C-7700-1 - PSA for Information Security Assessment Services
PROFESSIONAL SERVICES AGREEMENT
WITH ILLUMANT, LLC FOR
INFORMATION SECURITY ASSESSMENT SERVICES
THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and
entered into as of this 1st day of July, 2019 ("Effective Date"), by and between the CITY
OF NEWPORT BEACH, a California municipal corporation and charter city ("City"), and
ILLUMANT, LLC, a California LLC ("Consultant"), whose address is 431 Florence
Street, Suite 210, Palo Alto, California 94301, and is made with reference to the
following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. City desires to engage Consultant to provide information security assessment
services ("Project").
C. Consultant possesses the skill, experience, ability, background, certification and
knowledge to provide the professional services described in this Agreement.
D. City has solicited and received a proposal from Consultant, has reviewed the
previous experience and evaluated the expertise of Consultant, and desires to
retain Consultant to render professional services under the terms and conditions
set forth in this Agreement.
NOW, THEREFORE, it is mutually agreed by and between the undersigned
parties as follows:
1. TERM
The term of this Agreement shall commence on the Effective Date, and shall
terminate on December 31, 2019, unless terminated earlier as set forth herein.
2. SERVICES TO BE PERFORMED
Consultant shall diligently perform all the services described in the Scope of
Services attached hereto as Exhibit A and incorporated herein by reference ("Services"
or "Work"). City may elect to delete certain Services within the Scope of Services at its
sole discretion.
3. TIME OF PERFORMANCE
3.1 Time is of the essence in the performance of Services under this
Agreement and Consultant shall perform the Services in accordance with the schedule
included in Exhibit A. In the absence of a specific schedule, the Services shall be
performed to completion in a diligent and timely manner. The failure by Consultant to
strictly adhere to the schedule set forth in Exhibit A, if any, or perform the Services in a
diligent and timely manner may result in termination of this Agreement by City.
3.2 Notwithstanding the foregoing, Consultant shall not be responsible for
delays due to causes beyond Consultant's reasonable control. However, in the case of
any such delay in the Services to be provided for the Project, each party hereby agrees
to provide notice within two (2) calendar days of the occurrence causing the delay to the
other party so that all delays can be addressed.
3.3 Consultant shall submit all requests for extensions of time for performance
in writing to the Project Administrator as defined herein not later than ten (10) calendar
days after the start of the condition that purportedly causes a delay. The Project
Administrator shall review all such requests and may grant reasonable time extensions
for unforeseeable delays that are beyond Consultant's control.
3.4 For all time periods not specifically set forth herein, Consultant shall
respond in the most expedient and appropriate manner under the circumstances, by
hand-delivery or mail.
4. COMPENSATION TO CONSULTANT
4.1 City shall pay Consultant for the Services on a fixed fee not-to-exceed
basis in accordance with the provisions of this Section and the Schedule of Billing Rates
attached hereto as Exhibit B and incorporated herein by reference. Consultant's
compensation for all Work performed in accordance with this Agreement, including all
reimbursable items and subconsultant fees, shall not exceed Fifty Thousand Dollars
and 00/100 ($50,000.00), without prior written authorization from City. No billing rate
changes shall be made during the term of this Agreement without the prior written
approval of City.
4.2 Consultant shall submit invoices to City upon completion of milestones as
outlined in Exhibit B, describing the Work performed. Consultant's bills shall include the
name of the person who performed the Work, a brief description of the specific task in
the Scope of Services to which it relates, the date the Services were performed, the
number of hours spent on all Work billed on an hourly basis, and a description of any
reimbursable expenditures. City shall pay Consultant no later than thirty (30) calendar
days after approval of the monthly invoice by City staff.
4.3 City shall reimburse Consultant only for those costs or expenses
specifically identified in Exhibit B to this Agreement or specifically approved in writing in
advance by City.
4.4 Consultant shall not receive any compensation for Extra Work performed
without the prior written authorization of City. As used herein, "Extra Work" means any
Work that is determined by City to be necessary for the proper completion of the
Project, but which is not included within the Scope of Services and which the parties did
not reasonably anticipate would be necessary at the execution of this Agreement.
Illumant, LLC Page 2
Compensation for any authorized Extra Work shall be paid in accordance with the
Schedule of Billing Rates as set forth in Exhibit B.
5. PROJECT MANAGER
5.1 Consultant shall designate a Project Manager, who shall coordinate all
phases of the Project. This Project Manager shall be available to City at all reasonable
times during the Agreement term. Consultant has designated Billens (Bill) Crow to be
its Project Manager. Consultant shall not remove or reassign the Project Manager or
any personnel listed in Exhibit A or assign any new or replacement personnel to the
Project without the prior written consent of City. City's approval shall not be
unreasonably withheld with respect to the removal or assignment of non-key personnel.
5.2 Consultant, at the sole discretion of City, shall remove from the Project
any of its personnel assigned to the performance of Services upon written request of
City. Consultant warrants that it will continuously furnish the necessary personnel to
complete the Project on a timely basis as contemplated by this Agreement.
5.3 If Consultant is performing inspection services for City, the Project
Manager and any other assigned staff shall be equipped with a cellular phone to
communicate with City staff. The Project Manager's cellular phone number shall be
provided to City.
6. ADMINISTRATION
This Agreement will be administered by the City Manager's Office. City's Senior
IT Analyst or designee shall be the Project Administrator and shall have the authority to
act for City under this Agreement. The Project Administrator shall represent City in all
matters pertaining to the Services to be rendered pursuant to this Agreement.
7. CITY'S RESPONSIBILITIES
To assist Consultant in the execution of its responsibilities under this Agreement,
City agrees to provide access to and upon request of Consultant, one copy of all
existing relevant information on file at City. City will provide all such materials in a
timely manner so as not to cause delays in Consultant's Work schedule.
8. STANDARD OF CARE
8.1 All of the Services shall be performed by Consultant or under Consultant's
supervision. Consultant represents that it possesses the professional and technical
personnel required to perform the Services required by this Agreement, and that it will
perform all Services in a manner commensurate with community professional standards
and with the ordinary degree of skill and care that would be used by other reasonably
competent practitioners of the same discipline under similar circumstances. All
Services shall be performed by qualified and experienced personnel who are not
employed by City. By delivery of completed Work, Consultant certifies that the Work
conforms to the requirements of this Agreement, all applicable federal, state and local
laws, and legally recognized professional standards.
8.2 Consultant represents and warrants to City that it has, shall obtain, and
shall keep in full force and effect during the term hereof, at its sole cost and expense, all
licenses, permits, qualifications, insurance and approvals of whatsoever nature that is
legally required of Consultant to practice its profession. Consultant shall maintain a City
of Newport Beach business license during the term of this Agreement.
8.3 Consultant shall not be responsible for delay, nor shall Consultant be
responsible for damages or be in default or deemed to be in default by reason of strikes,
lockouts, accidents, acts of God, or the failure of City to furnish timely information or to
approve or disapprove Consultant's Work promptly, or delay or faulty performance by
City, contractors, or governmental agencies.
9. HOLD HARMLESS
9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend
and hold harmless City, its City Council, boards and commissions, officers, agents,
volunteers and employees (collectively, the "Indemnified Parties") from and against any
and all claims (including, without limitation, claims for bodily injury, death or damage to
property), demands, obligations, damages, actions, causes of action, suits, losses,
judgments, fines, penalties, liabilities, costs and expenses (including, without limitation,
attorneys' fees, disbursements and court costs) of every kind and nature whatsoever
(individually, a "Claim"; collectively, "Claims"), which may arise from or in any manner
relate (directly or indirectly) to any breach of the terms and conditions of this
Agreement, any Work performed or Services provided under this Agreement including,
without limitation, defects in workmanship or materials or Consultant's presence or
activities conducted on the Project (including the negligent, reckless, and/or willful acts,
errors and/or omissions of Consultant, its principals, officers, agents, employees,
vendors, suppliers, consultants, subcontractors, anyone employed directly or indirectly
by any of them or for whose acts they may be liable, or any or all of them).
9.2 Notwithstanding the foregoing, nothing herein shall be construed to
require Consultant to indemnify the Indemnified Parties from any Claim arising from the
sole negligence or willful misconduct of the Indemnified Parties. Nothing in this
indemnity shall be construed as authorizing any award of attorneys' fees in any action
on or to enforce the terms of this Agreement. This indemnity shall apply to all claims
and liability regardless of whether any insurance policies are applicable. The policy
limits do not act as a limitation upon the amount of indemnification to be provided by
Consultant.
10. INDEPENDENT CONTRACTOR
It is understood that City retains Consultant on an independent contractor basis
and Consultant is not an agent or employee of City. The manner and means of
conducting the Work are under the control of Consultant, except to the extent they are
limited by statute, rule or regulation and the expressed terms of this Agreement. No
civil service status or other right of employment shall accrue to Consultant or its
employees. Nothing in this Agreement shall be deemed to constitute approval for
Consultant or any of Consultant's employees or agents, to be the agents or employees
of City. Consultant shall have the responsibility for and control over the means of
performing the Work, provided that Consultant is in compliance with the terms of this
Agreement. Anything in this Agreement that may appear to give City the right to direct
Consultant as to the details of the performance of the Work or to exercise a measure of
control over Consultant shall mean only that Consultant shall follow the desires of City
with respect to the results of the Services.
11. COOPERATION
Consultant agrees to work closely and cooperate fully with City's designated
Project Administrator and any other agencies that may have jurisdiction or interest in the
Work to be performed. City agrees to cooperate with the Consultant on the Project.
12. CITY POLICY
Consultant shall discuss and review all matters relating to policy and Project
direction with City's Project Administrator in advance of all critical decision points in
order to ensure the Project proceeds in a manner consistent with City goals and
policies.
13. PROGRESS
Consultant is responsible for keeping the Project Administrator informed on a
regular basis regarding the status and progress of the Project, activities performed and
planned, and any meetings that have been scheduled or are desired.
14. INSURANCE
Without limiting Consultant's indemnification of City, and prior to commencement
of Work, Consultant shall obtain, provide and maintain at its own expense during the
term of this Agreement or for other periods as specified in this Agreement, policies of
insurance of the type, amounts, terms and conditions described in the Insurance
Requirements attached hereto as Exhibit C, and incorporated herein by reference.
15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS
Except as specifically authorized under this Agreement, the Services to be
provided under this Agreement shall not be assigned, transferred contracted or
subcontracted out without the prior written approval of City. Any of the following shall
be construed as an assignment: The sale, assignment, transfer or other disposition of
any of the issued and outstanding capital stock of Consultant, or of the interest of any
general partner or joint venturer or syndicate member or cotenant if Consultant is a
partnership or joint-venture or syndicate or co-tenancy, which shall result in changing
the control of Consultant. Control means fifty percent (50%) or more of the voting
power or twenty-five percent (25%) or more of the assets of the corporation, partnership
or joint-venture.
16. SUBCONTRACTING
The subcontractors authorized by City, if any, to perform Work on this Project are
identified in Exhibit A. Consultant shall be fully responsible to City for all acts and
omissions of any subcontractor. Nothing in this Agreement shall create any contractual
relationship between City and any subcontractor nor shall it create any obligation on the
part of City to pay or to see to the payment of any monies due to any such
subcontractor other than as otherwise required by law. City is an intended beneficiary
of any Work performed by the subcontractor for purposes of establishing a duty of care
between the subcontractor and City. Except as specifically authorized herein, the
Services to be provided under this Agreement shall not be otherwise assigned,
transferred, contracted or subcontracted out without the prior written approval of City.
17. OWNERSHIP OF DOCUMENTS
17.1 Each and every report, draft, map, record, plan, document and other
writing produced, including but not limited to, websites, blogs, social media accounts
and applications (hereinafter "Documents"), prepared or caused to be prepared by
Consultant, its officers, employees, agents and subcontractors, in the course of
implementing this Agreement, shall become the exclusive property of City, and City
shall have the sole right to use such materials in its discretion without further
compensation to Consultant or any other party. Additionally, all material posted in
cyberspace by Consultant, its officers, employees, agents and subcontractors, in the
course of implementing this Agreement, shall become the exclusive property of City,
and City shall have the sole right to use such materials in its discretion without further
compensation to Consultant or any other party. Consultant shall, at Consultant's
expense, provide such Documents, including all logins and password information to City
upon prior written request.
17.2 Documents, including drawings and specifications, prepared by
Consultant pursuant to this Agreement are not intended or represented to be suitable
for reuse by City or others on any other project. Any use of completed Documents for
other projects and any use of incomplete Documents without specific written
authorization from Consultant will be at City's sole risk and without liability to
Consultant. Further, any and all liability arising out of changes made to Consultant's
deliverables under this Agreement by City or persons other than Consultant is waived
against Consultant, and City assumes full responsibility for such changes unless City
has given Consultant prior notice and has received from Consultant written consent for
such changes.
17.3 All written documents shall be transmitted to City in formats compatible
with Microsoft Office and/or viewable with Adobe Acrobat.
18. CONFIDENTIALITY
All Documents, including drafts, preliminary drawings or plans, notes and
communications that result from the Services in this Agreement, shall be kept
confidential unless City expressly authorizes in writing the release of information.
19. INTELLECTUAL PROPERTY INDEMNITY
Consultant shall defend and indemnify City, its agents, officers, representatives
and employees against any and all liability, including costs, for infringement or alleged
infringement of any United States' letters patent, trademark, or copyright, including
costs, contained in Consultant's Documents provided under this Agreement.
20. RECORDS
Consultant shall keep records and invoices in connection with the Services to be
performed under this Agreement. Consultant shall maintain complete and accurate
records with respect to the costs incurred under this Agreement and any Services,
expenditures and disbursements charged to City, for a minimum period of three (3)
years, or for any longer period required by law, from the date of final payment to
Consultant under this Agreement. All such records and invoices shall be clearly
identifiable. Consultant shall allow a representative of City to examine, audit and make
transcripts or copies of such records and invoices during regular business hours.
Consultant shall allow inspection of all Work, data, Documents, proceedings and
activities related to the Agreement for a period of three (3) years from the date of final
payment to Consultant under this Agreement.
21. WITHHOLDINGS
City may withhold payment to Consultant of any disputed sums until satisfaction
of the dispute with respect to such payment. Such withholding shall not be deemed to
constitute a failure to pay according to the terms of this Agreement. Consultant shall
not discontinue Work as a result of such withholding. Consultant shall have an
immediate right to appeal to the City Manager or designee with respect to such disputed
sums. Consultant shall be entitled to receive interest on any withheld sums at the rate
of return that City earned on its investments during the time period, from the date of
withholding of any amounts found to have been improperly withheld.
22. ERRORS AND OMISSIONS
In the event of errors or omissions that are due to the negligence or professional
inexperience of Consultant which result in expense to City greater than what would
have resulted if there were not errors or omissions in the Work accomplished by
Consultant, the additional design, construction and/or restoration expense shall be
borne by Consultant. Nothing in this Section is intended to limit City's rights under the
law or any other sections of this Agreement.
23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS
City reserves the right to employ other Consultants in connection with the
Project.
24. CONFLICTS OF INTEREST
24.1 Consultant or its employees may be subject to the provisions of the
California Political Reform Act of 1974 (the "Act") and/or Government Code §§ 1090 et
seq., which (1) require such persons to disclose any financial interest that may
foreseeably be materially affected by the Work performed under this Agreement, and (2)
prohibit such persons from making, or participating in making, decisions that will
foreseeably financially affect such interest.
24.2 If subject to the Act and/or Government Code §§ 1090 et seq., Consultant
shall conform to all requirements therein. Failure to do so constitutes a material breach
and is grounds for immediate termination of this Agreement by City. Consultant shall
indemnify and hold harmless City for any and all claims for damages resulting from
Consultant's violation of this Section.
25. NOTICES
25.1 All notices, demands, requests or approvals, including any change in
mailing address, to be given under the terms of this Agreement shall be given in writing,
and conclusively shall be deemed served when delivered personally, or on the third
business day after the deposit thereof in the United States mail, postage prepaid, first-class
mail, addressed as hereinafter provided.
25.2 All notices, demands, requests or approvals from Consultant to City shall
be addressed to City at:
Attn: Senior Solutions Advisor
City Manager's Office/IT
City of Newport Beach
100 Civic Center Drive
PO Box 1768
Newport Beach, CA 92658
25.3 All notices, demands, requests or approvals from City to Consultant shall
be addressed to Consultant at:
Attn: Billens Crow
Illumant, LLC
431 Florence Street, Suite 210
Palo Alto, CA 94301
26. CLAIMS
Unless a shorter time is specified elsewhere in this Agreement, before making its
final request for payment under this Agreement, Consultant shall submit to City, in
writing, all claims for compensation under or arising out of this Agreement. Consultant's
acceptance of the final payment shall constitute a waiver of all claims for compensation
under or arising out of this Agreement except those previously made in writing and
identified by Consultant in writing as unsettled at the time of its final request for
payment. Consultant and City expressly agree that in addition to any claims filing
requirements set forth in the Agreement, Consultant shall be required to file any claim
Consultant may have against City in strict conformance with the Government Claims Act
(Government Code sections 900 et seq.).
27. TERMINATION
27.1 In the event that either party fails or refuses to perform any of the
provisions of this Agreement at the time and in the manner required, that party shall be
deemed in default in the performance of this Agreement. If such default is not cured
within a period of two (2) calendar days, or if more than two (2) calendar days are
reasonably required to cure the default and the defaulting party fails to give adequate
assurance of due performance within two (2) calendar days after receipt of written
notice of default, specifying the nature of such default and the steps necessary to cure
such default, and thereafter diligently take steps to cure the default, the non-defaulting
party may terminate the Agreement forthwith by giving to the defaulting party written
notice thereof.
27.2 Notwithstanding the above provisions, City shall have the right, at its sole
and absolute discretion and without cause, of terminating this Agreement at any time by
giving no less than seven (7) calendar days' prior written notice to Consultant. In the
event of termination under this Section, City shall pay Consultant for Services
satisfactorily performed and costs incurred up to the effective date of termination for
which Consultant has not been previously paid. On the effective date of termination,
Consultant shall deliver to City all reports, Documents and other information developed
or accumulated in the performance of this Agreement, whether in draft or final form.
28. STANDARD PROVISIONS
28.1 Recitals. City and Consultant acknowledge that the above Recitals are
true and correct and are hereby incorporated by reference into this Agreement.
28.2 Compliance with all Laws. Consultant shall, at its own cost and expense,
comply with all statutes, ordinances, regulations and requirements of all governmental
entities, including federal, state, county or municipal, whether now in force or hereinafter
enacted. In addition, all Work prepared by Consultant shall conform to applicable City,
county, state and federal laws, rules, regulations and permit requirements and be
subject to approval of the Project Administrator and City.
28.3 Waiver. A waiver by either party of any breach, of any term, covenant or
condition contained herein shall not be deemed to be a waiver of any subsequent
breach of the same or any other term, covenant or condition contained herein, whether
of the same or a different character.
28.4 Integrated Contract. This Agreement represents the full and complete
understanding of every kind or nature whatsoever between the parties hereto, and all
preliminary negotiations and agreements of whatsoever kind or nature are merged
herein. No verbal agreement or implied covenant shall be held to vary the provisions
herein.
28.5 Conflicts or Inconsistencies. In the event there are any conflicts or
inconsistencies between this Agreement and the Scope of Services or any other
attachments attached hereto, the terms of this Agreement shall govern.
28.6 Interpretation. The terms of this Agreement shall be construed in
accordance with the meaning of the language used and shall not be construed for or
against either party by reason of the authorship of the Agreement or any other rule of
construction which might otherwise apply.
28.7 Amendments. This Agreement may be modified or amended only by a
written document executed by both Consultant and City and approved as to form by the
City Attorney.
28.8 Severability. If any term or portion of this Agreement is held to be invalid,
illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining
provisions of this Agreement shall continue in full force and effect.
28.9 Controlling Law and Venue. The laws of the State of California shall
govern this Agreement and all matters relating to it and any action brought relating to
this Agreement shall be adjudicated in a court of competent jurisdiction in the County of
Orange, State of California.
28.10 Equal Opportunity Employment. Consultant represents that it is an equal
opportunity employer and it shall not discriminate against any subcontractor, employee
or applicant for employment because of race, religious creed, color, national origin,
ancestry, physical handicap, medical condition, marital status, sex, sexual orientation,
age or any other impermissible basis under law.
28.11 No Attorneys' Fees. In the event of any dispute or legal action arising
under this Agreement, the prevailing party shall not be entitled to attorneys' fees.
28.12 Counterparts. This Agreement may be executed in two (2) or more
counterparts, each of which shall be deemed an original and all of which together shall
constitute one (1) and the same instrument.
[SIGNATURES ON NEXT PAGE]
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed
on the dates written below.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date:
By:
For: Aaron C. Harp
City Attorney
ATTEST:
Date:
Leilani I. Brown
City Clerk
CITY OF NEWPORT BEACH,
a California municipal corporation
Date:
By:
Grace K. Leung
City Manager
CONSULTANT: Illumant, LLC, a
California LLC
Date: 6/20/19
By:
Matija Siljak
Manager
Date: 6/20/19
By:
Mark Snodgrass
Manager
[END OF SIGNATURES]
Attachments: Exhibit A — Scope of Services
Exhibit B — Schedule of Billing Rates
Exhibit C — Insurance Requirements
EXHIBIT A
SCOPE OF SERVICES
Requested Services
Our core services comprise a complete baseline analysis of all in-scope information assets, including full vulnerability
assessment with manual validation and penetration testing.
All services are offered a la carte. Newport Beach may elect to engage Illumant for some or all of the service components
below as needed.
Perimeter Security Assessment (PSA)
This assessment involves the enumeration of vulnerabilities and risks that are accessible from
the Internet — the "hacker's perspective" — and includes expert manual validation and
penetration testing. Illumant starts by using a cross section of best-of-breed scanning tools to
harvest vulnerability data. Our experts then validate all results to eliminate false positives and
uncover any other vulnerabilities that may have initially escaped detection. To the extent
possible (without damaging systems or data) identified vulnerabilities are exploited to assess
their real severity, the level of exposure they may allow, and the potential impact of a breach.
Targets of this assessment include servers, applications (without credentials — see note),
firewalls, routers, load balancers, VPNs, and any other perimeter or Internet-facing information
assets. Protection measures are evaluated in terms of their ability to maintain the
confidentiality, integrity and availability of networks, systems, applications, and data. As part
of the PSA, penetration testing (without credentials) is performed on critical applications.
The types of security issues identified during the PSA include SQL injection, URL injection, CSRF
injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, insecure direct object
references, security misconfigurations, sensitive data exposure, missing function level access
controls, buffer overflows, missing patches, vulnerable versions, insecure credentials, and
many others. Goals for the exercise include unauthorized access and privilege escalation as
well as an analysis of availability (DOS) risks.
Note: For in-depth, credentialed and non-credentialed testing of applications see our Web
Application Security Assessment — WASA.
Scope: The PSA will target Newport Beach's approximately 54 externally addressable systems.
Critical Asset Security Assessment (CASA)
This internal assessment involves the enumeration of vulnerabilities and risks that are
accessible from within the network perimeter, behind border firewalls. Similar to external
assessments, like the PSA, Illumant starts by using scanning tools to harvest vulnerability data.
Our experts then validate all results to eliminate false positives and uncover any other
vulnerabilities that may have initially escaped detection. To the extent possible (without
damaging systems or data) identified vulnerabilities are exploited to assess their real severity,
the level of exposure they offer, and the potential impact of a breach.
Targets of this assessment include servers, applications, portals, routers, switches, and any
other critical internal systems. Testing may include Internet-facing systems, but viewed
internally without filtering by firewalls. Protection measures are evaluated in terms of their
ability to maintain the confidentiality, integrity and availability of networks, systems,
applications, and data and to repel internal threats and attack propagation.
Note: Depending on the specifics of the in-scope environment, the CASA and LANSA (if selected)
deliverables may be combined into a single report. This allows the client to view all affected
systems for a given finding in one report rather than searching through multiple reports.
Scope: The CASA will target up to 350 internal servers and infrastructure devices.
LAN Security Assessment (LANSA)
This internal assessment involves the enumeration of vulnerabilities and risks that are
accessible from within the network perimeter, behind border firewalls, on end-user LANs.
Similar to external assessments, like the PSA, Illumant starts by using scanning tools to harvest
vulnerability data. Our experts then validate all results to eliminate false positives and uncover
any other vulnerabilities that may have initially escaped detection. To the extent possible
(without damaging systems or data) identified vulnerabilities are exploited to assess their real
severity, the level of exposure they offer, and the potential impact of a breach.
Targets of this assessment include desktops, laptops, workstations, LAN servers, LAN switches,
and LAN-based systems. Protection measures are evaluated in terms of their ability to
maintain the confidentiality, integrity and availability of networks, systems, applications, and
data and to repel internal threats and attack propagation.
Notes: Testing of end-user systems is performed with credentials to evaluate the security
within the end -user's context including patch -levels, vulnerable applications and out-of-date
OSs.
Note: Depending on the specifics of the in -scope environment the CASA (if selected) and LANSA
deliverables may be combined into a single report. This allows the client to view all affected
systems for a given finding in one report rather than searching through multiple reports.
Scope: The LANSA will target the approximately 700 workstations. lllumant will report on a
representative sample of laptops and desktops, and report specifically on any vulnerable
outliers.
Web Application Security Assessment (WASA): The WASA includes credentialed and/or non-credentialed vulnerability assessment
and penetration testing of web-based and intranet applications to validate security and protection against outside attackers,
malware, lateral and vertical privilege escalation and account hijacking. Testing covers injection (URL, SQL, LDAP, cookie, etc.),
authentication, session management, cross-site scripting, object/function access control, data exposure, misconfigurations,
vulnerable components/frameworks/libraries, forged redirects/forwards, cookie security, hashing and more.
Notes: Testing assesses against the OWASP Top 10 and beyond to ensure baseline coverage and more. For production systems,
Illumant takes care not to run potentially destructive exploits.
Scope: The WASA will target 80 applications with and without credentials.
Social Engineering, Physical Option (Tailgating): Gaining access to facilities may be the easiest way to gain access to an
organization's networks and information. The physical testing option for social engineering enhances the social engineering
exercise to test physical security and employee awareness of physical social engineering threats.
For the tailgating portion of Social Engineering, Illumant will try to gain access to facilities by tailgating, impersonation, or simply
by slipping past security or through unlocked or unattended entries. This exercise will help organizations adjust their physical
security and awareness programs to further protect sensitive information.
Scope: Illumant will target 1 location.
Risk Assessment (RA): The risk assessment is a top-down analysis of an organization's security posture. Leveraging vulnerability
data and security information gathered through other assessment components, along with data collected through targeted
questionnaires and interviews, Illumant performs a quantitative and qualitative risk analysis to determine the top threats to
information security, the biggest vulnerabilities, and the largest opportunities for risk reduction through cost-benefit analysis.
Illumant uses a proprietary risk evaluation model that provides the basis for a report which describes key assets, threats and
vulnerabilities, and recommendations for risk mitigation. The model can be used for scenario planning and to revalidate the
organization's security posture after risk mitigation activities.
The risk assessment adds an important strategic level of analysis to security planning and helps to align security goals with overall
organizational objectives. This global context is something lacking in most of our competitors' offerings.
Scope: Illumant will conduct up to 3 interviews for this analysis.
After completion of the assessment and analysis, a report will be prepared that contains summary information, graphical
data, and detailed technical analysis along with action items to facilitate remediation. Before any final deliverables are
submitted, Illumant will engage key Newport Beach team members to review draft reports, to discuss results, and to
incorporate relevant feedback and context into the report. This hands-on process will allow the organization to derive the
maximum value from the assessment and associated report and ensures that all concerns are addressed appropriately.
Methodology
This section presents in more detail the methodology we employ for each of our services. Additionally, it lists the
information and access we will need to be able to effectively perform the work.
Perimeter Security Assessment (PSA)
Description
External vulnerability assessment, manual validation and penetration testing of Internet-facing networks, systems, sites and
applications (aka the hacker's perspective). Includes identification, manual validation and benign exploitation of vulnerabilities, along
with actionable remediation recommendations for improved security.
Highlights
• Scanning to create a baseline of vulnerabilities and security risks
• Testing can be performed overtly or covertly (with or without informing IT and security personnel)
• Best-of-breed open source and commercial vulnerability harvesting tools
o A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits of the strengths each tool provides
• Manual validation to eliminate false positives, confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry
• Retesting (within 6 months of initial test)
Targets
• Internet-facing networks, systems, applications, services, ports, protocols:
• Websites
• Web applications (non-credentialed testing)
o For credentialed testing see Web Application Security Assessment (WASA)
• Servers
• VPNs
• Firewalls
• Border routers
• Internet-facing services (FTP, Telnet, SSH, and many more)
• 100,000+ known vulnerabilities, client-specific vulnerabilities in custom applications, configurations and software
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
• Testing can be performed with or without informing other IT or security personnel (overtly or covertly) to test response
protocols and readiness.
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications,
systems, versions, and OS guesses
• Manual review of IPs, ports, and URLs to refine information about in-scope target systems including function, manufacturer, OS,
applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source
tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations
of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and
commercially maintained vulnerability databases
Manual validation and manual testing:
• Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom
configuration, custom designs, custom applications, and use of purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are
non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom or off-the-shelf
applications
Findings:
• PSA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF
injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object
references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing
patches, vulnerable versions and many more
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
• Ratings are benchmarked against thousands of previous assessments.
Vulnerability Databases
Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP
Tools
Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite, Nikto
Notes
A retest is provided within 6 months of the initial test to assist with validation of remediation efforts.
Internet-facing web applications are tested as part of this test without credentials. For full credentialed application testing (gray box
testing), see the Web Application Security Assessment (WASA).
Critical Asset Security Assessment (CASA)
Description
Internal, unfiltered vulnerability analysis and penetration testing of mission-critical applications, systems and networks for validation of
layered security and defense in depth.
Highlights
• Scanning to create a baseline of vulnerabilities and security risks
• Best-of-breed open source and commercial vulnerability harvesting tools
o A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits of the strengths each tool provides
• Manual validation to eliminate false positives, confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry
Targets
• Internal networks, systems, applications, services, ports, protocols:
• Web sites
• Web applications (non-credentialed testing)
o For credentialed testing see Web Application Security Assessment (WASA)
• Servers
• VPNs
• Firewalls
• Border routers
• 100,000+ known vulnerabilities, unique vulnerabilities from custom designs, configurations and software
Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications,
systems, versions, and OS guesses
• Manual review of IPs, ports, and URLs to refine information about in-scope target systems including function, manufacturer, OS,
applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target networks, systems and applications using best-of-breed commercial and open-source
tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations
of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and
commercially maintained vulnerability databases
Manual validation and manual testing:
• Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom
configuration, custom designs, custom applications, and use of purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are
non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom or off-the-shelf
applications
Findings:
• CASA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF
injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object
references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing
patches, vulnerable versions and many more
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Vulnerability Databases
Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP
Tools
Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite
Notes
Testing for the CASA is performed without credentials to test susceptibility to attack propagation by outside attackers, or insiders with
lower privileges or without authorization. For credentialed testing of applications see our WASA (Web applications). For credentialed
testing of other critical assets see our platform -specific reviews, e.g.: MSSA (Microsoft servers), NixSA (UNIX/Linux servers), ADSA
(Active Directory), etc. For credentialed testing of the user computing environment, see our LAN Security Assessment (LANSA). These
other credentialed tests include full reporting on patch levels.
LAN Security Assessment (LANSA)
Description
Internal, unfiltered vulnerability analysis and penetration testing of desktops, laptops and other LAN-based systems for validation of
end-user computing system security.
Highlights
• Scanning to create a baseline of vulnerabilities and security risks
• Best-of-breed open source and commercial vulnerability harvesting tools
o A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits of the strengths each tool provides
• Manual validation to eliminate false positives, confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry
Targets
• LANs, desktops, workstations, laptops, printers, LAN devices, applications, services, ports, protocols from within firewall boundaries (unfiltered analysis):
o Desktops
o Workstations
o Laptops
o LAN servers
o Switches
o Printers
o Other LAN devices
• 100,000+ known vulnerabilities, unique vulnerabilities from custom designs, configurations and software
Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications,
systems, versions, and OS guesses
• Manual review of IPs, ports, URLs, to refine information about in scope target systems including function, manufacturer, OS,
applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source
tools and scripts
• Credentialed testing of desktops, laptops and work stations to validate OS and application versions, and missing patches.
• Multiple tools are used to provide the widest possible initial baseline for additional analysis
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and
commercially maintained vulnerability databases
• End-user system vulnerabilities include: Default credentials, malware sweeps, security misconfiguration, sensitive data
exposure, backdoors, trojans, viruses, vulnerable applications, out-of-date OSs, missing patches, and many more.
• For LAN servers and other devices, vulnerabilities tested may also include: CGI abuses, buffer overflows, default credentials, SQL
injection, URL injection, CSRF injection, directory traversal, AJAX vulnerabilities, insecure direct object references, missing
function level access control, etc.
Manual validation and manual testing:
• Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners due to custom configuration,
custom designs and custom applications using purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are
non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom or off-the-shelf
applications
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Vulnerability Databases
Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP
Tools
Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider
Notes
LAN-based systems may be numerous. Illumant specifies vulnerabilities that affect all or most systems, and calls out exceptionally
vulnerable outliers, as well.
Testing of end-user systems is performed with credentials to evaluate the security within the end-user's context including patch levels,
vulnerable applications and out-of-date OSs.
Web Application Security Assessment (WASA)
Description
Credentialed and non-credentialed vulnerability assessment and penetration testing of web-based and intranet applications to validate
security and protection against outside attackers, malware, privilege escalation and account hijacking.
Highlights
• Web service/application testing
• With and/or without credentials
• Testing with a cross section of best-of-breed tools
• Manual validation and penetration testing using expert, state-of-the-art techniques and methodologies
• Vulnerability targets:
o Logic flaws
o Lateral and vertical privilege escalation
o Injection (SQL, LDAP, URL, ...)
o Authentication
o Session management (Session Hijacking)
o XSS/CSRF
o Misconfigurations
o Vulnerable components
o Forged forwards and redirects
o Malware
o and more
• Test against OWASP Top 10
• Remediation recommendations
Targets
• Web applications
o Users from all permissions categories
o Registration processes
o Login pages
o All links/URLs
o All input fields
o All application workflows
• Privileged objects and functionality
Methodology
Scoping:
• Client provides in-scope target applications/URLs
• Testing may be performed on production systems, or in a sandbox/development environment
• For production systems, testing is performed outside of peak hours and tests are limited to non-destructive testing
• Credentials/test accounts to be provided if credentialed testing is required. Accounts should represent a sample of all user
account/permissions types/privilege levels.
Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target applications using best-of-breed commercial and open-source application security
analysis tools
• Multiple tools are used to provide a maximally broad initial baseline for subsequent analysis
• Vulnerabilities identified in the following areas: Injection, authentication, session management, XSS/CSRF, misconfigurations,
vulnerable components, forged forwards and redirects
• Automated testing performed with and without credentials to baseline public- and private-side app functionality. Tests for
unauthorized access, lateral and vertical privilege escalation, session hijacking and lateral account traversal
Manual validation and manual testing:
• Manual validation of results of automated testing to discard false positives and test the severity of confirmed vulnerabilities.
• For confirmed vulnerabilities, Illumant runs known and custom designed exploits and attempts to propagate attacks to retrieve
sensitive information or verify possibility of pivoting to other targets
• Illumant follows a separate, thorough manual testing plan to test each application for vulnerabilities. This step is performed to
uncover vulnerabilities missed by automated tools. This happens frequently, particularly with custom or internally developed
• Illumant's manual testing plan draws from best -practices standards (e.g. OWASP) as well as years of experience.
• Manual testing includes walkthrough of all workflows, including registration and login, and other application specific workflows
• All links, URLs, input fields are tested for logic flaws that could expose sensitive information, or allow for lateral or vertical
escalation of privileges.
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Standards
OWASP, WAHH
Tools
Scanner, ZAP, Nikto, NeXpose, Metasploit, internal tools
Notes
Testing assesses against OWASP Top 10 and beyond to ensure baseline coverage and more. For production systems, Illumant takes
care not to run potentially destructive exploits.
Social Engineering
Description
Beyond just phishing, targets the human element through multiple attack vectors to test the awareness of users to potential security
threats, by performing simulated phishing, planted media, pretext calling, and social networking attacks.
Highlights
• Social engineering
• Simulated attacks
• Phishing
• Planted media (mail, USB drops, etc.)
• Pretext calling
• Social networking
• Tailgating (optional)
• Security awareness
• Comparison to baseline of similar organizations
Targets
• Employees
• Users
• Managers
• Departments (HR, finance, administration, customer service/support, engineering, ...)
• Knowledgeability about security
• Awareness of security threats
Methodology
Scoping:
• Illumant gathers a preliminary target list through blind enumeration on the Internet (demonstrates exposure to targeted phishing)
• Illumant provides simulated attack vector scenarios with assigned targets for final review
• Client vets the target list to remove sensitive personnel, and supplies additional targets as desired. Client approves simulated attack
vectors
Testing:
• Illumant runs simulated attack vectors against targets per the scoping phase above
• Full response data is collected including which targets responded and all sensitive data and access that was provided as a result
Simulated attack vectors
• Phishing
o An email is sent which is intended to deceive the target by coaxing them into following a link or opening an attachment.
The link may lead to a fake page that looks legitimate which prompts the target to provide sensitive info (e.g. credentials),
or may launch benign malware to simulate how an infection might be spread. Similarly an attachment when opened may
deliver this benign malware as well.
o Examples: Fake IT person sends link to fake webmail site to gather username/password, fake internship seeker sends
resume which launches benign malware
• Pretext Calling
o A phone call is placed to a target. The call script is designed to emulate a real scenario, for instance to impersonate a real
caller/client, or otherwise create a compelling reason for the target to divulge sensitive info, including client data,
passwords, or other sensitive info.
o Examples: Fake client asking for info, fake IT person asking for system/password info, fake vendor asking for sensitive info
• Social Networking
o A profile for a user is created on a social network (e.g. LinkedIn) that purports that the user belongs to the target
company or a vendor of the target company. The fake profile asks for connections to the target company and then sends
a message requesting info or requesting that they follow a link which acts like the phishing attack above
o Examples: Fake IT manager profile for target company asks users to log into a fake test site to gather usernames and
passwords, fake vendor profile asks for target to share info about phone or IT systems
• Planted Media
o CDs or USBs are planted or emailed to the employees at the target company enticing the user to insert/open the media
and files within. When opened, malware is launched which provides access to the employee's computer.
o Examples: USB in parking lot contains fake salary info and when opened launches malware, CD in mail contains regulatory
info for review and when opened launches malware
• Physical Security / Tailgating (optional)
o Facilities and properties are visited
o Attempts are made to tailgate into offices and sensitive areas
o Impersonation of delivery personnel or visitors, contractors, etc. is used to attempt to gain unauthorized access
o Attempts are made to identify / access unlocked or unsupervised entries
Reporting:
• All responses to simulated attacks are tracked, including each target's responses, the information divulged, or the level of access
provided
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Tools
Call scripts, phishing templates, pseudo-malware (non-destructive, memory-only script that simulates malware and informs Illumant
when documents are opened).
Notes
An organization may wish to test all employees or a representative sample
Risk Assessment (RA)
Description
Combination of qualitative and quantitative analysis to determine the top threats to information security, biggest vulnerabilities, and
largest opportunities for risk reduction through cost-benefit analysis.
Highlights
• Top-down risk assessment
• Inventory of critical assets
• Identification and severity of vulnerabilities
• Enumeration of threats
• Calculation of risk
• Risk factors
o Confidentiality
o Integrity
o Availability
• Cost-benefit analysis of risk remediation efforts
Targets
• Sensitive data
o Customer data
o ePHI
o Financial info
o SSNs
o CCNs
• Critical systems
o Servers
o Applications
o Databases
o Laptops
o Desktops
o USBs, DVDs, etc.
Methodology
Data gathering:
• Client provides relevant compliance requirements along with time slots for interviews and all relevant documentation
• Illumant interviews IT personnel and risk assessment stakeholders about:
o Assets: Illumant identifies the sensitive data at the organization including ePHI, CCNs, SSNs, customer data, financial
information, IP to learn where it resides, how it is received and transmitted, how it is processed, and which systems are
involved
o Controls/vulnerabilities: Controls are discussed in terms of which are in place, how mature they are, and which control
gaps exist (vulnerabilities)
Analysis:
• Identify and Document Potential Threats and Vulnerabilities
As part of the risk assessment process, organizations must identify and document reasonably anticipated threats to sensitive
data. Illumant risk assessment methodology includes a threat model that includes the following:
o Natural threats such as floods, earthquakes, tornadoes, and landslides.
o Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based
attacks, malicious software upload, and unauthorized access to sensitive data) or unintentional (e.g., inadvertent data
entry or deletion and inaccurate data entry) actions.
o Environmental threats such as power failures, pollution, chemicals, and liquid leakage.
Illumant will review these threats with the organization in the context of their assets and infrastructure to determine the extent
to which the organization could be subject to impact by these threats.
As part of Illumant's model, we have identified vulnerabilities that could be triggered or exploited by the threats above to create
a risk of inappropriate access to or disclosure of sensitive data. Illumant will explore the presence of these vulnerabilities with
the organization to determine how threats to sensitive data are augmented by any vulnerabilities that have been identified at
the organization.
• Assess Current Security Measures
Illumant will perform an evaluation of the security measures addressed/implemented at the organization that may help to
reduce risk to inappropriate disclosure of sensitive data.
• Determine the Likelihood of Threat Occurrence
Based on the evaluation of threats coupled with vulnerability information and security measures, Illumant's security model
provides data for analysis of the likelihood of threat occurrence for each threat identified. Quantitative risk assessment
techniques are used in the model, and every threat/vulnerability pair is considered and ranked from most to least likely.
• Determine the Potential Impact of Threat Occurrence
Using the likelihood information generated above, and the inventory of sensitive data assets gathered in the first phase, Illumant
will generate an analysis of the potential impact on the organization of each possible threat/vulnerability/asset triplet from a
criticality standpoint.
For instance, a high-likelihood threat triggering or exploiting an existing vulnerability that is unmitigated by existing security
measures, and targeting a system with a high concentration of sensitive data, would be considered extremely critical, whereas
if the threat or risk were mitigated by the presence of security measures, this would lower the criticality rating of the impact of
the threat.
• Determine the Level of Risk
By comparing and aggregating the impacts of threat occurrence above, our model provides an overall risk analysis for the entity
in terms of criticality.
• Most importantly, however, this analysis provides a list of corrective, or risk mitigating actions that can be taken to reduce risk.
These corrective actions are prioritized by cost-benefit to describe which actions provide the maximum risk mitigation relative to
the effort or cost.
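The analysis steps above (ranking threat/vulnerability pairs by likelihood, rating each threat/vulnerability/asset triplet by criticality with existing security measures reducing it, aggregating to an overall risk figure, and ranking corrective actions by risk reduction per unit cost) can be illustrated with a small quantitative model. The Python below is an added example written for this page; it is not Illumant's proprietary model, and every asset, threat, control and number in it is constructed.

```python
from dataclasses import dataclass, replace
from itertools import product

# Illustrative model only (not Illumant's); all inventory data below is constructed.

@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int          # 1 (little sensitive data) .. 5 (high concentration, e.g. SSNs/ePHI)

@dataclass(frozen=True)
class Threat:
    name: str
    category: str             # "natural", "human" or "environmental", as in the threat model above
    base_likelihood: float    # constructed annual probability, 0..1

@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitability: float     # 0..1, how readily a matching threat can trigger it
    exploited_by: frozenset   # names of threats that can trigger/exploit it
    affects: frozenset        # names of assets exposed through it

@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset      # names of vulnerabilities it addresses
    effectiveness: float      # 0..1 fraction of risk removed when in place
    cost: float               # relative effort/cost of implementing it
    in_place: bool = False

def pair_likelihood(threat, vuln):
    """Likelihood of a threat/vulnerability pair: threat frequency scaled by exploitability."""
    if threat.name not in vuln.exploited_by:
        return 0.0
    return threat.base_likelihood * vuln.exploitability

def mitigation_factor(vuln, controls):
    """Residual fraction of risk left after every in-place control that covers this vulnerability."""
    factor = 1.0
    for c in controls:
        if c.in_place and vuln.name in c.mitigates:
            factor *= 1.0 - c.effectiveness
    return factor

def triplet_impact(threat, vuln, asset, controls):
    """Criticality of one threat/vulnerability/asset triplet: likelihood x sensitivity x residual."""
    if asset.name not in vuln.affects:
        return 0.0
    return pair_likelihood(threat, vuln) * asset.sensitivity * mitigation_factor(vuln, controls)

def rank_pairs(threats, vulns):
    """Threat/vulnerability pairs ranked from most to least likely."""
    pairs = [(t.name, v.name, pair_likelihood(t, v)) for t in threats for v in vulns]
    return sorted((p for p in pairs if p[2] > 0), key=lambda p: p[2], reverse=True)

def total_risk(threats, vulns, assets, controls):
    """Aggregate risk for the entity: the sum of all triplet criticalities."""
    return sum(triplet_impact(t, v, a, controls) for t, v, a in product(threats, vulns, assets))

def prioritize_actions(threats, vulns, assets, controls):
    """Corrective actions not yet in place, ranked by risk reduction per unit cost."""
    baseline = total_risk(threats, vulns, assets, controls)
    ranked = []
    for candidate in controls:
        if candidate.in_place:
            continue
        trial = [replace(c, in_place=True) if c is candidate else c for c in controls]
        reduction = baseline - total_risk(threats, vulns, assets, trial)
        ranked.append((candidate.name, reduction, reduction / candidate.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample inventory: two assets, three threats, two control gaps, three candidate controls.
ASSETS = [Asset("HR database", 5), Asset("Public web server", 1)]
THREATS = [
    Threat("External attacker", "human", 0.8),
    Threat("Flood", "natural", 0.05),
    Threat("Power failure", "environmental", 0.3),
]
VULNS = [
    Vulnerability("Missing patches", 0.6, frozenset({"External attacker"}),
                  frozenset({"HR database", "Public web server"})),
    Vulnerability("No offsite backup", 1.0, frozenset({"Flood", "Power failure"}),
                  frozenset({"HR database"})),
]
CONTROLS = [
    Control("Border firewall", frozenset({"Missing patches"}), 0.5, 1.0, in_place=True),
    Control("Patch management", frozenset({"Missing patches"}), 0.8, 2.0),
    Control("Offsite backups", frozenset({"No offsite backup"}), 0.9, 1.0),
]

def run_example():
    """Run the whole analysis over the constructed inventory and return the three outputs."""
    return {
        "pairs": rank_pairs(THREATS, VULNS),
        "baseline": total_risk(THREATS, VULNS, ASSETS, CONTROLS),
        "actions": prioritize_actions(THREATS, VULNS, ASSETS, CONTROLS),
    }

if __name__ == "__main__":
    for name, reduction, ratio in run_example()["actions"]:
        print(f"{name}: risk reduction {reduction:.3f}, {ratio:.3f} per unit cost")
```

With this inventory the backup control ranks first even though patching removes a larger share of its own vulnerability, because it costs half as much and the backup gap exposes the most sensitive asset to two threats.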
Reporting:
• The findings of the risk assessment, including the details of the inputs, outputs and analysis of each step above will be
documented in a final report.
• A summary section at the beginning of the report provides a management-consumable analysis of our findings and highlights
any issues identified during the process of risk analysis.
• The report includes specific remediation recommendations prioritized by cost-benefit.
Tools
Proprietary analytical risk assessment model and questionnaires
Notes
While the Risk Assessment can be performed entirely independently, it also complements technical and other organizational
assessments by refining the analysis with findings from other reports.
Reports
The findings are compiled into confidential reports with both executive and technical summaries, as well as comprehensive
actionable recommendations. In addition, we provide full technical details concerning vulnerabilities and other findings.
Remediation advice is presented for the vulnerabilities that are uncovered. An "Action Items" list is generated and
additional recommendations for enhancing security and efficiency are presented.
Illumant's security team will formally present the highlights of the report to Newport Beach. The presentation will contain
both an executive-level overview and technical details of the state of the organization's networks. The meeting or
conference call will provide an opportunity to discuss the findings in detail, as well as to discuss remediation options with
Illumant's expert security analysts.
EXHIBIT B
SCHEDULE OF BILLING RATES
Illumant, LLC Page B-1
Professional Fees and Billing
Our fees are based on our consultants' level of experience and skill and the time and effort required to complete the
assessment. The following section shows our rates for each project component. These rates exclude travel and out-of-
pocket expenses.
All services are offered a la carte.
Core Services and Fees

Perimeter Security Assessment (PSA): up to 54 externally accessible systems. $9,000
Critical Asset Security Assessment (CASA): up to 350 servers and infrastructure devices. $15,000
LAN Security Assessment (LANSA): up to 700 workstations (reporting on representative units and outliers). $9,500
Web Application Security Assessment (WASA), 80-hour timebox: critical applications (tested with and without credentials). $12,500
Social Engineering, Physical Option (Tailgating): up to 1 target facility. $3,000
Risk Assessment (RA): interviews with up to 3 IT personnel, plus questionnaire. $7,700
Discount: -$6,700
Total: $50,000
Free differential assessments are provided (for PSAs only) within 6 months of each initial assessment. This acts as a follow
up to validate remediation efforts. Any new vulnerabilities detected during the differential assessment will also be
reported.
Payment Terms
For fixed fee engagements:
A 30% retainer fee is due at the start of the engagement. A milestone payment of 50% is due upon completion of draft
results. The remaining 20% is due upon delivery of the final reports. With the exception of the retainer, payments are due
Net 10 days from the invoice date. Fees do not include travel and expenses.
For hourly services:
Fees will be billed bi-weekly on a time and materials basis; payments are due Net 10 days from the invoice date. Fees do
not include travel and expenses.
EXHIBIT C
INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES
1. Provision of Insurance. Without limiting Consultant's indemnification of City, and
prior to commencement of Work, Consultant shall obtain, provide and maintain at
its own expense during the term of this Agreement, policies of insurance of the
type and amounts described below and in a form satisfactory to City. Consultant
agrees to provide insurance in accordance with requirements set forth here. If
Consultant uses existing coverage to comply and that coverage does not meet
these requirements, Consultant agrees to amend, supplement or endorse the
existing coverage.
2. Acceptable Insurers. All insurance policies shall be issued by an insurance
company currently authorized by the Insurance Commissioner to transact
business of insurance in the State of California, with an assigned policyholders'
Rating of A- (or higher) and Financial Size Category Class VII (or larger) in
accordance with the latest edition of Best's Key Rating Guide, unless otherwise
approved by the City's Risk Manager.
3. Coverage Requirements
A. Workers' Compensation Insurance. Consultant shall maintain Workers'
Compensation Insurance, statutory limits, and Employer's Liability
Insurance with limits of at least one million dollars ($1,000,000) each
accident for bodily injury by accident and each employee for bodily injury
by disease in accordance with the laws of the State of California, Section
3700 of the Labor Code.
Consultant shall submit to City, along with the certificate of insurance, a
Waiver of Subrogation endorsement in favor of City, its City Council,
boards and commissions, officers, agents, volunteers and employees.
B. General Liability Insurance. Consultant shall maintain commercial general
liability insurance, and if necessary umbrella liability insurance, with
coverage at least as broad as provided by Insurance Services Office form
CG 00 01, in an amount not less than one million dollars ($1,000,000) per
occurrence, two million dollars ($2,000,000) general aggregate. The
policy shall cover liability arising from premises, operations, personal and
advertising injury, and liability assumed under an insured contract
(including the tort liability of another assumed in a business contract).
C. Automobile Liability Insurance. Consultant shall maintain automobile
insurance at least as broad as Insurance Services Office form CA 00 01
covering bodily injury and property damage for all activities of Consultant
arising out of or in connection with Work to be performed under this
Agreement, including coverage for any owned, hired, non-owned or rented
vehicles, in an amount not less than one million dollars ($1,000,000)
combined single limit each accident.
D. Professional Liability (Errors & Omissions) Insurance. Consultant shall
maintain professional liability insurance that covers the Services to be
performed in connection with this Agreement, in the minimum amount of
one million dollars ($1,000,000) per claim and two million dollars
($2,000,000) in the aggregate. Any policy inception date, continuity date,
or retroactive date must be before the Effective Date of this Agreement
and Consultant agrees to maintain continuous coverage through a period
no less than three years after completion of the Services required by this
Agreement.
4. Other Insurance Requirements. The policies are to contain, or be endorsed to
contain, the following provisions:
A. Waiver of Subrogation. All insurance coverage maintained or procured
pursuant to this Agreement shall be endorsed to waive subrogation
against City, its City Council, boards and commissions, officers, agents,
volunteers and employees or shall specifically allow Consultant or others
providing insurance evidence in compliance with these requirements to
waive their right of recovery prior to a loss. Consultant hereby waives its
own right of recovery against City, and shall require similar written express
waivers from each of its subconsultants.
B. Additional Insured Status. All liability policies including general liability,
excess liability, pollution liability, and automobile liability, if required, but
not including professional liability, shall provide or be endorsed to provide
that City, its City Council, boards and commissions, officers, agents,
volunteers and employees shall be included as insureds under such
policies.
C. Primary and Non-Contributory. All liability coverage shall apply on a
primary basis and shall not require contribution from any insurance or self-
insurance maintained by City.
D. Notice of Cancellation. All policies shall provide City with thirty (30)
calendar days' notice of cancellation (except for nonpayment for which ten
(10) calendar days' notice is required) or nonrenewal of coverage for each
required coverage.
5. Additional Agreements Between the Parties. The parties hereby agree to the
following:
A. Evidence of Insurance. Consultant shall provide certificates of insurance
to City as evidence of the insurance coverage required herein, along with
a waiver of subrogation endorsement for workers' compensation and other
endorsements as specified herein for each coverage. Insurance
certificates and endorsement must be approved by City's Risk Manager
prior to commencement of performance. Current certification of insurance
shall be kept on file with City at all times during the term of this
Agreement. City reserves the right to require complete, certified copies of
all required insurance policies, at any time.
B. City's Right to Revise Requirements. City reserves the right at any time
during the term of the Agreement to change the amounts and types of
insurance required by giving Consultant sixty (60) calendar days' advance
written notice of such change. If such change results in substantial
additional cost to Consultant, City and Consultant may renegotiate
Consultant's compensation.
C. Enforcement of Agreement Provisions. Consultant acknowledges and
agrees that any actual or alleged failure on the part of City to inform
Consultant of non-compliance with any requirement imposes no additional
obligations on City nor does it waive any rights hereunder.
D. Requirements not Limiting. Requirements of specific coverage features or
limits contained in this Section are not intended as a limitation on
coverage, limits or other requirements, or a waiver of any coverage
normally provided by any insurance. Specific reference to a given
coverage feature is for purposes of clarification only as it pertains to a
given issue and is not intended by any party or insured to be all inclusive,
or to the exclusion of other coverage, or a waiver of any type. If the
Consultant maintains higher limits than the minimums shown above, the
City requires and shall be entitled to coverage for higher limits maintained
by the Consultant. Any available insurance proceeds in excess of the
specified minimum limits of insurance and coverage shall be available to
the City.
E. Self-insured Retentions. Any self-insured retentions must be declared to
and approved by City. City reserves the right to require that self-insured
retentions be eliminated, lowered, or replaced by a deductible. Self-
insurance will not be considered to comply with these requirements unless
approved by City.
F. City Remedies for Non-Compliance. If Consultant or any subconsultant
fails to provide and maintain insurance as required herein, then City shall
have the right but not the obligation, to purchase such insurance, to
terminate this Agreement, or to suspend Consultant's right to proceed until
proper evidence of insurance is provided. Any amounts paid by City shall,
at City's sole option, be deducted from amounts payable to Consultant or
reimbursed by Consultant upon demand.
G. Timely Notice of Claims. Consultant shall give City prompt and timely
notice of claims made or suits instituted that arise out of or result from
Consultant's performance under this Agreement, and that involve or may
involve coverage under any of the required liability policies. City assumes
no obligation or liability by such notice, but has the right (but not the duty)
to monitor the handling of any such claim or claims if they are likely to
involve City.
H. Consultant's Insurance. Consultant shall also procure and maintain, at its
own cost and expense, any additional kinds of insurance, which in its own
judgment may be necessary for its proper protection and prosecution of
the Work.
CERTIFICATE OF INSURANCE
CHECKLIST
City of Newport Beach
This checklist is comprised of requirements as outlined by the City of Newport Beach. *
Date Received: 6/25/19 Dept./Contact Received From: Jennifer
Date Completed: 6/28/19 Sent to: Jennifer By: Jan
Company/Person required to have certificate: Illumant LLC
Type of contract: Other
I. GENERAL LIABILITY
EFFECTIVE/EXPIRATION DATE: 1/25/19 - 1/25/20
A. INSURANCE COMPANY: Sentinel Insurance Company
B. AM BEST RATING (A-: VII or greater): A+ / XV
C. ADMITTED COMPANY (Must be California admitted): Is company admitted in California? [x] Yes [ ] No
D. LIMITS (Must be $1M or greater): What is limit provided? $2M / $4M
E. ADDITIONAL INSURED ENDORSEMENT (please attach): [x] Yes [ ] No
F. PRODUCTS AND COMPLETED OPERATIONS (Must include): Is it included? (Completed operations status does not apply to Waste Haulers or Recreation.) [ ] Yes [ ] No
G. ADDITIONAL INSURED FOR PRODUCTS AND COMPLETED OPERATIONS ENDORSEMENT (Completed operations status does not apply to Waste Haulers.) [ ] Yes [ ] No
H. ADDITIONAL INSURED WORDING TO INCLUDE (The City, its officers, officials, employees and volunteers): Is it included? [x] Yes [ ] No
I. PRIMARY & NON-CONTRIBUTORY WORDING (Must be included): Is it included? [x] Yes [ ] No
J. CAUTION! (Confirm that loss or liability of the named insured is not limited solely by their negligence.) Does endorsement include "solely by negligence" wording? [ ] Yes [x] No
K. ELECTED SCMAF COVERAGE (RECREATION ONLY): [x] N/A [ ] Yes [ ] No
L. NOTICE OF CANCELLATION: [ ] N/A [x] Yes [ ] No

II. AUTOMOBILE LIABILITY
EFFECTIVE/EXPIRATION DATE: 1/25/19 - 1/25/20
A. INSURANCE COMPANY: Sentinel Insurance Company
B. AM BEST RATING (A-: VII or greater): A+ / XV
C. ADMITTED COMPANY (Must be California admitted): Is company admitted in California? [x] Yes [ ] No
D. LIMITS, if employees (Must be $1M min. BI & PD and $500,000 UM; $2M min. for Waste Haulers): What is limit provided? $2,000,000
E. LIMITS, waiver of auto insurance / proof of coverage (if individual): What is limit provided? N/A
F. ADDITIONAL INSURED WORDING: [ ] N/A [ ] Yes [ ] No
G. PRIMARY & NON-CONTRIBUTORY WORDING: [ ] N/A [ ] Yes [ ] No
H. HIRED AND NON-OWNED AUTO ONLY: [ ] N/A [x] Yes [ ] No
I. NOTICE OF CANCELLATION: [ ] N/A [x] Yes [ ] No

III. WORKERS' COMPENSATION
EFFECTIVE/EXPIRATION DATE: 12/15/18 - 12/15/19
A. INSURANCE COMPANY: Hartford Insurance Company of the Midwest
B. AM BEST RATING (A-: VII or greater): A+ / XV
C. ADMITTED COMPANY (Must be California admitted): [x] Yes [ ] No
D. WORKERS' COMPENSATION LIMIT: Statutory [x] Yes [ ] No
E. EMPLOYERS' LIABILITY LIMIT (Must be $1M or greater): $1,000,000
F. WAIVER OF SUBROGATION (To include): Is it included? [x] Yes [ ] No
G. SIGNED WORKERS' COMPENSATION EXEMPTION FORM: [x] N/A [ ] Yes [ ] No
H. NOTICE OF CANCELLATION: [ ] N/A [x] Yes [ ] No

ADDITIONAL COVERAGES THAT MAY BE REQUIRED
IV. PROFESSIONAL LIABILITY: 9/20/18 - 9/20/19, Beazley Insurance Company, rated A / XIII, admitted. Limits: $3M. [ ] N/A [x] Yes [ ] No
V. POLLUTION LIABILITY: [x] N/A [ ] Yes [ ] No
VI. BUILDERS RISK: [x] N/A [ ] Yes [ ] No

HAVE ALL ABOVE REQUIREMENTS BEEN MET? [x] Yes [ ] No
IF NO, WHICH ITEMS NEED TO BE COMPLETED?

Broker of record for the City of Newport Beach    Date: 6/28/19

RISK MANAGEMENT APPROVAL REQUIRED (Non-admitted carrier rated less than _; Self Insured Retention or Deductible greater than $_): [ ] N/A [ ] Yes [ ] No
Reason for Risk Management approval/exception/waiver:
Approved: ____________  Risk Management    Date
* Subject to the terms of the contract.