Calendar

Upcoming events and important dates regarding cybersecurity as well as the Duty of Care Risk Analysis (DoCRA)


NetDiligence Cyber Risk Summit

February 21, 2023

  • Prove You are Ready: Using the test Pre- & Post-Breach
  • Good Test results: Why it is a Valuable Tool!
  • How Test Documentation Prevails in Standing Up to Litigation & Claims

Panelists:

  • Chris Cronin, HALOCK Security Labs
  • Doug Meal, Orrick LLP
  • Timothy Murphy, Pennsylvania Office of the Attorney General

CIS RAM v2.1 for Implementation Group 3 (IG3) Workshop

RECORDING NOW AVAILABLE

Join us on Tuesday, June 21, 2022 at 1:00 PM ET for the CIS RAM v2.1 workshop. DoCRA Chair Chris Cronin will be presenting the latest release which includes Implementation Group 3 (IG3).

CIS RAM v2.1 includes three different approaches to support enterprises of three levels of capability in alignment with the CIS Controls Implementation Groups (IGs): IG1, IG2, and IG3. The third of many documents in the CIS RAM v2.1 family, CIS RAM v2.1 for IG3, is now available for download. It’s designed to help enterprises in IG3 build and improve upon their cybersecurity program. CIS RAM v2.1 for IG3 helps enterprises understand how well prepared they are for the most and least commonly reported threats that cause security incidents.

CIS developed CIS RAM v2.1 through an ongoing partnership with HALOCK Security Labs. HALOCK and CIS first collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. Since then, HALOCK has been providing CIS RAM methods with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders.

CIS is a founding member of the DoCRA Council, the organization that maintains the risk analysis standard on which CIS RAM v1.0 is built.

Presenter: Chris Cronin


RSA 2022

June 7, 2022

Securing the budget you require in a transforming world is more difficult than ever. This session will cover the four major questions budget approvers need answered and how utilizing the Duty of Care Risk Analysis (DoCRA) methodology will help you deliver the information to secure the budget you really need.

Speaker: Jim Mirochnik


Wisconsin Health Information Management Association (WHIMA)

May 12, 2022

What is your Duty of Care? How do you define “reasonable” security safeguards? When do I know that I have done enough? Organizations need a method to establish acceptable risk for the business, regulators, and all interested parties – a method that considers harm outside the company, defines acceptable risk, and examines the burden of proposed safeguards. Duty of Care Risk Analysis, leveraged by the Center for Internet Security’s Risk Assessment Methods (CIS-RAM), translates these requirements into business terms to develop reasonable security controls.

Presenter: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor; Board Member of the DoCRA Council


MER Conference

May 11, 2022

No organization can achieve airtight, hermetically sealed security, so the legal standard for compliance with most data security regulations is that the security measures in place be “reasonable.” But what does that mean? The Sedona Conference’s Working Group 11 on Data Security and Privacy Liability published a Commentary in 2021 that evaluates what “legal test” a court or regulatory body should apply, or what other approach it should follow, where the issue is whether the organization has met that legal obligation. A Contributing Editor to the Commentary will summarize its main points and address your questions.

Key Issues This Presentation Will Address  

  • How to define reasonable security for your organization
  • Using “reasonable” to manage risk and compliance
  • Using “reasonable” to defend your security when things go wrong

Key Takeaways from this Presentation  

For two decades U.S. law has frustrated organizations by requiring that cybersecurity and privacy controls be “reasonable.” Regulators and litigators have signaled that if we could demonstrate this elusive standard, they would nod and let us pass after personal information was breached on our watch. But neither business nor regulators could articulate what “reasonable” meant, leaving organizations frustrated, confused, and fined, and the lawyers, once again, blamed. This session will demonstrate the Test for Reasonable Security in a way that IG, legal, cybersecurity, compliance, and privacy officers will be able to use in their own environments.

Presenter: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council


RIMS 2022

April 11, 2022

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach.

Presenter: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council

View the recording


The Center for Internet Security, Inc. (CIS®)

February 8, 2022

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM, a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators.

Through an ongoing partnership, CIS RAM v2.1 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.

What Attendees will Learn:

  • An overview of how to conduct a risk assessment using CIS RAM 2.1 for IG2.
  • A step-by-step tutorial of the activities an IG2 enterprise will take to conduct a risk assessment using CIS RAM 2.1, including:
      • How to complete the Impact Criteria Survey
      • Defining Impact Areas (Mission, Operational Objectives, Financial Objectives, Obligations)
      • Defining Impact Magnitudes (Negligible, Acceptable, Unacceptable, High, Catastrophic)
      • How to complete the Enterprise Parameters
      • Defining criteria for Impact, Expectancy, Risk Acceptance, and Inherent Risk
      • How to complete a Risk Register
      • Identifying and evaluating risks using the CIS Controls
      • Understanding Risk Treatment to reduce risks to an acceptable level
      • How you can apply both a quantitative and qualitative approach to a CIS RAM risk assessment

Host/Moderator: Valecia Stocchetti is a Sr. Cybersecurity Engineer for the CIS Controls

Presenter: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council


(ISC)² Silicon Valley Chapter meeting

November 9, 2021

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight, and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:

  • Define risk assessment criteria so they allow for comparison, reflect the organization’s values, and will hold up to public scrutiny.

  • Model and select threats that are relevant to information assets and controls.

  • Estimate the likelihood of risks.

This presentation is an update of the one presented at the (ISC)² 2019 Security Congress.


CIS Risk Assessment Method (RAM) v2.0 Webinar

November 17, 2021

CIS Risk Assessment Method v2.0 Webinar Registration

CIS RAM v2.0 (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps enterprises plan and justify their implementation of the CIS Critical Security Controls (CIS Controls). Learn about the CIS RAM family of documents, a free tool that provides step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment.


National Association of Attorneys General (NAAG)

November 8-10, 2021

NAAG Consumer Protection Fall Conference

The NAAG Consumer Protection Fall Conference will take place from Nov. 8-10, 2021, in Washington, DC. With the support of the NAAG Consumer Protection Committee, this conference will address pressing and relevant issues related to consumer protection. Sessions during the public portion of the conference will include panels on third-party seller platforms, non-fungible tokens (NFTs), and ransomware, as well as a panel of attorneys general.

On Monday, November 8, registration opens for the public at 11:30 a.m., with lunch and a panel of attorneys general starting at noon. The public portion of the conference concludes with a reception that ends at 7:00 p.m. The private, nonprofit, and government sectors are invited to attend the public portion of the conference.


RSA Conference 2021

May 18, 2021

Virtual session followed by live discussion

Forecasting Threats is Way Easier Than You Think

Innovations by cybersecurity attackers intimidate managers into thinking that they cannot forecast attacks, but publicly sourced data shows that forecasting has more to do with knowing how organizations handle sensitive assets than with attacker innovations. The presenter will show how the audience can use an unmistakable pattern in the data to plan their security programs.

SPEAKER: Chris Cronin


RSA Conference 2021

May 19, 2021

Virtual

Your Breached Controls May Have Been Reasonable After All

Panelists
Bill Sampson, Partner at Shook Hardy & Bacon LLP
Phyllis Lee, Senior Director for Controls, The Center for Internet Security, Inc. (CIS®)
Chris Cronin, Partner at HALOCK Security Labs
Jim Trilling, Attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC)
David Cohen, Counsel at Orrick, Herrington & Sutcliffe

DATE: May 19, 2021 – Wednesday, 10:45 Pacific Time

SESSION CODE: CXO-W08


PAST EVENTS


Midwest Cyber Security Alliance Virtual Meeting

February 18, 2021, 3:30 – 5:30 p.m. CST

Live Webcast Seminar

They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA) Keeping Your Eye on the Prize – Translating “Reasonable Security” into Real Data Protection

Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.

To address these issues, the next Midwest Cyber Security Alliance virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B₂ – B₁ < (P × H)₁ – (P × H)₂.

Understanding and leveraging the legal definition of “reasonable” will certainly have its advantages — please join Foley and HALOCK Security Labs on Thursday, February 18, 2021, for a discussion on what it is and how it can be applied to your organization.

Speakers:

Jennifer L. Urban, CIPP/US 
Moderator
Partner
Foley & Lardner LLP

Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
Senior Partner
HALOCK Security Labs


National Foundation for Judicial Excellence: 2020 Annual Judicial Symposium

October 15, 2020, 3:15pm

Online

Judging Efforts to Protect Personal Information: What Test Should Apply?

In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit vacated the FTC’s order that LabMD implement the FTC-designed security program on grounds it required an “indeterminable standard of reasonableness.” The panel will discuss LabMD, Inc. and the most promising standard that has emerged in the wake of it—one based upon a duty of care risk analysis. Such an approach has been adopted by the Center for Internet Security, and it has been used by Pennsylvania’s OAG in a settlement with Expedia. It is also the subject of an important, current study by the Sedona Conference; and two members from the Sedona Conference will be part of the panel.

PANELISTS
Chris Cronin, Halock Security Labs, Schaumburg, IL
William R. Sampson, Shook Hardy & Bacon LLP, Kansas City, MO


Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule

July 13, 2020, 9:00am

Online

The workshop will explore some of the issues raised in response to amendments the FTC has proposed making to the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. In 2019, the FTC sought comments on the proposed amendments to the Safeguards Rule.

PANELIST: Chris Cronin


NetDiligence Cyber Risk Summit 2020

July 7, 2020, 12:00-1:00pm

Online

PANELIST: Chris Cronin

What is Reasonable Cyber Security?

TOPICS: Terms and Definitions, Various Standards of Reasonableness and Duty of Care, Risk-Based Analysis and Best Practices, Communicating to and Working with the Policyholder.

PANELISTS:

Andrew Maher (M), AXIS

Chris Cronin, Halock Security Labs

Doug Meal, Orrick LLP

Timothy Murphy, Office of Attorney General for the Commonwealth of Pennsylvania


Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance

June 24, 2020, 1:00pm EDT

A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.

As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to replicate as closely as possible a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.

PANELIST: Chris Cronin


RSA Conference 2020

Feb 28, 2020 – San Francisco, 8:30am

Moscone Center

SPEAKER: Jim Mirochnik

Securing the Budget You Need! Translating Security Risks to Business Value.

InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.


RIMS 2020 Annual Conference

May 5, 2020 – DC, 3:50pm

Thought Leader Theater

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.


CyberNext Summit 2019 – KuppingerCole Analysts

OCT 9, 2019 – DC, 9:30am

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

This presentation will explain judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you are asked them.

Attendees will learn:

  • How to define “reasonable” in a way that makes sense to business, judges, and regulators.
  • How to design and run a risk assessment that is meaningful to technicians, business, and authorities.
  • Lessons from case studies involving regulatory oversight, lawsuits that happened, and lawsuits that never happened.


(ISC)² Security Congress: The Questions a Judge Will Ask You After a Data Breach – What is Reasonable

OCT 30, 2019 – Orlando, 1:45-2:45pm

SPEAKER: Terry Kurzynski

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:

  • Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
  • Model and select threats that are relevant to information assets and controls.
  • Estimate the likelihood of risks.


The Sedona Conference Working Group 11 Midyear Meeting 2019

SEP 18, 2019 – Canada

Panelist & Group Member: Chris Cronin

Proactive privacy and security governance: Complying with global data privacy and security regulations


Healthcare Compliance Association (HCCA) – The Questions a Judge will ask you after a Data Breach

June 25, 2019 – Webinar 

SPEAKER: Tod Ferran


American Health Lawyers Association (AHLA) Webinar: “Adopting Duty of Care Risk Analysis to Drive GRC”

June 5, 2019 – Webinar 

SPEAKERS: Terry Kurzynski & Jennifer Rathburn of Foley & Lardner


Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019

MAY 30, 2019 – Cleveland 

PANELIST: Chris Cronin


NIST Cybersecurity Risk Management Conference – Evaluating “Reasonable” Cyber Risk Using the Center for Internet Security Risk Assessment Method

NOV 9, 2018  

PANELIST: Chris Cronin


UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA

OCT 18, 2018  

SPEAKERS: Terry Kurzynski with Foley & Lardner


CISO GROUP MEETING – DoCRA

OCT 23, 2018 – Chicago, 3:00-5:00pm 

Reserve your seat at info@docra.org.


DoCRA USER GROUP MEETING & WEBINAR Q1 2019

FEB 13, 2019 – Chicago & Webinar

Reserve your seat at info@docra.org.


WEBINARS

OCT 17, 2018

UW E-Business Consortium, University of Wisconsin-Madison – Cyber-Defense Strategies and Solutions: Preparing for a Cyber-breach: From Forensics to Litigation

NOV 7, 2018

LOUISIANA HOSPITAL ORGANIZATION – Acceptable Security Risk and Negligence: It’s a Fine Line

Duty of Care Risk Assessment (DoCRA): Preparing and Evaluating Risk Assessments for Reasonable Person Defenses

This presentation will cover an emerging approach for defining reasonableness in cybersecurity that uses “due care” as its basis. Referencing case law, regulatory oversight, and the recently released CIS RAM (Center for Internet Security Risk Assessment Method), the speaker will explore the future implications of this emerging approach toward defining reasonableness.

NOV 7, 2018

NIST Cybersecurity Risk Management Conference 2018

Evaluating ‘Reasonable’ Cyber Risk Using the Center for Internet Security Risk Assessment Method

Center for Internet Security published a new risk assessment method in April 2018 that enables organizations to conduct risk assessments so they are meaningful to both internal and external audiences: regulators, litigators, cyber security specialists, and non-technical managers. The Center for Internet Security Risk Assessment Method (CIS RAM) provides detailed and practical guidance that builds on NIST 800-30, and is consistent with regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The proposed panel discussion will feature the authors of CIS RAM who will present the method, its basis in security frameworks and law, and case studies that illustrate its use in legal and non-legal contexts.