With the increase in technology the risk management has become necessary for the organizations in order to keep the data and information safe from cyber attacks and breaches. Governance is basically the structure, which the company uses to protect the resources and controls the IT decision making. The areas of risk are identified before decision making and hence are managed accordingly.
This report analyses the processes for risk management and response plans. Assessing the need for the top-down approach for the security system of the organization and identifying the issues of the non-compliance to an IT regulation and hence displaying the impacts of the same.
1. Process for Risk Management and Response Plan
Risk management is basically the internal and external influence faced by the organization that makes it uncertain to understand the extent in which the organization can achieve or exceed their objectives (Glendon, Clarke & McKenna, 2016). Risk management is important because without it any firm cannot define its objective for the future. Its main purpose is to identify the risks, reduce or allocate the risks, provide a solution for better decision making and response plan accordingly (McNeil, Frey & Embrechts, 2015). Risk management in Information system (Taking an organization as example like: ABC Heathcare) assists in consoling the property values and claims policies, exposure of information, providing the tracker and management of reporting capabilities that enable the users to monitor and control the cost of risk management.
Process of Risk Management includes management of policies, procedures and practical work on the task, establishing the identifying, context, assessing, analyzing, treating, communicating and monitoring (AS/NZS ISO 31000:2009) (Marcelino-Sádaba et al, 2014). Risk Management objectives:
Identifying the Risk-Identifying the inhibits ability to meet the objective like prolonged IT network outage, delay of provisional important information, failure to seize a commercial opportunities or some other things that mat enhance to meet objectives.
Identifying the Cause- The causes that may force things to occur in the organization.
Identifying the Controls- Identifying the controls that may have been in place and are aimed for reduction likelihood of the risks from happening in the first place (Ayyub, 2014). And if it happens what measures should be taken to reduce the impact are to be justified.
Establishing the likelihood and Consequence Descriptions-The consequences descriptors, depends upon then context of the analysis. If the analysis relate to the working unit of any financial loss or losses of a key staff member would have greater impact on the working unit.
Establishing the Risk Rating Descriptive- It overviews the meaning like Low, Moderate, High or Extremely risky that needs to be decided (Pritchard & PMP, 2014).
Adding other controls- Risks that are rated high or extreme must have addition controls applied to it, to reduce the rate of risk to acceptable level.
Making a decision- After detecting the risk, still there are some risks rated as high and a decision must be made, weather to go ahead or stop the activity.
Monitoring and review- Monitoring the risks and regular review of the risk profile plays a key role of an effective risk management (Aven, 2015).
Risk Responses have five major points:
- Retain/accept the risks; 2.Risk occurrence is reduced; 3. Consequences of the risk occurring is reduced; 4. Risk transfer and 5. Avoiding the risk (Young& Leveson, 2014).
2. Need for top-down approach for security
Top-down approach may lead to insignificant solutions as insufficient data in hand, for identifying the exact nature of risks and what should be its mitigation exercise.
Top-down approach has three main steps in ABC Healthcare:
First Step: Risk analysis- Risk identified as employee’s misuse of product or misbehavior with the patient.
Second Step: The attachment of the risks with processes- The identified risk are hence attached to the entity’s activities process according to priority.
Third Step: Evaluation and prioritize of risks- Selecting the priority of the major risk the action is taken accordingly and it has a two dimensional graph (frequency/impact) in the form of matrix of criticality (Young & Leveson, 2014).
3. Issues of Non-Compliance
Here in the given organization (ABC Healthcare) the Non-Compliance are detected as violating the HIPAA (Health Insurance Portability and Accountability) rules. Failure to comply in the organization can result in civil and criminal penalties (Kostopoulos, Gounaris & Rizomyliotis, 2014).
3.1. Identification of non-compliance in IT regulation
Training in use of new technologies are somewhat violated. Lower maintenance may cost in the reputation of the organization resulting in customer loss (Kostopoulos, Gounaris & Rizomyliotis, 2014). In any health care organization violation of HIPAA like releasing unauthorized health information through carelessness, providing someone else’s information to other person is known to be a violation. This sometimes happens when two or more people have similar name.
3.2. Impact of non-compliance
HIPAA Act of 1996, was passed for protecting an employee’s health insurance coverage when people used to loss or change their jobs. It has provision that ensures the confidentiality and privacy of identifiable health issues. HIPAA is enforced by HHS Office for Civil Rights, concentrating on Privacy and Security rules. Enforcement of the rule was enforced April 14 2003 onwards. Failure of the HIPAA penalized in degree of violation levels are I). The lowest level: where the individual is unaware of the violation. Minimum cost $100, II). The highest level: due to willful negligence. Maximum cost $50,000, III) additional charges applicable repeat violation (Kostopoulos, Gounaris & Rizomyliotis, 2014).
4. Cyber law noncompliance
- Identifying instances of Cyber Law non-compliance: Failure to comply in the organization can result in civil and criminal penalties. Here in the given organization the Non-Compliance are detected as violating the HIPAA and HITECH rules. Proper training in use of new technologies are somewhat violated. Lower maintenance may cost in the reputation of the organization resulting in customer loss.
- Impact of non-compliance: Failure of the HIPAA penalized in degree of violation levels are I) The lowest level: where the individual is unaware of the violation. Minimum cost $100, II) The highest level: due to willful negligence (Kostopoulos, Gounaris& Rizomyliotis, 2014). Maximum cost $50,000, III) additional charges applicable repeat violation.
5. Use-of-Technology Policies
Comparing and contrasting the use-of-technology policies:
SANS Institute Acceptable Use
Policy ISSA Acceptable use
Protect the reports to be theft, data loss or unauthorized party to interact
Perform laws, highest ethical principles
Access, Use and share information up to the authorized extent
Maintain Security, responsibilities with honesty
Network maintenance follows Infosec Audit Policy
Maintain reputation of the company
Devices accessing internet comply with minimum access policy
Perform any professional activities
Emails, passwords, employee database are kept protected
Not intentionally injure college or the ethic of the organization
Acceptable Aspects for the Organization: To meet the need of the organization the policies that can be adopted is the SANS policies. This policy will help in building the authority stricter and can have more experienced people conducting in the events. The policy prohibits irresponsible activities around the organization (Young & Leveson,2014). This will protect the reputation of the healthcare organization and the IT network will be more secure from data breaches and hacking.
Risk management plays an integral part in good management. This application of risk management allows the improvement in better decision making and process. Keeping the data safe and avoiding all kinds of data breaching in the organization. Effective risk management hence have the involvement of systematic application of policies management, procedures, practices and should include a very clear understanding of the roles and responsibilities. HIPAA sets the standard for protecting sensitive patient data and refers to those standards that protect individual medical records and other PHI. Ensuring protection and on violating these rules may lead one in serious issue.
Glendon, A. I., Clarke, S., & McKenna, E. (2016). Human safety and risk management. Crc Press.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton university press.
Marcelino-Sádaba, S., Pérez-Ezcurdia, A., Lazcano, A. M. E., & Villanueva, P. (2014). Project risk management methodology for small firms. International Journal of Project Management, 32(2), 327-340.
Ayyub, B. M. (2014). Risk analysis in engineering and economics. CRC Press.
Aven, T. (2015). Risk analysis. John Wiley & Sons.
Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.
Young, W., & Leveson, N. G. (2014). An integrated approach to safety and security based on systems theory. Communications of the ACM, 57(2), 31-35.
Kostopoulos, G., Gounaris, S., & Rizomyliotis, I. (2014). How to reduce the negative impact of customer non-compliance: an empirical study. Journal of Strategic Marketing, 22(6), 513-529.