Articles and write ups in the industry about Duty of Care Risk Analysis (DoCRA)
The Center for Internet Security, Inc. (CIS®)
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources.
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
The Sedona Conference Working Group 11 (WG11) has provided the definition for reasonable security. In February 2021, The Sedona Conference released its Commentary on a Reasonable Security Test to help the regulatory and litigation communities “move the law forward in a reasoned and just way.” We now have a test for reasonable security practices that brings together the traditions of regulators, litigators, and information security communities to balance burdens of safeguards against the risk of harm to ourselves and others.
UPDATE ON REASONABLE SECURITY
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control.
Measuring Reasonable Security
NATIONAL LAW REVIEW
Finding a Test for Reasonable Security Practices: Embrace Complexity and Specifics
“A working group of the Sedona Conference has proposed a solid answer to these questions. By its own description, the Sedona Conference is a nonpartisan, nonprofit research and educational institute dedicated to the advanced study of specific law and policy, including privacy and data security law. The Conference has just published a set of commentary on a reasonable security test. The paper is worth reading.”
What is Reasonable Cyber Security
The panel provided an overview of the risk-based analysis process that substantiates the method, and presented the legal, regulatory, and security best-practice history that informs the method. Each participant explained why the method successfully substantiates the term “reasonable” in their work and offered anecdotes illustrating how it has been used in their experience. Because the panel described a practical method that organizations can use to define how the term “reasonable” applies to them, all attendees received an immediately applicable and tangible benefit from the session.
DoCRA Council Board Chair, Chris Cronin, participated in the panel discussing reasonable security. The webinar provides a full perspective from legal, security, insurance, and regulatory views. The recording is now available at the NetDiligence website.
- Terms and Definitions
- Various Standards of Reasonableness and Duty of Care
- Risk-Based Analysis and Best Practices
- Communicating to and Working with the Policyholder.
- Andrew Maher (M), AXIS
- Chris Cronin, HALOCK Security Labs
- Doug Meal, Orrick LLP
- Timothy Murphy, Office of Attorney General for the Commonwealth of Pennsylvania
A few key Q&As from the webinar:
Are there any risk frameworks which quantify risk in the way you’re describing?
CIS RAM by the Center for Internet Security provides explicit instructions for how to do risk analysis to demonstrate balance and reasonableness. ISO 27005 and NIST 800-30 imply or state that risk analysis should consider risk to self, interested parties, and mission (what courts may think of as “utility”).
Various carriers offer complementary risk engineering services, but insureds rarely use the opportunity. If carriers make their terms subject to it, there is push back saying that other markets are not requiring it. Do you think that carriers as a whole should push harder on requiring risk engineering to be completed?
Yes! As an information security practitioner I see regulators and customers respond very well when they see a focused effort on risk reduction over time. The NetDiligence report shows the majority of claims payouts going to liabilities. One of the things I love about insurance is that when it manages risk, everyone wins.
Does PA recognize CIS Controls for assessment?
Yes, PA listed CIS Controls by name in a recent settlement along with other industry-appropriate control standards such as NIST and ISO 27001.
Are there cases I can review to better understand Reasonable security?
Pennsylvania’s settlement with Orbitz and Expedia, https://www.attorneygeneral.gov/wp-content/uploads/2019/12/19-12-12-Orbitz-AVC-EFILING.pdf
I am in Medical Technology Cybersecurity. We follow NIST and CIS Controls within the hospital’s risk appetite and budget. Less funds are available due to COVID-19 and reduced revenue.
It would be highly questionable whether “less funds available” would be considered a valid reason for not employing data security measures that would otherwise be considered “reasonable” under industry standards, applicable statutes/regulations, or cost-benefit analysis.
Additionally from Chris:
If you use CIS Controls, then also look at CIS RAM, the risk assessment method. It shows you how to do this risk analysis.
View the recording.
NATIONAL LAW REVIEW
Approaching Reasonable Security for Regulatory Requirements such as The SHIELD Act, CCPA, California’s Internet of Things (IoT) and more
Executives and directors need quantitative measurements – such as likelihood of loss and hard-dollar financial impact – to make more informed decisions about security risks. (CIS RAM)
CIS® (Center for Internet Security, Inc.)
CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon. CIS RAM FAQs