The Duty of Care Risk Analysis Standard (“DoCRA”)
DO YOU KNOW REASONABLE?
DOCRA GAP ASSESSMENT AND ROADMAP
If you need help to assess your plan and move toward the DoCRA Standard, a DoCRA GAP Assessment and Roadmap can assist you towards compliance.
During the project a senior HALOCK resource will spend a business day on-site at your company to understand your environment, mission, priorities, and role of information security. Deliverables: DoCRA Gap Assessment Report and Roadmap for Implementing DoCRA at your organization.
DOCRA UPGRADE SOLUTION
If you need to transition the organization’s security programs to the DoCRA Standard, the DoCRA Upgrade Solution can help.
During DoCRA Upgrade projects, HALOCK works with organizations to define their risk assessment and risk acceptance criteria by conducting a workshop with senior management and executives. HALOCK then re-evaluates the organization’s known risks and vulnerabilities using the new criteria by using evidence-based likelihood estimation tools, such as HALOCK’s Industry Threat (HIT) Index. HALOCK will then help design risk treatment safeguards that evaluate as reasonable risks that result in acceptable risk.
DOCRA RISK ASSESSMENT
If you need to implement a DoCRA process from the ground up and to design the risk treatment safeguard, the DoCRA Risk Assessments solution can help.
HALOCK’s Duty of Care Risk Assessments support our clients’ needs to comply with regulations such as the HIPAA Security Rule, Gramm Leach Bliley Act, GDPR, 23 NYCRR Part 500 and 201 CMR 17.00. And because our risk assessments conform to established risk assessment standards, NIST Special Publications and Cyber Security Framework, CIS Controls, ISO 27001, CCPA, and PCI DSS are also supported.
HALOCK also supports you and your legal team with Regulatory Advisory, Advisory & Strategic Planning, Breach Response, Litigation, Post Breach Risk Assessment services.
Learn about our comprehensive approach to risk with our Risk Management Program.
Reasonable Security Resources & References
- DoCRA Checklist
- The Sedona Conference Commentary on a Reasonable Security Test, Public Comment Version
- Infragard Presentation: Getting to Reasonable – What Regulators and Judges Want to See from Every Organization
- Cyber Security Summit Presentation: CMMC and CCPA. Using Duty of Care Risk to Comply With New Challenges
- Foley Health Care Law Today Podcast: HIPAA Risk Analysis 2.0 Duty of Care Risk Analysis
- SANS Security Leadership Poster 5 Keys for Building a Cybersecurity Program & CIS Controls
ANALYZING RISK FOR REASONABLE AND APPROPRIATE SAFEGUARDS
Glossary for DoCRA Terms and definitions aligned with legislation and requirements to establish reasonable security.
Appropriate risk: Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low.
Assessing organizations: Organizations that analyze risks that they may pose to others.
Authorities: Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.
Due care: A degree of protection that a reasonable person applies to protect others from harm.
Duty of care: The responsibility of one party to prevent harm to others.
Executive Order 12866: Required the regulations balance cost and benefit; controls must not cost more than the risk to others.
Impact: The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.
Interested parties: Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.
Likelihood: The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.
Reasonable Person: Someone who thinks through the likelihood and impact of threats that might create harm and designs safeguards that are not more burdensome than those risks.
Reasonable safeguards: Protections against the foreseeability or magnitude of risks that do not pose a burden that is greater than the risk it protects against.
Risk Acceptance Criteria: The likelihood of an impact that the organization equates with appropriate risk.
Threat: An act or an omission that may create harm.
Vulnerability: A weakness or lack of a safeguard that may permit a threat to create harm.