Service Description: OT Security Network Device Management, Monitoring & Response, Risk Assessment S2V Implementation (Vietnam)

SKU Numbers: NUV-SERV-OTS-IWMR-V and NUV-SERV-OTS-IWMR-V-EM

Overview


Nuvolo’s OT Security Setup package provides a best-practice approach to the Standard Feature setup of Nuvolo. The fixed-scope engagement follows a pre-defined setup strategy to streamline the configuration process and focuses on a rapid time-to-value deployment.

Nuvolo’s OT Security Network Device Management module is designed to keep asset information up to date by correlating your Connected Workplace assets with information from your real-time network monitoring solution. Combined with OT Security Monitoring & Response, it keeps that asset information correlated with security-relevant information to help secure the fleet.

Nuvolo’s OT Security Risk Assessment module is designed to provide a framework for performing risk assessments surrounding Operational Technology, building out a risk management framework, and associating controls to mitigate risk. Because of this, it is inherently designed to be configured to the needs of the individual organization.

The OT Security setup package defined below is based on the standard features and functionality included in the Vietnam release.

Pre-Requisites


  • A fully configured ServiceNow instance.
  • Implementation of the Nuvolo Asset & Maintenance Product, supporting Facilities assets and/or Clinical assets.
  • The Nuvolo Location Hierarchy, a shared hierarchical structure that is utilized across all products in Nuvolo.

Implementation Kickoff


Nuvolo and Customer will collaborate for the activation of the Nuvolo application. This marks the start of the engagement. The activation will begin with a kickoff meeting for the teams to meet and review the implementation process.

Nuvolo will:

  • Schedule remote project kickoff meeting for introductions.
  • Create implementation kickoff agenda.
  • Schedule and conduct implementation kickoff:
    • Review project roles and responsibilities.
    • Review Customer’s organizational constraints, as provided by Customer.
    • Review project approval processes to avoid unnecessary delays.
    • Agree on sprint cycle plan with Customer.
    • Understand Customer’s network security requirements and approvals.
    • Review Customer’s and Nuvolo’s escalation processes.
    • Define Customer meeting cadence.
    • Review User Acceptance Testing (UAT) requirements and level of effort.
    • Confirm list of subject matter experts (SMEs) provided by Customer.

Customer will:

  • Define organizational constraints, as applicable.
  • Deliver contact information for functional and technical SMEs to complete self-paced learning at the appropriate times and participate in the implementation.
  • Provide one or more Nuvolo application administrators for each Nuvolo application, as appropriate.
  • Communicate Customer’s network security requirements and approvals, and/or establish them as necessary to support the implementation.
  • Prepare Customer deliverables as identified for the implementation as scheduled.

Network Device Management Installation Activities and Tasks


Nuvolo will:

  • Perform the initial application installation in lower instances (Dev, Stage/Test)

Customer will:

  • Confirm Nuvolo application installation in Customer environments

Matched Assets Workflows Activities and Tasks


Nuvolo will:

  • Discuss the process that will occur with incoming data from the Network Security Monitoring Solution
  • Configure appropriate key/field mappings
  • Configure appropriate identifications

Customer will:

  • Provide sample payload information surrounding the Network Security Monitoring solution
  • Decide which data elements from the payload will be used for updating asset information
  • Define which data elements from the payload will be used for identification purposes

Unmatched Assets Workflows Activities and Tasks


Nuvolo will:

  • Configure workflow surrounding unmatched assets
  • Configure work order auto-generation

Customer will:

  • Decide whether unmatched assets should create work orders for validation
  • Decide whether unmatched assets should automatically create new assets

Vulnerability Data Imports


Nuvolo will:

  • Import Vulnerability Definitions, CPEs, and CWEs into lower-level instances
  • Enable automatic updates of Vulnerability Definitions

Security Alerts and Vulnerability Remediation Work Orders


Nuvolo will:

  • Discuss work orders that will be generated as part of the workflow, and configure work order generation according to Customer’s decision

Customer will:

  • Decide whether automatic work order generation should occur for Security Alerts and Vulnerability Remediation

Environment Cleanup and Integration Enablement


Nuvolo will:

  • Remove unused network security monitoring data sources
  • Remove unused network security monitoring key/field mappings
  • Remove unused network security monitoring identifications
  • Remove unused network security monitoring action scripts
  • Provide data source sys_id for use with Network Security Monitoring integration
  • Associate the web-only user account with the data source for authorization

Customer will:

  • Decide which Network Security Monitoring solution is used for integration purposes
  • Create a web-only user account for use with Network Security Monitoring Solution integration
  • Engage the Network Security Monitoring (NSM) team for any coding that may be required on the NSM side for the integration (e.g., filter updates), and ensure it is completed within the implementation timeline

Risk Assessments and Findings & Controls Activities and Tasks


Nuvolo will:

  • Discuss Risk Assessments, generic Risk Assessment Types, and demonstrate how to create Risk Assessment Types for use in Model Security Lifecycle Profiles
  • Discuss Findings, generic Findings that would be identified and pose a Risk, and how to create Findings and associated Risk scores to be utilized in calculating potential Risk
  • Discuss Controls, generic Controls that could be utilized to mitigate a Finding, and how to create a Control/Finding combination to reduce potential Risk

Customer will:

  • Provide relevant Risk Assessment types if applicable to Customer’s environment. These may be generic, such as Initial Risk Assessment, Follow-Up Risk Assessment or more granular, such as New Purchase – Unknown Risk, Repeat Purchase – Known Risk.

Work Items, Work Assignments, and Delays Activities and Tasks


Nuvolo will:

  • Discuss Work Item Type definitions, configure the potential work items to be completed for a given control, and create work item types for use in Risk Assessments.
  • Discuss Work Assignments that can be used for routing work items created when addressing specific Controls, and demonstrate how to utilize Work Assignments for routing.
  • Discuss potential Delays that can occur when performing a Risk Assessment and their associated details, and demonstrate how to create new delays that may be encountered when performing Risk Assessments.

Customer will:

  • Define any work types to be configured
  • Define any space assignment rules to be utilized for the specified work types
  • Define any associated delays to be configured

Creating Model SLPs and Device Association Activities and Tasks


Nuvolo will:

  • Walk through the process of creating a Model Security Lifecycle Profile for relevant manufacturer, model, and software/firmware definitions for device association
  • Walk through adding Control/Finding combinations to mitigate risk associated with relevant findings

Customer will:

  • Provide a sample Manufacturer, Model, and Software/Firmware definition to be utilized for the creation of a Model SLP

Preparing Work to be Performed and Generating Work Orders


Nuvolo will:

  • Walk through the process of creating tasks associated with addressing findings and implementing controls, and of documenting the procedural information required to perform the steps necessary to complete those tasks
  • Walk through the process of generating planned work orders for devices associated with the Model SLP
  • Generate the work orders for technicians to perform the procedures required to implement the controls for specified findings

Customer will:

  • Provide procedural information to be used for tasks required to address Control/Finding remediation

Dashboards and Reporting Activities and Tasks


Nuvolo’s OT Security Network Device Management and Monitoring & Response contain dashboards and reports, available in the standard application, that provide visibility into the successful correlation of asset information between systems. Nuvolo will review the out-of-the-box reports during this engagement.

Risk Assessment comes with standard reporting functionality; we will review the dashboards and view the status of Model SLPs to track the work items performed for securing the fleet.

User Acceptance Testing (UAT)


Nuvolo will:

  • Provide Customer with access to configuration documentation in Nuvolo’s SDLC instance.
  • Create acceptance criteria required for testing user stories.
  • Package update sets and appropriate XML data and make them available to the Customer for each Development Sprint.
  • Conduct daily check-ins with Customer to review UAT progress and document reported issues.
  • Review, prioritize, and assign issues into one of the following classifications:
    • Defect: There is a flaw with the configuration, which Nuvolo will correct.
    • Training: The issue is due to a tester misunderstanding of functionality and will be corrected via training/education.
    • Enhancement: The issue submitted is not functionality that was agreed upon and was therefore never configured and is out of scope.
  • Make every effort to remediate UAT defects within the UAT period and provide enough time for the Customer to adequately re-test prior to go-live.

Customer will:

  • Create end-to-end process testing plan.
  • Build UAT use cases and lead internal resources through UAT.
  • Migrate update sets and appropriate XML data (i.e., configurations) from sub-production instance(s) to the Production instance.
  • Perform User Acceptance Testing (UAT) in a non-production instance once configuration and unit testing have been completed.
  • Create scenario-based data in sub-production/UAT environment to facilitate UAT.
  • Manage Customer’s UAT resources and day-to-day operations.
  • Report each issue by documenting:
    • A description of the issue
    • Steps to reproduce and/or video recording
    • Expected results
  • Review defect list for accuracy.
  • Review each issue during the UAT Check-ins.
  • Test/re-test remediated defects within 24 hours of notification.

Training


Nuvolo’s OT Security Network Device Management, Monitoring & Response, and Risk Assessment contain multiple components to match and map assets between Nuvolo’s Connected Workplace and your Network Monitoring Solution.

Nuvolo will provide training sessions based upon the OT Security standard features & functionality included in the implementation and delivered as follows:

Role/Persona                           Training Duration*
Security Administrator (OT Security)   1.5 hours
Security Analyst (OT Security)         2.5 hours
Security Assessor (OT Security)

*Assumes one session per role will be conducted. Additional sessions available upon request with an approved Change Order.

  • Training sessions will be conducted remotely and scheduled in 60–90 minute increments based upon content and Customer availability.
  • Training attendees should be limited to no more than twelve (12) trainees to allow ample time for Q&A with the Nuvolo trainer.
  • Training Deliverables include:
    • Instructor-led training via recorded conference calls.
    • Training PPT presentation and subsequent job aids, as applicable. This material will provide the user with instructions on how to use their Nuvolo implementation to perform the functions of daily business activities.

Production Go-Live and Post Go-Live


Nuvolo will:

  • Coordinate schedule for production go-live date and time.
  • Provide go-live support to include documented deployment plan, side-by-side support as Customer migrates update sets and data into production with regular and mutually agreed upon check-in meetings during migration and regression testing.
  • Provide post go-live support (Hypercare) for one week to include daily check-in meetings, defect reports, and knowledge transfer to Nuvolo TE team.
  • Coordinate a transition to Nuvolo’s TE team.

Customer will:

  • Author Customer specific operational policies or work instructions.
  • Send the communication plan(s) as developed and scheduled.
  • Migrate update sets and data into production.

Change Requests


If a change in scope, assumptions, or capability is discovered during the implementation kickoff, Nuvolo will require a Change Request. Any Change Request signed by both parties shall be effective as of the date set forth therein (each, a “Change Order”). Instances in which a Change Order shall be required include: (1) Customer’s requests for out-of-scope Services; (2) discovery of new information that requires an increase in the scope of Services; or (3) Customer’s failure to fulfill any of its responsibilities if such failure delays the Services or requires Nuvolo to incur additional time or costs in performing Services.

If the parties do not agree on a Change Order, the Engagement shall proceed as originally set forth. If, however, the existing Engagement or any specific Services cannot proceed without an executed Change Order, Nuvolo may suspend Services until the Change Order is executed.

Scheduled Timeline


The duration for the setup of the services outlined in this document is up to fourteen (14) weeks.

Delivery Terms


The duration of this deployment is up to fourteen (14) weeks. Any additional effort required related to complexity, scope or project duration will be subject to the change request process.

Any activities or tasks not specifically outlined in this Service Description are out of scope.

Nuvolo Access Requirements


Customer will provide access requirements and policies required of Nuvolo resources, along with onboarding timelines, prior to execution of the S2V Services Order Form. Customer acknowledges that all obligations of Nuvolo under the Order Form will require Nuvolo (including any subcontractors) to have direct access to Customer’s ServiceNow sub-production instance(s). Administrative access will be required in the sub-production instance(s) only, and at no time will Nuvolo have access to the production environment.

Services shall be preconditioned upon Nuvolo receiving such access and proportionately limited to the extent access is denied. Failure to provide timely access may result in timeline delays and cost increases as outlined in the Order Form. Additionally, Customer acknowledges that Nuvolo will leverage a mix of onshore and offshore resources in support of the Engagement.