This Cyber Security Audit Agreement (the "Agreement") is dated this day of , .
Between:
Client
an individual or company existing under the laws of the state of with its correspondence address located at:
(the"Client")
Contractor
Brian Whipp
an independent contractor existing under the laws of the state of Texas with its correspondence address located at:
P.O. Box 3379, San Marcos Tx 78667
(the "Contractor")
Definitions
Cybersecurity Audit
An inspection of a company's systems with the goal of assessing the security of systems utilizing or storing sensitive data.
White Box/Gray Box/Black Box Environment
These terms are shorthand for the amount of access a security accessor is given prior to their cybersecurity audit. In a Black Box Environment, auditors are given no information about the structure or security tools in use by an organization. In a White Box environment, auditors are given access to internal systems. In a Gray Box environment, auditors may be given partial access or some information as to the security of the target organization.
Company Data
Company Data is any and all data that the Company has disclosed to the Contractor. For the purposes of this Agreement, Company Data does not cease to be Company Data solely because it is transferred or transmitted beyond the Company’s immediate possession, custody, or control.
Scope Of Work
The Security Audit Company agrees to perform a comprehensive cyber security audit for the Client's systems, networks and infrastructure as outlined and agreed upon by the Client and the Contractor.
The following Statement of Work shall include the audit objectives, methodology, timeline, deliverables, and any additional specific requrements or exclusions agreed upon by both Parties.
The contractor shall perform the audit with due care and skill, and in accordance with industry best practices, applicable laws, and regulations.
The contractor shall provide the client with progress updates and promptly communicate any significant findings or concerns during the audit process.
The stated Independent Contractor shall be the only individual to perform the security audit.
The contractor shall audit and attempt to find security weaknesses in the company's systems as outlined in the entirity of this contract. The contractor shall not attempt to access any sensitive data not relevant to that goal such as client's private data outside the scope of company systems.
Statement of Work: Specific Details
For a Cyber Security Audit, certain specifics must be agreed upon by both parties:
1.There needs to be a specific time period set as to when the auditor will be begin and end their attempts to access the company's systems.
2.The client needs to understand the types of testing that may be used, and choose which types of testing will be done.
3.The client must define which systems will be subject to the security audit and if other systems, parts of systems, or types of data, are off limits.
Audit Start and End Time:
This Cyber Security Audit will begin at , and end at .
Audit Methodology:
The Client requests the following audit methods to be used:
Testing websites for potential vulnerabilites that could lead to malicious behavior such as unauthorized access, unauthorized privileges, or attacks that could target your users.
Password Cracking
Attempting to access data storage
Attempting to gain access to data in transit.
Port Scanning
And the following advanced audit methods to be used (subject to further detail):
Using phishing campaigns to test employee security awareness.
Using research and deception to see if employees can be decieved into giving up sensitive information.
Testing of on premiss security controls.
Audit Methodology Exclusions:
The Client has specified the following audit methods to not be used during the Audit:
Areas Of Operation Subject To Audit:
The Client gives access to the following systems to be audited:
Access to internal operational systems or platforms such as web portal.
Access to web servers.
Access to databases.
Access to mailservers.
Areas Of Operation Exceptions:
The Client has specified the following systems to be excluded from the Audit:
Disclosure of Additional Locations:
Hardware and services in regions other than the primary place of business may necessitate considerations for laws and regulations of that region. Please list any locations here:
Confidentiality
Contractor shall not disclose Company Data in any manner that would lead to a violation of state or federal law or the terms of this Agreement including, without limitation, by means of outsourcing, distributing, retransfer, or access, to any individual or entity.
Usage Policy
The Client shall designate a representative who will serve as the main point of contact and provide timely assistance and cooperation to the contractor during the audit process.
The Client shall provide the Contractor with access to all relevant systems, networks, facilities, and necessary information required for the audit as defined and agreed upon prior to the security audit.
Deliverables
The Contractor shall provide the Client with a comprehensive written report detailing the findings, vulnerabilities, and recommendations resulting from the audit.
The report shall include an executive summary, detailed assessment of each audited area, prioritized recommendations, and any supporting evidence or documentation.
Fees and Payment Terms
The Client shall compensate the Contractor for the services rendered based on the agreed-upon fees.
Payment shall be made according to the payment schedule outline or as otherwise afreed upon in writing by both parties.
Term and Termination
This Agreement shall commence on the effective data and shall continue until the completion of the audit and delivery of the final report, unless earlier terminated in accordance with this Agreement.
Either Party may terminate this Agreement for convenience by providing written notice to the other party.
Acceptance and Signature
The parties hereby agree to and have executed this Cyber Security Agreement on the date and year first mentioned above.