to improve outcomes and reduce failures for practitioners of a specialized field or profession. Steward: Personnel who are responsible for the security and proper operations of information assets, (e.g. database administrator, records manager, or network engineer). Threat: A potential or foreseeable event that could compromise the security of information assets. Threat Model: A description of how a threat could compromise an information asset, given the current safeguards and vulnerabilities around the asset. Vulnerability: A weakness that could permit a threat to compromise the security of information assets.

Version 1.0 – April 2018 x

Risk Assessment Method Examples CIS RAM provides three sets of instructions that each describe a full risk assessment project. Each set of instructions is designed for organizations of varying information security management capabilities to increase the method’s usefulness. All three sets of instructions present a fictional organization that is conducting an information security risk assessment, and that improves its risk management capabilities over time. The example organization begins the risk assessment in the first set of instructions as a security novice with little involvement by business management. After a year of improving their security posture and abilities, they assess risk in the second set of instructions using more refined reasoning and methods, and in collaboration with business management. Finally, they mature enough as a capable organization to take on complex risk analysis in the third set of instructions. The example organization described in this document manufactures and services medical devices (“diary devices”) that read biological information from patients that wear the devices. The organization works in clinical environments to support the patients as well as the devices, and as a result carries private health information about the patients. Because they work with military and veterans’ organizations, many of their patients are active or former members of the armed forces. As a result, the organization poses heightened risk and requires heightened scrutiny over their cybersecurity controls. The example organization is hypothetical and is not based on a known organization, technology, or service. But the risks they encounter are commonly seen and managed by many types of organizations. Example materials related to the example organization are provided in the document CIS_RAM_Workbook in re-usable templates.

The reader will best develop an understanding of the risk assessment method by following along with the workbook, and by entering their own examples in the spaces provided within each sample worksheet.

Version 1.0 – April 2018 1

Center for Internet Security® Risk Assessment Method

CIS RAM Version 1.0

April 2018

Version 1.0 – April 2018 2

Chapter 1: Risk Analysis Primer CIA RAM describes a method for cybersecurity risk analysis that includes methods that are new to most readers. Chapter 1 will provide an explanation and description of new concepts, language, and processes to provide the reader with a solid foundation for the remaining chapters.

After completing Chapter 1, the reader will be directed to one of three chapters that provide instructions for conducting risk assessments. Chapters 2, 3, and 4 present processes, materials, and examples that are suitable for organizations with varying degrees of capability for conducting risk assessments.

After completing the instructions chapters, all readers will benefit from the guidance, tips, and deep dives presented in Chapter 5.

Version 1.0 – April 2018 3

CIS Risk Assessment Method for Due Care Introduction

Laws, regulations, and information security standards do not expect that the public can or will prevent all information security incidents. They instead make us responsible for looking ahead to what might go wrong, and to use safeguards that are not overly burdensome to prevent that harm. That is the essence of Duty of Care Risk Analysis4 (“DoCRA”) that the CIS RAM is based on.

• Since 1993, all US regulations – whether or not they are related to information security – require risk analysis to achieve a cost-benefit balance while achieving compliance.5

• Information security standards have called on the public to use risk analysis when designing security controls that match their environment.6

• Judges have used a “duty of care balance test” to determine liability in data breach cases.7

• The Federal Trade Commission has consistently required that organizations use risk assessments to determine the reasonableness of their security controls.8

• The General Data Protection Regulation (“GDPR”) that requires privacy protections for EU residents, and bases its security requirements on risk analysis.9

Experts and authorities consistently require organizations to secure information and systems as much as they can to prevent harm to others, but not to allow safeguards to be overly burdensome to them or the public. And they point to risk assessments as the way to find the balance.

4 Also known the DoCRA Standard. https://www.docra.org. 5 Executive Order 12866” signed in 1993 requires all federal regulation to be enforced using cost- benefit analysis. The Office of Management and Budget enforces the order in part by requiring that regulated organizations use risk assessments to identify effective controls that are “reasonable.” 6 See ISO/IEC 27001:2013, NIST SP 800-53 Rev. 4, PCI-DSS v3.2 7 See Dittman v. UPMC, 154 A.3d 318 (Pa. Super. Ct. 2017), In re: Target Corporation Customer Data Security Breach Litigation, Memorandum and Order, MDL No. 14-2522 (D. Minn. 2014) 8 Federal Trade Commission. “Commission Statement Marking the FTC’s 50th Data Security Settlement.” www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf 9 General Data Protect Regulation. Directive 95/46/EC.

Version 1.0 – April 2018 4

Basis in Law and Regulation CIS RAM’s risk analysis method was designed to provide common ground for security specialists and business managers, and for legal and regulatory authorities who must evaluate the sufficiency of security safeguards. Risk analysis became the basis of regulatory law in 1993 when President Bill Clinton signed an executive order, E.O. 12866,10 that required regulations to be enforced using a cost-benefit analysis. The Office of Management and Budget determined that the best way to achieve cost- benefit analysis was to embed risk analysis in all existing and new regulations. Starting in 1999 the United States began enforcing regulations with information security and privacy requirements that used risk analysis as the basis for compliance. The Gramm-Leach- Bliley Act Safeguards Rule,11 the HIPAA Security Rule,12 and the Federal Trade Commission all required that organizations conduct risk assessments to define their own compliance goals. Risk assessments should help organizations determine for themselves the likelihood and impact of threats that could harm the public, and ensure that safeguards would not be overly burdensome. This risk analysis has been commonly described as “Risk = Impact x Likelihood.” At about this time this same idea emerged independently among a separate set of professionals. Domestic and international information security standards bodies developed risk assessment methods such as NIST Special Publications 800-30, ISO 27005, and RISK IT to help the public assess risks in information technology environments. These information security standards also used the same equation used by U.S. regulators – “Risk = Impact x Likelihood” – to express the foreseeability of harm that might come to information and information systems. In parallel with the development of these two efforts (and since earlier in the twentieth century) attorneys and judges debated in court rooms and in law journals about how to determine whether someone acted as a “reasonable person” when a plaintiff sued for damages. These debates led to the creation of the “Learned Hand Rule”13 (aka “the Calculus of Negligence”). The Hand Rule, as it is now known, states that a burden to prevent harm should not be greater than the probability of harm times the liability after a harmful event; or mathematically stated, B <= P x L. Courts (variably) have extended this rule to “duty of care balancing tests” that determine whether lack of foresight and less-than-reasonable safeguards led to harm. But while these disciplines – law, information security, and regulations – all drew on a common definition of risk, each seemed to be unaware of the other’s risk analysis methods. Even so, each discipline searched for a universal translator that would allow the entire community of experts and authorities to understand one another. The CIS RAM provides that universal translator.

10 Executive Order 12866 – Regulatory Planning and Review, 58 FR 51735; October 4, 1993 11 Gramm Leach Bliley Act Safeguards Rule 16 CFR Part 314 12 HIPAA Security Rule 45 CFR Part 160 and Subparts A and C of Part 164 13 U.S. v. Carroll Towing, 159 F.2d 169 (2d Cir. 1947)

Version 1.0 – April 2018 5

CIS RAM Principles and Practices CIS RAM adopts the three principles and ten practices from Duty of Care Risk Analysis. The three principles state the characteristics of risk assessments that align to regulatory and legal expectations. The ten practices describe features of risk assessments that make the three principles achievable. Principles

1. Risk analysis must consider the interests of all parties that may be harmed by the risk. 2. Risks must be reduced to a level that authorities and potentially affected parties would

find appropriate. 3. Safeguards must not be more burdensome than the risks they protect against.

Practices

1. Risk analysis considers the likelihood that certain threats could create magnitudes of impact.

2. Risks and safeguards are evaluated using the same criteria so they can be compared. 3. Impact and likelihood scores have a qualitative component that concisely states the

concerns of interested parties, authorities, and the assessing organization. 4. Impact and likelihood scores are derived by a numeric calculation that permits

comparability among all evaluated risks, safeguards, and against risk acceptance criteria. 5. Impact definitions ensure that the magnitude of harm to one party is equated with the

magnitude of harm to others. 6. Impact definitions should have an explicit boundary between those magnitudes that

would be acceptable to all parties and those that would not be. 7. Impact definitions address; the organization’s mission or utility to explain why the

organization and others engage risk, the organization’s self-interested objectives, and the organization’s obligations to protect others from harm.

8. Risk analysis relies on a standard of care to analyze current controls and recommended safeguards.

9. Risk is analyzed by subject matter experts who use evidence to evaluate risks and safeguards.

10. Risk assessments cannot evaluate all foreseeable risks. Risk assessments re-occur to identify and address more risks over time.

Version 1.0 – April 2018 6

Table 1 aligns these principles and practices with the three disciplines of law, regulations, and information security standards.

Table 1 - CIS RAM Principles and Practices Alignment to Law, Regulations, and Security Standards

CIS RAM and DoCRA Principles and Practices

Law

Regulations Security

Standards

Risk analysis must consider the interests of all parties that may be harmed by the risk.

Risks must be reduced to a level that authorities and potentially affected parties would find appropriate.

Safeguards must not be more burdensome than the risks they protect against.

Risk analysis considers the likelihood that certain threats could create magnitudes of impact.

Risks and safeguards are evaluated using the same criteria so they can be compared.

Impact and likelihood scores have a qualitative component that concisely states the concerns of interested parties, authorities, and the assessing organization.

Impact and likelihood scores are derived by a numeric calculation that permits comparability among all evaluated risks, safeguards, and against risk acceptance criteria.

Impact definitions ensure that the magnitude of harm to one party is equated with the magnitude of harm to others.

Impact definitions should have an explicit boundary between those magnitudes that would be acceptable to all parties and those that would not be.

Impact definitions address; the organization’s mission or utility to explain why the organization and others engage risk, the organization’s self-interested objectives, and the organization’s obligations to protect others from harm.

Risk analysis relies on a standard of care to analyze current controls and recommended safeguards.

Risk is analyzed by subject matter experts who use evidence to evaluate risks and safeguards.

Risk assessments cannot evaluate all foreseeable risks. Risk assessments re-occur to identify and address more risks over time.

Key: Fully addressed Partially addressed Not addressed

Organizations that conduct risk assessments using the CIS RAM will have a plan for implementing CIS Controls V7 that is reasonable, and defensible to authorities and experts alike.

Version 1.0 – April 2018 7

Evolving Risk Analysis Methods

Evolving Classic Risk Concepts To bridge information security risk analysis with legal and regulatory expectations, CIS RAM builds on and extends a few classic risk analysis concepts. This section will briefly describe how CIS RAM evolves risk evaluation, and definitions for “impact,” risk acceptance, and residual risk.

Calculating Risk Includes Multiple Impacts CIS RAM uses the classic risk assessment calculation “Risk = Impact x Likelihood” with a few modifications. Most significantly, risk is calculated by multiplying a likelihood value by multiple impact values. These multiple impacts include impacts to the organization’s objectives, it’s mission, and is obligations to protect others. Organizations should be aware of the many ways that information security risk can create harm.

The risk calculation used by CIS RAM resembles the structure below: “Risk = Max (Mission Impact, Objectives Impact, Obligations Impact) x Likelihood.” The instructions provided later in this document clearly describe how this calculation works. Organizations that use this extended calculation will consistently consider the many ways that information security risks can create harm.

Impact Definitions Include Harm to Multiple Parties To ensure fairness and balance, impact definitions will include potential harm to individuals and organizations that may be impacted by risks. Impacts and impact magnitudes will be stated in qualitative and quantitative form to easily communicate levels of risk to all interested parties, and in a way that matters to each party.

Risk Acceptance Is Clearly Defined CIS RAM provides organizations with clear guidance for defining acceptable risk that appears fair to authorities and interested parties, and that can be consistently applied to all information security risks. Acceptable risk will consider whether a observed risk is “appropriate” (all potentially affected parties would agree that the risk is acceptable), and whether a recommended safeguard is “reasonable” (it does not create more of a burden than the risk it protects against). By expanding the definition of risk acceptance by these two factors, organizations will have an easily communicated rationale for accepting risk, or for prioritizing unacceptable risk.

“Residual Risk” is Known As “Safeguard Risk” “Residual risk” has traditionally meant the reduced amount of risk that remains after a security control has been implemented. Organizations have generally used “residual” to declare how a planned security safeguard presents acceptable risk. CIS RAM evolves the notion of a “residual risk” to “safeguard risk” to describe the risk that a new safeguard may pose. The purpose behind evaluating residual risk this way is to address the fact that new controls often have unintended consequences. Recall that impact definitions will be based on multiple factors, such as an organization’s mission, its objectives, and its obligations (described in more detail later in the document). Security controls may reduce the risk to security obligations by controlling access to data, but may increase the risk to the organization’s mission which requires sharing the data. Legal decisions and regulations consider these excessive safeguards as “burdens” because they may harm the organization that is trying to protect the data.

Version 1.0 – April 2018 8

By evaluating safeguard risk using the same criteria that are used to evaluate risks, organizations will be more cognizant of the true cost of controls, and will have a defensible way of stating whether recommended controls are overly burdensome to them or the public.

Evolving Risk Acceptability Figure 1 illustrates how CIS RAM evaluates “appropriate” risk using a simplified risk statement. In this scenario, an organization is analyzing a risk of a lost device, and estimates the likelihood and expected impact of the loss. Impact definitions estimate potential harm to the organization, and to others. Using a scale of ‘1’ to ‘3’, the organization multiplies the likelihood score by the higher of the two impact scores to arrive at a risk score of ‘6’. In this example, an acceptable risk would be less than ‘4’, so the score of ‘6’ is not appropriate. “Others” would not accept the possibility of this risk. Note: The CIS RAM provides extensive guidance on how likelihood and impact scoring and acceptable risk criteria are defined. The values in Figure 1 and Figure 2 are provided simply for illustrative purposes.

Figure 1 - Simplified Risk Model Showing Inappropriate Risk

In Figure 2 the inappropriately high risk is matched with a recommended safeguard to encrypt all devices. Because a safeguard is evaluated using the same criteria as the risk, the organization is evaluating the burden of the safeguard. In this case, they believe there is a small likelihood (‘1’) of a notable cost impact (‘2’). As a result, the safeguard risk calculates as ‘2’ which is lower than the observed risk it is addressing (‘6’). As a result, this safeguard is reasonable.

Figure 2 – Simplified Risk Model Showing a Reasonable Safeguard

Version 1.0 – April 2018 9

Is This Extended Analysis Worthwhile? Put simply, yes. Information security controls are very often considered to be a hindrance to business. Users often complain that security controls get in the way of productivity, efficiency, ease of collaboration and communication, and other business-impacting concerns. Organizations should take these complaints seriously. Fortunately, regulators have provided organizations with a means to evaluate these concerns. Moreover, courts consider the burden of safeguards in lawsuits and would understand the reasoning that this risk analysis provides. By evaluating risks and their recommended safeguards using the same criteria, organizations ensure that risk analysis addresses the concerns of all parties within and outside of their organization, and provides evidence of their conscientious decision to regulators and judges.

Overview of the CIS Risk Assessment Method

Using Risk Assessments to Design and Evaluate CIS Controls V7 CIS Controls V7 was designed to address the most common causes of security incidents in the general public. As a result, the CIS Controls are to a degree risk-prioritized, especially if organizations implement the first five CIS Controls before implementing the remaining 15. However, each organization has special circumstances, including the potential harm they may cause to others, the need to operate somewhat vulnerable systems based on their mission, the needs of their constituents, their available resources, and the foreseeability of threats in their industry. The risk assessment method described by CIS RAM will help organizations determine whether their implementation of CIS Controls V7 – or their de-prioritization or customization of controls – is reasonable and appropriate given security, legal, and regulatory considerations. This risk assessment method describes multiple ways that organizations may evaluate, assess, and design safeguards using the CIS Controls.

• In some cases, organizations may start simply and list the Controls to determine whether their information assets are sufficiently resilient against foreseeable threats.

• More capable organizations may list their information assets first, then consider whether associated CIS Controls sufficiently protect those assets against foreseeable threats.

• Organizations with a command of how threats operate may start with a list of known or foreseeable threats against information assets and determine how controls should be implemented to address them.

Each of these approaches relies on the organization’s ability to conduct that kind of analysis. And those abilities depend on the involvement of business management in information security, the availability of time and resources to examine information assets and risks, and the expertise of the personnel for conducting the analysis. Regardless, this risk assessment method will provide a model for organizations to evaluate risk based on the harm they may pose to themselves or their constituency, and to determine whether the burden of each of the CIS Controls – implemented as safeguards – are appropriate.

Risk Assessment Process A risk assessment is a project that analyzes the risk posed by a set of information assets, and recommends safeguards to address unacceptably high risks. While the order of events in a risk assessment project will vary from organization to organization, the following activities are generally applied:

Version 1.0 – April 2018 10

Analyze the Observed risk • Define the Scope: Identify information assets that are being assessed as well as the owners

and stewards of the information assets. • Schedule Sessions: Schedule the interviews and sessions for evidence review. • Develop the Risk Assessment and Acceptance Criteria: Establish and define the criteria for

evaluating and accepting risk. • Gather Evidence: Interview personnel, review documents, and observe safeguards. • Model the Risks: Evaluate the current safeguards that would prevent or detect foreseeable

threats against the security of information assets. • Risk Evaluation: Estimate the likelihood and impact of security breaches to calculate the risk

score, then determine whether identified risks are acceptable.

Propose Safeguards • Propose Safeguards: Recommend safeguards from CIS Controls V7 that would reduce

unacceptable risks. • Evaluate Proposed Safeguards: Risk-analyze the recommended safeguards to ensure that

they pose acceptably low risks without creating an undue burden.

Risk Assessment Criteria Risk analysis requires a consistent, repeatable method for estimating and evaluating risk. Risk assessment criteria provide organizations with measures for consistently rating the likelihood and impact of foreseeable threats that may compromise the security of information assets. Risk assessment criteria are often thought of in terms of a 3 x 3 grid or a 5 x 5 grid, with each dimension representing either “likelihood” values or “impact” values. While scores of ‘1’ through ‘3’ or ‘1’ though ‘5’ are convenient for calculating risk as a product, they are not meaningful by themselves. So criteria must also have a plain-language component that describes levels of impact and likelihood that are meaningful to the organization. Risk assessment criteria in a simplified format may appear similar to this:

Table 2 - Simplified Impact Criteria

Impact Score Impact Score Defined 1 No or minimal harm would result.

2 Harm would not be tolerable.

3 Harm may not be recoverable.

Table 3 - Simplified Likelihood Criteria

Likelihood Score Likelihood Score Defined 1 Not foreseeable.

2 Expected to occur.

3 Regular occurrence.

Version 1.0 – April 2018 11

Risk Acceptance Criteria Laws and regulations require that organizations apply “reasonable” and “appropriate” safeguards to ensure that the resulting risk is acceptable. The acceptability of risk can be demonstrated using risk analysis that addresses the tolerability of the risk and the burden of safeguards that protect against the risk. While every organization will define its own risk tolerance, this method provides a process for doing so using plain language and simple math. An example of defining risk acceptability is provided in Table 4 using the simplified impact and likelihood criteria from above. Organizations will develop their risk acceptance criteria by first defining what unacceptable risk is. In this case the organization has determined its risk acceptance criteria by first deciding that it will not accept a risk that may cause intolerable harm (as indicated by the red box).

Table 4 - Simplified Impact Criteria for Risk Acceptance

Impact Score Impact Level Impact Score Defined 1 Acceptable No or minimal harm would result.

2 Unacceptable Harm would not be tolerable.

3 High Harm may not be recoverable.

Then the organization determined that a threat that is expected to occur (and to create harm) must be avoided (as indicated in the red box in Table 5).

Table 5 - Simplified Likelihood Criteria for Risk Acceptance

Likelihood Score Likelihood Score Defined

1 Not expected to occur

2 Expected to occur

3 Regular occurrence

And finally, the organization combined these limits to express their acceptable risk in both plain language, and in mathematical terms.

Table 6 – Risk Acceptance Criteria

Version Definitions of Acceptable Risk

Plain language We must reduce risks that are expected to create intolerable harm.

Mathematical Acceptable Risk < 2 x 2; or Acceptable Risk < 4

Version 1.0 – April 2018 12

Background – “Reasonableness” and Risk Analysis The “reasonable person” is used in law as a hypothetical person – or legal fiction – who embodies the sum of our traditions, values, and responsibilities for taking care not to harm others while we engage in public life. The reasonable person has been used in cases to evaluate appropriate behavior for activities such as building and maintaining structures, offering goods and services, or handling assets such as information and information technologies. A reasonable person can engage in activities for their own benefit, but must take care, using appropriate precautions, not to harm others in the process. In litigation, a judge will often use a “duty of care” or “multi-factor” balancing test to determine the degree to which a defendant was acting reasonably when a plaintiff was harmed. And in regulations organizations must apply “reasonable” safeguards to protect others from harm. A judge’s duty of care balancing test is very similar in structure to this risk assessment method. An organization will consider foreseeable threats that their business may cause others. They will determine how effectively they prevent that harm by using CIS Controls V7 as a standard for appropriate cybersecurity practices. They will estimate the likelihood and impact of the expected harm of a foreseeable threat, and they will consider alternative safeguards that effectively lower risks without being overly burdensome. In this way, judges and cybersecurity practitioners use the same language to describe reasonable cybersecurity practices. In similar fashion, a regulator will ask regulated organizations to demonstrate the reasonableness of their safeguards by reviewing the organization’s risk register. Since 1993 US federal regulations require that regulatory rules are not overly burdensome to the public, and that a “cost-benefit” analysis is performed to determine whether regulatory actions are overly burdensome and appropriate to protect the public. Regulatory agencies, including those that govern cybersecurity rules and regulations, require risk assessments as the method for balancing the potential harm to others against the cost of safeguards.

Selecting A Tier for Your Risk Assessment Instructions

This document is designed to be useful for organizations with varying levels of security management capabilities. These capability levels align with Framework Implementation Tiers (“Tiers”) as defined by the NIST Cybersecurity Framework.14 The Tiers indicate “how an organization views cybersecurity risk and the processes in place to manage that risk.”15 The Tiers are defined by NIST in the following way (abbreviated). Tier 1: Partial