
System Security Certification and Accreditation, worked through the following scenario. APA format.

Scenario

You have just been hired as the security manager of Medical Credentials Company (MCC), reporting to the Chief Information Officer (CIO). MCC is a clearinghouse for doctors, hospitals, and group practices. It stores and distributes information on its clients, including sensitive information on previous malpractice lawsuits and disciplinary actions. MCC is converting from an in-house database to a distributed database that can be queried by telecommuting employees and by clients. This change requires a high level of security. It is your responsibility to provide your engineers with the security requirements and, at the same time, to convince senior management that the system being developed is robust and secure enough to protect this sensitive information. After careful examination of the database requirements and security requirements, you decide that compliance with the current authorization process (the NIST SP 800-37 Risk Management Framework, RMF) would sufficiently protect the database from intrusion and tampering.

Project Background

After your initial meeting with the CIO, she is close to agreeing that the database system needs to comply with an accreditation/authorization process. She needs to understand that the Orange Book (the DoD Trusted Computer System Evaluation Criteria, TCSEC) is the precursor to current methodologies. She understands the general ideas behind the process, but needs you to explain the NIST SP 800-37 (RMF) process: the different roles and how the process works in six steps (Categorize, Select, Implement, Assess, Authorize, Monitor, as defined in Revision 1; Revision 2 adds a preliminary Prepare step).

Assignment Description

Review the provided scenario and create the shell for the case study.

The project deliverables are as follows:

WEEK 1: Case Study Outline: (600-700 WORDS)

·      Introduction

·      The organizational profile

·      Project Goals

·      Compliance with the TCSEC C2 class criteria

·      Assurance and the Orange Book: Explain how the Orange Book is the precursor to current accreditation and authorization methodologies.

·      Compliance with the TCSEC B3 class criteria

·      Explain the NIST SP 800-37 (RMF) process: the six steps and the roles involved in each step (for example, the Authorizing Official, the Information System Owner, the Security Control Assessor, and the Information System Security Officer).

·      REFERENCE

WEEK 2

Project Background

Becoming better acquainted with the history of accreditation and authorization has made you aware that you need to start planning tasks in order to complete a system authorization in a timely manner. In addition, you need to explain the additional assurance provided, to justify the extra resources to your CIO.

The project deliverables for week 2 are as follows:

Week 2: The DITSCAP Process (DoD Information Technology Security Certification and Accreditation Process): (600-700 WORDS)

The History of Accreditation and Authorization Section:

·      Analyze the differences between the types of authorization (for example, a full authorization to operate versus a denial of authorization, and an ongoing authorization under continuous monitoring).

·      Explain how the authorization process applies to the new database system.

·      Give your CIO a brief clarification of the additional assurance provided by the NIST RMF process, to justify the extra time and money for additional tasks.

·      REFERENCE

WEEK 3

Project Background

Your CIO asked you to identify the security controls in the Identification and Authentication (IA) family that are relevant to the database, using your sound reasoning and professional judgment. (Note that in NIST SP 800-53 the IA family is Identification and Authentication, not "Information Assurance".) Based on the assumption that your system is categorized as moderate impact for each of confidentiality, integrity, and availability (moderate, moderate, moderate under FIPS 199 and SP 800-60), which of the IA family controls do you believe would be relevant to the database, and why? Using NIST SP 800-53, create a table. Include columns for the control identifier (IA-1 through IA-12 in Revision 5; IA-1 through IA-11 in Revision 4), the description, and comments. Be sure to include comments in your matrix stating why or why not the control applies. (NOTE: not all of the controls should be applicable; the moderate baseline does not select every control in the family.)

The project deliverables for Week 3 are as follows:

WEEK 3: Appendix Development Section: (600-700 WORDS)

·      Introduction

·      Explain the content that should go into the appendix

·      A justification as to why or why not each control applies

·      CONCLUSION

·      REFERENCE

Week 4

Project Background

The CIO is concerned with the number of security controls that will have to be implemented for the database. She wants to know whether all of the controls have to be implemented at one time or whether a phased approach can be used. Luckily, you know about the priority codes (P0 through P3) assigned to each control, which are listed in the NIST SP 800-53 Rev 4 baseline tables (Appendix D) and in each control's entry in the control catalog (Appendix F); note that Rev 5 dropped priority codes, so the sequencing must be argued from risk and dependencies under that revision. Explain this sequencing along with the Plan of Action and Milestones (POA&M) process to the CIO. Don't forget to illustrate how this relates to the Continuous Monitoring (Step 6: Monitor) phase of the RMF.

The project deliverables for week 4 are as follows:

Week 4: The Common Criteria System (600-700 WORDS)

·      The NIST SP 800-37 RMF (continued) Section:

·      Explain the priority codes assigned to security controls

·      Explain the POA&M process and how it relates to Continuous Monitoring

·      C2 Orange Book Protection Profile

·      REFERENCE

WEEK 5

Project Background

In an IT security networking meeting, you join a group discussing the Common Criteria (ISO/IEC 15408). Now you are going to have to move up to the Common Criteria. You will need to focus on the Protection Profile (PP). A Protection Profile contains the security requirements needed to achieve the operational functionality and assurance for a generic product or system of the designated category, independent of any particular vendor's implementation.

You are in front of your CIO and she is not pleased that you have changed direction. You have explained the fundamentals to her, and now she is asking more detailed questions. This week you will respond to questions from your CIO.

The project deliverables are as follows:

WEEK 5: The EAL Ratings in the Common Criteria (600-700 WORDS)

·      What is the value of the Evaluation Assurance Level (EAL) rating in the CC model?

·      There is an international arrangement, the Common Criteria Recognition Arrangement (CCRA), under which the signatory nations (the U.S. and most European countries, among others) accept each other's CC evaluations of products up to EAL4 under the original arrangement. Why is EAL4 a breakpoint? (Note for your answer: the 2014 revision of the CCRA narrowed mutual recognition to EAL2 and to evaluations against collaborative Protection Profiles; the EAL4 boundary still explains why higher levels were never mutually recognized.)

·      REFERENCE
