1903 Solutions LLC; 2015-03-25; AGREEMENT FOR PENETRATION TESTING SERVICES
1903 Solutions, LLC
THIS AGREEMENT is made and entered into as of the 25th day of March, 2015, by and between the
CITY OF CARLSBAD, a municipal corporation, ("City"), and 1903 Solutions, LLC, ("Contractor").
RECITALS
A. City requires the professional services of a technology integrator that is
experienced in providing technical network services for City technologies and security
assessments designed to identify critical security issues in the City's network that could be
exploited, utilizing engineers that hold a current security background clearance where
necessary.
B. Contractor has the necessary experience and resources to provide professional
services and advice related to network services and penetration testing that validates host
configurations and produces a list of known vulnerabilities existing on City systems.
C. Contractor has submitted a proposal to City and has affirmed its willingness and
ability to perform such work.
NOW, THEREFORE, in consideration of these recitals and the mutual covenants
contained herein, City and Contractor agree as follows:
1. SCOPE OF WORK
City retains Contractor to perform, and Contractor agrees to render, those services (the
"Services") that are defined in attached Exhibit "A", which is incorporated by this reference in
accordance with this Agreement's terms and conditions.
2. STANDARD OF PERFORMANCE
While performing the Services, Contractor will exercise the reasonable professional care and
skill customarily exercised by reputable members of Contractor's profession practicing in the
Metropolitan Southern California Area, and will use reasonable diligence and best judgment
while exercising its professional skill and expertise.
3. TERM
The term of this Agreement will be effective for a period of one (1) year from the date first above
written. The City Manager may amend the Agreement to extend it for three (3) additional
one (1) year periods or parts thereof in an amount not to exceed twenty five thousand dollars
($25,000) per Agreement year. Extensions will be based upon a satisfactory review of
Contractor's performance, City needs, and appropriation of funds by the City Council. The
parties will prepare a written amendment indicating the effective date and length of the extended
Agreement.
4. TIME IS OF THE ESSENCE
Time is of the essence for each and every provision of this Agreement.
5. COMPENSATION
The total fee payable for the Services to be performed during the initial Agreement term will not
exceed twenty five thousand dollars ($25,000). No other compensation for the Services will be
allowed except for items covered by subsequent amendments to this Agreement. The City
City Attorney Approved Version 1/30/13
reserves the right to withhold a ten percent (10%) retention until City has accepted the work
and/or Services specified in Exhibit "A".
Incremental payments, if applicable, should be made as outlined in attached Exhibit "A".
6. STATUS OF CONTRACTOR
Contractor will perform the Services in Contractor's own way as an independent contractor and
in pursuit of Contractor's independent calling, and not as an employee of City. Contractor will be
under control of City only as to the result to be accomplished, but will consult with City as
necessary. The persons used by Contractor to provide services under this Agreement will not
be considered employees of City for any purposes.
The payment made to Contractor pursuant to the Agreement will be the full and complete
compensation to which Contractor is entitled. City will not make any federal or state tax
withholdings on behalf of Contractor or its agents, employees or subcontractors. City will not be
required to pay any workers' compensation insurance or unemployment contributions on behalf
of Contractor or its employees or subcontractors. Contractor agrees to indemnify City within
thirty (30) days for any tax, retirement contribution, social security, overtime payment,
unemployment payment or workers' compensation payment which City may be required to
make on behalf of Contractor or any agent, employee, or subcontractor of Contractor for work
done under this Agreement. At the City's election, City may deduct the indemnification amount
from any balance owing to Contractor.
7. SUBCONTRACTING
Contractor will not subcontract any portion of the Services without prior written approval of City.
If Contractor subcontracts any of the Services, Contractor will be fully responsible to City for the
acts and omissions of Contractor's subcontractor and of the persons either directly or indirectly
employed by the subcontractor, as Contractor is for the acts and omissions of persons directly
employed by Contractor. Nothing contained in this Agreement will create any contractual
relationship between any subcontractor of Contractor and City. Contractor will be responsible for
payment of subcontractors. Contractor will bind every subcontractor and every subcontractor of
a subcontractor by the terms of this Agreement applicable to Contractor's work unless
specifically noted to the contrary in the subcontract and approved in writing by City.
8. OTHER CONTRACTORS
The City reserves the right to employ other Contractors in connection with the Services.
9. INDEMNIFICATION
Contractor agrees to indemnify and hold harmless the City and its officers, officials, employees
and volunteers from and against all claims, damages, losses and expenses including attorney's
fees arising out of the performance of the work described herein caused by any negligence,
recklessness, or willful misconduct of the Contractor, any subcontractor, anyone directly or
indirectly employed by any of them or anyone for whose acts any of them may be liable.
The parties expressly agree that any payment, attorney's fee, costs or expense City incurs or
makes to or on behalf of an injured employee under the City's self-administered workers'
compensation is included as a loss, expense or cost for the purposes of this section, and that
this section will survive the expiration or early termination of this Agreement.
10. INSURANCE
Contractor will obtain and maintain for the duration of the Agreement and any and all
amendments, insurance against claims for injuries to persons or damage to property which may
arise out of or in connection with performance of the services by Contractor or Contractor's
agents, representatives, employees or subcontractors. The insurance will be obtained from an
insurance carrier admitted and authorized to do business in the State of California. The
insurance carrier is required to have a current Best's Key Rating of not less than "A-:VII", or
be a surplus line insurer on the State of California's List of Eligible Surplus Line Insurers
(LESLI) with a rating in the latest Best's Key Rating Guide of at least "A:X".
10.1 Coverages and Limits.
Contractor will maintain the types of coverages and minimum limits indicated below, unless Risk
Manager or City Manager approves a lower amount. These minimum amounts of coverage will
not constitute any limitations or cap on Contractor's indemnification obligations under this
Agreement. City, its officers, agents and employees make no representation that the limits of
the insurance specified to be carried by Contractor pursuant to this Agreement are adequate to
protect Contractor. If Contractor believes that any required insurance coverage is inadequate,
Contractor will obtain such additional insurance coverage, as Contractor deems adequate, at
Contractor's sole expense.
10.1.1 Commercial General Liability Insurance. $1,000,000 combined single-limit
per occurrence for bodily injury, personal injury and property damage. If the submitted policies
contain aggregate limits, general aggregate limits will apply separately to the work under this
Agreement or the general aggregate will be twice the required per occurrence limit.
10.1.2 Automobile Liability. (if the use of an automobile is involved for
Contractor's work for City). $1,000,000 combined single-limit per accident for bodily injury and
property damage.
10.1.3 Workers' Compensation and Employer's Liability. Workers' Compensation
limits as required by the California Labor Code. Workers' Compensation will not be required if
Contractor has no employees and provides, to City's satisfaction, a declaration stating this.
10.1.4 Professional Liability. Errors and omissions liability appropriate to
Contractor's profession with limits of not less than $1,000,000 per claim. Coverage must be
maintained for a period of five years following the date of completion of the work.
[ ] If box is checked, Professional Liability Insurance requirement is waived.
City's Initials ______ Contractor's Initials ______
10.2. Additional Provisions. Contractor will ensure that the policies of insurance required under
this Agreement contain, or are endorsed to contain, the following provisions:
10.2.1 The City will be named as an additional insured on Commercial General
Liability which shall provide primary coverage to the City.
10.2.2 Contractor will obtain occurrence coverage, excluding Professional
Liability, which will be written as claims-made coverage.
10.2.3 This insurance will be in force during the life of the Agreement and any
extensions of it and will not be canceled without thirty (30) days prior written notice to City sent
by certified mail pursuant to the Notice provisions of this Agreement.
10.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution of this
Agreement, Contractor will furnish certificates of insurance and endorsements to City.
10.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these insurance
coverages, then City will have the option to declare Contractor in breach, or may purchase
replacement insurance or pay the premiums that are due on existing policies in order to
maintain the required coverages. Contractor is responsible for any payments made by City to
obtain or maintain insurance and City may collect these payments from Contractor or deduct the
amount paid from any sums due Contractor under this Agreement.
10.5 Submission of Insurance Policies. City reserves the right to require, at any time,
complete and certified copies of any or all required insurance policies and endorsements.
11. BUSINESS LICENSE
Contractor will obtain and maintain a City of Carlsbad Business License for the term of the
Agreement, as may be amended from time-to-time.
12. ACCOUNTING RECORDS
Contractor will maintain complete and accurate records with respect to costs incurred under this
Agreement. All records will be clearly identifiable. Contractor will allow a representative of City
during normal business hours to examine, audit, and make transcripts or copies of records and
any other documents created pursuant to this Agreement. Contractor will allow inspection of all
work, data, documents, proceedings, and activities related to the Agreement for a period of
three (3) years from the date of final payment under this Agreement.
13. OWNERSHIP OF DOCUMENTS
All work product produced by Contractor or its agents, employees, and subcontractors pursuant
to this Agreement is the property of City. In the event this Agreement is terminated, all work
product produced by Contractor or its agents, employees and subcontractors pursuant to this
Agreement will be delivered at once to City. Contractor will have the right to make one (1) copy
of the work product for Contractor's records.
14. COPYRIGHTS
Contractor agrees that all copyrights that arise from the services will be vested in City and
Contractor relinquishes all claims to the copyrights in favor of City.
15. NOTICES
The names of the persons who are authorized to give written notices or to receive written notice
on behalf of City and on behalf of Contractor under this Agreement are:
For City
Name: Tina Steffan
Title: Chief Technology Officer
Department: Information Technology, City of Carlsbad
Address: 1635 Faraday Avenue, Carlsbad, CA 92008
Phone No.: 760-602-2454
For Contractor
Name: Albert C Brunelle
Title: President
Address: 6440 Lusk Blvd, San Diego, CA 92121
Phone No.: 619-2016-7127
Email: Al.brunelle@1903solutions.com
Each party will notify the other immediately of any changes of address that would require any
notice or delivery to be directed to another address.
16. CONFLICT OF INTEREST
Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the
requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report
investments or interests in all four categories.
17. GENERAL COMPLIANCE WITH LAWS
Contractor will keep fully informed of federal, state and local laws and ordinances and
regulations which in any manner affect those employed by Contractor, or in any way affect the
performance of the Services by Contractor. Contractor will at all times observe and comply with
these laws, ordinances, and regulations and will be responsible for the compliance of
Contractor's services with all applicable laws, ordinances and regulations.
Contractor will be aware of the requirements of the Immigration Reform and Control Act of 1986
and will comply with those requirements, including, but not limited to, verifying the eligibility for
employment of all agents, employees, subcontractors and consultants whose services are
required by this Agreement.
18. DISCRIMINATION AND HARASSMENT PROHIBITED
Contractor will comply with all applicable local, state and federal laws and regulations prohibiting
discrimination and harassment.
19. DISPUTE RESOLUTION
If a dispute should arise regarding the performance of the Services the following procedure will
be used to resolve any questions of fact or interpretation not otherwise settled by agreement
between the parties. Representatives of Contractor or City will reduce such questions, and their
respective views, to writing. A copy of such documented dispute will be forwarded to both
parties involved along with recommended methods of resolution, which would be of benefit to
both parties. The representative receiving the letter will reply to the letter along with a
recommended method of resolution within ten (10) business days. If the resolution thus
obtained is unsatisfactory to the aggrieved party, a letter outlining the disputes will be forwarded
to the City Manager. The City Manager will consider the facts and solutions recommended by
each party and may then opt to direct a solution to the problem. In such cases, the action of the
City Manager will be binding upon the parties involved, although nothing in this procedure will
prohibit the parties from seeking remedies available to them at law.
20. TERMINATION
In the event of the Contractor's failure to prosecute, deliver, or perform the Services, City may
terminate this Agreement for nonperformance by notifying Contractor by certified mail of the
termination. If City decides to abandon or indefinitely postpone the work or services
contemplated by this Agreement, City may terminate this Agreement upon written notice to
Contractor. Upon notification of termination, Contractor has five (5) business days to deliver any
documents owned by City and all work in progress to City address contained in this Agreement.
City will make a determination of fact based upon the work product delivered to City and of the
percentage of work that Contractor has performed which is usable and of worth to City in having
the Agreement completed. Based upon that finding City will determine the final payment of the
Agreement.
Either party upon tendering thirty (30) days written notice to the other party may terminate this
Agreement. In this event and upon request of City, Contractor will assemble the work product
and put it in order for proper filing and closing and deliver it to City. Contractor will be paid for
work performed to the termination date; however, the total will not exceed the lump sum fee
payable under this Agreement. City will make the final determination as to the portions of tasks
completed and the compensation to be made.
21. COVENANTS AGAINST CONTINGENT FEES
Contractor warrants that Contractor has not employed or retained any company or person, other
than a bona fide employee working for Contractor, to solicit or secure this Agreement, and that
Contractor has not paid or agreed to pay any company or person, other than a bona fide
employee, any fee, commission, percentage, brokerage fee, gift, or any other consideration
contingent upon, or resulting from, the award or making of this Agreement. For breach or
violation of this warranty, City will have the right to annul this Agreement without liability, or, in
its discretion, to deduct from the Agreement price or consideration, or otherwise recover, the full
amount of the fee, commission, percentage, brokerage fees, gift, or contingent fee.
22. CLAIMS AND LAWSUITS
By signing this Agreement, Contractor agrees that any Agreement claim submitted to City must
be asserted as part of the Agreement process as set forth in this Agreement and not in
anticipation of litigation or in conjunction with litigation. Contractor acknowledges that if a false
claim is submitted to City, it may be considered fraud and Contractor may be subject to criminal
prosecution. Contractor acknowledges that California Government Code sections 12650 et seq.,
the False Claims Act applies to this Agreement and, provides for civil penalties where a person
knowingly submits a false claim to a public entity. These provisions include false claims made
with deliberate ignorance of the false information or in reckless disregard of the truth or falsity of
information. If City seeks to recover penalties pursuant to the False Claims Act, it is entitled to
recover its litigation costs, including attorney's fees. Contractor acknowledges that the filing of a
false claim may subject Contractor to an administrative debarment proceeding as the result of
which Contractor may be prevented from acting as a Contractor on any public work or improvement
for a period of up to five (5) years. Contractor acknowledges debarment by another jurisdiction
is grounds for City to terminate this Agreement.
23. JURISDICTIONS AND VENUE
Any action at law or in equity brought by either of the parties for the purpose of enforcing a right
or rights provided for by this Agreement will be tried in a court of competent jurisdiction in the
County of San Diego, State of California, and the parties waive all provisions of law providing for
a change of venue in these proceedings to any other county.
24. SUCCESSORS AND ASSIGNS
It is mutually understood and agreed that this Agreement will be binding upon City and
Contractor and their respective successors. Neither this Agreement nor any part of it nor any
monies due or to become due under it may be assigned by Contractor without the prior consent
of City, which shall not be unreasonably withheld.
25. ENTIRE AGREEMENT
This Agreement, together with any other written document referred to or contemplated by it,
along with the purchase order for this Agreement and its provisions, embody the entire
Agreement and understanding between the parties relating to the subject matter of it. In case of
conflict, the terms of the Agreement supersede the purchase order. Neither this Agreement nor
any of its provisions may be amended, modified, waived or discharged except in a writing
signed by both parties.
26. AUTHORITY
The individuals executing this Agreement and the instruments referenced in it on behalf of
Contractor each represent and warrant that they have the legal power, right and actual authority
to bind Contractor to the terms and conditions of this Agreement.
CONTRACTOR
By: (sign here)
Albert C Brunelle, President
(print name/title)
By: (sign here)
(print name/title)
CITY OF CARLSBAD, a municipal corporation of the State of California
By: (sign here)
City Manager
City of Carlsbad
Charles McBride
ATTEST:
BARBARA ENGLESON
City Clerk
If required by City, proper notarial acknowledgment of execution by contractor must be
attached. If a corporation, Agreement must be signed by one corporate officer from each of the
following two groups.
Group A
Chairman,
President, or
Vice-President
Group B
Secretary,
Assistant Secretary,
CFO or Assistant Treasurer
Otherwise, the corporation must attach a resolution certified by the secretary or assistant
secretary under corporate seal empowering the officer(s) signing to bind the corporation.
APPROVED AS TO FORM:
CELIA A. BREWER, City Attorney
BY:
Assistant City Attorney
EXHIBIT "A"
SCOPE OF SERVICES
Geographic Locations
Travel will not be required for this engagement; all work will be performed remotely.
Basic Penetration Test
The external testing includes the following scope:
• Up to 20 external IP addresses
• Testing will be sub-contracted to Dell SecureWorks and performed from Dell SecureWorks'
technical testing facilities
Testing Timelines and Schedules
• Remote manual testing and assessment will occur Monday-Friday, 8 a.m.-8 p.m. Eastern time
• Work required outside of these normal business hours will incur an upcharge, to be approved
by the customer in writing before the work is commenced.
Out of Scope
Locations, devices, and personnel not specifically listed are out of scope.
Note: If any IP addresses, hosts, facilities or web applications within scope are owned by or hosted
with a service provider or other third party, you must obtain that party's permission, in writing
or by email, before Dell SecureWorks will perform testing against them. Alternatively, you may
provide a suitable alternate testing environment.
Work
Basic Penetration Test
The objective of a basic penetration test is to validate host configurations and produce a list of
known vulnerabilities existing on in-scope systems. The testing includes exploitation of
vulnerabilities to reduce false positives.
Pre-Engagement
A critical component of a Dell SecureWorks engagement is to clearly establish and agree to the
rules of engagement. During our initial scheduling and kickoff sessions, the rules of engagement
for the testing are established. Topics to be covered include:
• Goals and objectives for the testing
• Definition of scope, validation of targets
• Testing timelines and schedules
• Rules of engagement, levels of effort and risk acceptance
• Reporting requirements and deliverables, timelines and milestones
• Key personnel, roles and responsibilities, escalation rules and emergency planning
• Our source IP address ranges, tools and techniques
The consultant will send a confirmation email following project kick-off to ensure agreement on
these items.
Execution
A technical network security assessment is designed to identify critical flaws in your network
that an attacker could exploit. Testing may include any networked device, including firewalls,
routers or other network infrastructure devices, intrusion detection and prevention systems, web
servers, email systems, virtual private networking (VPN) systems, etc. We will use a
combination of automated and manual scanning with commercial and publicly available tools, as
well as custom scripts and applications that we have developed.
The types of vulnerabilities typically detected by this testing include:
• Microsoft Windows, Linux, and Unix operating system vulnerabilities and patches
• Known and published host application and service vulnerabilities, such as:
  o Apache, Microsoft IIS, IBM WebSphere and other web servers
  o SMTP (email) servers
  o Remote access services, such as SSH, Telnet, RDP
  o Other server services (NTP, FTP, SSL wrappers, etc.)
• Network device vulnerabilities, such as firewalls, VPNs, routers
• Thousands of other vulnerabilities
Automated tools can greatly assist in reducing work effort and costs associated with repetitive
and time-consuming tasks, but manual techniques and analysis are also performed in each step
to have the greatest understanding of your environment. Manual validation of findings reduces
false positives; manual vulnerability testing reduces false negatives. False positives on a report
lead to wasted effort in remediation. False negatives can expose an organization to risk of
intrusion.
Basic Penetration Test Step I: Scope Validation
We will validate the target list provided. This is a safety measure and will ensure the accuracy of
subsequent findings. We may perform such activities as:
• Ping sweeps, port scans and route tracing
• Footprinting of networks and systems
• Internet domain name registration searches
• Internet registry number searches
• Domain name service (DNS) lookups
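The scope validation step exists to keep the tester inside the rules of engagement agreed at kickoff. As an added example (not code from Dell SecureWorks, 1903 Solutions or the City), the following Python script encodes the constraints this statement of work fixes: at most 20 external IP addresses, testing only Monday through Friday, 8 a.m. to 8 p.m. Eastern, and written permission before any third-party-hosted host is touched. The `THIRD_PARTY_BLOCKS` list, the sample target list and the timestamps are constructed (RFC 5737 documentation ranges), and the function names `validate_targets`, `needs_third_party_permission`, `in_testing_window` and `preflight` are this example's own, not names from the SOW.

```python
"""Rules-of-engagement pre-flight check for an external basic penetration test.

Added example, not Dell SecureWorks or 1903 Solutions tooling. Constants mirror
the statement of work: up to 20 external IP addresses, testing Mon-Fri 08:00-20:00
Eastern, and written permission for third-party-hosted targets. THIRD_PARTY_BLOCKS
and every sample address/time are constructed, not the City's real targets.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:  # assumption: no tz database present; fall back to fixed EDT
    EASTERN = timezone(timedelta(hours=-4), "EDT")

MAX_TARGETS = 20                  # "Up to 20 external IP addresses"
WINDOW_START, WINDOW_END = 8, 20  # Mon-Fri, 8 a.m.-8 p.m. Eastern (end exclusive)

# Address space that can never be an external target for a remote test.
NON_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
)]

# Constructed: netblocks the client reports as hosted by a third party. Testing
# them needs that party's written/email permission or an alternate environment.
THIRD_PARTY_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]


def validate_targets(targets):
    """Split a client-supplied target list into accepted IPs and rejected entries.

    Returns (accepted, rejected): accepted is a list of address strings in the
    order given, capped at MAX_TARGETS; rejected maps each refused raw entry to
    the reason it was refused.
    """
    accepted, rejected, seen = [], {}, set()
    for raw in targets:
        entry = raw.strip()
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # CIDR blocks and hostnames are not single addresses; each host must
            # be listed explicitly so the 20-address count is unambiguous.
            rejected[entry] = "not a single IP address"
            continue
        if any(ip in net for net in NON_EXTERNAL):
            rejected[entry] = "not an external address"
            continue
        if ip in seen:
            rejected[entry] = "duplicate"
            continue
        seen.add(ip)
        accepted.append(str(ip))
    for extra in accepted[MAX_TARGETS:]:
        rejected[extra] = f"exceeds the {MAX_TARGETS}-address limit"
    return accepted[:MAX_TARGETS], rejected


def needs_third_party_permission(ip_str, blocks=THIRD_PARTY_BLOCKS):
    """True if the address sits in a block the client flagged as third-party hosted."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in block for block in blocks)


def in_testing_window(when_iso):
    """True if an ISO 8601 timestamp with UTC offset falls in Mon-Fri 08:00-20:00 Eastern."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset to be converted to Eastern")
    local = when.astimezone(EASTERN)
    return local.weekday() < 5 and WINDOW_START <= local.hour < WINDOW_END


def preflight(targets, start_iso):
    """Combine the checks into one go/no-go summary for the kickoff confirmation email."""
    accepted, rejected = validate_targets(targets)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "needs_permission": [ip for ip in accepted if needs_third_party_permission(ip)],
        "in_window": in_testing_window(start_iso),
    }


if __name__ == "__main__":
    # Constructed sample input: one duplicate, one RFC 1918 address, one
    # third-party-hosted host, one hostname and one CIDR block.
    sample = ["198.51.100.10", "198.51.100.10", "10.0.0.5", "203.0.113.7",
              "not-an-ip", "198.51.100.0/24"]
    print(preflight(sample, "2015-03-30T23:30:00+00:00"))
```

The timestamp check converts to Eastern before testing the weekday and hour, so a start time supplied in UTC late on a Monday evening is correctly placed inside the window while the same clock time an hour later is not; a naive timestamp is refused rather than silently assumed to be Eastern.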
Basic Penetration Test Step II: Enumeration and Vulnerability Mapping
Enumeration involves actively trying to identify services running, applications used, version
numbers, service banners, etc. Testing in this phase is at a more noticeable level of activity,
which might reveal that we are performing types of reconnaissance activities that typically
precede an attack.
In vulnerability mapping, the consultant will take what has been learned about the environment
and attempt to determine vulnerabilities that are present. Some vulnerabilities will be apparent
just using the information learned from the first two steps. However, many vulnerabilities can
only be investigated with probe-and-response testing. In this type of test, the consultant sends
data to a service or application and looks for a certain response that indicates a vulnerability
may be present.
Automated scanning tools occasionally fail to report some vulnerabilities, so we conduct
additional manual testing, which does not rely on automated scanning. A testing methodology
that solely relies on automated scan results can give a false sense of security.
Basic Penetration Test Step III: Vulnerability Exploitation
Automated scanning tools often report false positives - reported vulnerabilities that are not
actually present. For vulnerabilities discovered through automated scanning, we take steps to
ensure report findings are accurate. This step ensures that the vulnerabilities reported are an
accurate representation of your environment. Without this often overlooked step, time may be
wasted attempting to remediate vulnerabilities that don't exist.
The exploitation phase of a penetration test focuses solely on establishing access to a system
or resource by bypassing security restrictions. The goal is to further validate vulnerabilities by
executing known exploits and observing the results. The consultant will devise and develop
possible attacks and testing methods. We will give more emphasis to attacks that cannot or
typically have not been carried out by automated means, as well as those that would expose
you to the highest risk (reputation, direct loss, liability, compliance) if compromised by a
malicious attacker.
As appropriate, testing will include various attacks, such as buffer overflows, format string
attacks, arbitrary code execution and default credentials. We may also attempt customized
attacks, which may be unique to your systems or configurations. However, we will not perform
Denial of Service (DoS) attacks, password brute-forcing, complex password guessing, or other
high-impact/low-value testing without specific written approval.
A Note on Web Applications
Web applications are characteristically the most vulnerable applications, and Dell SecureWorks
has services designed to thoroughly test and assess web application security. If we find web
applications within the range of IP address within scope for this project, we will perform testing
on the web application server, not on the application itself. This testing should not be considered
a comprehensive or focused test of your web application.
External Basic Penetration Test - Remote Retest and Attestation
Once your report has been accepted as final, you will have up to ninety (90) days to remediate
identified, high-risk issues and contact Dell SecureWorks to schedule a retest. Upon notifying
Dell SecureWorks that these issues have been remediated, we will schedule a retest of only the
high-risk findings to confirm your successful remediation. Assuming that all high-risk issues
have been remediated, we will issue a brief attestation letter, with legal disclaimers, that attests
to the scope of testing, and that at the end of the overall testing period, no high-risk issues
remained.
If no high-risk findings are found, no revalidation will be performed and we will issue a brief
attestation letter, with legal disclaimers, that attests to the scope of testing, and that during the
testing period, no high-risk issues were identified. The project will be finalized upon issuance of
the letter.
This covers ONE retest of only the high-risk findings. All testing will be done remotely against
external hosts defined above. Onsite testing is out of scope. If onsite revalidation is desired, a
new Statement of Work must be prepared. We anticipate that you will have remediated these
findings within ninety (90) days and will contact us to perform the retest of high-risk findings;
otherwise the project will be considered final.
Deliverables
Draft and Final Report
The deliverable will include a report section that describes the discovered host vulnerabilities,
ranked by risk. Though an effort will be made to remove false positives, the limit on aggressive
testing during this engagement will make many types of validation impossible. In cases where
we have reason to believe a finding may be a true-positive, but cannot validate it, we will err on
the side of caution and include it in the report.
Dell SecureWorks uses its own proprietary risk ranking methodology, which is designed to be
easy to understand. This methodology presents risks as High, Medium and Low based on many
factors, including ease of exploitation, information obtained or access granted. Should we
discover any findings of a critical nature (those which may indicate past, current or imminent
breaches), we will stop testing and report what we have found immediately. Findings that are
anecdotal and not directly related to risk (such as lookups or traceroutes) will not be included in
the report.
Dell SecureWorks will provide preliminary draft findings to the technical point of contact for
review and clarification. The final report will be issued after review and discussion are complete.
Presentation of the findings and exact deliverables are custom tailored to the type of work
performed, and to customer needs. Final reporting and deliverables will be defined during the
project, as well as interim or ad-hoc reporting. Dell SecureWorks deliverables typically follow a
standard format with two sections:
The first section is targeted toward a non-technical audience - Senior Management, Auditors,
Board of Directors and other concerned parties:
• Executive summary: A jargon and buzz-word free true executive-level summary.
• Summary of findings and recommendations: Describes the environment and high-level
findings and root causes. We make recommendations based on potential risk to your
organization.
• Remediation priority recommendations: Prioritizes high-risk findings based on severity of
risk including recommendation for curative actions.
The second section is targeted to technical staff and provides more granular detail:
• Summary of methods: Contains details specific to the engagement methodology.
• Detailed findings and recommendations: Documents the details of any findings, as well as
recommendations for remediation. Evidence of controls and information sufficient to replicate
the findings is included. Recommendations are based on these root causes and prioritized for a
risk-based remediation with an estimation of relative work effort. Any strong controls in place
that have been identified are described, as well as their impact to the security of the
organization. Descriptions of techniques used and the causes of success or failure are detailed,
as appropriate.
• Attachments: Provides details and specific examples, including screen shots, technical
details, code excerpts and other relevant observations. This section also contains documents or
data that are relevant but do not fit in other categories.
Report Timing
Within three weeks of concluding the work described above, we will issue a draft formal report
to your point of contact. The three weeks following delivery of this draft report are your
opportunity to provide comments concerning the nature and scope of the engagement to be
included in the report. If there are no comments in the three-week comment period, we will
finalize the report for distribution.
City Attorney Approved Version 1/30/13
11
If no changes are required, we encourage you to accept the formal report prior to the three-week waiting period to expedite final delivery.
Timing and Fees
Total not-to-exceed fees for this engagement are: $11,700.00 USD
Basic External Penetration Test $9,620.00
Retest to Validate Remediation $2,080.00
Terms for this engagement
• 30 percent billable before commencement
• 50 percent billable after the draft report is delivered
• 20 percent billable after re-scan report is delivered
Out-of-Pocket Expenses
The fees outlined in the scope of services include all incidental out-of-pocket expenses such as
report preparation and reproduction, faxes, copying, etc.
Out-of-pocket expenses such as those related to transportation, meals and lodging to travel to
perform any of the services are NOT included; these are NOT applicable for this scope.
Scheduling and Reporting
Services outlined within this statement of work require a minimum of 2 weeks advance
notification to schedule.
SecureWorks will make commercially reasonable efforts to meet Carlsbad's requests for dates
and times for the contracted work to be performed, including the work to be performed during
Carlsbad's designated downtime windows, after business hours, meeting Carlsbad deliverable
deadlines, and other Carlsbad scheduling requests. Email confirmation of an agreed upon
schedule, sent by SecureWorks, confirmed and returned by email by Carlsbad, shall
constitute formal acceptance of such schedule. Fee changes do not apply to re-scheduling of
work that does not require travel by SecureWorks.
Within three weeks of completing the portion of our engagement outlined in the statement of
work section, SecureWorks will issue a draft formal report to Carlsbad's designated point of
contact. Carlsbad shall have three weeks from delivery of such draft to provide comments
concerning the nature and scope of the engagement to be included in the report. If there are no
comments received from Carlsbad in the three-week period following delivery, the report shall
be deemed final and SecureWorks will finalize it for distribution.
The designated Carlsbad contact will receive an email confirmation from SecureWorks upon the
completion of work performed under this Statement of Work. Unless otherwise notified in writing
by such Carlsbad contact within thirty (30) days of such email confirmation, all of the work
performed under this Statement of Work shall be deemed complete at the time of such email
confirmation and, if there is a remaining balance owed by Carlsbad, Carlsbad shall be invoiced
and Carlsbad agrees to pay such invoice in accordance with the terms hereunder.
Assumptions
SecureWorks has made the following assumptions:
• SecureWorks will contact Carlsbad's designated representative within five business days after
the execution of this Statement of Work to schedule a time for the services outlined hereunder
to be performed. The services will be scheduled to commence at least 2 weeks from such initial
communication between SecureWorks and Carlsbad's designated representative.
• For the purpose of testing, each in-scope IP is considered to be a separate host, regardless of
potential load balancing, firewalling, etc.
• Customer testing windows allow adequate time for performance of work.
• Required resources are scheduled and available.
• Replies to all document requests and other information are timely and in accordance with the
delivery dates established in the planning phase.
• Carlsbad's team is available to participate in the project. This is crucial to timely and
successful completion.
Applicable to Onsite Services: No onsite services are included.
Applicable to Security Services: Should the Work include security scanning, testing,
assessment, forensics, or remediation Services ("Security Services"), SecureWorks may use
various methods and software tools to probe network resources for security-related information
and to detect actual or potential security flaws and vulnerabilities. Upon fully executed contract
and agreed upon schedule, the City of Carlsbad authorizes SecureWorks to perform such
Security Services (and all such tasks and tests reasonably contemplated by or reasonably
necessary to perform the Security Services or otherwise approved by Carlsbad from time to
time) on network resources with the IP Addresses identified by Carlsbad on the agreed to
schedule and with notification to Carlsbad. Carlsbad represents that, if Carlsbad does not own
such network resources, it will have obtained consent and authorization from the applicable third
party, in form and substance satisfactory to SecureWorks, to permit SecureWorks to provide the
Security Services. SecureWorks shall perform Security Services during a timeframe mutually
agreed upon with Carlsbad. The Security Services, such as penetration testing or vulnerability
assessments, may also entail buffer overflows, fat pings, operating system specific exploits, and
attacks specific to custom coded applications but will exclude intentional and deliberate Denial
of Service Attacks. Furthermore, Carlsbad acknowledges that the Security Services described
herein could possibly result in service interruptions or degradation of Carlsbad's
systems and accepts those risks and consequences. Upon fully executed contract and agreed
upon schedule for these types of activities, the City of Carlsbad authorizes SecureWorks to
provide any or all the Security Services with respect to Carlsbad's systems. The City of
Carlsbad acknowledges it is its responsibility to restore network computer systems to a
secure configuration after SecureWorks' testing.
Applicable to Compliance Services: Should the Work include compliance testing or
assessment or other similar compliance advisory Services ("Compliance Services"), Carlsbad
understands that, although SecureWorks' Compliance Services may discuss or relate to legal
issues, SecureWorks does not provide legal advice or services, none of such Services shall be
deemed, construed as or constitute legal advice and Carlsbad is ultimately responsible for
retaining its own legal counsel to provide legal advice. Furthermore, any written summaries or
reports provided by SecureWorks in connection with any Compliance Services shall not be
deemed to be legal opinions and may not and should not be relied upon as proof, evidence or
any guarantee or assurance as to Carlsbad's legal or regulatory compliance.
Applicable to PCI Compliance Services: Should a Statement of Work include PCI compliance
auditing, testing or assessment or other similar PCI compliance advisory Consulting Services
("PCI Compliance Services"), Carlsbad understands that SecureWorks' PCI Compliance
Services do not constitute any guarantee or assurance that the security of Carlsbad's systems,
networks and assets cannot be breached or are not at risk. These Services are an assessment,
as of a particular date, of whether Carlsbad's systems, networks and assets, and any
compensating controls, meet the applicable PCI standards. Mere compliance with PCI standards
may not be sufficient to eliminate all risks of a security breach of Carlsbad's systems, networks
and assets. Furthermore, SecureWorks is not responsible for updating its reports and
assessments, or enquiring as to the occurrence or absence of such, in light of subsequent
changes to Carlsbad's systems, networks and assets after the date of SecureWorks' final
report, absent a signed Statement of Work expressly requiring the same.
Donna Heraty
From: Donna Heraty
Sent: Friday, March 27, 2015 9:19 AM
To: 'al.brunelle@1903solutions.com'
Cc: Tammy McMinn
Subject: REVISED - Form 700 - Conflict of Interest
Dear Consultant:
Regarding your agreement with the City of Carlsbad for penetration testing services, your agreement states: Contractor shall file a Conflict of Interest Statement with the City Clerk in accordance with the
requirements of the City of Carlsbad Conflict of Interest Code. The Contractor shall report investments or interest in all four
categories.
It has been determined by the City Clerk's Office that you are not required to file a Conflict of Interest Statement as
mentioned in your agreement with the City of Carlsbad. A copy of this email will be added to your file memorializing this
decision.
Should you have any questions, please do not hesitate to contact me.
Kindest regards,
Shelley Collins, CMC
Assistant City Clerk
City Clerk's Office
City of Carlsbad
1200 Carlsbad Village Drive
Carlsbad, CA 92008-1949
www.carlsbadca.gov
760-434-2917 | Shelley.Collins@carlsbadca.gov