
CIS: What is "Reasonable Security"

Reasonable Security Elements

The Center for Internet Security (CIS) has published its view on what "Reasonable Security" means, following a number of high-profile breaches in the US, but what exactly is reasonable cybersecurity?


There is no one-size-fits-all answer, as the specific steps a business needs to take will vary depending on its size, industry, and risk profile. However, there are some general principles that all businesses should follow.



What is "Reasonable Security"

Whether you are considering "Reasonable Security" as referred to in various statutes or regulations or considering proportional security in terms of commitment to your own stakeholders, a clear definition of what is meant by these terms would be useful.


The CIS has released its definition of what is meant by "Reasonable Security". This definition is useful not only to those within the US, but also to organisations globally, in being able to express their approach to proportional security for their organisation.


Fundamentally, when considering how best to address cyber security, organisations need to consider their context:


  • Size and scale of the organisation

    • Number of employees (IT and non-IT Users)

    • Geographical locations

    • Supply Chain

  • Nature and scope of the activities of the organisation

    • What services are provided, and to whom

    • What type of information is created, collected, processed or transferred

    • Sensitivity of that information

  • Resources available to the organisation

    • Skilled resources in terms of cyber/IT Security, Data Protection, Resilience

    • Availability of tools to improve information security and reduce vulnerabilities

    • Budgets to acquire new tools, services or staff


Alignment to Security Frameworks

The CIS definition, whilst aligned to their own CIS Critical Security Controls, stipulates that "Reasonable Security" can be achieved through alignment to many of the security frameworks available. Whilst these frameworks can be quite complex and detailed, they can all be broken down into the following common-sense components:


  1. Know your environment

    1. What assets (Hardware/Software) does your organisation manage or rely upon?

    2. What data is created, collected, stored, processed, transferred?

    3. Where are your high-value assets?

  2. Account and configuration management

    1. What access is required to those assets and data?

    2. How is this access provisioned, managed and revoked?

    3. How are privileged accounts protected?

    4. Are all accounts protected through Multi-Factor Authentication?

    5. Would you know if an account has been compromised and misused?

  3. Security tools

    1. What preventative tools have been implemented (endpoint AV, email filtering, web browsing controls)?

    2. What monitoring is in place?

    3. How are teams alerted to suspected security violations?

    4. How do you validate your security tools and configurations are effective?

  4. Data recovery

    1. How is data backed up?

    2. Is it separated from your environment, to protect it in case of a breach?

    3. Have restoration activities been tested?

  5. Security awareness

    1. How do you train your staff in understanding the threats they face day-to-day and within the organisation?

    2. How do you validate that understanding, such as through phishing simulations?

    3. How do you influence their security behaviours, on top of training and simulations?

  6. Business processes and outsourcing

    1. Do you perform Due Diligence on suppliers to ensure they maintain security best practices for the services they provide to you?

    2. How do you validate the effectiveness of providers you outsource business processes to?

    3. Do you include those suppliers in your incident response and business continuity plans?


Conclusion

The industry has long spoken of security hygiene, best practice and reasonable security.


The key benefit, for those bound by the term "Reasonable Security", is having a definition against which they can evaluate their own posture and identify areas for improvement, and which ultimately serves as a defence should they suffer a successful cyber attack.


Get in touch today if you wish to discuss how to assess your security posture and identify areas for improvement, whether to meet the definition of "Reasonable Security" or to achieve security proportional to your business context.
