implemented Incident Response Management template
This commit is contained in:
skyanth
parent
ae017d6638
commit
c03d5e7d31
@ -36,14 +36,14 @@
|
||||
10. For *each* option, check PDF Invoice:
|
||||
a. contents
|
||||
b. layout
|
||||
11. From XML Quote, generate an XML Invoice
|
||||
11. From XML Quote, generate an XML Invoice (that is XML, not FO/PDF!)
|
||||
12. Check XML Invoice validity
|
||||
EXPECTED OUTCOME: document is valid
|
||||
13. Edit XML Invoice:
|
||||
a. Add some bogus description and fee to `<additionalcosts>`
|
||||
b. Set @vat to 'no' for any service/cost
|
||||
14. Check XML Invoice validity
|
||||
EXPECTED OUTCOME: document is valid
|
||||
EXPECTED OUTCOME: document is still valid
|
||||
15. From XML Invoice, generate FO/PDF Invoice
|
||||
16. Check PDF Invoice:
|
||||
a. contents
|
||||
@ -85,7 +85,7 @@
|
||||
|
||||
1. Use the `ratecard.xml` snippet and `generate_ratecard.xsl` to generate a FO/PDF Rate Card.
|
||||
2. Check PDF Rate Card:
|
||||
a. contents (do all placeholders resolve)
|
||||
a. contents (do all placeholders resolve, do the rates have the correct denomination)
|
||||
b. layout
|
||||
|
||||
## Contracts
|
||||
|
||||
@ -1,6 +1,15 @@
|
||||
RELEASE NOTES
|
||||
=============
|
||||
|
||||
June 9th
|
||||
--------
|
||||
|
||||
### Implemented 'Incident Response Management' template
|
||||
|
||||
Works the same as `quickscope.xml`, only you use `ir_quickscope.xml`. Snippet selection depends on the presence of the optional `<organization_readiness_assessment>` element and its contents (other snippets are mandatory).
|
||||
|
||||
Various little buglets have been squashed as well.
|
||||
|
||||
June 8th ('I'm seeing the world in shades of orange' edition)
|
||||
--------
|
||||
|
||||
|
||||
@ -116,15 +116,19 @@
|
||||
<xs:attribute name="lastrevisiondate" type="xs:date"/>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="rate">
|
||||
<xs:complexType>
|
||||
<xs:simpleContent>
|
||||
<xs:extension base="xs:float">
|
||||
<xs:attribute name="title" type="xs:string"/>
|
||||
<xs:extension base="xs:decimal">
|
||||
<xs:attribute name="title" type="xs:string" use="optional"/>
|
||||
<xs:attribute name="denomination" type="xs:string" use="optional"/>
|
||||
</xs:extension>
|
||||
</xs:simpleContent>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
|
||||
<xs:element name="permission_parties">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
@ -262,9 +266,11 @@
|
||||
</xs:choice>
|
||||
<xs:attribute ref="xml:base"/>
|
||||
<xs:attribute ref="class" use="optional"/>
|
||||
<xs:attribute name="id" use="optional" type="xs:ID"/>
|
||||
<xs:attribute ref="xml:lang"/>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
|
||||
<xs:attribute name="class" type="xs:string"/>
|
||||
|
||||
<xs:element name="version_history">
|
||||
|
||||
88
xml/dtd/ir_quickscope.xsd
Normal file
88
xml/dtd/ir_quickscope.xsd
Normal file
@ -0,0 +1,88 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
|
||||
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
|
||||
<xs:import namespace="http://www.w3.org/2001/XInclude"
|
||||
schemaLocation="http://www.w3.org/2001/XInclude/XInclude.xsd"/>
|
||||
<xs:include schemaLocation="common.xsd"/>
|
||||
<xs:element name="ir_quickscope">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="client"/>
|
||||
<xs:element ref="meta"/>
|
||||
<xs:element ref="activity_info"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:element name="meta">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="offer_language"/>
|
||||
<xs:element ref="offer_type"/>
|
||||
<xs:element ref="requested_service"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:element name="offer_language" type="xs:NCName"/>
|
||||
<xs:element name="offer_type" type="xs:NCName"/>
|
||||
<xs:element name="requested_service" type="xs:string"/>
|
||||
|
||||
<xs:element name="activity_info">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="organizational_readiness_assessment" minOccurs="0"/>
|
||||
<xs:element ref="security_incident_management"/>
|
||||
<xs:element ref="technical_artefact_analysis"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="organizational_readiness_assessment">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="rate"/>
|
||||
<xs:element ref="team"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="team">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="member" maxOccurs="unbounded" minOccurs="1"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="member">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="name"/>
|
||||
<xs:element ref="expertise"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="expertise" type="xs:string"/>
|
||||
<xs:element name="security_incident_management" type="ir_service"/>
|
||||
<xs:element name="technical_artefact_analysis" type="ir_service"/>
|
||||
|
||||
<xs:complexType name="ir_service">
|
||||
<xs:sequence>
|
||||
<xs:element ref="rate"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
|
||||
|
||||
<xs:complexType name="block" mixed="true">
|
||||
<xs:choice maxOccurs="unbounded">
|
||||
<xs:group ref="inline-all"/>
|
||||
<xs:group ref="placeholders"/>
|
||||
</xs:choice>
|
||||
<xs:attribute ref="xml:base"/>
|
||||
</xs:complexType>
|
||||
<xs:group name="placeholders">
|
||||
<xs:choice/>
|
||||
</xs:group>
|
||||
</xs:schema>
|
||||
@ -13,9 +13,10 @@
|
||||
<xs:sequence>
|
||||
<xs:element ref="meta"/>
|
||||
<xs:element maxOccurs="unbounded" minOccurs="0" ref="generate_index"/>
|
||||
<xs:element maxOccurs="unbounded" minOccurs="0" ref="div"/>
|
||||
<xs:element maxOccurs="unbounded" ref="section"/>
|
||||
<xs:element maxOccurs="unbounded" minOccurs="0" ref="annex"/>
|
||||
<xs:element maxOccurs="unbounded" minOccurs="1" ref="waivers"/>
|
||||
<xs:element maxOccurs="unbounded" minOccurs="0" ref="waivers"/>
|
||||
</xs:sequence>
|
||||
<xs:attribute ref="xml:lang"/>
|
||||
</xs:complexType>
|
||||
@ -24,11 +25,12 @@
|
||||
<xs:element name="meta">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="title"/>
|
||||
<xs:element ref="offered_service_long"/>
|
||||
<xs:element ref="offered_service_short"/>
|
||||
<xs:element ref="company"/>
|
||||
<xs:element ref="targets"/>
|
||||
<xs:element ref="permission_parties"/>
|
||||
<xs:element ref="targets" minOccurs="0"/>
|
||||
<xs:element ref="permission_parties" minOccurs="0"/>
|
||||
<xs:element ref="activityinfo"/>
|
||||
<xs:element ref="version_history"/>
|
||||
</xs:sequence>
|
||||
@ -43,18 +45,57 @@
|
||||
<xs:element name="activityinfo">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="duration"/>
|
||||
<xs:element ref="persondays"/>
|
||||
<xs:element ref="test_planning"/>
|
||||
<xs:element ref="report_due"/>
|
||||
<xs:element ref="nature"/>
|
||||
<xs:element ref="type"/>
|
||||
<xs:element ref="fee"/>
|
||||
<xs:element ref="duration" minOccurs="0"/>
|
||||
<xs:element ref="persondays" minOccurs="0"/>
|
||||
<xs:element ref="test_planning" minOccurs="0"/>
|
||||
<xs:element ref="report_due" minOccurs="0"/>
|
||||
<xs:element ref="nature" minOccurs="0"/>
|
||||
<xs:element ref="type" minOccurs="0"/>
|
||||
<xs:element ref="fee" minOccurs="0"/>
|
||||
<xs:element ref="organizational_readiness_assessment" minOccurs="0"/>
|
||||
<xs:element ref="security_incident_management" minOccurs="0"/>
|
||||
<xs:element ref="technical_artefact_analysis" minOccurs="0"/>
|
||||
<xs:element minOccurs="0" ref="target_application"/>
|
||||
<xs:element minOccurs="0" ref="target_application_producer"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="organizational_readiness_assessment">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="rate"/>
|
||||
<xs:element ref="team"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="team">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="member" maxOccurs="unbounded" minOccurs="1"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="member">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="name"/>
|
||||
<xs:element ref="expertise"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
|
||||
<xs:element name="expertise" type="xs:string"/>
|
||||
<xs:element name="security_incident_management" type="ir_service"/>
|
||||
<xs:element name="technical_artefact_analysis" type="ir_service"/>
|
||||
|
||||
<xs:complexType name="ir_service">
|
||||
<xs:sequence>
|
||||
<xs:element ref="rate"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
|
||||
<xs:element name="fee">
|
||||
<xs:complexType>
|
||||
@ -158,10 +199,12 @@
|
||||
<xs:element ref="div"/>
|
||||
<xs:element ref="contact"/>
|
||||
<xs:element ref="generate_targets"/>
|
||||
<xs:element name="generate_teammembers"/>
|
||||
<xs:element ref="generate_offer_signature_box"/>
|
||||
</xs:choice>
|
||||
</xs:sequence>
|
||||
<xs:attribute name="id" use="optional" type="xs:ID"/>
|
||||
<xs:attribute name="todo" use="optional" type="xs:string"/>
|
||||
<xs:attribute ref="break" use="optional"/>
|
||||
<xs:attribute ref="xml:base"/>
|
||||
<xs:attribute ref="xml:lang"/>
|
||||
@ -211,8 +254,13 @@
|
||||
<xs:element name="signee_short"/>
|
||||
<xs:element name="signee_street"/>
|
||||
<xs:element name="signee_city"/>
|
||||
<xs:element name="signee_postal_code"/>
|
||||
<xs:element name="signee_country"/>
|
||||
<xs:element name="signee_waiver_rep"/>
|
||||
<xs:element name="signee_legal_rep"/>
|
||||
<xs:element name="ir_ora_rate"/>
|
||||
<xs:element name="ir_sim_rate"/>
|
||||
<xs:element name="ir_taa_rate"/>
|
||||
</xs:choice>
|
||||
</xs:group>
|
||||
|
||||
|
||||
@ -19,7 +19,6 @@
|
||||
<xs:element ref="offer_language"/>
|
||||
<xs:element ref="offer_type"/>
|
||||
<xs:element ref="requested_service"/>
|
||||
<xs:element ref="targets"/>
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
@ -33,6 +32,7 @@
|
||||
<xs:element ref="short_name"/>
|
||||
<xs:element ref="waiver_rep"/>
|
||||
<xs:element ref="address"/>
|
||||
<xs:element ref="postal_code"/>
|
||||
<xs:element ref="city"/>
|
||||
<xs:element ref="country"/>
|
||||
</xs:sequence>
|
||||
@ -41,6 +41,7 @@
|
||||
<xs:element name="activity_info">
|
||||
<xs:complexType>
|
||||
<xs:sequence>
|
||||
<xs:element ref="targets"/>
|
||||
<xs:element ref="days"/>
|
||||
<xs:element ref="persondays"/>
|
||||
<xs:element ref="nature"/>
|
||||
@ -62,7 +63,6 @@
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:element name="application_name" type="xs:NCName"/>
|
||||
<xs:element name="rate" type="xs:integer"/>
|
||||
|
||||
<xs:complexType name="block" mixed="true">
|
||||
<xs:choice maxOccurs="unbounded">
|
||||
|
||||
@ -33,12 +33,12 @@
|
||||
</xs:sequence>
|
||||
</xs:complexType>
|
||||
</xs:element>
|
||||
<xs:element name="generate_raterevisiondate"/>
|
||||
|
||||
<xs:complexType name="block" mixed="true">
|
||||
<xs:choice maxOccurs="unbounded">
|
||||
<xs:group ref="inline-all"/>
|
||||
<xs:group ref="placeholders"/>
|
||||
<xs:element ref="generate_raterevisiondate"/>
|
||||
<xs:element name="generate_raterevisiondate"/>
|
||||
</xs:choice>
|
||||
<xs:attribute ref="xml:base"/>
|
||||
<xs:attribute ref="class"/>
|
||||
@ -49,7 +49,6 @@
|
||||
<xs:element name="client_long"/>
|
||||
<xs:element name="client_short"/>
|
||||
<xs:element name="client_rate"/>
|
||||
<xs:element name="generate_average_rate"/>
|
||||
<xs:element name="company_long"/>
|
||||
<xs:element name="company_short"/>
|
||||
<xs:element name="company_poc1"/>
|
||||
|
||||
@ -9,8 +9,7 @@
|
||||
The contract snippets in this repo are provided as an example and should not be used for official contracts. It is the responsibility of the end user to edit the contract snippets and code so that the resulting contract is valid and watertight in the context of their own business operations and legal system. -->
|
||||
<xi:include href="snippets/company_info.xml"/>
|
||||
<scope>
|
||||
<contract_type>fixed_term
|
||||
</contract_type><!-- single_engagement|fixed_term|non_zzp -->
|
||||
<contract_type>fixed_term</contract_type><!-- single_engagement|fixed_term|non_zzp -->
|
||||
<engagement_description>battling the pirates</engagement_description>
|
||||
<secondpartyrole>Contractor
|
||||
</secondpartyrole><!-- what contractor will be referred to throughout the contract. Can be anything, but should probably be Consultant or Contracting Party. When in doubt, leave as is. -->
|
||||
|
||||
40
xml/source/ir_quickscope.xml
Normal file
40
xml/source/ir_quickscope.xml
Normal file
@ -0,0 +1,40 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<ir_quickscope xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
xmlns:xml="http://www.w3.org/XML/1998/namespace"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="../dtd/ir_quickscope.xsd">
|
||||
|
||||
<!-- COMPANY INFO -->
|
||||
<xi:include href="client_info.xml"/>
|
||||
|
||||
<!-- DOCUMENT INFO -->
|
||||
<meta>
|
||||
<!-- Language the offer should be in (en|nl) -->
|
||||
<offer_language>en</offer_language>
|
||||
<!-- Offer type -->
|
||||
<offer_type>incident-response</offer_type>
|
||||
<!-- Requested service -->
|
||||
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
|
||||
<requested_service>Incident Response Management</requested_service>
|
||||
</meta>
|
||||
|
||||
<!-- ACTIVITY INFO -->
|
||||
<activity_info>
|
||||
<organizational_readiness_assessment><!-- Delete complete organizational_readiness_assessment element if not needed! -->
|
||||
<rate denomination="eur">100000</rate><!-- flat rate! -->
|
||||
<team>
|
||||
<member><name>Firstname Lastname</name><expertise>Expertise with technical and organizational readiness</expertise></member>
|
||||
<member><name>Firstname Lastname</name><expertise>Expertise with technical and operational readiness</expertise></member>
|
||||
<member><name>Firstname Lastname</name><expertise>Expertise with technical and legal readiness</expertise></member>
|
||||
</team>
|
||||
</organizational_readiness_assessment>
|
||||
<security_incident_management>
|
||||
<rate denomination="eur">250</rate><!-- rate per person-hour -->
|
||||
</security_incident_management>
|
||||
<technical_artefact_analysis>
|
||||
<rate denomination="eur">250</rate><!-- rate per person-hour -->
|
||||
</technical_artefact_analysis>
|
||||
</activity_info>
|
||||
|
||||
</ir_quickscope>
|
||||
@ -59,6 +59,14 @@
|
||||
<translation xml:lang="nl">training</translation>
|
||||
<translation xml:lang="en">training</translation>
|
||||
</string>
|
||||
<string id="coverpage_service_incident-response">
|
||||
<translation xml:lang="nl">incidentresponsmanagement</translation>
|
||||
<translation xml:lang="en">incident response management</translation>
|
||||
</string>
|
||||
<string id="coverpage_service_incident-response_short">
|
||||
<translation xml:lang="nl">incidentrespons</translation>
|
||||
<translation xml:lang="en">incident response</translation>
|
||||
</string>
|
||||
<string id="coverpage_for">
|
||||
<translation xml:lang="nl">VOOR</translation>
|
||||
<translation xml:lang="en">FOR</translation>
|
||||
|
||||
@ -0,0 +1,6 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<div><p><company_long/> suggests to offer the following key incident response services to <client_long/></p>
|
||||
<ul><li>Organizational readiness assessment for incident response (including a presentation and training session)</li>
|
||||
<li>Security Incident Management</li>
|
||||
<li>Technical Artefact Analysis</li></ul>
|
||||
<p>Prior to providing security incident services, <company_short/> strongly advises <client_long/> to conduct a ‘readiness assessment’. A readiness assessment analyzes the current state of <client_short/> and provides advice to prepare and improve its capabilities for incident response handling.</p></div>
|
||||
@ -0,0 +1,71 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<section>
|
||||
<title>Organizational Readiness Assessment for incident response</title>
|
||||
<section>
|
||||
<title>Scope</title>
|
||||
<p>A readiness assessment analyzes the current organizational, operational, technical and
|
||||
legal incident response capabilities of the client for specifically incident response
|
||||
management:</p>
|
||||
|
||||
<ul>
|
||||
<li>Organizational status analysis focuses on the governance and communication lines
|
||||
both within the organization as well as with external stakeholders: <ul>
|
||||
<li>Are there playbooks ready in case of incidents?</li>
|
||||
<li>How will other departments and teams of <client_short/>
|
||||
be informed in case of
|
||||
incidents?</li>
|
||||
<li>How will management be informed and advised about actions to be taken?</li>
|
||||
<li>Will and if so how will external stakeholders of <client_short/> be informed?</li>
|
||||
</ul></li>
|
||||
<li>Operational status analysis focuses on the ticketing, triage, assignment,
|
||||
processing, and closure process of an incident. Underlying documents:<ul>
|
||||
<li>Availability of documents, reports and logs (e.g. user accounts, contact points, etc.)</li>
|
||||
<li>Quality of documents, reports and logs (e.g. level of detail, retention period, etc.)</li>
|
||||
<li>Are there standardized procedures and systems in place for incident management?</li>
|
||||
</ul></li>
|
||||
<li>Technical status analysis focuses on for instance:<ul>
|
||||
<li>Asset management and information (do you know where
|
||||
your systems are, specifications of the systems, up-to-date
|
||||
network diagrams, etc.)</li>
|
||||
<li>Analytics and monitoring environment</li>
|
||||
<li>Other tools needed</li>
|
||||
</ul></li>
|
||||
<li>Legal status analysis includes questions as:<ul>
|
||||
<li>Communication and contacts with national authorities in
|
||||
case of responsible disclosure of incidents</li>
|
||||
<li>Existence and quality of procedures for contact with the
|
||||
police, prosecutors and lawyers to maintain ‘chain of custody’</li>
|
||||
</ul></li>
|
||||
|
||||
</ul>
|
||||
<p>The readiness assessment not only provides a picture of the current state and setup, but also includes recommendations for <client_short/> to improve its organizational, operational, technical and legal capabilities for incident response handling. Advice can be given regarding the architectural design of the organization as well as how to set up monitoring.</p>
|
||||
</section>
|
||||
<section>
|
||||
<title>Prerequisites</title>
|
||||
<p>The client will provide at least one (1) single point of contact who will act as counterpart for the <company_short/> team. The point of contact will help in setting up interviews with e.g. other departments and management and respond to questions and requests from the <company_short/> team (e.g. information and/or access regarding <client_short/> systems).</p>
|
||||
<p>An option would also be to hold a workshop and team exercise to assess incident response readiness.</p>
|
||||
</section>
|
||||
<section>
|
||||
<title><company_short/> team</title>
|
||||
<p>A <company_short/> team will carry out the readiness assessment. <company_short/> team members will be:</p>
|
||||
<generate_teammembers/>
|
||||
</section>
|
||||
<section>
|
||||
<title>Effort
|
||||
estimation and result</title>
|
||||
<p>The duration for the assessment will be two to four weeks (depending on
|
||||
the access and speed of responses of the client’s contact persons to requests of the <company_short/> team). A report will be drafted after the assessment. The report includes a non-technical summary for management.</p>
|
||||
<p>The number of person-hours estimated for a readiness assessment for incident response services is 160 hours. Part of the assessment will be a training day by the <company_short/> team to:</p>
|
||||
<ul>
|
||||
<li>to familiarize participants with the incident management process in detail; how to improve incident handling techniques, best practices for publishing communications about incidents, working with the media, and testing and verifying incident management processes.</li>
|
||||
<li>equip participants with skills to work with information sources to
|
||||
gather critical information, including open-source intelligence and proprietary intelligence as well as examining processes for information exchange.</li>
|
||||
<li>expose participants to methods for incident coordination with a focus on how to handle major security events and coordinate incident responses with external entities</li>
|
||||
</ul>
|
||||
</section>
|
||||
<section>
|
||||
<title>Pricing</title>
|
||||
<p>The costs for the readiness assessment are estimated at <ir_ora_rate/> excluding tax.</p>
|
||||
</section>
|
||||
</section>
|
||||
@ -0,0 +1,93 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<section>
|
||||
<title>Security Incident Management</title>
|
||||
|
||||
<section>
|
||||
<title>Scope</title>
|
||||
<p><company_short/> will work with clients and agreed subject matter experts and stakeholders to coordinate the response to information security incidents. Incidents are events that have a significant probability to compromise a client’s operations and/or assets. Incidents can be:</p>
|
||||
|
||||
<ul>
|
||||
<li>Business E-Mail Spoofing / Compromise</li>
|
||||
<li>System infected with malware (not detected by virus scanner)</li>
|
||||
<li>Website was hacked or is serving malware</li>
|
||||
<li>DDOS attacks</li>
|
||||
<li>Policy breaches / bypasses of security controls</li>
|
||||
</ul>
|
||||
<p>Actions of <company_short/> include:</p>
|
||||
<ol>
|
||||
<li><b>response planning</b><br/>
|
||||
<company_short/> will work with impacted client and relevant stakeholder to assess the status of the information security incident as well as to plan and agree actions to contain and mitigate the threat for the organization</li>
|
||||
<li><b>response advisory</b><br/><company_short/> will support clients with proposing actions to be taken to contain, investigate and communicate the information security incident</li>
|
||||
<li><b>incident status updates and incident notifications</b><br/><company_short/> will maintain regular incident status updates and report those to given contact persons. <company_short/> can draft communications for senior manager or third parties. <company_short/> can support in incident inquiries on request</li>
|
||||
<li><b>technical analysis and incident management</b><br/><company_short/> will provide technical assistance to resolve the incident and
|
||||
advice to the client for actions to be undertaken</li>
|
||||
<li><b>post-incident recommendations</b><br/><company_short/> provides recommendations - to the extent possible from the information security incident - to the client organization improve their information security incidents prevention, technical and response capability</li>
|
||||
</ol>
|
||||
</section>
|
||||
<section>
|
||||
<title>Prerequisites</title>
|
||||
<p>The client will provide at least one (1) single point of contact who will support with planning including navigate the organization, assessing impacts, making decisions and coordinate execution of organizational tasks</p>
|
||||
<p>The client collaborates with and enables <company_short/> to deliver the services by including to:</p>
|
||||
<ul>
|
||||
<li>provide organizational expertise and decision making</li>
|
||||
<li>participate in incident calls and meeting</li>
|
||||
<li>provide access to the client’s technical environment and systems</li>
|
||||
<li>provide relevant information and data</li>
|
||||
<li>use a template for data incident notifications</li>
|
||||
<li>provide guidance on organizational, industry or country specific
|
||||
policies, laws and regulations</li>
|
||||
<li>if appropriate, provide appropriate access to communication and
|
||||
data exchange platforms as well as data (like email)</li>
|
||||
<li>if required, review, approve and perform official notifications to
|
||||
authorities</li>
|
||||
</ul>
|
||||
</section>
|
||||
<section>
|
||||
<title>Out of Scope</title>
|
||||
<p>Within the security incident management services <company_short/> WILL NOT:</p>
|
||||
<ul>
|
||||
<li>take decisions by itself that are in the remit of the client’s
|
||||
responsibility (like shutting down servers)</li>
|
||||
<li>provide information to anyone else but the client, agreed subject
|
||||
matter experts and stakeholders during the incident</li>
|
||||
<li>perform legally sound forensic data analysis and acquisition. <company_short/>
|
||||
will suggest potential partner firms to the client who are licensed for legally sound forensic data analysis. <company_short/> can support in legal forensic analysis, but the client will be responsible for the data acquisition as well as establish and ensure compliance to the necessary procedures (such as chain of custody)</li>
|
||||
<li>provide 24/7 security event monitoring; the client is responsible to alert <company_short/> in case of a potential incident</li>
|
||||
</ul>
|
||||
</section>
|
||||
<section><title>Service levels</title>
|
||||
<p>Security Incident Management Services are provided 09:00 to 18:00 CET. 24/7 support is available upon request and subject to extra charges.</p>
|
||||
<p>A service request can be made through:</p>
|
||||
<ul>
|
||||
<li>email: incident@radicallyopensecurity.com</li>
|
||||
<li>phone: to be delivered</li>
|
||||
<li>PGP KEY: to be delivered</li>
|
||||
</ul>
|
||||
<p>Specific service level agreements regarding response times are dependent on the current setup at and availability of <client_short/> personnel during incidents.</p>
|
||||
</section>
|
||||
<section>
|
||||
<title>Effort estimation</title>
|
||||
<p>By nature a security incident’s handling efforts cannot be defined
|
||||
beforehand. The case can evolve in different directions. In order to allow for a rough idea on potential costs, there are some rough estimations on work items and their estimated average time during incident handling. Work items include administration, preparation and wrap-up. All work items are discussed and agreed during incident handling.</p>
|
||||
<p>For each work item a rough estimate is:</p>
|
||||
<ul>
|
||||
<li>Incident Status Call: ~ 2,5h</li>
|
||||
<li>Incident Communication Draft: ~ 1h</li>
|
||||
<li>Incident Update: ~ 1h</li>
|
||||
<li>Incident Status Check: ~ 1h</li>
|
||||
<li>Incident Interview: ~ 3h</li>
|
||||
<li>Incident Review: ~ 4h</li>
|
||||
<li>Technical assistance: ~ 1 to 40+h</li>
|
||||
</ul>
|
||||
<p>After the incident, the incident documentation is key. For incident documentation we recommend to calculate ~ 1/5 of the incident’s overall handling time.</p>
|
||||
<p>Important note: These are average estimates to give an idea of potential budget impacts.</p>
|
||||
</section>
|
||||
<section>
|
||||
<title>Pricing</title>
|
||||
<p>Pricing
|
||||
Incident response management costs <ir_sim_rate/> per person-hour excluding tax and travel expenses.</p>
|
||||
<p>The team will be formed based on the urgency and skills needed. Client team members can ‘peek over our shoulders’ during incident response management services.</p>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@ -0,0 +1,54 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<section><title>Technical Artefact Analysis</title>
|
||||
|
||||
|
||||
|
||||
<section><title>Scope</title>
|
||||
<p><company_short/> will support clients in analyzing technical artefacts of an
|
||||
information security incident. This includes:</p>
|
||||
<ol><li><b>Data Assessment</b><br/>
|
||||
<company_short/> will analyze data, in particular for being or containing
|
||||
malicious software</li>
|
||||
<li><b>Analysis</b><br/>
|
||||
<company_short/> will use practices and techniques to extract data and
|
||||
indicators from artefacts such as E-Mails, files or malware</li>
|
||||
<li><b>Attribution</b><br/>
|
||||
<company_short/> will attribute artefacts to the best possible to known threats,
|
||||
campaigns and exploited attack vectors</li>
|
||||
<li><b>Indicator of Compromise</b><br/>
|
||||
<company_short/> will use the incidents indicators of compromise and attribution to identify related information or other indicators</li></ol></section>
|
||||
|
||||
|
||||
<section><title>Prerequisites</title>
|
||||
<p>The client will provide at least one (1) single point of contact who will act as counterpart for the <company_short/> team. Technical analysis requires the client to provide the correct, original data and potential context. This includes:</p>
|
||||
<ul><li>E-mails to be analyzed need to be the originally received e-mail with all its header information</li>
|
||||
<li>(Suspected) malware must be attached in a zip or tar archive with password "infected"</li>
|
||||
<li>Prior to submitting service request, the client validated that the data can be submitted for analysis without additional controls and in line with applicable policies, laws and regulations</li>
|
||||
<li><company_short/> must be informed about details on the artefact for any artefact submitted which does not contain all the original information</li></ul></section>
|
||||
<section><title>Out of scope</title>
|
||||
<p>Within the technical artefact analysis <company_short/> WILL NOT:</p>
|
||||
<ul><li>perform legally sound forensic data analysis and acquisition. <company_short/> will suggest potential partner firms to the client who are licensed for legally sound forensic data analysis. <company_short/> can support in legal forensic analysis, but the client will be responsible for the data acquisition as well as establish and ensure compliance to the necessary procedures (such as chain of custody)</li></ul></section>
|
||||
<section><title>Service levels</title>
|
||||
<p>Technical Analysis Services can be requested between 09:00 to 18:00 CET. 24/7 support is available upon request and extra charge
|
||||
A service request can be requested through:</p>
|
||||
<ul><li>email: incident@radicallyopensecurity.com</li>
|
||||
<li>phone: to be delivered</li>
|
||||
<li>PGP KEY: to be delivered</li>
|
||||
<li>RocketChat</li></ul>
|
||||
<p>Specific service level agreements regarding response times are dependent on the current setup at and availability of <client_short/> personnel during analyses.</p></section>
|
||||
<section><title>Effort
|
||||
estimation</title>
|
||||
<p>Technical analysis of artefacts can be easy and straight forward or be
|
||||
very complex. In order to allow for an idea on potential costs, here are some rough estimations on work items and their estimated average time to analyze. Work items include administration, preparation and reporting aspects. For each estimate:</p>
|
||||
<ul><li>Malware Automated Assessment Report: ~ 0,5 h</li>
|
||||
<li>Malware Manual Reverse Engineering: ~ 4h to 40+h</li>
|
||||
<li>E-mail Analysis (Scam): ~ 0,5 h</li>
|
||||
<li>E-mail Analysis including Malware: ~ 1,5 h</li>
|
||||
<li>Analysis of IP addresses (<=10): ~ 0,25 h</li>
|
||||
<li>Analysis of IP Links: ~ 0,25 h</li></ul>
|
||||
<p><b>Important note:</b> These are average estimates to give an idea of potential budget impacts.</p></section>
|
||||
|
||||
<section><title>Pricing</title>
|
||||
<p>Technical artefact analysis costs <ir_taa_rate/> per person-hour excluding tax and travel expenses.
|
||||
The team will be formed based on the urgency and skills needed. Client team members can ‘peek over our shoulders’ during technical artefact analysis services.</p></section>
|
||||
</section>
|
||||
@ -8,7 +8,7 @@
|
||||
|
||||
<p>
|
||||
<b><i><signee_long/></i> (<i><signee_short/></i>)</b>, with its registered office at
|
||||
<signee_street/>, <signee_city/>, <signee_country/> and duly represented by
|
||||
<signee_street/>, <signee_postal_code/> <signee_city/>, <signee_country/> and duly represented by
|
||||
<b><signee_waiver_rep/></b>
|
||||
</p>
|
||||
|
||||
|
||||
@ -2,12 +2,12 @@
|
||||
<section>
|
||||
<title>Planning en Betaling</title>
|
||||
<p><company_short/> houdt de volgende planning aan voor haar werkzaamheden:</p>
|
||||
<p>
|
||||
|
||||
<ul>
|
||||
<li><company_short/> voert <company_svc_short/> uit op het doelwit: <p_testingduration/>.</li>
|
||||
<li><company_short/> levert het definitieve rapport: <p_reportdue/>.</li>
|
||||
</ul>
|
||||
</p>
|
||||
|
||||
|
||||
<p>Ons vaste tarief voor de bovenstaand beschreven
|
||||
<company_svc_short/> is <p_fee/>,- excl. BTW en bijkomende kosten.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<standard_waiver>
|
||||
<title><company_svc_short/> - VRIJWARINGSVERKLARING</title>
|
||||
|
||||
<p><b><i><signee_long/></i> (<i><signee_short/></i>)</b>, statutair gevestigd te <signee_street/> <signee_city/>
|
||||
<p><b><i><signee_long/></i> (<i><signee_short/></i>)</b>, statutair gevestigd te <signee_street/>, <signee_postal_code/> <signee_city/>
|
||||
en in deze rechtsgeldig vertegenwoordigd door <b><signee_legal_rep/></b></p>
|
||||
|
||||
<p><b>OVERWEGENDE DAT:</b></p>
|
||||
@ -28,9 +28,9 @@ in de veiligheid van deze systemen. <company_short/> zal zich daartoe toegang ve
|
||||
deze systemen om op zoek te gaan naar kwetsbaarheden. Vervolgens zal worden getracht
|
||||
dergelijke kwetsbaarheden uit te buiten om verdere toegang en verhoogde privileges
|
||||
te bemachtigen. <company_short/> zal de volgende doelwitten testen (de “Doelwitten”):
|
||||
<generate_targets/>
|
||||
</p>
|
||||
<p>2. <signee_short/> verklaart hierbij <company_short/> en de Consultants – op een datum die
|
||||
<generate_targets/>
|
||||
<p>2. <signee_short/> verklaart hierbij <company_short/> en de Consultants – op een datum die
|
||||
per email zal worden bevestigd – de meest uitvoerige toestemming te verlenen voor
|
||||
het uitvoeren van de opdracht, waaronder toestemming om:</p>
|
||||
|
||||
@ -58,9 +58,6 @@ tegen <company_short/> of de Consultants die door <company_short/> zijn ingescha
|
||||
ter uitvoering van de opdracht voor de Klant, dan zal <signee_short/> zijn volledige
|
||||
medewerking verlenen aan <company_short/> in diens verweer tegen een dergelijk onderzoek of strafzaak,
|
||||
waaronder het verschaffen van bewijs dat verband houdt met dit onderzoek of de strafzaak.</p>
|
||||
|
||||
<generate_waiver_signature_box/>
|
||||
|
||||
</standard_waiver>
|
||||
</waivers>
|
||||
|
||||
|
||||
@ -101,6 +101,7 @@
|
||||
<snippet>waiver</snippet>
|
||||
</snippet_group>
|
||||
</selection>
|
||||
|
||||
<selection subtype="training">
|
||||
<snippet_group set="group1">
|
||||
<snippet>introandscope</snippet>
|
||||
@ -114,6 +115,7 @@
|
||||
<snippet>waiver</snippet>
|
||||
</snippet_group>
|
||||
</selection>
|
||||
|
||||
<selection subtype="other">
|
||||
<!-- standard -->
|
||||
<snippet_group set="group1">
|
||||
@ -136,7 +138,23 @@
|
||||
<snippet>waiver</snippet>
|
||||
</snippet_group>
|
||||
</selection>
|
||||
|
||||
<selection subtype="incident-response">
|
||||
<snippet_group set="group1">
|
||||
<snippet>intro_incident-response</snippet>
|
||||
</snippet_group>
|
||||
<snippet_group set="organizational_readiness_assessment">
|
||||
<snippet>organizational_readiness_assessment</snippet>
|
||||
</snippet_group>
|
||||
<snippet_group set="group2">
|
||||
<snippet>security_incident_management</snippet>
|
||||
<snippet>technical_artefact_analysis</snippet>
|
||||
</snippet_group>
|
||||
</selection>
|
||||
|
||||
</document>
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- CONTRACTS -->
|
||||
@ -401,40 +419,5 @@
|
||||
</selection>
|
||||
|
||||
|
||||
<!--<selection subtype="fixed_term">
|
||||
<snippet_group set="parties">
|
||||
<!-\- define parties in contract -\->
|
||||
<snippet>parties</snippet>
|
||||
</snippet_group>
|
||||
<snippet_group set="whereas">
|
||||
<!-\- define conditions -\->
|
||||
<snippet>wa_contractorcan</snippet>
|
||||
<snippet>wa_noemploymentintention</snippet>
|
||||
</snippet_group>
|
||||
<snippet_group set="agree1">
|
||||
<!-\- define agreement, first part -\->
|
||||
<snippet>ag_period</snippet>
|
||||
<snippet>ag_noemployment</snippet>
|
||||
<snippet>ag_companyinstructs</snippet>
|
||||
<snippet>ag_ownrisk</snippet>
|
||||
</snippet_group>
|
||||
<snippet_group set="workinghours">
|
||||
<!-\- define working hours (this snippet is isolated because it is subject to some extra logic - not all fixed term contracts have working hours defined) -\->
|
||||
<snippet>ag_workinghours</snippet>
|
||||
</snippet_group>
|
||||
<snippet_group set="agree2">
|
||||
<!-\- define rest of agreement -\->
|
||||
<snippet>ag_payment_fixed_term</snippet>
|
||||
<snippet>ag_biggerscopewarning</snippet>
|
||||
<snippet>ag_propertyrights</snippet>
|
||||
<snippet>ag_retainrights</snippet>
|
||||
<snippet>ag_nondisclosure</snippet>
|
||||
<snippet>ag_responsibilities</snippet>
|
||||
<snippet>ag_thirdparty</snippet>
|
||||
<snippet>ag_liability</snippet>
|
||||
<snippet>ag_provisions</snippet>
|
||||
<snippet>ag_generaltermsandconditions</snippet>
|
||||
</snippet_group>
|
||||
</selection>-->
|
||||
</document>
|
||||
</snippet_selection>
|
||||
|
||||
@ -967,28 +967,6 @@
|
||||
</xsl:choose>
|
||||
</xsl:template>
|
||||
|
||||
<xsl:template match="generate_average_rate">
|
||||
<xsl:if
|
||||
test="not(//meta//client/rates/rate[@title = 'juniorpentester']) or not(//meta//client/rates/rate[@title = 'mediorpentester'])">
|
||||
<fo:block xsl:use-attribute-sets="errortext">Generated average rate is based on
|
||||
'juniorpentester' and 'mediorpentester' roles, which cannot be found in
|
||||
client_info.xml</fo:block>
|
||||
</xsl:if>
|
||||
<xsl:variable name="juniorrate"
|
||||
select="//meta//client/rates/rate[@title = 'juniorpentester'] * 1"/>
|
||||
<xsl:variable name="mediorrate"
|
||||
select="//meta//client/rates/rate[@title = 'mediorpentester'] * 1"/>
|
||||
<xsl:variable name="avg" select="($juniorrate + $mediorrate) div 2"/>
|
||||
<xsl:variable name="roundedavg" select="round($avg div 5) * 5"/>
|
||||
<xsl:call-template name="getDenomination"/>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:value-of select="$roundedavg - 10"/>
|
||||
<xsl:text> - </xsl:text>
|
||||
<xsl:call-template name="getDenomination"/>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:value-of select="$roundedavg + 10"/>
|
||||
</xsl:template>
|
||||
|
||||
<xsl:function name="my:titleCase" as="xs:string">
|
||||
<xsl:param name="s" as="xs:string"/>
|
||||
<xsl:choose>
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
<xsl:import href="structure.xslt"/>
|
||||
<xsl:import href="att-set.xslt"/>
|
||||
<xsl:import href="block.xslt"/>
|
||||
<xsl:import href="findings.xslt"/>
|
||||
<!--<xsl:import href="findings.xslt"/>-->
|
||||
<xsl:import href="auto.xslt"/>
|
||||
<xsl:import href="table.xslt"/>
|
||||
<xsl:import href="lists.xslt"/>
|
||||
@ -61,13 +61,7 @@
|
||||
</xsl:for-each>
|
||||
</xsl:variable>
|
||||
|
||||
<xsl:variable name="denomination">
|
||||
<xsl:choose>
|
||||
<xsl:when test="/offerte/meta/activityinfo/fee/@denomination = 'eur'">€</xsl:when>
|
||||
<xsl:when test="/offerte/meta/activityinfo/fee/@denomination = 'usd'">$</xsl:when>
|
||||
<xsl:when test="/offerte/meta/activityinfo/fee/@denomination = 'gbp'">£</xsl:when>
|
||||
</xsl:choose>
|
||||
</xsl:variable>
|
||||
|
||||
|
||||
<!-- ROOT -->
|
||||
<xsl:template match="/">
|
||||
@ -91,9 +85,7 @@
|
||||
<xsl:value-of select="upper-case(company/full_name)"/>
|
||||
</fo:block>
|
||||
<fo:block xsl:use-attribute-sets="for">
|
||||
<xsl:call-template name="getString">
|
||||
<xsl:with-param name="stringID" select="'coverpage_offer'"/>
|
||||
</xsl:call-template>
|
||||
<xsl:value-of select="//meta/title"/>
|
||||
</fo:block>
|
||||
<fo:block xsl:use-attribute-sets="title-0">
|
||||
<xsl:value-of select="upper-case(offered_service_long)"/>
|
||||
|
||||
263
xml/xslt/ir2offerte.xsl
Normal file
263
xml/xslt/ir2offerte.xsl
Normal file
@ -0,0 +1,263 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
||||
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:fo="http://www.w3.org/1999/XSL/Format" exclude-result-prefixes="xs" version="2.0">
|
||||
|
||||
|
||||
<xsl:import href="localisation.xslt"/>
|
||||
<xsl:import href="snippets.xslt"/>
|
||||
|
||||
<xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>
|
||||
|
||||
|
||||
<xsl:variable name="lang" select="/ir_quickscope/meta/offer_language/text()"/>
|
||||
<xsl:param name="snippetBase" select="'offerte'"/>
|
||||
<xsl:variable name="snippetSelectionRoot"
|
||||
select="document('../source/snippets/snippetselection.xml')/snippet_selection/document[@type = $docType]"/>
|
||||
|
||||
<xsl:variable name="docType" select="'offerte'"/>
|
||||
<xsl:variable name="docSubType" select="/ir_quickscope/meta/offer_type"/>
|
||||
|
||||
<!-- ROOT -->
|
||||
<xsl:template match="/">
|
||||
|
||||
<offerte xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
<xsl:attribute name="xml:lang">
|
||||
<xsl:value-of select="$lang"/>
|
||||
</xsl:attribute>
|
||||
<xsl:comment>document meta information; to be filled in by the offerte writer</xsl:comment>
|
||||
<meta>
|
||||
<title>PROPOSAL</title>
|
||||
<offered_service_long>
|
||||
<!-- if known type, use long service name from localisationstrings.xml; otherwise, use long service name provided in quickscope -->
|
||||
<xsl:choose>
|
||||
<xsl:when test="/ir_quickscope/meta/offer_type != 'other'">
|
||||
<xsl:call-template name="getString">
|
||||
<xsl:with-param name="stringID"
|
||||
select="concat('coverpage_service_', /ir_quickscope/meta/offer_type)"
|
||||
/>
|
||||
</xsl:call-template>
|
||||
</xsl:when>
|
||||
<xsl:otherwise>
|
||||
<xsl:value-of select="/ir_quickscope/meta/requested_service"/>
|
||||
</xsl:otherwise>
|
||||
</xsl:choose>
|
||||
</offered_service_long>
|
||||
<xsl:comment>if there is a shorter way of saying the same thing, you can type it here (it makes for more dynamic offerte text). If not, just repeat the long name.</xsl:comment>
|
||||
<offered_service_short>
|
||||
<!-- if known type, use short service name from localisationstrings.xml; otherwise, use short service name provided in quickscope -->
|
||||
<xsl:choose>
|
||||
<xsl:when test="/ir_quickscope/meta/offer_type != 'other'">
|
||||
<xsl:call-template name="getString">
|
||||
<xsl:with-param name="stringID"
|
||||
select="concat('coverpage_service_', /*/meta/offer_type, '_short')"
|
||||
/>
|
||||
</xsl:call-template>
|
||||
</xsl:when>
|
||||
<xsl:otherwise>
|
||||
<xsl:value-of select="/*/meta/requested_service"/>
|
||||
</xsl:otherwise>
|
||||
</xsl:choose>
|
||||
</offered_service_short>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">snippets/company_info.xml</xsl:attribute>
|
||||
</xsl:element>
|
||||
<permission_parties>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">client_info.xml</xsl:attribute>
|
||||
</xsl:element>
|
||||
</permission_parties>
|
||||
<activityinfo>
|
||||
<xsl:for-each select="//activity_info/*">
|
||||
<xsl:copy>
|
||||
<xsl:copy-of select="node()"/>
|
||||
</xsl:copy>
|
||||
</xsl:for-each>
|
||||
</activityinfo>
|
||||
<version_history>
|
||||
<xsl:comment>needed for date on frontpage and in signature boxes; it is possible to add a new <version> after each review; in that case, make sure to update the date/time</xsl:comment>
|
||||
<version number="auto">
|
||||
<xsl:attribute name="date"><xsl:value-of
|
||||
select="format-date(current-date(), '[Y]-[M,2]-[D,2]', 'en', (), ())"
|
||||
/>T10:00:00</xsl:attribute>
|
||||
<xsl:comment>actual date-time here; you can leave the number attribute alone</xsl:comment>
|
||||
<v_author>ROS Writer</v_author>
|
||||
<xsl:comment>name of the author here; for internal use only</xsl:comment>
|
||||
<v_description>Initial draft</v_description>
|
||||
<xsl:comment>for internal use only</xsl:comment>
|
||||
</version>
|
||||
</version_history>
|
||||
</meta>
|
||||
|
||||
<xsl:for-each
|
||||
select="$snippetSelectionRoot/selection[@subtype = $docSubType]/snippet_group[@set = 'group1']/snippet">
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNameBase" select="."/>
|
||||
<xsl:with-param name="snippetDirectory" select="$snippetBase"/>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
</xsl:for-each>
|
||||
|
||||
<xsl:if test="//activity_info/organizational_readiness_assessment">
|
||||
<xsl:for-each
|
||||
select="$snippetSelectionRoot/selection[@subtype = $docSubType]/snippet_group[@set = 'organizational_readiness_assessment']/snippet">
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNameBase" select="."/>
|
||||
<xsl:with-param name="snippetDirectory" select="$snippetBase"/>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
</xsl:for-each>
|
||||
</xsl:if>
|
||||
|
||||
<xsl:for-each
|
||||
select="$snippetSelectionRoot/selection[@subtype = $docSubType]/snippet_group[@set = 'group2']/snippet">
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNameBase" select="."/>
|
||||
<xsl:with-param name="snippetDirectory" select="$snippetBase"/>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
</xsl:for-each>
|
||||
|
||||
|
||||
<!--<xsl:comment>Introduction and Scope</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">introandscope</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>Project overview section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">projectoverview</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>Prerequisites section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">prerequisites</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>Disclaimer section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">disclaimer</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>Methodology section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">methodology</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>-->
|
||||
<!--<xsl:if test="/*/activity_info/codeaudit/@perform = 'yes'">
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart"
|
||||
>codeauditmethodology</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
</xsl:if>-->
|
||||
<!--<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">teamandreporting</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>Planning and payment section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">planningandpayment</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>About Us section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">aboutus</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>Work condition section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">conditions</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:comment>General terms and conditions section</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart"
|
||||
>generaltermsandconditions</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>
|
||||
|
||||
|
||||
<xsl:comment>Waivers</xsl:comment>
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">
|
||||
<xsl:call-template name="docCheck">
|
||||
<xsl:with-param name="fileNamePart">waiver</xsl:with-param>
|
||||
</xsl:call-template>
|
||||
</xsl:attribute>
|
||||
</xsl:element>-->
|
||||
</offerte>
|
||||
|
||||
|
||||
</xsl:template>
|
||||
|
||||
<!--<xsl:template name="docCheck">
|
||||
<xsl:param name="fileNamePart" select="'none'"/>
|
||||
<xsl:param name="typeSuffix">
|
||||
<xsl:choose>
|
||||
<xsl:when test="/*/meta/offer_type = 'pentest' or /*/meta/offer_type = 'other'"/>
|
||||
<xsl:otherwise>
|
||||
<xsl:text>_</xsl:text>
|
||||
<xsl:value-of select="/*/meta/offer_type"/>
|
||||
</xsl:otherwise>
|
||||
</xsl:choose>
|
||||
</xsl:param>
|
||||
<xsl:param name="fileNameStandard"
|
||||
select="concat('snippets/offerte/', $lang, '/', $fileNamePart, '.xml')"/>
|
||||
<xsl:param name="fileNameExtended"
|
||||
select="concat('snippets/offerte/', $lang, '/', $fileNamePart, $typeSuffix, '.xml')"/>
|
||||
<xsl:choose>
|
||||
<xsl:when test="doc-available(concat('../source/', $fileNameExtended))">
|
||||
<xsl:value-of select="$fileNameExtended"/>
|
||||
</xsl:when>
|
||||
<xsl:otherwise>
|
||||
<xsl:value-of select="$fileNameStandard"/>
|
||||
</xsl:otherwise>
|
||||
</xsl:choose>
|
||||
</xsl:template>-->
|
||||
|
||||
</xsl:stylesheet>
|
||||
@ -2,6 +2,22 @@
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
||||
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fo="http://www.w3.org/1999/XSL/Format"
|
||||
xmlns:my="http://radical.sexy" exclude-result-prefixes="xs my" version="2.0">
|
||||
|
||||
<xsl:template name="getDenomination">
|
||||
<xsl:param name="placeholderElement" as="node()" select="/"/>
|
||||
<xsl:choose>
|
||||
<xsl:when test="$placeholderElement/ancestor-or-self::*/@denomination = 'eur'">€</xsl:when>
|
||||
<xsl:when test="$placeholderElement/ancestor-or-self::*/@denomination = 'usd'">$</xsl:when>
|
||||
<xsl:when test="$placeholderElement/ancestor-or-self::*/@denomination = 'gbp'">£</xsl:when>
|
||||
<!--<xsl:otherwise>
|
||||
<xsl:when test="$placeholderElement/ancestor::*/@denomination = 'eur'">€</xsl:when>
|
||||
<xsl:when test="$placeholderElement/ancestor::*/@denomination = 'usd'">$</xsl:when>
|
||||
<xsl:when test="$placeholderElement/ancestor::*/@denomination = 'gbp'">£</xsl:when>
|
||||
</xsl:otherwise>-->
|
||||
<xsl:otherwise><fo:inline xsl:use-attribute-sets="errortext">WARNING: NO DENOMINATION FOUND</fo:inline></xsl:otherwise>
|
||||
</xsl:choose>
|
||||
</xsl:template>
|
||||
|
||||
<!-- PLACEHOLDERS -->
|
||||
<xsl:template match="client_long">
|
||||
<xsl:param name="placeholderElement" select="/*/meta//client/full_name"/>
|
||||
@ -167,7 +183,9 @@
|
||||
</xsl:template>
|
||||
<xsl:template match="p_fee">
|
||||
<xsl:param name="placeholderElement" select="/*/meta/activityinfo/fee"/>
|
||||
<xsl:value-of select="$denomination"/>
|
||||
<xsl:call-template name="getDenomination">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:call-template name="checkPlaceholder">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
@ -217,7 +235,7 @@
|
||||
<xsl:value-of select="my:calculatePeriod($endDate, $startDate)"/>
|
||||
</xsl:template>
|
||||
<xsl:template match="contract_total_fee">
|
||||
<xsl:value-of select="$denomination"/>
|
||||
<xsl:call-template name="getDenomination"/>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:value-of select="$total_fee"/>
|
||||
<!-- no need to check for existence as it's a calculation of two checked values below -->
|
||||
@ -302,7 +320,9 @@
|
||||
</xsl:template>
|
||||
<xsl:template match="contractor_hourly_fee">
|
||||
<xsl:param name="placeholderElement" select="/contract/meta/contractor/hourly_fee"/>
|
||||
<xsl:value-of select="$denomination"/>
|
||||
<xsl:call-template name="getDenomination">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:call-template name="checkPlaceholder">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
@ -346,6 +366,37 @@
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
</xsl:template>
|
||||
|
||||
<xsl:template match="ir_ora_rate">
|
||||
<xsl:param name="placeholderElement" select="/*/meta/activityinfo/organizational_readiness_assessment/rate"/>
|
||||
<xsl:call-template name="getDenomination">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:call-template name="checkPlaceholder">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
</xsl:template>
|
||||
<xsl:template match="ir_sim_rate">
|
||||
<xsl:param name="placeholderElement" select="/*/meta/activityinfo/security_incident_management/rate"/>
|
||||
<xsl:call-template name="getDenomination">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:call-template name="checkPlaceholder">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
</xsl:template>
|
||||
<xsl:template match="ir_taa_rate">
|
||||
<xsl:param name="placeholderElement" select="/*/meta/activityinfo/technical_artefact_analysis/rate"/>
|
||||
<xsl:call-template name="getDenomination">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:call-template name="checkPlaceholder">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
</xsl:template>
|
||||
|
||||
<xsl:template match="finding_count">
|
||||
<xsl:param name="threatLevel" select="@threatLevel"/>
|
||||
@ -367,11 +418,13 @@
|
||||
<!-- placeholder exists and contains text -->
|
||||
<xsl:choose>
|
||||
<xsl:when test="self::client_rate">
|
||||
<xsl:value-of select="$denomination"/>
|
||||
<xsl:call-template name="getDenomination">
|
||||
<xsl:with-param name="placeholderElement" select="$placeholderElement"/>
|
||||
</xsl:call-template>
|
||||
<xsl:text> </xsl:text>
|
||||
<xsl:value-of select="$placeholderElement"/>
|
||||
</xsl:when>
|
||||
<xsl:when test="self::p_fee or self::contractor_hourly_fee">
|
||||
<xsl:when test="self::p_fee or self::contractor_hourly_fee or self::ir_ora_rate">
|
||||
<!-- pretty numbering for fee -->
|
||||
<xsl:variable name="fee" select="$placeholderElement * 1"/>
|
||||
<xsl:number value="$fee" grouping-separator="," grouping-size="3"/>
|
||||
|
||||
@ -29,6 +29,9 @@
|
||||
</xsl:attribute>
|
||||
<xsl:comment>document meta information; to be filled in by the offerte writer</xsl:comment>
|
||||
<meta>
|
||||
<title><xsl:call-template name="getString">
|
||||
<xsl:with-param name="stringID" select="'coverpage_offer'"/>
|
||||
</xsl:call-template></title>
|
||||
<offered_service_long>
|
||||
<!-- if known type, use long service name from localisationstrings.xml; otherwise, use long service name provided in quickscope -->
|
||||
<xsl:choose>
|
||||
|
||||
@ -36,6 +36,9 @@
|
||||
</xsl:attribute>
|
||||
<xsl:comment>document meta information; to be filled in by the offerte writer</xsl:comment>
|
||||
<meta>
|
||||
<title><xsl:call-template name="getString">
|
||||
<xsl:with-param name="stringID" select="'coverpage_offer'"/>
|
||||
</xsl:call-template></title>
|
||||
<offered_service_long>
|
||||
<xsl:call-template name="getString">
|
||||
<xsl:with-param name="stringID"
|
||||
@ -66,7 +69,7 @@
|
||||
<xsl:element name="xi:include">
|
||||
<xsl:attribute name="href">client_info.xml</xsl:attribute>
|
||||
</xsl:element>
|
||||
<xsl:for-each select="/*/third_party">
|
||||
<xsl:for-each select="//permission_parties/party">
|
||||
<!-- TODO add to report -->
|
||||
<party>
|
||||
<xsl:copy-of select="node()"/>
|
||||
|
||||
@ -20,6 +20,7 @@
|
||||
<xsl:with-param name="signee_short" tunnel="yes"><xsl:value-of select="short_name"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_waiver_rep" tunnel="yes"><xsl:value-of select="waiver_rep"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_street" tunnel="yes"><xsl:value-of select="address"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_pc" tunnel="yes"><xsl:value-of select="postal_code"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_city" tunnel="yes"><xsl:value-of select="city"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_country" tunnel="yes"><xsl:value-of select="country"/>
|
||||
</xsl:with-param>
|
||||
@ -57,6 +58,7 @@
|
||||
<xsl:with-param name="signee_short" tunnel="yes"><xsl:value-of select="short_name"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_waiver_rep" tunnel="yes"><xsl:value-of select="waiver_rep"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_street" tunnel="yes"><xsl:value-of select="address"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_pc" tunnel="yes"><xsl:value-of select="postal_code"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_city" tunnel="yes"><xsl:value-of select="city"/></xsl:with-param>
|
||||
<xsl:with-param name="signee_country" tunnel="yes"><xsl:value-of select="country"/>
|
||||
</xsl:with-param>
|
||||
@ -203,6 +205,11 @@
|
||||
<xsl:value-of select="$signee_street"/>
|
||||
</xsl:template>
|
||||
|
||||
<xsl:template match="signee_postal_code">
|
||||
<xsl:param name="signee_pc" tunnel="yes"/>
|
||||
<xsl:value-of select="$signee_pc"/>
|
||||
</xsl:template>
|
||||
|
||||
<xsl:template match="signee_city">
|
||||
<xsl:param name="signee_city" tunnel="yes"/>
|
||||
<xsl:value-of select="$signee_city"/>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user