Vulnerability Management Statement of Work
Purpose
The purpose of this statement of work is to establish agreement regarding the EITS Information Security (InfoSec) Vulnerability Assessment Service provided to the Client. InfoSec shall utilize a number of tools, including but not limited to Rapid7's NeXpose, Nmap, and Nessus, to perform a vulnerability assessment of the Client's systems.
Vulnerability assessments may be conducted to:
- Assist the Client in ensuring the integrity, confidentiality and availability of information and resources.
- Investigate possible security incidents and/or ensure conformance to the University of Georgia's security policies.
- Monitor user or system activity where appropriate.
Scope
The scope of the Vulnerability Assessment covers the mutually agreed subset of computer and communication devices owned or operated by the Client, as specified in Appendix A. The Client may provide logon credentials to the scan engine so that it can perform deep (authenticated) checks, inspecting assets for a wider range of findings such as policy violations, adware, or spyware. Credentialed scans can also inventory installed software, packages and patches (for example, Windows hotfixes), which an unauthenticated network scan cannot reliably determine.
Period of Performance
InfoSec and the Client shall identify in writing the allowable date and time for the scan to take place. This period will be specified in Appendix A.
Requirements
When requested, and for the purpose of performing a Vulnerability Assessment, the Client will provide members of InfoSec with the access they need. The Client hereby consents to allow InfoSec to access its networks and/or firewalls to the extent necessary to perform the scans authorized in this agreement. The Client shall provide protocols, addressing information and network connections sufficient for InfoSec to use the scanning software to perform the Vulnerability Assessment.
This access may include:
- If a credentialed scan is requested, user-level and/or system-level access to the targeted computing or communications device.
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the Client's equipment or premises.
- Access to work areas (labs, offices, cubicles, storage areas, etc.).
- Access to interactively monitor and log traffic on the Client's networks.
Service Impact
Although necessary precautions will be taken to avoid negative impact, network performance and/or availability may be affected by the Vulnerability Assessment process or through the execution of recommended remediation.
Client Point of Contact
The Client shall identify in writing a person who will be available if InfoSec's Assessment Team has questions regarding data discovered or requires assistance. This "Point of Contact" is recorded in Appendix A.
Confidentiality
Results of the Vulnerability Assessment are confidential. In the event an incident or a vulnerability exposing sensitive data is discovered, it will be necessary to notify University Executive Leadership and potentially any affected parties. In this case, a situation report detailing the incident or vulnerability will be prepared and delivered to the Client and management.
Responsibility for Security
A Vulnerability Assessment can be an effective tool for identifying weaknesses in the Client's system and network configuration. However, it is important that the Client understands that stewardship of and responsibility for the security of these systems remain with the Client.
Deliverables
At the conclusion of the Vulnerability Assessment, InfoSec will produce the following documents and review with the Client.
- Executive Summary - A high level overview of the identified vulnerabilities and recommended actions to mitigate associated risks
- Vulnerability Assessment Report - An in-depth technical review of all identified vulnerabilities and technical mitigation options
- Situation Report (as needed) - In the event an incident or significant exposure is discovered, this executive-level document will be prepared to outline the risk, mitigation options and necessary actions
Appendix A
Point of Contact: The point(s) of contact for the unit [Managed_Sites] shall be: [Full_Name] [Email]
Period of Performance: This is the place to specify dates and times that are acceptable to the Client for scanning of their networks. If any time is acceptable, please indicate so by writing "Any" in this space. You may be as specific as you like (such as "September 8, 2008, 5 am - 8 am") or more general (e.g., "Any Tuesday between 7 am and 9 am").
Scope: InfoSec will scan the set of IPs assigned to the unit [Managed_Sites] within the Campus Network Device Database, except the IPs listed below. If you prefer to specify only certain IPs, please write "None Except:" followed by the IPs you wish to have scanned.
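The Appendix A scope text admits two forms (everything assigned minus a list, or "None Except:" a list), and the engagement is only as safe as the target list that text resolves to. The following is an added example, not part of the SOW or of any EITS tooling, that resolves a scope entry into the concrete hosts the engine will touch and into an Nmap host-discovery command that honours the exclusions. The assigned ranges, the sample scope strings and the function names are assumptions constructed for illustration; in practice the assigned ranges would come from the Campus Network Device Database.

```python
import ipaddress
import re
import shlex

# Constructed inputs (not from the SOW): the address space the device database
# is assumed to assign to the unit, and two ways a Client might fill in the
# Appendix A "Scope" line.
ASSIGNED_RANGES = ["198.51.100.0/26", "203.0.113.8/29"]
SCOPE_EXCLUDE_FORM = "198.51.100.5, 198.51.100.32/28"
SCOPE_ONLY_FORM = "None Except: 203.0.113.9 203.0.113.10/31"


def _networks(text):
    """Split a free-text list of IPs/CIDRs on whitespace, commas or semicolons."""
    return [ipaddress.ip_network(t, strict=False)
            for t in re.split(r"[\s,;]+", text) if t]


def parse_scope(appendix_scope, assigned=ASSIGNED_RANGES):
    """Turn the Appendix A 'Scope' text into (targets, excludes).

    Default form: everything assigned to the unit, minus the IPs listed.
    'None Except:' form: only the IPs listed after the phrase, no exclusions.
    """
    text = appendix_scope.strip()
    if re.match(r"(?i)none\s+except\s*:", text):
        listed = text.split(":", 1)[1]
        return _networks(listed), []
    return _networks(" ".join(assigned)), _networks(text)


def _usable(net):
    """Hosts in a network; /31 and /32 have no network/broadcast address to drop."""
    return list(net) if net.num_addresses <= 2 else net.hosts()


def effective_hosts(targets, excludes):
    """Enumerate the addresses the scan engine will actually touch.

    This is the list worth reviewing with the Point of Contact before the
    scan window, since it is what the 'mutually agreed subset' resolves to.
    """
    hosts = set()
    for net in targets:
        for host in _usable(net):
            if not any(host in ex for ex in excludes):
                hosts.add(host)
    return sorted(hosts)


def nmap_command(targets, excludes):
    """Build an Nmap host-discovery command line that honours the exclusions.

    Nmap's --exclude takes a comma-separated list of hosts or CIDR blocks and
    performs the subtraction itself, so the scanner never probes excluded IPs.
    """
    argv = ["nmap", "-sn", *(str(t) for t in targets)]
    if excludes:
        argv += ["--exclude", ",".join(str(e) for e in excludes)]
    return shlex.join(argv)


if __name__ == "__main__":
    for scope in (SCOPE_EXCLUDE_FORM, SCOPE_ONLY_FORM):
        targets, excludes = parse_scope(scope)
        hosts = effective_hosts(targets, excludes)
        print(f"Scope text : {scope!r}")
        print(f"Hosts      : {len(hosts)} (first {hosts[0]}, last {hosts[-1]})")
        print(f"Command    : {nmap_command(targets, excludes)}\n")
```

The exclusion form resolves to 51 hosts here: the 62 usable addresses of the /26 minus the single address and the /28 the Client excluded, plus the 6 usable addresses of the /29. Printing the resolved host count and the exact command before the agreed window, and attaching both to the Appendix A record, gives both parties a concrete artefact to sign off rather than a prose description of the scope.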

