BOX 5.1 Risk Assessment
In conducting a risk assessment, organizations consider the following:
These considerations must be balanced against:
SOURCE: Computer Science and Telecommunications Board, National Research Council. 1991. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C., adapted from pp. 59-60.
als, committees, or departments for developing specific procedures and mechanisms by which the policy is to be implemented (see Chapter 4).
Confidentiality policies describe the overall approach to be taken in balancing access to information against protection of information. They may also provide details about the organization's risk assessment so that readers can understand why certain behaviors and procedures are important.
Organizations often have a number of datasets that management considers confidential: individual health information, financial data, business plans, employee files, outcomes research, and so on. Each of these datasets may be considered a corporate asset, and its disclosure may result in a financial disadvantage or loss to the organization. Although this perspective can provide strong incentives for protecting health information, health data are qualitatively different from proprietary corporate information and entail unique risks and liabilities. Confidentiality poli-