As regulations and privacy laws require ‘reasonable security’, we are seeing more organizations focusing on their duty of care to all interested parties. We are finding more references to ‘reasonableness’ in breach litigation and security programs. The goal is to have all relevant teams involved in analyzing the appropriate risk for your unique business environment. It is a positive sign that there are increased efforts to incorporate all perspectives to mitigate risk and manage cyber threats – and finding a common language to do so. And more importantly, developing a security program holistically.
The Duty of Care Risk Analysis (DoCRA) standard provides guidance in implementing reasonable security. CIS RAM is based upon this standard. HALOCK has seen many clients benefit from practicing their duty of care. Other experts have referenced DoCRA and CIS RAM in their cybersecurity and risk publications. A few titles are featured below.
Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
by Todd Fitzgerald
“CIS RAM is the first control standard to be applied to the new Duty of Care Risk Analysis Standard (DoCRA). It will be interesting to see how the acceptance of DoCRA progresses and the achieved level of adoption between the legal and security communities as it directly marries the risk assessment techniques noted in the Risk Management chapter, the legal practices noted in the security incident and it’s the law chapters, and this chapter on the security controls frameworks. There are clearly benefits of morphing to a more seamless conversation between the cybersecurity, legal, and business communities.”
By Ishaani Priyadarshini, Chase Cotton
“Another challenging aspect of cyber insurance and risk management is determining the acceptable risk for each organization. A ‘duty of care’ approach may be essential for protecting all interested parties like judges, regulators, executives, and the public who can be influenced by those risks. The duty of care risk analysis standard (DoCRA) lists principles and practices for balancing security, business objectives, and compliance, while developing security controls.”
Prioritize Threats, Identify Vulnerabilities and Apply Controls
By Christopher J Hodson
“CIS RAM focuses on the concepts of due care and appropriateness, via a ‘Duty of Care Risk Analysis’ (DoCRA) model.”
“The CIS RAM interoperates well with established risk frameworks such as ISO 27005 and NIST 800-30 and provides a set of control recommendations to evidence due care and appropriateness through templates, exercises and practical examples. CIS RAM also assists the organization in the creation of a risk register, something which can be overlooked.”
“CIS RAM’s principles and practices align to law, regulations and security standards. They are based on three overarching principles which are pragmatic and should be considered in any adoption of a risk management framework (Center for Internet Security, 2018):
- Risk analysis must consider the interests of all parties that may be harmed by the risk.
- Risks must be reduced to a level that authorities and potentially affected parties would find appropriate.
- Safeguards must not be more burdensome that the risks they protect against.”
By Walter Williams
“The Center for Internet Security developed CIS RAM based on their Critical Security Controls standard; however, it conforms to the standards established by ISO 27005, NIST SP 800-30, and RISK IT so that an organization looking to implement the critical security controls could have a standards-based means to determine what of the sub controls of the standard they would implement, and which would be deemed not acceptable.
CIS RAM is also based on the notion of Duty of Care Risk Analysis (DoCRA). This is an independent standard (https://docra.org) which represents principles and practices for analyzing risks that addresses the interests of all impacted parties.”