Scenario

You have just been hired as the security manager of Medical Credentials Company (MCC), reporting to the Chief Information Officer (CIO). MCC is a kind of clearinghouse for doctors, hospitals, and group practices. It stores and distributes information on its clients, including sensitive information on previous malpractice lawsuits or disciplinary action. MCC is converting from an in-house database to a distributed database, which can be queried by telecommuting employees and clients. This change requires a high level of security. It is your responsibility to provide your engineers with the security requirements and at the same time convince senior management that the system being developed is robust and secure enough to protect this sensitive information. After careful examination of the database requirements and security requirements, you decide that compliance with the current accreditation/authorization process (NIST 800-37 RMF) would sufficiently protect the database from intrusion and tampering.

Project Background

Your CIO asked you to identify security controls in the Information Assurance (IA) family that are relevant to the database, using your sound reasoning and professional judgment. Based on the assumption that your system is a moderate, moderate, moderate… which of the IA family controls do you believe would be relevant to the database and why? Using NIST SP 800-53, create a table. Include columns for the control, the description, and comments. Be sure to include comments in your matrix regarding why or why not the control applies. (NOTE: not all of the controls should be applicable).

The project deliverables for Week 3 are as follows:

WEEK 3: Appendix Development Section: (600-700 WORDS)

· Introduction

· Explain the content that should go into the appendix (Appendix F: Security requirements Traceability Matrix)

· A justification as to why or why not the controls apply

· CONCLUSION

· REFERENCE