Table of Contents 1.1 Service Service Activity Subscription and Managed Service Management
- Oswald Antony Wade
- 6 years ago
Table of Contents
1.1 Service
Services Activity - Subscription and Managed Service Management
Services Activity - Annual Subscription and Managed Service Management
I EN Page 1 of 17
Service Description
Managed Security Services
X-Force Red Offensive Security Testing Services

The services described herein are governed by the terms and conditions of the agreement specified in the Order Document for IBM Security Services ("Order Document"). If there is a conflict between the terms in the documents, the terms of the Order Document prevail over those of this document, and the terms of this document prevail over those of the agreement specified in the Order Document ("the Agreement"). Capitalized terms not otherwise defined in this document are defined in the Agreement or any other referenced document, and have the same meaning in this document as ascribed to them therein.

This document describes the Services and incorporates by reference the following contract document(s). The terms and conditions contained in the incorporated document(s) are in addition to the terms and conditions contained herein.

Contract Document(s)                                   Document #
Managed Security Services General Provisions           I

The document(s) identified above are located at: From this security services contract documents portal, Client selects the applicable country to access the above documents. If any documents are not accessible, please request a copy from Client's IBM sales contact.

1.1 Service
X-Force Red Offensive Security Testing Services provide both tool-based and manual security testing across applications, network, hardware/embedded devices and human. X-Force Red includes a suite of service levels, which the Client may utilize for the charges specified in the Order Document. The following describes the available X-Force Red Offensive Security Testing Services.

Application security testing involves manual penetration testing, code review and vulnerability assessments of web, mobile, terminal, client-server, mainframe and middleware platforms.
Application Security Testing Services include various levels of testing, including tool-based unvalidated, raw scanning, validated vulnerability assessments, manual penetration testing, tool-based unvalidated, raw source code scanning and manual source code reviews on internal and external web, mobile, terminal, client-server, mainframe and middleware platforms. This level of Service involves Application Vulnerability Scanning, Application Vulnerability Assessment, Application Penetration Testing and Manual Source Code Review of Application, as described in the service activities below.

Network security testing involves manual penetration tests and vulnerability assessments of internal, external, Wi-Fi and other radio frequencies, and supervisory control and data acquisition (SCADA) systems. Network Security Testing Services assess the security of devices from a network perspective, focusing on exposed services, configuration, and infrastructure. This level of Service involves Network Vulnerability Assessment and Network Penetration Testing Services, as described in the service activities below.

Hardware security testing involves security tests that span the digital and physical realms, including Internet of Things, wearable devices, point-of-sale systems, ATMs, automotive systems, video equipment, self-checkout kiosks and other devices. This level of Service involves Hardware and Device Penetration Testing, as described in the service activities below.

Human security testing involves simulations of phishing campaigns, social engineering, ransomware and physical security violations to determine the risks of human behavior.
This level of Service involves Standard Physical Security Testing/Social Engineering (onsite), Advanced Physical Security Testing (onsite), Standard Social Engineering Test (remote), Advanced Social Engineering Test (remote), Standard Phishing Security Testing, Advanced Phishing Security Testing and Targeted/Spear-Phishing Campaign, as described in the service activities below.

MSS X-Force Red Offensive Security Testing Services are available as a subscription model, which allows Clients to commit to a set budget for X-Force Red Offensive Security Testing Services charges over a specific contract period, where an established monthly charge for Services will apply. Under this model, IBM offers security testing and program management for X-Force Red Offensive Security Testing Services, where the level of support can be planned as part of the Client's established budget. During the contract term, Clients may request as many tests, using any number of the supported testing methods, as they would like to have IBM execute; however, the charge for each type of test specified in the Order Document will be deducted from Client's total X-Force Red Offensive Security Testing Services charges.

In addition, Clients have the option to contract for Program Management, for Clients who wish to have their security testing program run by an IBM senior technical resource. This IBM resource will create and run a security testing program on the Client's behalf as part of the Service. If Program Management is included with Client's order, charges for such services are based on the quantity of hours included as part of Client's contract and will be specified in the Order Document separately as a monthly recurring charge.

IBM will conduct reviews with the Client every 3 months, where Client will be informed of their current usage consumption and when the Client's total funding commitment is near exhaustion. If Client's annual testing services charges or consumption of Program Management support hours exceeds the total monthly recurring charges established within the same calendar year, Client will be invoiced annually for the difference, which will be determined by IBM and based on Client's testing usage at the charge rate for each type of test and the usage charge for Program Management as specified in the Order Document. At the end of the contract term, any remaining budget or hours on the contract will expire and do not carry forward.

Services Activity - X-Force Red Portal
The Red Portal (called "Red Portal") provides access to an environment (and associated tools) designed to centralize the management, collaboration and reporting of security testing services delivered by IBM X-Force Red (called "XFR") into a common, web-based interface.

IBM will:
a. provide Client with a username, password, URL and appropriate permissions to access the Red Portal. The Red Portal provides Client with:
   (1) interaction with the XFR security team;
   (2) the ability to submit security test requests; and
   (3) access to security test findings and reports.
b. provide Client with access to the Red Portal and Client's data for up to one (1) year after the termination of the contract.

Client agrees to:
a. utilize the Red Portal to perform daily operational Services activities;
b. perform no security testing against the Red Portal without IBM's explicit permission;
c. ensure Client's employees accessing the Red Portal on Client's behalf comply with the terms of use provided therein;
d. appropriately safeguard Client's login credentials to the Red Portal (including not disclosing such credentials to any unauthorized individuals);
e. promptly notify IBM if a compromise of Client's login credentials is suspected;
f. indemnify and hold IBM harmless for any losses incurred by Client or other parties resulting from Client's failure to safeguard Client's login credentials; and
g. comply with all terms of use as documented in the Red Portal, including after the termination of this contract for up to one (1) year or for as long as the Client accesses the Red Portal to retrieve Client's data.

Services Activity - Application Vulnerability Scanning
Application Vulnerability Scanning Services include tool-based unvalidated, raw application scanning on internal and external web, mobile, terminal, client-server, mainframe and middleware platforms, for either dynamic or static, as selected in the Order Document.
IBM will:
a. if selected or specified in the Order Document, perform dynamic unvalidated raw vulnerability automated scanning of Client-identified targeted application(s) to identify common vulnerabilities (web server configuration flaws, insecure network communication, SQL injection, or cross-site scripting, etc.);
b. if selected or specified in the Order Document, perform static unvalidated raw vulnerability automated scanning of Client-provided source code to identify common vulnerabilities (injection flaws, insecure memory management, cross-site scripting, improper exception handling, etc.);
c. produce a report (called "Vulnerability Scan Report") that reflects the identified vulnerabilities; and
d. have completed Application Vulnerability Scanning when IBM has delivered the Vulnerability Scan Report to Client's Point of Contact.

Client agrees to:
a. if applicable, provide IBM with network access to any network services required for normal application use during dynamic unvalidated raw vulnerability automated scanning;
b. if applicable, provide IBM with valid user credentials prior to the initiation of dynamic unvalidated raw vulnerability automated scanning, if authenticated testing is desired;
c. if applicable, provide IBM with source code that IBM can compile, including all external dependencies (libraries, frameworks, etc.), prior to the initiation of static unvalidated raw vulnerability automated scanning; and
d. if applicable, install a testing device on Client's network.

Services Activity - Application Vulnerability Assessment
Application Vulnerability Assessment includes tool-based dynamic validated vulnerability assessments on internal and external web, mobile, terminal, client-server, mainframe and middleware platforms.

IBM will:
a. perform automated scanning and manually review the scanner output for any false positives that can be identified through remote application interactions with the targeted application, to identify common vulnerabilities (web server configuration flaws, insecure network communication, SQL injection, or cross-site scripting, etc.);
b. produce a document (called "Vulnerability Assessment Report") that reflects the identified common vulnerabilities; and
c. have completed Application Vulnerability Assessment when IBM has delivered the Vulnerability Assessment Report to Client's Point of Contact.

Client agrees to:
a. provide network access to any network services required for normal application use;
b. provide working user credentials if authenticated testing is desired; and
c. if applicable, install a testing device on Client's network.

Services Activity - Application Penetration Testing
The purpose of this service is to use a human tester to manually discover and exploit vulnerabilities in the target application to simulate a real-world attack. This service is available in three predefined levels: Entry/Compliance, Standard and Advanced.
IBM will:
a. facilitate a project initiation call for up to one (1) hour to review Client's environment and organization, including application platform, architecture, frameworks, supporting infrastructure, known security problems or concerns associated with the application, preliminary testing schedule and emergency contact plan;
b. if Entry/Compliance Application Penetration Test is selected, provide an IBM resource to perform testing and exploitation of the application, for which the priority focus areas will include:
   (1) Mis-configured web servers;
   (2) Proper network encryption (SSL/TLS);
   (3) Single-step logic flaws;
   (4) Basic injection vulnerabilities (basic SQL injection, cross-site scripting, etc.);
   (5) Simple session management flaws; and
   (6) Authentication/authorization functionality;
c. if Standard Application Penetration Test is selected, provide an IBM resource to perform testing and exploitation of the application, for which the priority focus areas will include:
   (1) All vulnerabilities from Entry-Level Application Penetration Tests;
   (2) Logic flaws in multi-step workflows;
   (3) Insecure file uploads;
   (4) Advanced versions of injection flaws (blind/timing-based SQL injection, OS command injection, XPath, etc.); and
   (5) Basic data encryption flaws (reused keys, encryption/decryption oracles, etc.);
d. if Advanced Application Penetration Test is selected, provide an IBM resource to perform testing and exploitation of the application, for which the priority focus areas will include:
   (1) All vulnerabilities from Standard Application Penetration Tests;
   (2) Serialization/marshaling flaws; and
   (3) Advanced encryption attacks (padding oracle attacks, improper block modes, etc.);
   Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
e. produce a report (called "Application Penetration Test Report") that reflects the identified vulnerabilities;
f. conduct a report briefing call for up to one (1) hour to explain the findings and associated risks; and
g. have completed Application Penetration Testing when the Application Penetration Test Report has been delivered to Client's Point of Contact and a report briefing has been provided or declined.

Client agrees to:
a. work with IBM to schedule the project initiation conference call such that all participants have enough notice to attend;
b. provide the required information prior to the project initiation call, including:
   (1) a definition of the targeted application;
   (2) a list of supporting infrastructure components that should be considered in-scope;
   (3) a list of any resources (servers, webpages, etc.) that should not be tested;
   (4) sufficient user credentials to access all aspects of the application and verify proper authorization enforcement; and
   (5) any specialized software required to use the application;
c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at your premises;
d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
e. provide a technical support point-of-contact (POC) for use during the engagement;
f. ensure that the in-scope systems and infrastructure remain in a static state throughout the testing period;
   Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results.
g. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow testers proper access to the target systems; and
h. acknowledge that Client has two (2) weeks after receiving the Application Penetration Test Report to request a report briefing or decline; otherwise IBM will consider Client's acceptance of the Application Penetration Test Report as-is.

Services Activity - Manual Source Code Review of Application
The purpose of this service is to use a human tester to manually review provided source code to identify vulnerabilities and poor programming practices that can impact the security of an application.

IBM will:
a. facilitate a project initiation call for up to one (1) hour to review Client's source code structure, supporting libraries and frameworks, build requirements, known security problems or concerns associated with the application, preliminary testing schedule and emergency contact plan;
b. provide an IBM resource to review source code provided by Client:
   (1) Priority focus areas will include:
       (a) Improper input sanitization (SQL injection, cross-site scripting, etc.);
       (b) Authentication or authorization bypass;
       (c) Insecure serialization/marshaling practices;
       (d) Encryption flaws (weak algorithms, reused keys, oracles, etc.); and
       (e) Insecure data storage;
   Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
c. document findings in a document (called "Source Code Review Report");
d. deliver the final Source Code Review Report;
e. if applicable, conduct a report briefing call for up to one (1) hour to explain the findings and associated risks; and
f. have completed Manual Source Code Review of Application when the Source Code Review Report has been delivered to Client's Point of Contact and a report briefing has been provided or declined.

Client agrees to:
a. work with IBM to schedule the project initiation conference call such that all participants have enough notice to attend;
b. provide the required information prior to the project initiation call, including:
   (1) a description of the targeted application;
   (2) a list of supporting libraries that should be considered in-scope; and
   (3) a list of any source code that should not be reviewed;
c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at your premises;
d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
e. provide a technical support point-of-contact (POC) for use during the engagement;
f. provide access to the source code, relevant supporting libraries, and directions on how to create a build environment and compile the source code; and
g. acknowledge that Client has two (2) weeks after receiving the Source Code Review Report to request a report briefing or decline; otherwise IBM will consider Client's acceptance of the Source Code Review Report as-is.

Services Activity - Network Vulnerability Scanning
The purpose of this service is to conduct tool-based unvalidated, raw network scanning on internal and external networks with X-Force Red's automated suite of tools to identify potential security vulnerabilities.

IBM will:
a. for up to the total number of internal or external IP addresses specified in the Order Document, scan the targeted addresses for known issues and vulnerabilities that could lead to remote exploitation;
b. produce a report (called "Vulnerability Scanning Report") that reflects the identified vulnerabilities; and
c. have completed the Network Vulnerability Scanning when IBM has delivered the Vulnerability Scanning Report to Client's Point of Contact.

Client agrees to:
a. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
b. provide details required for testing in a timely manner, including IP addresses, domain names, network diagrams, and other relevant data;
c. provide a technical support point-of-contact (POC) for use during the engagement;
d. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period; and
   Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges.
e. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow testers proper access to the target systems.

Services Activity - Network Vulnerability Assessment
If ordered by Client, IBM will provide services to identify active hosts and services, for up to the total number of in-scope active IP addresses as specified in the Order Document, and discover known vulnerabilities on these systems using automated scanning tools.

IBM will:
a. scan up to the total number of IP addresses specified in the Order Document and focus on the targeted addresses for known issues and vulnerabilities that could lead to remote exploitation;
b. manually review the scanner output for any false positives that can be identified through remote server interaction;
c. produce a report (called "Vulnerability Assessment Report") that reflects the identified vulnerabilities; and
d. have completed the Network Vulnerability Assessment when IBM has delivered the Vulnerability Assessment Report to Client's Point of Contact.

Client agrees to:
a. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
b. provide details required for testing in a timely manner, including IP addresses, domain names, network diagrams, and other relevant data;
c. provide a technical support point-of-contact (POC) for use during the engagement;
d. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period; and
   Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges.
e. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow testers proper access to the target systems.

Services Activity - Network Penetration Testing Services
The purpose of this activity is to attempt to exploit identified vulnerabilities and demonstrate the impact of those vulnerabilities in terms of successful attack scenarios against the devices associated with up to the total number of in-scope active IP addresses for Penetration Test specified in the Order Document.

IBM will:
a. exploit key identified vulnerabilities:
   (1) on perimeter (remotely accessed) systems; and
   (2) on internal (locally accessed) systems;
   Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
b. target specific systems and attempt to gain direct access to confidential data and administrator or elevated access privileges on vulnerable systems;
c. demonstrate specific or systematic security weaknesses, if present;
   Note: Examples of methods used to demonstrate such weaknesses may include:
   (1) mining of login credentials;
   (2) brute-force password cracking directly against applications and virtual private networks ("VPNs");
   (3) exploitation of buffer overflow and format string vulnerabilities; and
   (4) session hijacking, if possible;
d. document the findings from the simulated attack in a report (called "Final Penetration Testing Report"); and
e. have completed Network Penetration Testing when IBM has delivered the Final Penetration Testing Report to Client's Point of Contact.
Client agrees to:
a. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
b. provide details required for testing in a timely manner, including IP addresses, domain names, network diagrams, and other relevant data;
c. provide a technical support point-of-contact (POC) for use during the engagement;
d. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period; and
e. ensure the IP addresses associated with the technical testers are whitelisted as appropriate on filtering devices (such as firewalls and intrusion prevention systems), according to the rules of engagement negotiated, such that the testers have appropriate access to the target systems.
   Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges.

Services Activity - Hardware/Device Penetration Testing
The purpose of this activity is to provide a human tester to manually discover and exploit vulnerabilities in a hardware device or embedded system to simulate a real-world attack. Client may choose from Standard Hardware/Device Penetration Test or Advanced Hardware/Device Penetration Test, for which each test will be charged at the rate specified in the Order Document.

IBM will:
a. facilitate a project initiation call for up to one (1) hour to review Client's environment and organization, including device platform, architecture, frameworks, supporting infrastructure, known security problems or concerns associated with the device, preliminary testing schedule and emergency contact plan;
b. if Standard Hardware/Device Penetration Test is selected, provide an IBM resource to perform testing and exploitation of a device, for which the priority focus areas will include:
   (1) Weak physical locks;
   (2) Chassis intrusion or modification;
   (3) Insufficient anti-skimming controls;
   (4) Undetected foreign devices;
   (5) Insecure data storage (plaintext data, weak encryption algorithms, key storage, etc.);
   (6) Proper network encryption (SSL/TLS);
   (7) Mis-configured network services;
   (8) Flaws related to user management functions like login, password recovery, or password policy;
   (9) Authentication/authorization bypass;
   (10) Memory corruption vulnerabilities (buffer overflows, format strings, null dereferencing, etc.); and
   (11) Logic flaws;
c. if Advanced Hardware/Device Penetration Test is selected, provide an IBM resource to perform testing and exploitation of a device, for which the priority focus areas will include:
   (1) All vulnerabilities from Standard Hardware Penetration Tests;
   (2) Malicious hardware commands (e.g., dispense cash);
   (3) Application-level vulnerabilities in backend services;
   (4) Backend injection flaws (blind/timing-based SQL injection, OS command injection, XPath, etc.);
   (5) Serialization/marshalling flaws;
   (6) Advanced encryption attacks (padding oracle attacks, improper block modes, etc.); and
   (7) Hidden vulnerabilities only discoverable through executable or source code analysis;
   Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
d. document findings in a report (called "Hardware Penetration Test Report");
e. deliver the final Hardware Penetration Test Report;
f. conduct a report briefing call for up to one (1) hour to explain the findings and associated risks; and
g. have completed Hardware/Device Penetration Testing when the Hardware Penetration Test Report has been delivered to Client's Point of Contact and a report briefing has been provided or declined.

Client agrees to:
a. work with IBM to schedule the project initiation conference call such that all participants have enough notice to attend;
b. provide the required information prior to the project initiation call, including:
   (1) a description of the targeted device, including its standard deployment scenario;
   (2) a list of supporting infrastructure components that should be considered in-scope;
   (3) a list of any resources (servers, webpages, etc.) that should not be tested;
   (4) sufficient user credentials to access all aspects of supporting applications and verify proper authorization enforcement; and
   (5) any specialized software required to use the device;
c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at your premises;
d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
e. provide the tester with physical access to the targeted device;
f. ensure that the in-scope systems and infrastructure remain in a static state throughout the testing period; and
   Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results.
g. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow testers proper access to the target systems.

Services Activity - On-site Physical Security Testing
On-site Physical Security Testing is conducted when a consultant travels to the designated location(s) and attempts to gain access to physical buildings, critical infrastructure, or confidential computing systems. Client may choose from On-site Physical Security Testing - Standard or On-site Physical Security Testing - Advanced, for which each test will be charged at the rate specified in the Order Document.

IBM will:
a. if On-site Physical Security Testing - Standard is selected, provide an IBM resource to perform physical security testing, for which the priority focus areas will include:
   (1) visit one (1) Client location as specified in the Order Document, and attempt to gain access and compromise computing infrastructure;
   (2) perform a light level of open-source intelligence ("OSINT") research of publicly available badging procedures, door locations, maintenance or building contracts, etc.;
b. if On-site Physical Security Testing - Advanced is selected, provide an IBM resource to perform physical security testing, for which the priority focus areas will include:
   (1) visit four (4) Client locations as specified in the Order Document, and attempt to gain access and compromise computing infrastructure;
   (2) perform a full level of OSINT research of publicly available badging procedures, door locations, maintenance or building contracts, etc.;
c. work with Client to identify attack scenarios, such as posing as a vendor or partner in an attempt to gain unauthorized access;
d. request information about the location(s) and on-site POC (if needed), and require appropriate-level executive sign-off on activities and locations;
e. provide basic statistics in terms of strengths and weaknesses in the locations' security controls (lights, cameras, door locks, etc.);
f. if written consent is provided by Client, and if access is gained to a datacenter, attempt limited testing of access to non-critical systems;
g. not knowingly destroy or damage company property when attempting to gain access to buildings or locations;
h. produce a report (called "Social Engineering Physical Report") that reflects IBM's successes and failures in identifying vulnerabilities; and
i. have completed On-site Physical Security Testing when IBM has attempted to compromise the targeted location and delivered the Social Engineering Physical Report to Client's Point of Contact.

Client agrees to:
a. engage with the security consultant to have the kick-off call;
b. provide a specific list of the locations with full addresses;
c. provide information around badging and access control procedures;
d. provide sign-off from an appropriate-level executive; and
e. provide the consultant with a letter of intent and no-harm letter in the event that the consultant is detained by on-site staff or law enforcement.

Services Activity - Off-site Social Engineering
IBM will attempt to gain access to Client's computing environment by means of social or electronic coercion. Client may choose from Off-site Social Engineering - Standard or Off-site Social Engineering - Advanced, for which each test will be charged at the rate specified in the Order Document.

IBM will:
a. if Off-site Social Engineering - Standard is selected, provide an IBM resource to perform social engineering testing, for which the priority focus areas will include:
   (1) call up to thirty (30) individual users of the company in an attempt to gain access to restricted company information or user credentials;
   (2) develop up to two (2) storyboards during the kick-off call with Client, so the social engineering campaign can be as successful as possible;
   (3) request e-mails and addresses for USB drives to be sent;
   (4) perform a light level of OSINT to complement the information provided by Client in order to optimize the test results; and
   (5) attempt to compromise up to five (5) end-points during the test, and attempt basic lateral movement within the network environment;
b. if Off-site Social Engineering - Advanced is selected, provide an IBM resource to perform social engineering testing for which the priority focus areas will include:
(1) call up to sixty (60) individual users of the company in an attempt to gain access to restricted company information or user credentials;
(2) develop up to three (3) storyboards during the kick-off call with Client, so the social engineering campaign can be as successful as possible;
(3) validate identified e-mail addresses and physical locations for USB drives to be sent;
(4) perform custom OSINT to gather as much information as possible about the target and its employees, and to understand how the company culture may allow for a security breach; and
(5) attempt to compromise end-points during the test, and attempt basic lateral movement within the network environment;
c. provide statistics including how many employees divulged company information, how many individuals inserted the USB drive, and how many had their computer compromised;
d. create and develop malicious files or payloads for the users as part of the test and, if applicable, send files with custom-tailored macros in order to track file opens and other actions by the users;
e. produce a report (called "Social Engineering Off-site Report") that reflects the identified vulnerabilities for which IBM succeeded or failed to gain access to Client's computing environment; and
f. have completed Off-site Social Engineering when IBM has delivered the Social Engineering Off-site Report to Client's Point of Contact.
Client agrees to:
a. engage with the security consultant to have the kick-off call;
b. provide the list of e-mail addresses and locations that the off-site social engineering will be targeted against;
c. if Off-site Social Engineering - Standard is selected, provide an acceptable level of information, so the testing phone calls and USB devices reach their targets; and
d. if Off-site Social Engineering - Advanced is selected, provide a basic level of information, so the testing phone calls and USB drives reach their targets.

Services Activity - Phishing Test
The purpose of this activity is to provide phishing testing services to identify human vulnerabilities and the user base's knowledge of phishing threats, to promote security awareness within Client's organization. Client may choose from Phishing Test - Standard, Phishing Test - Advanced or Phishing Test - Targeted Attack, for which each test will be charged at the rate specified in the Order Document.
IBM will:
a. if Phishing Test - Standard is selected, provide an IBM resource to perform testing for which the priority focus areas will include:
(1) send phishing e-mails to up to one thousand (1,000) mailboxes;
(2) develop one (1) storyboard during the kick-off call with Client, so the phishing campaign can be as successful as possible;
(3) request as much information as possible about the target environment and users, so a broader audience is reached by the phishing campaign and Client has as much information as possible to boost their security-awareness program;
(4) provide basic statistics on how many people opened those e-mails and how many people acted on them (clicked links that could have been a malicious URL);
(5) perform a minimal level of OSINT, since most of the information will be provided by Client;
(6) not collect any user information (domain credentials) as part of the test; hence no attribution will be provided;
(7) not send any malicious files or payloads to the users as part of the test;
(8) not guarantee compatibility with Client's mobile platforms; and
(9) not compromise any end-points during the test, nor attempt any lateral movement within the network environment;
b. if Phishing Test - Advanced is selected, provide an IBM resource to perform testing for which the priority focus areas will include:
(1) send phishing e-mails to over one thousand (1,000) mailboxes, or create a more sophisticated campaign with more statistics and attribution;
(2) develop up to two (2) storyboards during the kick-off call with Client, so the phishing campaign can be as successful as possible;
(3) request some information about the target environment and users to see how some of Client's defenses are working against phishing attacks;
(4) provide more granular statistics on how many people opened those e-mails, how many people acted on them (opened files or clicked links that could have been a malicious URL), and how long a user might have spent on the landing page;
(5) perform some level of OSINT to complement the information provided by Client in order to optimize the test results;
(6) define with Client whether any credentials (usernames and/or passwords) will be collected to also provide attribution as part of the test results;
(7) not send any malicious files or payloads to the users as part of the test but, if applicable, send files with custom-tailored macros in order to track file opens and other actions by the users;
(8) use templates compatible with the commonly used mobile platforms; and
(9) not compromise any end-points during the test, nor attempt any lateral movement within the network environment;
c. if Phishing Test - Targeted Attack is selected, simulate what advanced adversaries would do to compromise an organization through the e-mail attack vector, where the priority focus areas will include:
(1) develop a custom-tailored plan during the kick-off call with Client to define test objectives and target users;
(2) perform OSINT in order to have as much information and context about the targets as possible;
(3) send crafted, targeted e-mails carefully developed to bypass all defense mechanisms and convince the user to take an action that might go against the organization's security policy;
(4) if applicable, use custom internet domains, SSL certificates, and a custom server in order to interact with potential victims;
(5) provide detailed statistics;
(6) if available, collect user credentials (usernames and/or passwords) to provide attribution as part of the test results;
(7) if applicable, compromise the target environment as an adversary would;
(8) if applicable, send malicious files or payloads to the users as part of the test;
(9) if applicable, send files with custom-tailored macros to track file opens and other actions by the users; and
(10) use templates compatible with the commonly used mobile platforms;
d. produce a report (called "Final Phishing Security Testing Report") that reflects the documented simulated attacks and identified vulnerabilities; and
e. have completed the Phishing Test when IBM has delivered the Final Phishing Security Testing Report to the Client's Point of Contact.
Client agrees to:
a. engage with the security consultant to have the kick-off call;
b. if Phishing Test - Standard is selected, provide:
(1) the list of e-mail addresses to which the phishing e-mails will be sent (up to one thousand (1,000) mailboxes); and
(2) as much information as possible about the target environment and users, so the phishing e-mails reach as many users as possible and Client has a good idea of the security posture of their user base;
c. if Phishing Test - Advanced is selected, provide:
(1) the list of e-mail addresses to which the phishing e-mails will be sent; and
(2) requested information about the target environment and users; and
d. if Phishing Test - Targeted Attack is selected:
(1) define the objectives of the test with the consultant during the kick-off call; and
(2) inform the consultant whether they want to be notified when the test will be performed or not.

Services Activity - Managed Service - Program Management
The purpose of this activity is to provide the Client with a dedicated X-Force Red resource to create and run a security testing program on the Client's behalf. As part of this support, the security testing program is customized for each Client, but the details often include: discovering testing targets (i.e., applications and networks), prioritizing targets, identifying proper testing levels, coordinating testing with Client's internal teams, tracking and prioritizing remediation, and coordinating retesting efforts. IBM will provide Client with Managed Service - Program Management for up to the quantity of hours and charges specified in the Order Document.
IBM will:
a. provide a dedicated senior testing consultant during normal business hours (M-F, 8AM-5PM local time) that will be responsible for:
b. running the Client's security testing program;
c. identifying and prioritizing the Client's testing targets;
d. selecting the proper security testing levels;
e. tracking and coordinating the Client's remediation efforts to address identified vulnerabilities resulting from the security testing methods used; and
f. have completed Managed Service - Program Management when IBM has used all of the contracted hours or when Client has terminated the service for convenience.
Client agrees to:
a. provide the consultant with a list of assets, or provide the consultant with the access required to perform asset discovery;
b. assist in identifying asset owners;
c. ensure that asset owners provide documentation on how assets are deployed, what data they handle, how the asset interacts with users and other systems, and what business role the asset plays;
d. provide documentation about business priorities that define risk, or make staff available for interviews so the consultant can compile the information;
e. provide documentation about change management procedures and appropriate access to tracking systems; and
f. provide documentation about defect tracking software and appropriate access to systems.
Services Activity - Internal Testing Components
As part of this services activity, IBM may use enabling software, hardware (also called "Agents") and/or third party services that are to be used for testing. The title to such Agent(s) will remain with IBM, or the third party services vendor, as determined by IBM. At IBM's discretion, IBM will select and provide Client with selected Agent(s); this includes both IBM and non-IBM third party services. Client has the right to use the selected Agent(s) only as directed by IBM. Such Agent(s) provided by IBM are to be managed by IBM as part of the Services and may not be used for any other purpose during the term. If enabling software and/or hardware is accompanied by a separate license agreement, the terms of such license agreement also apply.
At IBM's discretion, IBM will provide the following services where applicable:
a. acquire Agent(s) specified in the Order Document;
b. facilitate system design, and selection and use of the Agent(s) and features specified under this Services Description and associated contractual documents; and
c. coordinate with the vendor, to include those products provided by IBM or a third party, for the provision of support and maintenance for security technologies specified in the Order Document.
As part of on-premise testing, Client will need to agree to the following responsibilities. Client agrees:
a. that other than as specified in this Services Description, use of the Agent(s) supplied hereunder will be subject solely to the manufacturer's terms and conditions, third party or otherwise;
b. to use the Agent(s) and features specified under this Services Description and associated contractual documents;
c. to be responsible for:
(1) receiving and signing for the security technologies at Client's delivery location specified in the Order Document or a mutually agreed designated Client location. Any visible shipping damage shall be immediately reported to the shipper and IBM;
(2) complying with and performing any applicable tasks called out as Client's responsibilities in this Services Description;
(3) maintaining insurance on the Agent(s) throughout the contract period specified in the Order Document; and
(4) determining that the Agent(s), and the integration of such products, are in compliance with national building and installation codes and other laws and regulations, including product safety regulations;
d. that support and maintenance for the Agent(s) described herein will be coordinated by IBM and will not have to be obtained separately by Client;
e. and acknowledges that Client is not permitted to physically move Agent(s) without the express consent of IBM;
f. to submit requests for in-country physical moves of Agent(s) or services within 60 days of the requested move date;
g. that physical moves of Agent(s) are subject to additional fees and local tax implications;
h. that, due to regulations, cross-border movement of Agent(s) or services will not be permitted;
i. that any fix IBM makes available as part of support and maintenance is made on behalf of the security technology vendor and is licensed by the security technology vendor to Client under the terms of the applicable EULA. IBM provides any such Fixes AS IS AND WITHOUT WARRANTIES OF ANY KIND from IBM; and
j. and acknowledges that, should Client elect not to return the security technology Agent(s) upon nonrenewal, Client also agrees to pay IBM the then-current fair market value of the security technology Agent(s), as determined by IBM.
Disposition of Agents
At the end of the contract period, or upon termination of the contract, or upon completion of the relevant security test, Client agrees:
a. to work with IBM regarding the return of the security technology Agent(s);
b. to return all Agent(s) to a shipping location specified by IBM;
c. to be responsible for all return shipping charges;
d. to ensure the equipment is returned in the same condition (excepting reasonable wear and tear) as delivered to Client;
e. to be responsible for charges incurred as a result of misuse or damage of the Agent(s), and IBM may invoice Client directly for such misuse or damage; and
f. in the event it does not return the equipment, to be responsible for paying the residual value of the equipment as invoiced by IBM.

End User License Agreement(s) for On-premise Testing
On-premise testing may include security technology Agent(s) from vendors other than IBM, and as such the terms set forth in the applicable End User License Agreement(s) are solely between Client and the applicable security technology vendor. Client agrees to be bound by the terms and conditions set forth in the following End User License Agreement(s) ("EULA") as they pertain to the security technology Agent(s) included as part of the on-premise testing. The applicable Non-IBM Product EULA(s) are available for review at:
From this security services contract documents portal, Client selects the applicable country to access the documents under the Third Party End User License Agreements section.

1.2 Service Activity - Subscription and Managed Service Management
The purpose of this activity is to provide Client with status reviews every three (3) months during the contract term regarding Client's subscription and managed service usage, if mutually agreed by IBM and Client and as applicable.
IBM will:
a. mutually establish a service schedule with Client for status reviews, as applicable;
b. conduct a teleconference for up to two (2) hours every three (3) months during the contract term to review usage of Client's subscription and managed service budget, including service components utilized and remaining, update the service schedule and provide recommendations if appropriate;
c. document the results of each teleconference in a status report; and
d. have completed Subscription and Managed Service Management when IBM has delivered the status report, at the end of each three (3) month review period or according to the service calendar, to the Client's Point of Contact.
Client agrees to make appropriate personnel available during status reviews to answer questions, obtain requested data, perform suggested actions, and similar items.

1.3 Services Activity - Annual Subscription and Managed Service Management
The purpose of this activity is to provide Client with status reviews every twelve (12) months during the contract term regarding Client's subscription and managed service usage, if mutually agreed by IBM and Client and as applicable.
IBM will:
a. mutually establish a service schedule with Client for status reviews, as applicable;
b. conduct a teleconference for up to two (2) hours to review annual usage of Client's subscription and managed service budget, including service components utilized and remaining, update the service schedule and provide recommendations if appropriate;
c. if applicable, inform Client of subscription usage for testing services charges or consumption of Program Management support hours that exceeds the total monthly recurring charges established within the same calendar year and, if appropriate, invoice Client at the usage rates specified in the Order Document for usage that exceeds the yearly allowance;
d. document the results of each teleconference in an annual status report; and
e. have completed Annual Subscription Management when IBM has provided the annual status report, at the end of each twelve (12) month review period or according to the service calendar, to the Client's Point of Contact.
Client agrees to:
a. make appropriate personnel available during each twelve (12) month status review to answer questions, obtain requested data, perform suggested actions, and similar items; and
b. be responsible for all usage charges that exceed the Client's total monthly recurring charges established within the same calendar year, at the charge rate for each type of test and the usage charge for Program Management as specified in the Order Document.
Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer
More informationService Description: Software Support
Page 1 of 1 Service Description: Software Support This document describes the service offers under Cisco Software Support. This includes Software Support Service (SWSS), Software Support Basic, Software
More information"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.
Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationQuestions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP
Questions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP 1. If we cannot attend the September 27 pre-bid meeting in-person, will there be conference call capability
More informationIBM Resilient Incident Response Platform On Cloud
Service Description IBM Resilient Incident Response Platform On Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized
More informationKaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services
More informationPrivacy Policy. I. How your information is used. Registration and account information. March 3,
Privacy Policy This Privacy Policy describes how and when we collect, use and share your information across our App. When using our App you consent to the collection, transfer, storage, disclosure, and
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationDHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017
DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.
More informationChoosing the Right Security Assessment
A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding
More informationQNB Bank-ONLINE AGREEMENT
This is an Agreement between you and QNB Bank ("QNB"). It explains the rules of your electronic access to your accounts through QNB Online. By using QNB-Online, you accept all the terms and conditions
More informationTable of Contents. Stand: * * *
IBM Österreich Internationale Büromaschinen Gesellschaft m.b.h. A-1020 Wien, Obere Donaustraße 95 Telefon (01) 211 45-0* Telefax (01) 216 08 86 Sitz: Wien Firmenbuchnummer FN 80000 y Firmenbuchgericht
More informationNOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print
DEDICATED TO THE HEALTH OF OUR COMMUNITY www.hcdpbc.org NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY Addendum No. 1 issued September 7, 2018 RFI responses are in red bold print How many public
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationService Description VMware Workspace ONE
VMware Workspace ONE Last Updated: 05 April 2018 The product described in this Service Description is protected by U.S. and international copyright and intellectual property laws. The product described
More informationObjectives of the Security Policy Project for the University of Cyprus
Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University
More informationManaged NIDS Care Services
Managed NIDS Care Services This Service Guide ( SG ) sets forth a description of CenturyLink Managed NIDS Care Service ( Service ) offerings including technical details and additional requirements or terms,
More informationService Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE)
Page 1 of 1 Service Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE) This document describes Advanced Services Fixed Price: Cisco UCCE Branch
More informationSecurity Architecture
Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to
More informationHPE DATA PRIVACY AND SECURITY
ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection
More informationMobile Application Privacy Policy
Mobile Application Privacy Policy Introduction This mobile application is hosted and operated on behalf of your health plan. As such, some information collected through the mobile application may be considered
More informationBCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding)
BCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding) CLAUSE 13 ON-LINE BIDDING 13.1 ON-LINE BIDDING.1 Definitions: Owner means the party and/or their agent designated to receive on-line
More informationMonthly Cyber Threat Briefing
Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationRequest for Proposal (RFP)
Request for Proposal (RFP) BOK PENETRATION TESTING Date of Issue Closing Date Place Enquiries Table of Contents 1. Project Introduction... 3 1.1 About The Bank of Khyber... 3 1.2 Critical Success Factors...
More informationRFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template
RFP/RFI Questions for Managed Security Services Sample MSSP RFP Template Table of Contents Request for Proposal Template Overview 1 Introduction... 1 How to Use this Document... 1 Suggested RFP Outline
More informationTiger Scheme QST/CTM Standard
Tiger Scheme QST/CTM Standard Title Tiger Scheme Qualified Security Tester Team Member Standard Version 1.2 Status Public Release Date 21 st June 2011 Author Professor Andrew Blyth (Tiger Technical Panel)
More informationAcceptable Use Policy
Acceptable Use Policy This Acceptable Use Policy is in addition to South Central Communication s Terms of Service and together the documents constitute the Agreement between South Central Communications
More informationBT Assure Cloud Identity Annex to the General Service Schedule
1 Defined Terms The following definitions apply, in addition to those in the General Terms and Conditions and the General Service Schedule of the Agreement. Administrator means a Customer-authorised person
More informationIBM Cloud Service Description: Watson Analytics
IBM Cloud Services Agreement IBM Cloud Service Description: Watson Analytics The following is the Service Description for your Order: 1. Cloud Service The Cloud Service offering is described below, portions
More informationIBM PureApplication Service
Service Description IBM PureApplication Service This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients of the Cloud
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationETSY.COM - PRIVACY POLICY
At Etsy, we value our community. You trust us with your information, and we re serious about that responsibility. We believe in transparency, and we re committed to being upfront about our privacy practices,
More informationWeb Application & Web Server Vulnerabilities Assessment Pankaj Sharma
Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More informationAppPulse Point of Presence (POP)
AppPulse Point of Presence Micro Focus AppPulse POP service is a remotely delivered solution that provides a managed environment of Application Performance Management. AppPulse POP service supplies real-time
More informationAn ICS Whitepaper Choosing the Right Security Assessment
Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available
More informationA company built on security
Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for
More information