CI Security - Master Services & Statement of Service
BID CONTRACT AMENDMENT NO. 1

BID CONTRACT: City of Yakima Contract 2021-187B
DESCRIPTION: Additional Services
CONTRACTOR: Critical Insight
AMENDMENT: Purchase of additional services: Focused Security Gap Assessment (NIST-CSF) with SCADA, Incident Response Preparedness, and Incident Response Retainer.

DOLLAR AMOUNT OF MODIFICATION:
  Focused Security Gap Assessment (NIST-CSF) with SCADA    $23,015.00
  Incident Response Preparedness                           $20,600.00
  Incident Response Retainer                               $10,560.00
  Total                                                    $54,175.00
  Invoiced thirty (30) days following Effective Date.

ADDITIONAL INFORMATION: Original Contract #2021-187B signed on 11-16-2021.
AUTHORIZATION: John Carney, IT Services Manager. DATED this 29th day of December, 2022.
APPROVED: Robert Harrison, City Manager
CITY CONTRACT NO. [illegible]   RESOLUTION NO. [illegible]

STATEMENT OF SERVICE (Critical Insight)

Quote Date: 12/7/2022
Quote Expiration: 1/6/2023

Critical Insight contact:
  Name: Kurt Simpson
  Email: Kurt.Simpson@criticalinsight.com
  Phone: 206-823-5285

Bill To:
  Name: John Carney
  Company: City of Yakima, Washington
  Street Address: 129 N. 2nd Street
  City, State, Zip: Yakima, WA 98901
  Phone: 509-249-6804

Ship To:
  Name: John Carney
  Company: City of Yakima, Washington
  Street Address: 129 N. 2nd Street
  City, State, Zip: Yakima, WA 98901
  Phone: 509-249-6804

Professional Services

  Service Code | Description                                            | Quantity | Unit    | Subscription | Extended MSRP | Discount | Extended
  CI-PS-FSA    | Focused Security Gap Assessment (NIST-CSF) with SCADA  | 1        | flat    |              | $23,015.00    |          | $23,015.00
  CI-PS-IRP    | Incident Response Preparedness                         | 1        | flat    |              | $20,600.00    |          | $20,600.00
  CI-PS-IR     | Incident Response Retainer                             | 24       | hour(s) | 12 months    | $10,560.00    |          | $10,560.00
  Total        |                                                        |          |         |              | $54,175.00    |          | $54,175.00

  Subtotal Per Billing Period:                      $54,175.00
  *Estimated Sales Tax (8.30% estimated rate):      $0.00
  Initial Invoice (Invoice 1):                      $54,175.00

Critical Insight and the Critical Insight logo are the trademarks of Critical Insight, Inc. ©2022 Critical Insight, Inc. All rights reserved.
Critical Insight Terms and Conditions: Statement of Service

This Statement of Service ("SOS"), effective as of the date of the signature of the last party to sign (the "Effective Date"), is subject to the Critical Insight Master Services Agreement, dated as of ________, and any other Exhibits, Attachments or Amendments hereto, which are each incorporated herein by reference, and which together with this SOS constitute the "Agreement". Unless otherwise provided in this SOS, capitalized terms herein shall be as defined elsewhere in the Agreement. The terms of this Agreement constitute the final expression of the parties' binding understanding in respect to the subject matter hereof and supersede all prior or contemporaneous agreements, representations and understandings, written and oral, in respect to same. Customer acknowledges that it has read the Agreement and agrees to be bound by its terms.

• Contract term is one (1) year, commencing the Effective Date hereof.
• Billing shall be based on Critical Insight reporting. Critical Insight and Customer shall reconcile in good faith any discrepancies in their respective tracking records, provided Critical Insight's reporting shall control in the event of an irreconcilable discrepancy.
• Customer shall be invoiced on an annual basis in advance.
• The first year invoice shall be issued thirty (30) days following the Effective Date, and each subsequent annual invoice shall be issued on the anniversary of the Effective Date or the next following business day if such date falls on a weekend or national holiday. Payment of invoiced amounts is due no later than thirty (30) calendar days from date of invoice.
DocuSign Envelope ID: FDF7B394-8975-4959-A60C-0960AC97E570

Check one of the following: ☐ Purchase Order Required   ☐ Purchase Order Not Required

Customer
  Signature: [signed]
  Name: [illegible]
  Title: [illegible]
  Date: [illegible]
  Billing Contact Name: ________
  Billing Street Address: ________
  City, State, Zip: ________
  Billing Contact Phone: ________
  Billing Email: ________

Critical Insight, Inc.
  Signature: [DocuSigned]
  Name: Garrett Silver
  Title: CEO
  Date: 12/30/2022

EXHIBIT A
CITY OF YAKIMA, WASHINGTON
FOCUSED SECURITY ASSESSMENT
SCOPE OF WORK SOW 2022-545
November 11, 2022

Presented To:
  John Carney, Manager, IT Operations
  City of Yakima, Washington
  129 N. 2nd Street
  Yakima, WA 98901
  (509) 249-6804
  John.Carney@yakimawa.gov

Submitted By:
  Randy Oppenborn, Consulting Practice Director
  Critical Insight, Inc.
  245 4th Street, Suite 205
  Bremerton, WA 98337
  Randy.Oppenborn@CriticalInsight.com
  (630) 346-3525

CRITICAL INSIGHT, INC. CONFIDENTIAL

Table of Contents
Scope of Work, City of Yakima, Washington, Focused Security Assessment, November 11, 2022

GENERAL INFORMATION
  Background & Objectives
    Purpose
  Key Business and Technical Contacts
    The City of Yakima Business Contact Information
    Critical Insight Business Contact & Technical Contact Information
SERVICE DESCRIPTION AND SCOPE
  Focused Security Assessment
APPROACH AND METHODOLOGY
  Coordination, Planning, & Project Initiation
  The City of Yakima Resource Requirements
PERIOD OF PERFORMANCE
PROJECT CHANGE CONTROL
SERVICE DELIVERABLES
  Description
  Acceptance of Deliverables
TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM

Critical Insight has made every reasonable attempt to ensure that the information contained within this Scope of Work is correct, current and properly sets forth the requirements as they have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in, or for misinterpretations that readers may infer from, this document.

Non-Disclosure Statement
The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.

Trademark Notice
©2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight in the United States and in foreign countries. Copyright 2022 Critical Insight, Inc.

General Information

Background & Objectives

Purpose
This SOW presents Critical Insight's approach and methodology for the following: a Focused Security Assessment (FSA) based on the NIST Cyber Security Framework (CSF) and, possibly, the Health Insurance Privacy and Accountability Act (HIPAA), Criminal Justice Information Systems (CJIS) and the Payment Card Industry Data Security Standard (PCI DSS).

This SOW includes:
• Scope of Work - Critical Insight's methodology for assisting and supporting the City of Yakima's technology & executive teams, and the scope of work that will be performed
• Deliverables - Description of the deliverables for this project

Key Business and Technical Contacts

The City of Yakima Business Contact Information
  Name: John Carney, Manager, IT Operations
  Mailing Address: City of Yakima, Washington, 129 N. 2nd Street, Yakima, WA 98901
  E-Mail Address: John.Carney@yakimawa.gov
  Phone Number: (509) 249-6804

Critical Insight Business Contact & Technical Contact Information
  Name: Randy Oppenborn, Consulting Practice Director
  Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337
  E-Mail Address: Randy.Oppenborn@CriticalInsight.com
  Phone Number: (630) 346-3525

Service Description and Scope
This section provides a description of services, scope of activity, and support requirements associated with the services.

Focused Security Assessment
Our Focused Security Assessment approach may be summarized as a computer and network security assessment intended to provide a point-in-time snapshot of the City of Yakima's security posture, coupled with a set of prioritized recommendations for increasing the security throughout the organization. The Focused Security Assessment will focus on the City of Yakima's enterprise environment and the security management practices supporting that environment.
The assessment methodology is based on standards of practice drawn from multiple sources that include the NIST Cyber Security Framework and, possibly, the PCI DSS, HIPAA and CJIS encryption and data security standards.

Approach and Methodology
Critical Insight will conduct up to seven (7) focused information-gathering facilitation sessions at the City of Yakima. The sessions will discuss the required controls, while adding relevant context from the current threat landscape. The sessions will address the control standards as components that are relevant to each of the audiences (with some overlap), and will both deliver information and solicit it. As the requirements are presented, a conversational narrative will be used to interview the audience as to how effectively each requirement is currently being met. This conversation will include ideas on how gaps in compliance may be closed using open-source software, managed services, and other methods that fit their people, process and technology with respect to cost and management requirements. Critical Insight will review the results of the interviews and develop a presentation described in the Deliverables section below. A draft of the deliverable will be provided to the City of Yakima's point of contact for approval prior to delivery in the de-brief sessions listed below.

Coordination, Planning, & Project Initiation
Critical Insight will provide day-to-day project management for all aspects of this project, including tracking and resolution of project-related issues, progress tracking, project reporting, and communication. A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times.

The City of Yakima Resource Requirements
Achieving the City of Yakima's objectives will require active participation from both the Critical Insight Project Team and the City of Yakima's own personnel. To ensure the timely and successful completion of this project, the City of Yakima should expect at least the following resource time commitments from its own personnel:
• A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team
  ◦ The City of Yakima may choose to assign the Project Sponsor and Project Manager roles to the same person
  ◦ This role will require a commitment of approximately 4 hours during the course of the project
• Report Review Team
  ◦ Up to 4 hours per member to conduct report reviews

Project Initiation Meeting
Critical Insight recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all of our engagements. During the meeting, Critical Insight will address the following topics:
• Introduce key people at the City of Yakima and Critical Insight
• Exchange contact information (for regular reporting and emergencies)
• Review scope of services
• Review communication, notification, and issue escalation procedures
• Discuss other specific City of Yakima requests and rules of engagement
• Discuss the involvement of City of Yakima staff in the project for the purpose of knowledge transfer and security
• Critical Insight will discuss the deliverables required at completion of the project, the designated recipient, and the manner in which Critical Insight will forward those deliverables

See Appendix B - Interview Guide for details of the people, questions and time required to obtain the information requested.

Approach
Critical Insight will collect all relevant information from document reviews and staff interviews, and will review and verify the gathered data. This project will include a combination of onsite and remote work. During this time, Critical Insight focuses on information gathering to gain a better understanding of the information security program, policy and procedural implementation, and the environment, including:
• Identification of the organizational structure and essential stakeholders in security management activities
• The information risk environment
• Governance, policy management, acceptable risk tolerance
• Information security planning activities
• Additional functional components of the security program and the key practices supporting the security program components
• Operational risk and compliance activities
• Critical issues confronting the City of Yakima
• Prior information security-related assessments
• The general technical architecture
• Security training needs for staff
• Encryption, especially on mobile devices
• Limitations on information being passed (especially sensitive or regulated data)
• Strengthening passwords with apps, VoIP/voicemail PINs
• Incident response
• Specific SSL/TLS vulnerabilities

As stated, Critical Insight will derive most of the information necessary to assess the environment and supporting key practices through documentation reviews, such as policies, procedures, and plans related to information security, and through interviews and subsequent discussions with knowledgeable staff responsible for various aspects of information security management, including:
• Executive Management
• Key business unit leaders
• Information Security staff
• CIO, IT Management, Administrators
• Developers
• Staff focused on Business Continuity and Disaster Recovery
• Support Functions (HR, Legal, Facilities)
• Others, as applicable

Step 2 - Review and Analysis
During remote work activities, Critical Insight professionals will analyze the information gleaned from documents provided by the City of Yakima and from our interviews with various staff. The objective is to identify critical issues and develop prioritized recommendations for improvement. Critical Insight will assess the current environment and security management practices against a standard of practice such as the NIST Cybersecurity Framework, with specifics that may draw on various regulatory requirements, for example the PCI DSS, depending on whether data housed by the City of Yakima falls within the purview of those requirements. Critical Insight will provide prioritized recommendations, based upon risk, so that the City of Yakima can meet its compliance objectives and strengthen its overall security program.

Step 3 - Reporting
Using the results from Steps 1 & 2, Critical Insight will develop prioritized recommendations to improve the City of Yakima's information security program. The recommendations to improve the environment will be based on the aforementioned standards of practice, business requirements, internal security-related requirements, and practices used by peers. As part of this activity, Critical Insight will ensure that our recommendations and supporting rationale are clearly understood and appropriate for the City of Yakima's environment. Critical Insight will present any documentation detailing our findings and recommendations in draft form so that the City of Yakima has an opportunity to review, comment, correct, and approve the format and content prior to finalizing the deliverable documentation.
This iterative process helps to ensure that the City of Yakima can make informed, incremental decisions regarding specific courses of action throughout this review.

Period of Performance
The City of Yakima understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.
• Project Start Date: Within Eight (8) weeks of Effective Date
• Project Completion Date: Within Eight (8) weeks of Start Date

Project Change Control
Critical Insight has made every attempt to accurately estimate the time required to successfully complete the project. The City of Yakima acknowledges and agrees that if impediments, complications, or City of Yakima requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted.
Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):
• City of Yakima initiated delay, where the City of Yakima is not prepared to allow Critical Insight to begin work on the agreed upon start date, thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Yakima's site but cannot begin the services
• Information provided by the City of Yakima that is necessary for timely delivery by Critical Insight is not accurate
• Delays or problems associated with third party telecommunication equipment
  ◦ This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
• Malfunctioning hardware
• Inability to access equipment or personnel that are required to complete the project
• Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
• The City of Yakima increases the scope of services, requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or City of Yakima changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or in the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables

Description
Critical Insight will provide the following deliverables as part of this project:

Table 1: Deliverables
  Deliverable: Focused Security Assessment Report
  Description: A report describing the activities performed and the findings and risks identified, along with a 2-year roadmap containing a set of prioritized recommendations and next steps to mitigate the risks and increase the security posture of the City of Yakima.

  Deliverable: Executive Presentation
  Description: A presentation to technical, management and/or executive staff describing the findings and recommendations.

Acceptance of Deliverables
The City of Yakima has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. The City of Yakima will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix A: Project Completion Form. If the City of Yakima believes that Critical Insight has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Yakima shall identify in reasonable detail the specific Services or deliverables which the City of Yakima believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Insight's delivery of the remaining Services, if any, the City of Yakima's right to inspect and acknowledge full delivery shall be as stated above.
If the City of Yakima fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, the City of Yakima agrees that the services shall be deemed fully delivered to the City of Yakima, even if the City of Yakima has not signed the Critical Insight Project Completion Form.

Assumptions
Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitment.
• The City of Yakima will provide Critical Insight access to the business, customer, and technical information, and facilities necessary to execute the solution
• The City of Yakima will provide Critical Insight on-site and off-site access to documents necessary for this assessment
• The City of Yakima will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
• The Critical Insight professional working day is eight hours, including reasonable time for meals
• Critical Insight understands that occasions arise during customer engagements that require a longer or shorter working day
• Critical Insight will not be obligated to extend engagements when delays result from the City of Yakima's inability to meet stated prerequisites prior to an engagement, nor when delays result from City of Yakima personnel not being available to provide required support
• During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or for any other contractual relationship between the City of Yakima and third parties
• Critical Insight, at the request of the City of Yakima, will provide input to the City of Yakima regarding optimal product or vendor selection
• Any application code, documentation, and/or presentations developed under this SOW will be in English
• Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
• After-hours and weekend work (when required) must be explicitly identified below or as otherwise agreed to in writing by the parties:

After-hours required?   Yes ☐   No ☐

Location of onsite services? City of Yakima, Washington, 129 N. 2nd Street, Yakima, WA 98901, or remotely if pandemic restrictions remain in place.

Cost

Travel and Expense Reimbursement
All work can be conducted remotely, if desired or requested. Travel and expenses are not required on this engagement, especially if pandemic restrictions are in place. If travel, meals, lodging, and other direct costs for the described effort are incurred after obtaining approval from the City of Yakima, those expenses shall be reimbursed by the City of Yakima at actual cost.

Appendix A: Project Completion Form
Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "Focused Security Assessment" and dated November 11, 2022.

Accepted and Agreed By: City of Yakima, Washington
  Signature: ________
  Printed Name: ________
  Title: ________
  Date: ________

Please email the signed form to ________.

Appendix B - Interview Guide

Onsite Meetings
Personnel for interviews, time commitments and questions:

IT Administration / Network Ops / Telecom / Infrastructure / Wireless Networking / Desktop Support / InfoSec Interview Session: Desktop admins, AD admins, Helpdesk, Network Admins, Wireless admins, architects (add InfoSec staff if they are the same people or if we want to combine efforts) meet for up to 2 hours (or 3-4 hours if we include the Information Security Operations staff, if you have that role, which is up to you but might be a good idea. At many places, InfoSec is the same as IT, so these happen together anyway).

Network Team
• Go over the network diagram or whiteboard
• Describe the use of VPNs
• Describe WAN connections
• Are VLANs used and are they ACLed?
• Do you control what network services and protocols are allowed on the inside of your network?
• How do you grant and remove administrative access to network devices?
• How do you maintain the patch levels and update to new versions for the network devices?
• Do you apply role-based access to network devices?
• Do you follow the Principle of Least Privilege when assigning access roles?
• Do you follow the manufacturer's configuration guides or another secure configuration benchmark like the Center for Internet Security or NIST?
• Do you conduct security testing of the network after every significant update or major configuration change?
• Describe any RADIUS implementations
• Do you use secure configuration benchmarks such as NIST or CIS for guiding configuration of security and network devices?

IT Administrators
• Describe IT and IS policies that apply to your work
• Describe desktop and server build and management practices and technologies, as well as laptop/mobile workstation build and management practices and technologies
• Secure configuration baseline from CIS, NIST, MSFT?
• Do you use Shared Accounts such as the Local Administrative Password or Root Account?
• Is the Windows Firewall up by default or controlled by the network profile?
• What Antivirus is used, and how are alerts, missed signature updates and missed software updates alerted and resolved?
• Is full disk encryption, such as BitLocker, in use, and are Additional Decryption Keys managed by IT?
• Describe your AD/LDAP management practices
• Is Role-Based Access Control (RBAC) used for access in applications?
• Are AD groups used to provide Role-Based Access Control (RBAC) for users' access to systems, file shares or applications? How about machines being restricted in which other machines they can access using AD groups?
• Are AD Domain Admin and other highly privileged accounts limited to only those needing that level of access to do their job?
• Do users have local administrator rights on their workstations, and are they able to install their own software?
• How does the staff find out about the publication of security patches, updates and security fixes, and how are they tested, implemented, and validated?
• Is local software, like Adobe Acrobat, Flash, Java, etc., patched along with other software on workstations, laptops and servers?
• GPOs applied to enforce security:
  ◦ Password requirements
  ◦ Account lockout requirements
  ◦ Logging configuration for servers and workstations
  ◦ Firewall policy
• Describe Mobile device management practices and technologies
• Describe VoIP/phone architecture and management practices and technologies, including whether an IVR is in use
• Using PKI or AD certificates? Describe how.
• Do you use Shared Accounts such as a shared Linux/Unix Root Account or admin on networking gear like switches?
• Describe Change control practices
• How do you grant and remove access to onsite and SaaS applications?
• How do you connect to systems when conducting administrative activities?
• Have you documented justification for every rule in your Firewall configurations?
• Describe remote access uses and capabilities.

Operational Technologies (OT)
• List all OT in use: water, wastewater/sewer, stormwater, electric utility distribution, water production/distribution, Adaptive Traffic Management Systems (ATMS), waste-to-energy plants with technologies such as SCADA, ICS, PLCs, industrial ethernet, RF, HVAC, Card Key, Video Monitoring, parking systems
• How is OT in the field, like ATMS cabinets on street corners, secured from tampering?
• How are they managed and by whom (Vendor managed?)
• How and when are security patches installed on OT systems?
• Are Vendors servicing these systems required to get preapproval before working on any OT systems?
• Are their employees background checked (usually enforced by contract)?
• Are Vendors' laptops or systems connecting to your network checked for current antivirus protection before being allowed to connect?

CIO / Dir. of IT / CISO / Dir. of Security, Security Personnel: Administrators and Designers of Firewalls, VPNs and Gateways, Intrusion Detection Systems / Intrusion Prevention Systems, Data Loss Prevention, AV/Anti-malware, File Integrity Monitoring, Encryption Systems
• Do you have cyber-insurance? Does it also cover fraud (phishing, phone scams, Business Email Compromise (BEC))?
• Is data security and ownership covered in the procurement process and in vendor contracts?
• How is Information Security Governance conducted? Describe the decision-making processes for procurement, security decision-making processes for projects, and decision-making processes for outsourcing, change control and change management, compliance, risk management and governance.
• How are requests for exceptions to policy handled?
• Are Information Security and Acceptable Use Policies and Operational Security Procedures documented? Are they maintained and reapproved annually? Are they well known, and do employees receive training on them?
• Is Security Awareness training conducted, and how often?
• Is there an IR Plan, and is it tested periodically with Tabletop Exercises (TTEs)?
• Do you incorporate security into your procurement process, and if so, how?
• Is an Enterprise Security Risk assessment conducted annually?
• What regulations are you required to comply with, and have you achieved compliance with those regulations and standards (i.e. HIPAA, PCI, CJIS, NERC CIP etc.)?
• Describe Monitoring, Alerting and Incident Response technology and process
• Describe the Vulnerability Management process
• Describe any security testing processes
• Describe Security Requirements gathering for projects and procurement
• Describe the nature and management of operational Security
• Do you run security testing, and how often? Vulnerability assessment? Network penetration testing? Web application pentesting and security code review? Wireless assessments? Phishing exercise? Password cracking to test for strong passwords? Security testing for digital printers, HVAC, other operational technology (OT)?
• Describe the operational security controls and technologies in use, such as Firewalls, IDS/IPS, DLP, Encryption, email security, SIEM, etc., and how these systems are monitored for alerts
• Do you require secure baseline configurations for all IT systems, and do you regularly monitor those configurations?
• Do you use Network Access Control technologies?
• Is your firewall in a Default Deny configuration?
• Are all rules documented with a business function?
• Are the firewalls and any network ACLs reviewed regularly?
o Describe the Monitoring, Alerting and Incident Response systems and processes
o Describe the Vulnerability Management systems and processes
o Describe the process of gathering security requirements for new or updated technology and infrastructure
o Describe the Security Testing systems and processes in use and how the findings are incorporated into the environment and processes
o Do you conduct audits on the network and on systems to find regulated or classified data and assess if it is being handled correctly?
o Do you use any data monitoring technologies or is DLP incorporated into the regulated or classified data protection measures?
o How are resets performed and how are identities verified prior to issuance of a new password?

HR Interview Session: Staff who are knowledgeable about hiring, termination, job role change, and training practices, approximately 1/2 hour.
o Hiring process, termination process, training requirements, policy enforcement
o Do you conduct Background Checks prior to hiring and for what positions?
o Describe standard and hostile terminations or job position shifts.
o Do you assist in enforcement of Policy violations? Do you use a progressive discipline system?
o How does HR notify other departments and the facilities managers of an upcoming separation? Are there forms used to track the collection of assets and the removal of both physical and logical access?

Procurement Interview Session: Purchasing, Contracts, approximately 1/2 hour.
o Describe security in the procurement process. Are security risks weighed as a part of the procurement process?
o Do you have a process to determine security requirements prior to evaluating products, vendors and services, and are security or regulatory requirements made a part of the procurement evaluation process?
o Are specific statements required to be in contracts that cover security of CCL assets and data?
o Do you have regulated data or operations that require signing of data sharing agreements or business associate agreements?
o Is there a process to monitor vendor compliance and are there measures taken if a vendor is found to not be in compliance?

Development Teams and Managers and Applications/Database Interview Session: In-house development staff and managers and staff who are knowledgeable about the team's practices, methods of operation, use of encryption in apps and databases and the development process, up to 1 - 1 1/2 hours
o Dev Team and Dev Managers:
  • Describe the SDLC.
  • Waterfall, Agile, DevSecOps methods used?
  • What coding standards are being used and are they documented?
  • Are developers required to take OWASP security training?
  • When and how often is testing performed and what kind of testing is performed? Security code reviews? Web application penetration tests? Testing based on OWASP?
  • Is there logical separation of Dev, Test, and Prod environments?
  • Who is allowed to promote code and how is it approved?
  • Is there segregation of duties between developers and production administrators?
  • Is live data ever used in Dev or Prod?
  • Describe developer training.
  • Describe the results of the last or typical security code review.
  • Describe the last or typical web application security assessment.
  • What is the process for incorporating lessons learned back into the coding standards and practices?
  • How do you assess the controls expected on classified systems or systems and networks handling regulated or classified data?
  • Do you apply role-based access to applications and systems using regulated or classified data?
  • Do you follow the Principle of Least Privilege when creating Windows, application and SaaS access roles for regulated or classified data?
o DBAs and Application Administrators:
  • Cloud, SaaS or on premises?
  • How do you provide access based on the principle of least privilege?
  • Is all access to the application for users entirely role-based access control (RBAC) and what are those roles based on?
  • Is access reviewed periodically and how often?
  • How is access approved?
  • Do you use multifactor authentication for access whether by users or by administrators?
  • How are users decommissioned?
  • How are connections made to the DB, stored procedures or direct DB calls?
  • Is data encryption enforced at the application layer or the DB layer, and how and with what ciphers?
  • What authentication methods are used for the application and where can the application be accessed from, i.e. the Internet or internal only?
  • Is the application using a fat client, thin client, Citrix/RDP or VPN?

Facilities and Plant Interview Session: People whose responsibilities include building and facility access control, employee and visitor badging and escorting, video monitoring, card key and physical key systems, datacenter controls such as back-up power, temperature sensors, water sensors, fire suppression, paper and media management and disposal (shredding), up to 1 hour
o Describe physical security controls
  • Card keys
    ▪ Duplicates allowed?
    ▪ Temp card keys issued to employees when left 'at home'?
    ▪ Are access records logged, where are they logged, and how long are the logs being retained for?
    ▪ Fail open or fail closed?
    ▪ Is the card key system patched regularly (just like other computers on the network)?
    ▪ Door force alarms? Who responds?
  • Masters/submasters in use? How are they issued, to
  • Do you re-core any affected lock when a key is lost or not returned upon employee separation/termination?
  • Are key safes in use?
  • Does your team control file cabinet keys? If not, who does?
  • PIN pad entry
    ▪ Are all codes unique to an individual?
    ▪ Does the PIN system log accesses and identify the person who used the PIN pad for entry?

Cameras/Video Monitoring
o All locations?
o Are video streams monitored in real time or only after an incident?
o Where are the videos stored, and how long are they being retained for?
o Is the video monitoring system patched regularly (just like other computers on the network)?
o For the video monitoring in datacenters, are all ingress/egress cameras located within the datacenter and facing the door from the inside?
o Describe Fire/Water/Temp alerts in Datacenters
o Describe the business continuity plan for facilities including back-up generators and the amount of time available based on fuel storage
o Describe media destruction and disposal. Shred bins? Contracted destruction services?

EXHIBIT B

CITY OF YAKIMA, WASHINGTON
INCIDENT RESPONSE PREPAREDNESS

Presented To:
John Carney
Manager, IT Operations
City of Yakima, Washington
129 N. 2nd Street
Yakima, WA 98901
John.Carney@yakimawa.gov
(509) 249-6804

SCOPE OF WORK SOW-2022-631
NOVEMBER 11, 2022

Submitted By:
John-Luke Peck
Consulting Practice Director
Critical Insight, Inc.
245 4th Street, Suite 405
Bremerton, WA 98337
JLP@CriticalInsight.com
(425) 508-5150

Table of Contents
GENERAL INFORMATION
  Background & Objectives
  Purpose
KEY BUSINESS AND TECHNICAL CONTACTS
  The City of Yakima Business Contact Information
  Critical Insight Business Contact Information
SERVICE DESCRIPTION AND SCOPE
  Scope of Activity
  IR Plan Development
  IR Plan Tabletop Exercise
  Project Management, Coordination
  The City of Yakima Resource Requirements
  Project Initiation Meeting
  TTE
  Conduct Exercise
  Schedule
  Project Change Control
SERVICE DELIVERABLES DESCRIPTION
  Acceptance of Deliverables
ASSUMPTIONS
TRAVEL AND EXPENSE REIMBURSEMENT
APPENDIX A: PROJECT COMPLETION FORM

Critical Insight Scope of Work, City of Yakima, Washington, Incident Response Preparedness, November 11, 2022

Critical Insight has made every reasonable attempt to ensure that the information contained within this statement of work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

NON-DISCLOSURE STATEMENT
The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.

TRADEMARK NOTICE
2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, in the United States and in foreign countries. © Copyright 2022 Critical Insight, Inc.
General Information

Background & Objectives

Purpose
This SOW presents Critical Insight's approach and methodology for development of an Incident Response Plan (IR Plan) for the City of Yakima. We will create an Incident Response Plan and process which includes:
• Review of current Incident Management practices, processes and documentation currently in use at the City of Yakima
• Conducting a Gap Analysis of these incident management practices against Standards of Good Practice and compliance with regulations
• Based on the Gap Analysis, development of programmatic components not already in place and harmonization of existing incident management structures, plans, and guidance documents with the overall Incident Management program objectives, resulting in an IR Plan
• Conducting a Tabletop Exercise (TTE) or 'dry run' using the new IR Plan
• Ensuring the City of Yakima staff understand the roles, responsibilities and activities they will be required to perform when the IR Plan is activated
• Providing recommendations for subsequent TTEs that will include scenarios designed to validate the remediation of weaknesses identified in the first TTE

This SOW includes:
• Scope of Work: Critical Insight's methodology for assisting and supporting the City of Yakima's technology and executive teams, and the scope of work that will be performed
• Deliverables: Description of the deliverables for this project
• Project Assumptions: any assumptions that were used to derive the scope of work or pricing for this engagement
Key Business and Technical Contacts

The City of Yakima Business Contact Information
Name: John Carney, Manager, IT Operations
Mailing Address: City of Yakima, Washington, 129 N. 2nd Street, Yakima, WA 98901
E-Mail Address: John.Carney@yakimawa.gov
Phone Number: (509) 249-6804

Critical Insight Business Contact Information
Name: John-Luke Peck, Consulting Practice Director
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337
E-Mail Address: JLP@CriticalInsight.com
Phone Number: (425) 508-5150

Service Description and Scope
This section provides a description of services, scope of activity, and required support requirements associated with the services.

Scope of Activity
The scope outlined below depicts the scope of activity associated with this engagement.
Table 1: Scope of the Security Services

Activity or Focus | Scope & Delivery Requirements
IR Plan Development | Up to 4 meetings to establish a comprehensive and formal incident management framework based on defined and managed processes for incident notification, communications, documentation, lessons learned, training, testing and auditing
IR Plan Tabletop Exercise | An up to 4-6 hour exercise of the IR Plan, conducted virtually

IR Plan Development
Our Approach will execute the following tasks:
• Review of current Incident Management practices, processes and documentation
• Conduct a Gap Analysis against Standards of Good Practice and compliance with regulations
• Develop new programmatic components with the establishment and implementation of comprehensive, defined, managed, and measurable incident management processes
• Develop/Amend/Enhance (existing) security policies and practices for incident monitoring and management
• Develop a customized incident response plan and methodology guide (based on industry-leading policies, guidelines, and processes) to provide a step-by-step process for detecting and responding to incidents occurring within your organization. Serving as a roadmap for effective incident response, the methodology guide includes decision matrices for establishing incident severity, escalation areas, and management decision points
• Develop documentation tools, operational procedures, and incident handling guides for consistent and repeatable guidance for the response team
• Harmonize existing incident management structures, plans, and guidance documents with the refined Incident Management program objectives

The result is an IR Plan ready for use and for a Tabletop Exercise (TTE) to ensure readiness to deliver on the plan.
IR Plan Tabletop Exercise
Our approach for the TTE program executes the following tasks:
• Review of current incident management and incident response practices, processes and documentation against applicable standards of practice
• Document a formal incident response testing program for periodic evaluation of the effectiveness and applicability of the program
• Develop testing criteria, requirements and procedures for the periodic evaluation of the Incident Response Plan and its critical components
• Conduct the first TTE according to one of the following IR frameworks:
  o HITRUST CyberRX 2.0 Playbook Level 1 (Basic), a scenario-based exercise program to assess the cyber security response preparedness of healthcare organizations that is fully applicable to any organization
    ▪ We recommend the CyberRX approach, as the NIST methodology is not part of an integrated TTE approach
  o A combination of NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide (NIST.SP.800-61r2), NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (NIST.SP.800-84), and NIST SP 800-184, Guide for Cybersecurity Event Recovery (NIST.SP.800-184)
• Provide an after-action report that includes a Table of Findings and Recommendations for increasing the effectiveness of the IR process and plans
Table 2: IR Roles

Area | Incident Handler Role | Function
Management | Oversight | Make decisions on issues not outlined in procedures
Information Security | Lead | Investigations
Information Technology | Support | Provide technical support as required
Physical Security | Primary | Assess Physical Damage; Business Continuity; Physical Property Investigation; Safeguarding Evidence
Legal | Secondary | Provide legal advice when requested
Human Resources | Consultation | Provide information with regards to situations involving employees
Communications | Secondary | Communicate with: Internal: shareholders/owner, management, staff; External: press, public, vendors, law enforcement

Project Management, Coordination
A key component of Critical Insight's project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times.

Critical Insight will provide a highly qualified resource as Lead Consultant on the project and the Point of Contact (PoC) for the life of the contract; additional resources may address specific areas of this body of work. The Lead Consultant has experience in incident management, regulatory compliance and information security, managing enterprise-level projects, and communicating with Executives, Steering Committees, Regulators, and Auditors as well as IT and operational staff.
The City of Yakima Resource Requirements
Achieving the City of Yakima's objectives will require active participation from both the Critical Insight Project Team and the City of Yakima's own personnel. To ensure the timely and successful completion of this project, the City of Yakima should expect at least the following resource time commitments from its own personnel:
• A Project Manager should be assigned to the project to serve as the single point of contact for the Critical Insight Project Team (the City of Yakima may choose to assign the Project Sponsor and Project Manager role to the same person). This role will require a commitment of approximately 4-6 hours during the course of the project.

Additionally, the following activities and estimated time allocations will be performed as part of the project, in which the City of Yakima-identified staff will participate:
• Kick-off meeting, interview on IR processes and document collection: 1-2 hours
• TTE Preparation: 1-2 hours

Project Initiation Meeting
Critical Insight recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all of our engagements. During the meeting, Critical Insight will address the following topics:
• Introduce key people at the City of Yakima and Critical Insight
• Exchange contact information (for regular reporting and emergencies)
• Review scope of services
• Review communication, notification, and issue escalation procedures
• Discuss other specific City of Yakima requests and rules of engagement
• Discuss the involvement of the City of Yakima staff in the project for the purpose of knowledge transfer and security
• Critical Insight will discuss the deliverables required at completion of the project, the designated recipient, and the manner in which Critical Insight will forward those deliverables
• Describe/provide the City of Yakima IR Plan, processes and policies
• Plan the TTE and identify participants
• Discuss pre-TTE communications from management to participants

TTE
Our preferred methodology is modeled on CyberRX, a scenario-based exercise program to assess the cyber security response preparedness of healthcare organizations. CyberRX 2.0 is the next iteration following the successful introduction of CyberRX 1.0 in 2013. The CyberRX program is overseen by a steering committee comprised of representatives from the healthcare industry, HITRUST, and the Department of Health and Human Services (DHHS).

The CyberRX cycle includes the following phases and who is responsible for each phase:
• Prepare and Plan: Critical Insight and the City of Yakima
• Conduct Exercise: Critical Insight and the City of Yakima
• Identify Lessons Learned: Critical Insight
• Improve Cybersecurity Program: the City of Yakima

The NIST-based methodology has the following components:
• Design. The design phase and planning for exercises typically starts at least one month in advance. The major steps in the event design process are as follows:
  o Determine the exercise topic based on the focus of the plan being exercised
  o Determine the exercise scope based on the target audience
  o Identify the objectives of the exercise
  o Identify the individuals that should participate in the exercise and invite them to the event
  o Identify the staff for the exercise, including a facilitator and a data collector
  o Coordinate the logistics for the exercise event
• Development. Typical documentation includes a briefing, a facilitator guide, a participant guide, and an after-action report.
• Conduct. In this phase, the IR plan is actually exercised. Tabletop exercises are usually conducted in a classroom-type setting. The facilitator provides a briefing to the participants, then walks them through the scenario and initiates a group discussion using a question from the facilitator guide. As the discussion continues, the facilitator may inject additional questions periodically. The data collector documents issues to be included in the after-action report. Immediately following the facilitated discussion, the facilitator and data collector conduct an exercise debrief, in which they ask the participants in which areas they excel, in which areas they could use additional training, and which areas of the IR plan should be updated.
• Evaluation. The comments from the debrief, along with lessons learned during the exercise, are captured in an after-action report. The report should include background information about the exercise, documented observations made by the facilitator and data collector, and recommendations for enhancing the IR plan that was exercised. Outcomes of the evaluation could include updating the IR plan or other security-related documents, briefing managers on the results, and performing other actions.

Prepare and Plan
The Kickoff Meeting will serve as the forum for initial TTE planning and exchange of information. Fourteen example scenarios are presented in the CyberRX, ranging in complexity from one to three stars (levels of complexity, 3 being the most complex), and a subset of those will be chosen to be used in the first TTE. After review of the collected information and documentation, the Lead Consultant will adjust the plan and communicate those adjustments back to the City of Yakima.
The City of Yakima will approve the final TTE plan no less than five (5) business days prior to the scheduled TTE. Additional adjustments, or adjustments requested within five (5) business days prior to the scheduled TTE, may affect the price and schedule commitments. Approximately 48 hours prior to the TTE, a short, final pre-TTE conference call will be conducted to ensure any final details have been addressed.

Conduct Exercise
The Lead Consultant will conduct the formal virtual TTE and document the strengths and weaknesses of the City of Yakima IR plan, process and policy. The areas measured in a TTE are referred to in the CyberRX as the 10 Markers. The following ten markers are typical industry practices and are key activities, policies, or products to strengthen an organization's cybersecurity capabilities:
1. Governance/People
2. Incident Response Policy and/or Guidelines
3. Internal Communications and Escalation
4. Training
5. Information Sharing
6. Vulnerability & Threat Management
7. Asset Management and
8. Vendor assessment
9. Lessons Learned
10. Updating plans and policies

Lessons Learned
Critical Insight will create a TTE report with a Table of Findings and Recommendations built around the Ten Markers. The report will form the basis of the Lessons Learned phase and will include the remediation activities for the City of Yakima to consider for the Improve Cybersecurity Program phase. The City of Yakima will be given an opportunity to review the report before a final draft is delivered. Requested revisions will be incorporated when warranted into the final draft. Changes to the report after the final draft has been submitted may affect the price and schedule commitments.
Improve Cybersecurity Program
The City of Yakima addresses the prioritized list of items for remediation.

Repeat Prepare and Plan
Each CyberRX cycle will include a Prepare and Plan stage that integrates scenarios designed to provide validation of remediation and incorporation of lessons learned into the City of Yakima IR plan, processes and policies.

Schedule

Period of Performance
The City of Yakima understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.
Project Start Date: Within Eight (8) weeks of Effective Date
Project Completion Date: Within Eight (8) weeks of Start Date

Project Change Control
Critical Insight has made every attempt to accurately estimate the time required to successfully complete the project. The City of Yakima acknowledges and agrees that if impediments, complications, or City of Yakima-requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted.
Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):
• A City of Yakima-initiated delay where the City of Yakima is not prepared to allow Critical Insight to begin work on the agreed upon start date, thus resulting in additional cost to Critical Insight for resources that have been sent to the City of Yakima's site but cannot begin the services
• City of Yakima-provided information necessary for timely delivery by Critical Insight is not accurate
• Delays or problems associated with third party telecommunication equipment
  o This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
• Malfunctioning hardware
• Inability to access equipment or personnel that are required to complete the project
• Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
• The City of Yakima increases the scope of services, requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or City of Yakima changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this section.
Service Deliverables Description
Critical Insight will provide the following deliverables as part of this project:

Table 3: Deliverable Description

Name of Deliverable | Description of Deliverable
Incident Response Plan & up to 4 playbooks (scenario-based response guides) | A plan that provides a step-by-step process for detecting and responding to incidents occurring within your organization and can serve as a roadmap for effective incident response
Tabletop Exercise | One half (1/2) day exercise conducted by video teleconference designed to identify any weaknesses in the IR Program and to familiarize the staff with their responsibilities in the event of an incident
TTE Report with Table of Findings and Recommendations | A written report summarizing the results of the TTE that will include a Table of Findings and Recommendations for improving the City of Yakima Incident Management Program

Acceptance of Deliverables
The City of Yakima has five (5) business days to inspect and acknowledge full delivery of the services to be provided by Critical Insight hereunder upon completion and delivery of the Services by Critical Insight. The City of Yakima will indicate such acknowledgement by signing Critical Insight's Project Completion Form, a sample of which is attached as Appendix A: Project Completion Form. If the City of Yakima is not able to inspect and acknowledge deliverables within 5 business days, the City of Yakima will notify Critical Insight in writing and work together to define a mutually agreed date. If the City of Yakima believes that Critical Insight has not fully delivered the services to be provided hereunder and refuses to sign the Project Completion Form on that
basis, the City of Yakima shall identify in reasonable detail the specific services or deliverables which the City of Yakima believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Insight within such five (5) business day period. Following Critical Insight's receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining service delivery requirements. Upon Critical Insight's delivery of the remaining services, if any, the City of Yakima's right to inspect and acknowledge full delivery shall be as stated above. If the City of Yakima fails to provide such acknowledgement or notice within the five (5) business days of receiving final deliverables, the City of Yakima agrees that the services shall be deemed fully delivered to the City of Yakima, even if the City of Yakima has not signed the Critical Insight Project Completion Form.

Assumptions
Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
• The City of Yakima will provide Critical Insight access to the business, customer, and technical information and facilities necessary to execute the solution
• The City of Yakima will provide Critical Insight on-site and off-site access to documents necessary for this assessment
• The City of Yakima will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
• Layer-3 devices will allow the protocols needed to discover and identify network services
• Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the City of Yakima
  o If required, the City of Yakima will assist with obtaining this access
• During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be exploited or disclosed except to specified City of Yakima staff
• Discovery and investigation processes should not interrupt any processes or services or cause any impact to the availability of operations
• Critical Insight will not be obligated to extend engagements when delays result from the City of Yakima's inability to meet stated prerequisites prior to an engagement, nor when delays result from client personnel not being available to provide required support
• During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between the City of Yakima and third parties
• Critical Insight, at the request of the City of Yakima, will provide input to the City of Yakima regarding optimal product or vendor selection
• Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
• As technical testing is included in the SOW which could require after-hours and weekend work, Critical Insight agrees to provide services as indicated below:
After-hours upon request?    Yes [ ]  No [ ]
Weekend upon request?        Yes [ ]  No [ ]
Location of onsite services? All work can be conducted remotely, or the City of Yakima, 129 N. 2nd Street, Yakima, WA 98901

Cost

Travel and Expense Reimbursement

Travel and expense costs may be expected on this engagement though all work can be conducted remotely. If travel, meals, lodging, and other direct costs for the described effort are incurred, with prior approval from the City of Yakima, those expenses shall be reimbursed by the City of Yakima at actual cost.

Appendix: Project Completion Form

Critical Insight has completed all of the agreed upon tasks outlined in the Scope of Work titled "Incident Response Preparedness" and dated November 11, 2022.

Accepted and Agreed By: City of Yakima, Washington
Signature:
Printed Name:
Title:
Date:

Please email the signed form to Consulting@CriticalInsight.com.

EXHIBIT C
CITY OF YAKIMA, WASHINGTON
INCIDENT ASSISTANCE SERVICES RETAINER

Presented To: John Carney, Manager, IT Operations, City of Yakima, Washington, 129 N. 2nd Street, Yakima, WA 98901, John.Carney@yakimawa.gov, (509) 249-6804

SCOPE OF WORK SOW-2022-632
NOVEMBER 11, 2022

Submitted By: John-Luke Peck, Consulting Practice Director & Critical Insight dCISO, Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337, jlp@CriticalInsight.com, (425) 508-5150

CRITICAL INSIGHT, INC.
CONFIDENTIAL
Critical Insight Scope of Work, City of Yakima, Washington, Incident Assistance Services Retainer, November 11, 2022

Table of Contents

GENERAL INFORMATION ... 1
  Purpose
KEY BUSINESS AND TECHNICAL CONTACTS ... 2
  THE CITY OF YAKIMA BUSINESS CONTACT INFORMATION
  CRITICAL INSIGHT BUSINESS CONTACT INFORMATION ... 2
SERVICE DESCRIPTION AND SCOPE
  GENERAL DESCRIPTION
  SCOPE OF ACTIVITY
    Incident triage and response
    Forensics
ASSUMPTIONS
COST
  TRAVEL AND EXPENSE REIMBURSEMENT ... 3

Critical Insight, Inc. has made every reasonable attempt to ensure that the information contained within this statement of work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

NON-DISCLOSURE STATEMENT
The information in this document is Critical Insight Confidential, and cannot be reproduced or redistributed in any way, shape, or form without prior written consent from Critical Insight, Inc.

TRADEMARK NOTICE
2022 Critical Insight, Inc. All Rights Reserved. Critical Insight®, the Critical Insight and Kraken logos and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Insight, in the United States and in foreign countries. © Copyright 2022 Critical Insight, Inc.
General Information

Purpose

This SOW presents Critical Insight's approach and methodology for an on-demand Incident Assistance Services Retainer for the City of Yakima. These services, when needed, may include:
• Incident triage and response
• Forensic analysis
• Disk imaging
• Event reconstruction
• Preservation of evidence and legal hold
• A dark web search for stolen data
• Assessment of web and network data compromise
• Messaging to client, regulators

Services are requested by email to our IR Retainer address … or using our Critical Response Hotline at 1 (206) 687-9100, press 1. A response to an incoming request will receive an email or phone reply within 2 hours. In most cases, the response process and information gathering will begin as soon as that reply to the incoming request is made, but the full resources of the IR team will be brought to bear on the effort within 24 hours or within 72 hours, at the Customer's discretion.

This SOW includes:
• Scope of Work - Critical Insight's methodology for assisting and supporting the City of Yakima's technology & executive teams, and the scope of work that will be performed
• Deliverables - Description of the deliverables for this project
• Project Assumptions - any assumptions that were used to derive the scope of work or pricing for this engagement

Key Business and Technical Contacts

The City of Yakima Business Contact Information
Name: John Carney, Manager, IT Operations
Mailing Address: City of Yakima, Washington, 129 N.
2nd Street, Yakima, WA 98901
E-Mail Address: John.Carney@yakimawa.gov
Phone Number: (509) 249-6804

Critical Insight Business Contact Information
Name: John-Luke Peck, Consulting Practice Director & Critical Insight dCISO
Mailing Address: Critical Insight, Inc., 245 4th Street, Suite 405, Bremerton, WA 98337
E-Mail Address: jlp@CriticalInsight.com
Phone Number: (425) 508-5150

Service Description

This section provides a description of services, scope of activity, and support requirements associated with the services.

General Description

The work and scope are not defined until the request for services is made but will consist of incident response assistance and forensics activities. No expert witness services, such as testifying in court, are included in this SOW.

Critical Insight will respond by phone or email within 2 hours of initiation of a request for assistance. We require a call to the IR Assistance Phone line or an email to the IR Assistance email address to initiate IR Assistance services and prefer use of both in tandem to allow for the most rapid response. If you suspect your email system may be compromised, use a non-business email to initiate contact such as Gmail, etc. If you suspect your phone has been compromised, use someone else's phone or email. Indicate if this is Emergency Response, up to 24 hours for full resource deployment, or Rapid Response, up to 72 hours for full resource deployment, in your communication. For 24-hour Emergency Response requests, you will receive a phone response to the service initiation request within 2 hours to begin the response process, but often we are in contact with you within 20 minutes if not immediately upon incoming communications.
The full IR resources, which may include boots-on-the-ground response, forensics, detailed log analysis, or other services, will be available within 24 hours of initiation of services, though we commonly are conducting those activities within hours. If you are making a request for the 72-hour response time, indicate that in the communication and we will contact you by the close of business that day, or if the request comes in after hours, by 10:00 AM the next morning.

To request IR Assistance:
• Email - IncidentResponse@CriticalInsight.com
• Phone - 1 (206) 687-9100, press 1 (12066879100,,1 for speed dial)
  Or
• 1 (206) 687-9100, press 9

We will provide disk imaging and forensic analysis software for hard disk analysis. If the City of Yakima uses and requires a specific forensics analysis suite, some cross training may be required prior to our use of the City of Yakima system if it is different than the tools we use.

NOTE: This is a retainer contract with all fees paid up front. Hours will be lost if they are not used within 90 days after the IR Retainer term, which is one year/365 days from the execution of this SOW. This allows a full year of IR Retainer, with a 90 day period after the full year to repurpose and use those hours. These hours can be repurposed for any service we offer but requires at least 4 weeks lead time to schedule alternate work.

Scope of Activity

The scope outlined below depicts the scope of activity associated with this engagement.
Table 1: Notification Lead Time Statement

Lead Time for Emergency Response Onsite Requests    24-hour notice
Lead Time for Rapid Response Onsite Requests        72-hour notice
IR Retainer Period                                  One Year from Contract Signing
Contract Period                                     One Year from Contract Signing plus 90 days

Incident triage and response

Once the City of Yakima has stabilized the situation, we can further assist onsite based on the request for services at one of the two Rapid Response rates shown in Table 1, Notification Lead Time Statement, above. Our services may include:
• Assist in execution against an existing Incident Response plan
• Response strategies and tactics
• Advisor to Incident Manager, Executives, Legal

Forensics

Computer forensics is the process of examining and preserving data found in computer systems, digital storage mediums or on networks in order to determine as much as possible about a security incident, including:
• Identification of how it occurred
• Root cause analysis to determine why it occurred
• Collection of evidence of suspected misuse
• Documentation of policy violations
• Documentation of potentially unlawful activities or actions

Working with Legal, IT, InfoSec, Compliance, Business Unit and Risk Managers to provide value to all affected parts of the business, Critical Insight will provide a forensic examination of a laptop system and review log sources in order to assist in identifying any malicious or unauthorized activity. The project activities will be performed both onsite and remotely.
Schedule

Period of Performance

The City of Yakima understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Insight's ability to meet certain dates.

Project Start Date:      Within Thirty (30) Days of Effective Date
Project Completion Date: Within One Year (1) of Start Date plus 90 days

Project Change Control

Critical Insight has made every attempt to accurately estimate time required to successfully complete the project. The City of Yakima acknowledges and agrees that if impediments, complications, or the City of Yakima requested changes in scope arise, these factors are out of the control of Critical Insight, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):
• Customer initiated delay where Customer is not prepared to allow Critical Insight to begin work on the agreed upon start date, thus resulting in additional cost to Critical Insight for resources that have been sent to the client's site but cannot begin the Services
• Customer provided information necessary for timely delivery by Critical Insight is not accurate
• Delays or problems associated with third party telecommunication equipment. This includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties
• Malfunctioning hardware
• Inability to access equipment or personnel that are required to complete the project
• Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Insight
• The client increases the scope of services requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or the client changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.

Service Deliverables Description

Critical Insight has no predefined deliverables as part of this project.

Assumptions

Critical Insight used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
• Customer will provide Critical Insight access to the business, customer, and technical information and facilities necessary to execute the solution
• Customer will provide Critical Insight on-site and off-site access to documents necessary for this assessment
• Customer will ensure that appropriate personnel are available to meet with Critical Insight, as necessary
• Layer-3 devices will allow the protocols needed to discover and identify network services
• Critical Insight will have approved access to vendors, for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the Customer
• If required, Customer will assist with obtaining this access
• During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be exploited or disclosed except to specified client staff
• Discovery and investigation processes should not interrupt any processes or services or cause any impact to the availability of operations
• Critical Insight will not be obligated to extend engagements when delays result from client's inability to meet stated prerequisites prior to an engagement, nor when delays result from client personnel not being available to provide required support
• During this effort, Critical Insight will not be responsible for negotiations with hardware, software, or other vendors, or any other contractual relationship between client and third parties
• Critical Insight, at the request of the client, will provide input to the client regarding optimal product or vendor selection
• Critical Insight will perform the work between 8:30 a.m. and 5:00 p.m. (local time)
• As technical testing is included in the SOW which could require after-hour and weekend work, Critical Insight agrees to provide services as indicated below:
After-hours upon request?    Yes [ ]  No [ ]
Weekend upon request?        Yes [ ]  No [ ]
Location of onsite services? All work can be conducted remotely, or the City of Yakima, 129 N. 2nd Street, Yakima, WA 98901

Cost

Travel and Expense Reimbursement

Travel, meals, lodging, and other direct costs for the described effort are not expected for this project and are not included in the quote above. When travel, meals, lodging, and other direct costs for the described effort are incurred, those expenses shall be reimbursed by the City of Yakima at actual cost.

NOTE: The entire value of this IR Retainer Service will be paid in advance and payment is due on the Effective Date. All hours must be expended no later than 90 days after the IR Retainer expires one year from the Effective Date. No rollover of hours will occur when this contract expires, and unused hours will be lost if not used within 90 days of contract expiration.

CI SECURITY MASTER SERVICES AGREEMENT

THIS MASTER SERVICES AGREEMENT ("MSA"), together with any then-current Statement of Service ("SOS") between Customer and Critical Insight, Inc., d/b/a CI Security ("CI") and the related exhibits, documentation and specifications CI may from time to time deliver or make available to Customer, govern and control the Services described in the ordering SOS. Capitalized terms not otherwise defined below shall have the meaning assigned to them in the SOS. Unless otherwise stated in a SOS, the terms of this MSA shall control any conflicting or inconsistent term in such SOS.

1. Definitions. Capitalized terms in this Agreement not otherwise defined have the meaning described below, for both singular and plural form.

a.
"Agreement" means this K4SA. each SOS, and each exhibit that supplements the K8SAand/or a SO5, as each such document may beamended from time 0otime. b. "Appliance" means the computer hardware unit integrated in Customer's Internet aanmr stack as part cfC|'s provisioning process and included in, and required to enable activation and performance of, the Cl Products. u. "Cl Assets" means all computer hardware, eoftwaro, networking tools and equipment, opp|ion000 and devices owned and operated by Cl that are deployed or engaged in performance, in whole or part, of the Services, including any App|ianoa(u)provided toCustomer inconnection with the Services. d. "CI Pnmducts" means the C| Pmgromo. App|ianmau, monitoring and response services, action p|ano. Raportn, grophioe, pictorial and functional nupnementationy, aproodohmotu, pneoenteUona, ene|ys*u, pnoceoaaa, methodo, prnoedurau, ooncepte, hnow'hom/, toohniquua, pn*cticuu, and all related manuals and Dorumentotion, and modifications and improvements in respect to any of the fonegoing, pmvidod, delivered or made available to Customer byC|pursuant hnamutually executed SOS. e. "Cl Programs" means the Critical |nuightrw monitoring software programs and applications, dmoigno, invontionn, source code, tools, patches, updates and new versions to any of the foregoing, user ID's, user interfaces, tokens, passwords and portals licensed to Customer by Cl as part of the Cl Products but excludes third -party software and custom programs, ifany, developed byC|for Customer. f. "Cl Services" means the consulting eomioee described in the ordering SOS and any other professional neminoa that C|provides toCustomer otCustomer's request g. "Customer Data" means the in -bound and out -bound Internet borne data hosted on Customer's proprietary servers that ioaccessed and monitored bythe C|Programs. h. 
"Customer Infringement Exclusion" means (i) Customer's use of the Cl Programs except as permitted under this Agreement or Customer's combination of the Cl Programs with any hardwara, software or other materials either that are not provided by Cl, or that could not reasonably have been anticipated to be used in combination with the Cl Programs, in each case where absent such combination the Cl Programs would be non -infringing, (ii) Customer's use of other than the most current release of the Cl Programs that results in a claim or action for infringement that could have been avoided by use of the current ro|aaue, provided that Cl has supplied Customer with the most current release at no additional fee, or (iii) the provision by Customer to Cl of materials, designs, know-how, software or other intellectual property with instructions to Cl to use the same in connection with the Cl Programs. i. "Confidential Information" means all information, data, and material one party hereto (the receiving party) obtains from the other party (the disclosing party) in connection with this Agreement;Confidential Information does not include information that: (i)vvae known tnthe receiving party without restriction before receipt from the disclosing party; (ii) is publicly available through no fault of the receiving party; (iii) is rightfully received by the receiving party from a third party without a duty of confidentiality; or (iv) is independently developed by the receiving party without reference to any Confidential Information of the disclosing party. Confidential Information also includes the terms of this Agreement, non-public personal or financial information relating to a party's employees, customers or contractors, all trade 000rete, pnocoeaoa, proprietary data, information or documentation and any pricing or product information the disclosing party provides tnthe receiving party. 
j"Documentation" means the Service descriptions, playbooks, instructions and protocols set forth in digital or hard copy format and provided ormade available toCustomer byCl. k. "Effective Date" means the date set forth in the signature block of this Agreement. i "Excused Downtime" means any of the following: (i) force majeure events as defined in Sectign 16.a. hereof;(ii) data transmission failures outside the control of Cl; and (iii) scheduled and emergency maintenance outages. Schedule maintenance iogenerally conducted between the hours of8 p.m. Saturday and 8 a.m. Sunday. U.S. Pacific Time. Maintenance outages include, without limitation, installation of software updates and patches, service packs and routine server and application configuration changes. Cl may schedule a non -routine maintenance outage on an as needed basis in its ao|o discretion and, except in instances of emergency maintananoe, will use commercially reasonable efforts to notify Customer forty-eight (48) hours in advance of any such outage. m. "Report" means any written oummary, ana|yuia, finding, schedule or nthar, similar document prepared for Customer byC|oupart ofthe Services specified inthe ordering SOS. 03152021 ""^"OIu"LZI'""lup""^"°"''"' "Security Breach" means the actual or suspected unauthorized third -party access to or use of the Cl Assets that compromises the security or functionality of such osoo{u or the confidentiality or integrity of any Customer Confidential Information stored thereon. "Semvioea"means the C|Products and C|Services together. "Services Term" shall have the moaning set forth in Section 11.a. hereof. "TerTnination Event" means with respect to either party, that party becomes the subject of a proceeding under the Bankruptcy Code, (i) seeking the appointment of trustae, receiver urcustodian or (ii) seeking the |iquidaUon, winding -up, dissolution, reorganization or the like of such party, and the proceeding is not dismissed within 30 days of its commencement. 
If a party is subject to a Termination Event, such party shall promptly use commercially reasonable efforts to seek court authorization to pay all post-petition fees as an administrative expense.
"Termination Fee" means the pro-rated portion of the total Service fee specified in the ordering SOS applicable to the period remaining in the then current Services Term as of the effective date of termination.

2. Services. CI will provide Customer the Services set forth in one or more SOS's, which the parties may enter into from time to time, for the term of such SOS. Each SOS, and any related exhibits, will provide additional terms and conditions specific to the Services described in such SOS.

3. At all times during the term of the SOS, Customer will provide to CI such access to Customer's technology infrastructure, including proprietary and licensed software and service programs and applications, and authorized personnel as specified in the SOS, the Documentation, and as CI may otherwise reasonably require to configure, integrate, enable, deliver and perform the Services set forth in the SOS. Customer will promptly obtain and provide to CI any required licenses, approvals, consents, permissions and credentials to Customer's facilities, systems, hardware, devices, software and services, as necessary for CI's timely access, performance and delivery of the Services.
Customer acknowledges and agrees (a) that CI's performance and delivery of the Services are at all times conditioned upon (i) Customer providing timely, secure and unencumbered access to Customer's authorized personnel, facilities, equipment, systems, hardware, software, devices, network and data, and (ii) Customer's timely decision-making and granting of approvals or permissions; and (b) that CI shall not be in breach of its Services obligations hereunder, or liable for any resulting loss, damage or injury, arising from or in any way related to Customer's failure to timely satisfy and perform the conditions to CI's performance herein specified.

4. CI Program License. Upon mutual execution of an SOS for delivery of CI Programs, upon payment of the fees set forth in such SOS and for the duration of the term of such SOS, Customer will have a nonexclusive, non-assignable (except as provided in …), non-sublicensable, royalty-free, worldwide limited right to access and use the CI Programs solely for Customer's internal business operations and subject to the terms of this Agreement. Only Customer's authorized personnel may access and use the CI Programs, and Customer is solely responsible for compliance with this Agreement by users accessing the CI Programs with Customer's credentials.

5. Ownership and Restrictions. Customer retains all ownership and intellectual property rights in and to Customer Data and, subject to payment of applicable Service fees, any Reports prepared by CI for Customer. CI irrevocably assigns and transfers to Customer all of its worldwide right and title to, and interest in, the Reports, including all associated copyright, patent, trade secret, trademark and any other intellectual property or proprietary rights ("Intellectual Property Rights").
Additionally, CI grants to Customer a non-exclusive, worldwide, royalty-free, irrevocable, perpetual, non-terminable, transferable, sublicensable license to all Intellectual Property Rights used in the creation of the Reports in order for Customer to exercise its rights in the Reports as contemplated by the applicable SOS. Without limiting the foregoing, (i) the Reports are "works made for hire" to the extent permitted by law, and (ii) CI will not assert, and otherwise waives, any "moral rights" in the Reports and CI hereby assigns all right, title and interest in such materials to Customer and agrees to reasonably assist Customer, at Customer's expense, to perfect such interest. Except for Reports provided to Customer as part of the Services, CI retains all ownership and Intellectual Property Rights in and to the Services, and in furtherance thereof, Customer may not:
a. Remove or modify any proprietary marking or notice of CI's proprietary rights;
b. Make any aspect of the Services available in any manner to any third party for commercial use by such party, unless such access is expressly permitted in a SOS;
c. Modify, make derivative works from, disassemble, reverse engineer or reverse compile any part of the Services (the foregoing prohibition includes, without limitation, review of data structures, signatures or similar materials produced by the Services), or access or use the Services in order to build or support, and/or assist a third party in building or supporting, products or services competitive to CI;
d. Except for Reports and as required by applicable law, disclose to any third party the results of any Service without CI's prior written consent;
e. License, sell, rent, lease, transfer, assign, distribute, display, host, outsource, disclose, permit timeshare or service bureau use, or otherwise commercially exploit or make the Services available to any third party other than as expressly authorized under this Agreement.

6. Exclusions.
Customer is solely responsible for any hardware, software and networking tools, devices and appliances that are not provided by CI pursuant to this Agreement. Customer's responsibilities include, without limitation, Customer systems installation, maintenance and administrator activities, software and application licensing requirements, conditions and related financial commitments. Customer is solely responsible, at Customer's expense, for establishing, maintaining, operating and regulating Customer's access to the Internet, including without limitation, all computer hardware and software and properly configured and installed systems, browsers, modems, access lines and distributed networks necessary to enable, maintain, monitor and control Customer's Internet access.

7. CI Assets. During the term of this Agreement, CI shall observe and maintain data, technical and physical systems and asset security, personnel practices, and continuous monitoring and maintenance protocols in respect to each of the foregoing, all in design, manner and practice consistent with then prevailing industry standards, to: (a) protect and maintain the integrity of (i) all Customer Data and Customer Confidential Information in CI's possession, and (ii) CI Assets, from unauthorized use, alteration, access, disclosure, damage or destruction; (b) detect, protect against and prevent a Security Breach; and (c) provide CI employees and agents the appropriate training necessary to maintain the confidentiality, security and physical integrity of (i) Customer Data and Customer Confidential Information in CI's possession, (ii) Critical Insight's Confidential Information, and (iii) the CI Assets. CI shall promptly notify Customer upon discovery of a confirmed Security Breach.

8. CI Programs Service Levels.
CI will use commercially reasonable efforts to achieve the minimum availability of the CI Programs set forth in the Documentation, not including the Excused Downtime, and CI will monitor the availability of its systems on a 24/7 basis.

9. Warranties, Disclaimers and Exclusive Remedies. CI warrants (i) that the CI Products will be performed in all material respects in accordance with the Service Documentation referenced in the ordering SOS, (ii) that the CI Programs shall be maintained and available at the service levels specified in Section 8 hereof, and (iii) that the CI Services will be performed in a good and workmanlike manner substantially in accordance with industry standards. If the Services provided to Customer for any given calendar month during the Services Term are not performed as warranted, Customer must provide written notice to CI no later than five (5) business days after the last calendar day of such month or, if different, as provided in the ordering SOS. CI DOES NOT GUARANTEE THAT THE SERVICES WILL BE PERFORMED ERROR-FREE OR UNINTERRUPTED, OR THAT CI WILL CORRECT ALL SERVICE ERRORS. CUSTOMER ACKNOWLEDGES THAT CI DOES NOT CONTROL THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING WITHOUT LIMITATION, THE INTERNET, AND THAT THE SERVICES MAY BE SUBJECT TO THE LIMITATION, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. IN ADDITION, DELIVERY OF THE CI SERVICES MAY BE CONTINGENT UPON THE ACCESS, SUPPORT AND COOPERATION OF CUSTOMER, WITHOUT WHICH SUCH SERVICES CANNOT BE PERFORMED. CI IS NOT RESPONSIBLE FOR, AND SPECIFICALLY DISCLAIMS LIABILITY FOR, ANY DELAYS, DELIVERY OR SERVICE FAILURES OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS AND CONDITIONS.
FOR ANY BREACH OF THE ABOVE WARRANTIES, CI WILL REMIT A SERVICE FEE CREDIT TO CUSTOMER EQUAL TO TEN PERCENT (10%) OF (A), IF FOR CI PRODUCTS, THE NET MONTHLY FEES FOR THE APPLICABLE CI PRODUCTS FOR THE MONTH IN WHICH THE BREACH OCCURRED; AND (B), IF FOR CI SERVICES, THE NET SERVICE FEE SET FORTH IN THE ORDERING SOS. THE CREDIT WILL BE APPLIED AS FOLLOWS: (X) FOR CI PRODUCTS, AT CUSTOMER'S SOLE ELECTION, (i) AS AN OFFSET AGAINST ACCRUED BUT UNPAID FEES THEN OWED TO CI, IF ANY, (ii) AS A CREDIT TOWARD RENEWAL TERM FEES, IF ANY, NEXT COMING DUE, OR (iii) AS A REFUND PAYMENT BY CI; AND (Y) FOR CI SERVICES, ONLY AS AN OFFSET TOWARD ANY ACCRUED BUT UNPAID FEES OWED TO CI FOR THE RELATED SERVICES, AND APPLICATION OR REMITTANCE, AS THE CASE MAY BE, OF SUCH CREDIT WILL REPRESENT CUSTOMER'S EXCLUSIVE REMEDY, AND FULL SATISFACTION OF CI'S SOLE LIABILITY, FOR ALL WARRANTIES SPECIFIED IN THIS AGREEMENT. EXCEPT AS SPECIFICALLY SET FORTH HEREIN, THE SERVICES, INCLUDING ANY REPORTS OR OTHER TANGIBLE OR INTANGIBLE ITEMS FURNISHED BY CI TO CUSTOMER, ARE PROVIDED ON AN "AS IS" BASIS WITH NO WARRANTIES OR REPRESENTATIONS OF ANY KIND. CI MAKES NO WARRANTY, EXPRESS OR IMPLIED, THAT THE SERVICES WILL RENDER CUSTOMER'S NETWORK AND SYSTEMS SAFE FROM MALICIOUS CODE, INTRUSIONS, OR OTHER SECURITY RISKS OR BREACHES OR THAT THE SERVICES WILL DETECT, REPORT OR NEUTRALIZE ALL SUCH MALICIOUS CODE, INTRUSIONS, SECURITY RISKS OR BREACHES. TO THE EXTENT NOT PROHIBITED BY LAW, THE FOREGOING WARRANTIES ARE EXCLUSIVE AND THERE ARE NO OTHER EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF ANY KIND, INCLUDING FOR HARDWARE, SOFTWARE, SYSTEMS, NETWORKS, ENVIRONMENTS OR SERVICES OR FOR MERCHANTABILITY, NONINFRINGEMENT, SATISFACTORY QUALITY AND FITNESS FOR A PARTICULAR PURPOSE.

10. Indemnities. a. CI Infringement Indemnity.
Subject to Section 10.c., CI will defend Customer in any suit or cause of action, and indemnify and hold Customer harmless against, and pay on behalf of Customer, any damages awarded to third parties in any such suit or cause of action (including reasonable attorneys' fees awarded to such third parties and settlement amounts) alleging that the CI Programs as provided by CI and used in accordance with the terms of this Agreement infringe upon any United States patent, copyright, trade secret, or other proprietary right of a third party, provided that, the foregoing infringement indemnity will not apply and CI will not be liable for any damages assessed in any suit or cause of action to the extent resulting from a Customer Infringement Exclusion. If any CI Program is held or believed to infringe on any third party's intellectual property rights, CI may, in its sole discretion, (i) modify the CI Program to be non-infringing, (ii) obtain for Customer a license to continue using such CI Program, or (iii) if neither (i) nor (ii) are commercially practical, terminate this Agreement as to the infringing CI Program and return to Customer any unearned fees paid by Customer to CI in advance. This Section 10.a. states CI's entire liability and Customer's exclusive remedies for infringement of intellectual property rights of any kind.

b. Customer Infringement Indemnity. Subject to Section 10.c., Customer will defend CI in any suit or cause of action, and indemnify and hold CI harmless against, and pay on behalf of CI, any damages awarded to third parties in any such suit or cause of action (including reasonable attorneys' fees awarded to such third parties and settlement amounts) alleging infringement upon any United States patent, copyright, trade secret, or other proprietary right of a third party, to the extent that any such suit or cause of action results from an allegation of a Customer Infringement Exclusion.
This states Customer's entire liability and CI's exclusive remedies for infringement arising from a Customer Infringement Exclusion.

c. Indemnity Conditions. The indemnities set forth in this Agreement are conditioned upon the following: (i) the indemnitee ("Indemnitee") promptly notifies the indemnitor ("Indemnitor") in writing of such suit or cause of action, provided, that, any failure by Indemnitee to so promptly notify Indemnitor will not serve to reduce or forfeit an Indemnitee's rights hereunder unless and only to the extent such failure prejudices the rights and remedies of Indemnitor in respect to such suit or proceeding, (ii) the Indemnitor controls any negotiations or defense and the Indemnitee assists the Indemnitor as reasonably required by the Indemnitor, and (iii) the Indemnitee takes all reasonable steps to mitigate any potential damages that may result.

11. Term and Termination. a. Services under this Agreement shall be provided for the initial Services Term set forth in the ordering SOS. Unless CI receives written notice from Customer at least sixty (60) days prior to the expiration of the then current Services Term, the SOS and related Services shall automatically renew for successive renewal Services Terms of one (1) year each. The initial term of the Services and any renewal term thereof are, herein, the "Services Term". Upon expiration or earlier termination of the Services Term, (i) if CI Services, all obligations of CI to perform and deliver, and all rights of Customer to receive, the CI Services, including the CI Services listed on the ordering SOS, shall end, (ii) if CI Products, all rights of Customer to access and use, and all obligations of CI to enable and provide, the CI Products, including the CI Products listed in the ordering SOS, shall end, and (iii) if no ordering SOS is then in effect, the term of this Agreement shall contemporaneously terminate or expire, as applicable. b.
If either party breaches a material term of the Agreement and fails to cure the breach within thirty (30) calendar days of delivery by the non-breaching party of written notice of breach and demand for cure thereof, then the breaching party is in default and the non-breaching party may without further notice to the breaching party immediately terminate the then current SOS. If CI terminates the SOS and related Services Term as specified in the immediately preceding sentence, Customer shall pay to CI all accrued but unpaid fees, if any, for the period prior to the effective date of termination, plus, as a non-exclusive remedy, an amount equal to the fees payable for the balance of the then current Services Term following the termination date as liquidated damages. In addition to the foregoing, any then current SOS will automatically terminate in the event of a Termination Event. c. In addition, CI may immediately suspend the Services under the ordering SOS, including without limitation and if applicable, Customer's passwords, account and access to and use of the CI Products (i) if Customer fails to pay CI as required under this Agreement and fails to cure the non-payment within the first ten (10) calendar days of the above-noted 30-day cure period, or (ii) if Customer violates any provision of Sections 4, 5 or 13 hereof. Any suspension by CI of the Services under this Section 11.c. shall not excuse Customer from its continuing obligation to make payment(s) under the ordering SOS. d. Sections 1, 5, 8, 9, 10 and 12-16 shall survive termination or expiration of this Agreement.

12. Fees, Expenses, Taxes and Invoicing. a. Customer shall pay the fees for the Services ordered as set forth in the ordering SOS.
All fees due under this Agreement are non-cancelable and payments thereof are non-refundable. Customer shall reimburse CI for actual and reasonable expenses incurred by CI in performing the Services (i) only on a pass-through basis without markup, and (ii) only if preapproved by Customer in the ordering SOS or similar writing. Fees and expenses, if any, listed in a SOS are exclusive of taxes. Customer is responsible for payment of any sales, value-added or similar taxes imposed by applicable law for the Services ordered by Customer, except for taxes based on CI's income. b. Commencing the initial renewal Services Term (if any) and on an annual basis thereafter, all fees shall be subject to adjustment, in CI's sole reasonable discretion, in an amount not to exceed the greater of (i) the change in the CPI-All Urban Consumers for the immediately preceding annual period, and (ii) 5%. c. Unless otherwise specified in the ordering SOS, (i) fees for CI Products are payable in advance on an annual basis, and (ii) fees for CI Services are payable in arrears on a monthly basis. In each instance payment is due within thirty (30) calendar days from the invoice date. Late payments shall accrue interest at the lesser of (i) 12% per annum, and (ii) the highest statutory rate, from the payment due date until paid in full. In the event of Customer's termination of a SOS for any reason prior to expiration of its stated Services Term, CI shall be entitled to receive, and Customer shall pay on demand, as an early termination fee and not a penalty, the Termination Fee. In the event Customer's past due account is submitted to an attorney or collections service for recovery, CI shall be entitled to recover the cost of collection, including reasonable attorneys' fees, in addition to all past due amounts. The rights and remedies set forth in this Section 12 are in addition to any other legal, equitable and contractual rights and remedies available to CI.

13. a.
The receiving party will use Confidential Information of the disclosing party solely for the purposes of performing its obligations under the Agreement. The receiving party will not disclose or make Confidential Information of the disclosing party available to any third party, except as specifically authorized by the disclosing party in writing. Upon the disclosing party's written request, the receiving party will promptly return to the disclosing party all of its Confidential Information, or certify in writing signed by an authorized representative that it has destroyed all such materials; provided that, in no event will the receiving party be obligated or required to amend, modify or destroy back up media and systems maintained in the ordinary course of business and designed in a manner to prevent the unauthorized access to or use of the data stored on such media and systems. Neither party will disclose to the other party or use in performance of its obligations hereunder any information, data, materials, or documents of a third party considered confidential or proprietary without the written authorization of such third party. Each party may disclose Confidential Information of the other party when compelled to do so by law if it provides, where legally permissible, reasonable prior notice to such other party. In furtherance of the foregoing, CI shall require each of its employees and agents providing any aspect of the Services hereunder to execute a confidentiality agreement incorporating confidentiality and non-use provisions consistent with, and no less restrictive than, the requirements of this Section 13.a. b.
At all times during the Services Term, CI shall maintain reasonable and appropriate safeguards, security measures and protocols, which in no event shall be less effective than industry-standard safeguards, security measures and protocols, designed to (i) reasonably protect Customer's Confidential Information in CI's possession or control from unauthorized use, alteration, access or disclosure; and (ii) detect and prevent a breach of such safeguards, security measures and protocols by any unauthorized party. c. Notwithstanding the foregoing, CI may use the Customer's information for purposes other than the performance of the Services but only in an aggregated, anonymized form, such that Customer is not identified, and Customer will have no ownership interest in such aggregated, anonymized data.

14. Limitation of Liability. WITHOUT LIMITING ANY INDEMNIFICATION OBLIGATIONS OF A PARTY UNDER SECTION 10 OF THIS AGREEMENT OR (EXCEPT AS EXPRESSLY PROVIDED OTHERWISE BELOW) THE LIABILITY OF A PARTY FOR ANY BREACH OF ITS OBLIGATIONS UNDER SECTION 13 OF THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL (A) EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, OR CONSEQUENTIAL LOSSES OR DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES), WHETHER OR NOT SUCH PARTY WAS ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE AND (B) A PARTY'S TOTAL LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE NATURE OF THE CLAIM, EXCEED THE AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER UNDER THIS AGREEMENT FOR THE SERVICES DURING THE TWELVE (12)-MONTH PERIOD IMMEDIATELY PRIOR TO THE EVENT, ACT OR OMISSION GIVING RISE TO SUCH LIABILITY, EXCEPT THAT WITH REGARD TO LIABILITY OF A PARTY FOR BREACH OF ITS OBLIGATIONS UNDER SECTION 13 OF THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY'S CUMULATIVE LIABILITY EXCEED THE LESSER OF (X) THE TOTAL CONTRACT PRICE OF THE APPLICABLE SOS, OR (Y) TWO HUNDRED AND FIFTY THOUSAND DOLLARS ($250,000). THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE.

15. Export. Export laws of the United States and any other related local laws and regulations may apply to the Services. Such laws govern Customer's use of the Services and any data provided by CI to Customer under this Agreement, and Customer shall comply with all such laws and regulations. No data, information, software programs and/or other materials resulting from the Services will be exported, directly or indirectly, in violation of these laws, or will be used for any purpose prohibited by these laws.

16. General. a. Force Majeure. Neither party shall be liable to the other party or deemed to be in default for any delay or failure in performance of any obligation under the Agreement or interruption of any Service resulting, directly or indirectly, from acts of God, civil or military authority, acts of the public enemy, acts of terrorism, acts of third parties over whom the party has no control, war, riots, civil disturbances, insurrections, accidents, fire, explosions, earthquakes, floods, epidemics, pandemics, the elements or any other similar cause beyond the reasonable control of such party. b. Audit. CI may audit, at its own expense, Customer's user logs and related data for the purpose of determining Customer's compliance with the terms of this Agreement, including any then operative SOS. Audits shall be conducted by CI or its designee and shall be limited to records from the Effective Date of the ordering SOS to the month of the audit. CI shall be limited to one (1) audit per twelve (12) consecutive calendar month period. CI shall give ten (10) business days prior written notice of its intention to perform an audit.
If any audit reveals non-compliance by Customer of any material term of the Agreement, then (i) Customer shall promptly initiate and prosecute to completion any remedial action required to cure such non-compliance, provided such non-compliance is reasonably subject to cure, and (ii) if the non-compliance is a variance of 5% or more in the total count of network users upon which Customer's then-current annual subscription fee is based, then CI may adjust the annual subscription fee specified in the ordering SOS for the period then remaining in the Services. In addition, if any audit reveals actual network users exceeding contracted network users by 5% or more, then Customer shall pay CI for all underpayments, plus interest, and shall reimburse CI for the reasonable cost of the audit. c. Notice. Except as provided herein, any notice, approval or consent required or permitted hereunder shall be: (i) in writing; (ii) delivered by (A) hand or by overnight courier service, or (B) electronic mail to the respective addresses of the parties as set forth in the ordering SOS (or such other address a party may designate in writing); and (iii) effective upon actual delivery if by hand or courier service (or upon attempted delivery if receipt is refused), or upon electronic confirmation of successful delivery if by email. d. Integration; Waiver. This Agreement, including any SOS, Documentation, exhibit, document or information or policy accessed by referenced URL, is the complete agreement for the Services ordered by Customer, and supersedes all prior or contemporaneous agreements, representations and understandings, written or oral, regarding such Services. If any provision of this Agreement shall be judicially determined to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the Agreement shall otherwise remain in full force and effect and enforceable.
A party's rights, obligations and restrictions hereunder may not be waived except in a writing signed or digitally accepted by an authorized representative of each party. e. Assignment. No right or obligation under the Agreement (including the obligation to pay or right to receive monies due) may be assigned, delegated or subcontracted by a party without the prior written consent of the other party, and any purported assignment without such consent shall be void. f. Controlling Law. This Agreement shall be construed in accordance with the laws of the State of Washington without regard to its principles of conflict of laws. The exclusive jurisdiction and venue of any action relating to this Agreement shall be the Superior Court of Washington for the County of King or the United States District Court for the Western District of Washington and each party hereto submits itself to the exclusive jurisdiction of such courts and waives any argument relating to the convenience of forum. The rights and remedies herein provided are in addition to those available to either party at law or in equity. g. Customer Reference. CI may use Customer's name and logo to identify Customer as a CI customer on CI's website and in other marketing materials so long as Customer's name and logo do not appear with greater prominence than CI's other customers. h. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed to be an original as against any party whose signature appears thereon, and all of which shall together constitute one and the same instrument. A faxed, pdf or electronic signature shall have the same legally binding effect as an original signature. i. Modification. This Agreement and any SOS may not be changed, altered or modified except in a writing signed by an authorized representative of each of the parties hereto.

IN WITNESS WHEREOF, the parties have executed this Agreement effective as of ______ (the "Effective Date").

CRITICAL INSIGHT, INC.
Title: CEO

CITY OF YAKIMA
By: [signature]
Print: [illegible]

STATEMENT OF SERVICE

Critical Insight
Email: [illegible]
Phone: 206-307-8035

Quote Date: 11/11/2021
Quote Expiration: 11/29/2021

Bill To:
Name: John Carney
Company: City of Yakima
Street Address: 129 N. 2nd Street
City, State, Zip: Yakima, WA 98901
Phone: 509-249-6804

Ship To:
Name: John Carney
Company: City of Yakima
Street Address: 129 N. 2nd Street
City, State, Zip: Yakima, WA 98901
Phone: 509-249-6804

Contract Name: OMNIA Partners - Cyber Security Solutions and Associated Products & Services
Contract #: R200803

Service Code | Description | Quantity | MSRP | Discount | Extended
CI-MDR-Service | Managed Detection and Response (MDR) | 1 flat | $12,000.00 | 20% | $9,600.00
CI-MDR-User-Network | MDR Network Users | 500 network seat user(s) | $60,000.00 | 20% | $48,000.00
CI-P: CI-C-1U-R010-010-03 | 1U Collector, 3 disk(s), RJ45 10G connector | 1 unit(s) | $5,076.00 | 20% | $4,060.80
CI-CVI-Service | Continuous Vulnerability Identification (CVI) | 1 flat | $3,000.00 | 20% | $2,400.00
CI-CVI-Node | CVI Nodes | 1 node(s) | $4,800.00 | 20% | $3,840.00
CI-P-MCAS | Adaptor for MCAS | 1 environment(s) | $2,400.00 | 20% | $1,920.00
Subtotal | | | $87,276.00 | | $69,820.80

Initial Invoice | MSRP | Extended
Per Billing Period (12 months) | $87,276.00 | $69,820.80
Platform Setup Fee | $2,455.20 | $1,964.16
*Estimated Sales Tax (8.30% estimated rate) | $1,222.69 | $978.15
Invoice | $90,953.89 | $72,763.11

Per Billing Period (6 months) | $0.00 | $0.00
Platform Setup Fee | $0.00 | $0.00
*Estimated Sales Tax (8.30% estimated rate) | $0.00 | $0.00
Invoice | $0.00 | $0.00
This Statement of Service ("SOS"), effective as of the date of the signature of the last party to sign (the "Effective Date") is subject to the Critical Insight Master Services Agreement, dated as of ______, the Critical Insight Description of Service attached here as Exhibit A, and any other Exhibits, Attachments or Amendments hereto, which are each incorporated herein by reference, and which together with this SOS constitute the "Agreement". Unless otherwise provided in this SOS, capitalized terms herein shall be as defined elsewhere in the Agreement. The terms of this Agreement constitute the final expression of the parties' binding understanding in respect to the subject matter hereof and supersede all prior or contemporaneous agreements, representations and understandings, written and oral, in respect to same. Customer acknowledges that it has read the Agreement and agrees to be bound by its terms.

• The term of this SOS is one (1) year(s), commencing the Effective Date hereof, which upon expiration shall automatically renew for successive annual renewal terms, not to exceed four (4) years, until terminated as provided in the Master Services Agreement.
• Billing shall be based on Critical Insight reporting. Critical Insight and Customer shall reconcile in good faith any discrepancies in their respective tracking records, provided Critical Insight's reporting shall control in the event of an irreconcilable discrepancy.
• Customer shall be invoiced on an annual basis in advance.
• The first invoice shall be issued thirty (30) days following the Effective Date.
• Payment of invoiced amounts due no later than thirty (30) calendar days from date of invoice.
• Pricing is based on the OMNIA Partners - Cyber Security Solutions and Associated Products & Services Contract #R200803.

After the initial one (1) year term, Customer may, upon not less than thirty (30) days prior written notice, for any reason, terminate.
The Termination option is available to and may be exercised by Customer only if Customer is not then in breach of its obligations under the Agreement. Upon such termination, Customer shall have no obligation to pay Service fees for the period in the original term remaining following the Effective Date, provided, the Customer cooperates with CI in good faith to promptly stand down any then current integration activities, return to CI any documentation and other proprietary property of CI and allow CI personnel to remove any computer hardware provisioned on Customer's systems.

CI agrees to indemnify, defend, and hold harmless the City, its elected and appointed officials, officers, employees, agents, representatives, insurers, attorneys, and volunteers from all liabilities, losses, damages, and expenses related to all claims, suits, arbitration actions, investigations, and regulatory or other governmental proceedings arising from or in connection with the acts, failures to act, errors or omissions of CI, or any agent or subcontractor of CI, in performance of this Agreement, except for claims caused by the City's sole negligence. The City's right to indemnification includes reasonable attorney's fees and costs associated with establishing the right to indemnification hereunder in favor of the City.

CI shall provide professional liability coverage for technology errors & omissions covering liabilities arising from errors and omissions in rendering or failure to render its professional services under this Agreement and related SOW's, including without limitation, any computer, technology, data security or Internet professional services. Liability coverage is to include libel, slander, defamation, infringement of copyright, trademark, trade dress, software code, and invasion of privacy. The limits of liability on such coverage shall be a minimum of $2,000,000 per occurrence with an annual aggregate of $5,000,000.
Coverage territory shall be worldwide. CI shall provide the City a certificate of insurance reflecting said coverage and an additional insured endorsement naming the City, its elected and appointed officials, employees, agents, attorneys and volunteers as additional insureds. Upon receipt from the City of a fully executed Agreement and nondisclosure agreement, CI shall, within five ...

Check one of the following:
[ ] Purchase Order Required
[ ] Purchase Order Not Required

Customer Signature: [signature]
Title: City Manager
Date: [illegible]
CITY CONTRACT NO:
RESOLUTION NO:

Critical Insight, Inc.
DocuSigned by: [signature]
Name: Garrett Silver
Title: CEO
Date: 11/16/2021

Billing Contact Name: [illegible]
City, State, Zip: Yakima, WA 98901
Billing Contact Phone: 509.575.6003

EXHIBIT A

ALL COMMERCIALLY AVAILABLE PRODUCTS OFFERED BY CRITICAL INSIGHT TO CUSTOMERS ARE DETAILED IN THIS DESCRIPTION OF SERVICES. "GENERALLY AVAILABLE" PRODUCTS ARE SUBJECT TO THE SERVICE LEVEL COMMITMENTS OR "SLA's" SET FORTH ON PAGE 8 HEREOF. PRODUCTS LISTED AS "ALPHA" OR "BETA" ARE NOT SUBJECT TO ANY SLA's. ALPHA/BETA PRODUCTS ARE PROVIDED 'AS IS' WITH NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. CI SHALL USE COMMERCIALLY REASONABLE EFFORTS TO SUPPORT ALPHA AND BETA PRODUCTS ONLY ON AN 'AS AVAILABLE' BASIS.

Critical Insight Platform (CI-P)

The provisioning process to set up the ingest capabilities for each platform varies depending on the monitoring platform:
• On Premises Collectors:
  o Deliver and install or provide instruction for installation of the Critical Insight Collector (CIC) on Customer premises and verify operation
  o Share provisioning instructions for any other specified data sources
• Cloud - AWS:
  o Determine from the list of CI approved sources which services Customer intends for Critical Insight ("CI") to monitor and provide relevant provisioning instructions
• Microsoft - MCAS, Defender (Azure Cloud or Endpoint):
  o Provide relevant provisioning documentation for Graph API or MCAS

Platform: Each platform has unique data streams and CI has approved specific data streams for ingest and monitoring. Data types not listed here may not yet be approved. The following list details the CI-approved data streams, which include but are not limited to (inquire for specifics as needed):
• On-premises customers
  o Specific intrusion-detection event streams
  o Specific device, server, infrastructure, and application logs
  o Continuous onsite packet collection for network segments specified by Customer
    - CI will generate flow records from collected packets
    - CI ephemerally stores packets for a period limited by the storage capacity of the customer's chosen collectors
• Microsoft Defender (Azure Cloud and/or Endpoint) and MCAS Customers
  o Event streams, e.g. Graph API SecurityEvents or MCAS (Required)
• AWS
  o GuardDuty Event Streams (Required)
  o CloudTrail Audit Logs (Required)
  o VPC Flow Records
  o WAF Logs

Managed Detection and Response (CI-MDR)

Activation:
• On-Premises Collector Activation:
  o Verify acquisition of NetFlow, named log sources, packet capture
  o Verify network scope of packet capture
  o Verify transmission of event data and correct ingestion into Critical Insight analytics engine
  o Verify ability to perform extract of packet capture for investigation
• AWS Activation:
  o CloudTrail
    - Customer verifies successful delivery of CloudTrail logs into the accessible resource determined in provisioning
    - CI Operations verifies that CI can access Customer's CloudTrail logs and that CI is successfully pulling data from that location
    - CI Operations verifies that CloudTrail information is formatted as expected
  o VPC Flows (via CloudWatch)
    - CI Operations verifies that Customer has granted CI access to the selected CloudWatch Streams
    - CI Operations verifies that CI is successfully pulling data from those streams
    - CI Operations verifies that CloudWatch information is formatted as expected
  o SecurityHub - GuardDuty (GD)
    - CI Operations confirms that GD data is available in CloudWatch
    - CI and Customer execute default AWS GD "Generate Sample Findings" test
    - CI Operations verifies that Sample Findings generate expected alerts
  o AWS WAF (via Kinesis Firehose)
    - CI Operations verifies that Customer has granted CI access to the correct source for WAF records
    - CI Operations verifies that CI is successfully pulling WAF records
    - CI Operations verifies that WAF records are formatted and flowing as expected
  o Verify transmission of any Customer data into CI's corporate analysis systems, SOC dashboards and ticketing
• Azure and Microsoft Defender ATP Activation:
  o Graph API
    - Customer verifies successful delivery of data from the selected services into the Graph API
    - CI Operations verifies that CI can access the specified data and that CI is successfully pulling it
    - CI Operations verifies that incoming data is structured as expected and synthetically generated customer events are generating tickets
  o Verify transmission of any Customer data into CI's analysis systems
• MCAS Activation:
  o CI Operations ensures successful delivery of MCAS feed from Customer to CI's analysis systems
CI monitors delivery of data streams on an automated basis as available, and will also perform periodic manual reviews.

Upon successful activation of specified platforms, CI will ingest any approved data streams, specified in the 'Platform' section, and will elevate alerts from those streams for review, as appropriate. CI analysts review approved data streams for indicators of compromise which include but are not limited to:
• Alerts linked to Poor Reputation IPs or Domains
• Command and Control connections
• Anomalous or suspicious alert patterns
• Sudden shifts in the volume of key activities
• Event correlation with regional, sector, or global campaigns

Response:
• Investigation ticket created and assigned to Critical Insight Analyst with a goal to conclude the investigation within the specified SLA (see SLA agreement)
• Analysts investigate and attempt to confirm an incident has occurred by analyzing relevant and available data
  o For on-premises customers, "relevant data" refers to the packet capture, network flows and system logs from 30 seconds prior to until 30 seconds after the suspect activity in standard investigations. When warranted, the time period may expand.
• For AWS, Azure, Microsoft Defender, or MCAS customers, Managed "relevant data" refers to any data that the customer sends Detection and CI from Customer's native AWS, Azure, Defender, or MCAS Response systems (CI -MDR) Confirmation occurs when evidence of attack or compromise is verified by a Cl Analyst • For all confirmed incidents, notify customer within 30 minutes of incident verification • For urgent or high severity incidents, a final Incident Action Plan will be delivered to Customer at the time that all related tickets are closed. The report will include: • Summary of incident • Summary of any confirmed actions taken (by Cl and/or Customer) • Final status and/or resolution LJUL,UOIY I IF-[ I vtnupc I LJ. U')OF I L) I Critical Insight STATEMENT OF SERVICE Monthly Activity Report: Published by the 15th of month • Security Events Generated • Investigations Completed • Confirmed Severe Incidents (IAPs Issued) • Security events to include: • Intrusion detection signatures • Reputation matches • Anomalous traffic identification • Threat hunting findings • Additional detail for critical assets and highest volume events • Automatically conducts internal network vulnerability scans at Customer -defined frequencies and IP scopes(s) • Identifies insecure configurations, open ports and services, vulnerable software/service versions) and missing patches Continuous * Generates reports with steps to eliminate each vulnerability, as well Vulnerability as risk via CUSS scores to allow prioritization of remediation efforts Identification • Populates a web dashboard to view statistics, visualizations, and (CI-CVI) results o Tabular Results * Graphical representation of time -based trends for newly identified vulnerabilities and for remediated vulnerabilities • CI saves logs as indicated by Customer • CI hashes and encrypts logs to enable Customer to verify that they Log Retention are secure and unchanged (Cl-LR) • CI will gather and return logs according to search criteria 
(limited to source and date) specified by Customer, when requested LluuuolyII CI IYC1UPC IL. VJJr I:! IJ'V:J.7O-4.7:!/'1'M000-:JV VYGGJOI. J/'1G CriticalCCL •' • rOMOMIMIGESOUREM An urgent priority security incident is a network event or set of network events that is believed to present a serious and immediate risk to the Customer's network environment. Cl will contact the Customer (contact on file) via phone and email to attempt resolution. Examples of urgent priority security incidents include: ;• Suspected account compromise with account misuse observed Urgent • Customer security device has alerted Cl to a likely compromise that has been verified using other MDR data/tools with no evidence the security device has mitigated the incident • Suspected malware infection with evidence of immediate business impact • Communications observed with a suspected malicious host with evidence of data exfiltration or immediate business impact • Regulated data seen unencrypted going to an external destination A high priority security incident is a network event or set of network events that is believed to present a risk to the Client's network environment. Cl will contact the Customer (contact on file) via phone and email to attempt resolution. Examples of high priority security incidents include: High I e Suspected or potential account compromise with no misuse observed • Suspected malware infection with evidence of malware spreading but no evidence of immediate business impact • Suspected or potential system compromise with no evidence of misuse • Reaulated data seen unencrvgted between two internal A medium priority security incident is a network event or set of network events that may be a risk to the Client's network environment and may inform future customer actions. Cl will contact the Customer (contact on file) via email to Medium attempt resolution. 
Examples of medium priority security incidents include:
• Attempted account compromise with no evidence of success
• Suspected malware infection with no evidence of malware spread or immediate business impact

245 4th Street, Suite 405, Bremerton, WA 98337 | https://criticalinsight.com | 206.687.9100

Low
A low priority security incident is a network event or set of network events that is not believed to represent an immediate risk to the Client's network environment but does warrant awareness and investigation. CI will contact the Customer (contact on file) via email to attempt resolution. Examples of low priority security incidents include:
• Potentially unwanted program observed
• Other issue that is not an immediate security threat observed

Critical Insight, Critical Informatics and the Critical Insight logo are the trademarks of Critical Insight, Inc. ©2021 Critical Insight, Inc. All rights reserved.

Service | Description | Service Level | Credit
Platform (CI-P) | Collect, normalize, store, transmit, and retain security event data | 99.9% uptime in a given month for the Critical Insight Collector while client network is functional | 2% of Monthly Fee
Platform (CI-P) | Maintenance of Critical Insight Collector | Replacement devices shipped within 3 business days of failure | 2% of Monthly Fee
Managed Detection and Response (CI-MDR) | Evaluate security alerts and determine if they are false positives or actual incidents | 99% of events escalated to analyst for review in a given month evaluated within 90 minutes | 2% of Monthly Fee
Managed Detection and Response (CI-MDR) | Incident Reporting and Remediation Follow-ups | (not legible in source) | 2% of Monthly Fee
Continuous Vulnerability Identification (CI-CVI) | Scheduled vulnerability scanning of customer's network; report upload of scan results | (not legible in source) | (not legible in source)

Certificate Of Completion
Envelope Id: 033Fl5l3659B495AA8885004EE58C3AE
Status: Completed
Subject: Please DocuSign: City of Yakima CI Security_MSA 030721.pdf, City of Yakima_Critical Insight SOS—IFINA
Source Envelope:
Document Pages: 18
Certificate Pages: 4
Signatures: 2
Initials: 0
AutoNav: Enabled
Envelope Id Stamping: Enabled
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Envelope Originator: Lori Nguyen, 245 4th Street, Suite 205, Bremerton, WA 98337, Lori.Nguyen@criticalinsight.com
IP Address: 64.207.219.137

Record Tracking
Status: Original, 11/16/2021 2:57:19 PM
Holder: Lori Nguyen, Lori.Nguyen@criticalinsight.com
Location: DocuSign

Signer Events | Signature | Timestamp
Garrett Silver, garrett.silver@criticalinsight.com
Signer: Garrett Silver, CEO, Critical Insight, Inc.
Sent: 11/16/2021 2:59:40 PM
Viewed: 11/16/2021 3:00:00 PM
Signed: 11/16/2021 3:00:50 PM
Security Level: Email, Account Authentication (None)
Signature Adoption: Drawn on Device
Using IP Address: 71.212.126.225
Electronic Record and Signature Disclosure: Accepted: 11/16/2021 3:00:00 PM, ID: 38Ob869c-el5b-48bc-839b-dc3cl7d69Od7

In Person Signer Events, Editor Delivery Events, Agent Delivery Events, Intermediary Delivery Events, Certified Delivery Events, Carbon Copy Events, Witness Events, Notary Events: no entries

Envelope Summary Events | Status | Timestamps
Envelope Sent | Hashed/Encrypted | 11/16/2021 2:59:40 PM
Certified Delivered | Security Checked | 11/16/2021 3:00:00 PM
Signing Complete | Security Checked | 11/16/2021 3:00:50 PM
Completed | Security Checked | 11/16/2021 3:00:50 PM

Payment Events | Status | Timestamps: no entries

Electronic Record and Signature Disclosure
Parties agreed to: Garrett Silver

ELECTRONIC RECORD AND SIGNATURE DISCLOSURE

From time to time, Critical Informatics Inc. dba CI Security (we, us or Company) may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please confirm your agreement by selecting the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE' within the DocuSign system.

Getting paper copies
At any time, you may request from us a paper copy of any record provided or made available electronically to you by us.
You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time [text illegible in source] send you paper copies of any such documents from our office to you, you will be charged a per-page fee. You may request delivery of such paper copies from us by following the procedure described below.

Withdrawing your consent
If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosures in paper format and withdraw your consent to receive notices and disclosures electronically is described below.

Consequences of changing your mind
If you elect to receive required notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. Further, you will no longer be able to use the DocuSign system to receive required notices and consents electronically from us or to sign electronically documents from us.

All notices and disclosures will be sent to you electronically
Unless you tell us otherwise in accordance with the procedures described herein, we will provide electronically to you through the DocuSign system all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us. Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process, please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us.

How to contact Critical Informatics Inc. dba CI Security:
You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows:
To contact us by email send messages to: lori.nguyen@ci.security

To advise Critical Informatics Inc. dba CI Security of your new email address
To let us know of a change in your email address where we should send notices and disclosures electronically to you, you must send an email message to us at lori.nguyen@ci.security and in the body of such request you must state: your previous email address, your new email address. We do not require any other information from you to change your email address. If you created a DocuSign account, you may update it with your new email address through your account preferences.

To request paper copies from Critical Informatics Inc. dba CI Security
To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an email to lori.nguyen@ci.security and in the body of such request you must state your email address, full name, mailing address and telephone number. We will bill you for any fees at that time, if any.

To withdraw your consent with Critical Informatics Inc. dba CI Security
To inform us that you no longer wish to receive future notices and disclosures in electronic format you may: select the check-box indicating you wish to withdraw your consent, or you may send us an email to lori.nguyen@ci.security and in the body of such request you must state your email, full name, mailing address, and telephone number. We do not need any other information from you to withdraw consent. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.

Acknowledging your access and consent to receive and sign documents electronically
To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosures that we will provide to you, please confirm that you have read this ERSD, and (i) that you are able to print on paper or electronically save this ERSD for your future reference and access; or (ii) that you are able to email this ERSD to an email address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format as described herein, then select the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE' within the DocuSign system.

By selecting the check-box next to 'I agree to use electronic records and signatures', you confirm that:
• You can access and read this Electronic Record and Signature Disclosure; and
• You can print on paper this Electronic Record and Signature Disclosure, or save or send this Electronic Record and Disclosure to a location where you can print it, for future reference and access; and
• Until or unless you notify Critical Informatics Inc. dba CI Security as described above, you consent to receive exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you by Critical Informatics Inc.
dba CI Security during the course of your relationship with Critical Informatics Inc. dba CI Security.

CM-Signature-Transmittal - CI Security
Final Audit Report 2021-11-17
Created: 2021-11-17
By: Jennifer Tippett (jennifer.tippett@yakimawa.gov)
Status: Signed
Transaction ID: CBJCHBCAABAAvkUW—GAyj4pdalbTndZ7lx5VWbiDYOD

"CM-Signature-Transmittal - CI Security" History
• Document digitally presigned by DocuSign, Inc. (enterprisesupport@docusign.com), 2021-11-16 - 11:01:20 PM GMT
• Document digitally presigned by Alejandra Rodriguez (alejandra.rodriguez@yakimawa.gov), 2021-11-16 - 11:28:46 PM GMT
• Document created by Jennifer Tippett (jennifer.tippett@yakimawa.gov), 2021-11-17 - 0:12:11 AM GMT
• Document emailed to Jennifer Ferrer-Santa Ines (jennifer.ferrer@yakimawa.gov) for signature, 2021-11-17 - 0:13:07 AM GMT
• Email viewed by Jennifer Ferrer-Santa Ines (jennifer.ferrer@yakimawa.gov), 2021-11-17 - 0:13:16 AM GMT
• Document e-signed by Jennifer Ferrer-Santa Ines (jennifer.ferrer@yakimawa.gov); Signature Date: 2021-11-17 - 0:13:36 AM GMT; Time Source: server
• Agreement completed, 2021-11-17 - 0:13:36 AM GMT

Adobe Sign

PLATFORM MIGRATION ADDENDUM (MSA)

THIS PLATFORM MIGRATION ADDENDUM ("Addendum"), effective as of [handwritten date, illegible] ("Effective Date"), sets forth the understanding between Critical Insight, Inc. ("CI") and [handwritten, illegible] ("Company") in relation to certain aspects of the Services under the Master Services Agreement and related Statement of Services executed by the parties, including any amendments, modifications and attachments to any of the foregoing (collectively the "Agreement"). Capitalized terms not otherwise defined in this Addendum shall have the meaning assigned to them in the Agreement.

A. CI has obtained access to the use of certain third-party software and solutions (together, "Additional Solutions") from third parties (together, "Third Party Providers") to support and extend certain features of the Services, thereby broadening and deepening Service capabilities and feature sets available to CI's customers, generally; and

B. CI desires to integrate the Additional Solutions into the Services CI performs on behalf of Company, and Company desires to obtain the benefit of the Services, as enhanced by the Additional Solutions, all as provided in this Addendum.

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, CI and Company agree as follows:

1. Definitions.
a. The definition of "CI Assets" in Section 1.c. of the Agreement is deleted in its entirety and replaced with the following: "CI Assets" means all computer hardware, software, networking tools and equipment, appliances and devices owned, operated or licensed by CI that are deployed or engaged in performance, in whole or part, of the Services, including any Appliance(s) provided to Customer in connection with the Services.
b. The definition of "CI Programs" in Section 1.e. of the Master Services Agreement is deleted in its entirety and replaced with the following: "CI Programs" means the Critical Insight® monitoring software programs and applications, Additional Solutions, designs, inventions, source code, tools, patches, updates and new versions to any of the foregoing, user ID's, user interfaces, tokens, passwords and portals licensed to Customer by CI as part of the CI Products but excludes custom programs, if any, developed by CI for Customer.

2. Indemnification. The indemnification obligations of CI pursuant to Section 10 of the Agreement shall apply to the CI Programs as defined in this Addendum.

3. Third Party Provider Rights. The Third Party Providers of the Additional Solutions shall be entitled to rely upon, shall each be an express beneficiary of, and shall be entitled to enforce, the provisions of the Agreement, including without limitation, Sections 9, 10, 13, 14 and 16.

4. Integration. Except as modified by this Addendum, the terms and conditions of the Agreement remain in full force and effect. Upon execution of this Addendum, the term "Agreement" means the Agreement, as modified by this Addendum.

[SIGNATURE PAGE FOLLOWS]

IN WITNESS WHEREOF, the parties have executed this Addendum as of the Effective Date.

CRITICAL INSIGHT, INC.
By: [signature]
Garrett Silver, CEO

COMPANY:
By: [signature]
Print: [illegible]
Title: [illegible]

CITY CONTRACT NO: 416
RESOLUTION NO:

[SIGNATURE PAGE TO ADDENDUM]