J - 10 Zelvin Security Professional Services Agreement
Town of Cortlandville
Town Board Meeting – September 20, 2023 – DRAFT RESOLUTION
RESOLUTION # APPROVE PROFESSIONAL SERVICE AGREEMENT
BETWEEN ZELVIN SECURITY, LLC AND THE TOWN OF
CORTLANDVILLE TO PROVIDE AN “EXTERNAL
VULNERABILITY ASSESSMENT” OF THE TOWN’S
INTERNET INFRASTRUCTURE
Motion by Councilman
Seconded by Councilman Guido
VOTES: AYE – NAY –
ADOPTED
BE IT RESOLVED, the Town Board does hereby approve the professional service agreement
between Zelvin Security, LLC and the Town of Cortlandville to provide an “External
Vulnerability Assessment” of the Town’s Internet Infrastructure (i.e. firewalls, DNS servers,
routers, load balancers, and supporting systems) as required by the Town’s Cyber Security
Insurance Policy, for the total cost of $800.00, and it is further
RESOLVED, the Town Clerk is hereby authorized and directed to sign the Professional Service
Agreement and Non-Disclosure Agreement pertaining to such services for the year 2023.
External Vulnerability
Assessment
PROPOSAL PREPARED FOR:
Town of Cortlandville
BY: Lisa Atkinson, Managing Partner
DATE: September 14, 2023
SOW#: VA-09142023
1 | Page
Confidential | Proprietary | Statement of Work
PROJECT GOALS AND SUMMARY
Zelvin Security is pleased to present this proposal to your business with the overall goal of improving its
cybersecurity posture. This proposal includes Ethical Hacking Services as defined by this scope of work, which
is designed to produce results which can be measured, guide future discussions, and assist your organization
with mitigation strategies.
Statement of Work (SOW) Summary
This document serves as a “Statement of Work” for Zelvin Security to perform a security
assessment against the Town of Cortlandville. This Statement of Work is to be executed in
coordination with the Professional Service Agreement, Non-Disclosure Agreement, and the Rules
of Engagement. Upon its execution, this Statement of Work shall become a part of the
Professional Service Agreement. In the event any provision in this Statement of Work conflicts
with any provision of the Professional Service Agreement, the Professional Service Agreement
shall control.
Project Timeline
Task | Start Date | End Date | Test Duration
Task 1 | As soon as paperwork is complete. | Within 15 days | 1.5 days
Target Areas
208.125.213.34 SonicWall TZ470 Firewall 7.0.0-R906
Pricing
Pricing is valid for 45 days from the date of this fixed price proposal.
Task | Price
Task 1 External Penetration Test (6 External IPs) | $800
Client Details
“Client” Business Name: Town of Cortlandville
Point of Contact: Kristin E. Rocco-Petrella, RMC
Client Contact Information: 607-756-5725
Client Acronyms: TOC
Client Location: The Raymond G. Thorpe Municipal Building
3577 Terrace Road, Cortland, New York 13045
STATEMENT OF WORK DETAILS AND DESCRIPTIONS
Task 1 – External Vulnerability Assessment
External Vulnerability Assessment (E-VA) – Zelvin Security will execute an external vulnerability assessment and a
penetration test against the Internet infrastructure (i.e., firewalls, DNS servers, routers, hubs, load balancers, and
supporting systems). Zelvin Security will attempt to identify well-known vulnerabilities from an unauthenticated
perspective.
In accordance with the IP Addresses provided, the External Network Penetration Test of the Internet infrastructure will be
structured as follows:
o Probe points of entry for identifying system information or access parameters
o Identify holes through low-intensity passive penetration probes
o Identify holes through medium-intensity passive penetration probes
o Evaluate results
o Report results, recommended mitigation solutions, analytical analysis of cybersecurity posture and suggestions for
improvement
It is understood that there could be up to 1 External IP Address included in this scope. This is a point-in-time,
best-effort test. Not all vulnerabilities may be identified. Modifications to the SOW may impact the estimated
price and timeline and must be in writing and agreed to by both parties.
Deliverables of Tasks
Report Delivery (RPT- Written) - Zelvin Security will collect and organize its findings at the completion of each task
and produce a report. A draft document(s) shall be securely delivered for one (1) review process and client shall provide
Zelvin Security comments/recommendations within ten (10) calendar days of draft delivery. Zelvin
Security shall update the document(s) as it deems appropriate in response to comments received
and deliver the final version. Zelvin Security's obligations under each Task Order shall be complete
upon delivery of the final report. Invoicing will occur monthly for time/materials services and
invoicing will occur at the completion of each Task.
The report will, to the extent applicable, include an executive summary, identified
vulnerabilities, and recommendations.
Once reports are produced by Zelvin Security, LLC (“Zelvin”) concerning cybersecurity testing, including vulnerability
assessments, penetration tests, and ethical hacking (the “Report”), the party receiving the Reports (the “Receiving
Party”) may reveal the Report and the information contained therein only to those of its affiliates or representatives (i)
who need to know the information contained within the Report, and (ii) are informed by Receiving Party of the
confidential nature of the Report so received. Those who have been provided the Report by Receiving Party will take
all actions to avoid disclosure or unauthorized use of the information contained therein.
The Receiving Party shall be responsible for any unauthorized disclosure by its affiliates or representatives of the
Report or information contained therein.
Receiving Party
Name | Title | Email Address
Nick Pizzola | Plan First Technologies | nick@p1tech.net
Kristin Rocco-Petrella | TOC |
Report Delivery (RPT- Discussion) – Zelvin Security will host a conference call to highlight notable strengths and an
overview of the project environment during the testing phases, answer technical questions related to the findings of the
report and help guide the team to improve its cybersecurity posture. An onsite Story-board Presentation of the report
is available on a Time and Materials basis.
General Security Consulting
Zelvin Security is available to conduct general cybersecurity consulting on an as needed basis. In
the event there is a need for a project, Zelvin Security will submit a project proposal for approval,
otherwise, services will be performed on a time and materials basis.
Time and Materials (T & M) Services
Retesting – Remediation assistance and testing of specific vulnerabilities after remediation is completed is
available. This is performed on a time and material cost basis.
Information Security Consultancy – Zelvin Security’s penetration testing team is available to support cybersecurity
management discussions, internal teams, and work with 3rd party vendors.
Remote: $350/hour – 30 min. minimum
Onsite: $425/hour – 60 min. minimum. Travel time and expenses billed to customer.
Travel and materials – Actual costs billed to client. $.575/mile
TERMS AND CONDITIONS
Cautionary Note
This engagement is not an absolute, nor is it a comprehensive, digital security assessment. There is no
guarantee of absolute security, and this proposal and/or its corresponding approved Statement of Work,
Professional Services Agreement, Non-disclosure Agreement, Rules of Engagement, and any deliverables
do not represent all vulnerabilities that may exist at the Client.
Further, as architecture, hardware, software, and technology change, and as technology progresses, new
threats and new vulnerabilities may arise which this proposed Statement of Work (SOW) does not cover.
Furthermore, even if all recommendations are implemented promptly, threats to information
systems may remain.
Confidentiality is Strictly Enforced
All information contained in this document is confidential and proprietary to Zelvin Security. This
includes all correspondence, reports, findings, trade secrets, and privileged, confidential property. It is
furnished in confidence, with the understanding that it will not, without written permission from Zelvin
Security, be used other than for evaluation purposes nor be disclosed to any third party. Duplication
of this document and any Zelvin Security correspondence and quotation is strictly forbidden, and all
copies shall be returned to Zelvin Security upon request.
Protection of Your Information
Client confidentiality and protection of client provided information is a matter of great importance to Zelvin Security.
All information will be held in strict confidence with rigid security measures to protect sensitive corporate information.
We apply the following practices to protect client identity and information:
• Internal to Zelvin Security, the project will be compartmentalized from the rest of the corporation. A code
name can be used, at request, on internal correspondence and documentation. Contract correspondence
and other administrative written communications will be maintained only with Zelvin Security’s contracts
representative.
• Zelvin Security will maintain a log of all documentation provided. At the end of the engagement, Zelvin
Security will either destroy or return this documentation at the request of the client.
• Documents will be stored in secured facilities. All electronic copies will be stored using strong encryption.
RULES OF ENGAGEMENT
In creating this proposal, Zelvin Security made a number of assumptions that could materially
affect project outcomes or timelines. Please note that any modification to these assumptions
may result in a modification of the overall cost, and/or schedule delays. The assumptions are as
follows:
Client:
• will appoint a single Point of Contact for this engagement
• will obtain all required authorizations and approvals needed for Zelvin Security to
perform the services contemplated by this proposal
• will provide access to such applications, systems, networks, equipment, software, and
information as are necessary, without violating the rights of any third party.
• agrees that Zelvin Security will have the authorization to access any computers,
computer systems, and computer networks that are necessary for the regular course of
work required by this proposal.
• agrees to indemnify and hold Zelvin Security harmless for any damages or liability
resulting from third-party claims that Zelvin Security did not have the authorization to
obtain such access.
To help complete the work on schedule, the Client agrees to the following:
• provide the Zelvin Security team with adequate testing time windows
• provide timely access to all appropriate personnel for the purpose of gathering
information throughout the assessment phase
• provide access to all documentation deemed relevant by the Zelvin Security consultants
for purposes of performing this assessment
Additional Assumptions Include:
• No retesting is included in the price of this engagement. Any retesting will be performed on a
time and materials basis.
• No special equipment, software, or other requirements that may impose a financial burden on
Zelvin Security shall be required without prior mutual agreement.
• No Denial of Service or load testing will be performed.
• An in-depth analysis of applications and services will be halted upon successful compromise –
meaning other issues that might exist may go undiscovered.
• No war-dialing testing will be performed.
Limitations:
• No limitations or testing windows will be imposed on Zelvin Security.
• Testing efforts will only be conducted on systems and users expressly listed as authorized
targets that do not appear in any exclusion lists provided by Client.
Project Timeline
It may become necessary to pause testing for periods of time during the engagement, which may impact
the overall timeline of the assessment. Possible reasons for pausing or stopping the engagement at any
time by either party may include but are not limited to:
• Adverse impact on the testing environment and systems – Zelvin Security will not perform denial of service
testing; however, if there is adverse impact to any system perceived to be caused by the testing activity,
then testing can be paused to troubleshoot and validate the cause. If applicable, testing may be resumed,
taking care not to trigger the same or similar issues.
• Exploitable vulnerability discovered – If a critical vulnerability is identified during the testing which can be
exploited remotely over the Internet, Zelvin Security will notify the technical point of contact promptly, so
remediation efforts may commence.
Project Communications
All files or correspondence which contain sensitive data should be encrypted and/or securely transferred. Prior to
transferring files, they should be encrypted with the “project password.”
Zelvin Security Point of Contact | Title | Email | Phone
Jeff Atkinson | CEO, Lead Penetration Tester | Jatkinson@zelvin.com | (703) 608-6657
Lisa Atkinson | Project Management | Latkinson@zelvin.com | (607) 591-5541
Zelvin Security Main Telephone Number (607) 758-9427 | P O Box 256, Homer, NY 13077
Escalation Chain Point of Contact | Title | Email | Phone
During the project, communication will follow the chain below for
contract negotiations, routine correspondence, status updates, critical findings, issues, and invoicing.
Primary | Nick Pizzola
Secondary | Kristin E. Rocco-Petrella, RMC | Town Clerk/Tax Collector/Registrar | townclerk@cortlandville.org | 607-756-5725
Optional |
Exemption Areas
The entire scope of the project is considered available for testing unless exemption areas are
listed below.
Exemption Areas (optional) | Description | Comments
Invoice Procedures
Upon execution below, these Rules of Engagement shall become a part of the Professional Services Agreement
(including the Statement of Work thereunder). If there exists any conflict between these Rules of Engagement and
the Professional Service Agreement, the terms of the Professional Service Agreement shall control. The following
invoice procedures apply: Client will be invoiced during the engagement upon completion of each of the Tasks
described above and in accordance with the Professional Service Agreement. Terms of payment are net 30 days
after receipt of Zelvin Security’s properly stated invoice. Invoices shall be submitted to Client using email directed to
the primary point of contact listed above, unless otherwise noted below.
Testing Resources
Zelvin Security will conduct the engagement from a remote location using one of the following IP addresses.
Primary Testing IP Addresses
69.21.119.160-190
Blacklist Removal - Client will remove Zelvin Security’s resources from any Blacklists at the conclusion of this
engagement, if required.
ACCEPTANCE AND AUTHORIZATION
“Client” agrees that it will provide Zelvin Security electronic access to its computer systems, networks, related
equipment, software, stored data, information, and personnel as reasonably required by Zelvin Security during the
performance of this Agreement. The Client has obtained all required authorizations and approvals needed in order for
Zelvin Security to perform the services contemplated by this Agreement. The Client confirms they have the authority
and control over such systems, networks, equipment, software, and information necessary to authorize and accept
Zelvin Security’s services without violating the rights of any other person. The Client represents and agrees that Zelvin
Security has the authorization to access such computers, computer systems and computer networks in the regular
course of work under this Agreement, and agrees to defend, indemnify, and hold Zelvin Security, its Directors, officers,
employees, agents and contractors harmless from and against all claims of any nature related to such activities,
including claims by Town of Cortlandville, its Directors, officers, employees, agents and contractors, and any third party.
For the purposes of Zelvin Security or its agent’s performance of any penetration or intrusion testing tasks issued by
The Client and agreed to by Zelvin Security under this Agreement, The Client hereby grants full permission and
authorization to Zelvin Security personnel to actively search for, identify, and exploit security issues in order to penetrate
Town of Cortlandville’s infrastructure(s) using any means to carry out the scope of work defined in this document.
Town of Cortlandville acknowledges that the assessment to be performed, as a result of this Statement of Work, is an
uncertain process, based upon past experiences, currently available information and known threats. In this regard,
Town of Cortlandville recognizes that there can be no assurance that any analysis of this nature will identify all possible
vulnerabilities or that Zelvin Security will propose exhaustive and operationally viable recommendations to mitigate this
exposure.
Invoice Contact Name and Title | Email Address | Phone Number | Task Reference
Kristin Rocco-Petrella, RMC | townclerk@cortlandville.org | 607-756-5725 |
IN WITNESS WHEREOF, the parties hereto have caused this Statement of Work in combination of the Rules of
Engagement, Professional Services Agreement, and the Non-Disclosure Agreement to be effective on the latter of
the date(s) written below:
Kristin E. Rocco-Petrella, RMC Jeffory Atkinson
Town Clerk/Tax Collector/Registrar President
Title Title
Signature | Date Signature | Date
TOWN OF CORTLANDVILLE ZELVIN SECURITY, LLC
Company Name Company Name
ABOUT ZELVIN SECURITY
Zelvin Security is a boutique proactive penetration testing and cyber security testing firm specializing in network
and web application penetration testing. Since 2002, Zelvin Security has specialized as a conflict-free third
party testing the digital security of large financial institutions and manufacturing companies in the global market.
• Highly Skilled and Experienced Penetration Testers
• Personalized Service
• Easy-to-understand Manually Verified Reports
• Practical and Custom Mitigation Strategies
• Cost-effective Remediation Approach Suggested
Our Team
All penetration testing services are performed by senior-level (highly experienced) penetration testers who
understand the technical nuances of cyber security and possess business intelligence skills. This is particularly
useful in saving your organization time and money because remediation strategies are defined using root-cause
determinations. Our team performs the research to identify the source of a security finding and offers practical,
efficient remediation recommendations. Every engagement is personally managed by Zelvin Security’s founder,
Jeff Atkinson.
Our Report
Reporting structure includes a high-level executive summary, presented in writing and virtually to business
executives, and a deep-dive, manually verified list of findings, organized by risk-level. Findings include
step-by-step remediation strategies, and Zelvin Security performs retesting as an added service.
Our Quality
The quality of the work performed by Zelvin Security’s team is far more important than the quantity. To achieve
this goal, active testing is completed over a period of time instead of being performed on consecutive days. We have
found this strategy leads to better results for our clients.
Communication and care are the cornerstone of our operations. Throughout the engagement we will keep you
informed of our progress, process, and plan.
All members of the Zelvin Security team have been thoroughly screened and a signed nondisclosure
agreement is on file, binding each team member to protect the identity and information of all projects,
findings, and proprietary information. Resumes and references are available upon request.