R-2020 - 05/24/2022 - BOARD OF TRUSTEES - Resolutions
THE VILLAGE OF OAK BROOK
COOK AND DUPAGE COUNTIES, ILLINOIS
RESOLUTION
NUMBER 2022-IT-AG-SECURITY-R-2020
A RESOLUTION
APPROVING AND AUTHORIZING
THE EXECUTION OF AN AGREEMENT
BY AND BETWEEN
THE VILLAGE OF OAK BROOK AND
HALOCK SECURITY LABS
GOPAL G. LALMALANI, Village President
CHARLOTTE K. PRUSS, Village Clerk
LAURENCE HERMAN
MICHAEL MANZO
JAMES NAGLE
A. SURESH REDDY
EDWARD TIESENGA
ASIF YUSUF
Village Board
Published in pamphlet form by authority of the
President and the Board of Trustees of the Village of Oak Brook
on this the 24th day of May, 2022
RESOLUTION NO. 2022-IT-AG-SECURITY-R-2020
A RESOLUTION
APPROVING AND AUTHORIZING
THE EXECUTION OF AN AGREEMENT
BY AND BETWEEN
THE VILLAGE OF OAK BROOK AND
HALOCK SECURITY LABS
WHEREAS, the Village of Oak Brook is a municipal corporation with authority provided for
and granted pursuant to the Illinois Municipal Code to exercise certain powers and perform certain
functions pertaining to its local government and affairs;
WHEREAS, the Village of Oak Brook (hereinafter referred to as "Village") upon approval
of the corporate authorities may enter into an Agreement with another party pursuant to Illinois
Statute;
WHEREAS, cyber security assessments are an important activity in the risk management
process because they reveal the extent to which controls are implemented correctly, operate as
intended, and whether they meet the required security levels, which, in turn enables management
to make sound risk-based decisions regarding the operations of the information system;
WHEREAS, Halock Security Labs (hereinafter referred to as "Company"), is an
information technologies company that supplies technical consulting services ("Services") related
to cyber security, and has been working with Village Staff regarding the Master Services
Agreement (hereinafter the "Agreement") for the Proposed Computer Network Assessment in an
amount not-to-exceed $22,500.00;
WHEREAS, the Village is interested in contracting with Company for the purposes of
providing information technology Services to assess the current condition of the Village's
Computer Network, as set forth in the Agreement and provided for herein; and
WHEREAS, the Village of Oak Brook Corporate Authorities are of the opinion that it is in
the best interests of the Village of Oak Brook to enter into the attached agreement with Company
for the purposes referenced herein.
NOW, THEREFORE, BE IT RESOLVED by the Village President and Board of Trustees
of the Village of Oak Brook, DuPage and Cook Counties, Illinois as follows:
Section One — Recitals
The Corporate Authorities hereby find that all of the recitals hereinbefore stated as
contained in the preamble to this resolution are full, true and correct and do hereby, by reference,
incorporate and make them part of this resolution as legislative findings.
Section Two — Approval of Agreement
The Corporate Authorities hereby approve the Agreement substantially in the form
attached hereto and made a part hereof collectively as Exhibit A.
Section Three—Authorization and Direction
The Village Manager is hereby authorized to execute, and the Village Clerk is hereby
authorized to attest the Agreement, substantially in the form attached hereto as Exhibit A, with
such changes therein as shall be approved by the Village Attorney and the officials of the Village
executing the same, their execution thereof to constitute exclusive evidence of their approval to
any and all changes or revisions therein from and after the execution and delivery of such
Agreement.
Section Four- Other Actions Authorized
The officers, employees and/or agents of the Village shall take all actions necessary or
reasonably required to carry out and give effect to the intent of this Resolution and otherwise to
consummate the transactions contemplated herein, and shall take all actions necessary in
conformity therewith including, without limitation, the execution and delivery of all documents
required to be delivered in connection with the transaction contemplated herein.
Section Five - Authorization of Expenditures
The Corporate Authorities hereby authorize and direct the expenditure of all costs related
to the execution of the Agreement, additionally, the Village is authorized and directed to allocate
and spend all necessary funds to fulfill the requirements of the Agreement and of this Resolution.
Section Six -Acts of Village Officials
That all past, present and future acts and doings of the officials of the Village that are in
conformity with the purpose and intent of this resolution are hereby, in all respects, ratified,
approved, authorized and confirmed.
Section Seven—Effective Date
This resolution shall be in full force and effect from and after its passage, approval and
publication as provided by law.
Section Eight - Publication
This resolution shall be published in book or pamphlet form as provided by the Illinois
Municipal Code.
Section Nine—Conflict Clause
All resolutions, parts of resolutions or board actions in conflict herewith are hereby repealed
to the extent of such conflict.
Section Ten —Saving Clause
If any section, paragraph, clause or provision of this resolution is declared by a court of
law to be invalid or unconstitutional, the invalidity or unconstitutionality thereof shall not affect the
validity of any other provisions of this resolution, which are hereby declared to be separable.
Section Eleven — Recording
This resolution shall be entered into the minutes and upon the journals of the Board of
Trustees of the Village of Oak Brook.
The Remainder of this Page has been Intentionally Left Blank/ Roll Call Vote follows:
APPROVED THIS 24th day of May, 2022.
Gopal G. Lalmalani
Village President
PASSED THIS 24th day of May, 2022.
Ayes: Trustees Herman, Manzo, Reddy, Tiesenga, Yusuf
Nays: None
Absent: Trustee Nagle
ATTEST:
Charlotte K. Pruss
Village Clerk
Exhibit A
Agreement
REVIEW OF CONTRACTS
Awarding Agency: Village of Oak Brook
Type of Contract: Computer Network Security Assessment
Department: Information Technology
Program/Account Number: 151-76950
Awarded Contract Price: $22,500
Budgeted Amount: $25,000
CONTRACT AMOUNT (bands): Under $20,000 / $20,000 - $500,000 / $500,001 - $1,000,000 / Over $1,000,000
NOTES
This proposed agenda item is to request authorization from the Village Board to authorize an agreement
between the Village and Halock Security Labs to complete a comprehensive computer network security
assessment of the Village's computer network infrastructure and security software systems.
DEPARTMENT DIRECTOR SIGNATURE
Name: Date:
INITIAL REVIEW
Name: Date:
Name: Date:
Name: Date:
Three (3) Originals signed by other party Date/Initials
Original provided to staff member for other party Date/Initials
Original provided to Official Files Date/Initials
Village of Oak Brook | Approved by Board of Trustees - Date/Initials:
VILLAGE OF OAK BROOK
PROFESSIONAL SERVICES AGREEMENT
This AGREEMENT is dated as of the day of , 2022 ("Agreement"), and is by and between the VILLAGE OF
OAK BROOK, 1200 Oak Brook Road, Oak Brook, Illinois 60523, an Illinois municipal corporation ("Village"), and HALOCK
SECURITY LABS, 1834 Walden Office Square, Suite 200, Schaumburg, Illinois 60173 ("Consultant").
IN CONSIDERATION OF the recitals and the mutual covenants and agreements set forth in the Agreement, and pursuant to the
Village's statutory powers, the parties agree as follows:
SECTION 1. SCOPE OF SERVICES. The Village retains the Consultant to perform, and the Consultant agrees to
perform, all necessary services to perform the work in connection with the project identified below ("Services"),
which Services the Consultant shall provide pursuant to the terms and conditions of this Agreement:

Professional Services Agreement to Complete a Comprehensive Computer Network Security Assessment of
the Village's Computer Network Infrastructure and Security Software Systems, as more fully described in Exhibit A.

TIME OF PERFORMANCE. The Consultant shall perform and complete the Services as mutually agreed upon between
Village and Consultant ("Time of Performance").

SECTION 2. COMPENSATION.

A. Agreement Amount. The total amount billed by the Consultant for the Services under this Agreement
shall be in the not-to-exceed amount of $22,500.00, including reimbursable expenses, without the prior express written
authorization of the Village Manager.

B. Agreement Term. The term of this agreement will commence on the Effective Date and will
continue for a period of twelve (12) months. The Village reserves the right to award additional one (1) year extension
terms, with the concurrence of the Consultant.

C. Taxes, Benefits, and Royalties. Each payment by the Village to the Consultant includes all
applicable federal, state, and Village taxes of every kind and nature applicable to the Services as well as all taxes,
contributions, and premiums for unemployment insurance, old age or retirement benefits, pensions, annuities, or similar
benefits and all costs, royalties, and fees arising from the use of, or the incorporation into, the Services, of patented or
copyrighted equipment, materials, supplies, tools, appliances, devices, processes, or inventions. All claim or right to claim
additional compensation because of the payment of any such tax, contribution, premium, costs, royalties, or fees is hereby
waived and released by Consultant.

D. Payment of Agreement Amount. Payments shall be made pursuant to the terms of the Local
Government Prompt Payment Act, 50 ILCS 505/3 et seq.

SECTION 3. REPRESENTATIONS OF CONSULTANT. The Consultant represents and certifies that
the Services shall be performed in accordance with the standards of professional practice, care, and diligence
practiced by recognized consultants in performing services of a similar nature in existence at the Time of Performance. The
representations and certifications expressed shall be in addition to any other representations and certifications
expressed in this Agreement, or expressed or implied by law, which are hereby reserved unto the Village.

The Consultant further represents that it is financially solvent, has the necessary financial resources, and is sufficiently
experienced and competent to perform and complete the Services in a manner consistent with the standards of
professional practice by recognized consultants providing services of a similar nature. The Consultant shall provide all
personnel necessary to complete the Services.

SECTION 4. INDEMNIFICATION; INSURANCE; LIABILITY.

A. Indemnification. The Consultant proposes and agrees that the Consultant shall indemnify and save
harmless the Village against all damages, liability, claims, losses, and expenses (including attorneys' fees) that may arise,
or be alleged to have arisen, out of or in connection with the Consultant's performance of, or failure to perform, the
Services or any part thereof, or any failure to meet the representations and certifications set forth in Section 4 of this
Agreement.

B. Insurance. The Consultant acknowledges and agrees that the Consultant shall, and has a duty to
maintain adequate insurance, in an amount, and in a form and from companies, acceptable to the Village. The Consultant's
maintenance of adequate insurance shall not be construed in any way as a limitation on the Consultant's liability for losses
or damages under this Agreement.

C. No Personal Liability. No elected or appointed official or employee of the Village shall be
personally liable, in law or in contract, to the Consultant as the result of the execution of this Agreement.
SECTION 5. GENERAL PROVISIONS.

A. Relationship of the Parties. The Consultant shall act as an independent contractor in providing
and performing the Services. Nothing in, nor done pursuant to, this Agreement shall be construed to: (1) create the
relationship of principal and agent, employer and employee, partners, or joint venturers between the Village and
Consultant; or (2) to create any relationship between the Village and any subcontractor of the Contractor.

B. Conflicts of Interest. The Consultant represents and certifies that, to the best of its knowledge: (1)
no Village employee or agent is interested in the business of the Consultant or this Agreement; (2) as of the date of this
Agreement, neither the Consultant nor any person employed or associated with the Consultant has any interest that would
conflict in any manner or degree with the performance of the obligations under this Agreement; and (3) neither the
Consultant nor any person employed by or associated with the Consultant shall at any time during the term of this Agreement
obtain or acquire any interest that would conflict in any manner or degree with the performance of the obligations
under this Agreement.

C. No Collusion. The Consultant represents and certifies that the Consultant is not barred from contracting
with a unit of state or local government as a result of (1) a delinquency in the payment of any tax administered by the
Illinois Department of Revenue unless the Consultant is contesting, in accordance with the procedures established by
the appropriate revenue act, its liability for the tax or the amount of the tax, as set forth in Section 11-42.1-1 et seq. of
the Illinois Municipal Code, 65 ILCS 5/11-42.1-1 et seq.; or (2) a violation of either Section 33E-3 or Section 33E-4 of
Article 33E of the Criminal Code of 1961, 720 ILCS 5/33E-1 et seq. If at any time it shall be found that the Consultant
has, in procuring this Agreement, colluded with any other person, firm, or corporation, then the Consultant shall be liable
to the Village for all loss or damage that the Village may suffer, and this Agreement shall, at the Village's option, be
null and void.

D. Termination. Notwithstanding any other provision hereof, the Village may terminate this Agreement at
any time upon 15 days prior written notice to the Consultant. In the event that this Agreement is so terminated, the
Consultant shall be paid for Services actually performed and reimbursable expenses actually incurred, if any, prior to
termination, not exceeding the value of the Services completed.

E. Compliance with Laws and Grants. Consultant shall give all notices, pay all fees, and take all
other action that may be necessary to ensure that the Services are provided, performed, and completed in accordance with all
required governmental permits, licenses, or other approvals and authorizations that may be required in connection with
providing, performing, and completing the Services, and with all applicable statutes, ordinances, rules, and regulations,
including without limitation the Fair Labor Standards Act; any statutes regarding qualification to do business; any statutes
prohibiting discrimination because of, or requiring affirmative action based on, race, creed, color, national origin, age, sex, or
other prohibited classification, including, without limitation, the Americans with Disabilities Act of 1990, 42 U.S.C. §§
12101 et seq., and the Illinois Human Rights Act, 775 ILCS 5/1-101 et seq. Consultant shall also comply with all
conditions of any federal, state, or local grant received by the Village or Consultant with respect to this Contract or the
Services. Consultant shall be solely liable for any fines or civil penalties that are imposed by any governmental or quasi-
governmental agency or body that may arise, or be alleged to have arisen, out of or in connection with Consultant's, or its
subcontractors', performance of, or failure to perform, the Services or any part thereof. Every provision of law required
by law to be inserted into this Contract shall be deemed to be inserted herein.

F. Prevailing Wage. If applicable, pursuant to Section 4 of the Illinois Prevailing Wage Act, 820 ILCS
130/4, Contractor agrees and acknowledges that not less than the applicable rate of prevailing wages, as found or
ascertained by the Department of Labor and made available on the Department's official website, or determined by the court
on review, shall be paid for each craft or type of worker needed to execute this contract or to perform such work, and it
shall be mandatory upon the contractor to whom the contract is awarded and upon any subcontractor under him, to pay not
less than the specified rates to all laborers, workers and mechanics employed by them in the execution of this contract.

G. Certified Payroll. If applicable, Contractor shall, in accordance with Section 5 of the Illinois Prevailing
Wage Act, 820 ILCS 130/5, submit to the Village, and upon activation of the database provided by 820 ILCS 130/5.1 to the
Department of Labor, on a monthly basis, a certified payroll. The certified payroll shall consist of a complete copy of those
records required to be made and kept by the Prevailing Wage Act. The certified payroll shall be accompanied by a
statement signed by the Contractor or subcontractor which certifies that: (1) such records are true and accurate; (2) the
hourly rate paid is not less than the general prevailing rate of hourly wages required by the Prevailing Wage Act; and (3)
Contractor or subcontractor is aware that filing a certified payroll that he or she knows to be false is a Class A
misdemeanor. A general contractor may rely upon the certification of a lower tier subcontractor, provided that the
general contractor does not knowingly rely upon a subcontractor's false certification. Upon seven business days'
notice, Contractor and each subcontractor shall make available for inspection and copying at a location within this State
during reasonable hours, the records required to be made and kept by the Act to: (i) the Village, its officers and agents; (ii)
the Director of Labor and his deputies and agents; and (iii) federal, State, or local law enforcement agencies and
prosecutors.
H. Default. If it should appear at any time that the Consultant has failed or refused to prosecute, or has
delayed in the prosecution of, the Services with diligence at a rate that assures completion of the Services in full compliance
with the requirements of this Agreement, or has otherwise failed, refused, or delayed to perform or satisfy the Services or
any other requirement of this Agreement ("Event of Default"), and fails to cure any such Event of Default within
ten business days after the Consultant's receipt of written notice of such Event of Default from the Village, then the
Village shall have the right, without prejudice to any other remedies provided by law or equity, to (1) terminate this
Agreement without liability for further payment; or (2) withhold from any payment or recover from the Consultant,
any and all costs, including attorneys' fees and administrative expenses, incurred by the Village as the result of any Event of
Default by the Consultant or as a result of actions taken by the Village in response to any Event of Default by the Consultant.

I. Assignment. This Agreement may not be assigned by the Village or by the Consultant without the prior
written consent of the other party.

J. Notice. All notices required or permitted to be given under this Agreement shall be in writing and shall be
delivered: (1) personally; (2) by a reputable overnight courier; or (3) by certified mail, return receipt requested, and
deposited in the U.S. Mail, postage prepaid. Unless otherwise expressly provided in this Agreement, notices shall be deemed
received upon the earlier of: (a) actual receipt; (b) one business day after deposit with an overnight courier as
evidenced by a receipt of deposit; or (c) three business days following deposit in the U.S. mail, as evidenced by a return
receipt. Notices and communications to the Village shall be addressed to, and delivered at, the following address:

Village of Oak Brook
1200 Oak Brook Road
Oak Brook, Illinois 60523
Attention: Jim Fox, Information Technology Director

Notices and communications to the Consultant shall be addressed to, and delivered at, the following address:

Halock Security Labs
1834 Walden Office Square
Suite 200
Schaumburg, Illinois 60173
Attention: Terry Kurzynski, Senior Partner

K. Waiver. Neither the Village nor the Consultant shall be under any obligation to exercise any of the
rights granted to them in this Agreement except as it shall determine to be in its best interest from time to time. The
failure of the Village or the Consultant to exercise at any time any such rights shall not be deemed or construed as a waiver
of that right, nor shall the failure void or affect the Village's or the Consultant's right to enforce such rights or any other
rights.

L. Third Party Beneficiary. No claim as a third party beneficiary under this Agreement by any person,
firm, or corporation shall be made or be valid against the Village.

M. Governing Laws. This Agreement and the rights of Owner and Consultant under this Agreement shall be
interpreted according to the internal laws, but not the conflict of laws rules, of the State of Illinois; the venue for any legal
action arising in connection with this Agreement shall be in the Circuit Court of DuPage County, Illinois.

N. Conflicts; Exhibits. If any term or provision in this Agreement conflicts with any term or provision of an
attachment or exhibit to this Agreement, the terms and provisions of this Agreement shall control.

O. No Disclosure of Confidential Information by the Consultant. Confidential information
means all material, non-public, business-related information, written or oral, whether or not it is marked, that is disclosed or
made available to the Consultant, directly or indirectly, through any means of communication or observation. The
Consultant acknowledges that it shall, in performing the Services for the Village under this Agreement, have access, or
be directly or indirectly exposed, to Confidential Information. The Consultant shall hold confidential all Confidential
Information and shall not disclose or use such Confidential Information without the express prior written consent of the
Village. The Consultant shall use reasonable measures at least as strict as those the Consultant uses to protect its own
confidential information. Such measures shall include, without limitation, requiring employees and subcontractors of
the Consultant to execute a non-disclosure agreement before obtaining access to Confidential Information.
HALOCK Security Labs
Purpose Driven Security
any employee of the other Party and/or any independent subcontractor who performs
work under the Agreement. Except for a HALOCK employee who, with Client's actual
knowledge, performed Services for Client under this Agreement, the prohibitions set
forth in this Section 9.4 shall not apply to the hiring of any such person who responds to
a general solicitation or public advertising for employment with Client. Any Party that
breaches this non-solicitation provision shall be subject to liability for liquidated
damages in an amount equivalent to six (6) months' salary for the employee and/or
independent subcontractor at issue.
9.5 Facilities and Services to be provided by Client. Unless otherwise stated in this
Agreement, Client shall provide any independent subcontractor and/or HALOCK
employee who performs Services under this Agreement with work space, desks,
terminals, and incidental supplies at Client's facilities as required by the specific project
or as defined within a SOW.
9.6 Out of Pocket Costs Reimbursements. If any HALOCK employee or HALOCK
independent subcontractor is required by Client to incur "out of pocket" costs (such as
travel and meals) as an incidental requirement under this Agreement, such costs as
shall be reimbursed to HALOCK as authorized by Client.
9.7 Replacements. In the event that any HALOCK employee withdraws from work
without Client's approval before conclusion of the work specified in this Agreement,
then HALOCK shall supply an acceptable replacement to Client as soon as possible.
Except as otherwise provided herein, HALOCK shall have no liability to Client, other
than to supply an appropriately skilled replacement.
9.8 Relationship of Subcontractors. Client expressly acknowledges that HALOCK
may, in its sole discretion, elect to supply the Client with an individual who is
designated as a "Subcontractor" or "Independent Subcontractor" to perform services
under a separate SOW. Client expressly acknowledges and understands that any such
"Subcontractor" or "Independent Subcontractor" is not an agent or employee of
HALOCK.
10.0 Delays. HALOCK and Client will mutually agree to dates for Services to be
performed and will make reasonable efforts to schedule and coordinate all project
activities. In the event that either Party needs to reschedule a work activity for any
reason, the notifying Party may do so without penalty so long as the notified Party is
provided notice at least ten (10) business days prior to the scheduled work activity.
HALOCK has the sole discretion to accept or deny a request, from Client, to reschedule
for a specific alternate date, although HALOCK will not unreasonably refuse such a
request. The Client's failure to provide HALOCK with ten (10) business days' notice, under
this paragraph 10.0, may result in changes to the scope, schedule and/or an increase in
fees unless alternate arrangements are agreed to by and between HALOCK and Client.
HALOCK Security Labs | Master Services Agreement Page 4 of 18
In the event delays are defined in a SOW, the terms of the SOW shall take precedence
over this paragraph 10.0, and shall only apply to the Services under that SOW. In the
event that the Client requests or requires a delay beyond one year from date on
executed SOW, the Agreement will be terminated without any refund to Client, unless
otherwise agreed by the Parties.
11.0 Confidential Information, Nondisclosure and Data Security.
11.1 General Provisions. In order for HALOCK to effectively perform its obligations
under this Agreement, it may be necessary or desirable for Client to disclose
confidential and proprietary information pertaining to Client's past, present and future
activities. Since it is difficult to separate confidential and proprietary information from
that which is not, HALOCK will instruct its employees to regard all information gained
by each such person, as a result of the Services to be performed, as information that is
proprietary to Client, and to keep such information strictly confidential. All records,
files, specifications, and technical data and the like relating to Client's business, which
HALOCK shall receive, use, or come into contact with, shall be and remain Client's sole
property and cannot be copied, or disseminated without Client's written permission. It
is anticipated that Client may, from time to time, be provided with information that is
confidential or proprietary to HALOCK. Neither Party will directly or indirectly
disclose any confidential information except as required in the course of discharging its
obligations under this Agreement. Furthermore, HALOCK agrees that it will not reveal
any information pertaining to the business of Client, including business practices,
employee or contractor identities, processes and methods of operation, except as may
be required in performing Services. All records, files, specifications, and technical data
and the like relating to HALOCK's business, which Client shall prepare, use, or come
into contact with, shall be and remain HALOCK's sole property and cannot be copied,
or disseminated without HALOCK's written permission.
11.2 Limitations. Confidential information shall not, however, include any information
which (i) is or subsequently becomes publicly known and made generally available
through no action or inaction of the receiving Party; (ii) is in the possession of the
receiving Party, without confidential restrictions, at the time of disclosure by the
disclosing Party as shown by the receiving Party's files and records immediately prior
to the time of disclosure; and/or (iii) is independently developed by the receiving Party
without use of or reference to the disclosing Party's confidential information, as shown
by documents and other competent evidence in the receiving Party's possession.
11.3 Disclosure. In the event that the receiving Party is requested or required
(including, without limitation, by deposition, interrogatory, request for documents,
subpoena, civil investigative demand or similar process) by a court of law,
governmental authority or regulator to disclose any confidential information, the
receiving Party will give the disclosing Party, to the extent not prohibited by law, rule,
applicable authority or regulation, prompt written notice of such request or
requirement so that the disclosing Party may seek an appropriate order or other remedy
protecting the confidential information from disclosure. The receiving Party will
cooperate, to the extent commercially reasonable and at the disclosing Party's expense,
with the disclosing Party to obtain such protective order or other remedy. In the event
that a protective order or other remedy is not obtained or the disclosing Party waives its
right to seek such an order or other remedy, the receiving Party may, without liability
under this Agreement, furnish only that portion of the confidential information that the
receiving Party is requested or required to disclose as determined by the receiving Party
and/or its legal counsel. Nothing contained in this paragraph 11.3 shall prohibit the
receiving Party from disclosing confidential information if required by any
governmental, judicial, administrative or regulatory authority having jurisdiction over
the receiving Party. The receiving Party will notify the disclosing Party of the request if
permitted by law.
11.4 Gramm-Leach-Bliley Act. HALOCK adheres, as applicable to the Services
rendered, to the final privacy rules pursuant to Section 501(a) of the Gramm-Leach-
Bliley Act. Further, in accordance with Section 501(b) of the Gramm-Leach-Bliley Act (as
defined in 15 U.S.C. 6801-6809), as a nonaffiliated third party to financial institutions,
HALOCK does not engage in any activities as a financial institution nor does HALOCK
provide services that would be defined as a financial service. In the course of providing
consulting Services, HALOCK may knowingly or unknowingly encounter nonpublic
personal information ("NPI"). HALOCK will not intentionally store, process, or
transmit this information unless authorized as a requirement of the Services rendered.
HALOCK will not disclose or share NPI with third parties nor will HALOCK use any
NPI for its own marketing purposes. HALOCK will report any material breaches
affecting the financial institution's NPI to the financial institution should such breach
occur, including an estimate of the intrusion's effect on the financial institution, or any
of its customers, and the corrective action taken or to be undertaken. HALOCK's GLBA
policy may be revised or updated and is available upon request.
11.5 Reporting Requirements. HALOCK will promptly report any confirmed breaches
in security or unauthorized access to or disclosure of Client's confidential information,
including without limitation any instance of theft, unauthorized access by fraud,
deception or other malfeasance or inadvertent access that resulted in any unauthorized
access to or disclosure of the Client's confidential information (a "Security Event"),
whenever such breaches should occur, including an estimate of the intrusion's effect on
the Client, or any of its customers, and the corrective action taken or to be undertaken.
HALOCK will provide Client with all reasonable cooperation in connection with any
Security Event. In the event of a Security Event, HALOCK shall, upon Client
authorization: (i) conduct an investigation of the Security Event, including the collection
and preservation of data and evidence concerning the Security Event; (ii) take all steps
HALOCK Security Labs | Master Services Agreement Page 6 of 18
HALOCK Security Labs
Purpose Driven Security
appropriate and necessary to contain, prevent and mitigate any further Security Event;
(iii) provide Client prompt notice of any such Security Event, but not later than twenty-
four (24) hours after HALOCK learns of a confirmed Security Event; (iv) provide Client
with a written report concerning any such Security Event within three (3) business days
of the Security Event; (v) document and detail the remedial action taken and planned to
be taken by HALOCK, to remediate any such Security Event; and (vi) reasonably
cooperate with Client to provide information as requested by Client, provided such
requests do not violate confidentiality agreements established by and between
HALOCK and other third parties.
11.6 Notice of Changes in HALOCK's Security Program. HALOCK shall notify Client
whenever there are changes in its security program that would materially affect the
terms stated in sections 11.1-11.5.
12.0 Assessments, Audits, Penetration Testing, and Incident Response.
12.1 General Provisions. HALOCK, through the course of its work efforts for Client,
may need to perform automated scanning, manual attempts to exploit vulnerabilities,
incident response, forensic analysis and/or other assessment activities in order to gain
control of target systems and identify related vulnerabilities. These activities involve a
variety of tools and techniques that may cause the target services to behave in an
unintended manner. This may result in servers, services, applications, or other devices
becoming unresponsive, and could potentially lead to data loss and/or data corruption.
To the extent possible, HALOCK will take precautionary measures to avoid any such
problems by conducting a planning session with Client prior to commencement of the
assessment.
12.2 Client's Obligations and Waiver of Claims. The Client is expected to take
appropriate steps to ensure that data and information on all systems that fall within the
scope of Services and/or that may be impacted by the Services has been properly backed
up prior to commencement of the Services. The Client agrees that it will make
appropriate personnel available to aid in the planning and coordination of Services
activity in order to minimize business impact and to assist in the process of recovering
systems functionality if problems do arise. The Client shall grant HALOCK reasonable
access to its networks, systems, and/or applications to perform the Services outlined in
the related SOW. HALOCK will not be subject to liability for claims of any kind
whatsoever that result from the Client's failure to take appropriate steps to back up data
and/or information on its systems, and Client expressly waives any and all claims of
any kind whatsoever, against HALOCK as well as HALOCK's employees and agents,
which result from Client's failure to back up its data and/or information.
12.3 Impossibility of Identifying All Issues and Vulnerabilities. Client acknowledges
and understands that, during the course of any incident response or other assessment
activity, it may be impossible and impractical for HALOCK to assess 100% of a Client's
environment and, in the performance of its work, HALOCK will only assess a
reasonable sample of the Client's system, server, applications, processes and/or
documentation. HALOCK will conduct a reasonable sampling of the relevant
information and Client recognizes that HALOCK cannot identify every single problem
with a Client's system, server, application, process and/or documentation. In light of
the unpredictable nature of how systems may react to tools and techniques that
HALOCK may use during the course of its work, HALOCK makes no guarantee that
the final report will identify all vulnerabilities, liabilities, and/or control gaps that may,
have or will affect the organization. Client expressly acknowledges and understands the
statements in this Paragraph 12.3.
12.4 Inability to Guarantee Identification of Incident Source during Incident
Response Work. During the performance of any incident response and/or forensic
analysis, HALOCK will make all reasonable efforts to identify the source of the
incident. However, HALOCK makes no guarantee that it will be able to identify the
incident source, and makes no guarantee that its final report will include the source of
the incident. Client expressly acknowledges and understands HALOCK's
representations in this regard.
12.5 Point in Time. Client acknowledges and understands that HALOCK only
provides point-in-time validation, testing and assessment, and that HALOCK's
validation, testing and assessment of a system, server, application, process, and/or
documentation only pertains to the time when HALOCK conducts its work. HALOCK
makes no representations or statements concerning the status of Client's system, server,
application, process, and/or documentation at any time prior to or after the validation,
testing or assessment process. Client acknowledges and understands that its system,
server, application, process, and/or documentation is subject to change before, during,
and/or following any validation, testing or assessment by HALOCK.
12.6 Scope of Environment. Client acknowledges and understands that HALOCK is
relying on Client's representations concerning the scope and boundaries of its
environment. Client acknowledges that HALOCK's performance, validation, testing
and assessment may be adversely impacted if Client fails to accurately describe or scope
its environment for HALOCK. Client hereby waives any and all claims for damages of
any kind, against HALOCK as well as HALOCK's employees and agents, which result
directly or indirectly from Client's failure to accurately scope or describe its
environment.
12.7 Continuous Maintenance. Client acknowledges and understands that it is
responsible for any necessary compliance and/or system maintenance that may be
required following the completion of any validation, testing or other assessment by
HALOCK. Client hereby waives any and all claims for damages of any kind, against
HALOCK as well as HALOCK's employees and agents, which result directly or
indirectly from Client's failure to perform any necessary compliance and/or system
maintenance.
12.8 Payment Obligation is Independent of Outcome. Client agrees that all fees are
due to HALOCK for Services rendered and tools utilized regardless of the outcome,
results and/or Client satisfaction of the engagement.
13.0 Term and Termination.
13.1 Initial Term and Renewal Term. The term of this Agreement will commence on
the Effective Date and will continue for a period of twelve (12) months ("Initial Term"),
13.2 Termination. Notwithstanding section 13.1 (Initial Term and Renewal Term),
either Party may terminate this Agreement at any time upon thirty (30) days prior
written notice to the other Party. Upon termination, an orderly phase-out schedule will
be mutually created by Client and HALOCK, and all of Client's property, material, and
work in HALOCK's possession, including any and all documents in the possession of
HALOCK and/or its employees, which incorporate any classified information (from a
patent, trademark, copyright, proprietary information, and government secrecy
standpoint), shall be delivered to Client.
13.3 Client's Obligations Upon Termination. In the event of any termination, Client
shall pay to HALOCK any compensation due to HALOCK for the time of any
independent subcontractor and/or HALOCK employee who has performed Services, plus
approved reimbursable expenses as of the termination date pursuant to the terms and
rates agreed to by the Parties. Unless otherwise agreed by the Parties in a separate
agreement, in the event of a fixed fee project, Client shall pay to HALOCK a termination
fee to be mutually agreed to by Client and HALOCK that shall be no less than an
amount equal to the actual hours worked by any independent subcontractor and/or
HALOCK employee multiplied by the out of scope billing rates specified in the SOW.
13.4 Return of Equipment. Client agrees to return any and all equipment or other
HALOCK property supplied by an independent subcontractor and/or HALOCK
employee within ten (10) days of the termination of this Agreement and in working
order. Client agrees to reimburse HALOCK for the full replacement cost of any
damaged equipment or equipment not returned in a timely manner.
14.0 Representations and Warranties. HALOCK and Client each represent, warrant
and covenant that: (i) each party has the full right and authority to enter into, execute,
and perform its respective obligations under this Agreement and that no pending or
threatened claim or litigation known to it will have a material adverse impact on its
ability to perform as required by this Agreement; (ii) the Services and obligations
hereunder will be performed in a reasonable and workmanlike manner; (iii) the Services
and obligations hereunder will be performed in compliance with all applicable federal,
state and local laws, statutes, rules, regulations and ordinances; (iv) each party shall
dedicate such time and resources as necessary to perform the Services on a timely basis;
and (v) it will keep Client reasonably informed regarding the status of the Services
performed hereunder.
15.0 Limits of Liability. Except for the obligations under paragraph 18.0 (Indemnity), in
no event shall either Party be liable to the other for consequential, incidental, indirect,
punitive or special damages (including loss of profits, data, business or goodwill), from
all causes of action of any kind, including any action sounding in contract, tort, breach
of warranty, or otherwise, even if a Party was advised of the likelihood of such damages
occurring. It is further agreed that, except for each Party's obligations under paragraph
18.0 (Indemnity) of this Agreement, each Party's aggregate liability for direct damages
for any claim that is brought pursuant to this Agreement shall not exceed $1 million
($1,000,000).
16.0 Waiver of Claims and Liabilities by Client. Client acknowledges that an
employee or independent subcontractor of HALOCK may, during the course of its
HALOCK may not have an opportunity to advise Client about the consequences of
offered and/or provided through the GRC portal and/or by Reasonable Risk,
17.0 Warranty and Disclaimer of Warranties Concerning Products, Equipment and
Goods. Client expressly acknowledges that it will select solutions and may agree to the
use of products, software, equipment and/or goods in order to solve or attempt to solve
identified problems and issues. While HALOCK may, in the performance of its work,
recommend solutions to Client, including the use of products, software, equipment and/or
goods, Client expressly acknowledges and agrees that HALOCK is not a designer,
manufacturer, distributor, or operator of any such products, software, equipment and/or
goods including but not limited to any software offered and/or provided through the GRC
portal and/or by Reasonable Risk, LLC. In light of the foregoing, the Parties expressly
acknowledge and agree to the following:
17.1 If HALOCK has reason to know of the specific purpose for which a product,
software, piece of equipment and/or good is required by Client, if HALOCK has reason
to know that Client is relying on HALOCK's judgment when selecting a product,
software, piece of equipment and/or good, and if Client actually relies on HALOCK's
judgment when selecting a product, software, piece of equipment and/or good, then
HALOCK hereby warrants that the product, piece of equipment and/or good is suitable
for that specific purpose.
17.2 HALOCK does not make any express and/or implied warranties OF ANY KIND
other than what is expressly stated in Section 17.1, and HALOCK hereby EXPRESSLY
disclaims any and all additional EXPRESS AND/OR IMPLIED warranties of any kind
including, but not limited to, any warranties of design and/or merchantability.
17.3 Client acknowledges that, when selecting and/or purchasing any product,
software, piece of equipment and/or good for its use, Client shall not rely solely on any
statement or representation made by any independent subcontractor, agent or
employee of HALOCK and Client acknowledges that it has the right to independently
exercise its own judgment when selecting and/or purchasing any product, software,
piece of equipment and/or good.
17.4 Client acknowledges that HALOCK shall not be subject to liability for any
damages caused by any design and/or manufacturing defect in any product, software,
piece of equipment and/or good unless HALOCK knew or had reason to know about
that defect prior to or at the time when the product, software, piece of equipment
and/or good is acquired by Client and only if HALOCK failed to advise Client about the
defect.
17.5 Except as is otherwise expressly stated in this Section 17.0, Client waives any
claim of any kind against HALOCK or its assignee for any loss, damage or expense that
is caused by or results from Client's use of any product, software, piece of equipment
and/or good.
17.6 HALOCK and Client agree and acknowledge that the terms stated in this Section
17.0 apply only in the event that a separate statement of work has not been executed. If
a separate statement of work exists, the terms of that statement of work supersede the
terms stated in this Section 17.0.
18.0 Indemnity.
18.1 Each Party agrees that it will indemnify, defend (if requested) and hold harmless
the other Party as well as its respective parents, affiliates and subsidiary entities,
officers, directors, shareholders, representatives, successors, assigns, employees and
agents (collectively, the "Indemnitees") from and against any and all judgments,
actions, claims, lawsuits, losses, fines, penalties, interest, deficiencies, damages,
liabilities, costs and/or expenses (including reasonable attorneys' fees, expenses, court
costs and/or arbitration fees) (hereinafter "Indemnification Damages") that may be
suffered, made or incurred by any Indemnitee arising out of: (i) any breach or alleged
breach of any of the representations, warranties, covenants, obligations or agreements
made by the indemnifying Party in this Agreement, and/or (ii) the fraud, negligence,
willful, illegal and/or intentional conduct of the indemnifying Party. Client
acknowledges, understands and agrees that HALOCK is not obligated to defend and/or
indemnify Client from and against any and all Indemnification Damages arising out of
any defects and/or problems with any software offered and/or provided through the
GRC portal and/or by Reasonable Risk, LLC. Finally, the Parties agree that neither
Party is entitled to seek indemnification from the other Party for any Indemnification
Damages arising out of a Party's own negligent, willful and/or intentional conduct.
18.2 A Party seeking indemnification from the other must provide the other Party
with a written demand for indemnification promptly after learning about any claim that
may require indemnification. The Party seeking indemnification must allow the
indemnifying Party to assume full control of the defense and settlement of the claim.
The indemnified Party agrees to provide the indemnifying Party with reasonable
cooperation including, but not limited to, reasonable access to documents and witnesses
that are necessary to defend the claim. The indemnified Party shall have the right to
participate in the defense of the claim at its own expense. The indemnifying Party shall
not enter into any settlement agreement, consent to the entry of a judgment or
otherwise settle or resolve any claim without the written consent of the indemnified
Party, and such consent shall not be unreasonably withheld. Finally, any failure by the
indemnified Party to satisfy any obligations under this section shall limit the
indemnifying Party's obligations but only to the extent it suffers actual prejudice as a
result.
18.3 Insurance Requirements. HALOCK and Client shall maintain insurance against
losses and damages to persons or to real or personal property, including worker's
compensation, public liability, property damage and automobile liability insurance in
an amount not less than $1 million ($1,000,000). Each Party shall
Prior to the
commencement of any work and upon request, a Party shall produce, to the other
Party, a certificate of insurance demonstrating such coverage.
18.4 Notices. Any notice required or permitted by this Agreement shall be in writing
and shall be made by personal delivery, overnight express courier (such as Federal
Express) or by pre-paid certified or registered mail, addressed to the other Party as
follows:
If to HALOCK: Attn: Terry Kurzynski, Senior Partner
HALOCK Security Labs
1834 Walden Office Square, Suite 200,
Schaumburg, IL 60173
847.221.0212
If to Client: Attn: Jim Fox, Information Technology Director
Village of Oak Brook
1200 Oak Brook Road
Oak Brook Illinois 60523
630-368-5174
18.5 Or, notice may be delivered to such other address as may be given by any Party to
the other in writing from time to time. Notice will be deemed to have been received
upon delivery or upon rejection of delivery as evidenced by a Party's signature.
18.6 21.0 HALOCK Security Labs. The formal corporate name for HALOCK
Security Labs is Remington Associates Ltd., d/b/a HALOCK Security Labs, an Illinois
corporation. Client should use the name "HALOCK" or "HALOCK Security Labs" in
its vendor management system.
22.0 General Provisions
22.1 Assignment and Successors. Either Party may assign any or all of its rights,
obligations and/or duties under this Agreement at any time and from time to time
upon the written consent of the other Party and each Party agrees that such consent
shall not be unreasonably withheld. The Parties agree that this Agreement shall be
binding upon the successors of each Party and shall inure to the benefit of, and be
enforceable by, such successors, and any officers or directors thereof.
22.2 Rights of Title to HALOCK's Intellectual Property. Client acknowledges that
HALOCK has invested substantial time, money and effort in order to develop its tools,
toolkits, templates, methods, plans, posters, videos, agreements, content, processes,
runbooks, as well as additional content and documents identified as its intellectual
property ("HALOCK's Intellectual Property"). Except as expressly described in Section
22.3, HALOCK alone shall own all right, title and interest, including all related
intellectual property rights, in and to HALOCK's Intellectual Property and any
derivative works and HALOCK will have perpetual rights to HALOCK's Intellectual
Property as well as any algorithms, methods, templates and processes used to develop
HALOCK's Intellectual Property and any derivative works.
22.3 Ownership of Deliverables and Client's Works. All concepts, designs, programs,
manuals, tapes, flowcharts and any other material prepared by HALOCK for Client
under this Agreement ("Deliverables") and/or any material developed independently
by Client using HALOCK's Intellectual Property ("Client's Works") are created
specifically for Client's use as defined by this Agreement. Client shall not redistribute
or share any of HALOCK's Intellectual Property created under this Agreement with
any company or persons not a party to this Agreement although this restriction shall
not apply to Deliverables and/or Client's Works. Client shall own and have the right to
obtain from HALOCK and/or its employees, and to hold in its own name, copyrights,
trademark registrations, patents or whatever protection Client may deem appropriate in
any material prepared by HALOCK specifically for Client under this Agreement.
HALOCK shall, and shall cause its employees and subcontractors to, execute any
documents and take any actions reasonably requested by Client to perfect its ownership
and/or registration of any Deliverables, Client's Works or any intellectual property
rights therein. By providing Client with the Deliverables and/or allowing Client to
develop the Client's Works, HALOCK does not waive any of its right, title and/or
interest in HALOCK's Intellectual Property and derivative works.
22.4 License Grant. From and after the Effective Date, HALOCK hereby grants to
Client, and Client hereby accepts from HALOCK, a perpetual, irrevocable, world-wide,
fully paid-up, royalty-free license to use and modify the Deliverables and, to the extent
necessary under the law, Client's Works. Except as expressly provided herein, Client is
granted no rights or licenses whatsoever in or to HALOCK's Intellectual Property or
any other HALOCK products, services or other HALOCK intellectual property or
personal rights.
22.5 Restrictions. Client agrees not to use HALOCK's Intellectual Property, the
Deliverables, and/or Client's Works in a manner that violates any applicable laws,
regulations or this Agreement. Client shall not distribute the Deliverables and/or
Client's Works in electronic editable format to any 3rd party without technically
enforceable restrictions of use, including duplication, modification, trading or selling, or
any other use for personal gain although this restriction does not prevent Client from
creating, modifying and/or distributing the Deliverables and/or Client's Works.
22.6 HALOCK's Trade Secrets. Client acknowledges that HALOCK's Intellectual
Property constitutes trade secrets as that information (i) is not generally known and/or
available to the public; (ii) has actual commercial value and provides HALOCK with an
economic advantage over its competitors; and (iii) is actively protected from disclosure
through contractual protection, maintaining the confidentiality of HALOCK's
Intellectual Property and other reasonable efforts applicable to HALOCK's business.
Client expressly agrees not to disclose any of HALOCK's Intellectual Property and/or
trade secrets of any kind to any third party under any circumstances unless such
disclosure is expressly authorized by HALOCK in writing and further agrees to take
reasonable steps to maintain the confidentiality of HALOCK's Intellectual Property and
trade secrets although these restrictions and obligations shall not apply to the
Deliverables and/or Client's Works. Client agrees not to use any of HALOCK's
Intellectual Property and/or trade secrets for its own benefit except as expressly
provided herein and in connection with the Services. Client acknowledges and agrees
that the unauthorized acquisition, use or disclosure of HALOCK's Intellectual Property
and trade secrets in a manner contrary to honest commercial practices by others is
regarded as an unfair practice and a violation of trade secret protection as well as this
Agreement.
22.7 Written Disclosure. HALOCK and its employees shall promptly disclose in writing
to Client all writings, inventions, improvements, or discoveries, whether copyrightable,
patentable, or not, which are written, conceived, made, or discovered by HALOCK's
employees jointly with Client or singly arising out of, or during the term of this
Agreement. As to each such disclosure, HALOCK and/or its employees shall
specifically point out the features or concepts considered new or different. HALOCK
represents and warrants that there are, at present, no writings, inventions,
improvements, or discoveries not included in a copyright, copyright applications,
patent, or patent application that were written, conceived, invented, made, or
discovered by HALOCK and/or employees before entering into this Agreement, and
which HALOCK and/or employees desire to remove from the provisions of this
Agreement, except those stated specifically in writing by HALOCK.
22.8 Choice of Law. The Parties expressly agree that any dispute that arises under or in
relation to this Agreement shall be governed by Illinois law, regardless of any
applicable choice-of-law principles.
22.9 Binding Arbitration. The Parties agree that any controversy or claim arising out of
or relating to this Agreement, or breach thereof, shall be settled via binding arbitration
in accordance with the Commercial Arbitration Rules of the American Arbitration
Association, and judgment upon the award rendered by the arbitrator(s) may be
entered in any court having jurisdiction thereof. Further, Client and HALOCK agree to
equally share the cost of arbitration while arbitration is pending, with the prevailing
Party to receive the cost of arbitration, as well as all reasonable legal fees and expenses
incurred in relation to the arbitration. The Parties further agree that the arbitration
hearing itself will proceed at a forum located within 150 miles of the Chicago-land area
to be agreed upon by the Parties.
22.10 Entire Agreement. This Agreement and any SOW constitute the entire
understanding between the Parties, and supersede all prior agreements and
negotiations, whether oral or written. There are no other agreements between the
Parties, except as set forth in this Agreement or any SOW. No supplement,
modification, waiver, or termination of this Agreement shall be binding unless in
writing and executed by the Parties to this Agreement. In the event of any conflict or
inconsistency between the terms of the Agreement and the terms of any SOW, the terms
of this Agreement will govern and control in all respects. The Client acknowledges and
understands that the statements and representations that are included in any proposal,
provided by HALOCK, are not incorporated into this Agreement as legally binding
terms and obligations of HALOCK.
22.11 Survival. Termination or expiration of this Agreement for any reason shall not
release either Party from any liabilities which, by their nature, are applicable following
any such termination or expiration.
22.12 Headings. The inclusion of headings in this Agreement is for convenience of
reference only and shall not affect the construction or interpretation hereof.
22.13 Counterparts, Facsimile and Electronic Signatures. This Agreement may be
executed in as many counterparts as may be deemed necessary and convenient, and by
the different Parties hereto on separate counterparts, each of which when so executed
shall be deemed an original, but all such counterparts shall constitute one and the same
instrument. Delivery of an executed counterpart of a signature page to this Agreement
via any electronic means shall be effective as delivery of a manually executed
counterpart to this Agreement.
22.14 Severability. If any provision of this Agreement is held invalid, illegal or
unenforceable, the validity, legality and enforceability of the remaining provisions will
not in any way be affected or impaired.
23.0 Attorney — Client Privilege. Client further understands that any
communications that involve an attorney who is providing legal advice are
communications that are protected by the Attorney-Client Privilege and/or work
product doctrine. Client agrees that any communications between HALOCK and an
attorney for the Client are considered privileged and subject to the protection of the
attorney-client privilege so long as the communications are for the purpose of
providing the Client with legal advice. Client acknowledges and understands that the
privilege can be waived if protected information is disclosed to third parties. Finally,
Client acknowledges that it is ultimately up to a court of competent jurisdiction to
determine the full nature and extent of any protection that is afforded by the attorney-
client privilege.
Approval and Acknowledgment. The Parties acknowledge that they have thoroughly
read this Agreement, understand it, and agree to be bound by its terms and further
agree that it is the complete and exclusive statement of the Agreement between the
Parties, which supersedes all proposals, oral or written, and all communications
between the Parties relating to the subject matter of this Agreement. HALOCK and
Client further acknowledge that they have each had the opportunity to review this
Agreement with an attorney of their respective choice, and have each agreed to all of its
terms. Under these circumstances, HALOCK and Client agree that the rule of
construction that a contract be construed against the drafter shall not be applied in
interpreting this Agreement and that in the event of any ambiguity in any of the terms
or conditions of this Agreement, including any exhibits, schedules or attachments
hereto, such ambiguity shall not be construed for or against any Party hereto on the
basis that such Party did or did not author same.
For: Village of Oak Brook
Signed:
Printed:
Title:
Date:

For: HALOCK Security Labs
Signed:
Printed: Terry Kurzynski
Title: Senior Partner
Date:
HALOCK RATE SHEET 2022
Effective Date: January 1, 2022
RATES. A separate SOW, quotation or proposal may be supplied for details of fees and
payment terms. For projects in the absence of any other mutually agreed upon fee structure,
this Rate Sheet contains a list of applicable rates. HALOCK reserves the right to adjust fees at
its sole discretion and publish on an annual basis.
APPLICABLE RATES
Resource Classification Hourly Rate
Security Engineer $350
Governance Risk Consultant (GRC) $350
Managing Consultant $350
Principal $350
Partner $400
Incident Response/Forensics $390
Litigation Support $400
Trial/Deposition $450
PROPOSAL FOR SECURITY SERVICES
Security Assessment with Optional Configuration
Reviews and Attack Path Modeling
Presented To
Village of Oak Brook
On April 7, 2022
HALOCK
1834 Walden Office Square, Suite 200
Schaumburg, IL 60173
847.221.0200
www.halock.com
Terry Kurzynski
CISSP, CISH, QSA, ISO 27001 Auditor
847.221.0212
terryk@halock.com
Village of Oak Brook—CONFIDENTIAL Proposal—Security Assessment with Optional Configuration Reviews and Attack Path Modeling
This page intentionally left blank
HALOCK Security Labs Page 2 of 19
Table of Contents
Executive Summary ..... 4
  Project Background ..... 4
High-Level Project Approach, Deliverables, and Duration ..... 5
  Project Approach ..... 5
  Activities ..... 5
  Deliverables ..... 6
  Duration ..... 6
Scope of Work ..... 7
Financial Investment ..... 9
  Fees ..... 9
  Payment ..... 9
Terms & Conditions ..... 10
  Planning ..... 10
  Delays ..... 10
  Travel and Expenses ..... 10
Acceptance ..... 11
Appendix A: Report Sample ..... 12
Appendix B: Details of Attack Path Modeling ..... 16
EXECUTIVE SUMMARY
PROJECT BACKGROUND
The Village of Oak Brook has requested that HALOCK Security Labs ("HALOCK") perform a security
assessment that helps them understand their preparedness against the most common cyber-attacks in
their industry and provides them a set of recommended safeguards for efficiently preventing those
attacks. The scope of the security assessment will include the following:
• Interactive, interview-based security controls review based upon the CIS Controls Version 8 ("CIS
Controls").
• (If selected) Configuration "as deployed" reviews of in-place security controls.
• (If selected) Evaluation of common technical attack paths using HALOCK's Industry Threat Index
("HIT Index").
• Formalized report of findings; comprehensive, prioritized recommendations to help Village of Oak
Brook enhance its organizational security posture.
ABOUT HALOCK SECURITY LABS
HALOCK has built a reputation for excellence with our clients and the entire information security
community since 1996. HALOCK's Purpose-Driven philosophy ensures security programs are customized
for each client and their distinctive business requirements. Services include:
• Governance and Compliance — Conduct risk assessments, vendor risk management, policy
development, information security management systems, PCI compliance services, HIPAA
Compliance, ISO 27001, security awareness training, and other CISO Advisory Services.
• Penetration Testing — Conducts network penetration tests, web application penetration tests,
wireless penetration testing, and social engineering assessments.
• Incident Response and Forensics — Provides Incident Response Readiness, Incident Response,
Forensic Examination, and Crisis Management services.
• Product Solutions and Engineering — Resell and implement security solutions as well as security
deployment and configuration services.
This proposal is subject to the Security Services Agreement between HALOCK and Village of Oak Brook.
HIGH-LEVEL PROJECT APPROACH, DELIVERABLES, AND DURATION
PROJECT APPROACH
The goal of an Attack Path Security Assessment is to model the most common threats against Village of
Oak Brook's information assets. The assessment will evaluate and validate how Village of Oak Brook
implements and operates recognized security controls to protect their information assets. HALOCK will
model a set of infiltration scenarios that will describe how attackers would operate within Village of Oak
Brook's network. This process will include interviews with Village of Oak Brook personnel, review of
documentation, along with a set of configuration security assessment activities.
ACTIVITIES
Security Assessment with Optional Configuration Reviews and Attack Path Modeling
Typically, four to six business weeks are required to complete the security assessment. Note that several
factors can impact the specific timeline and schedule of this project, including availability of Village of Oak
Brook resources, timely return of information, configuration and data requests, the date this proposal is
executed, and other considerations. Specific dates associated with the execution of the security
assessment will be confirmed by both Village of Oak Brook and HALOCK during the planning session as
noted below.
• Initiation: HALOCK's resource coordinator will contact the Village of Oak Brook sponsor to
acknowledge receipt of an executed proposal and initiate the security assessment engagement.
A kick-off meeting will be arranged with the Village of Oak Brook sponsor, the HALOCK project
manager, and other stakeholders and project participants as identified by Village of Oak Brook.
• Interviews: HALOCK will conduct interview sessions that typically span a period of 1 to 2 days to
discover and document tools, processes, and technical security controls that have been instituted
within Village of Oak Brook's infrastructure and overarching business operations.
• Documentation and Recent Assessments: HALOCK will review appropriate documentation that
describes Village of Oak Brook's technical environment. Documents may include network
diagrams, hardening standards, as well as recent findings from vulnerability scans, penetration
tests, and security audits.
• (Optional) Configuration reviews: HALOCK will perform automated and manual analyses of all
provided configuration files and will evaluate compiled configurations against industry best
practices and standards.
• (Optional) Attack Path Models: HALOCK will work with Village of Oak Brook personnel to model
expected actions that attackers would take to compromise Village of Oak Brook's information
assets.
• (Optional) Attack Path Recommendations: HALOCK will recommend a set of safeguards that can
most efficiently block the modeled attack paths.
• Analysis and Reporting: Based upon interviews, compiled information, documentation, and
provided configurations, HALOCK will document identified findings and corresponding
recommendations.
• Report Delivery and Review: HALOCK will deliver a complete report to Village of Oak Brook and
schedule a session to review the report.
• Project/Phase Closure: Following the application of required revisions, the draft report will be
transitioned to a final official release report and submitted accordingly to Village of Oak Brook.
DELIVERABLES
At the conclusion of the project HALOCK will provide the following deliverables:
Security Assessment
• A report describing the maturity of Village of Oak Brook technical security controls that currently
protect their information assets. An example of a section of the Assessment report can be
viewed in Appendix A.
Optional add-on of up to five (5) configuration reviews of customer's choice
• Results of the technical configuration reviews will be documented in the main security
assessment report. A detailed explanation of Attack Path Modeling can be found in Appendix B.
Optional add-on of five (5) attack path models based on customer's industry
• A listing of the most common causes of reported security incidents in the applicable industry.
• Attack Path Models that describe how threat-actors are likely to infiltrate and exploit Village of
Oak Brook information assets.
• Attack Path Recommendations that describe the most efficient safeguards ("choke points") that
would effectively prevent those attack paths from succeeding.
DURATION
A typical assessment will require 4-5 business weeks to deliver the draft report. Depending on the
components selected, the types of configurations included for analysis, and the number of attack path
models desired, the duration can be longer.
SCOPE OF WORK
Additional specifics regarding the scope of work involved in performing the security assessment are
presented below:
Security Assessment
• CIS Controls-based interviews and security posture analysis.
Optional add-on of up to five (5) configuration reviews of customer's choice
• Technical configuration reviews of up to five (5) configurations as chosen by Village of Oak
Brook. Example targets for configurations may be, but are not limited to, firewall, domain
controller security policy, operating systems, log management, wireless access control, switch,
router, etc.
Optional add-on of five (5) attack path models based on customer's industry
• Attack path modeling of up to five (5) scenarios based on the most common attack methods
within Village of Oak Brook's industry, based on HALOCK's Industry Threat Index.
REPORT DELIVERABLE TO INCLUDE:
Security Assessment
• A report describing the maturity of Village of Oak Brook technical security controls that currently
protect their information assets.
Optional add-on of up to five (5) configuration reviews of customer's choice
• Results of the technical configuration reviews will be documented in the main security
assessment report.
Optional add-on of five (5) attack path models based on customer's industry
• A listing of the most common causes of reported security incidents in their peer industry.
• Attack Path Models that describe how threat-actors are likely to infiltrate and exploit Village of
Oak Brook information assets.
• Attack Path Recommendations that describe the most efficient safeguards ("choke points") that
would effectively prevent those attack paths from succeeding.
Performing this security assessment will explicitly not consist of the following:
• Remediation of any of the perceived deficiencies identified and documented in the report
deliverable.
• Certifying to any standard, regulation, or contractual obligation.
• PCI (or similar) compliance, remediation, or validation efforts.
• Any other activities not directly related to the activities and deliverables detailed in this proposal.
Additional efforts/scope of work requested by Village of Oak Brook that are not included in the scope
of services contained in this proposal will be discussed, estimated, and authorized by Village of Oak
Brook before proceeding.
FINANCIAL INVESTMENT
FEES
HALOCK will perform the security assessment for a fixed fee, including all tool costs:
Effort/Description Fixed Fee
Security Assessment (CIS Controls Review, interview-based) $12,500
Optional add-on of up to five (5) configuration reviews of customer's choice +$5,000
Optional add-on of five (5) attack path models based on customer's industry +$5,000
Total for all components $22,500
PAYMENT
Fees for each of the components will be paid according to the following payment schedule:
Milestone/Date %Fees
1 Due to initiate Security Assessment with chosen components 50%
2 Due upon issuance of Security Assessment with chosen components draft report 50%
Payments are due net 30 days.
TERMS & CONDITIONS
PLANNING
Acceptance of this proposal indicates that Village of Oak Brook agrees to adhere to the following:
• Abide by task-specific terms as defined in the High-Level Project Approach, Deliverables, and
Duration section of this proposal.
• Promptly provide the necessary network diagrams, network device configurations, and requested
information to equip HALOCK with what is required to complete the security assessment within
the prescribed schedule.
• Ensure the personnel, site, and components within the scope of the activities detailed in the
proposal are ready and available during the agreed upon dates. Any individuals, sites, systems, or
scope components not available during scheduled windows will be removed from the scope of
the security assessment.
DELAYS
Following acceptance of this proposal, a kick-off meeting will be conducted. Among the topics to be
discussed during the kick-off meeting will be the schedule within which the security assessment will be
performed; the delivery schedule will be confirmed and documented accordingly. Should Village of Oak
Brook require an activity to be rescheduled due to unforeseen events, they may do so without penalty
provided a 14-day notice is given. Requests to reschedule efforts with less than a 14-day notice will be
rescheduled or cancelled at the sole discretion of HALOCK, based on existing commitments and
availability. Requests by Village of Oak Brook to postpone or otherwise delay an effort without the
required notice will be considered a cancellation without notice of that effort.
TRAVEL AND EXPENSES
Travel expenses are not anticipated to be incurred by HALOCK in support of delivering the security
assessment. However, should travel expenses become necessary, prior written approval will be obtained
from Village of Oak Brook before any expenses will be incurred.
ACCEPTANCE
Acceptance of Proposal for Professional Services
Security Assessment with optional Configuration Reviews and Attack Path Modeling
Presented to Village of Oak Brook
April 7th, 2022
If you agree to the information presented in the proposal and wish to proceed, please sign and return to
Nancy Sykora at nsvkora@halock.com. We look forward to the engagement.
[ ] (ALL) Security Assessment with all options ($22,500)
[ ] Security Assessment Interview Only ($12,500)
[ ] Optional Add-On: Five (5) Configuration Reviews ($5,000)
[ ] Optional Add-On: Five (5) Attack Path Models ($5,000)
Village of Oak Brook acceptance:
Signed:
Printed:
Title:
Date:
All invoices will be addressed to:
Village of Oak Brook
Attention:
Address:
HALOCK Security Labs agrees to honor this proposal for 60 days. Upon execution, Village of Oak Brook
hereby commits to initiate this project within 90 days.
HALOCK acceptance:
Signed:
Printed:Terry Kurzynski
Title: Partner, HALOCK Security Labs
Date: 04/07/2022
APPENDIX A- REPORT SAMPLE
The following is an excerpt from a Security Assessment Review report. Note that findings are unique to
each engagement.
CIS Controls Summary
The objective of the CIS Controls is to protect critical assets, infrastructure, and information by assessing
and potentially strengthening security posture. Continuous automated protection and monitoring of
sensitive IT infrastructure will reduce the likelihood of compromises, minimize the need for recovery
efforts, and will lower associated costs.
The current state of infrastructure was evaluated against each listed CIS security control and given a
corresponding maturity. The Maturity Rating is a numeric ranking of the assessed maturity of the existing
control against the critical control HALOCK encountered and evaluated while the security assessment
effort was conducted.
1. Initial / Informal — Process is unpredictable, poorly controlled, and reactive. The process is
typically managed in an ad-hoc fashion, producing inconsistent results.
2. Documented / Managed — Basic process is identified and is generally repeatable but not
standardized. Work groups often handle workload as a secondary, lower priority duty.
3. Defined / Integrated — Process is clearly defined and standardized across the organization.
Process is proactive and sufficiently and effectively aligned with business objectives.
4. Strategic / Quantitatively Managed — Process is measured and controlled at the organizational
level. Employee compliance is often mandated, and process data is used to aid decision
making.
5. Optimized — Process is measured and controlled, and adjustments are made to increase program
performance and effectiveness. Focus is on process improvement and program growth and
success.
The Detailed Findings column references the section of the report that contains further information on
the current state and associated risk rating.
Table 1 ("CIS Controls Evaluation Dashboard") summarizes the current state of network architecture and
infrastructure as measured against the CIS Critical Controls. Each security control included in Table 1 is
arranged from the most critical control (beginning at the top of the table) to the least critical control.
CIS Controls V8                                          Maturity Rating   Detailed Findings
Inventory and Control of Enterprise Assets               2                 L1
Inventory and Control of Software Assets                 1                 M1
Data Protection                                          1                 L3
Secure Configuration of Enterprise Assets and Software   1                 M2
Account Management                                       1                 L2
Access Control Management                                1                 H1
Continuous Vulnerability Management                      2                 H2
Audit Log Management                                     2
Email and Web Browser Protections                        2
Malware Defenses                                         5                 L4
Data Recovery                                            1                 L5
Network Infrastructure Management                        3                 M4
Network Monitoring and Defense                           2                 M5
Security Awareness and Skills Training                   2                 L6
Service Provider Management                              1                 H3
Application Software Security                            1                 M6
Incident Response Management                             1                 H4
Penetration Testing                                      1                 M7
Table 1 - CIS Controls Evaluation Dashboard
Findings from technical configuration reviews are also added to the table above and would receive a
High, Medium, or Low designation but no Maturity score, as technical configurations tend to be more
binary (on or off).
H2 — CSC#7 - Continuous Vulnerability Assessment and Remediation
Description
CIS CSC#3: Continuously acquire, assess, and act on new information to identify vulnerabilities, remediate,
and minimize the window of opportunity for attackers.
Cyber defenders must operate in a constant stream of new information: software updates, patches,
security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a
continuous activity, requiring significant time, attention, and resources.
Attackers have access to the same information and can take advantage of gaps between the appearance
of new knowledge and remediation. For example, when new vulnerabilities are reported by researchers,
a race starts among all parties, including: attackers (to "weaponize", deploy an attack, exploit); vendors
(to develop, deploy patches or signatures and updates), and defenders (to assess risk, regression-test
patches, install).
Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a
significant likelihood of having their computer systems compromised. Defenders face challenges in scaling
remediation across an entire enterprise and in prioritizing actions among conflicting priorities and
sometimes uncertain side effects.
Findings
• For locations with local assets and cloud assets managed by the customer, there is no formal
documented process to perform vulnerability scanning. The cloud providers utilized (such as
GSuite and NetSuite) are assumed to be performing their own internal scanning of assets, but
this should be verified.
• Windows update is utilized where possible for patching of endpoints automatically in location 1
and location 2.
• Vendor controls all patching on a bi-weekly schedule through Kaseya. This process is part of the
vendor checklist of activities performed on a recurring basis. Patching status and vulnerability
remediation is tracked through Kaseya.
• Location 2 and Location 3 push application patches (non-OS related) through Meraki. These are
done on an ad-hoc basis; there is no formalized or documented process.
Recommendation
• Implement a formally documented vulnerability management program for all locations. While
the approaches for identifying and managing vulnerabilities may vary depending on location of
assets and access to the infrastructure, all scanning results should be consolidated into one
tracking mechanism for easy determination of vulnerabilities and patching deficiencies.
• Request periodic evidence of scanning and remediation for SaaS based providers.
• For location 1 and location 2, formalize the process for patching on a schedule. Document and
track remediation progress.
• When executing vulnerability scans, these best practices should be followed:
o Correlate event logs with information from vulnerability scans to verify that the activity
of the regular vulnerability scanning tools is itself logged.
o Perform vulnerability scanning in authenticated mode either with agents running locally
on each end system to analyze the security configuration or with remote scanners that
are given administrative rights on the system being tested.
o Use a dedicated account for authenticated vulnerability scans, which should not be used
for any other administrative activities and should be tied to specific machines at specific
IP addresses.
o Ensure that the vulnerability scanning tools you use are regularly updated with all relevant
important security vulnerabilities.
o Establish a process to risk-rate vulnerabilities based on the exploitability and potential
impact of the vulnerability, and segmented by appropriate groups of assets (example,
DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest
vulnerabilities first. A phased rollout can be used to minimize the impact to the
organization. Establish expected patching timelines based on the risk rating level.
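The consolidation and risk-rating recommendations above, as an added example that is not HALOCK's or the Village's own tooling: scan and patch records from several locations and tools are merged into one tracker, risk-rated from exploitability and impact, segmented by asset group, ordered riskiest first and given a patching deadline by risk level. The tool names, hosts, vulnerability identifiers, scoring bands, DMZ weighting and timelines are all constructed assumptions.

```python
"""Consolidated vulnerability tracker (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed patching timelines (days after first discovery) per risk level.
PATCH_TIMELINE_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}

# Assumed reference date for summary(); a live tracker would use date.today().
TODAY = date(2022, 4, 10)


@dataclass(frozen=True)
class Finding:
    source: str          # tool/location the record came from (constructed)
    host: str
    asset_group: str     # "dmz", "internal", "desktop" or "laptop"
    vuln_id: str         # constructed identifier, not a real CVE
    exploitability: int  # 1 (theoretical) .. 5 (exploited in the wild)
    impact: int          # 1 (minor) .. 5 (full compromise)
    found_on: date


def risk_score(f: Finding) -> int:
    """Exploitability x impact (1..25), plus an assumed +5 for internet-facing DMZ assets."""
    return f.exploitability * f.impact + (5 if f.asset_group == "dmz" else 0)


def risk_level(score: int) -> str:
    """Assumed banding of the numeric score into four risk levels."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def due_date(f: Finding) -> date:
    """Patching deadline derived from the risk level, counted from first discovery."""
    return f.found_on + timedelta(days=PATCH_TIMELINE_DAYS[risk_level(risk_score(f))])


def consolidate(*feeds):
    """Merge feeds from different tools and locations into one list.

    Records are de-duplicated on (host, vuln_id); the earliest discovery date
    wins, so the remediation clock does not restart when a second tool re-finds it.
    """
    merged = {}
    for feed in feeds:
        for f in feed:
            key = (f.host.lower(), f.vuln_id)
            if key not in merged or f.found_on < merged[key].found_on:
                merged[key] = f
    return list(merged.values())


def prioritize(findings):
    """Riskiest first; ties broken by age (oldest first), then asset group."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.found_on, f.asset_group))


def overdue(findings, today):
    """Findings whose deadline has passed without remediation."""
    return [f for f in findings if due_date(f) < today]


# Constructed feeds: a Kaseya export (location 1), Meraki (locations 2 and 3) and a
# Windows Update report (location 2) that re-reports one of the Kaseya findings.
KASEYA = [
    Finding("kaseya/location1", "srv-dc01", "internal", "VULN-0001", 5, 5, date(2022, 4, 1)),
    Finding("kaseya/location1", "ws-0042", "desktop", "VULN-0002", 3, 2, date(2022, 4, 1)),
]
MERAKI = [
    Finding("meraki/location2", "lt-0007", "laptop", "VULN-0002", 3, 2, date(2022, 3, 20)),
    Finding("meraki/location3", "srv-web01", "dmz", "VULN-0003", 3, 4, date(2022, 4, 1)),
]
WINUPDATE = [
    Finding("winupdate/location2", "ws-0042", "desktop", "VULN-0002", 3, 2, date(2022, 3, 1)),
]


def summary(today=TODAY):
    """One view across all locations: patch order and what has slipped its deadline."""
    tracked = consolidate(KASEYA, MERAKI, WINUPDATE)
    return {
        "tracked": len(tracked),
        "order": [(f.host, risk_level(risk_score(f)), due_date(f).isoformat())
                  for f in prioritize(tracked)],
        "overdue": sorted(f.host for f in overdue(tracked, today)),
    }


if __name__ == "__main__":
    report = summary()
    for host, level, due in report["order"]:
        print(f"{host:10s} {level:8s} due {due}")
    print("overdue:", report["overdue"])
```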
References
Source: CIS Critical Controls for Effective Cyber Defense
Link: www.cisecurity.org/controls/
APPENDIX B— DETAILS OF ATTACK PATH MODELING
The purpose of attack path modeling is to identify threat scenarios relevant to an organization and
determine if the security controls available can identify, protect, detect, respond, and recover throughout
the attack stages. While there are numerous attack models that may be utilized, CIS has chosen to use
the Cyber Kill Chain® attack stages as defined by Lockheed Martin as part of the attack path analysis.
These are from the perspective of an attacker and the typical activities that would be executed by the
attacker to achieve an objective.
The Cyber Kill Chain attack stages
1. Initial Recon — The activity of identifying and harvesting information about the environment to
complete an objective.
2. Weaponization/Establish Foothold and Delivery — The activities associated with acquiring and
developing tools to help achieve the attacker's mission and the deployment of the utilities to
launch the operation. Examples are malware, targeted phishing, and custom scripts.
3. Exploitation/Initial Compromise/Privilege escalation — This is the initial compromise of a
software, hardware, or human vulnerability and typically involves obtaining escalated privileges
to the target infrastructure.
4. Internal Recon/Lateral Movement/Establish Persistence — These are the activities of the
implementation of a function to maintain access into an environment over time. This activity
typically involves opening a command channel to remotely receive and execute actions from the
adversary.
5. Execute/Complete Mission — This is the completion of the goal. Examples of potential goals are
system unavailability for ransom, collecting user credentials, collecting and exfiltrating data, or
affecting the integrity of the data. Figure 4 is a graphical representation of the Lockheed Martin
Cyber Kill Chain.
[Figure 4: diagram of the kill chain stages Initial Compromise, Establish Foothold, Escalate
Privileges, Internal Recon and Complete Mission, with example attacker activities at each stage
(such as phishing, credential theft, command and control, lateral movement and data theft) and,
beneath them, the evidence of compromise each stage leaves behind.]
Figure 4 - The Lockheed Martin Cyber Kill Chain
CIS has modified the Lockheed Martin Cyber Kill Chain and mapped the CIS Critical Security Controls that
an organization is recommended to have in place to identify, protect, detect, respond, and recover at each
attack stage. HALOCK will collaboratively model the likelihood of each attack stage based on Village of
Oak Brook's controls, and the commonality of those attacks in breached peer organizations. The attack
path models will be based on the Community Attack Model provided by the CIS and HALOCK's Industry
Threat Index (HIT Index). The CIS controls mapping is provided in Figure 5.
[Figure 5: matrix of the CIS Controls (V7.0) functional phases Identify, Protect, Detect, Respond
and Recover against the attack stages Initial Recon, Acquire/Develop Tools, Delivery, Initial
Compromise, Misuse/Escalate Privilege, Internal Recon, Lateral Movement, Establish Persistence and
Execute Mission Objectives, with the CSC numbers applicable to each cell.]
Figure 5 - Mapped CIS controls to the CIS Attack Path
Using the HIT Index as the basis of determining likely attack paths, HALOCK will work with Village of Oak
Brook to develop attack path models to help model risks of common cybersecurity breaches. These
models will be used to identify the expected lifecycle of cyber breach attacks that would cause specific
harm, such as loss of functioning systems and applications, exposure of confidential information,
corruption of critical information, or unauthorized control of systems. This will result in a set of "kill chain"
scenarios to help prioritize investments in corrective safeguards.
HALOCK's HIT Index aggregates information about breaches both on the public record and from HALOCK's
in-field work specific to the appropriate industry. The HIT Index analyzes breaches to understand their
causes, the environments in which these threats successfully cause breaches, and to understand the
controls that would prevent or detect those threats. The HIT Index provides HALOCK with the ability to
estimate the likelihood of foreseeable threats for each organization type or industry, and to recommend
controls that align with those most likely threats.
Reported Security Incidents - Industrial Group 'X'
[Figure 6: chart of reported security incidents by threat cluster for the sample industry group.]
FTI's Threat Surface Map displays the commonality of Threat Clusters that cause breaches in each
industry. Detailed threat methods within each cluster help HALOCK determine the resiliency of
controls against known attacks.
Figure 6 - HALOCK's Industry Threat Index (HIT Index) Sample
Once the Village of Oak Brook in-place controls are evaluated and the attack path scenarios have been
defined,the final step is to evaluate the effectiveness of the in-place controls in disrupting the attack path
for each scenario. To achieve this, Village of Oak Brook's controls will be analyzed and provided an initial
effectiveness rating to help determine if a control or a set of controls at each functional phase would be
effective against the type of attack in a scenario. The functional phases as defined by CIS are Identify,
Protect, Detect, Respond, and Recover. What HALOCK is providing within the attack path modeling
scenarios are high level assessments based on the evaluation of the customer security controls and
HALOCK's knowledge of how the attack typically works from our forensic investigative experience. This
analysis will not constitute a full risk analysis, as described in security frameworks and methods, such
as NIST 800-30, CIS RAM, ISO 27005, or others.
Effective: The present controls are assessed to be typically effective for the attack path scenario
evaluated. It would be difficult for the attack path method to bypass the in-place controls or
impact their functionality.
Somewhat Effective: The present controls are somewhat effective for the attack path scenario
evaluated. An attack with the correct conditions could circumvent the in-place controls or impact
the functionality of a control.
Not Effective: The present controls would not be effective at the functional phase for the attack
path scenario being evaluated. Either the controls would not prevent, or would be impacted by, the
attack path scenario evaluated.
Not Applicable: The attack stage does not apply to the attack path scenario under evaluation.
Figure 7 - Effectiveness criteria
The analysis will result in a mapping of the effectiveness of the in-place controls for a specific
attack path. In the example provided for the "Hacking System - Ransomware" attack path, notice that
the controls in place in this sample scenario have been analyzed to be somewhat effective at preventing
the delivery of Ransomware to endpoints. However, if an infection of an endpoint does occur, the current
controls in place would not be effective in protecting against and detecting privilege escalation, internal
recon, and lateral movement activities.
[Figure 8: the Figure 5 matrix applied to the Hacking System Ransomware attack path, with each cell
rated Effective, Somewhat Effective, Not Effective or Not Applicable.]
Figure 8 - Hacking System Ransomware Attack Path
HALOCK will provide analysis at each stage of the attack where applicable and recommendations to
improve the effectiveness of the controls.
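The stage-by-stage effectiveness mapping described in this appendix, as an added example that is not HALOCK's model or code: given a scenario's attack stages, a mapping of CIS controls to each stage and functional phase, and the rating each control received, it derives the per-stage ratings of a Figure 8 style table, the first stage at which the path is disrupted, and the stages left as open gaps. The stage-to-control mapping is a constructed subset rather than the page's Figure 5, the control ratings are constructed, and the roll-up rule (a phase is as strong as its best-rated mapped control) is an assumption.

```python
"""Attack path effectiveness roll-up (added example; constructed mapping and ratings)."""
from enum import IntEnum


class Rating(IntEnum):
    """Figure 7 effectiveness criteria, ordered so max() picks the strongest."""
    NOT_APPLICABLE = 0      # no control of this phase maps to the stage
    NOT_EFFECTIVE = 1
    SOMEWHAT_EFFECTIVE = 2
    EFFECTIVE = 3


PHASES = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed mapping: attack stage -> functional phase -> CIS control numbers (V7.0).
# A real engagement uses the full CIS attack model mapping, not this subset.
STAGE_CONTROLS = {
    "Initial Recon": {"Identify": [3], "Protect": [3, 9, 12]},
    "Delivery": {"Protect": [7, 8, 12], "Detect": [6, 8]},
    "Initial Compromise": {"Protect": [5, 7, 8, 11], "Detect": [6, 8]},
    "Misuse/Escalate Privilege": {"Protect": [4, 5, 14], "Detect": [4, 6, 16]},
    "Internal Recon": {"Protect": [9, 12], "Detect": [6, 12]},
    "Lateral Movement": {"Protect": [4, 5, 11, 14], "Detect": [6, 12, 16]},
    "Execute Mission Objectives": {"Protect": [13], "Detect": [6],
                                   "Respond": [19], "Recover": [10]},
}


def phase_rating(controls, control_ratings):
    """Assumed roll-up: a phase is as strong as its best-rated mapped control.

    A control that was never assessed counts as Not Effective, never as a pass.
    """
    if not controls:
        return Rating.NOT_APPLICABLE
    return max(control_ratings.get(c, Rating.NOT_EFFECTIVE) for c in controls)


def model_attack_path(stages, control_ratings):
    """Rating per stage and phase, kept in attack order."""
    return {
        stage: {phase: phase_rating(STAGE_CONTROLS.get(stage, {}).get(phase, []),
                                    control_ratings)
                for phase in PHASES}
        for stage in stages
    }


def choke_point(path):
    """First stage where a Protect or Detect control is rated Effective, else None."""
    for stage, phases in path.items():
        if max(phases["Protect"], phases["Detect"]) == Rating.EFFECTIVE:
            return stage
    return None


def gaps(path):
    """Stages where no phase rates above Not Effective: where safeguards are needed first."""
    return [s for s, p in path.items() if max(p.values()) <= Rating.NOT_EFFECTIVE]


# Constructed ratings for a ransomware scenario resembling the narrative above: email/web
# and malware controls somewhat effective, privilege, account and segmentation controls
# absent, backups solid.
SAMPLE_RATINGS = {
    3: Rating.SOMEWHAT_EFFECTIVE, 7: Rating.SOMEWHAT_EFFECTIVE, 8: Rating.SOMEWHAT_EFFECTIVE,
    19: Rating.SOMEWHAT_EFFECTIVE, 10: Rating.EFFECTIVE,
    4: Rating.NOT_EFFECTIVE, 5: Rating.NOT_EFFECTIVE, 6: Rating.NOT_EFFECTIVE,
    9: Rating.NOT_EFFECTIVE, 11: Rating.NOT_EFFECTIVE, 12: Rating.NOT_EFFECTIVE,
    13: Rating.NOT_EFFECTIVE, 14: Rating.NOT_EFFECTIVE, 16: Rating.NOT_EFFECTIVE,
}
RANSOMWARE_PATH = model_attack_path(list(STAGE_CONTROLS), SAMPLE_RATINGS)


if __name__ == "__main__":
    for stage, phases in RANSOMWARE_PATH.items():
        cells = " ".join(f"{p[:3]}={r.name}" for p, r in phases.items())
        print(f"{stage:28s} {cells}")
    print("choke point:", choke_point(RANSOMWARE_PATH))
    print("gaps:", gaps(RANSOMWARE_PATH))
```

Re-running the model with one control re-rated (for example Controlled Use of Administrative Privileges rated Effective) shows which stage would become the choke point, which is how candidate safeguards can be compared before investing.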