Security Requirements Documentation

Project Summary

My first Capstone class involved a project with several components. Foremost on the list was the creation of documentation outlining the Security Requirements for a fictional company.

However, the documentation was only a small part of a much larger design. The course's purpose was to assess our skills, so we were asked to complete three main tasks: build a working database, install all necessary components for a working server, and implement security throughout the system. All steps and processes had to be thoroughly supported with documentation.


Database Implementation

Considering our timeframe and resources, our design was simple. A small clinic, called Health Done Right, with doctors, nurses, staff, and clients would be best. We had to build the entire system from scratch. As you can expect, all the necessary steps for creating a well-working database were involved. We designed an Entity Relationship Diagram (ERD), ensured normalization, and prepared for implementation.


Networking and Server Installation

After some debate, my small group determined that an Apache Server implementation would be best. Given our experience, it did not take long to have Apache up and running. We easily installed MySQL and uploaded our database to the server.

Now, to say we did not have a hitch would be untrue. Due to lab restrictions, outside access was a bit challenging, but with a little resourcefulness, a fully working server with a database implemented was working proudly.


Security Requirements

Although it may not seem like it, the main component of the whole project was the documentation. It was important to explain and justify all steps taken along the way, but even more important was the Security Requirements documentation.

All the necessary components were on board: assets, dataflow charts, misuse case diagrams, Role Based Access Control (RBAC) tables, a STRIDE table for threats and vulnerabilities, and policies outlining sensitivity classifications and guidelines.

All in all, it was a fairly extensive document. I wish I could share it, but due to some FERPA guidelines (only the security-minded people reading this would understand), I can't.


Satisfying Conclusion

Suffice it to say, we got an A and passed the course. Everything worked well because, simply, we wouldn't settle for anything less.