Orange County NC Website
DocuSign Envelope ID: 88577424-D976-4534-82EF-EEA3A41BAB2A

Statement of Work

Carolinas IT
1600 Hillsborough Street
Raleigh, NC 27605
Corporate: (919) 856-2300 Fax: (919) 856-0420

Effective Date: 20-Nov-2017 Expiration Date: 31-Dec-2017

Client Information:
Orange County
300 West Tryon Street
Hillsborough, NC 27278

Client Contacts:
Carla Julian
Phone/Ext. 919-245-2434
Email: cjulian@orangecountync.gov

Carolinas IT Contacts:
Krista Cathey
Phone/Ext. 919-573-4091
Email: Krista.Cathey@CarolinasIT.com

This Professional Services Agreement covers the services referenced herein. This Agreement shall be subject to all terms and conditions of the Master Agreement. To the extent any provisions of the Master Agreement conflict with the provisions of this Agreement, the provisions of the Master Agreement shall control, except to the extent that the applicable Statement of Work expressly and specifically states an intent to supersede the Master Agreement on a specific matter. The Master Agreement is hereby incorporated and made a part of this Agreement.

This SOW defines exactly what work we are agreeing to do for you. Please DO NOT ASSUME that we are doing something as part of the project that is not specifically listed below.

Overview: The goal of this project is to provide security risk assessments so the client is able to assess, identify and modify their overall security posture and to enable security, operations, organizational management and other personnel to collaborate and view the entire organization from an attacker's perspective.

Initiation Phase: Carolinas IT will work with on-site IT staff/contractors to install and run a HIPAA Security specific data collection tool and gather information required for a complete assessment including:
• Defining the client's Security Officer
• Gaining required access to client's network
• Installation of a network data collector
• Installation of end-point device data collector
• Delivery of a site survey including consultation on its use
• Collection of public IP and wireless information

Implementation Phase: Implementation of the assessments consists of one follow-up assessment and one on-site audit.

The first scan, referred to as the annual on-site assessment, will be initiated immediately following the signing of this SOW or following the anniversary date of the original Security Risk Assessment. Carolinas IT will work with the on-site Security Officer, staff and contractors to complete the HIPAA Security specific data collection tool (installed during the initial assessment) and gather information required to assess progress made towards addressing the vulnerabilities identified in the initial HIPAA Security Management Plan and any subsequent updates to that plan. In addition to those steps, CIT Audit staff will conduct an annual on-site security audit required to validate the changes heretofore documented on the Management Plan.

The second scan will be initiated at a scheduled time approximately six months after completion of the first scan mentioned above. The same steps will be followed to include working with the on-site Security Officer, staff and contractors to complete the HIPAA Security specific data collection tool and gather information required to assess progress made towards addressing the vulnerabilities identified in the most recent HIPAA Security Management Plan.

The project will be implemented according to Carolinas IT best practices and manufacturers' recommendations, while following the below steps:
• On-going support of the data collecting tools
• Interaction with Health Department staff to complete assessment of the environment
• Report generation
• On-site audit to validate mitigating tasks and documented improvements

Deliverables and Closing:
• Following the completion of each scan, the following versioned documents will be delivered:
  o Summary Risk Assessment including comparative risk score (documenting incremental improvement)
  o Risk Management Plan
  o Evidence of HIPAA Compliance Report
• The reports will be presented via web conference. The objectives for the meeting include:
  o Review of the reports and identification of progress made towards mitigating vulnerabilities
  o Continued supervision and consulting of the Risk Management Plan

792094c7-3c00-42b2-aa97-9219813651e8.docx
Page 1 of 4 11/20/2017