35.0k views
5 votes
Risk Management in a Business Model

Learning Objectives and Outcomes

Create a report documenting various aspects of how risk management impacts the business model.

Scenario

You work for a large, private health care organization that has server, mainframe, and RSA user access. For the third week in a row, Sean comes into your office at 5:00 p.m. on Friday and needs you to write a report describing some of the risks associated with not having all the security items in place. He needs you to research a generic risk management policy template and use that as a starting point to move forward. He also asked you to search for risk outcome examples from organizations similar to theirs.

The task is due over the weekend.

You realize that your organization does not have much in the way of an information security strategy, and is missing many of what you think are critical components. Your organization is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and follows other external compliance requirements.

Assignment Requirements

Research templates, and look for risk outcome examples from organizations of a similar type as your organization.

Write a report identifying the risks associated with the current position your organization is in, and how your organization can mitigate risk by using information security systems policies.

Include an introduction explaining the following: Who? What? When? Why?

Be sure to add a conclusion with a rationale detailing how risks can be mitigated.

Reference your research so that Sean may add or refine this report before submission to senior management.

1 Answer

3 votes

Answer:

The question is explained in a detailed way in the explanation section and in the attached files.

Step-by-step explanation:

The HIPAA Security Rule is designed to be flexible and appropriate for our organization’s particular size, structure, and inherent risks to business and personal information. Risk analysis is meant to be an ongoing process, during which we regularly review our records to track access to business and personal systems and data. With this in mind, I recommend that we expand our information security strategy to include more than just what is required in HIPAA. Just as a reminder, below is the HIPAA compliance and implementation strategy that we came up with last week, as given in attached file 1.

There are several areas in IT security in which the above is incomplete or insufficient. We recommend implementing several more complete or alternative controls in order to protect our systems, patients, employees, contractors, vendors, and assets beyond the HIPAA minimum requirements. The below section describes what the Centers for Medicare and Medicaid Services (CMS) recommend as additional areas to focus on in the effort to increase an organization's security. (See the attached file #; examples of some of the areas that we should monitor beyond what HIPAA requires are given in attached file # 03.)

Risk Management in a Business ModelLearning Objectives and OutcomesCreate a report-example-1
Risk Management in a Business ModelLearning Objectives and OutcomesCreate a report-example-2
Risk Management in a Business ModelLearning Objectives and OutcomesCreate a report-example-3
User Ycsun
by
3.3k points