Recommend Safeguards
Learning Objectives
After completing this unit, you’ll be able to:
- Identify how to reduce risks that evaluate to unacceptably high scores by improving or applying a Center for Internet Security, Inc. (CIS®) Safeguard.
- Describe how to estimate how much you expect a Safeguard to cost.
Risk Treatment
Now that Sean has evaluated Custom Car Company’s (CCC’s) risks, he now focuses on those that are unacceptably high, in order to reduce them by improving a Center for Internet Security, Inc. (CIS) Safeguard, or by applying a new CIS Safeguard.
Not only do Sean and the Security team at CCC need to make choices about which CIS Safeguard they will use to address a risk, but they also need to evaluate their recommended CIS Safeguards to determine whether they effectively reduce risks while not creating new, unacceptable risks.
Sean performs these tasks by first evaluating the recommendations using the same Risk Assessment Criteria that he used to evaluate the risk. He continues to fill out the Risk Register as follows. See the description below for a detailed explanation of how he populates each column.
| Risk Treatment Option | Risk Treatment Safeguard | Risk Treatment Safeguard Title | Risk Treatment Safeguard Description | Our Planned Implementation | Risk Treatment Safeguard Maturity Score | Risk Treatment Safeguard Expectancy Score | Risk Treatment Safeguard Impact to Mission | Risk Treatment Safeguard Impact to Operational Objectives | Risk Treatment Safeguard Impact to Financial Objectives | Risk Treatment Safeguard Impact to Obligations | Risk Treatment Safeguard Risk Score | Reasonable and Acceptable |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Reduce |
2.1 |
Establish and Maintain a Software Inventory |
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. |
Permit script scripting tools and compilers on only protected systems administrator computers. |
5 |
1 |
4 |
2 |
2 |
4 |
4 |
Yes |
|
Accept |
2.2 |
Ensure Authorized Software is Currently Supported |
Ensure that the organization only designates currently supported software as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
4 |
2 |
2 |
4 |
Yes |
||||
|
Reduce |
2.3 |
Address Unauthorized Software |
Either remove unauthorized software from use on enterprise assets or document an exception. Review monthly, or more frequently. |
Permit script engines on only systems administrator computers. |
5 |
1 |
4 |
2 |
2 |
4 |
4 |
Yes |
Risk Treatment Option
First, Sean reviews each risk in the Risk Register and decides whether to reduce or accept the risk. He knows he should select to reduce all unacceptably high risks. Risks below his Risk Acceptance Criteria can be marked as Accept. He documents each risk decision in the Risk Treatment Options column of the Risk Register.
Risk Treatment Safeguard
The CIS Risk Assessment Method (RAM) for Implementation Group 2 (IG2) Version 2.1 (v2.1) Companion Workbook automatically populates the next three columns—Risk Treatment Safeguard, Risk Treatment Safeguard Title, and Risk Treatment Safeguard Description—based on the CIS Safeguard from the Risk Analysis step we covered in the previous unit.
Planned Implementation
Next, Sean has the option to use the Our Planned Implementation column to state how CCC expects to implement the Safeguard. He refers back to the Risk Analysis he completed in the previous unit, and notices that the risks associated with Safeguards 2.1 and 2.3 are unacceptably high. He documents what CCC will do to implement and operate the Risk Treatment Safeguard.
Since the risks were too high, CCC’s does not implement the associated Safeguards well enough to provide confidence that they effectively protect the CarCore application. CCC’s planned implementation will raise the Safeguard’s Maturity.
Risk Treatment Safeguard Maturity Score
Next, Sean uses the Risk Treatment Safeguard Maturity Score column to state the degree of confidence he has that the Safeguard is effective. He uses the same Maturity Score guidance he used in the Risk Analysis. After selecting a score of 1 to 5, his Risk Treatment Safeguard Risk Score in the second-to-last column will be automatically calculated by multiplying the highest Risk Treatment Impact Score—Impact to Mission, Objectives (Operational or Financial), and Obligations—by the Risk Treatment Safeguard Expectancy Score. The Workbook automatically calculates the Risk Treatment Safeguard Expectancy Score to represent how commonly the related threat causes a cybersecurity incident, given the planned Safeguard.
The CIS RAM for IG2 v2.1 Companion Workbook also automatically calculates the Reasonable and Acceptable score. Acceptable means that the Risk Treatment Safeguard Risk Score is below the Acceptable Risk Score that Sean defined in The Center for Internet Security's Risk Assessment Method module. Reasonable means that the Risk Treatment Safeguard Risk Score is equal to or below the Risk Score calculated in the previous unit.
In this example, CCC was able to plan for Reasonable and Acceptable Safeguard implementations for all of its Risk Treatment Safeguards. In the case that CCC found that its resulting risk was not Reasonable or Acceptable, the company needs to find a way to make the Risk Treatment Safeguard consistent, perhaps by automating the Safeguard or improving the accountability associated with the Safeguard.
Cost Analysis
Now that Sean has determined whether the planned Safeguards are reasonable and acceptable, he next turns to estimate how much he expects each Safeguard to cost.
CIS RAM for IG2 v2.1 Companion Workbook includes a cost analysis for the Risk Treatment Safeguard. The Workbook includes optional columns for estimating the Risk Treatment Safeguard Cost along with the quarter and year that CCC will schedule the Safeguard to be implemented. Sean uses this cost analysis to plan his budget for each Risk Treatment Safeguard. He populates the Cost Analysis in the Risk Register as follows.
| Risk Treatment Option | Risk Treatment Safeguard | Risk Treatment Safeguard Title | Risk Treatment Safeguard Description | Our Planned Implementation | Risk Treatment Safeguard Maturity Score | Risk Treatment Safeguard Cost | Implementation Quarter | Implementation Year |
|---|---|---|---|---|---|---|---|---|
|
Reduce |
2.1 |
Establish and Maintain a Software Inventory |
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. |
Permit script scripting tools and compilers on only protected systems administrator computers. |
5 |
$ |
Q2 |
2022 |
|
Accept |
2.2 |
Ensure Authorized Software is Currently Supported |
Ensure that the organization only designates currently supported software as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
|||||
|
Reduce |
2.3 |
Address Unauthorized Software |
Either remove unauthorized software from use on enterprise assets or document an exception. Review monthly, or more frequently. |
Permit script engines only on systems administrator computers. |
5 |
$ |
Q2 |
2022 |
In this example, CCC expected its Risk Treatment Safeguards for 2.1 and 2.3 to cost no money, and that the company can implement the Safeguards in Q2 of 2022.
Recall that in The Center for Internet Security’s Risk Assessment Method module, Sean stated the limit for acceptable impacts to CCC’s Financial Objectives as $10,000. CCC implements the Safeguards, because their budgeted Risk Treatment Safeguard plan as outlined above for 2022 is $0.
Sum It Up
Cybersecurity risk analysis is an inexact but important process. By completing this process, Sean has considered how well prepared CCC is for the most (and least) foreseeable events, and how badly CCC or others could be harmed. He has also thought about how CIS Controls and Safeguards can make CCC more prepared for those foreseeable threats, while making sure that CCC, and those it protects, will be OK.
Along with the information you reviewed in The Center for Internet Security's Risk Assessment Method, you’ve now learned how to use CIS RAM v2.1 to conduct a duty of care risk analysis to meet your cybersecurity goals.
Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Learning Hub on Trailhead.
