The URL can be used to link to this page

Home My WebLink AboutContract 29345 CITY SECRETARY • CONTRACT NO. PROFESSIONAL SERVICES AGREEMENT This PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and entered into by and between the CITY OF FORT WORTH (the "City"), a home rule municipal corporation situated in portions of Tarrant, Wise and Denton Counties, Texas, acting by and through Richard Zavala, its duly authorized Assistant City Manager, and SECURE COMMERCE SYSTEMS ("Consultant") a Texas corporation and acting by and through Ron Newman, its duly authorized Chief Operating Officer. 1. SCOPE OF SERVICES. Consultant hereby agrees to provide the City with professional consulting services addressing City network security by providing Personnel and Management Consulting Services. The specifics of the services to be provided are described in detail in Exhibit A "Statement of Work," attached hereto and incorporated for all purposes. In the event of conflict between the Exhibit and this Agreement, the terms of this Agreement shall control. 2. TERM. This Agreement shall commence upon the date that both the City and Consultant have executed this Agreement ("Effective Date") and shall continue in full force and effect until terminated in accordance with the provisions of this Agreement or when the City provides Consultant with written notice that Consultant has fulfilled its obligations under this Agreement and that Consultant's services are no longer required. 3. COMPENSATION. The City shall pay Consultant an amount of $80,520.00 plus expenses per Exhibit A, also incorporated hereby for all purposes incident hereto, in accordance with the provisions of this Agreement. Consultant shall not perform any additional services for the City not specified by this Agreement unless the City requests and approves in writing the additional costs for such services. The City shall not be liable for any additional expenses of Consultant not specified by this Agreement unless the City first approves such expenses in writing. 4. TERMINATION. 4.1. Written Notice. The City or Consultant may terminate this Agreement at any time and for any reason by its providing the other party with 30 days' written notice of termination. ;FF.1(,lAl �s SORT '�� 1RGrIf 4.2 Non-appropriation of Funds. In the event no funds or insufficient funds are appropriated by the City in any fiscal period for any payments due hereunder, City will notify Consultant of such occurrence and this Agreement shall terminate on the last day of the fiscal period for which appropriations were received without penalty or expense to the City of any kind whatsoever, except as to the portions of the payments herein agreed upon for which funds shall be been appropriated. 4.3 Duties and Obligations of the Parties. In the event that this Agreement is terminated prior to the Expiration Date, the City shall pay Consultant for services actually rendered as of the effective date of termination and Consultant shall continue to provide the City with services requested by the City and in accordance with this Agreement up to the effective date of termination. 5. DISCLOSURE OF CONFLICTS AND CONFIDENTIAL INFORMATION. Consultant hereby warrants to the City that Consultant has made full disclosure in writing of any existing or potential conflicts of interest related to Consultant's services and proposed services with respect to the Scope of Services. In the event that any conflicts of interest arise after the Effective Date of this Agreement, Consultant hereby agrees immediately to make full disclosure to the City in writing. Consultant, for itself and its officers, agents and employees, further agrees that it shall treat all information provided to it by the City as confidential and shall not disclose any such information to a third party without the prior written approval of the City. 6. RIGHT TO AUDIT. Consultant agrees that the City shall, until the expiration of three (3) years after final payment under this contract, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of the consultant involving transactions relating to this Contract. Consultant agrees that the City shall have access during normal working hours to all necessary Consultant facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this section. The City shall give Consultant reasonable advance notice of intended audits. Consultant further agrees to include in all its subcontractor agreements hereunder a provision to the effect that the subcontractor agrees that the City shall, until expiration of three (3) years after final payment of the subcontract, have access to and the right to examine at reasonable times any directly pertinent books, documents, papers and records of such subcontractor involving transactions related to the subcontract, and further that City shall have access during normal working hours to all subcontractor F1, �«JPEH, MY. facilities and shall be provided adequate and appropriate work space in order to conduct audits in compliance with the provisions of this paragraph. City shall give subcontractor reasonable notice of intended audits. 7. INDEPENDENT CONTRACTOR. It is expressly understood and agreed that Consultant shall operate as an independent contractor as to all rights and privileges granted herein, and not as agent, representative or employee of the City. Subject to and in accordance with the conditions and provisions of this Agreement, Consultant shall have the exclusive right to control the details of its operations and activities and be solely responsible for the acts and omissions of its officers, agents, servants, employees, contractors and subcontractors. Consultant acknowledges that the doctrine of respondeat superior shall not apply as between the City, its officers, agents, servants and employees, and Consultant, its officers, agents, employees, servants, contractors and subcontractors. Consultant further agrees that nothing herein shall be construed as the creation of a partnership or joint enterprise between City and Consultant. S. LIABILITY AND INDEMNIFICATION. CONSULTANT SHALL BE LIABLE AND RESPONSIBLE FOR ANY AND ALL PROPERTY LOSS, PROPERTY DAMAGE ANDIOR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, TO THE EXTENT CAUSED BY THE NEGLIGENT ACT(S) OR OMISSION(S), MALFEASANCE OR INTENTIONAL MISCONDUCT OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES. CONSULTANT COVENANTS AND AGREES TO, AND DOES HEREBY, INDEMNIFY, HOLD HARMLESS AND DEFEND THE CITY, ITS OFFICERS, AGENTS, SERVANTS AND EMPLOYEES, FROM AND AGAINST ANY AND ALL CLAIMS OR LAWSUITS FOR EITHER PROPERTY DAMAGE OR LOSS (INCLUDING ALLEGED DAMAGE OR LOSS TO CONSULTANT'S BUSINESS AND ANY RESULTING LOST PROFITS) ANDIOR PERSONAL INJURY, INCLUDING DEATH, TO ANY AND ALL PERSONS, OF ANY KIND OR CHARACTER, WHETHER REAL OR ASSERTED, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, TO THE EXTENT CAUSED BY THE NEGLIGENT ACTS OR OMISSIONS OR MALFEASANCE OF CONSULTANT, ITS OFFICERS, AGENTS, SERVANTS OR EMPLOYEES. 9. ASSIGNMENT AND SUBCONTRACTING. Consultant shall not assign or subcontract any of its duties, obligations or rights under this Agreement without the prior written consent of the City. If the City grants such consent, the assignee or subcontractor shall execute a written agreement with the City under which the assignee or subcontractor agrees to be bound by the duties d{ L`70. b:J and obligations of Consultant under this Agreement. 10. COMPLIANCE WITH LAWS, ORDINANCES, RULES AND REGULATIONS. Consultant agrees to comply with all federal, state and local laws, ordinances, rules and regulations. If the City notifies Consultant of any violation of such laws, ordinances, rules or regulations, Consultant shall immediately desist from and correct the violation. 11. NON-DISCRIMINATION COVENANT. Consultant, for itself, its personal representatives, assigns, subcontractors and successors in interest, as part of the consideration herein, agrees that in the performance of Consultant's duties and obligations hereunder, it shall not discriminate in the treatment or employment of any individual or group of individuals on the basis of race, color, national origin, religion, handicap, sex, or familial status. If any claim arises from an alleged violation of this non-discrimination covenant by Consultant, its personal representatives, assigns, subcontractors or successors in interest, Consultant agrees to assume such liability and to indemnify and defend the City and hold the City harmless from such claim. 12. NOTICES. Notices required pursuant to the provisions of this Agreement shall be conclusively determined to have been delivered when (1) hand-delivered to the other party, its agents, employees, servants or representatives, (2) delivered by facsimile with electronic confirmation of the transmission, or (3) received by the other party by United States Mail, registered, return receipt requested, addressed as follows: To THE CITY: To CONSULTANT: City of Fort Worth/IT Solutions Secure Commerce Systems, Inc. 1000 Throckmorton 7528 Sweetgum Fort Worth TX 76102-6311 Irving, TX 75063 Facsimile: (817) 871-8654 Facsimile: 972-444-8279 13. SOLICITATION OF EMPLOYEES. Neither the City nor Consultant shall, during the term of this agreement and additionally a period of one year after its termination, solicit for employment or employ, whether as employee or independent contractor, any person who is or has been employed by the other during the term of this agreement, without the prior written consent of the person's employer. 14. GOVERNMENTAL POWERS. It is understood and agreed that by execution of this Agreement, the City does not waive or surrender any of its governmental powers. 15. NO WAIVER. The failure of the City or Consultant to insist upon the performance of any term or provision of this Agreement or to exercise any right granted herein shall not constitute a waiver of the City's or Consultant's respective right to insist upon appropriate performance or to assert any such right on any future occasion. 16. CONSTRUCTION. This Agreement shall be construed in accordance with the internal laws of the State of Texas. If any action, whether real or asserted, at law or in equity, is brought on the basis of this Agreement, venue for such action shall lie in state courts located in Tarrant County, Texas or the United States District Court for the Northern District of Texas, Fort Worth Division. 17. SEVERABILITY. If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired. 18. FORCE MAJEURE. The City and Consultant shall exercise their best efforts to meet their respective duties and obligations as set forth in this Agreement, but shall not be held liable for any delay or omission in performance due to force majeure or other causes beyond their reasonable control, including, but not limited to, compliance with any government law, ordinance or regulation, acts of God, acts of omission, fires, strikes, lockouts, national disasters, wars, riots, material or labor restrictions by any governmental authority, transportation problems and/or any other similar causes. 19. HEADINGS NOT CONTROLLING. Headings and titles used in this Agreement are for reference purposes only and shall not be deemed a part of this Agreement. 20. ENTIRETY OF AGREEMENT. This Agreement, including the schedule of exhibits attached hereto and any documents incorporated herein by reference, contains the entire understanding and agreement between the City and Consultant, their assigns and successors in interest, as to the matters contained herein. Any prior or contemporaneous oral or written agreement is hereby declared null and void to the extent in conflict with any provision of this Agreement. IN WIT,4ESS WHERE O , the parties hereto have executed this Agreement in multiples this " day of ' 2003. CITY OF FORT WORTH: SECURE COMMERCE SYSTEMS, INC. By: By: Richard Zavala Ron Newman Assistant City Manager Chief Operating Officer ATTEST: ATTEST: By: By: City ecretary APPROVED AS TO FORM AND LEGALITY: Contract Authorization Date AssisIgnt City Attorney Ft WORK Y-EI'L EXHIBIT A 1.0 Statement of Work Secure Commerce Systems is pleased to propose assistance to the City of Fort Worth in addressing the recommendations made in the document"Network Security&Vulnerability Assessment Report,"dated December 16,2002.It also proposes assistance in addressing the day4o-day and unforeseen security consulting services needs of the City over the contract period. 1.1 Scope of Work The scope for these security Consulting services will be the information systems administered by the IT Solutions organization within the City of Fort Worth. A Secure Commerce Systems senior security Consultant will perform tasks in support of a focused set of security initiatives intended to address specific deficiencies in the City of Fort Worth security posture. Security posture deficiencies were identified in the Secure Commerce Systems security vulnerability assessment report delivered in December 2002 and in discussions with City of Fort Worth personnel since that time.The focused set of security initiatives will be based on Secure Commerce Systems'enterprise security methodology,depicted in the following figure. t 1 ' ■ j f � The figure graphically illustrates that successful tmplemerrtdtron of the security initiatives depends on their being performed in the proper order.The success of each initiative depends on the successful completion of the initiatives that precede it Work is currently being performed under separate contract to develop a Comprehensive,centralized Information Security Policy that will be approved by the City Manager. Such a security policy will assist various City departments,such as HR and Legal,in enforcement of information security and in holding employees accountable for their actions. A security policy will assist the City in achieving Compliance with various regula OFFICIAL BOB CRY SKI- 9Y HIPAA and Homeland Security. A security policy will assist the City in attaining a more secure information technology infrastructure and provide an audit document against which future assessments may be made. Work is also currently being performed under separate contract to develop enterprise-wide security standards and guidelines for implementing the approved Information Security Policy. Standards and guidelines are critical components to the successful implementation of a security policy,and they include documents specifying security Best Practices and standards for cryptography,authentication,and protocols. Secure Commerce Systems proposes that the following additional security initiatives be pursued: 1.1.1 Internet Worm Incident Review Secure Commerce Systems proposes to provide the City of Fort Worth a high-level review of the Internet worm incident that it experienced beginning on or about August 21,2003.This analysis will attempt to document how the worm entered the City networks,what things were done right in handling the infection,what things were done wrong in handling the infection, and how such an infection might be prevented in the future. The scope of this information security vulnerability assessment will be the information systems administered by the City of Fort Worth. Secure Commerce Systems will perform the following work: • Secure Commerce Systems consultants will conduct interviews with City of Fort Worth IT personnel to map the entry and spread of the worm and to document the steps that were taken in the attempt to contain the spread. • Secure Commerce Systems consultants will evaluate existing perimeter network security controls that detect worms and viruses and act to prevent their entry into the City's internal networks. • Secure Commerce Systems consultants will evaluate existing internal network security controls that that detect worm and virus infections and act to halt their spread within the City's internal networks. • Secure Commerce Systems consultants will evaluate existing security incident response processes and procedures. • Secure Commerce Systems consultants will develop recommendations for changes to the City's network security controls and/or security incident response processes and procedures that will help prevent future worm and virus infections. • Secure Commerce Systems consultants will report the result of the analysis and recommendations. Deliverables: • Written report documenting the result of the analysis and the recommendations 1.1.2 Security Awareness Program Development Secure Commerce Systems proposes to assist the City of Fort Worth in the establishment of a new security awareness program. A security awareness program will be implemented to assist City employees in understanding the new City of Fort Worth Information Security Policy and their responsibilities under the new security program. The purpose and content of the approved security policy will be discussed,and new security requirements mandated by the security policy will be described. The content of the security awareness program will be tailored for the various City employees who will receive the information. Secure Commerce Systems will perform the following work: • The Secure Commerce Systems consultant will draft an initial, high-level security awareness presentation for review with a specific audience in order to address an immediate organizational need. • Working with City personnel,the Secure Commerce Systems consultant will create a strategy document for the development of a complete security awareness program based on the newly approved Information Security Policy and the standards and guidelines documents.This strategy will include a schedule of steps that need to be taken,a description of what is required for each step,and plans for handling issues that have been identified. • The Secure Commerce Systems consultant will draft a complete security awareness presentation,as well as any needed supplemental materials,for review with other personnel and organizations,as identified in the strategy. These materials may include web pages to be added to the City internal web site as well as promotional material for City newsletters. • The Secure Commerce Systems consultant will review the completed materials with other personnel and organizations,present the materials to a test group,and"train the trainers"as specified in the strategy. Deliverables: • Initial,high-level security awareness presentation material • Security awareness program strategy document • Complete security awareness presentation material 1.1.3 Ongoing Computer Information Security Of (CISO)Support Secure Commerce Systems proposes ongoing Computer Information Security Officer(CISO)support to assist the City of Fort Worth in its security operations processes and procedures for a 6-month period. Secure Commerce Systems will provide an experienced security consultant who will be available for,on average, 1 day a week for the duration of the 6-month period. This consultant will provide interim Computer Information Security Officer(CISO)services and act as an advisor on behalf of IT Solutions, the CIO,the CTO,the City Manager's office,the City Council,and the Mayor's office. This consultant will be available on-site and remotely via e-mail and telephone as needed. This security consultant will perform tasks in support of the IT Solutions organization's daily operational activities that will include,but are not limited to,the following: • Detection and remediation of security vulnerabilities in City networks and systems • Development of security processes and procedures as required by the City's Information Security Policy • Support for IT Solutions technical personnel in the handling of computer security incidents • Participation in meetings in which IT security issues will be addressed • Provide support and advisory services for additional security related matters as needed • Assist the CTO,the CIO,and departmental managers with the implementation of the Information Security Policy, standards, guidelines,and procedures to ensure ongoing maintenance of security • Actively participate in the IT Steering Committee meetings and other meetings as required Deliverables: Under the scope of this agreement, Secure Commerce Systems will deliver to the City of Fort Worth a number of work products, including the deliverables specified in the preceding descriptions. Secure Commerce Systems will provide a senior security consultant who will be on-site or available by telephone for conference calls with the City of Fort Worth,as required,for the duration of the contract.The consultant will also be available remotely via e-mail,as needed. The Secure Commerce Systems security consultant will serve as the project manager for the proposed work. The project manager will be a credentialed security professional,a Certified Information Systems Security Professional (CISSP),experienced in the 10 security domains and bound by a professional code of ethics.More information on the CISSP credential is presented in Appendix B.- Secure :Secure Commerce Systems will provide a team of senior technical and management security consultants to provide additional support as required and with the approval of City of Fort Worth management_ 1.2 City of Fort Worth Responsibilities The City of Fort Worth will identify and make available the necessary personnel and documentation to provide the relevant information necessary to perform the specified consulting services work. The City of Fort Worth will provide office space,supplies,and telecommunications facilities as required during on- site work. 2.0 Staffing and Fees Dr. Steve Cummings,PhD.or Mr.Barry Diller,depending on availability,will be the lead security consultant and project manager for the team,providing security consulting services at a fee rate per hour of$150. Other Secure Commerce Systems senior technical personnel will be utilized as needed,at their fee rate,and their biographies are presented in Appendix A. Web page development services will have a fee rate per hour of$150, RACF technical consulting services will have a fee rate per hour of$150. Item Description Estima • • Cost Hours 1 Internet Worm Incident Review 40 $6,000 2 Security Awareness Program Development 256 $38,400 3 ongoing CISO Support 192 $28,800 Total,not including expenses 488 $73,200 Secure Commerce Systems is a State of Texas Qualified Information Systems Vendor(QISV),number 1760694594100. 2.1 Expenses Professional fees do not include travel and living costs. Actual travel and living expenses incurred by Secure Commerce Systems consultants will be passed on to the City of Fort Worth for reimbursement under the terms of this agreement. Secure Commerce Systems strives to reduce travel expenses on behalf of its clients.The estimated expenses for this contract are$7320.00. This estimate will not be exceeded. F. WORT I TEX. Pagel of 3 City of Fort Worth, Texas Mayor and Council Communication COUNCIL ACTION: Approved on 11/18/2003 DATE: Tuesday, November 18, 2003 LOG NAME: 13P03-0267 REFERENCE NO.: P-9880 SUBJECT: Purchase of Professional Computer Security Services, Network Analysis and Authorize a Contract for Professional Services with Secure Commerce Systems, Inc. for the Information Technology Solutions Department RECOMMENDATION: It is recommended that the City Council authorize the City Manager to enter into two contracts with Secure Commerce Systems, Inc. for the period November 18, 2003, to June 30, 2004, for an amount not to exceed $97,620. DISCUSSION: The City's Internal Audit Department engaged Secure Commerce Systems, Inc. to evaluate the City's computer security pursuant to a competitive selection process (Request for Proposal) and awarded a contract for this assessment (M&C P-9691 dated October 8, 2002). In December 2002, Secure Commerce Systems, Inc. provided a report to the Government and Neighborhood Relations Committee regarding the status of computer security, and made certain recommendations for remediation of identified deficiencies. In February 2003, at the time of the management transition in the Information Technology Solutions Department (IT Solutions), Secure Commerce Systems, Inc. was engaged to assure the continued security of the City's computer network during the transition. This firm had recently completed a security audit, and was deemed uniquely qualified to assist in assuring on-going integrity and stability. On April 8, 2003 (M&C P-9781), the City Council approved the engagement of Secure Commerce Systems, Inc. to provide additional assistance to implement certain remediation actions to address high and medium risk security deficiencies as identified in their original assessment. The agreed scope of work was to be completed in six months, at a cost not to exceed $152,400. This Mayor and Council Communication is for the continuation of related security initiatives. A Secure Commerce Systems, Inc. senior security consultant will perform tasks in support of a focused set of security initiatives intended to address specific deficiencies in the City's security posture. The focused set of security initiatives will be based on Secure Commerce Systems, Inc.'s enterprise security methodology. Work is currently being performed under separate contract to develop a comprehensive, centralized Information Security Policy that will be approved by the City Manager. Work is also currently being performed under separate contract to develop enterprise-wide security standards and guidelines for implementing the approved Information Security Policy. IT Solutions proposes that the following additional security initiatives be pursued: Internet Worm Incident Review Secure Commerce Systems, Inc. proposes to provide a high-level review of the Internet worm incident that http://www.cfwnet.org/council_packet/Reports/mc_print.asp 12/4/2003 Page 2 of 3 the City experienced beginning on or about August 21, 2003. This analysis will attempt to document how the worm entered the City networks, what things were done well in handling the infection, what things could have been done better in handling the infection, and how such an infection might be prevented in the* future. Security Awareness Program Development Secure Commerce Systems, Inc. proposes to assist the City in the establishment of a new security awareness program. A security awareness program will be implemented to assist City employees in understanding the new Information Security Policy and their responsibilities under the new security program. The purpose and content of an approved Information Security Policy will be discussed, and new security requirements mandated by the policy will be described. The content of the security awareness program will be tailored for the various City employees receiving the information. On-going Computer Information Security Officer(CISO) Support Secure Commerce Systems, Inc. proposes on-going Computer Information Security Officer (CISO) support to assist the City in its security operations processes and procedures for a six-month period. Secure Commerce Systems, Inc. will provide an experienced security consultant who will be available for, on average, one day a week for the duration of the six-month period. This consultant will provide interim CISO services and act as an advisor on behalf of IT Solutions, the Chief Information Officer, the City Manager's Office, the City Council, and the Mayor's Office. This consultant will be available on-site, and remotely via e-mail and telephone, as needed. The cost for these professional services is: Service Cost Internet Worm Incident Review $ 6,000 Security Awareness Program Development $38,400 On-going CISO Support $28,800 TOTAL CONSULTING SERVICE $73,200 (not including travel and living costs) Professional fees do not include travel and living costs. Actual travel and living expenses incurred by Secure Commerce Systems, Inc.'s consultants will be passed on to the City for reimbursement under the terms of this agreement. Secure Commerce Systems, Inc. strives to reduce travel expenses on behalf of its clients. The estimated expenses for this contract are $7,320. This estimate will not be exceeded. In addition to the above project, the City has a need for an engineering security analysis of the network for the Library and Police Departments. The Library Department has a separate network from the rest of the City. The portion of the Library network may be consolidated into the City network. Since the Library network serves both the public and staff, the network architecture needs to be evaluated and a plan developed that allows staff to access the City network, and at the same time ensures security requirements. The Police Department needs help to remediate and put in place additional access control for the Police Department. In the audit of security in December 2002, it was recommended that additional security measures be incorporated at the Police Department. Secure Commerce Systems, Inc. has submitted a statement of work for the two projects, and it can be accomplished for an amount not to exceed $17,100. The security engineering analysis for the two departments will be completed by June 30, 2004. http://www.cfwnet.org/council_packet/Reports/mc_print.asp 12/4/2003 Page 3 of 3 Secure Commerce Systems, Inc. is designated as a Catalog Information Systems Vendor by the State of Texas. Under Section 271.083 of the Texas Local Government Code, a local government satisfies otherwise applicable competitive requirements when it makes a purchase through the Texas Building and Procurement Commission catalogue purchasing procedure as established by Section 2157.061 of the Texas Government Code. The City will comply with that procedure for the purchase agreement under this Mayor and Council Communication. M/WBE - A waiver of the goal for M/WBE subcontracting requirements was requested by the Purchasing Division and approved by the M/WBE Office because the purchase of services is from sources where subcontracting or supplier opportunities are negligible. FISCAL INFORMATION/CERTIFICATION: The Finance Director certifies that funds are available in the current operating budget, as appropriated, of the Information Systems Fund. BQN\03-0267\lgs TO Fund/Account/Centers FROM Fund/Account/Centers P168 531200 0041000 $97,620.00 Submitted for City Manager's Office b Richard Zavala (Acting) (6183) Originating Department Head: Jim Keyes (8517) Robert Combs (8357) Additional Information Contact: Kate Yarhouse (8465) http://www.cfwnet.org/council_packet/Reports/mc_print.asp 12/4/2003