DoCRA (Duty of Care Risk Analysis)
As the cybersecurity industry grows, so do the concepts and terms to help us manage security policies and business objectives. This edition of ‘What is the Meaning of This?’ focuses on duty of care, reasonableness, and CIS RAM.
Appropriate A condition in which risks to information assets will not foreseeably create harm that is greater than what the organization or interested parties can tolerate.
Appropriate risk Risk that, as evaluated and stated, would appear to an organization, its interested parties, and authorities as acceptably low. The likelihood of an impact must be acceptable to all foreseeably affected parties.
Asset Class A group of information assets that are evaluated as one set based on their similarity. “Servers,” “end-user computers,” “network devices” are examples, as are “email servers,” “web servers” and “authentication servers.”
Authorities Usually regulators or judges who may evaluate reasonableness of safeguards as compared to harm to others and may impose penalties as a result of their evaluation.
Attack Path Model A description of how a specific attack path may occur within an environment.
Burden The negative impact that a safeguard may pose to the organization, or to others.
Business Owners Personnel who own the business processes, goods, or services that information technologies support, e.g. customer service managers, product managers, sales management.
CIS RAM An information security risk assessment method based on DoCRA that helps organizations design and evaluate their implementation of the CIS Controls. It helps model “reasonable” uses of the CIS Controls to address the mission, objectives, and obligations of each organization’s specific environment.
Constituents Individuals or organizations that may benefit from effective security over information assets, or may be harmed if security fails.
Control A documented method for protecting information assets using technical, physical, or procedural safeguards.
Control Objective The intended outcome of a control.
Due Care The amount of care that a reasonable person would take to prevent foreseeable harm to others.
Duty of care The responsibility of one party to prevent harm to others.
Duty of Care Risk Analysis Standard (DoCRA) Principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. DoCRA describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities – such as regulators and judges – and by other parties who may be harmed by those risks. It provides a foundation for developing reasonable security and safeguards based on an organization’s mission, objectives, and social responsibility.
Impact The magnitude of harm that may be suffered by any party as a result of a threat. Can be stated qualitatively and quantitatively.
Interested parties Individuals or organizations that may benefit by engaging in risk or that may be harmed if risk is realized.
Inherent Risk The likelihood of an impact occurring when a threat compromises an unprotected asset.
Key Risk Indicator Aggregations and trending analysis of measures that management may use to understand their risk status.
Likelihood The frequency, commonality, or foreseeability of a threat creating an impact. Can be stated qualitatively and quantitatively.
Reasonable Risk Risk for which the risk (burden) posed by the safeguard is less than or equal to the risk it protects against.
Reasonable safeguards Protections against the foreseeability or magnitude of risks that do not pose a burden greater than the risks they protect against.
Residual Risk The risk that remains after a safeguard is applied. This concept is not directly used by CIS RAM, but implies that risk is lowered when a safeguard is applied. Residual risk does not take into account potential negative impacts to the organization when safeguards are applied.
Risk An estimation of the likelihood that a threat will create an undesirable impact. In terms of this method, risk may be expressed as the product of a likelihood and an impact.
Risk Acceptance Criteria The likelihood of an impact that the organization equates with appropriate risk.
Risk Analysis The process of estimating the likelihood that an event will create an impact. The foreseeability of a threat, the expected effectiveness of safeguards, and an evaluated result are necessary components of risk analysis. Risk analysis may occur during a comprehensive risk assessment, or as part of other activities such as change management, vulnerability assessments, system development and acquisition, and policy exceptions.
Risk Assessment A comprehensive project that evaluates the potential for harm to occur within a scope of information assets, controls, and threats.
Risk Evaluation The mathematical component of risk analysis that estimates the likelihood and impact of a risk, and compares it to acceptable risk.
Risk Management A process for analyzing, mitigating, overseeing, and reducing risk.
Risk Treatment Option The selection of a method for addressing risks. Organizations may choose to Accept, Reduce, Transfer, or Avoid risks.
Risk Treatment Plan A comprehensive project plan for implementing risk treatment recommendations.
Risk Treatment Recommendations A listing of safeguards or processes that may be implemented and operated to reduce the likelihood and/or impact of a risk.
Safeguard Technologies, processes, and physical protections that prevent or detect threats against information assets. Safeguards are implementations of controls.
Safeguard Risk The risk posed by recommended safeguards. An organization’s mission or objectives may be negatively impacted by a new security control. These impacts must be evaluated to understand their burden on the organization, and to determine whether the burden is reasonable.
Security An assurance that characteristics of information assets are protected. Confidentiality, Integrity, and Availability are common security characteristics. Other characteristics of information assets such as velocity, authenticity, and reliability may also be considered if these are valuable to the organization and its constituents.
Threat An act or an omission that may create harm.
Threat Model A description of how a threat could compromise an information asset, given the current safeguards and vulnerabilities around the asset.
Vulnerability A weakness that could permit a threat to compromise the security of information assets.
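The glossary entries for Risk, Risk Acceptance Criteria, Residual Risk, Reasonable Risk and Safeguard Risk describe a small decision procedure: score inherent risk as likelihood times impact, score the residual risk once a safeguard operates, score the burden the safeguard itself imposes, and accept only safeguards whose residual risk meets the acceptance criteria and whose burden does not exceed the risk they address. The following is an added worked example of that procedure; it is not code from the DoCRA standard, CIS RAM, or HALOCK. It assumes a 1-5 ordinal scale for likelihood and impact, takes the impact of a risk as the worst harm to any interested party (since DoCRA requires the result to be acceptable to all foreseeably affected parties), and expresses the acceptance criteria as a maximum tolerable score. The scenario, scores and safeguard names are constructed for illustration.

```python
"""Added example of DoCRA-style risk evaluation (not the standard's own code).
Assumptions: 1-5 scale, risk = likelihood x impact, worst-party impact,
acceptance criteria given as a maximum tolerable score."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Impact:
    """Magnitude of harm per interested party, on the assumed 1-5 scale."""
    by_party: dict  # e.g. {"organization": 3, "customers": 5}

    def worst(self) -> int:
        # The impact must be acceptable to all affected parties, so the
        # evaluation uses the worst harm to anyone, not only harm to the org.
        return max(self.by_party.values())


def score(likelihood: int, impact: Impact) -> int:
    """Risk expressed as the product of likelihood and (worst-party) impact."""
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be on the assumed 1-5 scale")
    return likelihood * impact.worst()


@dataclass(frozen=True)
class Risk:
    name: str
    inherent_likelihood: int  # likelihood of impact against the unprotected asset
    impact: Impact

    def inherent(self) -> int:
        return score(self.inherent_likelihood, self.impact)


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual_likelihood: int  # expected likelihood once the safeguard operates
    burden_likelihood: int    # how likely the safeguard itself harms the mission
    burden_impact: Impact     # how badly it would (the "safeguard risk")


def evaluate(risk: Risk, safeguard: Safeguard, acceptance_criteria: int) -> dict:
    """Score inherent, residual and safeguard risk and apply the two tests."""
    inherent = risk.inherent()
    residual = score(safeguard.residual_likelihood, risk.impact)
    burden = score(safeguard.burden_likelihood, safeguard.burden_impact)
    return {
        "inherent": inherent,
        "residual": residual,
        "burden": burden,
        # Appropriate risk: residual risk at or below the acceptance criteria.
        "appropriate": residual <= acceptance_criteria,
        # Reasonable safeguard: its burden does not exceed the risk it addresses.
        "reasonable": burden <= inherent,
    }


def recommend(risk: Risk, candidates: list, acceptance_criteria: int) -> list:
    """Risk treatment recommendations: names of safeguards that are both
    appropriate and reasonable, least burdensome first."""
    results = [(s, evaluate(risk, s, acceptance_criteria)) for s in candidates]
    ok = [(s, r) for s, r in results if r["appropriate"] and r["reasonable"]]
    return [s.name for s, _ in sorted(ok, key=lambda sr: sr[1]["burden"])]


# Constructed scenario (hypothetical): an internet-facing customer database.
CUSTOMER_DB = Risk("customer database exposed", inherent_likelihood=4,
                   impact=Impact({"organization": 4, "customers": 5}))
ACCEPTANCE = 9  # assumed criteria: a score of 9 or less is tolerable to all parties

CANDIDATES = [
    # Cheap, but leaves residual likelihood too high for this impact.
    Safeguard("MFA on admin access", residual_likelihood=2,
              burden_likelihood=2, burden_impact=Impact({"organization": 2})),
    # Residual risk acceptable, burden moderate.
    Safeguard("network segmentation + MFA", residual_likelihood=1,
              burden_likelihood=3, burden_impact=Impact({"organization": 3})),
    # Residual risk gone, but the safeguard harms the mission more than the threat.
    Safeguard("decommission the service", residual_likelihood=1,
              burden_likelihood=5,
              burden_impact=Impact({"organization": 5, "customers": 4})),
]

if __name__ == "__main__":
    for s in CANDIDATES:
        print(s.name, evaluate(CUSTOMER_DB, s, ACCEPTANCE))
    print("recommend:", recommend(CUSTOMER_DB, CANDIDATES, ACCEPTANCE))
```

With these constructed numbers the inherent risk scores 20; MFA alone leaves residual risk at 10 (above the acceptance criteria of 9), decommissioning scores a burden of 25 (more than the risk it removes), and only the segmentation-plus-MFA option passes both tests. The point of separating "appropriate" from "reasonable" is the one the glossary makes under Residual Risk: a safeguard that drives residual risk to zero is still not a reasonable safeguard if its burden exceeds the harm it prevents.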

Frequently Asked Questions (FAQ) on Reasonable Security
Why is “Reasonable” Security Important?
“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.
Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.
Organizations with reasonable security:
- Have a better chance of avoiding regulatory action after a breach
- Are better positioned during litigation and investigations
- Have more support from cyber insurance carriers and adjusters
- Instill more confidence with clients, partners, and stakeholders
What Laws and Regulations Reference “Reasonable Security”?
In the United States, a variety of state and federal laws and regulations require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:
California Consumer Privacy Act (CCPA / CPRA)
“(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.”
“(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”
“(e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”
“(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
“requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information”
Illinois Personal Information Protection Act (PIPA)
(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
“(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;”
Controllers must “Use reasonable safeguards to secure personal data.”
“the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
Federal Trade Commission (FTC) Safeguards Rule
“What does a reasonable information security program look like?”
General Data Protection Regulation (GDPR)
“every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”
How Do You Demonstrate Reasonable Security?
The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.
A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.
Key elements include:
- Risk identification: What data, systems, and processes are impacted?
- Threat and vulnerability analysis: What risks are credible and foreseeable?
- Impact assessment: What could cause harm to customers, partners, or operations?
- Control evaluation: What safeguards are reasonable under current conditions?
- Documentation: Written records of your findings, decisions, and mitigations.
Risk assessment frameworks and standards such as NIST SP 800-30, ISO/IEC 27005, the CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define, and demonstrate, what “reasonable” looks like in practice.
Is Reasonable Security the Same as Compliance?
No. Compliance shows that you met a standard’s minimum requirements; reasonable security shows that you exercised due care, which often means going beyond those minimums.
What Is the Duty of Care Risk Analysis (DoCRA)?
The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is:
“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”
DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.
How Does HALOCK Help Organizations Demonstrate Reasonable Security?
HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.
A HALOCK assessment helps you:
- Identify, quantify, and prioritize cyber risks
- Select and balance controls with business impact
- Document a reasonable security posture for regulators, courts, and clients
- Establish an accountability and continuous improvement process

Learn how Duty of Care Risk Analysis (DoCRA) can help you achieve reasonable security:
What is Duty of Care Risk Analysis (DoCRA) for Cybersecurity?
What is Duty of Care Risk Analysis (DoCRA) for General Counsel?
What is Duty of Care Risk Analysis (DoCRA) for Regulators?
What is Duty of Care Risk Analysis (DoCRA) for Auditors?
What is Duty of Care Risk Analysis (DoCRA) for Executives?
What is Duty of Care Risk Analysis (DoCRA) for Risk Managers?
