
September 3, 2015

Joel Atkinson, Associate Category Manager

Florida Department of Management Services

4050 Esplanade Way, Suite 360

Tallahassee, FL 32399-0950

Reference: Department of Management Services RFI Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

Dear Joel Atkinson,

HP Enterprise Services, LLC (HPES) appreciates the opportunity to present our response to the Florida Department of Management Services (DMS) RFI for Cyber-security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services.

HPES is a global leader in cybersecurity services, and our security experts possess the methodologies, tools, knowledge, certifications, and direct hands-on experience to provide most of the pre-incident and post-incident services covered by this RFI through the General Services Administration (GSA) Schedule 70 contract. The scope of Schedule 70 does not include identity monitoring, protection, and restoration services for those potentially affected by a cyber-security incident, but these can be handled as “open market” items.

We believe of particular importance to the State of Florida and its Agencies will be HPES’ recently announced partnership with FireEye/Mandiant. This partnership is unique within the cybersecurity industry and leverages Intellectual Property and specialized capabilities from both companies through HPES’ GSA Schedule 70, allowing us to deliver these pre- and post-incident services seamlessly for our end clients.

On average today, breaches take 205 days just to detect, cost $3.5M per occurrence, take 32 days to respond to after detection, and are reported by a third party 69% of the time [1]. HP/FireEye Advanced Compromise Assessment, Managed Advanced Threat Protection, and Global Incident Response services are now available to prevent and remediate Advanced Persistent Threats (APTs) and associated malware for all State of Florida Agencies and Departments. FireEye capabilities have been at the center of remediation for most if not all of the recent publicly announced breaches at Target, Home Depot, Sony, the White House, the DOD Joint Chiefs of Staff, Anthem, and CareFirst. We look forward to eliminating the need to respond post-incident by proactively detecting and preventing these highly advanced threat-based intrusions, and stand ready to respond post-incident should the need arise.

HPES is also an awardee of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program Blanket Purchase Agreement (BPA), which is open to state and local governments. The CDM program provides tools and services that enable government IT networks to strengthen the security posture of their cyber networks.

[1] “On average” metric source: Mandiant M-Trends 2015 Report

HP Enterprise Services, LLC

13600 EDS Drive

Herndon, VA 20171

The tools and services delivered through the CDM program provide the ability to enhance and automate critical security controls monitoring; correlate and analyze critical security-related information; and enhance risk-based decision making at the agency and state enterprise level. Information obtained from the automated monitoring tools allows for the correlation and analysis of security-related information across the enterprise. Information on this BPA sponsored by the U.S. Department of Homeland Security can be found at http://h10131.www1.hp.com/public/contract-vehicles/dhs-cdm/ and on the U.S. General Services Administration website http://www.gsa.gov/portal/content/177883.

John Prestidge

Account Sales Executive

HPES State and Local Government

Introduction

HP Enterprise Services and FireEye, Inc. have announced a joint partnership to bring security consulting and managed monitoring services to our clients within US Public Sector.

The initial consulting capabilities include the Advanced Compromise Assessment, which involves a team of HP and FireEye (Mandiant) consultants performing a technical assessment of a customer’s environment to determine whether or not that environment has been breached by a threat actor such as a nation state or criminal enterprise. Alternatively, or depending upon the results of the Advanced Compromise Assessment, a joint team of HP and FireEye (Mandiant) personnel will perform a deep technical Incident Response to determine the full breadth and impact of a penetration and breach by the threat actor.

Our security qualifications include but are not limited to the following differentiators:

- Having over 5,000 security professionals globally with over 40 years of industry experience delivering cyber-security services.
- Providing security services used by 9 of the 10 Top Banks, 9 of the 10 Top Software Companies, and 10 of the 10 Telecoms.
- Our client list includes all major branches of the Department of Defense.
- Managing 10 Global Security Operations Centers with over 1,000 managed security customers.
- Preventing over 23 Billion monthly security events and providing security services for the world’s largest Intranet, the Navy and Marine Corps Intranet.
- Selection as a Continuous Monitoring cybersecurity vendor on the US Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Blanket Purchase Agreement.
- Our Security Services are vendor agnostic and include product/service offerings from a rich partner ecosystem including Equifax, FireEye, Splunk, RSA, F5, CA, Blue Coat, and Palo Alto Networks, as well as a broad range of HP-developed security products and intellectual property which combine holistically to provide the best security services in the market.
- Through our security product and services teams, we are the source of many of the vulnerability discoveries that are fed into Microsoft, VeriSign, and others. In fact, we discover 4 times the critical vulnerabilities found by the rest of the market combined! We monitor thousands of technologies from over 200 vendors for system vulnerabilities and publish more than 8,500 bulletins per year.
- Providing advisory, transformational, and/or managed cybersecurity services, depending upon each client’s unique requirements.
- Having a broad and deep portfolio of security services, including:
  - Cyber-Situational Awareness and Defense services.
  - Data Protection and Privacy Consulting services.
  - Distributed Denial of Service (DDoS) Protection services.
  - Data Loss Prevention services.
  - Endpoint Security services.
  - Identity Access Management and Identity Governance and Administration services.
  - Security Intelligence and Incident Response services.
  - Security Strategy and Risk Management services.
  - Network Security services.
  - Threat and Vulnerability Management services.
  - Security Information and Event Management (SIEM) services.
  - Security Forensic services.

While we have world-class leadership in security products, multivendor-based security services, and decades of global security experience, you’ll find us fully committed to you and all Florida State Agencies with exceptional responsiveness and the experience/capabilities to address all of the RFI’s requirements and more. To help answer any questions prior to potential next steps, and to make it easy to share details on HPES’ cybersecurity capabilities, experience, and differentiators with your key decision makers, we have created a custom microsite for review, per the access information below. On this site, you will find detailed information on security metrics, examples, service descriptions, and whitepapers to further illustrate the unique pre/post-incident security solution value that HPES is capable of providing the State of Florida.

DMS HPES Microsite address https://h10131.www1.hp.com/spp/539/floridadepartmentofmanagementservices/

User Name florida

Password 2015+security

Note: Both the username and password above are all lower case. The password has a non-alphanumeric character as a best practice making it more difficult to crack.

Background

We can protect what matters. Together.

Today's adversaries are ceaselessly targeting businesses of all sizes, in all geographies and in all industries. Enterprises can't afford to take a 'wait and see' posture when protecting their assets. Studies show that on average it takes 205 days to identify that a breach has taken place; something has to change to balance the scales and protect your most valuable assets, and using advanced threat protection services does just that.

We find the right solutions to solve each client's unique security problem: helping to detect active threats, stopping attacks before they happen, mitigating risk and proactively addressing lingering security vulnerabilities. HPES along with FireEye takes the fight to the adversary, to stop threats before they become breaches and mitigate intrusions with a swift incident response team that brings cutting edge tools and experience to solve the most pressing forensic investigations.

HPES and FireEye have just raised the bar for advanced threat protection services and incident response. We know your adversaries will respond, and we will proactively be there with you, armed with HP Enterprise Services’ unparalleled global reach and portfolio of world-class security service offerings. This includes a comprehensive suite of security remediation services underpinned by FireEye's advanced threat detection, intelligence, methodologies and incident response expertise.

The ultimate goal of a cyber-security solution is encapsulated in a concept referred to as “decision support”—real-time information on active threats, incidents, and security posture obtained from a robust security infrastructure. This infrastructure is supported by a mature security program that delivers timely recommendations for management action. The solution design incorporates:

- The delivery of confidentiality, integrity, availability, and accountability in accordance with risk-management requirements
- A modular approach based on appropriately evaluated and configurable commercial off-the-shelf products
- A proactive rather than reactive security solution to provide greater resilience to attack
- Consideration of known threat sources and those that may arise dynamically, using cyber-intelligence tools to warn of emerging threats
- Collecting, storing, and protecting all transactional and accounting data in an audit store, which is made available to the security operations center (SOC), management, and all other relevant agencies

Maximize security effectiveness

HP Enterprise Security Services developed Cyber Security Consulting Services based on our existing dedicated security architecture practice. Through these focused, robust, and established security architectural principles, we enable organizations to maximize the effectiveness of their IT security strategy and provide a coherent and consistent view of—and protection from—the current threat landscape.

Contact Information

John Prestidge

Account Sales Executive

HP Enterprise Services LLC – State and Local

[email protected]

603.529.5702 (o)

603.759.7996 (m)

Steve Lazerowich

Enterprise Security Solutions, Practice Principal

HP Enterprise Services LLC – USPS

[email protected]

404.774.1213 (o)

301.560.4455 (m)

Response to Section IV 1) Pre-Incident Services:

a) Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.

The State or individual agencies, in advance of an incident, can establish task orders directly against the GSA Schedule with CLINs that would be activated against certain activities. CLINs for preparation, assessment, response plans, training, and a hotline could be activated at time of award, while Incident Response, Mitigation, and Identity Monitoring, Protection, and Restoration CLINs would be activated on an as-needed basis. The individual CLINs could be Firm Fixed Price or Time & Materials, as applicable to the service provided. The terms and conditions of the GSA Schedule 70 would apply as well as specific state terms, providing there is no conflict with GSA terms.

Alternatively, the GSA IT Schedule allows for the formation of Blanket Purchase Agreements (BPA) whereby a framework can be established in advance with indefinite delivery-indefinite quantity (IDIQ) requirements to follow. The State of Florida can establish a BPA with single or multiple awardees for use by State Agencies, or state agencies can establish their own BPAs. Pricing and terms would be established through the BPA for use at the task order level. Individual agencies could then place orders against the BPA. Please include the ability to have Contractor Team Arrangements (CTAs) to allow for full solutions including any needed software. Under a Contractor Team Arrangement (CTA), two or more GSA Schedule contractors work together to meet ordering activity needs. By complementing each other's capabilities, the team offers a total solution to the ordering activity’s requirement, providing a win-win situation for all parties. Information on CTAs can be found at www.gsa.gov/contractorteamarrangements.

b) Assessments – Evaluate a State Agency’s current state of information security and cyber-security incident response capability.

HP Enterprise Cyber Security Consulting Services provides focused, robust, and established security architectural principles enabling organizations to maximize the effectiveness of their IT security strategy and provide a coherent and consistent view of—and protection from—the current threat landscape.

HP’s Digital Investigation Services (DIS) team is comprised of dedicated consultants with a wide range of corporate, law enforcement, and military cyber-investigative experience. They have experience providing insight and direction in incident response program development, training of incident response staff, investigation of complex security problem scenarios including: internal misuse and abuse, HR investigations, exploitation of vulnerable, publicly accessible systems (hacking), virus / malware outbreaks, denial and distributed denial of service attacks, and targeted, cyber espionage via advanced persistent threats.

In keeping with the theme of this RFI, HPES’ security practitioners are available to provide a variety of services as best meets the needs of either the State and/or any subordinate agencies. These assessment services, Cyber Security Readiness Service, Cyber Security Design Service and the HP/FireEye Compromise Assessment are described in detail below. HPES offers other types of assessments that may also be of interest to the State including those around HIPAA and PCI-DSS.

Cyber Security Readiness Service

In order to design a successful cyber-defense solution or a SOC, an organization needs a security architecture that can support it. A series of workshops help define the successful implementation of this type of architecture. These workshops are intended to:

- Identify the need for enhanced security management in the context of the business requirement, including risk, compliance, and costs
- Define the scope of the project
- Identify the security management system within the client environment
- Identify the policy and regulatory requirements that the client is required to satisfy
- Examine the risk assessments and risk treatment plans, and address any accreditation issues
- Identify audit and data retention requirements
- Examine the security architecture
- Identify the technical estate to be monitored to assess data capture rates and integration issues
- Identify the requirements for incident handling, proactive security, and security management services
- Identify training and mentoring requirements, including a gap analysis on the client’s staff
- Identify the disaster recovery and business continuity requirements
- Identify program and project management requirements and quality assurance

Deliverables from this stage include:

- Business benefits statement
- Report on the findings of the assessment phase mapped to a capability maturity model
- Outline of project plan for a cyber-solution
- Indicative costs of a cyber-solution

Cyber Security Design Service

This service can build on the findings of the Cyber Security Readiness Service or stand alone if you have already carried out your own assessment of your cyber security readiness. It is designed to:

- Establish the project management structure
- Prepare or amend Risk Management and Accreditation Document Sets, if necessary, to include security operating procedures and an Information Security Management System
- Prepare detailed project work plans with milestones
- Build programs, including roles and responsibilities, processes, technology, compliance, asset register, and dashboard
- Create and develop templates for the compliance requirements roadmap, reporting, policies, and procedures
- Create and develop templates for security training and awareness programs
- Create and develop templates for SOC training, forensic awareness, and mentoring programs
- Create SOC physical and technical designs, including threat management systems
- Establish the reporting baseline and design reports

Deliverables from this stage include:

- Findings report of the design phase
- Project steering committee structure
- Project Management Office structure
- Templates for compliance requirements, security training and awareness programs, SOC mentoring and training programs, and policies and procedures (a security handbook)
- Report on security architecture design with recommendations for improvements
- SOC physical and technical design
- Dashboard design
- Reporting templates

The HP/FireEye Compromise Assessment consists of two components: a host-based compromise assessment that focuses on identifying active and dormant indicators of compromise on host systems, and a network-based compromise assessment that focuses on identifying malicious activity in ingress and egress network traffic.

Host-Based Assessment

To perform the host based assessment, HP/FireEye works with your network and system administrators to have HP/FireEye’s MIR agent installed throughout the network (on all systems running a Microsoft Windows operating system) and to deploy a MIR controller on the network. HP/FireEye then performs a series of sweeps across the network for indicators of compromise (IOCs). HP/FireEye malware and forensics professionals analyze the results of the scans, and additional, more targeted scans are conducted as necessary. The results are then collated and provided in a detailed report. The paragraphs below describe this process in more detail.

Deploying HP/FireEye Intelligent Response (MIR)

HP/FireEye Intelligent Response (MIR) is HP/FireEye’s flagship product for finding evidence of compromise across an enterprise environment, and it is the primary tool used for the host-based assessment portion of the compromise assessment. The initial phase of the host-based assessment involves planning for the MIR agent deployment to endpoint systems. Initial planning is required to understand and address potential network segmentation issues, identify high priority systems or segments that should be scanned first, prepare the agent and controller deployment mechanisms, and identify any other aspects of the deployment that may require attention. Once the planning is complete, HP/FireEye will provide the agent package for installation and will provide instructions and guidance for deploying and testing it. To achieve maximum efficiency, the MIR planning and deployment will be conducted in parallel with the external network penetration testing.

Sweeping with MIR (Execution and Analysis)

Advanced Persistent Threat (APT) intruders use tools and techniques that leave trace evidence on each system they compromise. We call this trace evidence host-based indicators of compromise. New indicators of compromise emerge each time the APT intruders attack a network. Therefore, organizations need to be adept at identifying new indicators of compromise. These new indicators are critical to understanding the scope of the compromise.

HP/FireEye has used MIR to inspect over one million systems at firms compromised by APT intruders. During these efforts, HP/FireEye has identified and recorded hundreds of unique host-based and network-based indicators of compromise, and on each incident response engagement, we continue to add to and revise our host and network-based indicators of compromise. These are APT indicators that anti-virus and traditional signature based products do not detect.

HP/FireEye uses the power of MIR to inspect each system for any indicators of compromise, including but not limited to:

- Specific file MD5 signatures
- Specific file names and file path structures
- Unique indicators in file import tables of executable files
- References to over 100 known “hostile” domains in running processes and active network connections
- Indicators in critical registry keys and values
- Specific global mutexes used by processes
- Rootkits, hidden files and hidden processes
- Compressed or encrypted executable files
- Network-based indicators in memory

(Figure 1: MIR Datasheet)

Typically, HP/FireEye performs a series of scans during the host-based assessment. Initially, the scans are directed at test ranges of systems to allow verification of results and to benchmark scanning performance. Once initial testing has been completed, HP/FireEye sweeps the environment and reviews matches to known IOCs. The sweeps are tailored for the environment based on operating systems, types of systems to scan, any known threats, and industry vertical. Based on the results of initial scans, HP/FireEye may perform follow-up scans to improve search accuracy, add additional IOCs, and/or focus in on particular systems of interest.

All of the data from the various scans is processed as the assessment progresses, as additional scans and systems of interest are identified from the original scans that are run. Thus, at the end of the host review, HP/FireEye is able to provide a detailed report explaining what steps were taken to search for evidence of an attack, whether any indicators of compromise were found, and if so, what systems were affected and what indicators were found on those systems. HP/FireEye reviews the results with your team to determine whether additional investigative steps are warranted and to provide recommendations for next steps in terms of further investigation and/or remediation activities.

Note that the current scope does not include further investigation if indicators of compromise are identified. In the event that evidence of compromise is found, further investigation, live response analysis, and a full incident response can be provided on a time and materials basis at your request.

Network-Based Assessment

For the network based assessment, HP/FireEye uses a combination of HP/FireEye network sensors and FireEye network appliances. The HP/FireEye network sensors provide a network-based capability based on modern network intrusion detection technologies to monitor an enterprise network for advanced threat activity. HP/FireEye analysts use IOCs compiled from previous consulting engagements, as well as any indicators from your environment from the host based assessment, to perform real-time monitoring for advanced threats in ingress and egress traffic.

The FireEye network appliances monitor the network for indications of potentially malicious activity. Binaries and other potential malware from this traffic are then extracted and run through a virtual execution environment, which allows us to test for a range of threats, from a new zero-day exploit happening in real time on the network to an established command and control channel used to maintain a persistent connection on the network.

(Figure 2: FireEye NX Datasheet)

Sensor Deployment

Initial planning is required to understand the network architecture, network traffic points of presence, hardware requirements, and other potentially critical network design issues. Once HP/FireEye has a comprehensive understanding of the network environment, HP/FireEye delivers all necessary hardware (network sensor systems and FireEye network appliances) for the selected network traffic points of presence to be monitored.

HP/FireEye pre-configures many of the settings on the network sensors and FireEye devices, so they should only require minor configuration changes once physically installed by the organization. HP/FireEye can quickly finish the configuration onsite and test the devices to ensure they are properly capturing and processing network traffic and that they are properly sending alerts for identified malicious traffic. Once testing is complete, HP/FireEye then configures the devices to send alerts to HP/FireEye personnel and to a pre-defined e-mail address as specified by your organization.

Network Traffic Alerting

The goal of the network based portion of the assessment is to capture any active attacks in process. This may include brand new attacks against the environment that happen while the assessment is being conducted as well as follow-on activity from a previous compromise, such as command and control activity, data exfiltration, downloads of new attacker tools and malware, etc. HP/FireEye provides real-time alerts for these activities so your team sees them as soon as HP/FireEye does. Then HP/FireEye traces these activities back to the affected system to verify the compromise and feeds any new IOCs back into the host based assessment process to conduct additional host based searches, as appropriate.
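As an added illustration (not part of HPES’ response and not FireEye’s MIR product code), the following Python script sweeps one constructed host snapshot for the host indicator categories listed under “Sweeping with MIR” and then feeds a network-sensor alert back in as a new host indicator, the loop this paragraph describes. Every file, hash, registry key, mutex and domain in it is constructed for the example, and the byte-entropy heuristic for compressed or encrypted executables is a stand-in for the product’s own checks.

```python
"""Toy host-based IOC sweep modelled on the MIR sweep described above: match a
host snapshot against the listed indicator categories (file MD5, file path,
hostile domain, registry value, mutex, packed executable), then feed a network
alert back in as a new indicator. All data below is constructed."""
from __future__ import annotations

import fnmatch
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Indicator:
    kind: str   # "md5" | "path" | "domain" | "registry" | "mutex" | "packed"
    value: str  # hash, glob, domain, "RegistryKey=data substring", mutex name, or ""
    name: str   # label that appears in the report


@dataclass
class Host:
    files: dict[str, bytes]    # path -> file content
    connections: list[str]     # remote hosts of active network connections
    registry: dict[str, str]   # "HKLM\\...\\Run\\ValueName" -> value data
    mutexes: list[str]         # global mutexes held by running processes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, low for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(content: bytes, threshold: float = 7.0) -> bool:
    """Crude packed/encrypted-executable heuristic: MZ header plus high entropy."""
    return content.startswith(b"MZ") and shannon_entropy(content) > threshold


def sweep(host: Host, iocs: list[Indicator]) -> list[tuple[str, str, str]]:
    """Return (indicator name, kind, matched artifact) for every hit on the host."""
    hits: list[tuple[str, str, str]] = []
    for ioc in iocs:
        if ioc.kind == "md5":
            hits += [(ioc.name, "md5", p) for p, c in host.files.items()
                     if hashlib.md5(c).hexdigest() == ioc.value.lower()]
        elif ioc.kind == "path":
            hits += [(ioc.name, "path", p) for p in host.files
                     if fnmatch.fnmatch(p.lower(), ioc.value.lower())]
        elif ioc.kind == "domain":
            d = ioc.value.lower()
            hits += [(ioc.name, "domain", r) for r in host.connections
                     if r.lower() == d or r.lower().endswith("." + d)]
        elif ioc.kind == "registry":
            key, _, needle = ioc.value.partition("=")
            if needle and needle.lower() in host.registry.get(key, "").lower():
                hits.append((ioc.name, "registry", key))
        elif ioc.kind == "mutex" and ioc.value in host.mutexes:
            hits.append((ioc.name, "mutex", ioc.value))
        elif ioc.kind == "packed":
            hits += [(ioc.name, "packed", p) for p, c in host.files.items() if looks_packed(c)]
    return hits


def indicator_from_network_alert(alert: dict) -> Indicator:
    """Turn a (constructed) network-sensor callback alert into a host-sweep IOC."""
    return Indicator("domain", alert["dst_host"], alert["rule"] + " (from network alert)")


# Constructed samples: a known tool, a packed binary, a benign binary, a Run key.
BAD_TOOL = b"MZ" + b"constructed attacker tool sample"
PACKED_SAMPLE = b"MZ" + bytes(range(256)) * 4
CLEAN_SAMPLE = b"MZ" + b"\x00" * 1024
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"

SAMPLE_HOST = Host(
    files={"C:\\Windows\\Temp\\svchost.exe": BAD_TOOL,
           "C:\\Users\\Public\\update.exe": PACKED_SAMPLE,
           "C:\\Windows\\System32\\notepad.exe": CLEAN_SAMPLE},
    connections=["192.0.2.10", "beacon.c2.example.net"],
    registry={RUN_KEY: "C:\\Windows\\Temp\\svchost.exe"},
    mutexes=["Global\\ConstructedAptMutex_42"],
)

KNOWN_IOCS = [
    Indicator("md5", hashlib.md5(BAD_TOOL).hexdigest(), "known tool hash"),
    Indicator("path", "c:\\windows\\temp\\*.exe", "executable dropped in Temp"),
    Indicator("registry", RUN_KEY + "=temp\\svchost.exe", "Run-key persistence"),
    Indicator("mutex", "Global\\ConstructedAptMutex_42", "known tool mutex"),
    Indicator("packed", "", "packed or encrypted executable"),
]
# Alert the network sensor would raise on this host's beaconing traffic (constructed).
NETWORK_ALERT = {"rule": "hostile C2 domain", "dst_host": "c2.example.net"}


def run_assessment() -> dict:
    """Sweep with the known IOCs, then re-sweep after the network alert adds one."""
    initial = sweep(SAMPLE_HOST, KNOWN_IOCS)
    after = sweep(SAMPLE_HOST, KNOWN_IOCS + [indicator_from_network_alert(NETWORK_ALERT)])
    return {"initial_hits": initial, "after_feedback_hits": after}
```

The first sweep finds the dropped tool by hash, path, Run key and mutex plus the packed binary; the beaconing connection is only caught once the network alert’s domain is fed back as a host indicator.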

As with the host based portion of the assessment, all of the data from the network based compromise assessment is processed as the assessment progresses and systems of interest are identified. This data feeds back into the host based assessment and is incorporated into the detailed report, showing whether any indicators of compromise were found, and if so, what systems were affected and what indicators were found on those systems. HP/FireEye reviews the network based alerts with your team to determine whether additional investigative steps are warranted and to provide recommendations for next steps in terms of further investigation and/or remediation activities.

Important note: If indicators of compromise are identified, HP/FireEye can provide surge support to respond to the incident at your request. Note that incident response activities would extend or preempt the project and delay future phases. Response surge support is provided on a time and materials basis.

Analysis and Results

At the completion of the project, HP/FireEye provides a written report presenting the results of the assessment in a management summary report that provides a summary of the results, including statistics of compromised hosts and a list of critical findings. The summary also includes an analysis of your organization’s security posture based on the results of this assessment. Additionally, the detailed portion of the report provides notes and results from each of the phases of the compromise assessment and then presents the detailed findings to explain each identified indication of compromise and the affected systems. The report includes:

- Description of the compromise
- Type of attack (commodity malware versus targeted attack)
- Identified timelines (date of first activity, if determined; date of most recent activity)
- A list of affected systems
- Recommendations for next steps (remediation or further investigation)

c) Preparation – Provide guidance on requirements and best practices.

The first step to providing a comprehensive incident response program is to begin with an Enterprise Engagement Process (EPP). The EPP is used to understand the State agency’s existing capability for incident response and ascertain the requirements for incident escalation, investigation, problem management, change management, socialization, training, and process testing. This enables HPES to leverage standard processes and provide increased consistency and quality. The end result is a complete escalation plan, response scenarios, confirmed reporting requirements, and a fully-informed and security-aware partnership. During the EPP, HP Digital Investigation Services (DIS) consultants will:

- Complete a technical fact survey that describes the current technical and business environment as well as the information necessary to successfully respond to a security incident (preparation)
- Review existing incident response policies and procedures (preparation)
- Develop a custom incident response and escalation plan that covers the response process flow, incident verification process, incident validation/initial analysis and assessment, escalation process, initial meeting and contact information (develop plan)
- Review the due diligence and escalation plan to verify the process steps and provide training information to the support organization (preparation)

d) Developing Cyber-Security Incident Response Plans – Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.

HP Digital Investigation Services resolve adverse security events by following proven processes and escalation routes supported by best-in-breed technology. Our approach is grounded in best practices and methodologies that ensure a predictable and immediate reaction to security threats. HPES clearly sets out how we respond to any and all attacks and how your defenses will be supported by our expertise in security and vulnerability protection. We will work with you to provide:

- Security incident response planning—Provides a detailed work plan of the business and technical environment
- Incident notification process—Provides additional feeds from sources within your IT environment, in addition to HPES monitoring your IT environment
- Security incident investigation—Determines cause, impact, and ways to prevent recurrence
- Impact mitigation during an incident—Enables instant situational control and minimizes impact with immediate on-site action by HPES to gain visibility of an incident, and detect and shut down the breach traffic
- Executive notification process—Provides immediate notification and ongoing updates on incidents to designated executives
- Final incident report—Delivers a summary report on each incident, actions taken, and recommendations to mitigate recurrence
- Monthly reports—Provide monthly activity and trending, including metrics around severity and motive, case status, and risks associated with active incidents

e) Training – Provide training for State Agency staff from basic user awareness to technical education.

The HPES team will partner with the State’s Security teams to develop a Security Awareness program (Security Training Program) that will incorporate the State and Agency security policy guidelines. The overall Security Training Program will begin with instituting a mission statement that supports the State’s organization business plan. The Security Training Program will align with the State’s current security culture, improve security practices, reduce potential security-related audit concerns, comply with policies, and support improvement.

A Security Awareness (SA) program is designed to accomplish the following:

- Establish security as an integral part of business practices
- Ensure everyone has a responsibility to exercise and promote good security practices
- Provide the information necessary to implement good security practices according to approved policies, standards, and procedures
- Support the State’s requirements to meet and reinforce policy, laws and regulations support
- Enhance and add value to services
- Reduce risks to the State and its agencies
- Sustain changes to threats, business requirements, and compliance standards

The HPES team will leverage the vulnerabilities and risks identified by the recommended Vulnerability Assessments, which will help the team define actual program training needs and direction, as well as the compliance requirements of the Criminal History Record Information Act (CHRIA), Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS) regulations, United States Social Security Administration (SSA) regulations, IRS (Internal Revenue Service) Publications, and the Payment Card Industry (PCI) standards.

Elements and their Description

Understand senior management's level of support: Institute a Senior Management Security Awareness program champion to demonstrate Senior Management's commitment to security.

Determine the Security Training Program Scope: Evaluate the State's risk and vulnerabilities. Evaluate compliance requirements for the Criminal History Record Information Act (CHRIA); Health Insurance Portability and Accountability Act (HIPAA); Criminal Justice Information Services (CJIS) regulations; United States Social Security Administration (SSA) regulations; IRS (Internal Revenue Service) Publications and State ITBs; and Payment Card Industry (PCI) standards.

Determine Value and Applicability: Map laws, regulations, vulnerabilities and job functions/responsibilities. Designed to identify individuals' needs and deliver appropriate security training.

Determine how security, laws and regulations relate to Job Responsibilities: Security Awareness is best shared if employees understand why it is applicable to their job responsibilities. Establish a baseline of best practices and reinforce policies for all employees.

Delivery Methods: Establish a Security Awareness internal website to provide personnel with access to security resources. Post policies, a list of security personnel, an incident response number, awareness tips, etc.

Develop Design: Establish a Security Awareness Methodology. A Security Awareness program cannot afford to become stale or dated. It must keep up with the State's current security culture and the larger security culture, evolving threats, laws and regulations, and changes in policies and job responsibilities.

Develop targeted Security Awareness programs: Develop and implement targeted programs that ensure all personnel have an awareness of common threats and a familiarity with security policies and procedures and laws and regulations. Build a good balance of security with effective business practices.

Capture metrics, measure, report and improve: Implement a scoreboard that communicates interactively with the employee to ensure training is completed and provides the management team with results.

In order to successfully leverage this approach and deliver quality services, the HPES team will require knowledgeable personnel representing the State security teams, State Management team, and State Policy team. To roll out an effective Security Training program, the HPES team will work with the State security teams to develop a roadmap which will be periodically reviewed to ensure it is achieving Security Training Program goals and continues to align with the State’s business goals.

In addition to regulation and compliance requirements, the HPES team will work with the State security team to identify specific requirements for the Security Awareness program. Examples of additional State requirements may include, but are not limited to:

Legal requirements

Contractual requirements

Policy requirements

Computer personal usage policies and procedures

Computer security awareness training (annually per government regulation)

Understanding of employees' participation in a business continuity plan

Proper information handling procedures and practices

E-mail usage policies and procedures

Understanding of the requirements for handling sensitive data

Guidelines for leaving the building after work

Severe weather response

Evacuation plan

Mandatory Security Training

HPES and the State will develop a Security Training program that includes a strategy for defining required Security Awareness training programs for employees, contractors and subcontractors assigned to work on State projects and facilities. Required training will be prioritized by the mapping developed through the Determine Value and Applicability process. This process will also identify the type of training and the level of learning required to be most effective, i.e. awareness or active training.

The HPES team understands that there is a difference between "Security Awareness" and "Security Basics Training". Awareness presentations are designed to educate how to recognize security concerns and respond accordingly, focused on benefit, not on fear. In presentations and awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having the goal of building the knowledge and the skills needed to facilitate job performance.

"Security Awareness" is explicitly required for ALL employees, whereas "Security Basics Training" is required for those employees, including contractor employees, who are involved with IT systems. In today's environment this typically means all individuals within the organization. The "Security Basics Training" category is a transitional stage between "Awareness" and "Training." It provides the foundation for subsequent training by providing a universal baseline of key security terms and concepts.

The HPES team is committed to developing the appropriate levels of training and has the highly qualified information security subject matter experts capable of developing and delivering it.

Levels of training

Working with the State, the HPES team will develop a method to track employees, contractors and subcontractors assigned to work on State projects and verify that each individual receives appropriate training on time. The HPES team will work with the State to implement a Security Scoreboard as a method to track employees' progress, present friendly reminders, and present management with training completion metrics and results. The Security Training Scoreboard will be integrated with the State's security clearance database system to track current training status and overall attainment of group training goals.

Training requirements will be driven by Project Level, Job Status, and Job Profile. This will provide a means to support training requirements at a broader level.

The Security Training Scoreboard provides value by tying in with the Security Incident Management system, so that analysis reports such as the effectiveness of a specific security training course versus the number of incidents over time can be produced. The HPES team will work with the State teams to develop these types of reports, compliance reports, and security training effectiveness maturity reports. Reports will be used to evaluate both the scope of the State's security training needs and the effectiveness of the training provided and the delivery methods. The reports will also be used to allocate future training resources to derive the greatest value or return on investment.

Ongoing training will be supported by such things as slogans, campaigns, posters, periodic email flyers and website postings.

Types of training

Levels of training will range from general security awareness, to governance, to targeted training.

Working with the Value and Applicability Mapping process, the method of delivery can easily be identified. The HPES team will work with a variety of methods to deliver security training. Examples of training materials/activities include:

Policies, procedures, guidelines

Conduct Office space reviews

Online self-paced training to ensure

Hands-on training courses

Security Awareness Videos

Interactive presentations – in person

Virtual Lunch & Learn sessions

Web based information – Bulletins (Dedicated Security web site)

Training campaigns, including posters, flyers, Brochures, emails

A security reminder banner on computer screens that displays when a user logs on

Promotional/specialty “trinkets” with motivational slogans

The HPES team will work with the State's security team to design a program that makes security part of employees' everyday thinking and associates it with protection and compliance. The HPES team's delivery method is mixed to keep it fresh and engaging. The HPES team will work with the State's security team to develop best practices and reinforce policy.

Security Awareness Training

Awareness training presentations must be ongoing, creative, and motivational, with the objective of focusing the learner's attention so that the learning will be incorporated into conscious decision-making and result in behavior that makes security part of everyone's job.

Working with the State's security team, the HPES team will assist in the development of Employee Self-Assessments and an All Employee Awareness program. The program will educate participants so they will better understand the State's security policies and procedures and the ways of preventing common threats. Topics might include:

PC security practices

Clear desk practices

Mobile device security

Handling Sensitive Information

Information Classification

Browsing

Email & instant messaging

Piggybacking and tailgating

Social engineering

Insider threat

Personal safety

Travel Safety

Annual office space reviews

Annual Self-assessment surveys

Targeted Training

The HPES team will work with the State's security team to ensure training methods do not negatively impact productivity. Targeted training will be focused and have a succinct goal.

The HPES team will work with the State's security team to build the security training program, working with Security Planning and Incident Response to assess the current security culture, current threats, and training needs. The assessment will assist in developing all targeted training, on topics such as:

Computer viruses

Remote Access

Backing up data

Continuity

Destruction of sensitive materials

Building access

Security incidents

Security alerts

Password management

Vendor patch deployment policies/processes

Advanced Persistent threat

Data Protection

Encryption

Security threats are ongoing; therefore training is an ongoing necessity. The HPES team will work with the State's security team to help build a sustaining security training program. The Program's processes and resources should be reviewed annually, at the very least, and be used to update both training content and communication methods. As a result, the program becomes an established part of the organization's culture and stays current and engaging.

2) Post-Incident Services

a) Breach Services Toll-free Hotline – Provide a scalable, resilient call center for incident response information to State Agencies.

State Agency personnel can initiate DIS services by calling HPES' Security Operations Center, 7 days a week, 24 hours a day, or as agreed in the escalation plan. DIS personnel will respond to the State Agency's inquiry to immediately begin an investigation. A typical incident response service level agreement (SLA) is 15 minutes.

b) Investigation/Clean-up – Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels.

These services are included as the "outputs" and deliverables of either a Compromise Assessment (described above) or the Incident Response services described below.

c) Incident Response – Provide guidance or technical staff to assist State Agencies in response to an incident.

HP DIS provides a team of experienced computer security incident response and digital forensics practitioners. HP DIS provides a full complement of forensic processes and utilities in support of client needs. Typical HP DIS engagements include targeted data collection, utilization analysis (HR investigations), technical root cause analysis (RCA), and scope of impact (SOI) analysis. All investigation services are supported through forensic data collection best practices including chain of custody documentation, reproducible analysis methods, and detailed reporting as required.

The types of forensic investigations include, but are not limited to:

Targeted data collection services support a client's need to extract and preserve evidence to be used in the furtherance of internal security investigations. Such investigations are supported through complete forensic acquisition best practices and are performed at the direction of the client.

Utilization investigations provide the client with an understanding of the actions of a user for a given time frame. This analysis will use available information on the user's device as well as externally logged data (Active Directory, proxy, network, etc.) to show timing, behaviors, and outcomes of user actions. Such investigations commonly support HR investigations and malware investigations.

Technical Root Cause Analysis (RCA) investigations attempt to provide insight into the actions contributing to a security event. These investigations will collect digital artefacts from computers and logging resources (SIEMs, firewalls, network appliances, authentication services, etc.) and, to the extent available, provide a detailed explanation of the facts and conditions that led to the event of concern. Such investigations are used to identify sources of unauthorized changes, internal misuse, theft, unauthorized access, and impacts to service.

Scope of Impact (SOI) investigations attempt to establish the complete impact of a malicious event on the client infrastructure. This impact may be defined by the number of devices affected, the duration of the event, the data exposed, or the source of the impact. SOI investigations, much like RCA, involve the collection and iterative analysis of any kind of digital artefact that may be leveraged to support the investigation. As this case type typically involves many networked resources, HP DIS will guide the identification of appropriate digital artefacts and their collection in a forensically sound manner, and provide timely analysis.

Manual and automated malware analysis is often conducted to preserve our customers' privacy and public image. When presented with URLs hosting malicious content, processes collected from memory, or executables found on disk, HP DIS will subject the file to an internal automated analysis process, as well as a manual review including debugging and decompiling. These two processes are used to identify the behavior of the malware, enumerate its characteristics, and establish the potential for data theft and exfiltration. The results of analysis are used with discretion to support the client by working with its antivirus and network security controls vendors to develop signatures or improve the controls' detection ability. Where appropriate, the findings from the analysis are used to further an investigation by establishing the full scope of impact, identifying all systems exhibiting the same characteristics.

All digital forensic services are provided through an ongoing engagement that will provide the State Agency with timely updates and responses. Where appropriate, HP DIS will work side-by-side with the State Agency's internal support teams, investigation teams, and legal support.

Global Incident Response from HPES and FireEye/Mandiant comprises services that help you detect active threats, manage incidents, and respond to critical security breaches effectively. Our global response teams are available 24/7, working with you to execute an effective remediation plan. This includes deploying proprietary incident response technologies from HPES and FireEye/Mandiant to support the investigation through data capture, analysis, and reporting. This technology is supported by our constantly updated global threat intelligence to anticipate attacks and take preventive measures. We work with you to identify systems and networks that have been compromised by stealthy advanced threats and zero-day malware. We also investigate signs of compromise to determine if attackers are still active or have been in the past. While performing the investigation, we collect evidence and analyze it to determine the attack vector, establish the timeline, and determine the extent of the compromise. We then evaluate which data has been compromised and work toward identifying the attacker. We provide expert advice to help your organization recover from a breach and minimize the impact of the event, reducing both the risk to your business and the potential damage to your reputation. We work closely with you to provide comprehensive and structured reports to help you understand the chain of events and make the right business decisions.

We develop a detailed remediation plan aligned to your business objectives, providing context for the attack, the extent of the compromise, and the intentions and tactics of the attackers. We also recommend actions to contain the breach and eradicate the threat. A detailed security improvement plan provides recommendations to improve your security posture and implement the best security controls to avoid similar incidents in the future.

d) Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.

For purposes of this response, we are assuming that "Mitigation" is defined as reducing the impact of a specific incident response engagement and/or findings developed as a result of the performance of a Compromise Assessment, Cyber Security Readiness Assessment, and/or Cyber Security Design Service engagement.

As such, HPES personnel will work alongside State Agency personnel to understand the specific nature of findings and/or events, approaches to reduce or, if possible, eliminate the impact of a finding or event, and how the State Agency may assess susceptibility to such findings in other systems and Agencies. If requested, HPES will also provide specific proposals for additional technologies, architectural approaches, business processes and application assessments to reduce the likelihood of future recurrence.

e) Identity Monitoring, Protection and Restoration – Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber-security incident.

Identity monitoring, protection and restoration services are outside the scope of the GSA IT 70 Schedule and are typically handled under the GSA Financial And Business Solutions Schedule 520, which is currently not available to state and local agencies. HPES, however, has partnered with Equifax, one of the largest sources of consumer and commercial data and a leading provider of these services, to offer them as an "open market" component of our overall solution.

Equifax is able to provide unique data-driven solutions that deliver value to breach-affected individuals, agencies and companies. Utilizing our databases, advanced analytics and proprietary enabling technology, Equifax provides real-time answers for our customers. This innovative ability to transform information into actionable intelligence is valued by customers across a wide range of industries and markets and serves as the basis for our Identity Monitoring, Protection, and Restoration portfolio of products.

In the event of a cyber-security incident, Equifax is positioned to quickly respond to the incident on behalf of the affected organization. Equifax provides ID Theft Protection products as well as ancillary products that provide comprehensive coverage in response to the incident.

Equifax’s ID Theft Protection includes:

Credit file monitoring - daily monitoring of key changes to 1B or 3B credit files that may be an early warning of potential ID theft

Access to credit reports - enable consumers to ensure the accuracy of their 1B or 3B credit files

Automatic fraud alerts - statement on the credit file requesting creditors to take additional steps to verify a consumer's identity before approving new loans

Web detect - monitoring of potential exposure of consumers' SSNs, bank and credit/debit account numbers on underground trading sites

To further support our partners with their cyber-security incident, Equifax also offers the following services:

Address Refresh and Data Append Services - when address records are old or incomplete, Equifax uses a proprietary solution to update the old addresses to enable partners to maximize the universe of consumers that they can notify

Mail Shop Services - partners can outsource the processing of notification letter mailings

Data Breach Help Line (Tier 1) - call center to respond to consumer questions about the event and product availability & enrollment