Risk Management
Project Management Design Reviews Checklist Templates
Introduction
Reviews can be divided into two categories: technical and management. A technical review is concerned with the technical quality of the system, whereas a management review evaluates progress, the resource plan and the associated business case. The reason for separating technical and management reviews is that the requirements of each type of review are fundamentally different, and the respective audiences will be concerned with very different issues. This section provides a guide to the different types of review that may be employed to ensure that quality objectives are met.
Degree of review formality
The degree of formality adopted during review will depend upon several factors. These include:
- The culture of the Information Service department.
- The quality objectives that have been set.
- The risks associated with developing the project.
Potential Failure Modes and Effects Analysis (FMEA) Templates
1. Select the process FMEA team
2. Develop a process map and identify all process steps
3. List all the key process outputs to satisfy internal and external customer requirements
4. For each process step, list key process inputs
5. For the process, define a matrix relating product outputs to process variables
6. Rank the inputs
7. For each process input, list ways that it can vary (causes) and identify associated failure modes and effects
Top two drivers that influence IT security and IT compliance
1. Business drivers:
Business drivers represent constraints placed on the organization by external elements. They can be viewed as business objectives with metrics. The drivers measure value, risk, and economic cost. Value drivers determine the worth of assets, of the system to the business, and of the business itself. Risk drivers involve compliance, corporate structure, corporate image, and the risk tolerance of the company. Economic drivers determine productivity impact, competitive advantage, and system cost.
2. IT drivers:
IT drivers represent operational constraints in the general IT environment. For example, the complexity of a system, including its environment, that is exposed to internal and external threats presents risks that the organization must address.
Comparison of eight Governance Risk Control (GRC) Regulatory Compliances
This comparison covers eight Governance Risk Control (GRC) regulatory compliances: the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive (EUDPD), the AICPA Generally Accepted Privacy Principles (GAPP), the Payment Card Industry Data Security Standard (PCI DSS), the ISO 27002 Code of Practice for Information Security Management, COBIT, the Sarbanes-Oxley Act of 2002 (SOX), and the Gramm-Leach-Bliley Act (GLBA).
1. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes among its components privacy and security rules for the handling of personal and medical information within the health care industry. These rules focus on Protected Health Information (PHI) and electronic PHI (ePHI); they result from efforts to streamline the health care system in the United States and mandate the standardization of electronic transactions, code sets, and identifiers. The privacy and security rules for this act are detailed and prescriptive. Although the regulation focuses on organizations in the U.S. health care industry, it can extend to other organizations if they engage in certain activities, such as managing employee group health plans or providing services to organizations that this regulation directly affects. If your organization is in the United States and maintains a health plan for its employees, HIPAA most likely applies to the collected and stored information. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) enforces HIPAA regulations.
HIPAA Continuity and Contingency Planning Requirements
The HIPAA (Health Insurance Portability and Accountability Act) Security Rule requires covered entities to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems containing electronic protected health information. The Contingency Plan standard includes five implementation specifications:
1. Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
2. Disaster Recovery Plan
Establish (and implement as needed) procedures to restore any loss of data.