A simple guide to how the FISA/FISASCORE helps organizations limit liability.

Disclaimer: SecurityStudio is not a law firm. For specific legal questions, please seek the advice of a licensed attorney.

Introduction

Although we aren’t lawyers, we’ve been involved in enough breaches, incidents, and legal proceedings to offer good advice about how a FISASCORE can help you limit liability after a breach, or avoid it altogether.

If you’d like to skip the background information and learn about the importance of the FISA assessment in protecting you from legal liability, go to the FAQs.

You will have a breach

They say that there are no guarantees in information security. This is not true. There are at least two.

The first guarantee is a breach. No matter what you do, no matter how much money you spend, and no matter how blinky your blinky lights are, you cannot prevent a breach with 100% certainty. Given enough time, a breach is guaranteed.

The second guarantee is that after a breach occurs, you must defend yourself. It’s human nature to look for someone to blame and to hold someone accountable in a bad situation such as a data breach. You’ll need a defense in the boardroom, with customers, with regulators, in the court of public opinion, and/or in a court of law. Those demanding the defense are board members, customers, regulators, the public, and those who perceive that they’ve been wronged (represented by legal counsel).

We’ll collectively call this group the “accusers.” They have a right to accuse you because they’ve been negatively affected by the situation.

So, what about liability?

Liability is related to negligence. Where there is negligence, there’s liability.

“A failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances. The behavior usually consists of actions but can also consist of omissions when there is some duty to act (e.g., a duty to help victims of one’s previous conduct).” (Source: Cornell Law School – https://www.law.cornell.edu/wex/negligence)

A key question from our accusers will be “what did you do to prevent this (breach) from happening?” The common follow-up question is “did you do what a reasonable person would do in similar circumstances?” The first question establishes what you actually did; the second determines whether what you did was negligent.

Liability with/without FISA

A reasonable person understands the importance of an information security risk assessment. The risk assessment shows that the organization has taken information security seriously enough to diagnose its problems. Diagnosing problems is always the first step toward improving (or fixing) them. Spending money to fix something without a diagnosis can add to the hurt (liability), because you have less basis to defend how and why you spent the information security budget you had.

You must perform a diagnosis before fixing problems. Fixing problems without a diagnosis is illogical and irresponsible. Can you fix a car without a diagnosis? The answer is no. You also can’t fix information security without a diagnosis (FISA/FISASCORE).

The result of not conducting an information security risk assessment is ignorance. Ignorance is chosen for several reasons, and most of them rest on false logic. We’ve heard that false logic in statements such as:

  • If I know about the problems, then I’ll have to fix them.
  • I don’t want to know about information security because then I’d have to address it.

Ignorance is less defensible than it has ever been given today’s threats. Some will argue that ignorance isn’t defensible at all.

With a FISA assessment and a FISASCORE® the organization can show that it took a reasonable step toward preventing the breach by diagnosing problems in its own security program. This simple step limits liability.

Three additional features of the FISA/FISASCORE® further reduce liability:

  1. The assessment is objective, meaning the assessor does not rely solely on his/her own opinions. Defending opinions is much harder than defending answers to objective yes/no, true/false questions.
  2. The assessment is scored. Scoring matters because it documents improvement over time, and documented improvement improves defensibility.
  3. The FISA/FISASCORE® is used by more than 1,000 other organizations. There’s always more defense in the herd.

To summarize, no risk assessment means more liability (probably). Performing an information security risk assessment, such as FISA/FISASCORE means less liability (probably).

FAQs

Q. Can a FISASCORE help me in a lawsuit?

A. Absolutely. The FISASCORE® shows that the organization takes information security seriously and that it’s willing to tackle its problems (as opposed to ignoring them).

Q. When can a FISASCORE hurt me in a lawsuit?

A. The only time we’ve seen or hypothesized that a FISASCORE® could hurt you is if you have a low/poor score and you haven’t done anything about it. Here’s a real example.

An organization completed a FISA and received a FISASCORE of 479 (on a scale of 300 to 850). The organization reviewed the results and created a simple roadmap to make security better (and improve its score). After three months, the FISASCORE rose to 501. A 501 is still poor, but the improvement from 479 makes this organization much more defensible. If the organization had just sat on its 479 FISASCORE® without making any improvements, the FISASCORE® could potentially have hurt it.

Q. If I don’t do an information security risk assessment, such as FISA/FISASCORE®, am I more liable?

A. The likely answer is yes. In our opinion, and the opinion of most others, a risk assessment is a required first step in information security, and it’s also a required step in confirming the effectiveness of an information security program. Two follow-up questions make the point:

  • How can you possibly know where your risk is if you haven’t assessed it?
  • How do you know whether your information security investments are being spent wisely, where they will have the most positive effect?

The FISA/FISASCORE was built to provide capable but easy-to-understand guidance to organizations for improving information security and proving due care.

Conclusion

There are many questions posed in this brief article. They were included on purpose. When you’re facing your accusers after a data breach (which is guaranteed), you will need your own answers. Consider each of the questions posed in this article and prepare your answers ahead of time. Don’t wait until you lose control of the message. If you haven’t done an information security risk assessment, like the FISA/FISASCORE, know that you are probably less defensible and more likely to be found liable. That’s just the truth.

About SecurityStudio

SecurityStudio is a collaborative company that provides common sense, best-in-class information security tools to the information security community. We invite partners, organizations, and people from all walks to participate in our mission of “fixing the broken industry.”

Cyber insurance is a rapidly growing extension of the insurance industry. Data is now an important possession in the same way your car and home are. However, insurance companies are having trouble determining how much to charge and how much coverage that premium buys. Luckily, there’s a metric for that.

FISASCORE® is a comprehensive assessment that measures your organization’s information security risk. It was created because of a recognized need in the information security industry for a common language people could use to be on the same page about security. Built on the widely understood credit score scale, FISASCORE measures four different types of controls and gives you a score that serves as both a litmus test and a starting point for improvements. Every organization should have a FISASCORE, and here is why.

1. FISASCORE is easy to understand.

Information security is a complex discipline with many moving parts, but FISASCORE simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to understand what FISASCORE is telling you. One simple number represents your overall risk, and additional indicators show where your most significant risks are.

2. FISASCORE can tell you what everyone else is doing.

Hundreds of organizations have received their FISASCORE, and this allows for good, fact-based comparisons. One of the common questions we receive about information security is, “What is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd.”

3. With a FISASCORE, you can track progress.

FISASCORE is a point of reference that should be used to track progress and to determine whether risk is being maintained within your tolerance. Your information security program and risks are always getting better or worse; they never stay the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered through the FISASCORE.

The average FISASCORE is 567.72. An “acceptable” level of security is 660.

4. FISASCORE is objective.

FISASCORE is maintained by an independent organization that doesn’t do consulting work and whose sole purpose is to provide accurate measurements of information security risk. In addition to organizational objectivity, the score itself is objective. FISASCORE is calculated by measuring thousands of objective characteristics, which takes much of the guesswork and opinion out of the equation.

5. FISASCORE is credible.

FISASCORE was developed over the course of more than 15 years through the work of seasoned information security practitioners and is now on its fifth major release. FISASCORE is based on generally well-accepted information security standards. The criteria for measurement are all referenceable to the NIST Cybersecurity Framework (CSF), and its supporting standards: NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.

6. FISASCORE represents risk.

Risk is the combination of a vulnerability and an applicable threat, expressed as the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control but no applicable threat, there is also no risk. FISASCORE represents the analysis of hundreds of controls, thousands of vulnerabilities, and thousands of threats, resulting in likelihoods and impacts of bad events.

7. FISASCORE is comprehensive.

Fundamental to FISASCORE is our definition of information security: The application of administrative, physical, and technical controls to protect the confidentiality, integrity and availability of information. There are four phases within FISASCORE:

• Phase 1 – Administrative Controls
• Phase 2 – Physical Controls
• Phase 3 – Internal Technical Controls
• Phase 4 – External Technical Controls

All four parts of the information security program must work well together. A weakness in one control can lead to a collapse of all the others. The phases are further segmented into sections, and the sections are further segmented into controls. The final FISASCORE report is presented at a high level first and then digs deep into the details.

8. There is fast-growing community support for FISASCORE.

The partner community behind FISASCORE is critical to its success. Partners work to generate FISASCOREs for their clients, but the partner community is also vital to future improvements and considerations. The partner community participates in further improvements of the methodology, shares critical information, and evangelizes the need for a common information security language (provided by FISASCORE). Our partners include IT service companies, CPA firms, insurance brokers, and security consulting companies.

9. FISASCORE is an indicator of future losses.

As FISASCORE continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. FISASCORE provides the framework for predicting future information security losses accurately, using the best information available. Today FISASCORE draws its loss data from research conducted by the Ponemon Institute.

10. FISASCORE is a competitive advantage.

Information security as a competitive advantage? Yes, absolutely! FISASCORE is a representation of the effort you’ve put into information security and a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget that you can now invest your information security dollars where they will have the greatest benefit.
