You have just been hired as the security manager of Medical Credentials Company (MCC), reporting to the Chief Information Officer (CIO). MCC is a kind of clearinghouse for doctors, hospitals, and group practices. It stores and distributes information on its clients, including sensitive information on previous malpractice lawsuits or disciplinary action. MCC is converting from an in-house database to a distributed database, which can be queried by telecommuting employees and clients. This change requires a high level of security. It is your responsibility to provide your engineers with the security requirements and at the same time convince senior management that the system being developed is robust and secure enough to protect this sensitive information. After careful examination of the database requirements and security requirements, you decide that compliance with the current accreditation/authorization process (NIST 800-37 RMF) would sufficiently protect the database from intrusion and tampering.
Project Background

After your initial meeting with the CIO, she is close to agreeing that the database system needs to comply with an accreditation/authorization process. She needs to understand that the Orange Book is the precursor to current methodologies. She understands the general ideas behind the process, but needs you to explain the NIST 800-37 (RMF) process: the different roles and how the process works in six steps.

Key Assignment

In an IT security networking meeting, you join a group discussion on the Common Criteria. Now you’re going to have to move up to the Common Criteria. You will need to focus on the Protection Profile (PP). A Protection Profile contains the necessary security requirements to achieve the operational functionality and assurance for a generic product or system of the designated category.

You’re in front of your CIO and she is not pleased that you have changed direction. You have explained the fundamentals to her, and now she is asking more detailed questions. This week you will respond to questions from your CIO. Finally, you will further refine the Case Study Report to produce the Final Key Assignment. Updates may be based on peer and instructor feedback.

The project deliverables are:
• Update the Case Study Report title page with the new date and project name.
• Update previously completed sections based on instructor feedback.
• The EAL ratings in the Common Criteria:
  o What is the value of the Evaluation Assurance Level (EAL) rating in the CC model?
  o There is a treaty that requires the signatory nations (the U.S. and most European countries) to accept CC evaluations of products from one country to another up to EAL4. Why is EAL4 a breakpoint?