Technology Risk Management and the Law, Research Paper Example

Part of the nature of business is the possibility that something may go wrong that impacts an organization’s ability to meet its goals and objectives. This is referred to as risk. Organizational risks vary and can appear in any area of a business such as information technology (IT). Managing risk in this area entails reducing the probability of risks occurring (Edmead, 2007). This is done by identifying, documenting, measuring, evaluating, mitigating, and monitoring risks to keep them at a minimum. This is known as the risk management process (DeLoach, 2012).

The Risk Management Process

A good organizational strategy includes an effective risk management process that includes “a clear purpose, reliable inputs, well-designed activities and value-added outputs” (DeLoach, 2012, para. 2). Without a risk management plan, an organization is open to all types of possible negative events occuring that could effectively cause havoc within the organization, specifically within its IT department which is one of the most vulerable areas in an organization. Managing possible risks so they do not turn into probable risks is the key to more secure technology operations. An effective risk management process also involves prepardness, response, recovery, and relief plans (Solomon, 1986). The risk management process is governed by federal and state laws that apply in specific contexts. According to Edmead (2007), the goal of the risk management process is eliminating negative risks or reducing them to acceptable levels, as well as transferring risks through insurance contracts or third party vendors for added security, to protect company assets.

Federal Laws and Technology Risk Management

On the federal level, technology risks management includes protecting the interests of home land security and national economic security through information security governed by the E-Government Act signed into law in 2002 (NIST, 2012). Risk management for information technology on a federal level involves each government agency such as the FDA and the departments of agriculture, energy, or defense (Risk Assessment and Risk Management, 1997), and the Federal Information Security Management Act (FISMA) requires each government agency to have an agency-wide information security program to secure information and assets. Federal regulatory compliance is required in specific areas of organizational operations to ensure the safety and security of the public, such as with periodic risk assessments, policies and procedures, security awareness training, and response procedures (NIST, 2012).

State Laws Regarding Risk Management

Each state is required to comply with federal regulations regarding managing risks to protect the state’s IT assets and business operations (Statewide Information Technology Policy, 2004). An example of information technology laws at the state level is those that protect the state from cybercrimes. The Computer Fraud and Abuse Act of 1986 prohibits malicious or unauthorized use of computer software or hardware, as well as online communications to engage in illegal activities such as information theft by use of the Internet (OLE).

Conclusion

It is important for organizations on both the federal and state levels to implement effective information technology risk management programs to address potential threats to the organization. There is nothing worse than companies folding because they were unprepared for preventable risks that turned into major problems. The risk management process should be sound with checks and balances in place to control how risks are identified and managed, to effectively protect all government agencies and the people concerned.

References

Statewide Information Technology Policy. (2004, November). North Carolina. Retrieved from https://rmp.scio.nc.gov/public/docs/Information%20Technology%20Risk%20Management%20Policy%20with%20Guidelines.pdf

DeLoach, J. (2012, January 10). Key Elements of the Risk Management Process. Retrieved from Corporate Compliance Insights: http://www.corporatecomplianceinsights.com/key-elements-of-the-risk-management-process/

Edmead, M. T. (2007, May). Understanding the Risk Management Process. Retrieved from Internal Auditor: http://www.theiia.org/intAuditor/itaudit/archives/2007/may/understanding-the-risk-management-process/

Effio, D. G., Kroner, O., Maier, A., Hayes, W., Willis, A., & Strawson, J. (2013, January). A Look at State-Level Risk Assessment in the United States: Making Decisions in the Absence of Federal Risk Values. Risk Analysis, 33(1), 54-67.

NIST. (2012, May 16). Computer Security Division. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/groups/SMA/fisma/overview.html

OLE. (n.d.). Prosecuting Computer Crimes. (S. Eltringham, Ed.) Office of Legal Education Executive Office for United States Attorneys. Retrieved from http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf

Solomon, K. A. (1986). Comparing Risk Management Practices at the Local Levels of Government with those at the State and Federal Levels. Santa Monica, CA: The RAND Corporation. Retrieved from http://www.rand.org/content/dam/rand/pubs/papers/2008/P7263.pdf

The Presidential/Congressional Commission on Risk Assessment and Risk Management. (1997). Risk Assessment and Risk Management in Regulatory Decision-Making. Final Report, Volume 2. Retrieved from http://www.riskworld.com/Nreports/1997/risk-rpt/volume2/pdf/v2epa.PDF