The Integrated Information Security Standard of Care?

That’s what I call this. It’s more fully justified and explained in Christiansen, An Integrated Standard of Care for Healthcare Information Security (2005):

Integrated Information Security Standard of Care


1. An information security duty of care exists when an entity:

a. Uses an information system to create, store, process or transmit information, and

b. The entity is required by law to protect that information against unauthorized disclosure, use, or alteration (i.e., it is protected information).

2. An entity is “required by law” to protect information when such a duty is established by:

a. A statutory, regulatory or contractual provision; or

b. The existence of a legal obligation of the entity to act for the benefit of a party who may be harmed by the unauthorized disclosure, use, or alteration of the protected information.

3. The information security duty of care is satisfied by the implementation of an information security program consisting of:

a. Organizational policies governing the use or disclosure, and/or the protection of the confidentiality, integrity and/or availability of protected information, and/or accountability for transactions or events affecting he confidentiality, integrity and/or availability of protected information, which are consistent with the requirements of applicable law.

b. Information system program policies, procedures, practices, and governance structures (controls) which:implement the foregoing organizational policies, and whose objective is to provide reasonable assurance that the information system is operated and functions so that:

(i) No disclosure or use of protected information is made by an individual, application, or device, unless that disclosure or use is authorized by organizational policy,

(ii) Protected information is reasonably available to individuals, applications, and/or devices in order to serve an authorized purpose under organizational policy, and

(iii) Protected information is not altered by an individual, application, and/or device except as authorized under organizational policy.

c. Administrative, physical, and technical information safeguards which are implemented as part of the information system program and are intended to provide reasonable protection against reasonably identifiable threats to protected information.

4. The controls and safeguards implemented for purposes of an information security program meet the standard of care if:

a. They provide a reasonable assurance of compliance with applicable organizational policies.

b. They are reasonably consistent with the controls and safeguards implemented by reasonably comparable entities using reasonably comparable information systems (peer organizations), unless

(i) The controls and/or safeguards implemented by peer organization fail to take into account known threats that can be readily addressed by reasonably available controls or safeguards, or

(ii) The operating environments and/or operational objectives of peer organizations differ materially from those of the implementing organization; and

c. The costs and burdens of the controls and safeguards are reasonably proportionate to the risks of harm to parties (with legal interests in protected information) that are created by use of the information system for the purposes, or under the conditions, that create such risks.