Vulnerability Assessment (TOS)

TERMS OF SERVICE FOR
VULNERABILITY ASSESSMENT - HARDWARE AND SOFTWARE

This Service is subject to and governed by the Customer's separate signed Master Services Agreement (MSA) or Customer Service Agreement (CSA) as applicable, with Consolidated Technology Services (CTS), calling itself Washington Technology Solutions or "WaTech" for short. The reference to WaTech means the same as Consolidated Technology Services. This Agreement is entered into between you and WaTech for the provision of WaTech's Vulnerability Assessment - Hardware and Software. For the purposes of this agreement "You" and "Customer" are used interchangeably and mean the entity to which WaTech is providing service.

A. Service Description

Vulnerability Management is a key competency in securing a business computing environment. We define the term "Vulnerability" in this context to be a weakness in a technology component that could allow an attacker to compromise the integrity, availability, or confidentiality of an asset.

WaTech operates a software and hardware vulnerability assessment scanning platform. The tools are first used to discover what is connected to a network to identify the scope of assets that need to be assessed for vulnerabilities. Once known, assets are placed into logical groups that are then used to configure and schedule vulnerability scans. Scan results are exported via a reporting database and can then be shared with the asset owners to identify if there are any requirements for remediation to close the vulnerabilities found and improve the security posture of the asset.

The platform enables agency security teams to identify where vulnerabilities reside across their environment of network components, servers, workstations, databases, and installed Commercial off the Shelf Software (COTS) programs.

Web application code scanning and compliance scanning are not included in this service.

There are two options for use of this service:

Option 1 - Unlimited Virtual License Model

Customers have unlimited access to software licenses to install and configure vulnerability scanners, central servers, and reporting engines in their own virtual environment.

Option 2 - Central Shared Hardware Model

Customers have access to configure and schedule scans of their environments leveraging the central shared hardware platform.

B. Availability/Accessibility

  1. Availability Management
    The service(s) defined in this agreement will be available 24 hours a day, 7 days a week. WaTech shall not be liable for any damages resulting from any service interruptions, downtimes, or any other factor beyond WaTech's control.

  2. Change Management
    All changes to WaTech Data Center computing and network environments are managed to promote or provide stability and minimize the impact of the changes to its customers. All changes to the WaTech computing and network environments are implemented in accordance with WaTech Information Technology Service.

  3. Problem Management
    Problems with the WaTech computing and network environments are managed in accordance with the WaTech Information Technology Service Management Operations Manual Problem Management Standards and Procedures.

  4. Security Management
    WaTech provides a security system infrastructure that reasonably protects its Customers from unauthorized external access to or broadcast on the Internet of customer's intellectual property, proprietary and confidential data. WaTech shall manage the security system infrastructures in accordance with the WaTech Information Technology Service Management Operations Manual Problem Management Standards and Procedures.

  5. Security Disclaimer
    This WaTech service is designed to prevent outsiders from gaining access and will provide an effective method of monitoring and limiting access. However, it may not prevent some instances of an employee from gaining unauthorized access to the Internet or to confidential information stored on the network. WaTech does not and will not accept liability for any losses or damage to Customer's business or data that arise as a result of the service not preventing unauthorized access. The WaTech service does provide a high standard of protection and service, but no system can claim to be completely secure.

C. Charges

Agencies paying into the State Network Allocation contribute to fund this service.

1. Option 1

The allocation covers the entire expense for the unlimited virtual licenses for the scanning platform. The scope of this software licensing covers the Vulnerability Assessment platform scanners, central servers, reporting servers, along with a license to scan an unlimited number of IP addresses. Customers bear the burden of the costs for virtual servers and underlying operating system licensing costs where the software is installed.

Where customers are unable to leverage their own virtual infrastructure, WaTech Private Cloud services are available at customer's expense.

2. Option 2
There are no additional costs associated with this option beyond the agency's contribution to the allocation.

D. Responsibilities

The delineation of responsibilities are documented in more detail in the RACI matrix (Appendix A.) Below is a general description of responsibilities.

  1. WaTech

    1. Manages the Vulnerability Assessment solution provider contracts, purchasing, maintenance support, and renewal agreements.

    2. Serves as the agency customer's liaison with the solution provider to manage and monitor support issues, assists to coordinate escalations for problem resolution Monday through Friday 8:00 am - 5:00 pm.

    3. Partners with the vendor to provide and facilitate state wide agency customer user group meetings and training sessions.

    4. Provisions unlimited virtual licenses and assists agency teams in onboarding and building out virtual Vulnerability Assessment implementations (Option 1.)

    5. Manages communications to ensure all agency customers are kept current on relevant news and events, and solicits regular feedback for service improvements.

    6. Manages central shared hardware platform in the State Data Center and assists agency teams in onboarding and use of their tenants within the multi-tenant environment (Option 2.)

      1. Uses reasonable efforts to assure that production platform will be available 24-hours, 7-days-a-week.

      2. Reasonably manage and maintain the physical environment housing the infrastructure in accordance with applicable WaTech policies.

  2. Customer

    1. Provides resources to partner with WaTech to define agency service requirements to assist with onboarding and implementation tasks.

    2. Owns day to day operation of the agency's use of the service to run discovery scans of their environment, configure and schedule vulnerability scans, manage result reporting and remediation processes.

    3. Submits support request and partners with WaTech in issue resolution with the solution provider.

    4. Allocates resources to participate in periodic user group meetings and training events.

E. Special Terms

  1. Exclusions

    WaTech does not support the following services as part of this allocation. The following items are the sole responsibility of the Customer:

    1. Customer support for systems outside the State Network.

    2. Implementation and management of Customer LAN environment (i.e., firewalls, hubs, servers, workstations, etc.).

    3. Connectivity for Dedicated Vulnerability Scanner.

    4. Internet Access.

    5. Remote client hardware.

    6. Data encryption within the State Network Protocols other than IP (Internet Protocol).

  2. User Name and Password; Identification of IP Addresses

    1. User Name and Password: For customers selecting Option 2 only, upon WaTech's acceptance of Customer's Registration, Customer will be registered and receive a user name and password for the Service. WaTech generates Customer's password in encrypted form and only Customer has access to it. Customer will be responsible for keeping Customer's user name and password confidential to the extent allowed by law. Customer shall notify WaTech or its immediately upon learning of any unauthorized use of Customer's user name or password. Until such time as Customer notifies WaTech of any unauthorized use of Customer's user name or password, Customer will be responsible for all activities and charges incurred through the use of Customer's user name and password.

    2. ii. Identification of IP Addresses: a) Because of the sensitive nature of performing security checks on IP addresses and/or Web Applications, Customer agrees that it has full right, power, and authority to consent to have the Service test for vulnerabilities ("scan") the IP addresses, Web Applications, and/or domain names identified to WaTech for scanning, whether electronically or by any other means, whether at the time of initial Registration or thereafter. (b) Customer also acknowledges and agrees that the scanning of such IP addresses, Web Applications, and/or domain names may expose vulnerabilities and in some circumstances could result in the disruption of services at such site(s). Certain optional features of the Service, including exploitive scans, involve substantial risk of Denial of Service (DOS) attacks, loss of service, hardware failure and loss or corruption of data. Consequently, Customer agrees that it is Customer's responsibility to perform backups of all data contained in or available through the devices connected to Customer's IP addresses, Web Applications, and/or domain names prior to invoking the use of the Service.

  3. License Grant

    Subject to the additional Product Specific License applicable to the service, the rights granted to Customer are subject to the following restrictions, and Customer hereby covenants as follows:

    1. Customer may use the Service only to scan IP addresses, Web Applications, and/or map domain names owned by and registered to Purchaser, or for which Customer otherwise has the full right, power, and authority to consent to have the Service scan and/or map. Neither will Customer permit third parties to benefit from the use or functionality of the Service via timesharing, service bureau arrangements or otherwise.

    2. While there is no software transfer necessary from Vendor to Purchaser to effectuate the Service, Purchaser agrees not to reverse engineer, decompile, or disassemble any software that is embedded that provides the Service, or otherwise attempt to derive the processes by which the Service is provided or the Reports are generated, except to the extent the foregoing restriction is expressly prohibited by applicable law.

    3. Purchaser may not use the Service except for the limited purpose of vulnerability management with regard to the IP addresses and/or Web Applications for which Customer has purchased services under the SLA.

  4. GOVERNMENT REGULATIONS

    The Products and the technology included therein provided under this Agreement are subject to governmental restrictions on exports from the U.S.; restrictions on exports from other countries in which such Products and technology included therein may be produced or located; disclosures of technology to foreign persons; exports from abroad of derivative products thereof; and the importation and/or use of such Products and technology included therein outside of the United States (collectively, "Export Laws"). Diversion contrary to U.S. law is expressly prohibited. Customer shall, at its sole expense, comply with all Export Laws and WATECH export policies made available to Customer by WATECH. Customer represents that it is not a Restricted Person, which shall be deemed to include any person or entity: (1) located in or a national of Cuba, Iran, Libya, North Korea, Sudan, Syria, or any other countries that may, from time to time, become subject to U.S. export controls for anti-terrorism reasons or with which U.S. persons are generally prohibited from engaging in financial transactions; or (2) on any restricted person or entity list maintained by any U.S. governmental agency. Certain information, products or technology may be subject to the International Traffic in Arms Regulations ("ITAR"). This information, products or technology shall only be exported, transferred or released to foreign nationals inside or outside the United States in compliance with ITAR.