Several years ago, many organizations in the finance, banking and retail sectors were guilty of doing security for compliance's sake. Mandates such as the Payment Card Industry Data Security Standard (PCI DSS) and the US Sarbanes-Oxley Act laid out specific expectations for organizations, but they did not, and could not, prescribe how each individual organization should best protect its own information. Those who were proactive went beyond the mandates to take a comprehensive and balanced approach to safeguarding information. Others simply checked the boxes, and many ultimately paid the price.
Fast forward to 2014, and history is repeating itself in healthcare.
HIPAA and HITECH requirements are being more strictly enforced, and many organizations are preoccupied with completing their checklists. Meanwhile, they are losing sight of what the regulations were meant to encourage in the first place: effectively managing their risk. And many are paying for it as reported data breaches pile up and financial and reputational costs skyrocket.
A checklist mentality leads to an incomplete and insufficient approach to risk management. For instance, some organizations spend the bulk of their time and investment purchasing and installing technology solutions to protect data. Applying the latest technologies is a good idea, and it is much easier to win investment and support in this area because a tangible purchase lets you demonstrate value more readily. But technology alone is not the answer; it is only a foundational element.
You must ensure that equal time and emphasis are dedicated to policies, procedures, people and safeguards (the last of which is typically where technology comes in). You must give adequate weight to both external and internal threats. And you need to be able to systematically track, measure, enforce and report on your risk management efforts.
What does a comprehensive approach to information risk management look like?
At a high level, it must incorporate all of the following:
Governance, Awareness of Benefits and Value
Including processes and controls that ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives.
People, Skills, Knowledge & Culture
Including board and senior level engagement, creating a risk-aware workforce and establishing risk management discipline across the organization
Process, Documentation, Discipline & Repeatability
Including predictable, measurable, controlled and standards-based processes, protocols and procedures
Use of Standards, Technology Tools/Scalability
Including automation of risk management workflows and key activities and controls monitoring
Engagement, Delivery & Operations
Including embedding risk issues in decision making and using a consistent framework for continuously improving risk management programs and processes
Because we live with a dynamic, constantly changing "threat landscape", protecting all sensitive information assets requires a well-honed risk management process.
This means identifying all information assets as well as their possible exposures. In the process, you must understand the threats that exist, your weaknesses in protecting against them, and the controls you have, or have not, put in place to mitigate the exploitation of those weaknesses.
Additionally, having a comprehensive approach to information risk management requires that you continuously assess the risk environment and address new or changing risks as they appear. This is not a “one and done” scenario. At least not when it’s done properly.
So will you be content with your checklist? Or will you transform mere compliance efforts into comprehensive risk management practices? Your answer has very real consequences for your bottom line and your reputation. Will you learn from history, or will you repeat it?