Database security assessment. Overview for the Vendors

As a security architect and cryptography specialist for Superior Health Care, you're familiar with the information systems throughout the company and the ranges of sensitivity in the information that is used, stored and transmitted. You're also expected to understand health care regulations and guidelines because you're responsible for advising the chief information security officer, or CISO, on a range of patient services, including the confidentiality and integrity of billing, payments, and insurance claims processing, as well as the security of patient information covered under the Health Insurance Portability and Accountability Act, or HIPAA.
You also have a team of security engineers, SEs, that help implements new cryptographic plans and policies and collaborates with the IT deployment and operations department during migrations to new technology initiatives. This week, the CISO calls you into his office to let you know about the company's latest initiative.
"We're implementing eFi, web-based electronic health care, and that means we need to modernize our enterprise key management system during the migration,” he says. The CISO asks for an enterprise key management plan that identifies the top components, possible solutions, comparisons of each solution, risks and benefits, and proposed risk mitigations.
Step 1: Provide an Overview for Vendors
As the contracting officer's technical representative (COTR), you are the liaison between your hospital and potential vendors. It is your duty to provide vendors with an overview of your organization. To do so, identify information about your hospital. Conduct independent research on hospital database management. Think about the hospital's different organizational needs. What departments or individuals will use the Security Concerns Common to All RDBMS, and for what purposes?
Step 2: Provide Context for the Work
Now that you have provided vendors with an overview of your hospital's needs, you will provide the vendors with a context for the work needed.
Since you are familiar with the application and implementation, give guidance to the vendors by explaining the attributes of the database and by describing the environment in which it will operate.
It is important to understand the vulnerability of a relational database management system (RDBMS). Read the following resources about RDBMSs.
error handling and information leakage
insecure handling
cross-site scripting (XSS/CSRF) flaws
SQL injections
memory leakage
insecure configuration management
Provide an overview including the types of data that may be stored in the system and the importance of keeping these data secure. Include this information in the RFP.
Step 3: Provide Vendor Security Standards
In the previous step, you added context for the needed work. Now, provide a set of internationally recognized standards that competing vendors will incorporate into the database. These standards will also serve as a checklist to measure security performance and security processes.
Read the following resources to prepare:
Database Models
Common Criteria (CC) for information technology security evaluation
evaluated assurance levels (EALs)
continuity of service
Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks.
Include these security standards in the RFP.
Step 4: Describe Defense Models
Now that you have established security standards for the RFP, you will define the use of defense models. This information is important since the networking environment will have numerous users with different levels of access.
Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, click the link and read about defensive principles.
Read these resources on enclave computing environment:
enclave/computing environment
cyber operations in DoD policy and plans
Explain how enclave computing relates to defensive principles. The network domains should be at different security levels, have different levels of access, and different read and write permissions.
Define enclave computing boundary defense.
Include enclave firewalls to separate databases and networks.
Define the different environments you expect the databases to be working in and the security policies applicable.
Provide this information in the RFP.
Step 5: Provide a Requirement Statement for System Structure
In the previous step, you identified defense requirements for the vendor. In this step of the RFP, you will focus on the structure of the system.
Provide requirement statements for a web interface to:
Allow patients and other healthcare providers to view, modify, and update the database.
Allow integrated access across multiple systems.
Prevent data exfiltration through external media.
State these requirements in the context of the medical database. Include this information in the RFP.
Step 6: Provide Operating System Security Components
In the previous step, you composed requirement statements regarding the system setup. In this step, you will provide the operating system security components that will support the database and the security protection mechanisms.
Read these resources on operating system security. Then:
Provide requirements for segmentation by operating system rings to ensure processes do not affect each other.
Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring.
Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. In those specifications:
Describe the expected security gain from incorporating TPM.
Provide requirement statements that adhere to the trusted computing base (TCB) standard.
Provide examples of components to consider in the TCB.
Provide requirements of how to ensure the protection of these components, such as authentication procedures and malware protection.
Read the following resources to familiarize yourself with these concepts:
trusted computing
trusted computing base
Include this information in the RFP.
In the following step, you will write requirements for levels of security.
Step 7: Write Requirements for Multiple Independent Levels of Security
The previous step required you to identify operating system security components to support the database. For this step, you will focus on identification, authentication, and access. Access to the data is accomplished using security concepts and security models that ensure the confidentiality and integrity of the data. Refer to access control and authentication to refresh your knowledge.
Step 8: Include Access Control Concepts, Capabilities
In the previous step, you wrote requirements for multiple levels of security, including the topics of identification, authentication, and access. In this step, you will focus on access control. The vendor will need to demonstrate capabilities to enforce identification, authentication, access, and authorization to the database management systems.
Include requirement statements in the RFP that the vendor must identify, the types of access control capabilities, and how they execute access control.
Provide requirement statements for the vendor regarding access control concepts, authentication, and direct object access.
Include the requirement statements in the RFP.
In the next step, you will incorporate additional security requirements and request vendors to provide a test plan.
The healthcare database should be able to incorporate multiple independent levels of security (MILS) because the organization plans to expand the number of users.
Write requirement statements for MILS for your database in the RFP.
Include the definitions and stipulations for cybersecurity models, including the Biba Integrity Model, Bell-LaPadula Model, and the Chinese Wall Model.
Indicate any limitations for the application of these models.
Read the following resources and note which cybersecurity models are most beneficial to your database:
multiple independent levels of security (MILS)
cybersecurity models
insecure handling
Include requirement statements for addressing insecure handling of data.
Include this information in your RFP.
Step 9: Include Test Plan Requirements
In the previous step, you defined access control requirements. Here, you will define test plan requirements for vendors.
Incorporate a short paragraph requiring the vendor to propose a test plan after reviewing these guidelines for a test and remediation results (TPRR) report.
Provide requirements for the vendor to supply an approximate timeline for the delivery of technology.
Note: In text-citation, end product and time of delivery is very important for this paper. Thank you