RSA Conference insights - "Due care" Security Liability
Thus far, the most interesting session that I have attended at the RSA Conference is a session called "Due Care" Security Liability. The session was presented by Thomas Smedinghoff, a lawyer from Baker & McKenzie in Chicago. The session talked about the definition (or rather lack thereof) for regulatory compliance and "reasonable security". Though I took 4 pages of notes, there were two extremely interesting and important points that resonate with me from this session.
- The process of doing an asset assessment, risk assessment, security program development, and ongoing security assessment/monitoring/adjustment is just as important as the technical, administrative, and physical measures that are put into place. Everything about the process must be documented.
- For organizations that are affected by regulatory compliance, the CEO/CFO/Board of Directors/Upper Management ultimately bear the responsibility for the technical, administrative, and physical measures that are developed and deployed. If your senior management are not involved, then they should be.