Identification and Authentication

GBI – John Davis & Peter Schwarz

Team – Group 4 (Chase Guss, Alexander Apodaca, Matthew Ulloa, Tamer Rabea, and Hernan Hernandez)

April 29th, 2022

Executive Summary

The purpose of this paper is to propose an audit on GBI’s company and suggest things that should be looked into when given the opportunity to audit their system in the area of identification and authentication. It would take approximately four month to complete the audit if given full access to GBI’s systems. Our objective is to go in depth into your systems policies on identification and authentication and depict who is allowed into your company. We will interview employees and see how much access they are granted and if they are required to have the necessary authorization that your company provides them. We want to ensure that we can spot out anyone that has the necessary credentials and does not exceed their necessities for your company. By the end of this audit, we would be able to explain how we would appropriately modify your systems and ensure the safekeeping of all data and information for your company. We would break it down into a table of significant issues, types, and priorities. If GBI decides to use Team Four as their auditor, we will provide dates that we can implement all solutions by.

Table of Contents

Page 1 – Cover page

Page 2 – Executive Summary

Page 3 – Table of contents

Statement of Problem: the “Why?”

In 2001, two companies merged into one and formed what we know as GBI. Global Bike Inc. is a North American and German company run by co-CEOs John Davis and Peter Schwarz. As the name implies, the company builds innovative bikes made to outperform others and last for a long time. In terms of responsibilities, Davis handles selling the products, and Schwarz deals with manufacturing the product. Departments such as marketing, IT, HR, service and support, finance, and sales make up Davis’ portion of the company. He is the money maker. Schwarz manages research, the designs of the bikes, getting supplies, and other manufacturing groups. He is the money spender. 

GBI wants a Department of Defense contract, and to be granted this contract, they must meet the level three requirements of the CMMC. GBI needs a CMMC audit. The Cybersecurity Maturity Model Certification audit will carefully dissect GBI’s cyber hygiene under the “Identity and Authorization” domain. This domain categorizes the best procedures and practices the company needs to follow. The identity and authorization domain deals with employee logins, access to resources, passwords, etc.  GBI must face this cyber challenge, and we can provide the audit as a company.

Technology has ingrained itself into everyday business and will continue to do so. With this technology comes good and evil. On the one hand, we have information systems that handle vast portions of data, but on the other hand, we have hackers who want to steal that data for many reasons. A CMMC audit would test the company’s cyber hygiene and point out what can be improved to prevent data from being stolen and business stopping because one employee inserted a thumb drive into their computer. The audit brings GBI one step closer to protecting their company, employee, and customer data. While preserving the company and its assets, this audit gives the potential of allowing GBI to work with the DOD and expand its business. If the company fails to reach level three of the CMMC, GBI still receives an audit that tells them what gaps need to be filled to reach that level. This may be for expanding work opportunities, but cyber security is critical currently in today’s climate.

Objectives: the “What?”

During the scope of the project, our objective will be to propose an audit for Global Bike Inc. We intend to finish the audit within four months and by doing so, we shall be able to ensure your business maintains its proper working environment. We will be able to spread our work in a timely manner to allow your company to meet its daily requirements. By the time we are done with this project, we will have a thorough understanding of the company systems and policies. The company must meet the requirement of good cyber hygiene according to the CMMC guidelines. We can assure that our company will take the proper steps and procedures throughout the auditing process, which will ultimately decide whether GBI is certified to be at the level three CMMC and be granted a DOD contract. 

· Design specifications in specific, quantitative terms. For example, “The plate must be rotated three times at a speed of between 1 and 3 rev/s” or “Control the temperature of a 1 liter non-insulated standard glass beaker of water to 37.5 ± 0.5oC for three hours without temperature deviation.”

· Critical design issues, constraints, limitations.

Technical Approach: the “How?”

Our goal will be to completely analyze their systems. We will be focusing on identities and authentications. First thing we will do is identify all the system users. Identify the processes acting on behalf of the system and identify all the devices that are accessing the companies systems. After doing so, we will want to review all Identification and authentication policies and procedures. We will review the system security plans and system design documentation. We will need to review the configuration settings and any other policies associated with it. We would need a copy of audit logs and records, and a list of system accounts. After reviewing all of these documents and policies, we would want to get some interviews with personnel that work in system operations, information security, system or network administrators, and system developers. We would then be able to evaluate the organizational process for identifying and authenticating users. We would also evaluate the mechanisms and process that supports the identification and authentication process.

Following that we would determine if the identity of each user is authenticated or verified as a prerequisite to system access, ensure its acting on behalf of a user is authenticated or verified to access the system.

By doing so, we would be able to source out any challenges the company may be enduring. We would be able to come with a plan to get over these challenges. Our objective is to ensure that there are policies in place and that the company is abiding by them. Everyone that requires access to the systems for the company should be given a certain level of clearance. With this comes responsibility and trust. Users may be granted access based on their level of clearance. That being said, we would break down all policies and pinpoint the job specifications for every person through the chain of command. We can then interview employees around the company and ensure that they are following their job specifications. After that, we need to ensure that the employees are given access based on their identity and authentication clearance level. 

Design Process

1)  Process OverviewThe design process will consist of reviewing documents, password logs, security logs, configuration settings, policies, and other information relevant to identity and authentication. Anything found that has any significance towards policy, procedure, and relevant information that can help our audit. We will also be conducting interviews to establish if our findings match the everyday business workflow. 

The identity and authentication domain has one capability and eleven practices that certifies companies under CMMC. There are two practices in level one, five in level two, and four in level three. We will approach the audit one practice at a time, dividing our time based on the CMMC levels. 

Capability 

“Grant access to authenticated entities”

2) Step by step guide of design process

3)  What are the benefits and advantages of employing a structured approach to design?

Having a structured approach to design will keep everything uniform. We will be able to track every step we take and plan ahead according to the designs and findings we come across. We will document everything as we find things that work well, work okay, and do not work at all. There will be a process organization responsibility matrix that will easily breakdown the moving parts that work well or have value of being in the company.4)  How will you generate solution concepts?We will generate solutions by auditing the policy, interviewing employees and administration. We shall test all of our findings and prepare a final report.

5)  How will you analyze the performance of your solution?We will be able to ensure who needs access to what and why it might be potentially damaging to your company. GBI process would know there assets would be more secure and not have the potential to risk losing money on places it should not be allocated to.

6)  How will you decide on the best alternative?Upon completion of the audit we are proposing, once finished we would have a breakdown chart of areas in which they are in compliance with. We will be able to explain to them which areas they are not in compliance with and that they need to fix it by the next meeting to gain compliance and meet the standards for CMMC. We would not be able to change anything for them, if in doing so, we would no longer be able to audit them.

Specific recommendations for this section include the following:First, describe your overall design process in general terms. A one-page synopsis of Chapter 1 in the Hyman text would be appropriate here.

· Provide at least three possible solution alternatives and document your methodology to choose the best alternative. Include illustrations such as Figure 1. Try to be as inclusive and creative as possible with your ideas. Strive to achieve at least one non-conventional or “out of the box” alternative.

· List and describe all the analytical, or computational tools you will employ to analyze your design, such as ProEngineer®, SolidWorks®, MathCAD, and MATLAB.

· List and detail all the experimental procedures you will use to test your design concepts.

· Evaluate your alternatives based on how well they satisfy the design specifications. Explain the selection criteria by which you will evaluate design alternatives in specific, quantitative terms, such as cost, weight, reliability, ease of use, and ease of manufacture. A matrix table can clearly illustrate this information.

· If possible at this time, rank your solution concepts and list the pros and cons of each. At minimum, state what further information or additional work is needed in order to arrive at a final solution alternative.

· If any solution is totally unfeasible (or may have been tried before), state the reason for its elimination.

Project Management: “How and When?”

The Project Management section describes how the project will be managed, including a detailed timetable with milestones. Specific items to include in this section are as follows:

a. Description of task phases (typical development tasks: Planning, Concept Development, System-Level Design, Detailed Design, Testing and Refinement, Production)

Phases of the Project Development

· Planning (Submission of the proposal) April 24th. From April 24th to May 30, 2022 We will be able to meet with owners of GBI and discuss project details and ensure we can meet time frames and plan accordingly for the project to meet its time restraints.

· Audit/Review / May 1st to May 30th, will be time for our Team to come in to audit and review policies and documents pertaining to identity and authentication. We will prepare ourselves during this period and prepare interview questions. This would allow GBI time to plan for employees to spare approximately 1-4 hours for interviews based on the scope of their assignment.

· Interviews June 1st to June 31st all employees will be scheduled with two of our team members and we will interview accordingly based on positions. Our fifth person will be responsible for ensuring all interviews will be on the proper schedule and comparing the notes from each interview. We will compare our findings based on policies and form every interview.

Responsibilities for each team member

· Team member 1- Project administrator, oversees the project and meets with the company. Reviews policy and interviews. Coordinates the tests amongst the rest of the team. Team member 1 will set up all interviews and divide the work amongst the team members to ensure nothing is repetitive and or missed.

· Team member 2 – Responsible for reviewing policies, auditing, interviewing, and testing.

· Team member 3 – Responsible for reviewing policies, auditing, interviewing, and testing.

· Team member 4 – Responsible for reviewing policies, auditing, interviewing, and testing.

· Team member 5 – Responsible for reviewing policies, auditing, interviewing, and testing.

Gantt Chart

Attached is a gantt chart with a basic timeline and the procedure of how and when things will be completed. This project should take approximately four months in time and we will be able to spread it in a timely manner to allow your employees to find coverage during times of interviews and reviewing documents.

ii. Each milestone is to be labeled with a titleiii. Schedule all tasks not just “Design” or “Testing.” Break this schedule down tospecific assignments. 

iv. Each task is to be labeled with a title and person or persons assigned to the task.

v. Subdivide larger items so that no task is longer than about one week

vi. Link tasks which are dependent on the completion of a previous task.

vii. Continue to update your schedule throughout your project. This tool is important for organizing and viewing the progress of your project.

viii. Where possible, avoid a serial timeline (one task at a time, which must be completed before the next task can proceed).

Deliverables

We will provide a document at the end that will show an overview of our findings. It will be color coordinated and reflect the CMMC guidelines. Red will indicate critical. Vulnerabilities will be listed inside the highlighted section that correlate with the identification and authorization domain. Critical means that the exploitation of this vulnerability could cause catastrophic damage to the company’s reputation, workflow, operations, etc. Anything in orange would be a less severe vulnerability, but with the potential to be exploited and cause minor workflow issues. Green will indicate that no vulnerabilities were found. With this information it is up to GBI to decide how and if they would want to fix these problems. After the audit, we can offer our services to fix these vulnerabilities and implement proper security controls. GBI would get a 15% discount on this specific service. If accepted, we would not be able to audit GBI in the future.  

The culmination of the proposal negotiation with your sponsor will be a completed “Deliverables Agreement.” In this section, provide a detailed description of what you are providing and when you will provide it. Be as specific as possible. Possible items include

Detailed design drawings (specify Computer Aided Design format) Physical prototype

Scale model

Engineering analysis (Finite Element Analysis, MATLAB, etc.) Economic analysis (return on investment calculations)

Detailed description of test procedures

Data from experiments

Computer program code, flowchart, documentation Circuit diagrams

User-friendly instructions including training for personnel

Budget: “How Much?”

Provide your best estimate of how project funds will be spent for your first design. For an example, see Table 2. The sponsor will allow for only this amount. At this time, you need to know the details for your initial design. You can divide up your budget into some major categories, such as equipment, materials, supplies, shipping (if Hershey), and Learning Factory costs (that is, for the computerized numerical control, rapid prototyping, etc). Remember: You are spending sponsor dollars and the sponsor needs to see that the money is spent wisely. If additional funds or resources are needed from your sponsor compared to their original “request for proposals,” ask for them here but justify the request.

The amount for our budget will be 150,000 for the audit if we are chosen, there might be an additional 10-20% charge during the process if errors are made by your company or employees refusing to comply with the orders given in a timely manner. Below is a breakdown of where the funds will be supplied.

Budget Breakdown

Personnel/ Labor – 100,000 amongst 5 employees over a four month period, 5 employees, earning equal wages 20,000 each for a four month period.

Supplies – 25,000 – Technology and implementation

Transportation- 10,000 – Gas, stays, vehicle wear

Programs – 15,000 – system authentications

0. Read all ordering requirements for each company. Some companies have a minimum order amount so you need to be aware of this in advance.

1. You’ll need to have all (100%) your items ordered and reconciled by the week before spring break for your first design.

2. Additional funds will not be released after this day without written justification for the deviation (that is, why do you need to go with your alternate choice? What went wrong with the first design?).†

Table 2: Requested items and funds for initial design.

Item

Vacuum Pump

Flow Pump

Water Filter Whirlpool 23/32" Plywood 4'x8'

4" Ondine Rainmaker Acrylic Tubing 5' (OD 8") "8" Flange (13" OD)

Supplier Catalog No#

McMaster Carr IJ-60825 Northern Tool CJX-689 Lowe's Hardware WHER25 Lowe's Hardware none Smartbargain.com 129808 McMaster Carr 8486K626 McMaster Carr KD-ERW

Quantity

Unit Price

$183.47 $139.99 $33.73 $24.95 $19.99 $236.70 $44.24 Total

Total $188.72

$156.62 $33.73 $24.95 $37.86

$250.95 $44.24 $737.07

Communication and Coordination with Sponsor

Point of Contact: 

GBI is to provide their policy documents in regards to security. This includes documents regarding passwords, authentication, how users are authorized, etc. They are also to provide any recurring scripts and access to logs and files. 

We will meet with our point of contact at least once per week for at least a half hour to inform of progress, who we need to speak with and to rearrange the schedule if there is a conflict for either party or employee. Parties must be able to meet either in person or via zoom. 

Response to e-mail and phone communications should be prompt and done within 24 hours, barring weekends having a 48 hour window. In the case of e-mail or phone communications in which there is only information given and no questions either asked or that arose; parties will send a message of acknowledgement. 

The final report will be given to the CEO and head of IT (look on ARRIS). If there is an issue it must be presented to us within 72 hours and we will work to resolve it. Our conclusions will be drawn based on evidence and word of mouth alone is not sufficient.

Special Topics

Our company will meet with GBI, during the initial meeting we can discuss handling of confidential information. We need access to all policies and procedures that relate to identity and authentication. These things may require information about the employees, employers, and company as a whole. We will discuss the parameters of the project and what our team will be able to utilize. Our team will ensure the privacy of all information regarding employees, employers, and the company itself. We will agree to secure all information when we are done with the project and we will ensure we do not take any information and use it for personal gain. Our company will write up a contract with GBI and both parties will agree to the terms before the start of an audit. If the contract is voided, the project will be terminated and our company will no longer have access to GBI’s information systems. We pride ourselves in maintaining integrity and confidentiality during the work process.

Any loaned equipment to our company will be returned on a daily basis, unless specifically requested by our management team and agreement with GBI’s management. We will not retain systems overnight nor transport them off the facility.

Team Qualifications: the “Who?”

In a paragraph for each person, establish the team qualifications for the project. Highlight any specific job or course experiences that are relevant to the project.

Alexander Apodaca

Chase Guss – 7 years of working as a Supervisor in my current line of duty as a Corporal for the Sheriff’s department. I would maintain computers and technology for my station that I was assigned to. Familiar with Linux, Windows, and Mac OS’s. Utilized a Raspberry Pi to link it to an outside network, from my pc at home I was able to gain access into the Raspberry Pi and access the outside network from a distance and monitor traffic, viewing users that have access to certain things or if they weren't working and just surfing the web. I received a certificate in AccessData Certified Examiner. I would run audits of over one hundred personnel in our department and ensure their training records were up to date and placing them in the right categories. I would also be responsible for ensuring that they are given access to department drives when logging into their user on department systems. I would ensure that they can access the files they need and no more than that.

Hernan Hernadez

Tamer Rabea

Matthew Ulloa

Include a one-page resume of each team member in the Appendix. Do not include your hobbies.

† If your first approach has problems you should be ready to switch to your alternate. To do this switch, you will need to submit a revised “Full Proposal.” 

Ethical and Legal Compliance Statement 

As a company, we strive to maintain a trusting relationship with any company we do business with. Our company will follow all federal and state laws applicable to GBI’s data. Any work done with GBI will comply with all laws and ethical business codes… 

Arbitration Clause:

Any disputes that arise should be resolved civilly. In the event of arbitration, it is to take place in San Bernardino County. … ..