Sunday, October 20, 2013

Risks, Risks and More Risks...

This week's lesson centered around Risk Management. I personally was surprised at the depth this topic was covered in an information security class. My exposure to risk management until recently had only been with regard to providing healthcare or medical documentation. But after this week's reading and assignments, I've broadened my understanding of risk management, especially as it pertains to information security.

First, it should not be ignored that there are risks in every domain, but in information security in particular one needs to determine how to address, mitigate and resolve them.

Secondly, there are various strategies for approaching an information security risk management plan; the choice may be driven by the needs and structure of the organization or by other factors.

Thirdly, constructing a risk management plan that identifies vulnerabilities and likelihoods is not a one-and-done process. It's ongoing.

I read an article from the Office of Civil Rights (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf), which had a really neat point.

It suggested that "A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation" (OCR, 2010).

While I figured that new technologies should encourage reevaluation of processes, I had not included a change in business operations as a driver.

I think the big-picture comment for when to re-evaluate processes is "whenever it's necessary". If a new technology warrants a revamp of the entire risk management strategy, then it should happen. If a new business process impacts the risk management process, then it should change.

This guidance on when to review the process is a great nugget of information for a question that could seemingly have a static answer.
