Information security management system

Effortless Admin's security policies and procedures


3 Risk Management Policy

This policy establishes the scope, objectives, and procedures of EA’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.

3.1 Risk Management Policies

  1. It is the policy of EA to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers, and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process as an integral part of EA’s information security program.
  2. Risk analysis and risk management are recognized as important components of EA’s corporate compliance program and information security program.
    1. Risk assessments are done throughout product life cycles:
      1. Before the integration of new system technologies and before changes are made to EA physical safeguards; and
        1. These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the EA Platform.
      2. While making changes to EA physical equipment and facilities that introduce new, untested configurations.
    2. EA performs periodic technical and non-technical assessments of the security rule requirements, as well as assessments in response to environmental or operational changes affecting the security of ePHI.
  3. EA implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
    1. Ensure the confidentiality, integrity, and availability of all ePHI EA receives, maintains, processes, and/or transmits for its Customers;
    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
    3. Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
    4. Ensure compliance by all workforce members.
  4. Any risk remaining (residual risk) after other risk controls have been applied requires sign-off by senior management and EA’s Security Officer.
  5. All EA workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation, as outlined in the EA Roles Policy.
  6. The implementation, execution, and maintenance of the information security risk analysis and risk management process are the responsibility of EA’s Security Officer (or other designated employee) and the identified Risk Management Team.
  7. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.
  8. The details of the Risk Management Process, including risk assessment, discovery, and mitigation, are outlined in detail below. The process is tracked, measured, and monitored using the following procedures:
    1. The Security Officer or the Privacy Officer initiates the Risk Management Procedures by creating an Issue in the Asana Compliance Review Activity (CRA) Project.
    2. The Security Officer or the Privacy Officer is assigned to carry out the Risk Management Procedures.
    3. All findings are documented in an approved spreadsheet that is linked to the Issue.
    4. Once the Risk Management Procedures are complete, along with corresponding documentation, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    5. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
  9. The Risk Management Procedure is monitored on a quarterly basis using Asana reporting to assess compliance with the above policy.

3.2 Risk Management Procedures

3.2.1 Risk Assessment

The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

3.2.2 Risk Mitigation

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the Risk Assessment process to ensure the confidentiality, integrity, and availability of EA Platform ePHI. Determination of the appropriate controls to reduce risk depends on the risk tolerance of the organization, consistent with its goals and mission.

3.2.3 Risk Management Schedule

The two principal components of the risk management process, risk assessment and risk mitigation, will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of EA’s information security program:

3.3 Process Documentation

Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.
