Secure Identity Assessment (SIA) - Advanced

Statement of Work

1. Project Summary

This Statement of Work (“SOW”) is issued under, and subject to, the terms and conditions of the Agreement (as that term is defined in the Order Form).

Secure Identity Assessment (“SIA”) sessions are consulting services based on Okta’s best practices that focus on improving the customer’s security posture and hardening the customer’s Okta environment. Okta offers SIA sessions for Workforce Identity Cloud (“WIC”), Auth0, and Customer Identity Solution (“CIS”) customers. In collaboration with Okta Professional Services, the Customer and Okta will prioritize topics within scheduled working sessions.

The customer acknowledges and agrees that:

  • The Services are provided on an advisory basis, for information purposes only and are not intended to convey legal, regulatory, or similar professional advice;
  • Okta will not discover or identify all errors, flaws, vulnerabilities or weaknesses in Customer’s [Okta environment] through the Services described herein;
  • Customer, and not Okta, is solely responsible for the security of its software, systems and products, and Okta’s provision of the Services does not in any way relieve Customer of any responsibility for the design, manufacturing, testing, marketing, sale and security of Customer’s software, systems, and products; and
  • Okta cannot and does not provide any guarantee or warranty that its Services will ensure Customer’s software, systems or products will not be vulnerable, susceptible to exploitation, free from hacking and/or eventually breached, even if Okta’s recommendations are followed.

2. Project Scope

The following activities shall be within the scope of this SOW:

Review up to three (3) Production environments over three (3) weeks. For additional environments, please consult with the Service Architect. Only use the Secure Identity Assessment Delivery Model.

  • One (1) one-hour project kick-off and model scoping session (covered in detail above under Project Kick-Off).
  • Okta will conduct up to three (3) two-hour discovery session(s) over a period from two (2) to four (4) weeks. During these session(s) an Okta Architect and Customer will walk through up to three (3) Okta environments to collect information on security posture for analysis.
  • Okta will conduct up to five (5) two-hour secure identity maturity evaluation assessment sessions delivered over a period from two (2) to four (4) weeks, with each session dedicated to evaluation against a single secure identity maturity control family.
  • Okta Technical Consultant will address detailed questions relating to Okta administration and security configuration that may arise during these sessions.
  • The above sessions can run concurrently or consecutively depending on customer and Okta resource availability.
  • The findings gathered by the Okta SMEs will be reviewed and analyzed by the Okta project team over an additional one (1) week timeframe.
  • After the analysis, the Okta project team will provide the following as final readout deliverables:
    • A categorized readout of security debt based on Okta’s secure identity maturity model, with a detailed roadmap charting a path to increasing the maturity of the key areas.
    • A sequenced set of actions on improving organizational security capability maturity and improving security within the Okta environment(s).
    • A summary of the IT administration team’s Okta knowledge and proficiency.

After the final readout, the Okta project team will provide (based on the knowledge gaps discussed above) a custom education and enablement plan, consisting of recommended training, enablement assets, and certifications that will help reduce security debt due to knowledge gaps.

Customer Obligations

The project sponsor will participate during the project kick-off and final readout sessions, and it is critical the following Customer roles participate in all sessions and readout meetings:

  • Identity Infrastructure Architect / SMEs.
  • Okta Architect / SMEs.
  • Application Architect / SMEs.
  • Security Architect / SMEs.
  • Project Management.

Additional Customer obligations:

  • Ensure that sessions are scheduled and attended by the appropriate resources and SMEs: employees, contractors, or third parties relevant to each session.
  • Ensure that the sessions begin on time and that the resources are available for the duration of the design session.
  • Ensure that all information required for the sessions (pre-work) is prepared in advance of the session (artifacts and proof points collected and available).
  • Provide access to any third-party services or service providers as reasonably required.
  • Provide complete and accurate data for maturity evaluation.
  • Precompile a list of projects that are ongoing or upcoming that may impact the maturity of the evaluated session.

Assumptions

  • The identity security posture review will cover core usage patterns and will not include a review of individual extensions, integrations, and applications.
  • This engagement covers discovery and analysis only. The Customer may contract with Okta for additional consultation or implementation of the recommendations generated.
  • The project team has knowledge of and access to governance documentation and knowledge of system owners for each of the secure identity maturity families.
  • All Okta assessments, reviews, and checklists will be provided on Okta templates and forms.
  • Evaluation of technologies and capabilities outside of the Okta environment will be to assess capability maturity, and will not include an evaluation of technical implementation, best practices, or vulnerabilities.
  • The project communication plan is focused on the communication of the Okta and Customer experience design efforts and is not the Customer's end user or business user communication plan.
  • All design sessions will be scheduled in two (2) hour blocks.
  • Maturity controls identified as N/A, not completed (with artifact and/or proof point), or similar will not be evaluated and will be excluded from overall maturity.

3. Out of Scope

Not all Okta features or products are appropriate for this type of Professional Services engagement or potentially require additional Okta technical resources. The following features, functionality and activities are out of scope for this SOW:

  • Implementation activities.
  • Okta configuration updates.
  • Code, extension, application, and/or integration reviews.
  • Specific configuration examples of non-Okta hardware or software in either maturity assessment or gap analysis.
  • Maturity assessment of vendor-specific or proprietary capabilities of non-Okta hardware or software.
  • Troubleshooting sessions.
  • Remediation of an existing security incident / breach.
  • Specific industry / regulatory compliance or audit checks.
  • Review of Okta Identity Governance, Okta Access Gateway, or Advanced Server Access usage.
  • Any services or activity not specifically included in the Project Scope section of this SOW.
  • Features not supported within the Okta Integration Network (OIN).
  • Any functionality that is part of roadmap, beta or early adopter programs.
  • Customer staging, end user communication, and change management.

4. Fees & Expenses

Customer shall pay Okta the Fees and expenses set forth on the applicable Order Form in accordance with the terms of the Agreement. Actual reasonable and out-of-pocket expenses and taxes are not included herein and will be invoiced separately per the terms of the Agreement.

The Professional Services described in this SOW will be provided on a fixed fee basis. The term of this SOW (“SOW Term”) shall commence on the date the Order Form is fully executed (“Order Form Effective Date”) and shall expire on the earlier of: (a) six (6) months after the Order Form Effective Date, or (b) upon completion of the Project Scope set forth in Section 2. The Professional Services included in this SOW will be available to Customer during a six (6) week period within the SOW Term commencing on the initial Project Kick Off Meeting (as defined above) which may be scheduled after execution of the applicable Order Form. All Professional Services available under this SOW may only be redeemed during the SOW Term. Project delays resulting from Customer’s failure to Cooperate (as defined below) will not extend the SOW Term. Okta is not responsible for and shall be relieved of responsibility for performing any Professional Services which have not been completed during the term due to Customer’s failure to Cooperate or failure to schedule such Professional Services in a timely manner. No refunds or credits will be provided for any Professional Services Fees. Fees will be invoiced upon the execution of the Order Form and will be due in accordance with the terms of the Agreement.

5. Scheduling

Each project begins with a Project Kick Off Meeting to review requirements and to ensure that all stakeholders understand project objectives; identify resources, roles, and responsibilities; identify and mitigate risk; develop a project schedule; and maintain velocity during project execution. As such, both Okta and Customer project managers will be jointly responsible for planning, management and execution of a project schedule for Okta resources.

Okta will provide Professional Services during regular business hours (8:00 a.m. to 5:00 p.m.), Monday through Friday, except holidays (“Business Hours”) of the Okta office which is providing the Services. Okta will work remotely based on a mutually agreed plan throughout the execution of this engagement. Customer must cancel any Professional Services scheduled to be provided at least two (2) business days in advance or it will lose the scheduled working session(s) and that particular session will be marked as complete.

6. Okta Resourcing

The Okta Project team will be assigned and onboarded following the execution of the Order Form, based on current resource availability. If Okta resources are released from the project due to lack of Customer engagement, we do not guarantee their availability when project activity resumes. As a result, new resources may need to be onboarded at the expense of Customer.

Project Manager

  • Main point of contact for Customer
  • Schedules and organizes project kick-off.
  • Coordinates working sessions in collaboration with Customer Project Manager.
  • Tracks / Monitors project progress.
  • Manages any issues that arise.

Okta Architects (Business & Technical)

  • Technical subject matter expert with cloud and on-premise based IT system experience.
  • Documents, reviews, and manages technical requirements for specific cloud-based solutions powered by the Okta platform.
  • Develops architectural and strategic plans for cloud services.
  • Designs and implements identity lifecycle integration with Okta.
  • Provides technical leadership to the project team.

7. Customer Obligations

General Customer Obligations

The Customer will:

  • Remain engaged throughout the duration of the Professional Services by actively participating, providing requested integration information, and otherwise completing its obligations as set forth in this SOW in a timely manner (“Cooperate”).
  • Complete the functional and technical analysis and discovery.
  • Establish a communication and escalation plan including assigning appropriate resources who are knowledgeable about the technical and business aspects involved in the project including a dedicated project manager.
  • Provide access to any third-party services or software, as required.
  • Procure services or software and license rights necessary for the Okta Service to integrate to such services or software.
  • Pay any service provider costs required to enable SSO on applications that are in scope of this engagement.
  • Provide and test all of the necessary remote access by Okta to Customer systems prior to the commencement of the Professional Service.
  • Be responsible for all hardware/virtual machine operating system(s), browser(s), commercial application(s), code for custom developed applications, application/web server(s), directory(s), database, network, proxy, and firewall maintenance and security, as well as an active backup and recovery strategy as applicable for the aforementioned.
  • Provide complete and accurate data for integration with the Okta Service.
  • Prepare and manage all corporate communications and training activities to promote greater adoption and higher satisfaction from Users. Sample communication templates may be provided for Customer use.

8. Assumptions

General Project Assumptions

  • Any service or activity not specifically included in this SOW is not included in the scope of this engagement.
  • Support for out of scope requirements will require the execution of a new SOW with an associated cost. Upon execution of a new SOW, Okta cannot guarantee that the project resources will be reassigned to the new Professional Services engagement.
  • Okta and Customer will work together in good faith to resolve any issues quickly.
  • Scheduling for the Professional Services to be performed is on a first-come, first-served basis and will be mutually agreed upon by the parties prior to the commencement of the Professional Services hereunder.
  • Okta will follow independent software vendor guidelines for supported and deprecated versions of a product.
  • Okta preparation, research, and follow-up activities toward the completion of the Project Scope are billable and may not involve Customer Resources.
  • The Professional Services will be conducted remotely and/or onsite as mutually agreed by both parties.
  • Should any work be required at the Customer's site, travel expenses shall be invoiced in accordance with the Agreement.
  • The customer will be responsible for any fees related to Customer site travel expenses that cannot be refunded due to cancellations, such as airfare.
  • All Professional Services are provided in the English language, unless otherwise agreed to by the parties.