CST 620 Bethesda University of California Military Hospital of America Discussion


Question Description

I’m studying for my Cyber Security class and don’t understand how to answer this. Can you help me study?

Unformatted Attachment Preview

Project 5. Transcript Database Security Assessment

You are a contracting officer's technical representative, a security system engineer, at a military hospital. Your department's leaders are adopting a new medical health care database management system. And they've tasked you to create a request for proposal for which different vendors will compete to build and provide to the hospital.

A request for proposal, or RFP, is when an organization sends out a request for estimates on performing a function, delivering a technology, or providing a service or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions.

To complete the RFP, you must determine the technical and security specifications for the system. You'll write the requirements for the overall system and also provide evaluation standards that will be used in rating the vendor's performance. Your learning will help you determine your system's requirements. As you discover methods of attack, you'll write prevention and remediation requirements for the vendor to perform. You must identify the different vulnerabilities the database should be hardened against.

Modern health care systems incorporate databases for effective and efficient management of patient health care. Databases are vulnerable to cyberattacks and must be designed and built with security controls from the beginning of the life cycle. Although hardening the database early in the life cycle is better, security is often incorporated after deployment, forcing hospital and health care IT professionals to play catch-up. Database security requirements should be defined at the requirements stage of acquisition and procurement. System security engineers and other acquisition personnel can effectively assist vendors in building better health care database systems by specifying security requirements up front within the request for proposal (RFP).

In this project, you will be developing an RFP for a new medical health care database management system.

Step 1: Provide an Overview for Vendors

As the contracting officer's technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What departments or individuals will use the Security Concerns Common to All RDBMSs, and for what purposes? Provide an overview with the types of data that may be stored in the system and the importance of keeping these data secure. Include this information in the RFP. After the overview is complete, move to the next step to provide context for the vendors with an overview of needs.

Step 2: Provide Context for the Work

Now that you have provided vendors with an overview of your hospital's needs, you will provide the vendors with a context for the work needed. Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate. Details are important in order for the vendors to provide optimal services. It is important to understand the vulnerability of a relational database management system (RDBMS). Read the following resources about RDBMSs.
• error handling and information leakage
• insecure handling
• cross-site scripting (XSS/CSRF) flaws
• SQL injections
• insecure configuration management
• authentication (with a focus on broken authentication)
• access control (with a focus on broken access control)

Describe the security concepts and concerns for databases. Identify at least three security assurance and security functional requirements for the database that contain information for medical personnel and emergency responders. Include this information in the RFP. In the next step, you will provide security standards for the vendors.

Step 3: Provide Vendor Security Standards

In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes. Read the following resources to prepare:
• database models
• Common Criteria (CC) for information technology security evaluation
• evaluated assurance levels (EALs)
• continuity of service

Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks. Include these security standards in the RFP. In the next step, you will describe defense models for the RFP.

Step 4: Describe Defense Models

Now that you have established security standards for the RFP, you will define the use of defense models. This information is important since the networking environment will have numerous users with different levels of access. Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, click the link and read about defensive principles. Read these resources on enclave computing environment:
• enclave/computing environment
• cyber operations in DoD policy and plans

Explain how enclave computing relates to defensive principles. The network domains should be at different security levels, have different levels of access, and different read and write permissions. Define enclave computing boundary defense. Include enclave firewalls to separate databases and networks. Define the different environments you expect the databases to be working in and the security policies applicable. Provide this information in the RFP. In the next step, you will consider database defenses.

Step 6: Provide a Requirement Statement for System Structure

In the previous step, you identified defense requirements for the vendor. In this step of the RFP, you will focus on the structure of the system. Provide requirement statements for a web interface to:
1. Allow patients and other health care providers to view, modify, and update the database.
2. Allow integrated access across multiple systems.
3. Prevent data exfiltration through external media.

State these requirements in the context of the medical database. Include this information in the RFP. In the next step, you will outline operating system security components.

Step 7: Provide Operating System Security Components

In the previous step, you composed requirement statements regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms. Read these resources on operating system security. Then:
1. Provide requirements for segmentation by operating system rings to ensure processes do not affect each other.
2. Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring.

Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. In those specifications:
1. Describe the expected security gain from incorporating TPM.
2. Provide requirement statements that adhere to the trusted computing base (TCB) standard.
3. Provide examples of components to consider in the TCB.
4. Provide requirements of how to ensure protection of these components, such as authentication procedures and malware protection.

Read the following resources to familiarize yourself with these concepts:
• trusted computing
• trusted computing base

Include this information in the RFP. In the following step, you will write requirements for levels of security.

Step 8: Write Requirements for Multiple Independent Levels of Security

The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Access to the data is accomplished using security concepts and security models that ensure confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge. The healthcare database should be able to incorporate multiple independent levels of security (MILS) because the organization plans to expand the number of users. Write requirement statements for MILS for your database in the RFP.
1. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model.
2. Indicate any limitations for the application of these models.

Read the following resources and note which cybersecurity models are most beneficial to your database:
• multiple independent levels of security (MILS)
• cybersecurity models
• insecure handling

Include requirement statements for addressing insecure handling of data. Include this information in your RFP. In the next step, you will consider access control.

Step 9: Include Access Control Concepts, Capabilities

In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems. Include requirement statements in the RFP that the vendor must identify, the types of access control capabilities, and how they execute access control. Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access. Include the requirement statements in the RFP. In the next step, you will incorporate additional security requirements and request vendors to provide a test plan.

Step 10: Include Test Plan Requirements

In the previous step, you defined access control requirements. Here, you will define test plan requirements for vendors. Incorporate a short paragraph requiring the vendor to propose a test plan after reviewing these guidelines for a test and remediation results (TPRR) report. Provide requirements for the vendor to supply an approximate timeline for the delivery of technology.

Step 11: Compile the RFP Document

In this final step, you will compile the RFP for a secure health care database management system. Review the document to make sure nothing is missed before submission. Submit the following deliverables to your assignment folder.

Deliverables
• An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report.
• An MS-Excel spreadsheet with lab results.

Check Your Evaluation Criteria

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
• 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
• 1.8: Create clear oral messages.
• 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
• 2.2: Locate and access sufficient information to investigate the issue or problem.
• 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
• 2.4: Consider and analyze information in context to the issue or problem.
• 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
• 4.2: Demonstrate the ability to plan and execute a project, articulating clear objectives and goals for the team.
• 9.4: Manages and supports the acquisition life cycle, including planning, determining specifications, selecting, and procuring information and communications technology (ICT) and cybersecurity products used in the organization's design, development, and maintenance of its infrastructure to minimize potential risks and vulnerabilities.
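The three models Step 8 asks for, worked as a small Python reference monitor over a hospital database. This is an added example, not part of the assignment or the tutor's answer; the sensitivity lattice, roles, records, dataset names and conflict classes are all constructed. Bell-LaPadula and Biba are label comparisons, the Chinese Wall is an access history, and the combined decision also exposes the limitation Step 8 asks about, since each model refuses a different request.

```python
"""Toy reference monitor for the Step 8 models (constructed illustration, not project code)."""
from dataclasses import dataclass

# Shared ordered lattice (constructed): confidentiality sensitivity / integrity trustworthiness.
LEVELS = {"public": 0, "staff": 1, "phi": 2, "restricted": 3}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # Bell-LaPadula confidentiality clearance
    integrity: str   # Biba integrity level

@dataclass(frozen=True)
class Record:
    name: str
    classification: str  # confidentiality label
    integrity: str       # integrity label
    dataset: str         # Chinese Wall: whose data this is
    conflict_class: str  # Chinese Wall: competing datasets share a class

def blp_allows(s, o, op):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    cs, co = LEVELS[s.clearance], LEVELS[o.classification]
    return cs >= co if op == "read" else cs <= co

def biba_allows(s, o, op):
    """Biba: no read down, no write up (the dual of Bell-LaPadula)."""
    si, oi = LEVELS[s.integrity], LEVELS[o.integrity]
    return si <= oi if op == "read" else si >= oi

class ChineseWall:
    """Brewer-Nash style history: after touching one dataset in a conflict class,
    every other dataset in that class is off limits to the same subject."""
    def __init__(self):
        self.history = {}  # subject name -> {conflict_class: dataset}
    def allows(self, s, o):
        prior = self.history.get(s.name, {}).get(o.conflict_class)
        return prior is None or prior == o.dataset

def decide(s, o, op, wall):
    """All three models must agree; returns (allowed, names of models that refused)."""
    checks = {"BLP": blp_allows(s, o, op), "Biba": biba_allows(s, o, op),
              "ChineseWall": wall.allows(s, o)}
    refused = [m for m, ok in checks.items() if not ok]
    if not refused:  # a successful access becomes part of the Chinese Wall history
        wall.history.setdefault(s.name, {})[o.conflict_class] = o.dataset
    return not refused, refused

def demo():
    wall = ChineseWall()
    nurse = Subject("nurse", clearance="phi", integrity="staff")
    kiosk = Subject("lobby-kiosk", clearance="public", integrity="public")
    auditor = Subject("claims-auditor", clearance="phi", integrity="phi")
    chart = Record("patient-chart", "phi", "phi", "hospital", "clinical")
    orders = Record("physician-orders", "restricted", "phi", "hospital", "clinical")
    claims_a = Record("claims-insurer-a", "phi", "phi", "insurer-a", "payers")
    claims_b = Record("claims-insurer-b", "phi", "phi", "insurer-b", "payers")
    return {
        "nurse reads chart": decide(nurse, chart, "read", wall),
        "nurse writes orders": decide(nurse, orders, "write", wall),
        "kiosk reads chart": decide(kiosk, chart, "read", wall),
        "auditor reads insurer a": decide(auditor, claims_a, "read", wall),
        "auditor reads insurer b": decide(auditor, claims_b, "read", wall),
    }
```

`demo()` returns each scenario's decision: the nurse's write to physician orders passes Bell-LaPadula (a blind write up is allowed there) but fails Biba, which is exactly the kind of per-model limitation Step 8 asks the RFP to document.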

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions. Hey Buddy! Your assignment is completed. Have a look at it! 😇 In case of any revisions you need, please feel free to ask me. 🎅

Running Head: REQUEST FOR PROPOSAL PAPER

Request for Proposal Paper
Name
Date
Institution


Overview for Vendors

The organization seeking a request for proposal is a military hospital of America. This military hospital gladly upholds military recipients and leads the world by changing the instructing and practice of military medication. In any case, this military hospital can't keep on giving incredible and quality consideration to their patients if they can't guarantee the security and accessibility of their patient's Protected Health Information (PHI). Therefore, the hospital, in teamwork with its System Security Engineers (SSEs) Group, is looking for a proposition to progress all wellbeing records to another clinical medical care data set administration framework to keep up with Electronic Health Records (EHR). There is a critical need to change all wellbeing records to EHR because of the new cyberattacks on the medical services industry.

The distinctive hierarchical requirements of this military hospital request RFP for gauges on playing out a capacity, conveying the innovation, and offering assistance or increasing staff. The RFP will tailor to each try and is basic in its realm of contracting and for obtainment and acquisitions.

Security System Engineer (SSE) will decide the specialized and security details for their new military hospital information base administration framework. The RFP will lay out the necessities for the general framework and give assessment principles that will be utilized in rating likely vendor's presentations. Additionally, SSE will find strategies for assault, counteraction, and remediation prerequisites for likely vendors. The RFP will likewise incorporate the test conventions of the data set administration framework and remediation methodologies. Further, the sort of information that is put away in the framework is arranged as PHI that incorporates secret and touchy data about understanding's records. It is unimaginably significant for this information to be secured through consistent prerequisites so it stays classified and accessible to the approved workforce. Patients are depending on this military hospital for guaranteeing the secrecy, accessibility, and uprightness of their PHI. This military is not set in stone to forestall a cyberattack or information misfortune and will keep on making it their most elevated mission to help their patients.

Work Context for Vendors

The setting of what is generally anticipated of the new clinical medical care data set spotlights the security parts of relational database management systems (RDBMS) safety apprehensions. Since the RDBMS coordinates and oversees information tables with data on clinical staff, crisis administrations, and PHI, guaranteeing the security of the RDBMS is absolutely critical. Numerous RDBMSs have implicit security controls and instruments, and the data in the information store is genuinely compromised. Confirmation, consent, job, and access to the executives, and encryption should be carried out to moderate security concerns and diminish the danger of unapproved access. The weaknesses and security issues normal to all RDBMSs incorporate unapproved admittance to put away information, exfiltration of touchy information, and robbery of information because of outside and inside dangers. Data set security is the strategy that ensures and gets the information base against deliberate or inadvertent dangers. Security Affirmation of an IT framework is the degree of trust one has that the framework accurately meets its utilitarian particulars, and doesn't perform accidental capacities that undermine its security. Since current IT frameworks are incredibly complicated, appropriated, and frequently not under unitary control, specialized strategies for surveying the SA of frameworks are even more workmanship than science. Information security is integral to the RDBMS and security highlights prerequisites ought to incorporate ideas like anomaly detection (AD) and intrusion detection (ID). The intrusion, anomaly detection system, and the anomaly response system are the security useful necessities of the information base. Development and capacity to back up a data set through full reinforcement is the fundamental security confirmation of RDBMS. Howard College Hospital (HUH) will carry out customary reinforcements in its SOPs: for the time being, development reinforcements and week after week full reinforcements. In case of a cataclysmic event or basic framework disappointment, it is feasible to guarantee the respectability of the full reinforcement data set by support up the data set in an ideal way that can be utilized to reestablish the data set. Daily reinforcements consider quicker and less asset escalated reinforcements, which likewise give steady and solid apparatuses to incidentally recuperating erased information.

Security Standards for Vendors to Incorporate

Data set security is principally worried about shielding data sets from a wide range of assaults, dangers, and unapproved access. It covers and authorizes the security of every one of its parts like an information base workers, put away information, data set administration frameworks, and other data set applications. It forestalls compromise of data set accessibility, uprightness, or secrecy. This incorporates different sorts of controls like administration, physical, and specialized controls. It manages data-related security, PC security, and hazard the board. Data set security additionally implies applying a wide scope of information-related security limitations to guard all data. It is answerable for characterizing and deciphering the data set model construction. It handles the most common way of putting away, getting to, and refreshing information in a DBMS.

Disaster recuperation and coherence of administration are one in the equivalent. It is a subset of the bigger cycle of business coherence arranging. Catastrophe recuperation is the means taken by an organization in continuing activities in case of an overwhelming cataclysmic event, man-made occurrence, or natural fiasco. It centers on the IT or innovation frameworks supporting the basic business capacities.

Defense Models

Enclave processing depends on the possibility of safeguard top to bottom where associations apply different degrees of organization, information, and foundation isolation. Making interior "enclaves" for creation and information preparing frameworks empowers associations to get their fundamental resources from different dangers better than they could be utilizing more conventional edge-driven security executions.

Firewalls and guards are enclave limit security gadgets situated between a neighborhood, that the venture framework has a prerequisite to ensure, and a wide region network that is outside the control of the undertaking framework. Their basic role is to control admittance to the neighborhood from the external wide region organization and to control access from the neighborhood to the wide region organization. In many examples, they are likewise utilized inside the neighborhood to give a degree of access control between various sub-networks inside the neighborhood.

An Enclave is a part of an inner organization that is partitioned from the remainder of the organization. The reason for an organization enclave is to restrict inner admittance to a part of an organization. It is important when the arrangement of assets varies from those of the overall organization's environmental factors. Commonly, enclaves are not openly available. Interior availability is conf...
