Why Do Laws and Regulations Require Risk Assessments for Achieving Compliance?
Businesses are often surprised to find that regulations are designed to be reasonable. Since 1993, Executive Order 12866 has required that federal regulations be evaluated using cost-benefit analysis, a requirement that regulators interpret in terms of risk. In its most practical application, risk-based security simply requires that safeguards be no more burdensome than the risk they protect against. And it is not just regulators who say so.
Judges in negligence cases, including data breach cases, use multi-factor balancing tests to determine whether safeguards were reasonable protections against foreseeable harm. These balancing tests are very close in design to information security risk assessment standards such as ISO 27005, NIST SP 800-30, RISK IT, and DoCRA, an emerging standard for assessing risk in accordance with judicial and regulatory expectations. The Center for Internet Security adopted DoCRA as the basis for CIS RAM, the first information security risk assessment method that is explicitly built on duty-of-care analysis.
Why are risk assessments so commonly required?
Regulators, judges, and information security standards bodies know that there is no single perfect way to secure systems and information. They know that certain safeguards can be helpful to some organizations while crippling others, and that controls which are effective in one environment can create wide-open vulnerabilities in another. They also know that most organizations simply cannot operate while being "fully compliant" with any one security standard.
HALOCK guides our clients through Risk Assessments so that they can identify, in a clear and repeatable manner, which parts of their organization they must prioritize to address both compliance and security. Using HALOCK's Foreseeable Threat Index, our clients know which threats to consider in their industry, how often those threats have caused security incidents, and how they compare to peers who have suffered such incidents.
HALOCK’s risk assessments support clients with the following security and compliance needs:
• ISO/IEC 27001/27002/27005
• NIST Special Publications / FIPS
• PCI DSS
• HIPAA Security Rule
• Gramm-Leach-Bliley Safeguards Rule
• Massachusetts 201 CMR Part 17.00
• Meaningful Use
• And recovery from security incidents overseen by regulatory agencies, such as the Federal Trade Commission, Department of Health and Human Services Office for Civil Rights, and others.
In addition to the Risk Assessment, HALOCK offers a full suite of Risk Treatment and Risk Management programs to help you achieve and maintain compliance.
What the Foreseeable Threat Index Tells Us
HALOCK’s Foreseeable Threat Index provides our clients with an understanding of the prominence of breach-causing threats in their industry. The index is the product of HALOCK’s FTI Heuristic applied to public data sources and to HALOCK’s collected intelligence on non-reported breaches. The FTI gives our clients insight into which assets and functions within their organization are most likely to be the source of harm. Because the FTI maps those threats to security control standards, security practitioners can also ensure that their security and compliance programs focus on what matters most. The Foreseeable Threat Index is not predictive, but it allows our clients to approach their security and compliance efforts using a “due care” model. When organizations think through the threats that cause the most reported breaches in their industry, and their security plans and controls address those threats to an appropriate degree, they can demonstrate to interested parties that their priorities are appropriate for their risk.