Purpose

This course project is intended to assess your ability to comprehend and apply the basic concepts related to information security management, access controls, and identity management.

Required Source Information and Tools

Web References: Links to web references in the Instructor Guide and related materials are subject to change without prior notice. These links were last verified on March 21, 2024.

The following tools and resources will be needed to complete this project:

• Course textbook
• Access to the Internet

Learning Objectives and Outcomes

Successful completion of this project will ensure that you can design an access control and identity management system. To be able to do so, you need to be able to do the following:

• Develop a plan for conducting an infrastructure assessment.
• Create a risk assessment plan.
• Create a plan for implementing role-based access control (RBAC).
• Research single sign-on (SSO) solutions.
• Describe a solution for remote access.
• Develop procedures for the physical security of facilities, including biometrics.
• Create a plan for testing access controls.
• Create a plan for monitoring access controls.

Overall Project Scenario

Big Tire Transport is a U.S. logistics company that operates a large fleet of trucks and is responsible for the movement of goods across the 48 contiguous states. Big Tire has accounts with companies of all sizes, as well as the U.S. federal government and several U.S. state government agencies.

The Big Tire headquarters is centrally located in Kansas City, Missouri. After a recent merger with a competitor, the company has employees in the following locations:

• Kansas City, Missouri, 500 employees
• Minneapolis, Minnesota, 200 employees
• Memphis, Tennessee, 150 employees
• Reno, Nevada, 175 employees
• El Paso, Texas, 250 employees

Due to the merger, the systems in each location differ. The headquarters location has fairly new computing equipment (workstations and servers) and runs Windows 10 on client computers and the latest edition of Windows Server on most servers. The other locations run a mix of current and outdated Windows-based software, and much of the hardware is outdated.

The main assets at the Big Tire headquarters location are housed in a data center. The assets consist of:

Four Microsoft Windows Server application servers (the current version of Windows Server)

• Two email servers running Microsoft Exchange
• Two Linux web servers
• Microsoft Active Directory
• Accounting and financial software
• Logistics software

Other software, such as customer relationship management (CRM), are cloud services that Big Tire subscribes to each month.

Last year, Big Tire suffered two network compromises at the headquarters location that led to the disclosure of sensitive and strategic information on contracts and mergers. More recently, the Minneapolis location dealt with an insider destroying corporate data that could not be restored because the backup media contained errors. The Memphis location experienced a 4-day network outage due to a successful ransomware attack.

You play the role of an IT security architect. Your boss, the company chief information office (CIO), relies on you for infrastructure planning and input on proposals to senior management.

Your goals for this project are to:

• Develop a plan for assessing infrastructure assets and risks.
• Develop a plan to implement role-based access control (RBAC) to ensure confidentiality, integrity, and availability.
• Research and describe single sign-on (SSO) and determine whether it is feasible for implementation for Big Tire locations.
• Address secure remote access requirements for users and physical security for facilities.
• Recommend RBAC tests and a plan for ongoing network monitoring to ensure RBAC is working properly.
• Develop and submit reports to the CIO that address all requirements within each scenario.

Deliverables

This project is divided into several parts, as follows:

• Project Part 1: Infrastructure Assessment and Risk Assessment
• Project Part 2: Role-Based Access Control (RBA) and Single Sign-On (SSO)
• Project Part 3: Remote Access and Physical Security
• Project Part 4: Testing and Monitoring

Project Part 1: Infrastructure Assessment and Risk Assessment

Scenario

The CIO recently made a strategic presentation to the executive management team to assess the infrastructure assets (hardware, software, databases, and types of sensitive information) and risks. Funding has been approved for both assessments. The CIO wants you to create a high-level plan for the infrastructure assessment and the risk assessment.

Tasks

Create a two-part report to the CIO that addresses the following:

1.     A plan for conducting an infrastructure assessment of all company locations

2.     A plan for conducting an IT risk assessment of all company locations

Each plan should include the following:

• Purpose and importance
• The scope and boundaries of the plan
• (Risk assessment only) At least five issues the plan will address upon completion
• A list of typical threats and vulnerabilities
• A high-level outline of major steps to be taken
• A proposed schedule

Required Resources

• Internet access
• Course textbook

Submission Requirements

• Format: Microsoft Word (or compatible)
• Font: Arial, size 12, double-spaced
• Citation Style: Follow your school’s preferred style guide (The latest version of APA style)
   
• Length: 2 to 4 pages

Self-Assessment Checklist

• I developed an effective plan to assess the infrastructure of all company locations.
• I developed an effective plan to assess the IT risk of all company locations.
• I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.
• I followed the submission guidelines.

Project Part 2: Role-Based Access Control (RBAC) and Single Sign-On (SSO)

Scenario

Big Tire currently relies on access control lists (ACLs) for control over what users can access and what actions they can carry out. As the company has grown, ACLs have proven to be very time-consuming for IT staff to maintain.

You believe RBAC, used as a company-wide access control system, is superior to ACLs in terms of security and administrative overhead. RBAC user roles and permissions make it easy to perform role assignments because individual users no longer have unique access rights. Instead, they have privileges that conform to the permissions assigned to their specific role or job function.

Your CIO also asked you to research and report on the feasibility of SSO.

Tasks

Create a two-part report to the CIO that addresses the following:

1.     A high-level plan for implementing RBAC or an RBAC-like solution at each Big Tire location

2.     A description of SSO and a determination of whether it is feasible for implementation at Big Tire

The RBAC plan should include the following:

• Purpose and importance
• A description of the technology
• Advantage of RBAC over ACLs
• How RBAC can mitigate risks to the IT infrastructure’s confidentiality, integrity, and availability
• A high-level outline of major implementation steps
• A scheme for RBAC roles
  • Create a simple scheme that maps roles to applications in the data center
    • Assume a more granular scheme will be created in the future
• Some roles to consider in your scheme are Administrative, Accounting, HR, Manager, Sales and Marketing, Driver, and Technical, although you can use other roles if desired
• Any related projects that may need to run before, during, or after the implementation
• A proposed schedule
• The SSO section should include the following:
• Purpose and importance
• A description of the technology
• Your recommendation as to whether SSO is feasible
• If so, the type of solution do you recommend

Required Resources

• Internet access
• Course textbook

Submission Requirements

• Format: Microsoft Word (or compatible)
• Font: Arial, size 12, double-spaced
• Citation Style: Follow your school’s preferred style guide (The latest version of APA style)
   
• Length: 2 to 4 pages

Self-Assessment Checklist

• I developed a high-level plan for implementing RBAC or an RBAC-like solution at each Big Tire location.
• I wrote a description of SSO and determined whether it is feasible for implementation at Big Tire.
• I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.
• I followed the submission guidelines.

Project Part 3: Remote Access and Physical Security

Scenario

The Big Tire CIO wants users at all company locations and trusted business partners to be able to access applications hosted in the data center, such as the logistics and accounting applications. A remote access solution that provides a good user experience working with the logistics application would be ideal. A previous attempt to access the application over a virtual private network (VPN) connection was abandoned due to very slow response time.

The CIO also wants improved and uniform physical security at all locations, which should include some type of smart card and/or programmable locks for all office buildings and garages.

Finally, the CIO wants all employees, including drivers using mobile devices, to use biometrics, tokens, fobs, or authenticator apps for access to all websites that offer it as a factor in multifactor authentication. The chosen access control should be convenient for employees and cost-effective.

Tasks

Create a three-part report to the CIO that addresses the following:

• A high-level plan for implementing remote access to applications hosted in the data center
• A high-level plan for implementing physical security at Big Tire locations
• A high-level plan for cost-effective multifactor authentication for websites

Required Resources

• Internet access
• Course textbook

Submission Requirements

• Format: Microsoft Word (or compatible)
• Font: Arial, size 12, double-spaced
• Citation Style: Follow your school’s preferred style guide (The latest version of APA style)
   
• Length: 2 to 4 pages

Self-Assessment Checklist

• I developed a high-level plan for implementing remote access to applications hosted in the data center.
• I developed a high-level plan for implementing physical security at Big Tire locations.
• I developed a high-level plan for cost-effective multifactor authentication for websites.
• I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.
• I followed the submission guidelines.

Project Part 4: Testing and Monitoring

Scenario

Access control systems are constantly under surveillance and attack. An attacker who gains control of an access control system can leverage that access to gain entry to other systems in the enterprise. Frequent testing of access control systems ensures that weaknesses are found and can be dealt with before they are exploited.

Network monitoring is a critical IT process where all networking components, such as routers, switches, firewalls, and servers, are monitored for faults, performance, and anomalies to detect possible intruders or attacks.

Tasks

Create a two-part report to the CIO that addresses the following:

• A high-level plan for testing RBAC and physical security (building access)
• Include the type of tests to be performed and the frequency
• A high-level plan for ongoing network monitoring to ensure the RBAC solution is working properly
• Network monitoring is to be performed at each Big Tire location

Required Resources

• Internet access
• Course textbook

Submission Requirements

• Format: Microsoft Word (or compatible)
• Font: Arial, size 12, double-spaced
• Citation Style: Follow your school’s preferred style guide (The latest version of APA style)
   
• Length: 2 to 4 pages

Self-Assessment Checklist

• I developed an effective plan to test RBAC and physical security controls at Big Tire.
• I developed an effective plan for network monitoring at Big Tire.
• I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.
• I followed the submission guidelines.