This Statement of Work (“SOW”) is incorporated into
the applicable Pricing Schedule/Addendum
Corp. (“AT&T”) and
San Joaquin Valley Libra
(“Customer”) and shall be effective on the latter of (i) the Effective
Date of the
or (ii) the later of the dates upon which the parties have both executed this
SOW. This SOW outlines the specific AT&T
rvices”) to be provided by AT&T to Customer for
the Charges set forth in
AT&T reserves the right to modify the prices and any other terms and conditions, including, but not limited to any section of this SOW, if this SOW is not signed by Customer and AT&T by 05 May 2010.
AT&T will conduct a Security Assessment Perimeter (SAP) of your network security posture utilizing AT&T network consulting methodologies to analyze, understand, design, implement, optimize, and secure LAN and WAN networks. The scale of the SAP service for Customer is defined by the following
AT&T shall perform the SAP in two phases. First, AT&T will use tools to perform port and vulnerability mapping using the information provided by Customer. Second, AT&T will analyze the data, prepare the assessment report, and review the report with Customer via telephone.
There are three main approaches for conducting a Penetration Test or Security Assessment:
With this approach, AT&T acts as a complete outsider to gather information from public sources to start the test and will then gather information as the test progresses. There is an extension to this approach known as the Double Blind approach, where the internal personnel are not even notified. This will test their reaction as well. This is the most expensive approach.
With this approach, AT&T and the customer agree on the data to be transferred before conducting the test. This is a more economical approach.
With this approach, the customer provides all information requested by AT&T prior to the assessment. This is the most economical approach.
AT&T will perform the following services for the SAP:
Enumeration and Mapping of Hosts
Utilizing the range of IP Addresses supplied by the customer, AT&T will run tools to identify hosts visible from the Internet within the range. AT&T may also retrieve public records during this phase to assist in the detection of hosts. Techniques are used to detect hosts that are hidden from normal scanning techniques, such as hosts that block ICMP Echo Requests. Output from this phase will provide an inventory of servers visible from the outside and will additionally serve as confirmation to the customer of the servers evaluated.
Enumeration and Mapping of Services
For the identified hosts, AT&T will perform a full port scan to determine which ports are open on each host. Once an open port is identified, AT&T will seek to determine the service being offered on that port. Output from this phase will provide the customer an inventory of services offered to the outside and can be used to turn down unnecessary services, thereby reducing risk.
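The two enumeration phases above (host discovery that does not depend on ICMP Echo, then a full port scan with service identification per open port) are shown below as an added example; this is not AT&T's tooling or code from the SOW. The probe functions are injected so the logic runs offline against a constructed network table; in a real engagement the same functions would wrap real ICMP echo and TCP connect attempts. The host addresses, the set of discovery ports, and the banner rules are assumptions for illustration.

```python
"""Host discovery without relying on ICMP, then per-port service identification.

Added example, not AT&T's tooling. FAKE_NETWORK is constructed sample data:
it records what each target would answer so the code runs offline.
"""
import re

# Constructed target network: per host, whether it answers ICMP echo and which
# TCP ports accept a connection (with the banner they send, if any).
FAKE_NETWORK = {
    "192.0.2.10": {"icmp": True, "tcp": {22: "SSH-2.0-OpenSSH_5.3",
                                          80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n"}},
    "192.0.2.11": {"icmp": False, "tcp": {443: ""}},   # drops ICMP echo, still serves HTTPS
    "192.0.2.12": {"icmp": False, "tcp": {}},          # answers nothing at all
    "192.0.2.13": {"icmp": False, "tcp": {25: "220 mail.example ESMTP Postfix"}},
}
DISCOVERY_PORTS = (22, 25, 80, 443)   # assumed set of commonly exposed ports


def fake_icmp(host):
    """Stand-in for an ICMP Echo Request: True if the host replies."""
    return FAKE_NETWORK.get(host, {}).get("icmp", False)


def fake_tcp(host, port):
    """Stand-in for a TCP connect attempt: returns (open, banner)."""
    tcp = FAKE_NETWORK.get(host, {}).get("tcp", {})
    return (port in tcp, tcp.get(port, ""))


def discover_hosts(targets, icmp_probe, tcp_probe, ports=DISCOVERY_PORTS):
    """A host is visible if it answers ICMP echo OR accepts a TCP connection on
    any discovery port, so hosts that silently drop ICMP are still found.
    Returns {host: method_that_revealed_it}."""
    found = {}
    for host in targets:
        if icmp_probe(host):
            found[host] = "icmp"
            continue
        for port in ports:
            is_open, _ = tcp_probe(host, port)
            if is_open:
                found[host] = f"tcp/{port}"
                break
    return found


# Banner rules: service name plus the last capture group as a product/version hint.
BANNER_RULES = [
    (re.compile(r"^SSH-(\d\.\d)-(\S+)"), "ssh"),
    (re.compile(r"^HTTP/\d\.\d .*?Server: ([^\r\n]+)", re.S), "http"),
    (re.compile(r"^220 .*?(ESMTP|SMTP)"), "smtp"),
]


def identify_service(port, banner):
    """Prefer banner evidence over the port number; fall back to the well-known
    assignment (marked with '?') when the service sent nothing recognizable."""
    for rx, name in BANNER_RULES:
        m = rx.search(banner)
        if m:
            return name, m.group(m.lastindex)
    fallback = {22: "ssh?", 25: "smtp?", 80: "http?", 443: "https?"}
    return fallback.get(port, "unknown"), ""


def service_inventory(hosts, tcp_probe, ports=range(1, 1025)):
    """Full scan of `ports` on each visible host; for every open port record
    (service, version hint). This is the inventory used to turn down services."""
    inventory = {}
    for host in hosts:
        inventory[host] = {}
        for port in ports:
            is_open, banner = tcp_probe(host, port)
            if is_open:
                inventory[host][port] = identify_service(port, banner)
    return inventory


if __name__ == "__main__":
    visible = discover_hosts(list(FAKE_NETWORK), fake_icmp, fake_tcp)
    for host, how in visible.items():
        print(f"{host} visible via {how}")
    for host, services in service_inventory(visible, fake_tcp).items():
        for port, (name, hint) in sorted(services.items()):
            print(f"  {host}:{port} {name} {hint}")
```

Note that 192.0.2.12 never appears in the output: with no ICMP reply and no open discovery port it is indistinguishable from an unused address, which is why the SOW's host inventory doubles as the customer's confirmation of which servers were actually evaluated.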
AT&T will utilize a Broad Spectrum vulnerability scanner to identify and prioritize potential vulnerabilities in the software and operating systems of the hosts visible from the Internet. The scanner utilizes plug-in components that cover known vulnerabilities across many operating systems and applications. AT&T will conduct the scan from the outside of the network, namely from the Internet. This assessment will characterize your organization as it is seen from the outside world. Output from this phase will provide a list of
Report Potential Vulnerabilities
Vulnerability scanning is an inclusive, rather than an exclusive, process. Scan results describe the pool of potential vulnerabilities. Work must be done to either exclude a vulnerability or confirm that it is a probable vulnerability. AT&T will provide expert advice on probable false positive results and mark results accordingly. Output from this phase will provide Customer a comprehensive view of potential server vulnerabilities rated by
Exploitation of Vulnerabilities
If this option is chosen, AT&T will then attempt to exploit vulnerabilities in order to compromise the target host. Our goal is not to destroy or compromise any information, but rather to progress to the point where we have demonstrated that it is
Rogue Modem Detection
With a technique known as war dialing, we can identify telephone numbers that provide access to computing resources within your organization. We can further identify the technology behind the modem and attempt to gain access by testing a limited number of carefully chosen passwords.
AT&T will conduct the SAP as described in this Proposal. Upon completion, AT&T shall provide a report containing deliverables as indicated in Table 1 below.
Table 1: Engagement Deliverables
Electronic findings document
Database of all findings including custom Queries and Reports
The report will contain documented and detailed findings as a result of performing the service and will convey AT&T's opinion of how best to remedy vulnerabilities from a vendor
Documentation will be comprised of a Summary Report and a Detailed Report. The summary report will provide overview information including:
Threat rank for each host
Scored 1 through 5, representing the highest level vulnerability on that host.
Threat score for each host
Sum of all threat ratings for all vulnerabilities on each host, identifying which hosts present the most risk.
A list of the vulnerabilities occurring at least once on any host in the
The detailed report will provide comprehensive information including:
Vulnerabilities by Host
Ordered by host, vulnerabilities found on each host. This view allows the reader to understand the threat to a particular host.
Hosts by Vulnerability
Ordered by vulnerability, hosts that exhibit a particular vulnerability. This view allows the reader to understand the hosts affected by a particular vulnerability.
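The roll-up described for the Summary and Detailed Reports (threat rank as the highest-rated vulnerability on a host, threat score as the sum of all ratings on that host, the list of vulnerabilities seen at least once, and the two detailed views) is worked through below as an added example; it is not AT&T's reporting code. It also applies the false-positive triage from the "Report Potential Vulnerabilities" phase: findings marked as probable false positives stay in the Vulnerabilities-by-Host view so the reader can see they were reviewed, but are excluded from ranks, scores and the Hosts-by-Vulnerability view. The finding records, the 1-to-5 severity scale and the triage labels are constructed assumptions.

```python
"""Threat rank / threat score roll-up for a perimeter assessment report.

Added example, not AT&T's tooling. SAMPLE_FINDINGS is constructed sample data;
severities 1-5 and the 'probable' / 'false_positive' triage flags are assumed.
"""
from collections import defaultdict

# Constructed scan output after analyst triage.
SAMPLE_FINDINGS = [
    {"host": "192.0.2.10", "vuln": "Outdated SSH server", "severity": 3, "triage": "probable"},
    {"host": "192.0.2.10", "vuln": "Weak SSL ciphers", "severity": 2, "triage": "probable"},
    {"host": "192.0.2.10", "vuln": "Remote code execution in web app", "severity": 5, "triage": "false_positive"},
    {"host": "192.0.2.11", "vuln": "Weak SSL ciphers", "severity": 2, "triage": "probable"},
    {"host": "192.0.2.11", "vuln": "Anonymous FTP", "severity": 4, "triage": "probable"},
    {"host": "192.0.2.12", "vuln": "Outdated SSH server", "severity": 3, "triage": "probable"},
    {"host": "192.0.2.13", "vuln": "Directory listing enabled", "severity": 1, "triage": "false_positive"},
]


def scored(findings):
    """Only probable findings count toward threat figures; false positives do not."""
    return [f for f in findings if f["triage"] == "probable"]


def threat_rank(host_findings):
    """Rank = severity (1-5) of the worst probable vulnerability on the host.
    0 means the host had no probable findings at all."""
    sev = [f["severity"] for f in scored(host_findings)]
    return max(sev) if sev else 0


def threat_score(host_findings):
    """Score = sum of severities of all probable vulnerabilities on the host."""
    return sum(f["severity"] for f in scored(host_findings))


def vulnerabilities_by_host(findings):
    """Detailed-report view: host -> [(vuln, severity, triage)], false positives kept."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append((f["vuln"], f["severity"], f["triage"]))
    return dict(by_host)


def hosts_by_vulnerability(findings):
    """Detailed-report view: vuln -> sorted hosts exhibiting it (probable only)."""
    by_vuln = defaultdict(set)
    for f in scored(findings):
        by_vuln[f["vuln"]].add(f["host"])
    return {v: sorted(h) for v, h in by_vuln.items()}


def summary_report(findings):
    """Summary-report content: (host, rank, score) rows with the riskiest host
    first, and the distinct list of vulnerabilities seen at least once."""
    rows = []
    for host, items in vulnerabilities_by_host(findings).items():
        hf = [{"host": host, "vuln": v, "severity": s, "triage": t} for v, s, t in items]
        rows.append((host, threat_rank(hf), threat_score(hf)))
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return {"hosts": rows, "vulnerabilities": sorted(hosts_by_vulnerability(findings))}


if __name__ == "__main__":
    rep = summary_report(SAMPLE_FINDINGS)
    print("host             rank  score")
    for host, rank, score in rep["hosts"]:
        print(f"{host:15} {rank:>5} {score:>6}")
    print("vulnerabilities seen at least once:", rep["vulnerabilities"])
    for vuln, hosts in hosts_by_vulnerability(SAMPLE_FINDINGS).items():
        print(f"{vuln}: {', '.join(hosts)}")
```

On the constructed data, 192.0.2.11 leads the summary (rank 4, score 6) even though 192.0.2.10 carries the single highest-severity scan hit, because that hit was triaged as a false positive; this is the effect of the exclusion step the SOW describes, and why the summary should be read together with the Vulnerabilities-by-Host view that still lists it.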
Services described in this SOW shall start to be implemented upon Contract execution. This project will take place in separate intervals taking approximately
Business Day(s) to complete.
Customer will jointly determine the start date for the engagement within 30 days of contract signature.
The Services provided under this SOW shall only be performed during normal business hours, defined as Monday through Friday, 8:00 A.M. to 5:00 P.M., local time, excluding AT&T official holidays.
AT&T Designated Holidays:
New Year's Day
Last Monday in May
1st Monday in September
4th Thursday in November
Day After Thanksgiving (4th Friday in November)
AT&T shall solicit, obtain and/or confirm the following information from the Customer:
(a) Provide identity and contact information for the Customer Project
(b) Provide Local Site Contact name, telephone number, address, and email for both a primary and
Local Site contact. This is to facilitate local scheduling issues, and other Site information is to be provided to AT&T for each work project.
(c) Confirmation that the Customer has performed the appropriate Site preparation activities when applicable.
(d) Provide Customer resources on site during project.
(e) Project execution shall be performed during normal business hours. The Customer shall be responsible for making access available during this timeframe.
(f) Accept completed services utilizing the provided site acceptance form. AT&T will complete and obtain Customer signature on the Acceptance document as shown in
Schedule of Charges
AT&T will conduct the SAP as described in this Proposal with the following parameters and pricing.
Table 2: Pro
Number of Active Hosts
8:00 A.M. to 5:00 P.M., Central time
Summary, Detail reports, CD ROM
Table 3: Pricing
AT&T Security Assessment
At the conclusion of this project, AT&T shall give a project summary presentation to Customer personnel to review the deliverables, answer questions, and provide direction for next step actions.
All Customer locations are in the United States.
AT&T and Customer understand that due to the nature of the Service being performed, unintentional service interruption is feasible even with destructive probing disabled. AT&T is not responsible for interruptions of Customer's network services resulting from the performance of tasks described in the Services described herein.
Agreement Enabling Expenses
AT&T will perform the work using tools selected by AT&T. Any additional hardware, software, connectivity and training expenses required by Customer (if any) to complete delivery of Services will be provided by Customer.
Travel Time and Expenses
AT&T and Customer agree that engagement meetings will be conducted using teleconference calls and all work will be executed at an AT&T or partner facility unless otherwise specified in Sections 2 and/or 3 herein. If Customer requires AT&T or partner personnel to travel to perform work on or visit a Customer site, or attend a meeting with Customer, business expenses (e.g., travel, food and lodging) AT&T personnel incur in connection with provisioning services under this SOW shall be invoiced separately.
AT&T and Customer understand and agree that the performance of these Services, as provided in accordance with this Agreement and SOW, may improve Customer's security posture. These Services can neither identify nor eliminate all risks by unauthorized or authorized parties to affect Customer's