HomeMy WebLinkAboutContract 32278 '( '9ECRETARY
�ONTF?ACT No.
.�f 222Z'k
PROFESSIONAL SERVICES AGREEMENT
This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered
into by and between the CITY OF FORT WORTH (the "City"), a home rule municipal
corporation situated in portions of Tarrant, Denton and Wise Counties, Texas, acting by and
through Richard Zavala, its duly authorized Assistant City Manager, and THOTH
SOLUTIONS, INC. ("Consultant") a Texas corporation and acting by and through James R.
Johnson, its duly authorized Officer and Agent.
1. SCOPE OF SERVICES.
Consultant hereby agrees to provide the City with professional consulting services for
the purpose of conducting a security assessment of the City's network environment.
Attached hereto and incorporated for all purposes incident to this Agreement is Exhibit A
describing the Scope of Work.
2. TERM.
This Agreement shall commence upon the date that both the City and Consultant have
executed this Agreement ("Effective Date") and shall continue in full force and effect until
terminated in accordance with the provisions of this Agreement or when the City provides
Consultant with written notice that Consultant has fulfilled its obligations under this Agreement
and that Consultant's services are no longer required.
3. COMPENSATION.
The City shall pay Consultant an amount not to exceed $49,470.00 in accordance with
the provisions of this Agreement. Consultant shall not perform any additional services for the
City not specified by this Agreement unless the City requests and approves in writing the
additional costs for such services. The City shall not be liable for any additional expenses of
Consultant not specified by this Agreement unless the City first approves such expenses in
writing.
4. TERMINATION.
4.1. Written Notice.
The City or Consultant may terminate this Agreement at any time and for any
reason by providing the other party with 30 days written notice of termination.
4.2 Non-appropriation of Funds.
In the event no funds or insufficient funds are appropriated by the City in any
fiscal period for any payments due hereunder, City will notify Consultant of such
occurrence and this Agreement shall terminate on the last day of the fiscal period for
which appropriations were received without penalty or expense to the City of any kind
whatsoever, except as to the portions of the payments herein agreed upon for which
funds shall be been appropriated.
4.3 Duties and Obligations of the Parties.
In the event that this Agreement is terminated prior to the Expiration Date, the
City shall pay Consultant for services actually rendered as of the effective date of
termination and Consultant shall continue to provide the City with services requested
by the City and in accordance with this Agreement up to the effective date of
termination.
5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION.
Consultant hereby warrants to the City that Consultant has made full disclosure in
writing of any existing or potential conflicts of interest related to Consultant's services and
proposed services with respect to the Scope of Services. In the event that any conflicts of
interest arise after the Effective Date of this Agreement, Consultant hereby agrees
immediately to make full disclosure to the City in writing. Consultant, for itself and its officers,
agents and employees, further agrees that it shall treat all information provided to it by the
City as confidential and shall not disclose any such information to a third party without the
prior written approval of the City.
Consultant understands and acknowledges that the City is a public entity under the
laws of the State of Texas, and as such, all documents and data held by the City are subject
to disclosure under Chapter 552 of the Texas Government Code, the Texas Public
Information Act (the "Act'). If the City is required to disclose any documents that may reveal
any Consultant proprietary information to third parties under the Act, or by any other legal
process, law, rule or judicial order by a court of competent jurisdiction, the City will utilize its
best efforts to notify Consultant prior to disclosure of such documents. The City shall not be
liable or responsible in any way for the disclosure of information not clearly marked as
"Proprietary / Confidential Information" or if disclosure is required by the Act or any other
applicable law or court order. In the event there is a request such information, it will be the
responsibility of Consultant to submit reasons objecting to disclosure. A determination on
whether such reasons are sufficient will not be decided by the City, but by the Office of the
Attorney General of the State of Texas.
6. RIGHT TO AUDIT.
Consultant agrees that the City shall, until the expiration of three (3) years after final
payment under this contract, have access to and the right to examine at reasonable times
any directly pertinent books, documents, papers and records of the consultant involving
transactions relating to this Contract. Consultant agrees that the City shall have access
during normal working hours to all necessary Consultant facilities and shall be provided
adequate and appropriate work space in order to conduct audits in compliance with the
provisions of this section. The City shall give Consultant reasonable advance notice of
intended audits.
Consultant further agrees to include in all its subcontractor agreements hereunder a
provision to the effect that the subcontractor agrees that the City shall, until expiration of
three (3) years after final payment of the subcontract, have access to and the right to
examine at reasonable times any directly pertinent books, documents, papers and records of
such subcontractor involving transactions related to the subcontract, and further that City
shall have access during normal working hours to all subcontractor facilities and shall be
provided adequate and appropriate work space in order to conduct audits in compliance with
the provisions of this paragraph. City shall give subcontractor reasonable notice of intended
audits.
7. INDEPENDENT CONTRACTOR.
It is expressly understood and agreed that Consultant shall operate as an
independent contractor as to all rights and privileges granted herein, and not as agent,
representative or employee of the City. Subject to and in accordance with the conditions and
provisions of this Agreement, Consultant shall have the exclusive right to control the details
of its operations and activities and be solely responsible for the acts and omissions of its
officers, agents, servants, employees, contractors and subcontractors. Consultant
acknowledges that the doctrine of respondeat superior shall not apply as between the City,
its officers, agents, servants and employees, and Consultant, its officers, agents, employees,
servants, contractors and subcontractors. Consultant further agrees that nothing herein shall
be construed as the creation of a partnership or joint enterprise between City and Consultant.
8. LIABILITY AND INDEMNIFICATION.
CONSULTANT SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL
PROPERTY LOSS, PROPERTY DAMAGE AND/OR PERSONAL INJURY, INCLUDING
DEATH, TO ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL
OR ASSERTED, TO THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR
OMISSION(S), MALFEASANCE OR INTENTIONAL MISCONDUCT OF CONSULTANT, ITS
OFFICERS, AGENTS, SERVANTS OR EMPLOYEES.
CONSULTANT COVENANTS AND AGREES TO, AND DOES HEREBY,
INDEMNIFY, HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS,
SERVANTS AND EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR
LAWSUITS FOR EITHER PROPERTY DAMAGE OR LOSS (INCLUDING ALLEGED
DAMAGE OR LOSS TO CONSULTANT'S BUSINESS AND ANY RESULTING LOST
PROFITS) AND/OR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL
PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, ARISING
OUT OF OR IN CONNECTION WITH THIS AGREEMENT, TO THE EXTENT CAUSED BY
THE NEGLIGENT ACTS OR OMISSIONS OR MALFEASANCE OF CONSULTANT, ITS
OFFICERS, AGENTS, SERVANTS OR EMPLOYEES.
9. ASSIGNMENT AND SUBCONTRACTING.
Consultant shall not assign or subcontract any of its duties, obligations or rights under
this Agreement without the prior written consent of the City. If the City grants such consent,
the assignee or subcontractor shall execute a written agreement with the City under which the
assignee or subcontractor agrees to be bound by the duties and obligations of Consultant
under this Agreement.
10. INSURANCE.
3
Consultant shall provide the City with certificate(s) of insurance documenting policies
of the following minimum coverage limits that are to be in effect prior to commencement of
any work pursuant to this Agreement:
10.1 Coverage and Limits
Commercial General Liability
$1,000,000 Each Occurrence
$1,000,000 Aggregate
Automobile Liability
$1,000,000 Each accident on a combined single limit basis or
$250,000 Property damage
$500,000 Bodily injury per person per occurrence
Coverage shall be on any vehicle used by the Consultant, its
employees, agents, representatives in the course of the providing
services under this Agreement. "Any vehicle" shall be any vehicle
owned, hired and non-owned
Worker's Compensation
Statutory limits
Employer's liability
$100,000 Each accident/occurrence
$100,000 Disease - per each employee
$500,000 Disease - policy limit
This coverage may be written as follows:
Workers' Compensation and Employers' Liability coverage with limits consistent
with statutory benefits outlined in the Texas workers' Compensation Act (Art.
8308 — 1.01 et seq. Tex. Rev. Civ. Stat.) and minimum policy limits for
Employers' Liability of $100,000 each accident/occurrence, $500,000 bodily
injury disease policy limit and $100,000 per disease per employee
10.2 Certificates.
Certificates of Insurance evidencing that the Consultant has obtained all
required insurance shall be delivered to the City prior to Consultant proceeding
with any work pursuant to this Agreement. All policies shall be endorsed to
name the City as an additional insured thereon, as its interests may appear.
The term City shall include its employees, officers, officials, agent, and
volunteers in respect to the contracted services. Any failure on the part of the
City to request required insurance documentation shall not constitute a waiver
of the insurance requirement. A minimum of thirty (30 ) days notice of
cancellation or reduction in limits of coverage shall be provided to the City. Ten
(10) days notice shall be acceptable in the event of non-payment of premium.
Such terms shall be endorsed onto Consultant's insurance policies. Notice shall
� CC,I i;l hi� 1 D'
I� .'✓1: �1 p �N.o
be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort
Worth, Texas 76102, with copies to the City Attorney at the same address.
5
11. COMPLIANCE WITH LAWS, ORDINANCES, RULES AND REGULATIONS.
Consultant agrees to comply with all applicable federal, state and local laws,
ordinances, rules and regulations_ If the City notifies Consultant of any violation of such laws,
ordinances, rules or regulations, Consultant shall immediately desist from and correct the
violation.
12. NON-DISCRIMINATION COVENANT.
Consultant, for itself, its personal representatives, assigns, subcontractors and
successors in interest, as part of the consideration herein, agrees that in the performance of
Consultant's duties and obligations hereunder, it shall not discriminate in the treatment or
employment of any individual or group of individuals on any basis prohibited by law. If any
claim arises from an alleged violation of this non-discrimination covenant by Consultant, its
personal representatives, assigns, subcontractors or successors in interest, Consultant agrees
to assume such liability and to indemnify and defend the City and hold the City harmless from
such claim.
13. NOTICES.
Notices required pursuant to the provisions of this Agreement shall be conclusively
determined to have been delivered when (1) hand-delivered to the other party, its agents,
employees, servants or representatives, (2) delivered by facsimile with electronic confirmation
of the transmission, or(3) received by the other party by United States Mail, registered, return
receipt requested, addressed as follows:
To THE CITY: To CONSULTANT:
City of Fort Worth/IT Solutions Thoth Solutions, Inc.
1000 Throckmorton PO Box 57
Fort Worth TX 76102-6311 Allen, TX 75013
Facsimile: (817) 392-8654 Facsimile (972) 442-7222
14. SOLICITATION OF EMPLOYEES.
Neither the City nor Consultant shall, during the term of this agreement and
additionally a period of one year after its termination, solicit for employment or employ,
whether as employee or independent contractor, any person who is or has been employed by
the other during the term of this agreement, without the prior written consent of the person's
employer.
15. GOVERNMENTAL POWERS.
It is understood and agreed that by execution of this Agreement, the City does not
waive or surrender any of its governmental powers.
16. NO WAIVER.
The failure of the City or Consultant to insist upon the performance of any term or
provision of this Agreement or to exercise any right granted herein shall not constitute a
6
waiver of the City's or Consultant's respective right to insist upon appropriate performance or
to assert any such right on any future occasion.
17. CONSTRUCTION.
This Agreement shall be construed in accordance with the internal laws of the State of
Texas. If any action, whether real or asserted, at law or in equity, is brought on the basis of this
Agreement, venue for such action shall tie in state courts located in Tarrant County, Texas or
the United States District Court for the Northern District of Texas, Fort Worth Division.
18. SEVERABILITY.
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the
validity, legality and enforceability of the remaining provisions shall not in any way be affected
or impaired.
19. FORCE MAJEURE.
The City and Consultant shall exercise their best efforts to meet their respective duties
and obligations as set forth in this Agreement, but shall not be held liable for any delay or
omission in performance due to force majeure or other causes beyond their reasonable
control (force majeure), including, but not limited to, compliance with any government law,
ordinance or regulation, acts of God, acts of the public enemy, fires, strikes, lockouts, natural
disasters, wars, riots, material or labor restrictions by any governmental authority,
transportation problems and/or any other similar causes.
20. HEADINGS NOT CONTROLLING.
Headings and titles used in this Agreement are for reference purposes only and shall
not be deemed a part of this Agreement.
20. REVIEW OF COUNSEL.
The parties acknowledge that each party and its counsel have reviewed and revised
this Agreement and that the normal rules of construction to the effect that any ambiguities are
to be resolved against the drafting parry shall not be employed in the interpretation of this
Agreement or exhibits hereto.
21. ENTIRETY OF AGREEMENT.
This Agreement, including the schedule of exhibits attached hereto and any
documents incorporated herein by reference, contains the entire understanding and
agreement between the City and Consultant, their assigns and successors in interest, as to
the matters contained herein. Any prior or contemporaneous oral or written agreement is
hereby declared null and void to the extent in conflict with any provision of this Agreement.
[Signature Pages Follow]
7
ini WITNESS `WHEREOF, the parties hereto have executed this Agreement in multiples this
day of , 2005.
CITY OF FORT WORTH: THOTH SOLUTIONS, INC.
By: --�
Rich r .
Zavala J es R. Johnson
Acti Assistant City Manager Toth Solutions Inc., President
ATT ST: ATTEST:
By:
City Secreta By:
APPROVED AS TO FORM AND
LEGALITY:
By:
Assista t City Attorney
M&C: Q,
3.1
7 `''n1i Li U
EXHIBIT A
STATEMENT OF WORK
Thoth Solutions, Inc. (TSI) shall provide a detailed and thorough security assessment of the
current state of the City of Fort Worth's Library Network and hardware infrastructure. The
primary focus shall be on network security and additional emphasis including traffic monitoring,
communication capacity and throughput, network health checks, high availability (HA), disaster
recovery (DR), redundancy, and business continuity. The main objective of the report shall be
to identify critical network and infrastructure components that host Library Network business
systems and develop improvement opportunities to address the obvious and not-so-obvious
deficiencies. Emphasis shall also be placed on supporting current and future systems while
maintaining viability of the overall network and infrastructure. Improvement opportunities and
insights, although not cost qualified, will be provided to address the administration of network
services related to DR, security, off-site storage, business resumption facilities, and various
network hosting options applicable to the Library.
TSI's objective is to provide two (2) highly skilled and dedicated technical experts for a period
of eight (8) weeks to complete a detailed handbook of the entire Network that includes all
Layer 2 and Layer 3 devices and to conduct a comprehensive assessment of the City's Library
network security specific devices and procedures in order to highlight the strengths and
weaknesses of the current architecture.
A. Assessment and Documentation:
A current state assessment and documentation of all areas of the stated scope will
included but is not limited to the following:
• A review of existing policies and comprehensive documentation of the library
network.
• Analyze system architecture and network configurations.
• Assess the operational support tools and procedures.
• Investigate physical installations of access points.
• Identify rogue access points, potential issues, bottlenecks and inefficiencies.
• Perform penetration tests.
• Interview users and conduct workshops to keep key personnel abreast of
assessment finding.
• Draft and publish network infrastructure findings and a recommendations report.
1. A detailed handbook shall be created for the entire Network that includes all
Layer 2 and Layer 3 devices. The purpose of a network handbook is faster
troubleshooting, reduced information loss, easier task sharing and improved
network design.
Examples of the information included are:
• Building diagram/floor plan
• Physical network diagram
• Logical network diagram
• Hardware information
• Configuration information
LV
• Protocol information
• DNS information
• Network administration information
• Contact information
• Vendor information
• Device log sheets
• Procedure documentation
• Baseline network utilization reports
Acceptable use policy
• Security policy
Disaster recovery plan
• Penetration test results
• Complete inventory of network equipment categorized by location
B. Perimeter Network Assessment
The following will be addressed upon commencement of this phase of the assessment:
• Perform a security evaluation of the VPN solution.
• Assess the firewall design to ensure protection against unauthorized intrusion.
• Evaluate the DMZ architecture, web servers, routing, and DNS architecture.
• Provide patch management policies for the library network computers and
servers.
1. A comprehensive network assessment of the City's Library network security
speck devices and procedures shall be performed to highlight the strengths
and weaknesses of the current architecture.
• VPN — The VPN solution will be evaluated to ensure that it provides
private, ubiquitous communications to the locations and users that
require it. The VPN must be done in a secure manner while maintaining
as many of the characteristics of traditional private WAN connections as
possible.
• Firewall — The firewall design shall be assessed to ensure the network is
protected against unauthorized intrusion. The firewalls should never
allow inbound traffic to the corporate or private segment from a publicly
accessible segment, such as the Internet.
• DMZ — A properly designed and implemented DMZ reduces Internet-
related security risks, such as the possibility of Denial of Services (DoS)
attacks that affect corporate servers. A close look at the DMZ
architecture shall be included to mitigate these risks.
• Web Serves — The web servers will be evaluated to ensure that they are
properly patched with the latest security updates. The software
applications shall also be included in the evaluation to ensure the latest
versions are loaded.
M
�; ?� vll,YW
o � i,
• Routing — The Layer 3 routing protocol shall be assessed to ensure the
basic routing function is working optimally.
• DNS — The assessment will test whether the Library Network has a DNS
single point of failure. The assessment shall ensure the DNS
architecture is not running outdated or vulnerable versions of name
server software. It shall also ensure that the architecture is not running
name servers on hosts that have not been hardened against attack.
• Patch Management — A thorough computer/server patching policy shall
be measured how it protects the computers against worms and viruses.
All Library Network computers and servers should be ensured by the
policy that they are patched before they get connected to the network
and continually updated as new patches are released.
3
City of Fort Worth, Texas
Mayor and Council Communication
COUNCIL ACTION: Approved on 8/9/2005
DATE: Tuesday, August 09, 2005
LOG NAME: 13P05-0095 REFERENCE NO.: **P-10202
SUBJECT:
Authorize a Purchase Agreement for Security Assessment of the Computer Network Environment
with Thoth Solutions, Inc., for the Information Technology Solutions Department
RECOMMENDATION:
It is recommended that the City Council authorize a purchase agreement for security assessment of the
computer network environment with Thoth Solutions, Inc. (TSI) for the Information Technology Solutions
Department (IT Solutions) for an estimated amount of$49,470.00.
DISCUSSION:
During 2005, IT Solutions assisted the Library Department with the upgrade of its technology infrastructure
(all circuits, network equipment and servers). One part of the project was to separate the network into two
segments, one to serve the public and one to serve City staff. This allowed for City services such as email
and intranet to become available to library staff. Because the scope of the project was so extensive and
expansive, IT Solutions recommends bringing in a security firm to evaluate the work performed as a quality
measure and a best practice. The vendor will audit work performed, produce network diagrams and
documentation, identify flawed processes or policies and make recommendations for change. In addition
the vendor will evaluate associated segments of the Citywide network infrastructure that were affected by
these changes. The assessment will also help identify any opportunities to improve security practices.
A Request for Proposals (RFP) was issued in May 2005. The vendors were asked to respond with
three security assessment options. The comprehensive documentation of the library network and a
comprehensive perimeter network assessment of the City is the one being recommended for this
agreement.
An evaluation team of IT Solutions employees evaluated the proposals. The primary factors for the review
included: 1) Proposed Price, 2) Vendor Experience, 3) Response to Specifications and 4)Quality and
Thoroughness of Response. Fifteen vendors responded with proposals to provide security assessments of
the network environment. After evaluation, it was determined that TSI would provide the best solution for
the City.
BID ADVERTISEMENT - The RFP was advertised in the Commercial Recorder on May 18 and 25, 2005.
M/WBE - A waiver of the goal for MM/BE subcontracting requirements was requested by the Purchasing
Division and approved by the M/WBE Office because the purchase of goods or services is from sources
where subcontracting or supplier opportunities are negligible.
Logname: 13P05-0095 Page 1 of 2
4S.
FISCAL INFORMATION/CERTIFICATION:
The Finance Director certifies that funds are available in the current operating budget, as appropriated, of
the Information Systems Fund.
BQN\05-0095\LGS
TO Fund/AccounMenters FROM Fund/Account/Centers
P168 539120 0041100 $49.470.00
Submitted for City Manager's Office by: Richard Zavala (Acting) (6183)
Originating Department Head: , Jim Keyes (8517)
Additional Information Contact: Robert Combs (8357)
Pete Anderson (8781)
Logname: 13P05-0095 Page 2 of 2