Group Project Case Study Scenario
You are a contracting officer's technical representative, a security system engineer (SSE), at a military hospital. Your department's leaders are adopting a new medical health care database management system, and they've tasked you with putting together a team to create a request for proposal under which different vendors will compete to build the system and provide it to the hospital.
A request for proposal, or RFP, is a request an organization sends out for estimates on performing a function, delivering a technology, providing a service, or augmenting staff. RFPs are tailored to each endeavor but have common components, and they are important in the world of IT contracting and for procurement and acquisitions. To complete the RFP, you must determine the technical and security specifications for the system.
You'll write the requirements for the overall system and also provide evaluation standards that will be used in rating the vendor's performance. Your learning will help you determine your system's requirements. As you discover methods of attack, you'll write prevention and remediation requirements for the vendor to perform.
Additionally, you'll produce a report detailing a test plan and remediation results. This document will accompany the RFP and will include security guidelines for vendors. You must identify the different vulnerabilities the database should be hardened against.
You have a good relationship with the vendors in determining these requirements for the procurement. You'll work in partnership within your teams to define the test protocol for the database management system and to devise remediation. These results will be incorporated into the test plan and remediation results and will also be part of the RFP. Work in partnership teams to test and validate the remediation and attacks and to create the RFP.
Introduction to the Project
Today’s health care systems incorporate databases for more effective and efficient management of patient health care. The databases are prone to cyberattack and must be designed and built with security controls from the beginning of the life cycle. Though much can be accomplished by hardening the database early in the life cycle, much of the security is added after the fact, forcing hospital and health care IT professionals to try to catch up to the threats. It is becoming more critical that database security requirements are defined at the requirements stage of acquisition and procurement. Through specific security requirements, testing, and the sharing of test and remediation data, system security engineers and other acquisition personnel can collaborate more effectively with vendors wishing to fulfill and build health care database systems.
Your team will submit the following deliverables for this project:
An RFP: a double-spaced Word document of about 12-15 pages, with citations in APA format. The page count does not include figures, diagrams, tables or citations. There is no penalty for using additional pages. Include a minimum of three references. Include a reference list with the report.
A set of about 5-10 PowerPoint slides as an executive overview briefing that reflects the key elements of your team report.
An MS-Excel lab template of results.
Your RFP should also detail a test plan and remediation results (TPRR).
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment.
1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation.
1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
1.8: Create clear oral messages.
2.1: Identify and clearly explain the issue, question, or problem under consideration.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical manner to determine value and relevance.
2.4: Consider and analyze information in context to the issue or problem.
2.5: Develop well-reasoned ideas, conclusions, checking against relevant criteria.
4.1: Lead and participate in a diverse group to accomplish projects and assignments.
4.2: Plan and execute a project, articulating clear objectives and goals for the team.
4.3: Contribute to projects, assignments, or goals as an engaged member of a team.
4.4: Demonstrate diversity and inclusiveness in a team setting.
9.4: Manages and supports the acquisition life cycle and cybersecurity products used in the organization’s design, development, and maintenance of its infrastructure to minimize potential risks and vulnerabilities.
STEPS
Step 1: Provide an Overview for Vendors
As the liaison between your hospital and potential vendors, it is your duty to provide vendors with an overview of your organization. Work with your teammates to establish information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What groups or individuals will use the database, and for what purposes?
To be completed by a designated team member:
Discuss the types of data that may be stored in the system, and discuss the importance of keeping this data secure. Include this information in the RFP.
After the overview is complete, move to the next step, where the team will provide context for the vendors with an overview of needs.
Step 2: View Access Log and Provide Context for the Work
Now that the team has provided vendors with an overview of your hospital’s needs, you will provide the vendors with a context for the work that is needed.
To be completed by a designated team member:
Provide the context of the work that is being asked for. You are closest to the application and implementation, and you are giving guidance to the vendors by determining the attributes of the database and describing the environment in which it would be operable.
It is important to understand the vulnerability of a relational database management system (RDBMS). To that end, read about security concerns common to all RDBMSs. Then, provide the security concepts and concerns for databases. As a standard, for the database that holds the information for medical personnel and emergency responders, identify at least three, and no more than five, security assurance and security functional requirements. Include this in the RFP.
In the next step, the team will provide security standards for the vendors.
Step 3: Provide Vendor Security Standards
In the previous step, the team provided context for tasks in the RFP. In this step, the team will provide a set of internationally recognized standards for the competing vendors to incorporate into the manufacturing of the database and security mechanisms.
These standards will serve additionally as metrics of security performance to measure the security processes incorporated in the product. To prepare, read the following resources:
Database Models
Common Criteria (CC) for information technology security evaluation
evaluated assurance levels (EALs)
continuity of service
To be completed by a designated team member:
Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks. Include this in the RFP.
In the next step, the team will describe defense models for the RFP.
Step 4: Describe Defense Models
Now that team members have established security standards for the RFP, they will focus on defense models. As the contracting officer's technical representative (COTR), you can provide an approximate timeline for delivery since the networking environment will have numerous users and classes of access to be granted.
To be completed by a designated team member:
Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, read about defensive principles.
Then, read these resources on the enclave computing environment. Explain how it relates to the defensive principles. The network domains should be at different security levels and have different accesses, as well as different read and write permissions using non-members of the enclave to taint access to resources and information in the enclave, or vice versa. Read these resources on enclave computing:
enclave/computing environment
cyber operations in DoD policy and plans
In the enclave computing environment, define enclave boundary defense and include enclave firewalls separating databases and networks. This can be fictional or modeled after an existing model, using your IEEE standard citation format. Define the different environments you expect the databases to be working in and the security policies applicable. Provide this information in the RFP.
In the next step, the team will consider database defenses.
Step 5: Explore Database Defensive Methods - LAB EXPERIMENT
You have identified ways of protecting databases. Now, explore how these may be done on a MySQL database. Review any of the previous resources as you perform a Workspace lab. The lab will give you an opportunity to see some of the threats and risks to databases. Then, it will allow you to try some of the protective techniques and preventive measures discussed.
Do the lab and collaborate on defensive methods that should be used in protecting databases. Also include information about the threats and risks that need to be dealt with and possible recommendations for addressing these threats.
You will include this in your submission of the RFP.
In the next step, the team will provide a requirement statement.
Step 6: Provide a Requirement Statement for System Structure
To be completed by a designated team member (YOU):
In the previous step, you identified defense requirements for the vendor. The next part of the RFP will focus on the structure of the system.
The database will have a web input interface that the patient and other health care providers will use to see the data, glean information from the data, and modify and update the data in the database. Provide requirement statements that direct the vendors to demonstrate that the section of the system is part of a larger system or that memory is part of a larger memory block, and that the access and restrictions are integrated across the components or integrated with external media. State these requirements in the context of the medical database, and include it all in the RFP.
In the next step, you will outline security components.
Step 7: Provide Operating System Security Components
In the previous step, you composed a requirement statement regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms. Begin by first reading these resources on operating system security.
To be completed by a designated team member (YOU):
Then, provide requirements for the segmentation by operating system rings to ensure that processes do not affect each other. Provide an example of such a process in your requirement that could violate the segmentation mechanism and make sure the requirement statement you provide prevents that from occurring.
Specify requirements statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. Describe the expected security gain from incorporating this TPM. In addition, provide requirements statements that ensure the trusted computing base (TCB). Give examples of components to consider in the TCB and provide requirements of how to ensure protection of these components, such as authentication procedures and antimalware protection. To familiarize yourself with these concepts, review the following resources:
trusted computing
trusted computing base
You will include this in the RFP.
In the following step, you will write requirements for levels of security.
Step 8: Write Requirements for Multiple Independent Levels of Security
The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Since you are determining and incorporating the requirements into the RFP, in your role as SSE, you are also devising prototyping test plans and executing tests against sample databases to determine the requirements for access, access control, identification and authentication, and the security models that define read and write access. Access to the data is accomplished using security concepts and security models that ensure confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge.
The health care database should have capabilities for multiple independent levels of security (MILS). Your organization plans on expanding the user base of the database, and the web interface and the database read, write, and access controls should be built incorporating security models.
To be completed by a designated team member:
Write requirement statements for MILS in your database. Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, the Bell-LaPadula model, and the Chinese Wall model. Indicate any limitations for the application of these models. Review the content of the following resources. As you’re reading, note which cybersecurity models are most beneficial to your database.
multiple independent levels of security (MILS)
cybersecurity models
insecure handling
Include requirement statements regarding the vendor’s insecure handling solutions. They are to be accounted for in whatever security model the vendor chooses to incorporate, based on the definitions of the security model that you included with the requirements statement. Include this in the RFP.
Step 9: Include Access Control Concepts, Capabilities
In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems. Include requirement statements in the RFP that the vendor must identify the types of access control capabilities and how they execute access control.
To be completed by a designated team member:
Provide requirements statements for the vendor regarding access control concepts, authentication, and direct object access. Include the requirement statement in the RFP.
In the next step, you will create a test plan and review your remediation efforts, as well as come up with a report for vendors.
Step 10: Create a Test Plan and Review Remediation Results; Create Report for Vendors
In this step, you will define the test protocol for vendors. You are aware of several possible vulnerabilities to database asset security, and you will create the test procedure for testing that vulnerability and providing remediation of that vulnerability for the test plan and remediation results (TPRR) report. The TPRR will be included in the RFP for the vendors to use to demonstrate hardening against those vulnerabilities.
Read these resources in preparation for creating a test plan and remediation:
error handling and information leakage
insecure handling
cross-site scripting (XSS/CSRF) flaws
SQL injections
memory leakage
insecure configuration management
authentication (with a focus on broken authentication)
access control (with a focus on broken access control)
To be completed by a designated team member:
As a group, review these TPRR guidelines: Guideline for Creating a Test Plan and Remediation Results (TPRR) Report. Add this document into the RFP.