The URL can be used to link to this page

23-075 FR Secure Professional Consultant ContractRisk Assessment/Internal Pen Testing Page 1 of 9 Professional/Consulting Contracts /Version: October 2021 PROFESSIONAL/CONSULTING SERVICES AGREEMENT 1. PARTIES This Agreement is made by and between the City of Cupertino, a municipal corporation (“City”), and FR Secure, LLC. (“Contractor”), a Limited Liability Company for Risk Assessment/Internal Pen Testing, and is effective on the last date signed below (“Effective Date”). 2. SERVICES Contractor agrees to provide the services and perform the tasks (“Services”) set forth in detail in Scope of Services, attached here and incorporated as Exhibit A. Contractor further agrees to carry out its work in compliance with any applicable local, State, or Federal order regarding COVID-19. 3. TIME OF PERFORMANCE 3.1 This Agreement begins on the Effective Date and ends on July 31, 2024 (“Contract Time”), unless terminated earlier as provided herein. Contractor’s Services shall begin on the effective date and shall be completed by July 31, 2024. The City’s appropriate department head or the City Manager may extend the Contract Time through a written amendment to this Agreement, provided such extension does not include additional contract funds. Extensions requiring additional contract funds are subject to the City’s purchasing policy. 3.2 Schedule of Performance. Contractor must deliver the Services in accordance with the Schedule of Performance, attached and incorporated here Exhibit B. 3.3 Time is of the essence for the performance of all the Services. Contractor must have sufficient time, resources, and qualified staff to deliver the Services on time. 4. COMPENSATION 4.1 Maximum Compensation. City will pay Contractor for satisfactory performance of the Services an amount that will based on actual costs but that will be capped so as not to exceed $29,375.00 (“Contract Price”), based upon the scope of services in Exhibit A and the budget and rates included in Exhibit C, Compensation attached and incorporated here. The maximum compensation includes all expenses and reimbursements and will remain in place even if Contractor’s actual costs exceed the capped amount. No extra work or payment is permitted without prior written approval of City. 4.2 Invoices and Payments. Monthly invoices must state a description of the deliverable completed and the amount due for the preceding month. Within thirty (30) days of completion of Services, Contractor must submit a requisition for final and complete payment of costs and pending Risk Assessment/Internal Pen Testing Page 2 of 9 Professional/Consulting Contracts /Version: October 2021 claims for City approval. Failure to timely submit a complete and accurate payment requisition relieves City of any further payment or other obligations under the Agreement. 5. INDEPENDENT CONTRACTOR 5.1 Status. Contractor is an independent contractor and not an employee, partner, or joint venture of City. Contractor is solely responsible for the means and methods of performing the Services and for the persons hired to work under this Agreement. Contractor is not entitled to health benefits, worker’s compensation, or other benefits from the City. 5.2 Contractor’s Qualifications. Contractor warrants on behalf of itself and its subcontractors that they have the qualifications and skills to perform the Services in a competent and professional manner and according to the highest standards and best practices in the industry. 5.3 Permits and Licenses. Contractor warrants on behalf of itself and its subcontractors that they are properly licensed, registered, and/or certified to perform the Services as required by law and have procured a City Business License, if required by the Cupertino Municipal Code. 5.4 Subcontractors. Only Contractor’s employees are authorized to work under this Agreement. Prior written approval from City is required for any subcontractor, and the terms and conditions of this Agreement will apply to any approved subcontractor. 5.5 Tools, Materials, and Equipment. Contractor will supply all tools, materials and equipment required to perform the Services under this Agreement. 5.6 Payment of Benefits and Taxes. Contractor is solely responsible for the payment of employment taxes incurred under this Agreement and any similar federal or state taxes. Contractor and any of its employees, agents, and subcontractors shall not have any claim under this Agreement or otherwise against City for seniority, vacation time, vacation pay, sick leave, personal time off, overtime, health insurance, medical care, hospital care, insurance benefits, social security, disability, unemployment, workers compensation or employee benefits of any kind. Contractor shall be solely liable for and obligated to pay directly all applicable taxes, fees, contributions, or charges applicable to Contractor’s business including, but not limited to, federal and state income taxes. City shall have no obligation whatsoever to pay or withhold any taxes or benefits on behalf of Contractor. Should any court, arbitrator, or administrative authority, including but not limited to the California Public Employees Retirement System (PERS), the Internal Revenue Service or the State Employment Development Division, determine that Contractor, or any of its employees, agents, or subcontractors, is an employee for any purpose, then Contractor agrees to a reduction in amounts payable under this Agreement, or to promptly remit to City any payments due by the City as a result of such determination, so that the City’s total expenses under this Agreement are not greater than they would have been had the determination not been made. 6. PROPRIETARY/CONFIDENTIAL INFORMATION In performing this Agreement, Contractor may have access to private or confidential information owned or controlled by the City, which may contain proprietary or confidential details the disclosure of which to third parties may be damaging to City. Contractor shall hold in confidence all City information provided by City to Contractor and use it only to perform this Agreement. Risk Assessment/Internal Pen Testing Page 3 of 9 Professional/Consulting Contracts /Version: October 2021 Contractor shall exercise the same standard of care to protect City information as a reasonably prudent contractor would use to protect its own proprietary data. 7. OWNERSHIP OF MATERIALS 7.1 Property Rights. Any interest (including copyright interests) of Contractor in any product, memoranda, study, report, map, plan, drawing, specification, data, record, document, or other information or work, in any medium (collectively, “Work Product”), prepared by Contractor in connection with this Agreement will be the exclusive property of the City upon completion of the work to be performed hereunder or upon termination of this Agreement, to the extent requested by City. In any case, no Work Product shall be shown to any third-party without prior written approval of City. 7.2 Copyright. To the extent permitted by Title 17 of the U.S. Code, all Work Product arising out of this Agreement is considered “works for hire” and all copyrights to the Work Product will be the property of City. Alternatively, Contractor assigns to City all Work Product copyrights. Contractor may use copies of the Work Product for promotion only with City’s written approval. 7.3 Patents and Licenses. Contractor must pay royalties or license fees required for authorized use of any third party intellectual property, including but not limited to patented, trademarked, or copyrighted intellectual property if incorporated into the Services or Work Product of this Agreement. 7.4 Re-Use of Work Product. Unless prohibited by law and without waiving any rights, City may use or modify the Work Product of Contractor or its sub-contractors prepared or created under this Agreement, to execute or implement any of the following: (a) The original Services for which Contractor was hired; (b) Completion of the original Services by others; (c) Subsequent additions to the original Services; and/or (d) Other City projects. 7.5 Deliverables and Format. Contractor must provide electronic and hard copies of the Work Product, on recycled paper and copied on both sides, except for one single-sided original. 8. RECORDS Contractor must maintain complete and accurate accounting records relating to its performance in accordance with generally accepted accounting principles. The records must include detailed information of Contractor’s performance, benchmarks and deliverables, which must be available to City for review and audit. The records and supporting documents must be kept s eparate from other records and must be maintained for four (4) years from the date of City’s final payment. Contractor acknowledges that certain documents generated or received by Contractor in connection with the performance of this Agreement, including but not limited to correspondence between Contractor and any third party, are public records under the California Public Records Risk Assessment/Internal Pen Testing Page 4 of 9 Professional/Consulting Contracts /Version: October 2021 Act, California Government Code section 6250 et seq. Contractor shall comply with all laws regarding the retention of public records and shall make such records available to the City upon request by the City, or in such manner as the City reasonably directs that such records be provided. 9. ASSIGNMENT Contractor shall not assign, sublease, hypothecate, or transfer this Agreement, or any interest therein, directly or indirectly, by operation of law or otherwise, without prior written consent of City. Any attempt to do so will be null and void. Any changes related to the financial control or business nature of Contractor as a legal entity is considered an assignment of the Agreement and subject to City approval, which shall not be unreasonably withheld. Control means fifty percent (50%) or more of the voting power of the business entity. 10. PUBLICITY / SIGNS Any publicity generated by Contractor for the project under this Agreement, during the term of this Agreement and for one year thereafter, will reference the City’s contributions in making the project possible. The words “City of Cupertino” will be displayed in all pieces of public ity, including flyers, press releases, posters, brochures, public service announcements, interviews and newspaper articles. No signs may be posted, exhibited or displayed on or about City property, except signage required by law or this Contract, without prior written approval from the City. 11. INDEMNIFICATION 11.1 To the fullest extent allowed by law, and except for losses caused by the sole and active negligence or willful misconduct of City personnel, Contractor shall indemnify, defend and hold harmless City, its City Council, boards and commissions, officers, officials, employees, agents, servants, volunteers, and consultants (“Indemnitees”), through legal counsel acceptable to City, from and against any and all liability, damages, claims, actions, causes of action, demands, charges, losses, costs, and expenses (including attorney fees, legal costs, and expenses related to litigation and dispute resolution proceedings) of every nature, arising directly or indirectly from this Agreement or in any manner relating to any of the following: (a) Breach of contract, obligations, representations, or warranties; (b) Negligent or willful acts or omissions committed during performance of the Services; (c) Personal injury, property damage, or economic loss resulting from the work or performance of Contractor or its subcontractors or sub-subcontractors; (d) Unauthorized use or disclosure of City’s confidential and proprietary Information; (e) Claim of infringement or violation of a U.S. patent or copyright, trade secret, trademark, or service mark or other proprietary or intellectual property rights of any third party. 11.2 Contractor must pay the costs City incurs in enforcing this provision. Contractor must accept a tender of defense upon receiving notice from City of a third-party claim. At City’s request, Contractor will assist City in the defense of a claim, dispute, or lawsuit arising out of this Agreement. 11.3 Contractor’s duties under this section are not limited to the Contract Price, workers’ compensation payments, or the insurance or bond amounts required in the Agreement. Nothing in Risk Assessment/Internal Pen Testing Page 5 of 9 Professional/Consulting Contracts /Version: October 2021 the Agreement shall be construed to give rise to an implied right of indemnity in favor of Contractor against City or any Indemnitee. 11.4. Contractor’s payments may be deducted or offset to cover any money the City lost due to a claim or counterclaim arising out of this Agreement, a purchase order, or other transaction. 11.5. Contractor agrees to obtain executed indemnity agreements with provisions identical to those set forth here in this Section 11 from each and every subcontractor, or any other person or entity involved by, for, with, or on behalf of Contractor in the performance of this Agreement. Failure of City to monitor compliance with these requirements imposes no additional obligations on City and will in no way act as a waiver of any rights hereunder. 11.6. This Section 11 shall survive termination of the Agreement. 12. INSURANCE Contractor shall comply with the Insurance Requirements, attached and incorporated here as Exhibit D, and must maintain the insurance for the duration of the Agreement, or longer as required by City. City will not execute the Agreement until City approves receipt of satisfactory certificates of insurance and endorsements evidencing the type, amount, class of operations covered, and the effective and expiration dates of coverage. Failure to comply with this provision may result in City, at its sole discretion and without notice, purchasing insurance for Contractor and deducting the costs from Contractor’s compensation or terminating the Agreement. 13. COMPLIANCE WITH LAWS 13.1 General Laws. Contractor shall comply with all local, state, and federal laws and regulations applicable to this Agreement. Contractor will promptly notify City of changes in the law or other conditions that may affect the Project or Contractor’s ability to perform. Contractor is responsible for verifying the employment authorization of employees performing the Services, as required by the Immigration Reform and Control Act. 13.2 Labor Laws. Contractor shall comply with all labor laws applicable to this Agreement. If the Scope of Services includes a “public works” component, Contractor is required to comply with prevailing wage laws under Labor Code Section 1720 and other labor laws. 13.3 Discrimination Laws. Contractor shall not discriminate on the basis of race, religious creed, color, ancestry, national origin, ethnicity, handicap, disability, marital status, pregnancy, age, sex, gender, sexual orientation, gender identity, Acquired-Immune Deficiency Syndrome (AIDS), or any other protected classification. Contractor shall comply with all anti-discrimination laws, including Government Code Sections 12900 and 11135, and Labor Code Sections 1735, 1777, and 3077.5. Consistent with City policy prohibiting harassment and discrimination, Contractor understands that harassment and discrimination directed toward a job applicant, an employee, a City employee, or any other person, by Contractor or its employees or sub-contractors will not be tolerated. Contractor agrees to provide records and documentation to the City on request necessary to monitor compliance with this provision. Risk Assessment/Internal Pen Testing Page 6 of 9 Professional/Consulting Contracts /Version: October 2021 13.4 Conflicts of Interest. Contractor shall comply with all conflict of interest laws applicable to this Agreement and must avoid any conflict of interest. Contractor warrants that no public official, employee, or member of a City board or commission who might have been involved in the making of this Agreement, has or will receive a direct or indirect financial interest in this Agreement, in violation of California Government Code Section 1090 et seq. Contractor may be required to file a conflict of interest form if Contractor makes certain governmental decisions or serves in a staff capacity, as defined in Section 18700 of Title 2 of the California Code of Regulations. Contractor agrees to abide by the City’s rules governing gifts to public officials and employees. 13.5 Remedies. Any violation of Section 13 constitutes a material breach and may result in City suspending payments, requiring reimbursements or terminating this Agreement. City reserves all other rights and remedies available under the law and this Agreement, including the right to seek indemnification under Section 11 of this Agreement. 14. PROJECT COORDINATION City Project Manager. The City assigns Tommy Yu as the City’s representative for all purposes under this Agreement, with authority to oversee the progress and performance of the Scope of Services. City reserves the right to substitute another Project manager at any time, and without prior notice to Contractor. Contractor Project Manager. Subject to City approval, Contractor assigns Tanner Tuma as its single Representative for all purposes under this Agreement, with authority to oversee the progress and performance of the Scope of Services. Contractor’s Project manager is responsible for coordinating and scheduling the Services in accordance with the Scope of Services and the Schedule of Performance. Contractor must regularly update the City’s Project Manager about the progress with the work or any delays, as required under the Scope of Services. City written approval is required prior to substituting a new Representative. 15. ABANDONMENT OF PROJECT City may abandon or postpone the Project or parts therefor at any time. Contractor will be compensated for satisfactory Services performed through the date of abandonment, and will be given reasonable time to assemble the work and close out the Services. With City’s pre-approval in writing, the time spent in closing out the Services will be compensated up to a maximum of ten percent (10%) of the total time expended to date in the performance of the Services. 16. TERMINATION City may terminate this Agreement for cause or without cause at any time. Contractor will be paid for satisfactory Services rendered through the date of termination, but final payment will not be made until Contractor closes out the Services and delivers the Work Product. 17. GOVERNING LAW, VENUE, AND DISPUTE RESOLUTION This Agreement is governed by the laws of the State of California. Any lawsuits filed related to this Agreement must be filed with the Superior Court for the County of Santa Clara, State of Risk Assessment/Internal Pen Testing Page 7 of 9 Professional/Consulting Contracts /Version: October 2021 California. Contractor must comply with the claims filing requirements under the Government Code prior to filing a civil action in court. If a dispute arises, Contractor must continue to provide the Services pending resolution of the dispute. If the Parties elect arbitration, the arbitrator’s award must be supported by law and substantial evidence and include detailed written findings of law and fact. 18. ATTORNEY FEES If City initiates legal action, files a complaint or cross-complaint, or pursues arbitration, appeal, or other proceedings to enforce its rights or a judgment in connection with this Agreement, the prevailing party will be entitled to reasonable attorney fees and costs. 19. THIRD PARTY BENEFICIARIES There are no intended third party beneficiaries of this Agreement. 20. WAIVER Neither acceptance of the Services nor payment thereof shall constitute a waiver of any contract provision. City’s waiver of a breach shall not constitute waiver of another provision or breach. 21. ENTIRE AGREEMENT This Agreement represents the full and complete understanding of ever y kind or nature between the Parties, and supersedes any other agreement(s) and understanding(s), either oral or written, between the Parties. Any modification of this Agreement will be effective only if in writing and signed by each Party’s authorized representative. No verbal agreement or implied covenant will be valid to amend or abridge this Agreement. If there is any inconsistency between any term, clause, or provision of the main Agreement and any term, clause, or provision of the attachments or exhibits thereto, the terms of the main Agreement shall prevail and be controlling. 22. INSERTED PROVISIONS Each provision and clause required by law for this Agreement is deemed to be included and will be inferred herein. Either party may request an amendment to cure mistaken insertions or omissions of required provisions. The Parties will collaborate to implement this Section, as appropriate. 23. HEADINGS The headings in this Agreement are for convenience only, are not a part of the Agreement and in no way affect, limit, or amplify the terms or provisions of this Agreement. 24. SEVERABILITY/PARTIAL INVALIDITY If any term or provision of this Agreement, or their application to a particular situation, is found by the court to be void, invalid, illegal, or unenforceable, such term or provision shall remain in force and effect to the extent allowed by such ruling. All other terms and provisions of this Risk Assessment/Internal Pen Testing Page 8 of 9 Professional/Consulting Contracts /Version: October 2021 Agreement or their application to specific situations shall remain in full force and effect. The Parties agree to work in good faith to amend this Agreement to carry out its intent. 25. SURVIVAL All provisions which by their nature must continue after the Agreement expires or is terminated, including the Indemnification, Ownership of Materials/Work Product, Records, Governing Law, and Attorney Fees, shall survive the Agreement and remain in full force and effect. 26. NOTICES All notices, requests and approvals must be sent in writing to the persons below, which will be considered effective on the date of personal delivery or the date confirmed by a reputable overnight delivery service, on the fifth calendar day after deposit in the United States Mail, postage prepaid, registered or certified, or the next business day following electronic submission: To City of Cupertino Office of the City Manager 10300 Torre Ave. Cupertino, CA 95014 Attention: Tommy Yu Email: TommyY@cupertino.gov To Contractor: FR Secure, LLC. 6550 York Ave S, Suite 500 Edina, MN 55435 Attention: Tanner Tuma Email: ttuma@frsecure.com 27. EXECUTION The person executing this Agreement on behalf of Contractor represents and warrants that Contractor has full right, power, and authority to enter into and carry out all actions contemplated by this Agreement and that he or she is authorized to execute this Agreement, which constitutes a legally binding obligation of Contractor. This Agreement may be executed in counterparts, each one of which is deemed an original and all of which, taken together, constitute a single binding instrument. IN WITNESS WHEREOF, the parties have caused the Agreement to be executed. CITY OF CUPERTINO CONTRACTOR A Municipal Corporation By By Name Name Title Title Date Date Vanae Pearson Vanae Pearson CFO Jul 6, 2023 Tommy Yu IT Infrastructure Manager Jul 6, 2023 Risk Assessment/Internal Pen Testing Page 9 of 9 Professional/Consulting Contracts /Version: October 2021 APPROVED AS TO FORM: CHRISTOPHER D. JENSEN Cupertino City Attorney ATTEST: KIRSTEN SQUARCIA City Clerk Date Christopher D. Jensen Jul 6, 2023 A Proposal For Risk Assessment, External Pen Test Prepared For City of Cupertino Prepared By: Tanner Tuma ttuma@frsecure.com Date: 05 / 30 / 2023 Prepared for: Bill Mitchell CTO City of Cupertino City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 05 / 30 / 2023 Bill Mitchell, CTO City of Cupertino 10800 Torre Ave Cupertino CA 95014 Thank you for your time and consideration of this proposal. At FRSecure, we are called to a mission of fixing the broken security industry. Our focus resides in helping our peers and clients master the fundamentals of information security through establishing a common language, providing low or no cost training and resources and by building the very best security professionals in the industry. Our objectivity in guiding you rests in our product agnostic stance and the core values shared by each and every member of our team. Whether or not we formally engage, please count on us to be a resource and help us keep you informed as we make our training and expertise available to the community. Our passion for information security as our sole focus is the driving force to our current and future success. We hope our proposal today adds to our already positive relationship, where our mission is put to work meeting your information security objectives. Respectfully yours, Evan Francen FRSecure Founder & CEO Page 2 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 The information security industry is broken. We are on a mission to fix it. By staying true to our mission, our commitment to product agnostic services and living our core values, we've developed a community of like-minded individuals, clients and partners. All we do is information security. Additional Information Available On FRSecure.Com • Team Certifications • Team Profiles • Industry Expertise • Free Tools • Blogs & Security Advice • CISSP Mentor Program Details Page 3 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Statement Of Work The information contained within this document is a proposal and formal statement of work, if accepted by City of Cupertino by execution of this document. Engagement Overview Purpose and Objective Proposed Solution Timing A comprehensive assessment of the organization's information security posture Information Security Risk Assessment • Administrative Controls • Physical Controls • Technical Controls • Internal and External Vulnerability Scan • S2Score & Reporting 6-8 weeks Determine the Who, What and When for addressing identified risks. Roadmap 1-2 weeks To evaluate the security of the controls protecting the external network External Penetration Test 4-6 weeks To evaluate controls in place and test staff's ability to spot and resist human behavior modification techniques. Social Engineering - Physical Penetration test 2-4 weeks Page 4 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Information Security Risk Assessment FRSecure's information security risk assessment is meant to find the measurable baseline for your security posture and prioritize remediation efforts for the most impactful items. A security assessment is always the first step to building a functioning, measurable security strategy. Detailed information available in the Approach and Process section at the end of the proposal. Please note that the S2Org Update may not satisfy the requirements for an annual risk assessment as it is a targeted update and not a full assessment. * Updates must be performed within 12 months upon receipt of deliverables from the previous S2Org * Report corrections must be requested within 3 months of receipt of deliverables * Major infrastructure changes, mergers/acquisitions or other fundamental changes to the environment will require a re-scoping of the project. Page 5 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Security Program Roadmap Building a functioning, successful security strategy lies in planning and preparation. Once risk is measured and recommendations are identified, the next step is to determine how to address the identified risks, determine who will own the execution of those decisions and when to act. The security program roadmap is designed to facilitate and document each step. Page 6 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 External Network Penetration Testing FRSecure's penetration testing team is on the cutting edge of the industry. Their creative, experienced approach to test your internet-facing security presence will result in substantive recommendations to better your defenses. Deliverables • Executive Summary • Reconnaissance • Enumeration • Exploitation • Recommendations Page 7 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Social Engineering Scope Social engineering exercises are developed with specific goals and objectives in mind, i.e. obtain credentials, gather sensitive information, or others. FRSecure will work with City of Cupertino to further refine the objectives and select or design a Social Engineering Exercise. For this engagement, it is assumed that the social engineering exercise may attempt to obtain login credentials and/or user or customer information. Final determination will be made during the kickoff with the security analyst. Social Engineering Overview The primary objective of the Social Engineering Exercise is to measure the effectiveness of the security training and awareness program by attempting to influence human behavior that achieves the attacker's objective. It is the easiest method to compromise an organization because it has the highest likelihood for success. FRSecure provides the following Social Engineering services: Physical: Physical Penetration Testing • The primary objective of physical penetration testing is to measure the effectiveness of the security training and awareness program, internal procedures, and technical controls by attempting to influence human behavior to achieve the attacker's objective. At a high level, a physical penetration test will: • Create a pretext, such as impersonation, where FRSecure staff will pose as a legitimate person or company to gain physical access, i.e. fire inspector, exterminator, power company technician. • Attempt to exploit human vulnerabilities • Accomplish objectives, which could include: • gaining access to restricted area • attaining local connection with network port with unauthorized device IMPORTANT: Before you begin phishing and training your users, you must Whitelist! It is extremely important that you whitelist our IP addresses in order to prevent our Spear Phishing emails from being blocked or filtered into your spam folder, or being "read" by spam filters. If the whitelist is not properly configured it may cause invalid results. There will be additional costs associated with any additional attempts requested by City of Cupertino if whitelists are not properly configured at the time of the initial attempt. Deliverables Social Engineering Exercise Report and Recommendations A report that details the work completed by FRSecure; including test results, recommendations, and FRSecure’s qualified opinion. Page 8 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Engagement Scope Details Engagement Scope Security Risk Assessment and Roadmap - L2 - Number of users - Number of physical locations - Number of internal IP addresses Laptops/Workstations/Servers/Network Devices - Number of active external IP addresses - Approximately 200 -Cupertino, CA Remote - Approximately 842 No Agent Scanning -14 External Penetration Test 14 Active External IP Addresses No Web Applications Some activity will be conducted during business hours Social Engineering - Physical Penetration test 4 sites in Cupertino CA Engagement Planning Engagement Kickoff Date Security Risk Assessment and Roadmap - L2 1-2 months from SOW signature Penetration Testing 1-2 months from SOW signature Social Engineering - Physical Penetration test 3-4 months from SOW signature The success of this engagement will be assured by your Key Account Manager in partnership with our Information Security Experts and Project Management Team. We encourage you to include the entire team in relevant communications, but please consider your Key Account Manager as your go-to for anything you need. Every engagement begins with formal initiation procedures. 1.Introductions to respective teams and their roles in the engagement 2.Establishment of communication preferences 3.Confirmation of scope and service levels expectation 4.Confirmation of timing and constraints 5.Engagement completion expectations and due date for deliverables Support Team Name Title Contact Tanner Tuma Account Executive ttuma@frsecure.com Darin Meyer Manager of Client Success dmeyer@frsecure.com Chad Spoden Sr. Security Consultant & Solution Architect cspoden@frsecure.com Executive Leadership Team John Harmon President jharmon@frsecure.com Vanae Pearson Chief Financial Officer vpearson@frsecure.com Page 9 of 26 EXHIBIT A & B City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Name Title Contact Oscar Minks Chief Technology Officer ominks@frsecure.com Page 10 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Engagement Investment Mulit-Year Risk Assessment Year 1 Year 2 Year 3 Year 4 Year 5 Risk Assessment - L2 ✔✔✔ Update Risk Assessment ✔✔ Roadmap ✔✔✔✔✔ Name Price QTY Terms Subtotal Risk Assessment and Roadmap - L2 $20,875.00 1 $20,875.00 External Penetration Test $8,500.00 1 $8,500.00 Social Engineering - Physical Penetration test $16,875.00 1 $16,875.00 Multi-Year Risk Assessment and Roadmap - L2 - 3 Year $16,700.00 3 Invoiced Annually $50,100.00 Risk Assessment and Roadmap - L2 - 5 Year $13,360.00 5 Invoiced Annually $66,800.00 External Penetration Test - 3 Year $6,800.00 3 Invoiced Annually $20,400.00 External Penetration Test - 5 Year $5,440.00 5 Invoiced Annually $27,200.00 Total (USD)$29,375.00 This Proposal Expires In 60 Days Customer Acceptance Contact Information City of Cupertino _______________________________ ____________________ Signature of Authorized Agent Date _______________________________ Billing Email Address FRSecure LLC Attn: Vanae Pearson 6550 York Ave S #500 Edina, MN 55435 Phone 612-230-0427 Email: vpearson@frsecure.com Page 11 of 26 EXHIBIT C Jul 6, 2023 itbillling@cupertino.org City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Assumptions FRSecure will provide all of the materials required for the completion of this engagement. FRSecure will rely upon experience, testing, observation, and interviews with City of Cupertino employees to assess the completeness and effectiveness of City of Cupertino’s information security program. FRSecure will follow all guidance provided by the previously referenced standards for the completion of the work. The FRSecure information security analyst will review a variety of information including, but not necessarily limited to prior working papers, reviews and current City of Cupertino diagrams, policies, processes, and procedures. Assessments that have been conducted follow the standards as noted in the National Institute of Standards in Technology Cybersecurity Framework (NIST CSF), ISO/IEC 27002:2013 international standard, Center for Internet Security (CIS) Controls, & NIST Special Publication 800-53 (NIST SP 800-53). Change Management Process Changes can be made to the scope of this engagement and Statement of Work. Any changes requested by either party must be in writing and signed by both parties indicating acceptance. Engagement Related Expenses All engagement related expenses will be billed to the client following FRSecure Client Project Travel And Expense Policy. Invoicing Details Invoicing will fall under one of the following three terms. 1.For one-time project agreements (i.e. assessments), a down payment invoice of 50% will be sent upon acceptance of this proposal and statement of work. The balance is due upon engagement completion of all deliverables to City of Cupertino. 2.For multi-year or multi-project agreements, a down payment invoice of 50% will be sent at the beginning of the year in each year or term in which the project is performed. The balance is due upon engagement completion of all deliverables to City of Cupertino. 3.Monthly or quarterly recurring consulting agreements, or projects with an amortized payment schedule, will be invoiced quarterly starting on the 1st day of the first month services begin. •City of Cupertino may cancel this engagement at any time pursuant to Section 2.E of the Master Services Agreement between City of Cupertino and FRSecure. Cancellation or rescheduling of an engagement by City of Cupertino may result in additional fees. •Meetings cancelled by City of Cupertino less than 5 business days prior to a FRSecure resource commitment of four or more hours, will result in a reschedule fee for time and expenses lost. Note: Prices shown do not include sales tax, if applicable. Please note, failure by City of Cupertino to respond to repeated attempts at communications by FRSecure within 90 days of initial communication of project initiation will result in project engagement closeout and City of Cupertino will be invoiced for full remaining balance due as described in this statement of work. Page 12 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Practice Lead Senior Consultant BRAD NIGH 6550 York Ave S #500, Edina, MN 55435 linkedin.com/in/bradnigh bnigh@frsecure.com (952) 467-8849 PROFILE Brad is a passionate information security expert with 20+ years of overall IT experience, including 10+ years of IT management and leadership experience working in 24/7 environments that required top tier technical skills, and efficient project management. In addition, Brad has several years of experience working in highly regulated industries that are required to comply with PCI-DSS, HIPAA, HITECH, Sarbanes-Oxley, OCC, and various state regulatory requirements. At FRSecure Brad leads the Professional Services practice, serving businesses of all sizes and in all industries by cooperatively solving the complex issues surrounding information security. Brad's goals are ensuring consistent methodology, improving our existing programs, and innovating and continual development of new offerings. EDUCATIONAL & COMMUNITY SERVICE ENGAGEMENTS •CISSP Mentorship Program •FRSecure Workshop Series •ISC2 Safe & Secure Online Volunteer •Wayzata Public Schools COMPASS Mentor (Cybersecurity) CERTIFICATIONS •Certified Information Security Manager (CISM) •Certified Information Systems Security Professional (CISSP) •Certified Security Studio Analyst (CSSA) •MCSA: Windows Server 2012 •ITIL v.3 Foundations •Certified Incident Handler (ECIHv2) •CMMC Certified Registered Practioner (CMMC-RP) Page 13 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Value Proposition Based on the conversations between FRSecure and City of Cupertino to date, we believe we are an excellent fit for your engagement. Here are some additional reasons we believe you should select FRSecure: •FRSecure’s Methodology – FRSecure has developed a proprietary approach to assessing information security risks. It’s more than a checklist of questions and recorded answers. Our approach gives you a full picture of your risks - prioritized and rated - with recommended solutions, so you know which security investments will have the greatest impact. •FRSecure’s Project Leader – All of our project leaders have more than 15 years of information security experience as a leader in, and consultant for hundreds of companies ranging from the Fortune 100 to SMBs. BIO’s for our project leaders are available upon request. •Full Transparency – FRSecure strongly believes in empowering our customers. The more knowledge transfer that occurs during our engagement, the more value our customers recognize. FRSecure fully discloses the methods, tools, and configurations used to perform analysis work for our customers in the hope that they can easily adopt our processes for their future benefit. •Product Agnostic – FRSecure does not represent any third-party products or services; on purpose. Our projects and recommendations stand on their own, with no ulterior motive to sell you things you don’t really need. FRSecure Information Security Principles Our Information Security Principles are fundamental to our everyday work and help us to stay focused on our mission to “Fix the Broken Industry”. All our Principles are able to stand by themselves, but they are also solidly interrelated. 1.A business is in business to make money Information security must align with business objectives. 2.Information Security is a business issue Information security is NOT an IT issue. 3.Information Security is fun That’s right, we said “FUN”! 4.People are the biggest risk Not technology. 5.“Compliant” and “secure” are different We shouldn’t confuse the two. 6.There is no common sense in Information Security If there were, we would have better information security. 7.“Secure” is relative One of many reasons for ongoing measurements and comparisons. 8.Information Security should drive business Identify and focus on information security benefits. Information security shouldn’t just be a cost-center. 9.Information Security is not one size fits all No two businesses are exactly alike. 10.There is no “easy button” So stop looking for one. Client references available upon request Page 14 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Information Security Risk Assessment With S2Org® And S2Score® The S2Score®, available through the SecurityStudio® software platform is the most objective and comprehensive measurement of information security risk available in the market. It was designed by engineers at FRSecure, who average more than 15 years of information security experience, with these specific objectives in mind: •Serve as the foundational risk score and measurement. •Based on risk. The most effective way to manage information security is based on risk, not on specific controls that may or may not fit for your organization. •Easy to understand. Easy to understand and effective are not mutually exclusive. In fact, they usually go hand in hand. The most effective information security programs are typically simple and effective. Complexity is often the enemy to good security. •Comprehensive. Information security is not an IT issue; it is a business issue. •Objective. Scoring is as objective as is possible given what we know about threats, vulnerabilities, exploits and risk in general. Each assessed control is given a risk metric based on professional opinions, best practices, and real-life data. •Clear and free from technical jargon. Terms like “NextGen”, “Internet of Things” (IoT), “Advanced Persistent Threats” (APT), etc. are all avoided as much as possible. •Industry accepted and credible. The assessment leverages and references current security frameworks and standards such as ISO/IEC 27001:2013 and the NIST Cybersecurity Framework (CSF). This is very good news for organizations that have built their information security programs per one or more of these frameworks and helps to lend to the credibility of the assessment. •One-stop. The type of assessment that can be used to measure the effectiveness of the security program, provide high-quality next steps (or recommendations), demonstrate regulatory compliance (HIPAA, GLBA, and others), and allow for effective cyber insurance underwriting* *NOTE: The S2Score® is approved for cyber insurance underwriting submission through Node International and Lloyd’s of London. Please note that the S2Org Update may not satisfy the requirements for an annual risk assessment as it is a targeted update and not a full assessment. * Updates must be performed within 12 months upon receipt of deliverables from the previous S2Org * Major infrastructure changes, mergers/acquisitions or other fundamental changes to the environment will require a re-scoping of the project. The S2Org® Assessment is built to be the definitive and best information security risk assessment methodology available with reporting designed to be easy to manage and actionable. Each phase, control category, control subcategory, and the overall S2Org® assessment is calculated based upon 1.The size of the organization 2.The industry in which the organization operates 3.Historical threat and incident data obtained from a variety of source. Scope The intended scope for the S2Org® is the entire organization. Information security is a very broad topic so to ensure a comprehensive assessment, that is still easy to understand, the S2Org® assessment is segmented into four (4) phases. Page 15 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 The four phases of a S2Org® assessment are: •Phase 1: Administrative Controls – The “people” part of security, including risk management, security governance, policies, standards, training and employee awareness. •Phase 2: Physical Controls – Physical controls are an essential and often overlooked part of your security strategy. How much does your anti-virus protection mean to you if someone steals your server? •Phase 3: Technical Controls (Internal) – We affectionately call this “the gooey center”. Most organizations do a pretty good job at securing the technical perimeter (firewalls, intrusion detection, etc.), but sometime neglect the controls that are essential for an effective defense-in-depth strategy. •Phase 4: Technical Controls (External) – This category covers how effective your organization is at securing the perimeter of your network. The S2Org™ process and simple and efficient. We understand that our clients have other work to do, so the process needs to be focused and time- sensitive. Each phase of the S2Org® assessment is slightly different in the manner that information is gathered and assessed. Phase 1 – Administrative Security Controls Assessment Administrative Controls form the framework for managing an effective security program and they are sometimes referred to as the “human” part of information security. Administrative Controls inform people on how organizational leadership expects day-to-day operations to be conducted and they provide guidance on what actions or activities workforce members are expected to perform. Common Administrative Controls include policies, awareness training, guidelines, standards, and procedures. Administrative Controls are derived from the NIST Cybersecurity Framework (CSF), ISO/IEC 27001:2013, NIST SP 800-53, and the CIS Critical Security Controls for reference, comparison, gap analysis, and risk rating. Where there are applicable gaps, the following metrics are applied using the S2Org® proprietary algorithm: •Information Security Maturity (“ISM”) - a measure of control quality and maturity, •Likelihood of an adverse event or realized threat, and the potential Impact suffered by the organization; resulting in a Risk Rating. Page 16 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Phase 1 – Administrative Security Controls is further segmented into the following 10 control categories which contain a total of 45 subcategories: The Administrative Controls are assessed through: 1.Documentation review 2.Interviews with the FRSecure Analyst 3.Observations made by the FRSecure Analyst Page 17 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Phase 2 – Physical Security Controls Assessment Physical Controls are the security controls that can often be touched and provide physical security to protect your information assets. Common physical controls include doors, locks, camera surveillance, and alarm systems. Phase 2 of the S2Org® assessment is a review of these, and other, physical security controls and associated risks. Focus for the Phase 2 of the assessment will be on where critical information resources are physically located. Phase 2 takes the following into consideration to generate a definitive risk score: The Physical Controls are assessed through: 1. Documentation review 2. Interviews with the FRSecure Analyst 3. Observations made by the FRSecure Analyst Page 18 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Phase 3 – Internal Technical Controls Assessment Internal Technical Controls are the controls that are technical in nature and used within your organization's technical domain (inside the gateways or firewalls). Internal technical controls include things such as firewalls, intrusion prevention systems, anti-virus software, and mobile device management (MDM). Phase 3 reviews these controls using a combination of interviews with staff and use of tools to perform: • Vulnerability scanning on the internal network(s), • Tests for password policies, system permissions, required auditing and system settings that are common in all networks. • Tests for user auditing settings, such as their password complexity and logging access failures and logons that are common in all networks. • Tests against known good configurations Phase 3 of the S2Org® assessment consists of the following control sections: FRSecure discloses the tools, methods, and configurations employed during testing to enable your personnel to conduct future testing on a regular basis. The Internal Technical Controls are assessed through: 1. Documentation review 2. Interviews with the FRSecure Analyst 3. Observations made by the FRSecure Analyst 4. Tools run by FRSecure or your personnel Page 19 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Phase 4 – External Technical Controls Assessment External technical controls are technical in nature and are used to protect outside access to your organization's technical domain (outside the gateways or firewalls). External technical controls consist of search engine indexes, social media, DNS, port scanning, and vulnerability scanning. The primary objective of the External Technical Controls Assessment and testing exercise is to identify significant vulnerabilities that pose a risk of unauthorized information disclosure, alteration, and/or destruction through publicly accessible* information resources. *Publicly accessible is defined as those resources which are purposefully or accidentally made available through the Internet. Phase 4 of the S2Org® assessment consists of the following control sections: The External Technical Controls are assessed through: 1. Documentation review 2. Interviews with the FRSecure Analyst 3. Tool and manual testing conducted by the FRSecure Analyst Page 20 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 Assessment Deliverables City of Cupertino will be provided with the following deliverables as part of this engagement: S2Score® One of the most important end results from the S2Org® assessment engagement is your S2Score®. You will be provided with your overall S2Score® as well as a S2Score® for each Phase, control category, and individual control sub-category. This is important for your organization as you identify your most significant risks and prioritize remediation. The S2Score® can be used to communicate your “risk score” to interested parties and is a definitive risk calculation. The S2Score® is represented on a scale of 300 – 850. • 300 – 500 is generally considered to be “Very Poor” • 501 – 599 is generally considered to be “Poor” • 600 – 659 is generally considered to be “Fair” • 660 – 779 is generally considered to be “Good” • A score equal to or higher than 780 is generally considered to be “Excellent” Most organizations should be striving to attain and maintain a score of 660 or higher. Page 21 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 S2Org® Executive Summary Report The S2Org® Executive Summary report is written in plain English with comparisons to other organizations; with a similar profile. It provides the necessary information to quickly understand where your organization’s information security program excels and where it is deficient. The snapshot views allow solid decision-making now (tactically) and into the future (strategically). Page 22 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 S2Org® Information Security Assessment Full Report The S2Org® Full Report is written with information security professionals in mind. All the details involved with what was assessed, how it was assessed (including tools and logic), findings, and recommendations are provided. The S2Org® Full Report is also supported with numerous other documents, technical testing results, and raw data. All supporting information is referenced and provided. How to Use This Report There are four primary purposes for this report: 1. To understand how mature your organization's information security program is. 2. To understand where your organization's information security risks are. 3. To build a plan of action on how you should address your most significant unacceptable risks. 4. To demonstrate compliance with industry regulations (HIPAA, GLBA, and others) and customers/business partner requirements In order to gain the most benefit from the contents of this report, it is recommended that you read the report in its entirety and develop a plan of action. Information security is a lifecycle discipline that requires a long-term commitment. In order to get the most benefit from this report, create an action plan for your organization. Page 23 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 S2Org® Roadmap The primary purpose of the Security Program Roadmap is to empower you to be able to choose which tasks you want to take on and which tasks you want to assign to external resources, and provide a strategic Roadmap for completion of all tasks. All actions are measurable and easily communicated. Improvement comes through putting the recommendations from the assessment into practice by: 1. Making risk-based decisions about what to do with each recommendation. 2. Assigning responsibility for actions that must be taken. 3. Determining the priority for such actions and assigning deadlines/timelines. Activities for the Roadmap are driven from the S2Org® assessment. The FRSecure Analyst creates the initial roadmap (or plan) for your information security program over the next 12, 24, and 36 months The Security Program Roadmap tackles the planning of “what”, “who”, and “when” for information security improvement: • What are we going to do with each of the findings and recommendations from the S2Org®? There are four viable options for decision- making: • Accept – the risk “as-is” and take no corrective actions but continue to monitor the risk • Mitigate – the risk and do what the recommendation says (or similar) • Transfer – the risk and/or defer it for insurance (or similar) • Avoid – the risk and stop doing the actions that led to the risk in the first place • Who is going to do the actions and carry out the decisions that were made? Decisions such as “Mitigate” and “Avoid” made in the previous step will require somebody to do something. Some of the tasks and/or projects can be done internally with your own resources and some of the tasks and/or projects will require outside assistance. Those tasks and/or projects that require outside assistance can be assigned to the vCISO (Step 4) and some of the tasks and/or projects can be assigned to another party. • When will the actions need to be taken to achieve your goals? It’s best to assign the tasks and/or projects to a timeline based on quarters to accommodate day-to-day operational challenges along the way. The information from S2Org® and the Roadmap can be easily communicated to stakeholders (Board of Directors, executive management, examiners/regulators, customers, etc.) includes: • What our current S2Score® is. • What our S2Score® goal is. • What tasks and/or projects are necessary to meet objectives. Page 24 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 External Network Penetration Testing FRSecure’s penetration testing methodology is based on the Penetration Testing Execution Standard (PTES). PTES is currently the most widely accepted standard for penetration testing, and is based on the practical knowledge and experience of the security industry’s leading experts. There are three formats for any penetration test: black-box, white-box, and grey-box. FRSecure penetration tests are typically performed as white- box assessments. These types of assessments yield more accurate results and provide a more comprehensive test of the security posture of the environment than a black-box or grey-box assessment. Page 25 of 26 City of Cupertino Risk Assessment, External Pen Test CONFIDENTIAL INFORMATION This document may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this document or the information herein is prohibited without prior permission of FRSecure. Copyright 2022 FRSecure LLC, All Rights Reserved. Document ID: FRSQ 8091 External Penetration Testing Engagement Summary External penetration testing consists of enumerating and verifying vulnerabilities that could be exploited by external attackers to gain unauthorized access to the client’s systems. The assessment helps validate the organization’s investment in their security and information technology infrastructure. FRSecure’s team plays the role of an external attacker, attempting to exploit vulnerable systems to obtain confidential information or compromise network perimeter defenses. Our findings are then used to provide example scenarios that demonstrate the potential impact of a compromise. Deliverables • Executive Summary • Reconnaissance • Enumeration • Exploitation • Recommendations Page 26 of 26 Exh. D-Insurance Requirements for Design Professionals & Consultant Contracts 1 Form Updated Jan. 2022 Consultant shall procure prior to commencement of Services and maintain for the duration of the contract, at its own cost and expense, the following insurance policies and coverage with companies doing business in California and acceptable to City. INSURANCE POLICIES AND MINIMUMS REQUIRED 1. Commercial General Liability (CGL) for bodily injury, property damage, personal injury liability for premises operations, products and completed operations, contractual liability, and personal and advertising injury with limits no less than $2,000,000 per occurrence (ISO Form CG 00 01). If a general aggregate limit applies, either the general aggregate limit shall apply separately to this project/location (ISO Form CG 25 03 or 25 04) or it shall be twice the required occurrence limit. a. It shall be a requirement that any available insurance proceeds broader than or in excess of the specified minimum insurance coverage requirements and/or limits shall be made available to the Additional Insured and shall be (i) the minimum coverage/limits specified in this agreement; or (ii) the broader coverage and maximum limits of coverage of any insurance policy, whichever is greater. b. Additional Insured coverage under Consultant's policy shall be "primary and non-contributory," will not seek contribution from City’s insurance/self-insurance, and shall be at least as broad as ISO Form CG 20 10 (04/13). c. The limits of insurance required may be satisfied by a combination of primary and umbrella or excess insurance, provided each policy complies with the requirements set forth in this Contract. Any umbrella or excess insurance shall contain or be endorsed to contain a provision that such coverage shall also apply on a primary basis for the benefit of City before the City’s own insurance or self- insurance shall be called upon to protect City as a named insured. 2. Automobile Liability: ISO CA 00 01 covering any auto (including owned, hired, and non-owned autos) with limits no less than $1,000,000 per accident for bodily injury and property damage. 3. Workers’ Compensation: As required by the State of California, with Statutory Limits and Employer’s Liability Insurance of no less than $1,000,000 per occurrence for bodily injury or disease.  Not required. Consultant has provided written verification of no employees. 4. Professional Liability for professional acts, errors and omissions, as appropriate to Consultant’s profession, with limits no less than $2,000,000 per occurrence or claim, $2,000,000 aggregate. If written on a claims made form: a. The Retroactive Date must be shown and must be before the Effective Date of the Contract. b. Insurance must be maintained for at least five (5) years after completion of the Services. c. If coverage is canceled or non-renewed, and not replaced with another claims-made policy form with a Retroactive Date prior to the Contract Effective Date, the Consultant must purchase “extended reporting” coverage for a minimum of five (5) years after completion of the Services. EXHIBIT D Insurance Requirements Design Professionals & Consultants Contracts Exh. D-Insurance Requirements for Design Professionals & Consultant Contracts 2 Form Updated Jan. 2022 OTHER INSURANCE PROVISIONS The aforementioned insurance shall be endorsed and have all the following conditions and provisions: Additional Insured Status The City of Cupertino, its City Council, officers, officials, employees, agents, servants and volunteers (“Additional Insureds”) are to be covered as additional insureds on Consultant’s CGL and automobile liability policies. General Liability coverage can be provided in the form of an endorsement to Consultant’s insurance (at least as broad as ISO Form CG 20 10 (11/ 85) or both CG 20 10 and CG 20 37 forms, if later editions are used). Primary Coverage Coverage afforded to City/Additional Insureds shall be primary insurance. Any insurance or self-insurance maintained by City, its officers, officials, employees, or volunteers shall be excess of Consultant’s insurance and shall not contribute to it. Notice of Cancellation Each insurance policy shall state that coverage shall not be canceled or allowed to expire, except with written notice to City 30 days in advance or 10 days in advance if due to non-payment of premiums. Waiver of Subrogation Consultant waives any right to subrogation against City/Additional Insureds for recovery of damages to the extent said losses are covered by the insurance policies required herein. Specifically, the Workers’ Compensation policy shall be endorsed with a waiver of subrogation in favor of City for all work performed by Consultant, its employees, agents and subconsultants. This provision applies regardless of whether or not the City has received a waiver of subrogation endorsement from the insurer. Deductibles and Self-Insured Retentions Any deductible or self-insured retention must be declared to and approved by the City. At City’s option, either: the insurer must reduce or eliminate the deductible or self-insured retentions as respects the City/Additional Insureds; or Consultant must show proof of ability to pay losses and costs related investigations, claim administration and defense expenses. The policy shall provide, or be endorsed to provide, that the self-insured retention may be satisfied by either the insured or the City. Acceptability of Insurers Insurers must be licensed to do business in California with an A.M. Best Rating of A-VII, or better. Verification of Coverage Consultant must furnish acceptable insurance certificates and mandatory endorsements (or copies of the policies effecting the coverage required by this Contract), and a copy of the Declarations and Endorsement Page of the CGL policy listing all policy endorsements prior to commencement of the Contract. City retains the right to demand verification of compliance at any time during the Contract term. Subconsultants Consultant shall require and verify that all subconsultants maintain insurance that meet the requirements of this Contract, including naming the City as an additional insured on subconsultant’s insurance policies. Higher Insurance Limits If Consultant maintains broader coverage and/or higher limits than the minimums shown above, City shall be entitled to coverage for the higher insurance limits maintained by Consultant. Adequacy of Coverage City reserves the right to modify these insurance requirements/coverage based on the nature of the risk, prior experience, insurer or other special circumstances, with not less than ninety (90) days prior written notice. ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? INSR ADDL SUBR LTR INSD WVD PRODUCER CONTACT NAME: FAXPHONE (A/C, No):(A/C, No, Ext): E-MAIL ADDRESS: INSURER A : INSURED INSURER B : INSURER C : INSURER D : INSURER E : INSURER F : POLICY NUMBER POLICY EFF POLICY EXPTYPE OF INSURANCE LIMITS(MM/DD/YYYY)(MM/DD/YYYY) AUTOMOBILE LIABILITY UMBRELLA LIAB EXCESS LIAB WORKERS COMPENSATION AND EMPLOYERS' LIABILITY DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required) AUTHORIZED REPRESENTATIVE EACH OCCURRENCE $ DAMAGE TO RENTEDCLAIMS-MADE OCCUR $PREMISES (Ea occurrence) MED EXP (Any one person)$ PERSONAL & ADV INJURY $ GEN'L AGGREGATE LIMIT APPLIES PER:GENERAL AGGREGATE $ PRO-POLICY LOC PRODUCTS - COMP/OP AGGJECT OTHER:$ COMBINED SINGLE LIMIT $(Ea accident) ANY AUTO BODILY INJURY (Per person)$ OWNED SCHEDULED BODILY INJURY (Per accident)$AUTOS ONLY AUTOS HIRED NON-OWNED PROPERTY DAMAGE $AUTOS ONLY AUTOS ONLY (Per accident) $ OCCUR EACH OCCURRENCE CLAIMS-MADE AGGREGATE $ DED RETENTION $ PER OTH- STATUTE ER E.L. EACH ACCIDENT E.L. DISEASE - EA EMPLOYEE $ If yes, describe under E.L. DISEASE - POLICY LIMITDESCRIPTION OF OPERATIONS below INSURER(S) AFFORDING COVERAGE NAIC # COMMERCIAL GENERAL LIABILITY Y / N N / A (Mandatory in NH) SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN ACCORDANCE WITH THE POLICY PROVISIONS. THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS, EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS. THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER. IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s). COVERAGES CERTIFICATE NUMBER:REVISION NUMBER: CERTIFICATE HOLDER CANCELLATION © 1988-2015 ACORD CORPORATION. All rights reserved.ACORD 25 (2016/03) CERTIFICATE OF LIABILITY INSURANCE DATE (MM/DD/YYYY) $ $ $ $ $ The ACORD name and logo are registered marks of ACORD 6/28/2023 (651) 255-6879 (651) 255-6801 29459 FRSecure LLC, SecurityStudio, Inc. 6550 York Ave S #500 Edina, MN 55435 37540 10111 A 1,000,000 X X 41SBAAE7649 10/11/2022 10/11/2023 1,000,000 Contractual Liab.10,000 1,000,000 2,000,000 2,000,000 1,000,000A X 41UECAA5573 10/11/2022 10/11/2023 6,000,000A 41SBAAE7649 10/11/2022 10/11/2023 6,000,000 10,000 A X 41WECAN5NZP 10/11/2022 10/11/2023 1,000,000 1,000,000 1,000,000 B E&O Incl Cyber Liab W19C30220801 10/11/2022 Per Incident/Agg 5,000,000 C Crime 106006231 10/11/2022 10/11/2023 Limit 1,000,000 The City of Cupertino, its City Council, officers, officials, employees, agents, servants and volunteers are included as additional insured in accordance with the policy provisions of the General Liability & Automobile liability policy. General Liability is on a primary & non-contributory basis. Waiver of Subrogation applies to General Liability coverage and Workers Compensation. City of Cupertino 10300 Torre Ave Cupertino, CA 95014 FRSELLC-01 DORTH Moores Insurance Management, Inc. PO Box 18120 Minneapolis, MN 55418 Erika Clausen eclausen@mooresinsurance.com The Hartford Beazley Insurance Company, Inc. The Travelers Companies, Inc X 10/11/2023 X X X X X X X X X X THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. Countersigned by Authorized Representative Form WC 00 03 13 Printed in U.S.A. Process Date:09/01/22 Policy Expiration Date:10/11/23 WAIVER OF OUR RIGHT TO RECOVER FROM OTHERS ENDORSEMENT Policy Number:41 WEC AN5NZP Endorsement Number: Effective Date:10/11/22 Effective hour is the same as stated on the Information Page of the policy. Named Insured and Address:FRSecure, LLC 6550 YORK AVE S # 500 EDINA MN 55435 We have the right to recover our payments from anyone liable for an injury covered by this policy. We will not enforce our right against the person or organization named in the Schedule. This agreement shall not operate directly or indirectly to benefit anyone not named in the Schedule. SCHEDULE Any person or organization for whom you are required by contract or agreement to obtain this waiver from us. Endorsement is not applicable in KY, NH, NJ or for any MO construction risk Professional Consultant Contract FRSecure Final Audit Report 2023-07-07 Created:2023-07-06 By:Marilyn Pavlov (marilynp@cupertino.org) Status:Signed Transaction ID:CBJCHBCAABAA-j5MlcgA1JQ6xnBbeRr1oXilQXHvyVX_ "Professional Consultant Contract FRSecure" History Document created by Marilyn Pavlov (marilynp@cupertino.org) 2023-07-06 - 12:19:54 PM GMT- IP address: 69.181.168.76 Document approved by Marilyn Pavlov (marilynp@cupertino.org) Approval Date: 2023-07-06 - 12:25:12 PM GMT - Time Source: server- IP address: 69.181.168.76 Document emailed to Araceli Alejandre (aracelia@cupertino.org) for approval 2023-07-06 - 12:25:14 PM GMT Document approved by Araceli Alejandre (aracelia@cupertino.org) Approval Date: 2023-07-06 - 2:38:00 PM GMT - Time Source: server- IP address: 73.170.104.117 Document emailed to Tanner Tuma (ttuma@frsecure.com) for approval 2023-07-06 - 2:38:04 PM GMT Email viewed by Tanner Tuma (ttuma@frsecure.com) 2023-07-06 - 2:40:25 PM GMT- IP address: 96.72.63.174 Document approved by Tanner Tuma (ttuma@frsecure.com) Approval Date: 2023-07-06 - 2:40:42 PM GMT - Time Source: server- IP address: 96.72.63.174 Document emailed to legal@frsecure.com for signature 2023-07-06 - 2:40:45 PM GMT Email viewed by legal@frsecure.com 2023-07-06 - 3:26:18 PM GMT- IP address: 75.89.173.67 Signer legal@frsecure.com entered name at signing as Vanae Pearson 2023-07-06 - 3:27:04 PM GMT- IP address: 75.89.173.67 Document e-signed by Vanae Pearson (legal@frsecure.com) Signature Date: 2023-07-06 - 3:27:06 PM GMT - Time Source: server- IP address: 75.89.173.67 Document emailed to christopherj@cupertino.org for signature 2023-07-06 - 3:27:09 PM GMT Email viewed by christopherj@cupertino.org 2023-07-06 - 3:37:36 PM GMT- IP address: 104.47.73.254 Signer christopherj@cupertino.org entered name at signing as Christopher D. Jensen 2023-07-06 - 3:38:04 PM GMT- IP address: 136.24.22.194 Document e-signed by Christopher D. Jensen (christopherj@cupertino.org) Signature Date: 2023-07-06 - 3:38:06 PM GMT - Time Source: server- IP address: 136.24.22.194 Document emailed to Tommy Yu (tommyy@cupertino.org) for signature 2023-07-06 - 3:38:09 PM GMT Email viewed by Tommy Yu (tommyy@cupertino.org) 2023-07-06 - 4:36:25 PM GMT- IP address: 64.165.34.3 Document e-signed by Tommy Yu (tommyy@cupertino.org) Signature Date: 2023-07-06 - 11:54:58 PM GMT - Time Source: server- IP address: 107.77.211.95 Document emailed to Kirsten Squarcia (kirstens@cupertino.org) for signature 2023-07-06 - 11:55:02 PM GMT Email viewed by Kirsten Squarcia (kirstens@cupertino.org) 2023-07-07 - 0:13:52 AM GMT- IP address: 104.47.73.126 Document e-signed by Kirsten Squarcia (kirstens@cupertino.org) Signature Date: 2023-07-07 - 0:14:00 AM GMT - Time Source: server- IP address: 64.165.34.3 Agreement completed. 2023-07-07 - 0:14:00 AM GMT