Consultant Services - IT (TruSecure Corporation), Contract 974-176-04-1
Effective: 7/15/2003 through 7/14/2004
Contents: Certification; Legal Information; Exhibit A - Specifications; Exhibit B - Price Sheet; Exhibit C - Ordering Instructions; Complete Contract
http://www.myflorida.com/st_contracts/974176041/ (3/15/2004)

FLORIDA DEPARTMENT OF MANAGEMENT SERVICES
JEB BUSH, Governor
WILLIAM S. SIMON, Secretary
Suite 315

CERTIFICATION OF CONTRACT

TITLE: Consultant Services - IT (TruSecure Corporation)
CONTRACT NO.: 974-176-04-1
ITN NO.: 974-176
EFFECTIVE: See Contract Paragraph 1.03, Term, and 2.36, Effective Date
SUPERSEDES: 974-176-02-1
CONTRACTOR(S): TruSecure Corporation (C)

ANY QUESTIONS, SUGGESTIONS, OR CONTRACT SUPPLIER PROBLEMS WHICH MAY ARISE SHALL BE BROUGHT TO THE ATTENTION OF MAUREEN LIVINGS AT (850) 488-2103, SUNCOM 278-2103, E-MAIL: livingm@dms.state.fl.us

A. AUTHORITY - Upon affirmative action taken by the State of Florida Department of Management Services, a contract has been executed between the State of Florida and the designated contractors.

B. EFFECT - This contract was entered into to provide economies in the purchase of Consultant Services - IT by all State of Florida agencies and institutions. Therefore, in compliance with Section 287.042, Florida Statutes, all purchases of these commodities shall be made under the terms, prices, and conditions of this contract and with the suppliers specified.

C. ORDERING INSTRUCTIONS - All purchase orders shall be issued in accordance with the attached ordering instructions. Purchaser shall order at the prices indicated, exclusive of all Federal, State and local taxes. All contract purchase orders shall show the State Purchasing contract number, product number, quantity, description of item, with unit prices extended and purchase order totaled.
(This requirement may be waived when purchase is made by a blanket purchase order.)

State Purchasing • 4050 Esplanade Way, Suite 350, Tallahassee, Florida 32399-0950 • TELEPHONE: 850-488-8440 • FAX: 850-488-5498

D. CONTRACTOR PERFORMANCE - Agencies shall report any vendor failure to perform according to the requirements of this contract on Complaint to Vendor, form PUR 7017. Should the vendor fail to correct the problem within a prescribed period of time, then form PUR 7029, Request for Assistance, is to be filed with this office.

E. SPECIAL AND GENERAL CONDITIONS - Special and general conditions are enclosed for your information. Any restrictions accepted from the supplier are noted on the ordering instructions. State Purchasing has awarded the IT Consulting contracts on a non-exclusive basis to qualified vendors, but purchasing officers shall seek competition between IT consulting vendors for purchases over $25,000, in accordance with contract paragraph 1.06, titled "Deliverables". The consulting vendor rates published in the contracts are ceiling rates, and to the extent practicable, agencies should negotiate lower rates depending on the complexity and duration of a proposed project. Where procurement is sought and only one source is available from State Term Contracts, the agency/entity shall document this file as to the conditions and circumstances warranting this decision.

F. CONTRACT APPRAISAL FORM - State Contract Appraisal, form PUR 7073, should be used to provide your input and recommendations for improvements in the contract to State Purchasing, for receipt no later than 90 days prior to the expiration date of this contract.
Authorized Signature (date)
ML/sec
Attachments

Exhibit "A" — Portfolio of Services

Security Assurance Services

TruSecure Security Assurance Services (SAS) help your organization identify and mitigate risk to your critical IT assets, then help you maintain an essential level of security health across your enterprise on an ongoing basis. Unlike solutions offered by security software vendors, consulting firms, and other managed security service providers, TruSecure's Security Assurance Services are fixed-fee, annualized programs that utilize and integrate a patent-pending automated software model, database and professional analyst team to regularly map your IT infrastructure against a proven set of essential security practices. Once TruSecure recommended controls are implemented and maintained, your organization may earn industry-recognized certification, providing you with confidence, assurance and a guarantee that your organization's mission-critical e-business systems, networks, applications and physical environments are fully protected against cyber-threats and other criminal breaches. Our certification seal is recognized worldwide as confirmation to your partners, auditors and customers that your organization has made security a top priority.

Managed Security Services

TruSecure Managed Security Services (MSS) provide around-the-clock, cost-effective monitoring, management and maintenance of your technical security infrastructure. TruSecure can remotely monitor, manage and maintain all aspects of your security infrastructure, or only assist you with monitoring the components that you consider especially important. TruSecure MSS is a premier provider of holistic, robust, systems-based managed security solutions. We have built a state-of-the-art security operations center (SOC), staffed 24x7x365 with top-tier certified security experts.
This carrier-class management system provides security management using industry-leading tools and technologies coupled with our proven, documented operational processes and procedures. Our unique blend of service provider and security expertise minimizes your risk and overall expense, while allowing you to focus on the success of your business. Managing, monitoring, and maintaining a robust security posture can be difficult, time-consuming, and very expensive. Technology is dynamic and constantly changing, creating an endless variety of possible threats. And while information security is critical to your business' success, it is not your core business. TruSecure can help, because security is all we do.

Security Assurance Services

An effective enterprise security posture requires a multi-layered approach that addresses the technical, policy and physical layers. Unfortunately, with limited staffing and budget, growing organizations, constantly evolving network environments, and an increasingly connected economy, most organizations fail to implement basic security hygiene, leaving them vulnerable to a wide array of common risks. TruSecure's Security Assurance Services provide a defined program of assessments, support and essential security practices that ensure that organizations effectively address security as a holistic, continuous, and enterprise-wide effort. By leveraging exhaustive risk research, automated tools and processes, and efficient methodologies, TruSecure's Security Assurance Services are able to achieve dramatic risk reduction while using the people and products already in place.

SAS Product Description

TruSecure Enterprise

TruSecure Enterprise is a comprehensive security assurance and certification program that addresses all aspects of pro-active information security, from network and system analysis to physical and policy inspection.
The program integrates multiple security practices and procedures to help you identify and mitigate risk to your critical IT assets, and then assists you in maintaining an essential level of security "health" across your enterprise. Compliance with our set of Essential Security Practices results in industry-recognized certification, providing you with confidence and assurance that your mission-critical e-business systems, networks, applications and physical environments are protected against all forms of threats. The TruSecure certification seal confirms to your customers, partners and auditors that your organization has made security a top priority.

TruSecure Perimeter

TruSecure Perimeter is a powerful security assurance and certification program that focuses on the security "health" of your perimeter network and devices -- your first line of protection against threats from the outside world. The program integrates multiple security practices and procedures to help you identify and mitigate risk to your critical IT assets, and then assists you in maintaining an essential level of security "health" across your DMZ. Compliance with our set of Essential Security Practices results in industry-recognized certification, providing you with confidence and assurance that your mission-critical networks and physical environments are protected against the most damaging forms of external threats. The TruSecure certification seal confirms to your customers, partners and auditors that your organization has made security a top priority.

TruSecure Service Provider

TruSecure Service Provider is a comprehensive security assurance and certification program designed to meet the needs of Managed Service Providers: ensuring effective security of your environment, differentiating yourself from your competitors, and inspiring confidence among your customers and prospects.
TruSecure Service Provider is the only security assurance solution available that provides independent testing and verification across all the dimensions of the managed services you offer. Combined with the testing and review of your standard offerings, TruSecure Service Provider confirms to customers, partners and auditors that you have made security a top priority.

SiteSecure

SiteSecure is a security assurance and certification program targeted at small- to medium-sized businesses that addresses all aspects of information security, from network and system analysis to physical and policy evaluation. The program acts as an extension to your business, integrating multiple security practices and procedures to help you identify and mitigate risk to your critical IT assets, then assisting you in maintaining an essential level of security "health" across your business infrastructure. Compliance with our set of Essential Practices results in industry-recognized certification, providing you with confidence and assurance that your mission-critical e-business systems, networks, applications and physical environments are protected against major forms of threats. The SiteSecure seal confirms to your customers, partners and auditors that your organization has made security a top priority.

TruSecure Investigative Response

In today's legal climate, companies need to protect themselves from not only electronic threats from the Internet, but also lawsuits from shareholders, partners and competitors. This is the strong rationale behind companies instituting their own investigation of an incident prior to involving the appropriate law enforcement agency. Having an investigative response capability at your disposal is a critical advantage in company protection. The TruSecure Investigative Response offering provides you with the ability to call upon an experienced investigative team to provide computer forensics in support of investigations.
Additionally, it provides companies that have recently experienced an event with the ability to get world-class computer forensics investigators involved and ready to provide evidentiary gathering, analysis and, more importantly, effective mitigations to stop repeat events from occurring.

TruSecure Certification and Guarantees

Successful compliance with current TruSecure Essential Practices results in TruSecure Certification of your network for the remainder of the contract period, as well as activation of your TruSecure Insurance Guarantee. Certification includes the use of the TruSecure Certified Logo to demonstrate that your company has taken the necessary steps to significantly reduce risk. TruSecure is the industry's only comprehensive security assurance service backed by "hacker" insurance. Under this protection, TruSecure customers are compensated if their certified site is breached, as described further within our Statement of Services contract.

Managed Security Services

MSS Service Descriptions

Outsourced Services

Many companies claim to provide managed security services, but only TruSecure provides true comprehensive remote monitoring, management, and maintenance. We don't just wait for security incidents to occur and then inform you they happened after the fact. We proactively work to keep your security posture strong, and if an incident does occur, we find it, fix it, and take steps to prevent it from happening again. We provide around-the-clock monitoring of your entire security infrastructure, including the occurrence of security events and the health of security devices. We manage the configuration and functionality of each security device, and the connection between each device and our SOC. Finally, TruSecure provides turnkey remote maintenance of your security infrastructure. We ensure your infrastructure is current with the latest patches and updates. We track all devices, and maintain secure backups of each device's configuration files.
All of this is accomplished by utilizing a heavily automated operational support system and carrier-class management system, which is built on a robust and scalable technical infrastructure. TruSecure provides flexible levels of service and modular service components so that you only have to buy what you need. Our Shadow suite of services is comprehensive enough to allow complete remote management of all your security needs, but modular enough to permit precise out-tasking of specific components of your security infrastructure. Service levels are available in a tiered structure that allows you to balance the responsiveness you require against the level of investment you wish to make, and upgrades are easily accommodated.

Our Shadow suite of managed security services focuses on identifying, controlling, and monitoring your security risks. We understand your environment, identify and control access points to your network, and monitor, alert and respond against unwanted behavior. TruSecure's Shadow Suite of services combines best-of-breed products, best-practice operational processes, and world-class security expertise to give you the best in information protection. We can support the infrastructure that you currently have, or help fill the gaps. The Shadow suite of services includes:

• ShadowWall is a flexible and comprehensive managed firewall solution. This service guards your perimeter and controls access to your infrastructure with a remotely managed, maintained and monitored firewall.
• ShadowGuard is a managed network and host based intrusion detection solution. This service examines network traffic and host files for anomalous and threatening behavior. Most importantly, it alerts you to suspected attacks as they occur.
• ShadowMail is an email content and virus control solution. This service automatically scans all incoming and outgoing email for viruses or questionable content.
It blocks virus attacks at the gateway before they ever reach or damage your network. Each of our services is available as a stand-alone product, or as part of an integrated holistic business solution. Our Managed Security Services are provided on a subscription basis and are fully customizable to fit your company's security needs.

Monitoring Services

You've spent time and money implementing security products designed to protect the networks and applications enabling you to conduct business in a networked world. You expect these security precautions to guard against threats, and alert you when your perimeter is breached. Unfortunately, attacks are not always easy to identify, and they can come at any time, day or night. Real dangers are difficult to pinpoint because security devices can produce hundreds, or even thousands, of alerts on a weekly basis, and the volume of the false alarms can drown out subtle but serious dangers. Moreover, most organizations overlook the value that devices such as routers and web servers can provide; they may contain important data about intrusions or threats that is frequently missed. Monitoring, reviewing and analyzing the huge volumes of data these devices produce requires substantial time and specialized security expertise. TruSecure's Watch Suite of security monitoring services provides for the detection, analysis, and response to threats to your information security, all in near real time. Our expert analysts monitor and evaluate the security status of your infrastructure and the health and welfare of your perimeter devices, security or otherwise, 24x7x365 from our carrier-class Security Operations Center. We pinpoint legitimate threats to your business and immediately alert the appropriate personnel to take prompt action to minimize your risk.

Optimizing Your Infrastructure

TruSecure doesn't replace your security infrastructure; we make it better.
Investment in technical security solutions is a good beginning, but it isn't enough. If you don't watch for security events and monitor the health and welfare of your security devices on a continual basis, you are not getting the true return on your investment.

Working Around the Clock, So You Don't Have To

It is not cost-effective for most businesses to staff 24x7x365 in an effort to bring monitoring in-house. And even if you wanted to build a robust monitoring capability internally, finding and retaining a staff of security professionals is a daunting task. Partnering with TruSecure gives you all of the benefits of our highly trained experts for a fraction of the cost. You avoid the expense of creating your own secure operations center, and you free your IT staff to focus on strategic business initiatives, instead of forcing them to keep up with the ever-changing security landscape.

Turn Data Into Information

TruSecure's experienced security analysts monitor your device data 24x7x365. We use a combination of automated systems and detailed expert analysis to separate the critical events from the false alarms. If an event requires immediate action, we notify you based on a pre-defined escalation path and enable you to take the appropriate steps to protect your infrastructure.

1. TruSecure's collection system aggregates log data and alerts generated by the customer-premise firewalls, IDSs, VPNs, other security devices and applications, as well as critical network infrastructure elements.
2. TruSecure's management system uses intelligent analysis to eliminate duplicate events and false positives, and to discern the root cause of complicated problems.
3. TruSecure's security engineers, based in our 24x7 Security Operations Center (SOC), investigate each event and notify the customer in accordance with customized escalation procedures.
Comprehensive Reporting

Information is of limited value if you are unable to quickly and effectively leverage it to manage your business. TruSecure provides comprehensive reporting and analysis of all event activity that we monitor. Our Secure Web Interface not only allows you to view current activities, but also keeps a historical repository of past information, allowing you to access valuable trending data.

The Watch Suite of Security Monitoring Services

• SecureWatch is a remote 24x7x365 monitoring service for your security infrastructure, including firewalls, intrusion detection systems, and other security devices. This service supplements your existing security investment by providing security and health monitoring and expert analysis, while leaving management, maintenance and response in the hands of your existing IT staff.
• OverWatch is a remote 24x7x365 monitoring and analysis service that monitors non-security devices for security events. This service extracts important information about threats and vulnerabilities from your critical network devices, such as routers, web servers, mail servers, and DNS servers.

Functionality

TruSecure provides flexible levels of service and modular service components so you only have to buy what you need. Our Shadow suite of services is comprehensive enough to allow complete remote management of all your security needs, but modular enough to permit precise out-tasking of specific components of your security infrastructure. Service levels are available in a tiered structure that allows you to balance the responsiveness you require against budgetary constraints. Our vendor-neutral and ISP-independent services are delivered using industry-leading commercial products. We do not make security products, so we are free to recommend and support the solution that is best for you. Since we are not tied to a specific ISP, you can change Internet service providers without affecting the delivery of TruSecure Managed Services.
TruSecure can be provided anywhere in the world. Seamless support of multiple, geographically dispersed branch offices is easily accommodated.
Management

TruSecure also provides 24x7x365 management of our clients' security infrastructure. We manage the configuration and functionality of each security device, and the connection between each device and our SOC.
Management of the security infrastructure involves correcting any problems that have been detected, and making any changes that are required to ensure the optimum functionality of the system. This includes making changes to the configuration or operation of a managed device based on an alert received by the monitoring system. For example, if a device is running out of available memory and sends an alert to the monitoring system, we may manage that issue by remotely increasing the size of the swap file on the device, increasing the available memory. Management also includes making configuration changes based on modifications to the client's infrastructure, or because of a direct change request by the client. For example, a client adds a new server in the DMZ, and requires that we modify the rules on the firewall to allow traffic to and from that server. Additionally, it includes managing the vendor or manufacturer support relationship to complete any necessary repairs to the physical devices.

Maintenance

Finally, TruSecure provides comprehensive maintenance of our clients' security infrastructure. We make sure our clients' infrastructure is up to date with the latest patches and updates, and we also track all devices and maintain secure backups of each device's configuration files. We proactively maintain each security device by tracking newly identified vulnerabilities, identifying patches or fixes, thoroughly testing each patch or fix in our labs, and then remotely applying the patch or fix to the appropriate security devices. This includes fixes necessary to mitigate security vulnerabilities and patches required by the operating system or application to maximize functionality. We also maintain an asset database with complete information on the hardware, software and configuration files for each device that we manage.
We perform regular backups of all pertinent configuration files, so that in the event of a problem we have the capability to quickly restore full operational capability.

Service Level Agreements

TruSecure's managed security services are available in three distinct levels: Standard, Enhanced, and Premium. The specific details of each Service Level Agreement (SLA) are based on the level of service selected. Our SLAs are summarized in the following chart. Each row lists the Standard | Enhanced | Premium commitment; NTE means "not to exceed", and cells that cannot be read in the source copy are marked [illegible].

Maximum time to respond to customer inquiry: NTE 1 hour | NTE 30 minutes | NTE 15 minutes
Three Pillars system availability: [illegible] | 99.99% | [illegible]
Service provisioning: NTE 30 days | NTE 30 days | NTE 30 days
Included configuration changes (ShadowWall only): 20 | 40 | 60

ShadowWall and ShadowGuard
Incident response & risk: Immediate | Immediate | Immediate
Notify client of incident: NTE 1 hour | NTE 30 minutes | NTE 15 minutes
Handle configuration changes: NTE 2 hours | NTE 1 hour | NTE 30 minutes
Backup configuration files: Monthly | Weekly | Weekly & after each change
Restore configuration files: NTE 24 hours | NTE 12 hours | NTE 3 hours
Apply patches/fixes: NTE 72 hours | NTE 48 hours | NTE 36 hours
Scan managed device for vulnerabilities: No | Monthly & mitigation of discovered vulnerabilities | Weekly & mitigation of discovered vulnerabilities
Notify client of outage: NTE 1 hour | NTE 30 minutes | NTE 15 minutes
Log storage: Event data stored for one calendar month | Event data stored for one calendar month | Event data stored for one calendar month; log data stored up to [figure illegible] per device in online storage; unlimited offline/archival storage
Reporting frequency: Monthly | Weekly | Daily
Reporting content: Standard | Enhanced | Custom
Hardware break/fix: Per vendor agreement | Per vendor agreement | Per vendor agreement

ShadowMail (only partly legible in the source)
Apply necessary virus signature: NTE 72 hours | [illegible] | [illegible]
Reporting frequency: Monthly | [illegible] | [illegible]

Vulnerability scanning
Customer-initiated self-managed scans: Unlimited | Unlimited | Unlimited
Custom scans with historical trending: N/A | Monthly | Monthly
Expert analysis of custom scans: N/A | N/A | Monthly
Reporting frequency: N/A | Monthly | Monthly

Implementation and Delivery

SAS

TruSecure Security Assurance Services are industry-unique programs that comprise a number of different types of critical security assessment and analysis services, including risk assessments, physical inspections, documentation and policy reviews, as well as other analyses. Our objective is to work with you to advance your organization toward a more sound security posture, based on a set of well-vetted controls that focus on the essential aspects of information security. As such, this is a collaborative effort between TruSecure and Insert Company Name, and is a process that is achieved over time. In order for you to understand the flow of the process, a sample timetable of the types of services TruSecure conducts during the course of the program is displayed below. This chart is simply a representation of all of the deliverables of the TruSecure service; however, the final Statement of Services will detail the final timetable and services, by product.
* NOTE: The timeframes below are approximate, and are intended to provide you with an idea as to the amount of time you might expect to complete the TruSecure security assurance program, as well as the expectations of both TruSecure and your organization in achieving success.
** Not all deliverables are available in each product. A Statement of Services will detail the final timetable and list of service deliverables.

Welcome Package (Week 1)
Package includes:
• Customer Services Team contact information
• TruSecure Risk Monitor & Alerts access information, if applicable
• Getting Started with TruSecure CD-ROM
• Desktop Risk Assessment Tool, if applicable
• SecurID Token(s) for access to Customer Portal
Deliverable: N/A

Initial Conference Call (Weeks 1-2)
TruSecure will:
• Explain process
• Set expectations
• Introduce Customer Services Team
• Request required client contact list
• Request telephone number ranges for War Dial, if applicable
• Schedule Technical Conference Call, if applicable
Deliverable: N/A

Initial Perimeter Discovery Scan (Weeks 2-3)
TruSecure will:
• Complete port scan using appropriate tools
• Upload data to the Enterprise Risk Manager (ERM) console, if applicable
Client will:
• Implement "Default Deny" strategy, per PDSR/PCR recommendations
Deliverable: Perimeter Discovery Scan Report (PDSR) or Perimeter Check Report (PCR)

Technical Conference Call (if applicable) (Weeks 2-3)
TruSecure will:
• Review internal topologies
• Review Technical Conference Call questionnaire
• Assist with Default Deny implementation from PDSR
Client will:
• Provide internal & network topologies
• Ensure appropriate staff is available
TruSecure & Client together will:
• Determine best time for On-Site Data Collection and internal DMZ Risk Assessment, if applicable

On-Site Data Collection (if applicable) / Internal Risk Assessment (if applicable) (Weeks 4-6)
TruSecure will:
• Conduct interviews to identify and label critical assets
• Run proprietary and commercial data collection and assessment tools
• Collect policy documentation
• Upload data to ERM console
Client will:
• Provide network access
• Answer interview questions
Deliverable: Internal Risk Assessment Report

Initial Perimeter Risk Assessment (Weeks 5-8)
TruSecure will:
• Complete Perimeter Risk Assessment using proprietary and commercial tools
• Upload data to ERM, if applicable
• Validate ports & services identified in PDSR have been closed or mitigated prior to Perimeter Risk Assessment
Client will:
• Mitigate vulnerabilities per TruSecure recommendations
Deliverable: Perimeter Risk Assessment Report

Desktop Risk Assessment (if applicable) (Weeks 6-8)
TruSecure will:
• Collect data from Desktop Risk Assessment tool
• Upload information to ERM
Client will:
• Run tool to produce data
Deliverable: Desktop Risk Assessment Report

Enterprise Risk Manager (ERM) Web Console (if applicable) (Weeks 6-8)
Client will:
• Complete ERM Profile Wizard via the web

Essential Practices Eval. (On site) (if applicable) (Weeks 8-12)
TruSecure will:
• Validate Essential Practices compliance (technical, physical, administrative)
• Document noncompliant issues
• Upload data to ERM
Client will:
• Ensure the appropriate participants are available during the visit

Follow-up Perimeter Risk Assessment (Weeks 12-15)
TruSecure will:
• Complete second Perimeter Risk Assessment to verify vulnerabilities have been mitigated
• Upload data to ERM
Deliverable: Continuing Perimeter Risk Assessment Report (2nd)

War Dial (if applicable) (Weeks 12-15)
TruSecure will:
• Complete pre-certification War Dial procedure
• Upload data to ERM
Deliverable: War Dial Report

Mitigation of Open Issues (if applicable) (Weeks 12-15)
Client will:
• Implement recommendations to comply with Essential Practices (required for certification)

Certification (if applicable) (Weeks 15-18)
TruSecure will:
• Present client with Certification Award & Plaque
• Deliver Certification Report
• Link certification logo to verification database
• Provide synopsis of completed actions
• Provide information on continuing process
Deliverable: Certification Report

Continuing Perimeter Risk Assessment (if applicable) (Post Cert.)
TruSecure will:
• Complete Perimeter Risk Assessments
• Upload data to ERM
Deliverable: Continuing Perimeter Risk Assessment Report

Follow-up On-Site Data Collection (if applicable) / Internal Risk Assessment (if applicable) (Post Cert.)
TruSecure will:
• Coordinate Follow-up On-Site Data Collection
• Complete data collection and assessments with appropriate tools
• Upload data to ERM
Deliverable: Internal Risk Assessment Report

Essential Practices Valid. (On site) (if applicable) (Post Cert.)
TruSecure will:
• Validate Essential Practices compliance (technical, physical, administrative) for maintaining certification
• Document non-compliant issues, if required
• Update data in ERM
Client will:
• Ensure the appropriate participants are available during the visit

Follow-up War Dial (if applicable) (Post Cert.)
TruSecure will: • Complete War Dial procedure • Upload data to ERM War Dial Report Follow-up Desktop Risk Assessment (if applicable) Post Cert. TruSecure will: • Collect data from Desktop Risk Assessment tool • Upload information to ERM Client wilt: • Run tool to produce data Desktop Risk Assessment Report Continuing Perimeter Risk Assessment (If applicable) Post Cert. TruSecure will • Complete Perimeter Risk Assessment • Upload data to ERM Continuing Perimeter Risk Assessment Report (4mh) MSS During the Transition TruSecure will work together with Insert Company Name to evaluate your relevant security infrastructure and develop a plan to mitigate any gaps or deficiencies that would interfere with TruSecure's ability to provide the specified managed services, The hardware, software, and support costs that will be required are outlined in Section 7 of this document. The price of this project has been determined based on the assumptions section of this proposal. The Transition phase is comprised of 5 fundamental steps. 26 Department Co !!motor • Requirements Analysis — TruSecure formally reviews the information gathered during the creation of the proposal and identifies any additional information that is required. • Design — Once TruSecure has obtained all necessary technical specifications and other relevant information; TruSecure will develop a specific design for the overall managed security solution and each managed device. • provisioning - After Insert Company Name has accepted the design; TruSecure will procure any necessary hardware and software or if so designated, the customer procures all required components. All procured hardware and software will be shipped directly to TruSecure's Norcross, GA, facility for configuration and testing. If the customer has preexisting software licenses that TruSecure will be reusing, they will send all necessary license information to TruSecure to allow TruSecure to configure the equipment using the existing licenses. 
TruSecure will stage and configure all necessary systems and will then test the functionality of the devices to ensure that all configurations were properly completed and the device is completely ready to be deployed on the customer premises. • Deployment - TruSecure will notify designated customer contact when service is ready to be deployed. Insert Company Name will be provided with secure access to TruSecure's customer web portal to allow full access to the new service, including reporting, trouble ticket generation, and all information related to Insert Company Name's managed security services. TruSecure and Insert Company Name will agree to a specific date when the service is expected to start. • Acceptance - Upon completion of service deployment, TruSecure will seek acknowledgement from Insert Company Name that the transition phase has been satisfactorily completed. If Insert Company Name does not respond within five days, and TruSecure has satisfactory visibility into all deployed devices, TruSecure will assume that the transition phase is complete. Miscellaneous Assumptions During the creation of this proposal, certain information was obtained from the client follows is a summary of the information either gathered by TruSecure staff or provided by Insert Company Name that was used to generate the scope of work and associated pricing. In the event any of this information is inaccurate, the pricing for TruSecure services or solutions may change. 1. Prompt physical access to all appropriate facilities, as well as an escort if one is deemed necessary, for the execution of the task will be provided. 2. TruSecure will be provided with any information, data, designs, access, or documentation required to perform the services. 3. All appropriate personnel will be available in a timely fashion to provide information and other support requested by TruSecure to deliver on this proposal. 4. 
Access to all appropriate data center facilities, cabinets, servers, or other network equipment will be provided as necessary for the execution of this task. 5. TruSecure will install Secure Data Agent(s) as necessary to deploy our service. 6. The following be provided; a minimum of 2U 19" rack space with all support facilities customary in a data center, including power, UPS, and a dedicated POTS line to support TruSecure's Secure Data Agent. 27 Department 7. All work completed out of scope will be billed at the rate of $250/hour on a time and materials basis. 8. Insert Company Name will purchase and maintain current support contracts for both hardware maintenance and software subscriptions for all equipment subscribed to ShadowWall or ShadowPatrol services. Support contracts will be renewed on an annual basis at the sole responsibility of the client. 28 Department Exhibit "B" — Labor Categories/Rates Schedule Floor Price - Primary Site International Location Additional Building Additional Enterprise Location Additional Enterprise Location - Branch office Monthly Scanning per Class C Additional Location - Hosted External Class C (block of 5) up to 60 External Class C (block of 5) Above 60 Segmented internal Networks - under plateau Each Additional Segment over 10 29 Primary Site - Any location that is responsible for the management of its own network and $78,795.00 data. Additional fee for any site (primary or additional site) that is outside of the $8,000.00 continental US. Primary Site includes two buildings within a campus. Additional buildings within the campus are charged this fee. A campus is $4,000.00 defined as building within a one -mile radius. An additional Enterprise location that has an internal network and its own external Internet connection, but relies on a Primary Site for management of its data and network $36,995.00 infrastructure. 
An additional Enterprise location without an external Internet connection that relies on a Primary Site for network and data $24,000.00 management. Quarterly scanning of the external networks is $4,995.00 included in the Floor Price of Enterprise. An additional Enterprise location located in a commercial data center but relies on a Primary Site for network and data $26,000.00 management. Ten Class C networks are included in the $16,000.00 Floor Price of Enterprise. Ten Class C networks are included in the $5,886.00 Floor Price of Enterprise. $0.00 $2,000,00 Ten Internal Network Segments are included in the Floor Price of Enterprise. internal Network Segments refers to the total number of partitions In the network. Typically, segmentation happens at a Class C level via a router, with one Class C being segmented from another. There are Instances, though, where a single Class C network could be split into multiple segments. Department Eaatbxppnis S b Ara+ n e y 11111/y1�,r _,IR � i �55z'� f t ar._.�,��jf� FA li ga:—v 1 , ,%:!I 4 r} �I � . ,T 1F5`4 1, ;•-v` " �r�l S . � 1" f oustit Yns/,e:^w.A�:",I.�'X �,, :i '�„yn3i:,..,,: rY� ..,2.�, f ',.�.c,+,�''r .n, ...;. ,..:e h,, �I.. ',.,Cf,+JlI'MO..h W:A�.,�, ..:4 ,. ...,: III-,,1.-�'� 4�.,-n ''':G „ae:'Z External Class B Each T.I.C.S.A. voucher (see description below) Additional War Dial Block (1,000 Numbers) Additional Tokens for the Enterprise Risk Manager Regulatory Reviews BS 7799 Report ISO 17799 Report � y�?i�4�dlU�„IY2 Floor Price - Primary Site International Location Additional Perimeter Location Additional Perimeter Location - Hosted Additional Building Monthly Scanning per Class C $389,576.00 $225.00 $2,500.00 $75.00 $0.00 $8, 000.00 $8,000.00 Nor, er, er fo.0 Artisan:. 30 A Class B network consist of 254 Class Cs. 
It Is advised that the scope get narrowed down to what specifically is being used and should be certified or have an Architectural Review engagement with TruSecure TES to narrow the exposure prior to a certification program. 1000 War -dial numbers are included In each block. One block is Included in the Floor Price of Enterprise. Two tokens are included in the Floor Price for each Primary Site. HIPAA and GLB status reporting is included in Enterprise. ;fora Primary Site - Any location that is responsible for the management of its own network $57,795.00 perimeter infrastructure. Additional fee for any site (primary or additional site) that Is outside of the $6,000,00 continental US. An additional Perimeter location that has its own external internet connection, but relies on a Primary Site for management of Its data and $26,000.00 network infrastructure, An additional Perimeter location located in a commercial data center but relies on a Primary Site for network and data $22,000.00 management. Primary Site includes two buildings within a campus. Additional buildings within the campus are charged this fee. A campus is $4,000.00 defined as building within a one -mile radius. Quarterly scanning of the external networks is $4,995.00 included In the Floor Price of Perimeter. Department External Class C (block of 5) up to 10 External Class C (block of 5) Above 10 External Class B Additional Tokens for the Enterprise Risk Manager P rirriotor 5.0 Pricinsi$ Ten Class C networks are included in the $16,000.00 Floor Price of Perimeter. Ten Class C networks are included in the $5,886.56 Floor Price of Perimeter. A Class B network consist of 254 Class Cs. It Is advised that the scope get narrowed down to what specifically is being used and should be certified or have an Architectural Review engagement with TruSecure TES to narrow $389,576.00 the exposure prior to a certification program. Two tokens are included in the Floor Price for $75.00 each Primary Site. 
Stivite Provider:5,0 Pricln kolg[0:egr.W.7 vomit' mnrr o 4 4 #' jx S�r 'r" Core infrastructure - Primary Site Additional Site Managed Firewall Module Dedicated Hosting Module Additional Host Regulatory Reviews BS 7799 Report ISO 17799 Report Management Stations International Locations Additional Tokens for the Enterprise Risk Manager 3I The primary facility housing the Network Operations Center (NOC) where customer $52,395.00 management services are being provided. Any additional NOC location providing customer management services not $27,000.00 considered the primary facility. The Managed Firewall Module and Dedicated Hosting Module pricing is applied once per $31,495.00 contract, not per location. The Managed Firewall Module and Dedicated Hosting Module pricing is applied once per $31,495.00 contract, not per location. Scanning of up to 25 Hosts is included in the price of Service Provider Core Infrastructure, $200.00 additional hosts may be purchased. HIPAA and GLB status reporting Is Included in $0.00 Enterprise. $8,000.00 $8,000.00 Review of two management stations and associated routers used to manage the NOC operations are included with Services Provider Core Infrastructure, See SOS for $500.00 listing of defined management stations. Additional fee for any site (primary or additional site) that is outside of the $8,000.00 continental US. Two tokens are included in the Floor Price for $75.00 each Primary Site. 
Department t ire -tor List Price PreSale w/ Enterprise (Contract Value < $150,000) PreSale w/ Enterprise (Contract Value = $150,000 - $250,000) PreSale w/ Enterprise (Contract Value > $250,000) PreSale w/ MSS Floor Price -1st Site Experian/Equifax Floor Price Additional Site PC Count Add -On: 51-100 PCs/Site PC Count Add -On: 101-250 PCs/Site PC Count Add -On: 251-400 PCs/Slte PC Count Add -On: 401-700 PCs/Site PC Count Add -On: 701-1200 PCs/Site Additional Class C $60,000.00 $20,000.00 $35000.00 $50,000.00 $30,000,00 SiteSecure Prici,n $11,995.00 $8, 995.00 $7,995.00 $4, 000.00 $8, 000.00 $14,000.00 $22,000.00 $31,000.00 $3,200.00 The Floor Price for SiteSecure includes one location with up to 50 desktops and one Class C network. Tru:'SeCur 1 A Security Practitioner Certifications TruSecure ICSA Certified Security Associate (T.I.C.S.A.) 32 itaJ�. .:_, T.I.C.S.A. represents the base level of certification, and is designed for the system or network administrator who may be responsible for the security administration of systems or networks in an enterprise as an additional duty along -side their regular responsibilities. This certification is designed for professionals with a background in $295.00 computers and networking. Department Exhibit "C" - ORDERING INSTRUCTIONS NOTE: ALL ORDERS SHOULD BE DIRECTED TO: SPURS VENDOR NUMBER: F 25-1639918-002 VENDOR: TruSecure Corp. (C ) STREET ADDRESS OR P. O. BOX: 13650 Dulles Technology Dr., Ste. 500 CITY, STATE, ZIP: Herndon, VA 20171 TELEPHONE: 703.480.8200 ORDERING FAX NO.: 703.480.8340 SERVICES INFORMATION: DIRECT INQUIRY TO: NAME AND TITLE: Chris Loria ADDRESS: 205 Scientific Drive CITY, STATE, ZIP: Norcross, GA 30092 TELEPHONE: 678-728-1017 URL HOME PAGE ADDRESS: trusecure.com ELECTRONIC MAIL ADDRESS: cloriaAtrusecure.com Rev. 06/06/02 33 Department eactor