Calendar

Upcoming events and important dates regarding cybersecurity as well as the Duty of Care Risk Analysis (DoCRA)


Wisconsin Health Information Management Association (WHIMA)

May 12, 2022

What is your Duty of Care? How do you define “reasonable” security safeguards? When do I know that I have done enough? Organizations need a method to establish acceptable risk for the business, regulators, and all interested parties – a method that considers harm outside the company, defines acceptable risk, and examines the burden of proposed safeguards. Duty of Care Risk Analysis, leveraged by the Center for Internet Security’s Risk Assessment Methods (CIS-RAM), translates these requirements into business terms to develop reasonable security controls.

Presenter: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor Board Member of the DoCRA Council


RSA 2022

June 7, 2022

Securing the budget you require in a transforming world is more difficult than ever. This session will cover the four major questions budget approvers need answered and how utilizing the Duty of Care Risk Analysis (DoCRA) methodology will help you deliver the information to secure the budget you really need.

Speaker: Jim Mirochnik


MER Conference

May 11, 2022

No organization can achieve airtight, hermetically sealed security, so the legal standard for compliance with most data security regulations is that the security measures in place be “reasonable.” But what does that mean? The Sedona Conference’s Working Group 11 on Data Security and Privacy Liability published a Commentary in 2021 that evaluates what “legal test” a court or regulatory body should apply, or what other approach it should follow, where the issue is whether the organization has met that legal obligation. A Contributing Editor to the Commentary will summarize its main points and address your questions.

Key Issues This Presentation Will Address  

  • How to define reasonable security for your organization
  • Using “reasonable” to manage risk and compliance
  • Using “reasonable” to defend your security when things go wrong

Key Takeaways from this Presentation  

For two decades U.S. law has frustrated organizations by requiring that cybersecurity and privacy controls be “reasonable.” Regulators and litigators have signaled that if we could demonstrate this elusive standard that they would nod and let us pass after personal information was breached on our watch. But neither business nor regulators could articulate what “reasonable” meant, leaving organizations frustrated, confused, and fined, and the lawyers, once again, blamed. This session will demonstrate the Test for Reasonable Security in a way that IG, legal, cybersecurity, compliance, and privacy officers will be able to use in their own environments.

Presenter: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council


RIMS 2022

April 11, 2022

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach.

Presenter: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council

View the recording


MER Conference

The Center for Internet Security, Inc. (CIS®

February 8, 2022

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM, a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators.

Through an ongoing partnership, CIS RAM v2.1 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.

What Attendees will Learn:

  • An overview of how to conduct a risk assessment using CIS RAM 2.1 for IG2.
  • A step-by-step tutorial of the activities an IG2 enterprise will take to conduct a risk assessment using CIS RAM 2.1, including:
      • How to complete the Impact Criteria Survey
      • Defining Impact Areas (Mission, Operational Objectives, Financial Objectives, Obligations)
      • Defining Impact Magnitudes (Negligible, Acceptable, Unacceptable, High, Catastrophic)
      • How to complete the Enterprise Parameters
      • Defining criteria for Impact, Expectancy, Risk Acceptance, and Inherent Risk
      • How to complete a Risk Register
      • Identifying and evaluating risks using the CIS Controls
      • Understanding Risk Treatment to reduce risks to an acceptable level
      • How you can apply both a quantitative and qualitative approach to a CIS RAM risk assessment

Host/Moderator: Valecia Stocchetti is a Sr. Cybersecurity Engineer for the CIS Controls

Presenter: Chris Cronin is a partner at HALOCK Security Labs and Chair of the DoCRA Council


(ISC)² Silicon Valley Chapter meeting

November 9, 2021

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight, and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:

  • Define risk assessment criteria so they allow for comparison, reflect the organization’s values, and will hold up to public scrutiny.

  • Model and select threats that are relevant to information assets and controls.

  • Estimate the likelihood of risks.

This presentation is an update of the one he presented at (ISC)² 2019 Security Congress.


CIS Risk Assessment Method (RAM) v2.0 Webinar

November 17, 2021

CIS Risk Assessment Method v2.0 Webinar Registration

CIS RAM v2.0 (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps enterprises plan and justify their implementation of CIS Critical Security Controls (CIS). Learn about the CIS RAM family of documents, a free tool, providing step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment.


National Association of Attorneys General (NAAG)

November 8-10, 2021

NAAG Consumer Protection Fall Conference

The NAAG Consumer Protection Fall Conference will take place from Nov. 8-10, 2021, in Washington, DC. With the support of the NAAG Consumer Protection Committee, this conference will address pressing and relevant issues related to consumer protection. Sessions during the public portion of the conference will include panels on 3rd party seller platforms, non-fungible tokens (NFTs), and ransomware, as well as a panel of attorneys general.

On Monday, November 8, registration opens for the public at 11:30 a.m., with lunch and a panel of attorneys general starting at noon. The public portion of the conference concludes with a reception that ends at 7:00 p.m. The private, nonprofit, and government sectors are invited to attend the public portion of the conference.


 RSA Conference 2021

May 18, 2021

Virtual session followed by live discussion

Forecasting Threats is Way Easier Than You Think

Innovations by cybersecurity attackers intimidate managers into thinking that they cannot forecast attacks, but publicly sourced data shows that forecasting has more to do with knowing how organizations handle sensitive assets than with attacker innovations. The presenter will show how the audience can use an unmistakable pattern in the data to plan their security programs.

SPEAKER: Chris Cronin


RSA Conference 2021

May 19, 2021

Virtual

Your Breached Controls May Have Been Reasonable After All

Panelists
Bill Sampson, Partner at Shook Hardy & Bacon LLP
Phyllis Lee, Senior Director for Controls The Center for Internet Security, Inc. (CIS®)
Chris Cronin, Partner at HALOCK Security Labs
Jim Trilling, Attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC)
David Cohen, Counsel at Orrick, Herrington & Sutcliffe

DATE: May 19, 2021 – Wednesday, 10:45 Pacific Time

SESSION CODE: CXO-W08


PAST EVENTS


Midwest Cyber Security Alliance Virtual Meeting

February 18, 2021, 3:30 – 5:30 p.m. CST

Live Webcast Seminar

They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA) Keeping Your Eye on the Prize – Translating “Reasonable Security” into Real Data Protection

Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.

To address these issues, the next Midwest Cyber Security Alliance virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B2 – B1 < (P x H)1 – (P x H)2.

Understanding and leveraging the legal definition of “reasonable” will certainly have its advantages — please join Foley and HALOCK Security Labs on Thursday, February 18, 2021, for a discussion on what it is and how it can be applied to your organization.

Speakers:

Jennifer L. Urban, CIPP/US 
Moderator
Partner
Foley & Lardner LLP

Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
Senior Partner
HALOCK Security Labs


National Foundation for Judicial Excellence: 2020 Annual Judicial Symposium

October 15, 2020, 3:15pm

Online

Judging Efforts to Protect Personal Information: What Test Should Apply?

In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit vacated the FTC’s order that LabMD implement the FTC-designed security program on grounds it required an “indeterminable standard of reasonableness.” The panel will discuss LabMD, Inc. and the most promising standard that has emerged in the wake of it—one based upon a duty of care risk analysis. Such an approach has been adopted by the Center for Internet Security, and it has been used by Pennsylvania’s OAG in a settlement with Expedia. It is also the subject of an important, current study by the Sedona Conference; and two members from the Sedona Conference will be part of the panel.

PANELISTS
Chris Cronin, Halock Security Labs, Schaumburg, IL
William R. Sampson, Shook Hardy & Bacon LLP, Kansas City, MO


Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule

July 13, 2020, 9:00am

Online

The workshop will explore some of the issues raised in response to amendments the FTC has proposed making to the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. In 2019, the FTC sought comments on the proposed amendments to the Safeguards Rule. PANELIST: Chris Cronin


Online Meeting on The Sedona

NetDiligence Cyber Risk Summit 2020

July 7, 2020, 12:00-1:00pm

Online

PANELIST: Chris Cronin

What is Reasonable Cyber Security?

TOPICS: Terms and Definitions, Various Standards of Reasonableness and Duty of Care, Risk-Based Analysis and Best Practices, Communicating to and Working with the Policyholder.

PANELISTS:

Andrew Maher (M), AXIS

Chris Cronin, Halock Security Labs

Doug Meal, Orrick LLP

Timothy Murphy, Office of Attorney General for the Commonwealth of Pennsylvania


Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance

June 24, 2020, 1:00pm EDT

A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.

As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to closely as possible replicate a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.

PANELIST: Chris Cronin


RSA Conference 2020

Feb 28, 2020 – San Francisco, 8:30am

Moscone Center

SPEAKER: Jim Mirochnik

Securing the Budget You Need! Translating Security Risks to Business Value.

InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.


RIMS 2020 Annual Conference

May 5, 2020 – DC, 3:50pm

Thought Leader Theater

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.

CyberNext Summit 2019 – KuppingerCole Analysts

OCT 9, 2019 – DC, 9:30am

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

This presentation will explain judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you need to be asked.

Attendees will learn:

  • How to define “reasonable” in a way that makes sense to business, judges, and regulators.
  • How to design and run a risk assessment that is meaningful to technicians, business, and authorities.
  • Learn from case studies involving regulatory oversight, law suits that happened, and law suits that never happened.

(ISC)² Security Congress: The Questions a Judge Will Ask You After a Data Breach – What is Reasonable

OCT 30, 2019 – Orlando, 1:45-2:45pm 

SPEAKER: Terry Kurzynski

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:

  • Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
  • Model and select threats that are relevant to information assets and controls.
  • Estimate the likelihood of risks.

The Sedona Conference Working Group 11 Midyear Meeting 2019

SEP 18, 2019 – Canada

Panelist & Group Member: Chris Cronin

Proactive privacy and security governance: Complying with global data privacy and security regulations 


Healthcare Compliance Association (HCCA) – The Questions a Judge will ask you after a Data Breach

June 25, 2019 – Webinar 

SPEAKER: Tod Ferran


American Health Lawyers Association (AHLA) Webinar:  “Adopting Duty of Care Risk Analysis to Drive GRC

June 5, 2019 – Webinar 

SPEAKERS: Terry Kurzynski & Jennifer Rathburn of Foley & Lardner


Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019

MAY 30, 2019 – Cleveland 

PANELIST: Chris Cronin


NIST Cybersecurity Risk Management Conference – Evaluating “Reasonable” Cyber Risk Using the Center for Internet Security Risk Assessment Method

NOV 9, 2018  

PANELIST: Chris Cronin


UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA

OCT 18, 2018  

SPEAKERS: Terry Kurzynski with Foley & Lardner


CISO GROUP MEETING – DoCRA

OCT 23, 2018 – Chicago, 3:00-5:00pm 

Reserve your seat at info@docra.org.


DoCRA USER GROUP MEETING & WEBINAR Q1 2019

FEB 13, 2019 – Chicago & Webinar

Reserve your seat at info@docra.org.


WEBINARS

OCT 17, 2018

UW E-Business Consortium, University of Wisconsin-Madison – Cyber-Defense Strategies and Solutions: Preparing for a Cyber-breach: From Forensics to Litigation

NOV 7, 2018

LOUISIANA HOSPITAL ORGANIZATION – Acceptable Security Risk and Negligence: It’s a Fine Line

Duty of Care Risk Assessment (DoCRA): Preparing and Evaluating Risk Assessments for Reasonable Person Defenses

This presentation will cover an emerging approach for defining reasonableness in cybersecurity that uses “due care” as its basis. Referencing case law, regulatory oversight, and the recently-released CIS RAM (Center for Internet Security Risk Assessment Method), the speaker will explore the future implications of this emerging approach toward defining reasonableness.

NOV 7, 2018

NIST Cybersecurity Risk Management Conference 2018

Evaluating ‘Reasonable’ Cyber Risk Using the Center for Internet Security Risk Assessment Method

Center for Internet Security published a new risk assessment method in April 2018 that enables organizations to conduct risk assessments so they are meaningful to both internal and external audiences: regulators, litigators, cyber security specialists, and non-technical managers. The Center for Internet Security Risk Assessment Method (CIS RAM) provides detailed and practical guidance that builds on NIST 800-30, and is consistent with regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The
proposed panel discussion will feature the authors of CIS RAM who will present the method, its basis in security frameworks and law, and case studies that illustrate its use in legal and non-legal contexts.