The purpose of the Risk Management Assignment Policy is:
- To identify sources capable of conducting the risk analysis;
- To ensure the risk analysis is conducted without any bias and that the information presented is objective and presents a realistic status of the organization.
Procedure: In accordance with current guidelines, it is our intention to conduct a risk analysis as follows:
- A risk analysis shall be conducted once per year. Exceptions to the annual analysis include:
  - Prior to substantial changes in the environment, a risk assessment or impact analysis must be conducted.
  - The occurrence of an event or incident warranting the reevaluation of risks requires an immediate risk assessment.
- All risk analyses shall be coordinated with the HIPAA Security Officer.
- In order to ensure objectivity, whenever possible we shall subcontract this task to a subcontractor experienced in risk analysis.
- If a subcontractor is not available to conduct a risk analysis in a timely fashion, we may conduct the risk analysis using internal resources.
- Internal resources for risk analysis may not be used more than two years in a row.
- The Security Manager shall be responsible for the completion of the risk analysis in a timely fashion.
- The Security Manager may recommend and coordinate the risk analysis with a reliable and experienced subcontractor.
- Findings of the risk analysis shall be documented and given to the Security Manager within 30 days of concluding the assessment.
- Within 90 days of receiving the results of the risk assessment, the Security Manager shall implement measures to remediate vulnerabilities and sufficiently reduce risk exposure.
- Remediation activities:
  - Submit the risk remediation plan to the appropriate data security office, which shall forward a copy of the mitigation plan to the HIPAA Security Officer.
  - Provide written exemption or extension requests for any vulnerability that, due to business or technology constraints, cannot be remediated in the allotted time (5.1.4). All such requests must be approved by the appropriate data security office, the HIPAA Security Officer and Risk Management.
- Data produced from the risk assessment shall be kept confidential.