C-7864-1 - PSA for Information Security Assessment Retesting Services

PROFESSIONAL SERVICES AGREEMENT WITH ILLUMANT, LLC FOR INFORMATION SECURITY ASSESSMENT RETESTING SERVICES

THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into as of this 15th day of June, 2020 ("Effective Date"), by and between the CITY OF NEWPORT BEACH, a California municipal corporation and charter city ("City"), and ILLUMANT, LLC, a California limited liability company ("Consultant"), whose address is 431 Florence Street, Suite 210, Palo Alto, California 94301, and is made with reference to the following:

RECITALS

A. City is a municipal corporation duly organized and validly existing under the laws of the State of California with the power to carry on its business as it is now being conducted under the statutes of the State of California and the Charter of City.

B. City desires to engage Consultant to provide information security assessment retesting services ("Project").

C. Consultant possesses the skill, experience, ability, background, certification and knowledge to provide the professional services described in this Agreement.

D. City has solicited and received a proposal from Consultant, has reviewed the previous experience and evaluated the expertise of Consultant, and desires to retain Consultant to render professional services under the terms and conditions set forth in this Agreement.

NOW, THEREFORE, it is mutually agreed by and between the undersigned parties as follows:

1. TERM

The term of this Agreement shall commence on the Effective Date, and shall terminate on December 31, 2020, unless terminated earlier as set forth herein.

2. SERVICES TO BE PERFORMED

Consultant shall diligently perform all the services described in the Scope of Services attached hereto as Exhibit A and incorporated herein by reference ("Services" or "Work"). City may elect to delete certain Services within the Scope of Services at its sole discretion.

3. TIME OF PERFORMANCE

3.1 Time is of the essence in the performance of Services under this Agreement and Consultant shall perform the Services in accordance with the schedule included in Exhibit A. In the absence of a specific schedule, the Services shall be performed to completion in a diligent and timely manner. The failure by Consultant to strictly adhere to the schedule set forth in Exhibit A, if any, or perform the Services in a diligent and timely manner may result in termination of this Agreement by City.

3.2 Notwithstanding the foregoing, Consultant shall not be responsible for delays due to causes beyond Consultant's reasonable control. However, in the case of any such delay in the Services to be provided for the Project, each party hereby agrees to provide notice within two (2) calendar days of the occurrence causing the delay to the other party so that all delays can be addressed.

3.3 Consultant shall submit all requests for extensions of time for performance in writing to the Project Administrator as defined herein not later than ten (10) calendar days after the start of the condition that purportedly causes a delay. The Project Administrator shall review all such requests and may grant reasonable time extensions for unforeseeable delays that are beyond Consultant's control.

3.4 For all time periods not specifically set forth herein, Consultant shall respond in the most expedient and appropriate manner under the circumstances, by hand-delivery or mail.

4. COMPENSATION TO CONSULTANT

4.1 City shall pay Consultant for the Services on a flat fee not-to-exceed basis in accordance with the provisions of this Section and the Schedule of Billing Rates attached hereto as Exhibit B and incorporated herein by reference.
Consultant's compensation for all Work performed in accordance with this Agreement, including all reimbursable items and subconsultant fees, shall not exceed Eleven Thousand One Hundred Dollars and 00/100 ($11,100.00), without prior written authorization from City. No billing rate changes shall be made during the term of this Agreement without the prior written approval of City.

4.2 Consultant shall submit invoices for payment, as described by the milestones in Exhibit B, to City describing the Work performed during the milestone period. Consultant's bills shall include the name of the person who performed the Work, a brief description of the Services performed and/or the specific task in the Scope of Services to which it relates, the date the Services were performed, the number of hours spent on all Work billed on an hourly basis, and a description of any reimbursable expenditures. City shall pay Consultant no later than thirty (30) calendar days after approval of the monthly invoice by City staff.

4.3 City shall reimburse Consultant only for those costs or expenses specifically identified in Exhibit B to this Agreement or specifically approved in writing in advance by City.

4.4 Consultant shall not receive any compensation for Extra Work performed without the prior written authorization of City. As used herein, "Extra Work" means any Work that is determined by City to be necessary for the proper completion of the Project, but which is not included within the Scope of Services and which the parties did not reasonably anticipate would be necessary at the execution of this Agreement. Compensation for any authorized Extra Work shall be paid in accordance with the Schedule of Billing Rates as set forth in Exhibit B.

5. PROJECT MANAGER

5.1 Consultant shall designate a Project Manager, who shall coordinate all phases of the Project. This Project Manager shall be available to City at all reasonable times during the Agreement term. Consultant has designated Billens (Bill) Crow to be its Project Manager. Consultant shall not remove or reassign the Project Manager or any personnel listed in Exhibit A or assign any new or replacement personnel to the Project without the prior written consent of City. City's approval shall not be unreasonably withheld with respect to the removal or assignment of non-key personnel.

5.2 Consultant, at the sole discretion of City, shall remove from the Project any of its personnel assigned to the performance of Services upon written request of City. Consultant warrants that it will continuously furnish the necessary personnel to complete the Project on a timely basis as contemplated by this Agreement.

5.3 If Consultant is performing inspection services for City, the Project Manager and any other assigned staff shall be equipped with a cellular phone to communicate with City staff. The Project Manager's cellular phone number shall be provided to City.

6. ADMINISTRATION

This Agreement will be administered by the City Manager's Office. City's Senior IT Analyst or designee shall be the Project Administrator and shall have the authority to act for City under this Agreement. The Project Administrator shall represent City in all matters pertaining to the Services to be rendered pursuant to this Agreement.

7. CITY'S RESPONSIBILITIES

To assist Consultant in the execution of its responsibilities under this Agreement, City agrees to provide access to and upon request of Consultant, one copy of all existing relevant information on file at City. City will provide all such materials in a timely manner so as not to cause delays in Consultant's Work schedule.

8. STANDARD OF CARE

8.1 All of the Services shall be performed by Consultant or under Consultant's supervision. Consultant represents that it possesses the professional and technical personnel required to perform the Services required by this Agreement, and that it will perform all Services in a manner commensurate with community professional standards and with the ordinary degree of skill and care that would be used by other reasonably competent practitioners of the same discipline under similar circumstances. All Services shall be performed by qualified and experienced personnel who are not employed by City. By delivery of completed Work, Consultant certifies that the Work conforms to the requirements of this Agreement, all applicable federal, state and local laws, and legally recognized professional standards.

8.2 Consultant represents and warrants to City that it has, shall obtain, and shall keep in full force and effect during the term hereof, at its sole cost and expense, all licenses, permits, qualifications, insurance and approvals of whatsoever nature that is legally required of Consultant to practice its profession. Consultant shall maintain a City of Newport Beach business license during the term of this Agreement.

8.3 Consultant shall not be responsible for delay, nor shall Consultant be responsible for damages or be in default or deemed to be in default by reason of strikes, lockouts, accidents, acts of God, or the failure of City to furnish timely information or to approve or disapprove Consultant's Work promptly, or delay or faulty performance by City, contractors, or governmental agencies.

9. HOLD HARMLESS

9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend and hold harmless City, its City Council, boards and commissions, officers, agents, volunteers and employees (collectively, the "Indemnified Parties") from and against any and all claims (including, without limitation, claims for bodily injury, death or damage to property), demands, obligations, damages, actions, causes of action, suits, losses, judgments, fines, penalties, liabilities, costs and expenses (including, without limitation, attorneys' fees, disbursements and court costs) of every kind and nature whatsoever (individually, a "Claim"; collectively, "Claims"), which may arise from or in any manner relate (directly or indirectly) to any breach of the terms and conditions of this Agreement, any Work performed or Services provided under this Agreement including, without limitation, defects in workmanship or materials or Consultant's presence or activities conducted on the Project (including the negligent, reckless, and/or willful acts, errors and/or omissions of Consultant, its principals, officers, agents, employees, vendors, suppliers, consultants, subcontractors, anyone employed directly or indirectly by any of them or for whose acts they may be liable, or any or all of them).

9.2 Notwithstanding the foregoing, nothing herein shall be construed to require Consultant to indemnify the Indemnified Parties from any Claim arising from the sole negligence or willful misconduct of the Indemnified Parties. Nothing in this indemnity shall be construed as authorizing any award of attorneys' fees in any action on or to enforce the terms of this Agreement. This indemnity shall apply to all claims and liability regardless of whether any insurance policies are applicable. The policy limits do not act as a limitation upon the amount of indemnification to be provided by Consultant.

10. INDEPENDENT CONTRACTOR

It is understood that City retains Consultant on an independent contractor basis and Consultant is not an agent or employee of City. The manner and means of conducting the Work are under the control of Consultant, except to the extent they are limited by statute, rule or regulation and the expressed terms of this Agreement. No civil service status or other right of employment shall accrue to Consultant or its employees. Nothing in this Agreement shall be deemed to constitute approval for Consultant or any of Consultant's employees or agents, to be the agents or employees of City. Consultant shall have the responsibility for and control over the means of performing the Work, provided that Consultant is in compliance with the terms of this Agreement. Anything in this Agreement that may appear to give City the right to direct Consultant as to the details of the performance of the Work or to exercise a measure of control over Consultant shall mean only that Consultant shall follow the desires of City with respect to the results of the Services.

11. COOPERATION

Consultant agrees to work closely and cooperate fully with City's designated Project Administrator and any other agencies that may have jurisdiction or interest in the Work to be performed. City agrees to cooperate with the Consultant on the Project.

12. CITY POLICY

Consultant shall discuss and review all matters relating to policy and Project direction with City's Project Administrator in advance of all critical decision points in order to ensure the Project proceeds in a manner consistent with City goals and policies.

13. PROGRESS

Consultant is responsible for keeping the Project Administrator informed on a regular basis regarding the status and progress of the Project, activities performed and planned, and any meetings that have been scheduled or are desired.

14. INSURANCE

Without limiting Consultant's indemnification of City, and prior to commencement of Work, Consultant shall obtain, provide and maintain at its own expense during the term of this Agreement or for other periods as specified in this Agreement, policies of insurance of the type, amounts, terms and conditions described in the Insurance Requirements attached hereto as Exhibit C, and incorporated herein by reference.

15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS

Except as specifically authorized under this Agreement, the Services to be provided under this Agreement shall not be assigned, transferred, contracted or subcontracted out without the prior written approval of City. Any of the following shall be construed as an assignment: The sale, assignment, transfer or other disposition of any of the issued and outstanding capital stock of Consultant, or of the interest of any general partner or joint venturer or syndicate member or cotenant if Consultant is a partnership or joint-venture or syndicate or co-tenancy, which shall result in changing the control of Consultant. Control means fifty percent (50%) or more of the voting power or twenty-five percent (25%) or more of the assets of the corporation, partnership or joint-venture.

16. SUBCONTRACTING

The subcontractors authorized by City, if any, to perform Work on this Project are identified in Exhibit A. Consultant shall be fully responsible to City for all acts and omissions of any subcontractor. Nothing in this Agreement shall create any contractual relationship between City and any subcontractor nor shall it create any obligation on the part of City to pay or to see to the payment of any monies due to any such subcontractor other than as otherwise required by law. City is an intended beneficiary of any Work performed by the subcontractor for purposes of establishing a duty of care between the subcontractor and City.
Except as specifically authorized herein, the Services to be provided under this Agreement shall not be otherwise assigned, transferred, contracted or subcontracted out without the prior written approval of City.

17. OWNERSHIP OF DOCUMENTS

17.1 Each and every report, draft, map, record, plan, document and other writing produced, including but not limited to, websites, blogs, social media accounts and applications (hereinafter "Documents"), prepared or caused to be prepared by Consultant, its officers, employees, agents and subcontractors, in the course of implementing this Agreement, shall become the exclusive property of City, and City shall have the sole right to use such materials in its discretion without further compensation to Consultant or any other party. Additionally, all material posted in cyberspace by Consultant, its officers, employees, agents and subcontractors, in the course of implementing this Agreement, shall become the exclusive property of City, and City shall have the sole right to use such materials in its discretion without further compensation to Consultant or any other party. Consultant shall, at Consultant's expense, provide such Documents, including all logins and password information to City upon prior written request.

17.2 Documents, including drawings and specifications, prepared by Consultant pursuant to this Agreement are not intended or represented to be suitable for reuse by City or others on any other project. Any use of completed Documents for other projects and any use of incomplete Documents without specific written authorization from Consultant will be at City's sole risk and without liability to Consultant. Further, any and all liability arising out of changes made to Consultant's deliverables under this Agreement by City or persons other than Consultant is waived against Consultant, and City assumes full responsibility for such changes unless City has given Consultant prior notice and has received from Consultant written consent for such changes.

17.3 All written documents shall be transmitted to City in formats compatible with Microsoft Office and/or viewable with Adobe Acrobat.

18. CONFIDENTIALITY

All Documents, including drafts, preliminary drawings or plans, notes and communications that result from the Services in this Agreement, shall be kept confidential unless City expressly authorizes in writing the release of information.

19. INTELLECTUAL PROPERTY INDEMNITY

Consultant shall defend and indemnify City, its agents, officers, representatives and employees against any and all liability, including costs, for infringement or alleged infringement of any United States' letters patent, trademark, or copyright, including costs, contained in Consultant's Documents provided under this Agreement.

20. RECORDS

Consultant shall keep records and invoices in connection with the Services to be performed under this Agreement. Consultant shall maintain complete and accurate records with respect to the costs incurred under this Agreement and any Services, expenditures and disbursements charged to City, for a minimum period of three (3) years, or for any longer period required by law, from the date of final payment to Consultant under this Agreement. All such records and invoices shall be clearly identifiable. Consultant shall allow a representative of City to examine, audit and make transcripts or copies of such records and invoices during regular business hours. Consultant shall allow inspection of all Work, data, Documents, proceedings and activities related to the Agreement for a period of three (3) years from the date of final payment to Consultant under this Agreement.

21. WITHHOLDINGS

City may withhold payment to Consultant of any disputed sums until satisfaction of the dispute with respect to such payment. Such withholding shall not be deemed to constitute a failure to pay according to the terms of this Agreement. Consultant shall not discontinue Work as a result of such withholding. Consultant shall have an immediate right to appeal to the City Manager or designee with respect to such disputed sums. Consultant shall be entitled to receive interest on any withheld sums at the rate of return that City earned on its investments during the time period, from the date of withholding of any amounts found to have been improperly withheld.

22. ERRORS AND OMISSIONS

In the event of errors or omissions that are due to the negligence or professional inexperience of Consultant which result in expense to City greater than what would have resulted if there were not errors or omissions in the Work accomplished by Consultant, the additional design, construction and/or restoration expense shall be borne by Consultant. Nothing in this Section is intended to limit City's rights under the law or any other sections of this Agreement.

23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS

City reserves the right to employ other Consultants in connection with the Project.

24. CONFLICTS OF INTEREST

24.1 Consultant or its employees may be subject to the provisions of the California Political Reform Act of 1974 (the "Act") and/or Government Code §§ 1090 et seq., which (1) require such persons to disclose any financial interest that may foreseeably be materially affected by the Work performed under this Agreement, and (2) prohibit such persons from making, or participating in making, decisions that will foreseeably financially affect such interest.

24.2 If subject to the Act and/or Government Code §§ 1090 et seq., Consultant shall conform to all requirements therein. Failure to do so constitutes a material breach and is grounds for immediate termination of this Agreement by City. Consultant shall indemnify and hold harmless City for any and all claims for damages resulting from Consultant's violation of this Section.

25. NOTICES

25.1 All notices, demands, requests or approvals, including any change in mailing address, to be given under the terms of this Agreement shall be given in writing, and conclusively shall be deemed served when delivered personally, or on the third business day after the deposit thereof in the United States mail, postage prepaid, first-class mail, addressed as hereinafter provided.

25.2 All notices, demands, requests or approvals from Consultant to City shall be addressed to City at:

Attn: IT Operations Supervisor
City Manager's Office/IT
City of Newport Beach
100 Civic Center Drive
PO Box 1768
Newport Beach, CA 92658

25.3 All notices, demands, requests or approvals from City to Consultant shall be addressed to Consultant at:

Attn: Billens Crow
Illumant, LLC
431 Florence Street, Suite 210
Palo Alto, CA 94301

26. CLAIMS

Unless a shorter time is specified elsewhere in this Agreement, before making its final request for payment under this Agreement, Consultant shall submit to City, in writing, all claims for compensation under or arising out of this Agreement.
Consultant's acceptance of the final payment shall constitute a waiver of all claims for compensation under or arising out of this Agreement except those previously made in writing and identified by Consultant in writing as unsettled at the time of its final request for payment. Consultant and City expressly agree that in addition to any claims filing requirements set forth in the Agreement, Consultant shall be required to file any claim Consultant may have against City in strict conformance with the Government Claims Act (Government Code sections 900 et seq.).

27. TERMINATION

27.1 In the event that either party fails or refuses to perform any of the provisions of this Agreement at the time and in the manner required, that party shall be deemed in default in the performance of this Agreement. If such default is not cured within a period of two (2) calendar days, or if more than two (2) calendar days are reasonably required to cure the default and the defaulting party fails to give adequate assurance of due performance within two (2) calendar days after receipt of written notice of default, specifying the nature of such default and the steps necessary to cure such default, and thereafter diligently take steps to cure the default, the non-defaulting party may terminate the Agreement forthwith by giving to the defaulting party written notice thereof.

27.2 Notwithstanding the above provisions, City shall have the right, at its sole and absolute discretion and without cause, of terminating this Agreement at any time by giving no less than seven (7) calendar days' prior written notice to Consultant. In the event of termination under this Section, City shall pay Consultant for Services satisfactorily performed and costs incurred up to the effective date of termination for which Consultant has not been previously paid. On the effective date of termination, Consultant shall deliver to City all reports, Documents and other information developed or accumulated in the performance of this Agreement, whether in draft or final form.

28. STANDARD PROVISIONS

28.1 Recitals. City and Consultant acknowledge that the above Recitals are true and correct and are hereby incorporated by reference into this Agreement.

28.2 Compliance with all Laws. Consultant shall, at its own cost and expense, comply with all statutes, ordinances, regulations and requirements of all governmental entities, including federal, state, county or municipal, whether now in force or hereinafter enacted. In addition, all Work prepared by Consultant shall conform to applicable City, county, state and federal laws, rules, regulations and permit requirements and be subject to approval of the Project Administrator and City.

28.3 Waiver. A waiver by either party of any breach, of any term, covenant or condition contained herein shall not be deemed to be a waiver of any subsequent breach of the same or any other term, covenant or condition contained herein, whether of the same or a different character.

28.4 Integrated Contract. This Agreement represents the full and complete understanding of every kind or nature whatsoever between the parties hereto, and all preliminary negotiations and agreements of whatsoever kind or nature are merged herein. No verbal agreement or implied covenant shall be held to vary the provisions herein.

28.5 Conflicts or Inconsistencies. In the event there are any conflicts or inconsistencies between this Agreement and the Scope of Services or any other attachments attached hereto, the terms of this Agreement shall govern.

28.6 Interpretation. The terms of this Agreement shall be construed in accordance with the meaning of the language used and shall not be construed for or against either party by reason of the authorship of the Agreement or any other rule of construction which might otherwise apply.

28.7 Amendments. This Agreement may be modified or amended only by a written document executed by both Consultant and City and approved as to form by the City Attorney.

28.8 Severability. If any term or portion of this Agreement is held to be invalid, illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining provisions of this Agreement shall continue in full force and effect.

28.9 Controlling Law and Venue. The laws of the State of California shall govern this Agreement and all matters relating to it and any action brought relating to this Agreement shall be adjudicated in a court of competent jurisdiction in the County of Orange, State of California.

28.10 Equal Opportunity Employment. Consultant represents that it is an equal opportunity employer and it shall not discriminate against any subcontractor, employee or applicant for employment because of race, religious creed, color, national origin, ancestry, physical handicap, medical condition, marital status, sex, sexual orientation, age or any other impermissible basis under law.

28.11 No Attorneys' Fees. In the event of any dispute or legal action arising under this Agreement, the prevailing party shall not be entitled to attorneys' fees.

28.12 Counterparts. This Agreement may be executed in two (2) or more counterparts, each of which shall be deemed an original and all of which together shall constitute one (1) and the same instrument.

[SIGNATURES ON NEXT PAGE]

IN WITNESS WHEREOF, the parties have caused this Agreement to be executed on the dates written below.

APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date: (illegible in scan)
By: Aaron C. Harp, City Attorney

ATTEST:
Date: (illegible in scan)
By: Leilani I. Brown, City Clerk

CITY OF NEWPORT BEACH, a California municipal corporation
Date: (illegible in scan)
By: Micheal Wojciechowski, IT Operations Supervisor

CONSULTANT: Illumant, LLC, a California limited liability company
Date: 6/5/2020
By: Mat Siljak, Manager
Date: 6/5/2020
By: Mark Snodgrass, Manager

[END OF SIGNATURES]

Attachments:
Exhibit A - Scope of Services
Exhibit B - Schedule of Billing Rates
Exhibit C - Insurance Requirements

EXHIBIT A
SCOPE OF SERVICES

This section presents in more detail the methodology we employ for each of our services. Additionally, it lists the information and access we will need to be able to effectively perform the work.

Perimeter Security Assessment & Penetration Testing (PSA)

Description
External vulnerability assessment, manual validation and penetration testing of Internet-facing networks, systems, sites and applications (aka the hacker's perspective). Includes identification, manual validation and benign exploitation of vulnerabilities, along with actionable remediation recommendations for improved security.
Highlights Targets • Scanning to create a baseline of vulnerabilities and security • Internet -facing networks, systems, applications, services, risks ports, protocols: • Testing can be performed overtly or covertly (w or w/o • Web sites informing IT and security personnel) • Web applications (non -credentialed testing) • Best -of -breed open source and commercial vulnerability o For credentialed testing see Web Application harvesting tools Security Assessment (WASA) o A cross section is used to limit exposure to the • Servers limitations of any single tool, and reap the • VPNs benefits the strengths each tool provides • Firewalls • Manual validation to eliminate false positives, confirm • Border routers findings • Internet -facing services (FTP, Telnet, SSH, and many more) • Manual testing to find additional vulnerabilities not found by • 100,000+ known vulnerabilities, client -specific vulnerabilities scanning tools in custom applications, configurations and software • Penetration testing through custom-designed and pre- existing exploits to test real severity 0 Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS) • Classification of severity of findings • Remediation recommendations • Benchmark analysis of results vs industry • Retesting (within 6 months of initial test) Methodology Scoping: • Illumant provides scoping worksheets • Client provides in -scope target networks, system IPs, URLs • Testing can be information with or without informing other IT or security personnel (overtly or covertly) to test response protocols and readiness. 
Enumeration/Recon: • Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses • Manual review of IPs, ports, URLs, to refine information about in scope target systems including function, manufacturer, OS, applications, services, and their respective versions Vulnerability Analysis/Harvesting: • Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts • Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations of any single tool • 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and commercially maintained vulnerability databases Manual validation and manual testing: • Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives • Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom configuration, custom designs, custom applications, and use of purpose-built scripts Penetration testing and exploitation: • Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non- destructive (will not corrupt data or configurations, will not cause availability issues). 
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf applications Findings: • PSA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing patches, vulnerable versions and many more Reporting: • Findings are described in the report including full technical details of each vulnerability and exploit. • Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. • Ratings are benchmarked against thousands of previous assessments. Vulnerability Databases Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVO, Rapid7, OWASP Tools Qualys, Nessus, NeXpose, Saint, Metasp_loit, _ZAP, NTO Spider, Burp Suite, Nikto Notes A retest is provided with 6 months of the initial test to assist with validation of remediation efforts. Internet-facing web applications are tested as part of this test without credentials. For full credentialed application testing (gray box testing), see the Web Application Security Assessment (WASA). Description Internal, unfiltered vulnerability analysis and penetration testing of mission -critical applications, systems and networks for validation of layered -security and defense in depth. 
Highlights
• Scanning to create a baseline of vulnerabilities and security risks
• Best-of-breed open source and commercial vulnerability harvesting tools
  o A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits of the strengths each tool provides
• Manual validation to eliminate false positives, confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
  o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry

Targets
• Internal networks, systems, applications, services, ports, protocols:
  o Web sites
  o Web applications (non-credentialed testing); for credentialed testing see Web Application Security Assessment (WASA)
  o Servers
  o VPNs
  o Firewalls
  o Border routers
• 100,000+ known vulnerabilities, unique vulnerabilities from custom designs, configurations and software

Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs

Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses
• Manual review of IPs, ports, and URLs to refine information about in-scope target systems including function, manufacturer, OS, applications, services, and their respective versions

Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and commercially maintained vulnerability databases

Manual validation and manual testing:
• Expert manual review of identified vulnerabilities to confirm their validity and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom configuration, custom designs, custom applications, and use of purpose-built scripts

Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom and off-the-shelf applications

Findings:
• CASA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, missing patches, vulnerable versions and many more

Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments.

Vulnerability Databases: Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP
Tools: Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite

Notes:
Testing for the CASA is performed without credentials to test susceptibility to attack propagation by outside attackers, or insiders with lower privileges or without authorization. For credentialed testing of applications see our WASA (Web applications). For credentialed testing of other critical assets see our platform-specific reviews, e.g.: MSSA (Microsoft servers), NixSA (UNIX/Linux servers), ADSA (Active Directory), etc. For credentialed testing of the user computing environment, see our LAN Security Assessment (LANSA). These other credentialed tests include full reporting on patch levels.

LAN Security Assessment (LANSA)

Description
Internal, unfiltered vulnerability analysis and penetration testing of desktops, laptops and other LAN-based systems for validation of end-user computing system security.

Highlights
• Scanning to create a baseline of vulnerabilities and security risks
• Best-of-breed open source and commercial vulnerability harvesting tools
  o A cross section is used to limit exposure to the limitations of any single tool, and reap the benefits of the strengths each tool provides
• Manual validation to eliminate false positives, confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
  o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g. BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry

Targets
• LANs, desktops, workstations, laptops, printers, LAN devices, applications, services, ports, protocols from within firewall boundaries (unfiltered analysis):
  o Desktops
  o Workstations
  o Laptops
  o LAN servers
  o Switches
  o Printers
  o Other LAN Devices
• 100,000+ known vulnerabilities, unique vulnerabilities from custom designs, configurations and software

Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs

Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses
• Manual review of IPs, ports and URLs to refine information about in-scope target systems including function, manufacturer, OS, applications, services, and their respective versions

Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts
• Credentialed testing of desktops, laptops and workstations to validate OS and application versions, and missing patches.
• Multiple tools are used to provide the widest possible initial baseline for additional analysis
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and commercially maintained vulnerability databases
• End-user system vulnerabilities include: default credentials, malware sweeps, security misconfiguration, sensitive data exposure, backdoors, trojans, viruses, vulnerable applications, out-of-date OSs, missing patches, and many more.
• For LAN servers and other devices, vulnerabilities tested may also include: CGI abuses, buffer overflows, default credentials, SQL injection, URL injection, CSRF injection, directory traversal, AJAX vulnerabilities, insecure direct object references, missing function level access control, etc.
Manual validation and manual testing:
• Expert manual review of identified vulnerabilities to confirm their validity and discard false positives
• Additional expert manual testing, using purpose-built scripts, to identify vulnerabilities not detected by automated scanners due to custom configuration, custom designs and custom applications

Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom and off-the-shelf applications

Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments.

Vulnerability Databases: Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP
Tools: Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite

Notes:
LAN-based systems may be numerous. Illumant specifies vulnerabilities that affect all or most systems, and calls out exceptionally vulnerable outliers as well. Testing of end-user systems is performed with credentials to evaluate the security within the end-user's context, including patch levels, vulnerable applications and out-of-date OSs.

Web Application Security Assessment (WASA)

Description
Credentialed and non-credentialed vulnerability assessment and penetration testing of web-based and intranet applications to validate security and protection against outside attackers, malware, privilege escalation and account hijacking.
Highlights
• Web service/application testing
• With and/or without credentials
• Testing with cross section of best-of-breed tools
• Manual validation and penetration testing using expert, state-of-the-art techniques and methodologies
• Vulnerability targets:
  o Logic flaws
  o Lateral and vertical privilege escalation
  o Injection (SQL, LDAP, URL...)
  o Authentication
  o Session management (Session Hijacking)
  o XSS/CSRF
  o Misconfigurations
  o Vulnerable components
  o Forged forwards and redirects
  o Malware
  o more
• Test against OWASP Top 10
• Remediation recommendations

Targets
• Web applications
  o Users from all permissions categories
  o Registration processes
  o Login pages
  o All links/URLs
  o All input fields
  o All application workflows
  o Privileged objects and functionality

Methodology
Scoping:
• Client provides in-scope target applications/URLs
• Testing may be performed on production systems, or in a sandbox/development environment
• For production systems, testing is performed outside of peak hours and tests are limited to non-destructive testing
• Credentials/test accounts to be provided if credentialed testing is required. Accounts should represent a sample of all user account/permissions types/privilege levels.

Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target applications using best-of-breed commercial and open-source application security analysis tools
• Multiple tools are used to provide a maximally broad initial baseline for subsequent analysis
• Vulnerabilities identified in the following areas: injection, authentication, session management, XSS/CSRF, misconfigurations, vulnerable components, forged forwards and redirects
• Automated testing performed with and without credentials to baseline public- and private-side app functionality. Tests for unauthorized access, lateral and vertical privilege escalation, session hijacking and lateral account traversal

Manual validation and manual testing:
• Manual validation of results of automated testing to discard false positives and test the severity of confirmed vulnerabilities.
• For confirmed vulnerabilities, Illumant runs known and custom-designed exploits and attempts to propagate attacks to retrieve sensitive information or verify the possibility of pivoting to other targets
• Illumant follows a separate, thorough manual testing plan to test each application for vulnerabilities. This step is performed to uncover vulnerabilities missed by automated tools. This happens frequently, particularly with custom or internally developed
• Illumant's manual testing plan draws from best-practices standards (e.g. OWASP) as well as years of experience.
• Manual testing includes walkthrough of all workflows, including registration and login, and other application-specific workflows
• All links, URLs and input fields are tested for logic flaws that could expose sensitive information, or allow for lateral or vertical escalation of privileges.

Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments.

Standards: OWASP, WAHH
Tools: Nessus, Qualys Web Application Scanner, ZAP, Nikto, Nexpose, Metasploit, internal tools

Notes:
Testing assesses against OWASP Top 10 and beyond to ensure baseline coverage and more. For production systems, Illumant takes care not to run potentially destructive exploits.
Information Security Assessment Retesting Services Proposal
Prepared for City of Newport Beach
May 15, 2020

Reports
The findings are compiled into confidential reports with both executive and technical summaries, as well as comprehensive actionable recommendations. In addition, we provide full technical details concerning vulnerabilities and other findings. Remediation advice is presented for the vulnerabilities that are uncovered. An "Action Items" list is generated and additional recommendations for enhancing security and efficiency are presented.

Illumant's security team will formally present the highlights of the report to Newport Beach. The presentation will contain both an executive-level overview and technical details of the state of the organization's networks. The meeting or conference call will provide an opportunity to discuss the findings in detail, as well as to discuss remediation options with Illumant's Expert Security Analysts.

Illumant Security Assessment and Compliance, www.illumant.com, 331 Florence Street, Suite 210, Palo Alto, California 94301, info@illumant.com, +1.650.961.5911 (main), 650.961.5912 (fax), page 16

EXHIBIT B
SCHEDULE OF BILLING RATES
Illumant, LLC Page B-1

Our fees are based on our consultants' level of experience and skill and the time and effort required to complete the assessment. The following section shows our rates for each project component. These rates exclude travel and out-of-pocket expenses. All services are offered a la carte.
Core Services | Scope | Fees
Perimeter Security Assessment (PSA) - Retest | Up to 54 externally accessible systems | $2,700
Critical Asset Security Assessment (CASA) - Retest | Up to 350 servers and infrastructure devices | $4,500
LAN Security Assessment (LANSA) - Retest | Up to 700 workstations (reporting on representative units and outliers) | $2,850
Web Application Security Assessment (WASA) - Retest | Critical applications (with and without credentials) | $3,750
Discount: Choose all and receive PSA Retest free | | -$2,700
Total | | $11,100

Free differential assessments are provided (for PSAs only) within 6 months of each initial assessment. This acts as a follow-up to validate remediation efforts. Any new vulnerabilities detected during the differential assessment will also be reported.

Payment Terms
For fixed fee engagements: A 30% retainer fee is due at the start of the engagement. A milestone payment of 50% is due upon completion of draft results. The remaining 20% is due upon delivery of the final reports. With the exception of the retainer, payments are due Net 10 days from the invoice date. Fees do not include travel and expenses.

A discount of 20% (the amount of the final payment) is offered for each service component for which a three-year contract is selected. This discount is available up until receipt of the final payment for the project. This provides the opportunity to review final deliverables before committing to a 3-year term.

EXHIBIT C
INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES

1. Provision of Insurance. Without limiting Consultant's indemnification of City, and prior to commencement of Work, Consultant shall obtain, provide and maintain at its own expense during the term of this Agreement, policies of insurance of the type and amounts described below and in a form satisfactory to City. Consultant agrees to provide insurance in accordance with requirements set forth here.
If Consultant uses existing coverage to comply and that coverage does not meet these requirements, Consultant agrees to amend, supplement or endorse the existing coverage.

2. Acceptable Insurers. All insurance policies shall be issued by an insurance company currently authorized by the Insurance Commissioner to transact business of insurance in the State of California, with an assigned policyholders' Rating of A- (or higher) and Financial Size Category Class VII (or larger) in accordance with the latest edition of Best's Key Rating Guide, unless otherwise approved by the City's Risk Manager.

3. Coverage Requirements.

A. Workers' Compensation Insurance. Consultant shall maintain Workers' Compensation Insurance, statutory limits, and Employer's Liability Insurance with limits of at least one million dollars ($1,000,000) each accident for bodily injury by accident and each employee for bodily injury by disease in accordance with the laws of the State of California, Section 3700 of the Labor Code. Consultant shall submit to City, along with the certificate of insurance, a Waiver of Subrogation endorsement in favor of City, its City Council, boards and commissions, officers, agents, volunteers and employees.

B. General Liability Insurance. Consultant shall maintain commercial general liability insurance, and if necessary umbrella liability insurance, with coverage at least as broad as provided by Insurance Services Office form CG 00 01, in an amount not less than one million dollars ($1,000,000) per occurrence, two million dollars ($2,000,000) general aggregate. The policy shall cover liability arising from premises, operations, personal and advertising injury, and liability assumed under an insured contract (including the tort liability of another assumed in a business contract).

C. Automobile Liability Insurance.
Consultant shall maintain automobile insurance at least as broad as Insurance Services Office form CA 00 01 covering bodily injury and property damage for all activities of Consultant arising out of or in connection with Work to be performed under this Agreement, including coverage for any owned, hired, non-owned or rented vehicles, in an amount not less than one million dollars ($1,000,000) combined single limit each accident.

D. Professional Liability (Errors & Omissions) Insurance. Consultant shall maintain professional liability insurance that covers the Services to be performed in connection with this Agreement, in the minimum amount of one million dollars ($1,000,000) per claim and two million dollars ($2,000,000) in the aggregate. Any policy inception date, continuity date, or retroactive date must be before the Effective Date of this Agreement and Consultant agrees to maintain continuous coverage through a period no less than three years after completion of the Services required by this Agreement.

4. Other Insurance Requirements. The policies are to contain, or be endorsed to contain, the following provisions:

A. Waiver of Subrogation. All insurance coverage maintained or procured pursuant to this Agreement shall be endorsed to waive subrogation against City, its City Council, boards and commissions, officers, agents, volunteers and employees or shall specifically allow Consultant or others providing insurance evidence in compliance with these requirements to waive their right of recovery prior to a loss. Consultant hereby waives its own right of recovery against City, and shall require similar written express waivers from each of its subconsultants.

B. Additional Insured Status.
All liability policies including general liability, excess liability, pollution liability, and automobile liability, if required, but not including professional liability, shall provide or be endorsed to provide that City, its City Council, boards and commissions, officers, agents, volunteers and employees shall be included as insureds under such policies.

C. Primary and Non-Contributory. All liability coverage shall apply on a primary basis and shall not require contribution from any insurance or self-insurance maintained by City.

D. Notice of Cancellation. All policies shall provide City with thirty (30) calendar days' notice of cancellation (except for nonpayment for which ten (10) calendar days' notice is required) or nonrenewal of coverage for each required coverage.

5. Additional Agreements Between the Parties. The parties hereby agree to the following:

A. Evidence of Insurance. Consultant shall provide certificates of insurance to City as evidence of the insurance coverage required herein, along with a waiver of subrogation endorsement for workers' compensation and other endorsements as specified herein for each coverage. Insurance certificates and endorsements must be approved by City's Risk Manager prior to commencement of performance. Current certification of insurance shall be kept on file with City at all times during the term of this Agreement. The certificates and endorsements for each insurance policy shall be signed by a person authorized by that insurer to bind coverage on its behalf. At least fifteen (15) days prior to the expiration of any such policy, evidence of insurance showing that such insurance coverage has been renewed or extended shall be filed with the City.
If such coverage is cancelled or reduced, Consultant shall, within ten (10) days after receipt of written notice of such cancellation or reduction of coverage, file with the City evidence of insurance showing that the required insurance has been reinstated or has been provided through another insurance company or companies. City reserves the right to require complete, certified copies of all required insurance policies, at any time.

B. City's Right to Revise Requirements. City reserves the right at any time during the term of the Agreement to change the amounts and types of insurance required by giving Consultant sixty (60) calendar days' advance written notice of such change. If such change results in substantial additional cost to Consultant, City and Consultant may renegotiate Consultant's compensation.

C. Enforcement of Agreement Provisions. Consultant acknowledges and agrees that any actual or alleged failure on the part of City to inform Consultant of non-compliance with any requirement imposes no additional obligations on City nor does it waive any rights hereunder.

D. Requirements not Limiting. Requirements of specific coverage features or limits contained in this Section are not intended as a limitation on coverage, limits or other requirements, or a waiver of any coverage normally provided by any insurance. Specific reference to a given coverage feature is for purposes of clarification only as it pertains to a given issue and is not intended by any party or insured to be all inclusive, or to the exclusion of other coverage, or a waiver of any type. If the Consultant maintains higher limits than the minimums shown above, the City requires and shall be entitled to coverage for higher limits maintained by the Consultant. Any available insurance proceeds in excess of the specified minimum limits of insurance and coverage shall be available to the City.

E. Self-insured Retentions. Any self-insured retentions must be declared to and approved by City.
City reserves the right to require that self-insured retentions be eliminated, lowered, or replaced by a deductible. Self-insurance will not be considered to comply with these requirements unless approved by City.

F. City Remedies for Non-Compliance. If Consultant or any subconsultant fails to provide and maintain insurance as required herein, then City shall have the right but not the obligation, to purchase such insurance, to terminate this Agreement, or to suspend Consultant's right to proceed until proper evidence of insurance is provided. Any amounts paid by City shall, at City's sole option, be deducted from amounts payable to Consultant or reimbursed by Consultant upon demand.

G. Timely Notice of Claims. Consultant shall give City prompt and timely notice of claims made or suits instituted that arise out of or result from Consultant's performance under this Agreement, and that involve or may involve coverage under any of the required liability policies. City assumes no obligation or liability by such notice, but has the right (but not the duty) to monitor the handling of any such claim or claims if they are likely to involve City.

H. Consultant's Insurance. Consultant shall also procure and maintain, at its own cost and expense, any additional kinds of insurance, which in its own judgment may be necessary for its proper protection and prosecution of the Work.
Biddle, Jennifer

From: Franceschini, Melanie
Sent: Wednesday, July 29, 2020 5:28 PM
To: Biddle, Jennifer
Subject: FW: Compliance Alert - Vendor Number FV00000154

-----Original Message-----
From: Customer Service <customerservice@ebix.com>
Sent: Wednesday, July 29, 2020 5:28 PM
To: Franceschini, Melanie <MFranceschini@newportbeachca.gov>; Insurance <insurance@newportbeachca.gov>
Cc: sagar@ebix.com
Subject: Compliance Alert - Vendor Number FV00000154

[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.

This Account has moved from non-compliant to COMPLIANT status and is currently in compliance for certificate of insurance requirements.

FV00000154 Illumant, LLC

Sent by Ebix, designated insurance certificate reviewer for the City of Newport Beach.