Solved

Web Database Contract, How much to build something like this. An estimate is fine.

Posted on 2014-07-28
Last Modified: 2014-08-08
To Create a Database for Customer Input (Secure Web Based)
      1. Project Goal
      2. Setup and Structure – Brief Scope Of Work
      3. Development Costs
      4. Maintenance

      1. Project Goal
Customer requires a secure, web-based data management portal for the collection of client information across various programs.
Website Project Highlights:
      1. Web based for universal access via standard web browser
      2. Compatible with desktop and mobile OS (Windows, iPad, iPhone, Android)
      3. Layered security
      a. Secure login and session time-outs (auto-logout)
      b. SSL in-transit encryption of all web pages
      c. Select database fields private-key encryption
      d. Separate user logins with login tracking
      e. Multi-level user access rights
      4. VPS hosting with HIPAA compliant provider

      2. Structure – Brief Scope Of Work
The purpose of the website is to facilitate management of client information into a central and secure data management portal.

Hosting
Developer will create a Virtual Private Server with a HIPAA compliant hosting provider. The VPS server will house the web server, database server, firewall, and other necessary hosting software. At project completion, Developer will hand off the responsibilities of hosting to Customer IT department.
Developer will be responsible for:
      1. All access to secure information will take place over https (secure http) using a valid SSL certificate.
      2. Any database systems will block connections via firewall rules except from your website server.
      3. Select database information will be encrypted with a private key.
      4. Security scans will be done by the provider to identify possible and emerging security flaws in the web applications and scripts.
 

Customer will be responsible for:
      1. Providing a valid DNS name for the hosting (https://secure.customer.org or similar).
      2. Provide a name, contact, and responsible party for the SSL certificate signing.
      3. Maintaining the VPS server after Customer releases the program to Customer.

Database Structure Setup
Developer will create all the necessary databases, tables, and encryption routines
Developer will be responsible for:
      1. Setup all master database tables and login tables
      2. Create all user and rights management tables
      3. Create all data collection tables (approximately 28 programs as stated by customer)
      4. Create all tracking and auditing tables
      5. Import existing customer data into the appropriate data collection tables from CSV, TXT, or compatible Excel spreadsheet. Data must be provided in a usable, manageable data format.

CUSTOMER will be responsible for:
      1. Providing the table structure for each of the 28 programs (collected data)
      2. Providing existing client data in usable data format to import.
      3. Generate a private key for database encryption (32 unique characters)

Website Programming
Developer will create all the necessary website pages required for this project. Pages include but are not limited to html, cfml, cfm, ajax, jQuery, and other support pages. Developer will also develop all security scripts and database scripts necessary to complete the project.
Website Data
It is assumed there are 28 program areas as described by Customer. Customer will be required to provide a complete breakdown of all the fields (data collection) necessary in each of the 28 programs. A preliminary breakdown of the data collected is below; however, it is not considered complete. Developer understands that fields may be omitted and/or added for each of the 28 programs.
MIS#, Client name (first, last), case manager (first, last), admit date, coor services plan exp date, coor ser due date, cin#, mcl issue date, ins, bic/ssn, dob, pfi due date, client phone, sfpr, diagnosis, goals, address (address, city, state, zip)  

Website User Levels and Rights
The website data entry and management will be separated into 28 “programs” with varying degrees of add/edit/view rights dependent upon user level. Only 3 sample program setups are shown below. (PHI = Personal Health Information)
[Organization chart of the sample program setups:]
ADMINISTRATOR
      Program 1: PROGRAM MANAGER; KEYER (Data Entry); STAFF, STAFF, STAFF
      Program 2: PROGRAM MANAGER; KEYER (Data Entry); STAFF, STAFF, STAFF, STAFF; KEYER (Data Entry)
      Program 3: PROGRAM MANAGER; KEYER (Data Entry); STAFF
      Programs 4-28: Viewer, Viewer, Viewer
      PHI levels shown under the STAFF accounts: PHI Level 1, PHI Level 1, PHI Level 3, PHI Level 4, PHI Level 3, PHI Level 3, PHI Level 2, PHI Level 3
Administrator – Top level user. Assigned global rights over all users in all programs
Program Manager – Sub level user. Has rights only within the assigned program.
Keyer – Data entry user. Ability to add/edit/delete data within a program
Staff – Ability to view data assigned to them within a program. PHI level assignment restricts what data is viewable on their screen.
Viewer – Temporary “view only” account. Can view data from any staff account within a program. No edit ability. Limited.
*General Note - Data is never deleted but rather ‘archived’. Data deleted will be removed from screens but is archived as necessary for later retrieval.  

ADMINISTRATOR
The administrator is the top tier level.
      1. Add/Edit/Delete PROGRAM MANAGERS
      2. Add/Edit/Delete KEYERS
      3. Add/edit/delete STAFF
      4. Enter/edit/delete client data for any program
      5. View data for any program

PROGRAM MANAGER
The program manager is a sub-level administrator. They have similar functions to an administrator but are limited to items within their program group.
      1. Add/Edit/Delete KEYERS
      2. Add/edit/delete STAFF
      3. Enter/edit/delete client data within selected program
      4. View data within selected program

KEYER
The keyer is a data entry account. Keyers have the ability to enter and edit information but they cannot edit or create users.
      1. Add/Edit/Delete client information
      2. Add/Edit/Delete KEYERS
      3. Add/edit/delete STAFF
      4. Enter/edit/delete client data for assigned program
      5. View data for assigned program

STAFF
The staff account is a ‘view only’ account. It can only view client data assigned to that account. The data displayed on the screen is described by the 4 levels of PHI (provided by Customer).
      1. View data for assigned program

VIEWER
The viewer account is a ‘view-only’ account. It is similar to the staff account as it can only view data information; however, it is NOT limited by the PHI and can view all data in the assigned program.
Question by:joevisokey

Author Comment

by:joevisokey
I Understand that, I was just trying to get a feel from professionals on an estimate of what it would cost. Thank you.
LVL 34

Expert Comment

by:Gary Patterson
These requirements are a good start, but not enough - at least for me - to produce an estimate.    If a client handed this to me, I'd need to do additional discovery before I'd provide an estimate.

It doesn't look like a huge project.  I'd say more than US$5K, and less than US$50K - just based on what is in front of me.  That includes additional requirement gathering, specifications, coding, and testing.

I don't think it would take a lot more to be able to produce a reasonable estimate, but hard to say without actually talking to the client.

Hope that helps.

Check out my EE profile: http://www.experts-exchange.com/members/Gary_The_IT_Pro.html
LVL 69

Assisted Solution

by:ScottPletcher
ScottPletcher earned 250 total points
I agree: there is too much left unanswered here to do a full estimate.

But I'd say the quote would definitely be above $5,000, particularly given the number of security levels.  Just making that alone work properly will take some strong effort.
LVL 34

Accepted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
@ScottPletcher:  I agree that $5K isn't a good starting point, and that this is likely more.  I wasn't giving an estimate as much as making the point that the range is wide.

Personally, I don't see the role-based authorization requirements as that big a deal.  This is apparently a ColdFusion application (due to the mention of cfm/cfml), and ColdFusion has a built-in authorization and authentication framework, which includes role-based security.  Even without ColdFusion, there is no need to build authorization from scratch - there are plenty of tools and techniques available to implement authorization that meets these requirements without reinventing the wheel.

For me, one of the potentially "big" expensive requirements is this one:

Security scans will be done by the provider to identify possible and emerging security flaws in the web applications and scripts.

"Security scans" is ambiguous.  It could refer to active or passive vulnerability scanning of the running application, penetration testing, source code vulnerability scans, or some combination of the above.  I'd want a detailed explanation of this requirement, including any specific required tools, reporting, and client acceptance criteria.  Licensing certain source vulnerability scanning tools alone, for example, can cost tens of thousands of dollars.  The alternative is to hire a security firm to assist with security scans, and that can be very expensive, too.

Just one in a list of reasons that there is no way to estimate this based on the information provided.
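The user levels and PHI restrictions in the scope of work above, and Gary Patterson's point that the role-based authorization is tractable, as an added policy model written for this thread (not the asker's spec code and not ColdFusion's framework): the role names and rules are the page's; the field-to-PHI-tier mapping, the "assigned staff" representation and the Python form are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed assumption: the lowest Staff PHI level allowed to view each collected field
# (field names follow the scope of work; the page leaves the actual mapping to the customer).
PHI_TIER = {
    "mis_no": 1, "client_name": 1, "case_manager": 1, "admit_date": 1,
    "client_phone": 2, "address": 2, "dob": 2,
    "diagnosis": 3, "goals": 3,
    "bic_ssn": 4, "ins": 4, "cin_no": 4,
}

@dataclass
class User:
    name: str
    role: str                      # Administrator | Program Manager | Keyer | Staff | Viewer
    program: Optional[int] = None  # None only for the Administrator, who has global rights
    phi_level: int = 4             # Staff only; level 4 sees every field

@dataclass
class ClientRecord:
    mis_no: str
    program: int
    fields: dict
    assigned_staff: FrozenSet[str] = frozenset()  # Staff see only records assigned to them
    archived: bool = False

def in_scope(user: User, rec: ClientRecord) -> bool:
    return user.role == "Administrator" or user.program == rec.program

def can_edit(user: User, rec: ClientRecord) -> bool:
    """Enter/edit/delete rights: Administrator globally, Program Manager and Keyer in their program."""
    return in_scope(user, rec) and user.role in {"Administrator", "Program Manager", "Keyer"}

def view(user: User, rec: ClientRecord) -> Optional[dict]:
    """Fields the user may see; None when the record is archived or outside their rights."""
    if rec.archived or not in_scope(user, rec):
        return None
    if user.role == "Staff":
        if user.name not in rec.assigned_staff:
            return None  # Staff view only clients assigned to them
        # Unknown field names default to the most restrictive tier (fail closed)
        return {k: v for k, v in rec.fields.items() if PHI_TIER.get(k, 4) <= user.phi_level}
    return dict(rec.fields)  # Administrator, Program Manager, Keyer and Viewer: not PHI-limited

def delete(user: User, rec: ClientRecord) -> ClientRecord:
    """Data is never deleted: an authorised delete archives the record, hiding it from screens."""
    if not can_edit(user, rec):
        raise PermissionError(f"{user.name} ({user.role}) may not delete in program {rec.program}")
    rec.archived = True
    return rec
```

A real deployment would load the tier mapping and user assignments from the rights-management tables the spec calls for and evaluate these checks server-side on every request, never only in the page markup.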