Every organization is unique with its own set of policies and procedures. So, each organization must interpret HIPAA Security regulations in light of the human, procedural, environmental, technical and cultural impacts that can occur. Your organization's IT assets are exposed to various threats. It is estimated that more than 70% of threats comes from internal sources. Therefore, you should start an assessment from the inside - out.

However, that does not preclude the outside world from being as equally threatening. The very moment we connect to the Internet, transmit data, communicate via wireless technology and send an email -- hackers, former employees, contractors, suppliers, competitors and customers all become threats to our IT environment.

If you work in a high tech environment, you would hear constant threats about viruses, worms, hackers and the like. However, if you are not in high tech, these issues are closely held secrets. And sometimes management is quiet about incidents due to the fear of losing clients or patients. In a competitive environment where IT systems are a critical component to business operations, one cannot afford to loose data and have a break down.

Educating top management on the need for effective Information Security Management and its benefits is crucial. Here are 10 other elements, which address key areas of Information Security Management.

1. Information Security Policy for the Organization

Do we have one? The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It must be something that can be implemented, easy to understand and must balance the level of protection with productivity. The policy should cover all the important areas like personnel, physical, procedural, and technical.

2. Creation of a Information Security Infrastructure

A management structure needs to be established to initiate, implement, and control information security within the organization. There needs to be proper procedures for approval of the information security policy, assignment of the security roles, and coordination of security across the entire organization. This could be a new position - Security Officer - or a combined role with the Privacy Officer, depending on the size and complexity of the organization.