The Duty of Care Risk Analysis Standard (“DoCRA”)
The Duty of Care Risk Analysis Standard (“DoCRA” or “the Standard”) presents principles and practices for analyzing risks to establish reasonable security controls based on an organization’s mission, objectives, and obligations. DoCRA-based CIS RAM can help implement the CIS Controls reasonably.
DoCRA (or “Duty of Care Risk Analysis”) is a method for analyzing risk the way regulators and judges expect it to be done. Regulations and judicial “balancing tests” expect organizations to consider the likelihood and degree of harm they may cause to themselves and others, and to use safeguards that reduce those risks – as long as those safeguards are not overly burdensome.
Duty of Care Risk Analysis (DoCRA) can be used to analyze cyber security risks against any of a variety of control standards or regulatory requirements. The CIS Controls Risk Assessment Method (CIS RAM) is based upon DoCRA, and DoCRA has been successfully used in litigation to help explain the use of risk assessments for determining whether a control was “reasonable.” HALOCK uses DoCRA methods to analyze risks with ISO 27001/27002, NIST Special Publication 800-53, the HIPAA Security Rule, GDPR, 23 NYCRR Part 500, 201 CMR 17.00, the NIST Cybersecurity Framework, and even maturity model-based control frameworks, such as the FFIEC CAT. We partner with you to establish reasonable and appropriate risk.
DO YOU KNOW REASONABLE?
DOCRA GAP ASSESSMENT AND ROADMAP
If you need help to assess your plan and move toward the DoCRA Standard, a DoCRA GAP Assessment and Roadmap can assist you towards compliance.
During the project a senior HALOCK resource will spend a business day on-site at your company to understand your environment, mission, priorities, and role of information security. Deliverables: DoCRA Gap Assessment Report and Roadmap for Implementing DoCRA at your organization.
DOCRA UPGRADE SOLUTION
If you need to transition the organization’s security programs to the DoCRA Standard, the DoCRA Upgrade Solution can help.
During DoCRA Upgrade projects, HALOCK works with organizations to define their risk assessment and risk acceptance criteria in a workshop with senior management and executives. HALOCK then re-evaluates the organization’s known risks and vulnerabilities against the new criteria, using evidence-based likelihood estimation tools such as HALOCK’s Industry Threat (HIT) Index. HALOCK then helps design risk treatment safeguards that evaluate as reasonable and that result in acceptable risk.
DOCRA RISK ASSESSMENT
If you need to implement a DoCRA process from the ground up and to design risk treatment safeguards, the DoCRA Risk Assessment solution can help.
HALOCK’s Duty of Care Risk Assessments support our clients’ needs to comply with regulations such as the HIPAA Security Rule, the Gramm-Leach-Bliley Act, GDPR, 23 NYCRR Part 500, and 201 CMR 17.00. And because our risk assessments conform to established risk assessment standards, NIST Special Publications and the NIST Cybersecurity Framework, CIS Controls, ISO 27001, CCPA, and PCI DSS are also supported.
KEEPING YOU INFORMED – HALOCK SECURITY BRIEFING FOR CLIENTS
The HALOCK Security Briefing is a review of significant events, trends, and movements that will influence how you manage cybersecurity, risk, and compliance. Our clients receive periodic overviews with an extensive report file on the topics discussed. This insightful document also includes reference links throughout the report for easy navigation and deeper research.
Reasonable Security Litigation
Herff Jones Assurance of Voluntary Compliance, PA; pg.5 – DoCRA
Herff Jones Assurance of Discontinuance, NY; pg. 5 – DoCRA
DNA Diagnostics Assurance of Voluntary Compliance, OH; pg. 7 – DoCRA
ANALYZING RISK FOR REASONABLE AND APPROPRIATE SAFEGUARDS
Glossary of DoCRA terms, with definitions aligned with legislation and requirements for establishing reasonable security.
Appropriate risk: Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low.
Assessing organizations: Organizations that analyze risks that they may pose to others.
Authorities: Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.
Due care: A degree of protection that a reasonable person applies to protect others from harm.
Duty of care: The responsibility of one party to prevent harm to others.
Duty of Care Risk Analysis: Describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and to other parties who may be harmed by those risks.
Executive Order 12866: Requires that regulations balance cost and benefit; controls must not cost more than the risk to others.
Impact: The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.
Interested parties: Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.
Likelihood: The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.
Reasonable Person: Someone who thinks through the likelihood and impact of threats that might create harm and designs safeguards that are not more burdensome than those risks.
Reasonable safeguards: Protections against the foreseeability or magnitude of risks that do not pose a burden greater than the risks they protect against.
Risk Acceptance Criteria: The likelihood of an impact that the organization equates with appropriate risk.
Threat: An act or an omission that may create harm.
Vulnerability: A weakness or lack of a safeguard that may permit a threat to create harm.
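The glossary above defines two tests a safeguard must pass: the residual risk must meet the organization's risk acceptance criteria (appropriate risk), and the safeguard's burden must not exceed the risk it protects against (reasonable safeguard). The following is an added illustration of those two tests, not HALOCK's tooling or the DoCRA Standard's own scoring; the 1..5 likelihood and impact scales, the acceptance threshold of 6, and the lost-laptop scenario are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed scales (not stated on the page): likelihood and impact each 1..5,
# risk score = likelihood x impact (1..25). A safeguard's burden is scored the
# same way so it can be compared with the risk the safeguard addresses.
ACCEPTANCE_CRITERIA = 6  # assumed: highest score the organization treats as appropriate


@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: int  # 1 = rarely foreseeable .. 5 = expected
    impact: int      # 1 = negligible harm .. 5 = severe harm to any party

    def score(self) -> int:
        return self.likelihood * self.impact

    def is_appropriate(self, criteria: int = ACCEPTANCE_CRITERIA) -> bool:
        # "Appropriate risk": risk the organization, interested parties and
        # authorities would see as acceptably low.
        return self.score() <= criteria


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual: Risk  # the same threat re-scored with the safeguard in place
    burden: Risk    # burden the safeguard places on the organization's mission


def evaluate(inherent: Risk, safeguard: Safeguard,
             criteria: int = ACCEPTANCE_CRITERIA) -> dict:
    """Residual risk must be appropriate AND the burden must not exceed the inherent risk."""
    appropriate = safeguard.residual.is_appropriate(criteria)
    burden_ok = safeguard.burden.score() <= inherent.score()
    return {"inherent": inherent.score(), "residual": safeguard.residual.score(),
            "burden": safeguard.burden.score(), "appropriate": appropriate,
            "reasonable": appropriate and burden_ok}


def reasonable_options(inherent: Risk, candidates, criteria: int = ACCEPTANCE_CRITERIA):
    return [s.name for s in candidates if evaluate(inherent, s, criteria)["reasonable"]]


# Constructed scenario: a laptop holding customer records is lost or stolen.
LOST_LAPTOP = Risk("Laptop with customer records lost or stolen", 4, 5)
CANDIDATES = [
    Safeguard("Written policy only", Risk("policy in place", 3, 5), Risk("policy upkeep", 5, 1)),
    Safeguard("Full-disk encryption with managed keys", Risk("data unreadable", 4, 1), Risk("rollout and support", 5, 1)),
    Safeguard("Replace all laptops with locked-down thin clients", Risk("no local data", 1, 5), Risk("mission disruption", 5, 5)),
]
```

Running `reasonable_options(LOST_LAPTOP, CANDIDATES)` shows why a cheap control that leaves risk too high and an effective control that is more burdensome than the risk both fail, while only the middle option is reasonable.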