OpenMRS Security Assessment Wiki Template

From Foss2Serve

Latest revision as of 11:03, 28 January 2017

OpenMRS Security Assessment Wiki

We are breaking down our security and HIPAA risk assessment into smaller groups, based on the part of OpenMRS we are studying and the aspect of compliance we are focusing on. Each team should create a page for itself by copying the contents from the OpenMRS Security Assessment Wiki Assessment Template A.

This assessment is broken into a series of assignments. Since each team faces a different set of challenges, the assignments have a flexible allocation of points. Surplus points on any part can offset points needed on other parts.

Assignments

  1. Assignment 2: (due ...) OpenMRS Security Assessment Wiki Interview Questions Template
  2. Assignment 3: (due 4-7 days later) OpenMRS Security Assessment Wiki Assessment Template A
  3. Assignment 4: (due 5-7 weeks later) OpenMRS Security Assessment Wiki Assessment Template B
  4. Assignment 5: (due 1 week later) OpenMRS Security Assessment Wiki Assessment Template C
  5. Assignment 6: (due 2-3 days later) OpenMRS Security Assessment Wiki Assessment Template D

Reference Application

OpenMRS comes with an example user interface variously called the WebApp, reference application or legacy user interface. Most users of OpenMRS just use this reference user interface, so we will be auditing its security.

WebApp Auth Team Studying how authentication and access control are and should be used to control use of the WebApp to access or change PHI.

WebApp Audit Team Studying the auditing capability provided with the WebApp.

WebApp Confidentiality Team Studying how the WebApp ensures the confidentiality of PHI.

API

The core of the OpenMRS is a set of Java classes that provide controlled access to the PHI in the database.

API Auth Team Studying how authentication and access control are and should be used to control access to or change of PHI through the API.

API Audit Team Studying how the API does and should audit access to and change of PHI.

API Confidentiality Team Studying how the API ensures the confidentiality of PHI.


Database

The PHI is all stored in a MySQL database.

Database Auth Team Studying how authentication and access control are and should be used in the database.

Database Audit Team (is Awesome!) Studying how the database does and should audit access to and change of PHI.

Database Confidentiality Team Studying how the database ensures the confidentiality of PHI.



This work by Steven P. Crain (...@plattsburgh.edu) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
