This Cyber Security Audit Agreement (the "Agreement") is dated this day of , .
Between:
Client
an individual or company existing under the laws of the state of with its correspondence address located at:
(the "Client")
Contractor
Brian Whipp
an independent contractor existing under the laws of the state of Texas with its correspondence address located at:
P.O. Box 3379, San Marcos Tx 78667
(the "Contractor")
Definitions
Cybersecurity Audit
An inspection of a company's systems with the goal of assessing the security of systems utilizing or storing sensitive data.
White Box/Gray Box/Black Box Environment
These terms are shorthand for the amount of access a security assessor is given prior to their cybersecurity audit. In a Black Box environment, auditors are given no information about the structure or security tools in use by an organization. In a White Box environment, auditors are given access to internal systems. In a Gray Box environment, auditors may be given partial access or some information as to the security of the target organization.
Company Data
Company Data is any and all data that the Company has disclosed to the Contractor. For the purposes of this Agreement, Company Data does not cease to be Company Data solely because it is transferred or transmitted beyond the Company’s immediate possession, custody, or control.
Scope Of Work
The Contractor agrees to perform a comprehensive cyber security audit of the Client's systems, networks, and infrastructure as outlined and agreed upon by the Client and the Contractor.
The following Statement of Work shall include the audit objectives, methodology, timeline, deliverables, and any additional specific requirements or exclusions agreed upon by both Parties.
The Contractor shall perform the audit with due care and skill, and in accordance with industry best practices, applicable laws, and regulations.
The Contractor shall provide the Client with progress updates and promptly communicate any significant findings or concerns during the audit process.
The stated Independent Contractor shall be the only individual to perform the security audit.
The Contractor shall audit and attempt to find security weaknesses in the Client's systems as outlined in the entirety of this contract. The Contractor shall not attempt to access any sensitive data not relevant to that goal, such as the Client's private data outside the scope of the Client's systems.
Statement of Work: Specific Details
For a Cyber Security Audit, certain specifics must be agreed upon by both parties:
1. There needs to be a specific time period set as to when the auditor will begin and end their attempts to access the Client's systems.
2. The Client needs to understand the types of testing that may be used, and choose which types of testing will be done.
3. The Client must define which systems will be subject to the security audit and whether other systems, parts of systems, or types of data are off limits.
Audit Start and End Time:
This Cyber Security Audit will begin at , and end at .
Audit Methodology:
The Client requests the following audit methods to be used:
Testing websites for potential vulnerabilities that could lead to malicious behavior such as unauthorized access, unauthorized privileges, or attacks that could target your users.
Password Cracking
Attempting to access data storage
Attempting to gain access to data in transit.
Port Scanning
And the following advanced audit methods to be used (subject to further detail):
Using phishing campaigns to test employee security awareness.
Using research and deception to see if employees can be deceived into giving up sensitive information.
Testing of on-premises security controls.
Audit Methodology Exclusions:
The Client has specified the following audit methods to not be used during the Audit:
Areas Of Operation Subject To Audit:
The Client gives access to the following systems to be audited:
Access to internal operational systems or platforms such as web portal.
Access to web servers.
Access to databases.
Access to mailservers.
Areas Of Operation Exceptions:
The Client has specified the following systems to be excluded from the Audit:
Disclosure of Additional Locations:
Hardware and services in regions other than the primary place of business may necessitate considerations for laws and regulations of that region. Please list any locations here:
Confidentiality
Contractor shall not disclose Company Data in any manner that would lead to a violation of state or federal law or the terms of this Agreement including, without limitation, by means of outsourcing, distributing, retransfer, or access, to any individual or entity.
Usage Policy
The Client shall designate a representative who will serve as the main point of contact and provide timely assistance and cooperation to the contractor during the audit process.
The Client shall provide the Contractor with access to all relevant systems, networks, facilities, and necessary information required for the audit as defined and agreed upon prior to the security audit.
Deliverables
The Contractor shall provide the Client with a comprehensive written report detailing the findings, vulnerabilities, and recommendations resulting from the audit.
The report shall include an executive summary, detailed assessment of each audited area, prioritized recommendations, and any supporting evidence or documentation.
Fees and Payment Terms
The Client shall compensate the Contractor for the services rendered based on the agreed-upon fees.
Payment shall be made according to the payment schedule outlined, or as otherwise agreed upon in writing by both parties.
Term and Termination
This Agreement shall commence on the effective date and shall continue until the completion of the audit and delivery of the final report, unless earlier terminated in accordance with this Agreement.
Either Party may terminate this Agreement for convenience by providing written notice to the other party.
Acceptance and Signature
The parties hereby agree to and have executed this Cyber Security Audit Agreement on the date and year first mentioned above.
Client
[Client Name]
Signature:__________________
Print Name:__________________
Date:__________________
Contractor
Brian Whipp
Signature:__________________
Print Name:__________________
Date:__________________
Custom SLA Wizard:
The following questions will guide you through creating a customized contract for your Cyber Security Audit.
This audit will assess your company's security systems and find remedies for any weaknesses that could be targeted by attackers.
You can CREATE AN ACCOUNT to store your contracts for later:
(*Required)
Login to your account:
Enter your name, your company name, or a legal DBA.
What is the state, province, or territory where laws apply to where your business is registered?
Please enter an address where we could send physical correspondence if needed.
Are there other locations where your company's data or services are located that I should be aware of?
Enter a date for this contract.
The following questions will put together a plan for the type of security audit you want performed.
This can all be changed later.
A security audit can have many levels of testing. It is important to determine which testing techniques should be used before the audit begins.
For example, an extremely non-intrusive security test can be as simple as checking publicly available information and reviewing configuration settings.
On the other hand, the most intensive security audits go beyond just replicating the activities of an online hacker and involve phishing campaigns, deception, and testing of physical on-premises security controls.
Which approach would you like taken for your security audit? (Choose one or both)
I would like the auditor to simulate the role of a malicious hacker. I do not want to disclose any information about our systems or security controls beforehand.
I would like the auditor to review our internal systems and security controls using internal access.
What systems would you like to provide access to for the security assessment?
Access to internal operational systems or platforms such as web portal.
Access to web servers.
Access to databases.
Access to mailservers.
(You can write in any specifics next)
Check which methodologies you may want tested in your audit:
Testing websites for potential vulnerabilities that could lead to malicious behavior such as unauthorized access, unauthorized privileges, or attacks that could target your users.
Password Cracking
Attempting to access data storage
Attempting to gain access to data in transit.
Port Scanning
(You can write in any specifics next)
Would you like any of the following advanced attack techniques used in your audit?
Email Phishing techniques to see if you or your employees can identify a threat.
Social engineering attacks - researching people within the company and using that information to deceive them.
Tests of physical controls - on-premises assessment of site security and system integrity.
Are there any specific testing techniques you would like used or not used in your Cyber Security Audit?
Specify them here:
Are there any specific systems or data you would like to remain off-limits to the security audit? If so, enter those stipulations here:
A site assessment needs a specific start and end time. Please choose that here:
Start Time:
End Time:
This is the end of this contract generator wizard. On the next page you will be prompted to download a copy of the contract to your hard drive. If there are any additional changes you need, you can contact me at:
If you are ready, on the next page click "Announce I'm Finished!" which will let me know you have completed your contract. Then I will get back to you with more info and a Docusign link.
Click "Save" to download a copy of your contract to your local hard drive.