OpenMRS Security Assessment Wiki Interview Questions Template
OpenMRS Survey Questions
In Assignment 1, you each came up with some questions that you would like to ask OpenMRS users.
In Assignment 2, you will be interviewing real OpenMRS users and developers, so we want to make sure that you are organized, respectful and ready to have a great interview experience.
In the following assignments, you will be conducting a risk assessment on one of the OpenMRS Security Assessment Wiki Template.
This project has the following deadlines:
|...||Add the questions from your Assignment 1 in the appropriate categories.|
|Form teams of 1–2 students.|
|About 3 days later||Sign up for 2 approved questions per team.|
|About 4-7 days later||Complete the interviews and record the responses on this page.|
I have provided a few questions that you can use as examples, both in terms of the content and formatting. If other students have put questions in the wrong category or if you can make them better questions, please do so!
OpenMRS General Objectives
List questions that probe the objectives of OpenMRS and of the health care providers who use it.
We know that the number one purpose of OpenMRS users is to care for their patients. What other factors go into their purpose? (Source: Crain)
OpenMRS General Policies
List questions that probe general policies of OpenMRS or of the health care providers who use it.
The focus is on things that we might overlook yet have an influence of security.
In practice, how do most people evaluate if using OpenMRS is right for them? (Source: Dong)
OpenMRS General Risk Profile
List questions that probe how extensive attacks are on OpenMRS deployments, and how that could change in the future, especially if deployed in the U.S.
Are there any statistics on how many security breaches have involved OpenMRS? (Source: Crain)
OpenMRS Risk Appetite
List questions that probe how OpenMRS and its users would cope with a terrible security breach.
What are the consequences to a medical practice of a security failure in OpenMRS? (Source: Stallings, p. 490)
IT Security Objectives
List questions that address security goals.
While the OpenMRS development team correctly worry about Access Control, are there plans or intentions of aiming more at other important controls such as establishing a strong configuration backup policy and enabling detailed auditing of privileged commands? (Source: Miguel, Narciso)
IT Security Strategies
List questions that address strategies OpenMRS is taking to achieve adequate security.
Where can I find documentation from previous security assessments for OpenMRS? (Source: Crain)
IT Security Policies
List questions that address policies related to security.
When does the responsibility of security pass from the programmer to the user?(Source: Eisenhardt)
List questions that probe the rights patients should have over access to and use of data about them.
OpenMRS User Rights
List questions that probe rights the users of OpenMRS should have regarding the data they collect in OpenMRS.
List questions that probe the parts of OpenMRS and its data that are indispensable, or that would be of value to an attacker.
What key aspects of a medical practice require OpenMRS support in order to operate efficiently? (Source: Stallings, p. 490)
What tasks can only be performed with OpenMRS support? (Source: Stallings, p. 490)
Which essential decisions depend on the accuracy, currency, integrity or availability of data managed by OpenMRS? (Source: Stallings, p. 490)
What data created, managed by, processed and stored by OpenMRS need protection? (Source: Stallings, p. 490)
OpenMRS User/Developer Security Awareness
List questions pertaining to how OpenMRS might increase awareness of the importance of security among users and developers.
Are there currently any known situations where users are routinely trying to circumvent security measures (for example, I read that people were often given too many permissions)? (Source: Torres)
This work by Steven P. Crain (...@plattsburgh.edu) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License