Illumant LLC; 2026-01-27;
AGREEMENT FOR SECURITY ASSESSMENT SERVICES
ILLUMANT, LLC

City Attorney Approved Version 5/30/2025
Docusign Envelope ID: 477E7E84-5EFE-4C55-8DFF-A050E7F64352

THIS AGREEMENT ("Agreement") is made and entered into as of the 27th day of January, 2026, by and between the City of Carlsbad, California, a municipal corporation ("City") and Illumant, LLC, a California limited liability company ("Contractor").

RECITALS

A. City requires the professional services of a consultant that is experienced in information technology security assessment services.

B. Contractor has the necessary experience in providing professional services and advice related to information technology security assessment services.

C. Contractor has submitted a proposal to City and has affirmed its willingness and ability to perform such work.

NOW, THEREFORE, in consideration of these recitals and the mutual covenants contained in this Agreement, City and Contractor agree as follows:

1. SCOPE OF WORK
City retains Contractor to perform, and Contractor agrees to render, those services ("Services") that are defined in attached Exhibit "A," which is incorporated by this reference in accordance with this Agreement's terms and conditions.

2. STANDARD OF PERFORMANCE
While performing the Services, Contractor will exercise the reasonable professional care and skill customarily exercised by reputable members of Contractor's profession practicing in the United States of America, and will use reasonable diligence and best judgment while exercising its professional skill and expertise.

3. TERM
The term of this Agreement will be effective for a period of one (1) year and six (6) months from the date first above written.

4. TIME IS OF THE ESSENCE
Time is of the essence for each and every provision of this Agreement.

5. COMPENSATION
The total fee payable for the Services to be performed during the initial Agreement term shall not exceed thirty-six thousand five hundred twenty-five dollars ($36,525). No other compensation for the Services will be allowed except for items covered by subsequent amendments to this Agreement. Payment terms are Net 30 unless otherwise provided in Exhibit "A" or agreed to in writing by the parties. City reserves the right to withhold a ten percent (10%) retention until City has accepted the work and/or Services specified in Exhibit "A." Incremental payments, if applicable, should be made as outlined in attached Exhibit "A."

6. STATUS OF CONTRACTOR
Contractor will perform the Services in Contractor's own way as an independent contractor and in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be under the control of City only as to the result to be accomplished, but will consult with City as necessary. The persons used by Contractor to provide services under this Agreement will not be considered employees of City for any purposes. The payment made to Contractor pursuant to this Agreement will be the full and complete compensation to which Contractor is entitled. City will not make any federal or state tax withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be required to pay any workers' compensation insurance or unemployment contributions on behalf of Contractor or its employees or subcontractors. Contractor agrees to indemnify City within thirty (30) days for any tax, retirement contribution, social security, overtime payment, unemployment payment or workers' compensation payment which City may be required to make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work done under this Agreement. At City's election, City may deduct the indemnification amount from any balance owing to Contractor.

7. SUBCONTRACTING
Contractor will not subcontract any portion of the Services without prior written approval of City. If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly employed by the subcontractor, as Contractor is for the acts and omissions of persons directly employed by Contractor. Nothing contained in this Agreement will create any contractual relationship between any subcontractor of Contractor and City. Contractor will be responsible for payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of a subcontractor by the terms of this Agreement applicable to Contractor's work unless specifically noted to the contrary in the subcontract and approved in writing by City.

8. OTHER CONTRACTORS
City reserves the right to employ other Contractors in connection with the Services.

9. INDEMNIFICATION
Contractor agrees to defend (with counsel approved by City), indemnify, and hold harmless the City and its officers, elected and appointed officials, employees and volunteers from and against all claims, damages, losses and expenses, including attorneys fees, arising out of the performance of the work described in this Agreement caused by any negligence, recklessness, or willful misconduct of Contractor, any subcontractor, anyone directly or indirectly employed by any of them, or anyone for whose acts any of them may be liable.
If Contractor's obligation to defend, indemnify, and/or hold harmless arises out of Contractor's performance as a "design professional" (as that term is defined under California Civil Code Section 2782.8), then, and only to the extent required by California Civil Code Section 2782.8, which is fully incorporated in this Agreement, Contractor's indemnification obligation shall be limited to claims that arise out of, pertain to, or relate to the negligence, recklessness, or willful misconduct of Contractor, and, upon Contractor obtaining a final adjudication by a court of competent jurisdiction, Contractor's liability for such claim, including the cost to defend, shall not exceed Contractor's proportionate percentage of fault.

The parties expressly agree that any payment, attorneys fee, costs or expense City incurs or makes to or on behalf of an injured employee under City's self-administered workers' compensation program is included as a loss, expense or cost for the purposes of this section, and that this section will survive the expiration or early termination of this Agreement.

10. CONFIDENTIALITY

10.1 Confidential Information. "Confidential Information" means any information or data derived from Contractor's vulnerability assessment or penetration testing, and any other information that a reasonable person would consider confidential.

10.2 Confidentiality Obligations. Contractor agrees: (i) not to disclose any Confidential Information to any employees, subcontractors, or any third parties except only as necessary to provide the Services hereunder; (ii) to bind such employees, subcontractors, or third parties by confidentiality obligations no less stringent than those set forth in this Agreement; (iii) not to use any Confidential Information for any purposes except carrying out responsibilities under this Agreement; and (iv) to keep the Confidential Information confidential using the same degree of care Contractor uses to protect its own confidential information; provided, however, that Contractor shall use at least reasonable care. These confidentiality obligations are a material term of this Agreement.

11. INSURANCE
Contractor will obtain and maintain for the duration of the Agreement and any and all amendments, insurance against claims for injuries to persons or damage to property which may arise out of or in connection with performance of the services by Contractor or Contractor's agents, representatives, employees or subcontractors. The insurance will be obtained from an insurance carrier admitted and authorized to do business in the State of California. The insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII"; OR with a surplus line insurer on the State of California's List of Approved Surplus Line Insurers (LASLI) with a rating in the latest Best's Key Rating Guide of at least "A:X"; OR an alien non-admitted insurer listed by the National Association of Insurance Commissioners (NAIC) latest quarterly listings report.

11.1 Coverages and Limits. Contractor will maintain the types of coverages and minimum limits indicated below, unless Risk Manager or City Manager approves a lower amount. These minimum amounts of coverage will not constitute any limitations or cap on Contractor's indemnification obligations under this Agreement. City, its officers, agents and employees make no representation that the limits of the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If Contractor believes that any required insurance coverage is inadequate, Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at Contractor's sole expense. The full limits available to the named insured shall also be available and applicable to City as an additional insured.

11.1.1 Commercial General Liability (CGL) Insurance. Insurance written on an "occurrence" basis, including personal and advertising injury, with limits no less than $2,000,000 per occurrence. If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location or the general aggregate limit shall be twice the required occurrence limit.

11.1.2 Automobile Liability (if the use of an automobile is involved for Contractor's work for City). $2,000,000 combined single-limit per accident for bodily injury and property damage.

11.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation limits as required by the California Labor Code. Workers' Compensation will not be required if Contractor has no employees and provides, to City's satisfaction, a declaration stating this.

11.1.4 Professional Liability. Errors and omissions liability appropriate to Contractor's profession with limits of not less than $1,000,000 per claim. Coverage must be maintained for a period of five years following the date of completion of the work.

11.2 Additional Provisions. Contractor will ensure that the policies of insurance required under this Agreement contain, or are endorsed to contain, the following provisions:

11.2.1 City will be named as an additional insured on Commercial General Liability, which shall provide primary coverage to City.

11.2.2 Contractor will obtain occurrence coverage, excluding Professional Liability, which will be written as claims-made coverage.

11.2.3 If Contractor maintains higher limits than the minimums shown above, City requires and will be entitled to coverage for the higher limits maintained by Contractor. Any available insurance proceeds in excess of the specified minimum limits of insurance and coverage will be available to City.

11.2.4 This insurance will be in force during the life of the Agreement and any extensions of it and will not be canceled without thirty (30) days prior written notice to City sent by certified mail pursuant to the Notice provisions of this Agreement.

11.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this Agreement, Contractor will furnish certificates of insurance and endorsements to City.

11.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance coverages, then City will have the option to declare Contractor in breach, or may purchase replacement insurance or pay the premiums that are due on existing policies in order to maintain the required coverages. Contractor is responsible for any payments made by City to obtain or maintain insurance, and City may collect these payments from Contractor or deduct the amount paid from any sums due Contractor under this Agreement.

11.5 Submission of Insurance Policies. City reserves the right to require, at any time, complete and certified copies of any or all required insurance policies and endorsements.

12. BUSINESS LICENSE
Contractor will obtain and maintain a City of Carlsbad Business License for the term of the Agreement, as may be amended from time to time.
13. ACCOUNTING RECORDS
Contractor will maintain complete and accurate records with respect to costs incurred under this Agreement. All records will be clearly identifiable. Contractor will allow a representative of City during normal business hours to examine, audit, and make transcripts or copies of records and any other documents created pursuant to this Agreement. Contractor will allow inspection of all work, data, documents, proceedings, and activities related to the Agreement for a period of four (4) years from the date of final payment under this Agreement.

14. OWNERSHIP OF DOCUMENTS
All work product produced by Contractor or its agents, employees, and subcontractors pursuant to this Agreement is the property of City. In the event this Agreement is terminated, all work product produced by Contractor or its agents, employees and subcontractors pursuant to this Agreement will be delivered at once to City. Contractor will have the right to make one (1) copy of the work product for Contractor's records.

15. COPYRIGHTS
Contractor agrees that all copyrights that arise from the services will be vested in City and Contractor relinquishes all claims to the copyrights in favor of City.

16. NOTICES
The names of the persons who are authorized to give written notice or to receive written notice on behalf of City and on behalf of Contractor under this Agreement are:

For City:
Name: Maria Callander
Title: IT Director
Dept: IT
Address: CITY OF CARLSBAD, 1635 Faraday Ave., Carlsbad, CA 92008
Phone: 442-339-2454

For Contractor:
Name: Billens Crow
Title: Sr. Solutions Advisor
Address: 431 Florence St, Suite 210, Palo Alto, CA 94301
Phone: 650.961.5911
Email: billens@illumant.com

Each party will notify the other immediately of any changes of address that would require any notice or delivery to be directed to another address.

17. CONFLICT OF INTEREST
Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the requirements of the City of Carlsbad Conflict of Interest Code. Contractor shall report investments or interests as required in the City of Carlsbad Conflict of Interest Code.

Yes ☐ No ☒

If yes, list the contact information below for all individuals required to file:
Name / Email / Phone Number

18. GENERAL COMPLIANCE WITH LAWS
Contractor will keep fully informed of federal, state and local laws and ordinances and regulations which in any manner affect those employed by Contractor, or in any way affect the performance of the Services by Contractor. Contractor will at all times observe and comply with these laws, ordinances, and regulations and will be responsible for the compliance of Contractor's services with all applicable laws, ordinances and regulations. Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986 and will comply with those requirements, including, but not limited to, verifying the eligibility for employment of all agents, employees, subcontractors and consultants whose services are required by this Agreement.

19. CALIFORNIA AIR RESOURCES BOARD (CARB) ADVANCED CLEAN FLEETS REGULATIONS
Contractor's vehicles with a gross vehicle weight rating greater than 8,500 lbs. and light-duty package delivery vehicles operated in California may be subject to the California Air Resources Board (CARB) Advanced Clean Fleets regulations. Such vehicles may therefore be subject to requirements to reduce emissions of air pollutants. For more information, please visit the CARB Advanced Clean Fleets webpage at https://ww2.arb.ca.gov/our-work/programs/advanced-clean-fleets.

20. DISCRIMINATION, HARASSMENT, AND RETALIATION PROHIBITED
Contractor will comply with all applicable local, state and federal laws and regulations prohibiting discrimination, harassment, and retaliation.

21. DISPUTE RESOLUTION
If a dispute should arise regarding the performance of the Services, the following procedure will be used to resolve any questions of fact or interpretation not otherwise settled by agreement between the parties. Representatives of Contractor or City will reduce such questions, and their respective views, to writing. A copy of such documented dispute will be forwarded to both parties involved along with recommended methods of resolution, which would be of benefit to both parties. The representative receiving the letter will reply to the letter along with a recommended method of resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded to the City Manager. The City Manager will consider the facts and solutions recommended by each party and may then opt to direct a solution to the problem. In such cases, the action of the City Manager will be binding upon the parties involved, although nothing in this procedure will prohibit the parties from seeking remedies available to them at law.

22. TERMINATION
In the event of Contractor's failure to prosecute, deliver, or perform the Services, City may terminate this Agreement for nonperformance by notifying Contractor by certified mail of the termination. If City decides to abandon or indefinitely postpone the work or services contemplated by this Agreement, City may terminate this Agreement upon written notice to Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any documents owned by City and all work in progress to the City address contained in this Agreement.
City will make a determination of fact based upon the work product delivered to City and of the percentage of work that Contractor has performed which is usable and of worth to City in having the Agreement completed. Based upon that finding City will determine the final payment of the Agreement.

City may terminate this Agreement by tendering thirty (30) days written notice to Contractor. Contractor may terminate this Agreement by tendering thirty (30) days written notice to City. In the event of termination of this Agreement by either party and upon request of City, Contractor will assemble the work product and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for work performed to the termination date; however, the total will not exceed the lump sum fee payable under this Agreement. City will make the final determination as to the portions of tasks completed and the compensation to be made.

23. COVENANTS AGAINST CONTINGENT FEES
Contractor warrants that Contractor has not employed or retained any company or person, other than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that Contractor has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration contingent upon, or resulting from, the award or making of this Agreement. For breach or violation of this warranty, City will have the right to annul this Agreement without liability, or, in its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee.

24. CLAIMS AND LAWSUITS
By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must be asserted as part of the Agreement process as set forth in this Agreement and not in anticipation of litigation or in conjunction with litigation. Contractor acknowledges that if a false claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal prosecution. Contractor acknowledges that California Government Code Sections 12650 et seq., the False Claims Act, applies to this Agreement and provides for civil penalties where a person knowingly submits a false claim to a public entity. These provisions include false claims made with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to recover its litigation costs, including attorneys fees. Contractor acknowledges that the filing of a false claim may subject Contractor to an administrative debarment proceeding as the result of which Contractor may be prevented from acting as a Contractor on any public work or improvement for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction is grounds for City to terminate this Agreement.

25. JURISDICTION AND VENUE
This Agreement shall be interpreted in accordance with the laws of the State of California without regard to, or application of, choice of law rules or principles. Any action at law or in equity brought by either of the parties for the purpose of enforcing a right or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the County of San Diego, State of California, and the parties waive all provisions of law providing for a change of venue in these proceedings to any other county.

26. SUCCESSORS AND ASSIGNS
It is mutually understood and agreed that this Agreement will be binding upon City and Contractor and their respective successors. Neither this Agreement nor any part of it nor any monies due or to become due under it may be assigned by Contractor without the prior consent of City, which shall not be unreasonably withheld.

27. THIRD PARTY RIGHTS
Nothing in this Agreement should be construed to give any rights or benefits to any party other than City and Contractor.

28. ENTIRE AGREEMENT
This Agreement, together with any other written document referred to or contemplated by it, along with the purchase order for this Agreement and its provisions, embody the entire Agreement and understanding between the parties relating to the subject matter of it. In case of conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor any of its provisions may be amended, modified, waived or discharged except in a writing signed by both parties. This Agreement may be executed in counterparts.

29. IT ADDENDUM
By this reference in accordance with this Agreement's terms and conditions, the IT Addendum attached is incorporated into the Agreement.

[Signature Page to Follow]

30. AUTHORITY
The individuals executing this Agreement and the instruments referenced in it on behalf of Contractor each represent and warrant that they have the legal power, right and actual authority to bind Contractor to the terms and conditions of this Agreement.

Executed by Contractor this 22nd day of January, 2026.
CONTRACTOR
Illumant, LLC, a California limited liability company

By: ______________________________ (sign here)
Matija Siljak, Director (print name/title)

CITY OF CARLSBAD, a municipal corporation of the State of California

By: ______________________________
IT Director

ATTEST:
SHERRY FREISINGER, City Clerk
By: Morgen Fry, Assistant City Clerk

If required by City, proper notarial acknowledgment of execution by contractor must be attached. If a corporation, Agreement must be signed by one corporate officer from each of the following two groups:

Group A: Chairman, President, or Vice-President
Group B: Secretary, Assistant Secretary, CFO or Assistant Treasurer

Otherwise, the corporation must attach a resolution certified by the secretary or assistant secretary under corporate seal empowering the officer(s) signing to bind the corporation.

APPROVED AS TO FORM:
CINDIE K. McMAHON, City Attorney
BY: _____________________________
Deputy City Attorney

Exhibit "A"

Information Security Assessment Services Proposal
Prepared for City of Carlsbad
Illumant | Security Assessment and Compliance
431 Florence Street, Suite 210, Palo Alto, California 94301
+1.650.961.5911 (main) | +1.650.961.5912 (fax)
www.illumant.com | info@illumant.com

Our core services comprise a complete baseline analysis of all in-scope information assets, including full vulnerability assessment with manual validation and penetration testing. No penetration tests shall be conducted on any third-party hosted system(s). Illumant will work with City to determine whether a particular internal network or system has a third-party hosting component. Additional in-depth assessment services are offered for platform-specific reviews to compare configurations with best practices. All services are offered a la carte. Carlsbad may elect to engage Illumant for some or all of the service components below as needed.
Core Services

Advanced Black Box Penetration Testing (BBPen)
Illumant uses custom variants of technical and social engineering exploits to simulate a real-world cyber-attack against your organization, testing the effectiveness of existing measures to protect you against real cyber-attacks. The test, a "capture the flag" exercise, will attempt to obtain predetermined targets from within the client's network, completely blind, without any prior access or assistance from the client. The vectors for inclusion in the BBPen are:
• Internet-based technical exploits
• Social engineering exploits
Illumant will conduct external penetration testing and social engineering opportunistically, in order to achieve internal access. Should Illumant not achieve that access in a reasonable timeframe, Illumant will provide a device for continuing opportunistic testing from the internal-compromise perspective.
Scope: For each vector to be included in the BBPen, the corresponding assessment must be purchased as well:
• Internet-based technical: PSA
• Social Engineering: Soc Eng
Examples of targets to be included:
• System information that demonstrates internal access
• Valid credentials
• Proof of execution of code on internal systems
• Target file or information (TBD)

Blind Visibility and Exposure Analysis (BVEA)
Without any assistance from the customer, our experts will attempt to identify all Internet-accessible networks, systems, sites, applications and services, and any information about the organization gleaned from public databases, forums and chat rooms that might be sensitive in nature or useful in crafting a cyber-attack. The purpose of this exercise is to describe the client's cyber-attack surface: to make the customer aware of all assets and information which are currently visible from the Internet (the organization's "Internet footprint") and therefore exposed to possible Internet-based threats. Illumant also searches organizational and non-organizational sites and sources to identify sensitive information that may have been exposed, and any chatter about the organization relating to security or planned attacks in chat rooms and forums. Furthermore, bot lists, block lists, and web reputation sites are inspected to serve as a leading indicator of malware infections within the client's systems.
Notes: This assessment is typically performed prior to the Perimeter Security Assessment & Penetration Testing and serves to confirm assessment targets and scope for the subsequent testing.
Scope: This is a blind test and requires no input from the client. Once the test has been completed, the results will be reviewed with the client to confirm that all in-scope networks and systems have been properly identified.

Perimeter Security Assessment (PSA)
This assessment involves the enumeration of vulnerabilities and risks that are accessible from the Internet (the "hacker's perspective") and includes expert manual validation and penetration testing. Illumant starts by using a cross section of best-of-breed scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection.
To the extent possible (without damaging systems or data), identified vulnerabilities are exploited to assess their real severity, the level of exposure they may allow, and the potential impact of a breach. Targets of this assessment include servers, applications (without credentials; see note), firewalls, routers, load balancers, VPNs, and any other perimeter or Internet-facing information assets. Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications, and data. As part of the PSA, penetration testing (without credentials) is performed on critical applications; provided that for any Internet-facing third-party applications, Illumant will consult with Carlsbad to determine the scope of penetration. The types of security issues identified during the PSA include SQL injection, URL injection, cross-site request forgery (CSRF), directory traversal, authentication vulnerabilities, AJAX vulnerabilities, insecure direct object references, security misconfigurations, sensitive data exposure, missing function-level access controls, buffer overflows, missing patches, vulnerable versions, insecure credentials, and many others. Goals for the exercise include unauthorized access and privilege escalation, as well as an analysis of denial-of-service (DoS) risks.
Note: For in-depth credentialed and non-credentialed testing of applications, see our Web Application Security Assessment (WASA).
Scope: The PSA will target Carlsbad's approximately 100 externally addressable systems.

Social Engineering (Soc Eng)
Just about every major security breach that has been featured in the news over the past decade has involved a social engineering component (Target, Sony, JP Morgan, etc.). Coupled with technical penetration techniques, the two attack vectors provide a lethal recipe for successfully breaching an organization and gaining unauthorized access to sensitive information. Social engineering is typically the piece that gives the attacker a foothold within the organization, from where they can propagate their attacks to gain real access to sensitive information. Beyond just phishing, the Social Engineering exercise targets the human element using multiple attack vectors to test users' awareness of potential security threats. Illumant conducts simulated phishing, planted media, pretext calling, and social networking attacks against a sample of the organization's users. Some companies prefer that the entire workforce be tested; others prefer that a representative sample be used. Illumant consults with the client during the proposal process to select the most appropriate sample size.
Scope: Illumant, together with Carlsbad, will select a representative sample of individuals for social engineering testing across the organization.

Additional Services

Critical Asset Security Assessment (CASA)
This internal assessment involves the enumeration of vulnerabilities and risks that are accessible from within the network perimeter, behind border firewalls. Similar to external assessments like the PSA, Illumant starts by using scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection. To the extent possible (without damaging systems or data), identified vulnerabilities are exploited to assess their real severity, the level of exposure they offer, and the potential impact of a breach.
Targets of this assessment include servers, applications, portals, routers, switches, and any other critical internal systems. Testing may include Internet-facing systems, but viewed internally without filtering by firewalls. Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications, and data and to repel internal threats and attack propagation.

Note: Depending on the specifics of the in-scope environment, the CASA and LANSA (if selected) deliverables may be combined into a single report. This allows the client to view all affected systems for a given finding in one report rather than searching through multiple reports.

Scope: The CASA will target internal servers and infrastructure devices. Post-BBPen testing, for maximal identification of critical vulnerabilities.

LAN Security Assessment (LANSA)

This internal assessment involves the enumeration of vulnerabilities and risks that are accessible from within the network perimeter, behind border firewalls, on end-user LANs. Similar to external assessments like the PSA, Illumant starts by using scanning tools to harvest vulnerability data. Our experts then validate all results to eliminate false positives and uncover any other vulnerabilities that may have initially escaped detection. To the extent possible (without damaging systems or data) identified vulnerabilities are exploited to assess their real severity, the level of exposure they offer, and the potential impact of a breach. Targets of this assessment include desktops, laptops, workstations, LAN servers, LAN switches, and LAN-based systems.
Protection measures are evaluated in terms of their ability to maintain the confidentiality, integrity and availability of networks, systems, applications, and data and to repel internal threats and attack propagation.

Notes: Testing of end-user systems is performed with credentials to evaluate the security within the end-user's context, including patch levels, vulnerable applications and out-of-date OSs. Depending on the specifics of the in-scope environment, the CASA (if selected) and LANSA deliverables may be combined into a single report. This allows the client to view all affected systems for a given finding in one report rather than searching through multiple reports.

Scope: The LANSA will target the workstations. Illumant will report on a representative sample of laptops and desktops, and report specifically on any vulnerable outliers. Post-BBPen testing, for maximal identification of critical vulnerabilities.

Wireless Security Assessment (WSA)

Ensures protection against unauthorized access to wireless networks and wireless data, as well as segregation of guest access from private networks and systems. The WSA identifies potential backdoors through rogue access points; assesses corporate, guest, and point-to-point wireless LAN deployments to identify weaknesses in architecture, configuration, authentication, and encryption, including identification of rogue access points; and verifies that authentication and encryption prevent unauthorized access or traffic snooping.

Notes: The WSA may be performed on-site or off-site via remote access to a testing laptop. The latter saves on the cost of service.

Scope: The WSA will target 3 SSIDs. Post-BBPen testing, for maximal identification of critical vulnerabilities.

After completion of the assessment and analysis, a report will be prepared that contains summary information, graphical data, and detailed technical analysis along with action items to facilitate remediation.
Before any final deliverables are submitted, Illumant will engage key Carlsbad team members to review draft reports and to discuss results and incorporate relevant feedback and context into the report. This hands-on process will allow the organization to derive the maximum value from the assessment and associated report and ensure that all concerns are addressed appropriately.

Methodology

This section presents in more detail the methodology we employ for each of our services. Additionally, it lists the information and access we will need to be able to effectively perform the work.

Blind Visibility & Exposure Analysis (BVEA)

Description: Blind Internet footprint analysis to ensure that only the information and systems needed for business purposes are exposed to the Internet. Recommendations are provided to minimize the cyber-attack surface.

Highlights:
• Blind reconnaissance
• Internet footprint analysis to describe and help minimize the cyber-attack surface
• Reputation analysis
• Block lists and bot lists review
• Chat, forum and deep web searches
• Network redundancy analysis
• Domain ownership review
• Exposure rating
• Remediation recommendations

Targets:
• Footprint/Internet-facing systems:
  o Networks
  o Web sites and applications
  o Servers, routers, firewalls, etc.
• Chatter and sensitive info:
  o Forums (tech support, etc.)
  o Chat rooms/IRC, dark web
• Public Internet information databases:
  o Name servers, information aggregators
• Reputation databases:
  o Block lists, bot lists, web reputation sites

Methodology:
Network and systems enumeration:
• Blind analysis: Illumant uses only the name of the company as a starting point
• Web searches and recursive spidering of web sites to identify related sub-organizations, domains, and sub-domains
• Search of Internet information and domain registration databases to identify netblocks and domain ownership; review for proper configuration, redundancy, and ownership records
• Inventory of exposed sites and services
Sensitive information searches:
• Review of organizational sites, servers, tech support forums and other chat rooms to identify technical and organizational data that is sensitive or could be useful in crafting a cyber-attack
• Dark web, IRC and hacker chatroom and forum searches to identify evidence of planned or successful attacks or intrusions against the organization
Reputation analysis and bot-list/block-list review:
• Review of block lists and web reputation sites as an indicator of infection by malware
• Review of botnet lists as an indicator of potential infection by bots or trojans
Reporting:
• Findings are described in the report, including full technical details of each exposure or sub-optimal configuration.
• Recommendations are provided to reduce exposures and minimize the cyber-attack surface without compromising organizational effectiveness.
• Findings are summarized to provide a high-level overview of the organization's footprint and exposures. Ratings are benchmarked against thousands of previous assessments.
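As an added illustration of the reputation analysis and block-list review step above (example code written for this page, not Illumant's own tooling): once the RIR/whois step has attributed netblocks to the organization, every entry of each downloaded block list is checked against them, in both directions, since a single listed host inside a block points at a compromised machine while a listing wider than the block means the whole range carries a bad reputation. The netblocks and the three feeds below are constructed sample data built from documentation address ranges; real feeds would be fetched from the providers named under Tools.

```python
"""Intersect an organization's netblocks with block-list feeds.

Added example for the BVEA block-list/bot-list review; all inputs are
constructed sample data (documentation ranges), not real feeds.
"""
import ipaddress
from dataclasses import dataclass

# Netblocks the whois/RIR lookup attributed to the organization (constructed).
ORG_NETBLOCKS = ["203.0.113.0/24", "198.51.100.128/25", "2001:db8:100::/48"]

# Constructed feeds. Real DROP/botnet/reputation lists mix single addresses
# and CIDR ranges, so both forms are handled.
BLOCK_LIST_FEEDS = {
    "spam-drop": ["203.0.113.77", "192.0.2.0/24"],
    "botnet-c2": ["203.0.113.64/27", "2001:db8:100:7::/64"],
    "web-rep":   ["198.51.100.130", "198.51.100.5", "198.51.100.0/24"],
}


@dataclass(frozen=True)
class Listing:
    feed: str
    entry: str          # the listed address or range, as published
    netblock: str       # the organization netblock it overlaps
    covers_block: bool  # True when the listing is at least as wide as the block


def find_listings(org_netblocks=ORG_NETBLOCKS, feeds=BLOCK_LIST_FEEDS):
    """Return every feed entry that overlaps an organization netblock."""
    nets = [ipaddress.ip_network(n) for n in org_netblocks]
    found = []
    for feed, entries in feeds.items():
        for entry in entries:
            # A bare address becomes a /32 (or /128) network.
            listed = ipaddress.ip_network(entry, strict=False)
            for net in nets:
                # overlaps() is already False across IP versions, but the explicit
                # check guarantees subnet_of() below never sees mixed versions.
                if listed.version != net.version or not listed.overlaps(net):
                    continue
                found.append(Listing(feed, entry, str(net), net.subnet_of(listed)))
    return found


def exposure_by_netblock(listings):
    """Fold listings into one row per affected netblock for the report."""
    rows = {}
    for item in listings:
        row = rows.setdefault(item.netblock,
                              {"feeds": set(), "entries": [], "covered": False})
        row["feeds"].add(item.feed)
        row["entries"].append(item.entry)
        row["covered"] = row["covered"] or item.covers_block
    return rows


if __name__ == "__main__":
    for block, row in exposure_by_netblock(find_listings()).items():
        scope = "whole block listed" if row["covered"] else "individual hosts listed"
        print(f"{block}: {scope}; feeds={sorted(row['feeds'])}; entries={row['entries']}")
```

With the constructed data, 198.51.100.128/25 is reported as covered wholesale (a /24 listing encloses it), 203.0.113.0/24 has two feeds pointing at individual hosts inside it, and the 192.0.2.0/24 and 198.51.100.5 entries are correctly ignored because they fall outside the organization's space.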
Internet Information Databases: ARIN, InterNIC, APNIC, RIPE NCC, LACNIC, AfriNIC, IANA, Robtex, Who.is

Tools: Web crawlers/spiders, whois, NMAP, IRC search engines, forum search engines, block lists, reputation lists, botnet lists

Notes: The BVEA is performed blind, with only the company name as a starting point, to mimic what a hacker would see during a malicious reconnaissance exercise.

Perimeter Security Assessment & Penetration Testing (PSA)

Description: External vulnerability assessment, manual validation and penetration testing of Internet-facing networks, systems, sites, and applications (aka the hacker's perspective). Includes identification, manual validation, and benign exploitation of vulnerabilities, along with actionable remediation recommendations for improved security.
Highlights:
• Scanning to create a baseline of vulnerabilities and security risks
• Testing can be performed overtly or covertly (with or without informing IT and security personnel)
• Best-of-breed open source and commercial vulnerability harvesting tools
  o A cross section is used to limit exposure to the limitations of any single tool and reap the benefits of each tool's strengths
• Manual validation to eliminate false positives and confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
  o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g., BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs. industry
• Retesting (within 6 months of initial test)

Targets:
• Internet-facing networks, systems, applications, services, ports, protocols:
  o Web sites
  o Web applications (non-credentialed testing); for credentialed testing see the Web Application Security Assessment (WASA)
  o Servers
  o VPNs
  o Firewalls
  o Border routers
  o Internet-facing services (FTP, Telnet, SSH, and many more)
• 100,000+ known vulnerabilities, plus client-specific vulnerabilities in custom applications, configurations, and software

Methodology:
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
• Testing can be performed with or without informing other IT or security personnel (overtly or covertly) to test response protocols and readiness.
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses
• Manual review of IPs, ports and URLs to refine information about in-scope target systems, including function, manufacturer, OS, applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open-source vulnerability databases and commercially maintained vulnerability databases
Manual validation and manual testing:
• Expert manual review of identified vulnerabilities to confirm their validity and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom configuration, custom designs, custom applications, and use of purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom and off-the-shelf applications
Findings:
• PSA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF, directory traversal, authentication vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, missing patches, vulnerable versions and many more
Reporting:
• Findings are described in the report, including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
• Ratings are benchmarked against thousands of previous assessments.

Vulnerability Databases: Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP

Tools: Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite, Nikto

Notes: Internet-facing web applications are tested as part of this test without credentials. For full credentialed application testing (gray box testing), see the Web Application Security Assessment (WASA).

Critical Asset Security Assessment (CASA)

Description: Internal, unfiltered vulnerability analysis and penetration testing of mission-critical applications, systems, and networks for validation of layered security and defense in depth.
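The PSA harvesting and validation steps above, and the CASA methodology that follows (the same procedure run from inside the perimeter), rest on using a cross section of scanners and then validating by hand. As an added example, written for this page rather than taken from Illumant's tooling, the script below normalises two scanners' exports onto one key per host, port and CVE (or, where a tool reports no CVE, per title), so that duplicates collapse, the severity kept is the highest any tool assigned, and findings seen by only one tool are queued for validation ahead of corroborated ones of equal score. The two exports and the host addresses are constructed sample rows; the CVE identifiers are real ones used only to make the merge realistic.

```python
"""Merge findings from several vulnerability scanners onto one key.

Added example for the PSA/CASA harvesting and validation steps. The
scanner exports below are constructed sample rows (documentation
addresses); real exports would be parsed from each tool's CSV/XML.
"""
from dataclasses import dataclass, field

# Constructed exports, reduced to the fields the merge needs.
SCANNER_A = [
    {"host": "203.0.113.10", "port": 443, "proto": "tcp", "cves": ["CVE-2021-44228"],
     "title": "Apache Log4j Remote Code Execution", "cvss": 10.0},
    {"host": "203.0.113.10", "port": 22, "proto": "tcp", "cves": [],
     "title": "SSH Weak MAC Algorithms Enabled", "cvss": 2.6},
    {"host": "203.0.113.12", "port": 80, "proto": "tcp", "cves": ["CVE-2019-0211"],
     "title": "Apache 2.4.x < 2.4.39 Multiple Vulnerabilities", "cvss": 7.8},
]
SCANNER_B = [
    {"host": "203.0.113.10", "port": 443, "proto": "tcp",
     "cves": ["CVE-2021-44228", "CVE-2021-45046"],
     "title": "Apache Log4j < 2.17.0", "cvss": 9.0},
    {"host": "203.0.113.12", "port": 80, "proto": "tcp", "cves": ["CVE-2019-0211"],
     "title": "Apache HTTP Server Privilege Escalation", "cvss": 7.2},
    {"host": "203.0.113.12", "port": 443, "proto": "tcp", "cves": [],
     "title": "SSL Certificate Expired", "cvss": 5.3},
]


@dataclass
class Finding:
    key: tuple                      # (host, port, proto, ("cve", id) | ("title", text))
    tools: set = field(default_factory=set)
    titles: set = field(default_factory=set)
    cvss: float = 0.0               # highest score any tool assigned

    @property
    def corroborated(self):
        return len(self.tools) > 1


def normalize(rows):
    """Yield (key, title, cvss) with one record per CVE. Rows without a CVE
    keep their lower-cased title as the key; those rarely match across tools,
    which is exactly what manual validation needs to look at."""
    for r in rows:
        keys = [("cve", c) for c in r["cves"]] or [("title", r["title"].lower())]
        for k in keys:
            yield (r["host"], r["port"], r["proto"], k), r["title"], r["cvss"]


def merge(*exports):
    """exports: (tool_name, rows) pairs. Returns {key: Finding}."""
    merged = {}
    for tool, rows in exports:
        for key, title, cvss in normalize(rows):
            f = merged.setdefault(key, Finding(key))
            f.tools.add(tool)
            f.titles.add(title)
            f.cvss = max(f.cvss, cvss)
    return merged


def validation_queue(merged):
    """Highest severity first; among equal scores, single-tool findings
    before corroborated ones, since those are the likeliest false positives."""
    return sorted(merged.values(), key=lambda f: (-f.cvss, f.corroborated))


if __name__ == "__main__":
    for f in validation_queue(merge(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))):
        host, port, proto, (kind, ident) = f.key
        flag = "corroborated" if f.corroborated else "SINGLE TOOL - validate"
        print(f"{f.cvss:4.1f} {host}:{port}/{proto} {ident:<40} {flag}")
```

On the sample rows the six raw findings collapse to five: the Log4j and Apache entries are corroborated by both tools under their CVEs, while the second Log4j CVE, the expired certificate and the SSH MAC finding each come from a single scanner and are the ones to confirm by hand before they go into the report.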
Highlights:
• Scanning to create a baseline of vulnerabilities and security risks
• Best-of-breed open source and commercial vulnerability harvesting tools
  o A cross section is used to limit exposure to the limitations of any single tool and reap the benefits of each tool's strengths
• Manual validation to eliminate false positives and confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
  o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g., BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs. industry

Targets:
• Internal networks, systems, applications, services, ports, protocols:
  o Web sites
  o Web applications (non-credentialed testing); for credentialed testing see the Web Application Security Assessment (WASA)
  o Servers
  o VPNs
  o Firewalls
  o Border routers
• 100,000+ known vulnerabilities, plus unique vulnerabilities from custom designs, configurations, and software

Methodology:
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses
• Manual review of IPs, ports, and URLs to refine information about in-scope target systems, including function, manufacturer, OS, applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts
• Multiple tools are used to provide the widest possible initial baseline for additional analysis and limit exposure to the limitations of any single tool
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open-source vulnerability databases and commercially maintained vulnerability databases
Manual validation and manual testing:
• Expert manual review of identified vulnerabilities to confirm their validity and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners, often due to custom configuration, custom designs, custom applications, and use of purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom and off-the-shelf applications
Findings:
• CASA findings include: CGI abuses, buffer overflows, default credentials, malware sweeps, SQL injection, URL injection, CSRF, directory traversal, authentication vulnerabilities, AJAX vulnerabilities, backdoors, trojans, viruses, insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, missing patches, vulnerable versions and many more
Reporting:
• Findings are described in the report, including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems.
• Ratings are benchmarked against thousands of previous assessments.

Vulnerability Databases: Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP

Tools: Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite

Notes: Testing for the CASA is performed without credentials to test susceptibility to attack propagation by outside attackers, or by insiders with lower privileges or without authorization. For credentialed testing of applications see our WASA (web applications). For credentialed testing of other critical assets see our platform-specific reviews, e.g. MSSA (Microsoft servers), NixSA (UNIX/Linux servers), ADSA (Active Directory), etc. For credentialed testing of the user computing environment, see our LAN Security Assessment (LANSA). These other credentialed tests include full reporting on patch levels.

LAN Security Assessment (LANSA)

Description: Internal, unfiltered vulnerability analysis and penetration testing of desktops, laptops, and other LAN-based systems for validation of end-user computing system security.
Highlights:
• Scanning to create a baseline of vulnerabilities and security risks
• Best-of-breed open source and commercial vulnerability harvesting tools
  o A cross section is used to limit exposure to the limitations of any single tool and reap the benefits of each tool's strengths
• Manual validation to eliminate false positives and confirm findings
• Manual testing to find additional vulnerabilities not found by scanning tools
• Penetration testing through custom-designed and pre-existing exploits to test real severity
  o Illumant's pen testing and manual testing techniques are continually updated through research and participation in hacker forums and conferences (e.g., BlackHat, DEFCON, SANS)
• Classification of severity of findings
• Remediation recommendations
• Benchmark analysis of results vs. industry

Targets:
• LANs, desktops, workstations, laptops, printers, LAN devices, applications, services, ports, protocols from within firewall boundaries (unfiltered analysis):
  o Desktops
  o Workstations
  o Laptops
  o LAN servers
  o Switches
  o Printers
  o Other LAN devices
• 100,000+ known vulnerabilities, plus unique vulnerabilities from custom designs, configurations, and software

Methodology:
Scoping:
• Illumant provides scoping worksheets
• Client provides in-scope target networks, system IPs, URLs
Enumeration/Recon:
• Port mapping (ping sweeps, connection sweeps and malformed packet sweeps) to identify target services and applications, systems, versions, and OS guesses
• Manual review of IPs, ports and URLs to refine information about in-scope target systems, including function, manufacturer, OS, applications, services, and their respective versions
Vulnerability Analysis/Harvesting:
• Automated scanning of in-scope target networks, systems and applications using best-of-breed commercial and open-source tools and scripts
• Credentialed testing of desktops, laptops, and workstations to validate OS and application versions and missing patches.
• Multiple tools are used to provide the widest possible initial baseline for additional analysis
• 100,000+ vulnerabilities are analyzed, including all known vulnerabilities across open-source vulnerability databases and commercially maintained vulnerability databases
• End-user system vulnerabilities include: default credentials, malware sweeps, security misconfiguration, sensitive data exposure, backdoors, trojans, viruses, vulnerable applications, out-of-date OSs, missing patches, and many more.
• For LAN servers and other devices, vulnerabilities tested may also include: CGI abuses, buffer overflows, default credentials, SQL injection, URL injection, CSRF, directory traversal, AJAX vulnerabilities, insecure direct object references, missing function-level access control, etc.
Manual validation and manual testing:
• Expert manual review of identified vulnerabilities to confirm their validity and discard false positives
• Additional expert manual testing to identify vulnerabilities not detected by automated scanners due to custom configuration, custom designs and custom applications, using purpose-built scripts
Penetration testing and exploitation:
• Illumant identifies and attempts all known exploits against confirmed vulnerabilities. These are limited to exploits that are non-destructive (will not corrupt data or configurations, will not cause availability issues).
• Illumant attempts to craft custom exploits targeting custom designs, custom configurations, as well as custom and off-the-shelf applications
Reporting:
• Findings are described in the report, including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture and security rating of the target systems. Ratings are benchmarked against thousands of previous assessments.

Vulnerability Databases: Mitre.org CVE, CERT, OSVDB, Security Focus Bugtraq, NVD, Rapid7, OWASP

Tools: Qualys, Nessus, NeXpose, Saint, Metasploit, ZAP, NTO Spider, Burp Suite

Notes: LAN-based systems may be numerous. Illumant specifies vulnerabilities that affect all or most systems, and calls out exceptionally vulnerable outliers as well. Testing of end-user systems is performed with credentials to evaluate the security within the end-user's context, including patch levels, vulnerable applications and out-of-date OSs.

Wireless Security Assessment (WSA)

Description: Ensures protection against unauthorized access to wireless networks and traffic, as well as segregation of guest access from corporate networks and systems. Also identifies potential backdoors through rogue access points.
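Ahead of the highlights and methodology that follow, an added example (written for this page, not Illumant's own tooling) of the enumeration and security-analysis steps the WSA methodology describes: every SSID/BSSID a wireless scanner hears is compared against the client's inventory of authorized networks, neighbours are excluded by signal strength, and two patterns are pulled out for action: an authorized SSID broadcast from a BSSID the client does not own (evil twin), and an inventory access point advertising weaker authentication or encryption than the inventory requires. The inventory, scan rows, MAC addresses and the -65 dBm threshold are all constructed assumptions.

```python
"""Triage the SSIDs a wireless scanner saw against the authorized inventory.

Added example for the WSA enumeration and security-analysis steps. The
inventory, scan rows, MAC addresses and signal threshold are constructed
assumptions, not data from any real survey.
"""
from dataclasses import dataclass

# Assumption: anything heard stronger than this was transmitting inside the
# surveyed building; weaker unknown SSIDs are treated as neighbours.
STRONG_SIGNAL_DBM = -65

# Relative strength of the link-layer security a beacon advertises.
CRYPTO_RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Client-supplied inventory of authorized networks (constructed).
AUTHORIZED = {
    "CityStaff": {"bssids": {"00:11:22:aa:00:01", "00:11:22:aa:00:02"},
                  "min_crypto": "WPA2", "auth": "MGT"},   # MGT = 802.1X
    "CityGuest": {"bssids": {"00:11:22:aa:00:11"},
                  "min_crypto": "WPA2", "auth": "PSK"},
}

# Constructed scanner rows: (BSSID, SSID, RSSI dBm, privacy, authentication),
# the shape of an airodump-ng or Kismet export after parsing.
SCAN = [
    ("00:11:22:aa:00:01", "CityStaff",    -48, "WPA2", "MGT"),
    ("00:11:22:aa:00:02", "CityStaff",    -55, "WPA",  "PSK"),  # inventory AP, downgraded
    ("de:ad:be:ef:00:01", "CityStaff",    -42, "OPN",  ""),     # open evil twin
    ("00:11:22:aa:00:11", "CityGuest",    -50, "WPA2", "PSK"),
    ("aa:bb:cc:00:00:09", "PrinterSetup", -40, "OPN",  ""),     # strong and unknown
    ("66:77:88:99:00:01", "NETGEAR42",    -82, "WPA2", "PSK"),  # weak: next door
]

# Order in which the report lists categories (action items first).
PRIORITY = {"evil-twin": 0, "rogue-candidate": 1, "weak-config": 2,
            "authorized": 3, "neighbor": 4}


@dataclass(frozen=True)
class Verdict:
    bssid: str
    ssid: str
    category: str
    note: str


def classify(row, authorized=AUTHORIZED, strong=STRONG_SIGNAL_DBM):
    bssid, ssid, rssi, crypto, auth = row
    entry = authorized.get(ssid)
    if entry is not None:
        # An authorized SSID on a BSSID the client does not own is the classic
        # evil-twin pattern and needs physical location regardless of crypto.
        if bssid.lower() not in entry["bssids"]:
            return Verdict(bssid, ssid, "evil-twin", "authorized SSID on unknown BSSID")
        if (CRYPTO_RANK.get(crypto, 0) < CRYPTO_RANK[entry["min_crypto"]]
                or auth != entry["auth"]):
            return Verdict(bssid, ssid, "weak-config",
                           f"{crypto}/{auth} below required {entry['min_crypto']}/{entry['auth']}")
        return Verdict(bssid, ssid, "authorized", "matches inventory")
    if rssi >= strong:
        return Verdict(bssid, ssid, "rogue-candidate",
                       f"unknown SSID heard at {rssi} dBm; locate physically")
    return Verdict(bssid, ssid, "neighbor", f"unknown SSID at {rssi} dBm; excluded")


def triage(scan=SCAN, authorized=AUTHORIZED):
    """Classify every scanned BSSID and order the result for the report."""
    return sorted((classify(r, authorized) for r in scan),
                  key=lambda v: PRIORITY[v.category])


if __name__ == "__main__":
    for v in triage():
        print(f"{v.category:<16} {v.bssid}  {v.ssid:<14} {v.note}")
```

Signal strength alone never clears an unknown SSID that is heard loudly; the rogue-candidate category exists precisely so that such devices are walked down on site (or the remote laptop is relocated, as the Notes below allow) rather than dismissed as a neighbour.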
Highlights:
• Enumeration of all active SSIDs
• Evaluation of authentication/encryption strength for authorized wireless networks
• Assessment of isolation of guest wireless
• Enumeration of vulnerabilities in wireless infrastructure
• Review of guest/user wireless account provisioning protocols
• Identification of rogue access points
• Evaluation of access achievable through rogue wireless
• Remediation recommendations

Targets:
• Authorized employee wireless networks
• Guest wireless networks and supporting infrastructure
• Special-purpose wireless networks
• Point-to-point wireless networks
• Authentication/encryption protocol and implementation vulnerabilities
• Network segregation issues
• Rogue access points/networks

Methodology:
Scoping:
• Client provides in-scope target facilities and enumerates authorized employee, special-purpose, and guest wireless networks
• Client provides credentials for accessing guest wireless
• Testing may be performed on-site and in person, or remotely via a testing laptop
Enumeration:
• Illumant uses specialty wireless adapters for the broadest spectrum of analysis of wireless networks, including workstation networks and point-to-point networks
• Best-of-breed wireless scanners are used to enumerate SSIDs
• Results are compared against the list of authorized networks
• Neighboring networks are excluded through supplementary information and signal strength analysis
Security Analysis:
• Illumant reviews the authentication and encryption protocols of authorized networks through packet data analysis and compares them against best practices, noting weaknesses.
• Illumant looks at security at various stages: post-association, pre-authentication, and post-authentication, including vulnerability analysis of supporting systems (e.g., DHCP, DNS, gateways, routers, access points, auth servers, etc.)
• Isolation of guest networks from internal resources is tested to confirm proper network segregation.
• Rogue devices are accessed when possible to test the level of exposure
Reporting:
• Findings are described in the report, including full technical details of each vulnerability and exploit.
• Findings are summarized to provide a high-level overview of the security posture.

Tools: CommView for WiFi, Vistumbler, InSSIDer, Kismet, NMAP, Nessus, Orinoco ABGN adapter, laptop with virtual wireless test environment

Notes: The WSA may be performed on-site or off-site via remote access to a testing laptop. The latter saves on the cost of service. Remote testing may require relocation of the laptop during testing.

Reports

The findings are compiled into confidential reports with both executive and technical summaries, as well as comprehensive actionable recommendations. In addition, we provide full technical details concerning vulnerabilities and other findings. Remediation advice is presented for the vulnerabilities that are uncovered. An "Action Items" list is generated and additional recommendations for enhancing security and efficiency are presented. Illumant's security team will formally present the highlights of the report to Carlsbad. The presentation will contain both an executive-level overview and technical details of the state of the organization's networks. The meeting or conference call will provide an opportunity to discuss the findings in detail, as well as to discuss remediation options with Illumant's Expert Security Analysts.

Professional Fees and Billing

Our fees are based on our consultants' level of experience and skill and the time and effort required to complete the assessment. The following section shows our rates for each project component. These rates exclude travel and out-of-pocket expenses. If travel and out-of-pocket expenses are required, an amendment will be executed by both parties to include such costs, which will not be incurred without prior written authorization from City. All services are offered a la carte.
Core Services Fees

Advanced Black Box Penetration Testing (BBPen): This fee is independent of the success or failure of the penetration test. The BBPen requires purchase of the BVEA, PSA, and Soc Eng services above corresponding to the desired vectors for the penetration test. $7,500
Blind Visibility and Exposure Analysis (BVEA): No assistance from client required. $2,500
Perimeter Security Assessment (PSA): Externally accessible systems. $9,375
Social Engineering (Soc Eng): Sample of staff chosen and approved in advance. $6,500
Wireless Security Assessment (WSA): Up to 3 SSIDs. $4,400
Critical Asset and LAN Security Assessment (CASA+LANSA): Internal servers, workstations, and infrastructure devices. $6,250
Total: $36,525

Free differential assessments are provided (for PSAs only) within 6 months of each initial assessment. This acts as a follow-up to validate remediation efforts. Any new vulnerabilities detected during the differential assessment will also be reported.

Payment Terms

Illumant will submit invoices as follows: (i) 20% retainer fee; (ii) 60% due upon completion of draft results; and (iii) 20% upon delivery of final reports. All invoices are due within 30 days from Carlsbad's receipt of an invoice. If hourly services are required, an amendment will be executed by both parties to include such costs. Fees will be billed bi-weekly on a time-and-materials basis; payments are due within 30 days of Carlsbad's receipt of the invoice. Fees do not include travel and expenses, which will not be incurred without prior written authorization from Carlsbad.

IT ADDENDUM

The City of Carlsbad ("City") and Illumant, LLC ("Contractor") are using the standard form agreement provided by the Contractor. Nevertheless, the parties agree that this addendum is a part of the form agreement ("Agreement"), and amends and modifies the Agreement as provided below:

1. Payment.
Notwithstanding anything in the Contractor's form to which this Addendum is attached, the payments to be made by the City for all goods, services and other deliverables under this Agreement shall not exceed $36,525.

2. Independent Contractor. In its performance under this Agreement, the Contractor and the agents and employees of Contractor act and will act in an independent capacity and not as an agent or employee of the City.

3. Inapplicable Terms. Because the City cannot accept certain standard clauses that may appear in the Agreement as a matter of law and policy, the Contractor agrees that no provision described below which appears in the Agreement shall be of any force and effect against the City:
a. Requiring the City to obtain or maintain any form of insurance.
b. Renewing or extending the Agreement beyond its initial term or duration other than by mutual agreement of the parties.
c. Requiring or stating that the terms of this Agreement, or the terms of the Contractor's online forms or agreements, shall prevail over the terms of this addendum in the event of conflict.
d. Requiring the City to indemnify, defend, or hold the Contractor harmless against claims of any kind or nature.
e. Requiring the application of laws other than California law in interpreting or enforcing the Agreement, including this addendum, or requiring or permitting litigation arising under the Agreement in the courts of any state other than California, nor any venue other than San Diego County.
f. Requiring the City to pay liquidated damages, indirect, special, punitive, incidental or consequential damages, including without limitation lost profits, lost revenue, lost business opportunities, loss of data, interruption of business, regardless of the theory of liability, even if City has been advised of the possibility of such damages.
g. Requiring the City to pay any type of contract termination fee.
h. Limiting the liability of the Contractor for actual damage to City property or for personal injury.
i. Disclaiming negligence in violation of public policy.
j. Permitting unilateral modification of this Agreement by the Contractor or deeming the City to agree to a modification by means other than affirmatively signing a modification to the Agreement.
k. Requiring the City to engage in binding arbitration.
l. Obligating the City to pay court costs, costs of collection, or attorneys' fees.
m. Requiring the City to withhold information from the public contrary to the requirements of the California Public Records Act (CA Government Code § 6250 et seq.) and the California Civil Discovery Act (California Code of Civil Procedure § 2016.010 et seq.).
n. Requiring City to provide notice prior to disclosure of government records subject to the California Public Records Act (CA Government Code § 6250 et seq.) and the California Civil Discovery Act (California Code of Civil Procedure § 2016.010 et seq.).
o. Imposing interest on late payments or requiring interest to be paid on disputed amounts.
p. Limiting the City's ability to terminate the Agreement by providing thirty (30) days written notice to Contractor.

4. Technology Terms and Conditions. In addition, the Agreement is hereby amended to include the following Information Technology Terms and Conditions:
a. Data Location and Ownership. The Contractor shall provide its services to the City and its end users solely from data centers in the continental United States. Storage of City Data at rest shall be located solely in data centers in the United States. Contractor will notify the City of any plans to relocate its hosted services to another data center. Contractor shall not allow personnel or subcontractors to store City Data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers.
The Contractor shall permit its personnel and subcontractors to access City Data remotely only as required to provide technical user support or other customer support. The City will own all right, title and interest in City Data that is related to the services provided by this Agreement.

b. Data Protection. Contractor shall ensure there is no inappropriate or unauthorized use of City Data at any time. To this end, Contractor shall safeguard the confidentiality, integrity, and availability of City Data within its control using security technologies and techniques in accordance with standard industry practices for such data. In no event may Contractor’s action or inaction result in any situation that is less secure than the security Contractor provides for its own systems and data.

c. Data Breach Responsibilities. This section only applies when there is a breach of City Data within the possession or control of Contractor. Contractor shall:
(1) promptly notify City within 24 hours or sooner by telephone, unless a shorter time is required by applicable law, if it confirms that there is or reasonably believes that there has been a data breach;
(2) cooperate with the City as reasonably requested by the City to investigate and resolve the data breach and provide daily updates;
(3) quarantine the data breach and ensure secure access to City Data;
(4) promptly implement necessary remedial measures; and
(5) document responsive actions taken related to the data breach.

d. Background Checks. As permitted or required by law, the Contractor shall conduct criminal background checks and not utilize any staff, including subcontractors, to fulfill the obligations of the Agreement who have been convicted of any crime of dishonesty, including but not limited to criminal fraud, or otherwise convicted of any felony or any misdemeanor offense for which incarceration for up to 1 year is an authorized penalty.
The Contractor shall promote and maintain an awareness of the importance of securing the City’s information among the Contractor’s employees and agents.

e. Patent, Copyright and Trade Secret Indemnity. To the fullest extent permitted by law, Contractor will indemnify, defend, and hold harmless the City, its officers, elected and appointed officials, employees, and volunteers from any and all third-party claims, costs (including without limitation reasonable attorneys’ fees), damages, and losses for infringement or violation of any U.S. Intellectual Property Right by any product or service provided by this Agreement. With respect to claims arising from software manufactured by a third party and sold by Contractor as reseller, Contractor will pass through to the City such indemnity rights as it receives from such third party and will cooperate in its enforcement.
i. Aside from Contractor’s indemnification obligation, should the product or services or any part thereof become, or in Contractor’s reasonable opinion be likely to become, the subject of a claim for infringement of a third party intellectual property right, then Contractor shall, at its sole option and expense:
(i) procure for City the right to use and access the infringing or potentially infringing item(s) of the service or product (“Infringing Item”) free of any liability for infringement; or
(ii) replace or modify the Infringing Item with a non-infringing substitute otherwise materially complying with the functionality of the replaced system; or
(iii) if neither of the foregoing is reasonably practicable, terminate the right to use and access the Infringing Item and refund a prorated amount of any amount already paid.
However, in the event Contractor exercises option (iii), Contractor shall provide Customer with ninety (90) days of use and access to the Infringing Item prior to termination.

f. Warranty.
Contractor warrants that the applicable product and services (1) will substantially conform to the requirements of the Agreement; (2) will be free of material defects and will be performed with professional care and skill; (3) will be free, at the time of delivery, of harmful code (e.g., computer viruses, worms, trap doors, time bombs, disabling code, or any similar malicious mechanism designed to interfere with the intended operation of, or cause damage to, computers, data, or software); (4) will not infringe or violate any U.S. Intellectual Property Right; and (5) if software, perform in accordance with the software license and accompanying manuals and other printed documents. Further, to the extent Contractor is legally able to do so, Contractor warrants it will pass through any applicable third-party warranties to the City and will reasonably cooperate in enforcing them.

g. Cyber Liability Insurance. At all times during the performance of work under this Agreement and for sixty (60) months following the date of Agreement termination, the Contractor will carry and maintain, at its own expense, Cyber Liability insurance with limits of not less than $1,000,000 per occurrence or claim, and $2,000,000 aggregate.

5. City’s Limitation on Liability. The City’s liability for damages to Contractor for any cause whatsoever arising out of or relating to this Agreement, and regardless of the theory of liability, shall be limited to the total fees paid or payable by City to Contractor for the twelve-month period immediately preceding the date the cause of action arose. The existence of more than one claim shall not expand such limit. This limitation will apply notwithstanding any failure of any essential purpose of any limited remedy.

CERTIFICATE OF LIABILITY INSURANCE (ACORD 25), dated 1/21/2026

Producer: Leavitt Pacific Insurance Brokers, Inc.
License #0D79674, 1570 The Alameda, Suite 101, San Jose CA 95126
Contact: CL Central, phone (408)288-6262, fax (408)364-8100, clclpib@leavitt.com

Insured: Illumant LLC, 431 Florence ST STE 201, Palo Alto CA 94301

Insurers affording coverage (NAIC #):
Insurer A: Hartford Underwriters Insurance Company (30104)
Insurer B: Hartford Insurance Company of Midwest (37478)
Insurer C: Lloyd's of London (R85202)

Certificate number: 26.27 GL, 25.26 WC, Prof.

Coverages:
A - Commercial General Liability, policy 57SBAAY8YUM, 1/25/2026 to 1/25/2027: each occurrence $2,000,000; damage to rented premises (ea occurrence) $1,000,000; med exp (any one person) $10,000; personal & adv injury $2,000,000; general aggregate $4,000,000; products - comp/op agg $4,000,000.
A - Automobile Liability, policy 57SBAAY8YUM, 1/25/2026 to 1/25/2027: combined single limit (ea accident) $2,000,000.
A - Umbrella Liability, policy 57SBAAY8YUM, 1/25/2026 to 1/25/2027: each occurrence $3,000,000; aggregate $3,000,000; retention $10,000.
B - Workers Compensation and Employers' Liability, policy 57WBCNG0526, 12/15/2025 to 12/15/2026: per statute; E.L. each accident $1,000,000; E.L. disease - ea employee $1,000,000; E.L. disease - policy limit $1,000,000.
C - Professional Liability (E&O Tech & Cyber), policy ESOO40505893, 9/20/2025 to 9/20/2026: each claim $5,000,000; retention $5,000.

Description of operations: City of Carlsbad is named additional insured with respect to general liability on a primary and non-contributory basis with waiver of subrogation as per company form SS00080405.

Certificate holder: City of Carlsbad, 1635 Faraday Avenue, Carlsbad, CA 92008

Cancellation: Should any of the above described policies be cancelled before the expiration date thereof, notice will be delivered in accordance with the policy provisions.

Premium schedule: Terrorism (TERR) $254.00; Surcharges (SURC) $36.00; Territory 3 Differential (TDP03) -$95.00; Experience Mod Factor 1 (EXP01) -$7.00; Waiver of Subrogation (WVSUB) $250.00; Increased employer's liability (INEL) $150.00; Expense constant (EXCNT) $200.00; Premium discount (PDIS) -$46.00.

THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY.
Form SL 30 32 06 21 Page 1 of 3 © 2021, The Hartford (May include copyrighted material of Insurance Services Office, Inc., with its permission)

BLANKET ADDITIONAL INSURED BY CONTRACT

This endorsement modifies insurance provided under the following:

BUSINESS LIABILITY COVERAGE FORM

Except as otherwise stated in this endorsement, the terms and conditions of the Policy apply.

A. The following is added to Section C. WHO IS AN INSURED:

Additional Insureds When Required By Written Contract, Written Agreement Or Permit

The person(s) or organization(s) identified in Paragraphs a. through f. below are additional insureds when you have agreed, in a written contract or written agreement, or when required by a written permit issued by a state or governmental agency or subdivision or political subdivision that such person or organization be added as an additional insured on your Coverage Part, provided the injury or damage occurs subsequent to the execution of the contract or agreement, or the issuance of the permit.

A person or organization is an additional insured under this provision only for that period of time required by the contract, agreement or permit.

However, no such person or organization is an additional insured under this provision if such person or organization is included as an additional insured by any other endorsement issued by us and made a part of this Coverage Part.

The insurance afforded to such additional insured will not be broader than that which you are required by the contract, agreement, or permit to provide for such additional insured.

The insurance afforded to such additional insured only applies to the extent permitted by law.

The limits of insurance that apply to additional insureds are described in Section D. LIABILITY AND MEDICAL EXPENSES LIMITS OF INSURANCE. How this insurance applies when other insurance is available to an additional insured is described in the Other Insurance Condition in Section E. LIABILITY AND MEDICAL EXPENSES GENERAL CONDITIONS.
Policy Number: 57SBAAY8YUM

a. Vendors

Any person(s) or organization(s) (referred to below as vendor), but only with respect to "bodily injury" or "property damage" arising out of "your products" which are distributed or sold in the regular course of the vendor's business and only if this Coverage Part provides coverage for "bodily injury" or "property damage" included within the "products-completed operations hazard".

(1) The insurance afforded to the vendor is subject to the following additional exclusions:

This insurance does not apply to:
(a) "Bodily injury" or "property damage" for which the vendor is obligated to pay damages by reason of the assumption of liability in a contract or agreement. This exclusion does not apply to liability for damages that the vendor would have in the absence of the contract or agreement;
(b) Any express warranty unauthorized by you;
(c) Any physical or chemical change in the product made intentionally by the vendor;
(d) Repackaging, except when unpacked solely for the purpose of inspection, demonstration, testing, or the substitution of parts under instructions from the manufacturer, and then repackaged in the original container;
(e) Any failure to make such inspections, adjustments, tests or servicing as the vendor has agreed to make or normally undertakes to make in the usual course of business, in connection with the distribution or sale of the products;
(f) Demonstration, installation, servicing or repair operations, except such operations performed at the vendor's premises in connection with the sale of the product;
(g) Products which, after distribution or sale by you, have been labeled or relabeled or used as a container, part or ingredient of any other thing or substance by or for the vendor; or
(h) "Bodily injury" or "property damage" arising out of the sole negligence of the vendor for its own acts or omissions or those of its employees or anyone else acting on its behalf. However, this exclusion does not apply to:
(i) The exceptions contained in Paragraphs (d) or (f); or
(ii) Such inspections, adjustments, tests or servicing as the vendor has agreed to make or normally undertakes to make in the usual course of business, in connection with the distribution or sale of the products.

(2) This insurance does not apply to any insured person or organization from whom you have acquired such products, or any ingredient, part or container, entering into, accompanying or containing such products.

b. Lessors Of Equipment

(1) Any person or organization from whom you lease equipment; but only with respect to their liability for "bodily injury", "property damage" or "personal and advertising injury" caused, in whole or in part, by your maintenance, operation or use of equipment leased to you by such person or organization.
(2) With respect to the insurance afforded to these additional insureds, this insurance does not apply to any "occurrence" which takes place after you cease to lease that equipment.

c. Lessors Of Land Or Premises

(1) Any person or organization from whom you lease land or premises, but only with respect to liability arising out of the ownership, maintenance or use of that part of the land or premises leased to you.
(2) With respect to the insurance afforded to these additional insureds, this insurance does not apply to:
(a) Any "occurrence" which takes place after you cease to lease that land or be a tenant in that premises; or
(b) Structural alterations, new construction or demolition operations performed by or on behalf of such person or organization.

d. Architects, Engineers Or Surveyors

(1) Any architect, engineer, or surveyor, but only with respect to liability for "bodily injury", "property damage" or "personal and advertising injury" caused, in whole or in part, by your acts or omissions or the acts or omissions of those acting on your behalf:
(a) In connection with your premises;
(b) In the performance of your ongoing operations performed by you or on your behalf; or
(c) In connection with "your work" and included within the "products-completed operations hazard", but only if:
(i) The written contract, written agreement or permit requires you to provide such coverage to such additional insured; and
(ii) This Coverage Part provides coverage for "bodily injury" or "property damage" included within the "products-completed operations hazard".
(2) With respect to the insurance afforded to these additional insureds, the following additional exclusion applies:
This insurance does not apply to "bodily injury", "property damage" or "personal and advertising injury" arising out of the rendering of or the failure to render any professional services, including:
(i) The preparing, approving, or failure to prepare or approve, maps, shop drawings, opinions, reports, surveys, field orders, change orders, designs or drawings and specifications; or
(ii) Supervisory, surveying, inspection, architectural or engineering activities.
This exclusion applies even if the claims allege negligence or other wrongdoing in the supervision, hiring, employment, training or monitoring of others by an insured, if the “bodily injury”, “property damage”, or “personal and advertising injury” arises out of the rendering of or the failure to render any professional service.

e. State Or Governmental Agency Or Subdivision Or Political Subdivision Issuing Permit

(1) Any state or governmental agency or subdivision or political subdivision, but only with respect to operations performed by you or on your behalf for which the state or governmental agency or subdivision or political subdivision has issued a permit.
(2) With respect to the insurance afforded to these additional insureds, this insurance does not apply to:
(a) "Bodily injury", "property damage" or "personal and advertising injury" arising out of operations performed for the federal government, state or municipality; or
(b) "Bodily injury" or "property damage" included within the "products-completed operations hazard".

f. Any Other Party

(1) Any other person or organization who is not in one of the categories or classes listed above in Paragraphs a. through e. above, but only with respect to liability for "bodily injury", "property damage" or "personal and advertising injury" caused, in whole or in part, by your acts or omissions or the acts or omissions of those acting on your behalf:
(a) In the performance of your ongoing operations performed by you or on your behalf;
(b) In connection with your premises owned by or rented to you; or
(c) In connection with "your work" and included within the "products-completed operations hazard", but only if:
(i) The written contract, written agreement or permit requires you to provide such coverage to such additional insured; and
(ii) This Coverage Part provides coverage for "bodily injury" or "property damage" included within the "products-completed operations hazard".
(2) With respect to the insurance afforded to these additional insureds, the following additional exclusion applies:
This insurance does not apply to "bodily injury", "property damage" or "personal and advertising injury" arising out of the rendering of, or the failure to render, any professional architectural, engineering or surveying services, including:
(a) The preparing, approving, or failure to prepare or approve, maps, shop drawings, opinions, reports, surveys, field orders, change orders, designs or drawings and specifications; or
(b) Supervisory, surveying, inspection, architectural or engineering activities.
This exclusion applies even if the claims allege negligence or other wrongdoing in the supervision, hiring, employment, training or monitoring of others by an insured, if the “bodily injury”, “property damage”, or “personal and advertising injury” arises out of the rendering of or the failure to render any professional service described in Paragraphs f.(2)(a) or f.(2)(b) above.