Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Recommends changes to the company’s security management policies based on info b

ID: 3640810 • Letter: R

Question

Recommends changes to the company’s security management policies based on info below.

iTrust New Requirements

1. Add role: emergency responder. Currently the only roles in iTrust are licensed health care professional, unlicensed health care professional (a.k.a secretarial support), administrator and patient. The need for another role has arisen: emergency responder (ER). An emergency responder is defined as follows: police, fire, emergency medical technicians (EMTs), and other medically trained emergency responders who provide care while at, or in transport from, the site of an emergency. The only capability provided to an ER is access to an emergency report for a patient that provides basic but important information such as: allergies, blood type, recent short-term diagnoses, long term, chronic illness diagnoses, prescription history, and immunization history. The patient is sent an email to notify them of the viewing of their records by an emergency responder.

2. Find qualified licensed health care professional. A patient has just been diagnosed with a condition and wants to find the licensed health care professionals (LHCPs) in the area who have handled that condition. The patient chooses 'My Diagnoses” and is presented with a listing of all their own diagnoses, sorted by diagnosis date (more recent first). The patient can select a diagnosis and will be presented with the LHCPs in the patient's living area (based upon the first three numbers of their zip code) who have handled this diagnosis in the last three years. The list is ranked by the quantity of patients the LHCP has treated for that diagnosis (each patient is only counted once regardless of the number of office visits). For each LHCP, the following information is displayed:
i. Name of LHCP linked to contact information for that LHCP
ii. The quantity of unique patients treated by that LHCP for that diagnosis (each patient is only counted once regardless of the number of office visits)
iii. List of all prescriptions given by that LHCP for that diagnosis
iv. List of all laboratory procedures ordered by that LHCP for that diagnosis
v. The LCHP's average visit satisfaction
vi. The LHCP's average treatment satisfaction

3. Update diagnosis code table. The American Medical Association has decided that beginning January 1, 2010 all diagnoses must be coded with ICD-10 rather than ICD-9CM. These new codes need to be saved for eventual use by the iTrust application.
4. View access log. A patient can view a listing of the names of licensed health care professionals that viewed or edited their medical records and the date the viewing/editing occurred is displayed.

Explanation / Answer

Step 1: Calibrate value of database tables ? Which iTrust database table would be least attractive to an attacker? ? Which iTrust database table would be most attractive to an attacker? ? Use your planning poker cards to assign relative point values for the “value” of each database table, giving a 1 to the least attractive. ? Circle the database tables in Table 1 and put the value points in the appropriate column. ? There are your “value” endpoints for the rest of the exercise. Step 2: Calibrate ease of attack for requirements ? Which requirement adds functionality that will make an attack easiest? ? Which requirement adds functionality that will make attack hardest? ? Use your planning poker cards to assign relative point values for the “ease” of each requirement. – Assign the least attractive a 1 if you think the theme adds no new risk. ? Record ease values in Table 3. ? There are your “ease” endpoints for the rest of the exercise. Step 3: Compute security risk of requirements ? For each requirement: – Identify database tables used in that requirement and record in Table 2. For each: » Table already have a “value”? Use it. » Table doesn’t have a “value”? “Poker” a value and put it in Tables 1 and 2 – Put sum of database values in Table 3. – “Poker” a value for ease points for each theme and record in Table 3. – Compute security risk in Table 3 by multiplying value by ease. Step 4: Risk Ranking and Discussion ? Rank your risks. ? Any surprises? Satisfied with values you gave? ? What plans would you put in place now that you are more aware of the security risk? Anticipated Results of Protection Poker ? Explicit result (20%): – Relative security risk assessment ? Side effects/implicit results (80%): – Greater awareness understanding of security implications of requirement – Allocation of time to build security into new functionality “delivered” at end of iteration (appropriate to relative risk) – Knowledge sharing and transfer of security information

Related Questions

Recognition: Given an identifier, decide whether it is a legal one? Evaluate the
Question #3569616
Recognition: Given an identifier, decide whether it is a legal one? Evaluate the
Question #3569811
Recognize the factors that influence enzymatic activity, and how they influence
Question #97763
Recognize the following major structures and know how changing the structure wil
Question #191503
Recognize the impact of engineering solutions in a global social context Explain
Question #1714918
Recognize the impact of engineering solutions in a global social context Explain
Question #3662345
Recognize the impact of engineering solutions in an economic context Explain (60
Question #3662839
Recognize the importance of microorganisms in water and sewage treatment plants.
Question #150470

Navigate

Previous
Recommending Controls You will have the opportunity in this Discussion to recomm
Next
Reconcile Fund Statements to Statement of Activities The following information i

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.