Friday, January 1, 2010

Due Diligence to a Standard of Care

I'm not sure it's legitimate (or legal) for me to use the tag-line Due Diligence to a Standard of Care in my business anymore.

That tagline was something I started using long before my brief stint at Microsoft, where "standard of care" seemed to really take off.  It was my mantra as a CISO, because it sent the message that securing everything was just not feasible, but doing that which could be legally considered reasonable was at least an achievable target.  It didn't stop me from having a boss whose performance objective for me as a CISO was "no hacks, no leaks" but I think most people understood the message that "due diligence to a standard of care" meant.

I did not originate the phrase.  Donn Parker, founder of the International Information Integrity Institute at SRI International over two decades ago, first promoted the idea of establishing a security framework that could be defended as 'due care' vs conducting formalized risk assessments for every decision.   He was right:  we can't secure everything and if we did a formal risk assessment for every security decision, we would get nothing else done.  Theoretically, we should be able to establish a reasonable standard of care for our clients' business, and put in place processes and techniques to demonstrate due diligence to that standard of care on an ongoing basis.

Here is where a license to practice law would be more than handy:  defining what is "reasonable" and what would constitute "due diligence" to a prudent individual.  What "standard" should we adopt?  ITIL?  ISO27001 (and the rest of the 27000 series)?  CobiT?  How does an information security professional determine that reasonable measures were taken to ensure the integrity of information in e-discovery?  How does one defend technical architectures and supporting processes as reasonable measures to detect nefarious behavior in the network?  You get the idea... these recommendations have gone beyond the role of the information security professional and require the advice of a qualified legal professional.  How much about information security can we advise, and how much requires us to work under the oversight of the legal profession?  It won't be long before the answer is: "We can't say much."

When I started in information security (mid-80s-ish) we were just beginning to get a whiff of data security laws, mostly pertaining to information of interest to the US Federal Government.  Probably could count legislation relating to digital data protection on half the fingers of one hand, if that.

Today, we need software services to follow pending US legislation on information security and privacy because there is so much of it to track.  The volume is exploding, and while I'm excited about some legislative "teeth", codification of information security advice into statutes is having an interesting secondary effect on those of us who consult full-time: for us to give advice on what constitutes "compliance" in a field where compliance can be defined by statutes is effectively practicing law without a license (perhaps I should get legal advice before I offer this opinion)!  We have healthcare information handling laws, data protection laws for personal information, and privacy laws, most of which are at the State level.  The Senate Bill S.773 that was introduced earlier this year and sent to Committee for CyberSecurity was an attempt to introduce new legislation at the Federal level to "ensure the continued free flow of commerce within the United States and with its global trading partners..." but it has not emerged from Committee.  May it never be (that will be a topic for another post!)

For those of you in the Seattle area, I will be teaming up again with the CEO of Legicrawler, Beckie Krantz, JD, to give a presentation on compliance with information security and privacy laws in the US on January 19th, 2010.  Information on the session is below - registration for the event is through the Puget Sound chapter of ISACA.
