Archive

When an interested party comes knocking after a breach, are you prepared to show your security program was reasonable and appropriate? The recently published Duty of Care Risk Analysis standard and related methods are now available for organizations to leverage. Terry Kurzynski, Senior Partner from HALOCK Labs, contributing author of the Center for Internet Security’s Risk Assessment Method (CIS RAM) and founding Board Member of the DoCRA Council (Duty of Care Risk Analysis), will present the facts on how to prepare your organization for scrutiny from any and all interested parties. Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. Most decisions are made ad hoc leaving the organizations open to fines and class action lawsuits related to an incident. In all breach/incident cases there is always a control or configuration that could have prevented the breach. The regulator, judge, or other interested party wants to understand; “why you did not have that particular control or configuration in place?” Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others (outside of the organization) and how you were planning on addressing the reduction of impact or probability is what the interested parties want to see. Are you performing your duty?

We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur. Learn about cyber threats.

  

CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.

“A Privacy Guide: Is There Such a Thing as Reasonable Privacy?” on how to implement privacy reasonably and mitigate risk.
  

What is reasonable security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

This presentation helps establish reasonable security by reviewing judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you need to be asked.

Midwest Cyber Security Alliance (MCSA) reviews the California Consumer Privacy Act CCPA to understand the potential penalties and risks of noncompliance.

Unlike most regulations you may be familiar with, the PCI DSS is enforced by contract – here is a quick look at the process; learn more about how you can be PCI compliant and manage risk.

Duty of Care Risk Analysis

• How to define “reasonable” security controls that makes sense to business, judges, and regulators.
• Design and run a risk assessment that is meaningful to technicians, business, and authorities.
• Learn from case studies involving regulatory oversight, law suits that happened, and law suits that never happened

Business decision-makers juggle countless variables and make risk decisions using “due care” and “reasonableness.” Learn best practices on how to apply duty of care to your specific organization.