You’re also expected to understand health care regulations and guidelines because you’re responsible for advising the chief information security officer, or CISO, on a range of patient services, including the confidentiality and integrity of billing, payments, and insurance claims processing, as well as the security of patient information covered under the Health Insurance Portability and Accountability Act, or HIPAA.
You also have a team of security engineers, SEs, who help implement new cryptographic plans and policies and collaborate with the IT deployment and operations department during migrations to new technology initiatives.
This week, the CISO calls you into his office to let you know about the company’s latest initiative.
“We’re implementing eFi, web-based electronic health care, and that means we need to modernize our enterprise key management system during the migration,” he says.
The CISO asks for an enterprise key management plan that identifies the top components, possible solutions, comparisons of each solution, risks and benefits, and proposed risk mitigations.
The plan will help create an enterprise key management system.
The SEs would be responsible for the implementation, operation, and maintenance of the plan and system.
The CISO also wants you to come up with an enterprise key management policy that provides processes, procedures, rules of behavior, and training.
The new web-based system needs to be running in a month. So, you’ll have a week to put together your enterprise key management plan and the accompanying policy.
Software Development Life Cycle for Data in the Cloud Computing Environment
Each team member is a security software architect in a cloud service provider company, assigned to a project to provide the client with data integrity and confidentiality protections for data in transit that will be using applications in the cloud. Your client is an HR company that is moving HR applications and HR data into a community cloud, sharing tenancy with other clients. Your company has set up a software as a service, SaaS, offering for its client base.
The data that the HR company will be pushing to and from the cloud will contain sensitive employee information, such as personally identifiable information, PII. You will have to address sensitive data and transit issues of the client data using the HR applications stored in the cloud, and provide a life cycle management report that includes solutions to the cloud computing architect of your company.
The team will decide on a team leader, who may divide sections to complete by small groups of team members. You decide to make an outline of the report, and to use the phases of the software development lifecycle, SDLC, as a basis for the report. The outline includes the following: examine the cloud computing environment and determine the protection techniques and how they will be applied to components within the cloud to ensure end-to-end protection of data in transit. Consider what security techniques and methods are applicable, and tailor the software development life cycle methodology for the cloud computing environment.
Select the best methods and techniques for protecting confidentiality and integrity of data in transit, and apply principles to the whole study approach. These are the software development life cycle phases to use as the report outline: initiating projects/defining scope, functional design, analysis and planning, system design specifications, software development, installation/implementation, tailoring, operation and maintenance, and disposal. Work in partnership teams to create the report.
Request for Proposal
Provide an introduction using the project scenario and incorporating some if not all of the following: You are a military hospital team, led by a Security System Engineer (SSE), assigned to create a Request for Proposal (RFP) along with a test plan and remediation results (TPRR). The SSE’s division is seeking a vendor to build them a new medical health care database management system (DBMS). The team must determine the DBMS technical and security specifications and test plan and incorporate them into the RFP. The RFP will include an overview of the organization, DBMS functional requirements, security standards, defense models and defensive methods, DBMS structure, levels of security, access control, and a TPRR.
Provide vendors with an overview of your organization. Work with your teammates to establish information about your hospital. If you want to use Tables or Figures, please put them at the bottom of this report in the appropriate section. Refer to Table X or Figure X (assign a number) and then further discuss the area.
Hospital Database Management
Conduct independent research on hospital database management. Think about the hospital’s different organizational needs. What groups or individuals will use the database, and for what purposes?
Discuss the types of data that may be stored in the system, and discuss the importance of keeping this data secure. Include this information in the RFP.
DBMS Operating Environment
Provide the context of the work that is being asked for. You are closest to the application and implementation, and you are giving guidance to the vendors by determining the attributes of the database and describing the environment in which it would be operable.
DBMS Security Concerns
Discuss your security concerns for the DBMS based on your reading and understanding of vulnerabilities commonly known to affect databases.
DBMS Security Functional Requirements
Identify no fewer than three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders.
Functional requirement #1. Identify and discuss a security assurance and security functional requirement for the DBMS. Be sure to use this specific format.
Functional requirement #2. Identify and discuss a security assurance and security functional requirement for the DBMS. Be sure to use this specific format.
Functional requirement #3. Identify and discuss a security assurance and security functional requirement for the DBMS. Be sure to use this specific format.
Internationally Recognized Security Standards
In this section you will discuss a set of internationally recognized standards that competing vendors will incorporate into manufacturing of the DBMS. Pay particular attention to the three sub-sections noted below.
Disasters and Disaster Recovery
Address DBMS standards with respect to disasters and disaster recovery.
Address DBMS standards with respect to mission continuity.
Threats and Cyberattacks
Address DBMS standards with respect to threats and cyberattacks.
Discuss requirements for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles.
Explain how enclave computing relates to the defensive principles. The network domains should be at different security levels and have different accesses, as well as different read and write permissions.
Define enclave boundary defense and include enclave firewalls separating databases and networks. This can be fictional or modeled after an existing model, using your IEEE standard citation format. Define the different environments you expect the databases to be working in and the security policies applicable.
Database Defensive Methods
Use information learned from the lab work to discuss defensive methods that should be used in protecting your DBMS. Explore defensive methods that should be used in protecting databases. Include information about threats, risks, and recommended strategies for addressing these threats.
Focus on the structure of the system and include a description of how you anticipate the DBMS web interface to work. For example, you would expect the web interface to allow a patient and other health care providers to see their data, glean information from the data, and be able to modify and update the data in the database. What other expectations would you want from the web interface?
Operating System Security Components
Be sure to research DBMS operating systems before writing this section. Discuss the operating system security components that will support the DBMS and the security protection mechanisms.
Provide requirements for the segmentation by operating system rings to ensure that processes do not affect each other. Provide an example of such a process in your requirement that could violate the segmentation mechanism and make sure the requirement statement you provide prevents that from occurring.
Trusted Platform Module
Provide a very brief explanation of what a trusted platform module (TPM) is and then specify requirements for a TPM, in which a cryptographic key is supplied at the chip level. Describe the expected security gain from incorporating this TPM. In addition, provide requirements statements that ensure the trusted computing base (TCB). Give examples of components to consider in the TCB and provide requirements of how to ensure protection of these components, such as authentication procedures and antimalware protection.
Multiple Independent Levels of Security
The healthcare DBMS should be able to incorporate multiple independent levels of security (MILS) because the organization plans to expand the number of users. Write requirements for MILS and include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula model and the Chinese Wall model. Indicate any limitations for the application of these models.
The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the DBMS. Provide requirements for the vendor to identify types of access control capabilities, how they execute access control, authentication, and direct object access.
In the vendor response, you will want them to include a test plan and timeline for delivery of the DBMS. Be sure to read up on what is typically included in a test plan and remediation results report (TPRR). Then in this section you can suggest the vendor include the following in their test plan (and describe what they are): test conditions for cybersecurity models (Bell-LaPadula, Biba, Chinese Wall, etc.), test conditions for cross-site scripting and cross-site request forgery (XSS/CSRF) flaws, test conditions for SQL injections, and remediation actions to be performed for any security violations found during testing.
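A sketch of what "test conditions for cybersecurity models" can look like in practice, as an added example that is not part of the original assignment: a reference monitor combining the Bell-LaPadula and Biba rules, checked against a table of test conditions whose failures become the remediation list. The label names, subjects, and objects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed label sets for a hospital DBMS; not taken from the page.
CONF = {"public": 0, "clinical": 1, "restricted": 2}                       # Bell-LaPadula
INTEG = {"patient_entered": 0, "staff_entered": 1, "physician_signed": 2}  # Biba

@dataclass(frozen=True)
class Label:
    conf: str   # confidentiality level
    integ: str  # integrity level

def blp_allows(subj, obj, op):
    # Bell-LaPadula: no read up, no write down (any non-read op is treated as write).
    s, o = CONF[subj.conf], CONF[obj.conf]
    return s >= o if op == "read" else s <= o

def biba_allows(subj, obj, op):
    # Biba: no read down, no write up.
    s, o = INTEG[subj.integ], INTEG[obj.integ]
    return s <= o if op == "read" else s >= o

def decide(subj, obj, op):
    # Access is granted only if both models permit it.
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op}")
    return blp_allows(subj, obj, op) and biba_allows(subj, obj, op)

NURSE = Label("clinical", "staff_entered")
PORTAL = Label("public", "patient_entered")       # patient web portal session
CHART = Label("clinical", "physician_signed")     # signed diagnosis record
PSYCH = Label("restricted", "physician_signed")   # restricted psychiatric notes
BROCHURE = Label("public", "patient_entered")     # public, unverified content

# Test conditions: (id, subject, object, operation, expected decision)
TEST_CONDITIONS = [
    ("BLP-1 no read up", NURSE, PSYCH, "read", False),
    ("BLP-2 no write down", NURSE, BROCHURE, "write", False),
    ("BIBA-1 no write up", PORTAL, CHART, "write", False),
    ("BIBA-2 no read down", NURSE, BROCHURE, "read", False),
    ("ALLOW-1 read at level", NURSE, CHART, "read", True),
]

def run_test_plan(monitor, conditions=TEST_CONDITIONS):
    """Return ids of conditions where the monitor disagrees with the expected result."""
    return [cid for cid, s, o, op, want in conditions if monitor(s, o, op) != want]
```

Passing `blp_allows` alone as the monitor shows how the plan flags a system that enforces confidentiality but not integrity: only the two Biba conditions are reported for remediation.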
Be sure to summarize your paper nicely by reminding the reader about the project scenario, purpose for the RFP, and which main points were covered within the RFP. As a reminder those main points were the overview of the organization, functional requirements, security standards, DBMS structure, levels of security, access control, and the test plan.