CST620_Project 5: Database Security Assessment
You are a contracting officer’s technical representative, a Security System Engineer, SSE, at a military hospital. Your department’s leaders are adopting a new medical health care database management system. And they’ve tasked you to put together a team to create a request for proposal for which different vendors will compete to build and provide to the hospital. A Request for Proposal, or RFP, is when an organization sends out a request for estimates on performing a function, delivering a technology, or providing a service or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions. To complete the RFP, you must determine the technical and security specifications for the system. You’ll write the requirements for the overall system and provide evaluation standards that will be used in rating the vendor’s performance. Your learning will help you determine your system’s requirements. As you discover methods of attack, you’ll write prevention and remediation requirements for the vendor to perform. Additionally, you’ll produce a report detailing a test plan and remediation results. This document will accompany the RFP and will include security guidelines for vendors. You must identify the different vulnerabilities the database should be hardened against. You have a good relationship with the vendors in determining these requirements for the procurement. You’ll work in partnership in your teams to define test protocol of the database management system and to devise remediation. These results will be incorporated into the test plan and remediation results and will also be part of the RFP. Work in partnership teams to test and validate the remediation and attacks and to create the RFP.
SECURITY STANDARDS REQUIREMENTS
[Integrate information from step 3. Provide the vendor with a set of internationally recognized standards to incorporate into the manufacture of the database and its mechanisms. These will serve as metrics of security performance for measuring the security processes incorporated into the product. Read about database models, the Common Criteria (CC) for information technology security evaluation, Evaluated Assurance Levels (EALs), and Continuity of Service. Be sure to address concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks.]
- Provide vendor security standards
- To be completed by a designated team member
- State everything as requirements in context of the medical database
- Provide a set of internationally recognized standards to incorporate into the manufacture of the database and its mechanisms
- These serve as metrics of security performance for measuring the security processes incorporated into the product
- Read about
- Database models
- Common Criteria (CC) for information technology security evaluation
- Evaluated Assurance Levels (EALs)
- Continuity of Service
- Address concepts and issues with respect to
- Disasters and disaster recovery
- Mission continuity
- Threats
- Cyberattacks
TEST PLAN AND REMEDIATION RESULTS (TPRR)
[Integrate information from Step 10. Create a test plan, review remediation results, and create a report for vendors. First review 1) error handling and information leakage; 2) insecure handling; 3) cross-site scripting (XSS/CSRF) flaws; 4) SQL injections; 5) memory leakage; 6) insecure configuration management; 7) authentication (with a focus on broken authentication); 8) access control (with a focus on broken access control); and 9) the guideline for Creating a Test Plan and Remediation Results (TPRR) Report. Define the test protocol for vendors. Make them aware of several possible vulnerabilities to database asset security. For each vulnerability, create a test procedure that exercises it and a remediation for it, and record both in the TPRR. Vendors will use the TPRR to demonstrate hardening against those vulnerabilities.]
- Include access control concepts and capabilities
- To be completed by a designated team member
- State everything as requirements in context of the medical database
- Focus on access control
- Vendor will need to demonstrate the capability to enforce the following in the database management system
- Identification
- Authentication
- Access
- Authorization
- Vendor must
- Identify types of access control capabilities
- Explain how they execute access control
- Provide requirement statements for vendor regarding
- Access control concepts
- Authentication
- Direct object access
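The TPRR asks for a test procedure and a remediation for each vulnerability, and this access control section asks the vendor to show how direct object access is controlled. The block below is an added worked example of what such a paired test-and-remediation entry can look like in executable form; it is not part of the assignment text or any vendor's product. It uses Python's built-in sqlite3 module with an in-memory database, and the table names, clinician identifiers and patient rows are constructed placeholders. It covers two TPRR items with one shared setup: the SQL injection item (a string-built query beside its parameterized replacement) and the direct object access item (a record lookup that trusts the requested id beside one that requires a recorded care relationship). Each test case is written the way a TPRR check would be: it returns True when the implementation under test passes.

```python
import sqlite3

# Constructed sample data (not real patient data): a patient table and a
# care-relationship table recording which clinician may view which patient.
PATIENTS = [
    (1, "Patient A", "Diagnosis A"),
    (2, "Patient B", "Diagnosis B"),
    (3, "Patient C", "Diagnosis C"),
]
CARE_TEAM = [  # (clinician_id, patient_id)
    ("dr_smith", 1),
    ("dr_smith", 2),
    ("dr_jones", 3),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.execute("CREATE TABLE care_team (clinician_id TEXT, patient_id INTEGER)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    conn.executemany("INSERT INTO care_team VALUES (?, ?)", CARE_TEAM)
    return conn


# --- TPRR item: SQL injection ------------------------------------------------

def find_patient_vulnerable(conn, name: str) -> list:
    """'Before' implementation: the query is built by string concatenation,
    so the name field is interpreted as SQL. This is the defect the test catches."""
    sql = "SELECT id, name FROM patient WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_patient_hardened(conn, name: str) -> list:
    """Remediation: a parameterized query. The driver passes the value
    separately from the statement, so it is only ever compared as data."""
    return conn.execute("SELECT id, name FROM patient WHERE name = ?", (name,)).fetchall()


def sqli_test_case(lookup) -> bool:
    """TPRR check: a name containing a tautology must not return any row whose
    stored name differs from the literal input. True means the lookup passes."""
    conn = build_db()
    probe = "Patient A' OR '1'='1"
    rows = lookup(conn, probe)
    return all(row[1] == probe for row in rows)


# --- TPRR item: direct object access -----------------------------------------

def get_record_no_authz(conn, clinician_id: str, patient_id: int):
    """'Before' implementation: trusts the patient_id in the request and never
    checks whether the caller has a care relationship with that patient."""
    return conn.execute(
        "SELECT id, name, diagnosis FROM patient WHERE id = ?", (patient_id,)
    ).fetchone()


def get_record_authorized(conn, clinician_id: str, patient_id: int):
    """Remediation: the authorization check is part of the same query, so a
    record is returned only when a care_team row links caller and patient."""
    return conn.execute(
        "SELECT p.id, p.name, p.diagnosis FROM patient p "
        "JOIN care_team c ON c.patient_id = p.id "
        "WHERE p.id = ? AND c.clinician_id = ?",
        (patient_id, clinician_id),
    ).fetchone()


def direct_object_test_case(fetch) -> bool:
    """TPRR check: a clinician on patient 1's care team but not patient 3's
    must receive patient 1 and must be denied patient 3."""
    conn = build_db()
    allowed = fetch(conn, "dr_smith", 1)
    denied = fetch(conn, "dr_smith", 3)
    return allowed is not None and allowed[1] == "Patient A" and denied is None


def run_tprr() -> dict:
    """Run both checks against the 'before' and remediated implementations."""
    return {
        "sqli_before": sqli_test_case(find_patient_vulnerable),
        "sqli_remediated": sqli_test_case(find_patient_hardened),
        "direct_object_before": direct_object_test_case(get_record_no_authz),
        "direct_object_remediated": direct_object_test_case(get_record_authorized),
    }


if __name__ == "__main__":
    for item, passed in run_tprr().items():
        print(f"{item}: {'PASS' if passed else 'FAIL'}")
```

The two "before" functions fail their checks and the two remediated ones pass, which is the shape of evidence the TPRR asks vendors to supply: the test input, the observable failure, and the change that removes it. Note that the authorization remediation keeps the check inside the data access path rather than in a separate caller-side step, so there is no way to reach the record without the care relationship being evaluated.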