
What is “reasonable” information security?

source link: https://www.pluralsight.com/resources/blog/security/reasonable-information-security

Many regulations and contracts require organizations to implement reasonable security or appropriate security. So a common question information security professionals ask is, “What is reasonable? What is appropriate?” 

One answer to this, of course, is that reasonable or appropriate security is whatever your risk assessment tells you would be the right level of controls. Another is to look at what regulators have said either in guidance or resulting from their regulatory actions. 

In this blog post, we’ll do the latter and look at an example to better understand and provide a starting point for reasonable information security.

Reminder: This is a blog post, not legal advice. To determine what’s legally reasonable or appropriate for your organization, consult with a lawyer who is qualified and licensed in your jurisdiction.

To understand the key components of reasonable security, let’s look at an example: The 2023 Consent Agreement between ACI Worldwide (ACI) and the Consumer Financial Protection Bureau (CFPB). 

A consent order is an agreement between a regulator and an organization. It draws a line under an incident, commits the organization to future activities, and aims to convince the regulator that similar incidents won’t occur in the future.

I’m not going to delve into why ACI had to agree to a consent order with the CFPB (but suffice it to say it is perhaps the epitome of why you should never use live data in a test environment). What’s really of interest to us here is that the CFPB defined what it considers to be the basis of “reasonable security” in the ACI consent order. There are three parts to their definition.

You must write down any information security you do in security policies and other documents, such as incident response plans, post mortems, and threat modeling results. 

This step is fairly straightforward, and anyone in the Governance, Risk, and Compliance (GRC) team would support it. After all, if you don’t write down what you do, then you likely won’t repeat it the same way—and you won’t be able to provide evidence to anyone that you knew what you were supposed to be doing.

If you take a literal approach to the CFPB’s definition of reasonable security, it may sound like an organization that experiences a breach of confidentiality, integrity, or availability has insufficient information security. Therefore, their information security is also not reasonable.

However, I don’t think this is what the CFPB intends, which is why their requirements for an information security program are based on regular risk assessments, threat modeling, and control testing. 

In a completely different regulatory environment, the Court of Justice of the European Union (CJEU) addressed this question in respect of the General Data Protection Regulation (GDPR). The CJEU was asked whether an organization that experienced a confidentiality breach of personal data could automatically be assumed not to have appropriate information security practices. (In Europe, the word appropriate is typically used in place of reasonable.)

The court’s answer was a firm no. A data breach does not automatically mean an organization’s security measures were not appropriate. What is appropriate for any organization can only be determined by referencing a risk assessment.

The third and final leg of the CFPB’s definition of reasonable security states that the security you do must be “technically substantiated by the latest knowledge, widely held within the Information Security Research Community.” 

This is the really interesting part, because risk assessments, threat modeling, and documented policies are primarily internal-focused exercises. However, according to this definition, regulators also expect organizations to maintain a continuous external focus and awareness.

Another key phrase is latest knowledge. We work in a changing threat and vulnerability environment, so you need to regularly review and update your policies, threat models, and risk assessments in response to external information.

Any information security you do must also be based on knowledge that is widely held within the Information Security Research Community. At this stage, you’re probably wondering who this community is and how many people need to believe something for it to be widely held.

Luckily, the ACI consent order helps us. The community consists of other information security practitioners, academics, and researchers. Widely held means the knowledge is publicly shared at conferences, in publications, and in guidance from the government, such as the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA). 

John Elliott


John Elliott is a respected cyber security, payments, risk and privacy specialist. He helps organizations balance risk and regulation with business needs. He was a member of the technical working groups of the PCI Security Standards Council and actively contributed to the development of many PCI standards, including PCI DSS. John is particularly interested in how organizations or regulators assess trust in the cyber security and privacy posture between relying parties. A passionate and innovative communicator, he frequently presents at conferences, online and in boardrooms.
