Define Enterprise Parameters
Learning Objectives
After completing this unit, you’ll be able to:
- Explain how to document Enterprise Parameters using a Risk Register.
- Develop criteria for evaluating risk Expectancy.
- Define Risk Acceptance Criteria.
- Identify Inherent Risk Criteria.
Use Enterprise Parameters to Estimate Impacts
Now that Sean has defined the Impact Criteria for Custom Car Company’s (CCC) Mission, Operational and Financial Objectives, and Obligations, he turns to the next step in defining the Risk Assessment Criteria: defining Enterprise Parameters. He begins by filling out a Risk Register (a useful record for storing your cybersecurity risks), which he will use to evaluate risks and recommendations.
Document the Risk Register Header
Sean takes the following steps to complete the Risk Register.
- State the name of the organization.
- Describe the scope of the organization that the Risk Register contains.
- Enter the date that the Risk Register was last updated.
| Enterprise Risk Assessment Criteria | Enterprise Name: | CCC |
|
Scope: |
All assets |
|
|
Last Completed (Date): |
June 30, 2022 |
Impact Criteria
Having completed the Risk Register Header, Sean then populates the Risk Register with the Impact Criteria he defined in the previous unit.
| Impact Scores | Mission | Operational Objectives | Financial Objectives | Obligations |
|---|---|---|---|---|
|
Definition |
||||
|
1. Negligible |
All orders are produced within specifications, on time, and without unplanned effort. |
We have ranked #1 in all categories in the annual Custom Car World magazine poll. |
We don’t pay attention to a problem if it resulted in an unexpected US$1,000 impact. We normally ignore budget variances smaller than this amount. This is the maximum impact we can suffer and call it Negligible. |
No customers suffer due to a loss of our competitive advantage. |
|
2. Acceptable |
All orders are produced within specifications and on time, but some may require unplanned effort to stay within tolerance metrics. |
We have ranked #1 in only one category of Custom Car World magazine poll for only 1 year. |
We won’t invest to prevent an unexpected impact of $10,000. This is the maximum unexpected cost we find acceptable. |
One or few customers may be concerned about our potential loss of competitive advantage, but no harm results. |
|
3. Unacceptable |
Few orders each quarter (outside of our tolerance metrics) may miss targets but could be corrected with adjustments or discounts. |
We have not ranked #1 in any category of Custom Car World Magazine poll for 1 year. |
Unexpected losses of $10,000 up to $500,000 take an entire fiscal year to recover from. |
One or few customers suffer due to a minor loss of our competitive advantage, but they could be made whole within a fiscal year. |
|
4. High |
We repeatedly miss targets outside of tolerance metrics, requiring regular adjustments or discounts per quarter, or requiring significant reinvestment to operate regularly within our tolerance metrics. |
We have not ranked in the top three in any category of Custom Car World magazine poll for 2 years or more. |
Beyond $500,000 in unexpected losses, we need to make significant changes to how we do business (for example, through layoffs, new efficiencies, or investments) to recover from that loss. If we suffered unexpected losses of $5,000,000, it puts us out of business. |
Many customers suffer due to a minor loss of our competitive advantage, or one to few customers suffer harm that requires significant business investment or planning to recover. |
|
5. Catastrophic |
We could not meet our Mission. |
We’re unable to rank well in the annual Custom Car World magazine poll. |
There’s no reason to provide a value for this impact magnitude, since once we cross into this territory, the sky's the limit for how much we could suffer. |
We aren't able to protect our customers from losses due to intellectual property theft. |
Document Criteria for Evaluating Risk Expectancy
Now that he has imported the Impact Criteria, Sean’s next step in defining the Risk Assessment Criteria is to document criteria for evaluating risk Expectancy. The Center for Internet Security, Inc. (CIS®) Risk Assessment Method (RAM) Version 2.1 (v2.1) does not consider Expectancy to mean the probability or frequency that something may happen, but the most likely way an eventual security incident will occur. The CIS RAM provides a default model for distinguishing between degrees of Expectancy, as shown below.
| Expectancy Score | Expectancy | Criteria |
|---|---|---|
|
1 |
Remote |
Safeguard reliably prevents the threat. |
|
2 |
Unlikely |
Safeguard reliably prevents most occurrences of the threat. |
|
3 |
As likely as not |
Safeguard prevents as many threat occurrences as it misses. |
|
4 |
Likely |
Safeguard prevents few threat occurrences. |
|
5 |
Certain |
Safeguard does not prevent threat occurrences. |
Establish Risk Acceptance Criteria
Now that Sean has finished developing CCC’s Risk Assessment Criteria, he begins establishing the organization's Risk Acceptance Criteria. The risk acceptance criteria is a rule CCC can use for when to accept or address cybersecurity risks. The criteria helps inform CCC of when to invest against cybersecurity risks.
Sean remembers that in the CIS RAM, Risk = Impact x Expectancy. He consults with CCC leadership and begins documenting the organization's Risk Acceptance Criteria as follows: “CCC will invest against risks that are ‘Expected but not common’ (Expectancy is ‘3’) and that causes an unacceptably high impact (Impact is ‘3’ or above).”
| Impact Threshold | x | Expectancy Threshold | = | Risk Threshold |
|---|---|---|---|---|
|
3 |
x |
3 |
= |
9 |
|
…therefore |
||||
|
Acceptable Risk |
< |
9 |
||
Estimate Inherent Risk Criteria
The CIS RAM also makes use of the concept of Inherent Risk, which is the impact that occurs when a threat compromises an unprotected asset, with no Safeguards in place. To estimate Inherent Risk Criteria, Sean estimates the highest impact that an attack on CCC’s information assets could create. For example, Sean estimates that the Inherent Risk Criteria of the application that CCC depends on to operate the AI technology of the cars it manufactures is the loss of those operations.
Sean also estimates the Inherent Risk Criteria for all the asset classes (enterprise, devices, applications, data, network, users) at CCC. He asks himself, “What is the highest impact to the Mission, Operational Objectives, Financial Objectives, and Obligations that each asset type could cause?” and populates the table below.
| Asset Class | Mission Impact | Operational Objectives Impact | Financial Objectives Impact | Obligations Impact |
|---|---|---|---|---|
|
Enterprise |
4 |
4 |
5 |
5 |
|
Devices |
2 |
1 |
3 |
3 |
|
Applications |
4 |
2 |
4 |
5 |
|
Data |
3 |
4 |
5 |
2 |
|
Network |
3 |
4 |
3 |
1 |
|
Users |
3 |
3 |
4 |
4 |
The CIS RAM treats the calculation of Inherent Risk Criteria differently for different Implementation Groups (IGs). Refer to the version of CIS RAM for your IG for specific instructions.
Sean is now finished with defining the Risk Assessment and Risk Acceptance Criteria for CCC. In the next module, Sean states the Maturity Score of their implementation of each CIS Safeguard. Then the Workbook creates a Risk Score by associating inherent risks with the commonality of attacks that the Safeguard prevents, and the Safeguard’s capability.
Knowledge Check
Ready to review what you’ve learned? The following knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the steps to define Enterprise Parameters in the left column next to the correct order on the right. When you finish ordering all the items, click Submit to check your work. If you’d like to start over, click Reset.
Great work!
Sum It Up
In this module, you’ve been introduced to the CIS RAM and how to use it to define Risk Assessment and Acceptance Criteria. In the next module, Risk and Safeguard Modeling and Evaluation, you learn how to model and evaluate risks and recommend CIS Safeguards to better protect your organization.
Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Learning Hub on Trailhead.
