Score Risks
Learning Objectives
After completing this unit, you’ll be able to:
- Identify information assets, Safeguards, and vulnerabilities.
- Evaluate current Safeguard Maturity.
- Describe how the Center for Internet Security, Inc.’s (CIS®) Risk Assessment Method (RAM) automatically scores risks.
This module was produced in collaboration with the CIS. Learn more about partner content on Trailhead.
Before You Start
If you completed The Center for Internet Security's Risk Assessment Method module, then you already know how to develop Risk Assessment and Acceptance Criteria. Now let’s talk about how to use the Center for Internet Security, Inc.’s (CIS) Risk Assessment Method (RAM) to model and evaluate risks and recommend and evaluate CIS Safeguards.
Throughout this module, we capitalize common words when referring to a specific component of CIS RAM Version 2.1.
Identify Information Assets, Safeguards, and Vulnerabilities
As a cybersecurity risk manager, you can model risks by associating information assets with the CIS Safeguards that protect them, the vulnerabilities that may be present, and the threats that can compromise these information assets. CIS RAM helps analyze risk by describing the component steps regardless of sequence.
- Identify an information asset or asset class, such as a specific firewall or a set of similarly managed firewalls, an application, or a set of identically configured servers, and more.
- Identify threats that can compromise the Confidentiality, Integrity, and Availability (CIA) of those information assets or Asset Classes.
- List CIS Safeguards that protect the information asset or Asset Class against foreseeable threats.
- Indicate if you have implemented the CIS Safeguards in the environment and how you have implemented them.
- Consider any vulnerabilities that may exist related to each Safeguard and Asset Class. You, as a cybersecurity risk manager, should take care to consider what can go wrong, even if you have implemented Safeguards. Safeguards can have vulnerabilities such as errors in administration, new threats, intentional harm, failed systems, and insufficient skills or resources.
Let’s check in with Sean, the risk assessor at Custom Car Company (CCC), as he continues to fill out his Risk Register in CIS RAM for Implementation Group 2 (IG2) Version 2.1 (v2.1) Companion Workbook.
Using the workbook, Sean first selects an Asset Class such as Enterprise, Devices, Applications, Data, Network, or Users.
Next, he describes the Asset Name. He selects the CIS Safeguard # and Title that applies to the Asset Class he selected. He then documents how CCC has implemented that Safeguard, including optionally adding Evidence of Implementation, and states any Vulnerabilities that may be exploited by a threat.
This table represents just a few examples of the information Sean inputs.
| Asset Class |
Applications |
Applications |
Applications |
|---|---|---|---|
| Asset Name |
CarCore |
CarCore |
CarCore |
| CIS Safeguard # |
2.1 |
2.2 |
2.3 |
| CIS Safeguard Title |
Establish and Maintain a Software Inventory |
Ensure Authorized Software is Currently Supported |
Address Unauthorized Software |
| Our Implementation |
We use a software asset management tool that monitors for applications installed on all servers and end-user systems. |
A software asset management tool validates that installed applications are currently supported and that the organization implements current versions. |
The software asset management tool identifies installed applications that were not permitted and alerts the Operations (Ops) team. The Ops team removes unapproved applications within 5 business days. |
| Vulnerabilities |
We track the deployment of installed software (including type, version, and patches); however, we have no method to automatically scan, download, and deploy vendor-specific patches. |
None observed. |
Users have administrative rights to install software on their laptops, but we don’t enforce security reviews on that software before installation. |
Now that Sean has documented CCC’s assets, associated CIS Safeguards, and Vulnerabiliites, he next turns to evaluate the current maturity of CIS Safeguards at CCC.
Evaluate Current Safeguard Maturity
As the next step in evaluating risks, Sean selects a score of 1 through 5 designating the reliability of each Safeguard’s effectiveness against threats, using the following definitions.
- He did not implement the Safeguard, or implemented it inconsistently.
- He implemented the Safeguard fully on some assets, or partially on all assets.
- He implemented the Safeguard on all assets.
- He tested the Safeguard and corrected inconsistencies.
- He has put in place mechanisms for the Safeguard to ensure consistent implementation over time.
He populates the Safeguard Maturity Score column in the risk register with his selections.
| Asset Class |
Applications |
Applications |
Applications |
|---|---|---|---|
| Asset Name |
CarCore |
CarCore |
CarCore |
| CIS Safeguard # |
2.1 |
2.2 |
2.3 |
| CIS Safeguard Title |
Establish and Maintain a Software Inventory |
Ensure Authorized Software is Currently Supported |
Address Unauthorized Software |
| Our Implementation |
We use a software asset management tool that monitors for applications installed on all servers and end-user systems. |
The software asset management tool validates that installed applications are currently supported and that the organization has implemented current versions. |
The software asset management tool identifies installed applications that were not permitted and alerts the Operations (Ops) team. The Ops team removes unapproved applications within 5 business days. |
| Vulnerabilities |
We track the deployment of installed software (including type, version, and patches); however, we have no method to automatically scan, download, and deploy vendor-specific patches. |
None observed |
Users have administrative rights to install software on their laptops, but we don’t enforce security reviews on that software before installation. |
| Safeguard Maturity Score |
3 |
5 |
4 |
Automatically Score Risks
The VERIS Community Database Index
Sean now has documented CCC’s assets, their associated Vulnerabilities, and the maturity of CCC’s current CIS Safeguard implementation in protecting against those Vulnerabilities.
CIS RAM Version 2.1 (v2.1) Companion Workbook automatically calculates a value to represent how commonly a related threat causes reported cybersecurity incidents. The VERIS Community Database (VCDB) Index column displays this number. This score evaluates the commonality of a threat that a given Safeguard prevents.
Expectancy Score
CIS RAM v2.1 Companion Workbook also automatically calculates an Expectancy Score by comparing the commonality of reported threats to the maturity of the Safeguards that prevent the threats.
For more detailed information on how the CIS RAM Version 2.1 (v2.1) Companion Workbook calculates the Expectancy Score, see Appendix C of the CIS-RAM for Implementation Group 2 (IG2) v2.1 PDF.
Impacts
Recall that in The Center for Internet Security's Risk Assessment Method module, Sean defined Mission Impact, Operational and Financial Objectives Impact, and Obligations Impact for each Asset Class (Enterprise, Devices, Applications, Data, Network, Users), as part of the process of estimating inherent risk criteria. The CIS RAM v21 Companion workbook automatically populates these magnitudes of harm.
Risk Score and Risk Level
Once Sean populates the Safeguard Maturity Score column of CIS RAM v2.1 Companion Workbook, the workbook automatically populates Risk Score and Risk Level.
The workbook calculates the Risk Score by multiplying the Expectancy Score by the highest Impact Score. The resulting Risk Level is either green, yellow, or red. These colors indicate whether the risk evaluated as “acceptable” as Sean described it in his Risk Acceptance Criteria in the previous module.
- Green indicates that the risk evaluates as acceptable.
- Yellow indicates that the risk is unacceptably high, but not urgent.
- Red indicates that the risk is urgent.
Sean’s completed Risk Register now looks like this:
| Asset Class |
Applications |
Applications |
Applications |
|---|---|---|---|
| Asset Name |
CarCore |
CarCore |
CarCore |
| CIS Safeguard # |
2.1 |
2.2 |
2.3 |
| CIS Safeguard Title |
Establish and Maintain a Software Inventory |
Ensure Authorized Software is Currently Supported |
Address Unauthorized Software |
| Our Implementation |
We use a software asset management tool that monitors for applications installed on all servers and end-user systems. |
A software asset management tool validates that installed applications are currently supported and that the organization has implemented current versions. |
AppXYZControl identifies installed applications that were not permitted and alerts the Operations (Ops) team. The Ops team removes unapproved applications within 5 business days. |
| Vulnerabilities |
We track the deployment of installed software (including type, version, and patches); however, we have no method to automatically scan, download, and deploy vendor-specific patches. |
None observed |
Users have administrative rights to install software on their laptops, but we don’t enforce security reviews on that software before installation. |
| Safeguard Maturity Score |
3 |
5 |
4 |
| VCDB Index |
2 |
2 |
2 |
| Expectancy Score |
2 |
1 |
2 |
| Impact to Mission |
4 |
4 |
4 |
| Impact to Operational Objectives |
2 |
2 |
2 |
| Impact to Financial Objectives |
4 |
4 |
4 |
| Impact to Obligations |
5 |
5 |
5 |
| Risk Score |
10 |
5 |
10 |
| Risk Level |
Yellow |
Green |
Yellow |
Knowledge Check
Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching term on the right. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.
Sum It Up
Sean now has a better understanding of the Risk Levels associated with each Asset Class at CCC. Next, let’s follow along with Sean as he plans his Risk Treatment activities, prioritizing higher value risks over lower value risks.
