The Duty of Care Risk Analysis Standard (“DoCRA”)

Define Reasonable Security for your Organization. Implement CIS RAM




If you need help to assess your plan and move toward the DoCRA Standard, a DoCRA GAP Assessment and Roadmap can assist you towards compliance.

During the project a senior HALOCK resource will spend a business day on-site at your company to understand your environment, mission, priorities, and role of information security. Deliverables: DoCRA Gap Assessment Report and Roadmap for Implementing DoCRA at your organization.

DoCRA Risk Assessment Reasonable



If you need to transition the organization’s security programs to the DoCRA Standard, the DoCRA Upgrade Solution can help.

During DoCRA Upgrade projects, HALOCK works with organizations to define their risk assessment and risk acceptance criteria by conducting a workshop with senior management and executives. HALOCK then re-evaluates the organization’s known risks and vulnerabilities using the new criteria by using evidence-based likelihood estimation tools, such as HALOCK’s Industry Threat (HIT) Index. HALOCK will then help design risk treatment safeguards that evaluate as reasonable risks that result in acceptable risk.

DoCRA Upgrade Risk Assessment



If you need to implement a DoCRA process from the ground up and to design the risk treatment safeguard, the DoCRA Risk Assessments solution can help.

HALOCK’s Duty of Care Risk Assessments support our clients’ needs to comply with regulations such as the HIPAA Security Rule, Gramm Leach Bliley Act, GDPR, 23 NYCRR Part 500 and 201 CMR 17.00. And because our risk assessments conform to established risk assessment standards, NIST Special Publications and Cyber Security Framework, CIS Controls, ISO 27001, CCPA, and PCI DSS are also supported.

DoCRA Risk Assessment Reasonable Security


The HALOCK Security Briefing is a review of significant events, trends, and movements that will influence how you manage cybersecurity, risk, and compliance. Our clients receive periodic overviews with an extensive report file on the topics discussed. This insightful document also includes reference links throughout the report for easy navigation and deeper research. 

Reasonable Security Litigation

Herff Jones Assurance of Voluntary Compliance, PA; pg.5 – DoCRA

Herff Jones Assurance of Discontinuance, NY; pg. 5 – DoCRA

DNA Diagnostics Assurance of Voluntary Compliance, OH; pg. 7 – DoCRA


2024 DBIR Findings & How the CIS Critical Security Controls Can Help to Mitigate Risk to Your Organization

June 11, 2024 | 2:00 P.M. – 3:00 P.M. ET


Glossary for DoCRA Terms and definitions aligned with legislation and requirements to establish reasonable security.

Appropriate risk: Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low.

Assessing organizations: Organizations that analyze risks that they may pose to others.

Authorities: Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.

Due care: A degree of protection that a reasonable person applies to protect others from harm.

Duty of care: The responsibility of one party to prevent harm to others.

Duty of Care Risk Analysis: Describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and to other parties who may be harmed by those risks.

Executive Order 12866: Required the regulations balance cost and benefit; controls must not cost more than the risk to others.

Impact: The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.

Interested parties: Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.

Likelihood: The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.

Reasonable Person: Someone who thinks through the likelihood and impact of threats that might create harm and designs safeguards that are not more burdensome than those risks.

Reasonable safeguards: Protections against the foreseeability or magnitude of risks that do not pose a burden that is greater than the risk it protects against.

Risk Acceptance Criteria: The likelihood of an impact that the organization equates with appropriate risk.

Threat: An act or an omission that may create harm.

Vulnerability: A weakness or lack of a safeguard that may permit a threat to create harm.

SOURCE: The Duty of Care Risk Analysis Standard

Contact Us