Managed Risk Program: Measure and Engage
a. Phishing and Security Awareness Training
- Phishing Campaign. eSentire will conduct one (1) phishing campaign per quarter against those internal employees identified by Client, to determine users susceptible to phishing attacks and track email links clicked, interactions with decoy webpages (Phishgates)*, opened attachments and such other metrics as may be determined by eSentire from time to time. Client shall approve in advance of each phishing campaign the timing and schedule of such campaign. Pre-defined templates shall be used for each phishing campaign with a maximum of two (2) iterations of campaign template refinements. Client shall be responsible for ensuring the phishing campaign emails can be received by Client’s email infrastructure. Client shall receive a detailed technical report of each campaign that includes the methodology employed and detailed findings showing the results of each campaign, including which users clicked on links and interacted with decoy webpages.
- Security Awareness Training. eSentire will provide semi-annual security awareness training sessions for Client’s employees. Each training session may be broken down into a maximum of three (3) sub-sessions and each sub-session shall be no longer than one (1) hour in length. All sub-sessions shall be delivered within one (1) business day. The training sessions will include, without limitation, password hygiene, social network posture, social engineering, unsecure connections, phishing attacks and other current topics and trends in cybersecurity. The training sessions shall be performed on a mutually agreed upon date and time, either remotely or onsite at Client’s location. If the training session is performed onsite, Client shall be responsible for all reasonable and necessary expenses incurred by eSentire in connection with the delivery of the onsite training as described in the Travel and Related Expenses section. The Client acknowledges and agrees that any recording or copies of the training content provided shall only be used for internal training purposes of Client’s employees.
b. External Vulnerability Scan and Penetration Test and OSINT
This engagement includes eSentire scanning (at such frequency as agreed to by eSentire and Client), the quantity of IP Addresses (including cloud-hosted and on-premise assets) set out on the applicable Order Form and which have been provided to eSentire by Client, identifying services running on each host, and identifying service versions running on each host, as well as:
- Penetration attempts on hosts and/or services identified by Client and which have known vulnerabilities;
- Attempt external infrastructure attacks (excluding denial of service attacks);
- Attempt external data access attacks (including brute force attacks);
- Attempt basic technical security violations of external facing applications (including cross site scripting attacks, cross site referencing, and SQL injection attacks); and
- Attempt deep dive exploitation of identified weaknesses in external systems into internal systems.
- External Vulnerability Rescan. eSentire will perform an External Vulnerability Rescan if Client received a one-time or annual recurring External Vulnerability Scan. After remediation activities undertaken by Client have been completed following an External Vulnerability Scan, eSentire will, no later than three (3) months following eSentire delivering to Client its draft report, rescan only those servers identified by eSentire to have high or critical security issues to validate such remediation.
- Open Source Intelligence Gathering. eSentire will use custom tools and a variety of other services to collect data related to Client employees and their external network (OSINT) to generate lists of potential usernames and passwords, discover publicly available email addresses, and generate a snapshot of open ports and services for use in penetration testing.
c. Managed Vulnerability Service – Cloud, Co-managed
Managed Vulnerability Service is an eSentire and Client co-managed service which provides access to a vulnerability scan-management and reporting platform and delivers vulnerability reports and vulnerability trending on a predetermined periodic basis, including the following capabilities (the “MVS”):
- Vulnerability Scanning. Vulnerability scanning delivers vulnerability reports and vulnerability trending on a predetermined periodic basis, weekly for external scans and monthly for internal scans, to determine Client’s vulnerability posture and allow Client to guide network/system configuration and controls. Client also has limited access to the co-managed platform to define and direct their own scanning in cooperation with eSentire.
- Vulnerability Reporting. Various reports for external and internal findings are sent by eSentire to Client following each scan conducted above. eSentire may also direct Client to the reporting platform portal to receive vulnerability reports in addition to or instead of providing scan report findings.
- Monthly Review. Client may request once per month a one (1) hour review of the findings of the scans conducted above with an eSentire Information Security Consultant.
- Ad-Hoc Vulnerability Scanning. Client may also direct their own ad-hoc vulnerability scanning via the eSentire-provided vulnerability scan-management and reporting portal with limitations and provided such scanning does not unduly interfere with eSentire delivery of the MVS or other eSentire supplied services.
- This engagement includes weekly external scanning and monthly internal scanning of the quantity of IP Addresses (including cloud-hosted and on-premise assets) set out in the applicable Order Form and which have been provided to eSentire by Client.
- Co-managed service. Client will be provided tenant access to an eSentire-managed scan-management and reporting platform portal. Client may direct their own scans and access reporting independent of eSentire and during this process shall not interfere with or otherwise modify agreed scanning policies and scan frequencies as defined by eSentire. Client shall not otherwise interact with the provided tenant access in a manner that adversely affects the delivery of the MVS or any other eSentire-provided Client services without prior written consent by eSentire.
- Quarterly PCI Attestations. Client may request that eSentire submits external scan results to the approved scanning vendor for PCI-ASV attestation. Such scanning shall be performed once per calendar quarter, provided it is Client’s sole responsibility to request that scan results are submitted for ASV certification as needed. For the avoidance of doubt, PCI attestations are not included in MVS and additional fees will apply, and the Quarterly PCI Attestations shall only be provided in connection to the Managed Vulnerability Service.
- Web Application Scanning (“WAS”) delivers the ability to scan external facing web applications for known vulnerabilities to determine Client’s web application posture and allow Client to guide web configuration and controls. Client also has limited access to the co-managed platform to define and direct their own scanning in cooperation with eSentire. For the avoidance of doubt, the Web Application Scanning is not included in the MVS and additional fees will apply, and the Web Application Scanning shall only be provided in connection to the Managed Vulnerability Service.
Sensors. eSentire may provide at least one physical or virtual security appliance (a “Sensor”) as specified on the applicable Order Form and to the extent required to provide to Client the MVS.
eSentire will configure and remotely manage the Sensor and its embedded software for all devices as part of the MVS. Client may only access the configuration of such Sensor with eSentire’s prior written authorization. eSentire shall only access the configuration of other network devices connected to the Sensor with Client’s authorization, and shall do so through an encrypted and secure means.
Client Responsibilities. Client is responsible for:
- Any and all data and systems which Client grants access to for receipt of the MVS;
- Obtaining all necessary licenses, permissions and consents to enable eSentire to access the Client’s network and servers in order to provide the MVS, including any 3rd party permissions as required;
- Designating a Project Coordinator to work directly with and serve as the primary Client contact with eSentire for the duration of Client receiving the MVS;
- Providing eSentire a complete copy of its security (including privacy) policies, as available. Client is solely responsible for the creation, maintenance and enforcement of its security policies to protect the security of Client Data and Systems;
- Its choice of equipment, systems, software and online content;
- Providing the necessary resources, information, documentation and access to personnel, equipment, systems and scanning schedules, as reasonably required by eSentire, to allow eSentire to perform the MVS;
- Notifying eSentire of any change or contemplated change to its network in advance of Client effecting such change;
- Complying with all applicable local, state, provincial, federal and foreign laws in using the MVS and any provided tools used in conjunction with MVS including but not limited to the vulnerability scan-management and reporting platform portal;
- Advising eSentire of network and IP/endpoint range changes to scope. For the avoidance of any doubt, any material changes to the IP/endpoint count, including overages that are greater than a five percent (5%) increase to the contracted scope in any sustained manner greater than three (3) days, may incur additional costs at the then-current contract rate and shall be calculated by eSentire and billed to Client minus any newly applicable volume discount;
Client responsibilities for Web Application Scanning. Client is responsible for:
- Specifying one valid Web application address/port for each web application being scanned. Each additional web application being scanned will be billed to Client minus any newly applicable volume discount;
- Accessing WAS service reporting via the eSentire-provided vulnerability scan-management and reporting platform portal;
- Conducting remediation of the risks and vulnerabilities found for each respective Web application;
- Any 3rd party hosting permissions as required.
Client responsibilities for Quarterly PCI Attestations. Client is responsible for:
- Being proactive towards the remediation of discovered vulnerabilities, contacting eSentire ahead of submission deadlines and in responding to communications regarding PCI compliance;
- Providing all documentation required for their PCI compliance submission a minimum of three (3) weeks before submission, providing updates as required, until documentation is formally submitted; and
- Requesting one (1) scan per calendar quarter so that eSentire submits external scan results to the approved scanning vendor for PCI ASV validation and certification. It is Client’s responsibility to request that scan results are submitted for ASV certification as needed.
In the event Client fails to perform its obligations in the time and manner specified or contemplated above, or should any assumption outlined herein with respect to the MVS Services fail to be valid or accurate, then eSentire will not be responsible for any related delay or damages. In the event that Client fails to notify eSentire of network changes as contemplated above, then eSentire shall be released from any and all obligations to scan the Client’s network until Client has notified eSentire of such change.
Exclusions. The MVS excludes the following:
- The design, creation, maintenance and enforcement of a security policy for Client; and
- eSentire attempting to access Client’s servers without Client’s express written or verbal consent.
d. Security Program Maturity Assessment
eSentire will review and assess the effectiveness of Client’s internal security program against the “Core 15” assessment areas of eSentire’s “Cybersecurity Reference Model”, or against other cybersecurity standard(s) or regulatory requirements as may be mutually agreed to by Client and eSentire in writing. The “Core 15” areas of the eSentire Cybersecurity Reference Model include:
- IT Security Strategy & Governance
- Human Resources
- Security Architecture
- IT/Security Risk Management
- Monitoring & Operations
- Incident Response
- Information Management
- Asset Management
- Vulnerability & Patch Management
- Third Party Risk Management
- Compliance & Audit
- Secure Network Design
- Authorization & Access Controls
- Malicious Code Prevention
- Secure Builds
The Security Program Maturity Assessment will also include meetings with appropriate Client designates and subject matter experts, eSentire evaluating risk areas and defining overall risk levels of Client’s internal security program, as well as eSentire evaluating and reporting to Client on the quality of Client’s processes, routines and controls. eSentire will provide to Client a baseline assessment of Client’s internal security program against eSentire’s “Cybersecurity Reference Model”, including an executive summary and a detailed findings report in Microsoft Word and Excel formats.
e. Executive briefings
eSentire will provide an annual executive briefing covering topics such as testing results and subsequent risks, general security trends and the overall threat landscape.
f. Threat advisories
eSentire will send threat intelligence advisories via email on an as needed basis regarding emerging threats and vulnerabilities including mitigation advice.