Web Database Contract: how much to build something like this? An estimate is fine.

To Create a Database for Customer Input (Secure Web Based)
      1. Project Goal
      2. Setup and Structure – Brief Scope Of Work
      3. Development Costs
      4. Maintenance

      1. Project Goal
Customer requires a secure, web-based data management portal for the collection of client information across various programs.
Website Project Highlights:
      1. Web based for universal access via standard web browser
      2. Compatible with desktop and mobile OS (Windows, iPad, iPhone, Android)
      3. Layered security
      a. Secure login and session time-outs (auto-logout)
      b. SSL in-transit encryption of all web pages
      c. Select database fields private-key encryption
      d. Separate user logins with login tracking
      e. Multi-level user access rights
      4. VPS hosting with HIPAA compliant provider

      2. Structure – Brief Scope Of Work
The purpose of the website is to facilitate management of client information into a central and secure data management portal.

Developer will create a Virtual Private Server with a HIPAA compliant hosting provider. The VPS server will house the web server, database server, firewall, and other necessary hosting software. At project completion Developer will hand off the responsibilities of hosting to Customer IT department.
Developer will be responsible for:
      1. All access to secure information will take place over https (secure http) using a valid SSL certificate.
      2. Any database systems will block connections via firewall rules except from your website server.
      3. Select database information will be encrypted with a private key.
      4. Security scans will be done by the provider to identify possible and emerging security flaws in the web applications and scripts.

Customer will be responsible for:
      1. Providing a valid DNS name for the hosting (https://secure.customer.org or similar).
      2. Provide a name, contact, and responsible party for the SSL certificate signing.
      3. Maintaining the VPS server after Customer releases the program to Customer.

Database Structure Setup
Developer will create all the necessary databases, tables, and encryption routines
Developer will be responsible for:
      1. Setup all master database tables and login tables
      2. Create all user and rights management tables
      3. Create all data collection tables (approximately 28 programs as stated by customer)
      4. Create all tracking and auditing tables
      5. Import existing customer data into the appropriate data collection tables from CSV, TXT, or compatible Excel spreadsheet. Data must be provided in a usable, manageable data format.

CUSTOMER will be responsible for:
      1. Providing the table structure for each of the 28 programs (collected data)
      2. Providing existing client data in usable data format to import.
      3. Generate a private key for database encryption (32 unique characters)

Website Programming
Developer will create all the necessary website pages required for this project. Pages include but are not limited to html, cfml, cfm, ajax, jQuery, and other support pages. Developer will also develop all security scripts and database scripts necessary to complete the project.
Website Data
It is assumed there are 28 program areas as described by Customer. Customer will be required to provide a complete breakdown of all the fields (data collection) necessary in each of the 28 programs. A preliminary breakdown of the data collected is below; however, it is not considered complete. Developer understands that fields may be omitted and/or added for each of the 28 programs.
MIS#, Client name (first, last), case manager (first, last), admit date, coor services plan exp date, coor ser due date, cin#, mcl issue date, ins, bic/ssn, dob, pfi due date, client phone, sfpr, diagnosis, goals, address (address, city, state, zip)

Website User Levels and Rights
The website data entry and management will be separated into 28 “programs” with varying degrees of add/edit/view rights dependent upon user level. Only 3 sample program setups are shown below. (PHI = Personal Health Information)
Administrator – Top level user. Assigned global rights over all users in all programs
Program Manager – Sub level user. Has rights only within the assigned program.
Keyer – Data entry user. Ability to add/edit/delete data within a program
Staff – Ability to view data assigned to them within a program. PHI level assignment restricts what data is viewable on their screen.
Viewer – Temporary “view only” account. Can view data from any staff account within a program. No edit ability. Limited.
*General Note - Data is never deleted but rather ‘archived’. Data deleted will be removed from screens but is archived as necessary for later retrieval.

The administrator is the top tier level.
      1. Add/Edit/Delete PROGRAM MANAGERS
      2. Add/Edit/Delete KEYERS
      3. Add/edit/delete STAFF
      4. Enter/edit/delete client data for any program
      5. View data for any program

The program manager is a sub-level administrator. They have functions similar to an administrator's but are limited to items within their program group.
      1. Add/Edit/Delete KEYERS
      2. Add/edit/delete STAFF
      3. Enter/edit/delete client data within selected program
      4. View data within selected program

The keyer is a data entry account. Keyers have the ability to enter and edit information but they cannot edit or create users.
      1. Add/Edit/Delete client information
      2. Add/Edit/Delete KEYERS
      3. Add/edit/delete STAFF
      4. Enter/edit/delete client data for assigned program
      5. View data for assigned program

The staff account is a ‘view only’ account. It can only view client data assigned to that account. The data displayed on the screen is described by the 4 levels of PHI (provided by Customer).
      1. View data for assigned program

The viewer account is a ‘view-only’ account. It is similar to the staff account as it can only view data information; however, it is NOT limited by the PHI and can view all data in the assigned program.
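The scope above asks for "select database fields private-key encryption" with a customer-generated 32-character key (items 3.c and Customer item 3 under Database Structure Setup) but does not say how a field would actually be stored. The following is an added illustration in Go, not ColdFusion code from the asker or any expert in this thread: it treats the 32-character key as raw AES-256 key material, encrypts one column value with AES-GCM, and (an added technique, not something the scope specifies) authenticates a row tag such as `clients:42:ssn` so a ciphertext copied into another row or column refuses to decrypt. `fieldKey`, the row tag format and the sample SSN are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// fieldKey stands in for the 32-character private key the scope asks the
// customer to generate. Constructed sample only; 32 bytes is an AES-256 key.
const fieldKey = "0123456789abcdef0123456789ABCDEF"

// newGCM builds an AES-256-GCM cipher from the 32-byte field key and rejects
// a key of any other length instead of silently using the wrong cipher size.
func newGCM(key string) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one sensitive column value (SSN, diagnosis, ...).
// rowTag (e.g. "clients:42:ssn") is authenticated but not encrypted, which
// binds the ciphertext to its row and column: a value copied into another
// row will not decrypt. A fresh random nonce is prepended to each value, so
// identical plaintexts in two rows produce different stored values.
func EncryptField(key, rowTag, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowTag))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Wrong key, wrong rowTag and modified
// ciphertext are all reported as one generic failure.
func DecryptField(key, rowTag, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return "", errors.New("stored value too short to be a sealed field")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(rowTag))
	if err != nil {
		return "", errors.New("field decryption failed: wrong key, wrong row tag, or tampered data")
	}
	return string(plain), nil
}

func main() {
	stored, err := EncryptField(fieldKey, "clients:42:ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB:", stored)
	ssn, err := DecryptField(fieldKey, "clients:42:ssn", stored)
	fmt.Println("decrypted:", ssn, err)
	_, err = DecryptField(fieldKey, "clients:43:ssn", stored)
	fmt.Println("moved to another row:", err)
}
```

The key never leaves the application tier, which is what makes the scope's firewall rule (database reachable only from the web server) and this field encryption complementary: a copy of the database alone does not expose the protected columns.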
joevisokey (Author) commented:
I Understand that, I was just trying to get a feel from professionals on an estimate of what it would cost. Thank you.
Gary Patterson (VP Technology / Senior Consultant) commented:
These requirements are a good start, but not enough - at least for me - to produce an estimate. If a client handed this to me, I'd need to do additional discovery before I'd provide an estimate.

It doesn't look like a huge project.  I'd say more than US$5K, and less than US$50K - just based on what is in front of me.  That includes additional requirement gathering, specifications, coding, and testing.

I don't think it would take a lot more to be able to produce a reasonable estimate, but hard to say without actually talking to the client.

Hope that helps.

Check out my EE profile: http://www.experts-exchange.com/members/Gary_The_IT_Pro.html
Scott Pletcher (Senior DBA) commented:
I agree: there is too much left unanswered here to do a full estimate.

But I'd say the quote would definitely be above $5,000, particularly given the number of security levels.  Just making that alone work properly will take some strong effort.
Gary Patterson (VP Technology / Senior Consultant) commented:
@ScottPletcher:  I agree that $5K isn't a good starting point, and that this is likely more.  I wasn't giving an estimate as much as making the point that the range is wide.

Personally, I don't see the role-based authorization requirements as that big a deal.  This is apparently a ColdFusion application (due to the mention of cfm/cfml), and ColdFusion has a built-in authorization and authentication framework, which includes role-based security.  Even without ColdFusion, there is no need to build authorization from scratch - there are plenty of tools and techniques available to implement authorization that meets these requirements without reinventing the wheel.

For me, one of the potentially "big" expensive requirements is this one:

Security scans will be done by the provider to identify possible and emerging security flaws in the web applications and scripts.

"Security scans" is ambiguous.  It could refer to active or passive vulnerability scanning of the running application, penetration testing, source code vulnerability scans, or some combination of the above.  I'd want a detailed explanation of this requirement, including any specific required tools, reporting, and client acceptance criteria.  Licensing certain source vulnerability scanning tools alone, for example, can cost tens of thousands of dollars.  The alternative is to hire a security firm to assist with security scans, and that can be very expensive, too.

Just one in a list of reasons that there is no way to estimate this based on the information provided.
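Gary's point is that the five account levels in the question are a small, regular rights model rather than a large custom build. As an added illustration (Go, not ColdFusion's built-in framework and not code from anyone in the thread), the block below encodes the scope's rules as three checks: who may manage which accounts, who may edit client data, and what a given account sees on screen, with program scoping, the staff PHI-level filter, and "archive instead of delete". It follows the prose description of keyers ("cannot edit or create users") rather than the contradictory keyer list. The `phiLevel` map is a constructed placeholder for the customer's four PHI levels, which the page does not give, and letting only administrators retrieve archived rows is an assumption.

```go
package main

import "errors"

// Role follows the scope's five account types; a higher value means broader
// rights, so CanEdit can use a simple comparison.
type Role int

const (
	Viewer Role = iota
	Staff
	Keyer
	ProgramManager
	Administrator
)

// User is one login. Program is empty for administrators (global rights);
// PHILevel and Clients apply to Staff accounts only.
type User struct {
	Name     string
	Role     Role
	Program  string
	PHILevel int
	Clients  map[int]bool
}

// Client is one row of a program's data-collection table.
type Client struct {
	ID       int
	Program  string
	Fields   map[string]string
	Archived bool
}

// phiLevel is a constructed placeholder for the customer's four PHI levels
// (assumption: 1 = least sensitive, 4 = most). A column missing from the map
// counts as level 4, so an unclassified field is never shown to staff by accident.
var phiLevel = map[string]int{
	"mis_no": 1, "client_name": 2, "dob": 3, "address": 3, "ssn": 4, "diagnosis": 4,
}

var ErrDenied = errors.New("access denied")

// inScope: administrators are global; everyone else is confined to one program.
func inScope(u User, program string) bool {
	return u.Role == Administrator || (u.Program != "" && u.Program == program)
}

// CanManage reports whether actor may add/edit/delete accounts of role target
// in program. Only administrators and program managers manage users; keyers,
// staff and viewers never do (the scope: keyers "cannot edit or create users").
func CanManage(actor User, target Role, program string) bool {
	if !inScope(actor, program) {
		return false
	}
	switch actor.Role {
	case Administrator:
		return target == ProgramManager || target == Keyer || target == Staff
	case ProgramManager:
		return target == Keyer || target == Staff
	}
	return false
}

// CanEdit: administrators, program managers and keyers enter/edit client data.
func CanEdit(actor User, c Client) bool {
	return inScope(actor, c.Program) && actor.Role >= Keyer
}

// View returns the fields of c that actor may see, or ErrDenied. Staff see only
// clients assigned to them and only fields at or below their PHI level; viewers
// see every field in their program but can never edit. Archived rows are
// off-screen for everyone except an administrator (assumption).
func View(actor User, c Client) (map[string]string, error) {
	if !inScope(actor, c.Program) ||
		(c.Archived && actor.Role != Administrator) ||
		(actor.Role == Staff && !actor.Clients[c.ID]) {
		return nil, ErrDenied
	}
	out := map[string]string{}
	for name, val := range c.Fields {
		if actor.Role == Staff {
			if level, known := phiLevel[name]; !known || level > actor.PHILevel {
				continue
			}
		}
		out[name] = val
	}
	return out, nil
}

// Archive implements "data is never deleted": a delete only flips the flag,
// and anyone allowed to edit the row may archive it.
func Archive(actor User, c *Client) error {
	if !CanEdit(actor, *c) {
		return ErrDenied
	}
	c.Archived = true
	return nil
}
```

Every page handler would call one of these three functions before touching a row; keeping the rules in one place is what makes the "multi-level user access rights" item cheap to test, since each role's matrix can be asserted in a unit test rather than re-checked in 28 program screens.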
