STATEMENT OF WORK - RSA
Project Name: RSA
Seller Representative: Carlos Henley, 8503218771, carlhen@cdw.com
Customer Name: CITY OF CLEARWATER
CDW Affiliate: CDW Government, LLC.
Date Requested: June 15, 2018
Solution Architect: Mikela Lea
Seller Services Manager: Faruk Azam
This statement of work ("Statement of Work" or "SOW") is made and entered into on the date this SOW is signed by both parties (the "SOW Effective Date") by and between the undersigned, CDW Government, LLC. ("Provider", "Seller" and "we") and CITY OF CLEARWATER ("Customer" and "you").
PROJECT DESCRIPTION
PROJECT SCOPE
The Rapid Security Assessment (RSA) is a security assessment designed to balance the need for thorough and reliable security testing with the demands of short timelines and limited budgets. During this assessment, we use commercially available vulnerability scanners, proprietary tools developed by our security engineers, and tools created by the open source community to identify and document existing weaknesses, and provide our advice for the remediation of vulnerabilities identified during the course of the engagement. Where appropriate, the engineers may exploit vulnerabilities in order to more accurately determine the risk to your environment. The RSA report is a hybrid of the engineers' observations of the current state of your network security and their interpretations of the data gathered by the scanners.
The RSA consists of up to four parts, as described below.
SCOPE OPTIONS
PART A: INTERNET SECURITY TESTING
The engineers will scan Internet-visible hosts, identify services running on the hosts, and conduct testing for vulnerabilities to known exploits. Test results will be manually validated, as necessary, in an effort to minimize false-positive reporting. Where appropriate, the engineers may exploit vulnerabilities in order to more accurately determine the risk to your environment. The Internet Test portion of the RSA offering is limited to 40 targets.
PART B: INTERNAL SECURITY TESTING
The Internal Assessment contains multiple tasks.
1. Internal Vulnerability Scan - The engineers will scan your internal network, identify services running on the hosts, and conduct testing for vulnerabilities to known exploits. Test results will be manually validated, as necessary, in an effort to minimize false-positive reporting. The Internal Test portion of the RSA offering is limited to 1,000 targets.
Page 1
Proprietary and Confidential CDW, LLC.
Version: 1
Contract Number: 31974
Drafted by: Desiree Pagan
2. Penetration Testing — Penetration testing of key organizational IT assets will be performed, in an attempt to gain access to these key assets and provide documentation on the path to access.
3. Domain Security and Password Audit — An audit of passwords and password-related policies used within the organization will be performed, with guidance provided on potential improvements. This item is limited to a single Active Directory domain.
4. Authenticated Scan — Up to 50 workstations will be tested via an authenticated scan. The results of this scan, once validated, should provide a good snapshot of workstation security.
PART C: WIRELESS SECURITY TESTING
The engineers will scan the 802.11-based signal cloud around your network, testing for ways that outsiders could eavesdrop on your wireless communications, break authentication or cryptographic protocols, or impersonate elements of your wireless infrastructure. The Wireless Test portion of the offering is limited to one physical site (the same site at which Part B will take place).
PART D: SOCIAL ENGINEERING PHISHING EXERCISE
Social Engineering is a process in which access is gained to a network using people and process, often combined with technology. Various types of social engineering can be used by a hostile party to exploit a network. Seller will only demonstrate non-malicious and non-harmful Social Engineering Techniques to demonstrate these possible vulnerabilities. We propose a Spear Phishing Attack against the employees (computer users) of Customer network.
The exercise will include the following items.
• Social Engineering (Spear Phishing) exploit against the users of Customer network.
• Email addresses can be mined from the Internet or Customer can provide a list of the user email addresses.
• The collection of the responses will be provided within the report. Customer can designate if they want to include or omit user names and password content in the report.
PROJECT KICKOFF — KEY ACTIVITIES
1. IP Addresses to be scanned will be shared from Customer to Seller. Any addresses to exclude will be discussed. Any time-of-day exclusions to scanning will be discussed.
2. For Part B, a pre-arranged time and date for an end to the penetration testing task will be discussed. If the engineers are unsuccessful in uncovering valid administrative credentials by this time, Customer will provide valid credentials at this prearranged time to allow the domain security and password audit and authenticated scan to be completed.
CUSTOMER RESPONSIBILITIES
1. For Parts A and B, Customer will provide Customer IP addresses to be scanned. By providing these addresses, Customer acknowledges permission for scanning and penetration testing to take place.
2. For Part B, if the penetration test is unsuccessful in uncovering valid administrative credentials, Customer will provide valid credentials at a prearranged time to allow the domain security and password audit and authenticated scan to be completed.
3. Obtain any necessary permission for testing of systems hosted or managed by third parties.
PROJECT ASSUMPTIONS
1. A target is defined to be a system to be scanned. Often, there is a one-to-one mapping between an IP address and a target. However, there are situations, such as name-based virtual web hosting, where there are multiple targets that map to one IP address.
2. For Part A, the number of Internet-facing targets to be scanned is capped at 40.
3. For Part B, the number of internal targets to be scanned is capped at 1,000.
4. For Part B, the domain security and password audit task is limited to a single Active Directory domain.
5. For Part B, the number of workstations to be scanned during the authenticated scan is capped at 50.
6. For Part B, the domain security and password audit as well as the authenticated scan require a level of privilege in the environment. It is the intent to acquire this privilege during the penetration test. However, if the necessary level of privilege is not gained, it is assumed that Customer will provide credentials at a pre-arranged time to allow these parts of the engagement to proceed. If the credentials are not provided in a timely fashion, the domain security and password audit and authenticated scan will be removed from the project's scope.
7. While rare, network scanning can potentially have an adverse effect on a host. It is understood that Seller bears no liability for any loss of service to a host during this engagement due to network scanning.
8. Assessment activities may include attacks against end-user clients, such as email-based attacks (where these attacks focus on technical issues rather than user behavior). Note that this does not include credential phishing unless phishing is specifically included in the project scope.
9. It is assumed that Customer's IT staff will be aware of Seller's assessment activities and will not actively interfere with or attempt to actively defend against Seller's attacks and assessment activities. Active interference by Customer staff in Seller's assessment activities may result in limited results from the assessment or a reduction in scope. In this event, a change order may be needed to increase the project cost and/or timeline in order to complete the full original scope of the assessment.
10. Post-remediation scans or retesting of findings are out of scope for this project and may incur additional cost.
ITEM(S) PROVIDED TO CUSTOMER
The following will be provided to Customer by the completion of this project:
Rapid Security Assessment Report — The report outlines the efforts undertaken by the engineers and provides customized security findings and recommendations for improvement.
The report includes:
• An executive summary showing the effectiveness of your security controls,
• Summarized high-level recommendations and a rating of the overall risk of the environment,
• An outline of the efforts made by the engineers, highlighting attacks that were successful or otherwise pose higher risks,
• Summaries of more widespread issues, with detailed itemized lists of weaknesses presented when appropriate, and
• A section listing recommendations, ordered by priority and by the estimated cost to fix them, with high-priority, low-cost items at the top of the list.
Seller prides itself on the quality and usefulness of this report. Although automated scanners are used during the assessment, the report is not simply a reproduction of output from automated tools.
Due to the sensitive nature of this report, we will convey to you a password-encrypted file. Only members of our assessment team have access to the report.
Once we have delivered the report, we will solicit your feedback. If necessary, we will revise the report. Once the report is finalized, we will conduct a project wrap-up call to walk through the project one final time and ensure that any remaining questions are addressed.
Services not specified in this SOW are considered out of scope and will be addressed with a separate SOW or Change Order.
PROJECT MANAGEMENT
Seller will assign a project management resource to perform the following activities during the project:
• Kickoff Meeting. Review SOW including project objectives and schedule, logistics, identify and confirm project participants and discuss project prerequisites.
• Project Schedule or Plan. A project schedule that details the schedule and resources assigned to the project.
• Weekly Status Meetings and Reports. Status meetings will be conducted on a weekly basis. During these meetings, Seller and you will discuss action items, tasks completed, tasks outstanding, issues, and conduct a budget review.
• Change Management. When a change to a project occurs, Seller's project change control process will be utilized.
• Project Closure Meeting. The project team will meet to recap the project activities, provide required documentation, discuss any next steps, and formally close the project.
PROJECT SCHEDULING
Customer and Seller, who will jointly manage this project, will together develop timelines for an anticipated schedule ("Anticipated Schedule") based on Seller's project management methodology. Any dates, deadlines, timelines or schedules contained in the Anticipated Schedule, in this SOW or otherwise, are estimates only, and the Parties will not rely on them for purposes other than initial planning.
TOTAL FEES
The total fees due and payable under this SOW ("Total Fees") include both fees for Seller's performance of work ("Service Fees") and any other related costs and fees specified in the Expenses section ("Expenses"). Unless otherwise specified, taxes will be invoiced but are not included in any numbers or calculations provided herein. Seller will invoice for the Total Fees.
SERVICES FEES
Services Fees hereunder are FIXED FEES. The Services Fees will be invoiced depending upon the scope option selected by Customer, as indicated by a checkmark or initial next to the desired scope option and associated price in Table 1 below. CUSTOMER MUST SELECT AND INDICATE ONE OPTION AT THE TIME OF SIGNATURE.
Services fees will be invoiced upon project completion.
Table 1- Services Fees Options
EXPENSES
Neither travel time nor direct expenses will be billed for this project.
Two (2) weeks' advance notice from Customer is required for any necessary travel by Seller personnel.
CUSTOMER-DESIGNATED LOCATIONS
Seller will provide Services benefiting the locations specified on the attached Exhibit ("Customer-Designated Locations").
PROJECT-SPECIFIC TERMS
1. Customer is responsible for providing all physical and communications access, privileges, environmental conditions, properly functioning hardware and software, qualified personnel, project details, material information, decisions/directions, and personnel and stakeholder interviews that are reasonably necessary to assist and accommodate Seller's performance of the Services ("Customer Components").
2. Seller is not responsible for delays in performance directly caused by the unavailability of the Customer Components and will have the right to invoice Customer for any time Seller's thereby idled or reassigned personnel would have spent on the project (calculated according to the rates specified under Professional Services Fees).
3. Seller may invoice Customer for any additional or different services prompted by Customer's inability to timely provide the Customer Components.
4. Customer will provide in advance and in writing, and Seller will follow, all applicable Customer safety and security rules and procedures.
5. Customer will secure and maintain the confidentiality of all Seller personnel information.
6. When Services are performed at a Customer-Designated Location, the site will be secure; Seller is not responsible for lost or stolen equipment.
7. Both parties have the right to terminate this SOW upon written notice to the other party.
SOW TERMS AND CONDITIONS
CONTACT PERSON(S)
Each Party will appoint a person to act as that Party's point of contact ("Contact Person") as the time for performance nears and will communicate that person's name and information to the other Party's Contact Person. The Customer Contact Person is authorized to approve materials and Services provided by Seller, and Seller may rely on the decisions and approvals made by the Customer Contact Person (except that Seller understands that Customer may require a different person to sign any Change Orders amending this SOW). The Customer Contact Person will manage all communications with Seller, and when Services are performed at a Customer-Designated Location, the Customer Contact Person will be present or available.
The Parties' Contact Persons shall be authorized to approve changes in personnel and associated rates for Services under this SOW.
PAYMENT TERMS
Except as otherwise agreed by the Parties, Customer will pay invoices containing amounts authorized by this SOW within thirty (30) days of receipt. Any objections to an invoice must be made to the Seller Contact Person within fifteen (15) days after the invoice date.
EXPIRATION AND TERMINATION
This SOW expires and will be of no force or effect unless it is signed by Customer, transferred in its entirety to Seller so that it is received within thirty (30) days from the date written on its cover page, and then signed by Seller, except as otherwise agreed by Seller. This SOW can be terminated by Seller without cause upon at least fourteen (14) days' advance written notice.
CHANGE ORDERS
This SOW may be modified or amended only in a writing drafted by Seller, generally in the form provided by Seller and signed by both Customer and Seller ("Change Order"). Each Change Order will be of no force or effect until signed by Customer, transferred in its entirety to Seller so that it is received within thirty (30) days from the date on its cover page and then signed by Seller, except as otherwise agreed by Seller.
In the event of a conflict between the terms and conditions set forth in a fully-executed Change Order and those set forth in this SOW or a prior fully-executed Change Order, the terms and conditions of the most recent fully-executed Change Order shall prevail.
MISCELLANEOUS AND SIGNATURES
This SOW shall be governed by that certain Sourcewell (formerly NJPA) Vendor Agreement 100614#CDW
between CDW Government LLC and Sourcewell effective December 1, 2014 (the "Agreement"). If there is a
conflict between this SOW and the Agreement, then the Agreement will control, except as expressly amended in this
SOW by specific reference to the Agreement. References in the Agreement to a SOW or a Work Order apply to this
SOW. This SOW is the proprietary and confidential information of Seller, provided however, nothing in this SOW or the Agreement shall prevent Customer from disclosing Seller's proprietary and confidential information to the extent required by law.
SIGNATURES
In acknowledgement that the parties below have read and understood this Statement of Work and agree to be bound by it, each party has caused this Statement of Work to be signed and transferred by its respective authorized representative.
CDW Government, LLC.
By: [signature]
Name: Stephanie Santander
CITY OF CLEARWATER
By:
Signature
Name:
Date: June 26, 2018 (CDW Government, LLC.)
Date: (CITY OF CLEARWATER)
CDW Government, LLC.
Mailing Address: 230 N. Milwaukee Avenue, Vernon Hills, IL 60061
❑ A purchase order for payment hereunder is attached.
❑ A purchase order is not required for payment hereunder.
❑ The following PSM has given approval: Faruk Azam

CITY OF CLEARWATER
Mailing Address: Street: / City/ST/ZIP:
Billing Contact: Street: / City/ST/ZIP:
By: [signature]
William B. Horne II, City Manager

Approved as to form: Owen Kohler, Assistant City Attorney
Attest: Rosemarie Call, City Clerk
EXHIBIT A.
CUSTOMER-DESIGNATED LOCATIONS
Seller will provide Services benefiting the following locations ("Customer-Designated Locations").
Table 2 - Customer-Designated Locations
Headquarters: 100 S Myrtle Ave, Clearwater, FL 33756
Services at this location: ☑ Assessment ❑ Configuration ❑ Design ❑ Implementation ❑ Project Management ❑ Staff Augmentation ❑ Support ❑ Training ❑ Custom Work