Among the required implementation specifications are the duties to (a) conduct a risk evaluation and (b) implement measures to reduce risk to a reasonable level. This is essentially the technique of risk management, which we will study at length in Part III of this book. In adopting a risk-focused approach to information security, the Security Rule follows what is today an orthodox approach to compliance enforcement.