ISC2
Risk Management and Risk Assessment in a Healthcare Setting

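Gain insight into a topic and learn the fundamentals.
Beginner level

Recommended experience

3 hours to complete
Flexible schedule
Learn at your own pace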


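Build your subject-matter expertise

This course is part of the ISC2 Healthcare Certificate Specialization.
When you enroll in this course, you will also be enrolled in this Specialization.
  • Learn new concepts from industry experts
  • Gain a foundational understanding of a subject or tool
  • Develop job-relevant skills with hands-on projects
  • Earn a shareable career certificate

There are 6 modules in this course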

Risk management is a crucial element for understanding information and privacy security. This domain sets the foundation for the entire course; terms defined here will be used in this book and in your day-to-day career. Risk management is one of the most complicated and important topics in information security, and this chapter does not pretend to cover all the different elements pertaining to it, but it provides a high-level glimpse of the essential concepts of this vital function.

In the healthcare industry, the importance of adopting a risk management approach is even more crucial, due to the sensitive nature of the information. Data sharing can, in many cases, be a matter of life and death in the healthcare industry. However, patient safety is not the only objective. Saving someone's life only to have their most sensitive secrets leaked to unauthorized parties is counterproductive. Hence, the security and privacy practitioner must balance the clinical need for information and the patient's rightful expectation of privacy.

Like other industries, the healthcare industry relies on technology to improve operations and patient care. In many cases, these technologies come with associated risks that must be considered. The industry also has unique regulatory and business requirements that the security and privacy practitioner must uphold.

What's included

1 reading

Maintaining the confidentiality, integrity, and availability (CIA) of assets is the basis of information security. As security and privacy practitioners, maintaining the CIA of personally identifiable information (PII) and protected health information (PHI) is of the highest priority. We use the objectives of confidentiality, integrity, and availability—the CIA triad—as a framework for assessing how different security policies, processes, and tools affect the overall security posture of a system. When discussing assets in the information and privacy security world, we are talking about data assets. They can exist in many forms but are commonly stored in digital form or as physical copies. Maintaining the CIA aspects of the information is crucial regardless of data format. Ensuring that CIA expectations are met requires evaluating all the supporting technologies and mechanisms in the data process (creation, use, storage, and archiving). The interrelated nature of data systems makes it more challenging to ensure a comprehensive assessment of security controls over the data.

What's included

15 readings, 4 assignments

Risk management frameworks provide security practitioners with a set of guidelines and best practices intended to reduce the organization’s exposure to a wide range of compromises. The use of frameworks allows the organization to assess its security posture and maturity and take it to a desired level while creating an auditable, repeatable system for managing information assets. Risk frameworks protect the confidentiality, integrity, and availability of the organization and its data. Many risk frameworks exist, including the NIST Risk Management Framework (RMF), the Information Security Management System defined in the ISO 27000 series, and the Information Technology Infrastructure Library (ITIL), among others. Some of them, such as ISO 27799:2016–Health Informatics, include specific healthcare-related topics, whereas others are more general. The healthcare security professional should be familiar with leading risk frameworks and utilize them to improve policies and procedures, implement security controls, and build business continuity plans in the organization.

What's included

17 readings, 3 assignments

Performing risk assessment is only an initial part of the risk management process. The more complicated aspect is choosing and implementing controls that are best suited to the organization’s needs. Every organization has different needs, requirements, and resources for addressing the findings in the risk assessment. Control choice can vary based on geographic location, existing staffing levels, contractual requirements, and so on. This module provides insight into how controls are chosen.

What's included

4 readings, 4 assignments

The risk management process’s objective is to identify risks and address them to protect the business. There are four general approaches to respond to risk. In this module, we will review these four approaches and consider when and how they are used.

What's included

7 readings, 4 assignments

What's included

1 assignment

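Earn a career certificate

Add this credential to your LinkedIn profile, resume, or CV. Share it on social media and in your performance review.

Instructor

ISC2 Education & Training
ISC2
34 courses, 113,317 learners

Offered by

ISC2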
