Skip to main content

Security Controls

Overview

Security is a foundational design principle of the Secure Controlled Guns and Ammunition Inventory Management System (SCGAIMS). Given the sensitive nature of firearms and ammunition inventories, the system incorporates multiple security controls intended to strengthen accountability, prevent unauthorized access, improve auditability, and support security governance objectives.

The security architecture was developed in direct response to deficiencies identified during investigations into inventory accountability failures and unauthorized access incidents involving controlled assets.

The security controls implemented within SCGAIMS focus on:

  • Identity Assurance
  • Access Control
  • Accountability
  • Auditability
  • Data Integrity
  • Secure Development Practices
  • Secret Management
  • Operational Governance

Security Objectives

SCGAIMS was designed to support the following security objectives:

Confidentiality

Protect sensitive inventory and operational information from unauthorized disclosure.


Integrity

Prevent unauthorized modification of inventory records, investigations, and audit information.


Availability

Ensure authorized users can access system resources when required.


Accountability

Associate all significant actions with authenticated users.


Non-Repudiation

Provide evidence of user actions through audit records.


Traceability

Maintain complete visibility into inventory movement and transaction history.


Identity and Access Management

Overview

Identity and Access Management (IAM) controls regulate access to SCGAIMS resources by ensuring users are authenticated and authorized before performing operations.

The system utilizes Auth0 as its centralized Identity Provider (IdP).


Auth0 Integration

Auth0 provides:

Identity Management

Authentication

Role Assignment

Permission Management

Future MFA Support

Benefits

The use of a centralized Identity Provider:

  • Reduces credential management complexity
  • Supports secure authentication
  • Enables centralized user administration
  • Improves governance and oversight

Authentication Controls

Current Implementation

Auth0 environment configured with:

SCGAIMS API

SCGAIMS Web Application

Roles

Permissions

Users

Future Authentication Features

Planned enhancements include:

Multi-Factor Authentication (MFA)

Users will be required to provide an additional verification factor before access is granted.

Examples:

Authenticator Applications

Push Notifications

One-Time Passwords

Step-Up Authentication

High-risk operations may require re-authentication.

Examples include:

Issue Inventory

Return Inventory

Resolve Investigations

Authorization Controls

Role-Based Access Control (RBAC)

SCGAIMS implements a Role-Based Access Control model.

Permissions are assigned to roles rather than individual users.


Administrative Role

Capabilities include:

Manage Inventory

View Audit Logs

Resolve Investigations

System Administration

Supervisor Role

Capabilities include:

Review Investigations

Review Transactions

Audit Oversight

Officer Role

Capabilities include:

Issue Inventory

Return Inventory

Operational Activities

Security Benefits

RBAC supports:

  • Least Privilege
  • Separation of Duties
  • Reduced Insider Risk
  • Improved Accountability

Principle of Least Privilege

The Principle of Least Privilege (PoLP) is applied throughout the system.

Users receive only the permissions necessary to perform their operational responsibilities.


Benefits

Reduced Attack Surface

Improved Accountability

Reduced Misuse Risk

Improved Security Governance

Separation of Duties

SCGAIMS separates operational responsibilities across different user roles.

Examples include:

Officers
Issue and Return Inventory

Supervisors
Review Investigations

Administrators
Manage System Configuration

This reduces opportunities for unauthorized activity and strengthens oversight.


Inventory Validation Controls

Purpose

Inventory validation prevents invalid inventory transactions from being processed.


Issuance Validation

Before inventory is issued the system verifies:

Inventory Exists

Inventory Availability

Valid Quantity Requested

Return Validation

Before returns are processed the system verifies:

Associated Issue Record Exists

Returned Quantity Provided

Transaction Integrity

Benefits

Improved Inventory Accuracy

Reduced Data Errors

Improved Accountability

Discrepancy Detection Controls

Purpose

Discrepancy controls detect situations where returned inventory does not match originally issued inventory.


Logic

The system evaluates:

Quantity Issued

vs

Quantity Returned

Example

Issued: 120 rounds

Returned: 100 rounds

Result:

Discrepancy Flag = True

Security Benefits

Improved Accountability

Early Anomaly Detection

Improved Auditability

Improved Oversight

Investigation Controls

Purpose

Discrepancies are managed through investigation workflows.


Investigation Lifecycle

Open

Review

Resolution

Closure

Security Benefits

Formal Accountability Process

Documented Findings

Operational Oversight

Historical Retention

Audit Logging Controls

Overview

Audit logging is one of the most significant security controls within SCGAIMS.

All significant business operations generate audit records.


Logged Activities

Examples include:

Inventory Issued

Inventory Returned

Investigation Resolved

Inventory Updated

Administrative Activity

Audit Attributes

Audit records may contain:

User Identifier

Action

Timestamp

Target Entity

Additional Details

Benefits

Audit logs support:

Accountability

Investigations

Compliance Reviews

Forensic Analysis

Security Monitoring

Data Integrity Controls

Relational Database Design

SCGAIMS utilizes PostgreSQL with relational constraints.


Integrity Mechanisms

Primary Keys

Foreign Keys

Referential Integrity

Validation Rules

Benefits

Improved Consistency

Data Quality

Relationship Integrity

Reduced Data Corruption

Database Security

PostgreSQL Platform

SCGAIMS stores operational data in PostgreSQL hosted through Supabase.


Security Features

Managed Infrastructure

Access Restrictions

Cloud-Based Availability

Administrative Controls

Secret Management

Purpose

Sensitive credentials are never hardcoded within the application source code.


Environment Variables

The system utilizes environment variables for secure