互联网安全中心（CIS）：2024年美国网络安全标准合理性定义指南报告（英文版）

In the United States, there is no national, statutory, cross-sector minimum standard for information security.1 No national law defines what would be considered reasonable security in matters involving data breaches. The federal and state governments have various statutes, regulations, policies, and caselaw covering elements of cybersecurity, like data breach notification and data privacy. But all of these efforts fail to specify what an organization must do to meet the standard of reasonable