Reasonable Security 2022


To guide you on your information security management journey, we have compiled the following list of information security references. We also have added links to several nonprofits providing relevant information and support.


Identifying Your Information Security Risk Profile.

Previous Reasonable Security Conferences

A Reasonable Approach to Reasonable Security, the Sequel: Our 2021 Conference

CybersecureLA 2020: A Reasonable Approach to Reasonable Security: Our 2020 conference.

The Threat Landscape

Internet Crime Reports – FBI Internet Crime Complaint Center (IC3)

Verizon Data Breach Investigations Report (DBIR) 2021

Legal References

The Sedona Conference Commentary on a Reasonable Security Test: The Sedona Conference Working Group on Data Security and Privacy Liability (WG11) developed this Commentary to address what “legal test” a court or other adjudicative body should apply in a situation where a party has, or is alleged to have, a legal obligation to provide “reasonable security” for personal information, and the issue is whether the party in question has met that legal obligation. February 2021.

SecureTheVillage Resources

Minimum Reasonable Information Security Practices: A set of basic information security practices intended to serve as a floor on reasonableness for CCPA; if you are not managing these security practices then your practices are inadequate, June 30, 2019.

Updates on the Evolving Security and Privacy Legal Landscape with Jordan Fisher: A SecureTheVillage webinar, recorded January 14, 2021.

The California Consumer Privacy Act (CCPA), Part 1: Law and Risk Management: A SecureThe Village webinar, recorded April 4, 2019.

The California Consumer Privacy Act (CCPA), Part 2: Managing Data Privacy: A SecureThe Village webinar, recorded May 2, 2019.

The California Consumer Privacy Act (CCPA), Part 3: Minimum Reasonable Security Practices: A SecureThe Village webinar, recorded June 6, 2019.

Operational Security References

Center for Internet Security

Center for Internet Security Controls, Version 8: New in 2021, the CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise’s security as they move to both fully cloud and hybrid environments.

Center for Internet Security Risk Assessment Method: An information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls™ cybersecurity best practices.

National Institute of Standards & Technology (NIST)

NIST Cybersecurity Framework: The NIST Cyber Security Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

Risk Management Framework for Information Systems and Organizations, 800-37r2: A comprehensive technical guide to risk management aligned to the NIST Cyber Security Framework.

Security and Privacy Controls for Information Systems and Organizations, 800-53r5: This technical publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, 800-171 R2: Foundational technical requirements for the protection of Controlled Unclassified Information (CUI). Compliance with 800-171 is a key requirement for CCMC certification.

SecureTheVillage Resources

Center for Internet Security Version 8 with Barry Weber and Stan Stahl: Recording of SecureTheVillage’s Technology and Security Management Happy Hour, June 22, 2021.

How to Protect Your Company without Breaking The Bank: A presentation by Stan Stahl to the Technology Association of Louisville, Ky. Recorded June 18, 2021.

Information Risk Management – The Rosetta Stone of Cybersecurity: A presentation by Stan Stahl to the Financial Services Cybersecurity Roundtable. Recorded June 18, 2021.

Cybersecurity Without Boiling the Ocean: A SecureTheVillage webinar hosted by Stan Stahl with guest Barry Weber. Recorded March 11, 2021.

Embracing the New Mindset: Governing Your Business’ Cyber and Privacy Risk: A SecureTheVillage webinar hosted by founder Stan Stahl with panelists George Usi and Jordan Fisher. Recorded August 13, 2020.

How to Protect Your Company without Breaking The Bank: A panel discussion with Kierstin Todt of the Cyber Readiness Institute and Stan Stahl on cybersecurity strategies and tactics for small and medium size business. Recorded at the Wall Street Journal PRO Cybersecurity Symposium, San Diego, CA, January 9, 2020.

Preparing for CMMC Certification: A SecureTheVillage webinar hosted by Stan Stahl on the requirements for CMMC certification with panelist Chris Rose. Recorded April 9, 2019.

Minimum Reasonable Information Security Practices: A description of security practices that might be considered a “reasonableness floor” for organizations subject to CCPA.  If you are not doing these things, then you may not have reasonable security procedures and practices. Spring 2019.

Securing The Human: A SecureTheVillage webinar hosted by Stan Stahl with panelists Kimberly Pease and Robert Braun. Recorded September 16, 2018.

Information Security Management Resource Kit: A collection of more than 30 SecureTheVillage webinars hosted by founder Stan Stahl with links to external resources, providing a path for ongoing learning and education in managing cyber risk.Topics covered include conducting risk assessments, cyber insurance, third-party management, incident response & business continuity, legal responsibilities, information classification and control, securing the human, and governance, leadership & culture.

Cyber Risk / Insurance References

SecureTheVillage Resources

Navigating the Strange World of Cyber Risk, Cyber Exposures, and Cyber-Gotchas: A SecureThe Village webinar hosted by Stan Stahl with panelists Jason Meshekow and Kurt Suhs. Recorded on October 20, 2020.

Cyber Risk Management: A SecureTheVillage webinar hosted by Stan Stahl with panelists Howard Miller and Charla Griffy-Brown. Recorded July 25, 2019.

Managing Cyber-Risk and Insurance: A SecureTheVillage webinar hosted by Stan Stahl with panelist Howard Miller. Recorded January 17, 2019.

Cybersecurity Nonprofits

The Cyber Readiness Institute: At the Cyber Readiness Institute (CRI), our mission is simple: empower small and medium-sized enterprises with free tools and resources to help them become more secure and resilient. When we’re all cyber ready, we’re all cyber strong. CRI provides the free Cyber Readiness Program to guide small and medium-sized enterprises to become cyber ready. It also offers the free Cyber Leader Certification Program as a personal professional credential that can be achieved after completing the Cyber Readiness Program.

Sightline Security: The Cybersecurity Company for Nonprofit and Mission-Based Organizations. Sightline Security equips and empowers mission-based and nonprofit organizations to integrate cybersecurity with confidence.

Cybercrime Support Network: The mission of the Cybercrime Support Network is to serve individuals and small businesses impacted by cybercrime. We envision a society where everyone has the knowledge, skills, and resources needed to recognize and defend against cybercrime.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge