OpenMRS Security Assessment Wiki Assessment Template B
(Initial template) |
m |
||
(6 intermediate revisions by one user not shown) | |||
Line 1: | Line 1: | ||
− | As of | + | As of ..., your project WIKI page should include the content described below. You should earn at least 25 points during this phase. The next phase, [[OpenMRS Security Assessment Wiki Assessment Template C]], is due .... |
= Identify the Assessment Area Here = | = Identify the Assessment Area Here = | ||
Line 23: | Line 23: | ||
Class: (Pick PII, PHI, SEC, Other) | Class: (Pick PII, PHI, SEC, Other) | ||
− | Value of Asset: Pick | + | Value of Asset: (Pick Insignificant, Minor, Moderate, Major, Critical) |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
Describe the asset in a sentence or a paragraph. | Describe the asset in a sentence or a paragraph. | ||
Threat Agents: | Threat Agents: | ||
− | * Describe a specific threat agent who would plausibly attack this asset | + | * Describe a specific threat agent who would plausibly attack this asset, each threat agent on its own line. |
− | + | ||
Threats: | Threats: | ||
− | * '' | + | * ''Risk'' (Pick based on the Likelihood and Severity, using the chart below.) ''[Likelihood'' (Pick Rare, Unlikely, Possible, Likely, Almost Certain) ''* Severity'' (Pick Insignificant, Minor, Moderate, Major, Catastrophic, Doomsday) '']'' Thinking of all the above threat agents, list the plausible threat scenarios, one on each line. |
+ | |||
+ | {| | ||
+ | |- | ||
+ | | ||Insignificant || Minor || Moderate || Major || Catastrophic || Doomsday | ||
+ | |- | ||
+ | | Rare || Low ||Low || Medium || High || High || Extreme | ||
+ | |- | ||
+ | | Unlikely || Low || Low || Medium || High || Extreme || Extreme | ||
+ | |- | ||
+ | | Possible || Low || Medium || High || Extreme || Extreme || Extreme | ||
+ | |- | ||
+ | | Likely || Medium || High || High || Extreme || Extreme || Extreme | ||
+ | |- | ||
+ | | Almost Certain || High || High || Extreme || Extreme || Extreme || Extreme | ||
+ | |} | ||
+ | |||
+ | Source: W. Stallings and L. Brown, ''Computer Security: Principles and Practice,'' 3rd ed, Pearson, 2015, p. 505. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | -------------------- | ||
+ | This work by [[User:Scrain|Steven P. Crain]] ([http://www.google.com/recaptcha/mailhide/d?k=01kQLVRud4_G4fLVvieRmptw==&c=xzrJ5nOx65OjeB8B5xOwSUCBUqxRQDpU96mG9Bes_GQ= ...@plattsburgh.edu]) is licensed under a | ||
+ | [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License] | ||
+ | |||
+ | [[File:Creativecommons-by-nc-sa-40.png]] | ||
+ | |||
+ | [[Category:OpenMRS]] |
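Review bot: In the "Line 23" hunk, the new "Value of Asset" scale ends at "Critical", while the Severity scale in the rewritten Threats bullet ends at "Catastrophic, Doomsday". The template now carries two similar rating scales with different top levels and nothing says how they relate; a sentence stating that asset value is rated separately from threat severity would prevent authors from mixing the terms. The chart's first header cell is also empty, so nothing labels the rows as Likelihood and the columns as Severity; a labelled corner cell would make the lookup unambiguous.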
Latest revision as of 11:01, 28 January 2017
As of ..., your project WIKI page should include the content described below. You should earn at least 25 points during this phase. The next phase, OpenMRS Security Assessment Wiki Assessment Template C, is due ....
Identify the Assessment Area Here
Authors
The instructor will be compiling all of the submissions for this assignment into a report that will be made publicly available. If you wish public recognition for your contribution, you should create an OpenMRS ID at https://id.openmrs.org and then include your OpenMRS ID and optionally your name here.
Scope
This was described in a previous phase.
Assets
List the assets that you are assessing. Make sure to consider:
- Any data that identifies users (PII).
- Any data related to treatments, medical conditions, charges or payments (PHI).
- Any data related to security, like usernames and passwords (SEC).
- Any code that provides important access to any of the above.
- Any supporting hardware and software that an attacker might be able to use for a different purpose.
For each asset, use the following template. (1 point per asset plus 1 point per threat)
Name of Asset
Type of Asset: (Pick Hardware, Software, Data, Communications)
Class: (Pick PII, PHI, SEC, Other)
Value of Asset: (Pick Insignificant, Minor, Moderate, Major, Critical)
Describe the asset in a sentence or a paragraph.
Threat Agents:
- Describe a specific threat agent who would plausibly attack this asset, each threat agent on its own line.
Threats:
- Risk (Pick based on the Likelihood and Severity, using the chart below.) [Likelihood (Pick Rare, Unlikely, Possible, Likely, Almost Certain) * Severity (Pick Insignificant, Minor, Moderate, Major, Catastrophic, Doomsday) ] Thinking of all the above threat agents, list the plausible threat scenarios, one on each line.
Likelihood \ Severity | Insignificant | Minor | Moderate | Major | Catastrophic | Doomsday |
Rare | Low | Low | Medium | High | High | Extreme |
Unlikely | Low | Low | Medium | High | Extreme | Extreme |
Possible | Low | Medium | High | Extreme | Extreme | Extreme |
Likely | Medium | High | High | Extreme | Extreme | Extreme |
Almost Certain | High | High | Extreme | Extreme | Extreme | Extreme |
Source: W. Stallings and L. Brown, Computer Security: Principles and Practice, 3rd ed, Pearson, 2015, p. 505.
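An added example, not part of the original template: a small Python checker that reads threat lines written as "Risk [Likelihood * Severity] scenario" and confirms that the stated Risk matches the chart above. The exact bullet syntax it parses, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
SEVERITIES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic", "Doomsday"]
# Rows follow LIKELIHOODS, columns follow SEVERITIES (values copied from the chart).
CHART = [
    ["Low", "Low", "Medium", "High", "High", "Extreme"],
    ["Low", "Low", "Medium", "High", "Extreme", "Extreme"],
    ["Low", "Medium", "High", "Extreme", "Extreme", "Extreme"],
    ["Medium", "High", "High", "Extreme", "Extreme", "Extreme"],
    ["High", "High", "Extreme", "Extreme", "Extreme", "Extreme"],
]
# Assumed line shape: "- Risk [Likelihood * Severity] scenario text"
THREAT_RE = re.compile(r"^\s*[-*]\s*(\w+)\s*\[\s*([\w ]+?)\s*\*\s*(\w+)\s*\]\s*(.*)$")

def chart_risk(likelihood, severity):
    """Look up the risk level for a likelihood/severity pair."""
    return CHART[LIKELIHOODS.index(likelihood)][SEVERITIES.index(severity)]

def check_threat_line(line):
    """Return (ok, message) for one threat bullet."""
    m = THREAT_RE.match(line)
    if not m:
        return False, "not in 'Risk [Likelihood * Severity] scenario' form"
    risk, likelihood, severity, scenario = m.groups()
    if likelihood not in LIKELIHOODS:
        return False, f"unknown likelihood {likelihood!r}"
    if severity not in SEVERITIES:
        # Catches asset-value terms such as "Critical" used as a severity.
        return False, f"unknown severity {severity!r}"
    expected = chart_risk(likelihood, severity)
    if risk != expected:
        return False, f"risk {risk!r} should be {expected!r}"
    if not scenario.strip():
        return False, "missing threat scenario"
    return True, "ok"

# Constructed sample submissions (not taken from any real assessment).
SAMPLE = [
    "- Extreme [Possible * Major] Backup media holding patient records is lost in transit.",
    "- High [Almost Certain * Minor] Shared workstation is left logged in at the front desk.",
    "- Medium [Likely * Critical] Database server fails during clinic hours.",
    "- Low [Rare * Catastrophic] Data centre is destroyed by fire.",
]

def check_all(lines):
    """Check every line and return the list of (ok, message) results."""
    return [check_threat_line(line) for line in lines]

if __name__ == "__main__":
    for line, (ok, msg) in zip(SAMPLE, check_all(SAMPLE)):
        print("PASS" if ok else "FAIL", "|", msg, "|", line)
```

The third sample line fails because "Critical" belongs to the Value of Asset scale, not the Severity scale.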
This work by Steven P. Crain (...@plattsburgh.edu) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License