Center for Internet Security
CIS RAM v2.0 (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps enterprises plan and justify their implementation of CIS Critical Security Controls (CIS). Learn about the CIS RAM family of documents, a free tool, providing step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment.
“The CIS RAM is a powerful tool to guide the prioritization and implementation of the CIS Controls, and complements their technical credibility with a sound business risk-decision process,” said Tony Sager, Senior Vice President and Chief Evangelist at CIS. “We see the CIS RAM as a method that enterprises of all maturity levels can use.”
Through an ongoing partnership, CIS RAM v2.0 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.
What you will learn:
- How CIS RAM was updated to a family of documents starting with Core and Implementation Group 1 (IG1)
- How CIS RAM automates risk analysis by using the VERIS Community Database
- Why regulators are referencing CIS RAM to demonstrate reasonable security
- How CIS RAM helps technology executives make business decisions
- The basic steps IG1 organizations will take to conduct risk assessments using CIS RAM 2.0
Valecia Stocchetti, Sr. Cybersecurity Engineer, CIS
Valecia Stocchetti is a Sr. Cybersecurity Engineer for the CIS Controls at the Center for Internet Security. Valecia comes to CIS from the eCommerce field where she worked complex financial fraud cases. She is a graduate from the University of Albany with a degree in Digital Forensics. Prior to joining the CIS Controls team, Valecia worked in the MS/EI-ISAC Computer Emergency Response Team (CERT), where she managed CERT and spearheaded multiple forensic investigations and incident response engagements for the MS/EI-ISAC SLTT community. In her current role, she works with various attack models and data, including the MITRE ATT&CK framework, to help validate and prioritize the CIS Controls. Valecia holds many certifications, including GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA), and GIAC Security Essentials Certification (GSEC). While she enjoys all things InfoSec, she particularly finds the Cybercrime and Espionage fields fascinating, which is what led her to this career in the first place.
Chris Cronin, Partner, HALOCK Security Labs, and Chair, DoCRA Council
Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council. He is the principal author of the DoCRA Standard and CIS RAM, Center for Internet Security’s Risk Assessment Method. Chris’ clients include Fortune 100 companies, large and mid-sized organizations, start-ups, litigators, and regulators. Since 2010 Chris has helped his clients manage their information security risks to an evidence-based, reasonable level. Chris’ work as an expert witness has helped his clients, regulators, and litigators evaluate the reasonableness of security controls and programs during regulatory oversight or post-breach legal action. Chris is frequent speaker and cybersecurity writer. He collaborates with peers in industry collaboratives and think tanks, including Sedona Conference, to help bring equity and due care to cybersecurity and risk management.
Conal Gallagher, CIO and CISO, Flexera
Conal Gallagher is the CIO and CISO at Flexera. He joined the company in 2017 as CISO and has since taken on a joint CIO/CISO role, responsible for information security, business applications, and IT operations. Conal has held IT leadership roles in the corporate sector for over 10 years, with another decade focusing on the security realm, leading security and compliance efforts at companies like Genesys and Rovi. Conal has a BS in Computer Science Systems from Wentworth Institute of Technology, an MBA from Regis University, and holds a multitude of industry certifications, including Certified Chief Information Security Officer (CCISO), Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), Certified Information Privacy Manager (CIPM) and Project Management Professional (PMP).
Phil Langlois, Data Breach Investigations Report (DBIR) Author, Verizon
Philippe Langlois is currently working as the lead engineer and author of the Verizon Data Breach Investigations Report (DBIR). Prior to joining Verizon, he worked at CIS leading various data driven projects, such as the CIS Controls and the MS-ISAC Nationwide Cyber Security Review. When not working or recreationally programming, he enjoys the great outdoors of Upstate New York with his wife and two dogs.
Tim Murphy, Deputy Attorney General, Commonwealth of Pennsylvania
Tim is a Deputy Attorney General for the Pennsylvania Office of Attorney General. He primarily focuses on privacy, data protection, and cybersecurity issues throughout the Commonwealth and participates on numerous multistate investigations involving nationwide data breaches. In addition, he litigates various consumer protection matters involving the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Mr. Murphy earned his Juris Doctor from Villanova University School of Law, Master of Education from Lehigh University, and Bachelor of Science from the University of Pittsburgh.