Loading...
HomeMy WebLinkAboutContract 44749 CITY SECRETARY CWRACT WO. PROFESSIONAL SERVICES AGREEMENT This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by and between the CITY OF FORT WORTH (the "City"), a home rule municipal corporation situated in portions of Tarrant, Denton and Wise Counties, Texas, acting by and through Susan Alanis, its duly authorized Assistant City Manager, and COALFIRE SYSTEMS, INC., (the "Consultant" or"Contractor"'), a Texas Corporation and acting by and through Alan Ferguson, its duly authorized Executive Vice President, each individually referred to as a "party" and collectively referred to as the "parties," CONTRACT DOCUMENTS: The Contract documents shall include the following: 1. This Agreement for Professional Services 2. Exhibit A—Statement of Work plus any amendments to the Statement of Work 1 Exhibit B— Payment Schedule 4. Exhibit C— Milestone Acceptance Form 5. Exhibit D— Network Access Agreement 6. Exhibit E—Signature Verification Form All Exhibits attached hereto are incorporated herein, and made a part of this Agreement for all purposes. In the event of any conflict between the documents, the terms and conditions of this Professional Services Agreement shall control. 1. SCOPE OF SERVICES. Consultant hereby agrees to provide the City with professional consulting services for the purpose of performing a Security Assessment on PeopleSoft HR/Payroll system. Attached hereto and incorporated for all purposes incident to this Agreement is Exhibit "A," Statement of Work, more specifically describing the services to be provided hereunder. 2. TERM. This Agreement shall commence upon the date that both the City and Consultant have executed this Agreement ("Effective Date") and shall continue in full force and effect until the earlier to occur of all services are completed as contemplated herein, or ninety (90) days, unless terminated earlier in accordance with the provisions, of this Agreement. 3. COMPENSATION. The City shall pay Consultant an amount not to exceed $52,900.00 in accordance with the provisions of this Agreement and the Payment Schedule attached as Exhibit "B,," which is incorporated for all purposes herein. Consultant shall not perform any additional services for the City not specified by this Agreement unless the City requests and approves in writing the additional costs for such services. The City shall not be liable for any additional expenses of Consultant not specified by this Agreement unless the City first approves such expenses in writing. 4. TERMINATION. OFFICIAL RECORD REC 4,1, Convenience. CITY SECRETARY aTH T I X IT Professionai Services Agreement F"T. WORTH, ]TX Re ised June 2012 Coaffire Systems, Inc, RECEIVED N 96 '6 The City or Consultant may terminate this Agreement at any time and for any reason by providing the other party with 30 days' written notice of termination. 4.2 Non-appropriation of Funds. In the event no funds or insufficient funds are appropriated by the City in any fiscal period' for any payments due hereunder,. City will notify Consultant of such occurrence and this Agreement shall terminate on the last day of the fiscal period for which appropriations were received without penalty or expense to the City of any kind whatsoever, except as to the portions of the payments herein agreed upon for which -funds have been appropriated. 4.3 Breach. Subject to Section 29 herein, either party may terminate this Agreement for breach of duty, obligation or warranty upon exhaustion of all remedies set forth in Section 29, 4.4 Duties and Obli-gations of the Parties. In the event that this Agreement is terminated prior to the Expiration Date, the City shall pay Consultant for services actually rendered up to the effective date of termination and Consultant shall continue to provide the City with services requested by the City and in accordance with this Agreement up to the effective date of termination. Upon termination of this Agreement for any reason, Consultant shall provide the City with copies of all' completed or partially completed documents prepared under this Agreement. In the event Consultant has received access to City information or data as a requirement to perform services hereunder, Consultant shall return all City provided data to the City in a machine readable format or other format deemed acceptable to the City. 5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION. 5.1 Disclosure of Conflicts. Consultant hereby warrants to the City that Consultant has made full disclosure in writing of any existing or potential conflicts of interest related to Consultant's services under this Agreement. in the event that any conflicts of iinterest arise after the Effective Date of this Agreement, Consultant hereby agrees immediately to make full disclosure to the City in writing. 5.2 Confidential Information. Consultant, for itself and its officers, agents and employees, agrees that it shall treat all information provided to it by the City as confidential and shall not disclose any such information to a third party without the prior written approval of the City. 5.3 Unauthorized Access. Consultant shall store and maintain City Information in a secure manner and shall not allow unauthorized users to access, modify, delete or otherwise corrupt City Information in any way. Consultant shall notify the City irnmediately if the security or integrity of any City information has been compromised or is believed to have been coalipromised, in which event, Consultant shall, in good faith, use all commercially reasonable efforts to cooperate with the City in identifying what information has been accessed by unauthorized means and shall fully cooperate, with 'the City to protect such information from further unauthorized disclosure, 6. RIGHT TO AUDIT. Consultant agrees that the City shall, until the expiration of three (3) years after final payment under this contract, or the final conclusion of any audit commenced during the said three years, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of the consultant involving transactions relating to this Contract at no additional cost to the City. Consultant agrees that the City shall have access during normal working hours to all necessary IT Professional Services Agreement Revised June 2012 Coalfire Systems,Inc. 2 Consultant facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this section. The City shall give Consultant reasonable advance notice of intended audits. Consultant further agrees to include in all its subcontractor agreements hereunder a provision to the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final payment of the subcontract, or the final conclusion of any audit commenced during the said three years have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of such subcontractor involving transactions related to the subcontract, and further that City shall have access during normal working hours to all subcontractor facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this paragraph, City shall give subcontractor reasonable notice of intended audits. 7. INDEPENDENT CONTRACTOR. It is expressly understood and agreed that Consultant shall operate as an independent contractor as to all rights and privileges and work performed under this agreement, and not as agent, representative or employee of the City. Subject to and in accordance with the conditions and provisions of this Agreement, Consultant shall have the exclusive right to control the details of its operations and' activities and be solely responsible for the acts and omissions of its officers,, agents, servants, employees, contractors and subcontractors. Consultant acknowledges that the doctrine of respondeat superior shall not apply as between the City, its officers, agents, servants and employees, and Consultant, its officers, agents, employees, servants, contractors and subcontractors. Consultant further agrees that nothing herein shall be construed as the creation of a partnership or joint enterprise between City and Consultant. It is further understood that the City shall in no way be considered a Co- employer or a Joint employer of Consultant or any officers, agents, servants, employees or subcontractors of Consultant. Neither Consultant, nor any officers, agents, servants, employees or subcontractors of Consultant shall be entitled to any employment benefits from the City. Consultant shall be responsible and liable for any and all payment and reporting! of taxes on behalf of itself, and any of its officers, agents, servants, employees or subcontractors. 8. LIABILITY AND INDEMNIFICATION. A. LIABILITY - CONSULTANT SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL PROPERTY LOSS, PROPERTY DAMAGE ANDIOR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, TO THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR OMISSION(S), MALFEASANCE OR INTENTIONAL MISCONDUCT OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES. EXCEPT IN THE EVENT OF GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT, LIABILITY OF CONSULTANT FOR CLAIMS ARISING UNDER THIS AGREEMENT SHALL NOT EXCEED, IN THE AGGREGATE, $3,000,000. B. INDEMNIFICATION - CONSULTANT HEREBY COVENANTS AND AGREES TO INDEMNIFY, HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS, SERVANTS AND EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR LAWSUITS OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, FOR EITHER PROPERTY DAMAGE OR LOSS (INCLUDING, ALLEGED DAMAGE OR LOSS TO CONSULTANT'S BUSINESS AND ANY RESULTING LOST PROFITS) ANDIOR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, TO THE EXTENT CAUSED BY THE NEGLIGENT ACTS OR OMISSIONS OR MALFEASANCE OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES. C. COPYRIGHT INFRINGEMENT - Consultant agrees to defend, settle, or pay, at its own cost and expense, any claim or action against the City for infringement of any patent, copyright, trade secret, or similar property right arising from City's use of the software and/or documentation in accordance with this agreement. Consultant shall have the sole right to conduct the defense of IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 3 any such claim or action and all negotiations for its settlement or compromise and to settle or compromise any such claim, and City agrees to cooperate with it in doing so. City agrees to give Consultant timely written notice of any such claim or action, with copies of all papers City may receive relating thereto. If the software and/or documentation or any part thereof is held' to infringe and the use thereof is enjoined or restrained or, if as a result of a settlement or compromise, such use is materially adversely restricted, Consultant shall, at its own expense and as City's sole remedy, either: (a) procure for City the right to continue to use the software and/or documentation; or (b) modify the software and/or documentation to make it non-infringing, provided that such modification does not materially adversely affect City's authorized use of the software and/or documentation; or (c) replace the software and/or documentation with equally suitable, compatible, and functionally equivalent non-infringing software and/or documentation at no additional charge to City; or (d) if none of the foregoing alternatives is reasonably available to Consultant, terminate this agreement and refund to City the payments actually made to Consultant under this agreement. 9. ASSIGNMENT AND SUBCONTRACTING. Consultant shall not assign or subcontract any of its duties, obligations or rights under this Agreement without the prior written consent of the City. If the City grants consent to an assignment, the assignee shall execute a written agreement with the City and the Consultant under which the assignee agrees to be bound by the duties and obligations of Consultant under this Agreement. The Consultant and Assignee shall be jointly liable for all obligations of the Consultant Linder this Agreement prior to the effective date of the assignment. If the City grants consent to a subcontract, the subcontractor shall execute a written agreement with the Consultant referencing this Agreement under which the Subcontractor shall agree to be bound by the duties and obligations of the Consultant under this Agreement as such duties and obligations may apply. The Consultant shall provide the City with a fully executed copy of any such subcontract. 10. INSURANCE. Consultant shall provide the City with certificate(s) of insurance documenting policies of the following minimum coverage limits that are to be in effect prior to commencement of any work pursuant to this Agreement: 10.1 Coverage and Limits (a) Commercial General Liability $1,000,000 Each Occurrence $1,000,000 Aggregate (b) Automobile Liability $1,000,000 Each occurrence on a combined single limit basis Coverage shall be on any vehicle used by the Consultant, its employees, agents, representatives in the course of the providing services under this Agreement. "Any vehicle" shall be any vehicle owned, hired and non-owned (c) Worker's Compensation - Statutory limits Employer's liability $100,000 Each accident/occurrence $100,000 Disease- per each employee $500,000 Disease - policy limit This coverage may be written as follows: IT Professional services Agreement Re vised June 2012 Coalfire Systems, Inc. 4 Workers' Compensation and Employers' Liability coverage with limits consistent with statutory benefits outlined in the Texas workers' Compensation Act (Art. 8308 — 1.01 et seq. Tex, Rev. Civ. Stat.) and minimum policy limits for Employers' Liability of $100,000 each accident/occurrence, $500,000 bodily injury disease policy limit and $100,000 per disease per employee (d) Technology Liability(E&O) $1,000,000 Each Claim Limit $1,000,000 Aggregate Limit Coverage shall include, but not be limited to, the following: (i) Failure to prevent unauthorized access (ii) Unauthorized disclosure of information (iii) Implantation of malicious code or computer virus (iv) Fraud, Dishonest or Intentional Acts with final adjudication language Technology coverage may be provided through an endorsement to the Commercial General Liability (CGL) policy, or a separate policy specific to Technology E&O. Either is acceptable if coverage meets all other requirements. Any deductible will be the sole responsibility of the Prime Vendor and may not exceed $50,000 without the written approval of the City. Coverage shall be claims-made, with a retroactive or prior acts date that is on or before the effective date of this Contract. Coverage shall be maintained for the duration of the contractual agreement and for two (2) years following completion of services provided. An annual certificate of insurance shall be submitted to the City to evidence coverage, 10.2 General Requirements (a) The commercial general liability and automobile liability policies shall name the City as an additional insured thereon, as its interests may appear. The term City shall include its employees, officers, officials, agents, and volunteers in respect to the contracted services. (b) The workers' compensation policy shall include a Waiver of Subrogation (Right of Recovery) in favor of the City of Fort Worth. (c) A minimum of Thirty (30) days notice of cancellation or reduction in limits of coverage shall be provided to the City. Ten (10) days notice shall be acceptable in the event of non-payment of premium. Notice shall be sent to the Risk Manager, City of Fort Worth, 1000 Throckmorton, Fort Worth, Texas 76102, with copies to the City Attorney at the same address. (d) The insurer's for all policies must be licensed and/or approved to do business in the State of Texas. All insurers must have a minimum rating of A- VII in the current A.M. Best Key Rating Guide, or have reasonably equivalent financial strength and solvency to the satisfaction of Risk Management. If the rating is below that required, written approval of Risk Management is required. (e) Any failure on the part of the City to request required insurance documentation, shall not constitute a waiver of the insurance requirement. Certificates of Insurance evidencing that the Consultant has obtained all required insurance shall be delivered to the City prior to Consultant proceeding with any work pursuant to this Agreement, IT Professional Services Agreement Revised June 201'2 Coalfire Systems, Inc. 5 11. COMPLIANCE WITH LAWS, ORDINANCES RULES AND REGULATIONS. Consultant agrees that in the performance of its obligations hereunder, it will comply with all applicable federal, state and local laws, ordinances, rules and regulations and that any work it produces in connection with this agreement will also comply with all applicable federal, state and local laws, ordinances, rules and regulations. If the City notifies Consultant of any violation of such laws, ordinances, rules or regulations, Consultant shall immediately desist from and correct the violation. 12. NON-DISCRIMINATION COVENANT. Consultant, for itself, its personal representatives, assigns, subcontractors and successors in interest, as part of the consideration herein, agrees that in the performance of Consultant's duties and obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group of individuals on any basis prohibited by law. If any claim arises from an alleged violation of this non- discrimination covenant by Consultant, its personal representatives, assigns, subcontractors or successors in interest, Consultant agrees to assume such liability and to indemnify and defend the City and hold the City harmless from such claim. 13. NOTICES. Notices required pursuant to the provisions of this Agreement shall be conclusively determined to have been delivered when (1) hand-delivered to the other party, its agents, employees, servants or representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3) received by the other party by United States Mail, registered, return receipt requested, addressed as follows: City of Fort Worth Coalfire Systems, Inc. Attn: Susan Alanis, Assistant City Manager Attn: Alan Ferguson, Exec. Vice Pres. 1000 Throckmorton 361 Centennial Parkway, #150 Fort Worth TX 761 02-63 1 1 Louisville, CO 80027 Facsimile: (817) 392-8654 Facsimile: With Copy to the City Attorney At same address 14. SOLICITATION OF EMPLOYEES. Neither the City nor Consultant shall:, during the term of this agreement and additionally for a period of one year after its termination, solicit for employment or employ, whether as employee or independent contractor, any person who is or has been employed by the other during the term of this agreement, without the prior written consent of the person's employer. Notwithstanding the foregoing, this provision shall not apply to an employee of either party who responds to a general solicitation of advertisement of employment by either party. 15. GOVERNMENTAL POWERS/IMMUNITIES It is understood and agreed that by execution: of this Agreement, the City does not waive or surrender any of its governmental powers or immunities. IT Professional Services Agreement Revised June 2012 Coaffire Systems,Inc. 6 16. NO WAIVER. The failure of the City or Consultant to insist upon the performance of any term or provision of this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or Consultant's respective right to insist upon appropriate performance or to assert any such right on any future occasion. 17. GOVERNING LAW/VENUE. This Agreement shall be construed in accordance with the laws of the State of Texas. if any action, whether real or asserted, at law or in equity, is brought pursuant to this Agreement, venue for such action shall lie in state courts located in Tarrant County, Texas or the United States District Court for the Northern District of Texas, Fort Worth Division, 18. SEVERABILITY. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired. 19., FORCE MAJEURE. The City and Consultant shall exercise their best efforts to meet their respective duties and obligations as set forth in this Agreement, but shall not be held liable for any delay or omission in performance due to force majeure or other causes beyond their reasonable control, including, but not limited to, compliance with any government law, ordinance or regulation, acts of God, acts of the public enemy, fires, stri:kes, lockouts, natural disasters, wars, riots, material or labor restrictions by any governmental authority, transportation problems and/or any other similar causes, 20. HEADINGS NOT CONTROLLING. Headings and titles used in this Agreement are for reference purposes only, shall not be deemed a part of this Agreement, and are not intended to define or limit the scope of any provision of this Agreement. 21. REVIEW OF COUNSEL. The parties acknowledge that each party and its counsel have reviewed and revised this Agreement and that the normal rules of construction to the effect that any ambiguities are to be resolved against the drafting party shall not be employed in the interpretation of this Agreement or exhibits hereto, 22. AMENDMENTS. No amendment of this Agreement shall be binding upon a party hereto unless such amendment is set forth, in a written instrument, which is executed by an authorized representative of each party. 23. ENTIRETY OF AGREEMENT. This Agreement, including the schedule of exhibits attached hereto and any documents incorporated herein by reference, contains the entire understanding and agreement between the City and Consultant, their assigns and successors in interest, as to the matters contained herein. Any prior or contemporaneous oral or written agreement is hereby declared null and void to the extent in conflict with any provision of this Agreement. 24. COUNTERPARTS. IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 7 This Agreement may be executed in one or more counterparts and each counterpart shall, for all purposes, be deemed an original, but all such counterparts shall together constitute one and the same instrument. 25. WARRANTY OF SERVICES. Consultant warrants that its services will be of a professional quality and conform to generally prevailing industry standards. City must give written notice of any breach of this warranty within thirty (30) days from the date that the services are completed. In such event, at Consultant's option, Consultant shall either (a) use commercially reasonable efforts to re-perform the services in a manner that conforms with the warranty, or(b) refund' the fees paid by the City to Consultant for the nonconforming services, 26. MILESTONE ACCEPTANCE. Consultant shall verify the quality of each deliverable before submitting it to the City for review and approval. The City will review all deliverables to determine their acceptability and signify acceptance by execution of the Milestone Acceptance Form, which is attached hereto as Exhibit "C." If the City rejects the submission, it will notify the Consultant in writing as soon as the determination is made listing the specific reasons for rejection. The Consultant shall have ten (10) days to correct any deficiencies and resubmit the corrected deliverable. Payment to the Consultant shall not be authorized unless the City accepts the deliverable in writing in the form attached. The City's acceptance will not be unreasonably withheld. 27. NETWORK ACCESS. If Consultant, and/or any of its employees, officers, agents, servants or subcontractors (for purposes of this section "Consultant Personnel"), requires access to the City's computer network in order to provide the services herein, Consultant shall execute and comply with the Network Access Agreement which is attached hereto as Exhibit ID" and incorporated herein for all purposes. 28. IMMIGRATION NATIONALITY ACT. The City of Fort Worth actively supports the Immigration & Nationality Act (INA) which includes provisions addressing employment eligibility, employment verification, and nondiscrimination. Consultant shall verify the identity and employment eligibility of all employees who perform work under this Agreement. Consultant shall complete the Employment Eligibility Verification Form (11-9), maintain photocopies of all supporting employment eligibility and identity documentation for all employees, and upon request, provide City with copies of all 1-9 forms and supporting eligibility documentation for each employee who performs work under this Agreement. Consultant shall establish appropriate procedures and controls so that no services will be performed by any employee who is not legally eligible to perform such services. Consultant shall provide City with a certification letter that it has complied with the verification requirements required by this Agreement. Consultant shall indemnify City from any penalties or liabilities due to violations of this provision. City shall have the right to immediately terminate this Agreement for violations of this provision by Consultant. 29. INFORMAL DISPUTE RESOLUTION. Except in the event of termination pursuant to Section 4.2, if either City or Consultant has a claim, dispute, or other matter in question for breach of duty, obligations, services rendered or any warranty that arises under this Agreement, the parties shall first attempt to resolve the matter through this dispute resolution process. The disputing party shall notify the other party in writing as soon as practicable after discovering the claim, dispute, or breach. The notice shall state the nature of the dispute and list the party's IT Professional services Agreement Revised Jurie 2012 Coalfire Systems, Inc. 8 specific reasons for such dispute. Within ten (10) business days of receipt of the notice, both parties shall commence the resolution process and make a good faith effort, either through email, mail, phone conference, in person meetings, or other reasonable means to resolve any claim, dispute, breach or other matter in question that may arise out of, or in connection with this Agreement. If the parties fail to resolve the dispute within sixty(6,0)days of the date of receipt of the notice of the dispute, then the parties may submit the matter to non-binding mediation in Tarrant County, Texas, upon written consent of authorized representatives of both parties in accordance with the Industry Arbitration Rules of the American Arbitration Association or other applicable rules governing mediation then in effect. The mediator shall be agreed to by the parties. Each party shall be liable for its own expenses, including attorney's fees„ however, the parties shall share equally in the costs of the mediation. If the parties cannot resolve the dispute through mediation, then either party shall have the right to exercise any and all remedies available under law regarding the dispute. Notwithstanding the fact that the parties may be attempting to resolve a dispute in accordance with this informal dispute resolution process, the parties agree to continue without delay all of their respective duties and obligations under this Agreement not affected by the dispute. Either party may, before or during the exercise of the informal dispute resolution process set forth herein, apply to a court having jurisdiction for a temporary restraining order or preliminary injunction where such relief is necessary to protect its interests. 30. SIGNATURE AUTHORITY. The person signing this agreement hereby warrants that he/she has the legal authority to execute this agreement on behalf of the respective party, and that such binding authority has been granted by proper order, resolution, ordinance or other authorization of the entity. This Agreement, and any amendment(s) hereto, may be executed by any authorized representative of Consultant whose name, title and signature is affixed on the Verification of Signature Authority Form, which is attached hereto as Exhibit "E" and incorporate herein by reference. Each party is fully entitled to rely on these warranties and representations in entering into this Agreement or any amendment hereto. [SIGNATURE PAGE FOLLOWS] IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 9 IN ITNESS W11" E EOF, the parties hereto have executed this Agreement in multiples thiday of 201> ACCEPTED AND AGREED: CITY OF FORT WORTH: NAME OF CONSULTANT: Coaifire Systems, Inc. By: _ By: Suipn,kanis I ame: Rick Dakin Assistant City Manager Title: CEO Date: ? Date: ..... .�..:�. ,,. ATTEST: ATTES : � By: City S �y Al -� APPROVED AS TO FORM AND LEGA T $ CP 00000- 00 B Maleshia B. Farmer Senior Assistant City Attorney CONTRACT AUTHORIZATION: M&C: Date Approved: ffOFFICIAL 1"OR&TARY IT Professional Services Agreement �e June 2012 Coalfire Systems,Inc. fly 10 r A r S&Vwe Order for: City of Fort Worth, Texas Eric Palmer IT Manager, ERP Support Regional Sales Director city of Fort Worth,Texas oaMflre Systems, Inc. IT Solutions Department 5001 Spring Walley Road, Suite 11 iQI 1��A Thrwacicrnorton S1~, Dallas Texas 77244 Fort Worth Tx 76102 817-392-7821 972-763-8012 Frio.Paimerofo,rthwortht,exas.gov JoeBarnes@coaIfire.com P v �IMF I a � 7 1 JI J '�wr �"J�, �t��2�,'d�� �`"�'rr �I �J�sl ,�yH�'�°rz 6�j n ,;) ,��A�'}�r �, ��Y°✓ r. Engagement Overview City of Fort Worth, Texas (optionally, "City of Fort Worth" or "Organization") has engaged Coalfire to perform Security Assessment on their PeopleSoft HR/Payroll system to help the Organization better manage its business and technology risk. This project will' leverage the KIST S138010-301 Risk Management Guide for Information Technology Systems. Coalfire will provide the organization a current and comprehensive security risk assessment and knowledge transfer to personnel and IT teams that can be used to prioritize risk and develop a roadmap by leveraging our templates and work products. The City of Fort Worth currently runs PeopleSoft version 9.1 on a Microsoft SQL Server 8.0. The development, CIA, and' test environments execute on virtualized environments and the production systems execute on physical systems. The following PeopleSoft Human Capital Management (HCM)v9.1 Modules are being utilized and comprise the scope of the project: 1) Global Core HCM o, Benefits Administration c Employee Self-Service o, Global Payroll c> Human Resources o Manager Self-Service o Payroll for North America 2) Workforce Management o Absence Management o Resource Management o Time and Labor 3) Workforce Service Deliverrt o Directory Interface o eBenefits About Coalfire Coalfire is an industry-leading provider of IT security, governance and regulatory compliance services. Coalfire's methodology has been validated by more than 5,000 projects nationwide and abroad. Our services portfolio spans the entire information security life cycle: IT Audit/compliance Management Forensic Testing/Analysis Compliance Validation Incident Response Controls Testing Forensic Analysis Compliance Advisory b Expert Witness w. Technical Assessment, IT Governance Advisory IT Professional Services Agreement Revised June 2012' Coalfire Systems, Inc. 12 Application Validation Risk Management (GRC) Penetration Testing Policy Development Vulnerability Scanning Compliance Program Advice ---------- Specific services Coalfire provides include: General IT Security and Risk Assessments—In accordance with industry best practices for risk management and IT governance (NIST SP-800 Series,COBIT, FFIEC, etc.). Regulatory Compliance Assessments for- • The Gramm-Leach-Bliley Act (GLBA)for financial services • The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH)Act for healthcare • The Federal Information Systems Management Act (FISMA) for certain federal systems and their business partners • The Sarbanes-Oxley Act (SOX) for evaluation of IT controls over financial reporting required by Section 404 • The Payment Card Industry Data Security Standard' (PCI DSS) -As an assessor authorized by the PCI Security Standards Council, Coalfire offers comprehensive PCI DSS services for merchants, service providers, merchant banks, and application developers worldwide. • SO,C Reports(formerly SAS 70)Audit Support- In conjunction with leading accounting firms, Coalfire provides controls evaluation and testing services to give evidence of the effectiveness of the design and operation of general and application level controls. • North American Electric Reliability Corporation (NERC) • Critical Infrastructure Protection (CIP) • Family Educational Rights and Privacy Act(FERPA) ■ Incident Response and Computer Forensics- For known or suspected compromise of sensitive data, including personally identifiable information (PII), payment card data, intellectual property and others. • Information Security Business Case and Security Program Development Coalfire—The Company ■ Independence — our primary business is IT Assessment, Audit and Regulatory Compliance. We do not sell or implement technology solutions and our recommendations are vendor neutral. ■ Certified Auditors — 100% of our auditors specialize in IT Security, Audit and compliance. We do not manage a team of junior resources. All Coalfire auditors maintain industry certifications such as Certified Information Systems Auditor(CISA)and Certified Information Systems Security Professional(CISSP). Most have advanced degrees in business management or information technology. many come from the banking industry and "Big 4" accounting firms. ■ Size and location — Coalfire has over 100 staff located in regional offices across the country. Several reputable analysts, such as Gartner and Forrester, track Coalfire as the largest IT-Audlit-Only consultancy in the country. our size provides us with extensive breadth of knowledge, while our regional offices allow us to provide the attention of a neighbor. IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 13 • Coa|#peisnota "virtua| conmpany°—Ou/centra;izedofficesprotectyuurclataamdwork papers, improve the quality and consistency cf our audit methodology and keep our staff updated on the latest threats and trends. • Project Portai| — All documents and work papers are shared through a secure web-based portal. This keeps sensitive data out of e-mail and provides a repository for future audits and exams. • Industry beadlngToo/s — KHanyauditors use free software such as inexpensive oropen'sou/ce scanning tools. Coa|fine nmainta!|ns a smite of best of industry assessment tools which reduce false positives and help to quickly identify and reduce areas of high risk. Statement of Work The services defined in this Statement of Work constitute the extent ofservices Coa|fire will provide tmthe Organization,and the Organization understands that services not specified in this Statement mf Work are out of scope for this engagement.Services listed in this document will be p,rovided on a mutually agreeable schedule. Task I-~Project Charter and Portal The project is initiated with a kick off meeting(Project Charter)that re-states objectives and aligns all stakeholders to specific roles and responsibilities,communication methods and schedm|es. The charter meeting serves toget all'project participants introduced, roles and responsibilities communicated,establish key dates and timelines,and discuss project methodologies and tools. 7777% ption Introduction of all stakeholders and coordination of project team identify overall Project Coordinator Establish and'agree on roles and responsibilities for project team members. Identify primary project contact points for project activities. Identify th e project tools,as follows: 0 Interview tracking schedule (Contact, Title, Telephone, Locatio In, Diate/Time,Topic) Document request tracking Upcoming meetings, events and tasks Open items, issues and risks Establish and agree on timelines and milestones. Set meetin Establish Status Meetings Dates and Times Review the Coalfire methodology and tools. A secure project VJJ portal is established to create a central place for all participants to TV Me store and retrieve working documents. AH approved team members, will be granted access rights to the Project Portal which is a central place for aH participants to store and retrieve documents for review and development(see below). |T Professional Services Agreement Revised June 2O/2 Coa|finm Systems, Inc. Project Portal Coalfire believes in providing secure communication, not just at the end of the project, but also during the project, All project processes are managed through a web-based portal that maintains the project chartering, budgeting, scoping, project plans,status reports,task assignments,stakeholders and communication channels, milestone tracking, reports and deliverables.This portal is a living tool for managing the project from our perspective and it helps all staff remain fully informed on project progress, .. offiNW10 OWN 'W I'M aria 'I.,kIW4 ANq.04. 40 V14 9'Mw,r� to' *A$ 49 '**A, 1,04,1 A­ff�a­� 6� W I# ....................... The portal provides a centralized repository for: • Final reports, work-in-progress reports, and raw data. The Portal also includes complete change control for documents and check-in and check-out authorization. We also control access for critical audit reports. • Contact information for all team members. • A calendar that ties to key deliverable dates decided during the Charter Meeting • Security resources and best practices documents, to include full GLBA oriented policy templates. Sub-Task Deliverables: Project Charter • Project Portal • Document Request List • Task 2—Security Risk Assessment Coalfire has a proven methodology for performing IT security risk assessment. Coalfire will work with the Organization to develop a standards-based process as the assessment process will provide key insight to the PeopleSoft business processes,supporting technology, threats,vulnerabilities and risks within the environment that require controls. The output of the security assessment process,will be a prioritized remediation roadmap of high risk areas mapped to regulatory and business requirements.The process developed will provide the methodology and framework for the Organization to perform ongoing risk management. IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 15 Benefits of such an approach include: 0 Begin the formalization of standards-based security risk assessment process that aligns to KIST SP800- 30 (Risk Management Guide for Information Technology Systems). KIST has proven to be the preferred method for risk assessment for all industry groups as referenced in the industry best practices. 0 A more comprehensive understanding of information and technology assets, control requirements and the security control programs at the Organization. Risk justification for security and control program design and budget, • Provides the Organization the foundation to build a common controls framework aligned to industry best practices and the Organization's tolerance for risk. The following diagram highlights the IT risk assessment methodology: IT Risk Management and Security Governance Executive Charter and"Tone at To Risk Assessment Process*, it Establish Risk Tolerance 1)Inventory Business Processes: 2)Define Risk Assessment Scope 2)Align Business Processes to Information and Systems 3)Identify Risk Management Participants inventovles, 4)Assess resource commitments and availability 3)Revise Information and System Security Catcgonzation; 4)Identify Regulatory Requirements: Assess Threat Environment ssess Control and Process Vulnerabilities dentify and Assess Current Controls)Audit Findings); Security Categorization dentify Residual Risk V 1)Inventory all information Systems: 2)Inventory all information assets; 3)Create security categorization for information 25h 4)Derive security categorizations for systems (based on Information) t Control Frameworks Risk Cobtrol Selection 1)Consolidated Common Controls(for 1)Saleal'control objedives I heterogeneous regulatory environments); 2)PCI Data Security Standard 2)Selecf:supportinq control activities for objectives t 3)FflPAA N 3)Establish audit standards for control design and operating 0 4)FFIEC/Title XfI Banking effectivepoS$ 5�GLBA M, 6)Best,Prsetices(ISO 17799.CoBIT,NI$T 800-63) Control Design 1)Control Activity Alignment and Tuning A Control AssessmentJ_A_u dit 2)Policy and Standard Development �g, Scope 3)Security Program Development 4)Procedural Guidance 1)Regulatory Audits(PCI, FN HIPAA) 2)Control Assessments for RA M000� Control Input(Tltle X11,FISMA,SOX): a)Network/Systems Penetration AssessmeriV Audlit Testing; 1 control Operation 4)Application Penetratton 1)Control Procedures Control Testing i 2)Control Program Implementation(Tools,Process Documentation,Forms Operatlo Artifacts) &amploC In0don RVVa",Coslfigu�tidn M�028~t.VW&Mbl&Y M06090MW D&O oaxsftsnap,Etc, Review Documentation and Prepare far Onsite Assessment Coalfire will utilize the recently provided information and providle a detailed information request document that outlines the City of Fort Worth's PeopleSoft technology, and program artifacts, diagrams, and documentation that will be used as a basis to develop an understanding of the Organization's PeopleSoft application IT and security architect and posture. City of Fort Worth, responsibility will be responsible for uploading, to the Project Portal associated IT policies, standards, diagrams, procedures and artifacts prior to the start of the assessment. The success of this engagement will require City of Fort Worth coordination and assistance to secure access to the various IT and business documents for Coalfire's review prior to the on-site work. Coalfire reviews the Organization's submittal of materials from the document request list provided by Coalfire in the Project IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 16 Charter, including any existing security assessments (IT or otherwise), organization charts, policies, etc. Through document inspections, this task is designed to ensure Coalfire has a thorough understanding of the Organization's current state and will be incorporated into the Work Plan. For example, if the Organization has conducted recent Internal IT Audits, IT General Controls, External Independent Security Assessments, External and Internal Security Vulnerability Reports, and Financial Audit Reports. Coalfire would like to review this to determine if that process addresses requirements for the IT risk assessment. Our goal is to leverage the Organization's prior work to the extent possible, and avoid asking Organization staff identical questions that were already answered, Conduct Security Assessment Interviews Coalfire uses a proven process to ensure engagement and momentum throughout this project. All security assessments run the risk of stalling, or not being completed. While the Organization has very specific needs and deadlines for this project, Coalfire will help ensure this project is executed smoothly from beginning to end. Department Kick-Off Meetings The first step is to conduct the Department Kick-Off Meetings, Coalfire will work with the Organization's project coordinator to ensure the timing of this meeting provides adequate coverage for the key departments. Given-the number of departments at the Organization, Coalfire will conduct this once or twice (as needed) at the Organization's primary healdquarters. The Organization may also elect to record the meeting at its own expense. This Kick-Off Meeting should have senior department leaders who can then determine the best people,for Coalfire to interview later. The attendees will learn about the IT risk assessment process. In particular, this will focus on the planned approach, methodology and timeline. This is a critical step to ensure the Organization has momentum for this project that is led from the executive and department leadership level. Business Processes Interviews Coalfire will work with the Organization project coordinator to ensure an efficient schedule for the business processes interviews. With the exception of IT, the Organization should plan (inform,) the applicable business process personnel that these meetings will last approximately one (1) hour. Certain areas may require less time,though one (1) hour should be adequate for most. Coalfire may need to later ask key individuals additional clarifying questions; however, the following information generally is handled -through email and'telephone calls. The business process interviews focuses on key business activities that affect the overall security of the PeopleSoft environment. Coalfire leverages our security assessment templates to guide our discussions. These can be provided to the departments in advance once customized for the engagement. The interviews are fluid and are used to identify and classify key business processes focused on security. A discussion of the PeopleSoft modules that support them will also be identified. Coalfire finally facilitates a discussion of the threats against those business processes. Coalfire has often found that business process leaders/staff have the best understanding of the threats and vulnerabilities that impact the PeopleSoft environment. Coalfire will later formalize the results of these interviews again into Our templates and verified to help ensure accuracy and completeness of the information gathered. IT Professional services Agreement Revised June 2012 Coalfire Systems, Inc. 17 Finally, it should be noted that the Organization is strongly encouraged to have a representative at every (or at least most) interviews. This tends to improve accuracy of the interviews, plus that representative will be able to more readily conduct such interviews themselves the next year. Coalfire allows the Organization to re-use all our templates for its own internal purposes, IT Interviews While IT is another department, it plays a special role in this process. As such,the IT Department should expect approximately 1 to 3 hours of interview time during the on-site interviews. The format is similar to those of the other departments; however, will involve a, much deeper review of the IT security, controls and processes in place at the Organization. In addition, the IT Department must assist Coalfire in understanding the IT systems, security features, and related business personnel that support the other Department's business processes. Develop Security Assessment Coalfire then tabulates the results into a formal Information security risk assessment. This includes the following Sub-Tasks: Sub-Task A—IT Asset Classification Coalfire will work with the Organization to identify information assets and develop IT asset classifications. This is a formal section within the deliverables that includes: • Inventory information systems (servers, workstations, network equipment) • Inventory information assets (critical data, sensitive information) Create security categorization,for information • Derive security categorizations for systems Sub-Task Deliverable: IT Asset Classification Sub-Task B—Security Risk Assessment Once the information assets have been identified, Coalfire will develop the risk assessment, which includes: • Inventory business processes • Align business processes to information and systems inventories • Revise information and system security categorization • Identify regulatory and other compliance requirements • Assess threat environment • Assess control and process vulnerabilities • Identify and assess,current controls • Identify residual risk Sub-Task Deliverable: Information Security Risk Assessment Draft Sub-Task C—Control Framework Once operations and compliance requirements have been determined, Coalfire will develop a! Consolidated Control Framework. This will reflect the necessary controls to have in place to achieve the desired state in the risk assessment. The Control Framework will be supplemented with alignment to IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 18 industry best practices, such as MIST and ISO. This Control Framework will serve as the ibenchmark for the Gap Analysis. • Administrative Technical Physical IT Security Program& • Cybersecurity,Controls • Building Controls Policy a Access Management • Datacenter Controls • Risk Assessment Program • Authentication &Authorization • Identification& Badges • Information Security • Encryption Controls for In • Hardware movement Oversight Transit&At Rest • PC Controls, • Incident Response Network Controls • Laptop,Tablet, Mobile • Hardware Platforms,OS, • Remote Access Device Controls DB&Software • Application Access • Media Controls Configuration Standards • Firewall& Perimeter Controls • Environmental Controls • Personnel Controls • Database Security Controls Data Classification • Change Management • Logging& Monitoring • Document Destruction • System Acquisition& • Backup, Recovery and Storage • Redundancy Development • A/V, Malicious Code Controls • Backup Handling • Vendor Contracts& • Intrusion Detection Management • Business Continuity Plans • Configuration& Maintenance • Insurance Requirements • Segregation of Duties Sub-Task Deliverable: Control Framework Sub Task D—Gap,Analysis Coalfire will benchmark the Organization between its current state and desired state, as identified in the Control Framework, The Gap Analysis will provide specific recommendations for remediation in order to adequately remediate the Risk. The Gap Analysis further prioritizes the remediation recommendations into a Remedilation Roadmap. The Remediatioln Roadmap is a timeline of remediation activities. It is a planning document that prioritizes remediation activities biased on severity of gap, cost and ease of remediation. It is an iterative document that Coalfire will develop with the Organization. The Roadmap also includes initial budget estimate in terms of labor, hardware and software for each activity. Coalfire can help the Organization execute against the Remediation, Roadmap in separate Service Orders once those gaps are identified. Sub-Task Deliverable: Gap Analysis& Remediation Roadmap, 'Task 3—External Vulnerability Assessment Coalfire's External Network Vulnerability Assessment leverages the output of automated scanners and augments these findings with manual analysis of identified vulnerabilities. The additional level of analysis and concise reporting, provided with this service helps eliminate common false positives, produced by automated scanning, and facilitates a more precise understanding of the actual security posture of systems in scope. IT Professional Services Agreement Revised June 2012 Coalfire Systems,Inc. 19 Methodology Using automated discovery and vulnerability assessment tools, Coalfire Assessors will gather and classify all systems, open ports, running services, and vulnerabilities detected within the target environment. The frequency and significance of the vulnerabilities found will be analyzed to identify enterprise-level architectural or programmatic recommendations where applicable. The following types of vulnerabilities are identified: • Remote Code Execution • Weak Configuration • Susceptibility to Malware 6 Patch Level enumeration • Use of insecure services and protocols • Database Server Vulnerabilities • Web Server Vulnerabilities Tools Tools Coalfire typically utilize for the External Network Vulnerability Assessment include: Tool Name Description NeXpose Network discovery and vulnerability assessment tool by Rapic17. Nessus Network discovery and vulnerability assessment tool by Tenable. Oeliverables The result of this task is a detailed report on vulnerabilities including risk ratings and recommendations for remediation at the system, architectural, or security program level as applicable. Coalfire will also provide a conference call debriefing to discuss findings and remediation with Company stakeholders. Task 4— Internal Network Vulnerability Assessment Coalfire's Internal Network Vulnerability Assessment leverages the output of automated scanners and augments these findings with manual analysis of identified vulnerabilities. The additional level of analysis and concise reporting provided with this service helps eliminate common false positives produced by automated scanning, and facilitates a more precise understanding of the actual security posture of systems in scope. Methodology Using automated diiscovery and vulnerability assessment tools,Coalfire Assessors will gather and classify all systems, open ports, running services, and vulnerabilities detected within the target environment. The frequency and significance of the vulnerabilities found will be analyzed to identify enterprise-level architectural or programmatic recommendations where applicable. The following types of vulnerabilities are identified: ■ Remote Code Execution ■ Weak Configuration • Susceptibility to Malware ■ Patch Level enumeration IT Professional Services Agreement Revised June 2012 Coaffire Systems,Inc, 20 ■ Use of insecure services and protocols ■ Database Server Vulnerabilities Tools Tools Coalfire typically utilize for the Network Vulnerability Assessments include: Tool Name Description IVeXpase I Network discovery and vulnerability assessment tool by Rapid7, Nessus Net—work discovery and vulnerability assessment tool by Tenable, Deliverables The result of this task is a detailed report on vulnerabilities including risk ratings and recommendations for remediation. Coalfire will also provide a conference call debriefing to discuss findings and remediation with Company stakeholders, Task 5— Debrief and Deliverables Coalfire analyzes the results of the above tasks and create the various reports as outlined below.All Coalfire deliverables go through our Quality Assurance process, whereby another skilled Assessor reviews the project documents in detail. Once the QA process is complete, Coalfire defivers the reports to the Organization's representatives as a DRAFT. This is handled as a formal debrief meeting with key stakeholders.TDECU is provided the opportunity to review our findings and recommendations and provide us with corrections. Coalfire then finalizes the reports and delivers them through the Project Portal. This Task may occur over several days depending on discussions and report corrections. Executive Summary The Executive Summary is written in non-technical language to the extent possible and is intended to summarize the project objectives and results, including IT compliance activities noted, gaps in compliance, and our observations and recommendations for improvement. Information Security Risk Assessment Report For each of the processes in scope, this document provides detail on the process; representatives interviewed; assessments of confidentiality, integrity, and availability; risk scenarios evaluated; the assessments of likelihood and impact of the risk scenario occurring if control activities were not performed; key control activities in place; the assessments of likelihood and impact of the risk scenario occurring after consideration of key control activities in place; and recommended actions to mitigate residual risks identified. Prioritized Remediation Roiadmap This document summarizes the recommended remediation activities mapped to the medium and high residual risk areas. Where feasible, Coalfire includes initial estimated level of effort and software hardware costs, as appropriate. IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 21 IT Information Assets and Systems Inventory and Classification This document contains a record for each application system/database referenced by the IT risk assessment Report together with information collected such as asset/system description, categories of sensitive information, information classification scheme rating,vendor,owner, users (e.g., business units, business processes), IT support lead', technical overview, etc. Presentation This is a presentation/discussion with management regarding the project, deliverables, and recommended next steps. Coalfire can present this onsite (involving travel expenses) or through a web meeting. This will be determined later in the engagement. Other Coalfire grants the Organization the re-use of our templates for its use in conducting updates and revisions to the risk assessment. Optional Task 6— External and Internal Penetration Test Coalfire's External and Internal Network Penetration Testing determines if vulnerabilities can be exploited to compromise-the network and/or accessible systems from the perspectives of both an Internet-based attacker and the "insider threat". This testing combines those two perspectives to provide a comprehensive view of your environment. This service includes Network penetration testing that will attempt to compromise networks and operating systems, as well as Commercial-off-the-shelf web applications. Methodology Coalfire approaches external network penetration testing with a singular goal—to gain unauthorized access to systems or data. At a high level, Coalfire takes an approach to penetration testing that is similar in nature to the Penetration Testing Execution Standard (PIES) and the penetration testing, methodologies endorsed by SANS and Offensive Security. For this leveli of penetration test service, our approach can be summarized as performing Reconnaissance and Vulnerability Identification, followed by Exploitation. Reconnaissance and Vulnerability Identification Using a variety of automated scanning tools (both open source and commercial) Coalfire Penetration Testers will gather and classify all systems, open, ports, and running services in the target environment. The following types of vulnerabilities are typical of those identified and exploited during a penetration test: • Weak Configuration • Missing patches Ulse of insecure services and protocols • Web Application Vulnerabilities, such as Cross-site scripting, SQL injection and Command injection • Authentication Vulnerabilities such as default or easily guessable usernames and passwords • Database Server Vulnerabilities such as insecure object permissions IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 22 Exploitation Coalfire will exploit vulnerabilities to gain access to systems or information contained on the system. Exploitation techniques may include buffer overflows,command injection, or other methods as appropriate to the system, being attacked. All exploitation done in this phase is intended to gain additional access to the platform being targeted in order to allow our testers to achieve the goals set for the engagement. Unless requested by the client,our penetration testing methodology does not include denial of service attacks. Tools Tools Coalfire utilizes for its Network Penetration Tests include: Tool Name Description NeXpose Network discovery and vulnerability assessment tool by RapidT. Nessus Network discovery and vulnerability assessment tool by Tenable. Metasploit Open Source exploitation framework to compile and execute exploit code. NMAIP Open source utility for network exploration and security auditing. Additional tools Various other open source and commercial tools are utilized during testing. Sub-Task Deliverable: The result of this Task is a detailed report on attack scenarios used,vulnerabilities discovered including risk ratings, proof of exploitation (screenshots) and recommendations for remediation. Coalfire will also provide a conference call debriefing to discuss findings and remediation with Company stakeholders. Task 7—Advisory Services Additional services to support City of Fort Worth technology program outside those listed above may be performed on a time-and-materials basis, Advisory Services include, but are not limited to: • input for new policies and procedures or other documentation related to compliance • Remediation Guidance • Review/validation of gap closure endeavors • Security Awareness Training • Security Vulnerability Security Scans,Social Engineering and Phishing Exercises Proposed Schedule Coalfire will confirm and document the work plan in coordination with the City of Fort Worth as part of the chartering effort, Below is a notional schedule to provide a sense of the period of performance.Additional consultants can be added to the project as needed to shorten the overall timeline. Task�,—Project Charter&P©rtal � City of Fort Worth Uploads Documents to Project Portal • Schedule Interviews& Location Visits Document Request&Tracking • Upcoming Meetings, Events and Tasks IT Professional,Services Agreement Revised June 2012 Coalfire Systems, Inc. 23 Task 2-Security Risk.Assessment d p p Task 3-External Security Vulnerability Assessment CM1 Task 4-Internal Security Vulnerability Assessment p Task 5-Debrief and Deliverables p p Task 6-(Optional)-External &Internal Penetration Test p ......�, Tasks AdvisaryServfc es TBD 4..... ...�.. �...,..M,w.µ.�M... �..._.___..._._.,... k..___.._.. Project Fees Coalfire will provide services under this engagement for the fixed-fee budget shown in the following table. Services will be provided on a mutually agreeable schedule. It is our understanding that City of Forth worth will purchase these services under the terms and conditions of the State of Texas DIR contract. Pricing in this Service Order is based on DIR Contract pricing.Coalfire°s DIR contract#is DIR-SDD-1899 Description .d Fees Task 1-Project Charter and Portal o Information Gathering j Task 2-Security Risk Assessment $28,000 o Prepare for Onsite Assessment o Risk Assessment Interviews .... .. ..... _... ,. ._....... ......_... . . .......... . ..... ... I i Task 3-External Security Vulnerability Assessment o <20 External Internet-Facing IP Addresses $5,000 Task 4-Internal Security Vulnerability Assessment $4,000 o <20 Internal IP Addresses Task 5-Debrief and Deliverables o Prepare Reports and Presentations as DRAFT 9,000 o Conduct Closing Meetings o Prepare Reports as FINAL . ................_.............. .... ...... „. ........ ....._......... . Consulting Fees Total % X46,000 .. . ... .. ............................._....... .. . _......... ......._ ....�.... Estimated Travel $500 o Billed at actual, not to exceed Total Consulting and Estimated Travel Fees $46,500 ..........._._..___._._ _..._ ..... . ......._..__.... --t..-- -- _____......._..... Task 6(Optional) External and Internal Penetration Test $6,400 o <20 External Internet Facing IP Addresses IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 24 Time and Material (T&M) Services The following services are provided on an as-needed, if-needed basis.Coalfire does not have a retainer for these services. All services listed below are provided at$220/hour. Description Rate Task 7—Advisory Services $153 per hour Requirements and Assumptions This project assumes certain participation and limitations as described below and as otherwise identified by the parties during,the course of this engagement. • Coalfire anticipates on-site activities will be performed at the Fort Worth,TX facilities. • The Organization will provide to Coalfire as appropriate and necessary to complete the project tasks: • Access to business staff, documentation, and facilities necessary for Coalfire to perform its services, including access to corporate and, if any, hosted computer systems and network connections; • A single point of contact to work with Coalfire throughout each phase of the project. The resource will have technical knowledge about the in-scope systems, devices and networks, or will have access to additional subject-matter experts 'within the Organization. The resource will serve as the focal point for immediately notifying the Organization of discovered high-risk vulnerabilities and findings; • Hazard free work environment and free from asbestos; • All necessary safety equipment and training while on the Organization's or its customer's site; • Introductions to and facilitated discussion with the Organization's service providers and third-party business partners, which may be considered within scope if applicable; and • Timely input throughout the project and will review progress at review meetings requested by Coalfire. • Cooperation, input, and access are critical to this project, and the Organization's will provide, representation at all review,meetings. • The Organization acknowledges and agrees that: (i) any outcome of the services involving compliance assessment is limited to a point-in-time examination of the Organization's compliance or non-compliance status with the applicable standards or industry best practices set forth in the Scope of Work and that the outcome of any audits, assessments or testing by, and the opinions, advice, recommendations and/or certification by Coalfire does not constitute any form of representation, warranty or guarantee that Organization's systems are 100% secure from every form of attack, and (ii) in assisting in the examination of the Organization's compliance or non-compliance status, Coalfire relies upon accurate, authentic and complete information provided by the Organization as well as use of certain sampling techniques. IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 25 • The Organization will communicate any issues or concerns with respect to the Services or Deliverables in a timely manner, • Coalfire has no obligation to, and will not, install, mount, affix, screw, or otherwise fasten any cable, hardware, or other product to any building or structure (inside or outside), and Coalfire has no obligation to, and will not, run cable above, under, behind, or through any ceiling, floor, or wall of any building or structure. To the extent that any such services are required, such services will be performed by another person or entity engaged directly by Organization. • Any changes to the scope and/or assumptions will require joint written approval. This may extend the duration of the engagement and/or require additional resources, resulting in additional cost to the Organization. • Advisory Services, including input for control design and interim testing during remediation, is offered on a time-and-materials basis and not covered in any fixed'-price service described herein. • Fees are subject to reimbursement of travel and per them expenses related to on-site services as set forth in the Project Fee Schedule., • All rates listed herein will remain valid for 30-days from the date of this Service Order. • All activities will be conducted during business hours. Acceptance This Service Order is subject to the terms and conditions of the Professional Services Agreement agreed to by the parties. icel Order! �13 Q508 City of,Ft Worth People Soft 77`7� " 77-�7 7,a,77 �7 �,7 77, M ,77 7,77 71", "Y's Signed: Signed: Name: Name: Alan Ferguson ._­__­_._­­.............. Title- Title: Executive Vice President .................... --------- Date: Date: Kindly return signed Service Order to the attention of Joe Barnes: E-Mail: Joe.Barnes�@�coalfire.com Office:972-763-8012 IT Professional Services Agreement Revised June 2012' Coalfire Systems, Inc. 26 EXHIBIT B PAYMENT SCHEDULE Project Fees Coalfire will provide services under this engagement for the fixed-fee budget shown in the following table. Services will be provided on a mutually agreeable schedule. it is our understanding that City of Forth worth will purchase these services under the terms and conditions of the State of Texas DIR contract. Pricing in this Service Order is based on DIR Contract pricing. Coalfire's DIR contract#is DIR-SDD-1899 Description Fixed Fees Task 1—Project Charter and Portal o Information Gathering ---------- ................. Task 2—Security Risk Assessment $ 28,000 o Prepare for Onsite Assessment o Risk Assessment Interviews Task 3—External Security Vulnerability Assessment o <20 External Internet-Facing IP Addresses $5,000 Task 4—Internal Security Vulnerability Assessment $4,000 o <20 Internal IP Addresses Task 5—Debrief and Deliverables o Prepare Reports and Presentations as DRAFT $9,000 o Conduct Closing Meetings o Prepare Reports as FINAL ---------- Consulting Fees Total 1461000, Estimated Travel $500 0 Billed at actual, not to exceed ...................... Total Consulting and Estimated Travel Fees $46,500 Task 6(Optional)—External and Internal Penetration Test $6,400 o <20 External Internet Facing IP Addresses Time and Material (T&M) Services The following services are provided on an as-needed, if-needed basis.Coalfire does not have a retainer for these services. All services listed below are provided at$220/hour. Description Rate Task 7—Advisory Services $153 per hour IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 27 EXHIBIT C MILEST01NE ACCEPTANCE FORM Services Delivered: Milestone/ Deliverable Ref. #: Milestone/ Deliverable Name: Unit Testing Completion Date: Milestone/ Deliverable Target Completion Date: Milestone/ Deliverable Actual Completion Date: Approval Date: Comments (if needed): Approved by Consultant: Approved by City Department Director: Signature: Signature: Printed Name: Printed Name: Title: Title: Date: Date: For Director Use Only Contracted Payment Amount: Adjustments, including penalties: Approved Payment Amount: IT Professional Services Agreement Revised June 2012 Coalfire Systems,Inc. 28 EXHIBIT D NETWORK ACCESS AGREEMENT 1 The Network. The City owns and operates a computing environment and network (collectively the "Network"). Coalfire Systems Inc. wishes to access the City's network in order to provide information security and vulnerability assessment services, In order to provide the necessary support, Contractor needs access to all computing systems, that comprise the City's Human Resources PeopleSoft environment, as well as the surrounding network(s)within which 'these systems reside. 2. Grant of Limited Access. Contractor is hereby granted a limited right of access to the City's Network for the sole purpose of providing information security and vulnerability assessment services. Such access is granted subject to the terms and conditions forth in this Agreement and applicable provisions of the City's Administrative Regulation D-7 (Electronic Communications Resource Use Policy), of which such applicable provisions are hereby incorporated by reference and made a part of this Agreement for all' purposes herein and are available upon request. 3. Network Credentials. The City will provide Contractor with Network Credentials consisting of user IDS and passwords unique to each individual requiring Network access on behalf of the Contractor. Access rights will automatically expire one (1) year from the date of this Agreement. If this access is being granted for purposes of completing services for the City pursuant to a separate contract, then this Agreement will expire at the completion of the contracted services, or upon termination of the contracted services, whichever occurs first. This Agreement will be associated with the Services designated below. F-1 Services are being provided in accordance with City Secretary Contract No. ❑ Services are being provided in accordance with City of Fort Worth Purchase Order Nlo. X Services are being provided in accordance with the Agreement to which this Access Agreement is attached. F-1 No services are being provided pursuant to this Agreement. 4. Renewal. At the end of the first year and each year thereafter, this Agreement may be renewed annually if the following conditions are met: 4.1 Contracted services have not been completed. 4.2 Contracted services have not been terminated. 4.3 Within the thirty(30) days prior to the scheduled annual expiration of this Agreement, the Contractor has provided the City with a current list of its officers, agents, servants, employees or representatives requiring Network credentials. Notwithstanding the scheduled contract expiration or the status of completion of services, Contractor shall provide the City with a current list of officers, agents, servants, employees or representatives that require Network credentials on an annual basis. Failure to adhere to this requirement may result in denial of access to the Network and/or termination of this Agreement. 5. Network Restrictions. Contractor officers, agents, servants, employees or representatives may not share the City-assigned user IDS and passwords. Contractor acknowledges, agrees and hereby gives its authorization to the City to monitor Contractor's use of the City's Network in order to ensure Contractor's, compliance with this Agreement. A breach by Contractor, its officers, agents, servants,, employees or representatives, of this Agreement and any other written instructions or guidelines that the City provides to Contractor pursuant to this Agreement shall be grounds for the City immediately to deny Contractor access to the Network and Contractor's Data, terminate the Agreement, and pursue any other remedies that the City may have under this Agreement or at law or in equity, 5.1 Notice to Contractor Personnel — For purposes of this section, Contractor Personnel shall include all officers, agents, servants, employees, or representatives of Contractor. Contractor shall be IT Professional services Agreement Revised JU17e 2012 Coalfire Systems, Inc. 29 responsible for specifically notifying all Contractor Personnel who will provide services to the City under this agreement of the following City requirements and restrictions regarding access to the City's Network: (a) Contractor shall be responsible for any City-owned equipment assigned to Contractor Personnel, and will immediately report the loss or theft of such equipment to the City (b) Contractor, and/or Contractor Personnel, shall be prohibited from connecting personally- owned computer equipment to the City's Network (c) Contractor Personnel shall protect City-issued passwords and shall not allow any third party to utilize their password and/or user ID, to gain access to the City's Network (d) Contractor Personnel shall not engage in prohibited or inappropriate use of Electronic Communications Resources as described in the City's Administrative Regulation D7 (e) Any document created by Contractor Personnel in accordance with this Agreement is considered the property of the City and is subject to applicable state regulations regarding public information (f) Contractor Personnel shall not copy or duplicate electronic information for use on any non-City computer except as necessary to provide services pursuant to this Agreement (g) All network activity may be monitored for any reason deemed necessary by the City (h) A Network user ID may be deactivated when the responsibilities of the Contractor Personnel no longer require Network access 6. Termination. In addition to the other rights of termination set forth herein, the City may terminate this Agreement at any time and for any reason with or without notice, and without penalty to the City. Uipon termination of this Agreement, Contractor agrees to remove entirely any client or communications software provided by the City from all computing equipment used and owned by the Contractor, its officers, agents, servants, employees and/or representatives to access the City's Network, 7. Information Security, Contractor agrees to make every reasonable effort in accordance with accepted security practices to protect the Network credentials and access methods provided by the City from unauthorized disclosure and use. Contractor agrees to notify the City immediately upon discovery of a breach or threat of breach which could compromise the integrity of the City's Network, including but not limited to, theft of Contractor-owned equipment that contains City-provided access software, termination or resignation of officers, agents, Servants, ernployees, or representatives with access to City-provided Network credentials, and unauthorized use or sharing of Network credentials. ACCEPTED AND AGREED: CITY OUT WORTH: CONTRACTOR NAME: Coaffire Systerns-Inc.., .71 By: By: _Skiwi Al'anis Name: Assistant C* an er Title.- C') Date: I Date: ATTEST* F­­ ST., By: J&hty 8emret V j kTI APPROVED AS ORM A LEGA 000"0000/ X Senior Assistant City Attorney M &C:_ none required LOFFICIAL RECORD CI IT Professional Services Agreement !y y Revised June 2012 Coalfire Systems, Inc. CITY SECRE-ITARY 1 1 30 FT. WORM9 TX EXHIBIT E VERIFICATION OF SIGNATURE AUTHORITY Full Legall Name of Company: Legal Address: Services to be provided: Execution of this Signature Verification Form ("Form") hereby certifies that the following individuals and/or positions have the authority to legally bind the Company and to execute any agreement, amendment or change order on behalf of Company. Such binding authority has been granted by proper order, resolution, ordinance or other authorization of Company. The City is fully entitled to rely on the warranty and representation set forth in this Form in entering into any agreement or amendment with Company. Company will submit an updated Form within ten (10) business days if there are any changes to the signatory authority, The City is entitled to rely on any current executed Form until it receives a revised Form that has been properly executed by the Company. 1. Name: Position: Signature 2, Name: Position: Signature 3. Name: Position: Signature Name: Signature of President 1 C Other Title: M510 Date: 2 - 'f(.2 fr IT Professional Services Agreement Revised June 2012 Coalfire Systems, Inc. 31 % I M&C Revie'v Official site(A the City of Fwt Main,Texas t;i,l� �" ,;,f ,'! Nr7 i✓" fakffi'. r �i fr�FF /ro r am�Y«5G `',P✓�G (/+���{y( ify ' A66",>!A. .✓,1 r !4✓,.. 4 l /:;G,r A,'S r�` r 1.;, ,;r r V T W 7, ;�� r r; r , I.( r�r S, I,'r Sf? ^.r a,. N r.; " ,r�`` ur/. q r� .3✓ e + F"r v 6.,. S �. , r✓... � d r.,. tt w. fi .., ` ro ( .::: iF s n';r n ,,,.✓..,b '� 'in � ., ri ,;. i'r a '3. r r n. r ....,, ,, v.,. ...✓�'. ,:. .. � '.G d.:e H" ✓„ .. ,.,. .,.. f ' ,;;,,.` v., n: �. 1 rt ,F,...,,reb„..- ,�/ r- k+.- �5 r, S �N,er r✓..�' ,5? f ,.'�t, u,r ,r,,.d 1, f. v, ,f ::.r ,Fk r✓ r ., @"r , Ell ,f ✓ ,. JhNrJ ., r . ,„✓.,,, r „„ f fr Y.. Y ,: n 1 ..Y....u,., r,f .,,, t, r,u a � � 7 ne. 1, „r, .✓., ,� ,, : ,..�M1.,rY. ,..,rv,, ➢ .. r� �1 � fnw� �� .9, nw.,r A>?A✓Sin d,(.dd mr4� l:: a, d✓.�� r,l✓ rn?��� r��r m...«,..,�� lt�� .rrca'� r r c rM., ter dro •s„ ��✓,,�, ,rrw��„r�eV� rva. � '� ,r SYi c'y t+raT paF f'r r fj i:hS tfCc cr r` r v( ',rt3 rrrr rr'';; r f y,':r >rrr r ,:. Jra 7n %,cr Nht s,r 7 I(I'(s N t�t�:'rO h„J¢!s it j� /f �;.. w`., ■r■, d < r / ('n'r f r f .rye ;lrlrraPM :,.re,!....,: 7tt v✓:so-✓vv,, ,s 1..,,,.CF F✓Vl ,n,.T„-.,:n✓, ,.-.�: -.,.r.. .: ....,.. ,.:... !Ilo-,.;,... „M,,,,,,;, ,, ,,,, ,,,,,,,,,,, r,,,, .W.,.( :, ..c,..v :,:,.r.,,c. S.v,:u... <, ,,,,..,,,r.JrlV,tt"L REFERENCE**C-20x397 LOG 04SECURIT'Y ASSESSMENT WITH DATE. 8/20/2013 NO.: G NAME: COALFIRE SYSTEMS CODE: C TYPE: CONSENT PUBLIC NO HEARING: SUBJECT: Authorize Execution of a Professional Services Agreement with Coalfire Systems, Inc., at a Cost Not to Exceed $53,000.00 for a Security Assessment Using a State of Texas, department of Information Resources Contract for the Information Technology Solutions Department (ALL COUNCIL DISTRICTS) RECOMMENDATION: It is recommended that the City Council authorize execution of a Professional Services Agreement with Coalfire Systems, Inc., at a cost not to exceed $53,000.00 for a Security Assessment of the City's PeopleSoft HR/Payroll System using State of Texas, Department of Information Resources Contract No. DIR-SDD-1899 for the Information Technology Solutions Department. DISCUSSION: A Security Assessment is meant to help organizations better manage business and technology risk. A key part of the Security Assessment is a Comprehensive Security Risk Assessment that can be used to prioritize risk and develop a mitigation roadmap. This independent assessment is being done as part of the industry's best practices to ensure the software system has been implemented with the appropriate and utmost business-friendly security levels for the city. The expense for this assessment has been planned and budgeted for in the cost of the system implementation and support. The assessment process will provide key insight into the HR/Payroll business processes in PeopleSoft, supporting technology, threats, vulnerabilities and risks within the environment that require controls. The output of the Security Assessment process will be a prioritized remed'iation road'map of high risk areas mapped to regulatory and business requirements. Finally, the process developed through the assessment will provide the methodology and framework for the City to perform ongoing risk management. COOPERATIVE PURCHASE - State law provides that a local government purchasing an item under a Cooperative Purchasing Agreement satisfies any state law requiring that the local government seek competitive bids for purchase of the item. Department of Information Resources (DIR) contracts were competitively bid to increase and simplify the purchasing power of government entities. MIWBE OFFICE -A waiver of the goal for MBE/SBE subcontracting requirements was requested by the Information Technology Solutions Department and approved by the MIWBE Office, in accordance with the BDE Ordinance, because the purchase of goods or services is from sources where subcontracting or supplier opportunities are negligible. ADMINISTRATIVE CHANGE ORDER -An Administrative Change Order or increase may be made by the City Manager for the Professional Services Agreement in the amount up to $13,250.00 and does not require specific City Council approval as long as sufficient funds have http://apps.cfwnet.org/couticil_p-,tcket/me—review.asp?ID=I 8785&councildate--8/20/2013[8/21/2013 8:38.46 AM] "w been appropriated. The Financial Management Services [director,certifies that funds are available in the current operating budget, as appropriated, of the Information Systems Fund. TO Fund/Account/Center P168 e„ 1200 0045021 $5 .000,OQ Submitted for City Manager's Office_byw Susan Alanis (8180) Originating Department Head: Peter,Anderson (8781) Additional information Contact: Mai Tran (8858) ATTACHMENT5 ittp://apps.cfwnet.org/counewl-packet/me.-review.asp`]D=1 87 85&councildate=g/2()/2013[8/21/2013 8:38.46 AM]