Information Security Assessment: Process & Technology Service Offering

Agenda
• Information Security and its Importance
• Opportune Corporate Profile and Experience
• Information Security Assessment Framework
• Methodology
• Approach & Timeline
• Deliverables
• Resumes

1/4/2011 Proprietary and Confidential

What is Information Security?

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
• Integrity: guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.
• Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
• Availability: ensuring timely and reliable access to and use of information.

* Source: United States Code, Title 44, § 3542(b)(1), Definitions

Why is Information Security Important?

Recent Department of Justice press releases:
• "Upland Man Indicted for Allegedly Damaging Computer Systems Used to Monitor Off-Shore Oil Platforms" (March 17, 2009)
• "Houston Computer Administrator Sentenced to 12 Months in Prison for Hacking Former Employer's Computer Network" (July 6, 2010)
• "Student Convicted with Using University Computer Network for Denial of Service Attacks and to Control Other Computers (via 'Botnet' Zombies)" (May 26, 2010)
• "Stalking and Computer Intrusion Indictment Filed In Philadelphia" (August 5, 2010)

* Source: Department of Justice website
Why is Information Security Important?

What would it cost the business if:
• Investor confidence or company image was damaged?
• Confidential or proprietary information was leaked or destroyed?
• Operational assets were tampered with?
• Production data was altered?
• Bid information was compromised?
• The company was fined for regulatory non-compliance?

Who should care about Information Security?
• Businesses with Industrial Control Systems (e.g. SCADA and DCS).
• Businesses with personal information (e.g. bank account numbers and SSNs).
• Businesses with disgruntled employees.
• Businesses who have to comply with government and industry regulations (e.g. NERC CIP, SOX, HIPAA and PCI DSS).

How often should you assess your Information Security?
• Once a quarter to once a year, depending on risk tolerance and compliance requirements.

Diagram labels (Drivers): Business Operations, Company Image, Company Assets, Legal Liability, Regulatory Compliance, Company Policy, HSE, Exposure of Information, IT Asset Abuse, Data Modification / Systems Sabotage, Economic Exploitation, Information Theft, Denial of Services, System Intrusion / Unauthorized Access.
Opportune Corporate Profile
Opportune LLP Service Offering

The Opportune Difference

Chart: Number of People vs. Years of Experience, comparing a Typical Consulting Firm with Opportune LLP (Value Added).

The Opportune Advantage: Typical large consulting firms staff with larger teams of less experienced resources in order to provide them with experience. Because Opportune's staff are more experienced, on average, our teams can be smaller and the resources staffed will be more experienced.

Value Through Thought Leadership: Opportune's deeply experienced staff has, on average, nearly 10 years of industry or consulting experience that they bring to each client. This means more experienced teams delivering on the projects and challenges you are facing better, faster and more economically.
Security Case Study 1

Company Profile
Client is a multi-billion dollar privately held operator of oil and gas properties throughout the United States. They have offices in 12 states with more than 700 employees. The client has seen tremendous growth in the last few years and expects similar growth over the coming years.

Business Climate
In some cases, rapid growth in the last few years has outpaced the ability of IT to keep up. A recent IT Organization Review exposed potential risks for the IT systems, which could impact the client's ability to conduct business as well as their investors.

Opportune Results
Opportune was engaged to execute a comprehensive IT Security Assessment of all externally facing systems, external web applications, internal servers, workstations, network devices and SCADA systems. During the engagement Opportune identified several critical risk vulnerabilities. A "proof-of-concept" demonstrated it was possible to access investor information, confidential information and critical systems from the Internet. Risks were prioritized so the client could begin remediation before the assessment was completed. Opportune provided a detailed report and overall summary of all vulnerabilities and gaps discovered during the assessment. This process provided an objective third party analysis of the risks, as well as recommendations to mitigate each vulnerability. Finally, Opportune provided the client with a quick hit list, short-term activities and a long-term roadmap to allow the client to focus their security efforts efficiently and effectively.

Security Case Study 2

Company Profile
Client is one of the largest private fee mineral and royalty owners in the United States. The client owns or controls interests, either directly or through institutionally-supported partnerships, in more than 25,000 wells.

Business Climate
The client felt that the significant growth of their information systems over the last few years had opened them up to potential security threats both internally and externally. They did not know where their risks were and wanted to have them identified so they could be remediated.

Opportune Results
The client engaged Opportune to assist in the assessment of policies, processes and procedures, including supporting information technology used to create management reports and support operating decisions. An IT security assessment was conducted across all of the company's IT infrastructure and application assets, including a web site that supported investors. The engagement included vulnerability assessment, penetration testing, wireless scanning, configuration review, application testing and web application testing across all internal and external IT assets. The engagement was conducted covertly to test the detective and reactive capabilities of the IT department and to provide "Technology Recovery" to the CIO. A "proof-of-concept" demonstrated it was possible to access investor information and confidential information from the Internet, and critical systems from the internal network.
Information Security Assessment Framework

Development: Opportune's proven Information Security Assessment Framework is developed from our extensive client experiences and our synthesis of industry-developed frameworks.

Foundation: The framework's foundation is the consideration of both the probability and likelihood of undesired events.

Assessment: By identifying and quantifying vulnerabilities to prioritize the resulting risk, the framework helps ensure the client will focus on mitigating the most critical items first.

Leverage: Additionally, use of our framework ensures that clients will be using a repeatable process that can be leveraged over time, well beyond the initial assessment.
Information Security Assessment Methodology

Opportune's Information Security Assessment Methodology provides fast, ACTIONABLE results.

Methodology flowchart:

Scope
• Confirm Assessment Scope

Discover
• Review Security Policies
• Conduct External Vulnerability Scans
• Conduct Internal Vulnerability Scans
• Conduct Web Application Scans
• Conduct Wireless Scans
• Conduct Modem Scans
• Review Physical Security Measures (i.e. data center access)
• Decision: Critical Issues? Yes: Critical Vulnerability Remediation, repeated until Resolved? is answered Yes. No: proceed to Evaluate.

Evaluate
• Conduct Gap Analysis Against Best Practices and Industry Regulations
• Execute Ethical Hacking/Penetration Tests
• Analyze Identified Vulnerabilities
• Review Network, Server and Other OS Configuration
• Assess Risk

Remediate (Planning)
• Document Remediation Items and Recommendations
• Develop Remediation Roadmap
• Present Final Report and Oral Presentation

Approach & Timeline

This is a typical timeline for an Opportune Information Security Assessment project. Some of these activities may adjust based on the outcome of the scope phase.

Timeline chart phases: Project Kick Off, Scope, Discover, Evaluate, Remediate (Plan), Project Delivery; with Status Checkpoints and Management Update Meetings along the way.
Approach – Scope

Opportune will leverage similar techniques an attacker would use to compromise information and systems. To ensure a comprehensive assessment is performed, multiple services are utilized to provide an overall understanding of potential exposure and risk.

Approach – Vulnerability Assessment

Opportune will perform a detailed vulnerability assessment on IT assets that involves a comprehensive analysis of external and internal risks.
• Analyze the results from Vulnerability Scanning, Penetration Testing and Configuration Review and provide detailed assessment information for each issue.
• Recommend strategic and detailed technology and process adjustments that will help optimize security currently deployed by the organization, as well as recommend additional solutions.

Approach – Administrative Security Assessment

Opportune will evaluate the security policies, procedures, processes, training, capabilities and awareness within the organization.

Approach – Physical Security Assessment

Opportune will review key areas where IT assets reside by evaluating the overall Physical Security of locations such as Data Centers and Network Closets.

Approach – Prioritization

Opportune will analyze and prioritize vulnerabilities using a risk based approach. Critical items can be acted on during the engagement to provide the most benefit to the organization. Risks are categorized into four levels.
Deliverables

The following deliverables will be supplied upon conclusion of the assessment:
• Executive summary report, including:
  • Summary of Scope
  • Approach and Methodology
  • High Level Observations and Findings
  • Quick Hit List
  • Short-term and Strategic Recommendations
• Detailed report, including:
  • Methodology Leveraged
  • Positive Security Aspects Identified
  • Overall Risk Rating
  • Detailed Technical Vulnerability Findings
  • Assignment of a Risk Rating for Each Vulnerability
  • Supporting Exhibits for Identified Vulnerabilities
  • Detailed Technical Remediation Steps
• Oral presentation

Appendix A – Penetration Testing Approach

Leveraging information gathered from the vulnerability assessment, Opportune will attempt to gain access to the systems by exploiting verified vulnerabilities. Opportune will utilize similar attack methods and vectors that malicious attackers might use to compromise systems and information.

Activities:

The result of the Penetration Testing will provide the information necessary to perform a risk assessment and a prioritized remediation roadmap.

Appendix A – Web Application Testing Approach

Activities:
• Analysis of application: system profiling and likely points of weakness.
• Scanning the user session lifecycle to identify vulnerabilities.
• Exploitation of vulnerabilities to attempt to access data and/or systems.
• Password cracking to try and gain access with elevated privileges on target devices.

Key Assessment Areas (diagram)

Appendix A – Wireless Security Scanning Approach

Wireless access points will be mapped and their authentication mechanisms identified if possible. Once the access points have been identified, the access points and associated networks will be exploited using discovered vulnerabilities.

Activities: