A review of the regulatory requirement that your safeguards must create a reasonable risk without being overly burdensome. It highlights the necessity of conducting cost-benefit tests for rules and enforcement since 1993, as mandated by Executive Order 12866. Risk assessments are essential to evaluate the reasonableness of safeguards, and standard controls are reviewed to determine how well they protect information assets. The Sedona Conference paper elaborates on the Reasonable Security test, emphasizing the importance of demonstrating the reasonableness of safeguards through cost-benefit analysis. Learn about Duty of Care Risk Analysis (DoCRA).

Analyze Your Risk


TRANSCRIPT

Remember that the regulation requires that safeguards create a reasonable risk.

The basis for this requirement is Executive Order 12866.

Since 1993, regulators have been required to apply a cost-benefit test to rules and enforcement.

The regulation requires risk assessments to determine whether safeguards are reasonable.

The way we conduct risk assessments is to review how well our information assets are protected by standard controls.

We compare those controls to data about the threats that commonly occur to determine the likelihood of incidents, and we look at the potential harm to ourselves and to the public to determine whether those incidents would create an unacceptable harm to the public.

If they would, then we apply controls that would reduce that harm to acceptable levels, but by using safeguards that are no more burdensome to us than the risk would be to others.

You can see how this test is explained in the Sedona Conference paper, Commentary on a Reasonable Security Test, in state enforcement actions against Wawa, Herff Jones, DNA Diagnostics, and Hannah Anderson, in the HIPAA Security Rule's requirements for reasonable and appropriate safeguards, and also in the Federal Trade Act that authorized the Federal Trade Commission (FTC).

If you have a concern about a safeguard we use, please demonstrate using a cost-benefit test why the safeguard is not reasonable.

You can learn more about how our analysis meets regulatory reasonableness by going to resources at docra.org, by talking to our experts at HALOCK Security Labs or reasonablerisk.com, or by looking at CIS RAM at cisecurity.org.
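The three steps the transcript walks through (score likelihood by comparing standard controls against threat data, score harm to ourselves and to the public, then accept only safeguards that bring harm to an acceptable level without being more burdensome to us than the risk is to others) can be written down as a small scoring model. The block below is an added illustration, not code from docra.org, HALOCK, or CIS RAM; the 1-5 scales, the acceptable-risk threshold of 9, the subtraction rule for likelihood, and every sample value are constructed assumptions chosen to make the balance test visible.

```python
# Added worked example of a DoCRA-style reasonableness check. Not code from
# docra.org, HALOCK or CIS; all scales, thresholds and sample values below are
# constructed assumptions for illustration.
from dataclasses import dataclass

ACCEPTABLE_RISK = 9   # assumed: impact x likelihood at or below this is acceptable harm


def likelihood_from_controls(threat_frequency: int, control_maturity: int) -> int:
    """Step 1: compare how well a standard control is in place (maturity 1-5)
    against how often the threat commonly occurs (frequency 1-5) to get a
    likelihood score 1-5. The subtraction rule is a constructed simplification."""
    for v in (threat_frequency, control_maturity):
        if not 1 <= v <= 5:
            raise ValueError("scores must be 1-5")
    return max(1, threat_frequency - (control_maturity - 1))


@dataclass(frozen=True)
class Risk:
    asset: str
    impact_to_self: int     # harm to the organization if the incident occurs (1-5)
    impact_to_others: int   # harm to the public / third parties (1-5)
    likelihood: int         # from likelihood_from_controls


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual_likelihood: int   # expected likelihood once the safeguard is in place (1-5)
    burden_impact: int         # burden of the safeguard on the organization (1-5)
    burden_likelihood: int     # how certain that burden is (5 = ongoing, certain cost)


def score(impact: int, likelihood: int) -> int:
    return impact * likelihood


def current_risk(r: Risk) -> dict:
    """Step 2: risk to ourselves and to the public before any new safeguard."""
    to_self = score(r.impact_to_self, r.likelihood)
    to_others = score(r.impact_to_others, r.likelihood)
    return {"to_self": to_self, "to_others": to_others,
            "unacceptable": max(to_self, to_others) > ACCEPTABLE_RISK}


def evaluate(r: Risk, s: Safeguard) -> str:
    """Step 3: a safeguard is reasonable only if it brings residual risk to an
    acceptable level AND its burden to us is no greater than the risk to others."""
    residual = max(score(r.impact_to_self, s.residual_likelihood),
                   score(r.impact_to_others, s.residual_likelihood))
    burden = score(s.burden_impact, s.burden_likelihood)
    risk_to_others = current_risk(r)["to_others"]
    if residual > ACCEPTABLE_RISK:
        return "insufficient"         # does not reduce harm to an acceptable level
    if burden > risk_to_others:
        return "overly burdensome"    # costs us more than the risk would cost others
    return "reasonable"


def reasonable_safeguards(r: Risk, candidates) -> list:
    """Names of the candidate safeguards that pass both halves of the test."""
    return [s.name for s in candidates if evaluate(r, s) == "reasonable"]


# Constructed sample: a customer-records database with a weakly enforced
# access-control standard (maturity 2) facing a frequently observed threat (4).
SAMPLE_RISK = Risk("customer records DB", impact_to_self=4, impact_to_others=5,
                   likelihood=likelihood_from_controls(4, 2))

SAMPLE_SAFEGUARDS = [
    Safeguard("MFA plus encryption at rest", residual_likelihood=1,
              burden_impact=2, burden_likelihood=5),
    Safeguard("take the customer portal offline", residual_likelihood=1,
              burden_impact=5, burden_likelihood=5),
    Safeguard("annual awareness training only", residual_likelihood=3,
              burden_impact=1, burden_likelihood=5),
]

if __name__ == "__main__":
    print(current_risk(SAMPLE_RISK))
    for s in SAMPLE_SAFEGUARDS:
        print(f"{s.name}: {evaluate(SAMPLE_RISK, s)}")
```

The model deliberately separates the two halves of the transcript's test: "insufficient" is a safeguard that leaves harm above the acceptable level, while "overly burdensome" is one that fixes the harm but costs the organization more than the risk would cost others. A party challenging a safeguard, as the transcript invites, would be arguing that one of those two verdicts applies.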