Step 4: Describe Defense Models
Now that you have established security standards for the RFP, you will define the use of defense models.
This information is important since the networking environment will have numerous users with different levels of access.
Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles.
Explain the importance of understanding these principles. To further your understanding, click the link and read the resources that I provided you.
Read the resources on enclave computing environment that I provided you.:
Explain how enclave computing relates to defensive principles. The network domains should be at different security levels, have different levels of access, and different read and write permissions.
Define enclave computing boundary defense.
Include enclave firewalls to separate databases and networks.
Define the different environments you expect the databases to be working in and the security policies applicable.
Step 5: Provide a Requirement Statement for System Structure
In the previous step, you identified defense requirements for the vendor. In this step of the RFP, you will focus on the structure of the system.
Provide requirement statements for a web interface to:
1. Allow patients and other health care providers to view, modify, and update the database.
2. Allow integrated access across multiple systems.
3. Prevent data exfiltration through external media.
State these requirements in the context of the medical database.
In the next step, you will outline operating system security components.
Step 6: Provide Operating System Security Components
In this step, you will provide the operating system security components that will support the database and the security protection mechanisms.
Read these resources on operating system security. Then:
1. Provide requirements for segmentation by operating system rings to ensure processes do not affect each other.
2. Provide one example of a process that could violate the segmentation mechanism. Ensure your requirement statements prevent such a violation from occurring.
Specify requirement statements that include a trusted platform module (TPM), in which a cryptographic key is supplied at the chip level. In those specifications:
1. Describe the expected security gain from incorporating TPM.
2. Provide requirement statements that adhere to the trusted computing base (TCB) standard.
3. Provide examples of components to consider in the TCB.
4. Provide requirements of how to ensure protection of these components, such as authentication procedures and malware protection.
Read the resources on trusted computing that I provided you.
