133SCE Base

Security Capability Evaluation

    Service Overview

    The DeepSeas Security Capability Evaluation allows DeepSeas Clients to evaluate their current security program.

    The program provides the Client with a series of initial assessments, including onboarding and follow-up assessments within the DeepSeas Advisory App; an External Vulnerability Assessment for up to 20 IPs performed by the DeepSeas Red Team; and setup, configuration, and access to the DeepSeas Advisory App, including the Security Maturity Scorecard, to visualize and assist in the Client's journey of risk mitigation and cyber defense.

    Objectives

    The primary objectives of the Security Capability Evaluation are to:

    • Perform onboarding and setup of the DeepSeas Advisory App, including the Security Maturity Scorecard.
    • Perform initial assessments and analyze results to provide Client with a Findings Report.
    • Provide the Client with self-service access to the DeepSeas Advisory App after initial evaluations and reviews are complete.

    Methodology

    The Security Advisor will follow a standard security strategy program playbook that begins with a rapid onboarding assessment, followed by an External Vulnerability Assessment. Results from these efforts guide Client stakeholders to align budgets and strategic security initiatives to mature their security program.

    The Security Advisory delivery methodology includes the following service elements:

    • Onboarding and Initial Assessment(s)
    • External Vulnerability Assessment (for up to 20 IPs/Hosts)
    • Findings Review Session

    This program consists of the following phases:

    • Phase 1 – Security Advisor Program Mobilization
    • Phase 2 – Conduct Cyber Domain Assessment in DeepSeas Advisory App
    • Phase 3 – Conduct External Vulnerability Assessment
    • Phase 4 – Conduct Findings Review

    Deliverables

    DeepSeas will produce the following deliverables:

    1. DEEPSEAS ADVISORY APP ASSESSMENT RESULTS – DeepSeas will provide Client with an assessment report from DeepSeas Advisory App demonstrating control adherence to in-scope frameworks and regulations.
    2. VULNERABILITY ASSESSMENT DETAILED FINDINGS REPORT – Provides details on discovered vulnerabilities, including a description, potential impact, technical and programmatic recommendations, host identified, and common vulnerability reference(s).

    The Client shall have five (5) business days from receiving a Deliverable provided by DeepSeas to review, evaluate, and provide feedback or acceptance. The Deliverable shall be deemed accepted if DeepSeas receives no written approval or rejection within this time.

    Service Assumptions

    1. Unless otherwise stated in the scope section of this agreement or otherwise in writing, all services are to be performed remotely.
    2. Client to provide URLs or IPs to DeepSeas for scans.
    3. If applicable, consulting hours may be utilized at the discretion of DeepSeas for the completion of the Client's reactive requests. Hours may be consumed for activities outside of the scheduled working sessions and will be communicated to Client in advance.

    Client Responsibilities

    The Client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.

    1. Client to assign a Single Point of Contact (POC) responsible for Client coordination and logistics.
    2. Client is responsible for providing DeepSeas with key stakeholder information such as name and email address to be added to stakeholder register and configured in DeepSeas Advisory App.
    3. The Client is responsible for scheduling and coordination of internal Client resources for all project work.
    4. The Client is responsible for the approval and implementation of draft documents within the organization.
    5. Client to provide necessary access, accurate and up-to-date inventory and asset information, and timely support for the Security Advisor during the assessment, planning, and implementation phases.
    6. Client to ensure that all relevant stakeholders are aware of the planned security measures and are trained to use the new security tools and processes.
    7. Client to review and approve all deliverables produced by the Security Advisor as part of the Project. This includes providing feedback and revisions in a timely manner to ensure that the Project stays on track and meets the agreed-upon timelines.
    8. Client to provide signed approval on the agreed-to Rule of Engagement document. While conducting the vulnerability assessment, a procedural document establishing guidelines for all testing activities and detailing scope of the engagement will be provided. It will include the scope of the vulnerability assessment, outline each party’s responsibilities and the process, the Client’s goal for the engagement, the outputs to be produced, and any potential testing constraints.
    9. Client to allocate appropriate resources to support the Project, including personnel, equipment, and other necessary resources. This may involve reassigning staff members to work on the Project or acquiring new resources as needed.
    10. Client to provide DeepSeas with access to all necessary data and information required for the Project. This may involve collecting and analyzing data related to the organization's current cybersecurity posture, infrastructure, and policies.
    11. Client to maintain open and effective communication with the Security Advisor throughout the Project. This includes promptly responding to requests for information or feedback and providing regular updates on Project progress.

    DeepSeas Responsibilities

    DeepSeas will be responsible for:

    1. Scheduling kickoff meeting, all onboarding interview sessions, working sessions and status calls, as applicable.
    2. Setting up Client in Advisory App and maintaining access through the term of the program.
    3. Completing onboarding surveys/interviews and providing access to Security Maturity Scorecard.
    4. Delivery of draft and final reports for the services contracted by the Client.