RISK MANAGEMENT: DEFINING AND MANAGING RISKS USING DATA-RELATED CONTROLS TO ENSURE SECURITY AND COMPLIANCE
Organizations and key stakeholders must focus attention and resources toward ensuring the security of personally identifiable data and mitigating the risks of disclosure of those data. Protecting data from disclosure and protecting the privacy of personally identifiable data is directly correlated to compliance with various federal, state, and local regulations. Stakeholders and risk managers have to conduct comprehensive vulnerability and risk assessments related to intentional and unintentional use of data and develop strategies for mitigating such risks. This will require investments in technological tools for conducting effective assessments and proactive data governance strategies.
The need for managing risks, ensuring privacy, and maintaining compliance is largely driven by stricter government regulation of the public and private sectors. Examples of a few key regulations that impact the need for managing data and the associated risks are:
• Sarbanes-Oxley (SOX) of 2002, which calls for stricter financial governance and accountability. This act (Corporate responsibility, 15 USC 7201) was enacted after the infamous Enron and WorldCom scandals. The act called for the implementation of the Securities and Exchange Commission, which regulates corporate and financial records. There are now huge penalties associated with incidents of abuse and failure to disclose pertinent financial data to regulators upon request.
• Health Information Portability and Accountability Act (HIPAA) of 1996, revised in 2010, regulates the use and disclosure of Protected Health Information (PHI). HIPAA (Public Law 140-191, 104th Congress) forced the healthcare industry to establish national standards for the use of electronic data during care delivery. Not only does HIPAA mandate that health plans, providers, and their respective employees develop and implement specific procedures for securing the privacy of patients' protected health information (PHI), but the act mandates that these entities notify patients about their privacy rights and any unintended disclosures of their PHI. Thus, all applicable organizations are required to adopt policies and procedures, implement and track these policies, and educate their respective workforce on these policies. As