Archive
InfraGard SuperCon: Getting to Reasonable – What regulators and judges want to see from every organization
When an interested party comes knocking after a breach, are you prepared to show your security program was reasonable and appropriate? The recently published Duty of Care Risk Analysis standard and related methods are now available for organizations to leverage. Terry Kurzynski, Senior Partner from HALOCK Labs, contributing author of the Center for Internet Security’s Risk Assessment Method (CIS RAM) and founding Board Member of the DoCRA Council (Duty of Care Risk Analysis), will present the facts on how to prepare your organization for scrutiny from any and all interested parties. Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. Most decisions are made ad hoc leaving the organizations open to fines and class action lawsuits related to an incident. In all breach/incident cases there is always a control or configuration that could have prevented the breach. The regulator, judge, or other interested party wants to understand; “why you did not have that particular control or configuration in place?” Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others (outside of the organization) and how you were planning on addressing the reduction of impact or probability is what the interested parties want to see. Are you performing your duty?
Cyber Security Summit Threat Forecasting: Using Open Source Data to Foresee Your Next Breach
We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur. Learn about cyber threats.
Cyber Security Summit Presentation: CMMC and CCPA. Using Duty of Care Risk to Comply With New Challenges
CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.
Is There Such a Thing as Reasonable Privacy?
“A Privacy Guide: Is There Such a Thing as Reasonable Privacy?” on how to implement privacy reasonably and mitigate risk.
(ISC)2 Security Congress | The Questions a Judge Will Ask You When You are Sued for a Data Breach | Getting to Reasonable Security
What is reasonable security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.