Contract 28185
STATE OF TEXAS §
COUNTIES OF TARRANT,
DENTON AND WISE §
KNOW ALL BY THESE PRESENTS:
CONTRACT FOR PROFESSIONAL CONSULTING SERVICES
This Contract is made by the City of Fort Worth, Texas, a municipal corporation
situated in Tarrant County, Texas, hereinafter called "City", and Secure Commerce
Systems, Inc., a Texas for-profit corporation, hereinafter called "Consultant", both parties
acting herein by and through their duly authorized representatives:
1. Scope of Services.
Consultant agrees to provide Information Technology System audit consultation
services to enable City to assess its electronic information network's vulnerability and
penetrability, and provide recommendations for rendering it more secure, as described in
detail in Exhibit "A," Consultant's "Proposal for Network Security / Vulnerability Audit" of
August 15, 2002. Same is attached hereafter and incorporated herein for all purposes by
reference. In the event of a conflict between the terms of this Contract and the terms of
Exhibit "A," this Contract shall control. Specific exception is taken to Section 4.10 "General
Indemnification" of the Consultant's Proposal.
2. Compensation.
The amount to be paid to consultant for all services performed hereunder shall not
exceed Fifty-five thousand dollars ($55,000).
3. Term.
The term of this Contract shall commence the date of full execution by City and
Consultant and, with the exception of on-going maintenance and monitoring as delineated
in Exhibit "A," shall terminate no later than the 28th day of February 2003, unless
terminated earlier as provided herein.
4. Termination.
a. City may terminate this Contract at any time for cause amounting to a
material breach of this Contract by Consultant, by notice in writing to
Consultant. Upon receipt of such notice, Consultant shall immediately
discontinue all services and work and the placing of all orders or the entering
into contracts for all supplies, assistance, facilities and materials in
connection with the performance of this Contract and shall proceed to cancel
promptly all existing contracts insofar as they are chargeable to this Contract.
If the City terminates this Contract under this Section 4.a., the City shall pay
Contractor for services actually performed in accordance herewith prior to
such termination, less such payments as have been previously made to
consultant, in accordance with a final statement submitted by Consultant
documenting the performance of such work. Consultant may terminate this
Contract at any time if any payment due hereunder is not made by the City.
b. In the event no funds or insufficient funds are appropriated and budgeted by
City in any fiscal period for any payments due hereunder ("Default Period"),
City will notify Consultant of such occurrence prior to the beginning of the
Default Period, and this Contract shall terminate on the last day of the fiscal
period for which appropriations were received without penalty or expense to
City of any kind whatsoever with respect to the Default Period, except as to
the portions of the payments herein agreed upon for which funds shall have
been appropriated and budgeted. City agrees to appropriate and budget, as
practicably as possible after the Default Period, amounts sufficient to cover
any payments owed but not paid to Consultant as of the beginning of the
Default period, and to promptly pay these amounts to Consultant. City has
informed Consultant that, concurrently with approval of this contract, City will
appropriate and budget 100% of the funds specified in this Contract, so that
all funds will be appropriated and budgeted prior to the commencement date
of this Contract.
c. Upon termination of this Contract for any reason, and subject to paragraphs 13
and 14, Consultant shall provide the City with copies of all completed or partially
completed documents prepared under this Contract.
d. Either party may terminate this contract upon 60 days notice in writing for
convenience.
5. Insurance.
a. Consultant shall not commence work under this Contract until it has obtained
all insurance required under this section and such insurance has been
approved by the City, nor shall Consultant allow any subcontractor to
commence work on its subcontract until all similar insurance of the
subcontractor has been so obtained and approval given by the City.
b. Workers' Compensation Insurance: Consultant shall take out and maintain
during the life of this Contract statutory Workers' Compensation Insurance for
all of its employees performing any of the services hereunder, and, in case
any work is sublet, Consultant shall require the subcontractor similarly to
provide Workers' Compensation insurance for all of the latter's employees
unless such employees are covered by the protection afforded by Contract's
insurance. In case any class of employee who engages in hazardous work
under this Contract is not protected under the Workers' Compensation
statute, Consultant shall provide and shall cause subcontractor to provide
adequate and suitable insurance for the protection of employees not
otherwise protected.
c. Public Liability and Property Damage Insurance. Consultant shall take out
and maintain during the life of this Contract such public liability and property
damage insurance as shall protect Consultant and any subcontractor
performing work covered by this Contract from claims for personal injuries,
including death, as well as from claims for property damages or losses which
may arise from operation under this contract, whether such operations be by
Consultant or by any subcontractor or by anyone directly or indirectly
employed by either of them. The amount of such insurance shall be as
follows:
(1) Public Liability Insurance. In an amount no less than Two Hundred
Fifty Thousand Dollars ($250,000) for injuries, including accidental
death, to any one person; and subject to the same limit for each
person, in an amount not less than Five Hundred Thousand Dollars
($500,000) on account of one accident;
(2) Property Damage Insurance. In an amount not less than Five
Hundred Thousand Dollars ($500,000);
(3) Umbrella Policy. In an amount not less than One Million Dollars
($1,000,000).
d. Proof of Insurance Coverage. Contractor shall furnish the City with a
certificate of insurance as proof that it has obtained for the duration of this
Contract the insurance amounts required herein. Consultant's insurance
policy shall provide that the insurer shall give the City thirty (30) days' prior
written notice before altering, modifying or terminating the insurance
coverage.
6. Independent Contractor.
Consultant shall perform all work and services hereunder as an independent
contractor and not as an officer, agent or employee of the City. Consultant shall have
exclusive control of, and the exclusive right to control, the details of the work performed
hereunder. Nothing herein shall be construed as creating a partnership or joint venture
between the City and the Consultant, its officers, agents, employees and subcontractors;
and the doctrine of respondeat superior shall have no application as between the City and
the Consultant.
7. Disclosure of Conflicts.
Consultant warrants to the City of Fort Worth that it has made full disclosure in
writing of any existing or potential conflicts of interest related to the services to be
performed hereunder. Consultant further warrants that it will make prompt disclosure in
writing of any conflicts of interest which develop subsequent to the signing of this Contract.
8. Right to Audit.
Consultant agrees that the City shall, until the expiration of three (3) years after final
payment under this contract, have access to and the right to examine at reasonable times
any directly pertinent books, documents, papers and records of the consultant involving
transactions relating to this Contract. Consultant agrees that the City shall have access
during normal working hours to all necessary Consultant facilities and shall be provided
adequate and appropriate work space in order to conduct audits in compliance with the
provisions of this section. The City shall give Consultant reasonable advance notice of
intended audits.
Consultant further agrees to include in all its subcontractor agreements hereunder a
provision to the effect that the subcontractor agrees that the City shall, until the expiration
of three (3) years after final payment of the subcontract, have access to and the right to
examine at reasonable times any directly pertinent books, documents, papers and records
of such subcontractor involving transactions related to the subcontract, and further that City
shall have access during normal working hours to all subcontractor facilities and shall be
provided adequate and appropriate work space in order to conduct audits in compliance
with the provisions of this paragraph. City shall give subcontractor reasonable notice of
intended audits.
9. Prohibition of Assignment.
Neither party hereto shall assign, sublet or transfer its interest herein without the
prior written consent of the other party, and any attempted assignment, sublease or
transfer of all or any part hereof without such prior written consent shall be void.
10. Non-discrimination.
As a condition of this Contract, Consultant covenants that it will take
all necessary actions to insure that, in connection with any work under this
Contract, Contractors, its associates and subcontractors, will not discriminate
in the treatment or employment of any individual or groups of individuals on
the grounds of race, color, religion, national origin, age, sex or physical
handicap unrelated to job performance, either directly, indirectly or through
contractual or other arrangements.
11. Choice of Law; Venue.
a. This Contract shall be construed in accordance with the internal law of the
State of Texas.
b. Should any action, whether real or asserted, at law or in equity, arise out of
the terms of this contract, venue for said action shall be in Tarrant County,
Texas.
12. Rights in Results of Services.
The materials and methods used in the provision of Consultant's services are
proprietary to Consultant. All rights, including copyrights, in and to such materials and
methods shall remain the property of Consultant. City is granted a limited right of internal
reproduction and distribution of materials prepared specifically for City under this Contract.
13. Confidential Information.
City acknowledges and agrees that any and all information (in whatever form)
relating to the business of Consultant and acquired by City under this Contract, or
otherwise, is and shall remain, to the extent permitted by law, confidential information of
Consultant to the extent that it includes valuable and proprietary trade, business and
industry secrets of Consultant. City agrees to maintain in confidence and (except as
otherwise provided in paragraph 13) to refrain, directly or indirectly, from copying, using,
transferring, disclosing or exploiting in any manner any of such confidential information
during the term of this Contract and following termination thereof, for any reason.
EXECUTED on this ____ day of ________, 2002.
ATTEST: CITY OF FORT WORTH
City Secretary
Charles Boswell
Assistant City Manager
APPROVED AS TO FORM AND LEGALITY:
Assistant City Attorney
Contract Authorization
Date
Secure Commerce Systems
By:
Daniel P. White
CEO
City of Fort Worth, Texas
Mayor and Council Communication
DATE: 10/8/02
REFERENCE NUMBER: **P-9691
LOG NAME: 0002-0223
PAGE: 1 of 2
SUBJECT: EXECUTE A CONTRACT WITH SECURE COMMERCE SYSTEMS TO PERFORM A
COMPUTER SECURITY AUDIT OF THE CITY'S INFORMATION TECHNOLOGY
NETWORK FOR THE INTERNAL AUDIT DEPARTMENT
RECOMMENDATION:
It is recommended that the City Council:
1. Authorize the City Manager to execute a contract with Secure Commerce Systems to perform a
computer security audit of the City's Information Technology Network for the Internal Audit
Department for an amount not to exceed $55,000; and
2. Authorize this contract to begin on the date of contract execution, and expire three months thereafter.
DISCUSSION:
The City increasingly uses remote access to its computers by employees (through mobile data
computers, cellular phones, dial-in telephones, etc.), vendors, consultants (through direct links and the
internet), and the public (through the internet).
Additionally, the City currently has over 3,000 personal computers that are connected to the mainframe
and various network servers. All of these connections pose risks that persons, either employees or
non-employees, could gain access to restricted data and intentionally or unintentionally corrupt or
release the data.
Assessing the security of computers and networks is a highly technical undertaking that can best be
performed by consultants using specialized software. The Purchasing Division issued a Request for
Proposal (RFP) to select a consultant to perform a security assessment of internal and external
vulnerabilities of the City's mainframe and network computers. Based on their presentation during the
interview process, the Internal Audit Department selected Secure Commerce Systems to perform the
audit.
This initial selection was based on the following criteria:
• Cost effectiveness;
• Experience in conducting similar reviews;
• Technical proposal; and
• Project delivery times.
BID ADVERTISEMENT - The Purchasing Division solicited thirteen vendors from the purchasing system
database and sixteen vendors from RFP Depot vendor listing. Sixteen responses were received, one
of which was a "no-bid".
TABULATION - See attached bid tabulation.
M/WBE - A waiver of the goal for M/WBE subcontracting requirements was requested by the
Purchasing Division and approved by the M/WBE Office because the purchase of services is from
sources where subcontracting or supplier opportunities are negligible.
FISCAL INFORMATION/CERTIFICATION:
The Finance Director certifies that funds are available in the current operating budget, as appropriated,
of the General Fund.
CB:n
6QN102-0223NVW
Submitted for City Manager's Office by: Charles Boswell, 6183
Originating Department Head: Jim Keyes, 8517
Additional Information Contact: Robert Combs, 8357
FUND | ACCOUNT | CENTER | AMOUNT
(to)
(from) GG01 | 531200 | 0101400 | $55,000.00
CITY SECRETARY
APPROVED 10/08/02
City of Fort Worth
Proposal for
Network Security /
Vulnerability Audit
To be performed by:
Secure Commerce Systems
August 15, 2002
PROPRIETARY and CONFIDENTIAL
This document contains Secure Commerce Systems proprietary
information and should not be released outside of the City of Fort Worth
without prior written consent
Foreword
Secure Commerce Systems, Inc. submits this proposal to the City of Fort Worth for the
purpose of establishing a professional services agreement for the scope defined herein.
Additional copies and questions concerning this report should be directed to Daniel P.
White at Secure Commerce Systems, 17225 El Camino Real, Suite 340, Houston Texas,
77058. The phone number for Secure Commerce Systems is 281-286-3342.
City of Fort Worth Purchasing Office
ATTN: Robert Combs, Purchasing Manager
P.O. Box 17027
Fort Worth, Texas 76102
City of Fort Worth Purchasing Office
ATTN: Robert Combs, Purchasing Manager
1000 Throckmorton
Fort Worth, Texas 76102
1 Executive Summary
Secure Commerce Systems is pleased to respond to the City of Fort Worth's request for assistance in
evaluating the City's existing network security operations, and in providing effective recommendations
for mitigating the risks that are identified.
1.1 Intent to Perform Services
Secure Commerce Systems intends to perform the following services as specified in the Request for
Proposal (RFP):
1. Evaluate security controls to detect and/or prevent unauthorized access to the City of Fort
Worth's computer network through its internet web pages.
2. Evaluate security controls to detect and/or prevent unauthorized access to the City of Fort
Worth's computer network through its dial-in system.
3. Evaluate existing internal network security controls that limit access and/or prevent unauthorized
use of the City of Fort Worth's network resources by employees, contractors and vendors.
4. Prepare a written report, in a format agreed to by the City Auditor, listing security vulnerabilities
identified and recommendations for abating those vulnerabilities.
1.2 Qualifications for Selection
Secure Commerce Systems' vulnerability and penetration assessment services are among the most
advanced in the industry. Secure Commerce Systems uses tested commercial products such as Internet
Security System's Internet Scanner and Database Scanner, Symantec's Enterprise Security Manager,
SPI Dynamics Web Inspect and its own GuardTower™ recurring assessment family of products.
Secure Commerce Systems' vulnerability assessment services provide its clients with a thorough
understanding of the dynamics of their ever-changing networks.
Secure Commerce Systems' vulnerability assessment strategy uses two very different approaches that
include an "insider" with knowledge of the network or an "outsider" with little or no knowledge of the
network. Typically, an Internet perimeter assessment will use the latter approach and is often followed
by a penetration test to determine what internal assets can be accessed or intellectual property
compromised as a result of the vulnerabilities discovered. Internal assessments usually use the "insider"
approach, where internal IT security personnel knowledge is utilized to streamline the engagement
activities and to explore the "insider gone bad" possibilities for asset compromise.
In either case, Secure Commerce Systems' assessments identify all systems connected to the network.
The systems identified are carefully examined to exclude devices such as printers, programmable logic
controllers, and legacy systems whose TCP/IP stacks may not be robust enough to withstand high
criticality vulnerability scanning.
In addition, Secure Commerce Systems' assessment services offer the option of automated vulnerability
remediation utilizing the Citadel Hercules product. This product drastically reduces the labor required
for vulnerability remediation by performing concurrent patch application to multiple systems, including
configuration changes as needed. In this way, Secure Commerce Systems is able to leave its clients with
an updated operating system baseline for future comparison.
Networks, however, are constantly changing as new systems are continually being added to the network.
Configuration management is difficult to achieve in development networks, and newly discovered
vulnerabilities plague even production networks that are carefully configuration managed. Secure
Commerce Systems recommends recurring assessments throughout the year, and its GuardTower™
automated recurring assessment services are available to provide economical continuing assessments for
mission critical systems.
Often, the Return On Investment (ROI) for vulnerability assessments is not apparent until vulnerabilities
have been used to gain unauthorized access or to create a denial of service situation. Secure Commerce
Systems' reports demonstrate the value of remediation from a business perspective.
1.3 Authorization Letter and Signature
To the City of Fort Worth,
Secure Commerce Systems thanks you for the opportunity to work with you on Network
Security/Vulnerability Audit project.
This proposal represents our current understanding of your needs, and our approach to addressing those
needs. Should this proposal be accepted, Secure Commerce Systems agrees to enter into a contract under
the terms and conditions as prescribed by the Request For Proposal (RFP). No exceptions to the terms
and conditions prescribed by the RFP are taken.
Please review this proposal, and communicate to us any changes, questions or concerns you may have.
We anticipate that we can respond to all of your requirements, and look forward to beginning work
soon.
Sincerely,
Ron Newman, Chief Operations Officer
Secure Commerce Systems, Inc.
The City of Fort Worth Agreement for
Secure Commerce Systems, Inc.
Professional Services
Consulting Services estimated not to exceed
$175.00 per hour for 300 hours
For a total of $52,500.00
And $2,500.00 in estimated expenses
For a total authorization not to exceed
$55,000.00
Contract Number: SCS 081502-1
Each of us agrees that the complete agreement between Secure Commerce Systems and the City of Fort
Worth about these services consists of this Customer Agreement and the associated Engagement Letter.
Agreed to:
Customer Name:
City of Fort Worth
Purchasing Office
1000 Throckmorton
Fort Worth, Texas 76102
By:
Authorized Signature
Name (type or print): Robert Combs
Title: Purchasing Manager
Date:
Agreed to:
Secure Commerce Systems, Inc.
17225 El Camino Real, Suite 340
Houston, Texas 77058
By:
Authorized Signature
Name (type or print): Daniel P. White
Title: CEO
Date:
2 Proposal
Secure Commerce Systems is pleased to present this proposal to the City of Fort Worth. This proposal is
organized according to the RFP requirements to facilitate your review efforts.
2.1 Organization
All work specified within this proposal will be performed by personnel from the Houston office of
Secure Commerce Systems, Inc., located at:
Secure Commerce Systems, Inc.
17225 El Camino Real, Suite 340
Houston, Texas 77058
Secure Commerce Systems is an S-class corporation in the State of Texas and has offices in Houston,
Dallas, Austin, Philadelphia, and Los Angeles.
2.2 System Concept and Solution
Secure Commerce Systems is proposing to provide the City of Fort Worth an analysis of the information
security vulnerabilities associated with information systems, routers, and firewalls located on the TCP/IP
networks of the City of Fort Worth. Secure Commerce Systems will evaluate the City's vulnerability to
unauthorized access to or use of its network resources.
2.3 Scope of Work
The scope of this information security vulnerability assessment will include the information systems
administered by the IT Solutions Department of the City of Fort Worth. Many of these systems are
centrally located at City Hall, but not all are located in the IT Solutions computer room.
The purpose of this task is to detect vulnerabilities that can be exploited to penetrate the City of Fort
Worth Internet gateway firewalls and internal network systems via TCP/IP and network services
vulnerabilities. Secure Commerce Systems will conduct interviews with designated City of Fort Worth
network professionals and use various proprietary intrusion testing methods to map the network and to
assess the security of the Internet gateway firewalls and the internal network systems.
Secure Commerce Systems intends to perform the following services as specified in the Request for
Proposal (RFP):
1. Evaluate security controls to detect and/or prevent unauthorized access to the City of Fort
Worth's computer network through its internet web pages.
2. Evaluate security controls to detect and/or prevent unauthorized access to the City of Fort
Worth's computer network through its dial-in system.
3. Evaluate existing internal network security controls that limit access and/or prevent unauthorized
use of the City of Fort Worth's network resources by employees, contractors and vendors.
4. Prepare a written report, in a format agreed to by the City Auditor, listing an introduction in
Section 1, an Executive Summary for City Council in Section 2, and detailed security
vulnerabilities identified and recommendations for abating those vulnerabilities in Section 3.
2.4 System Solution
The Security Assessment Team will coordinate its requirements and schedule with the appropriate City
of Fort Worth technical support and network points-of-contact (POC). All assessment activities
requiring access to production systems and networks will be performed in coordination with the
appropriate POC, and change control approval will be obtained prior to proceeding with the assessment.
The methodology employed for performing the vulnerability assessment will follow a sequence of
defined phases. Each phase will be dependent on the output or results of the previous phase or phases
for providing the data needed to accomplish its processes and activities. The phases of this methodology
are presented in the following sub-sections.
2.5 Project Initiation
The purpose of this phase is to develop engagement objectives and to communicate the Security
Assessment Team's understanding of the rules of engagement.
2.6 Discovery
The purpose of this phase will be to gather a detailed understanding of the Internet gateway firewall and
internal network systems. Types of activities included in this phase will be:
• Network architecture reviews
• Data collection, through discussions with technical and management teams, to include individual
firewall rule sets and router configurations
The collection of data from these activities will be used by the assessment team to gain an understanding
of the Internet gateway firewall operational environment in order to develop the most appropriate and
effective means for conducting the rest of the assessment.
2.7 Assessment Phase
The goal of this phase will be to conduct a technical examination of the Internet gateway firewall and
internal network systems utilizing automated tools to assess the connectivity and network environment
and to evaluate the adequacy of security controls in place. This phase will be performed from two
perspectives:
A. Outside Looking In
The purpose of this view will be to simulate typical "hacker" type activities by analyzing
remote access to the Internet gateway firewall environment. The outcome of this task will
be used to determine whether it is possible to attack the perimeter security of the Internet
gateway firewall and to gain unauthorized access to resources within the internal network
environment.
B. Inside Looking Out
The purpose of this view will be to assess the internal network systems to determine
whether it is possible to exploit vulnerabilities of these systems to gain unauthorized
access to resources or to create denial of service situations.
2.8 Reporting
The purpose of this phase is to generate a document that includes an Executive Summary of the
information security vulnerabilities discovered, as well as detailed findings that will provide the IT
professionals responsible for vulnerability remediation with information on where to find patches and/or
suggested technology alternatives.
2.9 Remediation
The purpose of this phase is to provide remediation of the discovered vulnerabilities.
2.10 Deliverables
The outcome of the information security vulnerability assessment will be aggregated into an easy to
understand pair of management and technical reports:
• The management report will quantify the number of discovered vulnerabilities for each of the
low, medium, and high risks present on the network. The business threats that are inherently
obvious as a result of the vulnerabilities will be presented in clear municipal business format.
• The technical report will clearly identify discovered vulnerabilities for the Internet gateway
firewall environment and provide recommendations for corrective measures. Specific patches
and their web URL locations (where applicable) will be provided within the report to facilitate
quick remediation of discovered vulnerabilities.
Any information recovered during this phase will be treated as City of Fort Worth confidential and will
be delivered only to authorized representatives of the City of Fort Worth. A copy of the report will be
kept only as an archival copy on Secure Commerce Systems proprietary systems using a secure
encryption algorithm.
2.11 City of Fort Worth Responsibilities
The City of Fort Worth will identify and make available the necessary personnel and documentation to
provide the assessment team an understanding of the Internet gateway firewall and internal network
systems during the Discovery Phase of the project and via telephone and email thereafter.
The City of Fort Worth will provide office space, supplies, and telecommunications facilities as required
during on-site work.
2.12 Program
The SCS approach makes a clear distinction between "penetration testing" and vulnerability assessment.
Penetration testing, the exploitation of vulnerabilities to gain access, is very useful in establishing a need
or business case for security. However, penetration testing alone does not lead to a process of risk
reduction within the organization. A penetration test is an isolated event. SCS recommends the
implementation of a continuous security improvement methodology that combines policy, process,
technology, and enforceable metrics. Only when this has been accomplished, will an organization
succeed in greatly reducing its risks. And equally important, this is the only way to sustain such risk
reduction over an extended period of time. The Security Capability Maturity Model (SCMM), developed
by SCS, outlines the components of a mature and effective security program.
2.13 External Security Assessment
2.13.1 Network Topology
An ICMP scan of all hosts in an address range is undertaken, using a range of tools, nmap, strobe and
asmodeus.
Commercial scanning tools are not used at this stage due to the slowness in response of these tools at
this point.
Depending upon the blocking of ICMP traffic, alternative TCP/UDP port scans will be undertaken to
locate any `hidden' systems.
An externally visible network topology is plotted via the use of traceroute to all located hosts.
Networks are to be regularly probed over a period of time, to ensure that hosts are not enabled during
`out of hours' or were unavailable due to maintenance or access restrictions. This also sometimes
locates additional hosts that a single scan sometimes misses due to network connectivity, loading or
timing problems.
This is done for a prolonged period of time, and might be detected by any security monitoring and
intrusion detection products at the client site.
2.13.2 Traffic Analysis
Protocol analysis of all network traffic will be undertaken to determine if the firewall is restricting
internal network routing traffic correctly and that no internal traffic is being forwarded incorrectly.
Any information of a personal or confidential nature captured is to be completely deleted from all
storage media immediately following this analysis.
2.13.3 Port Scanning
When a system is located, it is scanned using both TCP (SYN and FIN) scanning and UDP scanning.
The port range scanned is 1-65535. Ports that are open and available, and ports that are present but not
available are noted.
Networks are regularly probed over a period of time, to ensure that ports are not enabled during `out of
hours' or were unavailable due to maintenance or access restrictions.
These tests also produce additional ports that a single scan sometimes misses due to connectivity and
timing problems.
This is done for a prolonged period of time, and should be detected by any security monitoring and
intrusion detection products at the client site.
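The port scanning section expects a prolonged SYN/FIN sweep to be noticed by the client's monitoring. The following is an added example, not part of the SCS proposal, of why the length of the detection window decides that: a per-minute threshold misses a probe sent every ten minutes, while a 24-hour window of distinct ports per source catches it. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any product's real format):
#   <ISO timestamp> <ALLOW|DENY> <proto> <src_ip> <dst_ip> <dst_port> <tcp_flag>


def parse_line(line):
    ts, action, proto, src, dst, port, flag = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst, "port": int(port), "flag": flag}


def build_sample_log():
    """Constructed sample: one slow scanner and one ordinary web client."""
    start = datetime(2002, 8, 15)
    lines = []
    # Scanner: one probe every 10 minutes for two days, a new port each time,
    # alternating SYN and FIN as in the methodology above.
    for i in range(288):
        ts = (start + timedelta(minutes=10 * i)).isoformat()
        flag = "S" if i % 2 == 0 else "F"
        lines.append(f"{ts} DENY TCP 198.51.100.7 192.0.2.10 {1000 + i} {flag}")
    # Web client: frequent connections, but only ever to ports 80 and 443.
    for i in range(500):
        ts = (start + timedelta(minutes=5 * i)).isoformat()
        port = 443 if i % 3 else 80
        lines.append(f"{ts} ALLOW TCP 203.0.113.20 192.0.2.10 {port} S")
    return lines


def max_distinct_ports(events, window):
    """Most distinct destination ports seen inside any sliding window."""
    events = sorted(events, key=lambda e: e["ts"])
    counts = defaultdict(int)
    left = best = 0
    for ev in events:
        counts[ev["port"]] += 1
        # Drop events that have fallen out of the window ending at ev.
        while ev["ts"] - events[left]["ts"] > window:
            old = events[left]["port"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scanners(lines, window, min_ports):
    """Return {(src, dst): distinct ports} for pairs reaching min_ports in a window."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts = {}
    for pair, events in by_pair.items():
        n = max_distinct_ports(events, window)
        if n >= min_ports:
            alerts[pair] = n
    return alerts


def unsolicited_fins(lines):
    """Count FINs per source for ports that source never opened with an allowed SYN."""
    opened = set()
    counts = defaultdict(int)
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"], ev["port"])
        if ev["flag"] == "S" and ev["action"] == "ALLOW":
            opened.add(key)
        elif ev["flag"] == "F" and key not in opened:
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    log = build_sample_log()
    print("1-minute window :", detect_scanners(log, timedelta(minutes=1), 20))
    print("24-hour window  :", detect_scanners(log, timedelta(hours=24), 100))
    print("unsolicited FINs:", unsolicited_fins(log))
```
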
2.13.4 Manual Investigation
A manual investigation of all visible systems will be undertaken using the keyboard mappings of the
domain country.
Any accessible services will be reviewed for weaknesses. These include the absence of one time
password protection on external telnet servers, the lack of a controlled or chrooted ftp environment and
the presence of vulnerable CGI scripts on web servers or hot links to other systems and standard
sendmail and DNS vulnerabilities. The use of standard NT NetBIOS ports will be flagged.
At this stage any recent security advisories, possibly not incorporated into commercial security products,
will be investigated.
2.13.5 Commercial Scanning
Having located all visible hosts, we scan for security vulnerabilities using a commercial tool and select
scan non-responsive hosts, ensuring the port range is suitable. The tools used include Internet Scanner,
eEye's Retina, Nessus, and SPI Dynamics' Web Inspect.
2.13.6 Brute force attacks
If any services are vulnerable to a brute force attack the client will be notified.
If the client has requested a brute force attack and a suitable application is available, brute force scripts
will be tailored to the specific service and executed. If simultaneous internal scanning is being
performed the use of internal telephone directories or any user information gathered will be utilized.
2.13.7 Denial of Service attacks
If any services are vulnerable to a denial of service attack the client will be notified.
If the client has requested a denial of service attack, scripts will be tailored to the specific service.
2.14 Internal Security Assessment
Internal security assessments follow the same methodology of external security assessments. The
following sections detail the differences.
2.14.1 Combined Internal External Scan
When an external and internal scan overlap, the findings of the internal scan are to be fed back to the
external security auditors in an attempt to subvert the security in a more realistic manner.
Internal access also allows real time verification of security procedures during a network intrusion
attack, assuming that the attack has been detected and that a security policy is in effect.
2.14.2 Network Topology
When an internal scan is being undertaken a commercial network analysis product will be used to detect
all systems on a network and plot network diagrams, regardless of addressing information provided by
the client. Secure Commerce Systems uses Raytheon's SilentRunner.
2.14.3 Traffic Analysis
Protocol analysis of any captured packets will be undertaken to determine the information exchanges
occurring and any clear text usernames and passwords passing over the internal network. This also
enables IPX, SNA and other non-IP based traffic to be scanned.
Any information of a personal or confidential nature captured is to be completely deleted from all
storage media immediately following this analysis.
2.14.4 Outgoing Access
The objectives of this exercise are to attempt to gain external access avoiding any proxies and by
spoofing IP addresses in an attempt to probe for routes through a firewall that might enable access for
external systems.
2.14.5 Database Applications
Tests will be performed in an attempt to determine the structure of the database and any partitioning
(physical or logical) restricting query set size.
If internal and external scanning is being undertaken, the use of auditing recording authentication
information and journaling maintaining database integrity during application testing will be validated.
Attempts to subvert referential integrity will be made by using non-primary keys, foreign keys or chosen
value attacks.
Embedded query language will be examined using source code debugging utilities to ensure that
variables are initialized, any data types match, that return values are being checked and that all errors are
being checked, that null and illegal fields or arguments are handled.
Access to database administration accounts, system catalogues and audit logs will be attempted.
Any information of a personal or confidential nature captured is to be completely deleted from all
storage media immediately following this analysis.
If the Database is a SQL, Oracle, or Informix server Database Scanner will be used, otherwise a manual
investigation will be undertaken.
2.15 Host Security Assessments
2.15.1 Host based security products
During a host-based security review, the use of a commercial or other host based security audit product
will be used to evaluate the security of a given system. A detailed scan using one of the following
products will be used: eEye Retina, ISS System Scanner, Symantec's Enterprise Security Manager, SPI
Dynamics' WebInspect, Computer Associates' CA Examine, Pentasafe's Vigilent, and Console Risk
Management's Consul/zAdmin.
2.15.2 Manual review
In addition to running the commercial products, a manual investigation into host-based security will be
undertaken.
2.16 Dial In Penetration Assessments
Secure Commerce Systems' Dial-in penetration assessments are performed locally to minimize long
distance toll charges for our clients. The telephone ranges to be scanned for answering or call back
modems, service contract modems on systems, or telephone switches are identified in advance in
pre-engagement meetings. The agreed upon times and durations in non-prime shift hours are established in
this pre-assessment planning meeting.
Secure Commerce Systems uses commercial tools such as Phone Sweep and ToneLOC to scan the
telephone address ranges for answering modems. A list of answering modems is compiled and Secure
Commerce Systems uses our GuardTower™ System Access Directory (SAD) to identify every known
answering modem's operating system and its "lockout" characteristics as a guide for attempting
password cracking activities on answering modems. Secure Commerce Systems uses L0phtcrack, crack,
John the Ripper, Internet Security System's Internet Scanner, and other internally developed dictionary
password cracking programs to gain access to the systems. Once access is obtained to the systems, any
vulnerabilities that are identified are exploited to gain administrator access, and/or the access obtained is
used to access City sensitive or system sensitive (i.e. password files) information. A copy of these files
is made to include in the report findings.
2.17 PRODUCT Application Security Assessments
Any functional specifications relating to the PRODUCT application that are provided will be reviewed
from a security perspective and used to audit the PRODUCT application. Code level inspection is
performed when under the scope of the engagement.
2.17.1 Legitimate User Testing
Fabricated or test accounts will be used during legitimate user testing, whenever possible.
Attempts to forge transactions or to obtain information owned by another legitimate user will be made.
If information of a personal or confidential nature is accessible, the client will be notified immediately.
If information of a personal or confidential nature is obtained during an ethical hacking exercise, the
methodology used to obtain the information is to be retained but all information obtained is to be
completely deleted from all storage media and the client notified of the intrusion immediately.
2.18 Firewall Security assessments
The operating systems underpinning the firewalls will be manually assessed to ensure they have been
hardened.
The installation of the firewall will be manually checked to ensure that suitable partitioning has been
set for the firewalls.
The firewall configuration and rulesets will be manually checked against any CUSTOMER security
policies or configuration guides and the results of the security assessments.
The management of the firewall will be audited to ensure that configuration and ruleset changes,
backups, removal and examination of audit logs are controlled in accordance with any supplied policies.
Any intrusion detection mechanisms or policies will be audited to ensure that attacks are dealt with in
accordance with any supplied policies.
It will be necessary for any firewall specifications, together with policies and procedures associated with
the firewall to be provided to SCS either before or at the start of the internal phase of the assignment.
2.19 External Testing via Internet
2.61 Externally Visible Information
Any externally available information relating to the PRODUCT infrastructure will be examined for
security related information. If DNS information is available it is researched to obtain all IP addressing
details relating to a given domain name, and reverse address lookups made to obtain and verify an
address range.
In addition to IP address details, contact names and any indication of the user account naming policies in
place within an organization is obtained. In addition to providing valuable information for further use,
this stage ensures that the IP address range to be tested is defined, documented, correct and approved.
Nslookup, and dig requests are made to local name servers to obtain further addressing information, any
other address ranges, which are then looked up using Internic databases to verify ownership.
Authoritative name server requests are made by changing to the primary and secondary name servers of
an organization to ensure that no DNS zone transfer attacks can be made or other additional information
obtained.
2.61.1 Routers
Router configuration policies will be reviewed as part of the final external testing phase to ensure that
the PRODUCT infrastructure is adequately protected.
The router will be checked for suitable packet filtering and Network Address Translation (NAT)
configuration and that IP spoofing or IP source routing is prevented.
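The router checks listed above (packet filtering, NAT, spoofing and source routing) can be expressed as a small configuration audit. This is an added example, not part of the SCS proposal: the proposal names no router vendor, so the Cisco IOS-style syntax, the interface names and the addresses are constructed assumptions, with a weak configuration shown beside a hardened one.

```python
import ipaddress

# Constructed Cisco IOS-style configurations (vendor syntax is an assumption).
WEAK_CONFIG = """\
hostname edge-rtr
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
interface Ethernet0
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
access-list 101 permit ip any any
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no ip source-route
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip nat outside
interface Ethernet0
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""


def parse_config(text):
    """Return (global lines, {interface: [lines]}, {acl id: [entry tokens]})."""
    global_lines, interfaces, acls = [], {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.startswith("access-list "):
            current = None
            parts = line.split()
            acls.setdefault(parts[1], []).append(parts[2:])
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces, acls


def source_net(tokens):
    """Source field of an extended ACL entry as an ip_network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    prefix = 32 - wildcard.bit_length()
    if wildcard != (1 << (32 - prefix)) - 1:
        raise ValueError("non-contiguous wildcard mask: " + tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False)


def acl_blocks_source(entries, internal):
    """First-match walk on the source field only (destination is ignored here)."""
    if not entries:
        return False          # an applied but undefined ACL filters nothing
    for action, proto, *rest in entries:
        src = source_net(rest)
        if action == "deny" and proto == "ip" and internal.subnet_of(src):
            return True
        if action == "permit" and src.overlaps(internal):
            return False
    return True               # implicit deny at the end of the list


def audit(text, outside_if, internal_nets):
    """List findings for the router checks named in the section above."""
    global_lines, interfaces, acls = parse_config(text)
    findings = []
    if "no ip source-route" not in global_lines:
        findings.append("IP source routing is not disabled")
    lines = interfaces.get(outside_if, [])
    acl_id = next((l.split()[2] for l in lines
                   if l.startswith("ip access-group ") and l.endswith(" in")), None)
    if acl_id is None:
        findings.append(f"no inbound packet filter on {outside_if}")
    else:
        for net in internal_nets:
            if not acl_blocks_source(acls.get(acl_id, []), ipaddress.ip_network(net)):
                findings.append(f"ACL {acl_id} admits spoofed source {net}")
    if "ip nat outside" not in lines:
        findings.append(f"NAT outside role not set on {outside_if}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, "Serial0", ["10.1.0.0/16"]))
```
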
2.20 Assessment Methodology Flow chart
[Flow chart. Legible box labels: Pre-Arrival documents; Review SCS Process with Client; Client Approves SCS A&P; Client is provided Waiver to sign; Process Modification; Client requests modifications to A&P process; OFF-SITE; ON-SITE; Procedural Checklist Reviewed; Final review and discussion; A&P Testing; STOP, Call Client; SCS Security Consultant to follow SCS Defined procedures.]
2.21 Deliverable Reports
Secure Commerce Systems GuardTower™ Methodology provides accurate, time stamped,
configuration management of the intermediate deliverables compiled for each section of our risk
assessments. Each of the interim assessment results are double checked for validity and possible,
identifiable false positives. A document manager is assigned to collect each of the external and internal
assessment results from network, host, database and application results and integrates them into the draft
final report.
The City of Fort Worth POC will be informed prior to each phase of the assessment what is about to be
done, when and over what expected duration the tests will be performed, and with permission to proceed
on a non-interruption of City business basis. When testing is complete, the POC will be notified and the
estimate for delivery of the final report will be provided at that time. Final Report Drafts are usually
delivered within two weeks of the termination of assessment activities.
2.22 Project Management Structure
[Organization chart. Legible boxes: Barry Diller, VP of Engineering; Dan White, Project Manager; City of Fort Worth POC; Vulnerability Sciences; City of Fort Worth Team Personnel; Architecture Practice; Policy Admin.]
[Project schedule chart, dated Thu 8/15/02. Legible task names: Introductory Meeting; Pre-Assessment Questionnaire; Assessment Authorization; External Penetration Test; Scan External Router and Firewall; Exploit discovered vulnerabilities; Web Site Assessment; Internal Vulnerability Assessment; Meeting with FW IT Personnel; Dial-In Penetration Test; Scan City Telephone Ranges; Utilize SAD for Password Cracking; Collate Automated Tool Results; Analyze Results; Correlate and Format Detailed Results; Executive Summary.]
2.23 Prior Experience
Secure Commerce Systems has performed over fifty penetration and test engagements for clients in the
government, healthcare, financial service and telecommunications industries. Our engagements are
protected by client confidentiality clauses and no publicity clauses and we respect this privacy of our
clients, as we will for the City of Fort Worth. Esteemed references are available upon request.
2.24 Personnel
The following personnel will be assigned to this project:
1. Daniel P. White
Daniel P. White is the CEO of Secure Commerce Systems, Inc. in Houston, Texas.
Dan White has been providing Information Technology solutions for the Fortune 500 for over
twenty years. Dan began his career at Shell Oil, where for 3 years he provided SCADA control
systems, and then, in the late 1980s, he worked for Sun Microsystems. During the 1990s, Dan
provided security systems engineering at Lockheed Martin for the NASA Johnson Space Center
(JSC) Mission Control Center. In the late 1990s, Dan joined the management of Price Waterhouse in
their Enterprise Security Solutions practice. He later joined Internet Security Systems as the Director
of Professional Services for the Central Region.
Dan started Secure Commerce Systems in 2000 to provide information security services and
products to the government, healthcare, financial services, telecommunications, and technology
industries. A noted speaker and practitioner on intrusion detection systems, firewalls, and security
control systems, Dan has supported healthcare concerns with consulting on HIPAA and 21 CFR 11,
financial concerns with regards to GLB regulatory compliance, Banking and Telecommunications
with E-Commerce, and industry-wide support in information security strategic and tactical solutions.
Dan has a Bachelor of Science degree in Electro-Optics from the University of Houston-Clear Lake
and has CCSE and ISS industry certifications.
Dan will serve as Project manager for this engagement and will devote 15% of his time to this
project.
2. Barry R. Diller, CISSP, VP of Engineering
Barry R. Diller is the Director of Security Systems Engineering for Secure Commerce Systems, Inc.
in Houston, Texas.
Barry started work with IBM after college and transferred to Houston in 1986 to work in the
company's Federal Systems Division, performing system integration work in support of a number of
commercial business proposals. In 1991, he began performing network engineering for the
institutional network at the NASA Johnson Space Center (JSC) and, later, for the Space Shuttle
Onboard Flight Software development organization. Barry installed his first network security
firewall in 1994 and became more and more involved in the security aspects of network engineering
over the years. Barry began work as a senior security engineer and manager with Consolidated Space
Operations Contract (CSOC) in 1999 and was later designated Computer Security Officer (CSO) for
the JSC Mission Control Center, responsible for development and implementation of security
architecture, policies, and procedures for that facility.
Barry received his Master of Science degree in Electrical Engineering from Oklahoma State
University and holds CCSA, CCSE, and CISSP certifications.
Barry will serve as Lead Consultant and will devote 100% of his time to this project.
3. James E. Brigham, CCNA, Sr. Consultant
James E. Brigham is a Senior Security Consultant for Secure Commerce Systems, Inc. in Houston,
Texas.
Jim Brigham has over fifteen years of experience providing network security for leading edge
Fortune 500 clients and companies. He has worked closely with the National Security Agency in the
U.S. and the German National Agency in developing one of the first Common Criteria Laboratories
in the United States. Jim has also been a leader in the HIPAA arena providing consulting and
implementation services. In addition to his previous accomplishments, Jim has been certified in
Cisco security devices.
Jim is now working for Secure Commerce Systems in Austin, Texas in network security product and
services sales, consulting, and implementation.
Jim will serve as a Sr. Consultant and will devote 100% of his time to this project.
4. Joe L. White, Jr., CISSP, MCSE (NT4 & W2K), CCPTP, SCSA
Joe L. White, Jr. is the Western Region Manager for Secure Commerce Systems, Inc. and is based
out of San Francisco, California.
Joe brings a unique blend of hands-on technical ability and business experience to SCS. With over
14 years of Information Technology experience, Joe's industry exposure spans Finance, Securities,
Mortgage Banking, Software and Consulting.
Out of college, Joe worked as a licensed Series 7 Securities Broker and while in his mid-twenties
was promoted to the youngest manager in his firm. After the crash of '87, Joe began working full
time with Information Technology, turning what was, up until then, a hobby into his career. He
began consulting and managing server farms for top firms in the Silicon Valley. He was then hired
into the pioneering eCommerce Consulting division of KPMG and subsequently left KPMG to
become a senior member of the pioneering Electronic Security Solutions group at Ernst & Young.
While at E&Y, Joe participated in numerous consulting engagements including but not limited to
penetration tests, network security assessments and system design reviews. A newly formed startup,
NetReliance, then recruited Joe to build, manage and administer its systems infrastructure. More
recently, Joe has worked as a senior member with the Information Systems Security Group for The
Charles Schwab Corporation and has consulted on a range of projects within the San Francisco Bay
area.
2.25 Authorized Negotiator
The person within Secure Commerce Systems who is authorized to negotiate contract terms and render
binding decisions on contractual matters is:
Ronald Newman
COO
Secure Commerce Systems, Inc.
7528 Sweetgum
Irving, Texas 75063
Phone: 972-830-9923
Email: rnewman@securecommercesystems.com
2.26 Cost Proposal
[Cost table: five numbered line items and a "Labor Total: Not to Exceed*" row; the item names and amounts are not legible in this copy.]
* Licensing Cost Expense for SPI Dynamics' Web Inspect (additional $2,�00.00)
Payment will be made monthly upon receipt of Secure Commerce Systems' invoice specifying the
amount of work done.
Secure Commerce Systems is in compliance with all applicable rules and regulations of Federal, State,
and Local governing entities. Secure Commerce Systems is in compliance with the terms of the Request
for Proposal (RFP).
3 Conclusion
Secure Commerce Systems appreciates the opportunity to work with the City of Fort Worth. Should you
have any questions regarding this engagement, please contact Ron Newman at 972-830-9923. Secure
Commerce Systems recognizes the importance of this project to your organization; we are committed to
your success and are confident the proposed assistance will provide high value to the City of Fort Worth
as it pursues its objectives.
Sincerely,
Ronald Newman
COO, Secure Commerce Systems, Inc.
4 Terms and Conditions
4.1 Security
Secure Commerce Systems shall have such access to designated sites, as it is reasonably necessary to
perform the services required by this Agreement. In performing the services Secure Commerce Systems
shall fully comply with established building access and security procedures, including use of designated
entrance(s), display of City of Fort Worth issued ID cards, and use and safeguarding of City of Fort
Worth issued access control cards, as prescribed by City of Fort Worth. Any issued passes or other
identification that may be required to be presented upon request by Secure Commerce Systems'
personnel or agents seeking access to premises shall be issued at the discretion of the operator of the
premises, and shall be surrendered upon demand or upon termination of this Agreement.
4.2 Term and Termination
City of Fort Worth may terminate this Agreement upon thirty (30) days written notice to Secure
Commerce Systems at any time without penalty. Upon termination, Secure Commerce Systems shall
send within thirty (30) days a termination proposal to City of Fort Worth. Such termination proposal
may not exceed the total contract price less payments previously made and less the contract price of
work not terminated, if applicable. In the event of such termination, City of Fort Worth's sole obligation
shall be to pay Secure Commerce Systems a prorated fee and reimbursable expenses, as defined in this
Agreement, through the date of termination.
4.3 Contract Completion
Secure Commerce Systems shall have fulfilled its obligations under this Agreement when one of the
following first occurs:
1. Secure Commerce Systems provides the total number of hours stated in the Agreement and any
subsequent change authorizations; any change authorizations Secure Commerce Systems is
issued during the time period of this Agreement and within the scope of the original project will
be subject to all the terms, conditions, and rates as specified in this Agreement; or
2. This Agreement is terminated with a 30 day notice and without cause by mutual decision made
by Secure Commerce Systems or City of Fort Worth management; such agreement to be
documented and signed by both parties.
4.4 Co�z�dentiality
Secure Comrneree Systems acknowledges that if may �e furnished with, rece�ve, or otherwise llave
access to infortnation of or cancerning City af Fart Wortn which City of Fort Worth considers to be
confidential or otherwise xestricted. "Confidential In�oz�mation" is any business, marketing, technical,
scientific, security arrangements of City of Fort Warth or other infonnation disclosed by City of Foi-t
Worih, which at the time of disclosuxe is designated as confidential {or lilce designation). Coniidential
Information shall be retained in confidez�ce by Secure Commerce Systems and shall Ue used, disclosed,
and copied solely for the purposes of, and in accordance with, this Agreement. Secure Commerce
Systems shall only diselase Con�dential Information ta thos� emp3oyees with a need to lalaw sucl�
Confidential Information.
Secure Commerce Systems shall take reasonable steps to ensure that its employees and contractors
comply with these confidentiality provisions. Secure Commerce Systems shall use the same degree of
care as it uses to protect its own Confidential Information of a similar nature, but no less than reasonable
care, to prevent the unauthorized use, disclosure or publication of the Confidential Information. Secure
Commerce Systems will not use City of Fort Worth's Confidential Information for purposes other than
those necessary to directly further the purposes of this Agreement. Secure Commerce Systems grants
City of Fort Worth the right to reproduce documentation and installation materials for the sole purpose
of distribution within the City of Fort Worth system.
Neither party will disclose to third parties the other's Confidential Information without the prior written
consent of the other Party. No obligation of confidentiality exists with respect to any information which
either Secure Commerce Systems or City of Fort Worth can demonstrate: (a) is already in the rightful
possession of the receiving party at the time of disclosure to it; (b) is rightfully received after disclosure
to it from a third party who had a lawful right to disclose such information to it without any obligation to
restrict its further use or disclosure; (c) is independently developed by or for the receiving party without
reference to Confidential Information of the furnishing party; (d) was, at the time of disclosure to it, in
the public domain, or (e) after disclosure to it, published or otherwise becomes part of the public domain
through no fault of the receiving party.
In addition, Secure Commerce Systems or City of Fort Worth shall not be considered to have breached
its obligations by disclosing Confidential Information of the other party as required to satisfy any legal
requirement of a competent government body provided that, immediately upon receiving any such
request and to the extent that it may legally do so, such party advises the other party promptly and prior
to making such disclosure in order that the other party may interpose an objection to such disclosure,
take action to assure confidential handling of the Confidential Information, or take such other action as it
deems appropriate to protect the Confidential Information.
4.5 No Publicity
Secure Commerce Systems agrees that it will not refer to City of Fort Worth in any customer lists,
publications, or advertisements and will not publicize in any way its role with respect to the Agreement
without City of Fort Worth's prior written consent.
4.6 Insurance
Secure Commerce Systems agrees to obtain and maintain during the performance of services under this
Agreement and to furnish City of Fort Worth, if requested, with evidence of worker's compensation and
employer's liability insurance and general comprehensive (including contractual coverage) and
automobile liability insurance in form and amount satisfactory to City of Fort Worth.
4.7 Warranty
Secure Commerce Systems' sole and exclusive warranty shall be to perform the Services provided under
this Agreement with a degree of skill and care which is consistent with then current, generally accepted
professional practice and procedures. Secure Commerce Systems reserves the right to subcontract to
third parties any or all services to be provided by Secure Commerce Systems under this Agreement or
any SOW. City of Fort Worth hereby agrees that in order for Secure Commerce Systems to render the
Services under this Agreement and any applicable SOW, City of Fort Worth must perform all of its
obligations as identified in this Agreement and any applicable SOW. Secure Commerce Systems shall
not be responsible for any delay or failure of performance arising out of City of Fort Worth's failure to
perform such obligations.
4.8 Intellectual Property Rights
Secure Commerce Systems, Inc and City of Fort Worth shall each retain ownership of, and all right,
title, and interest in and to, their respective, pre-existing intellectual property including, but not limited
to, (A) patentable and unpatentable discoveries, and ideas, including, but not limited to, methods,
techniques, "know how", concepts, or products ("Inventions") and (B) all works fixed in any medium of
expression, including copyright and mask work rights, and except as set forth in Section 4.8.1 below, no
license therein, whether express or implied, is granted by this agreement, as a result of the Services
performed hereunder. To the extent the parties wish to grant rights or interests in pre-existing intellectual
capital beyond the rights granted pursuant to Section 4.8.1 below, separate license agreements on
mutually acceptable terms will be executed.
4.8.1 Not "Work for Hire"
The Deliverables performed under this agreement are not "works for hire" and Secure Commerce
Systems, Inc. retains all rights, title, and interest in the underlying components including, but not limited to,
any technology, techniques, methodologies, programs, codes, objects, inventions, data, designs,
graphics, specifications, processes, procedures, best practices, and other reusable components owned or
provided by Secure Commerce Systems prior to, in the course of, or independent of the Services and/or
the Deliverables ("Underlying Components"). City of Fort Worth understands and agrees that the
Underlying Components shall be solely owned by Secure Commerce Systems, Inc. To the extent that the
Underlying Components are essential to the proper use and enjoyment of the Deliverable, Secure
Commerce Systems grants to City of Fort Worth a non-exclusive, non-transferable, royalty-free license
to use and copy such Underlying components as part of a Deliverable for City of Fort Worth's internal
business purposes only including, but not limited to, providing a copy to a third parties for consideration
of internal business practices of City of Fort Worth, subject to third parties signing a confidentiality
agreement with terms similar to those contained in Section 4.4 of this document. City of Fort Worth
agrees to include Secure Commerce Systems copyright notice, as applicable on all copies of deliverable
items made by or for City of Fort Worth.
4.8.2 Right to Use
Secure Commerce Systems, at all times, retains the right to use any general know how, techniques,
ideas, concepts, algorithms, or other knowledge acquired or developed during the performance of this
agreement, on behalf of itself, and its future customers. Secure Commerce Systems may perform the
same or similar services for others, provided that any City of Fort Worth confidential, proprietary, or
trade secret information is treated in accordance with the parties' obligations under Section 4.4.
4.9 Limits of Liability
AGGREGATE EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, Secure Commerce
Systems SPECIFICALLY DISCLAIMS, AND City of Fort Worth HEREBY WAIVES, ANY AND
ALL EXPRESS OR IMPLIED PROMISES, REPRESENTATIONS AND WARRANTIES WITH
RESPECT TO THE SERVICES AND PRODUCTS PROVIDED HEREUNDER, INCLUDING, BUT
NOT LIMITED TO, ANY WARRANTY AS TO ITS MERCHANTABILITY, QUALITY,
OPERATION OR ITS FITNESS FOR ANY PARTICULAR PURPOSE, AS WELL AS ANY
WARRANTIES ALLEGED TO HAVE ARISEN FROM CUSTOM, USAGE, OR PAST DEALINGS
BETWEEN THE PARTIES.
THE PARTIES ACKNOWLEDGE AND AGREE THAT IN NO EVENT SHALL Secure Commerce
Systems BE LIABLE, WHETHER IN CONTRACT, TORT OR OTHERWISE, FOR ANY SPECIAL,
INCIDENTAL, CONSEQUENTIAL, INDIRECT OR ECONOMIC DAMAGES, HOWEVER
ARISING, AND OF WHATSOEVER NATURE, INCLUDING PUNITIVE DAMAGES, DAMAGES
FOR LOSS OF PROFITS, LOSS OF BUSINESS, BUSINESS EXPENSE, MACHINE DOWN TIME,
LOSS OF DATA, OR ANY OTHER SPECIAL OR EXEMPLARY DAMAGES, EVEN IF Secure
Commerce Systems HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
NOTWITHSTANDING ANY OTHER PROVISIONS OF THIS AGREEMENT TO THE
CONTRARY, City of Fort Worth HEREBY ACKNOWLEDGES AND AGREES THAT Secure
Commerce Systems TOTAL LIABILITY TO City of Fort Worth SHALL IN NO CIRCUMSTANCE
EXCEED THE AGGREGATE AMOUNT PAID TO Secure Commerce Systems PURSUANT TO THE
APPLICABLE SOW FOR THE SERVICES TO WHICH THE CLAIM RELATES. IN NO EVENT
SHALL THE TOTAL AMOUNT OF Secure Commerce Systems' LIABILITY FOR ALL CLAIMS
EXCEED THE AMOUNT PAID TO Secure Commerce Systems PURSUANT TO THIS
AGREEMENT.
4.10 General Indemnification
City of Fort Worth shall, to the fullest extent permitted by law, indemnify and hold harmless Secure
Commerce Systems, its directors, officers, employees, agents, partially or wholly owned subsidiaries,
successors and assigns from and against all suits, actions, legal or administrative proceedings, claims,
liens, demands, liabilities, losses, costs, fees, and expenses (including without limitation reasonable
attorney's fees and expenses), directly or indirectly arising out of or in connection with the performance
of the Services of this Agreement by Secure Commerce Systems or Secure Commerce Systems'
representatives, including but not limited to injury or death to persons (including without limitation
Secure Commerce Systems employees) and damage to property, regardless of concurrent or contributory
negligence, whether active or passive, or strict liability of such indemnified parties, except those caused
by the sole intentional negligence or willful misconduct of such indemnified parties.
4.11 Licensed Software
Only licensed software provided by City of Fort Worth and in-house developed code (including City of
Fort Worth and Secure Commerce Systems developed) shall be used on City of Fort Worth's systems.
No public domain, shareware, or bulletin board software shall be installed. All additional hardware and
software packages proposed for use, including upgrades, must be approved in advance and in writing by
City of Fort Worth.
4.12 Savings Clause
City of Fort Worth's failure to perform any of its responsibilities set forth in this Agreement shall not be
deemed to be grounds for termination by Secure Commerce Systems; provided that City of Fort Worth's
nonperformance of its obligations under this Agreement shall be excused if and to the extent (i) City of
Fort Worth's nonperformance results from Secure Commerce Systems' failure to perform its
responsibilities, and (ii) City of Fort Worth provides Secure Commerce Systems with reasonable notice
of such nonperformance and uses commercially reasonable efforts to perform notwithstanding Secure
Commerce Systems' failure to perform (with the Secure Commerce Systems reimbursing City of Fort
Worth for its additional out-of-pocket expenses for such efforts.)
4.13 Force Majeure
Neither party shall be liable for any default or delay in the performance of its obligations under this
Agreement, or for failure to manufacture, deliver, or perform under this Agreement (i) if and to the
extent such default or delay is caused, directly or indirectly, by: fire, flood, earthquake, elements of
nature or acts of God; riots, civil disorders, rebellions or revolutions in any country; or any other cause
beyond the reasonable control of such party (ii) provided the non-performing party is without fault in
causing such default or delay, and such default or delay could not have been prevented by reasonable
precautions and can not reasonably be circumvented by the non-performing party through the use of
alternate sources, workaround plans or other means.
4.14 Assignment
Neither party may assign this Agreement in whole or in part or any interest herein, without the prior
written consent of the other. Such consent will not be unreasonably withheld. Notwithstanding the
above, City of Fort Worth may assign this Agreement to any entity within the City of Fort Worth system
with the written consent of Secure Commerce Systems.
4.15 Service Contract Act
Secure Commerce Systems certifies that this Agreement is not subject to the Service Contract Act of
1965 because of either (1) the Agreement is not for the performance of "services" as that term is used in
the act or (2) the Agreement is principally for the maintenance, calibration, and/or repair of equipment
described in 29 C.F.R. § 4.123(e)(1)(i), and because Secure Commerce Systems comes within the
circumstances set forth in 29 C.F.R. § 4.123(e)(1)(ii). Secure Commerce Systems agrees that the
services being provided are consulting services associated with City of Fort Worth information security
program.
4.16 Applicable Law
This Agreement shall be governed by and construed in accordance with the Federal law of the United
States of America and in the absence of controlling Federal law, in accordance with the laws of Tarrant
County of the state of Texas.
4.17 Notice
Any notice to be given hereunder shall be given in writing by prepaid receipted mail, facsimile or
overnight courier, and shall be effective as follows: (i) in the case of facsimile or courier, on the next
business day, and (ii) in the case of receipted mail, five (5) business days following the date of deposit in
the mail. If notice is (1) sent by a nationally recognized express mail service or by registered or certified
mail, return receipt requested, addressed to the party to which such notice is to be given at its address
below; or (2) delivered in person to such party at its address below:
To: Robert Combs, Purchasing Manager
City of Fort Worth Purchasing Office
P.O. Box 17027
Fort Worth, Texas 76102
To: Daniel P. White
Secure Commerce Systems, Inc.
17225 El Camino Real, Suite 340
Houston, Texas 77058
4.18 Additional Items
Secure Commerce Systems and City of Fort Worth agree that any disputes may at either party's option
be resolved by arbitration, and that if arbitration is selected neither party will seek damages in tort or
jury by trial.
4.19 Miscellaneous
Termination of this Agreement shall not affect the survival of representations, warranties and covenants
contained herein. The rights and obligations, which by their nature extend beyond the termination of
this Agreement survive and continue after termination of this Agreement. All such provisions shall bind
the parties hereto and their legal representative, successors and assignees. The failure of a party to claim
a breach of any term of this Agreement shall not constitute a waiver of such breach or the right of such
party to enforce any subsequent breach of such term. If any term or provision of this Agreement should
be declared invalid by a court of competent jurisdiction or by operation of law, the remaining terms and
provisions of this Agreement shall be unimpaired, and the invalid term or provision shall be replaced by
such valid term or provision as comes closest to the intention underlying the invalid term or provision.
This Agreement may not be modified or waived orally and may be modified only in a writing signed by
duly authorized representative of both parties.
4.20 Entire Agreement
This Agreement, including all Attachments, represents the entire agreement between the parties
regarding this subject matter and replaces any oral or written communications.