CITY SECRETARY CONTRACT NO. 42621
PROFESSIONAL SERVICES AGREEMENT
This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by
and between the CITY OF FORT WORTH (the "City"), a home rule municipal corporation situated in
portions of Tarrant, Denton and Wise Counties, Texas, acting by and through Susan Alanis, its duly
authorized Assistant City Manager, and SECURE IP SOLUTIONS LLC dba SOS SECURITY (the
"Consultant" or "Contractor"), a Texas LLC and acting by and through Kirk Jones, its duly authorized
President, each individually referred to as a "party" and collectively referred to as the "parties."
CONTRACT DOCUMENTS:
The Contract documents shall include the following:
1. This Agreement for Professional Services
2. Exhibit A — Statement of Work plus any amendments to the Statement of Work
3. Exhibit B — Service Order
4. Exhibit C — Milestone Acceptance Form
5. Exhibit D — Network Access Agreement
6. Exhibit E — Signature Verification Form
All Exhibits attached hereto are incorporated herein and made a part of this Agreement for all purposes.
In the event of any conflict between the documents, the terms and conditions of this Professional
Services Agreement shall control.
1. SCOPE OF SERVICES.
Consultant hereby agrees to provide the City with professional consulting services for the
purpose of development of a Project Plan and Roadmap to address the City's Payment Card Industry
Data Security Standards initiative. Attached hereto and incorporated for all purposes incident to this
Agreement is Exhibit "A," Statement of Work, more specifically describing the services to be provided
hereunder.
2. TERM.
This Agreement shall commence upon the date that both the City and Consultant have
executed this Agreement ("Effective Date") and shall continue in full force and effect for 6 months
("Initial Term"), unless terminated earlier in accordance with the provisions of this Agreement. The City
shall provide Consultant with written notice of its intent to renew at least thirty (30) days prior to the end
of each term.
3. COMPENSATION.
The City shall pay Consultant an amount not to exceed [$22,168.00] in accordance with the
provisions of this Agreement and the Service Order attached as Exhibit "B," which is incorporated for all
purposes herein. Consultant shall not perform any additional services for the City not specified by this
Agreement unless the City requests and approves in writing the additional costs for such services. The
City shall not be liable for any additional expenses of Consultant not specified by this Agreement unless
the City first approves such expenses in writing.
[Stamp: OFFICIAL RECORD, CITY SECRETARY, FT. WORTH, TX]
4. TERMINATION.
4.1 Written Notice.
The City or Consultant may terminate this Agreement at any time and for any reason by
providing the other party with 30 days written notice of termination.
4.2 Non-appropriation of Funds.
In the event no funds or insufficient funds are appropriated by the City in any fiscal
period for any payments due hereunder, City will notify Consultant of such occurrence and this
Agreement shall terminate on the last day of the fiscal period for which appropriations were
received without penalty or expense to the City of any kind whatsoever, except as to the portions
of the payments herein agreed upon for which funds have been appropriated.
4.3 Duties and Obligations of the Parties.
In the event that this Agreement is terminated prior to the Expiration Date the City shall
pay Consultant for services actually rendered up to the effective date of termination and
Consultant shall continue to provide the City with services requested by the City and in
accordance with this Agreement up to the effective date of termination. Upon termination of this
Agreement for any reason, Consultant shall provide the City with copies of all completed or
partially completed documents prepared under this Agreement.
5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION.
Consultant hereby warrants to the City that Consultant has made full disclosure in writing of any
existing or potential conflicts of interest related to Consultant's services under this Agreement. In the
event that any conflicts of interest arise after the Effective Date of this Agreement, Consultant hereby
agrees immediately to make full disclosure to the City in writing. Consultant, for itself and its officers,
agents and employees, further agrees that it shall treat all information provided to it by the City as
confidential and shall not disclose any such information to a third party without the prior written approval
of the City. Consultant shall store and maintain City Information in a secure manner and shall not allow
unauthorized users to access, modify, delete or otherwise corrupt City Information in any way.
Consultant shall notify the City immediately if the security or integrity of any City information has been
compromised or is believed to have been compromised.
6. RIGHT TO AUDIT.
Consultant agrees that the City shall, until the expiration of three (3) years after final payment
under this contract, or the final conclusion of any audit commenced during the said three years, have
access to and the right to examine at reasonable times any directly pertinent books, documents, papers
and records of the consultant involving transactions relating to this Contract at no additional cost to the
City. Consultant agrees that the City shall have access during normal working hours to all necessary
Consultant facilities and shall be provided adequate and appropriate work space in order to conduct
audits in compliance with the provisions of this section. The City shall give Consultant reasonable
advance notice of intended audits.
Consultant further agrees to include in all its subcontractor agreements hereunder a provision to
the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final
payment of the subcontract, or the final conclusion of any audit commenced during the said three years,
have access to and the right to examine at reasonable times any directly pertinent books, documents,
papers and records of such subcontractor involving transactions related to the subcontract, and further
that City shall have access during normal working hours to all subcontractor facilities and shall be
provided adequate and appropriate work space in order to conduct audits in compliance with the
provisions of this paragraph. City shall give subcontractor reasonable notice of intended audits.
7. INDEPENDENT CONTRACTOR.
It is expressly understood and agreed that Consultant shall operate as an independent
contractor as to all rights and privileges and work performed under this agreement, and not as agent,
representative or employee of the City. Subject to and in accordance with the conditions and provisions
of this Agreement, Consultant shall have the exclusive right to control the details of its operations and
activities and be solely responsible for the acts and omissions of its officers, agents, servants,
employees, contractors and subcontractors. Consultant acknowledges that the doctrine of respondeat
superior shall not apply as between the City, its officers, agents, servants and employees, and
Consultant, its officers, agents, employees, servants, contractors and subcontractors. Consultant
further agrees that nothing herein shall be construed as the creation of a partnership or joint enterprise
between City and Consultant. It is further understood that the City shall in no way be considered a
Co-employer or a Joint employer of Consultant or any officers, agents, servants, employees or
subcontractors of Consultant. Neither Consultant, nor any officers, agents, servants, employees or
subcontractors of Consultant shall be entitled to any employment benefits from the City. Consultant shall
be responsible and liable for any and all payment and reporting of taxes on behalf of itself, and any of its
officers, agents, servants, employees or subcontractors.
8. LIABILITY AND INDEMNIFICATION.
A. LIABILITY - CONSULTANT SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL
PROPERTY LOSS, PROPERTY DAMAGE AND/OR PERSONAL INJURY, INCLUDING DEATH, TO
ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, TO
THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR OMISSION(S), MALFEASANCE OR
INTENTIONAL MISCONDUCT OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR
EMPLOYEES.
B. INDEMNIFICATION - CONSULTANT HEREBY COVENANTS AND AGREES TO INDEMNIFY,
HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS, SERVANTS AND
EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR LAWSUITS OF ANY KIND OR
CHARACTER, WHETHER REAL OR ASSERTED, FOR EITHER PROPERTY DAMAGE OR LOSS
(INCLUDING ALLEGED DAMAGE OR LOSS TO CONSULTANT'S BUSINESS AND ANY
RESULTING LOST PROFITS) AND/OR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND
ALL PERSONS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, TO THE
EXTENT CAUSED BY THE NEGLIGENT ACTS OR OMISSIONS OR MALFEASANCE OF
CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES.
C. COPYRIGHT INFRINGEMENT - Consultant agrees to defend, settle, or pay, at its own cost and
expense, any claim or action against the City for infringement of any patent, copyright, trade
secret, or similar property right arising from City's use of the software and/or documentation in
accordance with this agreement. Consultant shall have the sole right to conduct the defense of
any such claim or action and all negotiations for its settlement or compromise and to settle or
compromise any such claim, and City agrees to cooperate with it in doing so. City agrees to give
Consultant timely written notice of any such claim or action, with copies of all papers City may
receive relating thereto. If the software and/or documentation or any part thereof is held to
infringe and the use thereof is enjoined or restrained or, if as a result of a settlement or
compromise, such use is materially adversely restricted, Consultant shall, at its own expense and
as City's sole remedy, either: (a) procure for City the right to continue to use the software and/or
documentation; or (b) modify the software and/or documentation to make it non-infringing,
provided that such modification does not materially adversely affect City's authorized use of the
software and/or documentation; or (c) replace the software and/or documentation with equally
suitable, compatible, and functionally equivalent non-infringing software and/or documentation at
no additional charge to City; or (d) if none of the foregoing alternatives is reasonably available to
Consultant, terminate this agreement and refund to City the payments actually made to
Consultant under this agreement.
9. ASSIGNMENT AND SUBCONTRACTING.
Consultant shall not assign or subcontract any of its duties, obligations or rights under this
Agreement without the prior written consent of the City. If the City grants consent to an assignment, the
assignee shall execute a written agreement with the City and the Consultant under which the assignee
agrees to be bound by the duties and obligations of Consultant under this Agreement. The Consultant
and Assignee shall be jointly liable for all obligations of the Consultant under this Agreement prior to the
effective date of the assignment. If the City grants consent to a subcontract, the subcontractor shall
execute a written agreement with the Consultant referencing this Agreement under which the
subcontractor shall agree to be bound by the duties and obligations of the Consultant under this
Agreement as such duties and obligations may apply. The Consultant shall provide the City with a fully
executed copy of any such subcontract.
10. INSURANCE.
Consultant shall provide the City with certificate(s) of insurance documenting policies of the
following minimum coverage limits that are to be in effect prior to commencement of any work pursuant
to this Agreement:
10.1 Coverage and Limits
(a) Commercial General Liability
$1,000,000 Each Occurrence
$1,000,000 Aggregate
(b) Automobile Liability
$1,000,000 Each occurrence on a combined single limit basis
Coverage shall be on any vehicle used by the Consultant, its employees, agents,
representatives in the course of providing services under this Agreement. "Any vehicle" shall
be any vehicle owned, hired and non-owned.
(c) Worker's Compensation - Statutory limits
Employer's liability
$100,000 Each accident/occurrence
$100,000 Disease - per each employee
$500,000 Disease - policy limit
This coverage may be written as follows:
Workers' Compensation and Employers' Liability coverage with limits consistent with statutory
benefits outlined in the Texas Workers' Compensation Act (Art. 8308-1.01 et seq. Tex. Rev.
Civ. Stat.) and minimum policy limits for Employers' Liability of $100,000 each
accident/occurrence, $500,000 bodily injury disease policy limit and $100,000 per disease per
employee.
(d) Technology Liability (E&O)
$1,000,000 Each Claim Limit
$1,000,000 Aggregate Limit
Coverage shall include, but not be limited to, the following:
(i) Failure to prevent
(ii) Unauthorized disclosure of information
(iii) Implantation of malicious code or computer virus
(iv) Fraud, Dishonest or Intentional Acts with final adjudication language
Technology coverage may be provided through an endorsement to the Commercial General
Liability (CGL) policy, or a separate policy specific to Technology E&O. Either is acceptable if
coverage meets all other requirements. Any deductible will be the sole responsibility of the Prime
Vendor and may not exceed $50,000 without the written approval of the City. Coverage shall be
claims-made, with a retroactive or prior acts date that is on or before the effective date of this
Contract. Coverage shall be maintained for the duration of the contractual agreement and for two
(2) years following completion of services provided. An annual certificate of insurance shall be
submitted to the City to evidence coverage.
10.2 General Requirements
(a) The commercial general liability and automobile liability policies shall name the City as an
additional insured thereon, as its interests may appear. The term City shall include its
employees, officers, officials, agents, and volunteers in respect to the contracted services.
(b) The workers' compensation policy shall include a Waiver of Subrogation (Right of Recovery) in
favor of the City of Fort Worth.
(c) A minimum of Thirty (30) days notice of cancellation or reduction in limits of coverage shall be
provided to the City. Ten (10) days notice shall be acceptable in the event of non-payment of
premium. Notice shall be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort
Worth, Texas 76102, with copies to the City Attorney at the same address.
(d) The insurers for all policies must be licensed and/or approved to do business in the State of
Texas. All insurers must have a minimum rating of A- VII in the current A.M. Best Key Rating
Guide, or have reasonably equivalent financial strength and solvency to the satisfaction of Risk
Management. If the rating is below that required, written approval of Risk Management is
required.
(e) Any failure on the part of the City to request required insurance documentation shall not
constitute a waiver of the insurance requirement.
(f) Certificates of Insurance evidencing that the Consultant has obtained all required insurance shall
be delivered to the City prior to Consultant proceeding with any work pursuant to this Agreement.
11. COMPLIANCE WITH LAWS, ORDINANCES, RULES AND REGULATIONS.
Consultant agrees that in the performance of its obligations hereunder, it will comply with all
applicable federal, state and local laws, ordinances, rules and regulations and that any work it produces
in connection with this agreement will also comply with all applicable federal, state and local laws,
ordinances, rules and regulations. If the City notifies Consultant of any violation of such laws,
ordinances, rules or regulations, Consultant shall immediately desist from and correct the violation.
12. NON-DISCRIMINATION COVENANT.
Consultant, for itself, its personal representatives, assigns, subcontractors and successors in
interest, as part of the consideration herein, agrees that in the performance of Consultant's duties and
obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group
of individuals on any basis prohibited by law. If any claim arises from an alleged violation of this non-
discrimination covenant by Consultant, its personal representatives, assigns, subcontractors or
successors in interest, Consultant agrees to assume such liability and to indemnify and defend the City
and hold the City harmless from such claim.
13. NOTICES.
Notices required pursuant to the provisions of this Agreement shall be conclusively determined
to have been delivered when (1) hand-delivered to the other party, its agents, employees, servants or
representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3)
received by the other party by United States Mail, registered, return receipt requested, addressed as
follows:
City of Fort Worth
Attn: Susan Alanis, Assistant City Manager
1000 Throckmorton
Fort Worth TX 76102-6311
Facsimile: (817) 392-8654
With Copy to the City Attorney
At same address
SOS Security
Attn: John Marler
Address: 13333 Northwest Fwy #600
Houston TX 77040
Facsimile: (713) 344-0728
14. SOLICITATION OF EMPLOYEES.
Neither the City nor Consultant shall, during the term of this agreement and additionally for a
period of one year after its termination, solicit for employment or employ, whether as employee or
independent contractor, any person who is or has been employed by the other during the term of this
agreement, without the prior written consent of the person's employer.
15. GOVERNMENTAL POWERS/IMMUNITIES.
It is understood and agreed that by execution of this Agreement, the City does not waive or
surrender any of its governmental powers or immunities.
16. NO WAIVER.
The failure of the City or Consultant to insist upon the performance of any term or provision of
this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or
Consultant's respective right to insist upon appropriate performance or to assert any such right on any
future occasion.
17. GOVERNING LAW/VENUE.
This Agreement shall be construed in accordance with the laws of the State of Texas. If any
action, whether real or asserted, at law or in equity, is brought pursuant to this Agreement, venue for such
action shall lie in state courts located in Tarrant County, Texas or the United States District Court for the
Northern District of Texas, Fort Worth Division.
18. SEVERABILITY.
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity,
legality and enforceability of the remaining provisions shall not in any way be affected or impaired.
19. FORCE MAJEURE.
The City and Consultant shall exercise their best efforts to meet their respective duties and
obligations as set forth in this Agreement, but shall not be held liable for any delay or omission in
performance due to force majeure or other causes beyond their reasonable control, including, but not
limited to, compliance with any government law, ordinance or regulation, acts of God, acts of the public
enemy, fires, strikes, lockouts, natural disasters, wars, riots, material or labor restrictions by any
governmental authority, transportation problems and/or any other similar causes.
20. HEADINGS NOT CONTROLLING.
Headings and titles used in this Agreement are for reference purposes only, shall not be deemed
a part of this Agreement, and are not intended to define or limit the scope of any provision of this
Agreement.
21. REVIEW OF COUNSEL.
The parties acknowledge that each party and its counsel have reviewed and revised this
Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved
against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto.
22. AMENDMENTS.
No amendment of this Agreement shall be binding upon a party hereto unless such amendment
is set forth in a written instrument, which is executed by an authorized representative of each party.
23. ENTIRETY OF AGREEMENT.
This Agreement, including the schedule of exhibits attached hereto and any documents
incorporated herein by reference, contains the entire understanding and agreement between the City
and Consultant, their assigns and successors in interest, as to the matters contained herein. Any prior
or contemporaneous oral or written agreement is hereby declared null and void to the extent in conflict
with any provision of this Agreement.
24. COUNTERPARTS.
This Agreement may be executed in one or more counterparts and each counterpart shall, for all
purposes, be deemed an original, but all such counterparts shall together constitute one and the same
instrument.
25. WARRANTY OF SERVICES.
Consultant warrants that its services will be of a professional quality and conform to generally
prevailing industry standards. City must give written notice of any breach of this warranty within thirty (30)
days from the date that the services are completed. In such event, at Consultant's option, Consultant
shall either (a) use commercially reasonable efforts to re-perform the services in a manner that conforms
with the warranty, or (b) refund the fees paid by the City to Consultant for the nonconforming services.
26. MILESTONE ACCEPTANCE.
Consultant shall verify the quality of each deliverable before submitting it to the City for review
and approval. The City will review all deliverables to determine their acceptability and signify acceptance
by execution of the Milestone Acceptance Form, which is attached hereto as Exhibit "C." If the City
rejects the submission, it will notify the Consultant in writing as soon as the determination is made, listing
the specific reasons for rejection. The Consultant shall have ten (10) days to correct any deficiencies and
resubmit the corrected deliverable. Payment to the Consultant shall not be authorized unless the City
accepts the deliverable in writing in the form attached. The City's acceptance will not be unreasonably
withheld.
27. NETWORK ACCESS.
If Consultant, and/or any of its employees, officers, agents, servants or subcontractors (for purposes of
this section "Consultant Personnel"), requires access to the City's computer network in order to provide
the services herein, Consultant shall execute and comply with the Network Access Agreement which is
attached hereto as Exhibit "D" and incorporated herein for all purposes.
28. IMMIGRATION NATIONALITY ACT.
The City of Fort Worth actively supports the Immigration & Nationality Act (INA) which includes
provisions addressing employment eligibility, employment verification, and nondiscrimination. Consultant
shall verify the identity and employment eligibility of all employees who perform work under this
Agreement. Consultant shall complete the Employment Eligibility Verification Form (I-9), maintain
photocopies of all supporting employment eligibility and identity documentation for all employees, and
upon request, provide City with copies of all I-9 forms and supporting eligibility documentation for each
employee who performs work under this Agreement. Consultant shall establish appropriate procedures
and controls so that no services will be performed by any employee who is not legally eligible to perform
such services. Consultant shall provide City with a certification letter that it has complied with the
verification requirements required by this Agreement. Consultant shall indemnify City from any penalties
or liabilities due to violations of this provision. City shall have the right to immediately terminate this
Agreement for violations of this provision by Consultant.
29. INFORMAL DISPUTE RESOLUTION.
Except in the event of termination pursuant to Section 4.2, if either City or Consultant has a claim,
dispute, or other matter in question for breach of duty, obligations, services rendered or any warranty that
arises under this Agreement, the parties shall first attempt to resolve the matter through this dispute
resolution process. The disputing party shall notify the other party in writing as soon as practicable after
discovering the claim, dispute, or breach. The notice shall state the nature of the dispute and list the party's
specific reasons for such dispute. Within ten (10) business days of receipt of the notice, both parties shall
commence the resolution process and make a good faith effort, either through email, mail, phone conference,
in person meetings, or other reasonable means to resolve any claim, dispute, breach or other matter in
question that may arise out of or in connection with this Agreement. If the parties fail to resolve the dispute
within sixty (60) days of the date of receipt of the notice of the dispute, then the parties may submit the matter
to non-binding mediation in Tarrant County, Texas, upon written consent of authorized representatives of
both parties in accordance with the Industry Arbitration Rules of the American Arbitration Association or other
applicable rules governing mediation then in effect. The mediator shall be agreed to by the parties. Each
party shall be liable for its own expenses, including attorney's fees; however, the parties shall share
equally in the costs of the mediation. If the parties cannot resolve the dispute through mediation, then either
party shall have the right to exercise any and all remedies available under law regarding the dispute.
Notwithstanding the fact that the parties may be attempting to resolve a dispute in accordance with this
informal dispute resolution process, the parties agree to continue without delay all of their respective
duties and obligations under this Agreement not affected by the dispute. Either party may, before or
during the exercise of the informal dispute resolution process set forth herein, apply to a court having
jurisdiction for a temporary restraining order or preliminary injunction where such relief is necessary to
protect its interests.
30. SIGNATURE AUTHORITY.
The person signing this agreement hereby warrants that he /she has the legal authority to execute
this agreement on behalf of the respective party, and that such binding authority has been granted by
proper order, resolution, ordinance or other authorization of the entity. This Agreement, and any
amendment(s) hereto, may be executed by any authorized representative of Consultant whose name, title
and signature is affixed on the Verification of Signature Authority Form, which is attached hereto as
Exhibit "E" and incorporated herein by reference. Each party is fully entitled to rely on these warranties
and representations in entering into this Agreement or any amendment hereto.
[SIGNATURE PAGE FOLLOWS]
IN WITNESS WHEREOF, the parties hereto have executed this Agreement in multiples this ___ day of
____________, 20__.
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
By:
Susan Alanis
Assistant City Manager
Date:
ATTEST:
By:
City Secretary
SOS SECURITY:
By:
Name:
Title:
Date:
ATTEST:
By:
APPROVED AS TO FORM AND LEGALITY:
Males B Farmer
Assistant City Attorney
CONTRACT AUTHORIZATION:
M&C:
Date Approved:
EXHIBIT A
STATEMENT OF WORK
PCI Roadmap Proposal for
City of Fort Worth
Prepared by SOS Security
Jason Ottwell/Lori Morgan
Project # DFW-28091101
Proposal Contents
Project Overview
Background
Goals & Objectives
Project Scope
Project Phases
Phase 1 — Planning
Phase 2 — Information Gathering
Phase 3 — PCI DSS Compliance Gap Analysis
Phase 4 — Remediation Recommendation Projects
Phase 5 — Detailed Project Plan and Roadmap
Phase 6 — Closing
Project Timeline
Project Billable Estimates
Out of Scope
Project Assumptions
EXHIBIT B: SERVICES ORDER
EXHIBIT C: MILESTONE ACCEPTANCE FORM
EXHIBIT D: NETWORK ACCESS AGREEMENT
EXHIBIT E: VERIFICATION OF SIGNATURE AUTHORITY
Project Overview
Background
The City of Fort Worth is pursuing PCI DSS (Payment Card Industry Data Security Standard) compliance, as
requested by Chase Paymentech. As a Level ; merchant, the City of Fort Worth has been requested to complete self-
assessment questionnaire D ("SAQ D"). In response to the PCI compliance request, the City of Fort Worth is
seeking a professional services firm to support their PCI compliance initiative.
The City of Fort Worth is requesting support to validate its understanding of the current PCI in-scope environment,
conduct a limited PCI DSS version 2.0 compliance gap analysis to understand existing projects towards compliance,
provide recommendations for remediation, develop a detailed project plan with remediation milestones, and create a
remediation roadmap. Additional objectives, such as remediation support, network vulnerability assessments, and
the PCI compliance report are not addressed in the statement of work, but are available services.
This document is SOS Security's response to this request.
Goals & Objectives
The objective of the assessment is to conduct discovery, analysis, and to deliver a roadmap to be applied towards the
PCI initiative.
The following items are critical success factors for the City of Fort Worth for this
engagement:
• Validation of the current PCI environment
• Complete PCI DSS version 2.0 compliance gap analysis
• Recommendations for compliance remediation
• Detailed remediation project plan for internal use
• Remediation Roadmap
• SOS Security will assign personnel that have extensive PCI compliance
experience and have been certified by the PCI Security Standards Council to
validate an entity's adherence to the PCI DSS.
Revision History
Revision Date | Document Version | Revision Author | Summary of Major Changes
10/11/2011 | 1.0 | Jason Ottwell | First draft submitted to City of Fort Worth
10/13/2011 | 1.1 | Jason Ottwell | Clarification of assessor certifications
[illegible] | [illegible] | Jason Ottwell | Formatted into PSA Document
Project Scope
Project Phases
SOS Security will leverage a self-developed methodology that combines years of experience assisting with
compliance projects. Our methodologies are built to be easily customized to a client's environment and unique
business requirements. These include providing assistance in all or select phases of the methodology, as well as the
ability to efficiently leverage work that has been created by the client or another services provider. The specific tasks
of this project are the following:
Phase 1 — Planning
SOS Security consultants will work with City of Fort Worth to accurately capture the work to be performed in this
project and to identify any obstacles that may arise through this project.
SOS Security will conduct a pre-project meeting to get detailed information about City of Fort Worth's environment
necessary to perform the rest of the deployment.
City of Fort Worth will provide a current project list of current projects that will need to be incorporated into the
road map. During preliminary scoping of the engagement SOS Security found that the City of Fort Worth has
previously retained a QSA to perform an audit of the water department. SOS Security will review both the QSA's
report as well as the proposed projects to evaluate the best course of action.
Phase 2 — Information Gathering
SOS Security will perform up to 24 hours of unbilled time to conduct meetings and review of reports to better
understand the City of Fort Worth's current environment. SOS Security will work with City of Fort Worth's project
team to refine the engagement objectives for the assessment, project timing, project planning, interim meetings, and
the reporting format. SOS Security will perform an item-by-item review of all requirements deemed not adequate.
This will be accomplished through interviews with key personnel, the review of existing policies & procedures.
SOS Security will work closely with City of Fort Worth personnel to review all preliminary observations related to
potential PCI compliance gaps. An "item by item" review is intended to facilitate an interactive review of the work
product between the customer and SOS consultants. Up to 6 interviews will be done, and the number of individuals
required will depend upon stakeholders in each group. The purpose of the interviews will be to gather as much
background information as possible. During the interviews, SOS Security will look for projects that are currently in
progress or will be started in the near future.
Phase 3 — PCI DSS Compliance Gap Analysis
SOS Security will perform an initial gap analysis to define high-level projects that will be included in the detailed
project plan. The objective of the analysis is to define projects that are either high value or quickly resolved. Based
upon the gap analysis, the road map and project plan can be further refined. This targeted approach also helps to
contain cost by moving forward with projects that are deemed necessary.
Phase 4 — Remediation Recommendation Projects
SOS Security will work with City of Fort Worth personnel to provide viable options for remediation of deficient
sections of PCI compliance. The objective is to evaluate the list of potential projects, assign priority to the projects,
and define solution options, if available. SOS Security will work with City of Fort Worth to narrow project options,
potential costs of implementation, and project selection. High level projects would include topics such as log
management, out-sourcing of credit card authorizations, scanning for PII data. The information gathering phase will
set out a list of projects. These projects will need to be prioritized and implementation criteria created. A roadmap
can be formed from these high level projects.
Phase 5 — Detailed Project Plan and Roadmap
The project plan and roadmap are dependent upon the completion of Phase 4 (Remediation Recommendation
Projects). Roadmap development demonstrates SOS Security's experience and value as a solution provider solely
focused on security. In addition to the roadmap provided as part of this phase, a detailed project plan outlining the
steps and dependencies to each sub-project will be provided. The project plan will be documented in Microsoft
Project and will be geared towards helping the City of Fort Worth more closely manage the effort. This project plan
is intended to be used by the City of Fort Worth should they choose to do the remediation in-house or with a third
party service provider.
Phase 6 — Closing
As part of our PCI DSS Compliance Program, the following standard deliverables will be provided to you. These
deliverables can be tailored to meet the City of Fort Worth's specific needs. The standard key deliverables are listed
as follows:
• An Executive Summary Report which will include a summary of results that can be shared with
senior management. SOS Security will work in conjunction with the City of Fort Worth to ensure
that executive summary information is presented in a format that meets the City of Fort Worth's
requirements and expectations.
• A PCI Gap Analysis detailing at a high level SOS Security's observations along with
recommended remediation activities to address PCI compliance gaps identified during the
pre-project meetings and assessment.
• A Roadmap to achieve compliance showing the areas needing remediation.
• A detailed project plan outlining the steps and dependencies to each project.
• Deliverables will be in both electronic and hard copies. The project plan will be submitted as a
Microsoft Project file.
Project Timeline
Phases 1 and 2 are intended to be completed in parallel and will not be billable. Gathering of information regarding
projects in progress or starting in the near future will be detailed during phases 1 and 2. Phases 1 through 3 will be
completed onsite. Phase 4 will be partially onsite and remote. During phase 4, the project list may require meetings
with vendors to obtain project criteria. Phases 5 and 6 will be remote, however we understand that onsite work may
be required for any phase. We will schedule time onsite with the project liaison.
Once the projects are defined, implementation criteria decided, and prioritized, the roadmap and project plan will be
created. Phase 4 is dependent upon Phase [illegible]. Phases 4 through 6 will be completed
sequentially.
Project Billable Estimates
Phases 1 and 2 will occur during the 24 hours of unbilled time.
Phase 3 - Approximately 24 hours
Phase 4 - Approximately 32 hours
Phase 5 - Approximately 40 hours
Phase 6 - Approximately 40 hours
Out of Scope
There are additional phases that will be necessary for PCI DSS compliance. These phases are not included in the
scope of the current document. These phases will be presented to management in a separate scope of work at the
appropriate requested time. These phases are as follows:
• Remediation Assistance
• Network Vulnerability Testing
Project Assumptions
The ability to complete this engagement in an efficient and timely manner is critical to SOS Security. The
assumptions listed below set forth the expectations of the working relationship between the City of Fort Worth and
SOS Security.
SOS Security:
• Our consultants consider all City of Fort Worth information and documentation as sensitive and
confidential and will handle appropriately
• Our consultants recognize the value of knowledge transfer and will encourage City of Fort Worth
to participate in all appropriate aspects of the project
• Our consultants and/or project managers will notify City of Fort Worth of any items that may be
delayed as soon as possible in order to determine a way to manage any impact (i.e., cost,
timeframes, modifications, etc.)
• All deliverables will, after completion, be reviewed jointly by City of Fort Worth and SOS
Security consultants
• We shall have no responsibility for other contractors or third parties engaged on the project unless
expressly agreed to in writing
City of Fort Worth:
• Provides a single primary point of contact within City of Fort Worth's organization to help SOS
Security consultants coordinate access to the required project materials and personnel
• Provides documents/diagrams detailing the existing policies, specifications and/or architecture
in a timely manner
• Provides a safe working environment, including a workspace, telephone and network (and
Internet) access for the purpose of time entry, email and project-related efforts
• Provides any necessary building, parking and/or machine room badges/passes to SOS Security
consultants
• SOS Security consultants will be reliant on City of Fort Worth staff to complete identified tasks
and participate in interviews. City of Fort Worth inability to provide [illegible] may affect the
completion of tasks and [illegible]
• If the City of Fort Worth assumptions listed above cannot be met, there may be a negative impact
on project duration. If there are deviations in scope, [illegible] in duration, a change order will
be necessary and an addendum for additional effort will be created. All changes in scope or
duration will be negotiated between SOS Security and City of Fort Worth.
EXHIBIT B- SERVICES ORDER
Client: City of Fort Worth
Date: 09/28/2011
Billing Contact: Accounts Payable
Technical Contact: Steve Streiffert
Phone:
Phone: 832-247-2706
Email:
Email: Steve.Streiff(; @fortworthgov.org
Billing Address:
Address: 275 W 13th Street, Fort Worth, TX
PO Number:
Project Number: DFW-28091101
Account Mgr: Lori Morgan
Practice Dir: Jason Ottwell
Terms and Conditions
• SOS Security will invoice Client for services performed each quarter.
• Each invoice is due and payable within 30 days of invoice date.
• In addition to fees, SOS Security will invoice for, and Client agrees to pay, all reasonable
travel and living expenses incurred by SOS Security personnel during the delivery of these
services, subject to SOS Security expense policy.
• This service is offered on a time and materials basis. The time estimate of the effort is based
on SOS Security present understanding of Customer requirements. If additional effort is
required, SOS Security will furnish Customer with a new estimate and will continue work,
subject to availability of personnel, only after receiving written authorization from Customer.
Description of Services: PCI Roadmap
Hourly Rates:
$163 per hour for 136 Hours: $22,168.00
$0 per hour for 24 Hours: Free
Total: $22,168.00
Executed by Client and SOS Security
Authorized Signature
Authorized Signature - SOS Security
Name Printed:
Name Printed: Kirk Jones
Title:
Title: President
Date:
Date:
OFFICIAL RECORD
CITY SECRETARY
FT. WORTH, TX
APPROVED AS TO FORM AND LEGALITY:
Assistant City Attorney
Attested by:
Rald . Gonzales, Asst
EXHIBIT C: MILESTONE ACCEPTANCE FORM
Services Delivered:
Milestone / Deliverable Ref. #:
Milestone / Deliverable Name:
Unit Testing Completion Date:
Milestone / Deliverable Target Completion Date:
Milestone / Deliverable Actual Completion Date:
Approval Date
Comments (if needed):
Approved by Consultant:
Signature:
Printed Name:
Title:
Date:
For Director Use Only
Contracted Payment Amount:
Adjustments, including
penalties
Approved Payment Amount
Approved by City Department Director:
Signature:
Printed Name:
Title:
Date:
EXHIBIT D: NETWORK ACCESS AGREEMENT
1. The Network. The City owns and operates a computing environment and network (collectively
the "Network"). Contractor wishes to access the City's network in order to provide [consulting services of
development Project Plan and Roadmap for the PCI compliance initiative]. In order to provide the
necessary support, Contractor needs access to [Internet, Intranet, email, and City Network].
2. Grant of Limited Access. Contractor is hereby granted a limited right of access to the City's
Network for the sole purpose of providing consulting services. Such access is granted subject to the
terms and conditions set forth in this Agreement and applicable provisions of the City's Administrative
Regulation D-7 (Electronic Communications Resource Use Policy), of which such applicable provisions
are hereby incorporated by reference and made a part of this Agreement for all purposes herein and are
available upon request.
3. Network Credentials. The City will provide Contractor with Network Credentials consisting of
user IDs and passwords unique to each individual requiring Network access on behalf of the Contractor.
Access rights will automatically expire one (1) year from the date of this Agreement. If this access is
being granted for purposes of completing services for the City pursuant to a separate contract, then this
Agreement will expire at the completion of the contracted services, or upon termination of the contracted
services, whichever occurs first. This Agreement will be associated with the Services designated below.
❑ Services are being provided in accordance with City Secretary Contract No.
❑ Services are being provided in accordance with City of Fort Worth Purchase Order No.
☒ Services are being provided in accordance with the Agreement to which this Access Agreement
is attached.
❑ No services are being provided pursuant to this Agreement.
4. Renewal. At the end of the first year and each year thereafter, this Agreement may be renewed
annually if the following conditions are met:
4.1 Contracted services have not been completed.
4.2 Contracted services have not been terminated.
4.3 Within the thirty (30) days prior to the scheduled annual expiration of this Agreement, the
Contractor has provided the City with a current list of its officers, agents, servants, employees or
representatives requiring Network credentials.
Notwithstanding the scheduled contract expiration or the status of completion of services, Contractor
shall provide the City with a current list of officers, agents, servants, employees or representatives that
require Network credentials on an annual basis. Failure to adhere to this requirement may result in denial
of access to the Network and/or termination of this Agreement.
5. Network Restrictions. Contractor officers, agents, servants, employees or representatives may
not share the City-assigned user IDs and passwords. Contractor acknowledges, agrees and hereby gives
its authorization to the City to monitor Contractor's use of the City's Network in order to ensure
Contractor's compliance with this Agreement. A breach by Contractor, its officers, agents, servants,
employees or representatives, of this Agreement and any other written instructions or guidelines that the
City provides to Contractor pursuant to this Agreement shall be grounds for the City immediately to deny
Contractor access to the Network and Contractor's Data, terminate the Agreement, and pursue any other
remedies that the City may have under this Agreement or at law or in equity.
5.1 Notice to Contractor Personnel — For purposes of this section, Contractor Personnel shall
include all officers, agents, servants, employees, or representatives of Contractor. Contractor shall be
responsible for specifically notifying all Contractor Personnel who will provide services to the City under
this agreement of the following City requirements and restrictions regarding access to the City's Network:
(a) Contractor shall be responsible for any City-owned equipment assigned to Contractor
Personnel, and will immediately report the loss or theft of such equipment to the City
(b) Contractor, and/or Contractor Personnel, shall be prohibited from connecting
personally-owned computer equipment to the City's Network
(c) Contractor Personnel shall protect City-issued passwords and shall not allow any third
party to utilize their password and/or user ID to gain access to the City's Network
(d) Contractor Personnel shall not engage in prohibited or inappropriate use of Electronic
Communications Resources as described in the City's Administrative Regulation D7
(e) Any document created by Contractor Personnel in accordance with this Agreement is
considered the property of the City and is subject to applicable state regulations
regarding public information
(f) Contractor Personnel shall not copy or duplicate electronic information for use on any
non-City computer except as necessary to provide services pursuant to this Agreement
(g) All network activity may be monitored for any reason deemed necessary by the City
(h) A Network user ID may be deactivated when the responsibilities of the Contractor
Personnel no longer require Network access
6. Termination. In addition to the other rights of termination set forth herein, the City may terminate
this Agreement at any time and for any reason with or without notice, and without penalty to the City.
Upon termination of this Agreement, Contractor agrees to remove entirely any client or communications
software provided by the City from all computing equipment used and owned by the Contractor, its
officers, agents, servants, employees and/or representatives to access the City's Network.
7. Information Security. Contractor agrees to make every reasonable effort in accordance with
accepted security practices to protect the Network credentials and access methods provided by the City
from unauthorized disclosure and use. Contractor agrees to notify the City immediately upon discovery of
a breach or threat of breach which could compromise the integrity of the City's Network, including but not
limited to, theft of Contractor-owned equipment that contains City-provided access software, termination
or resignation of officers, agents, servants, employees or representatives with access to City-provided
Network credentials, and unauthorized use or sharing of Network credentials.
ACCEPTED AND AGREED:
CITY OF FORT WORTH:
By:
Susan Alanis
Assistant City Manager
Date:
ATTEST:
By:
City Secretary
APPROVED AS TO FORM AND LEGALITY:
Assistant City Attorney
M&C: none required
SOS SECURITY:
By:
Name: Kirk Jones
Title: President
Date: 28 November 2—
ATTEST:
Name: John Marler
Title: CTO
EXHIBIT E: VERIFICATION OF SIGNATURE AUTHORITY
Full Legal Name of Company: Secure IP Solutions LLC / dba SOS Security
Legal Address: 13333 Northwest Fwy, Suite 600, Houston, TX 77040
Services to be provided: Consulting Services
Execution of this Signature Verification Form ("Form") hereby certifies that the following individuals
and/or positions have the authority to legally bind the Company and to execute any agreement,
amendment or change order on behalf of Company. Such binding authority has been granted by proper
order, resolution, ordinance or other authorization of Company. The City is fully entitled to rely on the
warranty and representation set forth in this Form in entering into any agreement or amendment with
Company. Company will submit an updated Form within ten (10) business days if there are any changes
to the signatory authority. The City is entitled to rely on any current executed Form until it receives a
revised Form that has been properly executed by the Company.
1. Name: Kirk Jones
Position: President
Signature:
2. Name: John Marler
Position:
Signature:
3. Name:
Position:
Signature:
Name:
Signature of President
Date: