Cyber Security Question

Content Type

User Generated

User

Cnxrgpu

Subject

Computer Science

School

University of Maryland Global Campus

Description

Unformatted Attachment Preview

Database Security Assessment You are a contracting officer's technical representative, a security system engineer, at a military hospital. Your department's leaders are adopting a new medical health care database management system. And they've tasked you to create a request for proposal for which different vendors will compete to build and provide to the hospital. A request for proposal, or RFP, is when an organization sends out a request for estimates on performing a function, delivering a technology, or providing a service or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions. To complete the RFP, you must determine the technical and security specifications for the system. You'll write the requirements for the overall system and also provide evaluation standards that will be used in rating the vendor's performance. Your learning will help you determine your system's requirements. As you discover methods of attack, you'll write prevention and remediation requirements for the vendor to perform. You must identify the different vulnerabilities the database should be hardened against. Deliverables • An RFP, about 10 to 12 pages, in the form of a doublespaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report. Provide an Overview for Vendors Provide vendors with an overview of your organization Identify which departments or individuals will use the Security Concerns Common to All RDBMS, and for what purposes Include the types of data that may be stored in the system and the importance of keeping these data secure Provide Context for the Work Explain the attributes of the database and describe the environment in which it will operate Describe the security concepts and concerns for databases Identify at least three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders Provide Vendor Security Standards Provide a set of internationally recognized standards that competing vendors will incorporate into the database Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks Describe Defense Models Define the use of defense models Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles Explain the importance of understanding these principles Explain how enclave computing relates to defensive principles. Define enclave computing boundary defense, include enclave firewalls to separate databases and networks. Define the different environments you expect the databases to be working in and the security policies applicable Explore Database Defensive Methods Include information about threats, risks, and possible recommendation strategies to these threats. Provide a Requirement Statement for System Structure State requirement statements for a web interface to do the following, all in the context of the medical database a) Allow patients and other healthcare providers to view, modify, and update the database. b) Allow integrated access across multiple systems. c) Prevent data exfiltration through external media. Provide Operating System Security Components Provide requirements for segmentation by operating system rings to ensure processes do not affect each other Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring. Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. Include the specifications below Describe the expected security gain from incorporating TPM. Provide requirement statements that adhere to the trusted computing base (TCB) standard. Provide examples of components to consider in the TCB. Provide requirements of how to ensure protection of these components, such as authentication procedures and malware protection. Write Requirements for Multiple Independent Levels of Security Write requirement statements for MILS for your database in the RFP. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model. Indicate any limitations for the application of these models. Include requirement statements for addressing insecure handling of data. Include Access Control Concepts, and Capabilities Include requirement statements in the RFP that the vendor must identify, the types of access control capabilities, and how they execute access control. Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access. Include Test Plan Requirements Incorporate a short paragraph requiring the vendor to propose a test plan Provide requirements for the vendor to supply an approximate timeline for the delivery of technology.
Purchase answer to see full attachment

Explanation & Answer:

12 pages

Tags: Database security realtional database Database Security Assessment Request for Proposal National Military Hospital health care to armed forces

User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions.

1

Database Security Assessment Request for Proposal
Student Name
Course name:
University name:
Professor's info:

2

Overview for Vendors
The National Military Hospital (NMH) offers health care to armed forces members and
other eligible beneficiaries. People who benefit from this medical system are members of the
military(reserves and active duty), their families, veterans, retired, civilians working in the
Defence Ministry, and non-military civilian employees (Bricknell & Cain, 2020). The NMH
assists military personnel and improves military medical education and practice. The Privacy
Rule by HIPAA requires the protection of all personally recognizable health info. (Snell, 2017).
The hospital is searching for a vendor to implement health care database management content to
manage the electronic medical records with the help of a security system engineer.
A database is an archive of organized data that may be expanded, updated, and accessed
easily (Health Data in the Information Age, 1994). The military hospital's database will store the
patient's personal information and health information. Medical diagnoses, names, treatment
regimens, residences, and social security numbers are among the information contained in the
database. Administrative support workers and healthcare professionals will have access to the
database. Therefore, all private data must be kept secure. The medical personnel, including
physicians and nurses, will require access to the database to change, update, and examine patient
data to make proper diagnoses and create treatment regimens.
On the other hand, medical personnel must be barred from obtaining sensitive patient
data such as social security numbers and addresses. On the other hand, the administrative
personnel will need access to patient information such as social security numbers, billing, and
home addresses to perform necessary billing functions while restricting access to patient health
information. Furthermore, the military hospital would wish to create a web page for patients to

3

have remote access to their health and personal data while guaranteeing that only authorized
personnel may modify patient data.
Inadequate security controls in healthcare databases may lead to data breaches. These
data breaches, however, expose patients to economic difficulties, mental anguish, and social
stigma. (Healthcare Data Breaches - The Costs and Solutions, 2018). The expense of having a
patient's personal and medical records stolen can be high. There are also the costs of lost revenue
if unhappy patients seek care at other institutions and the costs of investigations, remedies, and
potentially class-action lawsuits (Nass, 2009).
Context for the Work
The hospital anticipates that its new database system will be secure, well-organized, and
expandable, allowing simple queries to retrieve all patient information. Furthermore, the HIPAA
privacy act mandates that all personally identifiable patient data be kept private.
The hospital database's functional security needs include:
a. Database injection attacks, in which a hacker interferes with the database queries that
an application performs to its database (What is SQL Injection? 2021 Tutorial & Examples | Web
Security Academy)
b. Malware is a type of software used to steal private data from legitimate users via
infected devices.
c. Denial of service where an attacker floods a database with requests, causing it to fail to
fulfill legitimate users' queries (IBM Cloud Education, 2019)

4

The database must also safeguard the security of the hospital's patents. The hospital must
restrict access so that only authorized hospital personnel can access the database system and the
patient's sensitive personal information. The hospital also asks staff to authenticate their
identities using methods such as two-factor authentication. Furthermore, the hospital requires the
integrity and backup of all data contained in the database.
Vendor Security Standards
Common Criteria for information technology security evaluation
Common Criteria is an international computer security standard used to evaluate a
computer system by defining the extent to which the system and its resources are secured.
Common criteria are a way of assessing the security of software. The Common Criteria attempts
to reassure that owners, users, and clients took a computer security solution's specification,
implementation, and assessment seriously and thoroughly. The CC was formed as a result of
collaboration between six governments. (Blancco, 2021).
To have a product reviewed; vendors must submit a Security Target description. The
Security Target will be assessed against the Security Functional Requirements. This procedure
enables the product's vendor to customize it to the anticipated capabilities. Vendors may assert
that the target product meets one or more of the Protection Profiles.
Evaluated assurance levels
A system or an IT product's evaluated assurance levels (EAL1 through EAL7) are a
numerical grade assigned following a Common Criteria examination. It is a standard measure
that has been in use since 1999. The EAL level does not indicate the system's security; instead, it

5

shows the level at which the system was tested. The higher levels are designed to assure users
that the system's main security measures are being applied correctly. To obtain Common Criteria
certification, the higher the assurance level, the more assurance standards must be met
(Wikipedia Contributors, 2021).
Disaster recovery and Continuity of service
Disaster recovery and Continuity of Services are essential in an organization's planning
for unanticipated hazards. Disaster recovery is the step-by-step method an organization follows
in the case of a disaster that disrupts normal business operations. In such an incident, measures
taken include recovering the server from backups and providing a Local Area Network (LAN) to
fulfill a business's urgent needs. (Sullivan et al., 2017).
The actions taken by an organization to prevent and recover from potential hazards to a
business are referred to as Continuity of service. It protects the safety of employees and assets
and...