The URL can be used to link to this page

Home My WebLink AboutC-7700-1 - PSA for Information Security Assessment Servicesi 0 r PROFESSIONAL SERVICES AGREEMENT WITH ILLUMANT, LLC FOR INFORMATION SECURITY ASSESSMENT SERVICES THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement') is made and entered into as of this 1st day of July, 2019 ("Effective Date"), by and between the CITY OF NEWPORT BEACH, a California municipal corporation and charter city ("City"), and ILLUMANT, LLC, a California LLC ("Consultant'), whose address is 431 Florence Street, Suite 210, Palo Alto, California 94301, and is made with reference to the following: RECITALS A. City is a municipal corporation duly organized and validly existing under the laws of the State of California with the power to carry on its business as it is now being conducted under the statutes of the State of California and the Charter of City. B. City desires to engage Consultant to provide information security assessment services ("Project'). C. Consultant possesses the skill, experience, ability, background, certification and knowledge to provide the professional services described in this Agreement. D. City has solicited and received a proposal from Consultant, has reviewed the previous experience and evaluated the expertise of Consultant, and desires to retain Consultant to render professional services under the terms and conditions set forth in this Agreement. NOW, THEREFORE, it is mutually agreed by and between the undersigned parties as follows: 1. TERM The term of this Agreement shall commence on the Effective Date, and shall terminate on December 31, 2019, unless terminated earlier as set forth herein. 2. SERVICES TO BE PERFORMED Consultant shall diligently perform all the services described in the Scope of Services attached hereto as Exhibit A and incorporated herein by reference ("Services" or "Work"). City may elect to delete certain Services within the Scope of Services at its sole discretion. 3. TIME OF PERFORMANCE 3.1 Time is of the essence in the performance of Services under this Agreement and Consultant shall perform the Services in accordance with the schedule included in Exhibit A. In the absence of a specific schedule, the Services shall be performed to completion in a diligent and timely manner. The failure by Consultant to strictly adhere to the schedule set forth in Exhibit A, if any, or perform the Services in a diligent and timely manner may result in termination of this Agreement by City. 3.2 Notwithstanding the foregoing, Consultant shall not be responsible for delays due to causes beyond Consultant's reasonable control. However, in the case of any such delay in the Services to be provided for the Project, each party hereby agrees to provide notice within two (2) calendar days of the occurrence causing the delay to the other party so that all delays can be addressed. 3.3 Consultant shall submit all requests for extensions of time for performance in writing to the Project Administrator as defined herein not later than ten (10) calendar days after the start of the condition that purportedly causes a delay. The Project Administrator shall review all such requests and may grant reasonable time extensions for unforeseeable delays that are beyond Consultant's control. 3.4 For all time periods not specifically set forth herein, Consultant shall respond in the most expedient and appropriate manner under the circumstances, by hand -delivery or mail. 4. COMPENSATION TO CONSULTANT 4.1 City shall pay Consultant for the Services on a fixed fee not -to -exceed basis in accordance with the provisions of this Section and the Schedule of Billing Rates attached hereto as Exhibit B and incorporated herein by reference. Consultant's compensation for all Work performed in accordance with this Agreement, including all reimbursable items and subconsultant fees, shall not exceed Fifty Thousand Dollars and 00/100 ($50,000.00), without prior written authorization from City. No billing rate changes shall be made during the term of this Agreement without the prior written approval of City. 4.2 Consultant shall submit invoices to City upon completion of milestones as outlined in Exhibit B, describing the Work performed. Consultant's bills shall include the name of the person who performed the Work, a brief description of the specific task in the Scope of Services to which it relates, the date the Services were performed, the number of hours spent on all Work billed on an hourly basis, and a description of any reimbursable expenditures. City shall pay Consultant no later than thirty (30) calendar days after approval of the monthly invoice by City staff. 4.3 City shall reimburse Consultant only for those costs or expenses specifically identified in Exhibit B to this Agreement or specifically approved in writing in advance by City. 4.4 Consultant shall not receive any compensation for Extra Work performed without the prior written authorization of City. As used herein, "Extra Work" means any Work that is determined by City to be necessary for the proper completion of the Project, but which is not included within the Scope of Services and which the parties did not reasonably anticipate would be necessary at the execution of this Agreement. Illumant, LLC Page 2 Compensation for any authorized Extra Work shall be paid in accordance with the Schedule of Billing Rates as set forth in Exhibit B. 5. PROJECT MANAGER 5.1 Consultant shall designate a Project Manager, who shall coordinate all phases of the Project. This Project Manager shall be available to City at all reasonable times during the Agreement term. Consultant has designated Billens (Bill) Crow to be its Project Manager. Consultant shall not remove or reassign the Project Manager or any personnel listed in Exhibit A or assign any new or replacement personnel to the Project without the prior written consent of City. City's approval shall not be unreasonably withheld with respect to the removal or assignment of non -key personnel. 5.2 Consultant, at the sole discretion of City, shall remove from the Project any of its personnel assigned to the performance of Services upon written request of City. Consultant warrants that it will continuously furnish the necessary personnel to complete the Project on a timely basis as contemplated by this Agreement. 5.3 If Consultant is performing inspection services for City, the Project Manager and any other assigned staff shall be equipped with a cellular phone to communicate with City staff. The Project Manager's cellular phone number shall be provided to City. 6. ADMINISTRATION This Agreement will be administered by the City Manager's Office. City's Senior IT Analyst or designee shall be the Project Administrator and shall have the authority to act for City under this Agreement. The Project Administrator shall represent City in all matters pertaining to the Services to be rendered pursuant to this Agreement. 7. CITY'S RESPONSIBILITIES To assist Consultant in the execution of its responsibilities under this Agreement, City agrees to provide access to and upon request of Consultant, one copy of all existing relevant information on file at City. City will provide all such materials in a timely manner so as not to cause delays in Consultant's Work schedule. 8. STANDARD OF CARE 8.1 All of the Services shall be performed by Consultant or under Consultant's supervision. Consultant represents that it possesses the professional and technical personnel required to perform the Services required by this Agreement, and that it will perform all Services in a manner commensurate with community professional standards and with the ordinary degree of skill and care that would be used by other reasonably competent practitioners of the same discipline under similar circumstances. All Services shall be performed by qualified and experienced personnel who are not employed by City. By delivery of completed Work, Consultant certifies that the Work Illumant, LLC Page 3 conforms to the requirements of this Agreement, all applicable federal, state and local laws, and legally recognized professional standards. 8.2 Consultant represents and warrants to City that it has, shall obtain, and shall keep in full force and effect during the term hereof, at its sole cost and expense, all licenses, permits, qualifications, insurance and approvals of whatsoever nature that is legally required of Consultant to practice its profession. Consultant shall maintain a City of Newport Beach business license during the term of this Agreement. 8.3 Consultant shall not be responsible for delay, nor shall Consultant be responsible for damages or be in default or deemed to be in default by reason of strikes, lockouts, accidents, acts of God, or the failure of City to furnish timely information or to approve or disapprove Consultant's Work promptly, or delay or faulty performance by City, contractors, or governmental agencies. 9. HOLD HARMLESS 9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend and hold harmless City, its City Council, boards and commissions, officers, agents, volunteers and employees (collectively, the "Indemnified Parties') from and against any and all claims (including, without limitation, claims for bodily injury, death or damage to property), demands, obligations, damages, actions, causes of action, suits, losses, judgments, fines, penalties, liabilities, costs and expenses (including, without limitation, attorneys' fees, disbursements and court costs) of every kind and nature whatsoever (individually, a Claim; collectively, "Claims"), which may arise from or in any manner relate (directly or indirectly) to any breach of the terms and conditions of this Agreement, any Work performed or Services provided under this Agreement including, without limitation, defects in workmanship or materials or Consultant's presence or activities conducted on the Project (including the negligent, reckless, and/or willful acts, errors and/or omissions of Consultant, its principals, officers, agents, employees, vendors, suppliers, consultants, subcontractors, anyone employed directly or indirectly by any of them or for whose acts they may be liable, or any or all of them). 9.2 Notwithstanding the foregoing, nothing herein shall be construed to require Consultant to indemnify the Indemnified Parties from any Claim arising from the sole negligence or willful misconduct of the Indemnified Parties. Nothing in this indemnity shall be construed as authorizing any award of attorneys' fees in any action on or to enforce the terms of this Agreement. This indemnity shall apply to all claims and liability regardless of whether any insurance policies are applicable. The policy limits do not act as a limitation upon the amount of indemnification to be provided by Consultant. 10. INDEPENDENT CONTRACTOR It is understood that City retains Consultant on an independent contractor basis and Consultant is not an agent or employee of City. The manner and means of conducting the Work are under the control of Consultant, except to the extent they are Illumant, LLC Page 4 limited by statute, rule or regulation and the expressed terms of this Agreement. No civil service status or other right of employment shall accrue to Consultant or its employees. Nothing in this Agreement shall be deemed to constitute approval for Consultant or any of Consultant's employees or agents, to be the agents or employees of City. Consultant shall have the responsibility for and control over the means of performing the Work, provided that Consultant is in compliance with the terms of this Agreement. Anything in this Agreement that may appear to give City the right to direct Consultant as to the details of the performance of the Work or to exercise a measure of control over Consultant shall mean only that Consultant shall follow the desires of City with respect to the results of the Services. 11. COOPERATION Consultant agrees to work closely and cooperate fully with City's designated Project Administrator and any other agencies that may have jurisdiction or interest in the Work to be performed. City agrees to cooperate with the Consultant on the Project. 12. CITY POLICY Consultant shall discuss and review all matters relating to policy and Project direction with City's Project Administrator in advance of all critical decision points in order to ensure the Project proceeds in a manner consistent with City goals and policies. 13. PROGRESS Consultant is responsible for keeping the Project Administrator informed on a regular basis regarding the status and progress of the Project, activities performed and planned, and any meetings that have been scheduled or are desired. 14. INSURANCE Without limiting Consultant's indemnification of City, and prior to commencement of Work, Consultant shall obtain, provide and maintain at its own expense during the term of this Agreement or for other periods as specified in this Agreement, policies of insurance of the type, amounts, terms and conditions described in the Insurance Requirements attached hereto as Exhibit C, and incorporated herein by reference. 15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS Except as specifically authorized under this Agreement, the Services to be provided under this Agreement shall not be assigned, transferred contracted or subcontracted out without the prior written approval of City. Any of the following shall be construed as an assignment: The sale, assignment, transfer or other disposition of any of the issued and outstanding capital stock of Consultant, or of the interest of any general partner or joint venturer or syndicate member or cotenant if Consultant is a partnership or joint -venture or syndicate or co -tenancy, which shall result in changing the control of Consultant. Control means fifty percent (50%) or more of the voting Illumant, LLC Page 5 power or twenty-five percent (25%) or more of the assets of the corporation, partnership ori oint-venture. 16. SUBCONTRACTING The subcontractors authorized by City, if any, to perform Work on this Project are identified in Exhibit A. Consultant shall be fully responsible to City for all acts and omissions of any subcontractor. Nothing in this Agreement shall create any contractual relationship between City and any subcontractor nor shall it create any obligation on the part of City to pay or to see to the payment of any monies due to any such subcontractor other than as otherwise required by law. City is an intended beneficiary of any Work performed by the subcontractor for purposes of establishing a duty of care between the subcontractor and City. Except as specifically authorized herein, the Services to be provided under this Agreement shall not be otherwise assigned, transferred, contracted or subcontracted out without the prior written approval of City. 17. OWNERSHIP OF DOCUMENTS 17.1 Each and every report, draft, map, record, plan, document and other writing produced, including but not limited to, websites, blogs, social media accounts and applications (hereinafter "Documents"), prepared or caused to be prepared by Consultant, its officers, employees, agents and subcontractors, in the course of implementing this Agreement, shall become the exclusive property of City, and City shall have the sole right to use such materials in its discretion without further compensation to Consultant or any other party. Additionally, all material posted in cyberspace by Consultant, its officers, employees, agents and subcontractors, in the course of implementing this Agreement, shall become the exclusive property of City, and City shall have the sole right to use such materials in its discretion without further compensation to Consultant or any other party. Consultant shall, at Consultant's expense, provide such Documents, including all logins and password information to City upon prior written request. 17.2 Documents, including drawings and specifications, prepared by Consultant pursuant to this Agreement are not intended or represented to be suitable for reuse by City or others on any other project. Any use of completed Documents for other projects and any use of incomplete Documents without specific written authorization from Consultant will be at City's sole risk and without liability to Consultant. Further, any and all liability arising out of changes made to Consultant's deliverables under this Agreement by City or persons other than Consultant is waived against Consultant, and City assumes full responsibility for such changes unless City has given Consultant prior notice and has received from Consultant written consent for such changes. 17.3 All written documents shall be transmitted to City in formats compatible with Microsoft Office and/or viewable with Adobe Acrobat. Illumant, LLC Page 6 18. CONFIDENTIALITY All Documents, including drafts, preliminary drawings or plans, notes and communications that result from the Services in this Agreement, shall be kept confidential unless City expressly authorizes in writing the release of information. 19. INTELLECTUAL PROPERTY INDEMNITY Consultant shall defend and indemnify City, its agents, officers, representatives and employees against any and all liability, including costs, for infringement or alleged infringement of any United States' letters patent, trademark, or copyright, including costs, contained in Consultant's Documents provided under this Agreement. 20. RECORDS Consultant shall keep records and invoices in connection with the Services to be performed under this Agreement. Consultant shall maintain complete and accurate records with respect to the costs incurred under this Agreement and any Services, expenditures and disbursements charged to City, for a minimum period of three (3) years, or for any longer period required by law, from the date of final payment to Consultant under this Agreement. All such records and invoices shall be clearly identifiable. Consultant shall allow a representative of City to examine, audit and make transcripts or copies of such records and invoices during regular business hours. Consultant shall allow inspection of all Work, data, Documents, proceedings and activities related to the Agreement for a period of three (3) years from the date of final payment to Consultant under this Agreement. 21. WITHHOLDINGS City may withhold payment to Consultant of any disputed sums until satisfaction of the dispute with respect to such payment. Such withholding shall not be deemed to constitute a failure to pay according to the terms of this Agreement. Consultant shall not discontinue Work as a result of such withholding. Consultant shall have an immediate right to appeal to the City Manager or designee with respect to such disputed sums. Consultant shall be entitled to receive interest on any withheld sums at the rate of return that City earned on its investments during the time period, from the date of withholding of any amounts found to have been improperly withheld. 22. ERRORS AND OMISSIONS In the event of errors or omissions that are due to the negligence or professional inexperience of Consultant which result in expense to City greater than what would have resulted if there were not errors or omissions in the Work accomplished by Consultant, the additional design, construction and/or restoration expense shall be borne by Consultant. Nothing in this Section is intended to limit City's rights under the law or any other sections of this Agreement. Illumant, LLC Page 7 23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS City reserves the right to employ other Consultants in connection with the Project. 24. CONFLICTS OF INTEREST 24.1 Consultant or its employees may be subject to the provisions of the California Political Reform Act of 1974 (the "Act") and/or Government Code §§ 1090 et seq., which (1) require such persons to disclose any financial interest that may foreseeably be materially affected by the Work performed under this Agreement, and (2) prohibit such persons from making, or participating in making, decisions that will foreseeably financially affect such interest. 24.2 If subject to the Act and/or Government Code §§ 1090 et seg., Consultant shall conform to all requirements therein. Failure to do so constitutes a material breach and is grounds for immediate termination of this Agreement by City. Consultant shall indemnify and hold harmless City for any and all claims for damages resulting from Consultant's violation of this Section. 25. NOTICES 25.1 All notices, demands, requests or approvals, including any change in mailing address, to be given under the terms of this Agreement shall be given in writing, and conclusively shall be deemed served when delivered personally, or on the third business day after the deposit thereof in the United States mail, postage prepaid, first- class mail, addressed as hereinafter provided. 25.2 All notices, demands, requests or approvals from Consultant to City shall be addressed to City at: Attn: Senior Solutions Advisor City Manager's Office/IT City of Newport Beach 100 Civic Center Drive PO Box 1768 Newport Beach, CA 92658 25.3 All notices, demands, requests or approvals from City to Consultant shall be addressed to Consultant at: Attn: Billens Crow Illumant, LLC 431 Florence Street, Suite 210 Palo Alto, CA 94301 Illumant, LLC Page 8 26. CLAIMS Unless a shorter time is specified elsewhere in this Agreement, before making its final request for payment under this Agreement, Consultant shall submit to City, in writing, all claims for compensation under or arising out of this Agreement. Consultant's acceptance of the final payment shall constitute a waiver of all claims for compensation under or arising out of this Agreement except those previously made in writing and identified by Consultant in writing as unsettled at the time of its final request for payment. Consultant and City expressly agree that in addition to any claims filing requirements set forth in the Agreement, Consultant shall be required to file any claim Consultant may have against City in strict conformance with the Government Claims Act (Government Code sections 900 et seq.). 27. TERMINATION 27.1 In the event that either party fails or refuses to perform any of the provisions of this Agreement at the time and in the manner required, that party shall be deemed in default in the performance of this Agreement. If such default is not cured within a period of two (2) calendar days, or if more than two (2) calendar days are reasonably required to cure the default and the defaulting party fails to give adequate assurance of due performance within two (2) calendar days after receipt of written notice of default, specifying the nature of such default and the steps necessary to cure such default, and thereafter diligently take steps to cure the default, the non -defaulting party may terminate the Agreement forthwith by giving to the defaulting party written notice thereof. 27.2 Notwithstanding the above provisions, City shall have the right, at its sole and absolute discretion and without cause, of terminating this Agreement at any time by giving no less than seven (7) calendar days' prior written notice to Consultant. In the event of termination under this Section, City shall pay Consultant for Services satisfactorily performed and costs incurred up to the effective date of termination for which Consultant has not been previously paid. On the effective date of termination, Consultant shall deliver to City all reports, Documents and other information developed or accumulated in the performance of this Agreement, whether in draft or final form. 28. STANDARD PROVISIONS 28.1 Recitals. City and Consultant acknowledge that the above Recitals are true and correct and are hereby incorporated by reference into this Agreement. 28.2 Compliance with all Laws. Consultant shall, at its own cost and expense, comply with all statutes, ordinances, regulations and requirements of all governmental entities, including federal, state, county or municipal, whether now in force or hereinafter enacted. In addition, all Work prepared by Consultant shall conform to applicable City, county, state and federal laws, rules, regulations and permit requirements and be subject to approval of the Project Administrator and City. Illumant, LLC Page 9 28.3 Waiver. A waiver by either party of any breach, of any term, covenant or condition contained herein shall not be deemed to be a waiver of any subsequent breach of the same or any other term, covenant or condition contained herein, whether of the same or a different character. 28.4 Integrated Contract. This Agreement represents the full and complete understanding of every kind or nature whatsoever between the parties hereto, and all preliminary negotiations and agreements of whatsoever kind or nature are merged herein. No verbal agreement or implied covenant shall be held to vary the provisions herein. 28.5 Conflicts or Inconsistencies. In the event there are any conflicts or inconsistencies between this Agreement and the Scope of Services or any other attachments attached hereto, the terms of this Agreement shall govern. 28.6 Interpretation. The terms of this Agreement shall be construed in accordance with the meaning of the language used and shall not be construed for or against either party by reason of the authorship of the Agreement or any other rule of construction which might otherwise apply. 28.7 Amendments. This Agreement may be modified or amended only by a written document executed by both Consultant and City and approved as to form by the City Attorney. 28.8 Severability. If any term or portion of this Agreement is held to be invalid, illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement shall continue in full force and effect. 28.9 Controlling Law and Venue. The laws of the State of California shall govern this Agreement and all matters relating to it and any action brought relating to this Agreement shall be adjudicated in a court of competent jurisdiction in the County of Orange, State of California. 28.10 Equal Opportunity Employment. Consultant represents that it is an equal opportunity employer and it shall not discriminate against any subcontractor, employee or applicant for employment because race, religious creed, color, national origin, ancestry, physical handicap, medical condition, marital status, sex, sexual orientation, age or any other impermissible basis under law. 28.11 No Attorneys' Fees. In the event of any dispute or legal action arising under this Agreement, the prevailing party shall not be entitled to attorneys' fees. 28.12 Counterparts. This Agreement may be executed in two (2) or more counterparts, each of which shall be deemed an original and all of which together shall constitute one (1) and the same instrument. [SIGNATURES ON NEXT PAGE] Illumant, LLC Page 10 IN WITNESS WHEREOF, the parties have caused this Agreement to be executed on the dates written below. APPROVED AS TO FORM: CITY ATTORNEY'S OFFICE Date: 6/l9% Zo 11 By: lv, 'a.� Fob: Aaron C. Harp W •i9 d9 City Attorney ATTEST: Date: �.� • I jasz 1', Brown City Clerk CITY OF NEWPORT BEACH, a California municipal corporation Date: 12.101i 01 By: Grace K. Leung �— City Manager CONSULTANT: Illumant, LLC, a California LLC Date: 6/20/19 By _. Matija Siljak Manager Date: 6/20//19�7�/ By: G i�l Mark Snodgrass Manager [END OF SIGNATURES] Attachments: Exhibit A — Scope of Services Exhibit B — Schedule of Billing Rates Exhibit C — Insurance Requirements Illumant, LLC Page 11 EXHIBIT A SCOPE OF SERVICES Illumant, LLC Page A-1 Requested Services Our core services comprise a complete baseline analysis of all in -scope information assets, including full vulnerability assessment with manual validation and penetration testing. All services are offered a la carte. Newport Beach may elect to engage Illumant for some or all of the service components below as needed. Perimeter Security This assessment involves the enumeration of vulnerabilities and risks that are accessible from Assessment (PSA) the Internet —the "hacker's perspective" — and includes expert manual validation and penetration testing. Illumant starts by using a cross section of best -of -breed scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection. To the extent possible (without damaging systems or data) identified vulnerabilities are exploited to assess their real severity, the level of exposure they may allow, and the potential impact of a breach. Targets of this assessment include servers, applications (without credentials — see note), firewalls, routers, load balancers, VPNs, and any other perimeter or Internet -facing information assets. Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications, and data. As part of the PSA, penetration testing (without credentials) is performed on critical applications. The types of security issues identified during the PSA include SQL injection, URL injection, CSRF injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, insecure direct object references, security misconfigu rations, sensitive data exposure, missing function level access controls, buffer overflows, missing patches, vulnerable versions, insecure credentials, and many others. Goals for the exercise include unauthorized access and privilege escalation as well as an analysis of availability (DOS) risks. Note: For in-depth, credentialed and non -credentialed testing of applications see our Web Application Security Assessment — WASA. Scope: The PSA will target Newport Beach's approximately 54 externally addressable systems. Critical Asset Security This internal assessment involves the enumeration of vulnerabilities and risks that are Assessment (CASA) accessible from within the network perimeter, behind border firewalls. Similar to external assessments, like the PSA, Illumant starts by using scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection. To the extent possible (without damaging systems or data) identified vulnerabilities are exploited to assess their real severity, the level of exposure they offer, and the potential impact of a breach. Targets of this assessment include servers, applications, portals, routers, switches, and any other critical internal systems. Testing may include Internet -facing systems, but viewed internally without filtering by firewalls. Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications, and data and to repel internal threats and attack propagation. Note: Depending on the specifics of the in -scope environment, the CASA and LANSA (if selected) deliverables may be combined into a single report. This allows the client to view all affected systems for a given finding in one report rather than searching through multiple reports. Scope: The CASA will target up to 350 internal servers and infrastructure devices. LAN Security This internal assessment involves the enumeration of vulnerabilities and risks that are Assessment (LANSA) accessible from within the network perimeter, behind border firewalls, on end-user LANs. Similar to external assessments, like the PSA, Illumant starts by using scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection. To the extent possible (without damaging systems or data) identified vulnerabilities are exploited to assess their real severity, the level of exposure they offer, and the potential impact of a breach. Targets of this assessment include desktops, laptops, workstations, LAN servers, LAN switches, and LAN-based systems. Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications, and data and to repel internal threats and attack propagation. Notes: Testing of end-user systems is performed with credentials to evaluate the security within the end -user's context including patch -levels, vulnerable applications and out-of-date OSs. Note: Depending on the specifics of the in -scope environment the CASA (if selected) and LANSA deliverables may be combined into a single report. This allows the client to view all affected systems for a given finding in one report rather than searching through multiple reports. Scope: The LANSA will target the approximately 700 workstations. lllumant will report on a representative sample of laptops and desktops, and report specifically on any vulnerable outliers. Web Application The WASA includes credentialed and/or non -credentialed vulnerability assessment and Security Assessment penetration testing of web -based and intranet applications to validate security and protection (WASA) against outside attackers, malware, lateral and vertical privilege escalation and account hijacking. Testing covers injection (URL, SQL, LDAP, cookie etc.), authentication, session management, cross -site scripting, object/function access control, data exposure, misconfigu rations, vulnerable components/frameworks/libraries, forged redirect/forwards, cookie security, hashing and more. Notes: Testing assesses against OWASP Top 10 and beyond to ensure baseline coverage and more. For production systems, lllumant takes care not to run potentially destructive exploits. Scope: The WASA will target 80 applications with and without credentials. Social Engineering— Gaining access to facilities maybe the easiest way to gain access to an organization's networks Physical Option and information. The physical testing option for social engineering enhances the social (Tailgating) engineering exercise to test physical security and employee awareness of physical social engineering threats. For the tailgating portion of Social Engineering, Illumant will try to gain access to facilities by tailgating, impersonation, or simply by slipping past security or through unlocked or unattended entries. This exercise will help organizations adjust their physical security and awareness programs to further protect sensitive information Scope: Illumant will target 1 location. Risk Assessment (RA) The risk assessment is a top down analysis of an organization's security posture. Leveraging vulnerability data and security information gathered through other assessment components, along with data collected through targeted questionnaires and interviews, Illumant performs a quantitative and qualitative risk analysis to determine the top threats to information security, the biggest vulnerabilities, and the largest opportunities for risk reduction through cost -benefit analysis. Illumant uses a proprietary risk evaluation model that provides the basis for a report which describes key assets, threats and vulnerabilities, and recommendations for risk mitigation. The model can be used for scenario planning and to revalidate the organization's security posture after risk mitigation activities. The risk assessment adds an important strategic level of analysis to security planning, helps to align security goals with overall organizational objectives. This global context is something lacking in most of our competitor's offerings. Scope: Illumant will conduct up to 3 interviews far this analysis. After completion of the assessment and analysis, a report will be prepared that contains summary information, graphical data, and detailed technical analysis along with action items to facilitate remediation. Before any final deliverables are submitted Illumant will engage key Newport Beach team members to review draft reports and to discuss results and incorporate relevant feedback and context into the report. This hands-on process will allow the organization to derive the maximum value from the assessment and associated report and ensures that all concerns are addressed appropriately. Methodology This section presents in more detail the methodology we employ for each of our services. Additionally, it lists the information and access we will need to be able to effectively perform the work. Description External vulnerability assessment, manual validation and penetration testing of Internet facing networks, systems, sites and applications (aka the hacker's perspective). Includes identification, manual validation and benign exploitation of vulnerabilities, along with actionable remediation recommendations for improved security. Highlights • Scanning to create a baseline of vulnerabilities and security risks • Testing can be performed overtly or covertly (w or w/o informing IT and security personnel) • Best -of -breed open source and commercial vulnerability ha rvesting tools o A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits the strengths each tool provides • Manual validation to eliminate false positives, confirm findings • Manual testing to find additional vulnerabilities not found by scanning tools • Penetration testing through custom-designed and pre- existing exploits to test real severity 0 Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS) • Classification of severity of findings • Remediation recommendations • Benchmark analysis of results vs industry • Retesting (within 6 months of initial test) Targets • Internet -facing networks, systems, applications, services, ports, protocols: • Websites • Web applications (non -credentialed testing) o For credentialed testing see Web Application Security Assessment (WASA) • Servers • VPNs • Firewalls • Border routers • Internet -facing services (FTP, Telnet, SSH, and many more) • 100,000+ known vulnerabilities, client -specific vulnerabilities in custom applications, configurations and software Scoping: • Illumant provides scoping worksheets • Client provides in -scope target networks, system IPs, URLs • Testing can be information with or without informing other IT or security personnel (overtly or covertly) to test response protocols and readiness. Enumeration/Recon: 0 Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, • Manual review of IPs, ports, URLs, to refine information about in scope target systems including function, manufacturer, OS, applications, services, and their respective versions Vulnerability Analysis/Harvesting: • Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts • Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations of any single tool • 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and commercially maintained vulnerability databases Manual validation and manual testing: • Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives • Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom configuration, custom designs, custom applications, and use of purpose-built scripts Penetration testing and exploitation: • Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non- destructive (will not corrupt data or configurations, will not cause availability issues). • Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf applications Findings: • PSA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing patches, vulnerable versions and many more Reporting: • Findings are described in the report including full technical details of each vulnerability and exploit. • Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. • Ratings are benchmarked against thousands of previous assessments. Vulnerability Databases Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP Tools Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite, Nikto Notes A retest is provided with 6 months of the initial test to assist with validation of remediation efforts. Internet-facing web applications are tested as part of this test without credentials. For full credentialed application testing (gray box testing), see the Web Application Security Assessment (WASA). Description Internal, unfiltered vulnerability analysis and penetration testing of mission -critical applications, systems and networks for validation of layered -security and defense in depth. Highlights • Scanning to create a baseline of vulnerabilities and security risks • Best -of -breed open source and commercial vulnerability harvesting tools 0 A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits the strengths each tool provides • Manual validation to eliminate false positives, confirm findings • Manual testing to find additional vulnerabilities not found by scanning tools • Penetration testing through custom-designed and pre- existing exploits to test real severity o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS) • Classification of severity of findings • Remediation recommendations • Benchmark analysis of results vs industry Methodology Scoping: • Illumant provides scoping worksheets • Client provides in -scope target networks, system IPs, URLs Enumeration/Recon: Targets • Internal networks, systems, applications, services, ports, protocols: • Web sites • Web applications (non -credentialed testing) o For credentialed testing see Web Application Security Assessment (WASA) • Servers • VPNs • Firewalls • Border routers • 100,000+ known vulnerabilities, unique vulnerabilities from custom designs, configurations and software • Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses • Manual review of IPs, ports, and URLs to refine information about in scope target systems including function, manufacturer, OS, applications, services, and their respective versions Vulnerability Analysis/Harvesting: • Automated scanning of in scope target networks, systems and applications using best -of -breed commercial and open -source tools and scripts • Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations of any single tool • 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and commercially maintained vulnerability databases Manual validation and manual testing: • Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives • Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom configuration, custom designs, custom applications, and use of purpose-built scripts Penetration testine and exploitation: • Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non- destructive (will not corrupt data or configurations, will not cause availability issues). • Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf applications Findings: • CASA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing patches, vulnerable versions and many more Reporting: • Findings are described in the report including full technical details of each vulnerability and exploit. • Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments. Vulnerability Databases Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP Tools Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, INTO Spider, Burp Suite Notes Testing forthe CASA is performed without credentials to test susceptibility to attack propagation by outside attackers, or insiders with lower privileges or without authorization. For credentialed testing of applications see our WASA (Web applications). For credentialed testing of other critical assets see our platform -specific reviews, e.g.: MSSA (Microsoft servers), NixSA (UNIX/Linux servers), ADSA (Active Directory), etc. For credentialed testing of the user computing environment, see our LAN Security Assessment (LANSA). These other credentialed tests include full reporting on patch levels. LAN Security Assessment (LANSA) Description Internal, unfiltered vulnerability analysis and penetration testing of desktops, laptops and other LAN-based systems for validation of end-user computing system security. Highlights Targets • Scanning to create a baseline of vulnerabilities and security • LANs, desktops, workstations, laptops, printers, LAN devices, risks applications, services, ports, protocols from within firewalls • Best-of-breed open source and commercial vulnerability boundaries — unfiltered analysis: harvesting tools 0 Desktops 0 A cross section is used to limit exposure to the 0 Workstations limitations of any single tool, and reap the benefits the o Laptops strengths each tool provides 0 LAN servers • Manual validation to eliminate false positives, confirm o Switches findings 0 Printers • Manual testing to find additional vulnerabilities not found by o Other LAN Devices scanning tools • 100,000+ known vulnerabilities, unique vulnerabilities from • Penetration testing through custom-designed and pre- custom designs, configurations and software existing exploits to test real severity 0 Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS) • Classification of severity of findings • Remediation recommendations • Benchmark analysis of results vs industry Methodology Scoping: • Illumant provides scoping worksheets • Client provides in-scope target networks, system IPs, URLs Enumeration/Recon: • Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses • Manual review of IPs, ports, URLs, to refine information about in scope target systems including function, manufacturer, OS, applications, services, and their respective versions Vulnerability Analysis/Harvesting: • Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts • Credentialed testing of desktops, laptops and work stations to validate OS and application versions, and missing patches. • Multiple tools are used to provide the widest possible initial baseline for additional analysis • 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and commercially maintained vulnerability databases • End-user system vulnerabilities include: Default credentials, malware sweeps, security misconfiguration, sensitive data exposure, backdoors, trojans, viruses, vulnerable applications, out-of-date OSs, missing patches, and many more. • For LAN servers and other devices vulnerabilities tested may also include: CGI abuses, buffer overflows, default credentials, SOL injection, URL injection, CSRF injection, directory traversal, AJAX vulnerabilities, insecure direct object references, missing function level access control, buffer overflows, etc. I validation and manual testing: Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives Additional expert manual testing to identify vulnerabilities not detected by automated scanners due to custom configuration, custom designs and custom applications using purpose-built scripts Penetration testing and exploitation: Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non- destructive (will not corrupt data or configurations, will not cause availability issues). Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf applications Reporting: • Findings are described in the report including full technical details of each vulnerability and exploit. • Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments. Vulnerability Databases M it r e org CVC, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP Tools ........_. _.__ Qualys, Nessus, NeXpose, Saint, Metas Notes LAN-based systems may be numerous. vulnerable outliers, as well. ZAP. NTO Illumant specifies vulnerabilities that affect all or most systems, and calls out exceptionally Testing of end-user systems is performed with credentials to evaluate the security within the end -user's context including patch -levels, vulnerable applications and out-of-date OSs. Description Credentialed and non -credentialed vulnerability assessment and penetration testing of web -based and intranet applications to validate security and protection against outside attackers, malware, privilege escalation and account hijacking. Highlights • Web service/application testing • With and/or without credentials • Testing with cross section of best -of -breed tools • Manual validation and penetration testing using expert, state - of -the art techniques and methodologies • Vulnerability targets: o Logic flaws o Lateral and vertical privilege escalation o Injection (SQL, LDAP, URL...( o Authentication o Session management (Session Hijacking) o XSS/CSRF o Misconfigu rations o Vulnerable components o Forged forward and redirects o Malware o more • Test against OWASP Top 10 • Remediation recommendations Scoping: • Client provides in -scope target applications/URLs Targets • Web applications o Users from all permissions categories o Registration processes o Login pages o All links/URLs o All input fields o All application workflows • Privileged objects and functionality • Testing may be performed on production systems, or in a sandbox/development environment • For production systems, testing is performed outside of peak hours and tests are limited to non-destructive testing • Credentials/test accounts to be provided if credentialed testing is required. Accounts should represent sample of all user account/permissions types/privilege levels. Vulnerability Analysis/Harvesting: • Automated scanning of in scope target applications using best -of -breed commercial and open -source application security analysis tools • Multiple tools are used to provide a maximally broad initial baseline for subsequent analysis • Vulnerabilities identified in the following areas: Injection, authentication, session management, XSS/CSRF, misconfigurations, vulnerable components, forged forwards and redirects • Automated testing performed with and without credentials to baseline public- and private -side app functionality. Tests for unauthorized access, lateral and vertical privilege escalation, session hijacking and lateral account traversal Manual validation and manual testing: • Manual validation of results of automated testing to discard false positives and test the severity of confirmed vulnerabilities. • For confirmed vulnerabilities, Illumant runs known and custom designed exploits and attempts to propagate attacks to retrieve sensitive information or verify possibility of pivoting to other targets • Illumant follows a separate thorough manual testing plan to test each application for vulnerabilities. This step is performed to uncover vulnerabilities missed by automated tools. This happens frequently particularly with custom or internally developed • Illumant's manual testing plan draws from best -practices standards (e.g. OWASP) as well as years of experience. • Manual testing includes walkthrough of all workflows, including registration and login, and other application specific workflows • All links, URLs, input fields are tested for logic flaws that could expose sensitive information, or allow for lateral or vertical escalation of privileges. Reporting: • Findings are described in the report including full technical details of each vulnerability and exploit. • Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments. Standards OWASP, WAHH Tools Scanner, ZAP, Nikto, NexDose. Metasoloit. internal tools Notes Testing assesses against OWASP Top 10 and beyond to ensure baseline coverage and more. For production systems, Illumant takes care not to run potentially destructive exploits. Description Beyond just phishing, targets the human element through multiple attack vectors to test awareness of users to potential security threats, by performing simulated phishing, planted media, pretext calling, and social networking attacks. • Social engineering • Simulated attacks • Phishing • Planted media (mail, USB -drops, etc.) • Pretext calling • Social networking • Tailgating (optional) • Security awareness • Comparison to baseline of similar organizations Methodology Targets • Employees • Users • Managers • Departments (HR, finance, administration, customer service/support, engineering, ...) • Knowledgeability about security • Awareness of security threats Scoping: • Illumant gathers preliminary target list through blind enumeration on Internet (demonstrates exposure to targeted phishing) • Illumant provide simulated attack vector scenarios with assigned targets for final review • Client vets target list to remove sensitive personnel, and supplies additional targets as desired. Client approves simulated attack vectors Testing: • Illumant runs simulated attack vectors against targets per the scoping phase above • Full response data is collected including which targets responded and all sensitive data and access that was provided as a result Simulated attack vectors • Phishing o An email is sent which is intended to deceive the target by coaxing them into following a link or opening an attachment. The link may lead to a fake page that looks legitimate which prompts the target to provide sensitive info (e.g. credentials), or may launch benign malware to simulate how an infection might be spread. Similarly an attachment when opened may deliver this benign malware as well. o Examples: Fake IT person sends link to fake webmail site to gather username/password, fake internship seeker sends resume which launches benign malware • Pretext Calling o A phone call is placed to a target. The call script is designed to emulate a real scenario, for instance to impersonate a real caller/client, or otherwise create a compelling reason for the target to divulge sensitive info, including client data, passwords, or other sensitive info. o Examples: Fake client asking for info, fake IT person asking for system/password info, fake vendor asking for sensitive info • Social Networking o A profile for a user is created on a social network (e.g. Linkedln) that purports that the users belongs to the target company or a vendor of the target company. The fake profile asks for connections to the target company and then sends a message request info or requesting that they follow a link which acts like the phishing attack above o Examples: Fake IT manager profile for target company asks for uses to log into a fake test site to gather usernames and passwords, fake vendor profile asks for target to share info about phone or IT systems • Planted Media o CDs or USBs are planted or emailed to the employees at the target company enticing the user to insert/open the media and files within. When opened, malware is launched which orovides access to the emolovee's comouter. o Examples: USB in parking lot contains fake salary info and when opened launches malware, CD in mail contains regulatory info for review and when opened launches malware • Physical Security/ Tailgating (optional) o Facilities and properties are visited o Attempts are made to tailgate into offices and sensitive areas, o Impersonation of delivery personnel or visitors, contractors, etc. is used to attempt gain unauthorized access o Attempts are made to identify / access unlocked or unsupervised entries Reporting: • All responses to simulated attacks or tracked including each target's responses, the information divulged, or the level of access provided • Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments. Tools ._...._.... __ ....___- Call scripts, phishing templates, pseudo-malware (non-destructive, memory -only script that simulates malware and informs Illumant when documents are opened). Notes An organization may wish to test all employees or a representative sample Description Combination of qualitative and quantitative analysis to determine the top threats to information security, biggest vulnerabilities, and largest opportunities for risk reduction through cost -benefit analysis. Highlights I Targets • Top down risk assessment Sensitive data • Inventory of critical assets o Customer data • Identification and severity of vulnerabilities o ePHI • Enumeration of threats o Financial info • Calculation of risk o SSNs • Risk factors o CCNs o Confidentiality • Critical systems o Integrity o Servers o Availability o Applications • Cost -benefit analysis of risk remediation efforts o Databases o Laptops o Desktops o USBs, DVDs, etc Methodology Data gathering: • Client provides relevant compliance requirements along with time slots for interviews and all relevant documentation • Illumant interview IT personnel and risk assessment stakeholders about: o Assets: Illumant identifies the sensitive data at the organization including ePHI, CCNs, SSNs, customer data, financial information, IP to learn where it resides, how it is received and transmitted, how it is processed, and which systems are involved o Controls/vulnerabilities: Controls are discussed in terms of which are in place, how mature they are, and which control gaps exist (vulnerabilities) Analysis: • Identify and Document Potential Threats and Vulnerabilities As part of the risk assessment process, organizations must identify and document reasonably anticipated threats to sensitive data. Illumant risk assessment methodology includes a threat model that includes the following: o Natural threats such as floods, earthquakes, tornadoes, and landslides. o Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to sensitive data) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions. o Environmental threats such as power failures, pollution, chemicals, and liquid leakage. Illumant will review these threats with the organization in the context of their assets and infrastructure to determine the extent to which the organization could be subject to impact by these threats. As part of Illumant's model, we have identified vulnerabilities that could be triggered or exploited by the threats above to create a risk of inappropriate access to or disclosure of sensitive data. Illumant will explore the presence of these vulnerabilities with the organization to determine how threats to sensitive data are augmented by any vulnerabilities that have been identified at the organization. • Assess Current Security Measures Illumant will perform an evaluation of the security measures addressed/implemented at the organization that may help to reduce risk to inappropriate disclosure of sensitive data. • Determine the Likelihood of Threat Occurrence Based on the evaluation of threats coupled with vulnerability information and security measures, Illumant's security model provides data for analysis of the likelihood of threat occurrence for each threat identified. Quantitative risk assessment techniques are used in the model, and every threat/vulnerability pair is considered and ranked from most to least likely. • Determine the Potential Impact of Threat Occurrence Using the likelihood information generated above, and the inventory of sensitive data assets gathered in the first phase, Illumant will generate an analysis of the potential impact on the organization of each possibly threat/vulnerability/asset triplet from a criticality standpoint. For instance, a high-likelihood threat triggering or exploiting an existing vulnerability, that is unmitigated by existing security measures, and targeting a system with a high concentration of sensitive data would be considered extremely critical. Whereas, if the threat or risk were mitigated by the presence of security measures, this would lower the criticality rating of the impact of the threat. • Determine the Level of Risk By comparing and aggregating the impacts of threat occurrence above, our model provides an overall risk analysis for the entity in terms of criticality. • Most importantly, however, this analysis provides a list of corrective, or risk mitigating actions that can be taken to reduce risk. These corrective actions are prioritized by cost-benefit to describe which actions provide the maximum risk mitigation relative to the effort or cost. Reporting: • The findings of the risk assessment, including the details of the inputs, outputs and analysis of each step above will be documented in a final report. • A summary section at the beginning of the report provides a management-consumable analysis of our findings and highlights any issues identified during the process of risk analysis. • The report includes specific remediation recommendations prioritized by cost-benefit. Tools Proprietary analytical risk assessment model and questionnaires Notes While the Risk Assessment can be performed entirely independently, it also complements technical and other organizational assessments, by refning the analysis with findings from other reports. Reports The findings are compiled into confidential reports with both executive and technical summaries, as well as comprehensive actionable recommendations. In addition, we provide full technical details concerning vulnerabilities and other findings. Remediation advice is presented for the vulnerabilities that are uncovered. An "Action Items" list is generated and additional recommendations for enhancing security and efficiency are presented. Illumant's security team will formally present the highlights of the report to Newport Beach. The presentation will contain both an executive -level overview and technical details of the state of the organization's networks. The meeting or conference call will provide an opportunity to discuss the findings in detail, as well as to discuss remediation options with Illumant's Expert Security Analysts. EXHIBIT B SCHEDULE OF BILLING RATES Illumant, LLC Page B-1 Professional Fees and Billing Our fees are based on our consultants' level of experience and skill and the time and effort required to complete the assessment. The following section shows our rates for each project component. These rates exclude travel and out-of- pocket expenses. All services are offered a la carte. Core Services Fees Perimeter Security Assessment (PSA) Up to 54 externally accessible systems $ 9,000 Critical Asset Security Assessment (CASA) Up to 350 servers and infrastructure devices $ 15,000 LAN Security Assessment (LANSA) Up to 700 workstations (reporting on representative units and outliers) $ 9,500 Web Application Security Assessment (WASA) —Timebox 80hr Critical applications (with and without credentials) $ 12,500 Social Engineering— Physical Option (Tailgating) Up to 1 target facility $ 3,000 Risk Assessment (RA) Interviews with up to 3 I personnel, questionnaire $ 7,700 Discount -$6,700 Total $ 50,000 Free differential assessments are provided (for PSAs only) within 6 months of each initial assessment. This acts as a follow up to validate remediation efforts. Any new vulnerabilities detected during the differential assessment will also be reported. Payment Terms For fixed fee engagements: A 30% retainer fee is due at the start of the engagement. A milestone payment of 50% is due upon completion of draft results. The remaining 20% is due upon delivery of the final reports. With the exception of the retainer, payments are due Net 10 days from the invoice date. Fees do not include travel and expenses. For hourly services: Fees will be billed bi-weekly on a time and materials basis payments are due Net 10 days from the invoice date. Fees do not include travel and expenses. EXHIBIT C INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES 1. Provision of Insurance. Without limiting Consultant's indemnification of City, and prior to commencement of Work, Consultant shall obtain, provide and maintain at its own expense during the term of this Agreement, policies of insurance of the type and amounts described below and in a form satisfactory to City. Consultant agrees to provide insurance in accordance with requirements set forth here. If Consultant uses existing coverage to comply and that coverage does not meet these requirements, Consultant agrees to amend, supplement or endorse the existing coverage. 2. Acceptable Insurers. All insurance policies shall be issued by an insurance company currently authorized by the Insurance Commissioner to transact business of insurance in the State of California, with an assigned policyholders' Rating of A- (or higher) and Financial Size Category Class VII (or larger) in accordance with the latest edition of Best's Key Rating Guide, unless otherwise approved by the City's Risk Manager. 3. Coverage Requirements A. Workers' Compensation Insurance. Consultant shall maintain Workers' Compensation Insurance, statutory limits, and Employer's Liability Insurance with limits of at least one million dollars ($1,000,000) each accident for bodily injury by accident and each employee for bodily injury by disease in accordance with the laws of the State of California, Section 3700 of the Labor Code. Consultant shall submit to City, along with the certificate of insurance, a Waiver of Subrogation endorsement in favor of City, its City Council, boards and commissions, officers, agents, volunteers and employees. B. General Liability Insurance. Consultant shall maintain commercial general liability insurance, and if necessary umbrella liability insurance, with coverage at least as broad as provided by Insurance Services Office form CG 00 01, in an amount not less than one million dollars ($1,000,000) per occurrence, two million dollars ($2,000,000) general aggregate. The policy shall cover liability arising from premises, operations, personal and advertising injury, and liability assumed under an insured contract (including the tort liability of another assumed in a business contract). C. Automobile Liability Insurance. Consultant shall maintain automobile insurance at least as broad as Insurance Services Office form CA 00 01 covering bodily injury and property damage for all activities of Consultant arising out of or in connection with Work to be performed under this Agreement, including coverage for any owned, hired, non -owned or rented vehicles, in an amount not less than one million dollars ($1,000,000) combined single limit each accident. Illumant, LLC Page C-1 D. Professional Liability (Errors & Omissions) Insurance. Consultant shall maintain professional liability insurance that covers the Services to be performed in connection with this Agreement, in the minimum amount of one million dollars ($1,000,000) per claim and two million dollars ($2,000,000) in the aggregate. Any policy inception date, continuity date, or retroactive date must be before the Effective Date of this Agreement and Consultant agrees to maintain continuous coverage through a period no less than three years after completion of the Services required by this Agreement. 4. Other Insurance Requirements. The policies are to contain, or be endorsed to contain, the following provisions: A. Waiver of Subrogation. All insurance coverage maintained or procured pursuant to this Agreement shall be endorsed to waive subrogation against City, its City Council, boards and commissions, officers, agents, volunteers and employees or shall specifically allow Consultant or others providing insurance evidence in compliance with these requirements to waive their right of recovery prior to a loss. Consultant hereby waives its own right of recovery against City, and shall require similar written express waivers from each of its subconsultants. B. Additional Insured Status. All liability policies including general liability, excess liability, pollution liability, and automobile liability, if required, but not including professional liability, shall provide or be endorsed to provide that City, its City Council, boards and commissions, officers, agents, volunteers and employees shall be included as insureds under such policies. C. Primary and Non Contributory. All liability coverage shall apply on a primary basis and shall not require contribution from any insurance or self- insurance maintained by City. D. Notice of Cancellation. All policies shall provide City with thirty (30) calendar days' notice of cancellation (except for nonpayment for which ten (10) calendar days' notice is required) or nonrenewal of coverage for each required coverage. 5. Additional Agreements Between the Parties. The parties hereby agree to the following: A. Evidence of Insurance. Consultant shall provide certificates of insurance to City as evidence of the insurance coverage required herein, along with a waiver of subrogation endorsement for workers' compensation and other endorsements as specified herein for each coverage. Insurance certificates and endorsement must be approved by City's Risk Manager prior to commencement of performance. Current certification of insurance shall be kept on file with City at all times during the term of this Illumant, LLC Page C-2 Agreement. City reserves the right to require complete, certified copies of all required insurance policies, at any time. B. City's Right to Revise Requirements. City reserves the right at any time during the term of the Agreement to change the amounts and types of insurance required by giving Consultant sixty (60) calendar days' advance written notice of such change. If such change results in substantial additional cost to Consultant, City and Consultant may renegotiate Consultant's compensation. C. Enforcement of Agreement Provisions. Consultant acknowledges and agrees that any actual or alleged failure on the part of City to inform Consultant of non-compliance with any requirement imposes no additional obligations on City nor does it waive any rights hereunder. D. Requirements not Limiting. Requirements of specific coverage features or limits contained in this Section are not intended as a limitation on coverage, limits or other requirements, or a waiver of any coverage normally provided by any insurance. Specific reference to a given coverage feature is for purposes of clarification only as it pertains to a given issue and is not intended by any party or insured to be all inclusive, or to the exclusion of other coverage, or a waiver of any type. If the Consultant maintains higher limits than the minimums shown above, the City requires and shall be entitled to coverage for higher limits maintained by the Consultant. Any available insurance proceeds in excess of the specified minimum limits of insurance and coverage shall be available to the City. E. Self-insured Retentions. Any self-insured retentions must be declared to and approved by City. City reserves the right to require that self-insured retentions be eliminated, lowered, or replaced by a deductible. Self- insurance will not be considered to comply with these requirements unless approved by City. F. City Remedies for Non -Compliance. If Consultant or any subconsultant fails to provide and maintain insurance as required herein, then City shall have the right but not the obligation, to purchase such insurance, to terminate this Agreement, or to suspend Consultant's right to proceed until proper evidence of insurance is provided. Any amounts paid by City shall, at City's sole option, be deducted from amounts payable to Consultant or reimbursed by Consultant upon demand. G. Timely Notice of Claims. Consultant shall give City prompt and timely notice of claims made or suits instituted that arise out of or result from Consultant's performance under this Agreement, and that involve or may involve coverage under any of the required liability policies. City assumes no obligation or liability by such notice, but has the right (but not the duty) to monitor the handling of any such claim or claims if they are likely to involve City. Illumant, LLC Page C-3 H. Consultant's Insurance. Consultant shall also procure and maintain, at its own cost and expense, any additional kinds of insurance, which in its own judgment may be necessary for its proper protection and prosecution of the Work. Illumant, LLC Page C-4 CERTIFICATE OF INSURANCE CHECKLIST City of Newport Beach This checklist is comprised of requirements as outlined by the City of Newport Beach. * Date Received: 6/25/19 Dept./Contact Received From: Jennifer Date Completed: 6/28/19 Sent to: Jennifer By: Jan Company/Person required to have certificate: Illumant LLC Type of contract: Other I. GENERAL LIABILITY EFFECTIVE/EXPI RATION DATE: 1/25/19 —1 /25/20 A. INSURANCE COMPANY: Sentinel Insurance Company B. AM BEST RATING (A-: VII or greater): A+/ XV INSURANCE COMPANY: Sentinel Insurance Company C. ADMITTED Company (Must be California Admitted): B. Is Company admitted in California? ® Yes ❑ No D. LIMITS (Must be $11M or greater): What is limit provided? $2M/$4M E. ADDITIONAL INSURED ENDORSEMENT — please attach ® Yes ❑ No F. PRODUCTS AND COMPLETED OPERATIONS (Must Is Company admitted in California? include): Is it included? (completed Operations status does ❑ No D. not apply to Waste Haulers or Recreation) ❑ Yes ❑ No G. ADDITIONAL INSURED FOR PRODUCTS AND UM, $2M min for Waste Haulers): What is limits provided? COMPLETED OPERATIONS ENDORSEMENT (completed E Operations status does not apply to Waste Haulers) ❑ Yes ❑ No H. ADDITIONAL INSURED WORDING TO INCLUDE (The City (What is limits provided?) its officers, officials, employees and volunteers): Is it included? ® Yes ❑ No I. PRIMARY & NON-CONTRIBUTORY WORDING (Must be ❑ No G. included): Is it included? ® Yes ❑ No J. CAUTION! (Confirm that loss or liability of the named insured H. HIRED AND NON -OWNED AUTO ONLY: is not limited solely by their negligence) Does endorsement ® Yes ❑ No include "solely by negligence" wording? ❑ Yes ® No K. ELECTED SCMAF COVERAGE (RECREATION ONLY): ® N/A ❑ Yes ❑ No L. NOTICE OF CANCELLATION: ❑ N/A ® Yes ❑ No II. AUTOMOBILE LIABILITY EFFECTIVE/EXPIRATION DATE: 1/25/19— 1/25/20 A. INSURANCE COMPANY: Sentinel Insurance Company B. AM BEST RATING (A-: VII or greater) A+/ XV C. ADMITTED COMPANY (Must be California Admitted): Is Company admitted in California? ® Yes ❑ No D. LIMITS - If Employees (Must be $1M min. BI & PD and $500,000 UM, $2M min for Waste Haulers): What is limits provided? $2,000,000 E LIMITS Waiver of Auto Insurance / Proof of coverage (if individual) (What is limits provided?) N/A F. ADDITIONAL INSURED WORDING: ❑ N/A ❑ Yes ❑ No G. PRIMARY & NON-CONTRIBUTORY WORDING: ❑ N/A ❑ Yes ❑ No H. HIRED AND NON -OWNED AUTO ONLY: ❑ N/A ® Yes ❑ No I. NOTICE OF CANCELLATION: ❑ N/A ® Yes 0 No III. WORKERS' COMPENSATION EFFECTIVE/EXPIRATION DATE: 12/15/18-12/15/19 A. INSURANCE COMPANY: Hartford Insurance Company of the Midwest B. AM BEST RATING (A-: VII or greater): A+/XV C. ADMITTED Company (Must be California Admitted): ® Yes ❑ No D. WORKERS' COMPENSATION LIMIT: Statutory M Yes ❑ No E. EMPLOYERS' LIABILITY LIMIT (Must be $1 M or greater) $1,000,000 F. WAIVER OF SUBROGATION (To include): Is it included? M Yes ❑ No G. SIGNED WORKERS' COMPENSATION EXEMPTION FORM: M N/A ❑ Yes ❑ No H. NOTICE OF CANCELLATION: ❑ N/A M Yes ❑ No ADDITIONAL COVERAGE'S THAT MAYBE REQUIRED IV. PROFESSIONAL LIABILITY 9/20/18-9/20/19 BEAZLEY INSURANCE COMPANY Rated: A / XIII, Admitted Limits: $3M ❑ N/A M Yes ❑ No V POLLUTION LIABILITY V BUILDERS RISK HAVE ALL ABOVE REQUIREMENTS BEEN MET? IF NO, WHICH ITEMS NEED TO BE COMPLETED? Broker of record for the City of Newport Beach 6/28/19 Date M N/A ❑ Yes ❑ No M N/A ❑ Yes ❑ No M Yes ❑ No RISK MANAGEMENT APPROVAL REQUIRED (Non -admitted carrier rated less than _ Self Insured Retention or Deductible greater than $ ) ❑ N/A ❑ Yes ❑ No Reason for Risk Management approval/exception/waiver: Approved: Risk Management Date * Subject to the terms of the contract.