Requirements
Project Management Design Reviews Checklist Templates
Introduction
Reviews can be divided into two categories, technical and management. A technical review is concerned with the technical quality of the system, whereas a management review evaluates progress, the resources plan and associated business case. The reason for separating technical and management reviews is that the requirements of each type of review are fundamentally different, and the respective audiences will be concerned with very different issues. This section provides a guide to the different types of review, which may be employed to ensure that quality objectives are met.
Degree of review formality
The degree of formality adopted during review will depend upon several factors. These include:
- The culture of the Information Service department.
- The quality objectives that have been set.
- The risks associated with developing the project.
Top two drivers that influence IT security and IT compliance
1. Business drivers:
Business drivers represent constraints placed on the organization by external elements. They can be viewed as business objectives with metrics. The drivers measure value, risk, and economic cost. Value drivers determine the worth of assets, of the system to the business, and of the business itself. Risk drivers involve compliance, corporate structure, corporate image, and the risk tolerance of the company. Economic drivers determine productivity impact, competitive advantage, and system cost.
2. IT drivers:
IT drivers represent operational constraints in the general IT environment. For example, the complexity of a system, including its environment, that is exposed to internal and external threats presents risks that the organization must address.
Comparison of eight Governance Risk Control (GRC) Regulatory Compliances
Comparison of eight Governance Risk Control (GRC) regulatory compliances: the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive (EUDPD), the AICPA Generally Accepted Privacy Principles (GAPP), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27002 Code of Practice for Information Security Management, COBIT, the Sarbanes-Oxley Act of 2002 (SOX), and the Gramm-Leach-Bliley Act (GLBA).
1. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes among its components privacy and security rules for the handling of personal and medical information within the health care industry. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) that result from efforts to streamline the health care system in the United States and mandate the standardization of electronic transactions, code sets, and identifiers. The privacy and security rules for this act are detailed and prescriptive. Although the regulation focuses on organizations in the U.S. health care industry, it can extend to other organizations if they engage in certain activities, such as managing employee group health plans, or providing services to organizations that this regulation directly affects. If your organization is in the United States and maintains a health plan for its employees, HIPAA most likely applies to the collected and stored information. The U.S. Health and Human Services department (HHS) Office for Civil Rights (OCR) enforces HIPAA regulations.
Least Privilege Standard Operating Procedures Checklist

Objectives:
- The organization assigns the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks; and
- The information system enforces the most restrictive set of rights/privileges or accesses needed by users
Action Steps:
- Examine access control policy, procedures addressing least privilege,
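The second objective above (the information system itself enforcing the most restrictive set of rights) is easiest to check when permissions are derived from the tasks a user is assigned rather than granted ad hoc. The following is an added illustration, not part of the checklist or any referenced standard: a deny-by-default authorization check plus an audit function that reports rights granted beyond what a principal's tasks require. The task names, resources and principals are constructed sample data.

```python
"""Deny-by-default least-privilege check and over-privilege audit (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data: each task maps to the minimum (resource, action)
# pairs needed to perform it. Anything not listed here is not granted.
TASK_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "view_schedule": {("calendar", "read")},
    "update_chart": {("patient_record", "read"), ("patient_record", "write")},
    "process_claims": {("billing", "read"), ("billing", "write")},
}


@dataclass
class Principal:
    """A user with assigned tasks and any rights granted outside the task model."""
    name: str
    tasks: set[str]
    direct_grants: set[tuple[str, str]] = field(default_factory=set)


def required_permissions(tasks: set[str]) -> set[tuple[str, str]]:
    """Union of the minimum permissions for the given tasks.

    An unknown task name contributes nothing, so a typo in an assignment
    fails closed instead of silently granting access.
    """
    needed: set[tuple[str, str]] = set()
    for task in tasks:
        needed |= TASK_PERMISSIONS.get(task, set())
    return needed


def effective_permissions(principal: Principal) -> set[tuple[str, str]]:
    """Everything the principal can actually do: task-derived rights plus direct grants."""
    return required_permissions(principal.tasks) | principal.direct_grants


def is_authorized(principal: Principal, resource: str, action: str) -> bool:
    """Default deny: access is allowed only if an explicit permission exists."""
    return (resource, action) in effective_permissions(principal)


def excess_privileges(principal: Principal) -> set[tuple[str, str]]:
    """Rights the principal holds that no assigned task requires."""
    return principal.direct_grants - required_permissions(principal.tasks)


def audit(principals: list[Principal]) -> dict[str, list[tuple[str, str]]]:
    """Report principals whose effective rights exceed the least-privilege baseline."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for principal in principals:
        excess = excess_privileges(principal)
        if excess:
            findings[principal.name] = sorted(excess)
    return findings


# Constructed principals: a doctor whose rights come only from tasks, and an
# assistant who was additionally handed chart-write access outside the task model.
DOCTOR = Principal("doctor", {"view_schedule", "update_chart"})
ASSISTANT = Principal("assistant", {"process_claims"},
                      direct_grants={("patient_record", "write")})

if __name__ == "__main__":
    print("doctor may write chart:", is_authorized(DOCTOR, "patient_record", "write"))
    print("assistant may read chart:", is_authorized(ASSISTANT, "patient_record", "read"))
    print("audit findings:", audit([DOCTOR, ASSISTANT]))
```

The audit output is what an "examine access control policy" step would look for in practice: any right that cannot be traced back to an assigned task is either a missing task definition or an over-privileged account, and both need a decision recorded in the review.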
HIPAA Doctors', Nurses' and Hospitals' Basic Security Requirements
One important behavior of doctors is that they tend to be highly mobile. Doctors perform patient rounds in a hospital or travel from their offices to clinics or other hospitals. As a result, any solution must accommodate the mobility they require. Along with this mobility comes the challenge of interfacing with various devices and systems. Given that hospitals, clinics, offices, and other places where doctors need access to information will all have different systems, a security solution must take the question of a homogeneous system base into account.
Another aspect of doctor interactions is that many administrative tasks, such as claims processing and billing, are not directly managed by the doctor, but rather delegated to a trusted administrative assistant. As a result, issues of confidentiality and nonrepudiation must take into account that a patient’s information will be handled by numerous individuals whom the doctor trusts to keep it confidential.