Contract 43254 (2)
PROFESSIONAL SERVICES AGREEMENT
This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by
and between the CITY OF FORT WORTH (the "City"), a home rule municipal corporation situated in
portions of Tarrant, Denton and Wise Counties, Texas, acting by and through Susan Alanis, its duly
authorized Assistant City Manager, and FISHNET SECURITY, INC., (the "Consultant" or "Contractor"),
a Missouri corporation and acting by and through Gary Fish, its duly authorized Chief Executive Officer,
each individually referred to as a "party" and collectively referred to as the "parties."
CONTRACT DOCUMENTS:
The contract documents shall include the following:
1. This Agreement for Professional Services
2. Exhibit A -- Statement of Work plus any amendments to the Statement of Work
3. Exhibit B -- Payment Schedule
4. Exhibit C — Milestone Acceptance Form
5. Exhibit D — Network Access Agreement
6. Exhibit E — Signature Verification Form
All Exhibits attached hereto are incorporated herein and made a part of this Agreement for all purposes.
In the event of any conflict between the documents, the terms and conditions of this Professional
Services Agreement shall control.
1. SCOPE OF SERVICES.
Consultant hereby agrees to provide the City with professional consulting services for the
purpose of PCI Perimeter Network Penetration Testing. Attached hereto and incorporated for all
purposes incident to this Agreement is Exhibit "A," Statement of Work, more specifically describing
the services to be provided hereunder.
2. TERM.
This Agreement shall commence upon the date that both the City and Consultant have
executed this Agreement ("Effective Date") and shall continue in full force and effect through the
completion of the services set forth in Exhibit "A," but not to exceed ninety days from the Effective
Date ("Term"), unless otherwise agreed to by the parties.
3. COMPENSATION.
The City shall pay Consultant an amount not to exceed $14,255.00 in accordance with the
provisions of this Agreement and the Payment Schedule attached as Exhibit "B," which is incorporated
for all purposes herein. Consultant shall not perform any additional services for the City not specified by
this Agreement unless the City requests and approves in writing the additional costs for such services.
The City shall not be liable for any additional expenses of Consultant not specified by this Agreement
unless the City first approves such expenses in writing.
4. TERMINATION.
4.1. Written Notice.
The City or Consultant may terminate this Agreement at any time and for any reason by
providing the other party with 30 days' written notice of termination.
Professional Services Agreement
FishNet Security, Inc.
Revised October 2011
05-23-12 P02:44 IN
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
4.2 Non-appropriation of Funds.
In the event no funds or insufficient funds are appropriated by the City in any fiscal
period for any payments due hereunder, City will notify Consultant of such occurrence and this
Agreement shall terminate on the last day of the fiscal period for which appropriations were
received without penalty or expense to the City of any kind whatsoever, except as to the portions
of the payments herein agreed upon for which funds have been appropriated.
4.3 Duties and Obligations of the Parties.
In the event that this Agreement is terminated prior to the Expiration Date, the City shall
pay Consultant for services actually rendered up to the effective date of termination and
Consultant shall continue to provide the City with services requested by the City and in
accordance with this Agreement up to the effective date of termination. Upon termination of this
Agreement for any reason, Consultant shall provide the City with copies of all completed or
partially completed documents prepared under this Agreement.
5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION.
Consultant hereby warrants to the City that Consultant has made full disclosure in writing of any
existing or potential conflicts of interest as defined by Chapter 176 of the Texas Local Government Code
related to Consultant's services under this Agreement. In the event that any conflicts of interest arise
after the Effective Date of this Agreement, Consultant hereby agrees immediately to make full disclosure
to the City in writing. Consultant for itself and its officers, agents and employees, further agrees that it
shall treat all information provided to it by the City as confidential and shall not disclose any such
information to a third party without the prior written approval of the City. If Consultant discloses
information to the City that Consultant considers to be confidential or proprietary, Consultant shall
clearly mark such information accordingly prior to such disclosure. Notwithstanding, the City is a public
entity under the laws of the State of Texas and disclosure of all information shall be governed by
Chapter 552 of the Texas Government Code, the Texas Public Information Act. Both parties shall store
and maintain the information of the other party in a secure manner and shall not allow unauthorized
users to access, modify, delete or otherwise corrupt the information in any way. Receiving party shall
notify the disclosing party immediately if the security or integrity of any information has been
compromised or is believed to have been compromised.
6. RIGHT TO AUDIT.
Consultant agrees that the City shall, until the expiration of three (3) years after final payment
under this Agreement or the final conclusion of any audit commenced during the said three years, have
access to and the right to examine at reasonable times any directly pertinent books, documents, papers
and records of the consultant involving transactions relating to this Agreement at no additional cost to
the City. Consultant agrees that the City shall have access during normal working hours to all
necessary Consultant facilities and shall be provided adequate and appropriate work space in order to
conduct audits in compliance with the provisions of this section. The City shall give Consultant
reasonable advance notice of intended audits.
Consultant further agrees to include in all its subcontractor agreements hereunder a provision to
the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final
payment of the subcontract, or the final conclusion of any audit commenced during the said three years,
have access to and the right to examine at reasonable times any directly pertinent books, documents,
papers and records of such subcontractor involving transactions related to the subcontract, and further
that City shall have access during normal working hours to all subcontractor facilities and shall be
provided adequate and appropriate work space in order to conduct audits in compliance with the
provisions of this paragraph. City shall give subcontractor reasonable notice of intended audits.
7. INDEPENDENT CONTRACTOR.
It is expressly understood and agreed that Consultant shall operate as an independent
contractor as to all rights and privileges and work performed under this Agreement, and not as agent,
representative or employee of the City. Subject to and in accordance with the conditions and provisions
of this Agreement, Consultant shall have the exclusive right to control the details of its operations and
activities and be solely responsible for the acts and omissions of its officers, agents, servants,
employees, contractors and subcontractors. Consultant acknowledges that the doctrine of respondeat
superior shall not apply as between the City, its officers, agents, servants and employees, and
Consultant, its officers, agents, employees, servants, contractors and subcontractors. Consultant
further agrees that nothing herein shall be construed as the creation of a partnership or joint enterprise
between City and Consultant. It is further understood that the City shall in no way be considered a
co-employer or a joint employer of Consultant or any officers, agents, servants, employees or
subcontractors of Consultant. Neither Consultant, nor any officers, agents, servants, employees or
subcontractors of Consultant shall be entitled to any employment benefits from the City. Consultant shall
be responsible and liable for any and all payment and reporting of taxes on behalf of itself, and any of its
officers, agents, servants, employees or subcontractors.
8. LIABILITY AND INDEMNIFICATION.
A. LIABILITY - CONSULTANT SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL
PROPERTY LOSS, PROPERTY DAMAGE AND/OR PERSONAL INJURY, INCLUDING DEATH, TO
ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER WHETHER REAL OR ASSERTED, TO
THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR OMISSION(S), MALFEASANCE OR
INTENTIONAL MISCONDUCT OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR
EMPLOYEES. CONSULTANT EXPRESSLY EXCLUDES ALL WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. UNDER NO
CIRCUMSTANCES SHALL EITHER PARTY HAVE ANY LIABILITY WITH RESPECT TO ITS
OBLIGATIONS UNDER THIS AGREEMENT OR OTHERWISE FOR LOSS OF PROFITS,
CONSEQUENTIAL, EXEMPLARY, INCIDENTAL OR PUNITIVE DAMAGES EVEN IF EITHER PARTY
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY EVENT, EXCEPT FOR
CONFIDENTIALITY OBLIGATIONS SET FORTH IN SECTION 5 AND INDEMNIFICATION
OBLIGATIONS SET FORTH IN SECTION 8 OF THIS AGREEMENT, THE LIABILITY OF EITHER
PARTY TO THE OTHER PARTY FOR ANY REASON AND UPON ANY CAUSE OF ACTION
WHATSOEVER SHALL NOT EXCEED ONE MILLION DOLLARS ($1,000,000). THE EXISTENCE OF
MORE THAN ONE CLAIM WILL NOT ENLARGE THIS AMOUNT.
B. INDEMNIFICATION — EXCEPT TO THE EXTENT CAUSED BY THE NEGLIGENT ACTS OR
WILLFUL MISCONDUCT OF THE CITY, CONSULTANT HEREBY COVENANTS AND AGREES TO
INDEMNIFY, HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS, SERVANTS
AND EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR LAWSUITS OF ANY KIND
OR CHARACTER BROUGHT BY A THIRD PARTY FOR EITHER PROPERTY DAMAGE OR LOSS
AND/OR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, ARISING OUT
OF OR IN CONNECTION WITH THIS AGREEMENT TO THE EXTENT CAUSED BY THE
NEGLIGENT ACTS OR OMISSIONS OR MALFEASANCE OF CONSULTANT, ITS OFFICERS,
AGENTS, SERVANTS OR EMPLOYEES.
C. COPYRIGHT INFRINGEMENT - Consultant agrees to defend, settle, or pay, at its own cost and
expense, any claim or action against the City for infringement of any patent, copyright, trade
secret, or similar intellectual property right arising from services provided by Consultant or
City's use of any of the services provided by Consultant pursuant to this Agreement. Consultant
shall have the sole right to conduct the defense of any such claim or action and all negotiations
for its settlement or compromise and to settle or compromise any such claim, and City agrees to
cooperate with it in doing so. City agrees to give Consultant timely written notice of any such
claim or action, with copies of all papers City may receive relating thereto. Consultant shall have
no obligation to indemnify, defend or hold harmless City for any claim of infringement caused by
(i) use of the services by the City in combination with any other products or services in a way not
authorized by Consultant if the infringement would not have occurred but for such combination,
or (ii) any alteration, change or modification of the services by the City not authorized by FishNet
if the infringement would not have occurred but for such alteration, change or modification.
9. ASSIGNMENT AND SUBCONTRACTING.
Consultant shall not assign or subcontract any of its duties, obligations or rights under this
Agreement without the prior written consent of the City; provided that Consultant may assign this
Agreement to an entity in connection with reorganization, merger, consolidation, acquisition or other
restructuring involving all or substantially all of the voting securities or assets of the Consultant upon
written notice to the City. If the City grants consent to an assignment, the assignee shall execute a
written agreement with the City and the Consultant under which the assignee agrees to be bound by the
duties and obligations of Consultant under this Agreement. The Consultant and Assignee shall be jointly
liable for all obligations of the Consultant under this Agreement prior to the effective date of the
assignment. If the City grants consent to a subcontract, the subcontractor shall execute a written
agreement with the Consultant referencing this Agreement under which the subcontractor shall agree to
be bound by the duties and obligations of the Consultant under this Agreement as such duties and
obligations may apply. The Consultant shall provide the City with a fully executed copy of any such
subcontract.
10. INSURANCE.
Consultant shall provide the City with certificate(s) of insurance documenting policies of the
following minimum coverage limits that are to be in effect prior to commencement of any work pursuant
to this Agreement:
10.1 Coverage and Limits
(a) Commercial General Liability
$1,000,000 Each Occurrence
$1,000,000 Aggregate
(b) Automobile Liability
$1,000,000 Each occurrence on a combined single limit basis
Coverage shall be on any vehicle used by the Consultant, its employees, agents,
representatives in the course of providing services under this Agreement. "Any vehicle" shall
be any vehicle owned, hired and non-owned.
(c) Worker's Compensation - Statutory limits
Employer's liability
$100,000 Each accident/occurrence
$100,000 Disease - per each employee
$500,000 Disease - policy limit
This coverage may be written as follows:
Workers' Compensation and Employers' Liability coverage with limits consistent with statutory
benefits outlined in the Texas Workers' Compensation Act (Art. 8308-1.01 et seq. Tex. Rev.
Civ. Stat.) and minimum policy limits for Employers' Liability of $100,000 each
accident/occurrence, $500,000 bodily injury disease policy limit and $100,000 per disease per
employee.
(d) Technology Liability (E&O)
$1,000,000 Each Claim Limit
$1,000,000 Aggregate Limit
Coverage shall include, but not be limited to, the following:
(i) Failure to prevent unauthorized access
(ii) Unauthorized disclosure of information
(iii) Implantation of malicious code or computer virus
(iv) Fraud, Dishonest or Intentional Acts with final adjudication language
Technology coverage may be provided through an endorsement to the Commercial General
Liability (CGL) policy, or a separate policy specific to Technology E&O. Either is acceptable if
coverage meets all other requirements. Any deductible will be the sole responsibility of the
Consultant and may not exceed $50,000 without the written approval of the City. Coverage shall
be claims-made, with a retroactive or prior acts date that is on or before the effective date of this
Agreement. Coverage shall be maintained for the duration of the contractual agreement and for
two (2) years following completion of services provided. An annual certificate of insurance shall
be submitted to the City to evidence coverage.
10.2 General Requirements
(a) The commercial general liability and automobile liability policies shall name the City as an
additional insured thereon, as its interests may appear. The term City shall include its
employees, officers, officials, agents, and volunteers in respect to the contracted services.
(b) The workers' compensation policy shall include a Waiver of Subrogation (Right of Recovery) in
favor of the City of Fort Worth.
(c) A minimum of Thirty (30) days notice of cancellation or reduction in limits of coverage shall be
provided to the City. Ten (10) days notice shall be acceptable in the event of non-payment of
premium. Notice shall be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort
Worth, Texas 76102, with copies to the City Attorney at the same address.
(d) The insurers for all policies must be licensed and/or approved to do business in the State of
Texas. All insurers must have a minimum rating of A- VII in the current A.M. Best Key Rating
Guide, or have reasonably equivalent financial strength and solvency to the satisfaction of Risk
Management. If the rating is below that required, written approval of Risk Management is
required.
(e) Any failure on the part of the City to request required insurance documentation shall not
constitute a waiver of the insurance requirement.
(f) Certificates of Insurance evidencing that the Consultant has obtained all required insurance shall
be delivered to the City prior to Consultant proceeding with any work pursuant to this Agreement.
11. COMPLIANCE WITH LAWS, ORDINANCES, RULES AND REGULATIONS.
Consultant agrees that in the performance of its obligations hereunder, it will comply with all
applicable federal, state and local laws, ordinances, rules and regulations and that any work it produces
in connection with this Agreement will also comply with all applicable federal, state and local laws,
ordinances, rules and regulations. If the City notifies Consultant of any violation of such laws,
ordinances, rules or regulations, Consultant shall immediately desist from and correct the violation.
12. NON-DISCRIMINATION COVENANT.
Consultant, for itself, its personal representatives, assigns, subcontractors and successors in
interest, as part of the consideration herein, agrees that in the performance of Consultant's duties and
obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group
of individuals on any basis prohibited by law. If any claim arises from an alleged violation of this non-
discrimination covenant by Consultant, its personal representatives, assigns, subcontractors or
successors in interest, Consultant agrees to assume such liability and to indemnify and defend the City
and hold the City harmless from such claim.
13. NOTICES.
Notices required pursuant to the provisions of this Agreement shall be conclusively determined
to have been delivered when (1) hand-delivered to the other party, its agents, employees, servants or
representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3)
received by the other party by United States Mail, registered, return receipt requested, addressed as
follows:
City of Fort Worth
Attn: Susan Alanis, Assistant City Manager
1000 Throckmorton
Fort Worth TX 76102-6311
Facsimile: (817) 392-8654
With Copy to the City Attorney
At same address

FishNet Security, Inc.
Attn: Legal Department
6130 Sprint Parkway, Suite 400
Overland Park, KS 66211
Email address: legal@fishnetsecurity.com

14. SOLICITATION OF EMPLOYEES.
Neither the City nor Consultant shall, during the term of this Agreement and additionally for a
period of one year after its termination, solicit for employment or employ, whether as employee or
independent contractor, any person who is or has been employed by the other during the term of this
Agreement, without the prior written consent of the person's employer.
15. GOVERNMENTAL POWERS/IMMUNITIES
It is understood and agreed that by execution of this Agreement, the City does not waive or
surrender any of its governmental powers or immunities.
16. NO WAIVER.
The failure of the City or Consultant to insist upon the performance of any term or provision of
this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or
Consultant's respective right to insist upon appropriate performance or to assert any such right on any
future occasion.
17. GOVERNING LAW / VENUE.
This Agreement shall be construed in accordance with the laws of the State of Texas. If any
action, whether real or asserted, at law or in equity, is brought pursuant to this Agreement, venue for such
action shall lie in state courts located in Tarrant County, Texas or the United States District Court for the
Northern District of Texas, Fort Worth Division.
18. SEVERABILITY.
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity,
legality and enforceability of the remaining provisions shall not in any way be affected or impaired.
19. FORCE MAJEURE.
The City and Consultant shall exercise commercially reasonable efforts to meet their respective
duties and obligations as set forth in this Agreement, but shall not be held liable for any delay or
omission in performance due to force majeure or other causes beyond their reasonable control,
including, but not limited to, compliance with any government law, ordinance or regulation, acts of God,
acts of the public enemy, fires, strikes, lockouts, natural disasters, wars, riots, material or labor
restrictions by any governmental authority, transportation problems and/or any other similar causes.
20. HEADINGS NOT CONTROLLING.
Headings and titles used in this Agreement are for reference purposes only, shall not be deemed
a part of this Agreement, and are not intended to define or limit the scope of any provision of this
Agreement.
21. REVIEW OF COUNSEL.
The parties acknowledge that each party and its counsel have reviewed and revised this
Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved
against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto.
22. AMENDMENTS.
No amendment of this Agreement shall be binding upon a party hereto unless such amendment
is set forth in a written instrument, which is executed by an authorized representative of each party.
23. ENTIRETY OF AGREEMENT.
This Agreement, including the exhibits attached hereto and any documents incorporated herein
by reference, contains the entire understanding and agreement between the City and Consultant, their
assigns and successors in interest, as to the matters contained herein. Any prior or contemporaneous
oral or written agreement is hereby declared null and void to the extent in conflict with any provision of
this Agreement.
24. COUNTERPARTS.
This Agreement may be executed in one or more counterparts and each counterpart shall, for all
purposes, be deemed an original, but all such counterparts shall together constitute one and the same
instrument.
25. WARRANTY OF SERVICES.
Consultant warrants that its services will be of a professional quality and conform to generally
prevailing industry standards. City must give written notice of any breach of this warranty within thirty (30)
days from the date that the services are completed as indicated in the Milestone Acceptance Form, which
is attached hereto as Exhibit "C". In such event, if the parties determine that the services do not meet
the requirements and specifications set forth herein, at Consultant's option, Consultant shall either (a) use
commercially reasonable efforts to re-perform the services in a manner that conforms with the warranty,
or (b) refund the fees paid by the City to Consultant for the nonconforming services.
26. MILESTONE ACCEPTANCE.
Consultant shall verify that each deliverable meets the requirements and specifications set forth
herein before submitting it to the City for review and approval. The City will review all deliverables to
determine their acceptability and signify acceptance by execution of the Milestone Acceptance Form,
which is attached hereto as Exhibit "C." If the City rejects the submission, it will notify the Consultant in
writing within fifteen (15) business days after Consultant's completion of the deliverable listing the specific
reasons for rejection. The Consultant shall have ten (10) days, or such other time period as agreed upon
by the parties, to correct any deficiencies and resubmit the corrected deliverable to the City in accordance
with Section 25 above. Payment to the Consultant shall not be authorized unless the City accepts the
deliverable in writing in the form attached. The City's acceptance will not be unreasonably withheld.
27. NETWORK ACCESS.
If Consultant, and/or any of its employees, officers, agents, servants or subcontractors (for purposes of
this section 'Consultant Personnel') requires access to the City's computer network in order to provide
the services herein, Consultant shall execute and comply with the Network Access Agreement which is
attached hereto as Exhibit "D" and incorporated herein for all purposes.
28. IMMIGRATION NATIONALITY ACT.
The City of Fort Worth actively supports the Immigration & Nationality Act (INA) which includes
provisions addressing employment eligibility, employment verification, and nondiscrimination. Consultant
shall verify the identity and employment eligibility of all employees who perform work under this
Agreement. Consultant shall complete the Employment Eligibility Verification Form (I-9), maintain
photocopies of all supporting employment eligibility and identity documentation for all employees and,
upon request, provide City with copies of all I-9 forms and supporting eligibility documentation for each
employee who performs work under this Agreement. Consultant shall establish appropriate procedures
and controls so that no services will be performed by any employee who is not legally eligible to perform
such services. Consultant shall provide City with a certification letter that it has complied with the
verification requirements required by this Agreement. Consultant shall indemnify City from any penalties
or liabilities due to violations of this provision. City shall have the right to immediately terminate this
Agreement for violations of this provision by Consultant.
29. INFORMAL DISPUTE RESOLUTION.
Except in the event of termination pursuant to Section 4.2, if either City or Consultant has a claim,
dispute, or other matter in question for breach of duty, obligations, services rendered or any warranty that
arises under this Agreement, the parties shall first attempt to resolve the matter through this dispute
resolution process. The disputing party shall notify the other party in writing as soon as practicable after
discovering the claim, dispute, or breach. The notice shall state the nature of the dispute and list the party's
specific reasons for such dispute. Within ten (10) business days of receipt of the notice, both parties shall
commence the resolution process and make a good faith effort, either through email, mail, phone conference,
in-person meetings, or other reasonable means to resolve any claim, dispute, breach or other matter in
question that may arise out of, or in connection with this Agreement. If the parties fail to resolve the dispute
within sixty (60) days of the date of receipt of the notice of the dispute, then the parties may submit the matter
to non-binding mediation in Tarrant County, Texas, upon written consent of authorized representatives of
both parties in accordance with the Industry Arbitration Rules of the American Arbitration Association or other
applicable rules governing mediation then in effect. The mediator shall be agreed to by the parties. Each
party shall be liable for its own expenses, including attorney's fees; however, the parties shall share
equally in the costs of the mediation. If the parties cannot resolve the dispute through mediation, then either
party shall have the right to exercise any and all remedies available under law regarding the dispute.
Notwithstanding the fact that the parties may be attempting to resolve a dispute in accordance with this
informal dispute resolution process, the parties agree to continue without delay all of their respective
duties and obligations under this Agreement not affected by the dispute. Either party may, before or
during the exercise of the informal dispute resolution process set forth herein, apply to a court having
jurisdiction for a temporary restraining order or preliminary injunction where such relief is necessary to
protect its interests.
30. SIGNATURE AUTHORITY.
The person signing this Agreement hereby warrants that he/she has the legal authority to execute
this Agreement on behalf of the respective party, and that such binding authority has been granted by
proper order, resolution, ordinance or other authorization of the entity. This Agreement, and any
amendment(s) hereto, may be executed by any authorized representative of Consultant whose name, title
and signature is affixed on the Verification of Signature Authority Form, which is attached hereto as
Exhibit "E" and incorporated herein by reference. Each party is fully entitled to rely on these warranties
and representations in entering into this Agreement or any amendment hereto.
[SIGNATURE PAGE FOLLOWS]
IN WITNESS WHEREOF, the parties hereto have executed this Agreement in multiples this 8th day of
May, 2012.
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
By: Susan Alanis
Assistant City Manager
Date: [illegible]
FISHNET SECURITY, INC.:
By: [signature]
Name: Gary Fish
Title: Chief Executive Officer
Date: May 8, 2012
Mark Williams, Chief Financial Officer
ATTEST:
By: [signature]
City Secretary
APPROVED AS TO FORM AND LEGALITY:
Maleshta B. Farmer
Assistant City Attorney
CONTRACT AUTHORIZATION:
M&C: [illegible]
Date Approved:
EXHIBIT A
STATEMENT OF WORK
Scope of Work
Engagement Objectives
City of Fort Worth, Texas ("The City") has requested an information security and risk assessment focused
on identifying and mitigating information security threats and vulnerabilities. The PCI Perimeter Network
Penetration Testing will help the City identify security deficiencies that may exist within its cardholder
network.
The benefits identified by FishNet Security in deciding to conduct a security assessment are to:
• Reduce information security risk to the City
• Identify strengths and weaknesses in the City systems from multiple perspectives
• Identify strategies to mitigate risk in the City systems
Perimeter Network Penetration Testing begins with a discovery phase to collect pertinent information
about the City's network environment. Using this information, FishNet Security will develop a customized
testing profile to maximize the benefits of the assessment. Automated scans, paralleled with manual
examination, will be used to expose any weaknesses that may exist within the network. Validation then is
performed through a targeted penetration test that focuses on high-risk findings. Exploitation of these
findings often yields access to critical systems and sensitive information vital to the City operations.
Comprehensive testing results will be presented to the City in both technical and non-technical formats.
Scoping Considerations
Specific details relating to our understanding of the scope are listed below. This information has been
provided by the City through documents and/or interviews, and some assumptions may have been made
based upon standard security practices. Significant variance from this information may result in a
Change Order, and may incur additional labor or license fees. Should the noted scope or scoping details
be inaccurate, the proposal can be revised to incorporate required changes.
Perimeter IP Landscape
• Up to four (4) /24 networks for discovery
• Up to 75 hosts for vulnerability and penetration testing
• Guided exploitation, semi-open scope, non-evasive testing approach
• Post-assessment retest of exploited systems up to 45 days following original test
  o Retest results will be included as an addendum to the original report
Professional Services Agreement Revised October 2011
FishNet Security, Inc.
11
Detailed Tasks and Approach
PCI Perimeter Network Penetration Testing
Discovery Phase
FishNet Security will gather information from a variety of sources both technical and social to gain
knowledge about the City's network as well as all other locations where pertinent devices and hosts
reside. This information will then be compiled and a "footprint" or logical picture of the network will
emerge.
• Perform general footprinting to determine scope of the perimeter
• Execute various network queries to identify security devices
• Interrogate authoritative DNS servers for all hosts accessible
• Examine traceroute output and intermediary hosts
Target Profiling Phase
By utilizing the information obtained during the discovery phase, FishNet Security further evaluates the
City's infrastructure in order to develop a targeted testing approach. This approach allows FishNet
Security to optimize the assessment by logically segmenting targets into prioritized groups. FishNet
Security then develops customized tests based on these prioritized groups. The goal of the profiling
phase is to group and prioritize targets based on specific target information.
• Perform deep host service investigations
• Group hosts by type to speed choice of vulnerability assessment tools
Examination Phase
During this phase, FishNet Security performs detailed vulnerability scans against the prioritized target
groups. A unique combination of commercial, open-source, and proprietary tools is utilized for these
scans. Parallel testing with manual examination aids in eliminating false positives. To supplement the
vulnerability scanning, FishNet Security performs detailed configuration testing to ensure targets are
configured securely. This manual testing exposes material weaknesses overlooked by vulnerability
scans. The objective of this phase is to identify potential security findings affecting the City's overall
security posture.
• Scan hosts for known vulnerabilities
• Review hosts for vulnerabilities not revealed by automated tools
• Classify targets based on vulnerability type
• Complete manual vulnerability checking to remove false positives
Risk Validation (Penetration Analysis) Phase
FishNet Security reviews the identified vulnerabilities and misconfigurations to determine their impact on
the City's overall security posture. This validation is performed through targeted penetration testing that
focuses on high-risk findings. Exploitation of these findings often yields access to critical systems and
sensitive information vital to the City operations. The objective of this phase is to provide the client with a
clear understanding of the risks associated with the identified findings.
• Use automated and manual tools to exploit vulnerabilities
• Use exploited hosts to gain additional knowledge of the target network
• Using the new information and access, return to the discovery phase and search
out systems that were not available from the original network vantage point
This testing will validate the risk exposure of vulnerabilities in target systems due to misconfigurations,
known vulnerabilities and other security risks. FishNet Security will perform penetration testing during
normal business hours (8AM-5PM).
ecur'ity' technical process :rises. non deafri.uctiyreaeati
ted or changed} Under no elreumstancesare
.y a
abilities ar dentlfied th:e wd be documented and c
ecurity s (Penetrattoa
ne ble smile a j ecotye up aillable
�::
eventtthetargeted vutne`table servrce from
lie -guarantee i ffe"avaitabi ity of�f!elafge
`e` targetedt to nerable sernAtirara-cesduiririg
f ani .a- verse a ectsxare o serve on theT.
no files:or-data-are=intended to
Dopy -attacks used but if DoS
be'macle to correctxthetn.
hale there,exista
3ilePa �F sti.Netft$ecunty
%n. gBun .espons ve, c r
nerab eceY
wr'fhu
ieii o theeexploitafio`r
I Vulnerat e�service
ere 3
akestevery possible
ain exploits cannot beitt
shNet Security wilt
)t and notify the
Evaluation Phase
In this phase, FishNet Security evaluates the security impact of the identified findings as well as
applicable remediation procedures. FishNet Security prioritizes the findings based on a combination of
factors including previous experience, ease of exploitation, impact to the City's overall security posture,
and remediation effort. FishNet Security ensures the findings are clear, detailed, and provides the City
with an effective action plan. The goal of this phase is to assess the effects of the findings and to provide
a roadmap towards remediation.
• Rate findings based on the risk and effort to mitigate
• Document vulnerabilities in a clear, concise manner
• Enumerate remediation techniques
Documentation Phase
The documentation phase encompasses the generation of a consolidated report detailing the results
obtained during the tests. The corresponding analysis of this information is compiled into two sections:
1) a format that is easily understandable by management (executive summary) and 2) a technical report
that details the findings in a technical manner (Findings and Recommendations).
• Review all findings, removing all false positives
• Create concise overview of findings to present to executive sponsors
• Create detailed report of the engagement to deliver to technical staff
Post-Assessment Retest
FishNet Security will provide a retest within 45 days of the original test completion. Post-assessment
testing will be conducted against the same IP range used in the original test; any changes in the IP range
will require a change order and may incur additional labor or license fees.
• Provide remediation follow-up on exploited systems only
• Provide findings in original report addendum
Deliverables
FishNet Security will provide the City with the following deliverable documents, in electronic format.
Security Assessment Report
The report will describe the work performed; will show the criticality rating of the discovered
vulnerabilities; and will provide remediation steps and additional recommendations to improve security.
Included in this report are the following sections:
Executive Summary
This section of the report will provide the City with a summarization of findings and
recommendations in a non-technical format.
Findings and Recommendations
This section of the report will provide the City with a consolidated list of findings, root cause
analysis, and clear action steps to mature the current security posture. This also will discuss the
City's strengths, comments from the technical staff, and any mitigating factors with regards to the
identified risks.
Perimeter Network Vulnerability Matrix Report
This report will provide the City with a matrix containing vulnerabilities found, implications, severity or risk
level, and specific recommendations for remediation.
Knowledge Transfer
FishNet Security encourages the involvement of the City's staff and will provide knowledge transfer as
part of the comprehensive information security assessment. Participation throughout the engagement is
determined by the City's availability.
Dependencies and Assumptions
The following terms are set forth to determine the roles and responsibilities that both parties are to
maintain. This is done to eliminate confusion and prevent delays in data gathering. Failure to maintain
these terms may result in extended data collection, additional labor fees, and related travel expenses to
cover the extra time spent on-site.
• FishNet Security will not begin to provide the Services as described until the City has returned the
signed SOW.
• The City will designate one (1) employee to serve as a primary Point of Contact (POC) for the
FishNet Security project team. The City's designated POC will be responsible for, and have
authority to schedule, the City resources for required meetings, interviews, and other needs
deemed necessary to complete the project work within the specified project parameters. The City
POC will participate in weekly status meetings and serve as the first point of escalation for any
project related requests or issues.
• Evasive network assessment testing is conducted in an effort to avoid all automated and manual
alerting and detection controls. As such, this style of testing is a best-effort activity and depends
largely on the length of time FishNet Security is allotted to complete the project. FishNet Security
does not guarantee all activities will evade detection. If testing activities trigger alerts or are
detected, evasive testing procedures will be halted and FishNet Security will complete the
remaining portions of the assessment in a non-evasive manner, unless an alternative testing
strategy is requested by the City and mutually agreed upon by FishNet Security.
• Manual validation of identified vulnerabilities is a best-effort activity and is intended to reduce, not
completely eliminate, false-positive findings. Manual validation activities typically include
software version checks and review of installed patches and service packs.
• FishNet Security assumes that the final deliverable report will consist of a single, consolidated
document. A Change Order fee will be applied to any additional reports that are required, but are
not requested by the City during the project scoping process.
• FishNet Security assumes that all project phases will be conducted from a single geographical
location. A Change Order fee may be applied for any additional locations that require physical
visitation by FishNet Security Consultants, but are not requested by the City during the project
scoping process.
• FishNet Security assumes that testing activities can be performed continuously in eight-hour
windows, on consecutive days and during regular business hours. Smaller testing windows or
off-hours testing time (Monday to Friday 5PM to 8AM and weekends) requirements should be
communicated during initial project scoping. Special testing requests that are not communicated
during the initial project scoping may result in a mutually agreed upon Change Order.
• The City is responsible for notifying impacted personnel of the testing as needed, and said testing
is conducted with the expressed authority of management.
• The City will provide access to all proprietary information, applications, and systems necessary to
the success of this project.
• FishNet Security will not perform any additional work outside of the scope of work described in
this proposal without the expressed permission of authorized City personnel, including a
signed Change Order.
• Scoped pricing is based upon the information provided by the client via initial discovery
documents/conversations with FishNet Security prior to the start of the engagement. Additional
applications and/or systems found during discovery phase of the engagement, not stated in this
SoW, will incur additional scoping, services or fees and may result in the need for a mutually
agreed upon Change Order.
• FishNet Security assumes that all client data gathering activities will be executed in an efficient
manner and data promptly submitted to FishNet Security consultants. Any delays incurred in
acquiring this information may result in the need for a mutually agreed upon Change Order.
• No FishNet Security employee is expected to work more than 10 consecutive hours.
• Cancellation: Two (2) weeks' written notice in advance of the engagement start date is required
for cancelling or rescheduling any services. If cancellation or rescheduling occurs with less than
two (2) weeks' advance notice of the scheduled start date, the City agrees to pay a fee of $3,500.
Statement of Risk
Throughout the assessment, there may be several procedural points that the client must be aware of,
including:
• During the course of a security assessment, some of the methods and tools utilized, when used
without authorization and permission of the organization they are being employed against, may
constitute a violation of state and federal law. FishNet Security will not use any methods or tools
on the City's network without the prior permission of the City.
• FishNet Security makes every effort to reduce the chance of service disruption while conducting
testing on the City network devices. As a result of this exercise and depending on the severity of
any existing vulnerabilities on client equipment being inspected, the possibility exists that service
disruptions could occur.
• If the exercise appears to be causing a real or suspected disruption to the client's activities,
operations, or production systems, the assessor(s) will immediately halt the exercise and make
notification to the City.
Due to the sensitive nature of this scope of work, it is imperative that the client understands the
associated risks.
Project Management
Project Management Overview
As an initiative-focused engagement, maintaining clear channels of communication will be necessary to
ensure success. FishNet Security will conduct status meetings, including documented briefings on project
status, issues noted, and issues addressed as they relate to schedule, deliverables, project quality, and
team interaction. In addition to these scheduled briefings, FishNet Security will provide immediate
notification of issues requiring City action or intervention. FishNet Security expects the prompt
resolution of any issues identified by our team members, as well as by the City, to have minimal impact on
the project timelines.
Responsibilities
The following list details FishNet Security's project management responsibilities for this engagement:
• Facilitation of the engagement kick-off meeting
• Management of project budget and Change Order process (if needed)
• Coordination of FishNet Security personnel logistics
• Status report preparation and delivery on regular intervals as determined by the City's
engagement leader
• Ensure deliverables meet the City sponsor's approval within the boundaries of the scope
of the engagement
• Ensure engagement work is completed as agreed upon in this SoW and obtain the City
sign-off
Additional project management services beyond the responsibilities listed above can be provided at an
additional cost and will be agreed upon prior to signature of this SoW.
Project Change Control
In the process of an engagement, additional work may be required based upon on-site discovery or
changes requested by the City. If variations from the original SoW are deemed necessary, a mutually
agreed-upon Change Order will be created. FishNet Security will provide a Change Order for the City to
review and sign before any work outside the original scope is performed or additional expenses are
invoiced to the City.
The Change Order will specifically address the work, software, or other items added to the SoW and the
associated costs. A brief explanation of the requirements for the changes will also be included.
Security and Privacy
Ensuring the security and privacy of your information is paramount. FishNet Security employees are
guided by strict information security handling procedures to maintain a high level of security.
• All employees are subjected to criminal history investigation as a condition of hire.
• All employees have agreed to and signed non-disclosure agreements.
• Data files maintained on portable computers (laptops) will be encrypted.
• Communications of sensitive "Client Confidential" data will be encrypted.
• Physical (paper) files and reports will be secured in locked offices and/or file cabinets.
• Client data files are destroyed after one year unless agreed to differently via client
contract or industry/regulatory requirement.
Project Plan and Estimated Timelines
Detailed timelines and milestones will be further discussed and developed upon choosing FishNet
Security as the selected security services provider. Our consultants can typically be available within two
to four weeks of signature of this SoW. FishNet Security is committed to completing the project within a
timeframe that is agreed upon with the City.
Estimated Project Schedule
Tasks                                        Estimated Duration*
PCI Perimeter Network Penetration Testing    8 — 10 Days
*Please note — time estimates include all labor and documentation. The above timeline is an estimate used for
example purposes. The specific schedule will be determined collaboratively between FishNet Security and the City at
engagement commencement.
EXHIBIT B
PAYMENT SCHEDULE
Cost for PCI Perimeter Network Penetration Testing
emotes
orrned
$14,255
Invoice 50% with Signature of SoW and 50% upon receipt of deliverable.
Payment term Net/30 from the date of invoice. This quote is valid for 30 days from the date of the proposal.
Please e-mail/fax signed SOW in its entirety to FishNet Security at CentralFIRST@fishnetsecurity.com, or 816.421.3371.
EXHIBIT C
MILESTONE ACCEPTANCE FORM
Services Delivered: PCI Perimeter Network Penetration Testing
Milestone / Deliverable Ref. #: 141899
Milestone / Deliverable Name: Security Assessment Report
Unit Testing Completion Date:
Milestone / Deliverable Target Completion Date:
Milestone / Deliverable Actual Completion Date:
Approval Date:
Comments (if needed):
Approved by Consultant: Approved by City Department Director:
Signature: Signature:
Printed Name: Printed Name:
Title: Title:
Date: Date:
For Director Use Only
Contracted Payment Amount:
Adjustments, including
penalties:
Approved Payment Amount:
EXHIBIT D
NETWORK ACCESS AGREEMENT
1. The Network. The City owns and operates a computing environment and network (collectively
the "Network"). Contractor wishes to access the City's network in order to provide PCI Perimeter
Network Penetration Testing. In order to provide the necessary support, Contractor needs access to
Internet facing systems including, but not limited to, publicly routable systems located at the perimeter
of the City's primary registered Internet presence, the Internet presence for the Water Department, the
Internet presence for the Joint Emergency Operations Center, and the Internet presence for the City of
Fort Worth Public Library.
2. Grant of Limited Access. Contractor is hereby granted a limited right of access to the City's
Network for the sole purpose of providing PCI Perimeter Network Penetration Testing. Such access is
granted subject to the terms and conditions set forth in this Agreement and applicable provisions of the City's
Administrative Regulation D-7 (Electronic Communications Resource Use Policy), of which such
applicable provisions are hereby incorporated by reference and made a part of this Agreement for all
purposes herein and are available upon request.
3. Network Credentials. The City will provide Contractor with Network Credentials consisting of
user IDs and passwords unique to each individual requiring Network access on behalf of the Contractor.
Access rights will automatically expire one (1) year from the date of this Agreement. If this access is
being granted for purposes of completing services for the City pursuant to a separate contract, then this
Agreement will expire at the completion of the contracted services, or upon termination of the contracted
services, whichever occurs first. This Agreement will be associated with the Services designated below.
Services are being provided in accordance with City Secretary Contract No.
Services are being provided in accordance with City of Fort Worth Purchase Order No.
Services are being provided in accordance with the Agreement to which this Access Agreement
is attached.
No services are being provided pursuant to this Agreement.
4. Renewal. At the end of the first year and each year thereafter, this Agreement may be renewed
annually if the following conditions are met:
4.1 Contracted services have not been completed.
4.2 Contracted services have not been terminated.
4.3 Within the thirty (30) days prior to the scheduled annual expiration of this Agreement, the
Contractor has provided the City with a current list of its officers, agents, servants, employees or
representatives requiring Network credentials.
Notwithstanding the scheduled Agreement expiration or the status of completion of services, Contractor
shall provide the City with a current list of officers, agents, servants, employees or representatives that
require Network credentials on an annual basis. Failure to adhere to this requirement may result in denial
of access to the Network and/or termination of this Agreement.
5. Network Restrictions. Contractor officers, agents, servants, employees or representatives may
not share the City-assigned user IDs and passwords. Contractor acknowledges, agrees and hereby gives
its authorization to the City to monitor Contractor's use of the City's Network in order to ensure
Contractor's compliance with this Agreement. A breach by Contractor, its officers, agents, servants,
employees or representatives, of this Agreement and any other written instructions or guidelines that the
City provides to Contractor pursuant to this Agreement shall be grounds for the City immediately to deny
Contractor access to the Network and Contractor's Data, terminate the Agreement and pursue any other
remedies that the City may have under this Agreement or at law or in equity.
5.1 Notice to Contractor Personnel — For purposes of this section, Contractor Personnel shall
include all officers, agents, servants, employees, or representatives of Contractor. Contractor shall be
responsible for specifically notifying all Contractor Personnel who will provide services to the City under
this Agreement of the following City requirements and restrictions regarding access to the City's Network:
(a) Contractor shall be responsible for any City-owned equipment assigned to Contractor
Personnel, and will immediately report the loss or theft of such equipment to the City;
(b) Contractor, and/or Contractor Personnel, shall be prohibited from connecting personally-owned
computer equipment to the City's Network;
(c) Contractor Personnel shall protect City-issued passwords and shall not allow any third
party to utilize their password and/or user ID to gain access to the City's Network;
(d) Contractor Personnel shall not engage in prohibited or inappropriate use of Electronic
Communications Resources as described in the City's Administrative Regulation D7;
(e) Any document created by Contractor Personnel in accordance with this Agreement is
considered the property of the City and is subject to applicable state regulations
regarding public information;
(f) Contractor Personnel shall not copy or duplicate electronic information for use on any
non-City computer except as necessary to provide services pursuant to this Agreement;
(g) All network activity may be monitored for any reason deemed necessary by the City;
(h) A Network user ID may be deactivated when the responsibilities of the Contractor
Personnel no longer require Network access.
6. Termination. In addition to the other rights of termination set forth herein, the City may terminate
this Agreement at any time and for any reason with or without notice, and without penalty to the City.
Upon termination of this Agreement, Contractor agrees to remove entirely any client or communications
software provided by the City from all computing equipment used and owned by the Contractor, its
officers, agents, servants, employees and/or representatives to access the City's Network.
7. Information Security. Contractor agrees to make every reasonable effort in accordance with
accepted security practices to protect the Network credentials and access methods provided by the City
from unauthorized disclosure and use. Contractor agrees to notify the City immediately upon discovery of
a breach or threat of breach which could compromise the integrity of the City's Network, including but not
limited to, theft of Contractor-owned equipment that contains City-provided access software, termination
or resignation of officers, agents, servants, employees or representatives with access to City-provided
Network credentials, and unauthorized use or sharing of Network credentials.
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
By:
Susan Alanis
Assistant City Manager
Date:
ATTEST:
By:
Assistant City Secretary
APPROVED AS TO FORM AND LEGALITY:
By:
Assistant City Attorney
M & C: none required
FISHNET SECURITY, INC.:
By:
Name: Gary Fish
Title: Chief Executive Officer
Date: May 8, 2012
By:
Name: Mark Williams
Title: Chief Financial Officer
EXHIBIT E
VERIFICATION OF SIGNATURE AUTHORITY
Full Legal Name of Company: FishNet Security, Inc.
Legal Address: 6130 Sprint Parkway, Suite 400, Overland Park, KS 66211
Services to be provided: PCI Perimeter Network Penetration Testing
Execution of this Signature Verification Form ("Form") hereby certifies that the following individuals
and/or positions have the authority to legally bind the Company and to execute any agreement,
amendment or change order on behalf of Company. Such binding authority has been granted by proper
order, resolution, ordinance or other authorization of Company. The City is fully entitled to rely on the
warranty and representation set forth in this Form in entering into any agreement or amendment with
Company. Company will submit an updated Form within ten (10) business days if there are any changes
to the signatory authority. The City is entitled to rely on any current executed Form until it receives a
revised Form that has been properly executed by the Company.
1. Name: Gary Fish
Position: Chief Executive Officer
Signature:
2. Name: Mark Williams
Position: Chief Financial Officer
Signature:
3. Name:
Position:
Signature:
Name: Gary Fish
Signature of President / CEO
Other Title:
Date: May 8, 2012