Mgt Svcs Schedule Template
Document Sample


Statement of Work for [project name] at [Customer name long]
Appendix C-2 to DIR Contract Number DIR-SDD-688
[project name]
Statement of Work
for
[Customer name long]
IT Security Services Statement of Work No. [sow#]
[Date]
Developed By
Calence, LLC
Corporate Office
1560 W. Fountainhead Parkway, 2nd Floor
Tempe, AZ 85282
Austin Office
1130 Rutherford Lane, Suite 208
Austin, TX 78753
Statement of Work No. [sow#] Version 1 [date]
Statement of Work
This Statement of Work is dated effective _________________________ (“Effective Date”) by and between Calence, LLC (“Calence”) and [Customer name long] (“Customer name” or “Customer”) and is delivered pursuant and subject to the terms and conditions of the Contract for Information Technology Security Services, DIR Contract No. DIR-SDD-688 (the “Agreement”) between Calence and the State of Texas Department of Information Resources (“DIR”). This Statement of Work will be incorporated by reference into the Agreement and become a part of the Agreement upon execution by both parties. Unless otherwise indicated, capitalized terms used herein that are defined in the Agreement shall have the same meanings as in the Agreement. In the event of any conflict between this Statement of Work and the Agreement, the Agreement shall control.
Objectives
Calence will meet the following Service objectives:
[CalencePCI]
[CalencePCI Scanning/Scanning Plus Service]
• Perform Quarterly Payment Card Industry (PCI) Network Security
Scanning.
[CalencePCI Gap Analysis]
• Perform a Payment Card Industry (PCI) Gap Analysis.
[CalencePCI Compliance Audit]
• Perform a Payment Card Industry (PCI) Level 1 Compliance Audit
for protection of sensitive, confidential information.
[CalencePCI Ongoing Support Services]
• Provide ongoing support for Payment Card Industry (PCI) Compliance efforts, supporting Customer compliance initiatives.
[Physical Security]
• Deliver a physical security solution resulting in the implementation
of equipment as per the bill of materials (BOM) that will provide
the services as per manufacturer specifications.
[Security Assessment]
• [Include if performing external, wireless or war-dialing]
Perform a perimeter security assessment
Perform an external security assessment of [Customer name]’s
Internet-accessible systems.
Perform war-dialing on up to [#] phone numbers.
Perform a wireless security assessment for the locations listed
in the Scope and Approach Section below.
Perform a firewall policy analysis for all in-scope firewall policies.
• Perform an internal security assessment of the [Customer name]’s
technology resources.
• [Include for web application assessment]
Perform an assessment of [name] web application.
• [Include for database security assessment]
Perform a database systems security assessment of the following:
Business drivers behind the database and related applications
Host operating system security
Database server setup and configuration
Database user access and authorization
Current front-end/back-end programming methodology
[Firewall Implementation]
• Design and deploy firewall architecture
• Configure a single [product name] firewall
[IDS Install]
• Integrate network intrusion detection system (IDS) into [Customer
name] network.
Scope and Approach
Calence will perform the following Services:
Project Management
• Be the primary point of contact to Customer on all project issues,
needs and concerns
• Conduct an initial planning meeting prior to the start of the project
• Complete change-request documentation as required
• Manage Customer expectations and satisfaction throughout the
project
• Schedule and coordinate the necessary resources to support the
project
• Identify, escalate and document project issues as necessary
• Provide team leadership and guidance
• Create and maintain a project plan in conjunction with [Customer
name] and measure weekly progress against mutually agreed-upon
milestones
• Schedule and conduct team update/status meetings
• Schedule and conduct project status meetings with [Customer
name]’s designated project representative
• Prepare written status reports for [Customer name] at mutually
agreed-upon intervals
[CalencePCI Scanning/Scanning Plus Service]
CalencePCI [Scanning or Scanning Plus – choose one] Service
Goal: Evaluate IT security posture measured from the Internet for PCI compliance
Scope:
No more than [x] externally accessible IP addresses [update]
[Scanning Plus Only – Delete if just Scanning] No more than [x] custom-developed payment-enabled applications
All tasks managed by PCI QSA
• Perform [x] quarterly external security assessments in compliance with PCI Security Scanning procedures
Discovery Phase: Investigate publicly available information to determine [Customer name]’s Internet-exposed IP address space. Review IP addresses with Customer prior to scan execution
Scanning Phase: Configure and monitor scanning tools
[Scanning Plus Only – Delete if just Scanning] Application Testing Phase: Using a combination of automated tools and manual testing procedures, evaluate all in-scope web applications for Cross-Site Scripting and SQL Injection vulnerabilities as required by the PCI DSS
[Scanning only – Delete if Scanning Plus] Documentation Review Phase: Review automated reports for accuracy of technical findings and compliance determinations.
[Scanning Plus Only – Delete if just Scanning] Analyze all results and create final report using data from automated vulnerability scanning and automated and manual web application testing.
Customer Scan Results Review Meeting: Meet with Customer to review discovered vulnerabilities, discuss remediation and overall trends from quarter to quarter.
[CalencePCI Gap Analysis]
CalencePCI Gap Analysis
Goal: Review all of [Customer name]’s credit card-oriented systems for potential
PCI compliance issues
Scope:
Systems, technical staff and technical management personnel of any systems and functions that transmit, process or store cardholder information, including up to [x] business groups and [x] technical groups that directly interact with cardholder data.
[x] Firewall Cisco PIX/ASA, Juniper Netscreen, Checkpoint Firewall-1 or Cisco IOS router firewall devices
Approximately [x] active, internally-accessible IP addresses
• Through a combination of documentation review and interviews, analyze [Customer name]’s current posture for possible gaps in Payment Card Industry Data Security Standard (PCI DSS) compliance; technical inspection may be required, but will be limited to only a small subset of that required for the full PCI DSS audit; areas to be reviewed include:
Network architecture, including firewalls and use of network
segmentation to enforce security
Device and system hardening procedures to eliminate vendor-
supplied default configurations
Protection of cardholder data in storage
Protection of cardholder data in transit
Anti-virus software usage and management
Security of systems and applications that transmit, process or
store cardholder data
Enforcement of “need to know” access models
Employee user account management procedures and practices
Physical security
Security monitoring and logging procedures and practices
Recurring security testing procedures and practices
Applicable information security policies and other documentation
Analyze firewall policies of all in-scope firewall devices
Perform a vulnerability scan of all in-scope systems to empiri-
cally determine compliance status of patch management and
device hardening efforts
• Provide Gap Analysis Report
Assess actual card processing infrastructure against PCI DSS
Provide design suggestions
Document gap analysis issues for remediation
[CalencePCI Auditing Service]
CalencePCI Auditing Service
Goal: Audit all of [Customer name]’s IT systems for compliance with the PCI
Data Security Standard
Locations: [enter locations from which the audit will be conducted]
Scope: [update description of in-scope systems]
Critical Environment
− Servers: No more than [x] servers including [list platform types:
Windows, Unix/Linux, Novell, etc.]
Additional Support Systems
− Servers: Tape backup, logging, authentication and other technical
support systems
− Workstations: [x] workstations including in-scope business users and
technical administrator systems
Additional In-scope Systems/Areas
− Network architecture and infrastructure devices
− Connection to third parties for maintaining the environment, if any
− Any system outside of the critical environment with more than
500,000 records of confidential information stored thereon
• Validate final scope of PCI audit
Review data flows and network diagrams of all system components involved in transmitting, processing or storing cardholder data
Review the optional use of internal network security controls that may limit scope to subsets of the overall network
Review all connections to third parties for supporting the Authorization and Settlement process, or maintaining the environment, if any
• In accordance with the currently published PCI Security Audit
Procedures, perform PCI compliance audit, validating compliance
in each of the following areas:
Network architecture, including firewalls and use of network
segmentation to enforce security
− Review and validate that network firewalls are properly
deployed in compliance with PCI DSS
− Review network diagrams for DSS compliance
Device and system hardening procedures to eliminate vendor-
supplied default configurations
− Review network device hardening procedures
− Review server hardening procedures
− Review workstation hardening procedures
Protection of cardholder data in storage
− Review database servers for proper storage of protected
information
− Review system logs, backup tapes and other maintenance
systems for potential storage of protected information
Protection of cardholder data in transit
− Review the following for proper encryption of protected
information over insecure networks
o Application data flows for primary application
o Workstation data flows
Anti-virus software usage and management
− Measure anti-virus saturation percentage on workstations,
servers and other systems
Security of systems and applications that transmit, process or
store confidential information
− Perform application assessment of [Customer name]’s payment-based applications
o Perform “blind” application assessment
Perform without valid user credentials
Evaluate authentication system’s resistance to
commonly used credentials
o Perform application review with focus on security
Application description and architecture
Presentation, application and database tier platforms
Identification, authentication and authorization
methods
Session state management methods
Input validation methods
Database integration methods
o Analyze database back-end security through interviews
and direct observation
User table security
Database structure for potential security issues
Additional application security checks as necessary
Use of encryption on appropriate information
Enforcement of “need to know” access models
− Review access models to validate enforcement of “need to
know”
Employee user account management procedures and practices
− Review user account management practices for employee
user accounts
− Perform random sweep of one physical user environment
for violations of password policy
− Validate two-factor authentication for all remote access
− Validate proper integration between system administration
and human resources for changes in employment status
− Validate password change frequency and password complexity requirements
Physical security
− Review data center security
− Review physical access to work areas
− Review guest registration and access procedures
− Review physical access of off-site backups and media
− Review media destruction procedures
− Perform “dumpster diving” to measure compliance with
destruction of printed material
Security monitoring and logging procedures and practices
− Evaluate system logging capabilities for network, application, server and database components
− Evaluate time synchronization configurations
− Evaluate security of audit and logging systems
− Evaluate log monitoring/analysis capabilities
− Validate that system logs do not contain sensitive information or that, if they do, the logs are secured with additional protections
Recurring security testing procedures and practices
− Review the four previous quarterly external scans
− Validate internal security scanning requirements
− Review the most recent penetration test results
− Review network IDS device architecture and configuration
Applicable information security policies and other documentation
− Validate that security policies address compliance with PCI DSS
− Validate that daily operational procedures address technical and administrative requirements of the PCI DSS
− Validate that employees are sufficiently trained in their information security responsibilities
− Validate that HR screening practices are in place for those
employees that have access to cardholder information
− Validate that applicable third-party contracts ensure the
continuity of security for cardholder data
− Review the Incident Response Plan
• Provide PCI Compliance Report
CalencePCI Ongoing Support Services
Goal: Provide the necessary, ongoing support resources – in the form of online knowledge base access, project planning templates, access to executive analysts, newsletters and other PCI-related materials – to enable [Customer name] to manage their continuing PCI program, including assistance with the development of valid compensating controls.
Note: These services are optional in that they are not required in order to demonstrate compliance. However, this service is recommended to provide ongoing, ad hoc support for any PCI concerns for the term of the contract.
License Counts:
[x] Task Management users: Task management users update the compliance management tasks to which they have been assigned. There should be one license per IT user.
[x] Full Portal users: Full portal users can use all features of the portal, including querying the knowledge base, submitting inquiries and managing task management assignments.
[x] annual inquiries (see description below)
• PCI Knowledge Base – The Knowledge Base serves as a searchable, online guide to support your payments security program; all content is peer reviewed by Executive Analysts for accuracy; useful throughout the year, the knowledge base provides the following for each PCI requirement:
Role(s) – Security, Systems, Networking, HR, Legal, etc.
Test procedures
Potential compensating controls
Intent
Glossary of key terms
Helpful links
• On-Demand Inquiries – Interpreting the Payment Card Industry (PCI) Data Security Standard can be challenging; while most requirements will be straightforward to a skilled IT security professional, particularly with the assistance provided by the Knowledge Base, some questions will inevitably remain unanswered; the on-demand inquiries are designed to provide definitive, timely answers to these questions; the on-demand inquiries will include the following:
“Routine” inquiries will be responded to within 3 business days
“Extraordinary” inquiries are those that require validation from an outside source (such as the PCI SSC or a payment card company); such inquiries will receive a notification within 3 days that they are extraordinary and will receive a response within 5 business days; if a response is provided outside of these SLAs, the answer will be provided free of charge (the inquiry will not be deducted from the total purchased)
In the event that [Customer name] is unsatisfied with the answer or has additional follow-up questions, the Customer has the option to submit a clarification in writing or request a conference call with the Analyst; either way, no additional charge will apply as this is still considered part of the original inquiry
• Compliance Task Management – Assign each PCI requirement to
specific individuals and create real-time reports on overall PCI
compliance
Task Identification – All tasks required by the PCI DSS version 1.1 are outlined along with their prescribed frequency (e.g. daily, weekly, monthly, quarterly, after every change, etc). The system will also identify one or more default groups that typically handle these tasks (e.g. network admin, system admin, application development, security, etc).
Task Assignment and Notification – Admin user(s) can assign these tasks to individuals or groups. The system will then send notification e-mails to the assigned individuals or groups on the interval specified by the Admin user(s). E-mail notification is flexible, allowing admin users to customize the task description, provide additional notes referencing an internal procedure to be followed, change task frequency, set reminder intervals, escalation policies, and more.
Task Completion – When a user receives a system-generated e-mail, they will be directed to a secure web page outlining the task required. They will then have the option of updating the task status (from a default ‘Initiated’ to ‘Completed’ or ‘Other’) and entering a description / location of any compliance evidence (e.g. documentation, test evidence) as well as any notes about the task.
Task Tracking and Reporting – Administrative users will then
be able to track and report on task status. All reports will be
exportable to Excel. At a minimum, Calence will offer the following standard reports:
− Overall Task Status – A summary of all current tasks, their completion status, and any notes logged.
− Task Status by Group – A summary of all current tasks and their completion status, grouped by job function (networking, systems, etc)
− Overdue Tasks – A summary of all overdue tasks and any
notes logged.
− Other Tasks – A summary of all tasks where notified users
have changed the status to ‘other.’ These tasks typically
require follow-up by the central compliance team. Some
examples include:
o User believes task was misassigned
o User believes task is inappropriate or not required for
compliance
o User does not have the resources to perform task
o User needs additional information to perform task
• Other Resources – In addition to the Knowledge Base, our solution also provides the following tools to help Customers manage their PCI program throughout the year:
Program planning template
Risk analysis template
State notification laws
Blogs
Breaking news
Quarterly newsletters
[Physical Security]
Review
• Review business, security, and technology strategies
• Review physical security goals (deterrent, investigation, loss prevention, safety, etc.)
• Gather technical documentation (network diagrams, security policies)
• Walk sites for device locations and construction
• Gather site Maps
• Review key user communities, applications, and systems
• Review network architecture
• Review technical security controls
• Review security program details (policies, capabilities)
• Identify issues and risks
Plan
• Develop physical security project plan
• Develop physical security implementation plan
• Develop physical security plan
• Develop physical security test plans
• Develop risk mitigation plan
• Develop Day 1 support plan
• Develop Day 2 Customer support transition plan
• Develop end user training plan
• Develop administrator training plan
Design
• Complete physical security design
• Document access policies
• Document camera configuration requirements
• Document alert notification requirements
• Document IP speaker requirements
• Document video paging requirements
Implementation
• Develop site map graphics
• Install cameras and associated servers
• Install alert devices and associated equipment
• Install IP speakers and associated equipment
• Configure and test cameras and associated servers
• Configure and test alert devices and associated equipment
• Configure and test IP speakers and associated equipment
• Implementation testing
• Update diagrams and documentation
Project Management
• Conduct a kick-off meeting to introduce the team and confirm the
objectives, timeline and approach
• Discuss the communication plan to ensure succinct and orderly
communication between the involved parties
• Perform overall project management and resource planning using a
detailed project plan
• Agree upon change control processes to minimize impact of the
changes
• Deliver weekly status reports (if required)
• Develop communication plan requirements (status reports, etc.)
• Conduct project wrap-up meeting to review results, lessons learned
and future opportunities for recommendation
[Security Assessment]
Perimeter Security Assessment
• Perform an external security assessment
Goal: Evaluate IT security posture measured from the Internet
Locations: [List locations where Internet POPs are]
Discovery Phase: Investigate publicly available information to
determine [Customer name]’s Internet-exposed IP address
space
Enumeration and Light Scanning Phase: Map Internet-
accessible services by scanning and analyzing [Customer
name]’s Internet IP address space
Heavy Scanning Phase: Enumerate active services for known vulnerabilities using a combination of open-source and commercial tools
Confirmation Phase: Attempt to penetrate into [Customer
name]’s network through any discovered vulnerabilities
• [remove if no wireless included]
Perform wireless network assessment
Goal: Evaluate wireless LAN security posture
Locations: [List of locations where we’ll be performing a wireless security assessment]
Perform wireless radio discovery through war-walking (access points, ad hoc networks and “wandering” client radios)
Evaluate access point configuration for WEP, LEAP, MAC
filtering, PEAP/WPA2, and other security controls
Determine signal leakage to uncontrolled areas
Evaluate wireless client security to determine the likelihood of bypassing corporate perimeter security devices such as firewalls to gain internal access.
Attempt to gain unauthorized access through weak WEP keys,
signal leakage, ad-hoc network, etc.
• [remove if no war-dialing included]
Perform war-dialing
Dial up to [#] phone numbers, looking for rogue modems that
allow unauthorized access into [Customer name]’s network
Identify, if possible, the listening software (Windows NT RAS,
pcAnywhere, Cisco IOS, etc.)
Identify default or weak passwords in use on any discovered
modems
• Document all findings, including recommended fixes
• [remove if no firewall policy analysis included]
Perform firewall policy analysis
Goal: Evaluate firewall configuration and access-lists/policies for risky rules
and opportunities for policy optimization
Scope: [x] [Cisco PIX/ASA/FWSM, Checkpoint, NetScreen, Cisco IOS
access-lists] policies.
Perform an analysis of all in-scope firewall policies
Analyze firewall rules, with special focus on the following data points:
− Firewall Interface Map – a definitive list of networks located behind each firewall interface
− Risky Rules – A list of rules, including specific access-list lines, that are responsible for risky communications allowed into and out of [Customer name]’s network
− Opportunities for policy optimization, including covered rules (rules that can never match because an earlier rule already matches all of their traffic first), disabled rules and time-based rules
− Adherence to firewall configuration best practices
Review analysis results for appropriateness
− For any risky rules, validate the requirement for the rule
and document the risk inherent in the rule as part of the
final report
− Review firewall optimization analysis with appropriate
[Customer name] personnel
• Document all findings, including recommended fixes
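As an added illustration (not part of this Statement of Work template and not Calence’s tooling), the following Python script computes three of the firewall policy data points listed above – covered rules, disabled rules and risky rules – over a small first-match policy. The rule representation, the sample access-list and the list of “risky” inbound ports are assumptions made for the example; a real engagement would load the device’s own configuration.

```python
"""Covered-rule, disabled-rule and risky-rule checks over a first-match
firewall policy. Added example: the Rule layout, the sample policy and
RISKY_INBOUND_PORTS are constructed for illustration, not taken from a
real device."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]
ANY_PORTS: PortRange = (0, 65535)
ANY_NET = "0.0.0.0/0"
# Hypothetical set of services a reviewer would flag when exposed from "any".
RISKY_INBOUND_PORTS: Dict[int, str] = {23: "telnet", 445: "smb", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    line: int                      # access-list line number, for the report
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                       # source network, CIDR notation
    dst: str                       # destination network, CIDR notation
    dports: PortRange = ANY_PORTS  # inclusive destination port range
    enabled: bool = True


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`.
    On a first-match firewall, `inner` can then never execute if `outer`
    precedes it, whatever the two actions are."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if not _net(outer.src).supernet_of(_net(inner.src)):
        return False
    if not _net(outer.dst).supernet_of(_net(inner.dst)):
        return False
    return outer.dports[0] <= inner.dports[0] and outer.dports[1] >= inner.dports[1]


def covered_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(covered line, covering line) for every enabled rule fully covered by a
    single earlier enabled rule. A rule covered only by the union of several
    earlier rules is not detected by this pairwise check."""
    found = []
    active = [r for r in rules if r.enabled]
    for j, later in enumerate(active):
        for earlier in active[:j]:
            if covers(earlier, later):
                found.append((later.line, earlier.line))
                break
    return found


def disabled_rules(rules: List[Rule]) -> List[int]:
    return [r.line for r in rules if not r.enabled]


def risky_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Enabled permits from any source that open every port, or that expose
    one of RISKY_INBOUND_PORTS."""
    out = []
    for r in rules:
        if not (r.enabled and r.action == "permit" and _net(r.src) == _net(ANY_NET)):
            continue
        lo, hi = r.dports
        if (lo, hi) == ANY_PORTS:
            out.append((r.line, "permit any source to all ports"))
            continue
        for port, name in RISKY_INBOUND_PORTS.items():
            if lo <= port <= hi:
                out.append((r.line, f"{name} ({port}) open from any source"))
    return out


# Constructed sample policy using RFC 5737 documentation addresses.
SAMPLE_POLICY = [
    Rule(10, "permit", "tcp", ANY_NET, "203.0.113.10/32", (443, 443)),
    Rule(20, "deny", "ip", "10.0.0.0/8", "203.0.113.0/24"),
    Rule(30, "permit", "tcp", "10.1.2.0/24", "203.0.113.20/32", (22, 22)),   # shadowed by the deny at 20
    Rule(40, "permit", "tcp", "198.51.100.0/24", "203.0.113.10/32", (443, 443)),  # redundant with 10
    Rule(50, "permit", "ip", ANY_NET, ANY_NET),                                 # any/any permit
    Rule(60, "permit", "tcp", ANY_NET, "203.0.113.30/32", (23, 23), enabled=False),
    Rule(70, "permit", "tcp", ANY_NET, "203.0.113.40/32", (3389, 3389)),       # covered by 50, and risky
]


def analyze(rules: List[Rule]) -> Dict[str, list]:
    return {
        "covered": covered_rules(rules),
        "disabled": disabled_rules(rules),
        "risky": risky_rules(rules),
    }


if __name__ == "__main__":
    for section, items in analyze(SAMPLE_POLICY).items():
        print(f"{section}: {items}")
```

A covered rule whose action differs from the covering rule (line 30 above, a permit hidden behind a deny) is a conflict to validate with the rule owner, not merely a cleanup candidate: removing the wrong one of the pair changes what the firewall allows.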
Internal Security Assessment
Goal: Evaluate the security posture of internal IT systems
Locations: [List of locations that we will be assessing. This isn’t necessarily the list
of locations that we’ll be visiting]
• Platforms and approximate system counts [All numbers can be approximate. As long as the numbers don’t change by an order of magnitude, the pricing model will hold]
Servers: approximately [#] Windows systems, [#] Unix sys-
tems, [#] Novell systems
Workstations: approximately [#] Windows-based workstations
• Discovery Phase
Review network architecture with focus on security (through
personnel interviews and review of network diagrams)
− Firewall usage and configuration
− Network segmentation (VLAN, DMZ, Access Requirements from remote user communities)
− Administrative access and authorization to network components
Collect basic information on applications and system platforms
in use
− Major applications including email, financials, home-grown
applications
− Basic information on general NOS, database and application platforms (Windows, Unix, Novell, etc.) including versions, IP addresses, etc.
[remove if no policy review]
Review existing IT security policies
− Interviews with key IT personnel
− Review of documented policies, if available
• Enumeration and Light Scanning Phase
Network service discovery through port scans, SNMP sweeps,
“banner grabbing” and other non-intrusive methods
• Heavy Scanning Phase
Perform authentication system weak password check against
one primary authentication system
− Blank passwords
− Password the same as username
− Default username/passwords
Perform server security assessment
− Full network-based vulnerability assessment to find
known security vulnerabilities
Perform workstation security assessment
− Weak local account password check
− Common workstation vulnerability assessment
− Rogue network services (Web, FTP, etc.) investigation
• Confirmation Phase
With [Customer name]’s permission, confirm suspected vulnerabilities by attempting to penetrate into affected systems
• Analysis and Documentation Phase
Analyze output from data collection phase
Document all findings in final report
Web Application Security Assessment
Goal: Evaluate the security posture of the web-based application and provide [Customer name] with specific coding recommendations that will lead to more secure web applications
Application name: [app name using the customer’s nomenclature]
• Perform “blind” web application assessment
Perform without valid user credentials
Evaluate authentication system’s resistance to various user input validation sequences through which unauthorized access may be possible
• Perform application review with focus on security, including:
Application description and architecture
Presentation, application and database tier platforms
Identification, authentication and authorization methods
Session state management methods
Input validation methods
Database integration methods
• Use authorized “testing” credentials (provided by [Customer
name]) for the following:
Perform user input validation checks (illegal characters in form
value, etc.)
Perform field buffer overflow checks on user input (overfilling
form input fields)
Perform menu security sanity checks
Analyze inter-tier interaction code (presentation/application to
database tier)
• Analyze database back-end security through interviews and direct
observation
User table security
Database structure for potential security issues
Additional application security checks as necessary
Use of encryption on appropriate information
• Document all findings, including recommended fixes
Database Security Assessment
Scope: [x] database servers
• Complete the kick-off/information gathering meeting
Discuss project timetable, required information, communication plan, access to key individuals, etc.
Discuss business uses of in-scope databases
Discuss technical background including:
− Database platform and operating system
− Approved access methods (TCP/IP, named pipes, etc.)
− Application/database security models, including use of
(extended) stored procedures, views, roles, database user
accounts and integration with domains (MSSQL)
− Use of referential integrity and/or triggers to maintain data
integrity
− Use of database maintenance plans and/or database
backup procedures
− Use and maintenance of built-in auditing capabilities
• Perform a security assessment of the database server’s operating
system
Goal: Evaluate IT security posture of underlying operating systems
Perform a vulnerability scan against the underlying operating system and the database server’s network listeners (e.g., TCP 1433/UDP 1434 for MSSQL and TCP 3306 for MySQL)
Validate host and/or “domain” privileges for operating system
user account under which the database runs
Validate system hardening settings as appropriate for database
server, including:
− Operating system hardening procedures
− Database server software hardening procedures
• Review application access methods
Review application-to-database integration methods
Review network communication for encryption
• Perform “blind” database security assessment
Attempt to gain unauthorized access to the database without
valid credentials
• Perform authenticated database security assessment
Goal: With valid database server credentials, perform a detailed analysis of se-
curity settings, user permissions and database construction/maintenance
Evaluate the database server for default, insecure configuration
settings
Evaluate the database server for default user accounts
Evaluate the permissions assigned to database user accounts
Evaluate the level of access provided to default (extended)
stored procedures known to lead to security incidents
Evaluate database integrity including:
− Verification of the use of referential integrity controls
− Verification of the use of triggers
− Verification of the use of database integrity checks (maintenance plan)
Evaluate database security model including:
− Validation of the “per application”/”per user” security
model
− Verification of the use of views, roles and other database
security measures
− Verification of the use of custom stored procedures and
associated security measures
Validate the use of database auditing capabilities including:
− Validation of the auditing settings against best practice
recommendations
− Validation of the audit administration, including reviewing
audit logs for suspicious activity, maintaining audit infor-
mation, etc.
• Document all findings, including recommended fixes
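As an added illustration (example queries, not part of this Statement of Work and not Calence tooling), the following read-only T-SQL checks correspond to the authenticated MSSQL assessment items listed above. They assume a sysadmin-equivalent login run through SSMS or sqlcmd, that [AppDatabase] is replaced with the in-scope database name, and SQL Server 2008 R2 SP1 or later for sys.dm_server_services.

```sql
-- Added example queries; not part of this Statement of Work and not Calence
-- tooling. Read-only checks for the authenticated MSSQL assessment items.
-- Assumptions: run via SSMS or sqlcmd (hence the GO separators) under a
-- sysadmin-equivalent login; [AppDatabase] is a placeholder for the in-scope
-- database; sys.dm_server_services needs SQL Server 2008 R2 SP1 or later.
USE master;
GO

-- Listener and transport for this connection: port (expect TCP 1433 unless
-- deliberately moved) and whether the session is encrypted
SELECT local_net_address, local_tcp_port, auth_scheme, encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Operating system account under which the database engine runs
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- Default/insecure configuration: value_in_use = 1 on any of these widens
-- the attack surface and needs a documented justification in the findings
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled', 'remote access');

-- Default account: principal_id 1 is the built-in sa login even if renamed
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- Permissions: every member of the sysadmin fixed server role
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Extended stored procedures in master that PUBLIC (i.e., every login) may run
SELECT o.name AS proc_name, p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.objects o ON o.object_id = p.major_id
WHERE p.class = 1                                   -- object-level grant
  AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND o.type = 'X';                                 -- X = extended stored proc

-- Auditing: login audit level (none/failure/success/all) and server audits
EXEC sys.xp_loginconfig 'audit level';
SELECT name, type_desc, is_state_enabled, on_failure_desc
FROM sys.server_audits;
GO

-- Per-database integrity and security-model checks
USE [AppDatabase];   -- placeholder: the in-scope application database
GO

-- Referential integrity: disabled or untrusted foreign keys are not enforced
SELECT name, is_disabled, is_not_trusted
FROM sys.foreign_keys
WHERE is_disabled = 1 OR is_not_trusted = 1;

-- Triggers, flagging any that have been disabled
SELECT name, parent_class_desc, is_disabled
FROM sys.triggers;

-- Views, custom stored procedures and user-defined roles actually in use
SELECT type_desc, COUNT(*) AS object_count
FROM sys.objects
WHERE type IN ('V', 'P') AND is_ms_shipped = 0
GROUP BY type_desc;

SELECT name
FROM sys.database_principals
WHERE type = 'R' AND is_fixed_role = 0 AND name <> 'public';

-- "Per application" vs "per user" model: database users mapped to logins
-- (principal_id <= 4 are the built-ins public, dbo, guest, INFORMATION_SCHEMA, sys)
SELECT dp.name AS db_user, dp.type_desc, sp.name AS server_login
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G') AND dp.principal_id > 4;
GO
```

Each result set maps to one bullet of the authenticated assessment, so the output can be pasted directly into the per-item “In-Place”/“Not In-Place” findings.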
[Firewall Implementation]
• Conduct a kick-off meeting to introduce the team and gather con-
sensus on the objectives and tasks
• Gather existing network diagrams and other documentation to
confirm the current network infrastructure and the applications
utilizing the network
• Review business and technical requirements
• Review configuration of the current devices for compliance with
industry best practices
• Define and document current application data flows
• Document current high-level security policies
• Develop firewall design including network addressing, NAT,
TCP/UDP port conduits, and security zones including Outside,
Inside and DMZ segments
• Develop firewall configurations
Develop complete configuration to meet the traffic patterns
and flows currently defined
Create configuration to support the future implementation of a
web server in the DMZ
• The following [Customer name] data and security devices are in-
cluded in this scope:
[#] [product name]
[#] [product name] switches
• Stage devices in the lab
• Develop an implementation plan that mitigates impact to produc-
tion services and clearly communicates required steps
• Develop a testing plan to confirm security posture and application
functionality before and after integration
• Harden peripheral devices and configure coarse filter(s) to limit
unauthorized traffic
• Deploy firewall into production
• Test basic network connectivity
• Migrate documented DMZ services and test functionality
• Verify change has not inadvertently altered security policies
(i.e., conduct an Internet scan of the network before and after
change)
• Document final network design
• Transition to [Customer name] with wrap-up report
• Provide a two-hour overview/training session of firewall configura-
tion as implemented.
[IDS Install]
• Review business requirements and technical architecture
• Assist in reviewing and selecting appropriate hardware solution
• Review network and confirm best placement of sensor and collec-
tor within current architecture
• Develop an implementation plan that mitigates impact to produc-
tion services and clearly communicates steps to [Customer name]
• Plan and deploy a single network IDS sensor
• Configure a single IDS collector
• Perform initial grooming of sensors (estimated 24 hours)
• Create policy
Interview [Customer name] staff to determine appropriate es-
calation procedures
Create process for evaluating alerts, updating system signa-
tures, and documenting and escalating incidents
• Document all changes and final network design
• Transition to [Customer name] with wrap-up report detailing work
performed and results
• Provide a one-hour overview on how to manage IDS.
Developed Works Calence will provide the following Developed Works:
[CalencePCI Scanning/Scanning Plus Service]
CalencePCI [Scanning or Scanning Plus – choose one] Service
• CalencePCI Scanning Report for each quarterly scan (required ele-
ments)
Executive Summary suitable for submission to the appropriate
card brands
− PCI Certificate Number – The PCI ASV certificate num-
ber that was used to conduct the scan.
− Compliance Status – Overall and per-IP address compli-
ance status as required for PCI Quarterly Scanning reports
PCI Vulnerability Synopsis – Per-system summary of vulner-
abilities discovered.
PCI Remediation Plan – Per-system summary of remediation
steps necessary to resolve all observed vulnerabilities. Includes
time estimates to effect remediation
[Scanning Plus Only – Delete if just Scanning] PCI Application Vulnerabilities – Detailed information on each web application cross-site scripting or SQL injection vulnerability observed through extended testing. Information to include vulnerability description, confirming information such as screenshots (where appropriate), steps to replicate, risk, affected pages/input variables and steps to remediate.
PCI Vulnerability Details – Detailed information on each vulnerability discovered on each in-scope system, including vulnerability description, risk, remediation steps, affected systems and confirming information.
• CalencePCI Scanning Report for each quarterly scan (supplemental
elements)
Miscellaneous Discovered Information – List of services, oper-
ating systems, databases, users/groups and files/directories
discovered for each in-scope system.
[CalencePCI Gap Analysis]
CalencePCI Gap Analysis
• PCI Gap Analysis Report identifying potential gaps in the PCI
compliance of all [Customer name]’s PCI “in-scope” systems.
Executive Summary – Provides executive-level background,
summaries and conclusions of PCI Gap Analysis.
PCI Current State – Provides line-item detail of the current
PCI posture, including “In-Place” and “Not In-Place” results
for each item of the PCI DSS.
PCI Findings and Recommendations – Contains specific rec-
ommendations to address outstanding PCI compliance issues
and suggested timetable for remediation.
Appendices – Provides additional supporting detail, including
all Gap Analysis work papers, collected data, etc.
[CalencePCI Compliance Audit]
CalencePCI Auditing Service
• Annual PCI Report on Compliance
Contact Information and Report Date
Executive Summary
− Business description
− Service provider, transaction processing support and other
third-party relationships that include access to cardholder
data
− POS products in use
− Describe Customer’s status pertaining to direct connec-
tions to any card brand’s network
− Relationships with wholly owned or international entities
with PCI compliance requirements
− Wireless connectivity to cardholder environment
Scope and Approach
− PCI version in use
− Assessment timeframe
− Technical background information summarizing the tech-
nical environment that was assessed.
− Any network areas precluded from the audit
− List of interviewees
− List of documentation reviewed
− Brief description and/or high-level diagram of network
topology and controls.
Summary of Quarterly Scan Results
Findings and Observations
− Using the PCI-provided template, document the exis-
tence/absence of each control prescribed in the Data Se-
curity Standard.
− As necessary, document the adequacy of any compensating
controls.
Appendix – Supporting Details – access to all raw data used in
generating the report will be made available on the accompany-
ing CD-ROM available after [Customer name] has accepted
the report.
[Physical Security]
• Project contact list
• Project escalation list
• Installation location diagrams and as-builts
• Bills of materials based upon installation requested
[Security Assessment]
• [For all except Web Application, unless customer requests a sepa-
rate DB Assmt report (See below)]
Assessment Findings Report with Table of Contents resembling
the following:
Executive Summary
− Project Scope and Approach – business justification for
the project, approach taken and personnel involved.
− Summary of Findings – executive-level summary of the as-
sessment findings and justification for resources for reme-
diation effort.
− Conclusions – concluding remarks, with comparative
analysis against applicable security best practices (best
practices based on [Customer name]’s size, industry, busi-
ness model, etc.).
Technical Findings and Recommendations
− Technical Background – background information summa-
rizing the technical environment that was assessed.
− Organization of Findings – explanation of risk levels,
summary list of findings with “time to remediate” and
“risk level” information.
− Findings and Recommendations – technical descriptions
of all findings, including confirming screen shots, sug-
gested remediation steps, affected systems, etc., broken
into the following sections: [update below if only external
or internal]
o External – includes findings for external security as-
sessment, war-dialing and wireless security assessment
[update]
o Internal – includes findings for internal security as-
sessment, authentication systems, policy review, work-
stations, etc.
o Firewall Analysis – details all risky rules, firewall con-
figuration items and optimization opportunities; will
also include specific details, such as rule number/text
in question, recommendations for mitigation, and risk
ratings.
o [If part of a larger assessment, DB report will be in-
cluded in overall report by default, unless the customer
requests a separate report (See Below)] Database As-
sessment – details all discovered database security
findings including description of vulnerability, recom-
mended fixes and vulnerable systems.
− Appendix – Supporting Details – access to all raw data
used in generating the report will be made available on the
accompanying CD-ROM available after [Customer name]
has accepted the report.
• [For Web Application only – Include in all SOWs that there is a
Web Application, whether or not other services are being pro-
vided]
Application Assessment Findings Report
Executive Summary
− Project Scope and Approach – business justification for
the project, approach taken and personnel involved.
− Summary of Findings – executive-level summary of the as-
sessment findings and justification for resources for reme-
diation effort.
− Conclusions – concluding remarks, with comparative
analysis against applicable security best practices (best
practices based on [Customer name]’s size, industry, busi-
ness model, etc.).
Technical Findings and Recommendations
− Technical Background – background information summa-
rizing the application that was assessed, including:
o Application description and architecture
o Summary of presentation, application and database tier
platforms
o Identification, authentication and authorization methods
o Session state management methods
o Input validation methods
o Database integration methods
− Organization of Findings – explanation of risk levels,
summary of findings and “business/security impact”
scores
− Findings and Recommendations – technical descriptions
of all findings, including confirming screen shots, sug-
gested remediation steps, affected systems, etc.; findings
will be categorized according to the security area to which
they belong (e.g., application architecture vs. database inte-
gration)
Appendix – Supporting Details – access to all raw data used in
generating the report will be made available on the accompany-
ing CD-ROM available after the report has been accepted by
the Customer
• [Only use if the DB assessment is standalone work effort or if the
customer requires a separate DB assessment report for some other
reason; otherwise delete.] One Database Security Assessment Find-
ings Report
Executive Summary
− Project Scope and Approach – business justification for
the project, approach taken and personnel involved.
− Summary of Findings – executive-level summary of the as-
sessment findings and justification for resources for reme-
diation effort.
− Conclusions – concluding remarks, with comparative
analysis against applicable security best practices (best
practices based on [Customer name]’s size, industry, busi-
ness model, etc.).
Technical Findings and Recommendations
− Background Information
o Business uses of databases
o Database platform and operating system
o Approved access methods
o Application/database security models, including use of
(extended) stored procedures, views, roles, database
user accounts and integration with domains (MSSQL).
o Referential integrity and/or triggers
o Database maintenance plans and/or database backup
procedures.
o Auditing Configuration
− Organization of Findings – explanation of risk levels,
summary of findings and “business/security impact”
scores.
− Findings and Recommendations – technical descriptions
of all findings, including confirming screen shots, sug-
gested remediation steps, affected systems, etc.
Appendix – Supporting Details – access to all raw data used in
generating the report will be made available on the accompany-
ing CD-ROM available after the report has been accepted by
the Customer.
[Firewall Implementation]
• Design binder with documented business requirements and the
firewall design details
• Updated network diagrams
• Documented data flows
• Documented security policies
• Updated device configurations
• Implementation and testing plans
• Documented test results
[IDS Install]
• Intrusion detection policies and procedures
• Annotated device configurations
All rights and title to any Developed Works shall belong to Customer. All
rights and title to Copyright Materials and Trade Secret Materials shall
belong to Calence, subject to the license expressly granted in this Statement
of Work. All rights and title to Calence Resources shall belong to Calence,
without any license with respect thereto to Customer or any third party. All
rights not expressly granted by Calence hereunder are reserved by Calence.
Subject to Customer’s performance of its obligations under this Statement
of Work, including its payment obligations, Calence hereby grants to
Customer a nonexclusive, nontransferable, limited license (without the right
to grant sublicenses), to use, execute, copy and create derivative works of
the Copyright Materials, and to use Trade Secret Materials: (i) solely for
Customer’s internal business purposes; (ii) not for the benefit of, or access
by, any third party other than Customer’s contractors who are subject to
written agreements consistent with this Statement of Work and who act
solely for the benefit of Customer; and (iii) subject to all other provisions of
the Agreement and this Statement of Work.
For the purposes of this Statement of Work:
• “Calence Resources” means all software, documentation, informa-
tion and materials used by Calence, or by Calence’s contractors on
behalf of Calence, in Calence’s performance under this Statement
of Work.
• “Copyright Materials” means all works of authorship recorded or
copied in the Developed Works, and which may include designs,
plans, blueprints, manuals, diagrams, activity reports, security as-
sessments, and other written materials.
• “Trade Secret Materials” means all non-public information that is provided
to Customer under this Statement of Work, and which may include patent
applications, trade secrets, technical and non-technical data, business
methods and models, drawings, processes, formulas, ideas, concepts, know-
how, techniques, sketches, models, inventions, processes, algorithms,
formulas, and including information regarding experiments, developments,
designs and specifications.
Assumptions and Requirements The following assumptions and requirements apply for this Services engagement:
[All CalencePCI offerings]
1. Calence may identify vendors connecting to [Customer name]’s
network. Data flows transferred over these connections are in-
scope, but assessments of vendor networks or systems on the other
end of these connections are not included.
2. Issues found in the execution of these Services will be communi-
cated, but unless otherwise stated in the Scope and Approach sec-
tion, resolution is not included in the scope of this project. Reme-
diation services are available under a separate Statement of Work.
3. Calence reserves the right to select the best security assessment
tools available to the consulting team at the time of the security as-
sessment.
4. Work estimates assume that all data collection will be completed
within the timeframes identified in the Timeframes section below.
Any changes to the scope, timeframes, and/or assumptions will re-
quire joint written approval prior to any work being performed.
5. Unless specifically outlined in the Scope and Approach section, the
assessment does not include the following:
• Social engineering of [Customer name] employees
• Anti-virus testing
• Physical security reviews
• Revisions to existing policies
• IP Telephony systems (including phones and servers)
• Security incident response
6. [Customer name] will provide a single point of contact to work
with Calence throughout each phase of the project. The resource
will have technical knowledge about the in-scope systems, devices
and networks, or will have access to additional subject-matter ex-
perts within the [Customer name] organization. The resource will
serve as the focal point for immediately notifying [Customer name]
of discovered high-risk vulnerabilities and findings.
7. As required of all PCI Certified security vendors, if requested in
writing by any credit card brand company or their member banks,
Calence is required to share the reports gathered on behalf of [Cus-
tomer name]. In such event, Calence will notify [Customer name]
of such a request prior to providing any requested information. All
other confidentiality agreements between Calence and [Customer
name] will remain in full effect.
[CalencePCI Scanning/Scanning Plus Service]
8. [Scanning Plus Only – Delete if just Scanning] The CalencePCI
Scanning service performs automated testing for known operating
system vulnerabilities and Cross-Site Scripting and SQL Injection
web application issues. The CalencePCI service does not provide
manual follow-up validation of suspected web application vulner-
abilities. The Customer assumes all risk for any web application
vulnerabilities in custom-developed web applications.
9. The CalencePCI [Scanning or Scanning Plus – choose one] service
addresses up to two PCI compliance scans. If the first scan shows
system vulnerabilities that will prevent PCI DSS compliance,
Calence will advise [Customer name] of any such issues and gener-
ate the final report. To be eligible for retesting in the current quar-
terly cycle, [Customer name] will remediate any issues prior to the
earlier of [Customer name]’s reporting deadline or within three
weeks of notification. A second PCI scan limited to revalidation of
compliance-affecting vulnerabilities will be conducted within one
week of notification by [Customer name] of the intent to rescan, at
which time any previously found high-risk vulnerabilities will be
documented as fixed. The second scan will be a complete retest,
which could indicate that vulnerabilities discovered since the first
scan are present. In the event any systems are found to be non-
compliant after two scans, the final report will demonstrate non-
compliance, as required by the PCI DSS.
[CalencePCI Scanning/Scanning Plus Service and CalencePCI Compliance
Audit]
10. If Network IDS is present and operating in “block”, “shun” or
another form of “active defense”, an exception will be made in the
device configuration to permit Calence to conduct the assessment.
Calence will provide static IP addresses.
11. The assessment uses a combination of “blind” and “full disclosure”
techniques to reduce the amount of time necessary to conduct a
thorough evaluation. [Customer name] will provide Calence with
access to all necessary information, documentation and technology
necessary for Calence to perform the Services. All documentation
will be provided in electronic format whenever possible.
[CalencePCI Gap Analysis and CalencePCI Compliance Audit]
12. As part of the Gap Analysis, any network architectural review will
be based on documentation provided by [Customer name] and will
not include independent discovery by Calence. Validation of the
network architecture will be performed by Calence to the extent
that it involves the in-scope systems.
[CalencePCI Gap Analysis]
13. Policy recommendations will be at the level of identifying gaps in
existing policies, but policy review does not include writing new or
replacement policies.
[CalencePCI Compliance Audit]
14. System counts provided in the Scope and Approach section are
based on Calence’s understanding of [Customer name]’s technical
environment. The PCI Compliance Audit requires that all systems
involved in the transmission, processing or storage of cardholder
data or any system with access to the cardholder environment are
included in the audit. Adjustments in the total system counts may
require a change in scope. Any such change in scope will be ap-
proved by both parties in the form of an addendum.
15. The PCI DSS Security Audit Procedures require that workstations
and terminals that have an IP Address and independent access to
the Internet must be included in the scope of the audit. Sampling
of these systems is permitted if standard images are applied against
these systems.
16. The internal assessment will be conducted from one central loca-
tion. Access to any remote locations will be accomplished through
[Customer name]’s WAN. Although all reasonable steps will be
taken to alleviate negative performance impact, WAN performance
may degrade while scanning and validation activity is underway.
[Physical Security]
17. [Customer name] will provide IP addressing scheme and IP ad-
dresses to be assigned to physical security device(s).
18. [Customer name] will provide site maps/building diagrams identi-
fying current site floor plans.
19. [Customer name] will provide list of personnel who will have ac-
cess to physical security surveillance data on a per-campus and en-
terprise basis.
20. [Customer name] will acknowledge physical security device(s) loca-
tion, validated with onsite walk-throughs prior to installation.
21. Any changes to installed device(s) may require a change order and
[Customer name] may incur additional charges for these changes.
22. [Customer name] will provide all electrical, conduit, and/or facility
preparation for the installation/support of physical security de-
vice(s).
23. Calence will install equipment listed on bill of materials (BOM)
with additional equipment installed based on approved change or-
der.
[Security Assessment]
[All Assessments]
24. Any network architectural review will be based on documentation
provided by [Customer name] and will not include independent
discovery by Calence. Documentation will be provided to Calence
in a suitable electronic format (preferably as a Visio diagram).
25. Calence may identify vendors connecting to [Customer name]’s
network. Work estimates do not include assessments of vendor
networks or systems.
26. If Network IDS is present and operating in “block”, “shun” or
another form of “active defense”, an exception will be made in the
device configuration to permit Calence to conduct the assessment.
Calence will provide static IP addresses.
27. Calence reserves the right to select the best security assessment
tools available to the consulting team at the time of the security as-
sessment.
28. Issues found in the security vulnerability assessment will be com-
municated, but resolution is not included in the scope of this pro-
ject.
29. The assessment uses a mix of “blind” and “full disclosure” tech-
niques to reduce the amount of time necessary to conduct a thor-
ough evaluation. [Customer name] will provide Calence with access
to all of [Customer name]’s information, documentation and tech-
nology necessary for Calence to perform the Services. All docu-
mentation will be provided in electronic format whenever possible.
30. Work estimates assume that all data collection will be completed
within the timeframes listed in the Timeframes section below.
[Customer name] will be invoiced for any out-of-scope work, de-
lays or repeated tasks caused by factors outside Calence’s control.
These factors include, but are not limited to, availability of Cus-
tomer personnel, equipment and telecommunication provider ser-
vices.
31. Unless specifically outlined in the Scope and Approach Section, the
assessment does not include the following:
• Social engineering of [Customer name] employees
• Anti-virus testing
• Physical security reviews
• Revisions to existing policies
• IP Telephony systems (including phones and servers)
• Security incident response
[External Assessments]
32. [Customer name] will provide a single resource to work with
Calence through the external assessment. The resource will have
knowledge of [Customer name]’s external networks and Internet-
accessible platforms and will serve as the focal point for immedi-
ately notifying [Customer name] of discovered high-risk vulner-
abilities.
33. Calence will perform discovery of [Customer name]’s Internet-
accessible networks and systems, but will confirm this information
with the customer before proceeding. [Customer name] will re-
spond to Calence’s request for confirmation within 4 hours of be-
ing notified of such request. Notification will be through email
with a follow-up voice call. Leaving a voice mail message will be
considered sufficient for the voice notification.
34. Calence will conduct work in the most appropriate location based on access requirements and costs associated with travel. Therefore, most of the external scanning and/or war-dialing will be conducted remotely, rather than at [Customer name]’s offices.
35. [update number?] The external assessment will be conducted on no
more than 25 Internet-accessible IP addresses, including web serv-
ers, firewalls, email servers, etc.
[War-dialing]
36. Phone numbers and preferred timeframes for war-dialing will be
provided to Calence within 72 hours of project kick-off. Failure to
provide this information may cause forfeiture of the fees for war-
dialing.
37. All phone numbers for war-dialing will be domestic United States
numbers. Additional charges will apply for international phone
numbers.
[Wireless]
38. [Customer name] will provide a single resource to work with
Calence throughout the wireless assessment. The resource will
have technical knowledge about the wireless network, including the
locations of “approved” access points and technical configurations.
The resource will serve as the focal point for immediately notifying
[Customer name] of discovered high-risk vulnerabilities in the
WLAN environment. The resource will coordinate physical access
to the locations using WLAN technology, including badge access,
security clearances, etc., as necessary.
39. The wireless assessment will be limited to the physical location(s)
listed in the Scope and Approach Section.
40. [Customer name] will provide console access to a selective repre-
sentation of WLAN access points.
[Firewall Policy]
41. The Customer will provide to Calence electronic copies of all in-
scope firewall policies for off-line analysis by Calence.
[Internal Assessments]
42. [Customer name] will provide a single resource to work with
Calence throughout the internal assessment. The resource will
have technical knowledge about the wireless network, including the
locations of “approved” access points and technical configurations.
The resource will serve as the focal point for immediately notifying
[Customer name] of discovered high-risk vulnerabilities in the
WLAN environment.
43. The internal assessment will be conducted from one central loca-
tion. Access to remote locations will be accomplished through
[Customer name]’s WAN.
[Policy review]
44. Policy review will be limited to interviews of no more than two key
personnel.
45. Policy recommendations will be at the level of identifying gaps in
existing policies, but policy review does not include writing new or
replacement policies.
[Web application assessments]
46. The web application assessment includes analysis of the application
components that have a direct effect on the overall security of the
application. These have been enumerated in the Scope and Ap-
proach Section. A line-by-line code review will not be necessary.
47. [For externally accessible web apps] Calence will conduct work in the most appropriate location based on access requirements and costs associated with travel. Therefore, most of the web application assessment will be conducted remotely, rather than at [Customer name]’s offices.
[Database systems assessments]
48. [Customer name] will provide a resource to work with Calence
through the database assessment. The resource will be able to pro-
vide Calence with knowledge of [Customer name]’s database sys-
tems, underlying operating systems and applications using the da-
tabases.
49. The database assessment assumes that unrestricted access to the database server as a “System Administrator” or equivalent security role will be provided. Calence’s activities will be restricted to read-only activities, but some security settings will require administrator-level access to the system to review.
50. The operating system review portion of the database security as-
sessment will be conducted in two parts: a network-based vulner-
ability scan and a system configuration audit conducted from the
local console. Administrator access from the console will be re-
quired. Remote access technologies such as MSRDP, PCAnywhere
or VNC are acceptable.
[Firewall Implementation]
51. Integration does not include [provide details of any tasks that
might be assumed to be included, but are not – authentication,
VPN, management software, etc.]
52. [data flows option 1] [Customer name] is responsible for commu-
nicating all relevant application data flows and will provide proper
documentation prior to project kick-off.
53. [data flows option 2] Data flows on the new firewall will be limited
to the following:
• [if possible, document data flows within the contract – non-trusted
to DMZ over http, trusted to non-trusted over http, etc.]
54. This implementation does not include incorporating new applica-
tion data flows (i.e., applications not currently in production).
55. [data flows option 3] [Customer name] is able to provide the application data flows needed through this new Internet infrastructure. The scope of work assumes the data flows will include:
• Internal users surfing the Internet, and allowing return traffic.
• Web server in the DMZ allowing Internet users to access it over port 80.
• Exchange Server will send and receive emails to and from the Internet.
• SQL server in the DMZ will sync with an SQL server on the Inside segment (data flow will be initiated from the internal SQL server).
• Outlook Web Access will remain on the Internal segment, so remote users will access this server directly from the Internet. Inbound and outbound data flows to support this Outlook Web Access will be supported through the firewall.
Any data flows outside the above defined data flows will be considered “out of scope” and could require extra work to identify and define.
56. Calence will make recommendations regarding security policies;
however, [Customer name] is responsible for the approval, adop-
tion and enforcement of these policies.
57. All devices will be configured with all necessary hardware by [Cus-
tomer name] prior to the start of work.
58. Calence will configure the new hardware to integrate with existing
network management services (e.g., syslog, NTP,
TACACS/RADIUS, SNMP). Troubleshooting associated with ex-
isting services will be limited to local issues with the new infrastruc-
ture only.
59. [Customer name] is responsible for configuring/testing Internet
connections prior to the start of this project.
60. [Customer name] is responsible for configurations to all end de-
vices including desktops, laptops, servers and printers.
61. Calence will communicate any network or security issues and/or
vulnerabilities uncovered during the project; however, detailed
analysis and resolution is not included within the scope of this pro-
ject.
62. Calence will have appropriate access to impacted servers to support
troubleshooting and clarification of identified data flows.
63. The project will provide an adequate change window to support
the integration of the firewall and the migration of servers to the
DMZ in a single conversion. Additional conversions may be sup-
ported with a change of project scope.
64. No IP addressing changes will be required with the exception of
the servers migrated to the DMZ.
65. [Customer name] will acquire adequate Internet address space from
their ISP. Calence recommends a minimum of [update] 16 ad-
dresses (a /28), with 32 or more (a /27) preferred for scalability.
[IDS Install]
66. [Customer name] is responsible for communicating all “approved”
application data flows and will provide proper documentation prior
to project kickoff.
67. [Customer name] will provide assistance in defining inappropriate
traffic (i.e., unapproved data flows) when grooming sensors.
68. Policies and procedures for this project will be limited to updating
IDS signatures, evaluating IDS alerts, and documenting and esca-
lating incidents for evaluation.
69. This plan allows for 24 hours of effort to perform initial grooming
(tuning) of the IDS sensors. Additional tuning may be required
depending on the complexity of data flows and traffic traversing the
network. Additional time spent grooming will be billed hourly.
[include for all]
70. All software, hardware, network wiring, permits, licenses and right
of ways, if not provided by Calence, necessary for the completion
of this project will be acquired and/or installed by [Customer
name] in a timeframe that allows Calence to complete or meet the
project-specific milestones.
71. [Customer name] and its employees, contractors, and agents will:
(a) cooperate with any reasonable request of Calence, (b) provide
input throughout the project and will review progress at review
meetings requested by Calence; and (c) provide Calence with access
to all of [Customer name]’s information, documentation and tech-
nology, necessary for Calence to perform the Services in accor-
dance with this Statement of Work, including a list of all Customer
and third-party contacts necessary for Calence to do so. Such co-
operation, input, and access are critical to this project, and [Cus-
tomer name]’s representation at all review meetings is essential.
72. [Customer name] will ensure that the Calence project staff is given
access to all necessary facilities and workspace, and is provided all
furniture, supplies and equipment (telephones, faxes, LAN connec-
tivity, printer access, dial-out modem lines, passwords, keys, etc.)
required to successfully perform, troubleshoot, and complete the
Services for the duration of the Services. In addition, [Customer
name] will ensure that the work environment is free of hazardous
materials and free from asbestos, and that all Calence personnel are
provided with all necessary safety equipment and training while on
[Customer name]’s or its customer’s site.
73. [Customer name] is responsible for providing adequate and secure
onsite storage for all deliveries.
74. [Customer name] is responsible for: (a) Back-up and/or data migra-
tion of existing data unless otherwise agreed to by Calence;
(b) Computer system and network designs; and (c) Component se-
lection as it relates to the performance of the computer system
and/or the network.
75. All Services will be performed over a consecutive timeframe unless
otherwise provided herein or agreed to by Calence in writing.
Calence will schedule resources upon receipt and acceptance of a
fully executed Statement of Work and a Purchase Order (to the ex-
tent required) from [Customer name]. Calence will use commer-
cially reasonable efforts to take into account [Customer name]’s
schedule, but in all events the performance of the Services is sub-
ject to the availability of Calence personnel and resources, as de-
termined by Calence. Any cancellations or changes in a project
schedule that are requested by [Customer name] and that do not
proximately result from an act or omission by Calence will be sub-
ject to a charge of 4 hours billed at the rate of $[#] per hour.
[update rate]
76. Any onsite skills transfer that takes place during this project will
not replace the manufacturer’s formal system implementation and
administration classes.
77. No formal user training is included in this Statement of Work. User
training is available for an additional cost.
78. [Customer name] will communicate any issues or concerns with
respect to the Services or Developed Works in a timely manner.
79. Any work performed around undocumented data flows will consti-
tute additional out-of-scope work.
80. Work estimates assume the Services will be completed within the
duration stated in the Timeframes section below. Calence is not
responsible for delays or repeated tasks caused by factors outside
Calence’s control. These factors include availability of Customer
personnel, equipment and telecommunication provider services.
Any changes to the scope, timeframes, and/or assumptions will re-
quire joint written approval prior to any work being performed.
81. To the extent consistent with the Texas Public Information Act,
Customer agrees to hold information designated in writing as con-
fidential or proprietary by Calence in strictest confidence and not
to copy, reproduce, sell, assign, license, market, transfer or other-
wise disclose such information to third parties or to use such in-
formation for any purpose whatsoever, except to perform the Cus-
tomer’s obligations hereunder and except as otherwise permitted
by this Statement of Work or applicable Texas law. Nothing herein
transfers to Customer any title to or ownership rights in any such
information; and, upon written request of Calence, Customer shall
promptly return or delete any such information which it has in its
possession.
82. Calence has no obligation to, and will not, install, mount, affix,
screw, or otherwise fasten any cable, hardware, or other product to
any building or structure (inside or outside), and Calence has no
obligation to, and will not, run cable above, under, behind, or
through any ceiling, floor, or wall of any building or structure. To
the extent that any such services are required, such services will be
performed by another person or entity engaged directly by [Cus-
tomer name].
Any changes to the scope and/or assumptions will require joint written
approval. This may extend the duration of the engagement and/or require
additional resources, resulting in additional cost to [Customer name].
Timeframes
[time and materials] Calence estimates that the Services described herein
will require [#] work-hours of effort and will be completed within [#]
weeks after the start of the project.
[fixed] Calence estimates that the Services described herein will be com-
pleted within [#] weeks after the start of the project.
[CalencePCI]
Calence estimates that the Services described herein will be completed as
identified in the table below.
[If CalencePCI Scanning is included, either Scanning or Scanning Plus must
be chosen, and the other one deleted.]
CalencePCI Scanning Service (per quarter): Offsite data collection and
documentation: 1 week.
CalencePCI Scanning Plus Service (per quarter): Offsite data collection:
1 week. Documentation will be available in no more than 2 weeks following
completion of all on-site data collection.
PCI DSS Gap Analysis: Onsite: [x] week, with concluding "Outbrief"
presentation. Documentation will be available in no more than [x] weeks
following completion of onsite work [will usually be 1 week and 2 weeks,
but validate].
PCI DSS Audit: Onsite: [x] weeks, with concluding "Outbrief" presentation.
Report on Compliance will be available within [x] weeks following
completion of onsite work.
CalencePCI Ongoing Support Services: Ongoing compliance support will be
available from Calence for the term of [x] year from the contract start
date.
[Security Assessment]
Calence estimates that the Services described herein will be completed
within the timeframes below:
[update to match assessments being offered] External, Wireless, Database,
and Internal Security Assessment: Data Collection Timeframe: [x] weeks;
Documentation Timeframe: [x] weeks.
[update to match applications being assessed. Each Web Application
Assessment will require a separate document] Web Application ([insert
application name]): Data Collection Timeframe: [x] weeks; Documentation
Timeframe: [x] weeks.
Fees
Technical Fees
[time and materials] Services will be provided on a time and materials
basis at the rate(s) listed below and in accordance with Section 4.B. of
DIR Contract No. DIR-SDD-688.
Estimated Hours: [#]; Hourly Rate: $[#]; Estimated Technical Fees: $[#].
[fixed] Services will be provided for the fixed fee listed below and in
accordance with Section 4.B. of DIR Contract No. DIR-SDD-688.
[project name]: Fixed Technical Fee: $[#].
[CalencePCI]
Services will be provided for the fixed fees listed below (collectively, the
“Fees”) and in accordance with Section 4.B. of DIR Contract No. DIR-
SDD-688.
[If CalencePCI Scanning is included, either Scanning or Scanning Plus must
be chosen, and the other one deleted.]
Type of Service: Fixed Price
CalencePCI Scanning (Contract term: [x] consecutive quarters): $[#]*
CalencePCI Scanning Plus (Contract term: [x] consecutive quarters): $[#]*
PCI DSS Gap Analysis: $[#]
PCI DSS Audit: $[#]
CalencePCI Ongoing Support Services: $[#]
Total Fixed Fee: $[#]
[remove if CalencePCI Scanning/Scanning Plus is not included] *This price
reflects an annual commitment of four consecutive quarters of CalencePCI
[Scanning or Scanning Plus – choose one] service. [Include if term is less
than 3 years] Additional discounts are available for longer contract terms.
[Include if term is longer than 1 quarter] In addition, one-time quarterly
assessment pricing is available without a longer-term commitment.
[Security Assessment]
Services will be provided for the fixed fees listed below and in accordance
with Section 4.B. of DIR Contract No. DIR-SDD-688.
Description: Fixed Consulting Fee
[update to match assessments being offered] External, Wireless, Database,
and Internal Security Assessment: $[#]
[update to match applications being assessed. Each Web Application
Assessment will require a separate document] Web Application ([insert
application name]): $[#]
Total Security Assessment: $[#]
Pricing Assumptions
1. [use this if they will pay expenses] Technical Fees pricing does not
include hardware/software costs or additional expenses, if any are
required.
[use this if they will not pay expenses] Technical Fees pricing does
not include any necessary hardware/software costs, and expenses
are not reimbursable.
2. [delete for fixed fee] Estimated hours are contingent upon a dedi-
cated full-time [Customer name] resource. This resource will work
with Calence on a full-time basis for the duration of this project to
assist with the completion of the Services defined within this
Statement of Work.
3. [delete for fixed fee] Pricing is indicated as a time and materials rate
with a 4-hour minimum.
4. All prices are in U.S. dollars.
5. The work to be performed will be completed during normally
scheduled working hours (8:00 A.M. to 5:00 P.M. local time Monday
through Friday), excluding Calence observed holidays (New Year’s
Day, Memorial Day, Independence Day, Labor Day, Thanksgiving
Day, The day after Thanksgiving, Christmas Eve, Christmas Day).
[delete the following (and the table) unless we will charge over-
time/weekend/holiday rates] Notwithstanding anything in this
SOW to the contrary, any work performed outside of these normal
business hours will be charged at the rates shown below.
Hour Type: Hour Definition: Rate
Normal Business Hours ("NBH"): 8 A.M. to 5 P.M. Monday through Friday:
Rate listed above
Overtime Hours: 5 P.M. to 8 A.M. Monday through Thursday: NBH Rate + 30%
Weekend Hours: Friday 5 P.M. to Monday 8 A.M.: NBH Rate + 50%
Holiday Hours: Starts 5 P.M. prior to holiday through 8 A.M. after
holiday: NBH Rate + 50%
Additional Expenses
[delete entire section if Customer will NOT pay expenses]
[use if local resources will be used, but Customer will pay expenses if non-
local resources needed.]
Calence plans to use local resources who will not require any travel ex-
penses. In the event a non-local resource is needed, Calence will obtain
prior written approval before incurring any travel charges. [Customer name]
will reimburse Calence in accordance with the State of Texas Travel
Regulations for reasonable expenses incurred in connection with our
performance of the Services, if any are required, including travel expenses,
lodging, and meals.
[use if non-local resources will be used, and Customer will pay expenses]
[Customer name] will reimburse Calence in accordance with the State of
Texas Travel Regulations for reasonable expenses incurred in connection
with our performance of the Services, if any, including travel expenses,
lodging, and meals.
Invoicing and Payment
[time and materials pricing] [Customer name] will be invoiced monthly and
will pay each invoice in accordance with Section 5.C. of Appendix A of the
DIR Contract No. DIR-SDD-688.
[fixed fee pricing] [Customer name] will be invoiced monthly, based on the
percentage of the Services completed that month, and will pay each invoice
in accordance with Section 5.C. of Appendix A of the DIR Contract No.
DIR-SDD-688.
[Use for CalencePCI]
Update the payment terms to include that CalencePCI Scanning and
Ongoing Support require up-front payment. All other services are under
typical Calence payment terms.]
[Use the following if CalencePCI Scanning/Scanning Plus or Ongoing
Support are included.]
[Customer name] will pay the CalencePCI [Scanning or Scanning Plus –
choose one] and [delete if no Ongoing Support] CalencePCI Ongoing
Support Services Fees in advance (the “Advance Fees”). Upon execution
of this Statement of Work by the parties, [Customer name] shall be invoiced
for all Advance Fees and payment shall be made in accordance with Section
5.C. of Appendix A of the DIR Contract No. DIR-SDD-688. Calence shall
have no obligation to perform any of the Services associated with the
Advance Fees unless and until the full amount is received by Calence.
[Customer name] will be invoiced monthly for all remaining Fees, based on
the percentage of the Services completed that month, and will pay each
invoice in accordance with Section 5.C. of Appendix A of the DIR Con-
tract No. DIR-SDD-688.
Credit Approval This Statement of Work is subject to credit approval by Calence. [Cus-
tomer name] agrees to submit such financial information from time to time
as may be reasonably requested by Calence for the establishment and/or
continuation of credit terms.
Location The engagement will be performed at [Customer name]’s facilities located at
[address].
Customer Contact Information
[Customer name]'s management contact for this engagement is [name]
(phone: [#]; fax: [#]; email: [email address]), and the technical contact is
[name] (phone: [#]; fax: [#]; email: [email address]). They will be responsi-
ble for making the arrangements necessary to accommodate Calence staff
members and provide them with the [Customer name] resources required
to complete the project.
Consent [use this section only for security assessment, penetration/intrusion and
PCI SOWs.]
[Customer name] represents and acknowledges that it has requested
Calence to perform the Services described herein. These Services may
include certain network security assessment, penetration or intrusion testing
services with respect to [Customer name]’s computer and information
system, including the network, routers and computers, and other Customer
technology. The purpose of the Services is to assess the security of the
Customer technology, including the ability of unauthorized individuals to
access the Customer technology. Accordingly and notwithstanding anything
to the contrary in the Agreement, [Customer name] acknowledges, accepts
and assumes the risk and liability that during the normal course of business,
whether at the time the Services are performed or at some unknown future
time, a risk exists that unauthorized persons or entities may, among other
things, gain access to, attack and/or impair the integrity of the Customer
technology, temporarily or permanently causing damage to all or part of the
Customer technology notwithstanding that Calence has used reasonable
efforts to provide any Services in a good, professional, workmanlike
manner in accordance with this Statement of Work.
Change Management
Calence reserves the right to increase the fees and other amounts due to it
hereunder in the event any of the assumptions or requirements set forth in
this Statement of Work are unperformed or incorrect, or if [Customer
name] requests Calence to provide additional services outside the scope of
Services. In any such event, Calence will have no obligation to perform the
affected Services or any additional services unless Calence has agreed, in
writing, to the increased fees and/or the additional scope, as applicable, in
the form of an addendum to this Statement of Work.
Escalation Procedure
Communications from Customer to Calence concerning the Services
provided under this Statement of Work will be escalated in accordance with
the following table. Names are listed in the order in which escalation
occurs.
Title: Name: Contact Information
Account Manager: [name]: Phone: [#]; Fax: [#]; Email: [name]@calence.com
Project Manager: [name]: Phone: [#]; Fax: [#]; Email: [name]@calence.com
Consulting Market Director: [name]: Phone: [#]; Fax: [#];
Email: [name]@calence.com
Acceptance Date This offer of Services will be good through [acceptance date]. Signature by
[Customer name] indicates acceptance and authorization to proceed with
the Services.
Invoicing Procedures
Calence will send invoices to:
[Customer name long]
Address:___________________________________________________
_________________________________________________________
Attention: Accounts Payable
Accounts Payable Contact:_____________________________________
Phone: ____________________________________________________
A Purchase Order [ ] Is / [ ] Is Not required for payment of invoices.
Purchase Order Number: _____________________________________
IN WITNESS WHEREOF, [Customer name long] and Calence have executed this Statement of Work as
of the Effective Date.
Calence, LLC [Customer name long]
Signature: _______________________________ Signature: ______________________________
Name: _________________________________ Name:_________________________________
Title: __________________________________ Title: __________________________________
Date: __________________________________ Date:__________________________________