SRA 440W Phase 1 – Requirements Gathering Project Definition Report (PDR) &

SRA 440W

Phase 1 – Requirements Gathering

Project Definition Report (PDR) & Format

GROUP 4: SHREK Inc.

Scope Definition:

SHREK Inc. will provide policies and procedures as well as software solutions to aid Service Provider in maintaining data security, counter insider threats and alleviate compliance concerns. We are also to research thoroughly third-party COTS (Commercial Off The Shelf) packages/solutions that can be utilized to track local and remote employees.

Project statement of work (SoW):

Information Security Policies and Training SHREK Inc. Will…

Develop and implement IS policies and training covering remote as well as local employees, managerial staff, and upper management.

Develop protocols/training for upper management to follow when hiring employees or when employees leave the company.

Design and write Information Security Policies for routine activities (e.g., backup policies, data movement policies, logon/logoff policies, 2FA (2 Factor Authentication), and so on.

Write procedures that are to be taken in case violations of company security policies.

Compliance & Insider Threat mitigation SHREK Inc. Will…

Develop material (e.g., formally written documents, PowerPoints, whitepapers, etc.) to show what the Service Provider is doing to develop a strong information security program to address compliance concerns.

Develop a protocol/methodology that can be used by Service Provider to minimize the possibility of insider threats.

Tracking of Local and Remote Employees SHREK Inc. Will…

Propose a package that best in terms of resources required to install and run, cost, the security and protection it provides, and the ability to handle both remote and local employees.

Provide initial training and written procedures of use followed with ongoing support by third-party vendor.

Scope Verification

CONSULTING AGREEMENT

PARTIES

This Service Contract Agreement (hereinafter referred to as the “Agreement”) is entered into on 06/01/2022 (the “Effective Date”), by and between SHREK Inc, with an address of 745 Lion Drive, Happy Valley Pennsylvania 16802 (hereinafter referred to as the “Consultant”), and Service Provider, with an address of 14897 Buena Vista Court Suite 75, Chula Vista California, 91914 (hereinafter referred to as the “Client”) (collectively referred to as the “Parties”).

CONSIDERATION

The Parties agree that the Consultant will provide the services attached hereunder, whereas the Client will in return provide compensation for such services and expertise.

SERVICES

The Consultant’s services are summarized below:

Information Security Policies and Training

Compliance and Insider Threat mitigation

System usage tracking software for local and remote employees

RETAINER

The amount of $150,000.00 will be due at the time of contract signing, with the remaining balance of $50,000.00 due upon final acceptance of project materials.

The Parties agree that the payments are to be made via cashier’s check and sent to the following address SHREK Inc, 745 Lion Drive, Happy Valley PA16802

TERM

This Agreement shall be effective on the date of signing this Agreement (hereinafter referred to as the “Effective Date”) and will end on satisfactory completion of project.

Upon the end of the term of the Agreement, this Agreement will not be automatically renewed for a new term.

TERMINATION

This Agreement may be terminated in case the following occurs:

Immediately in case one of the Parties breaches this Agreement.

At any given time by providing a written notice to the other party 30 days prior to terminating the Agreement.

RELATIONSHIP BETWEEN THE PARTIES

Hereby, the Parties agree that the Consultant in this Agreement is an independent contractor where the Consultant provides the services hereunder and acts as an independent contractor.

Under no circumstances shall the Consultant be considered an employee.

Whereas this Agreement does not create any other partnership between the Parties.

EXCLUSIVITY

The Parties agree and understand that this Agreement is not exclusive and that the Parties are entitled to enter into other similar agreements with other parties.

OWNERSHIP

The Parties agree that all work created by the Consultant in terms of performing the services will remain the exclusive property of the Client, who can use it without any restrictions.

CONFIDENTIALITY

All terms and conditions of this Agreement and any materials provided during the term of the Agreement must be kept confidential by the Consultant unless the disclosure is required pursuant to process of law.

Disclosing or using this information for any purpose beyond the scope of this agreement, or beyond the exceptions set forth above, is expressly forbidden without the prior consent of the Client.

DISPUTE RESOLUTION

Any dispute or difference whatsoever arising out of or in connection with this agreement shall be submitted to Arbitration in accordance with, and subject to the laws of, the state of California.

GOVERNING LAW

This Agreement shall be governed by and construed in accordance with the laws of the state of California.

SEVERABILITY

In an event where any provision of this Agreement is found to be void and unenforceable by a court of competent jurisdiction, then the remaining provisions will remain to be enforced in accordance with the Parties’ intention.

ENTIRE AGREEMENT

This Agreement contains the entire agreement and understanding among the Parties hereto with respect to the subject matter hereof, and supersedes all prior agreements, understandings, inducements, and conditions, express or implied, oral, or written, of any nature whatsoever with respect to the subject matter hereof. The express terms hereof control and supersede any course of performance and/or usage of the trade inconsistent with any of the terms hereof.

AMENDMENTS

The Parties agree that any amendments made to this Agreement must be in writing and they must be signed by both Parties to this Agreement.

As such, any amendments made by the Parties will be applied to this Agreement.

SIGNATURE AND DATE

The Parties hereby agree to the terms and conditions set forth in this Agreement and such is demonstrated throughout by their signatures below:

CLIENT

Name:____________________________

Signature:_________________________

Date:_____________________________

CONSULTANT

Name:____________________________

Signature:_________________________

Date:_____________________________

Scope Identification

Changes requested by the client will be made in writing to Richard Ribicki (SHREK Inc team lead) for evaluation. After evaluation, an estimate of cost will be returned to client within 5 business days for approval.

2.Stakeholder Identification: (Kenny Gambrell)

Stakeholders of the SHREK Inc., Service Provider IT Security collaboration are as follows

Employees (local and remote) of Service Provider

Managerial staff of Service Provider

Upper Management of Service Provider

Third Party Vendor of tracking software

SHREK Inc. Team

Richard Rybicki -Team leader, Cost/Benefit Analysis, Project Goals and Objectives

Andrew Herrera – Limitations/Constraints, Scope Exclusions

Jessica Paulson – Operational Feasibility

Kenny R. Gambrell – Project statement of work (SoW), Stakeholder Identification

Chelsea Coia – Project Outcome and Final Deliverables

All parties at Service Provider that use information technology whether it be a PC for daily work, and tablet, cell phone, or time keeping computer tied to the Service Provider network will need training on the need of and how to accomplish a more secure system. Management, both midlevel and above, will need to be trained in the new policies of on-boarding, vetting new employees, countering insider threats and off-boarding outgoing employees to help maintain a secure IT (Information Technology) system. The management levels will also need to be trained concerning the tracking software in both functionality and capabilities so that compliance issues do not become a concern.

Perform Cost/Benefit Analysis:

Costs:

The cost completion will take approximately 14 weeks with a completion date of August 7th to be completed by the SHREK Inc team. Along this path of completion, the client can use the major milestone sheet shown below in the Project Goals and Objectives section. This will keep the client informed and we have confidence in our timeline with the completion dates. The total cost will be about $250,000. The time to train the entire group of stakeholders and the annual cost of doing so will be about $20,000. Next will be the compliance and insider threat mitigation for the team. This will cost approximately another $50,000. Lastly would be system usage tracking software for local and remote employees. This will cost approximately another $30,000.

Benefits:

The benefits associated with SHREK Inc will be hefty due to backend software upkeep and development. The client will receive services such as backup policies, data movement policies, logon/logoff policies and 2FA. These benefits will ensure that the client will have peace of mind that their product will be protected and backed up by cloud in case of an event such as ransomware or malware. The benefits behind the training will be a greater customer confidence and a streamlined training process. As for the compliance and insider threat mitigation for the team the benefits will provide more knowledge of the industry and give them insight into what threats may be of concern for the company. Lastly the system usage tracking software for the local and remote employees will provide a way to track what the employees are doing remotely and ensure they are using the most of company time.

Project Schedule:

Due Date

Assignment

Time needed (Approx.)

Costs

June 5

Project Definition report

1 week

150,000

June 26

Solutions Alternatives Document

2 Weeks

20000

July 10

Developed Solution for Problem 1

2 Weeks

20000

July 24

Developed Solution for Problem 2 & 3

2 Weeks

10000

August 7

Final Report & Executive Summary

1 Week

200,000 Total

August 7

Implementation Phase Document

Project Goals and Objectives:

Due Date

Assignment

Expected Completion Date

June 5

Project Definition report

June 4

June 26

Solutions Alternatives Document

June 25

July 10

Developed Solution for Problem 1

July 9

July 24

Developed Solution for Problem 2 & 3

July 23

August 7

Final Report & Executive Summary

August 6

August 7

Implementation Phase Document

August 6

Operational Feasibility:

Information security policies and procedures, along with compliance and insider threat mitigation recommendations will be presented to the Service Provider’s upper management, supervisors, and employees in separate training sessions proportionate to the level of responsibility. After their initial training, a presentation of procedure documentation as well as all training materials will be turned over to the Service Provider to continue in their normal onboarding and semi-annual training packages. After the procedures are written and the training is conducted on the new third-party system, SHREK Inc. will provide 24/7 support and updates per the service contract for any issues that the Service Provider may run into.

Limitations/Constraints:

Implementing this plan while acknowledging limitations and constraints is vital to its success. To implement solutions such as policies, and most importantly, training for remote and local managerial staff, and upper management requires a specific number of resources. As this is a large undertaking, the number of resources will be unknown in terms of how many people must be trained, where they are located, and who will conduct this training. The process for developing protocols and training for hiring will be a limitation as well. As we are employees of Shrek Incorporated and not Service Provider our understanding of the hiring process is limited. Being uniformed of the specific candidate human resources needs, a limitation on creating protocols and training for this issue will be puzzling. Next, to develop a protocol that can be utilized by Service Provider to minimize insider threats, it is a necessity to understand the past-history of insider-threat occurrences. Without knowing how, and who these people are, it will become a strenuous effort to create a methodology to protect against these issues and future insider and outsider threats that could present itself in the future. Lastly, the cost of implementing training will never be known to an exact number thus it may increase over time depending on people, and resources and every changing variables throughout the company. Understanding what is needed to specifically train these employees may increase the required capital to carry out this solution.

Scope Exclusions:

Within this project implementation, there will be few exclusions relating to the scope of this project. The first will be human error, as this occurs often throughout the world. When implementing policies or utilizing training, issues created due to the incorrect utilization of training in a specific situation, we will not be able to recognize this as a problem to solve. This directly weighs on the managerial staff conducting important operations, and when conducted incorrectly, may impact on the security of these systems. Another issue that may arise during the implementation of this plan is employees leaving the company due to non-agreement to the proposed plan. Although extremely rare, this may be a situation that will arise. As this is a personal decision that relies heavily on a person’s thoughts, it is a situation that cannot be helped. Which we will be excluding this from our scope.

Project Outcome and Final Deliverables:

There are several outcomes for this project that will be accounted for as deliverables to the client. The first deliverable is the project definition report. Here, the consultant will develop and submit a project definition to the client. In the project definition, the consultant will provide policies and procedures to the client which will act as a guide for the client to acquire solutions that will help the client maintain data security. This document will also provide definitions of the key project deliverables and their estimated dates of submission alongside the name of the leaders in the project deliverable. For instance, this document will include information about staff training and information, mitigation of insider threats and staff compliance, and essential resources use material and documents on employee tracing both in the organization and those working from home.

In addition to the project definition report, this project will deliver a document on solutions alternatives. There are three problems identified in the project and there will be a solutions document for each problem. However, solutions documents for problems 2 and 3 will be submitted in the same week. The solutions themselves will also be developed besides the report. These include the development of backup support which helps to secure the organization’s data in the event unlikely threats occur like data breaches or malware. Lastly, the project will deliver the final report and an executive summary. This document summarizes or contains all key requirements of the project. This as such combines all other documents delivered in phases, with revisions that reflect the time and material changes throughout the course of the project. An executive summary is also provided to establish an official summary of the various elements that went into the implementation of the project and that are also contained in the body of the final report. Without loss of generality a security policies document, final security assessment report, recovery plan, and data backup will be delivered. Lastly, this project will deliver the implementation phase document. This document provides a stage-by-stage guideline on how the project will be implemented in the client’s organization. This includes such elements as employee training, screening of employees to identify potential threats, and also updating the client’s rules, policies and guidelines.

1