Meet CIS RAM: the new balanced infosecurity framework

Applications, devices, technology and service provisioning are the bread and butter of IT, but any information security professional knows that risk management is equally important.

There is no point in an IT advisor implementing a service if it poses too much risk to the organization. This is why, for example, many companies prevent access to social media sites – the benefits of access does not outweigh the risk.

Information Security professionals have a duty to balance the business, legal and regulatory challenges against the benefits to the overall health of the firm. This covers authenticity of data, integrity of data, privacy provisions for data, to mention just a few.

What is CIS RAM?

The Center for Internet Security states “CIS RAM is an information security risk assessment method that helps organizations design and evaluate their implementation of the CIS Controls™. CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments so they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Because information risks vary from one organization to the next, CIS RAM helps model “reasonable” uses of the CIS Controls to address the mission, objectives, and obligations of each environment.”

CIS (Center for Internet Security) and HALOCK Security Labs developed the CIS Risk Assessment Method, known as CIS RAM. It is designed to assist organizations in justifying investments for “reasonable” implementation of the CIS Controls.

HALOCK Security Labs, Chris Cronin wrote a fascinating blog post on why they decided to give away their intellectual property, allowing everyone to access and benefit from its research and development in balancing cyber security against availability.  

CIS RAM, by design, can assist organizations in defining their acceptable level of risk, as well as prioritizing and implementing the CIS Controls to manage their risk.  CIS RAM is based on the DoCRA, or the Duty of Care Risk Analysis standard, which is recognized by most – if not all – interested parties from regulators to partners as a reasonable and appropriate implementation of security controls within an environment.

More specifically, DoCRA is a method for analyzing risk, similar to the approach used by regulators and judges. According to the CIS RAM FAQs “Regulations and judicial ‘balancing tests’ expect that organizations consider the likelihood and degree of harm they may cause themselves and others, and to use safeguards that reduce those risks – as long as those safeguards are not overly burdensome. “

CIS RAM provides three different risk analysis models, each designed to support organization according to their risk analysis maturity:

  • Organizations that are new to risk analysis can use guidelines to model foreseeable threats against the CIS Controls.
  • Experienced organizations can use them to modeling threats against information assets, configuring CIS Controls to protect them.
  • Expert organizations can analyze risks based on “attack paths” with the CIS Community Attack Model.

A keyword for CIS RAM is “reasonable.” CIS RAM has baked into its foundations the concept of multiple stakeholders representing different interests: executives, legal representatives, regulators, customers, suppliers, investors. This is a key benefit to CIS RAM, and one of its benefits is improved communications. CIS RAM helps to generalize the cybersecurity language and terminology in order to remove inter-discipline communications hurdles.

Whether you want to implement CIS controls or harmonize with other control such as PCINISTGDPR, or ISO, CIS RAM’s duty-of-care risk analysis could help you streamline your security, while meeting the requirements set by various regulators.

For instance, the risk analysis methods described in CIS RAM and DoCRA conform to established security frameworks, such as ISO 27000, NIST Special Publications, the NIST Cybersecurity Framework, and risk assessment requirements described in PCI DSS. In other words, you can risk assessed other standards using the CIS RAM methods. CIS RAM and DoCRA also align with risk assessment guidance for regulations such as the HIPAA Security Rule, Gramm Leach Bliley Act’s Safeguards Rule, Federal Trade Commission guidance on risk assessments, Massachusetts 201 CMR 17.00, GDPR, and 23 NYCRR Part 500, specifications from these regulations can also be included in a risk assessment.

Learn more!

Contact TBG Security if you would like more information on how CIS RAM guidedance can help your organization.

*featured image repurposed from
Previous ArticleWhat is an information security framework and why do I need one? Next ArticleVulnerability Assessment, Penetration Testing and Red Teams Explained