To fill the gap created by the lack of a national, statutory, cross-sector minimum standard of information security in this country, a group of tech and legal experts wrote a guide for lawyers and courts, as well as businesses, auditors, and regulators to help define reasonable cybersecurity when the compromise of protected information gives rise to litigation or regulatory action. https://bit.ly/3UBLdwD #reasonablecybersecurity #CISControls #cybersecurity

While there is no comprehensive U.S. law defining reasonable cybersecurity in all settings, this guide offers principles that may be used in interpreting and applying the laws that do exist.

To fill the gap created by the lack of a national, statutory, cross-sector minimum standard of information security in this country, a group of tech and legal experts wrote a guide for lawyers and courts, as well as businesses, auditors, and regulators to help define reasonable cybersecurity when the compromise of protected information gives rise to litigation or regulatory action. #reasonablecybersecurity #CISControls #cybersecurity

What is considered reasonable cybersecurity? This guide can provide some information

A cyber security incident can happen to anyone.

What do you do when federal and state statutes, regulations, policies, and caselaw reference "reasonable" cybersecurity but don't specify how to meet it? You work with recognized technical cybersecurity and legal experts to define it. #cybersecurity #reasonableness

The United States lacks a national standard for information security, resulting in various efforts by federal and state governments that fail to specify what organizations must do to meet the standard of reasonable cybersecurity. To address this issue, the Center for Internet Security (CIS) has published a guide in collaboration with experts to provide practical guidance for organizations seeking to develop a cybersecurity program that satisfies the general standard. This guide aims to assist cybersecurity professionals, businesses, and consumers in assessing whether an organization's program meets the standard in cases of litigation or regulatory action. It also aims to reduce litigation resulting from data breaches by identifying minimally adequate information security protections. The guide offers principles that can be used in interpreting and applying existing laws and regulations and provides an example of how one framework, the CIS Critical Security Controls, can be implemented to ensure reasonable cybersecurity measures are taken.

A Guide to Defining Reasonable Cybersecurity uses existing constructs from law and the cybersecurity community to define reasonableness. https://bit.ly/3UBLdwD #reasonablecybersecurity #CISControls #cybersecurity

From CIS: Ungated download, robust whitepaper for "reasonable" overall with "common sense" section--includes current state regs... https://lnkd.in/gEnS3-63 "critical baseline to assist counselors, cybersecurity consultants, auditors, and regulators, as well as lawyers, litigants, and courts"

Interesting new resource from CIS - this document attempts to answer the question of what constitutes "reasonable" cybersecurity measures for US companies, who have to contend with a lack of consistent national legislation in this important area. Worth a read, especially for smaller, more resource constrained organizations who need to make every cybersecurity dollar count.