
Secure Project Planning


mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Mon Nov 27, 2006 12:42 pm

Secure Project Planning

Security in Project Planning.

I recently had the opportunity to work on a project involving patient health information covered by HIPAA and the ability to transfer that information from one device to another securely.  I was asked to make the project as secure as possible, and when I was done I was very satisfied with the finished product.  I also noticed that my finished product was very different (and much more inclusive) than my first draft.

This led me to think that maybe I should have some kind of project planning template.  For every application that we are going to deploy we need to have some kind of security policy in place that guides how the data will be used, stored, transferred and disposed of.  I'd like to present to you what I have developed so far, and see if any of you have anything you think should be added to it.  I know this is a hacking site, and most of us are interested in how to ethically gain access to systems, but the whole purpose for ethical hacking is to ultimately create more secure systems.

Non-technical headings:
  Legal Framework
  Ownership of Data
  Notification Procedure
  Training Plan
  Sanctions for violation

The Non-technical headings are sections of the project policy that don't contain technical details, but still have important information that needs to be understood by everyone using the finished application or system.  The Legal Framework gives a short description of any federal, state, and local laws that govern this kind of data, and any institutional policies that also need to be taken into consideration for this system.  The project plan should include a training plan to ensure that all users are aware of the policies and should spell out any sanctions for violating the policy.  The project plan should also include some statement about who the owner of the data is and what requirements must be met for the data to be shared with others.  One of the most important non-technical sections is the notification procedure, which tells the end user who to call in the event that data is lost or stolen.

Technical considerations
  Physical Security
  Data at Rest
  Data in Motion
  Detection

In the technical considerations section we examine each piece of the application or system that is going to touch our data and we write out the requirements for each of these devices.  What are the physical security requirements for our servers?  Are these requirements different from the desktops?  What needs to be encrypted?  Do the backup tapes need special consideration?  How are we going to encrypt data in motion?

Questions this raises...
What has been left out?  Are there additional technical considerations that need to be taken to protect the data?  Is this model granular enough?  For example, to protect data at rest I use encryption, anti-virus software, anti-spyware software, authentication requirements and what access-controls are needed.  Is that too much for one category?  I'm sure this isn't a comprehensive list of considerations for project planning, but I hope that it will spur a good conversation and make all of our projects better.

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Tue Nov 28, 2006 12:20 am

Re: Secure Project Planning

Looks good so far and I understand how painful HIPAA can be. I would add:

  Code:
Technical considerations
   Physical Security
   Data at Rest
   Data in Motion
   Detection

+ Loss Prevention
+ Data Accountability
+ Data Classification

Keep up the good work and thanks for sharing your project template.

Slimjim100
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
