Why Do Laws and Regulations Require Risk Assessments for Achieving Compliance?
Businesses are often surprised to find that regulations are designed to be reasonable. Since 1993, Executive Order 12866 has required that regulations be overseen using cost-benefit analysis, a requirement that regulators interpret as “risk.” In its most practical application, risk-based security simply requires that safeguards be no more burdensome than the risk they protect against. And it’s not just regulators who say so.
Judges in negligence cases – including data breach cases – use “multi-factor balancing tests” to determine whether safeguards were reasonable protections against the foreseeability of harm. These balancing tests are very close in design to information security risk assessment standards such as ISO 27005, NIST SP 800-30, RISK IT, and DoCRA, an emerging standard for assessing risk in accordance with judicial and regulatory expectations. The Center for Internet Security adopted DoCRA as CIS RAM, the first information security risk assessment method that is explicitly based on duty of care analysis.
Why are risk assessments so commonly required?
Regulators, judges, and information security standards bodies know that there is no one perfect way to secure systems and information. They all know that certain safeguards can be helpful to some organizations while crippling others. They know that effective controls in one environment can create wide-open vulnerabilities in another. And most organizations just cannot operate while being “fully compliant” with any one security standard.
HALOCK guides our clients through Risk Assessments so that they can identify, in a clear, repeatable manner, which parts of their organization they must prioritize to address both compliance and security. And using HALOCK’s “Foreseeable Threat Index,” HALOCK’s clients know which threats to consider in their industry, how often those threats cause security incidents, and how they compare to peers who have suffered security incidents.
HALOCK’s risk assessments support clients with the following security and compliance needs:
• ISO/IEC 27001/27002/27005
• NIST Special Publications / FIPS
• PCI DSS
• HIPAA Security Rule
• Gramm Leach Bliley Safeguards Rule
• Massachusetts 201 CMR Part 17.00
• Meaningful Use
• And recovery from security incidents overseen by regulatory agencies, such as the Federal Trade Commission, Department of Health and Human Services Office for Civil Rights, and others.