What Is Reasonable Security?
Reasonable security is the level of cybersecurity protection that is appropriate for your organization given its size, the types of data it handles, and its risk profile. It is both a legal standard of care and a cybersecurity best practice: meeting it shows that you took defensible, proportionate steps to protect information.
As regulations and privacy laws increasingly require ‘reasonable security’, more organizations are focusing on their duty of care to all interested parties, and ‘reasonableness’ appears more often in breach litigation and in security programs themselves. The goal is to have every relevant team involved in analyzing the appropriate level of risk for your unique business environment. It is a positive sign that organizations are incorporating all of these perspectives to mitigate risk and manage cyber threats, finding a common language to do so, and, more importantly, developing the security program holistically rather than as a checklist.
The Duty of Care Risk Analysis (DoCRA) standard provides guidance in implementing reasonable security. CIS RAM is based upon this standard. HALOCK has seen many clients benefit from practicing their duty of care. Other experts have referenced DoCRA and CIS RAM in their cybersecurity and risk publications. A few titles are featured below.
European Telecommunications Standards Institute (ETSI) – ETSI TR 103 935 V1.1.1
by ETSI
“It is paramount that the fundamental principles that inform the treatment of risk should be clearly understood by all stakeholders. In that regard, the work of the DoCRA Council that authors, maintains, and distributes standards and methods pertaining to the analysis and management of risk is relevant. More specifically, the Duty of Care Risk Analysis [i.21] standard that presents principles and practices for analysing risks so that risk assessors equitably evaluate the interests of all parties potentially affected by risks.”
Taking Testing Seriously: The Rapid Software Testing Approach
by James Bach, Michael Bolton
“Two examples are ISO13485 and the proposed Duty of Care Risk Analysis Standard (www.docra.org).”
The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership
by Walt Powell
“In cybersecurity, demonstrating both duty of care and reasonableness is essential for building a legally defensible security program. This is where the Duty of Care Risk Analysis (DoCRA) standard comes in. DoCRA offers a structured way to evaluate risks and safeguards, ensuring your actions align with legal and regulatory expectations. What makes DoCRA stand out is that it addresses the interests of everyone potentially impacted by the risks, not just the organization. It helps balance the burden of implementing safeguards with the organization’s mission, a key factor that regulators and courts consider when evaluating security practices.”
Artificial Intelligence for Sustainable Applications
by K. Umamaheswari, B. Vinoth Kumar, S. K. Somasundaram
“Cybersecurity standards like FAIR™, DoCRA, SBoM, STIX™, TAXII™, OpenC2, and CACAO are discussed in the paper.”
Advances in Software Engineering, Education, and E-Learning
by Fernando G. Tinetti, Hamid R. Arabnia, Leonidas Deligiannidis, Quoc-Nam Tran
CISO COMPASS
Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
by Todd Fitzgerald
“CIS RAM is the first control standard to be applied to the new Duty of Care Risk Analysis Standard (DoCRA). It will be interesting to see how the acceptance of DoCRA progresses and the achieved level of adoption between the legal and security communities as it directly marries the risk assessment techniques noted in the Risk Management chapter, the legal practices noted in the security incident and it’s the law chapters, and this chapter on the security controls frameworks. There are clearly benefits of morphing to a more seamless conversation between the cybersecurity, legal, and business communities.”
Cybersecurity: Ethics, Legal, Risks, and Policies
By Ishaani Priyadarshini, Chase Cotton
“Another challenging aspect of cyber insurance and risk management is determining the acceptable risk for each organization. A ‘duty of care’ approach may be essential for protecting all interested parties like judges, regulators, executives, and the public who can be influenced by those risks. The duty of care risk analysis standard (DoCRA) lists principles and practices for balancing security, business objectives, and compliance, while developing security controls.”
Cyber Risk Management
Prioritize Threats, Identify Vulnerabilities and Apply Controls
By Christopher J Hodson
“CIS RAM focuses on the concepts of due care and appropriateness, via a ‘Duty of Care Risk Analysis’ (DoCRA) model.”
“The CIS RAM interoperates well with established risk frameworks such as ISO 27005 and NIST 800-30 and provides a set of control recommendations to evidence due care and appropriateness through templates, exercises and practical examples. CIS RAM also assists the organization in the creation of a risk register, something which can be overlooked.”
“CIS RAM’s principles and practices align to law, regulations and security standards. They are based on three overarching principles which are pragmatic and should be considered in any adoption of a risk management framework (Center for Internet Security, 2018):
- Risk analysis must consider the interests of all parties that may be harmed by the risk.
- Risks must be reduced to a level that authorities and potentially affected parties would find appropriate.
- Safeguards must not be more burdensome than the risks they protect against.”
Creating an Information Security Program from Scratch
By Walter Williams
“The Center for Internet Security developed CIS RAM based on their Critical Security Controls standard; however, it conforms to the standards established by ISO 27005, NIST SP 800-30, and RISK IT so that an organization looking to implement the critical security controls could have a standards-based means to determine what of the sub controls of the standard they would implement, and which would be deemed not acceptable.
CIS RAM is also based on the notion of Duty of Care Risk Analysis (DoCRA). This is an independent standard (https://docra.org) which represents principles and practices for analyzing risks that addresses the interests of all impacted parties.”
National University of Singapore – Risk Assessment | Information Systems
by Yang Lu
“CIS Risk Assessment Method (RAM) V2.1 uses the Duty of Care Risk Analysis Standard (DoCRA) as its foundation.”
PCI DSS An Integrated Data Security Standard Guide
by Jim Seaman
“Try using concise methodologies to effectively articulate the results of your risk assessments, such as ….
CIS RAM (Center for Internet Security Risk Assessment Method) …”
The Risk Management Handbook
by David Hillson
“Center for Internet Security Risk Assessment Method (CIS RAM) (CIS, 2022) whose main focus is managing risk related to the CIS Critical Security Controls and is a qualitative risk assessment methodology.”
Soft Computing Applications
Proceedings of the 8th International Workshop Soft Computing Applications (SOFA 2018), Vol. I
by Lakhmi C. Jain, Marius Mircea Balas, Shahnaz N. Shahbazova, Valentina Emilia Balas
Georgia Government Finance Officers Association (GGFOA)
Useful Links
Cyber Security Useful Links:
- The Duty of Care Risk Analysis (DoCRA) and the CIS Risk Assessment Method (RAM) v2.1 for CIS Controls v8 (cisecurity.org).
- If you want to gain a little more info, here is a link to an hour-long video (very well done and extremely thought provoking, especially towards the end) that explains this idea of risk management related to cyber risk reviews. The video is from 2018, though the concept is very relevant to what we were discussing and adds another consideration for school districts to explore. CIS RAM: This Math will Save You HALOCK Cyber Security Summit Chicago (wistia.com)
Tactical Objective: Strategic Decoding the Art of Military Precision
By Fouad Sabry · 2024
“DoCRA examines risks and their protections and considers the interests of all parties potentially affected by such risks.”
The Herff Jones Assurance of Discontinuance (AOD)
The New York Attorney General, December 2022
DNA Diagnostics Center, Inc. Assurance of Voluntary Compliance
Attorney General of the State of Ohio 2023
“risk assessment criteria must conform to an information security risk assessment method that is provided by information security bodies (e.g., NIST Special Publications 800-30, The Sedona Conference Commentary on a Reasonable Security Test (February 2021), ISO 27005, Duty of Care Risk Analysis Standard (“DoCRA”), or Center for Internet Security Risk Assessment Method (“CIS RAM”) Version 2.0)”
Cyber-Safety in Healthcare IOT
By Duncan Sparrell · 2019
Network Scanning Cookbook
Practical Network Security Using Nmap and Nessus 7
By Sairam Jetty · 2018
“The following are some of the standards in the market to which relevant organizations are expected to be compliant:
- ETSI cybersecurity technical committee (TC CYBER)
- ISO/IEC 27001 and 28002
- CISQ
- DoCRA
- NERC
- NIST”

Frequently Asked Questions (FAQ) on Reasonable Security
Why is “Reasonable” Security Important?
“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.
Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.
Organizations with reasonable security:
- Have a better chance of avoiding regulatory action after a breach
- Are better positioned during litigation and investigations
- Have more support from cyber insurance carriers and adjusters
- Instill more confidence with clients, partners, and stakeholders
What Laws and Regulations Reference “Reasonable Security”?
In the United States, a variety of state and federal laws and regulations require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:
“(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.”
“(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”
“(e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”
“(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
“requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information”
(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
“(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;”
Controllers must “Use reasonable safeguards to secure personal data.”
“the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
“What does a reasonable information security program look like?”
“every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”
How Do You Demonstrate Reasonable Security?
The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.
A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.
Key elements include:
- Risk identification: What data, systems, and processes are impacted?
- Threat and vulnerability analysis: What risks are credible and foreseeable?
- Impact assessment: What could cause harm to customers, partners, or operations?
- Control evaluation: What safeguards are reasonable under current conditions?
- Documentation: Written records of your findings, decisions, and mitigations.
Risk assessment standards such as NIST SP 800-30, ISO 27005, CIS RAM (applied to the CIS Controls), and DoCRA (Duty of Care Risk Analysis) give you a recognized method for deciding, and later proving, what “reasonable” looks like in practice for your organization.
Is Reasonable Security the Same as Compliance?
No. Compliance shows that you met a prescribed set of requirements; reasonable security shows that you analyzed your own risks and applied safeguards proportionate to them, which is the due care regulators and courts look for. A compliant organization can still fall short of reasonable security if a foreseeable risk was never assessed, and reasonable security may call for controls that no checklist names. Conversely, reasonable security does not require doing everything possible: safeguards need only be commensurate with the harm they prevent.
What Is the Duty of Care Risk Analysis (DoCRA)?
The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is:
“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”
DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.
How Does HALOCK Help Organizations Demonstrate Reasonable Security?
HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.
A HALOCK assessment helps you to:
- Identify, quantify, and prioritize cyber risks
- Select and balance controls with business impact
- Document a reasonable security posture for regulators, courts, and clients
- Establish an accountability and continuous improvement process

Learn how Duty of Care Risk Analysis (DoCRA) can help you achieve reasonable security:
What is Duty of Care Risk Analysis (DoCRA) for Cybersecurity?
What is Duty of Care Risk Analysis (DoCRA) for General Counsel?
What is Duty of Care Risk Analysis (DoCRA) for Regulators?
What is Duty of Care Risk Analysis (DoCRA) for Auditors?
What is Duty of Care Risk Analysis (DoCRA) for Executives?
What is Duty of Care Risk Analysis (DoCRA) for Risk Managers?
