Monday, November 4, 2013

This week's lesson involved more of the business and financial aspects of information security. Companies want to be protected, but they also want to know exactly how much that protection will cost. Why?

Because the cost to secure them could be greater than the cost of incurring the actual threat. Strange? Possibly, but it could be true.

Now, there are different layers to be considered when we talk about information security protections: 


  1. How much would a single incident cost the company?
  2. How many times a year would it be anticipated for this incident to occur?
  3. How much money would this incident cost the business?
  4. How much does an annual solution cost?


Information security professionals have to be well rounded not only in areas of security but also in the financial impacts that a business leader must pay for. That may be the MOST unpleasant part of the conversation, but it is obviously one of the MOST important parts.

Being able to articulate helpful and detailed information, such as the cost-benefit analysis, is also an added skill we need.

This article gives some helpful insight on analyzing costs and why they are important for information security. 

http://www.notablesoftware.com/Papers/SecCost.html

Week 11 is all about Personnel and Security.

I was in management for over 4 years and have been in a management role at my current job for over 2 years.

Security issues with employees are such a sensitive topic because employees sometimes feel offended if you request company property, as if you suspect them of wrongdoing. It is also sensitive because emotions are usually involved during a termination, a layoff, or even a resignation.

However, managers need to be sure that they handle terminations appropriately and professionally.

When medical facilities are involved, there is an additional layer added to this complex situation. Employees must be reminded that they still have an ethical responsibility to keep confidential the information they learned during the course of their employment.

An employee could think that their confidentiality obligation is void once they are terminated, but that just is not the case.

This article helps provide some additional information security insight for terminating employees in the healthcare industry.

http://www.hcpro.com/content/42936.pdf