FY2025-04 Professional Services Agreement with Securance LLC for Cybersecurity Audit

CONTRACT TRANSMITTAL FORM

RETENTION SCHEDULE: CL-09 CONTRACTS. Records related to obligations under contracts, leases, and other agreements between the borough and outside parties, successful bids, and proposals. Each department maintains the file while the contract is active. Once inactive, retain procurements for another 4 years and retain contracts, leases, or agreements involving real property for another 11 years.

DEPARTMENT: Manager's Office
CONTACT PERSON: Aimee Williams
CONTRACT NO.: FY2025-04
CONTRACT TITLE: Professional Services Agreement with Securance LLC for Cybersecurity Audit
VENDOR OR SERVICE PROVIDER: Securance LLC

Administrative contracts are contracts approved by the manager within the spending authority allowed by code. Assembly approved contracts are beyond the manager's spending authority and require approval by the Assembly during a meeting.

APPROVED BY: [X] MANAGER [ ] ASSEMBLY
TYPE OF CONTRACT: Procurement
EXTENSION OPTIONS: N/A
EXPIRATION DATE: 6/30/25
DATE OF APPROVAL: 8/15/24
PURGE DATE FOR PROCUREMENT (Exp. + 4 yrs): June 30, 2029
OR PURGE DATE FOR INVOLVING REAL PROPERTY (Exp. + 11 yrs):
If there's no expiration date, give the process on how or when this record should be purged or flagged for review.

FILL OUT BELOW IF THE RECORD AMENDS, EXTENDS, OR IS A CHANGE ORDER TO A CONTRACT
CATEGORY: Select Category
APPROVED BY: [ ] MANAGER [ ] ASSEMBLY
DATE OF APPROVAL:
TYPE OF CONTRACT: Procurement
EXTENSION OPTIONS:
EXPIRATION DATE:
PURGE DATE FOR PROCUREMENT (Exp. + 4 yrs):
OR PURGE DATE FOR INVOLVING REAL PROPERTY (Exp. + 11 yrs):
If there's no expiration date, give the process on how or when this record should be purged or flagged for review.

\\dove\borough\CL1U - RECORDS\FORMS\contract transmittal form NJ.docx Rev. 12/23

Appendix A.
Contract Agreement

Professional Services Agreement with Securance LLC
CYBERSECURITY AUDIT

This AGREEMENT, made and entered into this 21st day of August 2024 by and between the KODIAK ISLAND BOROUGH, organized under the laws of the State of Alaska, hereinafter referred to as the "Borough," and Securance LLC (a corporation) authorized to do business in Alaska, with offices located at 13916 Monroes Business Park, Suite 102, Tampa FL 33635, hereinafter referred to as the "Contractor."

WITNESSETH

WHEREAS the Borough wishes to enter into a contract with an independent contractor to provide cybersecurity analysis services.

WHEREAS Contractor submitted a proposal asserting the qualification to perform these services and the ability to do so in a timely manner.

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:

1.0 DEFINITIONS

1.1 "Agreement" shall mean this Professional Services Agreement, including: Exhibit A, Proposal of Contractor dated May 31, 2024.

1.2 "Change Order" is an addition to, or reduction of, or other revision approved by the Borough in the scope, complexity, character, or duration of the services or other provisions of this Agreement.

1.3 "Borough" shall mean the Kodiak Island Borough, Alaska.

1.4 "Contracting Officer" shall mean the Borough Manager and include any successor or authorized representative.

1.5 "Project" shall mean the Cybersecurity Analysis.

2.0 TERM OF AGREEMENT. This Agreement shall take effect upon execution by both Borough and Contractor. This Agreement shall remain in full force and effect until the Project has been completed and further, until all claims and disputes have been concluded. The work is considered complete when the Borough has received and found acceptable the finished product of all work described in 4.0 Scope of Services or changes thereto. This date is not necessarily the Completion Date as described in 5.0 Completion Date.
This Agreement may be amended only in writing and upon compliance with all applicable statutes, ordinances, and regulations.

3.0 FEES. For the service described in section 4.0 Scope of Service, the Borough will compensate the Contractor an amount not to exceed Forty-two thousand, five hundred and four dollars ($42,504). Fees will be billed on a Completion of Audit basis.

4.0 SCOPE OF SERVICES. The Borough and Contractor have agreed upon a scope of work described in the Contractor's proposal, Exhibit A, to provide professional services based on approved standards and instructions. This Scope of Services can only be changed in writing pursuant to Section 26.0 of this Agreement.

5.0 SCHEDULE FOR COMPLETION. The project schedule shall be as set out in the Contractor's proposed schedule.

6.0 PERSONNEL/ORGANIZATION

6.1 Key Personnel. Work and services provided by the Contractor will be performed by the project team identified in Exhibit A.

6.2 Changes in Key Personnel. The Contractor shall give the Borough reasonable advance notice of any necessary substitution or change of key personnel and shall submit justification therefor in sufficient detail to permit the Borough to evaluate the impact of such substitution on this Agreement. No substitutions or other changes shall be made without the written consent of the Borough.

7.0 STANDARD OF PERFORMANCE. The Contractor agrees to provide all required professional services to complete the project and any additions or changes thereto. The Contractor accepts the relationship of trust and confidence established between it and the Borough by this Agreement. The Contractor covenants with the Borough to furnish its best skill and judgment, and to further the interest of the Borough at all times through efficient business administration and management. The Contractor shall provide all services in a competent manner. It is understood that some of the services to be rendered hereunder require professional judgment and skill.
In those cases, the Contractor agrees to adhere to the standards of the applicable profession.

8.0 TIMELINESS OF PERFORMANCE. Time is of the essence in this Agreement. Contractor's failure to meet any such deadlines or required performance may adversely imperil other contractual obligations of the Borough.

9.0 COMPLIANCE WITH LAWS. The Contractor shall be familiar with and at all times comply with and observe all applicable federal, state, and local laws, ordinances, rules, regulations, and executive orders, all applicable safety orders, all orders or decrees of administrative agencies, courts, or other legally constituted authorities having jurisdiction or authority over the Contractor, the Borough, or the service, which may be in effect now or during performance of the services.

10.0 INDEMNITY. The Contractor shall indemnify, defend, and hold harmless the Borough from and against any claim of, or liability for, negligent acts, errors, and omissions of the Contractor under this agreement, including attorney fees and costs. The consultant is not required to indemnify, defend, or hold harmless the Borough for a claim of, or liability for, the independent negligent acts, errors, and omissions of the Borough. If there is a claim of, or liability for, a joint negligent act, error, or omission of the Contractor and the Borough, the indemnification, defense, and hold harmless obligation of the Contractor, and liability of the parties, shall be apportioned on a comparative fault basis. In this provision, "Contractor" and "Borough" include the employees, agents, and contractors who are directly responsible, respectively, to each. In this provision, "independent negligent acts, errors, and omissions of the Borough" means negligence other than in the Borough's selection, administration, monitoring, or controlling of the Contractor, or in approving or accepting the Contractor's work or the Contractor's subcontractors.

11.0 INSURANCE.
The Contractor understands that no Borough insurance coverage, including Workers' Compensation, is extended to the Contractor while completing the services described in this Agreement. The Contractor shall carry adequate (commercially reasonable coverage levels) insurance covering Workers' Compensation, general public liability, automobile, professional liability, and property damage, including a contractual liability endorsement covering the liability created or assumed under this Agreement. The Contractor shall not commence work under this Agreement or any work on any phase of the Project until the Contractor provides the Borough with certificates of insurance evidencing that all required insurance has been obtained. These insurance policies and any extension or renewals thereof must contain the following provisions or endorsements:

a. Borough is an additional insured thereunder as respects liability arising out of or from the work performed by Contractor for Borough.

b. Borough will be given thirty (30) days prior notice of cancellation or material alteration of any of the insurance policies specified in the certificate.

c. Insurer waives all rights of subrogation against Borough and its employees or elected officials.

d. The insurance coverage is primary to any comparable liability insurance carried by the Borough.

Upon request, Contractor shall permit the Borough to examine any of the insurance policies specified herein. Any deductibles or exclusions in coverage will be assumed by the Contractor, for account of, and at the sole risk of the Contractor.

12.0 GOVERNING LAW. The laws of Alaska will determine the interpretation, performance, and enforcement of this Agreement.

13.0 OWNERSHIP OF WORK PRODUCTS. Payment to the Contractor for services hereunder includes full compensation for all work products and other materials produced by the Contractor and its subcontractors pertaining to this Agreement.
The originals of all material prepared or developed by the Contractor or its employees, agents, or representatives hereunder, including documents, drawings, designs, calculations, maps, sketches, notes, reports, data, models, computer tapes, and samples, shall become the property of the Borough when prepared, whether delivered or not, and shall, together with any materials furnished the Contractor and its employees, agents, or representatives by the Borough hereunder, be delivered to the Borough upon request and upon termination or completion of this Agreement. Materials previously created and copyrighted by the Contractor included in this project will remain the property of the Contractor. Copies will be made available to the Borough upon request. Materials purchased from and copyrighted by third parties are not included in this provision.

14.0 PATENTS, TRADEMARKS, AND COPYRIGHTS. The Contractor agrees to defend, indemnify, and save the Borough harmless from and against any and all claims, costs, royalties, damages, and expenses of any kind or nature whatsoever (including attorneys' fees) which may arise out of or result from or be reasonably incurred in contesting any claim that the methods, processes, or acts employed by the Contractor or its employees in connection with the performance of services hereunder infringe or contribute to the infringement of any letters patent, trademark, or copyright. In case such methods, processes, or acts are in suit held to constitute infringement and use is enjoined, the Contractor, within reasonable time and at its own expense, will either secure a suspension of the injunction by procuring for the Borough a license or otherwise, or replace such method, process, etc., with one of equal efficiency.

15.0 NONWAIVER.
No failure of the Borough or Contractor to insist upon the strict performance by the other of any of the terms of this Agreement or to exercise any right or remedy herein conferred shall constitute a waiver or relinquishment to any extent of its rights to rely upon such terms or rights on any future occasion. Each and every term, right, or remedy of this Agreement shall continue in full force and effect.

16.0 SAFETY/PERFORMANCE. The Contractor shall perform the work in a safe and workmanlike manner. The Contractor shall comply with all federal and state statutes, ordinances, orders, rules, and regulations pertaining to the protection of workers and the public from injury or damage and shall take all other reasonable precautions to protect workers and the public from injury or damage.

17.0 SUSPENSION OR TERMINATION.

17.1 Fault Termination or Suspension. This Agreement may be terminated by either party upon ten (10) days written notice if the other party fails substantially to perform in accordance with its terms. If the Borough terminates this Agreement, it will pay the Contractor a sum equal to the percentage of work completed and accepted by the Borough that can be substantiated by the Contractor and the Borough, offset by any amounts owed to the Borough. However, within the ten (10) day Notice of Intent to terminate, the party in default shall be given an opportunity to present a plan to correct its failure.

17.2 Convenience Suspension or Termination. The Borough may at any time terminate or suspend this Agreement for any reason, including its own needs or convenience. In the event of a convenience termination or suspension for more than six (6) months, the Contractor will be compensated for authorized services and authorized expenditures performed to the date of receipt of written notice of termination or suspension.
No fee or other compensation for the uncompleted portion of the services will be paid, except for already incurred indirect costs which the Contractor can establish, and which would have been compensated but because of the termination or suspension would have to be absorbed by the Contractor without further compensation.

17.3 Activities Subsequent to Receipt of Notice of Termination or Suspension. Immediately upon receipt of a Notice of Termination or suspension and except as otherwise directed by the Borough or its Representative, the Contractor shall:

a. stop work performed under this Agreement on the date and to the extent specified in the Notice; and

b. transfer title to the Borough (to the extent that title has not already been transferred) and deliver in the manner, at the times, and to the extent directed by the Borough's representative, work in progress, completed work, supplies, and other material produced as a part of, or acquired in respect of the performance of the work terminated or suspended by the Notice.

18.0 EQUAL EMPLOYMENT OPPORTUNITY. The Contractor shall not discriminate against any employee or applicant for employment because of race, religion, color, national origin, or because of age, physical handicap, sex, marital status, change in marital status, pregnancy, or parenthood when the reasonable demands of the position do not require distinction on the basis of age, physical handicap, sex, marital status, changes in marital status, pregnancy, or parenthood. The Contractor shall take affirmative action required by law to ensure that applicants are employed and that employees are treated during employment without regard to their race, color, religion, national origin, ancestry, age, or marital status.

19.0 NO ASSIGNMENT OR DELEGATION. The Contractor may not assign, subcontract, or delegate this Agreement, or any part of it, or any right to any of the money to be paid under it without written consent of the Contracting Officer.
20.0 INDEPENDENT CONTRACTOR. The Contractor shall be an independent contractor in the performance of the work under this Agreement and shall not be an employee or agent of the Borough.

21.0 PAYMENT OF TAXES. As a condition of performance of this Agreement, the Contractor shall pay all federal, state, and local taxes incurred by the Contractor and shall require their payment by any other persons in the performance of this Agreement.

22.0 PRECEDENCE AND DIVISIBILITY. The provisions of this Agreement shall fully govern the services performed by the Contractor. If any term, condition, or provision of this Agreement is declared void or unenforceable, or limited in its application or effect, such event shall not affect any other provisions hereof and all other provisions shall remain fully enforceable.

23.0 ENTIRE AGREEMENT. This Agreement contains the entire agreement between the parties as to the services to be rendered by the Contractor. All previous or concurrent agreements, representations, warranties, promises, and conditions relating to the subject matter of this Agreement are superseded by this Agreement.

24.0 COMPLETION OF WORK, TERM OF AGREEMENT. The Contractor shall perform all work in a timely fashion, and in accordance with the schedules included in this Agreement and Exhibits.

25.0 CLAIMS AND DISPUTES. Venue for all claims and disputes under this Agreement, if not otherwise resolved by the parties, shall be in the appropriate Alaska State court in Anchorage or Kodiak, Alaska.

26.0 CHANGES IN SCOPE OF WORK.

26.1 General. No claim for additional services not specifically provided in this Agreement will be allowed, nor may the Contractor do any work or furnish any materials not covered by the Agreement unless the work or material is ordered in writing by the Contracting Officer. Preparation of Change Orders and design changes, due to errors and/or omissions by the Contractor, will be done at the sole expense of the Contractor.

26.2 Changes in Scope of Work.
The Borough or its representative may, at any time, by a written Change Order delivered to the Contractor, make changes to the scope of work, or authorize additional work outside the scope of work.

26.3 Compensation to the Contractor. If any Change Order for which compensation is allowed under this Article causes an increase or decrease in the estimated cost of, or time required for, the performance of any part of the work under this Agreement, or if such change otherwise affects other provisions of this Agreement, an equitable adjustment will be negotiated. Such an adjustment may be:

a. in the estimated cost or completion schedule, or both; and

b. in the amount of fee to be paid; and

c. in such other provisions of the Agreement as may be affected, and the Agreement shall be modified in writing accordingly.

26.4 Any claim by the Contractor for adjustment under this section must be asserted within fifteen (15) days from the day of receipt by the Contractor of the notification of change; provided, however, that the Borough or its representative, deciding that the facts justify such action, may receive and act upon any such claim asserted at any time prior to final payment under this Agreement. Failure to agree to any adjustment shall be a dispute within the meaning of Section 25.0 of this Agreement.

27.0 LIMITATION OF FUNDS.

27.1 At no time will any provision of this Agreement make the Borough or its representative liable for payment for performance of work under this Agreement in excess of the amount that has been appropriated by the Borough Assembly and obligated for expenditure for purposes of this Agreement.

27.2 Change orders issued pursuant to Section 26 of this Agreement shall not be considered an authorization to the Contractor to exceed the amount allotted in the absence of a statement in the change order, or other modification increasing the amount allotted.
27.3 Nothing in this Section shall affect the right of the Borough under Section 17 to terminate this Agreement.

28.0 PRIOR WORK. For the purposes of this Agreement, work done at the request of the Borough or its representative before execution of this Agreement shall be deemed to be work done after its execution and shall be subject to all the conditions contained herein.

29.0 NOTICES. Any notices, bills, invoices, or reports required by the Agreement shall be sufficient if sent by the parties in the United States mail, postage paid, to the address noted below:

Kodiak Island Borough
Attn: Borough Manager
710 Mill Bay Road, Room 125
Kodiak, Alaska 99615

Securance LLC
13916 Monroes Business Park, Suite 102
Tampa FL 33635

IN WITNESS WHEREOF, the parties have executed this Agreement.

Kodiak Island Borough
Signed By: Aimee Williams
Title: Borough Manager
Date: (signature block illegible)

ATTEST: Nova M. Javier, Borough Clerk

Contractor
Signed By: Paul Ashe
Title: President
Date: (signature block illegible)


KODIAK ISLAND BOROUGH, ALASKA
CYBERSECURITY AUDIT
MAY 31, 2024

SECURANCE CONSULTING
Contact for RFP Response: Patrick Swere, Proposal Manager
pswere@securanceconsulting.com
P: 877.578.0215 ext. 118
www.securanceconsulting.com

TABLE OF CONTENTS

REQUIREMENTS MATRIX
COVER SHEET
3 SECURANCE PROFILE
THE SECURANCE DIFFERENCE
5 WE UNDERSTAND GOVERNMENTS
Similar Clients
Case Studies
10 RISK-BASED CYBERSECURITY POWERED BY AI
12 OUR UNDERSTANDING OF THE SCOPE OF WORK
13 SECURANCE APPROACH AND METHODOLOGIES
   NIST CSF 2.0 Assessment
   Policy and Procedure Review
20 Internal / External Network Vulnerability Assessment and Advanced Penetration Testing
23 Web Application Assessment
31 Wireless Network Security Assessment
33 Enterprise Application Security Assessment
39 Next-Generation Firewall Assessment
42 Switch Configuration Review
44 Active Directory Assessment
47 Incident Response Plan Tabletop Exercise
50 Business Continuity and Disaster Recovery Plan Review
53 PROJECT TIMELINE
58 PROJECT MANAGEMENT
60 THE BOROUGH RESOURCES NEEDED TO COMPLETE THE PROJECT
64 REPORTING
68 SECURANCE'S DEDICATED PROJECT TEAM
69 Consultant Resumes: Key Personnel
82 PROPOSED FEES
85 REFERENCES
86 COMPLIANCE WITH INDUSTRY CERTIFICATIONS AND STANDARDS
88 SAMPLE REPORT

22+ YEARS: Securance has more than 22 years of experience providing services similar in scope to those sought by the Kodiak Island Borough (Borough).

EXECUTIVE-LEVEL CONSULTANTS: Our executive-level consultants have provided comprehensive cybersecurity audits for clients such as the City of Kenai, the Matanuska-Susitna Borough, and the City of Richmond.

EXTRA VALUE: Few firms are as dedicated to their clients as Securance will be to you. We will invest the time and effort necessary to learn the Borough's IT environment and cybersecurity objectives. Then, we will use that understanding to conduct a comprehensive security audit that will help strengthen the Borough's systems, applications, and networks in alignment with the Alaska Statewide Cybersecurity Strategic Plan and industry best practices.

This proposal contains confidential material proprietary to Securance Consulting. The material, ideas, and concepts contained herein are to be used solely and exclusively to evaluate the capabilities of Securance Consulting to provide assistance to the Kodiak Island Borough (Borough). This proposal does not constitute an agreement between Securance Consulting and the Borough. Any services Securance Consulting may provide to the Borough will be governed by the terms of a separate written agreement signed by both parties. All offers to provide professional services are valid for 60 days.


SECURANCE CONSULTING

May 31, 2024

Meagan Christiansen, Special Projects Support
Manager's Office
710 Mill Bay Road, Room 114
Kodiak, Alaska 99615

Dear Meagan,

Thank you for considering Securance Consulting for the Kodiak Island Borough's (Borough's) upcoming cybersecurity audit. As a firm of cybersecurity experts with more than 22 years of experience conducting comprehensive audits for more than 400 government clients, we have the expertise needed to elevate the Borough's cybersecurity posture and help align its technologies and practices with Alaska's statewide cybersecurity goals and industry best practices. We want to partner with you!

With Securance as a partner, the Borough will benefit from an Advantage of Insight that other firms cannot provide. Our unique audit approach will:

- Incorporate our proprietary artificial intelligence (AI)-based tool to identify and predict risks, security weaknesses, compliance violations, and even potential attacks.
  We are the only firm using generative AI (GenAI) and large language models (LLMs) to focus our approach to cybersecurity audits on the most pertinent risks to our clients' technologies.

- Provide the services of senior-level cybersecurity consultants, each with more than 15 years of experience securing government IT environments and helping clients meet industry best practices, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and Payment Card Industry Data Security Standard (PCI DSS).

- Offer five free value adds for this engagement, including the Borough's requested external vulnerability assessment and penetration test, executive project management, weekly status reporting, a thorough knowledge transfer session, and 24 hours of remediation consulting support.

- Leverage two decades of experience working with more than 400 government clients on more than 2,500 cybersecurity audits. We have unique experience serving clients in Alaska, including the City of Kenai and the Matanuska-Susitna Borough. Securance has completed all projects on time and on budget, and we will do the same for this engagement.

Please see the following page for a small sample of projects similar in scope to the Borough's.
13916 Monroes Business Park, Suite 102 • Tampa, Florida 33635 877.578.0215 www.securanceconsulting.com CONFIDENTIAL

SECURANCE CONSULTING

Similar Projects

Client: City of Kenai
Project: Cybersecurity Audit
Contract Value: $34,968
Performance Period: May to October 2020
Description:
- Configuration analysis of select servers, firewalls, and routers/switches
- Cybersecurity policy development
- Disaster recovery plan (DRP) improvement
- Physical security and environmental controls review
- Wireless network assessment

Client: Matanuska-Susitna Borough
Project: Cybersecurity Audit
Contract Value: $56,048
Performance Period: November to December 2020
Description:
- Security program charter improvement
- Cybersecurity policy and procedure review and database/application change management process review
- IT staff training and awareness assessment
- Firewall, router/switch, and server configuration analysis
- Domain/enterprise application security administration, and network and application password management review
- Logging and monitoring review
- Security tool feature configuration

Client: City of Richmond
Project: Cybersecurity Audit (eight projects)
Contract Value: Total of all eight projects: $326,285
Performance Period: Since 2010
Description:
- Database, router/switch, and firewall configuration review
- Internal, external, and wireless network vulnerability assessments and penetration tests
- Remote access review
- Operating system configuration, physical security, and industrial control system security review
- Email phishing campaign development


Bad actors can strike at any moment, and the Borough is already at risk. It took Securance less than a minute to find sensitive information about the Borough on the dark web. In the wrong hands, this type of information could be the starting point of a cyber attack. The Borough needs a partner that can find security gaps like this one and determine their impact. Securance wants to be that partner.

[Callout] Email: awilliams@kodiakak.us / Hashed Password: $2a$08$ywk9jh6cwEEZKVFergCa / Sourced from dark web

We acknowledge that Securance may not be the lowest-priced bidder of the services required by the Borough. However, our services represent a superior value when compared to those offered at a lower cost by our competitors. From the detailed and innovative nature of our audit to the comprehensiveness of our deliverables, the Borough will not find a firm whose analyses and results are more accurate and exhaustive than ours. Discussions with our clients over the past 22 years have confirmed that our slightly higher upfront costs represent significant long-term savings.

Thank you again for including Securance in your evaluation process. If you have any questions after reviewing our proposal, please do not hesitate to contact me.

Professional regards,

Paul Ashe, CPA, CSA, CISSP, CMMC-AB RP, HCISPP
President

We Want To Partner With You!


REQUIREMENTS MATRIX

Securance has formatted our proposal according to the Borough's requirements. Below, we summarize the contents of our proposal (RFP Section 5, Proposal Requirements):

Requirement: The cover sheet contained herein shall be completed and submitted with the proposal. Page No.: (illegible)
Requirement: Company profile, including relevant experience in conducting security audits for government agencies. Page No.: 3
Requirement: Proposed methodology and approach to conducting the security audit. Page No.: 13
Requirement: Project timeline and key milestones. Page No.: 53
Requirement: Qualifications and experience of the project team members. Page No.: 68
Requirement: Detailed cost proposal, including hourly rates and any additional expenses. Page No.: 82
Requirement: References from previous clients for similar projects. Page No.: 85
Requirement: Compliance with relevant industry certifications and standards. Page No.: 86


Kodiak Island Borough Cybersecurity Audit

COVER SHEET
Kodiak Island Borough Security Audit Proposal

ACKNOWLEDGMENTS: I certify that I am a duly authorized representative of the firm listed below and that the information and materials enclosed with this proposal accurately represent the capabilities of the office listed below for providing the services indicated. The Borough is hereby authorized to request any owner identified in this proposal to furnish any pertinent information deemed necessary to verify the information provided or regarding the reputation and capabilities of the firm.

AMENDMENTS: The proposer represents to the Borough that it has relied upon no oral representations from the Borough in the preparation of this proposal. If any amendments are issued to this RFP, the proposer must acknowledge the receipt of such amendments in the space provided on the line below or by signing the amendment and submitting it before the submittal deadline, unless the amendment states otherwise. Proposals that fail to acknowledge receipt of amendments shall be considered non-responsive and will not be evaluated.

Amendment Acknowledgment Number(s): No formal amendments, but Q&A responses received May 21.

ORIGINAL SIGNATURE: Acknowledgment sheet must be manually (original signature) signed. A proposal shall be rejected when the proposal [text illegible] by hand.

Signature of Representative: (signed)
Date: 5.22.24
Name: Paul Ashe
Title: President
Firm: Securance LLC
Type of Firm (check one): [ ] Individual [ ] Partnership [ ] Corporation in the State of: ____
Office address for which this submittal is made:
Street: 13916 Monroes Business Park
Mailing: 13916 Monroes Business Park Suite 102, Tampa, FL 33635
City, State, Zip: Tampa, Florida, 33635
Telephone: 877.578.0215
AK Business License No.: Once awarded, Securance will renew our Alaskan Business License.
[X] Other (Specify): Limited Liability Company (LLC) in the State of Florida


SECURANCE PROFILE

Two Decades of Cybersecurity Audit Services

Securance is a 100-percent minority-owned limited liability company, certified as an 8(a), Small Disadvantaged Business (SDB), and Minority Business Enterprise (MBE). Paul Ashe, the Borough's proposed engagement manager (EM), founded Securance in March 2002. Since then, we have performed more than 2,500 cybersecurity audits for clients in nearly every industry, including more

Exclusively Staffed with Senior-Level Cybersecurity Professionals

In order to provide the highest quality services, Securance only hires cybersecurity consultants with more than 15 years of professional experience. Our proposed consultants for the Borough's project excel at improving cybersecurity policies and procedures, addressing vulnerabilities within networks, applications, and information systems, conducting penetration testing, upgrading

easy-to-understand audit reports and roadmaps that guide organizations to implement actionable security improvements is our foundation. We will tailor the Borough's project to the unique specifications required by its IT environment, security and control standards, and business requirements, so the Borough can feel confident in the departments and staff to achieve an improved cybersecurity posture and alignment with Alaska's

THE SECURANCE DIFFERENCE

HANDS-ON EXECUTIVE LEADERSHIP ON EVERY PROJECT

A niche cybersecurity firm, Securance was founded more than two decades ago by a group of executives from Big 4 accounting firms. Their vision was to provide highly specialized cybersecurity services to clients in a wide range of industries, with unique advantages that only a small business could offer. Among these benefits are the caliber of our professional staff and the hands-on involvement of our executive team in client projects.
Larger firms use senior resources to lead their businesses, but often turn much of the fieldwork on client projects over to less experienced consultants. This is not the case with Securance. Our professional staff is limited to senior cybersecurity consultants with at least 15 — and, often, 30 or more — years of experience. Senior staff do not just lead our projects; they execute them from cradle to grave. In addition, members of our executive team, including founder and president Paul Ashe, compliance lead Chris Bunn, and security lead Ray Resnick, work alongside our staff consultants on every project.

TECHNICAL RISK TRANSLATED TO BUSINESS RISK
We have worked with hundreds of clients over the years and understand the disconnect that can occur when IT speaks one language and business another. An audit report filled with technical jargon may be useful to a system administrator or engineer, but it provides little, if any, value to the C-suite. Securance's reports are written in plain English that both technical and non-technical executives can understand. We explain the potential adverse effect of each finding on business operations. This approach extends the value of our analysis beyond the IT department, helping senior management understand the risks and making our recommendations truly actionable.

POWERED BY AI
Securance is the only cybersecurity audit firm that uses generative artificial intelligence (GenAI) and large language models (LLMs) to enhance its approach to identifying and assessing technology risks. Our proprietary GenAI technology uses OpenAI's GPT-4 model, an LLM with 1 trillion parameters, to analyze large amounts of multimodal data, identify patterns and potential risks in a client's technology environment, and, even, predict security breaches and failures. Armed with this insight, Securance tailors its audit approach to fit each client's organization, address industry concerns, and target technology-specific threats.
WE UNDERSTAND GOVERNMENTS
Government agencies have unique needs when it comes to cybersecurity. Not only do they have to protect their networks and information systems, but they are responsible for safeguarding sensitive citizen and employee data, ensuring their ability to detect and respond to cyber incidents parallels rapidly evolving cyber threats, and meeting state and federal cybersecurity objectives and industry best practices. Government agencies need a cybersecurity partner that understands how to defend against bad actors with innovative approaches, holistically enhance cybersecurity practices and plans, and uphold cybersecurity regulations and standards. Securance is that partner, and our experience proves this.

Government at a Glance
► 22+ years serving small, medium, and large government agencies
► 400+ clients
► 2,500+ projects completed
► Agencies served: local / city / state governments, healthcare organizations, transportation authorities, education / higher education institutions, financial / insurance organizations, utilities

Given our experience and expertise, we will bring specific value to the Borough's project, including a(n):
► Understanding of the Alaska Statewide Cybersecurity Strategic Plan objectives, including enhancing cybersecurity resilience and interoperability, fostering a stronger cybersecurity culture, strengthening cybersecurity collaboration and partnerships, and improving cyber incident management and response capabilities. Securance will provide comprehensive, actionable recommendations for better alignment with Alaska's cybersecurity goals.
► Combined 133 years of experience among five cybersecurity consultants who are experts in implementing best practice standards, such as processes that align with the NIST CSF and PCI DSS, and guiding employees and IT staff to adhere to them.
► Proprietary technology that harnesses the power of GenAI and LLMs to provide a predictive ability, degree of customization, and testing accuracy that other firms cannot match.
► Heightened consideration of increasing cyber incidents in Alaska. The state detects and thwarts more than two million attempted cyber attacks on its IT systems each month, according to Alaska's IT chief.
► Commitment to the Borough's long-term security. We will learn the Borough's IT environment, business culture, and unique security objectives before beginning our engagement, so our assessments and recommendations are as customized to the Borough's needs as possible.

Similar Clients
Below is a sample of clients that have engaged Securance for similar work to the Borough's project. Please see the following three pages for detailed case studies of Securance's work with the City of Kenai, the Matanuska-Susitna Borough, and the City of Richmond.
[Client logos; legible names: Durham; Volusia County, Florida; Modesto, California; Tempe; City of Glendale; City of Phoenix; St. Charles, Illinois; Fremont]

Case Studies

CLIENT NAME: City of Kenai (City)
SECURANCE TEAM: Paul Ashe, Chris Bunn, Ray Resnick
PROJECT DURATION: 5 Months in 2020
CYBERSECURITY AUDIT

PROJECT OUTCOMES
► Improved operating effectiveness of critical IT processes
► Developed formal cybersecurity policies and addressed the lack of a disaster recovery plan
► Improved network device configuration

CLIENT OBJECTIVES
The City needed a vendor to:
► Conduct security assessments of device and operating system (OS) level security configurations in the IT environment.
► Assess the wireless network and physical security.
► Lead a review of its disaster recovery plan (DRP).
► Assist in the review and development of IT governance documents.

SECURANCE SOLUTION
The Securance team:
► Performed a detailed configuration analysis of select servers, firewalls, and routers / switches and identified medium- and high-risk vulnerabilities.
► Drafted formal cybersecurity policies to address a lack of policies governing daily IT operations.
► Addressed the lack of a formal DRP and provided actionable recommendations for efficient DRP development.
► Reviewed physical security and environmental controls.
► Conducted a wireless network assessment and addressed medium-risk vulnerabilities.

CLIENT NAME: Matanuska-Susitna Borough (Matanuska)
SECURANCE TEAM: Paul Ashe, Chris Bunn, Ray Resnick
PROJECT DURATION: 1 Month in 2020
CYBERSECURITY AUDIT

PROJECT OUTCOMES
► Improved design and operating effectiveness of critical IT processes, including patch management, disaster recovery, logging / monitoring, and security awareness training
► Identified inadequate cybersecurity staffing levels as a critical risk and provided recommendations for improved organizational structure

CLIENT OBJECTIVES
Matanuska needed a vendor to assess the security and controls related to:
► IT processes.
► Firewalls.
► Routers and switches.
► Wireless network.
► Server operating systems.
► Enterprise and infrastructure applications.
► IT security tools.

SECURANCE SOLUTION
The Securance team:
► Identified an inadequate security program charter and helped Matanuska customize it to their unique environment.
► Identified and addressed high-risk vulnerabilities within cybersecurity policies and procedures, and database / application change management processes.
► Identified critical vulnerabilities within IT staff training and provided actionable recommendations for improved organizational structure.
► Conducted a firewall, router / switch, and server configuration analysis.
► Reviewed domain and enterprise application security administration, and network and application password management.
► Assessed logging and monitoring processes.
► Assessed security tool feature configuration for multiple technologies.

CLIENT NAME: City of Richmond (City)
SECURANCE TEAM: Paul Ashe, Chris Bunn, Ray Resnick
PROJECT DURATION: Multiple Network Analyses and Cybersecurity Audits Since 2010
CYBERSECURITY AUDIT

PROJECT OUTCOMES
► Identified urgent and critical vulnerabilities within the internal network infrastructure and inefficiencies in the incident response process
► Facilitated a significant reduction in technical risks following remediation
► Provided clear recommendations to address critical risks in the City's incident response process and ransomware readiness

CLIENT OBJECTIVES
The City needed a vendor to:
► Identify technical vulnerabilities, patch management process risks, and IT process risks to improve its security posture.
► Perform a vulnerability assessment and penetration test of its internal, external, and wireless networks.

SECURANCE SOLUTION
The Securance team:
► Assessed database, router / switch, and firewall configurations and security to identify and address risks.
► Conducted internal, external, and wireless network vulnerability assessments and penetration tests.
► Assessed the City's incident response process / ransomware readiness and provided actionable recommendations to mitigate identified critical risks.
► Performed detailed analysis of the City's enterprise application databases.
► Assessed the City's remote network access and IT policies related to patch management.
► Reviewed operating system configuration, physical security, and industrial control system security.
► Conducted an email phishing campaign to assess end-user security awareness.
RISK-BASED CYBERSECURITY POWERED BY AI
Securance is the first and only cybersecurity audit firm to use generative AI (GenAI) and large language models (LLMs) to enhance its approach to client-focused assessments. GenAI and LLMs can transform the ways in which businesses across industries gather and analyze information, predict outcomes, and make better decisions. Cybersecurity is no exception. At Securance, we use LLMs to identify potential risks based on a client's technologies, IT processes, and industry. We apply this information to focus our approach and methodologies when conducting cybersecurity audits.

LLM: LARGE LANGUAGE MODELS
LLMs consider billions of parameters and ingest massive amounts of data from sources such as the Internet, Common Crawl, which collects data from more than 50 billion web pages, and Wikipedia, with approximately 57 million pages. While not perfect, LLMs have a remarkable ability to make predictions based on a relatively small number of prompts, or inputs. GenAI uses LLMs to produce content based on human-language prompts that provide clarity and context.

Securance's program leverages OpenAI's GPT-4 model. With 1 trillion parameters, GPT-4 can identify patterns from multimodal data, generate natural and readable output, and perform complex tasks. We use GPT-4 to deliver maximal value to our clients via customized methodologies, targeted assessments, and actionable recommendations to prevent security breaches. During an initial co-development and planning session, we gather information about the client, its technology environment, and its IT organization. We use this data to adjust our input prompts, which include:
► The organization's industry.
► The organization's size.
► The security framework(s) in place.
► The security tools in place.
► Whether the organization has a security operations center (SOC) monitoring its network.

Based on the input prompts, our LLMs and GenAI produce information that informs our assessment approach. Securance's model can even predict cyber breaches, events, and failures and their consequences. Predictions may include the potential for:
► Failures in IT process controls.
► Network, system, and/or application breaches based on the client's cybersecurity profile.
► End-user security failures and phishing attacks.
► Inappropriate access to data or systems by end users.

Harnessing the power of GenAI, Securance provides clients with accurate results, tailored recommendations, and unique advantages that other security firms cannot match. The benefits of a Securance assessment include:
► Comprehensive security profile.
► Predictive risk analysis, including industry- and technology-specific risks.
► Recommendations to prevent costly network and system breaches.

To learn how we put this into practice, please review our detailed technical methodologies on the following pages.

OUR UNDERSTANDING OF THE SCOPE OF WORK
Below, we summarize our understanding of the Borough's expectations for this project and the deliverables. We have included methodologies for some of the audit tasks on the following pages. Additional methodologies can be provided upon request.
PRE-AUDIT ACTIVITIES
► Kickoff Meeting
► Establish Rules of Engagement
► Create / Share Client Assistance Memo

CYBERSECURITY AUDIT
► Comprehensive Cybersecurity Audit, Including:
  • NIST CSF Compliance Assessment
  • Policy and Procedure Review
  • Penetration Testing / Ethical Hacking Exercises, Including:
    Internal Network Vulnerability Assessment and Penetration Testing (VAPT)
    External Network VAPT — Value Add
    Web Application Testing
    Wireless Network VAPT
  • Assessments to Identify Vulnerabilities / Threats to Information Systems, Applications, and Network Infrastructure, Including:
    Enterprise Application Security Assessments
    Database Security Assessment
    Operating System Configuration Review
    Firewall Configuration Review
    Switch Configuration Review
    Active Directory Analysis
  • Incident Response and Business Continuity / Disaster Recovery Evaluation. This Includes:
    Incident Response Process Review
    Incident Response Tabletop Exercise
    Business Continuity Plan Review
    Disaster Recovery Plan Review

POST-AUDIT ACTIVITIES AND DELIVERABLES
► Board-Ready Audit Management Report
  • Roadmap for Implementing Recommendations
► Technician's Report
► 24 Hours of Remediation Support Consulting — Value Add

SECURANCE APPROACH AND METHODOLOGIES

NIST CSF 2.0 Assessment
Our approach to NIST Cybersecurity Framework (CSF) assessments begins with understanding the Borough's business objectives, strategies, and cybersecurity posture. Then, we map the gathered information to all NIST CSF 2.0 sub-categories. This will allow our team to assess the Borough's current tier profile and, in collaboration with the Borough's project manager, determine a target tier profile.
[Figure: NIST Cybersecurity Framework]
Our assessment will review the following control areas and all their components to define the Borough's cybersecurity posture and risk appetite:

OUR PROCESS
Our team will work with the Borough's subject-matter experts to define objectives tailored to each category and sub-category within each function and list the Borough's initiatives to achieve the objective. Where initiatives are not in place, we will work with the Borough's IT team to define actionable initiatives. Our team will request and review artifacts supporting the Borough's current state for each of the sub-categories in each of the six functions. Our review will be augmented with interviews of the Borough's key persons responsible for or knowledgeable about each sub-category. As part of this process, we will assess the Borough's current-state Tier relative to the framework.
► Tier 1: Partial — Organizational awareness of cybersecurity risks is minimal, and risk is managed in an ad hoc, case-by-case way.
► Tier 2: Risk Informed — There is organizational awareness of risk and cybersecurity protection needs, but no consistent or formal risk management approach has been established.
► Tier 3: Repeatable — Formally approved risk management practices are established, shared, and regularly updated.
► Tier 4: Adaptive — Cybersecurity risk management is built into the organization's culture, and practices are continuously adapted and improved in response to evolving threats.

THEIR APPROACH
► A one-size-fits-all assessment that fails to recognize the organization's unique risk profile.

An example of how we display the current state by Tier is below.
[Chart: current state by Tier for each function. Legend: 0 Not Applicable, 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive. Legible axes: Govern, Identify, Respond, Recover]

For each sub-category, we will identify an actionable recommendation to move the Borough to the next tier, where an improvement is deemed necessary. This information will be presented in a NIST CSF Roadmap for Improvement.

THE SECURANCE WAY...
► A customized and evidence-based assessment involving input from various managers, staff, and stakeholders.
► A roadmap designed to improve the maturity of the Borough's cybersecurity posture.
....DELIVERS EXTRA VALUE TO YOU.
► The Borough receives specific, feasible, and clearly communicated recommendations for improving its cybersecurity posture.

NIST CSF 2.0 Assessment (continued)
Below and on the following pages, we elaborate on what our consultants look for when assessing each of the NIST CSF 2.0 sub-categories:

GOVERN
We will assess governance over the Borough's overall enterprise risk management. Both cybersecurity and bad actors are perpetually evolving. It is essential to update the Borough's risk strategies with the appropriate policies, procedures, and processes to be in alignment with its goals and to combat new threats. This function will strengthen the Borough's enterprise governance.
► Organizational Context (GV.OC) — Understand the Borough's objectives and priorities and where they fall in the supply chain.
► Risk Management Strategy (GV.RM) — Assess the strategy based on the Borough's risk appetite and tolerance.
► Roles, Responsibilities, and Authorities (GV.RR) — Determine whether roles and responsibilities are defined, communicated, and enforced.
► Policy (GV.PO) — Review established, communicated, and implemented processes and supporting documentation.
► Oversight (GV.OV) — Review the results of any organization-wide cybersecurity assessment to determine the impact to the risk management strategy.
► Cybersecurity Supply Chain Risk Management (GV.SC) — Assess risk management policies and processes associated with suppliers and other third parties.

IDENTIFY
We will evaluate the Borough's cybersecurity posture. This will include:
► Asset Management (ID.AM) — Assess the Borough's hardware and software asset management program.
► Risk Assessment (ID.RA) — Assess internal and external threats.
► Improvement (ID.IM) — Identify improvements across all CSF functions.

PROTECT
We will review the design and test the effectiveness of controls intended to protect data and systems from cyber incidents.
► Identity Management, Authentication, and Access Control (PR.AA) — Assess control of access to data and systems.
► Awareness and Training (PR.AT) — Review the Borough's end-user security awareness training program.
► Data Security (PR.DS) — Assess security and controls over the Borough's data.
► Platform Security (PR.PS) — Evaluate the confidentiality, integrity, and availability of physical and virtual platforms.
► Technology Infrastructure Resilience (PR.IR) — Assess management of security architectures to protect assets.

DETECT
We will assess the Borough's system to detect cyber events in a timely manner to reduce their chances of becoming incidents.
► Continuous Monitoring (DE.CM) — Review how resources and assets are monitored nonstop.
► Adverse Event Analysis (DE.AE) — Assess abnormalities and understand their potential cybersecurity threat.

RESPOND
We will assess how the Borough responds to a cybersecurity attack. We will measure how well it contains an event, maintains its reputation, learns from the situation, and reduces inactivity time.
► Incident Management (RS.MA) — Assess management of cybersecurity incidents.
► Analysis (RS.AN) — Assess the analysis processes at the Borough.
► Incident Response Reporting and Communication (RS.CO) — Review the communication process with the Borough's stakeholders and other key personnel.
► Incident Mitigation (RS.MI) — Review the processes in place to mitigate and contain cyber incidents.

RECOVER
We will review the Borough's recovery capabilities after a cybersecurity incident to ensure continuity of operations.
► Incident Recovery Plan Execution (RC.RP) — Review the plans and procedures implemented to restore data and systems affected during cybersecurity incidents.
► Incident Recovery Communication (RC.CO) — Assess the line of communication between IT staff and stakeholders for the sake of transparency.

Policy and Procedure Review
We define a policy as management's intentions relative to mitigating a risk. Policies should be supported by detailed procedures that provide guidance to IT engineers and administrators regarding the implementation of the policy. Securance has conducted policy and procedure reviews for government organizations and clients across all major industries over our 22 years of cybersecurity service. Our methodology for assessing IT policies and procedures is comprehensive and will be unique to the Borough's IT environment while addressing all common components of IT security. We determine where there are gaps in policies, procedures, and standards, if any, and uncover organizational weaknesses.
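The tier assessment and the NIST CSF Roadmap for Improvement described in the NIST CSF 2.0 section above reduce to a small scoring routine: record a current and a target tier for each category, roll the categories up to a per-function tier for the chart, and list every category that sits below its target together with the next tier to reach. The Python below is an added example written for this page, not Securance's tooling or anything the proposal supplies. The category IDs are the NIST CSF 2.0 categories the proposal walks through; the current and target tiers are constructed sample values; and the rule that a function's displayed tier is the lowest tier among its applicable categories is an assumption made here (the proposal does not say how it rolls categories up to a function).

```python
"""Score a NIST CSF 2.0 tier assessment and derive a roadmap.

Added example, not Securance's tooling.  The category IDs are the NIST CSF
2.0 categories the proposal walks through; the current/target tiers are
constructed sample values; rolling a function up to the lowest tier among its
categories is an assumption made for this example.
"""
from collections import defaultdict

# Tier scale used in the proposal's current-state chart
TIER_NAMES = {
    0: "Not Applicable",
    1: "Partial",
    2: "Risk Informed",
    3: "Repeatable",
    4: "Adaptive",
}

# NIST CSF 2.0 functions, keyed by the prefix of their category IDs
FUNCTION_NAMES = {
    "GV": "Govern", "ID": "Identify", "PR": "Protect",
    "DE": "Detect", "RS": "Respond", "RC": "Recover",
}

# Constructed sample assessment: category -> (current tier, target tier)
SAMPLE_ASSESSMENT = {
    "GV.OC": (2, 3), "GV.RM": (1, 3), "GV.RR": (2, 3), "GV.PO": (2, 3),
    "GV.OV": (1, 2), "GV.SC": (1, 2),
    "ID.AM": (3, 3), "ID.RA": (2, 3), "ID.IM": (1, 3),
    "PR.AA": (3, 4), "PR.AT": (2, 3), "PR.DS": (2, 3), "PR.PS": (3, 3),
    "PR.IR": (2, 3),
    "DE.CM": (2, 3), "DE.AE": (1, 3),
    "RS.MA": (2, 3), "RS.AN": (2, 3), "RS.CO": (3, 3), "RS.MI": (2, 3),
    "RC.RP": (1, 3), "RC.CO": (2, 3),
}


def validate(assessment):
    """Reject malformed input before scoring: unknown function prefix,
    tier outside 0-4, or a target below the current tier."""
    for category, (current, target) in assessment.items():
        function = category.split(".")[0]
        if function not in FUNCTION_NAMES:
            raise ValueError(f"{category}: unknown CSF function {function!r}")
        if current not in TIER_NAMES or target not in TIER_NAMES:
            raise ValueError(f"{category}: tiers must be 0-4")
        if target < current:
            raise ValueError(f"{category}: target tier below current tier")


def function_tiers(assessment):
    """Current tier per function (the chart in the proposal).  Assumption:
    a function is only as mature as its weakest applicable category, so its
    tier is the minimum over categories rated 1-4; categories rated 0
    (Not Applicable) are ignored."""
    validate(assessment)
    rated = defaultdict(list)
    for category, (current, _target) in assessment.items():
        if current > 0:
            rated[category.split(".")[0]].append(current)
    return {FUNCTION_NAMES[fn]: min(tiers) for fn, tiers in rated.items()}


def roadmap(assessment):
    """Roadmap for Improvement: every applicable category below its target,
    with the next tier to reach, largest gap first."""
    validate(assessment)
    items = []
    for category, (current, target) in assessment.items():
        if 0 < current < target:
            items.append({
                "category": category,
                "function": FUNCTION_NAMES[category.split(".")[0]],
                "current": TIER_NAMES[current],
                "next": TIER_NAMES[current + 1],
                "gap": target - current,
            })
    items.sort(key=lambda item: (-item["gap"], item["category"]))
    return items


if __name__ == "__main__":
    for function, tier in function_tiers(SAMPLE_ASSESSMENT).items():
        print(f"{function:<9} Tier {tier} ({TIER_NAMES[tier]})")
    for item in roadmap(SAMPLE_ASSESSMENT):
        print(f"{item['category']}: {item['current']} -> {item['next']} "
              f"(gap {item['gap']})")
```

Using the minimum rather than an average keeps a single neglected category (for example a Recover function whose plan execution is still Partial) from being hidden behind stronger neighbours, which is the conservative reading an auditor would want when presenting the chart to a board.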
While each organization will require its own unique set of policies and procedures, those commonly assessed include:
► Acceptable use
► IT security policy
► Anti-virus / malware
► Job scheduling
► Application security and administration
► Business continuity plan (BCP) / disaster recovery (DR) — backups
► BCP / DR — plan
► Change management
► Configuration management
► Database security and administration
► Enterprise security
► Incident management
► IT asset management
► IT governance
► IT operations
► IT organization and management
► IT risk management
► Mobile device management
► Monitoring and logging management
► Network security and administration
► Password controls
► Patch management
► Physical security and environmental controls — data center
► Project management (SDLC)
► Remote access management
► Segregation of duties (SOD)
► Server security and administration
► User access provisioning
► Vulnerability management

To ensure the Borough's policies and procedures are comprehensive, accurate, and effective, Securance evaluates them for the criteria on the following page, or develops policies / procedures that contain these criteria.

Policy and Procedure Review (continued)
Overview: Summary of the need for the policy.
Scope: Devices, data, documents, or systems covered under the policy.
Purpose: Overall objective of the policy.
Policy: A measure by which an organization conducts a process; may be aligned to a particular framework. Industry-leading frameworks include the NIST CSF, NIST Special Publication (SP) 800-53, ISO 27001, COBIT 5, and CIS 20.
Disciplinary Action: Defined actions the organization will take in the event of a failure to comply with the policy.
Definitions: A table of definitions for terms used within the policy.
Exceptions: Any circumstances under which the policy would not apply.
Expected Impact: Projected outcome of maintaining and implementing the policy.
Revision History: A table denoting when the policy was last updated and what areas were modified.
Approval: Process for formally instating the policy and the party responsible for approval.

OUR PROCESS
► Gain an understanding of the Borough's governance model and daily IT operations through interviews with the Borough personnel. Our approach is structured based on where governance fits into an IT organization, as depicted below.
[Diagram: where governance fits into an IT organization]
  • Business Objectives: IT objectives align with and support business goals
  • IT Objectives and Strategy
  • IT Governance: IT standards, policies, and procedures
  • Architecture: Network and application design
  • Cybersecurity: Cybersecurity program
  • IT Operations: Daily IT functions
  • Framework Compliance: Alignment with security and control frameworks (NIST CSF, PCI DSS)
  • Regulatory Compliance: Alignment with federal, state, local, and industry requirements
► Review existing, or draft new, policies that map to day-to-day operations by:
  • Interviewing IT process owners.
  • Determining gaps in policies, procedures, and standards.
  • Drafting policies customized to the Borough's IT environment.
  • Reviewing draft policies with IT process owners.
► Perform a comparative analysis against the NIST CSF, ensuring each policy's controls align with the framework by:
  • Reviewing draft policies with IT process owners to ensure each policy maps to daily activities.
  • Implementing new policies by training IT staff to adhere to them.

THEIR APPROACH
► Review is based on templates. Supports procedural language embedded in policy language and having policies for the sake of policies.

THE SECURANCE WAY...
► Securance will dedicate the time and effort needed to understand the Borough's organization and right-size each policy document to fit its IT environment and cybersecurity needs.
....DELIVERS EXTRA VALUE TO YOU.
► The Borough will receive thorough, clear, and specific recommendations for improved policy and procedure implementation. Securance will make sure all Borough staff understand how to adhere to them.

Internal / External Network Vulnerability Assessment and Advanced Penetration Testing
Vulnerability assessments and penetration tests are fundamental to an organization's security against internal and external cyber threats. With over 22 years of experience conducting these assessments for clients in every industry, including more than 400 government municipalities, Securance understands how to maximize the value and efficiency of every step in the testing process. Our team will consider the Borough's unique digital landscape and adjust our practices to meet its needs, including which method of testing best aligns with its security objectives:

TESTING METHOD
► Black Box: The Borough does not provide Securance any internal knowledge of the target system that is not publicly available.
► Gray Box: The Borough provides Securance some knowledge of the network's internals, which may include design and architecture documentation and an account internal to the network.
► White Box: The Borough provides Securance all information about the target network.
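The policy criteria listed in the Policy and Procedure Review section above (Overview through Approval) amount to a checklist that a reviewer applies to every policy document, and the gaps it finds are the raw material for the "determining gaps" step of the process. The Python below is an added example, not Securance's review tooling: it assumes each policy is plain text with each section heading on its own line ending in a colon, and the draft password policy it checks is constructed for the example. Beyond presence of each section, it also flags sections that exist but are empty and a Revision History that carries no date, the two defects a template-driven review tends to miss.

```python
"""Check a policy document against the section criteria the proposal lists
for a complete policy (Overview, Scope, Purpose, Policy, Disciplinary Action,
Definitions, Exceptions, Expected Impact, Revision History, Approval).

Added example, not Securance's review tooling.  Assumes policies are plain
text with one heading per line ending in a colon; the sample policy below is
constructed.
"""
import re

REQUIRED_SECTIONS = [
    "Overview", "Scope", "Purpose", "Policy", "Disciplinary Action",
    "Definitions", "Exceptions", "Expected Impact", "Revision History",
    "Approval",
]

# Heading convention assumed for this example: a line consisting only of the
# section name followed by a colon, e.g. "Scope:".
HEADING_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*$")


def parse_sections(text):
    """Split a policy into {heading: body}, preserving document order."""
    sections = {}
    current = None
    for line in text.splitlines():
        match = HEADING_RE.match(line)
        if match:
            current = match.group(1).strip().title()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(body).strip() for name, body in sections.items()}


def review_policy(text):
    """Return review findings: required sections missing entirely, sections
    present but empty, and whether the Revision History carries a date."""
    sections = parse_sections(text)
    missing = [s for s in REQUIRED_SECTIONS if s not in sections]
    empty = [s for s in REQUIRED_SECTIONS if s in sections and not sections[s]]
    history = sections.get("Revision History", "")
    dated = bool(re.search(r"\b\d{4}-\d{2}-\d{2}\b", history))
    return {
        "missing": missing,
        "empty": empty,
        "revision_history_dated": dated,
        "complete": not missing and not empty and dated,
    }


# Constructed sample: a draft password policy missing several required sections.
SAMPLE_POLICY = """\
Overview:
Passwords are the primary authentication mechanism for Borough systems.

Scope:
All user and service accounts on Borough-managed systems.

Purpose:
Reduce the risk of account compromise through weak or reused passwords.

Policy:
Passwords must be at least 14 characters and checked against known-breached lists.
Multi-factor authentication is required for remote and privileged access.

Exceptions:

Revision History:
Initial draft, owner IT Manager.
"""

if __name__ == "__main__":
    for key, value in review_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

The checker is deliberately strict about the Revision History date because an undated history cannot support the "when was this last updated" question an auditor asks first; a complete policy passes only when every required section is present, non-empty, and the history is dated.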
Securance will utilize a combination of industry-leading techniques during this engagement, including the National Institute of Standards and Technology (NIST) Special Publication 800-115 (Technical Guide to Information Security Testing and Assessment), Information Systems Security Assessment Framework (ISSAF), Open-Source Security Testing Methodology Manual (OSSTMM), Open Worldwide Application Security Project (OWASP), and Penetration Testing Execution Standard (PTES).

OUR PROCESS
► Planning the Assessment
► Information Gathering
► Vulnerability Assessment
► Advanced Penetration Testing
► Identifying and Removing False Positives

PLANNING THE ASSESSMENT
► Identify client resources
► Develop rules of engagement
  • Securance will work with the Borough to confirm and agree upon clear rules of engagement for the Borough's project, including details about:
    Project scope of effort
    Communication rules
    Tool configuration
    How to handle scope creep
    Escalation plan
    The Borough's unique IT environment
    The Borough and Securance contact authority
    The client's IP address information
    Privileged testing
    Approved dates, times, and tools
    The Borough's specific concerns
    VoIP solution / scan
    Interest in whitelisting lab's IP
    Third-party hosted IP scans
► Develop specific scope that addresses which systems (if any) should not be assessed

INFORMATION GATHERING
External Assessment
► Search for public information about the Borough's internet presence using the American Registry for Internet Numbers (ARIN), social media, the surface web, and the dark web
► Identify weaknesses in the registration process, like publishing internal staff contact information
Internal Assessment
► Connect to a "hot" port on the internal network, if applicable for the selected testing method
► Obtain internal IP information about approved targets
► In stealth mode, perform a port sweep to develop a map of the internal network structure
► Attempt to identify servers, applications, network infrastructure devices, database systems, web applications, and other technologies based on ports and services
► Assess fingerprint information
► Review information with the Borough's PM

VULNERABILITY ASSESSMENT
► Analyze information gathered in the previous section
► Our testing techniques scale from soft to aggressive. Below are examples of soft and aggressive techniques we will utilize:
  Soft Techniques
  • Passive port scanning to identify open ports and listening services
  • Default password identification
  • "Safe check" vulnerability scanning
  • Software version identification
  • Firmware version identification
  • Multiple-tool scanning
  Aggressive Techniques
  • Multi-location network sniffing
  • Applying a denial-of-service attack
  • Aggressive vulnerability scanning
► Identify modes of access
► Locate trusted hosts
► Identify sensitive data flows
► Perform vulnerability scans using various tools and cross-reference available services against a comprehensive listing of vulnerability databases

The Securance vulnerability assessment and penetration test performs a series of checks to discover methods to breach your systems. Here is a summary list of checks we include in our methodology:
► Buffer overflows
► Bypass authentication
► Case studies and presentations info
► Command injection
► Cross-site request forgery
► Cross-site scripting
► Cross-site tracing
► Database scan
► Default passwords
► Directory traversal
► DNS records information
► Firewalking
► Hard-coded secrets
► HTML source code analysis
► Integer overflows
► Job postings information
► LDAP injection
► Mailing lists information
► Open relay scan
► OS fingerprinting
► Password cracking and guessing
► Ping sweep
► Port scanning
► Router vulnerability detection
► Sensitive error messages
► Server / service fingerprinting
► Session ID prediction
► SNMP scan
► SQL injection
► SSL configuration
► Trade publications information
► Validate cryptographic strength
► Vulnerable sample applications
► Web server vulnerability scan

ADVANCED PENETRATION TESTING
► Develop penetration testing rules of engagement
► Determine the approved target systems for penetration testing
► Utilize information gathered, including user names and passwords
► Perform exploit testing
► Collect and clean up evidence of exploitation

Our advanced penetration methodology makes use of automated tools, such as Core Impact, Metasploit, and Canvas, to exploit common security vulnerabilities throughout an organization. We leverage tools like Cobalt Strike to perform lateral testing, gain control of other systems on the network, and attempt to exfiltrate sensitive data. In addition to automated testing, Securance will also perform manual penetration testing to find weaknesses missed by the automated tools.
Network Vulnerability Assessment and Advanced Penetration Testing (continued)

Our manual testing techniques include:
✓ Modification of scripts used in automated tools.
✓ Threat hunting on compromised hosts.
✓ Use of manual scripts available in the wild.
✓ Installation of security tools on compromised hosts.
✓ Keyboard entry on compromised hosts.
✓ Exploit of risk found based on newly installed security tools on compromised hosts.

Our penetration testing will involve:
✓ Moving laterally in the environment.
✓ Escalating account privileges.
✓ Attempting to exfiltrate data.
✓ Leaving a trophy.
✓ Cleaning up the environment.

[Flowchart: Execute Automated and Manual Exploits, branching to Exploits Unsuccessful / Exploits Successful]

IDENTIFY AND REMOVE FALSE POSITIVES
The following manual testing methods will be used to identify false positives:
✓ Tools will be configured specifically to the operating system or firmware version of the network device or system being tested.
✓ Our staff will rely on the experience of the subject-matter expert to identify false positives, including those caused by backporting.
✓ Prior to reporting, we will validate our technical findings with IT management.

THEIR APPROACH
✓ Use of automated tools with limited manual tests and no checks for false positives

THE SECURANCE WAY...
✓ Securance will remain flexible to the Borough's larger goals and potentially changing needs as the engagement unfolds.
✓ Results are investigated to ensure that no "false positives" are left with the Borough.
✓ Automated tools are paired with manual testing to provide the Borough a thorough, accurate assessment.

...DELIVERS EXTRA VALUE TO YOU.
✓ The Borough will receive an exact depiction of how a bad actor would breach its network, and, more importantly, the specific steps required to prevent a future network breach.

Software Tools
Securance may use these tools during the penetration testing engagements, depending on the Borough's needs:

✓ Web Application Scanning Tools
• Webinspect: Dynamic application security testing (DAST) tool used to identify vulnerabilities in web applications and services. It scans the web application and uses audit engines to perform an attack, then generates a vulnerability report to aid remediation
• ZAP (Zed Attack Proxy): Stands between the tester's browser and a web application to intercept requests, modify contents, and forward packets
• Nikto: Works from the command line to identify common web flaws, such as server misconfigurations. It performs tests against multiple items, checks for outdated versions of servers, checks for configuration items, and tests intrusion detection systems
• w3af (Web Application Attack and Audit Framework): A scanner with a framework to analyze applications and generate reports with its findings
• WPScan: A security tool for WordPress. It can reveal flaws in WordPress installations, such as the use of the XML-RPC protocol or outdated dependencies. It can also perform brute-force attacks efficiently
• NStalker: An automated scanning tool that provides a comprehensive assessment of web service vulnerabilities. It scans websites for security issues including SQL injection and cross-site scripting
Network Scanning and Enumeration Tools
• NMAP Scanner: Used for network exploration, host discovery, and security auditing; can map an entire network to find its open ports and services and fingerprint an operating system, and can adapt to network conditions, including latency and congestion, during a scan
• NESSUS Scanner: Network vulnerability assessment tool for measuring system risks; used to probe systems and report vulnerabilities that might create an exposure
• GFI LANguard: Designed specifically for Windows and enables users to manage and maintain end-point protection across a network; provides visibility into all the elements in a network, and helps assess where there may be potential vulnerabilities
• Netcat: A UNIX utility that reads and writes data across network connections, using TCP or UDP protocol, which can be used for network troubleshooting, port scanning, and file transferring
• Wireshark: Allows users to capture and browse the traffic running on a computer network; supports hundreds of protocols and can analyze encrypted traffic if the encryption keys are provided
• Gobuster: Efficient software that can be used to enumerate hidden directories and files quickly. Many web applications use default directories and file names that are relatively easy to spot. This tool can use brute-force techniques to discover them
• Amass: Efficient for DNS (Domain Name System) and subdomain enumeration; actively maintained and updated to keep up with the latest techniques and methodologies, and combines various reconnaissance and gathering techniques
• SAINT: A vulnerability scanner approved by the Payment Card Industry (PCI) that scans networks, servers, and applications for weaknesses and provides detailed reports and remediation recommendations

✓ Wireless Network Scanning Tools
• Hashcat: Provides advanced password recovery features and lets testers crack Wi-Fi passwords or password-protected documents such as ZIP files
• Aircrack-ng: Tool for analyzing and cracking wireless networks. Aircrack-ng's main focuses include packet capture and export of data to text files for further processing; replay attacks, de-authentication, fake access points, and others via packet injection; and Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access Pre-Shared Key (WPA-PSK) cracking for WPA and WPA2
• Wifite: A wireless network auditor that deals with current or legacy attacks against WEP and WPA2. It is good for retrieving the password of a wireless access point such as a router

✓ Password Cracking Tools
• John the Ripper: Supports hundreds of hash and cipher types, including for user passwords of Unix flavors, macOS, Windows, web apps, groupware, database servers, network traffic captures, encrypted private keys, filesystems and disks, archives, and document files
• Medusa: A powerful brute-force tool that supports thread-based parallel testing, such as simultaneous brute-force attacks
• Ncrack: Can test all hosts and devices in a network for weak passwords; a set of command-line tools that can scan large networks, allowing sophisticated brute-force attacks
• Rubeus: A tool used in penetration testing for Kerberos sessions that exploits the identified vulnerabilities and performs functions such as crafting keys and granting access using forged certificates

✓ Penetration Testing Tools
• AppDetective: Designed to identify potential security risks and compliance violations in relational database management systems (RDBMS); can also perform penetration testing support, configuration management, and privilege escalation detection
• Cobalt Strike: Threat emulation software to create targeted attacks for penetration testing; simulates real-world attacks and tests the security defenses of organizations' networks and systems
• Burp: A software suite that can perform advanced scans, typically used for traffic interception, such as for HTTP requests
• Metasploit: Contains a vast collection of exploit modules that target known vulnerabilities in various operating systems, applications, and network services; automates the process of exploiting vulnerabilities to gain unauthorized access to target systems
• Fiddler: Collection of manual tools for dealing with web debugging, web session manipulation, and security and performance testing

✓ Exploitation Tools
• SolarWinds: A powerful combination of network discovery, system and security management, monitoring and attack tools
• Metasploit Framework: An advanced open-source platform for developing, testing and using exploit code, as well as identifying vulnerabilities and testing the effectiveness of security controls
• Core Impact: A powerful exploitation tool that can use access from one exploit to further exploit other devices
• BeEF (Browser Exploitation Framework): Aids in enumeration, phishing, and social engineering; provides a GUI and practical client-side attack vectors to target different contexts and achieve various tasks, such as stealing credentials
• SQLmap: Automates the process of detecting and exploiting SQL injection flaws and database server takeovers; can detect various types of SQL injections, and supports an extensive range of databases
• SET (Social Engineer Toolkit): Performs advanced social engineering attacks, allowing users to create payloads, phishing pages like Google login, and other web attacks

✓ Sniffing Tools
• Wireshark: A network sniffer and TCP / IP analysis tool. It can capture and display the data traveling back and forth on a network in real time or by analyzing saved capture files; supports hundreds of protocols and can analyze encrypted traffic
• Ettercap: A packet sniffer that allows users to modify data on the fly and run man-in-the-middle (MITM) attacks; commonly used to intercept passwords with ARP (Address Resolution Protocol) poisoning or spoofing
• Tcpdump: A powerful command-line packet analyzer that prints out a description of the contents of packets on a network interface, preceded by a timestamp
• Wfuzz: Runs brute-force attacks on various elements such as directories, scripts, or forms

Web Application Assessment

Web applications are pieces of software that run in a web browser to exchange information and deliver services. Organizations use web applications to connect with customers conveniently and securely. The Securance approach to testing web applications covers more than just the OWASP Top 10 risks. We evaluate web applications against the following risk categories.

✓ Data Protection: Because web applications often handle sensitive user data such as personal information, login credentials, and financial details, we assess the security and controls implemented to prevent unauthorized access and protect user data from theft or misuse.
✓ User Privacy: We assess how the Borough protects users' personal information to maintain user privacy and build trust.

OUR PROCESS
✓ Preventing Cyber Attacks: We perform automated and manual testing against the categories of attack listed below.
• Boolean parameter tampering
• Injection flaws (e.g., SQL, CRLF)
• Broken access control
• Insecure communications
• Broken authentication and session management
• Buffer and integer overflow
• CGI attacks
• Common HTTP device attacks
• Cross-site request forgery
• Cross-site scripting (XSS)
• Directory / file traversal
• Failure to restrict URL access
• Format string
• Generic HTTP attacks
• Information leakage and improper error handling
• Insecure components
• Insecure cryptographic storage
• Insecure deserialization
• Insufficient logging and monitoring
• Malicious file / remote execution
• Microsoft CGI attacks
• Microsoft IIS attacks
• Parameter deletion
• PHP file include
• Security misconfiguration
• Sensitive data exposure
• Special parameter addition
• XML external entity

Our approach includes unauthenticated as well as authenticated testing. We will obtain a test credential set to log into the web application, uncover hidden input fields, test input parameters, crawl the portal and identify exploratory features, attempt to discover sensitive and private information, uncover common software writing errors, identify common injection vulnerabilities that may allow malicious code execution, and assess error handling that may expose the application.

Web Application Assessment (continued)

Our testing techniques are not only automated; we perform manual testing as well. Our manual testing includes:
✓ URL manipulation.
✓ Input field character testing.
✓ Input field string sanitization testing.
✓ Remote site return validation.
✓ Software version vulnerability testing.
API Testing
Application programming interfaces (API) act as an intermediary layer that processes data transfers between systems, allowing companies to open their application data and functionality to external third-party developers, business partners, and internal departments within their companies. Our API assessment includes:
✓ Evaluating the security of both ends of the Borough's API connection.
✓ Performing manual manipulation testing.
✓ Assessing the Borough's data integrity controls.

Database Assessment
In addition to the operating system-level procedures, we perform a comprehensive security analysis against the portal's back-end database. Initial attempts are made to access the database without credentials. Pending success, we perform a database-specific vulnerability scan using commercial tools (e.g., Application Detective, Tenable).

✓ Compliance with Regulations: We determine if there are specific federal, state, or local compliance requirements to protect user data and assess compliance with them to ensure the Borough will avoid legal consequences.
✓ Financial Impact: As web applications support many financial functions of the Borough's operations, we assess the financial impact of a security breach or legal actions. This includes fines, remediation costs, and/or credit monitoring services.
✓ Availability and Reliability: Ineffective security measures also affect the availability and reliability of web applications. We assess protections against distributed denial-of-service (DDoS) attacks to ensure that the web application remains accessible to users.
✓ Protection Against Malware: Our assessment also includes testing whether the web application is vulnerable to malware attacks, which may compromise the security of users' devices, specifically reviewing the supported browser versions.
✓ Preventing Data Tampering: We review the web application to ensure it prevents unauthorized parties from tampering with data.

Operating System Assessment
If access to the operating system is obtained or provided, we perform a detailed security review of the operating system configuration. These procedures are performed against all servers that comprise the web application infrastructure. Tools used include Rapid7, Tenable, Qualys, and others based on the fingerprint of the operating system.

THEIR APPROACH
✓ Limited, if any, assessment of database, API, and OS security.
THE SECURANCE WAY...
✓ Database-specific testing performed to identify risks.
✓ API-specific testing performed to identify data leakage and integrity.
✓ Operating system-specific testing performed.
...DELIVERS EXTRA VALUE TO YOU.
✓ No risk, threat, or vulnerability is missed.
✓ The Borough will know exactly how to secure the entire application environment.

Wireless Network Security Assessment
Securance assesses the configuration and security of on-premise controller, cloud-based controller, and access point-based wireless networks. Our consultants will interview the wireless network administrator and review the following security controls:

OUR PROCESS
Controller-Based Networks
For wireless networks with an on-premise controller or cloud-based controller, Securance will:
✓ Assess controller configurations.
✓ Evaluate rogue access point detection and management.
✓ Uncover or identify hidden SSIDs.
✓ Assess encryption strength.
✓ Review network segmentation, including user authentication and access.
✓ Review administrative access controls and logging.
✓ Confirm access points can only receive configurations from the controller.
✓ Capture a handshake and attempt to crack the encryption.
✓ Install a rogue access point as a Pineapple device to attempt to divert user access.
✓ Assess device authentication.
For wireless networks with a cloud-based controller, Securance will evaluate the controls listed above to the extent the configurations are modifiable by the wireless administrator.

Access Point-Based Wireless Networks
Our access point-based assessment is similar to our controller-based assessment. However, because each access point has its own configuration, we will assess each access point's configuration individually.

Wireless Network Security Assessment (continued)

Penetration Testing
Using assorted wireless radio devices, including Pineapple tools and various wireless adapters, we will intercept encrypted and unencrypted network packets. Depending on the rules of engagement, we will:
✓ Passively sniff and attempt to capture handshakes between the access point and client.
✓ Attempt to deauthenticate clients from the wireless network and capture the reestablished handshakes between the access point and client.
✓ Establish a rogue access point to lure client devices and capture their wireless authentication credentials.
✓ Attempt to crack the encrypted credentials and use them to breach the wireless network.
After gaining access to the wireless network, we will:
✓ Deploy executables and scripts to gain a presence on the network.
✓ Capture device and network information.
✓ Escalate privileges.
✓ Disable local firewalls and antivirus software.
✓ Create a new privileged user.
✓ Move laterally to access and gain control of the domain controller(s).
✓ Exfiltrate data from host machines.
✓ Hide evidence of our breach.
Securance may use the following tools in this assessment:
✓ Vistumbler
✓ iStumbler
✓ Kismet
✓ Aircrack-ng suite
✓ Ncrack
✓ Hashcat
✓ John the Ripper
✓ Cain and Abel
✓ Mimikatz
✓ Advanced IP Scanner

THEIR APPROACH
✓ Perform interviews and configuration review of the wireless network.
THE SECURANCE WAY...
✓ Assesses not only the controller but also the access points.
✓ Installs a Pineapple to capture and decrypt the handshake to penetrate the internal network.
...DELIVERS EXTRA VALUE TO YOU.
✓ Comprehensive analysis of how the wireless network can be used as a vector to attack the internal network, with detailed recommendations to secure the wireless network.

Enterprise Application Security Assessment
Securance has conducted enterprise application assessments for clients across all major industries in our 22 years of cybersecurity service. A proper enterprise application integrates computer systems within an organization so all work and core business processes (e.g., sales, accounting, finance, human resources, manufacturing) can be coordinated. Securance's methodology for assessing overall enterprise application security includes analyzing all layers of the application, including presentation, application business logic, database store, and operating system, as well as the IT general controls that govern the Borough's environment.

OUR PROCESS
✓ Presentation Layer
✓ Application Layer
✓ Database Layer
✓ Operating System Assessment

Presentation Layer
The presentation layer refers to what the Borough presents to the world on the Internet or intranet. Keeping this layer separate from others allows the existing interfaces or design to be updated without making any changes to the backend layers. As most current applications are browser-based, either Internet- or intranet-facing, our testing approach follows Open Worldwide Application Security Project (OWASP) standards.
We will assess the Borough's Internet / intranet-facing applications using the following tools with unauthenticated and authenticated testing and manual and automated procedures.
✓ Securance may use the following tools to test the Borough's presentation layer:
• Burp Suite
• NStalker
• OWASP ZAP
• Tenable
• Webinspect

[Diagram: application stack layers: Presentation, Application Logic, Business Logic, APIs, Database, Operating System (Linux, Unix, Windows Server)]

Enterprise Application Security Assessment (continued)

Application Layer
The application layer is the layer with which users interact, and serves to exchange information between applications running on other computers. Securance will work with the Borough to ensure that its application is configured effectively to reduce possible risks. If the application is internally developed, we will review its system development methodology to identify any inherent weaknesses in the system development life cycle (SDLC) and project management methodology. We will determine if the application is founded on best practices for coding, and we will ensure that:
✓ High-risk functions are restricted to authorized users and reviewed by management.
✓ Adequate segregation of duties is established.
✓ Application controls are effective.
✓ Cross-validation rules are established.
✓ Configurable application control and tolerance settings that address risks pertaining to the validity, completeness, and accuracy of master data are properly adjusted.

Database Layer
At the database layer, we will perform an administration and configuration analysis to identify administrative risks and technical vulnerabilities. Securance's methodology for conducting a database-specific security assessment is flexible and built around the unique usage of the application supported by the database. Our approach involves:
✓ Assessing the administrative practices supporting the database.
✓ Assessing the general controls supporting the database environment.
✓ Identifying weaknesses in database design schema, technical vulnerabilities, and entry points through which unauthorized users could gain direct access to the database to extract or insert data.
✓ Assessing the system to determine how it may have been affected by any of the discovered database security risks.
✓ The database review includes assessments of the following universal database controls, as well as MySQL, Microsoft SQL and Oracle specific controls:
• Accounts with no password
• Agent jobs privilege escalation
• Application-specific DB-related buffer overflows
• Automated table auditing
• Blank password
• Blank password for well-known login
• Comparisons against industry average and leading practices
• Console password not set
• Database account management
• Default passwords
• Default password for well-known login
• Disabled accounts
• Easily guessed passwords
• Easily guessed passwords on sensitive accounts
• Extended stored proc privilege upgrade
• Latest service pack / hot fix not applied
• Look for permissions granted to view the linked table
• Password attack
• Password same as login name
• PL / SQL injection
• Proxy password in secure registry key
• Permissions on sensitive tasks
• Public can create agent jobs
• Several DBCC buffer overflows
• Several parameter buffer overflows
• Slammer / Sapphire Worm
• Temporary stored procedures bypass permissions
• XSTATUS backdoor
Securance may use tools like Application Detective and Tenable, as well as manual procedures, to carry out the database layer assessment.
API Testing
Application Programming Interfaces (API) act as an intermediary layer that processes data transfers between systems, allowing companies to open their application data and functionality to external third-party developers, business partners, and internal departments within their companies. Our API assessment includes:
✓ Evaluating the security of both ends of the Borough's API connection.
✓ Performing manual manipulation testing.
✓ Assessing the Borough's data integrity controls.

Operating System Assessment
The operating system is the environment in which an application runs. If not properly patched and updated, it will accrue vulnerabilities and leave application security susceptible to compromise. Our assessment is designed to ensure the organization's servers maintain a stable and secure environment and effective controls and policies to deter both physical and Internet-based malicious attacks.

THEIR APPROACH
✓ Limited, if any, assessment of database, API, and OS security.
THE SECURANCE WAY...
✓ Database-specific testing performed to identify risks.
✓ API-specific testing performed to identify data leakage and integrity.
✓ Operating system-specific testing performed.
...DELIVERS EXTRA VALUE TO YOU.
✓ No risk, threat, or vulnerability is missed.
✓ The Borough will know exactly how to secure the entire application environment.

Enterprise Application Security Assessment (continued)

We will evaluate each server operating system (OS) that hosts a presentation layer, application layer, and database layer for:
✓ OS-level vulnerabilities.
✓ Configuration aligned with the Borough's standards and best practices, including the NIST CSF.
✓ The following are included in our operating system analysis:

Windows Server Review:
• 50+ security option settings
• Account policy (if applicable)
• Account policy settings (if applicable)
• Accounts with no password
• Change / patch management
• Comparisons against industry average and leading practice
• Connected servers and workstations
• Customer-selected registry key values
• Directory rights and privileges
• Disabled accounts
• Discretionary access controls
• Event logging (if applicable)
• Group management
• Group policy objects (GPO) and links
• Network connections
• Network shares
• OS-specific vulnerability management (if applicable)
• Overall structure
• RAS dial-in
• Security updates, patches, and hot fixes
• Services and drivers installed
• Trusted and trusting servers
• User administration
• User management

UNIX / Linux Server Review:
• Accounts with expired dates
• All password-related settings
• Change / patch management
• Comparisons against industry leading practice
• Current network connections
• Disabled usernames
• Discrepancies in password / shadow password files
• Files with world-writable permissions
• FTP access
• Group administrators
• Groups and group members
• Guest account management
• Last logins
• Login retries
• Network services enabled
• OS-specific vulnerability management
• Password shadowing
• Passwords 30 days or older
• Permissions on sensitive files and directories
• Redundant groups and members
• Root account management and control
• SUID and SGID permissions
• System login script file
• System search paths
• System-wide security settings
• Trivial passwords
• Trusted hosts
• Use and control of "r" commands
• Use of Telnet and high-risk protocols
• User administration
• Usernames, UIDs, and home directory
• Users allowed to login remotely
• Users with administrative status

Enterprise Application Security Assessment (continued)

In addition to performing a comprehensive review of the enterprise application, our approach also includes an assessment of the supporting IT general controls. We will assess the IT general controls supporting the application environment and compare them to the NIST CSF and PCI DSS. The most common IT processes supporting an enterprise application include:
✓ Batch job scheduling.
✓ Password controls.
✓ Patch management.
✓ Physical security (on-premise applications only).
✓ Program change management.
✓ System and data backup.
✓ System and data recovery.
✓ User provisioning.

[Diagram: IT governance framework: Business Objectives; IT Governance; IT Strategy; Architecture; IT Operations; Cybersecurity Framework (NIST CSF, PCI DSS); Regulatory Compliance (Federal, State, Local)]

Our assessment of these processes will be specific to the target enterprise application and include the following tasks:
✓ Obtain and review supporting IT policies, procedures, standards, and guidelines
✓ Interviews with technology administrators and / or IT process owners
✓ Identification of controls stipulated in policy documentation and comparison to the NIST CSF and PCI DSS
✓ Performance of a test of design to ensure our understanding of the controls to be tested
✓ Discussion and confirmation of the results of the test of design
✓ Use of IT security and audit tools to perform specialized testing
✓ Online and real-time review of technical configuration settings
✓ Analysis of collected documents, technical reports, and other audit evidence
✓ Sample testing to opine on the operating effectiveness of controls
✓ Completing our issue tracker for all potential findings
✓ Immediate review with the Borough's IT staff of any potential finding deemed Urgent or Critical
✓ Discussion and confirmation of potential findings with the Borough's IT staff and key stakeholders
These tasks will complete our Enterprise Application assessment and inform our actionable findings and observations.
Enterprise Application Security Assessment (continued)

THEIR APPROACH
✓ Focuses on the application-specific controls only.
THE SECURANCE WAY...
✓ Assesses the entire application stack. Includes supporting IT general controls.
✓ Incorporates technical testing where appropriate.
...DELIVERS EXTRA VALUE TO YOU.
✓ A comprehensive assessment report of every risk and technical vulnerability within the application environment.

Next-Generation Firewall Assessment
Securance's approach to performing firewall configuration reviews addresses misconfigurations, vulnerabilities, supporting IT processes, and other weaknesses that could leave an organization susceptible to attack. To ensure the Borough's firewall configuration is secure, we will assess the current configuration against best practice guidelines. We will discern the optimal configuration for your firewall, according to your network environment and security goals. Our comprehensive assessment begins with gaining an understanding of the role the device plays in protecting and/or segmenting the Borough's network infrastructure. Once we have gained an understanding of the firewall's role, our process includes the following steps.

OUR PROCESS
✓ Assessing the firewall environment and infrastructure
• Interview firewall administrator(s)
• Review network and firewall diagrams
• Identify the current firmware version
• Identify Internet service providers
• Identify remote connections
• Identify additional methods of Internet access
• Obtain default vendor configuration
✓ Reviewing administrative and access controls
• Review administrator roles and responsibilities
• Identify primary and backup administrators
• Review password policy
✓ Evaluating authentication methods
✓ Reviewing hardware and assets
• IP addresses / URLs
✓ Assessing configuration against best practice standards (e.g., CIS, DISA)
• Review ruleset line by line
• Identify problem rules
• Identify redundant rules
• Identify circular rules
• Perform a vulnerability scan of the device(s)
• Review logs manually
• Analyze traffic patterns
• Identify potential virus and hack attempts
• Recommend potential rules to improve security
• Assess use of insecure protocols

Next-Generation Firewall Assessment (continued)

In addition, next-generation firewalls can provide several subscription-based services.
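The ruleset review steps above (line-by-line review, redundant rules, insecure protocols) as an added example that is neither Securance's tooling nor part of the proposal: a first-match review of a constructed ruleset that flags rules fully covered by an earlier rule (redundant when the action matches, shadowed when it does not) and permit rules that expose clear-text services; the rule format, the sample rules and the list of insecure services are assumptions made for this example.

```python
"""First-match firewall ruleset review: shadowed/redundant rules and clear-text permits.

Added example, not Securance's tooling. The rule syntax, the sample rules and
the insecure-service list are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed ruleset in an assumed "number action proto src dst port[-port]" format.
RULESET = [
    "10 permit tcp 10.20.0.0/16 10.1.1.10/32 443",
    "20 permit tcp 10.20.5.0/24 10.1.1.10/32 443",
    "30 permit tcp 0.0.0.0/0 10.1.1.20/32 23",
    "40 deny tcp 10.20.0.0/16 10.1.1.30/32 22",
    "50 permit tcp 10.20.7.0/24 10.1.1.30/32 22",
    "60 permit any 0.0.0.0/0 10.1.1.40/32 0-65535",
    "70 deny any 0.0.0.0/0 0.0.0.0/0 0-65535",
]

# Clear-text services the review treats as insecure (assumption for this example).
INSECURE_SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("udp", 69): "tftp"}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple[int, int]      # inclusive destination port range


def parse_rule(line: str) -> Rule:
    """Parse one line of the assumed rule syntax into a Rule."""
    num, action, proto, src, dst, port = line.split()
    lo, _, hi = port.partition("-")
    return Rule(int(num), action, proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst),
                (int(lo), int(hi or lo)))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (
        outer.proto in ("any", inner.proto)
        and inner.src.subnet_of(outer.src)
        and inner.dst.subnet_of(outer.dst)
        and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1]
    )


def review(rules: list[Rule]) -> list[str]:
    """Walk the ruleset in order and report the problem rules found."""
    findings: list[str] = []
    for i, rule in enumerate(rules):
        # First-match semantics: an earlier rule that covers this one decides
        # every packet it could match, so this rule never takes effect.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                if earlier.action == rule.action:
                    findings.append(f"rule {rule.number} is redundant: already covered by rule {earlier.number}")
                else:
                    findings.append(f"rule {rule.number} is shadowed by rule {earlier.number} and never matches")
                break
        if rule.action != "permit":
            continue
        # Permits that expose clear-text services (insecure protocols).
        for (proto, port), name in INSECURE_SERVICES.items():
            if rule.proto in ("any", proto) and rule.ports[0] <= port <= rule.ports[1]:
                findings.append(f"rule {rule.number} permits insecure protocol {name}/{port} to {rule.dst}")
        # Overly broad permit: any source to every port of the destination.
        if rule.src.prefixlen == 0 and rule.ports == (0, 65535):
            findings.append(f"rule {rule.number} permits any source to all ports on {rule.dst}")
    return findings


def review_ruleset(lines: list[str]) -> list[str]:
    """Parse and review a ruleset given as text lines."""
    return review([parse_rule(line) for line in lines])


if __name__ == "__main__":
    for finding in review_ruleset(RULESET):
        print(finding)
```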
The diagram below illustrates some of the available services.

[Diagram: next-generation firewall subscription services: Malware Security (detection, reporting); Content / URL Filtering; Application Control (restricts access to risky applications, follows organizational policies, prioritizes, deprioritizes, or blocks traffic to optimize bandwidth); Intrusion Detection / Prevention System]

Based on the services the Borough subscribes to, we will evaluate how those services are configured. Examples are below.

✓ Intrusion detection / prevention system:
  • Ensure IPS is calibrated appropriately to solely stop intruders and not the Borough's actual users
  • Ensure IDS and IPS are placed where they best function in the infrastructure
    - Deploy IDS out of band so it can analyze all traffic and generate intrusion events from suspect or malicious traffic
    - Deploy IPS in the path of traffic so that all traffic must pass through the appliance to continue to its destination, or it can disrupt the connection in the event of malicious intent
  • Configure to block an attack
✓ VPN:
  • Establish another layer of protection to the Borough's network
  • Establish connections with network defenders
  • Encrypt your network
✓ URL / Content Filtering:
  • Ensure filtering is enabled and up to date to safeguard users from online threats by offering precise control over user access and engagement with internet content by recognizing patterns indicative of undesirable content
✓ Application Control:
  • Restricts access to risky applications
  • Follows organizational policies
  • Prioritizes, deprioritizes, or blocks traffic to optimize bandwidth
✓ Malware Security:
  • Ensure anti-malware definitions are updated in real time
  • Includes: logging, reporting, detection, machine learning behavior analysis, signature-based detection, static file analysis, dynamic malware analysis, honeypot files, cyclic redundancy check (CRC), application allowlisting

THEIR APPROACH
✓ Typically, a desktop and administrative review of the rule set
✓ Shallow knowledge of next-generation firewalls as a pillar of zero-trust network architecture

THE SECURANCE WAY...
✓ We take the time to understand the role of the firewall and how it is administered.
✓ We evaluate beyond firewall rules.
✓ We provide consultation on opportunities to optimize the firewall.

...DELIVERS EXTRA VALUE TO YOU.
✓ First layer of defense configured to prevent unauthorized access or a network breach

SECURANCE APPROACH AND METHODOLOGIES
Switch Configuration Review

Network device reviews are critical for maintaining secure network infrastructure. The Securance methodology for evaluating the security of these network devices focuses on ensuring components are correctly configured and firmware is updated to create and maintain a network devoid of infrastructural weaknesses.

[Diagram: ISP Router, Firewall, Router, Switch, Local Area Network (LAN)]

OUR PROCESS
Pre-Assessment
✓ Interview device administrator(s) to gain a preliminary understanding of the devices in the network and their current configurations.

Analysis
✓ Perform an automated and manual, line-by-line review of device configuration, ensuring:
  • The device is running the most up-to-date firmware version.
  • Default manufacturer passwords are not in use.
  • Insecure protocols are not in place: Telnet, unencrypted communications, File Transfer Protocol (FTP).
  • Access control is strong. Securance will review Access Control Lists (ACLs) to control traffic flow, restrict unauthorized access, and enhance security.
  • Network Address Translation (NAT) is properly implemented to effectively manage translating private and public IP addresses.
  • Virtual Local Area Networks (VLANs) are configured to better segment network traffic.
  • Spanning Tree Protocol (STP) is configured to prevent network loops and ensure redundancy.
  • Port Security is configured to enhance protection against unauthorized devices.
  • Quality of Service (QoS) settings are configured to prioritize certain aspects of the Borough's network traffic.
  • Changes to the device configuration comply with organizational change management procedures.

Vulnerability Scan
✓ Perform an unauthenticated and/or authenticated vulnerability scan of the device to identify vulnerabilities associated with the specific device. Based on the identified vulnerabilities, perform specific exploit testing with a goal of obtaining full control of the device.

Monitoring
✓ Review logs using manual and automated techniques to verify that:
  • Logging for security events is enabled.
  • Logs are housed in a central location.
  • Sensitive information, such as passwords, is not logged.
  • Logs are not altered.
  • Alerts are set up.
  • Logs are aggregated with other technology logs.
  • Logs are reviewed on a regular basis.

Gap Analysis
✓ Compare device configuration and policies to the Center for Internet Security (CIS) benchmarks to identify gaps and develop a plan for the Borough to remediate them.

THEIR APPROACH
✓ Typically, a desktop and administrative review of the device's configuration.
✓ Results are based on superficial analysis providing incomplete recommendations.

THE SECURANCE WAY...
✓ Thorough examination of configuration, security, and best-practice adherence.
✓ Performs vulnerability scan to focus on critical areas and potential network risks.

...DELIVERS EXTRA VALUE TO YOU.
✓ The Borough will receive a risk-focused and well-documented report that provides clear solutions with actionable improvement steps.
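The line-by-line configuration review described in the Analysis and Monitoring steps above can be partly automated. The following is an added example written for this page, not Securance's tooling and not a Borough device configuration: it parses two constructed IOS-style configurations and reports the items on the checklist it can see statically (default passwords, Telnet/HTTP/FTP, cleartext secrets, port security on access ports, STP BPDU guard on PortFast ports, and a central syslog destination). The password list, the configuration text, and the choice of checks are assumptions made for the example; firmware currency, NAT, ACL intent, and change-management compliance need the interviews and scans the methodology describes.

```python
"""Added example (not part of the proposal): static review of a switch
configuration against several checklist items. Both configurations below are
constructed for illustration, in IOS-style syntax."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str   # review item the configuration fails
    detail: str  # where in the configuration it was observed


# Vendor defaults and lab-guide passwords; a real review would use a larger list.
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}


def split_interfaces(lines):
    """Separate top-level lines from per-interface sub-blocks."""
    global_lines, interfaces, current = [], {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None   # any other top-level line ends the interface block
            global_lines.append(line.strip())
    return global_lines, interfaces


def review_config(text):
    """Return the findings for one device configuration, in configuration order."""
    global_lines, interfaces = split_interfaces(text.splitlines())
    findings = []
    for line in global_lines:
        words = line.split()
        if line.startswith("transport input") and "telnet" in words:
            findings.append(Finding("insecure-protocol", f"Telnet accepted on management lines ('{line}')"))
        elif line == "ip http server":
            findings.append(Finding("insecure-protocol", "cleartext HTTP management enabled"))
        elif line.startswith("ip ftp"):
            findings.append(Finding("insecure-protocol", f"FTP configured ('{line}')"))
        if line.startswith("enable password"):
            findings.append(Finding("weak-credential", "'enable password' used instead of 'enable secret'"))
        if line.startswith(("enable password", "username ")) and words[-1].lower() in DEFAULT_PASSWORDS:
            findings.append(Finding("default-password", f"well-known password on '{words[0]} {words[1]}'"))
    if "service password-encryption" not in global_lines:
        findings.append(Finding("cleartext-secrets", "'service password-encryption' is not set"))
    for name, sub in interfaces.items():
        if "switchport mode access" in sub and not any(s.startswith("switchport port-security") for s in sub):
            findings.append(Finding("port-security", f"{name}: access port without port security"))
        if "spanning-tree portfast" in sub and "spanning-tree bpduguard enable" not in sub:
            findings.append(Finding("stp-guard", f"{name}: PortFast without BPDU guard"))
    if not any(l.startswith("logging host") for l in global_lines):
        findings.append(Finding("logging", "no central syslog destination configured"))
    return findings


def summarize(findings):
    """Count findings per review item."""
    counts = {}
    for finding in findings:
        counts[finding.check] = counts.get(finding.check, 0) + 1
    return counts


# Constructed configuration with several checklist failures.
SAMPLE_CONFIG = """\
hostname constructed-access-sw1
enable password cisco
ip ftp username admin
ip http server
no ip http secure-server
username admin privilege 15 password 0 cisco
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/48
 switchport mode trunk
logging host 192.0.2.10
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same device after remediation (constructed; the hashes are placeholders).
HARDENED_CONFIG = """\
hostname constructed-access-sw1
service password-encryption
enable secret 9 $9$constructedhash
username admin privilege 15 secret 9 $9$constructedhash
no ip http server
ip http secure-server
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
logging host 192.0.2.10
line vty 0 4
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for f in review_config(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.detail}")
    print("hardened findings:", review_config(HARDENED_CONFIG))
```

The first configuration yields nine findings across six checklist items; the hardened one yields none.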
SECURANCE APPROACH AND METHODOLOGIES
Active Directory Assessment

Active Directory, Azure AD, and multi-factor authentication tool vulnerabilities can give attackers virtually unrestricted access to your organization's network and resources. Securance's methodology for assessing the security of directory services is comprehensive and supports testing the entire architecture, users, and objects to decrease the likelihood of abuse and escalation attacks, including discovering indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment.

✓ Our process begins with gaining an understanding of the design of the directory services, including:
  • Domain Services: used to store directory information and manage users and resources
  • Lightweight Directory Services: manages multiple instances on one system and holds directory data in data stores
  • Certificate Services: issuance and management of digital security certificates
  • Federation Services: manages user authentication to multiple applications, including on different networks
  • Rights Management Services: content encryption and control of access permissions to content

[Diagram: On-Premise Directory Services, Azure AD Connect, Third-Party Cloud Providers, API]

OUR PROCESS
✓ We evaluate the most common threats, including:
  • Default settings: Microsoft provides Windows Active Directory with predefined security settings, which may not be enough for your organization's needs, especially since hackers are already familiar with default settings and can use this knowledge when attempting to find and exploit AD security gaps.
  • Unnecessarily broad access rights: There is always a risk that system administrators may grant too many privileges to a certain user or group of users. When provided with a higher level of access than needed to perform their jobs, users can be tempted to abuse their access rights with malicious intent.
    Also, if accounts with extra access privileges are compromised, external attackers will have access to your most valuable resources and data.
  • Weak passwords for admin accounts: Hackers are likely to use brute force attacks on AD environments, targeting uncomplex passwords for administrative accounts. If those passwords are easy to guess, your organization's data security is at risk.
  • Unpatched vulnerabilities on AD servers: Updating software to the latest version along with searching for and patching vulnerabilities is crucial. Otherwise, hackers can find their way into your organization's IT environment by exploiting unpatched applications and operating systems on AD servers.

✓ We also perform a granular review of the following:
  • Domain structure
  • Forest, organizational units, and their links to group policy objects (GPOs)
  • Trusted and trusting domains
  • Use of service accounts
  • Use and configuration of multi-factor authentication
  • Domain policies
  • Password settings objects or default password policy
  • Audit policy
  • Security option settings controlled via the registry
  • User attributes
  • Privileged user account management
  • Use of shared accounts
  • Accounts allowed to dial in
  • Accounts not requiring passwords
  • Discretionary access controls (DAC) for containers
  • Expired, disabled, and locked accounts
  • Home directories, logon scripts, and profiles
  • Local, global, and universal groups and their respective members
  • Passwords 30 days and older
  • Network shares
  • User and object rights and privileges
  • Users not required to change their passwords
  • Use of administrator tools and how they are configured
    - Netwrix: Monitors user activity across multiple critical systems, including Active Directory, Group Policy, file servers, Windows Server, Exchange, Office 365, and SQL Server.
    - ManageEngine ADAudit Plus: Monitors logons, analyzes lockouts, and detects changes to users, groups, organizational units (OUs), group policy objects (GPOs), and other AD objects.
    - Microsoft AD Audit: Plays a critical role in maintaining security, compliance, and operational efficiency within your Windows Server environment.
    - Microsoft Best Practices Analyzer (BPA): Measures a role's compliance with best-practice rules across eight categories related to effectiveness, trustworthiness, and reliability.
  • AD host configuration: If access to the operating system is obtained or provided, we perform a detailed security review of the operating system configuration. These procedures are performed against all servers that comprise the AD host configuration. Tools used include Rapid7, Tenable, Qualys, and others based on the fingerprint of the operating system.
✓ Then, we compare Active Directory configuration and security to industry standards and best practices, including the NIST CSF and PCI DSS.

THEIR APPROACH
✓ Focuses only on basic checks and misses critical areas
✓ Generates a generic report without actionable insights

THE SECURANCE WAY...
✓ Covers all aspects of Active Directory, including domain controllers, trusts, group policies, security settings, and all user accounts
✓ Examines both technical and organizational aspects

...DELIVERS EXTRA VALUE TO YOU.
✓ Securance will provide the Borough with detailed documentation, including findings, recommendations, and remediation steps that consider the Borough's unique environment, business needs, and compliance requirements.
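Several of the granular review items above (accounts not requiring passwords, passwords 30 days and older, users not required to change their passwords, disabled and locked accounts, dial-in permission, privileged group membership) are attribute checks that can be run over an exported user list. The following is an added example written for this page, not Securance's procedure and not Borough data: it assumes the accounts have already been exported with pwdLastSet converted from FILETIME to a datetime and lockout state derived from lockoutTime, and every account record and the review date are constructed. The userAccountControl bit values are Microsoft's documented flags; the privileged group list and the check names are this example's own.

```python
"""Added example (not part of the proposal): attribute checks over exported AD
user accounts for the checklist items named in the lead-in. All records are
constructed; nothing here is Borough data."""
from dataclasses import dataclass
from datetime import datetime, timezone

# userAccountControl bit flags (documented values for AD user objects).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Groups the example treats as privileged (its own selection).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
MAX_PASSWORD_AGE_DAYS = 30   # threshold named in the review checklist


@dataclass(frozen=True)
class Account:
    sam: str                   # sAMAccountName
    uac: int                   # userAccountControl
    pwd_last_set: datetime     # pwdLastSet, already converted from FILETIME (UTC)
    member_of: tuple = ()      # group names from memberOf
    dial_in: bool = False      # msNPAllowDialin
    locked_out: bool = False   # derived from lockoutTime; the plain UAC attribute
                               # does not reflect lockouts in Active Directory


def audit_accounts(accounts, review_date):
    """Return (sAMAccountName, check) pairs for every account failing a check."""
    findings = []
    for acct in accounts:
        privileged = bool(set(acct.member_of) & PRIVILEGED_GROUPS)
        if acct.uac & PASSWD_NOTREQD:
            findings.append((acct.sam, "passwd-not-required"))
        if acct.uac & DONT_EXPIRE_PASSWORD:
            findings.append((acct.sam, "no-expiry"))
            if privileged:
                findings.append((acct.sam, "privileged-no-expiry"))
        if (review_date - acct.pwd_last_set).days >= MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.sam, "stale-password"))
        if acct.uac & ACCOUNTDISABLE and privileged:
            findings.append((acct.sam, "disabled-privileged"))
        if acct.locked_out:
            findings.append((acct.sam, "locked-out"))
        if acct.dial_in:
            findings.append((acct.sam, "dial-in"))
    return findings


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


REVIEW_DATE = _utc(2024, 9, 1)   # constructed review date

# Constructed export: one clean account and five that each fail a check.
SAMPLE_ACCOUNTS = [
    Account("jsmith", NORMAL_ACCOUNT, _utc(2024, 8, 20)),
    Account("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, _utc(2021, 3, 1), ("Domain Admins",)),
    Account("kiosk", NORMAL_ACCOUNT | PASSWD_NOTREQD, _utc(2024, 8, 15)),
    Account("rjones_old", NORMAL_ACCOUNT | ACCOUNTDISABLE, _utc(2024, 8, 10), ("Domain Admins",)),
    Account("vpn_contractor", NORMAL_ACCOUNT, _utc(2024, 7, 1), dial_in=True),
    Account("tlock", NORMAL_ACCOUNT, _utc(2024, 8, 25), locked_out=True),
]

if __name__ == "__main__":
    for sam, check in audit_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{sam}: {check}")
```

The service account with a non-expiring, three-year-old password in Domain Admins produces three findings on its own, which is the pattern the "unnecessarily broad access rights" and "weak passwords for admin accounts" threats above describe.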
SECURANCE APPROACH AND METHODOLOGIES
Incident Response Plan Tabletop Exercise

A well-prepared and performed incident response plan (IRP) tabletop exercise helps a company to respond swiftly and effectively when situations demand it. The incident response process incorporates several stages that are performed in an ongoing cycle to minimize the impact of an incident to the organization. A mature IRP must address the following phases of incident response:

[Diagram: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity]

OUR PROCESS
✓ Preparation: The steps taken before an incident occurs, as well as those taken at the conclusion of incidents, exercises, and training to provide continuous improvement to the overall Incident Response Plan and processes.
✓ Detection and Analysis: The process for identifying, reviewing, and analyzing identified information, as well as declaring an incident and classifying its severity, as part of ongoing monitoring processes both in the environment and the external landscape.
✓ Containment, Eradication & Recovery: The steps taken to limit the scope of the incident, reduce it during response, eliminate the cause of the incident and further defeat the threat to prevent further damage, and finally restore the information resources and services to a functional level.
✓ Post-Incident Activity: Measures taken to ensure that lessons can be learned to inform future protection efforts and detection capabilities, as well as those that can be used to improve incident response processes to increase the organization's efficiency. Additionally, post-incident activities include preparing the necessary reports to provide stakeholders with the information they require for ongoing management of cybersecurity and information technology risks.

The tabletop exercise serves a key purpose during the Preparation stage.
After each tabletop exercise, the organization can participate in the Post-Incident Activity review, which offers opportunities for continuous improvement through lessons-learned discussions.

Establishing a formal IRP is only the beginning. The real question is: does it work? Securance's consultants will train the Borough's relevant stakeholders and staff by facilitating tabletop exercises that are designed to improve the quality and effectiveness of the Borough's IRP and incident response capabilities.

OUR PROCESS (continued)
Planning the Exercise
As part of the planning for a tabletop exercise, through a co-development session, the team will:
✓ Define the exercise format.
✓ Establish goals for the exercise.
✓ Define the objectives, including assessing:
  • Communication: Identify and remove any silos that may delay responding to issues.
  • Escalation: Communicate with stakeholders so that decision makers have the information they need to take decisive action.
  • Teamwork: Ensure teamwork is used to reach appropriate and, where necessary, creative solutions.
  • Ability to Adapt and Overcome: Regardless of obstacles, ensure that a successful and secure incident recovery occurs.
  • Test Plans and Processes: Ensure that contingency plans and processes exist to provide for ongoing business support in the wake of a cybersecurity attack.
  • Engagement: Provide an opportunity for the IT Department's team and key supporting departments to collaborate and test their capabilities.
  • Improvement: Use the laboratory-type environment to identify improvement areas in advance of any real-world cybersecurity events.
✓ Define the exercise's participants.
✓ Design a scenario and event timeline:
  • Scenarios can range from a simple account takeover to a full-blown ransomware attack presenting a message to a system administrator as depicted below:
    [Figure: sample ransomware message displayed to a system administrator]
  • Major event timelines can appear as follows:
    [Figure: sample major event timeline; recoverable column labels: Prior to Attack, Weekend Prior to Detection, Morning of Detection (0400), 0600, 0700, 0720, 1100]

Conducting the Tabletop Exercise
Based on established cybersecurity and best practice frameworks, Securance will:
✓ Facilitate the tabletop exercise with the Borough's participants.
✓ Review the exercise's results and conclusions with the Borough's participants.
✓ Document the exercise results and conclusions in a non-technical report.
✓ Provide guidance on how to improve and/or develop the Borough's IRP.

THEIR APPROACH
✓ Use of Internet-based IRP templates, not customized to the Borough's environment

THE SECURANCE WAY...
✓ Mimics the process of responding to a live incident, including discussions regarding responsibilities, risks, and task prioritization
✓ Mirrors potential threats the Borough may face, and challenges decision-making and coordination
✓ Documents incident logs, communication records, and decision points
✓ Encourages collaboration, communication, and critical thinking

...DELIVERS EXTRA VALUE TO YOU.
✓ Securance will work with the Borough to complete an exercise that is customized to the Borough's exercise objectives, informs adjustments needed to incident response capabilities / plans, and prepares the Borough to respond efficiently to a security incident.
SECURANCE APPROACH AND METHODOLOGIES
Business Continuity and Disaster Recovery Plan Review

The goal of business continuity plans (BCPs) and disaster recovery plans (DRPs) is to achieve cyber resilience by minimizing the effects of disruptions and outages on operations. Our approach to reviewing disaster recovery plans is aligned with best practices from the International Disaster Recovery Plan Association (IDRA), the Business Continuity Planners Association (BCPA), and the Disaster Recovery Institute (DRI). We update our methodology frequently to remain in line with current trends, including the adoption of cloud services, where redundancy and continuity of operations are transferred to the service provider.

A typical DRP is composed of the components in the diagram below. Securance's assessment of DRPs includes review of the granular details within each component based on the Borough's needs.

[Diagram: DRP components: Identify Scope; Disaster Recovery Planning; Data and Back-ups; Appoint Emergency Contacts; Disaster Recovery Team; Roles and Responsibilities; Restoring Technology Functionality; Assemble Plan; Testing and Maintenance]

Assessment Planning
✓ Meet with key stakeholders to understand the drivers and objectives of the assessment
✓ Meet with information technology leadership, application managers, and network administrator(s) to establish a high-level understanding of the IT environment
✓ Gather relevant documents, including:
  • Business impact analysis
  • Network diagrams
  • Application portfolios
  • Data center information
  • Cloud service providers

THEIR APPROACH
✓ Reviews based on limited information or strictly relying on published standards

THE SECURANCE WAY...
✓ Understanding the Borough's drivers, objectives, and internal strategy
✓ Incorporates reliance on third-party cloud providers, including review of cloud contracts, to ensure continuity of operations is included

...DELIVERS EXTRA VALUE TO YOU.
✓ Our assessment will align the Borough's BCP / DRP to its unique needs to ensure continuity of operations, irrespective of the type of unplanned business disruption.

Assessment Fieldwork
✓ Schedule interview sessions with appropriate stakeholders to gain a deep understanding of the internal strategy regarding operational continuity
✓ Review previous disruptions and remediation projects
✓ Identify critical IT assets and their maximum allowable downtime (MAD)
✓ Identify current response procedures for critical outages
✓ Determine when these procedures were last tested
✓ Identify and assess vendor emergency response capabilities
✓ Develop an executive and management report on the gaps identified
✓ Provide actionable remediation recommendations
✓ Review management's responses to remediation recommendations to validate that findings are addressed
✓ Conduct a gap analysis by assessing the details of each DRP section, including ensuring the following:
  • Business impact analysis (BIA) exists
  • Plan maintenance is provided
  • Dependencies are listed
  • Assumptions are listed
  • Recovery location is provided, with map
  • Crisis team is named
  • Crisis team command structure is listed
  • IT team contact information is listed
  • Recovery strategies are listed
  • High-level recovery tasks are listed
  • Critical systems are defined by priority
  • Technology vendor contact is listed
  • Technology vendor contract or account number is listed
  • Infrastructure recovery procedures are listed
  • Technology-specific recovery procedures are listed
  • Recovery time objective (RTO) is defined
  • DRP testing strategy is defined
  • DRP testing is performed
  • Lessons learned are documented

PROJECT TIMELINE
Schedule

The chart below outlines each step in our audit process, designating major tasks, subtasks, key milestones, and the anticipated task owner. This project plan will be refined during the planning phases of the engagement between Securance and the Borough.

[Project schedule chart. The month columns and the milestone markers (project status meetings, work product reviews) did not survive extraction; the task list and the resource column are reproduced below.]

Management Consulting: Paul Ashe, Borough PM
  • Kick-off Meeting: Paul Ashe, Borough PM
  • Prepare Client Assistance Memo: SC Consultants
  • Respond to Client Assistance Request: Borough Staff
  • Review Client Assistance Request: SC Consultants
NIST CSF Assessment: SC Consultants
  • Assess key people, processes, and technologies against NIST CSF to identify control gaps: SC Consultants
  • Review IT governance documents: SC Consultants
  • Conduct interviews with relevant IT staff: SC Consultants
  • Perform gap analysis of current security tier level against NIST CSF: SC Consultants
  • Develop a current state framework profile: SC Consultants
  • Develop a NIST CSF roadmap: SC Consultants
Policy and Procedure Review: SC Consultants
  • Evaluate current policies to ensure they include essential components: SC Consultants
  • Perform comparative analysis against best practices: SC Consultants
  • Document and prioritize observations and gaps: SC Consultants
Internal Network Vulnerability Assessment and Penetration Test: SC Consultants
  • Obtain internal network IP information: SC Consultants
  • Perform vulnerability scanning: SC Consultants
  • Analyze results to remove false positives: SC Consultants
  • Review results of scan with the Borough: Paul Ashe, Borough PM
  • Identify hosts to attempt to exploit and confirm with the Borough: SC Consultants
  • Perform exploit testing: SC Consultants
  • Extend testing to escalate privileges and move laterally in environment: SC Consultants
  • Review results with the Borough: Paul Ashe, Borough PM
External Network Vulnerability Assessment and Penetration Test: SC Consultants
  • Perform information gathering of public information: SC Consultants
  • Perform vulnerability scanning: SC Consultants
  • Analyze results to remove false positives: SC Consultants
  • Review results of scan with the Borough: SC Consultants
  • Identify hosts to attempt to exploit and confirm with the Borough: SC Consultants
  • Perform exploit testing: SC Consultants
  • Extend testing to escalate privileges and move laterally in environment: SC Consultants
  • Review results with the Borough: SC Consultants
Web Application Assessment: SC Consultants
  • Assess the hosting server and associated web server's configurations: SC Consultants
  • Perform unprivileged web application vulnerability testing: Paul Ashe, Borough Staff
  • Perform privileged web application vulnerability testing: SC Consultants
  • Analyze results of all testing: SC Consultants
  • Review results with application administrator: Paul Ashe, Borough Staff
Wireless Network Assessment: SC Consultants
  • Identify controllers and SSIDs: SC Consultants
  • Interview wireless network administrator: SC Consultants
  • Perform wireless network scanning: SC Consultants
  • Obtain and assess wireless or AP configuration: SC Consultants
  • Perform manual penetration activities: SC Consultants
  • Analyze results and review with wireless administrator: Paul Ashe, Borough Staff
Enterprise Application Assessment: SC Consultants
  • Gain an understanding of the application in scope: SC Consultants
  • Review system documentation, technical controls, and security practices: SC Consultants
  • Interview personnel responsible for security of the application: SC Consultants
  • Test enterprise application controls
  • Development of KPIs for CRP: SC Consultants
  • Review the design and operating effectiveness of supporting IT general controls: SC Consultants
Database Assessment: SC Consultants
  • Assess the Borough's build and configuration standards: SC Consultants
  • Interview database administrator: Paul Ashe, Borough Staff
  • Perform vulnerability scan of the operating system: SC Consultants
  • Perform database-specific scanning: SC Consultants
  • Analyze results of scanning: SC Consultants
  • Review results with database administrator: Paul Ashe, Borough Staff
Server Operating System Configuration Review: SC Consultants
  • Assess the Borough's build and configuration standards: SC Consultants
  • Interview database administrator: SC Consultants
  • Perform vulnerability scan of the operating system: SC Consultants
  • Perform configuration scan and analysis of OS: SC Consultants
  • Analyze results of scanning: SC Consultants
  • Review results with server administrator: Paul Ashe, Borough Staff
Firewall Configuration Assessment: SC Consultants
  • Interview firewall administrator: SC Consultants
  • Analyze firewall configuration: SC Consultants
  • Assess results of configuration analysis: SC Consultants
Switch Configuration: SC Consultants
  • Interview device administrator: SC Consultants
  • Obtain device model and firmware version: SC Consultants
  • Analyze device configuration file: SC Consultants
  • Assess results of analysis: SC Consultants
Active Directory Assessment: SC Consultants
  • Gain an understanding of the AD architecture: SC Consultants
  • Review AD configuration: SC Consultants
  • Assess InTune configuration: SC Consultants
  • Perform application programming interface (API) technical testing: SC Consultants
  • Compile findings and review with Borough PM: Paul Ashe, Borough PM
Incident Response Process Review: SC Consultants
  • Review documentation of previous incidents, response efforts, and existing response procedures: SC Consultants
  • Identify core systems and the maximum time frame for which they can be unavailable: SC Consultants
  • Review third-party vendors' response capabilities: SC Consultants
  • Identify critical IT assets, current response procedures, and the maximum time frame for which critical IT assets can be unavailable: SC Consultants
  • Determine whether the Borough's incident response process adequately addresses critical IT systems and networks: SC Consultants
IRP Tabletop Exercise: SC Consultants
  • Establish the scope of the effort through discussions with the Borough's key personnel: SC Consultants
  • Establish the exercise format, goals, and objectives with the Borough PM: SC Consultants
  • Define exercise participants / roles, and collaboratively design a unique scenario based on the Borough's environment and needs: SC Consultants
  • Facilitate the tabletop exercise with the Borough's participants: SC Consultants
  • Review the exercise's results and conclusions with the Borough's participants: Paul Ashe, Borough Staff
  • Document the exercise results and conclusions in a non-technical report, including guidance on how to develop and improve the Borough's incident response process: SC Consultants
Business Continuity and Disaster Recovery Plan (DRP) Review: SC Consultants
  • Establish the scope of the effort through discussions with the Borough's personnel: SC Consultants
  • Review documentation, including application portfolios, database diagrams, network diagrams, and equipment configurations: SC Consultants
  • Review previous disruptions and remediation efforts: SC Consultants
  • Review third-party vendors' response capabilities: SC Consultants
  • Identify critical IT assets, current response procedures, and the maximum time frame for which critical IT assets can be unavailable: SC Consultants
  • Determine whether the Borough's DRP adequately addresses critical IT systems and networks: SC Consultants
Draft Management Report: SC Consultants
Review Management Report with the Borough's Key Stakeholders (TBD): Paul Ashe, Borough Stakeholders
Review Final Report and Hold Exit Conference (TBD): Paul Ashe, Borough PM

PROJECT MANAGEMENT

[Sample status report reproduced from the proposal]
SECURANCE CONSULTING Status Report: ABC Borough Cybersecurity Audit
Project Manager (Securance): Paul Ashe (pashe@securanceconsulting.com)
Project Manager (client): John Doe, IT Director (Sample@ABCborough.gov)
Reporting Weekend: Thursday, August 20, 2024
Project Due Date: November 30, 2024
Overall Project Status: [status indicator]
Project Status Key: Green, On Target; Yellow, At Risk; Red, Project will not finish on time

Phase I Project Tasks (status, schedule, percent complete):
1. VA: Internal Network: Completed, 100%, 100%
2. PT: Internal Network: Completed, 100%, 100%
3. VA: External Network: Completed, 100%, 100%
4. PT: External Network: Completed, 100%, 100%
5. Web Application Testing: Completed, 100%, 100%
6. Wireless Network Testing: Completed, 100%, 100%
7. NIST CSF Compliance: Policy and Procedure Review: Ongoing
8. Database Configuration Review: Ongoing
9. Firewall Configuration Review: Ongoing
10. Switch Configuration Review: Ongoing
11. Incident Response Process Review: Ongoing
12. Incident Response Tabletop Exercise
13. Business Continuity Plan Review
14. Disaster Recovery Plan Review
Project Status Report, page 1 of 3

OUR PROCESS

THEIR APPROACH
✓ Limited communications related to project status.
✓ Findings not communicated until drafted.
Shared Tasks
Securance's PM and key personnel will be responsible for the following tasks throughout the Borough's project:
✓ Issue and Risk Management: Securance prioritizes issues by taking the following into consideration:
  • Overall impact an issue may have on the project
  • Length of time the issue has been unresolved
  • Criticality of the issue to the Borough's IT environment
  These factors will be looked at as a whole and discussed with the Borough's PM to determine the ultimate priority of each issue. Additionally, as part of our status reports, we will document all project findings and related evidence in an "Issue Tracker" document that will also be shared with the Borough's PM. Use of the tracker helps to avoid unwanted surprises and/or disputes over findings.
✓ Continuous Improvement: We will invite the Borough employees to shadow our consultants as they execute technical engagements. Additionally, to ensure continuous improvement of the Borough's security objectives, our team will conduct a knowledge transfer session upon completion of the audit.

THE SECURANCE WAY...
✓ Constant and consistent project communication.
✓ Immediate communication of urgent and critical findings.
✓ Confirmation of findings prior to drafting.

...DELIVERS EXTRA VALUE TO YOU.
✓ Securance provides exceptional project management expertise, leveraging 22 years of experience conducting more than 2,500 cybersecurity audits, to deliver project success on time and on budget.

THE BOROUGH RESOURCES NEEDED TO COMPLETE THE PROJECT
When a contract or statement of work is executed, there are specific items Securance will need to perform the engagement. To ensure the Borough obtains the most out of its partnership with Securance, we have provided an initial list of information, access requests, and documentation our experienced team will need to hit the ground running.
Access to the Borough's Staff
Adequate access to management and other key personnel for consultation and interviews. Very little of these individuals' time will be taken, but some contact will be necessary.
• Access to a project manager for scheduling interviews with appropriate Borough staff
• Access to technical staff during the length of the technical testing. Very little of their time will be needed.
• Access to staff who have been identified for interviews during the length of the project (approximately one hour each)
• Immediate access on a part-time basis to a cybersecurity staff member who can assist with questions

Logical and Other Access Requests
• IP addresses relevant to the project
• User IDs / passwords for web applications / operating systems
• Authority to access network components and operating systems
• Client Assistance Request Summary (please see sample on the following page)
• Rules of Engagement Memo (please see example on pages 62 and 63)

Office Space for On-Site Work
• Identification badges, or equivalent, should be available on arrival
• Lockable cabinet for documentation
• Workspace when on site

PROJECT MANAGEMENT

Sample Client Assistance Request (Securance, 2024, Kodiak Island Borough Client Assistance Request; Location: blank in sample)

No. / Phase I / Request Description (Status/Notes/Comments column blank in sample):
1. External Network: Please provide the contact information for the external network vulnerability assessment.
2. External Network: Please provide a listing of all of the Internet-facing IP addresses to be assessed.
3. External Network: Please provide any specific IP addresses that are out of scope because they are hosted by 3rd parties or are too sensitive to be scanned.
4. External Network: Please provide any information related to the period of the day when scanning can begin.
5. Internal Network: Please provide the contact information for the internal network vulnerability assessment.
6. Internal Network: Please provide the address from which we will be authorized to work while performing the internal network vulnerability assessment.
7. Internal Network: Please provide a listing of all of the internal IP addresses to be assessed.
8. Internal Network: Please confirm whether all initial scanning can be performed at one time.
9. Internal Network: Please advise if there are any specific systems or IP addresses that should not be scanned.
10. Internal Network: Please advise if the City of Richmond has a VoIP system. These systems typically fail over during vulnerability testing.
11. External Network: Please provide all available network diagrams. The more detailed the better.
12. Wireless Network: Please provide the contact information for the Wireless Network Administrator.
13. Wireless Network: Please provide a brief summary of the wireless solution implemented by the City of Richmond (i.e., controller-based, cloud-based, AP-based).
14. Wireless Network: How many SSIDs are there, and what are they?
15. Wireless Network: For each SSID please provide the following:
   a) Encryption method and strength
   b) Device detection enabled?
   c) Access granted (i.e., Internet only, all production servers, departmental servers, etc.)
   d) Is there a specific segment for mobile devices?
   e) MAC address filtering enabled?
   f) Sample connection log
   g) Is device authentication configured?
16. Database: Please provide the contact information for the DBA.
17. Database: Please provide the brand, specific version, hosting server IP address, and hostname of each type of database to be tested.
18. Database: Please provide a copy of the configuration standard used to configure the databases at the City of Richmond.
19. Database: Please be prepared to provide a local database account to assist Securance with its scanning of each database for security configuration settings.
20. Firewall: Please provide the brand, version, and firmware version of the firewalls to be assessed.
21. Firewall: Please provide the contact information for the firewall administrator.
22. Firewall: Please provide copies of the firewall config files.
26. Operating System Config: Please provide the contact information for the server administrator.
27. Operating System Config: Please provide a listing of the operating system brands and versions in production.
28. Operating System Config: Please be prepared to assist Securance in connecting to operating systems to perform a configuration review.
29. Operating System Config: Please provide the IP addresses and hostnames of the operating systems in scope for testing.
30. Operating System Config: Please provide any build guides or procedures that govern how operating systems are built and deployed.
31. Security Policies - NIST CSF: Please provide a copy of the IT strategic plan.
32. Security Policies - NIST CSF: Please advise how IT assets are managed, including hardware, software, and data.
33. Security Policies - NIST CSF: Please provide a copy of the Cybersecurity Program.

THE BOROUGH RESOURCES NEEDED TO COMPLETE THE PROJECT

Sample Rules of Engagement Memo

MEMORANDUM
DATE: 2024 (version 1.0)
TO: Kodiak Island Borough IT Director
FROM: Securance LLC
RE: Cybersecurity Audit Rules of Engagement (RoE) - SAMPLE

This memo represents the mutually agreed upon RoE for the upcoming cybersecurity audit.
ITEM / CLIENT RESPONSE
1. Scope of Effort: Internal, External, and Wireless VAPT; Web Application Testing; Enterprise Application Testing
2. IT Environment Uniqueness:
3. How to Handle Scope Creep:
4. Approved Date(s): Internal System: / External System:
5. Approved Time(s):
6. Approved Tool(s): Nmap, Rapid7, Qualys, Tenable, Cobalt Strike, Canvas, D2, NStalker, others as necessary
7. Tool Configuration:
   • Disable DDoS (Yes / No)
   • Disable Brute Force (Yes / No)
   • Disable Experimental Tests (Yes / No)
   • Privileged Testing (Yes / No)
   • Disable Intrusive Tests (Yes / No)
   • Scan all TCP/UDP Ports (Yes / No)
   • Report by Hostname (Yes / No)
8. If Privileged Testing (Admin Level: Yes / No)
9. Scan 3rd-Party-Hosted IPs (Yes / No)
10. Provide Client Lab's IP Address (Yes / No)

Sample Rules of Engagement Memo (continued)

13. Interest in Whitelisting Lab's IP:
14. Communication Ground Rules: Communication will be via email. Provide daily status updates via: Email / SMS / Conference Call
15. Escalation Plan: At any sign of disruption, immediately contact the consultant to discuss.
16. Communication Tools: Email, mobile, and lab's direct phone (see consultant's info)
17. Client Specific Concern #1: Disruption
18. Client Specific Concern #2:
19. Securance PM Contact Information: Project Manager Name / Project Manager Email Address / Project Manager Mobile Phone / Project Manager Office/Lab Phone
20.
Security Engineer Contact Information: Consultant Name / Consultant Email Address / Consultant Mobile Phone / Consultant Office/Lab Phone

By Securance: (signature) / Name: / Title: / Date:
Client Project Manager: (signature) / Name: / Title: / Date:
(Page 2 of the sample memo)

REPORTING

Status Reporting

Throughout the engagement, the Borough's PM will receive project status reports that identify the past week's completed tasks, tasks planned for the upcoming week, pending requests for information, and any issues and/or risks that have been identified, with the actions taken to mitigate them.

[Figure: the same sample "ABC Borough Cybersecurity Audit" status report reproduced under PROJECT MANAGEMENT above (Securance Consulting; reporting week ending Thursday, August 20, 2024; due date November 30, 2024; overall status On Target; Phase I tasks 1 through 6 completed, 7 through 11 ongoing, 12 through 14 not yet started).]
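The sample Client Assistance Request and Rules of Engagement memo above collect the facts a tester needs before any scanner runs: which addresses are in scope, which must never be touched, whether third-party-hosted space may be scanned, which hosts carry VoIP (and so must not receive intrusive or DoS checks), and the approved time window. As an added example, not Securance's tooling and not Borough data, the Python below turns those answers into a gate a scan wrapper would call before every run. The RulesOfEngagement field names, the bucket labels, and every address and time are constructed assumptions; the address ranges are RFC 5737 documentation space.

```python
"""Scope and scan-window gate derived from a Rules of Engagement (RoE) record.

Added example: not Securance's tooling and not Borough data. The field names
below are assumptions that mirror the sample RoE memo items (approved times,
third-party-hosted IPs) and Client Assistance Request items (in-scope and
excluded IP lists, VoIP failover risk). All addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


def _nets(items: list[str]):
    """Parse single IPs or CIDRs; strict=False accepts host bits set in a range."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


@dataclass
class RulesOfEngagement:
    in_scope: list[str]                                          # CAR items 2 / 7
    excluded: list[str] = field(default_factory=list)            # CAR items 3 / 9
    third_party_hosted: list[str] = field(default_factory=list)  # RoE item 9 ranges
    scan_third_party: bool = False                               # RoE item 9 answer
    voip_hosts: list[str] = field(default_factory=list)          # CAR item 10
    window_start: time = time(18, 0)                             # RoE item 5
    window_end: time = time(6, 0)                                # overnight window


def classify(roe: RulesOfEngagement, target: str) -> str:
    """Decide whether one address may be scanned and under what caveat.

    Order matters: an explicit exclusion beats every other rule; third-party
    hosted space needs the client's written Yes (the hosting provider, not the
    client, owns that authorization); VoIP hosts stay in scope but are tagged so
    the wrapper can disable intrusive and DoS checks for them (RoE item 7).
    """
    addr = ipaddress.ip_address(target)
    if any(addr in n for n in _nets(roe.excluded)):
        return "excluded"
    if any(addr in n for n in _nets(roe.third_party_hosted)):
        return "third-party" if roe.scan_third_party else "third-party-denied"
    if not any(addr in n for n in _nets(roe.in_scope)):
        return "out-of-scope"
    if any(addr in n for n in _nets(roe.voip_hosts)):
        return "in-scope-voip"
    return "in-scope"


def in_window(roe: RulesOfEngagement, when: datetime) -> bool:
    """True if 'when' falls inside the approved window. Handles a window that
    crosses midnight (18:00 to 06:00), the usual case for production scanning."""
    t = when.time()
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t < roe.window_end
    return t >= roe.window_start or t < roe.window_end


def build_target_list(roe: RulesOfEngagement,
                      candidates: list[str]) -> dict[str, list[str]]:
    """Partition a proposed target list by classify() result. Only the
    'in-scope' and 'in-scope-voip' buckets go to the scanner; the rest are kept
    with the reason they were dropped, which is the evidence you want if scope
    is ever disputed."""
    buckets: dict[str, list[str]] = {}
    for c in candidates:
        buckets.setdefault(classify(roe, c), []).append(c)
    return buckets


# Constructed sample RoE using documentation ranges, not real Borough addresses.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24", "198.51.100.10"],
    excluded=["192.0.2.250", "192.0.2.251"],      # e.g. HVAC / CCTV controllers
    third_party_hosted=["198.51.100.0/24"],        # web host's address space
    scan_third_party=False,                        # client answered No
    voip_hosts=["192.0.2.100/30"],
)

if __name__ == "__main__":
    proposed = ["192.0.2.5", "192.0.2.101", "192.0.2.250",
                "198.51.100.10", "203.0.113.7"]
    for bucket, hosts in build_target_list(SAMPLE_ROE, proposed).items():
        print(f"{bucket:20s} {', '.join(hosts)}")
    print("scan allowed now:", in_window(SAMPLE_ROE, datetime.now()))
```

Note that 198.51.100.10 appears in the in-scope list but lands in the "third-party-denied" bucket: the third-party check runs before the in-scope check on purpose, because an address the client listed is still not the client's to authorize if someone else hosts it. A wrapper should refuse to start when any bucket other than the two in-scope ones is non-empty and the operator has not acknowledged it, and should refuse outright when in_window() is false.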
PROPOSED SCOPE

Sample Deliverables

[Figure: Cybersecurity Audit Heat Map, sample provided for ABC Schools (Securance Consulting)]

EXECUTIVE SUMMARY (sample, provided for ABC Schools)

Background
Client background information has been redacted. In July 2023, ABC Schools' (ABC's) IT department contracted Securance to perform a cybersecurity audit based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF enables organizations, regardless of size, degree of cybersecurity risk, or cybersecurity sophistication, to apply risk management principles and best practices to improve resilience and better manage cybersecurity risks. In addition to the NIST CSF IT risk assessment, the project also included targeted technical vulnerability testing.

Specific Objectives and Scope
The objective of the review was to use the NIST CSF to assess ABC's IT processes and identify vulnerabilities in select technologies. The scope of the review included the following:
• NIST CSF gap analysis using the Core Functions (Identify, Protect, Detect, Respond, and Recover), Categories, and Subcategories
• IT processes
• Governance policies and procedures: a formal framework of policies and procedures that provides a structure for organizations to ensure that IT investments support business objectives
• Data and Information Security Management: the prevention of unauthorized access to and use, disruption, modification, and destruction of data assets
• Indicators of compromise (IoCs): the process of identifying forensic data, such as that in system log entries or files, that points to potentially malicious activity on a system or network
• External, internal, heating, ventilation, and air conditioning (HVAC), and closed-circuit television (CCTV) network vulnerability assessment and penetration testing
• Wireless network vulnerability assessment and penetration testing
• Web application vulnerability assessment and penetration testing
• Network firewall configuration assessment
• IoC testing

Summary of Findings (sample, provided for ABC Schools)
[Table: findings No. 1 through 12; contents redacted in the sample]

No. 2: Internal Network Vulnerability Assessment and Penetration Test
We scanned ABC's internal network and identified 25 critical-, 23 high-, and 45 medium-priority unique vulnerabilities. The scan results revealed vulnerabilities that increase the likelihood of an internal network breach. The charts below show the vulnerabilities we identified, prioritized by level of severity, as defined by the Common Vulnerability Scoring System, Version 3.0 (CVSS v3.0). The technician's report summarizes the unique vulnerabilities, affected systems, and recommended solutions. In many cases, the recommended solution requires a system security patch.
[Charts: 2023 Internal Network Unique Vulnerabilities by severity; 2023 Internal Network Total Vulnerabilities by severity]

PROPOSED SCOPE

Sample Deliverables (continued)

Remediation Roadmap (sample, provided for ABC Center; Securance Consulting)
Columns: No. / IT Improvement Area / Risk (color-coded in the original) / Recommendation / Est. Soft Cost / Hardware/Software Cost / Human Resource Requirements

2025 - YEAR 2 REMEDIATION GOALS
N/A / Multiple file storage locations / Implement and enforce a policy around approved file storage / $5,760.00 / TBD / Internal, 160 Hours (d)
N/A / Ineffective use of Connections / Enforce Connections as the enterprise communication platform; obtain the Connections mobile application / $17,280.00 / TBD / Internal, 480 Hours (d)
N/A / Mobile device management / Implement and enforce a formal mobile device management (MDM) policy and standard, and an MDM solution / (cost and resource cells illegible in the sample)
N/A / Governance (Policies, Procedures, Standards, and Guidelines) / Develop, and train staff in, a comprehensive set of IT policies / (cost illegible in the sample) / N/A / Consultant, 120 Hours (a)
7 / IT Process: Change Management / Implement a formal change management process and document each production change / $4,320.00 / N/A / Internal, 120 Hours (d)
8 / IT Process: Patch Management / Implement a formal patch management process that includes all of the elements of an effective patch management solution (see detailed recommendation for Finding No. 8) / $8,640.00 / N/A / Internal, 240 Hours (d)
9 / IT Process: Log Management and Monitoring / Implement a log management and monitoring process that includes all of the elements identified in the recommendation for Finding No. 9 / $17,280.00 / N/A / Internal, 480 Hours (d)

PROPOSED SCOPE

Sample Deliverables (continued)

Technician's Report
Intended to guide engineers and administrators through the remediation process, the technician's report
[Figure: sample Securance Vulnerability Assessment Tech Report, External VA. Table of contents: Vulnerabilities by Host; Compliance 'FAILED', 'SKIPPED', 'PASSED', 'INFO', 'WARNING', 'ERROR'; Remediation; Vulnerabilities by Host; Scan Information (start time Mon Dec 4 2023); Host Information (IP, vulnerabilities)]

SECURANCE'S DEDICATED PROJECT TEAM

The expertise and experience of the consultants listed on the following pages align with the Borough's scope of work and RFP requirements. If any of these consultants is unavailable when the project starts, Securance will propose an equally experienced substitute for approval.
Securance only employs senior-level consultants; no junior-level consultants will be assigned to the Borough's project.

Paul Ashe, 25 Years' Experience, Engagement Manager: CISSP, CISA, CMMC-AB RP (pending), CPA, HCISPP (pending), CCISO (pending)
Ray Resnick, 25 Years' Experience, Senior Cybersecurity Consultant: CISSP, CISM, CCNA, CCSP, CDPSE, CEH, CMMC-AB RP, Security+
Chris Bunn, 35 Years' Experience, Senior Cybersecurity Consultant: CISSP, CHP, CMMC-AB RP
Jerry Bruggeman, 30 Years' Experience, Senior Cybersecurity Consultant: CISSP (pending), Security+
Montrell Hill, 15 Years' Experience, Senior Cybersecurity Consultant

PROJECT TEAM

Consultant Resumes - Key Personnel

PAUL ASHE
25 YEARS OF CYBERSECURITY EXPERIENCE
President and Engagement Manager | Securance Consulting

EDUCATION
Master of Science, Accounting Information Systems
Bachelor of Science, Accounting and Management Information Systems

PROFESSIONAL CREDENTIALS
• Certified Public Accountant (CPA)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Healthcare Information Security and Privacy Practitioner (HCISPP)
• Cybersecurity Maturity Model Certification Registered Practitioner (CMMC RP)
• Certified Chief Information Security Officer (CCISO)

RELEVANT EXPERTISE
Paul has provided hands-on project management to lead Securance engagements over the past 22 years. A former IT consultant for Ernst & Young, he translates his knowledge and experience into an effective, time- and budget-conscious project management style. Paul conducts comprehensive cybersecurity audits, policy and procedure reviews, and technology-specific vulnerability assessments and penetration tests for government municipalities and clients in nearly every industry. He is an expert in implementing NIST CSF and PCI standards, and leverages a clear and proactive communication and reporting style throughout engagements.
RELEVANT EXPERIENCE
• Active Directory Analysis
• Advanced Penetration Testing
• Business Continuity / Disaster Recovery Planning
• Enterprise / Web Application Testing
• Internal / External / Wireless Network Security
• Incident Response Planning and Tabletop Exercises
• IT Governance / Policy and Procedure Reviews
• NIST CSF Alignment / Best Practice Frameworks
• Operating System / Database / Firewall / Network Device Configuration
• Project Management: Paul has led Securance engagements from kick-off to final report for 22 years.
• Incident Response: Paul assesses organizations' ability to detect, respond to, and recover from cyber incidents. He reviews incident response plans and implements updates to help clients handle security incidents more efficiently and effectively.
• Cybersecurity Audit: Paul helps clients identify technical and operational risks and vulnerabilities, develops prioritized remediation recommendations, and guides organizations to focus their resources in the right areas and make informed decisions about IT risk management.
• IT Procedures: Paul is an expert in developing and reviewing IT policies and procedures to ensure that business and IT strategies align, and that security practices are advanced, considerate of organization-specific context, and resilient against evolving security threats.
• Cybersecurity Best Practice Assessments: Paul excels in helping clients align their practices and controls with cybersecurity frameworks, including the NIST CSF and PCI DSS.

PROJECT TEAM

Consultant Resumes - Key Personnel

RELEVANT ACHIEVEMENTS
• City of Kenai: Performed configuration analysis of select servers, firewalls, and routers / switches; drafted formal cybersecurity policies; provided actionable recommendations for efficient DRP development; reviewed physical security and environmental controls; conducted a wireless network assessment.
• Matanuska-Susitna Borough: Customized the security program charter to Matanuska's unique IT environment; identified and addressed high-risk vulnerabilities within cybersecurity policies and procedures, and database / application change management processes; provided actionable recommendations for improved IT staff training; conducted a firewall, router / switch, and server configuration analysis; reviewed domain and enterprise application security administration, and network and application password management; assessed logging and monitoring processes; assessed security tool feature configuration for multiple technologies.
• Elsinore Valley Municipal Water District: Reviewed IT governance / policies and procedures for alignment with the NIST CSF; assessed operating system, endpoint, firewall, and router / switch configuration; conducted internal, external, and wireless network vulnerability assessments and penetration tests.
• City of Pasadena: Reviewed IT operations and processes against the NIST CSF and provided a roadmap to improve the City's security and control posture.
• City of New Haven: Identified vulnerabilities and opportunities to improve policies, procedures, and security configurations; provided extensive remediation support to address identified vulnerabilities, including incident response tabletop exercises and IT staff security awareness training; developed a three-year plan to implement all new security program items.
• City of St. Charles: Improved logging and monitoring, change management, patch management, and disaster recovery processes, and reduced network and database vulnerabilities by 60 percent.
• City of Durham: Reduced urgent-, critical-, and high-risk vulnerabilities associated with the internal network, enterprise application, and database environment by 50 percent; managed the recovery process after the City suffered a major ransomware attack; currently serves as the City's vCISO; oversees the cybersecurity program and security operations center (SOC); and achieved a 100-percent reduction in cybersecurity breaches and incidents.
• Village of Orland Park: Mapped assessment findings to CJIS requirements and NIST CSF controls; then streamlined IT operations by improving the Village's governance documentation.
• City of Modesto: Improved governance documentation and reduced key person risk.
• City of Richmond: Facilitated a significant reduction in technical risks across the internal network following remediation.
• Texas Municipal Retirement System: Improved end user security awareness by 70 percent and reduced technical risk across the environment by more than 50 percent.
• Village of Niles: Spearheaded development of policies, procedures, cross-training, and a technology steering committee, and reduced key person risk by matching staff to appropriate tasks.

PROJECT TEAM

Consultant Resumes - Key Personnel

CHRIS BUNN
35 YEARS OF CYBERSECURITY EXPERIENCE
Senior Cybersecurity Consultant | Securance Consulting

EDUCATION
Master of Science, Management Information Systems
Bachelor of Science, Computer Science for Business

PROFESSIONAL CREDENTIALS
• Certified Information Systems Security Professional (CISSP)
• Certified HIPAA Professional (CHP)
• Cybersecurity Maturity Model Certification Registered Practitioner (CMMC RP)

RELEVANT EXPERTISE
Chris is an expert in conducting cybersecurity audits, improving security processes, and implementing best practice frameworks.
With more than 30 years of cybersecurity experience, Chris' expertise in improving IT operations and alignment with the NIST CSF, assessing network and system security, and remediating potential security threats has benefited numerous city, state, and local government entities.

RELEVANT EXPERIENCE
• Active Directory Analysis
• Business Continuity / Disaster Recovery Planning
• Cybersecurity Best Practice Deployment, e.g., NIST, PCI, COBIT, ISO
• Database Security
• Firewall Configuration
• Enterprise / Web Application Security
• External / Internal / Wireless Network Security
• Incident Response Reviews / Tabletop Exercises
• Operating System Security
• Policy and Procedure Development / Review
• Process and Practice Improvement
• Router / Switch Configuration
• IT Governance: Chris is an expert in assessing, developing, and implementing IT policies and procedures to ensure efficient operations and compliance with regulatory requirements.
• IT Best Practice Assessments: Chris' extensive knowledge of IT security framework standards, including NIST, PCI, ISO, COBIT, and ITIL, allows him to provide a holistic assessment across all areas of cyber risk management.
• IT Process Improvement: Chris excels at identifying areas for process improvement to increase efficiency, automate tasks, improve collaboration, and systematically track and manage data.

PROJECT TEAM

Consultant Resumes - Key Personnel

RELEVANT ACHIEVEMENTS
• City of Kenai: Performed configuration analysis of select servers, firewalls, and routers / switches; drafted formal cybersecurity policies; helped assess the DRP and streamline DRP development; reviewed physical security and environmental controls; conducted a wireless network assessment.
• Matanuska-Susitna Borough: Helped customize the security program charter to Matanuska's unique IT environment; identified high-risk vulnerabilities within cybersecurity policies and procedures, and database / application change management processes; helped identify vulnerabilities within firewall, router / switch, and server configurations; reviewed domain and enterprise application security administration; assessed logging and monitoring processes; assessed security tool feature configuration for multiple technologies.
• City of Modesto: Improved governance documentation and reduced key person risk.
• City of New Haven: Delivered detailed mapping to the HIPAA Privacy, Security, and Breach Notification Rule code sections and provided actionable recommendations to help the City avoid civil penalties.
• City of Pasadena: Analyzed each specific IT operation and/or process by NIST CSF function, category, subcategory, and tier, and provided a roadmap with detailed recommendations to improve the City's IT security and control posture.
• City of Peoria: Identified financial exposure related to data loss and developed a three-year audit program and roadmap for long-term improvement.
• City of Phoenix: In addition to identifying and assisting with remediation of vulnerabilities in the City's networks, servers, databases, firewalls, and routers, secured funding for a 24/7/365 security operations center.
• Colorado Department of Human Services: Provided a detailed remediation roadmap to expediently attain full compliance with HIPAA; recommended that they maintain their covered entity status and sign BAAs with all county-level social and human service departments.
• Riverside University Health System: Reduced vulnerabilities within the internal network, web applications, operating systems, and databases; developed a remediation plan that prioritized risks and estimated the costs, timelines, and resources needed to attain full HIPAA compliance.
• State of Wyoming: Identified critical-, high-, and medium-risk vulnerabilities to decrease technical threats in the IT environment, and improved IT governance to decrease future vulnerabilities.
• Village of Niles: Initiated development of policies, SOPs, cross-training, and a technology steering committee, and reduced key person risk by matching staff to appropriate tasks.
• Village of Orland Park: Mapped assessment findings to CJIS requirements and NIST CSF controls, and then streamlined IT operations by improving the Village's governance documentation.
• Washington State Investment Board: Reduced key-person risk by 90 percent and reduced financial exposure from non-compliance with the State Office of the CIO's policies.

PROJECT TEAM

Consultant Resumes - Key Personnel

PRIOR ACHIEVEMENTS
• East West Bank | 2012 | Senior Information Security Consultant | Responsible for execution of compliance and risk management projects within the Information Security department of the IT division; developed an IT risk management framework for national and international operations; developed and implemented IT policies and procedures, a vendor risk management program, and daily monitoring procedures for critical and high-risk applications and platforms.
• Experis Finance / Accretive Solutions | 2006-2011 | Senior Risk Advisory Services Consultant | Managed and executed IT audits for various organizations across industries. Audit topics included regulatory compliance, data governance, general computer controls, business continuity, enterprise application controls and security, and process improvement.
• University of Florida | 2005-2006 | IT Audit Manager | Planned, supervised, and conducted audits of enterprise applications, data warehouse and reporting systems, financial systems, operations, advisory services, and other projects undertaken by the Office of Audit and Compliance Review; supervised and performed HIPAA compliance audits.
• BDO Seidman LLP | 2003-2005 | IT Audit Manager | Member of the BridgeMark risk consulting and advisory services practice; responsible for SAP business intelligence (BI) and governance / risk / compliance advisory services for mySAP ERP with NetWeaver, PeopleSoft, and other service-oriented architecture ERP systems; responsible for project management in technology risk and security, business process improvement, BI and advanced analytics, regulatory compliance, and internal IT audits.
• Computer Sciences Corporation | 2000-2003 | IT Audit Supervisor | Responsible for the management and execution of service organization (SOC Type II), compliance, internal information system, and pre- and post-implementation audits.
• Ernst & Young LLP | 1997-2000 | IT Audit Manager | Member of the Information Systems Assurance and Advisory Services (ISAAS) practice; responsible for service organization, general computer controls, and IT process reviews, information security engagements, application control consulting, and internal IT audits.
• Lockheed Martin | 1994-1997 | IT Audit Supervisor | Performed risk-focused audits of enterprise applications and platforms, system implementations, the enterprise network, engineering online security, and eCommerce security.
• SunTrust Bank | 1987-1994 | IT Audit Supervisor | Responsible for audits of computer operations, networks, information security policies, enterprise applications, and telecommunications.
• Blue Cross and Blue Shield of Florida | 1984-1987 | Senior IT Auditor | Supervised reviews of information systems and controls.
PROJECT TEAM

Consultant Resumes - Key Personnel

RAY RESNICK
25 YEARS OF CYBERSECURITY EXPERIENCE
Senior Cybersecurity Consultant | Securance Consulting

EDUCATION
Bachelor of Science, Accounting

PROFESSIONAL CREDENTIALS
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)
• Certified Cloud Security Professional (CCSP)
• Certified Data Privacy Solutions Engineer (CDPSE)
• Certified Ethical Hacker (CEH)
• Cisco Certified Network Associate (CCNA)
• CompTIA Security+ Certified
• Cybersecurity Maturity Model Certification Registered Practitioner (CMMC RP)

RELEVANT EXPERTISE
Ray, a retired Commander and Special Operations Officer in the U.S. Navy, specializes in analyzing organizational security needs, assessing security postures, and implementing remediation plans to mitigate risks to an acceptable level. Ray has the ability to work with IT staff at all levels to address risks, vulnerabilities, and gaps that hamper security in the IT environment.

RELEVANT EXPERIENCE
• Active Directory Analysis
• Business Continuity / Disaster Recovery Planning
• Compliance Assessments (e.g., NIST, PCI)
• Database and Operating System Security
• Enterprise / Web Application Security
• Firewall Configuration
• Incident Response Planning / Tabletop Exercises
• Internal / External / Wireless Network Security
• Network Device Configuration
• Vulnerability Assessment and Penetration Testing
• Cybersecurity Audits: Ray has been identifying and prioritizing cybersecurity risk for 25 years. His extensive knowledge of cybersecurity framework standards, such as NIST, PCI, ISO, COBIT, and ITIL, allows him to take a holistic approach across all areas of cyber risk management.
• Advanced Penetration Testing: Ray is an experienced ethical hacker, skilled in advanced penetration testing techniques and in performing configuration reviews of firewalls and other critical technologies to help organizations protect against potential threats.
• Ransomware Readiness: Ray has extensive experience training staff in ransomware readiness and helping organizations prepare to respond to breaches quickly and efficiently, minimizing mean time to recovery.

PROJECT TEAM

Consultant Resumes - Key Personnel

RELEVANT ACHIEVEMENTS
• City of Kenai: Performed configuration analysis of select servers, firewalls, and routers / switches; drafted formal cybersecurity policies; helped assess the DRP and streamline DRP development; reviewed physical security and environmental controls; conducted a wireless network assessment.
• Matanuska-Susitna Borough: Helped customize the security program charter to Matanuska's unique IT environment; identified high-risk vulnerabilities within cybersecurity policies and procedures, and database / application change management processes; helped identify vulnerabilities within firewall, router / switch, and server configurations; reviewed domain and enterprise application security administration; assessed logging and monitoring processes; assessed security tool feature configuration for multiple technologies.
• City of Durham: Reduced urgent-, critical-, and high-risk vulnerabilities associated with the internal network, enterprise application, and database environment by 50 percent; managed the recovery process after the City suffered a major ransomware attack; serves as backup vCISO to Paul Ashe for the City; helps oversee the cybersecurity program and security operations center (SOC); and achieved a 100-percent reduction in cybersecurity breaches and incidents.
• City of Modesto: Improved governance documentation and reduced key person risk.
- City of New Haven: Identified vulnerabilities and opportunities to improve policies, procedures, and security configurations; provided extensive remediation support to address identified vulnerabilities, including incident response tabletop exercises and plans to train IT staff and standard users in security awareness; developed a three-year plan to implement all new security program items.
- City of Phoenix: In addition to identifying and helping to remediate vulnerabilities in the City's networks, servers, databases, firewalls, and routers, secured funding for a 24/7/365 SOC.
- City of Richmond: Facilitated a significant reduction in technical risks across the internal network following remediation.
- Emergence Health Network: Improved the organization's cybersecurity posture by recommending several improvements, including implementation of a disaster recovery plan and a change management process.
- North Dakota Public Employee Retirement System: Identified medium-risk vulnerabilities, offered actionable remediation recommendations, and recommended the implementation of a program management policy to solidify program change policies.
- Riverside University Health System: Reduced vulnerabilities within the internal network, web application, operating system, and databases, and developed a management plan that prioritized risks and estimated the costs, timelines, and resources needed to attain full HIPAA compliance.
- Village of Orland Park: Mapped assessment findings to CJIS requirements and NIST CSF controls; streamlined IT operations by improving the Village's governance documentation.
PRIOR ACHIEVEMENTS
- Copper Collar Enterprises, LLC (2012-2018), Information Security Engineer: Conducted vulnerability scanning, attack and penetration studies, and information and physical security vulnerability assessments; analyzed data security controls to identify weaknesses; designed remediation strategies.
- Verizon Communications (1998-2003), Database Administrator: Performed database installs, loads, and data conversions. Tuned and altered databases and tables to increase performance. Prepared custom database reports with SQL and shell scripts. Wrote stored procedures, triggers, and database views to increase efficiency and security. Scheduled and performed database back-ups. Troubleshot application code for SQL errors and potential SQL injection vulnerabilities.
- Verizon Communications (1998-2003), Senior Systems Engineer: Developed automated tools to improve system reliability and disk and CPU utilization; planned, coordinated, and performed application testing, installation, and patch management; responsible for installing, managing, and administering servers, providing training and technical support to end users, and maintaining system documentation.
- United States Navy Reserve (2002-2003), Commander: Served as Executive Officer, Operations Department Head (N3), Inspector General, Information Technology and Physical Security Department Head (N6), and Intelligence Department Head (N2); responded to crisis management situations in the United States Central Command Area of Responsibility (USCENTCOM AOR). Supervised the Crisis Action Team (CAT cell), Joint Personnel Adjudication System (JPAS), and internal badging systems for U.S. Naval Forces Central Command (NAVCENT); prepared and delivered briefings to Flag Level officers regarding political, military, security, and terrorism matters.
- United States Navy (1991-2007), Deputy Assistant Chief of Staff / Naval Liaison Officer: Performed high-level negotiations with senior governmental officials and military officers from 53 coalition nations; responsible for operational planning efforts of U.S. and coalition maritime assets in a wartime environment.

JERRY BRUGGEMAN
30 YEARS OF CYBERSECURITY EXPERIENCE
Senior Cybersecurity Consultant / Securance Consulting

EDUCATION
Bachelor of Science, Cybersecurity

PROFESSIONAL CREDENTIALS
- CompTIA Security+ Certified
- Certified Information Systems Security Professional (CISSP), pending

Jerry is a versatile cybersecurity expert with a strong background in risk management and penetration testing. He has helped conduct robust cybersecurity audits for large organizations in both the private and public sectors, including the U.S. military. Jerry has significant experience developing incident response plans and applying regulatory and best-practice frameworks, including the NIST CSF and PCI DSS.

RELEVANT EXPERIENCE
- Advanced Penetration Testing / Ethical Hacking Exercises
- Business Continuity / Disaster Recovery Planning
- Compliance Assessments (e.g., NIST CSF, PCI DSS)
- Enterprise / Web Application Security
- External / Internal / Wireless Network Security
- Incident Response Improvement / Tabletop Exercises
- Information System Security / Network Infrastructure Review
- IT Governance / Policy and Procedure Improvement

RELEVANT EXPERTISE
- Vulnerability Assessments / Penetration Testing: Jerry is an ethical hacker with a passion for penetration testing, cybersecurity, and information security. His exceptional ability to think like a hacker and probe for security vulnerabilities helps organizations enhance their security postures and protect against potential threats.
- Ethical Hacking Exercises: Jerry is an expert in simulating attacks that use exfiltration, privilege escalation, evasion, and persistence to move laterally and access increasingly sensitive information.
- Best Practice Frameworks: A former director of IT for numerous organizations, public and private, Jerry is an expert in assessing compliance with best practice standards such as NIST, PCI, COBIT, and ISO.
- Network Security: Jerry excels at identifying and exploiting vulnerabilities in networks, routers, switches, and firewalls and at providing actionable remediation recommendations to address each vulnerability.
- Incident Response and Ransomware Preparedness Assessments: Jerry's expertise in assessing organizations' incident response and ransomware preparedness plans has helped numerous organizations ensure they are prepared to handle information security events effectively and efficiently, reducing potential risk to operational integrity, financial stability, and public image.

RELEVANT ACHIEVEMENTS WITH SECURANCE
- City of Cleveland: Reviewed the disaster recovery plan; improved endpoint configuration; conducted internal / external vulnerability assessments and penetration tests; enhanced security operations.
- City of Ontario: Conducted an internal / external network vulnerability assessment and penetration test; performed a social engineering exercise to evaluate end-user security awareness.
- County of Sonoma: Assessed operating system, endpoint, and firewall configuration; conducted an internal / external network vulnerability assessment and penetration test; tested web application security; assessed wireless network security; performed a social engineering exercise; improved compliance with HIPAA breach notification and security rules.
- Elsinore Valley Municipal Water District: Reviewed IT governance / policies and procedures for alignment with the NIST CSF; assessed operating system, endpoint, firewall, and router / switch configuration; conducted internal, external, and wireless network vulnerability assessments and penetration tests.
- Emergence Health Network: Improved the organization's cybersecurity posture by recommending several improvements, including implementation of a disaster recovery plan and a change management process.
- Milwaukee Metropolitan Sewage District: Conducted network penetration tests.
- Riverside University Health System: Reduced vulnerabilities within the internal network, web applications, operating systems, and databases; developed a remediation plan that prioritized risks and estimated the costs, timelines, and resources needed to attain full HIPAA compliance.
- Rowan University: Conducted external network penetration testing and an assessment of network architecture.
- VIA Metropolitan Transit: Conducted an internal network vulnerability assessment.
- Village of Oak Park: Improved the Village's cybersecurity posture by reducing technical risks associated with vulnerabilities in the internal and external networks and provided actionable remediation recommendations to reduce compliance risks within the environment.
- Village of Schaumburg: Identified urgent-, high-, and medium-risk vulnerabilities to decrease technical threats in the Village's IT environment.

PRIOR ACHIEVEMENTS
- Healthplan Services (WIPRO) (2020-2023), Director of Information Security: Provided subject matter expertise in risk assessment, compliance, and technical security.
- VASTEC (2013-2020), Director of Information Security: Spearheaded the IT security program, developed disaster recovery and incident response plans, conducted IT risk assessments, performed and analyzed vulnerability scans, and administered virtual environments.
- U.S. Air Force, 52d Combat Communications Squadron (2010-2013), Chief of Cyber Systems Operations: Managed a 120-person team across five work centers, conducted vulnerability and risk assessments, tracked and reported KPIs, and developed and deployed tactical networks.
- U.S. Air Force, 14th Weather Squadron (2005-2010), Manager, Information Assurance: Managed unit network security programs and assessments; conducted vulnerability and risk assessments.
- U.S. Air Force Weather Agency (2002-2005), Lead Infrastructure / Information Assurance Technician: Led and trained the team responsible for administering and managing the weather network.

MONTRELL HILL
98 YEARS OF CYBERSECURITY EXPERIENCE
Senior Cybersecurity Consultant / Securance Consulting

EDUCATION
Bachelor of Science, Business Computer Information Systems

Montrell is an experienced cybersecurity leader who specializes in planning and conducting comprehensive cybersecurity audits. As an expert in best-practice and regulatory frameworks, he helps enterprises develop effective response and recovery plans, identify vulnerabilities and risks in technologies, refine their IT processes, and achieve their business and compliance goals.
RELEVANT EXPERIENCE
- Database Assessments
- Disaster Recovery Plan Reviews
- Enterprise / Web Application Security
- External / Internal / Wireless Network Vulnerability Assessments and Penetration Testing
- Firewall Configuration
- Incident Response Evaluation / Tabletop Exercises
- Operating System Configuration
- Policy and Procedure Review / NIST CSF Compliance
- Network and System Security
- Router / Switch Configuration

RELEVANT EXPERTISE
- Incident Response Plan (IRP) Review / Development: Montrell's expertise in assessing and developing IRPs helps prepare organizations to handle information security events effectively and efficiently, whether due to data breaches, malware, or system outages, reducing potential risk to operational integrity, financial stability, and public image.
- Network Security: Montrell excels at identifying and exploiting vulnerabilities in networks, routers, switches, and firewalls.
- Cybersecurity Audit: Montrell is an expert at assessing the security of organizations' IT architectures and the supporting policies and procedures. He provides objective assessments of the effectiveness of an organization's risk management, processes, and governance.

RELEVANT ACHIEVEMENTS WITH SECURANCE
- Emergence Health Network: Improved the organization's cybersecurity posture by recommending several improvements, including implementation of a disaster recovery plan and a change management process.
- King County: Conducted a security assessment of the County's industrial control systems (ICS) and physical security controls; helped the County select a network monitoring tool for its ICS environment.
- Maryland-National Capital Park and Planning Commission: Provided 480 hours of Cybersecurity as a Service (CSaaS) consulting to review the incident response program, vulnerability management, and application security, and to perform other cybersecurity services.
PRIOR ACHIEVEMENTS
- First Command Bank (2019-2022), Senior IT Auditor: Developed IT audit programs; performed audits and risk assessments; developed strategies to mitigate risks and remediate vulnerabilities.
- Raytheon, Richardson (2015-2019), IT Audit Supervisor and Senior Information Governance & Risk Specialist: Performed IT risk assessments and audits; developed audit programs; oversaw fieldwork and deliverables and ensured that audits met internal quality control requirements, professional standards, laws, and regulations; presented audit findings and advised management on risk mitigation strategies.
- GM Financial (2007-2015), IT Auditor: Led IT audits focused on IT general controls, application controls, data warehouses, platform technologies, network security, data center controls, and compliance; compared IT controls to information security and risk management frameworks, including COBIT, COSO, NIST 800-53, and ISO 27001.
- Computer Science Corp (2005-2007), IT Consulting: Conducted information security and HIPAA compliance assessments.

PROPOSED FEES
Securance has provided itemized pricing for the major aspects of this project in the table below.
Project Scope Item | Line Item Fee
Assessment of the Borough's Cybersecurity Practices, Policies, and Procedures (2 security policies / 20 pages of documentation) | $1,584
Identify Vulnerabilities / Threats to Information Systems, Applications, and Network Infrastructure (including enterprise applications, databases, operating systems, firewalls, switches, and Active Directory) | $9,840
Penetration Testing and Ethical Hacking Exercises to Evaluate Effectiveness of Security Controls: |
- External Network Vulnerability Assessment and Penetration Test (4 IPs) — Value Add | $1,584
- Web Application Assessment (1 website) | $792
- Internal Network Vulnerability Assessment and Penetration Test (750 IPs) | $2,640
- Wireless Network Vulnerability Assessment and Penetration Test (controller-based network; 5 locations in scope) | $2,112
Assess Compliance With Relevant Standards / Best Practices, Including the NIST CSF | $7,920
Evaluate Ability to Detect, Respond To, and Recover From Cybersecurity Incidents (review of incident response process only; no formal incident response plan in place) | $7,584
Incident Response Plan Tabletop Exercise | $3,168
Review Continuity of Operations and Disaster Recovery Plans | $1,584
Management Report (includes prioritized recommendations for mitigating identified risks and vulnerabilities) | $3,168
Roadmap for Implementing Recommendations | $2,112
Project Management — Value Add | $2,112
Status Reporting — Value Add | $4,224
Knowledge Transfer Session — Value Add | $2,112
Remediation Support - 24 Consulting Hours — Value Add | $3,168
Independent Project Review* | Included
Subtotal | $55,704
Value Add Price Reduction | ($13,200)
Total | $42,504

The professional fees listed above are inclusive of all out-of-pocket expenses. The Borough will NOT be billed for expenses such as travel, mileage, meals, and incidentals.
* Each assessment completed by Securance is reviewed by a consultant independent of the project to ensure that the engagement thoroughly addresses all scope items, all observations are factual and appropriately documented, recommendations are feasible and customized to the client, and all assessment components adhere to the firm's quality control standards.

Pricing Terms
To provide the Borough with cost certainty, we are offering a "not to exceed" (NTE) proposal, which means that the total cost of the project or service will not exceed the amount specified on the previous page. However, we guarantee we will complete all items identified in the scope of services and listed in the contract or statement of work. Often the actual project fee is less than the NTE fee listed. Our reasons for using this pricing model include:
- Our methodologies assume IT processes are mature and all components of the assessment are already in place. However, if we identify assessment components that are immature or were recently implemented, our testing effort will be less than proposed. This could result in significant savings to the Borough.
- We may need to conduct fewer interviews than anticipated to gain a full understanding of the risk associated with an assessment component. We can then pass those savings on to the Borough.
- The Borough's project manager may ask our team to suspend additional testing based on the risks, threats, and vulnerabilities we discover and report. In this situation, our effort will be reduced, and we will pass those savings on to the Borough or allocate those hours to other areas, as deemed necessary.
- The Borough's project manager may wish to change the scope based on additional information obtained prior to project execution. In that case, there is no need to re-negotiate fees, as our model is flexible enough to permit scope changes.
Hourly Rate
Securance's cost proposal is based on an hourly rate of $132, inclusive of labor, system licenses, and other reimbursable expenses. The hourly rate applies to all tasks and personnel resources required to complete this project. Any follow-up assessments or consulting engagements will be billed at the same hourly rate.

Payment Terms
Securance will submit an invoice after delivering a draft management report. All fees are due within 30 days following receipt of invoice. Securance will deliver the final management report following receipt of payment.

Building a Successful Partnership
For Securance, this is not just another project. It is an opportunity to help the Borough address vulnerabilities within its technologies and practices so the Borough can confidently deliver the services its community and employees depend on, and to contribute to fulfilling Alaska's cybersecurity objectives. After reviewing the Borough's needs and taking the time to understand your business, Securance believes we are the best fit for this opportunity, and we want to partner with you! We are offering the following free value adds as one way to demonstrate our commitment to the Borough's long-term cybersecurity, and the Securance Advantage of Insight.

Deliverable | Value
External Network Vulnerability Assessment and Penetration Test | In order to demonstrate our commitment to the Borough, we will provide the requested vulnerability assessment and penetration test of the external network at no additional cost. For more information, please see our external / internal vulnerability assessment and advanced penetration testing methodology beginning on page 20 of our proposal.
Project Management | At no additional charge, we will oversee the progress and completion of the Borough's project from beginning to end. Our proven project management methodology has been used successfully on projects for organizations across the country.
Status Reporting | Securance recognizes the importance of ongoing communication with the Borough. To ensure the Borough's project remains on schedule and that all potential issues are addressed, we will issue weekly status reports and review them with the Borough's PM during weekly status meetings.
Knowledge Transfer Session | To ensure our assessment provides high value, is fully understandable, and the information obtained is sustained, we will conduct a knowledge transfer session with appropriate Borough staff. This session will provide answers as to why and how Securance performed specific tasks, so that Borough staff are able to repeat the tasks at will.
Remediation Support - 24 Consulting Hours | To enhance the effectiveness of this engagement and to demonstrate our commitment to the Borough, Securance will include 24 hours of free management-level consulting and remediation support to be used at the Borough's discretion.

If you have questions or would like additional information, do not hesitate to contact us. We want to make sure you have everything you need to make your decision. We want to partner with you and will be your best partner!

REFERENCES
Securance has decades of experience providing the Borough's requested services. Please see below for the contact information of three clients for which Securance has performed similar projects. Please note that our clients prefer to be contacted first via email. We encourage the Borough to contact each organization's representative to confirm the validity of our claims and the value of our deliverables.
Organization: Matanuska-Susitna Borough
Reference Contact: Mitch Senior, Cybersecurity Analyst, mitch.senior@matsugov.us, 907.861.7801
Services Provided:
- Improved security program charter
- Updated policies and procedures and improved database / application change management processes
- Provided actionable recommendations for improved IT staff training
- Conducted a firewall, router / switch, and server configuration analysis
- Reviewed domain and enterprise application security administration, and network and application password management
- Assessed logging and monitoring processes
- Assessed security tool feature configuration for multiple technologies

Organization: City of Richmond
Reference Contact: Rochelle Carter, Auditor, Rochelle.Carter@rva.gov, 804.646.5632
Services Provided:
- Assessed database, router / switch, and firewall configurations and security
- Conducted internal, external, and wireless network vulnerability assessments and penetration tests
- Assessed the City's remote access
- Reviewed operating system configuration, physical security, and industrial control system security
- Conducted an email phishing campaign to assess end-user security awareness

Organization: City of New Haven
Reference Contact: Catherine LaMarr, Deputy Corporation Counsel, clamarr@newhavenct.gov, 203.946.7974
Services Provided:
- Performed internal / external vulnerability assessments
- Assessed firewall configuration
- Reviewed router and server configuration / virtual server environment
- Assessed data and information security and conducted a workstation / endpoint security assessment
- Conducted a wireless network assessment
- Improved policies and procedures / cybersecurity governance
- Conducted phishing and vishing campaigns

COMPLIANCE WITH INDUSTRY CERTIFICATIONS AND STANDARDS
Securance complies with all relevant industry best practice standards, and our consultants maintain certifications, including:
- CompTIA Security+
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Cloud Security Professional (CCSP)
- Certified Data Privacy Solutions Engineer (CDPSE)
- Certified Ethical Hacker (CEH)
- Cybersecurity Maturity Model Certification Registered Practitioner (CMMC RP)
- Certified Public Accountant (CPA)
- Certified Information Systems Auditor (CISA)
- Certified Chief Information Security Officer (C|CISO)

THE GROWING CHALLENGE IN CYBERSECURITY
[CTIQ marketing graphic; legible labels only: Overload of Threat Intelligence, Incompatibility with Existing Systems, Irrelevance of Generic Threat Information, Resource Strain, Inefficient Threat Prioritization, Alert Fatigue, Lack of Actionable Insights, Delayed Response to Threats; Reduce Alert Fatigue, Receive Only Relevant Information, Prioritize Threats]
CTIQ utilizes advanced AI technology to gather real-time data from various intelligence sources and centralizes it into one platform. You will receive emails that provide clarity, context, and actionable remediation recommendations specific only to the technology in your environment. https://cybertiq.io/ | info@cybertiq.io