The Duty of Care Risk Analysis Standard (“DoCRA”)

Define Reasonable Security for your Organization



If you need help to assess your plan and move toward the DoCRA Standard, a DoCRA GAP Assessment and Roadmap can assist you towards compliance.

During the project a senior HALOCK resource will spend a business day on-site at your company to understand your environment, mission, priorities, and role of information security. Deliverables: DoCRA Gap Assessment Report and Roadmap for Implementing DoCRA at your organization.

DoCRA Risk Assessment Reasonable



If you need to transition the organization’s security programs to the DoCRA Standard, the DoCRA Upgrade Solution can help.

During DoCRA Upgrade projects, HALOCK works with organizations to define their risk assessment and risk acceptance criteria by conducting a workshop with senior management and executives. HALOCK then re-evaluates the organization’s known risks and vulnerabilities using the new criteria by using evidence-based likelihood estimation tools, such as HALOCK’s Industry Threat (HIT) Index. HALOCK will then help design risk treatment safeguards that evaluate as reasonable risks that result in acceptable risk.

DoCRA Upgrade Risk Assessment



If you need to implement a DoCRA process from the ground up and to design the risk treatment safeguard, the DoCRA Risk Assessments solution can help.

HALOCK’s Duty of Care Risk Assessments support our clients’ needs to comply with regulations such as the HIPAA Security Rule, Gramm Leach Bliley Act, GDPR, 23 NYCRR Part 500 and 201 CMR 17.00. And because our risk assessments conform to established risk assessment standards, NIST Special Publications and Cyber Security Framework, CIS Controls, ISO 27001, CCPA, and PCI DSS are also supported.

DoCRA Risk Assessment Reasonable Security

HALOCK also supports you and your legal team with Regulatory Advisory, Advisory & Strategic Planning, Breach Response, Litigation, Post Breach Risk Assessment services.

Try our comprehensive approach to risk with our Risk Management Program.

Reasonable Security References

In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs try and define “reasonable data security” – a term that continually appears in every states’ privacy law or proposed legislation. 

PODCAST: Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.

RIMS: RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. 

RSA CONFERENCE 2022: A Proven Methodology to Secure the Budget You Need in a Transforming World  |  Recording of Presentation


Glossary for DoCRA Terms and definitions aligned with legislation and requirements to establish reasonable security.

Appropriate risk: Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low.

Assessing organizations: Organizations that analyze risks that they may pose to others.

Authorities: Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.

Due care: A degree of protection that a reasonable person applies to protect others from harm.

Duty of care: The responsibility of one party to prevent harm to others.

Duty of Care Risk Analysis: Describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and to other parties who may be harmed by those risks.

Executive Order 12866: Required the regulations balance cost and benefit; controls must not cost more than the risk to others.

Impact: The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.

Interested parties: Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.

Likelihood: The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.

Reasonable Person: Someone who thinks through the likelihood and impact of threats that might create harm and designs safeguards that are not more burdensome than those risks.

Reasonable safeguards: Protections against the foreseeability or magnitude of risks that do not pose a burden that is greater than the risk it protects against.

Risk Acceptance Criteria: The likelihood of an impact that the organization equates with appropriate risk.

Threat: An act or an omission that may create harm.

Vulnerability: A weakness or lack of a safeguard that may permit a threat to create harm.

SOURCE: The Duty of Care Risk Analysis Standard

Contact Us