OpenMRS Security Assessment Wiki Assessment Template B
As of 5/4, your project WIKI page should include the content described below. You should earn at least 25 points during this phase. The next phase, OpenMRS Security Assessment Wiki Assessment Template C, is due 5/6.
Contents |
Identify the Assessment Area Here
Authors
The instructor will be compiling all of the submissions for this assignment into a report that will be made publicly available. If you wish public recognition for your contribution, you should create an OpenMRS ID at https://id.openmrs.org and then include your OpenMRS ID and optionally your name here.
Scope
This was described in a previous phase
Assets
List the assets that you are assessing. Make sure to consider:
- Any data that identifies users (PII).
- Any data related to treatments, medical conditions, charges or payments (PHI).
- Any data related to security, like usernames and passwords (SEC).
- Any code that provides important access to any of the above.
- Any supporting hardware and software that an attacker might be able to use for a different purpose.
For each asset, use the following template. (1 point per asset plus 1 point per threat)
Name of Asset
Type of Asset: (Pick Hardware, Software, Data, Communications)
Class: (Pick PII, PHI, SEC, Other)
Value of Asset: Pick from
- Insignificant
- Minor
- Moderate
- Major
- Critical
Describe the asset in a sentence or a paragraph.
Threat Agents:
- Describe a specific threat agent who would plausibly attack this asset.
- Put each threat agent on its own line.
Threats:
- Probability*Severity Thinking of all the above threat agents, list the plausible threat scenarios, one on each line. (Replace Probability with the subjective likelihood that the threat will happen, e.g. LIKELY. Replace Severity with the seriousness if the threat does happen, e.g. DOOMSDAY.)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License