HomeMy WebLinkAboutC-7864-1 - PSA for Information Security Assessment Retesting Services1
CO
�- PROFESSIONAL SERVICES AGREEMENT
WITH ILLUMANT, LLC FOR
V INFORMATION SECURITY ASSESSMENT RETESTING SERVICES
THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement') is made and
entered into as of this 15th day of June, 2020 ("Effective Date"), by and between the CITY
OF NEWPORT BEACH, a California municipal corporation and charter city ("City"), and
ILLUMANT, LLC, a California limited liability company ("Consultant'), whose address is
431 Florence Street, Suite 210, Palo Alto, California 94301, and is made with reference
to the following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. City desires to engage Consultant to provide information security assessment
retesting services ("Project').
C. Consultant possesses the skill, experience, ability, background, certification and
knowledge to provide the professional services described in this Agreement.
D. City has solicited and received a proposal from Consultant, has reviewed the
previous experience and evaluated the expertise of Consultant, and desires to
retain Consultant to render professional services under the terms and conditions
set forth in this Agreement.
NOW, THEREFORE, it is mutually agreed by and between the undersigned parties
as follows:
fi���:L41
The term of this Agreement shall commence on the Effective Date, and shall
terminate on December 31, 2020, unless terminated earlier as set forth herein.
2. SERVICES TO BE PERFORMED
Consultant shall diligently perform all the services described in the Scope of
Services attached hereto as Exhibit A and incorporated herein by reference ("Services"
or "Work"). City may elect to delete certain Services within the Scope of Services at its
sole discretion.
3. TIME OF PERFORMANCE
3.1 Time is of the essence in the performance of Services under this Agreement
and Consultant shall perform the Services in accordance with the schedule included in
Exhibit A. In the absence of a specific schedule, the Services shall be performed to
completion in a diligent and timely manner. The failure by Consultant to strictly adhere to
the schedule set forth in Exhibit A, if any, or perform the Services in a diligent and timely
manner may result in termination of this Agreement by City.
3.2 Notwithstanding the foregoing, Consultant shall not be responsible for
delays due to causes beyond Consultant's reasonable control. However, in the case of
any such delay in the Services to be provided for the Project, each party hereby agrees
to provide notice within two (2) calendar days of the occurrence causing the delay to the
other party so that all delays can be addressed.
3.3 Consultant shall submit all requests for extensions of time for performance
in writing to the Project Administrator as defined herein not later than ten (10) calendar
days after the start of the condition that purportedly causes a delay. The Project
Administrator shall review all such requests and may grant reasonable time extensions
for unforeseeable delays that are beyond Consultant's control.
3.4 For all time periods not specifically set forth herein, Consultant shall
respond in the most expedient and appropriate manner under the circumstances, by
hand -delivery or mail.
4. COMPENSATION TO CONSULTANT
4.1 City shall pay Consultant for the Services on a flat fee not -to -exceed basis
in accordance with the provisions of this Section and the Schedule of Billing Rates
attached hereto as Exhibit B and incorporated herein by reference. Consultant's
compensation for all Work performed in accordance with this Agreement, including all
reimbursable items and subconsultant fees, shall not exceed Eleven Thousand One
Hundred Dollars and 00/100 ($11,100.00), without prior written authorization from City.
No billing rate changes shall be made during the term of this Agreement without the prior
written approval of City.
4.2 Consultant shall submit invoices for payment, as described by the
milestones in Exhibit B, to City describing the Work performed the milestone period.
Consultant's bills shall include the name of the person who performed the Work, a brief
description of the Services performed and/or the specific task in the Scope of Services to
which it relates, the date the Services were performed, the number of hours spent on all
Work billed on an hourly basis, and a description of any reimbursable expenditures. City
shall pay Consultant no later than thirty (30) calendar days after approval of the monthly
invoice by City staff.
4.3 City shall reimburse Consultant only for those costs or expenses specifically
identified in Exhibit B to this Agreement or specifically approved in writing in advance by
City.
4.4 Consultant shall not receive any compensation for Extra Work performed
without the prior written authorization of City. As used herein, "Extra Work" means any
Work that is determined by City to be necessary for the proper completion of the Project,
but which is not included within the Scope of Services and which the parties did not
Illumant, LLC Page 2
reasonably anticipate would be necessary at the execution of this Agreement.
Compensation for any authorized Extra Work shall be paid in accordance with the
Schedule of Billing Rates as set forth in Exhibit B.
5. PROJECT MANAGER
5.1 Consultant shall designate a Project Manager, who shall coordinate all
phases of the Project. This Project Manager shall be available to City at all reasonable
times during the Agreement term. Consultant has designated Billens (Bill) Crow to be its
Project Manager. Consultant shall not remove or reassign the Project Manager or any
personnel listed in Exhibit A or assign any new or replacement personnel to the Project
without the prior written consent of City. City's approval shall not be unreasonably
withheld with respect to the removal or assignment of non -key personnel.
5.2 Consultant, at the sole discretion of City, shall remove from the Project any
of its personnel assigned to the performance of Services upon written request of City.
Consultant warrants that it will continuously furnish the necessary personnel to complete
the Project on a timely basis as contemplated by this Agreement.
5.3 If Consultant is performing inspection services for City, the Project Manager
and any other assigned staff shall be equipped with a cellular phone to communicate with
City staff. The Project Manager's cellular phone number shall be provided to City.
6. ADMINISTRATION
This Agreement will be administered by the City Manager's Office. City's Senior
IT Analyst or designee shall be the Project Administrator and shall have the authority to
act for City under this Agreement. The Project Administrator shall represent City in all
matters pertaining to the Services to be rendered pursuant to this Agreement.
7. CITY'S RESPONSIBILITIES
To assist Consultant in the execution of its responsibilities under this Agreement,
City agrees to provide access to and upon request of Consultant, one copy of all existing
relevant information on file at City. City will provide all such materials in a timely manner
so as not to cause delays in Consultant's Work schedule.
8. STANDARD OF CARE
8.1 All of the Services shall be performed by Consultant or under Consultant's
supervision. Consultant represents that it possesses the professional and technical
personnel required to perform the Services required by this Agreement, and that it will
perform all Services in a manner commensurate with community professional standards
and with the ordinary degree of skill and care that would be used by other reasonably
competent practitioners of the same discipline under similar circumstances. All Services
shall be performed by qualified and experienced personnel who are not employed by City.
By delivery of completed Work, Consultant certifies that the Work conforms to the
Illumant, LLC Page 3
requirements of this Agreement, all applicable federal, state and local laws, and legally
recognized professional standards.
8.2 Consultant represents and warrants to City that it has, shall obtain, and shall
keep in full force and effect during the term hereof, at its sole cost and expense, all
licenses, permits, qualifications, insurance and approvals of whatsoever nature that is
legally required of Consultant to practice its profession. Consultant shall maintain a City
of Newport Beach business license during the term of this Agreement.
8.3 Consultant shall not be responsible for delay, nor shall Consultant be
responsible for damages or be in default or deemed to be in default by reason of strikes,
lockouts, accidents, acts of God, or the failure of City to furnish timely information or to
approve or disapprove Consultant's Work promptly, or delay or faulty performance by
City, contractors, or governmental agencies.
9. HOLD HARMLESS
9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend
and hold harmless City, its City Council, boards and commissions, officers, agents,
volunteers and employees (collectively, the "Indemnified Parties") from and against any
and all claims (including, without limitation, claims for bodily injury, death or damage to
property), demands, obligations, damages, actions, causes of action, suits, losses,
judgments, fines, penalties, liabilities, costs and expenses (including, without limitation,
attorneys' fees, disbursements and court costs) of every kind and nature whatsoever
(individually, a Claim; collectively, "Claims"), which may arise from or in any manner relate
(directly or indirectly) to any breach of the terms and conditions of this Agreement, any
Work performed or Services provided under this Agreement including, without limitation,
defects in workmanship or materials or Consultant's presence or activities conducted on
the Project (including the negligent, reckless, and/or willful acts, errors and/or omissions
of Consultant, its principals, officers, agents, employees, vendors, suppliers, consultants,
subcontractors, anyone employed directly or indirectly by any of them or for whose acts
they may be liable, or any or all of them).
9.2 Notwithstanding the foregoing, nothing herein shall be construed to require
Consultant to indemnify the Indemnified Parties from any Claim arising from the sole
negligence or willful misconduct of the Indemnified Parties. Nothing in this indemnity shall
be construed as authorizing any award of attorneys' fees in any action on or to enforce
the terms of this Agreement. This indemnity shall apply to all claims and liability
regardless of whether any insurance policies are applicable. The policy limits do not act
as a limitation upon the amount of indemnification to be provided by Consultant.
10. INDEPENDENT CONTRACTOR
It is understood that City retains Consultant on an independent contractor basis
and Consultant is not an agent or employee of City. The manner and means of
conducting the Work are under the control of Consultant, except to the extent they are
limited by statute, rule or regulation and the expressed terms of this Agreement. No civil
Illumant, LLC Page 4
service status or other right of employment shall accrue to Consultant or its employees.
Nothing in this Agreement shall be deemed to constitute approval for Consultant or any
of Consultant's employees or agents, to be the agents or employees of City. Consultant
shall have the responsibility for and control over the means of performing the Work,
provided that Consultant is in compliance with the terms of this Agreement. Anything in
this Agreement that may appear to give City the right to direct Consultant as to the details
of the performance of the Work or to exercise a measure of control over Consultant shall
mean only that Consultant shall follow the desires of City with respect to the results of the
Services.
11. COOPERATION
Consultant agrees to work closely and cooperate fully with City's designated
Project Administrator and any other agencies that may have jurisdiction or interest in the
Work to be performed. City agrees to cooperate with the Consultant on the Project.
12. CITY POLICY
Consultant shall discuss and review all matters relating to policy and Project
direction with City's Project Administrator in advance of all critical decision points in order
to ensure the Project proceeds in a manner consistent with City goals and policies.
13. PROGRESS
Consultant is responsible for keeping the Project Administrator informed on a
regular basis regarding the status and progress of the Project, activities performed and
planned, and any meetings that have been scheduled or are desired.
14. INSURANCE
Without limiting Consultant's indemnification of City, and prior to commencement
of Work, Consultant shall obtain, provide and maintain at its own expense during the term
of this Agreement or for other periods as specified in this Agreement, policies of insurance
of the type, amounts, terms and conditions described in the Insurance Requirements
attached hereto as Exhibit C, and incorporated herein by reference.
15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS
Except as specifically authorized under this Agreement, the Services to be
provided under this Agreement shall not be assigned, transferred contracted or
subcontracted out without the prior written approval of City. Any of the following shall be
construed as an assignment: The sale, assignment, transfer or other disposition of any
of the issued and outstanding capital stock of Consultant, or of the interest of any general
partner or joint venturer or syndicate member or cotenant if Consultant is a partnership or
joint -venture or syndicate or co -tenancy, which shall result in changing the control of
Consultant. Control means fifty percent (50%) or more of the voting power or twenty-five
percent (25%) or more of the assets of the corporation, partnership or joint -venture.
Illumant, LLC Page 5
16. SUBCONTRACTING
The subcontractors authorized by City, if any, to perform Work on this Project are
identified in Exhibit A. Consultant shall be fully responsible to City for all acts and
omissions of any subcontractor. Nothing in this Agreement shall create any contractual
relationship between City and any subcontractor nor shall it create any obligation on the
part of City to pay or to see to the payment of any monies due to any such subcontractor
other than as otherwise required by law. City is an intended beneficiary of any Work
performed by the subcontractor for purposes of establishing a duty of care between the
subcontractor and City. Except as specifically authorized herein, the Services to be
provided under this Agreement shall not be otherwise assigned, transferred, contracted
or subcontracted out without the prior written approval of City.
17. OWNERSHIP OF DOCUMENTS
17.1 Each and every report, draft, map, record, plan, document and other writing
produced, including but not limited to, websites, blogs, social media accounts and
applications (hereinafter "Documents"), prepared or caused to be prepared by Consultant,
its officers, employees, agents and subcontractors, in the course of implementing this
Agreement, shall become the exclusive property of City, and City shall have the sole right
to use such materials in its discretion without further compensation to Consultant or any
other party. Additionally, all material posted in cyberspace by Consultant, its officers,
employees, agents and subcontractors, in the course of implementing this Agreement,
shall become the exclusive property of City, and City shall have the sole right to use such
materials in its discretion without further compensation to Consultant or any other party.
Consultant shall, at Consultant's expense, provide such Documents, including all logins
and password information to City upon prior written request.
17.2 Documents, including drawings and specifications, prepared by Consultant
pursuant to this Agreement are not intended or represented to be suitable for reuse by
City or others on any other project. Any use of completed Documents for other projects
and any use of incomplete Documents without specific written authorization from
Consultant will be at City's sole risk and without liability to Consultant. Further, any and
all liability arising out of changes made to Consultant's deliverables under this Agreement
by City or persons other than Consultant is waived against Consultant, and City assumes
full responsibility for such changes unless City has given Consultant prior notice and has
received from Consultant written consent for such changes.
17.3 All written documents shall be transmitted to City in formats compatible with
Microsoft Office and/or viewable with Adobe Acrobat.
18. CONFIDENTIALITY
All Documents, including drafts, preliminary drawings or plans, notes and
communications that result from the Services in this Agreement, shall be kept confidential
unless City expressly authorizes in writing the release of information.
Illumant, LLC Page 6
19. INTELLECTUAL PROPERTY INDEMNITY
Consultant shall defend and indemnify City, its agents, officers, representatives
and employees against any and all liability, including costs, for infringement or alleged
infringement of any United States' letters patent, trademark, or copyright, including costs,
contained in Consultant's Documents provided under this Agreement.
20. RECORDS
Consultant shall keep records and invoices in connection with the Services to be
performed under this Agreement. Consultant shall maintain complete and accurate
records with respect to the costs incurred under this Agreement and any Services,
expenditures and disbursements charged to City, for a minimum period of three (3) years,
or for any longer period required by law, from the date of final payment to Consultant
under this Agreement. All such records and invoices shall be clearly identifiable.
Consultant shall allow a representative of City to examine, audit and make transcripts or
copies of such records and invoices during regular business hours. Consultant shall allow
inspection of all Work, data, Documents, proceedings and activities related to the
Agreement for a period of three (3) years from the date of final payment to Consultant
under this Agreement.
21. WITHHOLDINGS
City may withhold payment to Consultant of any disputed sums until satisfaction of
the dispute with respect to such payment. Such withholding shall not be deemed to
constitute a failure to pay according to the terms of this Agreement. Consultant shall not
discontinue Work as a result of such withholding. Consultant shall have an immediate
right to appeal to the City Manager or designee with respect to such disputed sums.
Consultant shall be entitled to receive interest on any withheld sums at the rate of return
that City earned on its investments during the time period, from the date of withholding of
any amounts found to have been improperly withheld.
22. ERRORS AND OMISSIONS
In the event of errors or omissions that are due to the negligence or professional
inexperience of Consultant which result in expense to City greater than what would have
resulted if there were not errors or omissions in the Work accomplished by Consultant,
the additional design, construction and/or restoration expense shall be borne by
Consultant. Nothing in this Section is intended to limit City's rights under the law or any
other sections of this Agreement.
23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS
City reserves the right to employ other Consultants in connection with the Project.
Illumant, LLC Page 7
24. CONFLICTS OF INTEREST
24.1 Consultant or its employees may be subject to the provisions of the
California Political Reform Act of 1974 (the "Act") and/or Government Code §§ 1090 et
seq., which (1) require such persons to disclose any financial interest that may
foreseeably be materially affected by the Work performed under this Agreement, and (2)
prohibit such persons from making, or participating in making, decisions that will
foreseeably financially affect such interest.
24.2 If subject to the Act and/or Government Code §§ 1090 et seg., Consultant
shall conform to all requirements therein. Failure to do so constitutes a material breach
and is grounds for immediate termination of this Agreement by City. Consultant shall
indemnify and hold harmless City for any and all claims for damages resulting from
Consultant's violation of this Section.
25. NOTICES
25.1 All notices, demands, requests or approvals, including any change in
mailing address, to be given under the terms of this Agreement shall be given in writing,
and conclusively shall be deemed served when delivered personally, or on the third
business day after the deposit thereof in the United States mail, postage prepaid, first-
class mail, addressed as hereinafter provided.
25.2 All notices, demands, requests or approvals from Consultant to City shall
be addressed to City at:
Attn: IT Operations Supervisor
City Manager's Office/IT
City of Newport Beach
100 Civic Center Drive
PO Box 1768
Newport Beach, CA 92658
25.3 All notices, demands, requests or approvals from City to Consultant shall
be addressed to Consultant at:
Attn: Billens Crow
Illumant, LLC
431 Florence Street, Suite 210
Palo Alto, CA 94301
26. CLAIMS
Unless a shorter time is specified elsewhere in this Agreement, before making its
final request for payment under this Agreement, Consultant shall submit to City, in writing,
all claims for compensation under or arising out of this Agreement. Consultant's
acceptance of the final payment shall constitute a waiver of all claims for compensation
under or arising out of this Agreement except those previously made in writing and
Illumant, LLC Page 8
identified by Consultant in writing as unsettled at the time of its final request for payment.
Consultant and City expressly agree that in addition to any claims filing requirements set
forth in the Agreement, Consultant shall be required to file any claim Consultant may have
against City in strict conformance with the Government Claims Act (Government Code
sections 900 et seq.).
27. TERMINATION
27.1 In the event that either party fails or refuses to perform any of the provisions
of this Agreement at the time and in the manner required, that party shall be deemed in
default in the performance of this Agreement. If such default is not cured within a period
of two (2) calendar days, or if more than two (2) calendar days are reasonably required
to cure the default and the defaulting party fails to give adequate assurance of due
performance within two (2) calendar days after receipt of written notice of default,
specifying the nature of such default and the steps necessary to cure such default, and
thereafter diligently take steps to cure the default, the non -defaulting party may terminate
the Agreement forthwith by giving to the defaulting party written notice thereof.
27.2 Notwithstanding the above provisions, City shall have the right, at its sole
and absolute discretion and without cause, of terminating this Agreement at any time by
giving no less than seven (7) calendar days' prior written notice to Consultant. In the
event of termination under this Section, City shall pay Consultant for Services
satisfactorily performed and costs incurred up to the effective date of termination for which
Consultant has not been previously paid. On the effective date of termination, Consultant
shall deliver to City all reports, Documents and other information developed or
accumulated in the performance of this Agreement, whether in draft or final form.
28. STANDARD PROVISIONS
28.1 Recitals. City and Consultant acknowledge that the above Recitals are true
and correct and are hereby incorporated by reference into this Agreement.
28.2 Compliance with all Laws. Consultant shall, at its own cost and expense,
comply with all statutes, ordinances, regulations and requirements of all governmental
entities, including federal, state, county or municipal, whether now in force or hereinafter
enacted. In addition, all Work prepared by Consultant shall conform to applicable City,
county, state and federal laws, rules, regulations and permit requirements and be subject
to approval of the Project Administrator and City.
28.3 Waiver. A waiver by either party of any breach, of any term, covenant or
condition contained herein shall not be deemed to be a waiver of any subsequent breach
of the same or any other term, covenant or condition contained herein, whether of the
same or a different character.
28.4 Integrated Contract. This Agreement represents the full and complete
understanding of every kind or nature whatsoever between the parties hereto, and all
preliminary negotiations and agreements of whatsoever kind or nature are merged herein.
No verbal agreement or implied covenant shall be held to vary the provisions herein.
Illumant, LLC Page 9
28.5 Conflicts or Inconsistencies. In the event there are any conflicts or
inconsistencies between this Agreement and the Scope of Services or any other
attachments attached hereto, the terms of this Agreement shall govern.
28.6 Interpretation. The terms of this Agreement shall be construed in
accordance with the meaning of the language used and shall not be construed for or
against either party by reason of the authorship of the Agreement or any other rule of
construction which might otherwise apply.
28.7 Amendments. This Agreement may be modified or amended only by a
written document executed by both Consultant and City and approved as to form by the
City Attorney.
28.8 Severability. If any term or portion of this Agreement is held to be invalid,
illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining
provisions of this Agreement shall continue in full force and effect.
28.9 Controlling Law and Venue. The laws of the State of California shall govern
this Agreement and all matters relating to it and any action brought relating to this
Agreement shall be adjudicated in a court of competent jurisdiction in the County of
Orange, State of California.
28.10 Equal Opportunity Employment. Consultant represents that it is an equal
opportunity employer and it shall not discriminate against any subcontractor, employee
or applicant for employment because race, religious creed, color, national origin,
ancestry, physical handicap, medical condition, marital status, sex, sexual orientation,
age or any other impermissible basis under law.
28.11 No Attorneys' Fees. In the event of any dispute or legal action arising under
this Agreement, the prevailing party shall not be entitled to attorneys' fees.
28.12 Counterparts. This Agreement may be executed in two (2) or more
counterparts, each of which shall be deemed an original and all of which together shall
constitute one (1) and the same instrument.
[SIGNATURES ON NEXT PAGE]
Illumant, LLC Page 10
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed
on the dates written below.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date: to • K, do
By: k� m) (",,
A n C. Harp ' 4 *yv
Ci Attorney
ATTEST: 7 0. "2-0Date:
Leilani 1. Brown
City Clerk
CITY OF NEWPORT BEACH,
a California m mci al corporation
Date:/// Z6Zo
By: w/ z'
Micheal Wojciechowski
IT Operations Supervisor
CONSULTANT: Illumant, LLC, a
California limited liability company
Date: 6/5/2020
By.
Mat Siljak
Manager
Date: 6/5/2020
By:
Mark Snodgrass
Manager
[END OF SIGNATURES]
Attachments: Exhibit A - Scope of Services
Exhibit B - Schedule of Billing Rates
Exhibit C - Insurance Requirements
Illumant, LLC Page 11
EXHIBIT A
SCOPE OF SERVICES
Illumant, LLC Page A-1
This section presents in more detail the methodology we employ for each of our services. Additionally, it lists the
information and access we will need to be able to effectively perform the work.
Perimeter Security Assessment
& Penetration Testing (PSA)
Description
External vulnerability assessment, manual validation and penetration testing of Internet facing networks, systems, sites and
applications (aka the hacker's perspective). Includes identification,
manual validation and benign exploitation of vulnerabilities, along
with actionable remediation recommendations for improved security.
Highlights
Targets
• Scanning to create a baseline of vulnerabilities and security
• Internet -facing networks, systems, applications, services,
risks
ports, protocols:
• Testing can be performed overtly or covertly (w or w/o
• Web sites
informing IT and security personnel)
• Web applications (non -credentialed testing)
• Best -of -breed open source and commercial vulnerability
o For credentialed testing see Web Application
harvesting tools
Security Assessment (WASA)
o A cross section is used to limit exposure to the
• Servers
limitations of any single tool, and reap the
• VPNs
benefits the strengths each tool provides
• Firewalls
• Manual validation to eliminate false positives, confirm
• Border routers
findings
• Internet -facing services (FTP, Telnet, SSH, and many more)
• Manual testing to find additional vulnerabilities not found by
• 100,000+ known vulnerabilities, client -specific vulnerabilities
scanning tools
in custom applications, configurations and software
• Penetration testing through custom-designed and pre-
existing exploits to test real severity
0 Illumant's pen testing and manual testing
techniques are continually updated through
research and participation in hacker forums
and conferences (e.g. BlackHat, DEFCON,
SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry
• Retesting (within 6 months of initial test)
Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in -scope target networks, system IPs, URLs
• Testing can be information with or without informing other IT
or security personnel (overtly or covertly) to test response
protocols and readiness.
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications,
systems, versions, and OS guesses
• Manual review of IPs, ports, URLs, to refine information about in scope target systems including function, manufacturer, OS,
applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source
tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations
of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and
commercially maintained vulnerability databases
Manual validation and manual testing:
• Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom
configuration, custom designs, custom applications, and use of purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-
destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf
applications
Findings:
• PSA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF
injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object
references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing
patches, vulnerable versions and many more
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
• Ratings are benchmarked against thousands of previous assessments.
Vulnerability Databases
Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVO, Rapid7, OWASP
Tools
Qualys, Nessus, NeXpose, Saint, Metasp_loit, _ZAP, NTO Spider, Burp Suite, Nikto
Notes
A retest is provided with 6 months of the initial test to assist with validation of remediation efforts.
Internet-facing web applications are tested as part of this test without credentials. For full credentialed application testing (gray box
testing), see the Web Application Security Assessment (WASA).
Description
Internal, unfiltered vulnerability analysis and penetration testing of mission -critical applications, systems and networks for validation of
layered -security and defense in depth.
Highlights
• Scanning to create a baseline of vulnerabilities and security
risks
• Best -of -breed open source and commercial vulnerability
harvesting tools
o A cross section is used to limit exposure to the
limitations of any single tool, and reap the benefits the
strengths each tool provides
• Manual validation to eliminate false positives, confirm
findings
• Manual testing to find additional vulnerabilities not found by
scanning tools
• Penetration testing through custom-designed and pre-
existing exploits to test real severity
o Illumant's pen testing and manual testing techniques are
continually updated through research and participation
in hacker forums and conferences (e.g. BlackHat,
DEPCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry
Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in -scope target networks, system IPs, URLs
Enumeration/Recon:
Targets
• Internal networks, systems, applications, services, ports,
protocols:
• Web sites
• Web applications (non -credentialed testing)
o For credentialed testing see Web Application Security
Assessment (WASA)
• Servers
• VPNs
• Firewalls
• Border routers
• 100,000+ known vulnerabilities, unique vulnerabilities from
custom designs, configurations and software
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications,
systems, versions, and OS guesses
• Manual review of IPs, ports, and URLs to refine information about in scope target systems including function, manufacturer, 05,
applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in scope target networks, systems and applications using best -of -breed commercial and open -source
tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations
of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and
commercially maintained vulnerability databases
Manual validation and manual testing:
• Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom
configuration, custom designs, custom applications, and use of purpose-built scripts
Penetration testing and exploitation:
.41
;tp° 4
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-
destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf
applications
Findings:
• CASA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF
injection, directory traversal, auth vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object
references, security misconfiguration, sensitive data exposure, missing function level access control, buffer overflows, missing
patches, vulnerable versions and many more
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Vulnerability Databases
Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, RapW, OWASP
.........
Tools
Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite
Notes
Testing for the CASA is performed without credentials to test susceptibility to attack propagation by outside attackers, or insiders with
lower privileges or without authorization. For credentialed testing of applications see our WASA (Web applications). For credentialed
testing of other critical assets see our platform -specific reviews, e.g.: MSSA (Microsoft servers), NixSA (UNIX/Linux servers), ADSA
(Active Directory), etc. For credentialed testing of the user computing environment, see our LAN Security Assessment (LANSA). These
other credentialed tests include full reporting on patch levels.
LAN Security Assessment (LANSA)
Description
Internal, unfiltered vulnerability analysis and penetration testing of desktops, laptops and other LAN-based systems for validation of
end-user computing system security.
Highlights Targets
• Scanning to create a baseline of vulnerabilities and security • LANs, desktops, workstations, laptops, printers, LAN devices,
risks applications, services, ports, protocols from within firewalls
• Best-of-breed open source and commercial vulnerability boundaries— unfiltered analysis:
harvesting tools 0 Desktops
o A cross section is used to limit exposure to the 0 Workstations
limitations of any single tool, and reap the benefits the 0 Laptops
strengths each tool provides o LAN servers
• Manual validation to eliminate false positives, confirm o Switches
findings 0 Printers
• Manual testing to find additional vulnerabilities not found by o Other LAN Devices
scanning tools • 100,000+ known vulnerabilities, unique vulnerabilities from
• Penetration testing through custom-designed and pre- custom designs, configurations and software
existing exploits to test real severity
o Illumant's pen testing and manual testing techniques are
continually updated through research and participation
in hacker forums and conferences (e.g. BlackHat,
DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs industry
Methodology
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications,
systems, versions, and OS guesses
• Manual review of IPs, ports, URLs, to refine information about in scope target systems including function, manufacturer, OS,
applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in scope target networks, systems and applications using best-of-breed commercial and open-source
tools and scripts
• Credentialed testing of desktops, laptops and work stations to validate 05 and application versions, and missing patches.
• Multiple tools are used to provide the widest possible initial baseline for additional analysis
•
100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open source vulnerability databases and
commercially maintained vulnerability databases
• End-user system vulnerabilities include: Default credentials, malware sweeps, security m isconfigu ration, sensitive data
exposure, backdoors, trojans, viruses, vulnerable applications, out-of-date 05s, missing patches, and many more.
• For LAN servers and other devices vulnerabilities tested may also include: CGI abuses, buffer overflows, default credentials, SQL
injection, URL injection, C5RF injection, directory traversal, AJAX vulnerabilities, insecure direct object references, missing
function level access control, buffer overflows, etc.
Manual validation and manual testing:
• Expert manual review of vulnerabilities identified to confirm validity of identified vulnerabilities and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners due to custom configuration,
custom designs and custom applications using purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-
destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom on off -the shelf
applications
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Vulnerability Databases
Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP
Tools
Oualys,. Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite
Notes
LAN-based systems maybe numerous. Illumant specifies vulnerabilities that affect all or most systems, and calls out exceptionally
vulnerable outliers, as well.
Testing of end-user systems is performed with credentials to evaluate the security within the end -user's context including patch -levels,
vulnerable applications and out-of-date OSs.
Description
Credentialed and non -credentialed vulnerability assessment and penetration testing of web -based and intranet applications to validate
security and protection against outside attackers, malware, privilege escalation and account hijacking.
Highlights
• Web service/application testing
• With and/or without credentials
• Testing with cross section of best -of -breed tools
• Manual validation and penetration testing using expert, state -
of -the art techniques and methodologies
• Vulnerability targets:
o Logic flaws
o Lateral and vertical privilege escalation
o Injection (SQL, LDAP, URL...)
o Authentication
o Session management (Session Hijacking)
o XSS/CSRF
o Misconfigurations
o Vulnerable components
o Forged forward and redirects
o Malware
o more
• Test against OWASP Top 10
• Remediation recommendations
Methodology
Targets
• Webapplications
o Users from all permissions categories
o Registration processes
o Login pages
o All links/URLs
o All input fields
o All application workflows
Privileged objects and functionality
Scoping:
• Client provides in -scope target applications/URLs
• Testing may be performed on production systems, or in a sandbox/development environment
• For production systems, testing is performed outside of peak hours and tests are limited to non-destructive testing
• Credentials/test accounts to be provided if credentialed testing is required. Accounts should represent sample of all user
account/permissions types/privilege levels.
Vulnerability Analysis/Harvesting:
• Automated scanning of in scope target applications using best -of -breed commercial and open -source application security
analysis tools
• Multiple tools are used to provide a maximally broad initial baseline for subsequent analysis
• Vulnerabilities identified in the following areas: Injection, authentication, session management, X55/CSRF, misconfigu rations,
vulnerable components, forged forwards and redirects
• Automated testing performed with and without credentials to baseline public- and private -side app functionality. Tests for
unauthorized access, lateral and vertical privilege escalation, session hijacking and lateral account traversal
Manual validation and manual testing:
• Manual validation of results of automated testing to discard false positives and test the severity of confirmed vulnerabilities.
• For confirmed vulnerabilities, Illumant runs known and custom designed exploits and attempts to propagate attacks to retrieve
sensitive information or verify possibility of pivoting to other targets
• Illumant follows a separate thorough manual testing plan to test each application for vulnerabilities. This step is performed to
uncover vulnerabilities missed by automated tools. This happens frequently particularly with custom or internally developed
• IIlumant's manual testing plan draws from best -practices standards (e.g. OWASP) as well as years of experience.
• Manual testing includes waIkthrough of all workflows, including registration and login, and other application specific workflows
• All links, URLs, input fields are tested for logic flaws that could expose sensitive information, or allow for lateral or vertical
escalation of privileges.
Reporting:
• Findings are described in the report including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
Ratings are benchmarked against thousands of previous assessments.
Standards
OWASP, WAHH
Tools
Nessus, Qualys Web Application Scanner, ZAP, Nikto, Nexpose, Metasploit, internal tools
Notes
Testing assesses against OWASP Top 10 and beyond to ensure baseline coverage and more. For production systems, Illumant takes
care not to run potentially destructive exploits.
ii,'„ill;llll
Reports
Information Security Assessment Retesting Services Proposal
Prepared for City of Newport Beach
May 15, 2020
The findings are compiled into confidential reports with both executive and technical summaries, as well as comprehensive
actionable recommendations. In addition, we provide full technical details concerning vulnerabilities and other findings.
Remediation advice is presented for the vulnerabilities that are uncovered. An "Action Items' list is generated and
additional recommendations for enhancing security and efficiency are presented.
Illumant's security team will formally present the highlights of the report to Newport Beach. The presentation will contair
both an executive -level overview and technical details of the state of the organization's networks. The meeting or
conference call will provide an opportunity to discuss the findings in detail, as well as to discuss remediation options with
Illumant's Expert Security Analysts.
Illumant Security Assessment and Compliance www. Ilumant-eom
331 Florence Street, Suite 210, Palo Alto, California 94301 Info@illumantcom
+1.6509615911 (main) at. 650.961.5912 (faxl page 16
EXHIBIT B
SCHEDULE OF BILLING RATES
Illumant, LLC Page B-1
Our fees are based on our consultants' level of experience and skill and the time and effort required to complete the
assessment. The following section shows our rates for each project component. These rates exclude travel and out-of-
pocket expenses.
All services are offered a la carte.
Core Services
Fees
Perimeter Security Assessment (PSA) - Retest
Up to 54 externally accessible systems
$ 2,700
Critical Asset Security Assessment (CASA) - Retest
Up to 350 servers and infrastructure devices
$ 4,500
LAN Security Assessment (LANSA) - Retest
Up to 700 workstations (reporting on representative units and outliers)
$ 2,850
Web Application Security Assessment (WASA) — Retest
Critical applications (with and without credentials)
$ 3,750
Discount— Choose all and receive PSA Retest free
-$2,700
Total
$ 11,100
Free differential assessments are provided (for PSAs only) within 6 months of each initial assessment. This acts as a follow
up to validate remediation efforts. Any new vulnerabilities detected during the differential assessment will also be
reported.
Payment Terms
For fixed fee engagements:
A 30% retainer fee is due at the start of the engagement. A milestone payment of 50% is due upon completion of draft
results. The remaining 20% is due upon delivery of the final reports. With the exception of the retainer, payments are due
Net 10 days from the invoice date. Fees do not include travel and expenses.
A discount of 20% (the amount of the final payment) is offered for each service component for which a three-year contract
is selected. This discount is available up until receipt of the final payment for the project. This provides the opportunity to
review final deliverables before committing to a 3 -year term.
EXHIBIT C
INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES
1. Provision of Insurance. Without limiting Consultant's indemnification of City, and
prior to commencement of Work, Consultant shall obtain, provide and maintain at
its own expense during the term of this Agreement, policies of insurance of the
type and amounts described below and in a form satisfactory to City. Consultant
agrees to provide insurance in accordance with requirements set forth here. If
Consultant uses existing coverage to comply and that coverage does not meet
these requirements, Consultant agrees to amend, supplement or endorse the
existing coverage.
2. Acceptable Insurers. All insurance policies shall be issued by an insurance
company currently authorized by the Insurance Commissioner to transact
business of insurance in the State of California, with an assigned policyholders'
Rating of A- (or higher) and Financial Size Category Class VII (or larger) in
accordance with the latest edition of Best's Key Rating Guide, unless otherwise
approved by the City's Risk Manager.
3. Coverage Requirements.
A. Workers' Compensation Insurance. Consultant shall maintain Workers'
Compensation Insurance, statutory limits, and Employer's Liability
Insurance with limits of at least one million dollars ($1,000,000) each
accident for bodily injury by accident and each employee for bodily injury by
disease in accordance with the laws of the State of California, Section 3700
of the Labor Code.
Consultant shall submit to City, along with the certificate of insurance, a
Waiver of Subrogation endorsement in favor of City, its City Council, boards
and commissions, officers, agents, volunteers and employees.
B. General Liability Insurance. Consultant shall maintain commercial general
liability insurance, and if necessary umbrella liability insurance, with
coverage at least as broad as provided by Insurance Services Office form
CG 00 01, in an amount not less than one million dollars ($1,000,000) per
occurrence, two million dollars ($2,000,000) general aggregate. The policy
shall cover liability arising from premises, operations, personal and
advertising injury, and liability assumed under an insured contract (including
the tort liability of another assumed in a business contract).
C. Automobile Liability Insurance. Consultant shall maintain automobile
insurance at least as broad as Insurance Services Office form CA 00 01
covering bodily injury and property damage for all activities of Consultant
arising out of or in connection with Work to be performed under this
Agreement, including coverage for any owned, hired, non -owned or rented
vehicles, in an amount not less than one million dollars ($1,000,000)
combined single limit each accident.
Illumant, LLC Page C-1
D. Professional Liability (Errors & Omissions) Insurance. Consultant shall
maintain professional liability insurance that covers the Services to be
performed in connection with this Agreement, in the minimum amount of
one million dollars ($1,000,000) per claim and two million dollars
($2,000,000) in the aggregate. Any policy inception date, continuity date,
or retroactive date must be before the Effective Date of this Agreement and
Consultant agrees to maintain continuous coverage through a period no
less than three years after completion of the Services required by this
Agreement.
4. Other Insurance Requirements. The policies are to contain, or be endorsed to
contain, the following provisions:
A. Waiver of Subrogation. All insurance coverage maintained or procured
pursuant to this Agreement shall be endorsed to waive subrogation against
City, its City Council, boards and commissions, officers, agents, volunteers
and employees or shall specifically allow Consultant or others providing
insurance evidence in compliance with these requirements to waive their
right of recovery prior to a loss. Consultant hereby waives its own right of
recovery against City, and shall require similar written express waivers from
each of its subconsultants.
B. Additional Insured Status. All liability policies including general liability,
excess liability, pollution liability, and automobile liability, if required, but not
including professional liability, shall provide or be endorsed to provide that
City, its City Council, boards and commissions, officers, agents, volunteers
and employees shall be included as insureds under such policies.
C. Primary and Non Contributory. All liability coverage shall apply on a primary
basis and shall not require contribution from any insurance or self-insurance
maintained by City.
D. Notice of Cancellation. All policies shall provide City with thirty (30)
calendar days' notice of cancellation (except for nonpayment for which ten
(10) calendar days' notice is required) or nonrenewal of coverage for each
required coverage.
5. Additional Agreements Between the Parties. The parties hereby agree to the
following:
A. Evidence of Insurance. Consultant shall provide certificates of insurance to
City as evidence of the insurance coverage required herein, along with a
waiver of subrogation endorsement for workers' compensation and other
endorsements as specified herein for each coverage. Insurance certificates
and endorsement must be approved by City's Risk Manager prior to
commencement of performance. Current certification of insurance shall be
kept on file with City at all times during the term of this Agreement. The
certificates and endorsements for each insurance policy shall be signed by
a person authorized by that insurer to bind coverage on its behalf. At least
Illumant, LLC Page C-2
fifteen (15) days prior to the expiration of any such policy, evidence of
insurance showing that such insurance coverage has been renewed or
extended shall be filed with the City. If such coverage is cancelled or
reduced, Consultant shall, within ten (10) days after receipt of written notice
of such cancellation or reduction of coverage, file with the City evidence of
insurance showing that the required insurance has been reinstated or has
been provided through another insurance company or companies. City
reserves the right to require complete, certified copies of all required
insurance policies, at any time.
B. City's Right to Revise Requirements. City reserves the right at any time
during the term of the Agreement to change the amounts and types of
insurance required by giving Consultant sixty (60) calendar days' advance
written notice of such change. If such change results in substantial
additional cost to Consultant, City and Consultant may renegotiate
Consultant's compensation.
C. Enforcement of Agreement Provisions. Consultant acknowledges and
agrees that any actual or alleged failure on the part of City to inform
Consultant of non-compliance with any requirement imposes no additional
obligations on City nor does it waive any rights hereunder.
D. Requirements not Limiting. Requirements of specific coverage features or
limits contained in this Section are not intended as a limitation on coverage,
limits or other requirements, or a waiver of any coverage normally provided
by any insurance. Specific reference to a given coverage feature is for
purposes of clarification only as it pertains to a given issue and is not
intended by any party or insured to be all inclusive, or to the exclusion of
other coverage, or a waiver of any type. If the Consultant maintains higher
limits than the minimums shown above, the City requires and shall be
entitled to coverage for higher limits maintained by the Consultant. Any
available insurance proceeds in excess of the specified minimum limits of
insurance and coverage shall be available to the City.
E. Self-insured Retentions. Any self-insured retentions must be declared to
and approved by City. City reserves the right to require that self-insured
retentions be eliminated, lowered, or replaced by a deductible. Self-
insurance will not be considered to comply with these requirements unless
approved by City.
F. City Remedies for Non -Compliance. If Consultant or any subconsultant fails
to provide and maintain insurance as required herein, then City shall have
the right but not the obligation, to purchase such insurance, to terminate this
Agreement, or to suspend Consultant's right to proceed until proper
evidence of insurance is provided. Any amounts paid by City shall, at City's
sole option, be deducted from amounts payable to Consultant or reimbursed
by Consultant upon demand.
Illumant, LLC Page C-3
G. Timely Notice of Claims. Consultant shall give City prompt and timely notice
of claims made or suits instituted that arise out of or result from Consultant's
performance under this Agreement, and that involve or may involve
coverage under any of the required liability policies. City assumes no
obligation or liability by such notice, but has the right (but not the duty) to
monitor the handling of any such claim or claims if they are likely to involve
City.
H. Consultant's Insurance. Consultant shall also procure and maintain, at its
own cost and expense, any additional kinds of insurance, which in its own
judgment may be necessary for its proper protection and prosecution of the
Work.
Illumant, LLC Page C-4
Biddle, Jennifer
From: Franceschini, Melanie
Sent: Wednesday, July 29, 2020 5:28 PM
To: Biddle, Jennifer
Subject: FW: Compliance Alert -Vendor Number FV00000154
-----Original Message -----
From: Customer Service <customerservice@ebix.com>
Sent: Wednesday, July 29, 2020 5:28 PM
To: Franceschini, Melanie <MFranceschini@newportbeachca.gov>; Insurance <insurance@newportbeachca.gov>
Cc: sagar@ebix.com
Subject: Compliance Alert -Vendor Number FV00000154
[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.
This Account has moved from non-compliant to COMPLIANT status and is currently in compliance for certificate of
insurance requirements. FV00000154 Illumant, LLC
Sent by Ebix, designated insurance certificate reviewer for the City of Newport Beach.