Archive

When an interested party comes knocking after a breach, are you prepared to show your security program was reasonable and appropriate? The recently published Duty of Care Risk Analysis standard and related methods are now available for organizations to leverage. Terry Kurzynski, Senior Partner from HALOCK Labs, contributing author of the Center for Internet Security’s Risk Assessment Method (CIS RAM) and founding Board Member of the DoCRA Council (Duty of Care Risk Analysis), will present the facts on how to prepare your organization for scrutiny from any and all interested parties. Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. Most decisions are made ad hoc leaving the organizations open to fines and class action lawsuits related to an incident. In all breach/incident cases there is always a control or configuration that could have prevented the breach. The regulator, judge, or other interested party wants to understand; “why you did not have that particular control or configuration in place?” Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others (outside of the organization) and how you were planning on addressing the reduction of impact or probability is what the interested parties want to see. Are you performing your duty?

The Incident Response Readiness (IRR) Essentials Package provides you with all of the elements to develop your company’s incident response readiness program quickly plus a consulting team to help you navigate your specific technical questions and mitigate risk throughout the process. You receive Incident Response Program components with directions, templates, cyber security training, and advisory services that guide you along the development process.

We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur. Learn about cyber threats.

  

CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.