Reasonability and defensibility are common themes in audits, legal contracts, regulations, and security assessments of information risk management and security (IRMS) programs, capabilities, and controls. The term “commercially reasonable” frequently appears in contractual agreements and regulatory guidelines, signifying common standards for security capabilities and controls. “Commercially reasonable” seems straightforward in principle, but it leaves room for interpretation for both the examiner and the examinee. There are often widely differing opinions on what is considered reasonable and defensible by industry-leading experts, IRMS leaders, organizational leaders, security auditors, assessors, and examiners. This divergence of opinions can pose significant challenges for auditors, chief information security officers (CISOs), risk and security professionals, and leadership teams in discerning when they have fulfilled their responsibilities and identifying areas requiring further attention and investment.
Overall, the goal of most organizations is to ensure they have defensible information risk and security programs, capabilities, and controls. Organizations want to ensure that they would prevail positively with minimal or no negative consequences from any review or scrutinization of their IRMS program, capabilities, and controls even if they have experienced a material security incident that is disclosed to and/or investigated by a third party.
The only consistency in information risk and security is change. This change can be seen in the adversarial community constantly evolving its methods and tactics; organizations regularly evolving their business practices, processes, and technologies; and external groups such as regulatory bodies and industry consortiums systematically updating their standards and guidance. It can also be seen in the public’s expectation for information and cybersecurity protections to continue to protect business availability, personally identifiable information (PII), protected health information (PHI), critical infrastructure, and the privacy and protection of the data of individuals. It is imperative for organizations to regularly assess and update their IRMS programs to meet these expectations and protect against emerging threats. There are five key considerations that organizations can use when evaluating their IRMS programs, capabilities, and controls for reasonability and defensibility:
1. Map the organization’s information risk management and security program, capabilities, and controls to the organization’s information risk profile.
An information risk profile (IRP) documents the types, amounts, and priority of information risk that an organization finds acceptable and unacceptable, effectively defining its information risk appetite. An effective IRP is developed collaboratively with numerous stakeholders throughout the organization, including business leaders, data and process owners, enterprise risk management professionals, internal and external auditors, and the legal, compliance, privacy, and IRMS teams.
The terms “reasonable” and “defensible” do not always mean that control implementation is fully complete or mature. In many cases, an organization’s capabilities can be defensible if it can demonstrate meaningful and material progress in the implementation and/or maturity of capabilities and controls. Where implementation is not complete, the organization should be able to provide a strategy and roadmap that shows how it will complete the implementation and effectively sustain the capabilities. An effective information risk and security strategy should be able to demonstrate that the implementation of capabilities and controls is prioritized in alignment with the material threats and vulnerabilities to the organization, its information risk appetite, and the overall business benefits identified in its IRP.
2. Use threat and vulnerability analysis to evaluate controls against current attack methods, tactics, and trends.
The organization must have a clear understanding of the material threats and vulnerabilities that have a high probability of being realized and that, if realized, will have a material impact on its business and data. With this insight in hand, the organization should be able to demonstrate how its information risk and security controls and capabilities will effectively address that risk. The most effective way to accomplish this is to conduct scenario-based threat and vulnerability analysis against key business processes and activities. It is easy for risk and security professionals to postulate the threats and vulnerabilities that they feel are most important based on their experiences. Unfortunately, these assertions can often be disputed by dissenters who may not share the security professionals’ level of confidence. By using data-driven and evidence-based analysis instead, the credibility and focus of the strategy will significantly increase.
The use of threat and vulnerability analysis supports the concept of defensibility by demonstrating an organization’s rationale for implementing specific security measures or accepting risk based on specific threats and/or vulnerabilities of which it is aware. Even if a dissenter disagrees with the results of the analysis, an organization can still demonstrate that it made a reasonable effort to identify threats and vulnerabilities of material concern and make informed decisions about them.
3. Review common industry and government standards, guidelines, and requirements and evaluate capabilities and controls against them.
When organizations are looking for guidance on what would be considered defensible for their information risk and security programs and capabilities, they often turn to industry and government standards, guidelines, and requirements. This can be an effective strategy as these materials are often cited in security audits and assessments and include detailed control objectives and requirements. Organizations frequently find it necessary to evaluate and synergize their capabilities and controls with both universal guidelines, which are designed to be applicable across a wide range of industries and organizations, and guidance that is industry- and standard-specific.
Examples of common industry and government standards, guidelines, and requirements that organizations can use to identify current security-related control and capability requirements include but are not limited to:
- The International Organization for Standardization (ISO) 2700x library of standards
- The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and Special Publication 800-53
- The American Institute of Certified Public Accountants (AICPA) SOC 2
Examples of industry-specific guidance often cited include:
- The Payment Card Industry (PCI) Data Security Standard (DSS) for the protection of payment card data
- The US Health Insurance Portability and Accountability Act (HIPAA) Security Rule for the protection of PHI
- The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Resource Guide for Financial Institutions
If an organization maps its information risk and security capabilities and controls to the applicable industry and government standards for its business type and activities, it can demonstrate that it has thoughtfully identified what IRMS capabilities and controls it believes it needs to have in place.
4. Monitor and review case law and industry and government actions.
The current expectation for reasonability and defensibility of IRMS programs and capabilities can often be identified by monitoring case law and legal decisions in security-related cases, as well as actions and judgments against organizations by regulatory bodies. While standards are guidelines that set clear expectations of requirements for organizations, it is the decisions, actions, and judgments that identify the current expectation for the implementation, maturity, and ongoing use of these requirements. Until requirements are tested in a case, many organizations do not have a clear understanding of what will be enforced and to what degree noncompliance poses a risk.
The US Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) have both taken stronger steps to enforce security-related regulations and requirements in recent years. Their actions can be used as a barometer for organizations to understand current expectations for IRMS capabilities and controls. In some cases, they have taken direct action against individual enterprise leaders who they believe did not implement and maintain appropriate security capabilities and controls for their organization. This level of scrutiny and action can help IRMS professionals communicate the potential consequences of noncompliance and the need for proper security capabilities and controls to their leadership teams and constituents.
5. Monitor and demonstrate the effectiveness of IRMS controls and capabilities.
The implementation and existence of IRMS capabilities and controls do not necessarily translate into their effectiveness or make an organization defensible. A common assumption among many enterprises and IRMS leaders is that showcasing the existence of prescribed or expected security capabilities and controls serves as evidence of reasonable intent to provide IRMS capabilities and controls to their organization and interested parties. Unfortunately, the constant evolution of adversarial activities and advancements in their tactics requires organizations to do more than simply implement suitable capabilities and controls. It also compels them to consistently maintain and mature these measures to keep pace with evolving threats.
Security instrumentation and attack surface management tools can assist an organization in assessing the effectiveness of its technical security capabilities. These tools continuously simulate known or expected attack behaviors and activities against an organization’s security capabilities and controls. The results of this testing provide valuable intelligence to the organization and help it answer control-effectiveness questions such as:
- What portions of the attack can the organization’s existing security controls identify and block?
- What security intelligence information about attacks and attacker activity would be generated by an organization’s detective security capabilities and controls?
- How effective are an organization’s security event and incident response processes and capabilities in defending against probable and realistic attack scenarios?
The answers to these questions support an organization’s defensibility by demonstrating that it is validating its assumptions about protection and control effectiveness rather than trusting them without reasonable assurance.
Conclusion
Reasonability and defensibility of IRMS capabilities and controls will always be difficult for organizations to prove to interested parties with objective data alone. Proactive reviews by assessors (either internal or external) can provide some degree of measurement of the defensibility of an organization’s IRMS program, capabilities, and controls. Unfortunately, an organization often will not fully understand the defensibility of its IRMS program, capabilities, and controls until it is investigated by a third party who believes that it was negligent in meeting its obligations and seeks to prove this with the intent of imposing negative consequences on responsible individuals and/or the entire organization. The best way for an organization to demonstrate the reasonability and defensibility of its capabilities is to have a thoughtful approach supported by independently recognized methods, tactics, and data.