ABSTRACT
The most effective and defensible information security program is one that strictly adheres to a
disciplined risk management methodology. Legal authorities warn that laws and regulations governing
information protection and privacy will continue to evolve over the next decade, and these rules will
continue to dictate how firms and government agencies safeguard customer privacy information. The most
effective and efficient way to guarantee compliance with these laws and regulations is the adoption of a
risk management system. Such a system provides a foundational information security management system
that leads to compliance and to the reduction and mitigation of risk.
Many functional areas within an organization already practice some form of risk management, each
dealing with its own aspects of risk: information security, business continuity planning (BCP), disaster
recovery planning (DRP), insurance, finance, and internal auditing, to name a few. Risk management is the
critical first step toward a successful and compliant implementation of the HIPAA Security Rule.