Managed FTC Safeguards Cybersecurity Compliance Service with SOC


This Consultant Agreement and Statement of Work (collectively the "Agreement" and individually the "Consultant Agreement" and the "SOW"), dated as shown on the signature block of the Consultant Agreement, is made and entered into by and between BLACK BREACH, LLC (the "Consultant"), and the Client identified on the SOW (collectively, the "Parties"), and shall be effective on the date fully executed by Client and Consultant (the "Effective Date").

All references herein to Consultant include all Principals, Employees, Consultants, and Contractors.

RECITALS

WHEREAS, this Agreement is governed by and subject to the terms and conditions of the Master Service Agreement entered into between Client and Consultant. In the event of any conflict between the terms and conditions of this Agreement and the Master Service Agreement, the terms and conditions of this Agreement shall prevail.

WHEREAS, the Parties agree that the services to be provided under this Agreement shall be governed by the provisions set forth in the Master Service Agreement, and the Parties further acknowledge and agree that any additional terms, conditions, or statements of work relating to specific services shall be incorporated as exhibits to the Master Service Agreement.

NOW, THEREFORE, in consideration of the promises, mutual covenants, and agreements set forth herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereto agree as follows:

SCOPE OF SERVICES. 

The Consultant shall provide managed FTC Safeguards Cybersecurity Compliance service. 

1. Phishing Protection

The Consultant will perform simulated phishing attacks periodically throughout the term of this Agreement to train and educate employees to identify such attacks. The Consultant will provide a training module for employees to educate them on how to combat phishing attacks.

2. Oversee Service Providers (Vendors)

The Consultant will provide a policy governing vendor cybersecurity responsibilities under the FTC Safeguards Rule. The policy will cover the critical safeguarding areas to be addressed in vendor contracts to ensure the protection of customer data. The Consultant will periodically assess the Client's service providers and the adequacy of their cybersecurity safeguards, and will classify service providers.

3. Risk Assessments and Safeguards Implementation Oversight

The Consultant will conduct an initial risk assessment of the Client's assets, vulnerabilities, and threats. Following the initial risk assessment, the Consultant will conduct annual risk assessments to evaluate the Client's security environment and protect the Client's customer data. Each risk assessment will be written and provided to the Client's senior official. The risk assessment will evaluate the following:

a. Periodic review of data

b. Encryption practices

c. Asset inventories and data flows

d. Multi-factor authentication (MFA) practices

e. Data destruction practices

f. Change management practices

4. Incident Response Plan

The Consultant will create an incident response plan that meets the requirements of the FTC Safeguards Rule. The incident response plan will cover the appropriate handling of a security event, breach, or cyber-attack, and will address the following:

a. Preparation: Determine the goal of the response plan. 

b. Identification: Determine whether an event is a security incident. Identify who the decision-makers are, their responsibilities, and their levels of decision-making authority.

c. Containment: Stopping the incident from spreading and doing more damage.

d. Eradication: Determine the proper way to eliminate the root cause of the security incident.

e. Communication: Determine the appropriate internal and external communication and information-sharing channels. Identify procedures for documenting and reporting security events.

f. Recovery: Restoring affected systems to normal operation.

g. Lessons Learned: Discuss the response and identify any weaknesses in the Client's systems and controls needing revision and updating.

5. Security Awareness Staff Training

The Consultant will provide cybersecurity awareness training to educate the Client's workforce. This training teaches employees to identify and repel cybersecurity threats, protect the Client's sensitive data and intellectual property, and shield the Client's information systems from theft and damage.

All Consultant training or eLearning courses are engineered to engage and improve learning outcomes and include the following:

a. Animations: designed to visually engage Client learners in a captivating way

b. Dynamic Quizzing: designed to quickly and accurately assess learner progression

c. Unique Testing: designed with randomizing questions and answer order, instant grading feedback, and metrics available for leadership

d. Concise Training: designed to hold learner attention with short, interactive platforms

e. All training is Section 508 Compliant under the Rehabilitation Act of 1973

f. The Consultant will provide completion certificates for each course under this curriculum

g. The Consultant will provide and manage the training portal and all learner enrollment directions to the Client

6. Vulnerability Scanning

The Consultant will use agents deployed across the Client's network to scan for security vulnerabilities. The Consultant will run system-wide scans a minimum of once every six months.

7. Managed Detection and Response (MDR) Monthly Monitoring

The Consultant will provide endpoint protection agents across the Client's network. The Consultant will cover all licensing and fees for the monitoring agents installed. The Consultant will capture real-time threat alerts, including accelerated triage and root cause analysis with incident insights aligned to the MITRE ATT&CK framework.

a. Mitigation: Easy-to-configure policies that kill the process, quarantine or delete malicious binaries and all associated remnants, and remove the endpoint from the network.

b. Immunization: Mitigated attack details are immediately shared with other endpoints within the network, immunizing those systems that might be part of a coordinated attack.

c. Remediation: Automatically restore deleted or modified files to their pre-attack state.

d. Forensics: The Consultant provides a 360-degree view of the attack, including file information, path, machine name, IP address, domain, and more.

e. Anti-virus Replacement: The Client may replace its current anti-virus product. The built-in anti-virus solution is certified by AV-TEST, a leading independent anti-virus research institute.

f. Active Threat Hunting: Detects advanced malware and advanced persistent threats.

g. Remote Shell: This allows quick access to investigate infections, gather evidence, and remediate attacks.

h. USB and Bluetooth Blocking: Only allow trusted USB and Bluetooth devices to connect to your endpoints.

i. Additional Firewall Protections: Built-in capability to create additional firewall rules per endpoint, reducing the length of rule sets in hardware firewalls.

8. Annual Penetration Testing

The Consultant will analyze network environments, identify vulnerabilities and attempt to compromise them, gain privileged access, and attempt to exfiltrate data, all within rules of engagement defined with the Client according to the Client's comfort level. The Consultant will use automated and manual testing techniques mapped to the MITRE ATT&CK framework tactics:

a. Initial Access

b. Execution

c. Persistence

d. Privilege Escalation

e. Defense Evasion 

f. Credential Access

g. Discovery

h. Lateral Movement

i. Collection

j. Command and Control

k. Exfiltration

l. Impact

These techniques mimic tactics used by cybercriminals, providing real-world outcomes.

9. Annual Senior Leadership Report

The Consultant will provide an annual report to the Client's designated senior leadership official or board of directors. This report will outline the overall assessment of the Client's security program and include the results of the risk assessment, the penetration test, and recommendations for improvements to the Client's comprehensive security program.

10. Incident Response Triage

If the Client becomes the victim of a cybersecurity incident, the Consultant agrees to provide three (3) hours of incident response triage free of charge. Incident response triage includes verbal expert recommendations on attempted recovery and recommended actions to be taken. Recovery is not guaranteed. Additional hourly fees may apply if additional services are required or requested.

Deliverables

The Consultant will notify the Client of threat detection and mitigation alerts for critical incidents as required. Before sending these alerts, the Consultant will investigate, validate, and remediate the incident to the best of its capabilities.

The Client will receive an annual risk assessment report evaluating and identifying the Client's assets, vulnerabilities, and threats.

The Client will receive an annual penetration testing report detailing the attempts to compromise vulnerabilities with mitigation and remediation actions.

The Client will receive an annual senior leadership report outlining the overall assessment of the Client's security program, which includes the results of the risk assessment, penetration test, and recommendations for improvements to the Client's comprehensive security program. 

Term

This Agreement commences on the Effective Date and will remain in effect through the Initial Term and all Renewal Terms, as specified in the SOW, unless otherwise terminated in accordance with the MSA (the Initial Term and all Renewal Terms collectively the "Term"). The Initial Term will be three (3) years from the Effective Date and will automatically renew for successive one-year periods, subject to the then-current conditions and price at the time of renewal. 

Payment Schedule

For monthly project services, the Client may pay annually or monthly at the Client's convenience. Payment is due in the first month that services start, on the terms outlined in the Consultant Agreement and Statement of Work, and within thirty (30) days of the invoice date. Amounts not paid when due will be subject to a late charge of one and one-half percent (1.5%) per month. Late charges are reasonable liquidated damages for collection fees and are not a penalty.

Invoice Remittance

Payment may be made as follows:

1. Mailed to: Black Breach, LLC, 1025 Rose Creek Drive, Suite 620-214, Woodstock, GA, 30189

2. Provided to Justin Shanken (or designee) in person

3. Wired directly to an account provided by Black Breach to Client

4. ACH directly to an account provided by Black Breach to Client

Last modified April 16, 2024