This week's lesson centered around Risk Management. I personally was surprised at the depth this topic was covered in an information security class. My exposure to risk management until recently had only been in regards to providing healthcare or medical documentation. But after this week's reading and assignments, I've broadened my understanding of risk management, especially pertaining to information security.
First, it should not be ignored that there are risks in every genre, but particularly in information security one needs to determine how to address, mitigate and resolve these risks.
Secondly, various strategies should be used on how to approach risk management plans for information security. The needs and structure of the organization or other factors could drive this.
Thirdly, constructing a risk management plan identifying vulnerabilities and likelihoods is not a one and done process. It's ongoing.
I read an article from the Office of Civil Rights (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf), which had a really neat point.
It suggested that "A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation" (OCR, 2010).
While I figured that new technologies should encourage reevaluation of processes, I had not included a change in business operations as a driver.
I think the big picture comment for when to re-evaluate processes is "whenever it's necessary". If a new technology warrants a revamp to the entire risk management strategy, then it should happen. If a new business process impacts the risk management process, then it should change.
This guidance on when to review the process is a great nugget of information for a question that could seemingly have a static answer.
Sunday, October 20, 2013
Sunday, October 13, 2013
It is broke, fix it?
This week's assignment involved reviewing recommendations for issues identified in the Verizon Data Breach Investigations report.
So, I find things like this interesting because when you have an issue that is identified in the company, how do you evaluate when/how to fix it?
For example, in this report, a lot of problems were identified. However, in order to fix most of them would require process changes and financial expenses. So, the system is broke - do we fix it?
Well, that depends... What's at stake? Are lives on the line? Possibly. Are customer accounts vulnerable? Maybe. Will we lose business? Perhaps.
Better question - Can we be a company with integrity if we do not fix known issues to avoid possible breaches? No.
I know ethics is covered later in the book but here's my take - companies will often do detailed analysis on issues and find all kinds of gaps. The problem that follows is their willingness to resolve and correct these deficits because of cost. However, in order to maintain some level of integrity, any reasonable business owner must fix issues, no matter the cost because we have an obligation to do so.
Sunday, October 6, 2013
This week was all about security training. From 2006 - 2008, I was a compliance auditor and HIPAA auditor. I provided HIPAA training to all new employees and annual training to established employees at a medical school and its partner medical practices. I thoroughly enjoyed that job because I was able to help open employee eyes to real security threats.
I remember sitting in the training as a new employee myself years before and now I was on the other side.
What did I learn?
I learned that security training is designed to make you aware and then make you apply. It does no good to train employees about security breaches if I do not share with them how they can make practical use of the information given.
A trainer is only as good as the information that he/she provides and is only as good as the information that is retained.
Employees or attendees should walk away saying "now I know what to do so X doesn't happen to me".
I wish more trainers would transfer knowledge and not just information...