EventTracker Implementation Services Plan and SOW for State of Iowa
Main Location: Hoover Data Center, 1305 E. Walnut St., Des Moines, Iowa 50319
Installation Location: Hoover Data Center
The State of Iowa Department of Administrative Services’ Information Technology Enterprise (DAS-ITE) provides high quality, customer-focused information technology services as well as business and communications solutions to government and its citizens. In an increasingly technology-based world, DAS-ITE is at the core of nearly every new development and application of daily business in state government.
Objectives and Initiatives
Objective: To utilize log data to improve the efficiency and effectiveness of Operations, Compliance and Security of computing systems at the State of Iowa.

Goals:
- Collect, correlate, and alert on logs from all computing devices that generate logs
- Collect and compare configuration settings from selected computing devices
- Alert on configuration deltas for selected devices
- Report and alert on log and configuration correlations and other event data and metadata
- Reduce the risk of data loss through management of removable media (i.e. USB, CD-ROM, portable hard drives, etc.)
- Install functioning collection points supporting DAS, DOT, DHS (ELIAS) and IDR
- Perform on-site training for administrators and users (approx. 20 people)
- Provide the foundation for a pilot with SIEM Simplified
EventTracker Enterprise Implementation Plan and SOW
Client Organization Chart for this Project

Name | Title | Project Responsibilities | Location | Telephone Number | E-mail Address
Jeff Franklin | CISO | Sponsor | Hoover State Office Bldg, B Level, Des Moines, Iowa 50319 | 515-281-4820 | [email protected]
Calvin Moore | Information Security Officer | EventTracker Lead | Hoover State Office Bldg, B Level, Des Moines, Iowa 50319 | 515-281-4805 | [email protected]
Mike Chesmore | Information Security Officer | EventTracker Backup | Hoover State Office Bldg, B Level, Des Moines, Iowa 50319 | 515-281-5816 | [email protected]
EventTracker Modules (U = Unlimited Qty)

Product | Qty
EventTracker Enterprise | 1
Master Console(s) | 1
Collection Point(s) | U
Workstations | U
Additional Servers | U
Windows Agents | U
Change Audit (Server) | U
Change Audit (WS) | U
StatusTracker | U
Configuration Assessment (FDCC SCAP - NIST) | U
Behavior Analysis | U
NetFlow | U
Search | U
Cyber Analyst Data Mart |
SIEM Simplified (full) | X

Fixed Costs | Qty
Remote Implementation Assistance Days | Up to 3
Web Training Days | Up to 5
On Site Days (2 per Agency (DAS, Trans, PH)) | Up to 6: 2 days for DAS, 1 day each for 2 agencies (Trans, PH)
Project Plan (items and objectives, responsible parties and time frames)

Item | Prism Responsible Party | Client Responsible Party | Time Frame
Kick Off Call: Project Plan, Timeline, Success Criteria | TBD | Moore/Chesmore | Week 1, Start Date (TBD)
Installation: Hardware Specs Sign-off | TBD | Moore/Chesmore | Week 1
Initial Configuration Certification | TBD | Moore/Chesmore | Week __
Product Training | TBD | Moore/Chesmore | Week __
Project Objectives Met | TBD | Moore/Chesmore | Week __
Statement of Work (SOW): EventTracker Implementation Services, State of Iowa - SIEM

1 Sponsor
Jeff Franklin, CISO, State of Iowa

2 Background
Iowa has procured software licenses for EventTracker Enterprise as follows:

EventTracker Enterprise - Perpetual Site License
- Unlimited Log Sources, Consoles (Windows Servers / Firewalls / Network / Linux / Unix ...)
- Log Collection with EventVault
- Collection Point / Collection Master Architecture
- Security and Compliance Reports
- Real-time Incident Monitoring, Dashboards and Alerting
- Personalized Dashboards - Security, Operations, Compliance and MyEventTracker
- Audit Prep / Security Policy Activity Summary Reporting
- Flex Reporting
- StatusTracker
- Behavior Analysis
- Correlation Engine
- Change Audit for Windows
- Configuration Assessment
- NetFlow
- USB Monitoring
- Cyber Analyst Data Mart
- Workstation Monitoring
The objective of the procurement is to satisfy various state operational, security and compliance requirements.
The purposes of the SOW are to define the implementation requirements from various stakeholders, and prepare an implementation plan to meet those objectives using the previously procured licenses of EventTracker Enterprise, implement the approved configuration and train Iowa personnel in the appropriate use of EventTracker.
Objectives

Provide design, implementation, configuration and training services for the Iowa EventTracker Enterprise software deployment. The focus will be on improving operational awareness and enhancing the security and compliance posture of the IT organization's senior management and staff through:
1. Comprehensive audit and event log collection and processing
2. Automated monitoring and alerting
3. Scheduled and on-demand reporting
   o Management
   o Staff (DAS, DOT, DHS, IDR)
4. Implementation of dashboards
   o Operations Group
   o Security Group
   o Compliance Group
   o Individual ("MyEventTracker")
5. Implementation of the advanced EventTracker features listed above
Service Phases Performed by Vendor

1. Design Services (Data Architect)
a. Requirements Definition (remote and on-site as required, as determined by the State of Iowa; maximum 5 business days on-site). Operational objectives surveys with:
   - Senior Management
   - Other Stakeholders (DOT, DHS, DAS, IDR)
   - System Administrators (log sources)
   - EventTracker Users
b. Deliverables:
   - Project Plan
   - Data Architecture Recommendation (IT Infrastructure)
   - System implementation, testing and installation
   - EventTracker configuration (including collection points, alert configuration, report configuration, role configuration, Windows Agent configuration, backup schedule, hardening process)
   - Staff training
   - SIEM Simplified service setup
2. Implementation Services (Systems Management Technologist) (remote and on-site as required, as determined by the State of Iowa; maximum 5 business days on-site)
a. Install and upgrade EventTracker to the latest build, up to 10 Collection Points and Masters
b. Implementation of the System and Data Architect recommendations. It is a prerequisite for all requirements that all relevant/targeted log data be aggregated in the EventTracker software for reports, alerts, dashboards and search queries to function.
   - User Privileges
   - Dashboards: Operations, Security, Compliance
   - Alerts: configure and implement the specific alerts Iowa needs. We have 20 or more alerts that are used in risk assessments:
     - Consume and correlate IDS alerts
     - Alert on lack of logs from expected sources (i.e. logging stops)
     - Alert on new or unknown devices (a new laptop is plugged in, an alert goes to the admin)
     - Alert on non-approved software execution (not just installation, but running of an EXE that is not on the approved list)
     - Alert on detection of a host that is not running a standard configuration (may not be possible; example: imaged machines with a standard software suite, machine X no longer has application Y installed, so alert on it)
     - Alerts on AV activity: a. signatures out of date; b. AV client not running; c. AV not able to successfully clean an infection, or the same infection recurring
     - Alert on detection of a new or unknown wireless client
     - Alert on detection of a new wireless network (or SSID)
     - Alerts on configuration changes to (at least): a. routers; b. switches; c. firewalls; d. IDSs
     - Alert on detection of an unknown service (example: machine X starts listening on port 80 for traffic; alert on this)
     - Alert on account lockout
     - Alert on account expiration
     - Alert on significant changes to AD (example: a new admin is added to AD)
     - If data classification is in place, alert on unauthorized access to data
     - Alert on sensitive data exfiltration
     - Alert on USB connect/usage (or other portable media such as CD/DVDs)
     - Train Iowa staff on custom alerting
   - Reporting:
     - Standard (out of the box)
     - Flex (develop Iowa-specific reports for ELIAS SSP and SSR reporting)
     - Training on how to create custom reports
   - Server hardening
   - Configuration and archive backup
   - Implement advanced features
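Several of the alert requirements above (logging stops from an expected source, a new or unknown device, execution of a non-approved EXE, a host starting to listen on a new port) share one shape: an inventory or baseline plus a stream of events compared against it. The example below is added here to show that logic end to end; it is not EventTracker's rule syntax or any State of Iowa configuration. The event schema, the inventories (`EXPECTED_SOURCES`, `KNOWN_HOSTS`, `APPROVED_EXES`, `BASELINE_LISTENERS`) and the sample events are all constructed for the illustration.

```python
"""Illustration of four of the SOW alert conditions over constructed events.

Added example; not EventTracker rule syntax. Event records are
(iso_timestamp, host, event_type, detail) tuples, a schema assumed here.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "rule host detail")

# Hypothetical inventories an implementer would maintain (constructed).
# Expected log sources and how often each should be heard from.
EXPECTED_SOURCES = {"fw-01": timedelta(minutes=5), "dc-01": timedelta(minutes=5)}
# Devices that are allowed on the network (asset inventory).
KNOWN_HOSTS = {"fw-01", "dc-01", "ws-0042"}
# Executables on the approved list, stored lower-cased for comparison.
APPROVED_EXES = {r"c:\windows\explorer.exe", r"c:\program files\office\winword.exe"}
# Ports each host is expected to listen on (service baseline).
BASELINE_LISTENERS = {"ws-0042": {445, 3389}}

# Constructed sample events; 'heartbeat' stands in for any event from a source.
SAMPLE_EVENTS = [
    ("2014-03-03T08:00:00", "fw-01", "heartbeat", ""),
    ("2014-03-03T08:00:00", "dc-01", "heartbeat", ""),
    ("2014-03-03T08:05:00", "dc-01", "heartbeat", ""),
    ("2014-03-03T08:06:00", "ws-0042", "process_start", r"C:\Windows\explorer.exe"),
    ("2014-03-03T08:07:00", "ws-0042", "process_start", r"C:\Users\bob\Downloads\setup.exe"),
    ("2014-03-03T08:08:00", "ws-0042", "listen", "80"),
    ("2014-03-03T08:09:00", "ws-0042", "listen", "445"),
    ("2014-03-03T08:09:30", "lt-unknown", "dhcp_lease", "10.1.2.77"),
    ("2014-03-03T08:10:00", "dc-01", "heartbeat", ""),
]


def evaluate(events, now_iso, silence_factor=2):
    """Return the alerts the four sample rules raise for `events`, judged at `now_iso`.

    A source is 'silent' when nothing has been heard from it for more than
    silence_factor times its expected interval (or never at all).
    """
    now = datetime.fromisoformat(now_iso)
    parsed = sorted((datetime.fromisoformat(ts), h, k, d) for ts, h, k, d in events)
    alerts = []
    last_seen = {}
    for ts, host, kind, detail in parsed:
        if kind == "heartbeat":
            last_seen[host] = ts
        elif kind == "dhcp_lease" and host not in KNOWN_HOSTS:
            # New or unknown device: a lease handed to a host not in inventory.
            alerts.append(Alert("unknown_device", host, detail))
        elif kind == "process_start" and detail.lower() not in APPROVED_EXES:
            # Non-approved software execution: compare the full path, case-insensitively.
            alerts.append(Alert("unapproved_execution", host, detail))
        elif kind == "listen":
            # Unknown service: a listening port outside the host's baseline.
            port = int(detail)
            if port not in BASELINE_LISTENERS.get(host, set()):
                alerts.append(Alert("unknown_service", host, f"port {port}"))
    # Logging stops: evaluated after the stream, against the current time.
    for host, interval in EXPECTED_SOURCES.items():
        seen = last_seen.get(host)
        if seen is None or now - seen > silence_factor * interval:
            alerts.append(Alert("logging_stopped", host, f"last seen {seen}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, "2014-03-03T08:12:00"):
        print(alert)
```

Two points carry over to a real deployment regardless of product: the "logging stopped" rule is the only one that cannot be triggered by an incoming event, so it has to be scheduled against the clock rather than evaluated per event, and every other rule is only as good as the inventory it compares against (the approved-EXE list, the asset list, the port baseline), which is why the assumptions section makes Iowa responsible for supplying those asset details.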
3. Training Services (Systems Management Technologist)
a. Train EventTracker users and administrators (22-hour curriculum, dedicated to Iowa only) on the EventTracker modules:
   - EventTracker Enterprise
   - Workstations
   - Change Audit (Server)
   - Configuration Assessment (FDCC SCAP - NIST)
   - Search
b. Deliverables:
   - On-site and web-based training for up to 20 staff
   - Train the trainer
   - Training schedule
   - Topics, hands-on exercises
   - Certification of training
   (Training will be conducted via the web and on-site at Iowa based on mutual agreement.)
3 Assumptions

a) Iowa will provide details about the IT assets to be monitored by the EventTracker software, including servers, network equipment, applications and associated network diagrams.
b) Iowa will work with EventTracker staff to define relevant use cases and best practices for the following:
   a. The alert conditions and associated system and ECC staff notification rules
   b. Configuration of daily/weekly reports and the setup of team and user dashboards
   c. Behavior rules and associated EventTracker
   d. The advanced EventTracker features listed above
c) Iowa will designate a primary point of contact and the staff to be trained on EventTracker features and administration.
d) Where effective, some Implementation Services work will be performed remotely from the vendor site at a location within the continental United States. The State of Iowa will provide limited/controlled remote access to the EventTracker installation for up to four defined individuals. EventTracker will restrict VPN access to the State of Iowa implementation to continental U.S. locations and employees only.
4 Labor Estimate

Task Title | Hrs | 2014 Labor Rate per Hr
Project Manager | TBD | Included
Data Architect | TBD | Included
Systems Management Technologist | TBD | Included
Total | | Capped

The capped services must be delivered within 90 days of contract execution.