What is "Reasonable" Security?

By Michael Lines on September 8, 2016 (Last Updated on April 6, 2017 )

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Michael Lines


reasonable_security.jpg

 

"If organizations choose to amass data, and then fail to uphold their responsibilities as data stewards, they are also culpable."

California Attorney General 2016 Data Breach Report

 

How much is enough? This question has plagued boards, CIOs, and management ever since information security became a topic on the agenda. And with the constant and ever growing proliferation of threats and new technologies, the challenge of keeping up has become exponentially harder. Do you need new people, processes, and technology to address every new threat that arises? Where does it all end?

Thankfully, the state of California has brought some clarity to the issue by setting what I consider to be a reasonable definition for what that security baseline should be. 

 

Under California’s information security statute, organizations that own, license, or maintain personal information about a California resident are required to use ''reasonable security procedures and practices… to protect personal information from unauthorized access, destruction, use, modification, or disclosure.'' Federal laws also require ''reasonable'' or ''appropriate'' security measures for specific types of data.

 

With the 2016 California Data Breach Report, the California Attorney General has now set the bar for what constitutes "reasonable" and "appropriate" security measures as adoption of all 20 controls set forth in the Center for Internet Security’s (CIS) Critical Security Controls. Failure to implement these controls would de facto constitute a lack of reasonable security

 

Considering that practically all businesses maintain personal data regarding their customers, and considering California is the world's eighth largest economy (just the state itself), the chances that businesses around the world have information about a California resident in their databases is fairly high.

 

Boards and executive management should now be looking at their information security risk assessments and associated programs to see if they cover all of the CIS security controls.

 

This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.

Submit a Comment

Get latest articles directly in your inbox, stay up to date