Implementing legally-compliant “reasonable security” requires the development of an appropriate comprehensive information security program. While much has been written about developing an information security program from a technical perspective, this chapter will focus on the legal requirements.
As noted in Chapter 4, developing a legally-compliant information security program is an iterative process that requires a company to do the following:
Identify its information and system assets.
Conduct periodic risk assessments to:
✓ identify the specific threats to those assets the company faces,
✓ identify its vulnerabilities to those threats, and
✓ estimate the resulting harm if a threat materializes ...