OpenMRS Security Assessment 2

From Foss2Serve
(Difference between revisions)
Jump to: navigation, search
(Comments:)
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
{| border="1"
 
|-
 
|'''Title''' ||OpenMRS Security Assessment 2
 
|-
 
|'''Overview''' || Students interview members of the OpenMRS community to gather information for the security assessment.
 
|-
 
|'''Prerequisite Knowledge''' || Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. They also need an introductory knowledge of using Wikis and Internet Relay Chat (IRC) for Humanitarian Free and Open Source Software (HFOSS) project communication.
 
|-
 
|'''Learning Objectives''' ||
 
#    Students gain familiarity with editing documents in a wiki, which is commonly used for HFOSS documentation.
 
# Students become familiar with the range of information for security assessment that can be acquired through interviews.
 
# Students learn to make interview questions valuable and meaningful.
 
# Students learn to be aware of the social aspects of appropriate interviewing.
 
# Students learn how OpenMRS uses Inernet Relay Chat (IRC) to communicate.
 
# Students learn how to use IRC properly for HFOSS projects.
 
# Students gain experience conducting interviews for security assessments.
 
|}
 
  
=== Background: ===
+
{{Learning Activity Overview
 +
|title=
 +
OpenMRS Security Assessment 2
 +
|overview=
 +
Students interview members of the OpenMRS community to gather information for the security assessment.
 +
|prerequisites=
 +
Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. They also need an introductory knowledge of using Wikis and Internet Relay Chat (IRC) for Humanitarian Free and Open Source Software (HFOSS) project communication.
 +
|objectives=
 +
# Edit documents in a wiki, which is commonly used for HFOSS documentation.
 +
# Be familiar with the range of information for security assessment that can be acquired through interviews.
 +
# Make interview questions valuable and meaningful.
 +
# Be aware of the social aspects of appropriate interviewing.
 +
# Know how OpenMRS uses Internet Relay Chat (IRC) to communicate.
 +
# Use IRC properly for HFOSS projects.
 +
# Conduct interviews for security assessments.
 +
|process skills=
 +
}}
 +
 
 +
=== Background ===
 +
 
 
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with [http://www.hhs.gov/ocr/privacy/index.html Department of Health and Human Services regulations] authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
 
OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with [http://www.hhs.gov/ocr/privacy/index.html Department of Health and Human Services regulations] authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)
  
Line 28: Line 30:
  
  
=== Directions: ===
+
=== Directions ===
  
 
In this assignment, you will be preparing for and conducting interviews. We will use the [[OpenMRS Security Assessment Wiki Interview Questions Template]] to organize and coordinate the interviews. This assignment must be completed in groups of 3–4 students.
 
In this assignment, you will be preparing for and conducting interviews. We will use the [[OpenMRS Security Assessment Wiki Interview Questions Template]] to organize and coordinate the interviews. This assignment must be completed in groups of 3–4 students.
Line 74: Line 76:
 
This part of the assignment is worth 30 points. Record your conversations on the [[OpenMRS Security Assessment Wiki Interview Questions Template]], under the appropriate questions.
 
This part of the assignment is worth 30 points. Record your conversations on the [[OpenMRS Security Assessment Wiki Interview Questions Template]], under the appropriate questions.
  
=== Deliverables: ===
+
=== Deliverables ===
 +
 
 
# Students propose questions on a common Wiki page.
 
# Students propose questions on a common Wiki page.
 
# Students submit a paragraph describing the activity they observed in the OpenMRS IRC channel over the course of an hour.
 
# Students submit a paragraph describing the activity they observed in the OpenMRS IRC channel over the course of an hour.
Line 80: Line 83:
  
  
=== Assessment: ===
+
=== Assessment ===
How will the activity be graded?
+
+
How will learning will be measured?
+
  
Include sample assessment questions/rubrics.
+
Part 1: Any group that proposes at least one question on the course WIKI gets full credit.
  
 +
Part 2: The short document will be assessed.
 +
 
{| border="1" class="wikitable"
 
{| border="1" class="wikitable"
 
! Criteria
 
! Criteria
Line 94: Line 96:
 
! Level 4 (exceptional)
 
! Level 4 (exceptional)
 
|-
 
|-
| '''The purpose of the project'''
+
| '''IRC/Talk Observation Document'''
|  
+
| No evidence of having observed the IRC and Talk communications.
|  
+
| Poorly written document showing minimal reflection.
|
+
| Well-written paragraph discussing the activity in the IRC, content on the talk pages, and briefly addressing the differences in about 1 sentence.
|
+
| Multiple coherent paragraphs addressing the content, similarities and differences with strong evidence of reflection.
  
|-
+
|}
| '''Why the project is open source'''
+
|
+
|
+
|
+
|
+
  
|}
+
Part 3: The results posted on the Web page will be assessed. Grading is entirely based on participation. (Full credit if they document having asked the question and no credit if they do not document asking the question.)
  
 
=== Comments: ===
 
=== Comments: ===
Line 118: Line 115:
 
There is a risk with this assignment that students may be banned from the IRC or talk systems. This can happen if they are mischievous, inquisitive, accidentally clueless. One time using this assignment, the whole site was banned from using the IRC, with no clear justification. The instructor should be in touch with OpenMRS in advance to negotiate how the student interactions will be policed.
 
There is a risk with this assignment that students may be banned from the IRC or talk systems. This can happen if they are mischievous, inquisitive, accidentally clueless. One time using this assignment, the whole site was banned from using the IRC, with no clear justification. The instructor should be in touch with OpenMRS in advance to negotiate how the student interactions will be policed.
  
=== Additional Information: ===
+
=== Additional Information ===
{| border="1"
+
 
|-
+
{{Learning Activity Info
|'''ACM Knowledge Area/Knowledge Unit''' || What ACM Computing Curricula 2013 knowledge area and units does this activity cover? [[ACM_Body_of_Knowledge]]
+
|acm unit=
|-
+
SP/Professional Communication
|'''ACM Topic''' || What specific topics are addressed? The Computing Curriucula 2013 provides a list of topics - https://www.acm.org/education/CS2013-final-report.pdf
+
|acm topic=
|-
+
Dynamics of oral, written, and electronic team and group communication (cross-reference
|'''Level of Difficulty''' || Is this activity easy, medium or challenging?
+
HCI/Collaboration and Communication/group communication; SE/Project Management/team participation); Utilizing collaboration tools (cross-reference HCI/Collaboration and Communication/online communities;
|-
+
IS/Agents/collaborative agents)
|'''Estimated Time to Completion''' ||  10 Hours
+
|difficulty=
|-
+
easy
|'''Materials/Environment''' ||
+
|time=
 +
3 hours
 +
|environment=
 
# The instructor needs to create or otherwise provide access to a Wiki that the students can edit. Create a base page for this series of assignments, possibly based on the [[OpenMRS Security Assessment Wiki Template]], and then create a page for this specific assignment, [[OpenMRS Security Assessment Wiki Interview Questions Template]].  
 
# The instructor needs to create or otherwise provide access to a Wiki that the students can edit. Create a base page for this series of assignments, possibly based on the [[OpenMRS Security Assessment Wiki Template]], and then create a page for this specific assignment, [[OpenMRS Security Assessment Wiki Interview Questions Template]].  
 
# Students need an IRC client, such as [http://chatzilla.hacksrus.com/ ChatZilla].
 
# Students need an IRC client, such as [http://chatzilla.hacksrus.com/ ChatZilla].
|-
+
|author=
|'''Author''' || Steven P. Crain  
+
Steven P. Crain  
|-
+
|source=
|'''Source''' || N/A
+
N/A
|-
+
|license=
|'''License''' || [[File:Creativecommons-by-nc-sa-40.png]] This activity is licensed under a [http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License].
+
{{License CC BY NC SA}}
|}
+
}}
  
 
=== Suggestions for Open Source Community: ===
 
=== Suggestions for Open Source Community: ===
Suggestions for an open source community member who is working in conjunction with the instructor.
+
* ''Suggestions for an open source community member who is working in conjunction with the instructor.''
 
+
 
+
--------------------
+
This work is licensed under a
+
[http://creativecommons.org/licenses/by-nc-sa/4.0/ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License]
+
 
+
[[File:Creativecommons-by-nc-sa-40.png]]
+
  
[[Category: Learning_Activity]]
+
[[Category:Learning Activity]]
[[Category: OpenMRS]]
+
[[Category:OpenMRS]]
[[Category: Privacy_and_Security]]
+
[[Category:Privacy and Security]]
 +
[[Category:Good Draft]]

Latest revision as of 11:04, 8 September 2018


Title

OpenMRS Security Assessment 2

Overview

Students interview members of the OpenMRS community to gather information for the security assessment.

Prerequisites

Students must have had a broad exposure to computer security, including Confidentiality-Integrity-Availability, Authentication-Authorization-Auditing, security design principles, database-specific security considerations and the risk assessment process. They also need an introductory knowledge of using Wikis and Internet Relay Chat (IRC) for Humanitarian Free and Open Source Software (HFOSS) project communication.

Learning
Objectives
After successfully completing this activity, the learner should be able to:
  1. Edit documents in a wiki, which is commonly used for HFOSS documentation.
  2. Be familiar with the range of information for security assessment that can be acquired through interviews.
  3. Make interview questions valuable and meaningful.
  4. Be aware of the social aspects of appropriate interviewing.
  5. Know how OpenMRS uses Internet Relay Chat (IRC) to communicate.
  6. Use IRC properly for HFOSS projects.
  7. Conduct interviews for security assessments.
Process Skills
Practiced


Background

OpenMRS is an open-source medical record management system. It is very popular in some parts of the world, but requires work to make it compatible with Department of Health and Human Services regulations authorized by the Health Insurance Portability and Accountability Act (HIPAA). This series of assignments aims to identify specific changes that are required to achieve HIPAA compliance to use OpenMRS in the context of a small medical practice or hospital. (Larger medical practices and hospitals typically have more complex situations and unique risks that require them to conduct their own assessment.)

Before beginning this assignment, students should be familiar with the material in a computer security textbook on risk assessment. We used Stallings and Brown, Computer Security: Principles and Practice, 3rd ed., Prentice Hall, 2015, chapter 14.

In this assignment, students use a Wiki to organize the questions they created in OpenMRS Security Assessment 1, in preparation for interviewing members of the OpenMRS community in OpenMRS Security Assessment 3. Wikis are commonly used by Free and Open Source Software projects for their documentation, so this assignment provides valuable experience with this tool.

The interviews themselves are conducted using Internet Relay Chat (IRC), a tool that enables open source developers all over the world communicate instantly, even if they have very low Internet bandwidth.


Directions

In this assignment, you will be preparing for and conducting interviews. We will use the OpenMRS Security Assessment Wiki Interview Questions Template to organize and coordinate the interviews. This assignment must be completed in groups of 3–4 students.

Part 1

Due date: This part can be due a day or so OpenMRS Security Assessment 1.

Edit the OpenMRS Security Assessment Wiki Interview Questions Template, adding the questions that you prepared in part 5 of Project 4. I provided a bunch of categories of questions, based on the kinds of questions that are normally asked in a risk assessment like this. Feel free to add additional categories if your question does not really fit well. If another team asked a similar question, you do not need to add it again.

If another team has put a question in the wrong category, or if you think it could be worded better, please make the appropriate changes. This is a WIKI, after all.

Participation in this section is worth 10 points.

The instructor will review each of the proposed questions, and will approve questions that are respectful, appropriate and useful for this security assessment.

Part 2

Deadline: About 3 days after part 1. This allows 1 day for the instructor to review the questions and another 2 days for students to sign up.

Sign up for at least 2 approved questions per team by editing the WIKI page. See the instructions in the Template section at the bottom of the WIKI. You are not allowed to steal a question that another team has already signed up for.

Like most open source projects, OpenMRS uses IRC for much of the communication with developers and users. Read the OpenMRS IRC information. Work through the activity, Introduction to IRC: connect to the IRC server irc.freenode.net; chose an IRC handle that ends with "_psu"; join channel #OpenMRS; spend an hour lurking and watching the discussion that is happening in the IRC channel. During this time, it is important that your whole team is connected (either personally or as a group) and paying attention to the activity on IRC.

OpenMRS also uses the Talk WIKI for communication. This does not see as much real-time interaction, but provides for longer conversations. Take some time as a group to explore the conversations that have taken place here.

Write a short document (one to three paragraphs, 20 pts) that discusses:

  1. What was going on in the IRC channel during this time.
  2. What kinds of conversations took place in the Talk site?
  3. What are the differences between the use of IRC and Talk pages?

Part 3 Due Tuesday 4/28

Connect again to the IRC channel #OpenMRS on Freenode. Lurk long enough to make sure that it seems appropriate to ask your interview questions. (Do not try to ask your questions while another team is asking questions or if something else important is being discussed.)

  1. Use a handle that ends with "_psu," mostly so you can coordinate with your classmates.
  2. Introduce yourself, saying that you are working on a class project at Plattsburgh State University. At the same time, ask one of your questions.
  3. Wait for a reply. If there is no reply, make note on the course WIKI that there was no reply and try again about 3 hours later. If there is still no reply, record your second attempt on the course WIKI and you have completed the assignment.
  4. If the reply raises other thoughts or questions, carry on a conversation with the other person or people on IRC that explores their answer in more detail.
  5. Record the conversation on the course WIKI.
  6. Find an appropriate place on the Talk pages to ask your second question. Ask it there. Put the link to the Talk page on the course WIKI.
  7. If anyone responds to your question on the Talk page, copy the discussion into the course WIKI.

This part of the assignment is worth 30 points. Record your conversations on the OpenMRS Security Assessment Wiki Interview Questions Template, under the appropriate questions.

Deliverables

  1. Students propose questions on a common Wiki page.
  2. Students submit a paragraph describing the activity they observed in the OpenMRS IRC channel over the course of an hour.
  3. Students report the results of their interviews on the common Wiki page.


Assessment

Part 1: Any group that proposes at least one question on the course WIKI gets full credit.

Part 2: The short document will be assessed.

Criteria Level 1 (fail) Level 2 (pass) Level 3 (good) Level 4 (exceptional)
IRC/Talk Observation Document No evidence of having observed the IRC and Talk communications. Poorly written document showing minimal reflection. Well-written paragraph discussing the activity in the IRC, content on the talk pages, and briefly addressing the differences in about 1 sentence. Multiple coherent paragraphs addressing the content, similarities and differences with strong evidence of reflection.

Part 3: The results posted on the Web page will be assessed. Grading is entirely based on participation. (Full credit if they document having asked the question and no credit if they do not document asking the question.)

Comments:

Throughout this assignment, it refers to "Plattsburgh State University" and "_psu." These should be replaced with appropriate references to whatver school is using the assignment.

This assignment was not nearly as successful as I had hoped. I did not coordinate with the OpenMRS community before the assignment, and the IRC channels were too quiet when the students attempted this. The students found this very frustrating, as they were looking forward to talking to real OpenMRS developers!

The second time I ran the course, I had the students interact with both IRC and the OpenMRS Talk system. The result was more satisfying, but still needs some work.

There is a risk with this assignment that students may be banned from the IRC or talk systems. This can happen if they are mischievous, inquisitive, accidentally clueless. One time using this assignment, the whole site was banned from using the IRC, with no clear justification. The instructor should be in touch with OpenMRS in advance to negotiate how the student interactions will be policed.

Additional Information

ACM BoK
Area & Unit(s)

SP/Professional Communication

ACM BoK
Topic(s)

Dynamics of oral, written, and electronic team and group communication (cross-reference HCI/Collaboration and Communication/group communication; SE/Project Management/team participation); Utilizing collaboration tools (cross-reference HCI/Collaboration and Communication/online communities; IS/Agents/collaborative agents)

Difficulty

easy

Estimated Time
to Complete

3 hours

Environment /
Materials
  1. The instructor needs to create or otherwise provide access to a Wiki that the students can edit. Create a base page for this series of assignments, possibly based on the OpenMRS Security Assessment Wiki Template, and then create a page for this specific assignment, OpenMRS Security Assessment Wiki Interview Questions Template.
  2. Students need an IRC client, such as ChatZilla.
Author(s)

Steven P. Crain

Source

N/A

License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Creativecommons-by-nc-sa-40.png


Suggestions for Open Source Community:

  • Suggestions for an open source community member who is working in conjunction with the instructor.
Personal tools
Namespaces
Variants
Actions
Events
Learning Resources
HFOSS Projects
Evaluation
Navigation
Toolbox