Anyone who has spent time reading data security laws and regulations will have come across the words “reasonable security”, or its close cousin “appropriate security”. You can find this legal verbiage in state breach notification laws, in HIPAA’s Security Rule (“reasonable and appropriate” security), in FERPA, and in many other federal data security laws and guidance documents. So what does it mean?
Therein lies a story. Not being too specific about security controls in these laws turns out to have been a good thing. It indirectly forced the security industry to look at larger and more general issues involving data security.
I’m getting a little ahead of myself. Fortunately, I’m standing on the shoulders of legal giants. As I discovered, the meaning of reasonable security came about when the US federal government tried to come up with an initial definition of appropriate security safeguards. If you want to learn more and get the full story, legal eagles should review this illuminating white paper.
Secret Origins of Reasonable Security Revealed!
Back in the early days of the Internet (circa 2001), regulators were trying to interpret the Gramm-Leach-Bliley Act’s (GLBA) vague words that financial institutions had to “insure the security and confidentiality of customer information”. Their final analysis can be found in this important source document, “Guidelines Establishing Standards for Safeguarding Customer Information”.
The government didn’t want to force a specific standard or controls; instead they came up with more general ideas on how to implement a security program. And here’s the essence of the plan, which should look familiar to many of us:
- Identify Information Assets – Identify the corporate information assets that need to be protected
- Conduct Periodic Risk Assessments – Identify and assess internal and external risks to the security, confidentiality, and/or integrity of those information assets
- Implement Controls to Manage Risk – Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in the risk assessment
- Monitor the Program – Regularly test and monitor the effectiveness of the controls that have been put in place
- Review and Adjust – Always look at new threats and analyze breaches, minimally on an annual basis
In the aforementioned legal analysis, you can read more about how the GLBA guidelines influenced FTC regulators and then US states in interpreting “reasonable security.”
Reasonable Security: It’s a Process
In case it’s escaped your notice, the above “definition” of reasonable security is not a thing, but a … process. In other words, you’re always conducting reasonable security!
It’s helpful to compare the above GLBA list worked out in the dot com days to NIST’s more current Critical Infrastructure Security (CIS) Framework. Hint: it’s the same thing!
Let’s keep in mind that NIST CIS is a framework. That means it’s also not tied to specific security controls. This goes back to the regulators’ idea of not forcing private industry to adopt one data standard over another.
The CIS Framework documentation conveniently maps the process onto several different standards, including NIST 800-53, SANS CSC, ISO 27001, and more. In fact, it was such a good idea that states are starting to consider NIST CIS as “black letter” law for their own data security laws.
And it is a good idea! In short: it allows IT groups to conform to the “reasonable security” definition by leveraging whatever existing standard they’re relying on. The NIST CIS framework will show them the controls in the standard they need to implement in order to have reasonable security. NIST CIS also makes it clear that you’re always in the process — you go back to the beginning and reassess your security profile based on whatever new information you’ve learned.
Varonis Is On It!
The CIS framework is a giant meta-standard and a good resource for anyone planning a security solution. Varonis supports the NIST CIS framework. In fact, we’ve helped companies comply with many security laws and standards, including HIPAA, PCI DSS and others.
We’ve gone a step further. We also have our own operational journey that’s based heavily on NIST’s process approach. It works in conjunction with our products, and it will set the stage for keeping you in compliance with state and federal data laws, as well as many security standards. You’ll be future-proofed no matter what comes your way!