IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

Transcription

1 IBM Global Technology Services Statement of Work for IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing The information in this Statement of Work may not be disclosed outside of your enterprise and may not be duplicated, used or disclosed in whole or in part for any purpose other than to evaluate the services, provided that if a contract is awarded to IBM as a result of or in connection with the submission of this Statement of Work, you will have the right to duplicate, use or disclose the information to the extent provided by the contract. This restriction does not limit your right to use information contained in this Statement of Work if it is obtained from another source without restriction. IBM retains ownership of this Statement of Work. GUIDANCE PAGE Z Page 1 of 2

2 Table of Contents 1. Scope of Services Definitions Services Services Coordination IBM Services Coordination Responsibilities Your Point of Contact Responsibilities Your General Responsibilities Mutual Responsibilities Penetration Testing IBM Penetration Testing Responsibilities Your Penetration Testing Responsibilities Estimated Schedule Completion Criteria Charges Other Terms and Conditions Economic Monetary Union Permission to Perform Testing Systems Owned by a Third Party Disclaimer Z Page 2 of 12

3 IBM Australia Limited ABN Level 13, IBM Centre, 601 Pacific Highway, St Leonards, NSW 2065 Statement of Work for Services IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing 1. Scope of Services IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing (called Express Penetration Testing or Services ) will be provided to: 1) conduct a real-life attack on Internet-connected systems designated by the Services Recipient, 2) help identify critical business risks, 3) analyse and document the attack, and 4) prioritise and outline the identified security risks and recommended corrective actions. IBM will use existing, commercially available tools, as well as IBM proprietary tools, to perform the Services. Such tools and their associated documentation remain the property of IBM or third parties. The details of the Services will be specified in the applicable schedule (called Schedule ). IBM does not provide for the purchase or acquisition of any products as part of the Services. 2. Definitions Credentials in information systems, credentials are commonly used to control access to information or other resources. The combination of a user account number or name, and a secret password is a widelyused example of credentials. Demilitarised Zone ( DMZ ) a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. Such DMZ is designed to prevent outside users from getting direct access to a server that has company data. Device any system that responds on the network including routers, firewalls, Web servers, file transfer protocol ( FTP ) servers, and mail servers. Services Recipient any entity or individual receiving or using the Services, or the results or products of the Services. 3. Services 3.1 Services Coordination IBM Services Coordination Responsibilities IBM will provide an IBM Services specialist who will be IBM s focal point during performance of the Services. The IBM Services specialist will: a. review the SOW, and any associated documents, with your Point of Contact; b. establish and maintain communications through your Point of Contact, as defined in the section entitled Your Point of Contact Responsibilities below; c. provide data collection questionnaire(s) (if applicable) to your Point of Contact at the onset of the Services; d. review and administer the Project Procedures with your Point of Contact, as defined in the Schedule; and e. coordinate and manage the technical activities of IBM s assigned personnel. This is an ongoing activity that will be considered complete at the end of the Services. None Z Page 3 of 12

4 3.1.2 Your Point of Contact Responsibilities Prior to the start of the Services, you will designate a person ("your Point of Contact"), to whom all communications relative to the Services will be addressed and who will have the authority to act on your behalf in all matters regarding this SOW. Your Point of Contact will: a. complete and return any questionnaires or checklists within five days of your receipt from IBM; b. serve as the interface between IBM s project team and all of your departments participating in the Services; c. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services, within two business days of IBM s request; and d. help resolve Services issues, and escalate issues within your organisation, as necessary Your General Responsibilities IBM's performance is dependent upon your management and fulfillment of your responsibilities under this SOW and the Agreement specified in the Schedule ( Agreement ), at no charge to IBM. You will: a. make appropriate personnel available to assist IBM in the performance of IBM s responsibilities; b. ensure that current maintenance and license agreements are in place with applicable vendors for those products and services upon which IBM is relying to provide the Services described herein; c. authorise International Business Machines Corporation and its subsidiaries (and their successors and assigns, contractors and IBM Business Partners) to store and use your business contact information wherever they do business, for use in connection with IBM products and services or in furtherance of IBM s business relationship with you; d. obtain any necessary consents, including those of individuals, and take any other actions required by applicable laws, including but not limited to the Privacy Act, prior to disclosing any of your employee information, or other personal information or data, to IBM. You agree that IBM may transfer your data to countries outside of Australia as IBM reasonably considers necessary or appropriate to perform the Services. If you disclose any Personal Information to IBM when supplying your data to IBM as specified in this clause, on or prior to making the disclosure you will take all reasonable steps necessary to disclose to the relevant individuals such information about IBM that is prescribed under national Privacy Principle 1.3. IBM will refer individuals who request access to their Personal Information to you. However, if required by applicable law, IBM may deal with such access requests directly and will notify you as soon as reasonably possible after receipt of the request. You will reimburse IBM for its reasonable expenses incurred in dealing with the request. For the purposes of this clause, Privacy Act means the Privacy Act 1988 as amended from time to time; Personal Information and National Privacy Principle have the same meaning as defined in the Privacy Act. The Services Recipient is solely responsible for determining that any transfer by IBM or Services Recipient of Services Recipient s data, including Personal Information, across a country border under the SOW and the Agreement complies with the applicable data protection laws. e. prior to making the facilities, software, hardware, networks or other similar resources available to IBM, promptly obtain any licenses or approvals necessary for IBM or its subcontractors to use, access and modify such resources to the extent necessary for IBM to perform the Services, including the development of any Materials. IBM will be relieved of its obligations to the extent your failure to promptly obtain such licenses or approvals adversely affects IBM s ability to perform its obligations. If a third party asserts a claim against IBM as a result of your failure to promptly obtain these licenses or approvals, you agree to reimburse IBM for any costs and damages that IBM may reasonably incur in connection with such claim; f. be responsible for: (1) the content of any database, the selection and implementation of controls on its access and use, backup and recovery, and the security of the stored data. This security will also include any procedures necessary to safeguard the integrity and security of software and data used in the Services from access by unauthorised personnel; (2) the identification and interpretation of any applicable laws, regulations, and statutes that affect the existing application systems, programs, or data to which IBM will have access during the Z Page 4 of 12

5 Services. It is your responsibility to ensure that the systems, programs, and data meet the requirements of those laws, regulations and statutes; (3) obtaining those products (such as any required software or hardware) and services upon which IBM is relying to provide the Services; (4) the physical installation and cabling of all hardware devices; (5) providing and paying for Internet access service or telecommunications transport circuits; and (6) your own network security policy and security violation response procedures Mutual Responsibilities Each of us will comply with applicable export and import laws and regulations, including those of the United States that prohibit or limit export for certain uses or to certain end users. Each of us will cooperate with the other by providing all necessary information to the other, as needed for compliance. Each of us will provide the other with advance written notice prior to providing the other party with access to data requiring an export license. 3.2 Penetration Testing IBM Penetration Testing Responsibilities Activity 1 - Project Initiation The purpose of this activity is to finalise the project team members, develop a common understanding of the project objectives, roles and responsibilities, and assess your readiness to implement the Services by confirming that the appropriate information is documented. IBM will: a. at least five business days prior to the project initiation conference call, provide any questionnaires or other data input sheets to your Point of Contact; b. facilitate a project initiation conference call, for up to two hours, on a mutually agreed date and time to: (1) initiate the project; (a) (b) (c) (d) introduce the project participants; discuss project team roles and responsibilities; review the project objectives; and provide an overview of the project methodology; (2) review your environment and organisation, including: (a) (b) (c) (d) network address range(s) to be tested, as specified in the Schedule (called target network range(s) ); devices and vulnerabilities present within the agreed upon target network range(s); penetration testing schedule; emergency contact plan, including event triggers and establishment of designated telephone number(s) and address(es); (3) review the completed data collection questionnaire(s) and identify any missing information; c. discuss risk tolerance; and d. develop a preliminary schedule of activities. This activity will be complete when the project initiation conference call has been conducted. None Activity 2 - External Network Vulnerability Testing The purpose of this activity is to identify active host systems and associated services within the targeted network range, assess such systems for known vulnerabilities, and evaluate the identified vulnerabilities. For the targeted network range specified in the Schedule, IBM will: Z Page 5 of 12

6 a. identify and document security exposures that may be used to infiltrate your network, for up to the number of Class C networks (targeted network range) specified in the Schedule; b. scan your designated network(s), using non-intrusive methods, to: (1) identify current vulnerabilities from an external perspective; and (2) identify false positives; and c. as applicable, analyse and document its findings and recommendations to be included in the External Network Vulnerability Report. This activity will be complete when IBM has delivered the External Network Vulnerability Test Report to your Point of Contact. External Network Vulnerability Test Report The External Network Vulnerability Test Report is a Type II Material consisting of the following, as appropriate: (1) Executive Summary - a high-level overview of the security posture; (2) Services Overview; (3) Assessment Findings Summary and Detail; and (4) Recommendations specific actions or considerations to address documented issues. IBM will deliver one copy of the External Network Vulnerability Test Report to your Point of Contact within ten business days following completion of the External Network Vulnerability Testing activity, or as otherwise mutually agreed. Activity 3 - Network Discovery and Assessment The purpose of this activity is to identify active hosts and services within the target network range(s) and assess the security posture of those systems. IBM will: a. conduct network discovery testing of the target network range; b. for up to the number of in-scope active Devices specified in the Schedule, identify active hosts and services. Test such hosts and services for issues and vulnerabilities that could lead to remote exploitation; Note: Only the Devices identified in the Schedule as in-scope for the penetration test will be included in a vulnerability assessment. A full network vulnerability assessment across all Devices in a specified network range will require a Network Vulnerability Assessment and is not included in the scope of this SOW. c. determine which vulnerabilities are conducive to attack and may be more likely to lead to a network compromise; d. assess and investigate high-value targets within the target network range(s) such as: (1) Web, application, database, and mail servers; (2) routers and switches; (3) firewalls; and (4) file transfer protocol ( FTP ) servers; and e. document the findings to be included in a Final Penetration Test Report. This activity will be complete when IBM has documented its findings to be included in the Final Penetration Test Report. None Z Page 6 of 12

7 Activity 4 - Perimeter Network Attack The purpose of this activity is to attempt to exploit identified vulnerabilities and demonstrate the impact of those vulnerabilities in terms of successful attack scenarios for the target network range(s), IP addresses, in-scope active Devices, and Web sites specified in the Schedule. IBM will: a. exploit key identified vulnerabilities: (1) on perimeter (remotely accessed) systems; or (2) on internal (locally accessed) systems. Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted; b. target specific systems and attempt to gain direct access to confidential data and administrator or elevated access privileges on vulnerable systems; c. attempt to compromise internal networks and systems by leveraging limited external access; d. demonstrate specific or systematic security weaknesses, if present. Examples of methods used to demonstrate such weaknesses may include: (1) mining of login Credentials using public sources; (2) brute-force password cracking directly against applications and virtual private networks ( VPNs ); (3) exploitation of buffer overflow and format string vulnerabilities; (4) session hijacking, if possible; and (5) Web application vulnerabilities testing including SQL injection, cross site, improper input validation, and application logic errors; and Note: Web application testing is conducted as a non-credentialed user. e. document the findings to be included in the Final Penetration Test Report. This activity will be complete when IBM has documented its findings to be included in the Final Penetration Test Report. None Activity 5 - Remote Exploitation The purpose of this activity is to utilise discovered successful attacks to initiate mutually agreed upon breach scenarios for the target network range(s). IBM will: a. attempt penetration into the DMZ and internal network(s); b. target confidential data (such as personnel, customer, and financial information); c. examine network linkages and implicit trust relationships; d. determine which portions of the internal network(s) are vulnerable to attack; e. work with your Point of Contact to identify goals regarding internal targets, such as: (1) accessing domain controller systems and cracking user passwords; (2) attempting to collect company confidential data from development servers; (3) attempting to leverage access to your sensitive systems to demonstrate malicious activity that may be possible; and (4) attempting to gain access to executive desktop computers; and f. document the findings in the Final Penetration Test Report. This activity will be complete when IBM has delivered the Final Penetration Test Report to your Point of Contact. Z Page 7 of 12

8 The deliverable Material, identified as a Type II Material, resulting from the completion of the Services is: Final Penetration Test Report The Final Penetration Test Report is a Type II Material consisting of the following, as appropriate: (1) Executive Summary a high-level overview of the security posture, summary of findings and a summary of recommendations; (2) Network Discovery and Assessment (Reconnaissance) an inventory of identified systems, ports, software versions, and vulnerabilities within the target network range(s) that may pose a security risk to your enterprise. The following information will be included as applicable: (a) (b) (c) (d) (e) host identification information; operating system information or device hardware; open port information; serious vulnerabilities found on hosts or devices; and configurations that may potentially impact your security or operations; (3) Penetration detailed description of how the identified information and vulnerabilities may be used to obtain internal access; and (4) Recommendations specific actions or considerations for fixing identified security weaknesses or implementing other viable mitigation strategies. IBM will deliver one copy of the Final Penetration Test Report to your Point of Contact within ten business days after the planned penetration attempts have been performed as detailed in the Remote Exploitation activity, or as otherwise mutually agreed. Activity 6 - Standard Penetration Retest The purpose of this activity is to conduct a retest of high risk vulnerabilities identified during a penetration test performed by IBM within the previous six months. Such retest is designed to verify the success of the recommended remediation activities resulting from the original penetration test. For only the high risk vulnerabilities identified during the original penetration test, IBM will: a. attempt to exploit identified vulnerabilities: (1) on perimeter (remotely accessed) systems; or (2) on internal (locally accessed) systems. b. target specific systems and attempt to gain direct access to confidential data and administrator or elevated access privileges on vulnerable systems; c. attempt to compromise internal networks and systems by leveraging limited external access; d. demonstrate specific or systematic security weaknesses, if present e. attempt penetration into the DMZ and internal network(s); f. target confidential data (such as personnel, customer, and financial information); g. examine network linkages and implicit trust relationships; h. determine which portions of the internal network(s) are vulnerable to attack; i. work with the your Point of Contact to identify goals regarding internal targets, such as: (1) accessing domain controller systems and cracking user passwords; (2) attempting to collect company confidential data from development servers; (3) attempting to leverage access to your sensitive systems to demonstrate malicious activity that may be possible; and (4) attempting to gain access to executive desktop computers; and j. update the Final Penetration Test Report with the findings from the penetration retest. Z Page 8 of 12

9 This activity will be complete when IBM has delivered the updated Final Penetration Test Report to your Point of Contact. Updated Final Penetration Test Report The updated Final Penetration Test Report is a Type II Material consisting of the following, as appropriate: (1) Executive Summary a high-level overview of the security posture, summary of findings and a summary of recommendations; (2) Penetration detailed description of how the identified information and vulnerabilities may be used to obtain internal access; and (3) Recommendations specific actions or considerations for fixing identified security weaknesses or implementing other viable mitigation strategies. IBM will deliver one copy of the updated Final Penetration Test Report to your Point of Contact within ten business days after the completion of the Standard Penetration Retest activity, or as otherwise mutually agreed. Activity 7 - Full Penetration ReTest The purpose of this activity is to conduct a retest of the IP addresses tested during a penetration test performed by IBM within the previous six months. Such retest is designed to verify the success of the recommended remediation activities resulting from the original penetration test. For only the IP addresses included in the original penetration test, IBM will: a. attempt to exploit identified vulnerabilities: (1) on perimeter (remotely accessed) systems; or (2) on internal (locally accessed) systems; b. target specific systems and attempt to gain direct access to confidential data and administrator or elevated access privileges on vulnerable systems; c. attempt to compromise internal networks and systems by leveraging limited external access; d. demonstrate specific or systematic security weaknesses, if present; e. attempt penetration into the DMZ and internal network(s); f. target confidential data (such as personnel, customer, and financial information); g. examine network linkages and implicit trust relationships; h. determine which portions of the internal network(s) are vulnerable to attack; i. work with the your Point of Contact to identify goals regarding internal targets, such as: (1) accessing domain controller systems and cracking user passwords; (2) attempting to collect company confidential data from development servers; (3) attempting to leverage access to your sensitive systems to demonstrate malicious activity that may be possible; and (4) attempting to gain access to executive desktop computers; and j. update the Final Penetration Test Report with the findings from the penetration retest. This activity will be complete when IBM has delivered the updated Final Penetration Test Report to your Point of Contact. Updated Final Penetration Test Report The updated Final Penetration Test Report is a Type II Material consisting of the following, as appropriate: Z Page 9 of 12

10 (1) Executive Summary a high-level overview of the security posture, summary of findings and a summary of recommendations; (2) Penetration detailed description of how the identified information and vulnerabilities may be used to obtain internal access; and (3) Recommendations specific actions or considerations for fixing identified security weaknesses or implementing other viable mitigation strategies.. IBM will deliver one copy of the updated Final Penetration Test Report to your Point of Contact within ten business days after the completion of the Standard Penetration Retest activity, or as otherwise mutually agreed Your Penetration Testing Responsibilities You agree to: a. complete and return any data collection questionnaires within five days of receipt of such questionnaires; b. work with IBM to schedule the project initiation conference call identified in the Project Initiation activity such that all participants have enough notice to attend and can complete required input documents (such as the data collection questionnaire) prior to the call; c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at your premises; d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility; e. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period; and Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges. f. ensure the IP addresses associated with the technical testers are added to any filtering devices (such as firewalls and intrusion prevention systems), such that the testers have unfiltered access to the target systems. 4. Estimated Schedule The estimated schedule for the Services is detailed in the Schedule. Both parties agree to make reasonable efforts to carry out our respective responsibilities in order to achieve the estimated schedule. If the Schedule signature date is beyond the Estimated Start Date, the Estimated Start Date will automatically be extended to the first business day following the date of the last signature on the Schedule. The Estimated End Date will automatically be extended by the same number of days. 5. Completion Criteria IBM will have fulfilled its obligations for the Services when any one of the following first occurs: a. IBM completes the activities described in this SOW, including provision of the deliverable Materials; or b. the Services are terminated in accordance with the provisions of the Agreement identified in the Schedule. 6. Charges The charges for the Services described in this SOW, exclusive of applicable taxes, are as specified in the Schedule. Unless otherwise stated in the Schedule, pricing is based upon a contiguous work schedule. Delays in the work schedule are subject to the Project Change Control Procedure and may result in an increase in pricing. IBM shall not be responsible for delays or additional requirements imposed by any government agencies, labor disputes, fire, unavoidable casualties, or unforeseen conditions. Z Page 10 of 12

11 7. Other Terms and Conditions 7.1 Economic Monetary Union The Services do not address the capability of your systems to handle monetary data in the euro denomination. You acknowledge that it is your responsibility to assess your current systems and take appropriate action to ensure that such systems are able to correctly process or properly exchange accurate monetary data in the euro denomination. 7.2 Permission to Perform Testing Certain laws prohibit any unauthorised attempt to penetrate or access computer systems. You authorise IBM to perform the Services as described herein and acknowledge that the Services constitute authorised access to your computer systems. IBM may disclose this grant of authority to a third party if deemed necessary to perform the Services. The Services that IBM performs entail certain risks and you agree to accept all risks associated with such Services; provided, however, that this does not limit IBM s obligation to perform the Services in accordance with the terms of this SOW. You acknowledge and agree to the following: a. excessive amounts of log messages may be generated, resulting in excessive log file disk space consumption; b. the performance and throughput of your systems, as well as the performance and throughput of associated routers and firewalls, may be temporarily degraded; c. some data may be changed temporarily as a result of probing vulnerabilities; d. your computer systems may hang or crash, resulting in system failure or temporary system unavailability; e. any service level agreement rights or remedies will be waived during any testing activity; f. a scan may trigger alarms by intrusion detection systems; g. some aspects of the Services may involve intercepting the traffic of the monitored network for the purpose of looking for events; and h. new security threats are constantly evolving and no service designed to provide protection from security threats will be able to make network resources invulnerable from such security threats or ensure that such service has identified all risks, exposures and vulnerabilities. 7.3 Systems Owned by a Third Party For systems (which for purposes of this provision includes but is not limited to applications and IP addresses) owned by a third party that will be the subject of testing hereunder, you agree: a. that prior to IBM initiating testing on a third party system, you will obtain a signed letter from the owner of each system authorising IBM to provide the Services on that system, and indicating the owner's acceptance of the conditions set forth in the section entitled Permission to Perform Testing and to provide IBM with a copy of such authorisation; b. to be solely responsible for communicating any risks, exposures, and vulnerabilities identified on these systems by IBM s remote testing to the system owner, and c. to arrange for and facilitate the exchange of information between the system owner and IBM as deemed necessary by IBM. You agree: d. to inform IBM immediately whenever there is a change in ownership of any system that is the subject of the testing hereunder; e. not to disclose the deliverable Materials, or the fact that IBM performed the Services, outside your Enterprise without IBM s prior written consent; and f. to indemnify IBM in full for any losses or liability IBM incurs due to third party claims arising out of your failure to comply with the requirements of this section entitled, "Systems Owned by a Third Party" and for any third party subpoenas or claims brought against IBM or IBM s subcontractors or agents arising out of (a) testing the security risks, exposures or vulnerabilities of the systems that are the subject of testing hereunder, (b) providing the results of such testing to you, or (c) your use or disclosure of such results. Z Page 11 of 12

12 7.4 Disclaimer You understand and agree: a. that it is solely within your discretion to use or not use any of the information provided pursuant to the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose not to take based on the Services performed and/or deliverables provided hereunder; b. that it is your sole responsibility to provide appropriate and adequate security for the company, its assets, systems and employees; c. that it is your responsibility to add the IP addresses associated with the testers to any filtering devices, thereby permitting unfiltered network access to the target systems; and d. not to modify the configurations of any in-scope systems and infrastructure devices during the period of testing. e. that new technology, configuration changes, software upgrades and routine maintenance, among other items, can create new and unknown security exposures. Moreover, computer hackers and other third parties continue to employ increasingly sophisticated techniques and tools, resulting in ever-growing challenges to individual computer system security. IBM s performance of the Services does not constitute any representation or warranty by IBM about the security of your computer systems including, but not limited to, any representation that your computer systems are safe from intrusions, viruses, or any other security exposures. IBM does not make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information provided as part of the Services. Z Page 12 of 12