Georgia Aviation & Technical

Database Security Assessment

You are a contracting officer’s technical representative, a security system engineer, at a military hospital. Your department’s leaders are adopting a new medical health care database management system, and they’ve tasked you with creating a request for proposal for a system that different vendors will compete to build and provide to the hospital.

A request for proposal, or RFP, is when an organization sends out a request for estimates on performing a function, delivering a technology, or providing a service or augmenting staff. RFPs are tailored to each endeavor but have common components and are important in the world of IT contracting and for procurement and acquisitions.

To complete the RFP, you must determine the technical and security specifications for the system. You’ll write the requirements for the overall system and also provide evaluation standards that will be used in rating the vendor’s performance. Your learning will help you determine your system’s requirements.

As you discover methods of attack, you’ll write prevention and remediation requirements for the vendor to perform. You must identify the different vulnerabilities the database should be hardened against.

Deliverables

  • An RFP, about 10 to 12 pages, in the form of a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations. There is no penalty for using additional pages. Include a minimum of six references. Include a reference list with the report.
  • An MS-Excel spreadsheet with lab results.

There are 11 steps in this project. You will begin with the workplace scenario and continue with Step 1: “Provide an Overview for Vendors.”

Modern health care systems incorporate databases for effective and efficient management of patient health care. Databases are vulnerable to cyberattacks and must be designed and built with security controls from the beginning of the life cycle.

Although hardening the database early in the life cycle is better, security is often incorporated after deployment, forcing hospital and health care IT professionals to play catch-up. Database security requirements should be defined at the requirements stage of acquisition and procurement.

System security engineers and other acquisition personnel can effectively assist vendors in building better health care database systems by specifying security requirements up front within the request for proposal (RFP). In this project, you will be developing an RFP for a new medical health care database management system.

Parts of your deliverables will be developed through your learning lab. You will submit the following deliverables for this project:

Step 1: Provide an Overview for Vendors

Step 2: Provide Context for the Work

Step 3: Provide Vendor Security Standards

Step 4: Describe Defense Models

Step 5: Explore Database Defensive Methods

Step 6: Provide a Requirement Statement for System Structure

Step 7: Provide Operating System Security Components

Step 8: Write Requirements for Multiple Independent Levels of Security

Step 9: Include Access Control Concepts, Capabilities

Step 10: Include Test Plan Requirements

Step 11: Compile the RFP Document


Transcript

You are an enterprise security architect for a company in a semiconductor manufacturing industry where maintaining competitive advantage and protecting intellectual property is vital. You’re in charge of security operations and strategic security planning. Your responsibilities include devising the security protocols for identification, access, and authorization management.

You recently implemented cryptography algorithms to protect the organization’s information. Leadership is pleased with your efforts and would like you to take protection methods even further. They’ve asked you to study cyberattacks against different cryptography mechanisms and deploy access control programs to prevent those types of attacks.

“We’d like you to create plans for future security technology deployments,” says one senior manager, “and provide documentation so that others can carry out the deployments.” A director chimes in: “But you should also devise a method for ensuring the identification, integrity, and nonrepudiation of information in transit, at rest, and in use within the organization.”

As the enterprise security architect, you are responsible for providing the following deliverables:

Create a network security vulnerability and threat table in which you outline the security architecture of the organization, the cryptographic means of protecting the assets of the organization, the types of known attacks against those protections, and means to ward off the attacks. This document will help you manage the current configuration of the security architecture.

Create a Common Access Card (CAC) deployment strategy in which you describe the CAC implementation and deployment and encryption methodology for information security professionals.

Create an email security strategy in which you provide the public key/private key hashing methodology to determine the best key management system for your organization. These documents will provide a security overview for the leadership in your company.

Encryption uses cryptographic algorithms to obfuscate data. These complex algorithms transform data from human-readable plaintext into encrypted cipher text. Encryption uses the principles of substitution and permutation to ensure that data is transformed in a nondeterministic manner by allowing the user to select the password or a key to encrypt a message. The recipient must know the key in order to decrypt the message, translating it back into the human-readable plaintext.

There are six steps that will lead you through this project. After beginning with the workplace scenario, continue to Step 1: IT Systems Architecture.

The deliverables for this project are as follows:

1. Create a single report in Word document format. This report should be about 10 pages long, double-spaced, with citations in APA format. Page count does not include diagrams or tables. The report must cover the following:

  • network security and threat table
  • Common Access Card deployment strategy
  • email security strategy

2. In a Word document, share your lab experience and provide screenshots to demonstrate that you performed the lab.

Competencies

Your work will be evaluated using the competencies listed below.

1.5: Use sentence structure appropriate to the task, message and audience.

1.6: Follow conventions of Standard Written English.

1.7: Create neat and professional looking documents appropriate for the project or presentation.

2.1: Identify and clearly explain the issue, question, or problem under critical consideration.

2.2: Locate and access sufficient information to investigate the issue or problem.

2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.

2.4: Consider and analyze information in context to the issue or problem.

3.2: Employ mathematical or statistical operations and data analysis techniques to arrive at a correct or optimal solution.

5.1: Knowledge of procedures, tools, and applications used to keep data or information secure, including public key infrastructure, point-to-point encryption, and smart cards.

Step 1: IT Systems Architecture

Step 2: Plan of Protection

Step 3: Data Hiding Technologies

Step 4: Create the Network Security Vulnerability and Threat Table

Step 5: Access Control Based on Smart Card Strategies

Step 6: The Email Security Strategy


Software Development Life Cycle for Data in the Cloud Computing Environment

Each team member is a security software architect in a cloud service provider company, assigned to a project to provide the client with data integrity and confidentiality protections for data in transit that will be using applications in the cloud. Your client is an HR company that is moving HR applications and HR data into a community cloud, sharing tenancy with other clients. Your company has set up a software as a service (SaaS) offering for its client base.

The data that the HR company will be pushing to and from the cloud will contain sensitive employee information, such as personally identifiable information (PII). You will have to address sensitive data and transit issues of the client data using the HR applications stored in the cloud, and provide a life cycle management report that includes solutions to the cloud computing architect of your company.

The team will decide on a team leader, who may divide sections to complete by small groups of team members. You decide to make an outline of the report, and to use the phases of the software development life cycle (SDLC) as a basis for the report. The outline includes the following: examine the cloud computing environment and determine the protection techniques and how they will be applied to components within the cloud to ensure end-to-end protection of data in transit. Consider what security techniques and methods are applicable, and tailor the software development life cycle methodology for the cloud computing environment.

Select the best methods and techniques for protecting confidentiality and integrity of data in transit, and apply principles to the whole study approach. These are the software development life cycle phases to use as the report outline: initiating projects/defining scope, functional design, analysis and planning, system design specifications, software development, installation/implementation, tailoring, operation and maintenance, and disposal. Work in partnership teams to create the report.

Step 1: Initiate the Project and Define Its Scope

Step 2: Begin Functional Analysis and Design—Use SQUARE for Requirements Information Gathering

Step 3: Learn Different Ways to Secure Data in the Cloud

Step 4: Provide Analysis and Planning for Evaluating Technologies

Step 5: Create System Design Specifications

Step 6: Explain the Software Development Plan

Step 7: Provide a Plan for Testing and Integration

Step 8: Adapt and Deploy Software as a Service

Step 9: Provide a Plan for Operations and Maintenance

Step 10: Create a Disposal Plan

Step 11: Final Report Review and Submission

Step 6: Explain the Software Development Plan

Now that the team has identified system specifications, provide an explanation of the software development need and the plan for software development, if any.

Identify different design and development considerations for the system.

Include this explanation in the final report.

Step 7: Provide a Plan for Testing and Integration

In the previous step, the team explained the software development plan. In this step, the team will develop a plan for testing and integration.

Include test plans for the various devices that will be used to access the system. The following should be included in the plan:

  1. Include testing for software functions as well as compatibility with other software that may exist on those devices.
  2. Include cloud data transactions as well as data transactions outside the cloud.
  3. Provide research and justification for applying data confidentiality and data integrity protections.
  4. Consider examples of technologies and/or techniques that can be used to protect the data in transit.
  5. Provide the expected results from implementing these technologies and/or techniques.


Mobile Application Threat Modeling

You are a cyber threat analyst at a mobile applications company. One morning, your supervisor, Dan, tells you about a mobile application security project that is already under way, but needs more guidance. Because of your success on previous projects, he wants your help.

Your expertise and oversight will enable the mobile app team to meet its approaching deadline. “Mobile applications and their security are on the technology roadmap for our organization. Of course, this means we need to be well-informed of mobile application security management,” Dan says.

“Without the proper threat modeling, leadership can’t be sure of the issues that lie ahead. I want you to oversee the project and manage the team,” Dan says. “We’d also like you to contribute to this project by preparing a report for senior management.” The report should include threat models to this technology as well as remediation for management to consider. The report should give senior management a greater understanding of mobile application security and its implementation.

Your report should consist of the following sections: mobile application architecture, mobile data, threat agent identification, methods of attack, and possible controls. The goal is to convince senior managers that your proposals will benefit the company.

Threat modeling begins with a clear understanding of the system in question. There are several areas to consider when trying to understand threats to an application. The areas of concern include the mobile application structure, the data, identifying threat agents and methods of attack, and controls to prevent attacks. The threat model should be created with an outline or checklist of items that need to be documented, reviewed, and discussed when developing a mobile application.

In this project, you will create a threat model. There are seven steps that will lead you through this project, beginning with the scenario as it might occur in the workplace, and continuing with Step 1: “Describe Your Mobile Application Architecture.”

The following are the deliverables for this project:

Deliverables

  • Threat Model Report: An eight- to 10-page double-spaced Word document with citations in APA format. The report should include your findings and any recommendations for mitigating the threats found. The page count does not include figures, diagrams, tables, or citations.
  • Lab Report: A Word document sharing your lab experience along with screenshots.

Competencies

Your work will be evaluated using the competencies listed below.

  • 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
  • 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
  • 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
  • 1.4: Tailor communications to the audience.
  • 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
  • 2.2: Locate and access sufficient information to investigate the issue or problem.
  • 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
  • 6.3: Specify security solutions based on knowledge of principles, procedures, and tools of data management, such as modeling techniques, data backup, data recovery, data directories, data warehousing, data mining, data disposal, and data standardization processes.

If you succeed, leadership will move forward with its plan for mobile applications.

Step 1: Describe Your Mobile Application Architecture

Step 2: Define the Requirements for Your Mobile Application

Step 3: Identify Threats and Threat Agents

Step 4: Identify Methods of Attack

Step 5: Analyze Mobile Application Threats

Step 6: Consider Controls

Step 7: Complete Your Threat Model
