Database Security Assessment

I. Overview – Devise a Request for Proposal (RFP) for securing a new database
a. Devise overview of hospital organization
b. Research hospital database management
II. Tasks Context Requirements
a. Devise context of the work that is being asked for
i. Determine the attributes of the database
ii. Describe the environment in which it will operate
b. Security concerns common to all relational database management systems (RDBMS)
c. Provide security concepts and concerns for databases
III. Security Standards Requirements
a. Provide a set of internationally recognized standards to incorporate into the database and its security mechanisms
b. Security performance metrics to measure the security processes incorporated into the product
c. Incorporate
i. Database models
ii. Common Criteria (CC) for information technology security evaluation
iii. Evaluated Assurance Levels (EALs)
iv. Continuity of Service
d. Address concepts and issues with respect to
i. Disasters and disaster recovery
ii. Mission continuity
iii. Threats
iv. Cyberattacks
IV. Defense Requirements
a. Defense Models
b. Provide approximate timeline for delivery
c. State overall strategy for defensive principles
i. Explain importance of principles
d. Define enclave boundary defense
e. Defensive Methods
f. Devise defensive methods that should be used in protecting databases
g. Include information on threats, risks and possible recommendations to these threats
V. Operating System Security Components Requirements
a. Review operating system resources
b. Requirements for segmentation by operating system rings
i. Provide an example of
1. A process that could violate the segmentation mechanism
2. How the mechanism prevents this from happening
ii. Specify requirement statements that include
1. Trusted platform module (TPM)
2. A cryptographic key is supplied at chip level
3. Describe expected security gain from incorporating this TPM
iii. Provide requirements statements that ensure trusted computing base (TCB)
1. Give examples of components to consider in the TCB
iv. Provide requirements of how to ensure protection of these components
1. Such as authentication procedures and antimalware protection
v. Review
1. Trusted computing
2. Trusted computing base
VI. MILS Requirements
a. Devise prototyping test plans and execute tests against sample databases to determine requirements for
i. Access
ii. Access control
iii. Authentication
iv. Security models that define read and write access
b. Access to data is accomplished using security concepts and security models
i. Ensure confidentiality and integrity of data
c. Health care database should have capabilities for multiple independent levels of security (MILS)
d. Organization plans on expanding
i. User base of the database
ii. Web interface
iii. Database read, write and access controls should be built incorporating security models
e. Write requirement statement for MILS in database
i. Review
1. Multiple independent levels of security (MILS)
2. Cybersecurity models
3. Insecure handling
ii. Address:
1. Definitions and stipulations for cybersecurity models
2. The Biba Integrity Model
3. The Bell-LaPadula Model
4. The Chinese Wall Model
5. Any limitations for the application of these models
VII. Access Control Requirements
a. Address access control
b. Vendor will need to demonstrate the capability to enforce, within the database management system:
i. Identification
ii. Authentication
iii. Access
iv. Authorization
VIII. TPRR
a. Define test protocol for vendors
b. Be aware of several possible vulnerabilities to database asset security
c. Vendors use TPRR to demonstrate hardening against those vulnerabilities
d. Address:
i. Error handling and information leakage
ii. Insecure handling
iii. Cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws
iv. SQL injections
v. Memory leakage
vi. Insecure configuration management
vii. Authentication (with a focus on broken authentication)
viii. Access control (with a focus on broken access control)
ix. Guideline for Creating a Test Plan and Remediation Results (TPRR)
IX. Summary
X. References
