One of the main purposes of implementing a vulnerability management program is to generate awareness of security risk exposure and of the far-reaching impacts these exposures can have on the enterprise. While the requirements placed on covered entities by the HIPAA security rules help to provide the needed justification for a comprehensive VMP implementation, it is still crucial to ensure that upper management supports any initiatives related to the program. Assessing, reporting, and resolving problem areas is a collaborative effort that can extend across multiple departments and levels within an organization. On occasion, the effects of these actions can be far-reaching and may result in system downtime or unavailability. It is for these reasons that the entire enterprise must be informed not only of the program, but also of the practical and business purposes that it addresses.

By laying the framework for a VMP, an organization is making a statement about the importance of identifying and reducing risk exposure. It is within this framework that all practices governed by the program should be outlined and defined in detail. Although organizations are free to pick and choose which specific actions will be included in their respective VMP, total value is achieved, and due diligence proved, through a complete implementation of all items identified below:

  • Documentation of business critical assets

  • Identification of acceptable risk exposure

  • Identification of parties accountable for program exceptions, deviations, and remediation

  • Procedures for conducting assessments

  • Procedures for response and remediation

  • Review of security policies and procedures

  • Quantitative and qualitative reporting

  • End-user education

After identifying the plan's scope, a realistic and achievable time frame must be established in which the plan can be developed and executed. Designing and implementing the plan may require efforts as short as one month, or up to one year, depending on the size of the organization. The key to setting the right time frame is open communication with all affected parties, and ensuring that each group has a full understanding of exactly which responsibilities and issues it will retain authority over.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181
