This Service Description describes Sophos Compromise Assessment (the “Service” or “Assessment”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
Notwithstanding anything to the contrary in the Agreement, Customer acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/en-us/legal.
SCOPE OF SERVICE
The Service will be delivered entirely remotely over the course of not more than seven (7) consecutive business days beginning on the date of the Scoping Call (the “Assessment Period”).
1. ASSESSMENT PROCESS
1.1. Scoping Call. A call will be conducted to: (i) provide an overview of the Assessment; (ii) allocate responsibilities for performance of necessary tasks between Sophos and Customer; (iii) have Customer provide available information about the potential compromise; (iv) identify devices to be assessed; (v) develop a deployment plan for Service software on devices to be assessed; and (vi) establish a communications plan.
1.2. Sophos Central Health Check. Prior to the Assessment itself, Sophos will perform a health check. This health check will consist of an examination of Customer’s computing estate to:
(i) identify any devices in Customer’s estate with an ‘amber’ or ‘red’ health status;
(ii) identify any devices that have not contacted the console in over two weeks;
(iii) identify devices without all protection software installed;
(iv) review ‘Global Exclusions’;
(v) identify ‘Threat Protection’ policies not using recommended settings; and
(vi) review Tamper Protection status.
1.3. Installation of Service Software. Customer will install the Service Software immediately upon receiving it from Sophos. Troubleshooting assistance with installation, if required, can be provided by Sophos at no additional charge upon request of Customer. Sophos cannot begin the Assessment until the Service Software is installed, and Sophos will not extend the length of the Assessment due to delays caused by Customer failing to install the Service Software in a timely manner.
1.4. Search for indicators of compromise. After installation of Service Software on the devices to be assessed, Sophos will utilize the Service Software in an attempt to identify any indicators of compromise such as: malicious files, unauthorized access, persistence mechanisms, privilege escalation, defense evasion, lateral movement, command and control, credential theft, data exfiltration, or other indicators of compromise.
1.5. Review of any indicators of compromise. Sophos will review the data collected during the search for indicators of compromise to determine whether there may be an active threat or previous compromise; and will report its findings to Customer as follows:
(i) if there is evidence of an active threat, then Sophos will schedule a call to provide Customer with details of the active threat, and to provide Customer with recommendations on steps Customer should take to further investigate and contain the threat;
(ii) if there is evidence that there was a compromise in the past that is not currently ongoing, Sophos will provide Customer with the evidence it has obtained relating to the compromise for use by Customer in further investigation; and
(iii) if no evidence of compromise is found, the Assessment will end.
1.6. Assessment Report and Service Completion. Upon completion of the review of indicators of compromise, if any, Sophos will prepare a written report which will consist of the following:
(i) a summary of the activities undertaken during the investigation;
(ii) a summary of the technical findings;
(iii) recommended next steps Customer should take to further investigate/remediate/mitigate any threat or compromise identified by the Service;
(iv) a summary of the findings from Sophos Central Health Check; and
(v) general recommendations for further action based on the Sophos Central Health Check and the Service.
If no indicators of compromise are found, Sophos will so state in the report.
CUSTOMER ACKNOWLEDGES THAT A LACK OF INDICATORS OF COMPROMISE DOES NOT MEAN THAT NO COMPROMISE EXISTS (OR EXISTED PREVIOUSLY), BUT RATHER MEANS THAT THERE IS NO EXISTING EVIDENCE AT THE TIME THE ASSESSMENT IS PERFORMED. SOPHOS SHALL NOT BE LIABLE TO CUSTOMER FOR DAMAGES OF ANY KIND ARISING OUT OF A COMPROMISE THAT WAS NOT DISCOVERED DURING THE ASSESSMENT.
Customer must provide written acknowledgement to Sophos, within ten (10) days of receipt of the Assessment Report, of Sophos’s completion of the Service. Customer’s failure to acknowledge completion of the Service or to provide reasons for refusing to confirm completion within the ten (10) day period will be deemed to constitute Customer’s acceptance of satisfactory completion of the Service.
2. ADDITIONAL CUSTOMER RESPONSIBILITIES
In addition to the Customer Responsibilities in the Agreement, Customer agrees to: (a) perform all of Customer’s obligations under the Agreement, including the responsibilities agreed during the Scoping Call; and (b) provide additional reasonable cooperation to Sophos in its performance of the Service, including but not limited to, prompt facilitation of all requested access to systems, and necessary permissions. Failure by Customer to perform any of these actions may result in Sophos being unable to perform the Service until such time as Customer performs the required action(s). Sophos will have no liability to Customer for any delay, failure or inability to perform the Service, and will not be required to extend the Assessment Period if such failure or inability results from Customer’s failure to perform its obligations.
Revision Date: 8 August 2022