Web Database Contract: how much to build something like this? An estimate is fine.

Posted on 2014-07-28
Medium Priority
Last Modified: 2014-08-08
To Create a Database for Customer Input (Secure Web Based)
      1. Project Goal
      2. Setup and Structure – Brief Scope Of Work
      3. Development Costs
      4. Maintenance

      1. Project Goal
Customer requires a secure, web-based data management portal for the collection of client information across various programs.
Website Project Highlights:
      1. Web based for universal access via standard web browser
      2. Compatible with desktop and mobile OS (Windows, iPad, iPhone, Android)
      3. Layered security
      a. Secure login and session time-outs (auto-logout)
      b. SSL in-transit encryption of all web pages
      c. Select database fields private-key encryption
      d. Separate user logins with login tracking
      e. Multi-level user access rights
      4. VPS hosting with a HIPAA-compliant provider

      2. Structure – Brief Scope Of Work
The purpose of the website is to facilitate management of client information in a central and secure data management portal.

Developer will create a Virtual Private Server with a HIPAA-compliant hosting provider. The VPS server will house the web server, database server, firewall, and other necessary hosting software. At project completion Developer will hand off the responsibilities of hosting to Customer IT department.
Developer will be responsible for:
      1. All access to secure information will take place over https (secure http) using a valid SSL certificate.
      2. Any database systems will block connections via firewall rules except from your website server.
      3. Select database information will be encrypted with a private key.
      4. Security scans will be done by the provider to identify possible and emerging security flaws in the web applications and scripts.

Customer will be responsible for:
      1. Providing a valid DNS name for the hosting (https://secure.customer.org or similar).
      2. Provide a name, contact, and responsible party for the SSL certificate signing.
      3. Maintaining the VPS server after Customer releases the program to Customer.

Database Structure Setup
Developer will create all the necessary databases, tables, and encryption routines
Developer will be responsible for:
      1. Setup all master database tables and login tables
      2. Create all user and rights management tables
      3. Create all data collection tables (approximately 28 programs as stated by customer)
      4. Create all tracking and auditing tables
      5. Import existing customer data into the appropriate data collection tables from CSV, TXT, or compatible Excel spreadsheet. Data must be provided in a usable, manageable data format.

CUSTOMER will be responsible for:
      1. Providing the table structure for each of the 28 programs (collected data)
      2. Providing existing client data in usable data format to import.
      3. Generate a private key for database encryption (32 unique characters)

Website Programming
Developer will create all the necessary website pages required for this project. Pages include, but are not limited to, html, cfml, cfm, ajax, jQuery, and other support pages. Developer will also develop all security scripts and database scripts necessary to complete the project.
Website Data
It is assumed there are 28 program areas as described by Customer. Customer will be required to provide a complete breakdown of all the fields (data collection) necessary in each of the 28 programs. A preliminary breakdown of the data collected is below; however, it is not considered complete. Developer understands that fields may be omitted and/or added for each of the 28 programs.
MIS#, Client name (first, last), case manager (first, last), admit date, coor services plan exp date, coor ser due date, cin#, mcl issue date, ins, bic/ssn, dob, pfi due date, client phone, sfpr, diagnosis, goals, address (address, city, state, zip)  

Website User Levels and Rights
The website data entry and management will be separated into 28 “programs” with varying degrees of add/edit/view rights dependent upon user level. Only 3 sample program setups are shown below. (PHI = Personal Health Information)
Administrator – Top level user. Assigned global rights over all users in all programs
Program Manager – Sub-level user. Has rights only within the assigned program.
Keyer – Data entry user. Ability to add/edit/delete data within a program
Staff – Ability to view data assigned to them within a program. PHI level assignment restricts what data is viewable on their screen.
Viewer – Temporary “view only” account. Can view data from any staff account within a program. No edit ability. Limited.
*General Note - Data is never deleted but rather ‘archived’. Data deleted will be removed from screens but is archived as necessary for later retrieval.  

The administrator is the top tier level.
      1. Add/Edit/Delete PROGRAM MANAGERS
      2. Add/Edit/Delete KEYERS
      3. Add/edit/delete STAFF
      4. Enter/edit/delete client data for any program
      5. View data for any program

The program manager is a sub-level administrator. They have functions similar to an administrator's but are limited to items within their program group.
      1. Add/Edit/Delete KEYERS
      2. Add/edit/delete STAFF
      3. Enter/edit/delete client data within selected program
      4. View data within selected program

The keyer is a data entry account. Keyers have the ability to enter and edit information but they cannot edit or create users.
      1. Add/Edit/Delete client information
      2. Add/Edit/Delete KEYERS
      3. Add/edit/delete STAFF
      4. Enter/edit/delete client data for assigned program
      5. View data for assigned program

The staff account is a ‘view only’ account. It can only view client data assigned to that account. The data displayed on the screen is described by the 4 levels of PHI (provided by Customer).
      1. View data for assigned program

The viewer account is a ‘view-only’ account. It is similar to the staff account in that it can only view data; however, it is NOT limited by the PHI levels and can view all data in the assigned program.
Question by:joevisokey
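The user levels, program scoping and PHI rule in the spec above, worked through as an added example; this is not code from the original post or from any vendor. It is Python rather than the ColdFusion the spec mentions, and it assumes several things the spec leaves to the Customer: the mapping of each field to one of the four PHI levels, the sample programs, users and client records, and every function name. Where the keyer description says keyers cannot create or edit users, the bullets beneath it list user management anyway; the example follows the description. "Delete" is modelled as the general note describes it: an archive flag, never a row removal.

```python
"""Role / program / PHI authorization model sketched from the spec.

Added example, not part of the original post.  Roles, program scope and the
"staff see only their PHI level" rule follow the spec; FIELD_PHI_LEVEL, the
sample records, the sample users and all function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# The five roles named in the spec.
ADMINISTRATOR, PROGRAM_MANAGER, KEYER, STAFF, VIEWER = (
    "administrator", "program_manager", "keyer", "staff", "viewer")

# Assumed classification: PHI level 1 = least sensitive .. 4 = most sensitive.
# The spec says Customer supplies the real 4-level breakdown; this is a stand-in.
FIELD_PHI_LEVEL = {
    "mis_no": 1, "client_name": 1, "case_manager": 1, "admit_date": 1,
    "client_phone": 2, "address": 2, "dob": 2,
    "cin_no": 3, "ins": 3,
    "ssn": 4, "diagnosis": 4, "goals": 4,
}


@dataclass
class User:
    name: str
    role: str
    program: Optional[str] = None          # None only for administrators
    phi_level: int = 4                     # staff: highest PHI level they may see
    assigned_clients: set = field(default_factory=set)   # staff: MIS# they own


@dataclass
class ClientRecord:
    mis_no: str
    program: str
    data: dict
    archived: bool = False                 # "deleted" rows are flagged, not removed


def in_scope(user, program):
    """Administrators span every program; everyone else is tied to one."""
    return user.role == ADMINISTRATOR or user.program == program


def can_manage_users(actor, target_role):
    """Who may add/edit/delete accounts of a given role, per the spec."""
    if actor.role == ADMINISTRATOR:
        return target_role in {PROGRAM_MANAGER, KEYER, STAFF}
    if actor.role == PROGRAM_MANAGER:
        return target_role in {KEYER, STAFF}
    return False                           # keyers, staff and viewers never do


def can_write(user, record):
    """Enter/edit/archive client data: admin anywhere, PM and keyer in their program."""
    return (user.role in {ADMINISTRATOR, PROGRAM_MANAGER, KEYER}
            and in_scope(user, record.program))


def visible_fields(user, record):
    """Return the subset of a record the user may see, or None for nothing.

    Admin, program manager, keyer and viewer see every field of in-scope records.
    Staff see only clients assigned to them, and only fields at or below their
    PHI level.  Archived records are hidden from every screen.  Fields missing
    from FIELD_PHI_LEVEL default to level 4 so new columns stay hidden until
    they are classified.
    """
    if record.archived or not in_scope(user, record.program):
        return None
    if user.role == STAFF:
        if record.mis_no not in user.assigned_clients:
            return None
        return {k: v for k, v in record.data.items()
                if FIELD_PHI_LEVEL.get(k, 4) <= user.phi_level}
    return dict(record.data)


def archive(user, record):
    """'Delete' as the spec defines it: flag the row so screens drop it."""
    if not can_write(user, record):
        raise PermissionError(f"{user.name} may not archive data in {record.program}")
    record.archived = True
    return record


# Constructed sample data (not from the post): two programs, two clients.
PROGRAM_A, PROGRAM_B = "Program A", "Program B"
RECORDS = [
    ClientRecord("1001", PROGRAM_A, {"client_name": "Doe, Jane", "client_phone": "555-0100",
                                     "ssn": "000-00-0001", "diagnosis": "sample dx"}),
    ClientRecord("2001", PROGRAM_B, {"client_name": "Roe, Richard", "client_phone": "555-0200",
                                     "ssn": "000-00-0002", "diagnosis": "sample dx"}),
]
USERS = {
    "admin": User("admin", ADMINISTRATOR),
    "pm_a": User("pm_a", PROGRAM_MANAGER, PROGRAM_A),
    "keyer_a": User("keyer_a", KEYER, PROGRAM_A),
    "staff_a": User("staff_a", STAFF, PROGRAM_A, phi_level=2, assigned_clients={"1001"}),
    "viewer_a": User("viewer_a", VIEWER, PROGRAM_A),
}


def screen_for(username):
    """What each screen would show the user, keyed by MIS#."""
    user = USERS[username]
    return {r.mis_no: visible_fields(user, r) for r in RECORDS}
```

visible_fields is the single choke point every page reads through: a Staff user at PHI level 2 never receives the SSN or diagnosis columns from the server, as opposed to receiving them and hiding them in the browser. Program scope and the archive flag are enforced in the same place, so a keyer in Program A cannot see Program B rows even if a page URL is edited by hand.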
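The "secure login and session time-outs (auto-logout)" and "separate user logins with login tracking" items above, as an added example that is not part of the original post. Python again; the 15-minute idle and 8-hour absolute limits, the in-memory store, the PBKDF2 parameters and all names are assumptions made for illustration. The clock is injectable so the time-outs can be exercised without waiting.

```python
"""Server-side login sessions with idle/absolute time-outs and a login-tracking log.

Added example, not from the original post.  Timeout values, the in-memory
store, the PBKDF2 parameters and the function names are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: auto-logout after 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: force a fresh login at least every 8 hours
PBKDF2_ITERATIONS = 100_000     # assumed work factor


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest).  salt=None means 'make a new one'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class FakeClock:
    """Injectable clock so expiry can be tested without sleeping."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}        # username -> (salt, digest); stand-in for the login table
        self.sessions = {}     # token -> {"user", "created", "last_seen"}
        self.login_log = []    # login-tracking table: one row per attempt, good or bad

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, remote_addr):
        """Verify credentials, record the attempt, and mint a random session id."""
        salt, digest = self.users.get(username, (b"", b""))
        candidate = hash_password(password, salt)[1]   # always hash: uniform timing
        ok = username in self.users and hmac.compare_digest(digest, candidate)
        self.login_log.append({"user": username, "addr": remote_addr,
                               "at": self.now(), "ok": ok})
        if not ok:
            return None
        token = secrets.token_urlsafe(32)              # 256 bits of randomness
        t = self.now()
        self.sessions[token] = {"user": username, "created": t, "last_seen": t}
        return token

    def authenticate(self, token):
        """Username for a live session; None (and the session dropped) once expired."""
        s = self.sessions.get(token)
        if s is None:
            return None
        t = self.now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[token]                   # server-side auto-logout
            return None
        s["last_seen"] = t
        return s["user"]

    def logout(self, token):
        self.sessions.pop(token, None)


def demo():
    """Walk through a failed login, a good one, and an idle time-out."""
    clock = FakeClock()
    store = SessionStore(now=clock)
    store.register("keyer_a", "correct horse battery staple")
    bad = store.login("keyer_a", "wrong password", "203.0.113.5")   # constructed IP
    token = store.login("keyer_a", "correct horse battery staple", "203.0.113.5")
    first = store.authenticate(token)
    clock.advance(IDLE_TIMEOUT + 1)
    after_idle = store.authenticate(token)
    return {"bad_login": bad, "first": first, "after_idle": after_idle,
            "attempts": [(r["user"], r["ok"]) for r in store.login_log]}
```

Expiry is decided on the server for every request, so a browser left open or a stale tab cannot extend a session, and the absolute limit caps how long a stolen session id is useful even with continuous activity. In a real deployment the token would travel in a cookie marked Secure and HttpOnly (the spec already requires HTTPS everywhere), and login_log would be a table the Administrator can query for the per-user tracking the spec asks for.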

Author Comment

ID: 40227139
I Understand that, I was just trying to get a feel from professionals on an estimate of what it would cost. Thank you.

Expert Comment

by:Gary Patterson
ID: 40227357
These requirements are a good start, but not enough - at least for me - to produce an estimate. If a client handed this to me, I'd need to do additional discovery before I'd provide an estimate.

It doesn't look like a huge project.  I'd say more than US$5K, and less than US$50K - just based on what is in front of me.  That includes additional requirement gathering, specifications, coding, and testing.

I don't think it would take a lot more to be able to produce a reasonable estimate, but hard to say without actually talking to the client.

Hope that helps.

Check out my EE profile: http://www.experts-exchange.com/members/Gary_The_IT_Pro.html

Assisted Solution

by:Scott Pletcher
Scott Pletcher earned 1000 total points
ID: 40228045
I agree: there is too much left unanswered here to do a full estimate.

But I'd say the quote would definitely be above $5,000, particularly given the number of security levels.  Just making that alone work properly will take some strong effort.

Accepted Solution

Gary Patterson earned 1000 total points
ID: 40229079
@ScottPletcher:  I agree that $5K isn't a good starting point, and that this is likely more.  I wasn't giving an estimate as much as making the point that the range is wide.

Personally, I don't see the role-based authorization requirements as that big a deal.  This is apparently a ColdFusion application (due to the mention of cfm/cfml), and Coldfusion has a built-in authorization and authentication framework, which includes role-based security.  Even without ColdFusion, there is no need to build authorization from scratch - there are plenty of tools and techniques available to implement authorization that meets these requirements without reinventing the wheel.

For me, one of the potentially "big" expensive requirements is this one:

Security scans will be done by the provider to identify possible and emerging security flaws in the web applications and scripts.

"Security scans" is ambiguous.  It could refer to active or passive vulnerability scanning of the running application, penetration testing, source code vulnerability scans, or some combination of the above.  I'd want a detailed explanation of this requirement, including any specific required tools, reporting, and client acceptance criteria.  Licensing certain source vulnerability scanning tools alone, for example, can cost tens of thousands of dollars.  The alternative is to hire a security firm to assist with security scans, and that can be very expensive, too.

Just one in a list of reasons that there is no way to estimate this based on the information provided.
