OpenMRS Security Assessment Wiki Assessment Template B

From Foss2Serve
Revision as of 19:42, 30 June 2016 by Scrain (Talk | contribs)

As of ..., your project wiki page should include the content described below. You should earn at least 25 points during this phase. The next phase, OpenMRS Security Assessment Wiki Assessment Template C, is due ....

Identify the Assessment Area Here

Authors

The instructor will be compiling all of the submissions for this assignment into a report that will be made publicly available. If you wish public recognition for your contribution, you should create an OpenMRS ID at https://id.openmrs.org and then include your OpenMRS ID and optionally your name here.

Scope

This was described in a previous phase.

Assets

List the assets that you are assessing. Make sure to consider:

  1. Any data that identifies users (PII).
  2. Any data related to treatments, medical conditions, charges or payments (PHI).
  3. Any data related to security, like usernames and passwords (SEC).
  4. Any code that provides important access to any of the above.
  5. Any supporting hardware and software that an attacker might be able to use for a different purpose.

For each asset, use the following template. (1 point per asset plus 1 point per threat)

Name of Asset

Type of Asset: (Pick Hardware, Software, Data, Communications)

Class: (Pick PII, PHI, SEC, Other)

Value of Asset: (Pick Insignificant, Minor, Moderate, Major, Critical)

Describe the asset in a sentence or a paragraph.

Threat Agents:

  • Describe a specific threat agent who would plausibly attack this asset, each threat agent on its own line.

Threats:

  • Risk (Pick based on the Likelihood and Severity, using the chart below.) [Likelihood (Pick Rare, Unlikely, Possible, Likely, Almost Certain) * Severity (Pick Insignificant, Minor, Moderate, Major, Catastrophic, Doomsday)] Thinking of all the above threat agents, list the plausible threat scenarios, one on each line.

| Likelihood \ Severity | Insignificant | Minor | Moderate | Major | Catastrophic | Doomsday |
|---|---|---|---|---|---|---|
| Rare | Low | Low | Medium | High | High | Extreme |
| Unlikely | Low | Low | Medium | High | Extreme | Extreme |
| Possible | Low | Medium | High | Extreme | Extreme | Extreme |
| Likely | Medium | High | High | Extreme | Extreme | Extreme |
| Almost Certain | High | High | Extreme | Extreme | Extreme | Extreme |

Source: W. Stallings and L. Brown, Computer Security: Principles and Practice, 3rd ed., Pearson, 2015, p. 505.




This work by Steven P. Crain (...@plattsburgh.edu) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
