What is “reasonable” information security?

Many regulations and contracts require organizations to implement reasonable security or appropriate security. So a common question information security professionals ask is, “What is reasonable? What is appropriate?” 

One answer to this, of course, is that reasonable or appropriate security is whatever your risk assessment tells you would be the right level of controls. Another is to look at what regulators have said either in guidance or resulting from their regulatory actions. 

In this blog post, we’ll do the latter and look at an example to better understand and provide a starting point for reasonable information security.

Reminder: This is a blog post, not legal advice. To determine what’s legally reasonable or appropriate for your organization, consult with a lawyer who is qualified and licensed in your jurisdiction.

• Elements of reasonable information security
• Implement information security best practices
• Benchmark your security policies and programs for reasonable security

To understand the key components of reasonable security, let’s look at an example: The 2023 Consent Agreement between ACI Worldwide (ACI) and the Consumer Financial Protection Bureau (CFPB). 

A consent order is an agreement between a regulator and an organization. It draws a line under an incident, commits the organization to future activities, and aims to convince the regulator that similar incidents won’t occur in the future.

I’m not going to delve into why ACI had to agree to a consent order with the CFPB (but suffice to say it is perhaps the epitome of why you should never use live data in a test environment). What’s really of interest to us here is that the CFPB defined what it considers to be the basis of “reasonable security” in the ACI consent order. There are three parts to their definition.

You must write down any information security you do in security policies and other documents, such as incident response plans, post mortems, and threat modeling results. 

This step is fairly straightforward, and anyone in the Governance, Risk, and Compliance (GRC) team would support it. After all, if you don’t write down what you do, then you likely won’t repeat it the same way—and you won’t be able to provide evidence to anyone that you knew what you were supposed to be doing.

The ACI order also maintains that information security must be “sufficient” to ensure the confidentiality, integrity and availability of your data and systems. The key word here is sufficient. You can determine whether your security is sufficient through practices such as threat modeling and risk assessments. 

If you take a literal approach to the CFPB’s definition of reasonable security, it may sound like an organization that experiences a breach of confidentiality, integrity, or availability has insufficient information security. Therefore, their information security is also not reasonable.

However, I don’t think this is what the CFPB intends, which is why their requirements for an information security program are based on regular risk assessments, threat modeling, and control testing. 

In a completely different regulatory environment, the Court of Justice of the European Union (CJEU) addressed this question in respect to the General Data Protection Regulation (GDPR). The CJEU was asked whether an organization that experienced a confidentiality breach of personal data could automatically be assumed to not have appropriate information security practices. (In Europe, the word appropriate is typically used in place of reasonable).

The court’s answer was a firm no. A data breach does not automatically mean an organization’s security measures were not appropriate. What is appropriate for any organization can only be determined by referencing a risk assessment.

The third and final leg of the CFPB’s definition of reasonable security states that the security you do must be “technically substantiated by the latest knowledge, widely held within the Information Security Research Community.” 

This is the really interesting part, because risk assessments, threat modeling, and documented policies are primarily internal-focused exercises. However, according to this definition, regulators also expect organizations to maintain a continuous external focus and awareness.

Another key phrase is latest knowledge. We work in a changing threat and vulnerability environment, so you need to regularly review and update your policies, threat models, and risk assessments in response to external information.

Any information security you do must also be based on knowledge that is widely held within the Information Security Research Community. At this stage, you’re probably wondering who this community is and how many people need to believe something for it to be widely held.

Luckily, the ACI consent order helps us. The community consists of other information security practitioners, academics, and researchers. Widely held means the knowledge is publicly shared at conferences, in publications, and in guidance from the government, such as the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA). 

To summarize, reasonable information security is:

• Written down in policies and other documents
• Based on risk assessments and threat models
• Based on published standards and/or guidance
• Updated with information provided at conferences, in publications, and via government advisories

As well as defining what’s reasonable, the ACI consent order covers additional requirements or best practices for data security.

The consent order requires an information security program that implements the defined reasonable security. The program demands risk assessments, threat modeling, control assurance, penetration testing, training, and third-party supplier management. In essence, what you’d already expect to find in a mature information security organization.

I’d be remiss if I didn’t point out the consent order’s expectation that information security professionals are qualified and given “security updates and training sufficient to defend against relevant security risks.” 

Pluralsight Skills provides the education needed for popular security qualifications such as CISSP, CISM, and C|EH, along with regular updates about new vulnerabilities and emerging threats.

Of course, the ACI consent order doesn’t apply to you—but it’s a great example of what a US regulator expects reasonable information security to look like. 

If I was working as a CISO or Head of Information Security or GRC, I’d take all the elements of the consent order and benchmark my policies and program against them to make sure they aligned with a regulator’s view of reasonable security and how it’s implemented. 

To learn more, explore my Pluralsight courses.