WORK AUTHORIZATION NO. 4 CONTRACT FOR PROFESSIONAL ACCOUNTING SERVICES

Transcription

1 WORK AUTHORIZATION NO. 4 CONTRACT FOR PROFESSIONAL ACCOUNTING SERVICES THIS WORK AUTHORIZATION is made pursuant to the terms and conditions of Article 5 of the Professional Accounting Services Contract No. 601CT (the Agreement ) entered into by and between the State of Texas on September 15, 2015, acting by and through the Texas Department of Transportation (the State), and Deloitte & Touche LLP (Deloitte & Touche). PART I. Vendor will perform professional services as specifically described in Exhibit B, which is attached hereto and made a part of this Work Authorization. In addition to any other responsibilities of the State set forth in the Agreement, State shall perform those responsibilities and activities detailed in Exhibit A, which is attached hereto and made a part of this Work Authorization. PART II. The Not to Exceed Amount payable under this Work Authorization, as defined in Section 5.4 of the Agreement, is $129, The pricing model for this work authorization is time and materials, based upon loaned staff for 689 hrs. as follows: Resource Rate Hours Total #1 Manager $220 6 weeks * 40 hrs./week = 240 hrs. $52,800 #2 Senior Consultant $170 6 weeks * 40 hrs./week= 240 hrs. $40,800 #3 Consultant $150 4 weeks * 40 hrs./week= 160 hrs. $24,000 #4 Senior Manager $240 7 weeks * 5 hrs./week = 35 hrs $8,400 #5 Principal $280 7 weeks * 2 hrs./week = 14 hrs $3,920 Total 689 hrs. $129,920 PART III. Payment to Vendor for services established under this Work Authorization shall be made in accordance with Articles 3 thru 5 of the Agreement. PART IV. This Work Authorization shall become effective on the date of the final acceptance of the parties hereto and shall terminate on October 19, PART V. This Work Authorization does not waive the parties responsibilities and obligations provided under the Agreement.

2 IN WITNESS WHEREOF, this Work Authorization is executed in duplicate counterparts and hereby accepted and acknowledged below. DELOTTE & TOUCHE LLP THE STATE OF TEXAS (Signature) (Signature) Michael Wyatt Linda Sexton (Printed Name) (Printed Name) Principal, Cyber Risk Depty Dir Toll Operations Div, (Title) (Title) /29/2018 (Date) (Date) LIST OF EXIBITS Exhibit A Services to be provided by the State Exhibit B Services to be provided by the Vendor

3 EXHIBIT A SERVICES TO BE PROVIDED BY THE STATE The following are services and/or resources the Department of Transportation will provide to support the execution of the Work Authorization No 4 (PO 601CT ): Direct oversight and guidance of Deloitte & Touche LLP personnel Review and approval of contractor applications reviews performed by Deloitte & Touche LLP personnel Provide Deloitte & Touche personnel to access the facility, as necessary, to execute the scope of work as outlined in EXHIBIT B Provide Deloitte & Touche access to TXDOT systems and tools, as needed, to execute the scope of work as outlined in EXHIBIT B Identify the TXDOT and third party stakeholders who need to participate in this assessment Obtain approval from the third party organization to allow Deloitte & Touche perform the assessment Identify a TXDOT personnel to function as the trusted agent. The "trusted agent" is expected to o Identify and prioritize target servers, network ranges and web applications, including those of third party systems o Make decisions to proceed with applicable vulnerability scans and other assessment activities, including coordination with third parties o Work with stakeholders to gather information and details required for the execution of the scans, including credentials, server, database and application access o Review the assessment reports and control as needed distribution of the reports. The sensitive nature of information contained in the reports requires a key stakeholder being responsible for managing the communication aspects o Identify time period for communication to the appropriate stakeholders for high severity gaps identified in production environment o Coordinate and authorize Deloitte s engagement staff access to TXDOT and third party IT components considered for vulnerability testing o Review and attest the systems testing agreement prior to performing the initial vulnerability scanning activity o Approving the time window for performing the vulnerability scans. In order to avoid interruptions, approve testing windows during non business hours unless TXDOT requires such testing during business hours. Review and approve the system testing agreement prior to Deloitte & Touche performing the vulnerability scanning activity

4 EXHIBIT B SERVICES TO BE PROVIDED BY VENDOR The following outlines the services and scope of work to be performed by Deloitte & Touche LLP in support of Work Authorization No 4 (PO 601CT ): Provide security risk assessment of the TXDOT systems (TxTag and Vector), and it s underlying server infrastructure. This security risk assessment will include: o Understand business and system landscape Define the systems and data sources that contain cardholder information Document business requirements that support the systems and processes with cardholder information Review data paths and integration with other systems where cardholder information is exchanged Obtain and review the last annual PCI assessment report, in addition to the current remediation plan. o Conduct vulnerability scanning Obtain and review the last four quarters of vulnerability scan findings Conduct a vulnerability assessment of the two web applications (TxTag and Vector containing around 100 web pages) and its support server infrastructure (a total of 14 servers). The vulnerability assessment will be conducted using automated testing tools like IBM AppScan and Tenable Nessus. The vulnerability assessment will be performed on the non production test environment Depending on the gaps identified, conduct a security configuration review of selected IT infrastructure components. o Perform safeguards review Conduct a workshop with system stakeholders to review the network and application architecture Conduct 8 10 workshops with system stakeholders to review implementation Payment Card Industry (PCI) Data Security Standards (DSS) v3.2.1 safeguards on the in scope IT infrastructure (described in the vulnerability scanning task). The following areas will be reviewed: Build and Maintain a Secure Network and Systems Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy. o Report Findings Conduct two workshops with systems stakeholders to review gaps and severity Work with the systems stakeholders to document and submit the gap analysis report.

5 Perform the security risk assessment during from the hours of 8:00 am to 5:00 pm or as agreed to, Monday thru Friday, for seven weeks. The proposed timeline is illustrated in the below figure: A progress report will accompany each invoice showing the percentage of Work Completed to date under the applicable Work Authorization. Provide TxDOT trusted agent with the following work products o Weekly progress reports indicating the accomplishments for that week, planned activities for the next two weeks, risks and issues o Interim reports vulnerability scan report and safeguards review report provided to TxDOT as the outcome of those activities o Final gap analysis report describing the findings and potential risk levels. We will use TxDOT s risk rating criteria for the identified gaps.

6 Certificate Of Completion Envelope Id: D1DDF1A AB2B719294F6B9FF8 Status: Completed Subject: Please DocuSign: Security Risk Assesment W A 4.pdf Source Envelope: Document Pages: 5 Signatures: 1 Envelope Originator: Certificate Pages: 1 Initials: 0 Andy Juarez AutoNav: Enabled EnvelopeId Stamping: Enabled 125 E. 11th Street Austin, TX Time Zone: (UTC-06:00) Central Time (US & Canada) andy.juarez@txdot.gov IP Address: Record Tracking Status: Original 8/29/2018 8:11:56 AM Holder: Andy Juarez andy.juarez@txdot.gov Location: DocuSign Signer Events Signature Timestamp Linda Sexton Linda.Sexton@txdot.gov Depty Dir, Toll Operations Div Texas Department of Transportation Security Level: , Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign Signature Adoption: Uploaded Signature Image Using IP Address: Sent: 8/29/2018 8:15:49 AM Viewed: 8/29/2018 8:27:36 AM Signed: 8/29/2018 8:30:46 AM In Person Signer Events Signature Timestamp Editor Delivery Events Status Timestamp Agent Delivery Events Status Timestamp Intermediary Delivery Events Status Timestamp Certified Delivery Events Status Timestamp Carbon Copy Events Status Timestamp Notary Events Signature Timestamp Envelope Summary Events Status Timestamps Envelope Sent Hashed/Encrypted 8/29/2018 8:15:50 AM Certified Delivered Security Checked 8/29/2018 8:27:36 AM Signing Complete Security Checked 8/29/2018 8:30:46 AM Completed Security Checked 8/29/2018 8:30:46 AM Payment Events Status Timestamps