Information Security Assessment

DELL SECUREWORKS CONSULTING SERVICES AGREEMENT
STATEMENT OF WORK NUMBER #____
This STATEMENT OF WORK (“SOW”), effective as of Insert Date is made pursuant to the [Master Services
Agreement], [Consulting Services Agreement] [Consulting Services Addendum] dated Insert Date by and between
Dell Corporation Limited trading as Dell SecureWorks with its registered office address at Dell House, Cain Road,
Bracknell, Berkshire RG12 1LF (“Dell SecureWorks”) and Insert Company Name with its principal place of
business located at Insert Company Location (“Client”).
1.0 Scope
Geographic Locations
Some work for this engagement may be performed remotely, as necessary and appropriate. The scope of this
engagement includes travel to the following areas:
● Corporate Headquarters: XYZ, City, State, Zip Code
● Data Centre: XYZ, City, State, Zip Code
Information Security Assessment
The scope of the engagement includes the following:
● Up to XX servers
● Up to XX workstations
● Up to XX systems that handle Personally Identifiable Information (PII)
● Up to XX interview/elicitation sessions to complete onsite
● Assessment will be performed from one of the facilities listed in the Geographic Locations section above
Testing timelines and schedules
All onsite manual testing and assessment work will occur Monday-Friday, 8 a.m. – 6 p.m. local time. Work required
outside of these normal business hours will incur an upcharge, to be approved by customer in advance. Automated
testing may be performed outside of this window if it can be scheduled in advance.
All remote manual testing and assessment work will occur Monday-Friday, 8 a.m. – 8 p.m. local time. Work
required outside of these normal business hours will incur an upcharge, to be approved by customer in advance.
Automated testing may be performed outside of this window if testing can be scheduled in advance.
Out of Scope
● Locations, devices or personnel not specifically listed as in scope are out of scope.
Note: If any IP addresses, hosts, facilities or web applications within scope are owned by, or hosted with, a service
provider or other third party, you must obtain that party's permission, in writing or by email, before Dell
SecureWorks will perform testing. Alternatively, you may provide a suitable alternate testing environment.
2.0 Statement of Work
2.1 Information Security Assessment
Dell SecureWorks will review your Information Security Program to assess its compliance with regulatory
requirements and best practices. This includes reviewing policies, standards, guidance, procedures and other
documents. Spot checks will be performed of controls in place where appropriate.
Risk Assessment and Treatment
IT controls result from an effective risk assessment process; the ability to mitigate IT risks therefore depends on
sound risk assessment and risk analysis. We will assess whether operations and senior management have identified,
measured, controlled and monitored technology risks that threaten the safety and soundness of your institution. We
will assess whether you have planned for the use of technology, assessed the risks associated with it, decided how to
implement it and established a formal process to measure and monitor the risk taken on. Specifically, we will assess
that you have:
● An effective planning process that aligns IT and business objectives
● An on-going risk assessment process that evaluates the environment and potential changes
● Technology implementation procedures that include appropriate controls
● Measurement and monitoring efforts that effectively identify ways to manage risk exposure
Security Policy
We will assess if management has set clear policy direction in line with business objectives and if it demonstrates
support and commitment to information security through:
● Information security policy documentation
● Review of information security policy
Information Security Organisation
We will assess organisational aspects of your security program through a review of:
● Management commitment
● Information security coordination
● Assignment of roles and responsibilities
● Authorisation processes
● Communication strategies
Service Provider Oversight
We will evaluate your controls over service provider arrangements and determine whether such arrangements
provide an effective means to support the institution’s technology needs while retaining your responsibility for
managing risk. We will evaluate the following areas:
● SSAE 16 (formerly SAS-70) reviews
● Due diligence
● Control and security service level agreements
Asset Management
We will assess the controls surrounding the protection of your assets. We will review documentation regarding:
● Responsibility for assets
● Information categorization
Personnel Security
We will evaluate controls over legitimate users and their access and credentialing for system access necessary to
perform their duties. Because of their internal access levels and intimate knowledge of financial institution
processes, authorised users pose a potential threat to systems and data. We will evaluate the following areas:
● Background checks and screening
● Confidentiality, non-disclosure and authorised use agreements
● Job descriptions
● Training
Physical Security
We will assess your ability to maintain the confidentiality, integrity and availability of information, and evaluate the
assurances provided by physical access controls. We will review:
● Data centre security
● Cabinet and vault security
● Physical security
Communications and Operations Management
We will assess the controls surrounding:
● Operational procedures
● Service delivery management
● System planning and acceptance
● Protection against malicious and mobile code
● Back-up and restore
● Network security management
● Media handling
● Exchange of information
● E-commerce service delivery
● Monitoring
Logical and Administrative Access Control
We will assess the logical and administrative access controls, and evaluate their ability to restrict access to system
resources. We will review the following areas:
● Business requirements for access control
● User access management
● User responsibilities
● Network access controls
● Operating system access controls
● Application and information access controls
● Mobile computing and communications
Systems Development, Acquisition and Maintenance
We will evaluate your system development, acquisition and maintenance functions and assess whether security
controls are built into software before it is developed, acquired and implemented. We will review controls in the
following areas:
● Security requirements of information systems
● Correct processing in applications
● Cryptography
● Security of system files
● Security in development and support processes
● Technical vulnerability management
Incident Management
We will assess your capability to detect and react to an intrusion into your information systems. Security systems
must restrict access, but because those access restrictions can fail, detection and response capabilities must
identify and react to intrusions when they do. This control area is critical for an effective response program. We
will evaluate the following areas:
● Intrusion detection capabilities
● Intrusion response capabilities
● Incident handling procedures (including risk escalation and notification)
Business Continuity
We will evaluate your business continuity plans, including whether the plan contains significant security and
availability considerations. Business continuity plans will be reviewed as an integral part of the security process.
Compliance
We will determine if controls are in place that will protect against breach of law, regulatory, contract obligations or
security requirements. Controls we will review include:
● Compliance with legal requirements
● Compliance with security policies, standards and technical compliance
● Information systems audit
3.0 Deliverables
3.1 Draft and Final Report
Dell SecureWorks will provide preliminary draft findings to the technical point of contact for review and
clarification. The final report will be issued after review and discussion are complete. Presentation of the findings
and exact deliverables are custom tailored to the type of work performed, and to customer needs. Final reporting and
deliverables will be defined during the project, as well as interim or ad-hoc reporting. Dell SecureWorks
deliverables typically follow a standard format with two sections:
The first section is targeted toward a non-technical audience - Senior Management, Auditors, Board of Directors
and other concerned parties:
● Executive summary: A jargon- and buzzword-free, true executive-level summary.
● Summary of findings and recommendations: Describes the environment and the high-level findings and root
causes. We make recommendations based on risk to your organisation.
● Risk analysis matrix: Details high-risk findings with recommendations for curative actions.
● Remediation priority matrix: Prioritises remediation of high-risk findings based on the severity of risk to
business processes, not just technology.
● Remediation work effort matrix: Provides "level of effort" estimates to remediate high-risk findings. A
detailed project plan is included if appropriate.
● Controls in place matrix: Acknowledges existing controls for your most critical risks.
The second section is targeted to technical staff and provides more granular detail:
● Summary of methods: Contains details specific to the engagement methodology.
● Detailed findings and recommendations: Documents the details of any findings, as well as
recommendations for remediation. Evidence of controls and information sufficient to replicate the findings
is included. Recommendations are based on these root causes and prioritised for a risk-based remediation
with an estimation of relative work effort. Any strong controls in place that have been identified are
described, as well as their impact to the security of the organisation.
● Attachments: Provides details and specific examples, including screen shots, technical details, code
excerpts and other relevant observations. This section also contains documents or data that are relevant but
do not fit in other categories.
3.2 Report Timing
Within three weeks of concluding the work described above, we will issue a draft formal report to your point of
contact. The three weeks following delivery of this draft report are your opportunity to provide comments
concerning the nature and scope of the engagement to be included in the report. If there are no comments in the
three-week comment period, we will finalise the report for distribution. If no changes are required, we encourage
you to accept the formal report before the three-week comment period ends to expedite final delivery.
4.0 Timing and Fees
4.1 Fees
The work shall be delivered as a fixed price engagement and limited to a maximum of <insert> days.
The cost of this engagement excluding expenses is £ZZZ
Including expenses, client's total payments under this SOW shall be limited to a maximum of £ZZZZ excluding
VAT.
Terms for this engagement:
● X% billed at point Y
The work is estimated as requiring <insert> days. This SOW is a Time & Materials engagement with an estimated
cost of £ZZZZ excluding VAT based on a daily billing rate of £XXXXX. The final amount shall be determined on
the basis of the actual amount of time spent on the work. The Parties shall agree any increase of the cost limit in
advance, in writing. Client will be invoiced monthly for work activity conducted against this SOW.
The price for the engagement is based on the target environment as discussed with Dell SecureWorks. If the
assumptions, client responsibilities and parameters within the scope of work used to develop this proposal are found
to be incorrect, or to have changed, the parties agree to pursue resolution through change management.
If any of the assumptions used in developing this proposal (including time on tasks, locations and service
consumption) and relied upon by Dell SecureWorks vary by more than five percent (5%) in either direction, Dell
SecureWorks reserves the right to adjust the pricing to reflect such changes.
Any additional work required beyond our current estimate will be added to our invoices at the daily billing rate
given above.
The following conditions apply to this SOW:
● The fees outlined in our scope of services include all incidental out-of-pocket expenses including report
preparation and reproduction, faxes, copying, etc.
● The fees outlined in our scope of services do NOT include out-of-pocket travel expenses, including
reasonable transportation, meals and lodging expenses incurred to perform any of the services outlined
hereunder. Such reasonable out-of-pocket expenses will be added at cost to Client's invoice.
● Terms for payments are net 30.
● VAT, at the prevailing rate, will be added to all applicable charges.
4.2 Timing
Dell SecureWorks will make commercially reasonable efforts to meet Client’s requests for dates and times for the
contracted work to be performed. The fees do not include weekend or after hours work. Such work can only be
scheduled by mutual agreement, in advance. After hours and weekend work will be conducted at 1.5 times our
quoted rate. Email confirmation of an agreed upon schedule, sent by Dell SecureWorks, confirmed by email by the
Client, shall constitute formal acceptance of such schedule. Once scheduling of any work has been mutually agreed
upon, and the schedule is formally accepted by the Client, changes by the Client within 2 weeks of the project
initiation will incur a one day rate re-scheduling fee for each instance.
Dell SecureWorks has made the following assumptions in creating this SOW:
● Client resources are scheduled and available to Dell SecureWorks;
● Client has provided suitable workspace for Dell SecureWorks' staff and equipment;
● Client's computer systems and network for testing, building access, etc. are made available to Dell
SecureWorks; and
● Client replies to all document requests and other information in a timely manner.
4.3 Term
The term of this SOW and the Services hereunder shall commence on the date this SOW is executed by both parties
and terminate on the date which is one (1) year thereafter.
5.0 Disclaimers
Applicable to Security Services: Should a Statement of Work include security scanning, testing, assessment,
forensics, or remediation Services (“Security Services”), Client understands that Dell SecureWorks may use various
methods and software tools to probe network resources for security-related information and to detect actual or
potential security flaws and vulnerabilities. Client authorises Dell SecureWorks to perform such Security Services
(and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Security Services or
otherwise approved by Client from time to time) on network resources with the IP Addresses identified by Client.
Client represents that, if Client does not own such network resources, it will have obtained consent and authorisation
from the applicable third party, in form and substance satisfactory to Dell SecureWorks, to permit Dell SecureWorks
to provide the Security Services. Dell SecureWorks shall perform Security Services during a timeframe mutually
agreed upon with Client. The Security Services, such as penetration testing or vulnerability assessments, may also
entail buffer overflows, fat pings, operating system specific exploits, and attacks specific to custom coded
applications but will exclude intentional and deliberate Denial of Service Attacks. Furthermore, Client
acknowledges that the Security Services described herein could possibly result in service interruptions or
degradation regarding the Client’s systems and accepts those risks and consequences. Client hereby consents and
authorises Consultant to provide any or all the Security Services with respect to the Client’s systems. Client further
acknowledges it is the Client’s responsibility to restore network computer systems to a secure configuration after
Consultant testing.
Applicable to Compliance Services: Should a Statement of Work include compliance testing or assessment or
other similar compliance advisory Services (“Compliance Services”), Client understands that, although Dell
SecureWorks' Compliance Services may discuss or relate to legal issues, Dell SecureWorks does not provide legal
advice or services, none of such Services shall be deemed, construed as or constitute legal advice and that Client is
ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, any written
summaries or reports provided by Dell SecureWorks in connection with any Compliance Services shall not be
deemed to be legal opinions and may not and should not be relied upon as proof, evidence or any guarantee or
assurance as to Client’s legal or regulatory compliance.
Applicable to PCI Compliance Services: Should a Statement of Work include PCI compliance auditing, testing or
assessment or other similar PCI compliance advisory Consulting Services (“PCI Compliance Services”), Client
understands that Dell SecureWorks' PCI Compliance Services do not constitute any guarantee or assurance that
security of Client’s systems, networks and assets cannot be breached or are not at risk. These Services are an
assessment, as of a particular date, of whether Client’s systems, networks and assets, and any compensating controls
meet the applicable PCI standards. Mere compliance with PCI standards may not be sufficient to eliminate all risks
of a security breach of Client’s systems, networks and assets. Furthermore, Dell SecureWorks is not responsible for
updating its reports and assessments, or enquiring as to the occurrence or absence of such, in light of subsequent
changes to Client’s systems, networks and assets after the date of Dell SecureWorks’ final report, absent a signed
Statement of Work expressly requiring the same.
Purchase Orders: This Statement of Work is agreed to by the parties. Any terms and conditions attached to, or
described within any purchase order outside of this Statement of Work by Client in connection with this Statement
of Work are null and void.
Applicable to Onsite Services: Notwithstanding employees’ placement at the Client location, Dell SecureWorks
retains the right to control the work of the employee. For international travel, Onsite Services may require additional
documentation, such as Visas, visitor invitations, etc. which may affect timing and out of pocket costs.
DELL CORPORATION LIMITED                          Insert Company Name
By: _________________________                     By: _____________________________
Title: _______________________                    Title: ___________________________
Date: _______________________                     Date: ____________________________