Risk Management Program

Reach and Maintain Acceptable Risk

How do you balance the numerous risk requirements? From internal to external parties, we can address those security, compliance, and cost challenges in the evolving age of risk.

Managing The Risk Needs of Many

HALOCK’s contribution in defining ‘reasonable security’ through CIS RAM, DoCRA, and the legal standard for reasonable controls offers comprehensive insight on how to continually mitigate your risk.

Why HALOCK for Your Risk Management Program?

HALOCK’s unique insight offers a streamlined approach to establish reasonable risk, help prioritize investment and establish alignment across your organization.

What are the Risk Management Components and Process?

You receive expert insight, resources, and the option for the ground-breaking GRC portal to manage risk – Reasonable Risk.

Benefit from Intellectual Property

A streamlined resource that enables you to determine your risk threshold and establish reasonable security.

GRC Portal:
Reasonable Risk

What your seasoned security staff do to help mitigate risk and support your compliance and security requirements.

Risk Remediation
Services

Risk Manage Your Security with Confidence

Risk management is not a one-time event—it’s a continuous process. Cyber threats don’t operate on a schedule, and risk can shift from manageable to critical in the blink of an eye. Whether you’re facing routine business operations or a sudden cybersecurity breach, your ability to manage your organization’s risk effectively can determine the long-term health of your organization.

But how do you risk manage a complex environment where stakeholders have conflicting priorities?

Introducing Duty of Care Risk Analysis (DoCRA)

HALOCK’s Risk Management Program, grounded in the principles of DoCRA, provides a balanced and defensible way to manage cyber risk. DoCRA (Duty of Care Risk Analysis) is a standards-based methodology that helps organizations assess and justify their cybersecurity controls in a way that is legally defensible, ethically sound, and operationally practical.

With DoCRA, your organization can:

  • Prioritize security investments based on business impact

  • Align controls with compliance mandates (HIPAA, PCI DSS, CCPA, etc.)

  • Address the needs of all stakeholders—from executives and legal teams to customers and regulators

  • Justify that your risk decisions are reasonable and acceptable

  • Avoid over- or under-securing your environment

  • Strengthen your position for cyber insurance eligibility and claims

  • Demonstrate ongoing risk management to auditors and board members

 

Reasonable Risk Management in Action

HALOCK’s Risk Management Program applies DoCRA to help you identify your most critical threats and implement safeguards that do not create greater harm than the threats themselves. The goal? Achieve “reasonable security”—a legal and practical threshold that meets regulatory expectations and protects your organization from unnecessary liability.

This means:

  • Balancing risk mitigation with business objectives

  • Applying controls that are appropriate to the harm they are meant to prevent

  • Managing cyber risk as a strategic asset—not just a technical task

 

Protect What Matters Without Overburdening Your Organization

Risk is inevitable, but how you “risk manage it” is what defines your resilience. Implement a risk strategy that supports your mission, fulfills your duty of care, and strengthens trust with customers, partners, and regulators.

 

Download the brochure

 

reasonable security

Frequently Asked Questions (FAQ) on Reasonable Security

Why is “Reasonable” Security Important?

“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.

Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.

Organizations with reasonable security:

  • Have a better chance of avoiding regulatory action after a breach
  • Are better positioned during litigation and investigations
  • Have more support from cyber insurance carriers and adjusters
  • Instill more confidence with clients, partners, and stakeholders

 

What Laws and Regulations Reference “Reasonable Security”?

In the United States, a variety of state and federal laws and regulations require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:

“(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.”

“(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”

“(e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

 

“(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

 

“requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information”

 

 (a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.    

(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

 

“(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;”

 

Controllers must “Use reasonable safeguards to secure personal data.”

 

“the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

 

“What does a reasonable information security program look like?”

 

“every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”

 

How Do You Demonstrate Reasonable Security?

The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.

A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.

Key elements include:

  1. Risk identification: What data, systems, and processes are impacted?
  2. Threat and vulnerability analysis: What risks are credible and foreseeable?
  3. Impact assessment: What could cause harm to customers, partners, or operations?
  4. Control evaluation: What safeguards are reasonable under current conditions?
  5. Documentation: Written records of your findings, decisions, and mitigations.

Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.

 

Is Reasonable Security the Same as Compliance?

No. Compliance meets minimum standards, but reasonable security shows you went above and beyond with due care.

 

What Is the Duty of Care Risk Analysis (DoCRA)?

The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is:

“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”

DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.

 

How Does HALOCK Help Organizations Demonstrate Reasonable Security?

HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.

HALOCK assessment helps you to:

  • Identify, quantify, and prioritize cyber risks
  • Select and balance controls with business impact
  • Document a reasonable security posture for regulators, courts, and clients
  • Establish an accountability and continuous improvement process

 

reasonable DoCRA

 

Review Your Risk Profile and Achieve Reasonable Security