5365 Mae Anne Ave. Suite A-29, Reno, Nevada 89523
San Joaquin Valley Market Research Study
Request For Proposals
March 15
Central Valley Market Research Study
Request For Proposal
Request for Proposal 1
Table of Contents
1. GENERAL INFORMATION
1.1. CORPORATE OVERVIEW
1.2. PURPOSE OF RESEARCH PROJECT
1.3. PROJECT LOTS AVAILABLE
1.4. CONTACT INFORMATION/SUBMISSION
2. PROPOSAL TERMS AND CONDITIONS
2.1. LIABILITIES OF AGENCY
2.2. CONFIDENTIALITY AND RFP OWNERSHIP
2.3. PROPOSAL PROCESS MANAGEMENT
2.4. SECURITY-NON DISCLOSURE AGREEMENT
3. PROPOSAL SUBMISSION REQUIREMENTS
3.1. PARTICIPATION
3.2. RESPONSE & PROJECT SCHEDULE
3.3. PROPOSAL EVALUATION PROCESS
3.4. FIRM PRESENTATION
3.4.1. CONTRACT NEGOTIATIONS
3.4.2. PROJECT MANAGEMENT
4. PROPOSAL SUBMISSION FORMAT
5. FIRM PROFILE AND REFERENCES
5.1. DEMONSTRATED UNDERSTANDING OF AGENCY REQUIREMENTS
5.2. TECHNICAL APPROACH
5.3. TECHNICAL CAPABILITIES
5.4. MANAGERIAL CAPACITY
5.5. DEMONSTRATED EXPERIENCE/REFERENCES
6. SAMPLE QUESTIONNAIRE
7. NON-DISCLOSURE AGREEMENT
1. General Information
1.1. Corporate Overview
Customers have been enjoying the great taste of Port of Subs®
sandwiches for 40
years. In 1972, two brothers from New Jersey opened a modest
submarine shop in
Sparks, Nevada called the “Sub Shop”. John Larsen, a Public
Accountant who had
been advising the Sub Shop owners, seized the opportunity to
purchase an interest in
the business and later bought the business in 1975. After taking
the helm, Larsen
sponsored a community-wide contest to choose a name for the
Sub Shop to
differentiate it from imitators. In a review of more than 10,000
contest entries, Larsen
chose the name…”Port of Subs®”.
Between 1975 and 1985 the Larsens developed ten company-owned units. Throughout
the years many people approached them asking for units in other
cities because the
quality and taste of their products was outstandingly unique.
Therefore, with the help of
Francorp, the nation’s largest franchise consulting firm, the
company began franchising
in 1985.
Over the years, the Port of Subs® brand has become
synonymous with quality
sandwich making and superior customer service. Port of Subs®
made-fresh-to-order
sandwiches are prepared while the customer looks on. The
unique taste comes from
freshly sliced, top quality meats and cheeses, freshly baked
breads and zesty dressings
and spices. Port of Subs® also offers breakfast grillers, Sliced
Fresh Grillers™, fresh
salads, chips, an extensive line of party trays, desserts and a
variety of refreshing
beverages.
Currently Port of Subs® has more than 140 units open in seven
Western states. Over
the years Port of Subs® has developed a proven, effective
system of operation that will
give you the edge necessary to create a thriving business.
1.2. Purpose of Research Project
Port of Subs® (hereinafter, ‘the Agency’) is now soliciting
proposals from qualified and
licensed entities to provide marketing research that randomly
surveys the San Joaquin
Valley market region from Modesto to Bakersfield. All
proposals submitted in response
to this solicitation must conform to the requirements and
specifications outlined within
this document and any attachments.
The Agency seeks to improve customer satisfaction, increase
market share, and
increase revenue throughout the region by gaining a better
understanding of our
customers, specifically:
• Customer Satisfaction
• Brand Awareness
• Customer perception of the Port of Subs® brand
• Competitive advantages of our major competitors in the region
All research received by the chosen firm(s) will become the
property of the Agency and
will be used by the Agency to make changes that will aid our
company’s continued
success.
1.3. Project Lots Available
The following project lots represent the work
available for the firm to propose
services for. The firm should carefully review and indicate
which lots they are interested
in providing services for. The firm may propose services for any
number of the lots listed
below. The Agency reserves the right to extend an offer for the
lot(s) for which the firm has
successfully demonstrated past performance and understanding
of the project.
A. Customer Satisfaction Research
B. Brand Awareness and Perception
C. Competitor Evaluation
D. Effective Marketing Strategies For Region
1.4. Contact Information/Submission
All questions/concerns related to this project should be directed
to:
Chase Schwarzwalter
Marketing Manager
San Joaquin Valley Region
Phone: 775-747-0555
Email: [email protected]
All firms are to ensure delivery of the proposal in duplicate to
the following address prior
to 5:00pm (PST) on April 20, 2015.
Chase Schwarzwalter
5365 Mae Anne Ave.
Suite A-29
Reno, Nevada 89523
2. Proposal Terms and Conditions
The following subsections include the terms and conditions the
firm is to understand
and agree to. Failure to agree to any terms or conditions will
void the proposal
submission of the firm.
2.1. Liabilities of Agency
This RFP is only an invitation for proposal and no contractual
obligation on behalf of the
Agency whatsoever shall arise from the RFP process unless and
until a formal contract
is signed between the Agency and the firm.
This RFP does not commit the Agency to pay any cost incurred
in the preparation or
submission of any proposal or to procure or contract for any
services.
2.2. Confidentiality and RFP Ownership
This RFP is both confidential and proprietary to the Agency,
and the Agency reserves
the right to recall the RFP in its entirety or in part. Firms cannot
and agree that they will
not duplicate, distribute or otherwise disseminate or make
available this document or
the information contained in it without the express written
consent of the Agency.
Firms shall not include or reference this RFP in any publicity
without prior written
approval from the client, which, if granted, shall be granted by
the individual named
above. Firms must accept all of the foregoing terms and
conditions without exception.
All responses to the RFP will become the property of the
Agency and will not be
returned.
2.3. Proposal Process Management
The Agency reserves the right to accept or reject any and all
proposals, to revise the
RFP, to request one or more re-submissions or clarification
from one or more firms, or
to cancel the process in part or whole. No firm is obligated to
respond to or to continue
to respond to the RFP after the submission and closing date.
The Agency will, at its discretion, award the contract to the
responsible vendor
submitting the best proposal that complies with the RFP. The
Agency may, at its sole
discretion, reject any or all proposals received or waive minor
defects, irregularities, or
informalities therein.
2.4. Security-Non Disclosure Agreement
The firms, as part of the proposal, should sign the non-disclosure agreement to
safeguard the confidentiality of the Agency’s business
information and data.
3. Proposal Submission Requirements
3.1. Participation
All firms interested in submitting a proposal for any lots must
confirm their participation
within 14 days of receiving this solicitation by submitting an
Intent To Respond. A failure
to confirm will denote that the firm is not interested in
participating, and the Agency
requires an immediate return of this Request for Proposals.
All communication, including the Intent to Respond, should be
sent to the email
listed in Section 1.4.
3.2. Response & Project Schedule
Response Schedule
March 19, 2015: RFP made available to firms
April 2, 2015: Deadline for all questions/clarifications
April 20, 2015: Response to RFP Deadline (5:00pm)
April 21-24, 2015: Bids to be evaluated. Firms may be invited to present solution during this time.
April 27, 2015: Contracts extended to chosen Firm(s)
Project Schedule
April 28 - May 1, 2015: Contract Negotiation & Project Clarification
May 2 - May 22, 2015: Research and Analysis
May 25, 2015: Presentation of findings by Firm(s)
June 1, 2015: Distribution of findings to regional store owners
3.3. Proposal Evaluation Process
All submissions will be evaluated based on the following
criteria listed in order of
priority. Incomplete sections will result in immediate
disqualification for the Firm.
| No. | Max Point Value | Factor Type | Factor Description |
|---|---|---|---|
| 1 | 15 | Objective | The Proposed Costs of the overall project(s). |
| 2 | 15 | Subjective (Technical) | The Demonstrated Understanding of the Requirements. |
| 3 | 20 | Subjective (Technical) | The Appropriateness of the Technical Approach and the Quality of the Work Plan |
| 4 | 20 | Subjective (Technical) | The Firm’s Technical Capabilities. |
| 5 | 25 | Subjective (Technical) | The Firm’s Demonstrated Experience in performing similar work and the Firm’s Demonstrated Successful Past Performance of work substantially similar to that required by this solicitation. |
| 6 | 5 | Subjective (Technical) | The Overall Quality and Professional Appearance of the Proposal, based upon the opinion of the evaluator(s). |
| Total | 100 Points | | |
Each proposal received will first be evaluated for
responsiveness (i.e. meets the
minimum of the requirements). Then an evaluation packet will
be prepared for each
evaluator, including the following documents:
• Instructions to Evaluators
• Proposal Tabulation Form
• Recap of each proposer’s responsiveness
• Copy of all pertinent RFP documents
The Agency anticipates that it will select a minimum of a three-person committee to
evaluate each of the responsive “hard copy” proposals submitted
in response to this
RFP. PLEASE NOTE: No proposer shall be informed at any
time during or after the
RFP process as to the identity of any evaluation committee
member. If, by chance, a
proposer does become aware of the identity of such person(s)
he/she SHALL NOT
make any attempt to contact or discuss with such person
anything related to this RFP.
Failure to abide by this requirement may (and most likely will)
cause such proposer(s) to
be eliminated from consideration for award.
The following table shows the point range for the evaluation
criteria:
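Points Awarded Range

| Rating | 5 | 10 | 15 | 20 | 25 |
|---|---|---|---|---|---|
| Excellent | 5 | 8-9 | 13-15 | 17-20 | 21-25 |
| Very Good | 4 | 7-8 | 10-12 | 13-16 | 16-20 |
| Good | 3 | 5-6 | 7-9 | 9-12 | 11-15 |
| Average | 2 | 3-4 | 4-6 | 5-8 | 6-10 |
| Poor | 0-1 | 0-2 | 0-3 | 0-4 | 0-5 |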
To be considered to receive an award a proposer must receive
an average score of at
least 70 points (of the total 100 points possible).
If an award is completed, all proposers will receive by e-mail a
Notice of Results of
Evaluation. Such notice shall inform all proposers of:
• Which proposer received the award
• Where each proposer placed in the process as a result of the
evaluation of the
proposals received
• The cost or financial offers received from each proposer
• Each proposer’s right to a debriefing and to protest.
3.4. Firm Presentation
If required, the firms will be asked to make presentations to the
Agency. The Agency
shall not be under any obligation to bear any part of the
expenses incurred by the basic
partners for the presentations.
3.4.1. Contract Negotiations
At the completion of the selection process, the Agency will
enter into negotiations
with the selected firm. Firms should also be aware that the
following documents
would be included (but not limited to) as attachments to the
final contract:
• This Request for Proposal.
• The firm’s proposal in response – both technical and
commercial
• Any modifications to the proposal.
• An implementation Plan identifying the tasks to be completed
with milestones,
the assigned responsibilities, and the scheduled completion
dates.
3.4.2. Project Management
The firm will provide at least but not limited to the following
information to the
Agency:
• The description of the different phases of the project,
• The methodology and approach
• Specific list of the deliverables by phase the firm intends to provide along the project.
• Key performance indicators proposed for service delivery.
4. Proposal Submission Format
It is preferable and recommended that the proposer bind the
proposal submittals in such
a manner that the Agency can, if needed, remove the binding
(i.e. “comb-type;” etc.) or
remove the pages from the cover (i.e. 3-ring binder; etc.) to
make copies, and then
conveniently return the proposal submittal to its original
condition.
The following list includes, but is not limited to, the content required
in the final proposal:
1.0 Signed cover letter
2.0 Firm Overview
• Brief History
• Mission Statement
• Current Scope of Work
3.0 Proposed Services (chosen from Lots Available for
Proposal)
4.0 Breakdown Of Project Cost
4.1. Total Cost to Agency
4.2. Itemized Cost List
4.3. Billing Process
5.0 Firm Profile and References (Outlined in Section 5 of RFP)
5.1. Demonstrated Understanding of Agency Requirements
5.2. Technical Approach
5.3. Technical Capabilities
5.4. Managerial Capacity
5.5. Demonstrated Experience/References
6.0 Firm’s Proposed Ideas to Improve Research
7.0 Survey and/or Other Research Methods to be Used
8.0 Equal Employment Opportunity Statement
5. Firm Profile and References
5.1. Demonstrated Understanding of Agency Requirements
The Firm should demonstrate their understanding of the
project(s) they are proposing
on. Please include the following:
1. Understanding of the terms of the RFP and proposal
submission
2. Overall understanding of the Agency’s background and
current state.
3. Understanding of the Project(s) the Agency wishes to bid on.
4. Understanding of project schedule
5.2. Technical Approach
The Firm should address the following key points:
1. Provide information on your current workload and how you
would accommodate
this project.
2. Describe in detail the process you would follow.
3. Outline the project schedule you would implement to meet
the expected
deadlines. Describe the methods you would use to maintain this
schedule.
4. Describe your method for consensus building, including your
role, the
methodology employed, the outcome, and a contact person for a
recent project
where you employed this method.
5. Describe the types of problems you have encountered on
similar projects, and
explain what you did to resolve the problems and what you
would do differently to
avoid such problems on future projects.
6. Describe how your firm can add value to this project and the
process and include
examples of situations from comparable projects where the
owner realized
tangible value.
5.3. Technical Capabilities
The Firm should briefly explain each of these key points:
1. Personnel
a. List the professional and support positions and number of
personnel in each
position.
b. Provide an organizational chart, including resumes of all
personnel who would
be committed to this project. Provide specific information as to
their
experience on projects similar to this one. For the project
manager and
project architects identified as part of the project team, provide
the name and
phone number of two (three, four, your call) clients with whom
the architect
has worked on a similar building project.
c. List professional consultants outside your firm whom you
propose would
provide services not available in your firm. Provide specific
information
documenting their work on similar projects.
2. Procedures for maintaining levels of service to all clients and
contracts.
3. Equipment and materials available for use on the proposed
project.
5.4. Managerial Capacity
The Firm must attach current resumes for any owners, partners,
or managers that will
be directly managing the project(s) being bid on.
5.5. Demonstrated Experience/References
The firm should include the following:
1. A minimum of 3 projects of substantially similar scope and
workload. Include for
each:
a. Company Name
b. Mission Statement
c. Company Size
d. Area Serviced
e. Project Description (approximately 500 words)
2. 3 additional client references (may be different types of
projects). Include for
each:
a. Partner Name & Title
b. Phone Number
c. Mailing Address
6. Sample Questionnaire
The following limited sample questionnaire is the direction the
Agency expects Firms to
pursue in regard to:
• Customer attitudes and perceptions of Port of Subs®
• And Customer Satisfaction
The agency expects a 98% chance of statistical accuracy.
Port of Subs® Customer Survey
The purpose of this survey is to help Port of Subs® better
understand their customers and
provide the greatest experience possible. Your answers are
important to us. Thank you for
taking the time to fill out the survey.
1. What is your age?
❏ Under 18
❏ 19-25
❏ 26-30
❏ 31-40
❏ 41-50
❏ 51-60
❏ 61-70
❏ 71-80
❏ Over 80
2. What is your gender?
❏ Male
❏ Female
❏ Other
3. How did you hear about us?
❏ Advertisement
❏ Social Media
❏ Yelp or similar app
❏ Another person
❏ I hadn’t heard of Yogurt Etc. prior to my first visit
❏ Other
4. How many times have you visited Port of Subs in the
past 12 months?
❏ This is my first visit
❏ 1-3
❏ 4-10
❏ 10+
Please indicate your level of agreement with the following
statements.
Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree
6. Port of Subs restaurants are always clean. ☐ ☐ ☐ ☐ ☐
7. The quality of food is excellent. ☐ ☐ ☐ ☐ ☐
8. The portion size is satisfactory. ☐ ☐ ☐ ☐ ☐
9. The food is a good value for the money spent. ☐ ☐ ☐ ☐ ☐
10. I enjoyed the amount of choices Port of Subs provides. ☐ ☐ ☐ ☐ ☐
11. The service was fast ☐ ☐ ☐ ☐ ☐
12. The service was friendly ☐ ☐ ☐ ☐ ☐
13. Overall, I am satisfied with my Port of Subs experience. ☐ ☐ ☐ ☐ ☐
14. I will return to Port of Subs in the next 3 months or less. ☐ ☐ ☐ ☐ ☐
15. I will tell a friend about Port of Subs. ☐ ☐ ☐ ☐ ☐
16. How many times per week do you eat out? ________
17. How many times per week do you eat at Port of Subs?
___________
Thank You!
The following simulated response table and charts represent the
type of information the
Agency wishes to receive, along with the firm’s analysis of the
findings.
[Chart: Port of Subs Restaurants are always clean. Categories: Strongly Disagree, Disagree, Neutral, Agree, Strongly Agree]
[Chart: Port of Subs Staff is Friendly. Categories: Strongly Disagree, Disagree, Neutral, Agree, Strongly Agree]
[Chart: I will tell a friend about Port of Subs. Categories: Strongly Disagree, Disagree, Neutral, Agree, Strongly Agree]
7. Non-Disclosure Agreement
All work performed pursuant to this RFP must conform and
comply with all applicable
local, state and federal codes, statutes, laws and regulations.
[Chart: How many times per week do you eat out? Categories: 0, 1, 2, 3, 4, 5, 6+]
[Chart: How many times per week do you eat at Port of Subs? Categories: 0, 1, 2, 3, 4, 5, 6+]
Software Assurance CSS321
Software Assurance Process –
Management’s Role
John Doe Jr.
22 March 2017
Contents
Background
Product Overview
Departmental Organization
System Design Life Cycle
Software Assurance Techniques
Desktop applications
Web Application and Database Application
Security in Nontraditional Development Models
Summary of the major steps and potential threats
Policies and processes that reduce threats
Security Static Analysis Tools
System Design
Software Assurance Policies and Processes
Static Code Analysis Tools
Software Assurance Process – Management’s Role (New Content)
Bibliography
Background
ABC is a software development company. It is a medium
enterprise that has a wide range of clients from all over the
country. The company has its headquarters in Miami, Florida
and branches in the United States. The company is making plans
to expand out of the United States beginning with Mexico and
Canada. ABC focuses on the development of custom-made
application software. This means that most of the software
created in the firm is specifically requested by the clients.
However, some generic software is also created which can later
be purchased by a client and re-engineered to fit their specific
needs. The software assurance guidelines used by the company
are specific to the type of software made. Desktop applications
have different assurance specifications from web applications.
The guidelines specified will be implemented from development
all the way to the client organization. The software guidelines
can only be efficient when both the developers and the users
adhere to them.
Product Overview
The company does provide a number of software applications
for the government. These applications include Account Pro,
which is accounting software. It is desktop software and it is
very optimal. The company also provides the government with a
police record system. This application is web based and it relies
heavily on the internet and the local area networks of the police
stations. The application is optimized by a database that stores
all of the information.
Departmental Organization
The firm is organized into four different departments. The first
department deals with installation and maintenance of software.
This is the after-sales services department. This department is
vital in the company since software often requires patchwork and
maintenance. The second department is the specifications
research department. This department works hand in hand with
the clients to determine the software that the clients require
most and they communicate these requirements to the
development department that is made up of developers who code
and test the applications. The marketing and sales department
ensures that the company has good public relations and stays
relevant among the clients.
System Design Life Cycle
The system design life cycle that is used in the organization is
quite traditional and standard. The first phase is planning and
information gathering. In this phase the system requirements are
gathered and information is gathered from the users. In the next
phase, this information is organized and the system is proposed
that will be able to solve the problems. Next is the design phase
where the coding is done to develop the system. After coding,
the system is taken into testing and debugging. If it is optimal,
it is taken into the implementation phase where it is introduced
to the clients. Maintenance is the last phase that requires
updates and patches which leads us back to the first stage and it
becomes a cycle (Avison and Shah, 2007).
Software Assurance Techniques
The guidelines are applied in the phases by ensuring that the
specifications gathered are exactly what the client wants. The
system design and coding is optimized by debugging and testing
and the people who will be in contact with the system are
supposed to be trained in the implementation phase so that they
are able to use the system optimally and avoid performing tasks
that may be detrimental to the application.
ABC Company produces software that is consumed by the
United States government. The company produces desktop, web
and database applications. The software that the company
produces will be analyzed in this section to determine the
security and performance risks associated with all of these
applications as well as the possible implications that these risks
may have to the clients. For each risk, techniques for software
assurance will be proposed and how these techniques can be
applied to ensure that the application is optimized at all times.
Desktop applications
ABC Company offers a wide range of desktop applications.
However, the most robust of all these applications that have
been sold to the government is the Account Pro application.
This is software that is installed to a workstation computer and
it enables the user to be able to perform complex accounting
functions rather easily. However, the person manipulating it
must have both accounting and information technology
knowledge so that he or she can be able to manipulate the
software well. The software does not do all the accounting
independently and it requires the expertise of an accountant to
be able to function best. This accountant must also be
conversant with information technology knowledge in order to
operate the application.
The application has all the characteristics of a desktop
application. This means that it is at a lower risk of intrusion
from the internet and other forms of attacks. However, it is still
cumbersome to install and maintain. This is why maintenance
and installation has to be done independently on every
workstation. The ease of access is also reduced since the user
has to move to the physical location of the computer with the
application in order to access it (Lee et al., 2008). This makes
the use of desktop applications unfavorable due to the
cumbersome nature.
However, the application is very robust and optimized as far as
security is concerned. Guidelines such as the use of user
authentication have been put in place to make sure that
unauthorized users don't get access to the application. The main
threat that the clients face while using this application is
however, not from third party intrusion but rather from it
becoming out-dated (Lee et al., 2008). This can reduce the
general productivity of the application making it harder for it to
be used to solve most if not all of the accounting problems of
the client. This will make it inefficient.
The application can become out-dated and after five to 10 years,
it will no longer satisfy the organization needs that had been
identified. Thus, to mitigate this threat, regular maintenance is
done on the application and any new requirements are added to
the application. This maintenance and patchwork is an aftersales
service that the government is happy to pay for.
Web Application and Database Application
The web applications sold by the company are often optimized
by a database thus making them two in one. The developers
prefer the PHP platform to develop these web-based applications, and
the database server most used is SQL. The two platforms work
well together once linked to create an optimal application. The
company sold a web based application to the police department
in south Miami that has been able to help them keep records of
the statements made by the public and the arrests that have been
made on these statements. This system has also helped them
keep record of the development of these cases.
Such a system is easier to use than a desktop application since
it can be accessed from anywhere, as long as the user has an
internet connection and access to the police local area network. It
is also easier to install and maintain since the installation is
done on a central server and all the users access it in a client-server
architecture. This means that the users access it through a
web browser (Meier et al., 2013).
However, this application comes with a high risk of third party
intrusion. This means that the application can be accessed by an
unauthorized third party. Such access can cause the organization
of the client to be vulnerable and their records to be tampered
with. This can cause unprecedented losses. To handle this, the
application does have user authentication and user accounts
with logs to help monitor the activities of each user and identify
unusual activity. However, the LAN in the police department
also needs to be optimized with firewalls and honeypots (Meier
et al., 2013) to ensure that any third party that tries to access the
network and thus the application through hacking or cracking is
not able to do so.
Another threat that the clients may experience is the need for
scaling. The records will increase in number and with time, the
department will require a larger database with a larger capacity
so as to be able to hold all the records available. This scaling is
done through maintenance by slowly expanding the database as
the requirements of the user increase. The functionality of the
application is also updated regularly.
Security in Nontraditional Development Models
Software security involves combining several strategies to
develop integrity, privacy, availability, usability and
confidentiality. There are various non-traditional development
models that can be used to achieve these objectives and various
ways to reduce security threats using agile development models
such as Scrum. ABC Corporation will use the scrum
methodology. Scrum provides a firm with freedom to execute
most operations. One of its most important aspects is the
elimination of a regular manager. The following is the overview
of the important concepts involved in the model (Avison and
Shah, 2007).
Summary of the major steps and potential threats
The Scrum team has three roles. The first one is the Product
Owner that represents the stakeholders and clients. The Scrum
master, on the other hand, helps in eliminating problems, while
the Developers have the skills to transport products within the
system. Stories are the needs that are stated from the
perspective of the clients. Product Backlog is a list of
requirements, stories, and objects that need completion so that
they can provide the end product. Tasks and subtasks represent
steps created based on backlog items. In the sprint planning, the
members of the team select objects that need to be finished in
the subsequent sprint from the backlog (Lee et al., 2008). Sprint
works as the platform in which tasks are completed. It is during
the sprints where items are redefined, deleted or added.
The Daily Scrum is where team members meet and discuss the
previous achievements and focus on the upcoming activities.
The definition of done is a criterion to examine whether items
are ready after a test is performed. The sprint review occurs at
the final stage; the teams check for any issues that emerged
after completion of every sprint (Avison and Shah, 2007). The
sprint retrospective is where the members of the team look at
the final product and do reviews. It is at this point where
members can reflect on the activities and make suggestions for
further developments.
This is a summary of the steps involved in the Scrum operation.
First, the Product Owner develops a wish list known as a product
backlog. Secondly, in the sprint planning, the team takes the top
priorities from the wish list and describes the ways of
implementing the pieces. Thirdly, the team takes some time like
four weeks to ensure completion of the task. It is important to
understand that the team will have daily meetings to ensure
there is satisfactory progress. The Scrum master has the
function of making sure the team focuses on the primary goal
(Meier et al., 2013). During the end of the sprint, the task will
be completed and can be transported to the clients or presented
to the stakeholders for assessment. In the end, there will be
sprint review and a retrospective.
When dealing with Scrum there are various security
threats. For instance, in each Sprint approach, there are issues
with security flaws that might allow hackers to access the
crucial information of the company. In this case, there is a need
to employ experts to help in the management of the risks.
Another mitigation strategy is the addition of extra testers to
perform regular checkups on the system. Another risk that might
occur is the lack of enough time to address potential security
threats. An example of a risk is the emergence of viruses that
might adversely affect critical information. In such a case the
clients will be informed of the occurrence of the issue and look
for a way to stop any further destruction by the virus. The firm
will also have to input other resources to address the problem
(Lee et al., 2008). In summary, if a threat is critical, there will
be a need to carry out an urgent action. The critical issue will
have to be dealt with on a daily basis to ensure there are
effective measures in place to stop the threat. The organization
members will have to notify the senior management of the risk.
On the other hand, when the issue is minimal, the review of the
system would be carried out quarterly.
Policies and processes that reduce threats
There are various security regulations provided to minimize
risks. The first activity is the development of artifacts. They
include security architecture, the definition of security threats,
risk analysis, and the process of setting guidelines to reduce
effects of the risks. ABC Company should have a group of
security developers that will be in charge of maintaining
security; this is crucial because duties will be delegated to the
members of the team and a single individual will not perform
many tasks (Meier et al., 2013). First, there is a need to provide
training on particular technologies like database engines,
frameworks, and operating systems. Secondly, there is a need to
provide a proper review of the interface, code and
test case. Another policy that is critical to the reduction of
security threats is to utilize security testing to ensure everything
is secure. The other process is the establishment of safety audits
at any particular time in the project. Finally, reviews are
developed after completion of objects in the backlog and time
checks are developed at control points.
Security Static Analysis
System Design
ABC Company has produced a number of electronic medical
systems. These medical systems are capable of aiding
government hospitals in the keeping of their records and other
administrative purposes that help the hospitals give better care
to their customers and be more efficient in the giving of health
services to their clients. These medical information systems are
usually comprehensive systems that may vary in scope
depending on the various needs of the hospital.
A generic Medical Information System has the capacity to
capture patient information. This means that it has a database to
hold patient information such as the name, address, date of birth
and sex. This data is held in a database and it is
accessible remotely by the patients. Each patient is able to view
the data that the hospital is holding about them and they can
request for it to be edited or deleted. This data is also not to be
shared without the consent of the patient or for a purpose
that the patient isn't aware of. This is in accordance with federal
legislation about the privacy of medical data held by medical
institutions. The Health Information Portability and
Accountability Act (HIPAA) is the legislation that the system
designers have to have in mind while creating this entity in the
database and component within the system (Keyhani et al.,
2008).
The system also requires a component that will hold company
information. This will have the data of the employees of the
organisation and the roles that they play within the
organization. This includes rank and the amount of time they
have worked with the hospital as well as other information such
as name, date of birth, sex, address and department. This
component is key since it will be used to create access levels
for the various users so as to improve the security of the
information in the system.
There needs to be a component that will capture the physician
comments about the patients. This will be a component that will
be updated each time the patient visits the hospital. The patient
progress will be captured in this component within the system.
This component is also connected to other components within the
system.
The next component that should be present in an electronic
medical system is the laboratory component. This component is
able to capture the laboratory results of each patient who is
given special tests. These laboratory results need to be held in a
different component from the component that captures physician
comments since the data is more technical and the fields may
cause redundancy in the physician comments component. Thus,
it is best to have a relationship to this component instead of
combining these components (Keyhani et al., 2008).
The scan component is able to capture the information regarding
the scans that have been performed as well as the comments
regarding these scans. This component is also able to store
image information of the exact scans. It is going to have a
relationship with the physician comments component. This way,
the data will be captured without making the data in the
physician comments component redundant or having null fields.
The finance component is the final component of most medical
systems. This component is able to capture the cost of the
services rendered by the hospital and the payments. If the
payment is made on the spot, this component's functions end
there. Otherwise, the component allows for billing an insurance
claim to the insurance provider that covers the patient.
Software Assurance Policies and Processes
The system may have a number of security issues if it isn't
optimised. The patient component, described first, may be the
most difficult component to create with regard to security
issues. This is because it allows the patients to access it
remotely so that they can view the information that the hospital
is holding. This makes the system vulnerable since hackers can
easily gain access to user information. Therefore, optimising
this component will include thorough authentication measures.
This includes the use of usernames, passwords and PINs. The
patients must be advised that they should not share their
passwords and PINs with any other person. The PINs should also
expire on a weekly basis so that the clients will be prompted to
create another PIN or password. This will help reduce the
amount of hacking through this portal.
The employee component is also one that will help the rest of
the system to be optimised. This component will be able to
capture the information of the employees, and from this
information, user access levels will be created. This means that
the employees will only have access to functions and data in the
system that are relevant to their job description. This means
that depending on the department of the employee and the rank
that they have within the hospital, they can access different
components and functionality within the system. This helps
reduce the amount of unauthorised access to the data in the
system.
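The access levels described above can be expressed as a deny-by-default policy keyed on department and rank. This is an added example, not code from the original paper; the department names, the 1 to 5 rank scale and the grants in hospitalPolicy() are constructed assumptions.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Components from the system design described above.
enum class Component { Patient, Employee, PhysicianComments, Laboratory, Scans, Finance };
enum class Action { Read, Write };

// The fields of the employee component that drive access decisions.
struct Employee {
    int id;
    std::string department;
    int rank;  // assumed scale: 1 = junior ... 5 = head of department
};

struct Grant {
    Component component;
    Action action;
    int minRank;  // lowest rank in the department that receives this grant
};

class AccessPolicy {
public:
    void grant(const std::string& department, Component c, Action a, int minRank) {
        grants_[department].push_back({c, a, minRank});
    }

    // Deny by default: access needs an explicit grant for the employee's
    // department, and the employee's rank must reach the grant's minimum.
    bool isAllowed(const Employee& e, Component c, Action a) const {
        auto it = grants_.find(e.department);
        if (it == grants_.end()) return false;
        for (const Grant& g : it->second)
            if (g.component == c && g.action == a && e.rank >= g.minRank) return true;
        return false;
    }

    // Everything one employee may do, for periodic access reviews.
    std::vector<Grant> effectiveGrants(const Employee& e) const {
        std::vector<Grant> result;
        auto it = grants_.find(e.department);
        if (it == grants_.end()) return result;
        for (const Grant& g : it->second)
            if (e.rank >= g.minRank) result.push_back(g);
        return result;
    }

private:
    std::map<std::string, std::vector<Grant>> grants_;
};

// Constructed sample policy (hypothetical departments and thresholds).
AccessPolicy hospitalPolicy() {
    AccessPolicy p;
    p.grant("Laboratory", Component::Laboratory, Action::Read, 1);
    p.grant("Laboratory", Component::Laboratory, Action::Write, 2);
    p.grant("Laboratory", Component::Patient, Action::Read, 1);
    p.grant("Finance", Component::Finance, Action::Read, 1);
    p.grant("Finance", Component::Finance, Action::Write, 3);
    p.grant("Medicine", Component::Patient, Action::Read, 1);
    p.grant("Medicine", Component::PhysicianComments, Action::Read, 1);
    p.grant("Medicine", Component::PhysicianComments, Action::Write, 2);
    p.grant("Medicine", Component::Laboratory, Action::Read, 1);
    p.grant("Medicine", Component::Scans, Action::Read, 1);
    return p;
}

int main() {
    AccessPolicy policy = hospitalPolicy();
    Employee labJunior{1, "Laboratory", 1};
    std::cout << "lab junior may write lab results: "
              << policy.isAllowed(labJunior, Component::Laboratory, Action::Write) << "\n";
    std::cout << "lab junior may read finance data: "
              << policy.isAllowed(labJunior, Component::Finance, Action::Read) << "\n";
    return 0;
}
```

Because a missing grant means denial, a new department or component starts with no access until someone adds a rule for it.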
The integrity of the data in the system is also going to be
optimised using keys. The primary key allows for there to be
only one such data value within an attribute. This will be used
to reduce duplication. Through the use of this primary key,
relationships will be established with other components within
the system (Evans, 2012). This will create foreign keys. This
way, the information in the system will be optimised. It is
important that the data in the system be accurate, timely in
terms of access and relevant in terms of use.
Another concern that preoccupies the software designers is the
relevance of the system to the needs of the clients. It is
therefore important to make the system as specific to the client
needs as possible. This means that most of the components are
created as tasks. After they have been developed, they are then
taken back to the client for approval. This means that the model
follows the steps involved in the Scrum operation.
Static Code Analysis Tools
Static Code Analysis is the process of trying to find
vulnerabilities in code. The results are often general
guidelines that enable you to zero in on the problem. These
techniques for analysing source code are often derived from compiler
technologies. This means that they are similar to the process of
debugging code using a compiler. There are a couple of
guidelines that have to be put in place while using these
techniques.
First, the techniques are likely to give a general guideline on
where the vulnerability exists in the code and not the exact
place. This means that one has to zero in on the issue manually.
Also, the techniques have false positives, where they may
indicate the presence of a vulnerability where one doesn't exist,
and false negatives, where vulnerabilities may occur yet the tool
may not detect them. This means that the tools should not be
trusted as the only method of finding errors since this may lead
to more errors during compilation.
The tools are also not able to find authentication problems and
access control issues. This means that the developers of the
system have to be very wise with their use of these tools due to
the vast authentication and access needs of the system. The
analysts also need to have all the libraries and necessary
compilation instructions for them to be able to use these tools
optimally.
On the plus side, these tools have a high level of scalability and
they can be used with just about any software. They can also be
run repeatedly, for example on nightly builds, to ensure that all
additions to the code have minimal vulnerabilities. They can
also find a number of vulnerabilities in code that will be major
problems in the compilation (Chess and McGraw, 2014).
Techniques that can be used include data flow analysis, control
flow graph and taint analysis. The data flow analysis collects
information about data in software as it is running. The control
flow graph represents the software as nodes and is used to analyse the
paths of the code. The taint analysis is done with user inputs,
where inputs have to be sanitized lest they become vulnerabilities.
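The three techniques fit together as follows: a taint analysis is a data flow analysis computed over the control flow graph. This is an added example, not code from the original paper; the four-operation intermediate representation and the sample program are constructed assumptions. It flags a sink when user input can reach it on any path, so an input sanitized on only one branch is still reported.

```cpp
#include <cstddef>
#include <deque>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Toy intermediate representation (assumed for this example).
enum class Op { Source, Assign, Sanitize, Sink };

struct Stmt {
    Op op;
    std::string dst;  // variable written (empty for Sink)
    std::string src;  // variable read (empty for Source or a constant)
    int line;         // line number in the analysed program
};

// One node of the control flow graph: straight-line code plus successors.
struct Block {
    std::vector<Stmt> stmts;
    std::vector<std::size_t> succ;
};

using TaintSet = std::set<std::string>;

// Data flow transfer function: apply one block to the set of tainted
// variables. When findings is non-null, record sinks fed by tainted data.
static TaintSet transfer(const Block& b, TaintSet state, std::set<int>* findings) {
    for (const Stmt& s : b.stmts) {
        switch (s.op) {
        case Op::Source:    // dst = user input
            state.insert(s.dst);
            break;
        case Op::Assign:    // dst = src, so taint follows the value
            if (state.count(s.src)) state.insert(s.dst);
            else state.erase(s.dst);
            break;
        case Op::Sanitize:  // dst = sanitize(src), so dst is clean
            state.erase(s.dst);
            break;
        case Op::Sink:      // src is used in a sensitive operation
            if (findings && state.count(s.src)) findings->insert(s.line);
            break;
        }
    }
    return state;
}

// Worklist fixed point: a variable is tainted at the start of a block if it
// is tainted at the end of any predecessor (union over incoming paths).
std::set<int> findTaintedSinks(const std::vector<Block>& cfg) {
    std::vector<TaintSet> in(cfg.size());
    std::deque<std::size_t> work;
    for (std::size_t i = 0; i < cfg.size(); ++i) work.push_back(i);
    while (!work.empty()) {
        std::size_t n = work.front();
        work.pop_front();
        TaintSet out = transfer(cfg[n], in[n], nullptr);
        for (std::size_t s : cfg[n].succ) {
            std::size_t before = in[s].size();
            in[s].insert(out.begin(), out.end());
            if (in[s].size() != before) work.push_back(s);  // revisit on change
        }
    }
    std::set<int> findings;
    for (std::size_t i = 0; i < cfg.size(); ++i) transfer(cfg[i], in[i], &findings);
    return findings;
}

// Constructed sample: block 0 reads a name and branches to block 1 or 2,
// which both continue to block 3. Block 1 always sanitizes the name.
std::vector<Block> sampleCfg(bool sanitizeBothBranches) {
    std::vector<Block> cfg(4);
    cfg[0].stmts.push_back({Op::Source, "name", "", 1});
    cfg[0].succ = {1, 2};
    cfg[1].stmts.push_back({Op::Sanitize, "name", "name", 3});
    cfg[1].succ = {3};
    if (sanitizeBothBranches) cfg[2].stmts.push_back({Op::Sanitize, "name", "name", 4});
    cfg[2].succ = {3};
    cfg[3].stmts.push_back({Op::Assign, "query", "name", 5});
    cfg[3].stmts.push_back({Op::Sink, "", "query", 6});
    cfg[3].stmts.push_back({Op::Assign, "limit", "", 7});  // constant value
    cfg[3].stmts.push_back({Op::Sink, "", "limit", 8});
    return cfg;
}

int main() {
    for (int line : findTaintedSinks(sampleCfg(false)))
        std::cout << "tainted data reaches sink at line " << line << "\n";
    return 0;
}
```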
Sample Code.
PatientAccount.h
Software Assurance Process – Management’s Role
(New Content)
Bibliography
Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S.,
Escamilla, R., & Murukan, A. (2013). Improving web
application security: threats and countermeasures. Microsoft
Corporation, 3.
Lee, D. C., Crowley, P. J., Baer, J. L., Anderson, T. E., &
Bershad, B. N. (2008, April). Execution characteristics of
desktop applications on Windows NT. In ACM SIGARCH
Computer Architecture News (Vol. 26, No. 3, pp. 27-38). IEEE
Computer Society.
Avison, D. E., & Shah, H. U. (2007). The information systems
development life cycle: A first course in information systems.
McGraw-Hill.
Evans, J. A. (2012). U.S. Patent No. 6,347,329. Washington,
DC: U.S. Patent and Trademark Office.
Keyhani, S., Hebert, P. L., Ross, J. S., Federman, A., Zhu, C.
W., & Siu, A. L. (2008). Electronic health record components
and the quality of care. Medical care, 46(12), 1267-1272.
Chess, B., & McGraw, G. (2014). Static analysis for security.
IEEE Security & Privacy, 2(6), 76-79.
ENTITY RELATIONSHIP DIAGRAM
(PK = primary key, FK = foreign key)
PATIENT: PATIENT ID (PK), NAME, ADDRESS, CONTACT, INSURANCE PROVIDER, DATE OF BIRTH
EMPLOYEES: EMPLOYEE ID (PK), NAME, ADDRESS, DATE OF BIRTH, EMPLOYMENT DATE, DEPARTMENT
PHYSICIAN COMMENTS: CONSULTATION ID (PK), PATIENT ID (FK1), EMPLOYEE ID (FK2), REFERRAL STATUS, COMMENTS, MEDICATION, BILL ID (FK3), LAB ID (FK4), SCAN ID (FK5)
LABORATORY: LAB ID (PK), TEST DETAILS, TEST RESULTS, COMMENTS, BILL ID (FK1)
SCANS: SCAN ID (PK), SCAN DETAILS, IMAGES, COMMENTS, BILL ID (FK1)
FINANCE: BILL ID (PK), DETAILS, COMMENTS
#include "PatientAccount.h"
#include <string>
#include <cstring>
using std::string;
/* Using strncpy_s instead of strncpy is a security enhancement,
as strncpy_s checks the destination size and ensures that the
result is a null-terminated string. Although the counted "n"
string functions are harder to work with than the uncounted
ones, they are much safer and memory optimised, so they are
the adopted standard for all string constructors in this
project.
*/
// Build a patient record by passing every field through its setter.
PatientAccount::PatientAccount(int patientid, string name,
string address, int contact, string insurer, int DOB)
{
setPatientNumber(patientid);
setName(name);
setAddress(address);
setContact(contact);
setInsurer(insurer);
setDOB(DOB);
}
// Store the supplied id in the patno member.
void PatientAccount::setPatientNumber(int patientid)
{
patno = patientid;
}

More Related Content

Similar to 5 3 6 5   M a e   A n n e   A v e .   S u i t e .docx

Make Your Debriefing Count
Make Your Debriefing CountMake Your Debriefing Count
Make Your Debriefing CountTan Wilson, PMP
 
RFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
RFP 19-15-SSP Moffitt McKinley Center OR#5 RenovationRFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
RFP 19-15-SSP Moffitt McKinley Center OR#5 RenovationWBDC of Florida
 
2024: The FAR, Federal Acquisition Regulations - Part 10
2024:  The FAR, Federal Acquisition Regulations - Part 102024:  The FAR, Federal Acquisition Regulations - Part 10
2024: The FAR, Federal Acquisition Regulations - Part 10JSchaus & Associates
 
Top 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange ChatTop 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange ChatCodeScience
 
Nylex rfi international freight draft
Nylex rfi international freight draftNylex rfi international freight draft
Nylex rfi international freight draftTom Evans
 
MTI Development Award Program
MTI Development Award ProgramMTI Development Award Program
MTI Development Award Programjgogan8
 
MTI Development Award Program
MTI Development Award ProgramMTI Development Award Program
MTI Development Award Programjgogan8
 
Request for ProposalMGMT 393 Group Case ProjectA. INTRODUCTIO.docx
Request for ProposalMGMT 393  Group Case ProjectA.  INTRODUCTIO.docxRequest for ProposalMGMT 393  Group Case ProjectA.  INTRODUCTIO.docx
Request for ProposalMGMT 393 Group Case ProjectA. INTRODUCTIO.docxsodhi3
 
RFP For Logistics Project
RFP For Logistics ProjectRFP For Logistics Project
RFP For Logistics ProjectLevi Williams
 
Nylex rfi international freight nylex
Nylex rfi international freight nylexNylex rfi international freight nylex
Nylex rfi international freight nylexTom Evans
 
11 formalities for setting up a small business enterprise
11 formalities for setting up a small business enterprise11 formalities for setting up a small business enterprise
11 formalities for setting up a small business enterpriseabcde123321
 
Request for ProposalCall Center Hardware Upgrade.docx
Request for ProposalCall Center Hardware Upgrade.docxRequest for ProposalCall Center Hardware Upgrade.docx
Request for ProposalCall Center Hardware Upgrade.docxaudeleypearl
 
proceduretostartsmallscaleindustries-150501004358-conversion-gate01.ppt
proceduretostartsmallscaleindustries-150501004358-conversion-gate01.pptproceduretostartsmallscaleindustries-150501004358-conversion-gate01.ppt
proceduretostartsmallscaleindustries-150501004358-conversion-gate01.pptDrkalaivani2
 
India carbon black industry 2016
India carbon black industry 2016India carbon black industry 2016
India carbon black industry 2016Sophia Jones
 
dynaCERT Investors Presentation February 2016
dynaCERT Investors Presentation February 2016dynaCERT Investors Presentation February 2016
dynaCERT Investors Presentation February 2016Jim Payne
 
RFP1. Project Initiation Phase The purpose of the RFP document.docx
RFP1. Project Initiation Phase The purpose of the RFP document.docxRFP1. Project Initiation Phase The purpose of the RFP document.docx
RFP1. Project Initiation Phase The purpose of the RFP document.docxhealdkathaleen
 
2024: The FAR, Federal Acquisiton Regulations - Part 14
2024: The FAR, Federal Acquisiton Regulations - Part 142024: The FAR, Federal Acquisiton Regulations - Part 14
2024: The FAR, Federal Acquisiton Regulations - Part 14JSchaus & Associates
 
Mindavation - Requirements Enoughness - when is enough enough?
Mindavation - Requirements Enoughness - when is enough enough?Mindavation - Requirements Enoughness - when is enough enough?
Mindavation - Requirements Enoughness - when is enough enough?Haydn Thomas
 

Similar to 5 3 6 5   M a e   A n n e   A v e .   S u i t e .docx (20)

RFP
RFPRFP
RFP
 
Make Your Debriefing Count
Make Your Debriefing CountMake Your Debriefing Count
Make Your Debriefing Count
 
RFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
RFP 19-15-SSP Moffitt McKinley Center OR#5 RenovationRFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
RFP 19-15-SSP Moffitt McKinley Center OR#5 Renovation
 
2024: The FAR, Federal Acquisition Regulations - Part 10
2024:  The FAR, Federal Acquisition Regulations - Part 102024:  The FAR, Federal Acquisition Regulations - Part 10
2024: The FAR, Federal Acquisition Regulations - Part 10
 
Top 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange ChatTop 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange Chat
 
Nylex rfi international freight draft
Nylex rfi international freight draftNylex rfi international freight draft
Nylex rfi international freight draft
 
MTI Development Award Program
MTI Development Award ProgramMTI Development Award Program
MTI Development Award Program
 
MTI Development Award Program
MTI Development Award ProgramMTI Development Award Program
MTI Development Award Program
 
Request for ProposalMGMT 393 Group Case ProjectA. INTRODUCTIO.docx
Request for ProposalMGMT 393  Group Case ProjectA.  INTRODUCTIO.docxRequest for ProposalMGMT 393  Group Case ProjectA.  INTRODUCTIO.docx
Request for ProposalMGMT 393 Group Case ProjectA. INTRODUCTIO.docx
 
RFP For Logistics Project
RFP For Logistics ProjectRFP For Logistics Project
RFP For Logistics Project
 
Nylex rfi international freight nylex
Nylex rfi international freight nylexNylex rfi international freight nylex
Nylex rfi international freight nylex
 
11 formalities for setting up a small business enterprise
11 formalities for setting up a small business enterprise11 formalities for setting up a small business enterprise
11 formalities for setting up a small business enterprise
 
Request for ProposalCall Center Hardware Upgrade.docx
Request for ProposalCall Center Hardware Upgrade.docxRequest for ProposalCall Center Hardware Upgrade.docx
Request for ProposalCall Center Hardware Upgrade.docx
 
How To Respond To An RFP Training
How To Respond To An RFP TrainingHow To Respond To An RFP Training
How To Respond To An RFP Training
 
proceduretostartsmallscaleindustries-150501004358-conversion-gate01.ppt
proceduretostartsmallscaleindustries-150501004358-conversion-gate01.pptproceduretostartsmallscaleindustries-150501004358-conversion-gate01.ppt
proceduretostartsmallscaleindustries-150501004358-conversion-gate01.ppt
 
India carbon black industry 2016
India carbon black industry 2016India carbon black industry 2016
India carbon black industry 2016
 
dynaCERT Investors Presentation February 2016
dynaCERT Investors Presentation February 2016dynaCERT Investors Presentation February 2016
dynaCERT Investors Presentation February 2016
 
RFP1. Project Initiation Phase The purpose of the RFP document.docx
RFP1. Project Initiation Phase The purpose of the RFP document.docxRFP1. Project Initiation Phase The purpose of the RFP document.docx
RFP1. Project Initiation Phase The purpose of the RFP document.docx
 
2024: The FAR, Federal Acquisiton Regulations - Part 14
2024: The FAR, Federal Acquisiton Regulations - Part 142024: The FAR, Federal Acquisiton Regulations - Part 14
2024: The FAR, Federal Acquisiton Regulations - Part 14
 
Mindavation - Requirements Enoughness - when is enough enough?
Mindavation - Requirements Enoughness - when is enough enough?Mindavation - Requirements Enoughness - when is enough enough?
Mindavation - Requirements Enoughness - when is enough enough?
 

More from alinainglis

· Present a discussion of what team is. What type(s) of team do .docx
· Present a discussion of what team is. What type(s) of team do .docx· Present a discussion of what team is. What type(s) of team do .docx
· Present a discussion of what team is. What type(s) of team do .docxalinainglis
 
· Presentation of your project. Prepare a PowerPoint with 8 slid.docx
· Presentation of your project. Prepare a PowerPoint with 8 slid.docx· Presentation of your project. Prepare a PowerPoint with 8 slid.docx
· Presentation of your project. Prepare a PowerPoint with 8 slid.docxalinainglis
 
· Prepare a research proposal, mentioning a specific researchabl.docx
· Prepare a research proposal, mentioning a specific researchabl.docx· Prepare a research proposal, mentioning a specific researchabl.docx
· Prepare a research proposal, mentioning a specific researchabl.docxalinainglis
 
· Previous professional experiences that have had a profound.docx
· Previous professional experiences that have had a profound.docx· Previous professional experiences that have had a profound.docx
· Previous professional experiences that have had a profound.docxalinainglis
 
· Please select ONE of the following questions and write a 200-wor.docx
· Please select ONE of the following questions and write a 200-wor.docx· Please select ONE of the following questions and write a 200-wor.docx
· Please select ONE of the following questions and write a 200-wor.docxalinainglis
 
· Please use Firefox for access to cronometer.com16 ye.docx
· Please use Firefox for access to cronometer.com16 ye.docx· Please use Firefox for access to cronometer.com16 ye.docx
· Please use Firefox for access to cronometer.com16 ye.docxalinainglis
 
· Please share theoretical explanations based on social, cultural an.docx
· Please share theoretical explanations based on social, cultural an.docx· Please share theoretical explanations based on social, cultural an.docx
· Please share theoretical explanations based on social, cultural an.docxalinainglis
 
· If we accept the fact that we may need to focus more on teaching.docx
· If we accept the fact that we may need to focus more on teaching.docx· If we accept the fact that we may need to focus more on teaching.docx
· If we accept the fact that we may need to focus more on teaching.docxalinainglis
 
· How many employees are working for youtotal of 5 employees .docx
· How many employees are working for youtotal of 5 employees  .docx· How many employees are working for youtotal of 5 employees  .docx
· How many employees are working for youtotal of 5 employees .docxalinainglis
 
· How should the risks be prioritized· Who should do the priori.docx
· How should the risks be prioritized· Who should do the priori.docx· How should the risks be prioritized· Who should do the priori.docx
· How should the risks be prioritized· Who should do the priori.docxalinainglis
 
· How does the distribution mechanism control the issues address.docx
· How does the distribution mechanism control the issues address.docx· How does the distribution mechanism control the issues address.docx
· How does the distribution mechanism control the issues address.docxalinainglis
 
· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx
· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx
· Helen Petrakis Identifying Data Helen Petrakis is a 5.docxalinainglis
 
· Global O365 Tenant Settings relevant to SPO, and recommended.docx
· Global O365 Tenant Settings relevant to SPO, and recommended.docx· Global O365 Tenant Settings relevant to SPO, and recommended.docx
· Global O365 Tenant Settings relevant to SPO, and recommended.docxalinainglis
 
· Focus on the identified client within your chosen case.· Analy.docx
· Focus on the identified client within your chosen case.· Analy.docx· Focus on the identified client within your chosen case.· Analy.docx
· Focus on the identified client within your chosen case.· Analy.docxalinainglis
 
· Find current events regarding any issues in public health .docx
· Find current events regarding any issues in public health .docx· Find current events regarding any issues in public health .docx
· Find current events regarding any issues in public health .docxalinainglis
 
· Explore and assess different remote access solutions.Assig.docx
· Explore and assess different remote access solutions.Assig.docx· Explore and assess different remote access solutions.Assig.docx
· Explore and assess different remote access solutions.Assig.docxalinainglis
 
· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx
· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx
· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docxalinainglis
 
· Due Sat. Sep. · Format Typed, double-spaced, sub.docx
· Due Sat. Sep. · Format Typed, double-spaced, sub.docx· Due Sat. Sep. · Format Typed, double-spaced, sub.docx
· Due Sat. Sep. · Format Typed, double-spaced, sub.docxalinainglis
 
· Expectations for Power Point Presentations in Units IV and V I.docx
· Expectations for Power Point Presentations in Units IV and V I.docx· Expectations for Power Point Presentations in Units IV and V I.docx
· Expectations for Power Point Presentations in Units IV and V I.docxalinainglis
 
· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx
· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx
· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docxalinainglis
 

More from alinainglis (20)

· Present a discussion of what team is. What type(s) of team do .docx
· Present a discussion of what team is. What type(s) of team do .docx· Present a discussion of what team is. What type(s) of team do .docx
· Present a discussion of what team is. What type(s) of team do .docx
 
· Presentation of your project. Prepare a PowerPoint with 8 slid.docx
· Presentation of your project. Prepare a PowerPoint with 8 slid.docx· Presentation of your project. Prepare a PowerPoint with 8 slid.docx
· Presentation of your project. Prepare a PowerPoint with 8 slid.docx
 
· Prepare a research proposal, mentioning a specific researchabl.docx
· Prepare a research proposal, mentioning a specific researchabl.docx· Prepare a research proposal, mentioning a specific researchabl.docx
· Prepare a research proposal, mentioning a specific researchabl.docx
 
· Previous professional experiences that have had a profound.docx
· Previous professional experiences that have had a profound.docx· Previous professional experiences that have had a profound.docx
· Previous professional experiences that have had a profound.docx
 
· Please select ONE of the following questions and write a 200-wor.docx
· Please select ONE of the following questions and write a 200-wor.docx· Please select ONE of the following questions and write a 200-wor.docx
· Please select ONE of the following questions and write a 200-wor.docx
 
· Please use Firefox for access to cronometer.com16 ye.docx
· Please use Firefox for access to cronometer.com16 ye.docx· Please use Firefox for access to cronometer.com16 ye.docx
· Please use Firefox for access to cronometer.com16 ye.docx
 
· Please share theoretical explanations based on social, cultural an.docx
· Please share theoretical explanations based on social, cultural an.docx· Please share theoretical explanations based on social, cultural an.docx
· Please share theoretical explanations based on social, cultural an.docx
 
· If we accept the fact that we may need to focus more on teaching.docx
· If we accept the fact that we may need to focus more on teaching.docx· If we accept the fact that we may need to focus more on teaching.docx
· If we accept the fact that we may need to focus more on teaching.docx
 
· How many employees are working for youtotal of 5 employees .docx
· How many employees are working for youtotal of 5 employees  .docx· How many employees are working for youtotal of 5 employees  .docx
· How many employees are working for youtotal of 5 employees .docx
 
· How should the risks be prioritized· Who should do the priori.docx
· How should the risks be prioritized· Who should do the priori.docx· How should the risks be prioritized· Who should do the priori.docx
· How should the risks be prioritized· Who should do the priori.docx
 
· How does the distribution mechanism control the issues address.docx
· How does the distribution mechanism control the issues address.docx· How does the distribution mechanism control the issues address.docx
· How does the distribution mechanism control the issues address.docx
 
· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx
· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx
· Helen Petrakis Identifying Data Helen Petrakis is a 5.docx
 
· Global O365 Tenant Settings relevant to SPO, and recommended.docx
· Global O365 Tenant Settings relevant to SPO, and recommended.docx· Global O365 Tenant Settings relevant to SPO, and recommended.docx
· Global O365 Tenant Settings relevant to SPO, and recommended.docx
 
· Focus on the identified client within your chosen case.· Analy.docx
· Focus on the identified client within your chosen case.· Analy.docx· Focus on the identified client within your chosen case.· Analy.docx
· Focus on the identified client within your chosen case.· Analy.docx
 
· Find current events regarding any issues in public health .docx
· Find current events regarding any issues in public health .docx· Find current events regarding any issues in public health .docx
· Find current events regarding any issues in public health .docx
 
· Explore and assess different remote access solutions.Assig.docx
· Explore and assess different remote access solutions.Assig.docx· Explore and assess different remote access solutions.Assig.docx
· Explore and assess different remote access solutions.Assig.docx
 
· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx
· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx
· FASB ASC & GARS Login credentials LinkUser ID AAA51628Pas.docx
 
· Due Sat. Sep. · Format Typed, double-spaced, sub.docx
· Due Sat. Sep. · Format Typed, double-spaced, sub.docx· Due Sat. Sep. · Format Typed, double-spaced, sub.docx
· Due Sat. Sep. · Format Typed, double-spaced, sub.docx
 
· Expectations for Power Point Presentations in Units IV and V I.docx
· Expectations for Power Point Presentations in Units IV and V I.docx· Expectations for Power Point Presentations in Units IV and V I.docx
· Expectations for Power Point Presentations in Units IV and V I.docx
 
· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx
· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx
· Due Friday by 1159pmResearch Paper--IssueTopic Ce.docx
 

5365 Mae Anne Ave. Suite .docx

  • 1. 5365 Mae Anne Ave. Suite A-29, Reno, Nevada 89523 San Joaquin Valley Market Research Study Request For Proposals
  • 2. March 15 Central Valley Market Research Study Request For Proposal Table of Contents 1. GENERAL INFORMATION 1.1. CORPORATE OVERVIEW 1.2. PURPOSE OF RESEARCH PROJECT
  • 7. 1. General Information 1.1. Corporate Overview Customers have been enjoying the great taste of Port of Subs® sandwiches for 40 years. In 1972, two brothers from New Jersey opened a modest submarine shop in Sparks, Nevada called the “Sub Shop”. John Larsen, a Public Accountant who had been advising the Sub Shop owners, seized the opportunity to purchase an interest in the business and later bought the business in 1975. After taking the helm, Larsen sponsored a community-wide contest to choose a name for the Sub Shop to differentiate it from imitators. In a review of more than 10,000 contest entries, Larsen chose the name… “Port of Subs®”. Between 1975 and 1985 the Larsens developed ten company-owned units. Throughout the years many people approached them asking for units in other cities because the quality and taste of their products were outstandingly unique.
  • 8. Therefore, with the help of Francorp, the nation’s largest franchise consulting firm, the company began franchising in 1985. Over the years, the Port of Subs® brand has become synonymous with quality sandwich making and superior customer service. Port of Subs® made-fresh-to-order sandwiches are prepared while the customer looks on. The unique taste comes from freshly sliced, top quality meats and cheeses, freshly baked breads and zesty dressings and spices. Port of Subs® also offers breakfast grillers, Sliced Fresh Grillers™, fresh salads, chips, an extensive line of party trays, desserts and a variety of refreshing beverages. Currently Port of Subs® has more than 140 units open in seven Western states. Over the years Port of Subs® has developed a proven, effective system of operation that will give you the edge necessary to create a thriving business. 1.2. Purpose of Research Project
  • 9. Port of Subs® (hereinafter, ‘the Agency’) is now soliciting proposals from qualified and licensed entities to provide marketing research that randomly surveys the San Joaquin Valley market region from Modesto to Bakersfield. All proposals submitted in response to this solicitation must conform to the requirements and specifications outlined within this document and any attachments. The Agency seeks to improve customer satisfaction, increase market share, and increase revenue throughout the region by gaining a better understanding of our customers, specifically: • Customer Satisfaction • Brand Awareness • Customer perception of the Port of Subs® brand • Competitive advantages of our major competitors in the region All research received by the chosen firm(s) will become the property of the Agency and will be used by the Agency to make changes that will aid our company’s continued success. 1.3. Project Lots Available The following project lots represent the work available for the firm to propose
  • 10. services for. The firm should carefully review and indicate which lots they are interested in providing services for. The firm may propose services for any number of the lots listed below. The Agency reserves the right to extend an offer for the lot(s) the firm has successfully demonstrated past performance and understanding of the project. A. Customer Satisfaction Research B. Brand Awareness and Perception C. Competitor Evaluation D. Effective Marketing Strategies For Region 1.4. Contact Information/Submission All questions/concerns related to this project should be directed to:
  • 11. Chase Schwarzwalter Marketing Manager San Joaquin Valley Region Phone: 775-747-0555 Email: [email protected] All firms are to ensure delivery of the proposal in duplicate to the following address prior to 5:00pm (PST) on April 20, 2015. Chase Schwarzwalter 5365 Mae Anne Ave. Suite A-29 Reno, Nevada 89523 2. Proposal Terms and Conditions The following subsections include the terms and conditions the firm is to understand and agree to. Failure to agree to any terms or conditions will void the proposal submission of the firm. 2.1. Liabilities of Agency This RFP is only an invitation for proposal and no contractual obligation on behalf of the Agency whatsoever shall arise from the RFP process unless and until a formal contract is signed between the Agency and the firm.
  • 12. This RFP does not commit the Agency to pay any cost incurred in the preparation or submission of any proposal or to procure or contract for any services. 2.2. Confidentiality and RFP Ownership This RFP is both confidential and proprietary to the Agency, and the Agency reserves the right to recall the RFP in its entirety or in part. Firms cannot and agree that they will not duplicate, distribute or otherwise disseminate or make available this document or the information contained in it without the express written consent of the Agency. Firms shall not include or reference this RFP in any publicity without prior written approval from the client, which, if granted, shall be granted by the individual named above. Firms must accept all of the foregoing terms and conditions without exception. All responses to the RFP will become the property of the Agency and will not be returned.
  • 13. 2.3. Proposal Process Management The Agency reserves the right to accept or reject any and all proposals, to revise the RFP, to request one or more re-submissions or clarification from one or more firms, or to cancel the process in part or whole. No firm is obligated to respond to or to continue to respond to the RFP after the submission and closing date. The Agency will, at its discretion, award the contract to the responsible vendor submitting the best proposal that complies with the RFP. The Agency may, at its sole discretion, reject any or all proposals received or waive minor defects, irregularities, or informalities therein. 2.4. Security-Non Disclosure Agreement The firms, as part of the proposal, should sign the non-disclosure agreement to safeguard the confidentiality of the Agency’s business information and data.
  • 14. 3. Proposal Submission Requirements 3.1. Participation All firms interested in submitting a proposal for any lots must confirm their participation within 14 days of receiving this solicitation by submitting an Intent To Respond. A failure to confirm will denote that the firm is not interested in participating and the Agency requires an immediate return of this Request for Proposals. All communication, including the Intent to Respond, should be sent to the email listed in Section 1.4. 3.2. Response & Project Schedule Response Schedule
    March 19, 2015 | RFP made available to firms
  • 15. April 2, 2015 | Deadline for all questions/clarifications
    April 20, 2015 | Response to RFP Deadline (5:00pm)
    April 21-24, 2015 | Bids to be evaluated. Firms may be invited to present solution during this time.
    April 27, 2015 | Contracts extended to chosen Firm(s)
    Project Schedule
    April 28 - May 1, 2015 | Contract Negotiation & Project Clarification
    May 2 – May 22, 2015 | Research and Analysis
    May 25, 2015 | Presentation of findings by Firm(s)
    June 1, 2015 | Distribution of findings to regional store owners
    3.3. Proposal Evaluation Process
  • 16. All submissions will be evaluated based on the following criteria listed in order of priority. Incomplete sections will result in immediate disqualification for the Firm.
    No. | Max Point Value | Factor Type | Factor Description
    1 | 15 | Objective | The Proposed Costs of the overall project(s).
    2 | 15 | Subjective (Technical) | The Demonstrated Understanding of the Requirements.
    3 | 20 | Subjective (Technical) | The Appropriateness of the Technical Approach and the Quality of the Work Plan
    4 | 20 | Subjective (Technical) | The Firm’s Technical Capabilities.
    5 | 25 | Subjective (Technical) | The Firm’s Demonstrated Experience in performing similar work and the Firm’s Demonstrated Successful Past Performance of work substantially similar to that required by this solicitation.
    6 | 5 | Subjective (Technical) | The Overall Quality and Professional Appearance of the Proposal, based upon the opinion of the evaluator(s).
  • 17. Total: 100 Points. Each proposal received will first be evaluated for responsiveness (i.e. meets the minimum of the requirements). Then an evaluation packet will be prepared for each evaluator(s), including the following documents: • Instructions to Evaluators • Proposal Tabulation Form • Recap of each proposer’s responsiveness • Copy of all pertinent RFP documents The Agency anticipates that it will select a minimum of a three-person committee to evaluate each of the responsive “hard copy” proposals submitted in response to this RFP. PLEASE NOTE: No proposer shall be informed at any time during or after the RFP process as to the identity of any evaluation committee member. If, by chance, a proposer does become aware of the identity of such person(s) he/she SHALL NOT make any attempt to contact or discuss with such person anything related to this RFP. Failure to abide by this requirement may (and most likely will) cause such proposer(s) to be eliminated from consideration for award.
  • 18. The following table shows the point range for the evaluation criteria:
    Points Awarded Range | 5 | 10 | 15 | 20 | 25
    Excellent | 5 | 8-9 | 13-15 | 17-20 | 21-25
    Very Good | 4 | 7-8 | 10-12 | 13-16 | 16-20
    Good | 3 | 5-6 | 7-9 | 9-12 | 11-15
    Average | 2 | 3-4 | 4-6 | 5-8 | 6-10
    Poor | 0-1 | 0-2 | 0-3 | 0-4 | 0-5
    To be considered to receive an award a proposer must receive an average score of at least 70 points (of the total 100 points possible). If an award is completed, all proposers will receive by e-mail a Notice of Results of Evaluation. Such notice shall inform all proposers of: • Which proposer received the award • Where each proposer placed in the process as a result of the evaluation of the proposals received • The cost or financial offers received from each proposer • Each proposer’s right to a debriefing and to protest.
  • 19. 3.4. Firm Presentation If required, the firms will be asked to make presentations to the Agency. The Agency shall not be under any obligation to bear any part of the expenses incurred by the basic partners for the presentations. 3.4.1. Contract Negotiations At the completion of the selection process, the Agency will enter into negotiations with the selected firm. Firms should also be aware that the following documents would be included (but not limited to) as attachments to the final contract: • This Request for Proposal. • The firm’s proposal in response – both technical and commercial • Any modifications to the proposal. • An implementation Plan identifying the tasks to be completed with milestones, the assigned responsibilities, and the scheduled completion dates.
  • 20. 3.4.2. Project Management The firm will provide at least but not limited to the following information to the Agency: • The description of the different phases of the project, • The methodology and approach • Specific list of the deliverables by phase the firm intends to provide along the project. • Key performance indicators proposed for service delivery. 4. Proposal Submission Format
  • 21. It is preferable and recommended that the proposer bind the proposal submittals in such a manner that the Agency can, if needed, remove the binding (i.e. “comb-type;” etc.) or remove the pages from the cover (i.e. 3-ring binder; etc.) to make copies, and then conveniently return the proposal submittal to its original condition. The following page includes a list of the content required, but not limited to, be included in the final proposal: 1.0 Signed cover letter 2.0 Firm Overview • Brief History • Mission Statement • Current Scope of Work 3.0 Proposed Services (chosen from Lots Available for Proposal) 4.0 Breakdown Of Project Cost 4.1. Total Cost to Agency 4.2. Itemized Cost List 4.3. Billing Process 5.0 Firm Profile and References (Outlined in Section 5 of RFP) 5.1. Demonstrated Understanding of Agency Requirements 5.2. Technical Approach 5.3. Technical Capabilities 5.4. Managerial Capacity 5.5. Demonstrated Experience/References
  • 22. 6.0 Firm’s Proposed Ideas to Improve Research 7.0 Survey and/or Other Research Methods to be Used 8.0 Equal Employment Opportunity Statement 5. Firm Profile and References 5.1. Demonstrated Understanding of Agency Requirements The Firm should demonstrate their understanding of the project(s) they are proposing on. Please include the following: 1. Understanding of the terms of the RFP and proposal submission 2. Overall understanding of the Agency’s background and current state. 3. Understanding of the Project(s) the Agency wishes to bid on. 4. Understanding of project schedule
  • 23. 5.2. Technical Approach The Firm should address the following key points: 1. Provide information on your current workload and how you would accommodate this project. 2. Describe in detail the process you would follow. 3. Outline the project schedule you would implement to meet the expected deadlines. Describe the methods you would use to maintain this schedule. 4. Describe your method for consensus building, including your role, the methodology employed, the outcome, and a contact person for a recent project where you employed this method. 5. Describe the types of problems you have encountered on similar projects, and explain what you did to resolve the problems and what you would do differently to avoid such problems on future projects. 6. Describe how your firm can add value to this project and the process and include examples of situations from comparable projects where the owner realized tangible value. 5.3. Technical Capabilities
  • 24. The Firm should briefly explain each of these key points: 1. Personnel a. List the professional and support positions and number of personnel in each position. b. Provide an organizational chart, including resumes of all personnel who would be committed to this project. Provide specific information as to their experience on projects similar to this one. For the project manager and project architects identified as part of the project team, provide the name and phone number of two (three, four, your call) clients with whom the architect has worked on a similar building project. c. List professional consultants outside your firm whom you propose would provide services not available in your firm. Provide specific information documenting their work on similar projects.
  • 25. 2. Procedures for maintaining levels of service to all clients and contracts. 3. Equipment and materials available for use on the proposed project. 5.4. Managerial Capacity The Firm must attach current resumes for any owners, partners, or managers that will be directly managing the project(s) being bid on. 5.5. Demonstrated Experience/References The firm should include the following: 1. A minimum of 3 projects of substantially similar scope and workload. Include for each: a. Company Name b. Mission Statement c. Company Size d. Area Serviced e. Project Description (approximately 500 words) 2. 3 additional client references (may be different types of projects). Include for each: a. Partner Name & Title b. Phone Number c. Mailing Address
  • 26. 6. Sample Questionnaire The following limited sample questionnaire is the direction the Agency expects Firms to pursue in regard to: • Customer attitudes and perceptions of Port of Subs® • And Customer Satisfaction The agency expects a 98% chance of statistical accuracy. Port of Subs® Customer Survey The purpose of this survey is to help Port of Subs® better understand their customers and provide the greatest experience possible. Your answers are important to us. Thank you for taking the time to fill out the survey. 1. What is your age? ❏ Under 18 ❏ 19-25
  • 27. ❏ 26-30 ❏ 31-40 ❏ 41-50 ❏ 51-60 ❏ 61-70 ❏ 71-80 ❏ Over 80 2. What is your gender? ❏ Male ❏ Female ❏ Other 3. How did you hear about us? ❏ Advertisement ❏ Social Media ❏ Yelp or similar app ❏ Another person ❏ I hadn’t heard of Yogurt Etc. prior to my first visit ❏ Other 4. How many times have you visited Port of Subs in the past 12 months? ❏ This is my first visit ❏ 1-3 ❏ 4-10 ❏ 10+ Please indicate your level of agreement with the following statements.
  • 29. Strongly Agree 6. Port of Subs restaurants are always clean. ☐ ☐ ☐ ☐ ☐ 7. The quality of food is excellent. ☐ ☐ ☐ ☐ ☐ 8. The portion size is satisfactory. ☐ ☐ ☐ ☐ ☐ 9. The food is a good value for the money spent. ☐ ☐ ☐ ☐ ☐ 10. I enjoyed the amount of choices Port of Subs provides. ☐ ☐ ☐ ☐ ☐ 11. The service was fast ☐ ☐ ☐ ☐ ☐ 12. The service was friendly ☐ ☐ ☐ ☐ ☐ 13. Overall, I am satisfied with my Port of Subs experience. ☐ ☐ ☐ ☐ ☐ 14. I will return to Port of Subs in the next 3 months or less. ☐ ☐ ☐ ☐ ☐ 15. I will tell a friend about Port of Subs. ☐ ☐ ☐ ☐ ☐ 16. How many times per week do you eat out? ________ 17. How many times per week do you eat at Port of Subs? ___________ Thank You!
  • 30. The following simulated response table and charts represent the type of information the Agency wishes to receive, along with the firm’s analysis of the findings.
  • 35. 7. Non-Disclosure Agreement All work performed pursuant to this RFP must conform and comply with all applicable local, state and federal codes, statutes, laws and regulations. [Chart: How many times per week do you eat out?]
  • 37. Software Assurance CSS321 Software Assurance Process – Management’s Role John Doe Jr. 22 March 2017 Contents: Background; Product Overview
  • 38. Departmental Organization; System Design Life Cycle; Software Assurance Techniques; Desktop applications; Web Application and Database Application; Security in Nontraditional Development Models; Summary of the major steps and potential threats; Policies and processes that reduce threats; Security Static Analysis Tools; System Design; Software Assurance Policies and Processes; Static Code Analysis Tools; Software Assurance Process – Management’s Role (New Content); Bibliography. Background
  • 39. ABC is a software development company. It is a medium enterprise that has a wide range of clients from all over the country. The company has its headquarters in Miami, Florida and branches in the United States. The company is making plans to expand out of the United States beginning with Mexico and Canada. ABC focuses on the development of custom-made application software. This means that most of the software created in the firm is specifically requested by the clients. However, some generic software is also created which can later be purchased by a client and re-engineered to fit their specific needs. The software assurance guidelines used by the company are specific to the type of software made. Desktop applications have different assurance specifications from web applications. The guidelines specified will be implemented from development all the way to the client organization. The software guidelines can only be efficient when both the developers and the users adhere to them. Product Overview The company does provide a number of software applications for the government. These applications include Account Pro, which is accounting software. It is desktop software and it is very optimal. The company also provides the government with a police record system. This application is web based and it relies heavily on the internet and the local area networks of the police stations. The application is optimized by a database that stores all of the information. Departmental Organization The firm is organized into four different departments. The first department deals with installation and maintenance of software. This is the after sale services department. This department is vital in the company since software often requires patchwork and maintenance. The second department is the specifications research department. This department works hand in hand with
  • 40. the clients to determine the software that the clients require most and they communicate these requirements to the development department that is made up of developers who code and test the applications. The marketing and sales department ensures that the company has good public relations and stays relevant among the clients. System Design Life Cycle The system design life cycle that is used in the organization is quite traditional and standard. The first phase is planning and information gathering. In this phase the system requirements are gathered and information is gathered from the users. In the next phase, this information is organized and a system is proposed that will be able to solve the problems. Next is the design phase where the coding is done to develop the system. After coding, the system is taken into testing and debugging. If it is optimal, it is taken into the implementation phase where it is introduced to the clients. Maintenance is the last phase that requires updates and patches which leads us back to the first stage and it becomes a cycle (Avison and Shah, 2007). Software Assurance Techniques The guidelines are applied in the phases by ensuring that the specifications gathered are exactly what the client wants. The system design and coding are optimized by debugging and testing, and the people who will be in contact with the system are supposed to be trained in the implementation phase so that they are able to use the system optimally and avoid performing tasks that may be detrimental to the application. ABC Company produces software that is consumed by the United States government. The company produces desktop, web and database applications. The software that the company
  • 41. produces will be analyzed in this section to determine the security and performance risks associated with all of these applications as well as the possible implications that these risks may have for the clients. For each risk, techniques for software assurance will be proposed, along with how these techniques can be applied to ensure that the application is optimized at all times. Desktop applications ABC Company offers a wide range of desktop applications. However, the most robust of all these applications that have been sold to the government is the Account Pro application. This is software that is installed on a workstation computer and it enables the user to perform complex accounting functions rather easily. However, the person manipulating it must have both accounting and information technology knowledge so that he or she can manipulate the software well. The software does not do all the accounting independently and it requires the expertise of an accountant to be able to function best. This accountant must also be conversant with information technology knowledge in order to operate the application. The application has all the characteristics of a desktop application. This means that it is at a lower risk of intrusion from the internet and other forms of attacks. However, it is still cumbersome to install and maintain. This is why maintenance and installation have to be done independently on every workstation. The ease of access is also reduced since the user has to move to the physical location of the computer with the application in order to access it (Lee et al., 2008). This makes the use of desktop applications unfavorable due to the cumbersome nature. However, the application is very robust and optimized as far as security is concerned. Guidelines such as the use of user authentication have been put in place to make sure that unauthorized users do not get access to the application.
The main threat that the clients face while using this application is
  • 42. however, not from third party intrusion but rather from it becoming outdated (Lee et al., 2008). This can reduce the general productivity of the application making it harder for it to be used to solve most if not all of the accounting problems of the client. This will make it inefficient. The application can become outdated and after five to 10 years, it will no longer satisfy the organizational needs that had been identified. Thus, to mitigate this threat, regular maintenance is done on the application and any new requirements are added to the application. This maintenance and patchwork is an aftersales service that the government is happy to pay for. Web Application and Database Application The web applications sold by the company are often optimized by a database thus making them two in one. The developers prefer the PHP platform to develop these web-based applications and the database server most used is SQL. The two platforms work well together once linked to create an optimal application. The company sold a web-based application to the police department in south Miami that has been able to help them keep records of the statements made by the public and the arrests that have been made on these statements. This system has also helped them keep record of the development of these cases. Such a system is easier to use than a desktop application since it can be accessed from anywhere as long as the user has an internet connection and access to the police local area network. It is also easier to install and maintain since the installation is done on a central server and all the users access it in a client-server architecture. This means that the users access it through a web browser (Meier et al., 2013). However, this application comes with a high risk of third party intrusion. This means that the application can be accessed by an unauthorized third party. Such access can cause the organization of the client to be vulnerable and their records to be tampered with.
This can cause unprecedented losses. To handle this, the application does have user authentication and user accounts
  • 43. with logs to help monitor the activities of each user and identify unusual activity. However, the LAN in the police department also needs to be optimized with firewalls and honeypots (Meier et al., 2013) to ensure that any third party that tries to access the network, and thus the application, through hacking or cracking is not able to do so. Another threat that the clients may experience is the need for scaling. The records will increase in number, and with time the department will require a larger database with a larger capacity to hold all the records available. This scaling is done through maintenance by slowly expanding the database as the requirements of the user increase. The functionality of the application is also updated regularly.

    Security in Nontraditional Development Models

    Software security involves combining several strategies to develop integrity, privacy, availability, usability and confidentiality. There are various non-traditional development models that can be used to achieve these objectives and various ways to reduce security threats using agile development models such as Scrum. ABC Corporation will use the Scrum methodology. Scrum provides a firm with freedom to execute most operations. One of its most important aspects is the elimination of a regular manager. The following is an overview of the important concepts involved in the model (Avison and Shah, 2007).

    Summary of the major steps and potential threats

    The Scrum team has three roles. The first is the Product Owner, who represents the stakeholders and clients. The Scrum Master, on the other hand, helps in eliminating problems, while the Developers have the skills to transport products within the system. Stories are the needs that are stated from the perspective of the clients. Product Backlog is a list of
  • 44. requirements, stories, and objects that need completion so that they can provide the end product. Tasks and subtasks represent steps created based on backlog items. In the sprint planning, the members of the team select objects from the backlog that need to be finished in the subsequent sprint (Lee et al., 2008). The sprint works as the platform in which tasks are completed. It is during the sprints that items are redefined, deleted or added. The Daily Scrum is where team members meet, discuss the previous achievements and focus on the upcoming activities. The definition of done is a criterion for examining whether items are ready after a test is performed. The sprint review occurs at the final stage; the teams check for any issues that emerged after completion of every sprint (Avison and Shah, 2007). The sprint retrospective is where the members of the team look at the final product and do reviews. It is at this point that members can reflect on the activities and make suggestions for further developments. This is a summary of the steps involved in the Scrum operation. First, the Product Owner develops a wish list known as a product backlog. Secondly, in the sprint planning, the team takes the top priorities from the wish list and describes the ways of implementing the pieces. Thirdly, the team takes some time, such as four weeks, to ensure completion of the task. It is important to understand that the team will have daily meetings to ensure there is satisfactory progress. The Scrum Master has the function of making sure the team focuses on the primary goal (Meier et al., 2013). At the end of the sprint, the task will be completed and can be transported to the clients or presented to the stakeholders for assessment. In the end, there will be a sprint review and a retrospective. When dealing with Scrum there are various security threats.
For instance, in each Sprint approach, there are issues with security flaws that might allow hackers to access the crucial information of the company. In this case, there is a need to employ experts to help in the management of the risks. Another mitigation strategy is the addition of extra testers to
  • 45. perform regular checkups on the system. Another risk that might occur is the lack of enough time to address potential security threats. An example of a risk is the emergence of viruses that might adversely affect critical information. In such a case, the clients will be informed of the occurrence of the issue and a way will be sought to stop any further destruction by the virus. The firm will also have to commit other resources to address the problem (Lee et al., 2008). In summary, if a threat is critical, there will be a need to carry out urgent action. The critical issue will have to be dealt with on a daily basis to ensure there are effective measures in place to stop the threat. The organization members will have to notify the senior management of the risk. On the other hand, when the issue is minimal, the review of the system would be carried out quarterly.

    Policies and processes that reduce threats

    There are various security regulations provided to minimize risks. The first activity is the development of artifacts. They include security architecture, the definition of security threats, risk analysis, and the process of setting guidelines to reduce the effects of the risks. ABC Company should have a group of security developers that will be in charge of maintaining security; this is crucial because duties will be delegated to the members of the team and a single individual will not perform many tasks (Meier et al., 2013). First, there is a need to provide training on particular technologies like database engines, frameworks, and operating systems. Secondly, to reduce threats, there is a need to provide a proper review of the interface, code and test cases. Another policy that is critical to the reduction of security threats is to utilize security testing to ensure everything is secure. The other process is the establishment of safety audits at any particular time in the project.
Finally, reviews are developed after completion of objects in the backlog and time checks are developed at control points.
  • 46. Security Static Analysis

    System Design

    ABC Company has produced a number of electronic medical systems. These medical systems are capable of aiding government hospitals in keeping their records and in other administrative purposes that help the hospitals give better care to their customers and be more efficient in delivering health services to their clients. These medical information systems are usually comprehensive systems that may vary in scope depending on the various needs of the hospital. A generic Medical Information System has the capacity to capture patient information. This means that it has a database to hold patient information such as the name, address, date of birth and sex. This data is held in a database and is accessible remotely by the patients. Each patient is able to view the data that the hospital is holding about them, and they can request that it be edited or deleted. This data is also not to be shared without the patient's consent or for a purpose that the patient isn't aware of. This is in accordance with federal legislation about the privacy of medical data held by medical institutions. The Health Information Portability and Accountability Act (HIPAA) is the legislation that the system designers have to have in mind while creating this entity in the database and this component within the system (Keyhani et al., 2008). The system also requires a component that will hold company information. This will have the data of the employees of the organisation and the roles that they play within the
  • 47. organization. This includes rank and the amount of time they have worked with the hospital, as well as other information such as name, date of birth, sex, address and department. This component is key, since it will be used to create access levels for the various users so as to improve the security of the information in the system. There needs to be a component that will capture the physician's comments about the patients. This component will be updated each time the patient visits the hospital. The patient's progress will be captured in this component within the system. The company is also connected to other components within the system. The next component that should be present in an electronic medical system is the laboratory component. This component captures the laboratory results of each patient who is given special tests. These laboratory results need to be held in a different component from the one that captures physician comments, since the data is more technical and the fields may cause redundancy in the physician comments component. Thus, it is best to have a relationship to this component instead of combining these components (Keyhani et al., 2008). The scan component captures the information regarding the scans that have been performed, as well as the comments regarding these scans. This component is also able to store image information of the exact scans. It will have a relationship with the physician comments component. This way, the data will be captured without making the data in the physician comments component redundant or leaving null fields. The finance component is the final component of most medical systems. This component captures the cost of the services rendered by the hospital and the payments. If the payment is made on the spot, this component's functions end there. Otherwise, the component allows for billing an insurance claim to the insurance provider that covers the patient.
Software Assurance Policies and Processes
  • 48. The system may have a number of security issues if it isn't optimised. The first component described, that of patients, may be the most difficult component to create with regard to security issues. This is because it allows the patients to access it remotely so that they can view the information that the hospital is holding. This makes the system vulnerable, since hackers can easily gain access to user information. Therefore, optimising this component will include thorough authentication measures. This includes the use of usernames, passwords and PINs. The patients must be advised that they should not share their passwords and PINs with any other person. The PINs should also expire on a weekly basis so that the clients will be prompted to create another PIN or password. This will help reduce the amount of hacking through this portal. The employee component is also one that will help the rest of the system to be optimised. This component will capture the information of the employees, and from this information, user access levels will be created. This means that the employees will only have access to functions and data in the system that are relevant to their job description. Depending on the department of the employee and the rank that they have within the hospital, they can access different components and functionality within the system. This helps reduce the amount of unauthorised access to the data in the system. The integrity of the data in the system is also going to be optimised using keys. The primary key allows for there to be only one such data value within an attribute. This will be used to reduce duplication. Through the use of this primary key, relationships will be established with other components within the system (Evans, 2012). This will create foreign keys. This way, the information in the system will be optimised.
It is important that the data in the system be accurate, timely in terms of access and relevant in terms of use. Another concern that preoccupies the software designers is the relevance of the system to the needs of the clients. It is
  • 49. therefore, important to make the system as specific to the client's needs as possible. This means that most of the components are created as tasks. After they have been developed, they are then taken back to the client for approval. This means that the model follows the steps involved in the Scrum operation.

    Static Code Analysis Tools

    Static Code Analysis is the process of trying to find vulnerabilities in code. The results are often general guidelines that enable you to zero in on the problem. These techniques for analysing source code are often derived from compiler technologies. This means that they are similar to the process of debugging code using a compiler. There are a couple of guidelines that have to be kept in mind while using these techniques. First, the techniques are likely to give a general guideline on where the vulnerability exists in the code and not the exact place. This means that one has to zero in on the issue manually. Also, the techniques have false positives, where they may indicate the presence of a vulnerability where one doesn't exist, and false negatives, where a vulnerability may occur yet the tool may not detect it. This means that the tools should not be trusted as the only method of finding errors, since this may lead to more errors during compilation. The tools are also not able to find authentication problems and access control issues. This means that the developers of the system have to be very wise in their use of these tools, given the vast authentication and access needs of the system. The analysts also need to have all the libraries and necessary compilation instructions to be able to use these tools optimally. On the plus side, these tools have a high level of scalability and they can be used with just about any software. They can also be run repetitively, for example on nightly builds, to ensure that all
  • 50. additions to the code have minimal vulnerabilities. They can also find a number of vulnerabilities in code that will be major problems in the compilation (Chess and McGraw, 2014). Techniques that can be used include data flow analysis, control flow graph and taint analysis. The data flow analysis collects information about data in software as it is running. The control flow graph represents the software as nodes in order to analyse the paths through the code. The taint analysis is done with user inputs, where inputs have to be sanitized lest they become vulnerabilities.

    Sample Code. PatientAccount.h

    Software Assurance Process – Management’s Role (New Content)

    Bibliography
  • 51. Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2013). Improving web application security: threats and countermeasures. Microsoft Corporation, 3.
    Lee, D. C., Crowley, P. J., Baer, J. L., Anderson, T. E., & Bershad, B. N. (2008, April). Execution characteristics of desktop applications on Windows NT. In ACM SIGARCH Computer Architecture News (Vol. 26, No. 3, pp. 27-38). IEEE Computer Society.
    Avison, D. E., & Shah, H. U. (2007). The information systems development life cycle: A first course in information systems. McGraw-Hill.
    Evans, J. A. (2012). U.S. Patent No. 6,347,329. Washington, DC: U.S. Patent and Trademark Office.
    Keyhani, S., Hebert, P. L., Ross, J. S., Federman, A., Zhu, C. W., & Siu, A. L. (2008). Electronic health record components and the quality of care. Medical Care, 46(12), 1267-1272.
    Chess, B., & McGraw, G. (2014). Static analysis for security. IEEE Security & Privacy, 2(6), 76-79.

    PATIENT: PK PATIENT ID; NAME; ADDRESS; CONTACT; INSURANCE PROVIDER; DATE OF BIRTH
    EMPLOYEES: PK EMPLOYEE ID; NAME; ADDRESS; DATE OF BIRTH; EMPLOYMENT DATE; DEPARTMENT
  • 52. PHYSICIAN COMMENTS: PK CONSULTATION ID; FK1 PATIENT ID; FK2 EMPLOYEE ID; REFERRAL STATUS; COMMENTS; MEDICATION; FK3 BILL ID; FK4 LAB ID; FK5 SCAN ID
    LABORATORY: PK LAB ID; TEST DETAILS; TEST RESULTS; COMMENTS; FK1 BILL ID
    SCANS: PK SCAN ID; SCAN DETAILS; IMAGES; COMMENTS; FK1 BILL ID
    FINANCE: PK BILL ID; DETAILS; COMMENTS

    ENTITY RELATIONSHIP DIAGRAM Table

    #include "PatientAccount.h"
    #include <string>
    #include <cstring>
    using std::string;
  • 53.
    /* Using strncpy_s instead of strncpy is a security enhancement: strncpy_s
       takes the size of the destination and ensures that the copied values are
       properly terminated strings. Although the counted ("n") string functions
       are harder to work with than the uncounted ones, they are much safer and
       memory optimised, so they are the adopted standard for all string
       constructors in this project. */
    PatientAccount::PatientAccount(int patientid, string name, string address,
                                   int contact, string insurer, int DOB)
    {
        setPatientNumber(patientid);
        setName(name);
        setAddress(address);
        setContact(contact);
        setInsurer(insurer);
        setDOB(DOB);
    }

    // Store the supplied patient ID in the patno member.
    void PatientAccount::setPatientNumber(int patientid)
    {
        patno = patientid;
    }
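The comment in the sample code prefers counted, size-aware copies over strncpy. The block below is an added example, not part of the original PatientAccount code: it contrasts strncpy with a portable counted copy modelled on that style. NAME_LEN, is_terminated, copy_with_strncpy and bounded_copy are hypothetical names, and bounded_copy is not a drop-in replacement for strncpy_s.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical fixed-size field; the length is chosen for this example.
constexpr std::size_t NAME_LEN = 16;

// True if buf contains a NUL terminator within its first n bytes.
bool is_terminated(const char* buf, std::size_t n) {
    return std::memchr(buf, '\0', n) != nullptr;
}

// Risky pattern: strncpy copies at most NAME_LEN bytes and writes no
// terminator when the source is NAME_LEN characters or longer.
void copy_with_strncpy(char (&dst)[NAME_LEN], const std::string& src) {
    std::strncpy(dst, src.c_str(), NAME_LEN);
}

// Counted copy: the destination size is explicit, the result is always
// terminated, and an over-long source is rejected (destination becomes the
// empty string) instead of being silently truncated.
bool bounded_copy(char* dst, std::size_t dst_size, const std::string& src) {
    if (dst == nullptr || dst_size == 0) return false;
    if (src.size() >= dst_size) {  // no room for the text plus terminator
        dst[0] = '\0';
        return false;
    }
    std::memcpy(dst, src.data(), src.size());
    dst[src.size()] = '\0';
    return true;
}

int main() {
    const std::string long_name(NAME_LEN, 'A');  // constructed over-long input
    char a[NAME_LEN];
    copy_with_strncpy(a, long_name);
    std::cout << "strncpy result terminated: " << is_terminated(a, sizeof a) << '\n';
    char b[NAME_LEN];
    std::cout << "bounded_copy accepts over-long input: "
              << bounded_copy(b, sizeof b, long_name) << '\n';
    std::cout << "bounded_copy accepts short input: "
              << bounded_copy(b, sizeof b, "Jane Doe") << " -> " << b << '\n';
}
```

A caller that receives false from bounded_copy should reject the record rather than store the emptied field.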
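The taint analysis named under Static Code Analysis Tools can be shown on a very small scale. The following is an added example, not taken from the original document or from any real analysis tool: it propagates taint forward through a constructed straight-line program and reports the sinks that receive unsanitized input. The Stmt layout, the Op names and the sample program are assumptions, and branches and loops are not handled.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

enum class Op { Source, Const, Assign, Sanitize, Sink };

struct Stmt {
    int line;
    Op op;
    std::string dst;  // variable written (empty for Sink)
    std::string src;  // variable read (empty for Source and Const)
};

// Forward taint propagation over straight-line code: returns the line
// numbers of sinks that receive a value derived from unsanitized input.
std::vector<int> find_tainted_sinks(const std::vector<Stmt>& prog) {
    std::set<std::string> tainted;
    std::vector<int> findings;
    for (const Stmt& s : prog) {
        switch (s.op) {
        case Op::Source:   tainted.insert(s.dst); break;  // user input
        case Op::Const:                                   // literal value
        case Op::Sanitize: tainted.erase(s.dst); break;   // cleaned copy
        case Op::Assign:                                  // taint follows the data
            if (tainted.count(s.src)) tainted.insert(s.dst);
            else tainted.erase(s.dst);
            break;
        case Op::Sink:
            if (tainted.count(s.src)) findings.push_back(s.line);
            break;
        }
    }
    return findings;
}

// Constructed sample: a form field flowing into a database query.
std::vector<Stmt> sample_program() {
    return {
        {1, Op::Source,   "name",  ""},       // name  = form field
        {2, Op::Assign,   "query", "name"},   // query = name
        {3, Op::Sink,     "",      "query"},  // run query: tainted
        {4, Op::Sanitize, "safe",  "name"},   // safe  = sanitize(name)
        {5, Op::Sink,     "",      "safe"},   // run safe: clean
        {6, Op::Const,    "name",  ""},       // name  = literal
        {7, Op::Sink,     "",      "name"},   // run name: clean
    };
}

int main() {
    for (int line : find_tainted_sinks(sample_program()))
        std::cout << "unsanitized input reaches the sink on line " << line << '\n';
}
```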