C09-128 Applied Trust Engineering Agreement
TERM SHEET
RECEIVED APR 21 2009 EAGLE COUNTY ATTORNEY
1) Requested hearing date:
2) For County Manager signature?: Yes
3) Requesting department: Innovation and Technology
4) Title: Master Consulting Agreement between Eagle County and Applied
Trust Engineering
5) Staff submitting: Scott Lingle
6) Purpose: Obtain expert guidance concerning numerous existing IT
Security related issues.
7) Schedule: May - June 2009.
8) Financial considerations:
• $11,390 maximum costs associated with this agreement.
• Fully budgeted under Other Professional Services 2009 budget.
(Estimated maximum 54 hours of effort, $165 per hour + $2,480 in
fixed costs).
• This agreement was single sourced with Applied Trust due to vendor's
prior experience and intimate knowledge working with Eagle
County IT security environment.
Their hourly rate is extremely competitive with other vendors in this
market space, and their experience with Eagle County gives them a
significant advantage concerning number of hours this effort will
take, as well as confidence that their personnel are adequately skilled
to fulfill this agreement competently and comprehensively.
9) Other:
APPROVED AS TO FORM
By:
Eagle County Attorney's Office
By:
Eagle County Commissioners' Office
MASTER CONSULTING AGREEMENT BETWEEN EAGLE COUNTY, COLORADO and
APPLIED TRUST ENGINEERING
This Master Consulting Agreement ("Agreement") dated as of this ___ day of
______, 200_, is between the County of Eagle, State of Colorado, a body corporate and
politic, by and through its Board of County Commissioners ("County"), and Applied Trust
Engineering with a mailing address of 1033 Walnut Street, Suite 300, Boulder, CO 80302
("Consultant").
WHEREAS, the County is in need of a company to provide the services outlined in
Section 1.1 hereunder; and
WHEREAS, Consultant has represented that it has the experience and knowledge in the
subject matter necessary to carry out the services outlined in Section 1.1 hereunder; and
WHEREAS, County wishes to hire Consultant to perform the tasks associated with such
services outlined in Section 1.1 hereunder; and
WHEREAS, County and Consultant intend by this Agreement to set forth the scope of the
responsibilities of the Consultant in connection with the services and related terms and
conditions to govern the relationship between Consultant and County in connection with the
services.
Agreement
Therefore, based upon the representations by Consultant set forth in the foregoing
recitals, for good and valuable consideration, including the promises set forth herein, the parties
agree to the following:
1. Services Provided:
1.1 The Consultant will provide the consulting services as more particularly set forth in the
attached Exhibit "A," (hereinafter called "Consulting Services") incorporated herein by
reference. The Consulting Services are generally described as providing information
technology consulting and support.
1.2 It is anticipated or possible that County will utilize Consultant for other services on an as-
needed basis. Any such additional services will be through a signed written amendment to
this Master Consulting Agreement. Consultant shall not perform any additional services
without an executed amendment. Such amendment will set forth the scope of work for the
additional services. Except as may be expressly altered by the amendment, all terms and
conditions of this Master Consulting Agreement shall control. To the extent the terms and
conditions of this Agreement may conflict with Exhibit "A" or any future exhibits or
amendments, the terms and conditions of this Agreement shall control.
1.3 The Consultant agrees that Consultant will not knowingly enter into any consulting
arrangements per se with third parties that will conflict in any manner with the Consulting
Services.
1.4 Consultant has given the County a proposal for performing the Services and represented
that it has the expertise and personnel necessary to properly and timely perform the
Services.
2. Term of Agreement
2.1 This Agreement shall commence on the agreement date and, subject to the provisions of
Section 2.2 hereof, shall continue in full force and effect for a period of 1 year
commencing with the effective date of this Agreement. This Agreement may be
extended beyond the time referred to in this Section 2.1 on terms and conditions as may
be mutually agreed between the parties hereto.
2.2 This Agreement may be terminated by either party for any other reason with 15 days
written notice, with or without cause, and without penalty whatsoever therefore.
2.3 In the event of any termination of this Agreement, Consultant shall be compensated for all
incurred costs and hours of work then completed, plus approved expenses.
3. Independent Contractor:
3.1 With respect to the provision of the Consulting Services hereunder, Consultant
acknowledges that Consultant is an independent contractor providing Consulting Services
to the County. Nothing in this Agreement shall be deemed to make Consultant an agent,
employee, partner or representative of County.
3.2 The Consultant shall not have the authority to, and will not make any commitments or
enter into any agreement with any party on behalf of County without the written consent
of the Board of County Commissioners.
3.3 The Consultant will maintain liability, unemployment and workman's compensation
insurance on his/her behalf, as necessary.
4. Remuneration:
4.1 For the Consulting Services provided hereunder, County shall pay to the Consultant a fee
as set forth in the attached Exhibit "A." Consultant will not be entitled to bill at overtime
and/or double time rates for work done outside of normal business hours unless
specifically authorized to do so by County. Fees for any additional services will be as set
forth in an executed addendum between the parties. Fees will be paid within thirty (30)
days of receipt of a proper and accurate invoice from Consultant respecting Consulting
Services. The invoice shall include a description of services performed. Upon request,
Consultant shall provide County with such other supporting information as County may
request. Any overdue balances are subject to a 1 1/2 % per month finance charge, and if
payment is more than 30 days late a pre-paid retainer may be required to continue work.
4.2 County will not withhold any taxes from monies paid to the Consultant hereunder and
Consultant agrees to be solely responsible for the accurate reporting and payment of any
taxes related to payments made pursuant to the terms of this Agreement.
4.3 Notwithstanding anything to the contrary contained in this Agreement, no charges shall be
made to the County nor shall any payment be made to the Consultant in excess of the amount
for any work done without the written approval in accordance with a budget adopted by the
Board in accordance with provisions of the Colorado Revised Statutes. Moreover, the
parties agree that the County is a governmental entity and that all obligations beyond the
current fiscal year are subject to funds being budgeted and appropriated.
5. Ownership of Documents:
All documents (including electronic files) which are obtained during or prepared, either
partially or wholly, in the performance of the Services shall remain the property of the
County and are to be delivered to County before final payment is made to Consultant or
upon earlier termination of this Agreement.
6. Indemnification:
Within the limits allowed by law, Consultant shall indemnify County for, and hold and
defend the County and its officials, boards, officers, principals and employees harmless
from, all costs, claims and expenses, including reasonable attorney's fees, arising from
claims of any nature whatsoever made by any person in connection with the negligent
acts or omissions of, or presentations by, the Consultant in violation of the terms and
conditions of this Agreement. This indemnification shall not apply to claims by third
parties against the County to the extent that the County is liable to such third party for
such claim without regard to the involvement of the Consultant.
7. Limitation of Liability:
In no event shall Consultant be liable for any indirect, special or consequential damages or
lost profits arising out of or related to this agreement or the performance or breach thereof,
even if Consultant has been advised of the possibility thereof. Consultant's liability
hereunder, shall in no event exceed the total amount paid to Consultant hereunder.
8. Consultant's Professional Level of Care:
Consultant shall be responsible for the completeness and accuracy of the Consulting
Services, including all supporting data and other documents prepared or compiled in
performance of the Services, and shall correct, at its sole expense, all significant errors
and omissions therein. Consultant shall perform the Consulting Services in a skillful,
professional and competent manner and in accordance with the standard of care, skill and
diligence applicable to consultants, with respect to similar services, in this area at this
time.
9. Assessment Activities Acknowledgement:
To successfully assess the security of the computer systems and networks owned
and operated by the County, Consultant will perform scheduled, non-intrusive
TCP/IP port and vulnerability scan tests of the County's network. The County
hereby authorizes this scanning activity, and acknowledges that it may result in
discovery of security vulnerabilities of the County's network and/or computer
systems. Furthermore, the County acknowledges that it is possible, but extremely
unlikely, that scanning activities could result in degradation or disruption of the
County's environment during the test. The County assumes sole responsibility for
any degradation or disruption of service during the test.
Consultant will immediately notify the County when each test is complete, and
Consultant will not perform any additional security scanning activities after this
notification without further authorization from the County.
Within ten business days of completion of the test, Consultant will disclose all test
results, including all identified security vulnerabilities, to the County. Consultant
will not disclose results of test to any other parties besides the County. At the
request of the County, Consultant will offer assistance with mitigation activities for
any security vulnerabilities identified by the test. The County is not obligated to
mitigate identified security vulnerabilities and Consultant will not disclose the
County's choice in this matter to any third party.
10. No Assignment:
The parties to this Agreement recognize that the Consulting Services to be provided
pursuant to this Agreement are professional in nature and that in entering into this
Agreement County is relying upon the professional services and reputation of Consultant
and its approved subcontractors. Therefore, neither Consultant nor its subcontractors
may assign its interest in this Agreement or in its subcontract, including the assignment of
any rights or delegation of any obligations provided therein, without the prior written
consent of County, which consent County may withhold in its sole discretion. Except as
so provided, this Agreement shall be binding on and inure to the benefit of the parties
hereto, and their respective successors and assigns, and shall not be deemed to be for the
benefit of or enforceable by any third party. Unless specifically stated to the contrary in
any written consent to an assignment, no assignment will release or discharge the
assignor from any duty or responsibility under the Agreement.
11. Notices:
11.1 Any notice and all written communications required under this Agreement shall be
given in writing by personal delivery, facsimile or U.S. Mail to the other party at the
following addresses:
(a) Eagle County Innovation and Technology Director
500 Broadway
PO Box 850
Eagle, CO 81631
Telephone: 970-328-3581
Facsimile: 970-328-3599
with a copy to:
Eagle County Attorney's Office
500 Broadway
PO Box 850
Eagle, CO 81631
(b) Applied Trust Engineering
1033 Walnut Street
Suite 300
Boulder, CO 80302
11.2 Notices shall be deemed given on the date of delivery; on the date the facsimile is
transmitted and confirmed received or, if transmitted after normal business hours, on the
next business day after transmission, provided that a paper copy is mailed the same date;
or three days after the date of deposit, first class postage prepaid, in an official depository
of the U.S. Postal Service.
12. Jurisdiction and Confidentiality:
12.1 This Agreement shall be interpreted in accordance with the laws of the State of Colorado
and the parties hereby agree to submit to the jurisdiction of the courts thereof. Venue
shall be in the Fifth Judicial District for the State of Colorado.
12.2 The Consultant and County acknowledge that, during the term of this Agreement and in
the course of the Consultant rendering the Consulting Services, the Consultant and
County may acquire knowledge of the business operations of the other party not generally
known deemed confidential. The parties shall not disclose, use, publish or otherwise
reveal, either directly or through another, to any person, firm or corporation, any such
confidential knowledge or information and shall retain all knowledge and information
which he has acquired as the result of this Agreement in trust in a fiduciary capacity for the
sole benefit of the other party during the term of this Agreement, and for a period of five
(5) years following termination of this Agreement. Any such information must be
marked as confidential. The parties recognize that the County is subject to the
Colorado Open Records Act and nothing herein shall preclude a release of
information that is subject to the same.
13. Non-Solicitation:
The parties agree that during the term of this Agreement and for a period of one (1)
year after expiration or termination for any reason, neither the County nor Consultant
shall solicit, negotiate with or offer employment to (whether as an employee, officer,
director, partner, consultant, contractor or otherwise), directly or indirectly, personnel
from the other firm. This paragraph will survive termination of this Agreement.
14. Miscellaneous:
14.1 This Agreement constitutes the entire Agreement between the parties related to its
subject matter. It supersedes all prior proposals, agreements and understandings.
14.2 This Agreement is personal to the Consultant and may not be assigned by Consultant.
14.3 This Agreement does not and shall not be deemed to confer upon or grant to any third
party any right enforceable at law or equity arising out of any term, covenant, or
condition herein or the breach thereof.
15. Sole Source Government Contracts:
If the Contractor has entered into a sole source government contract or contracts with the
State of Colorado or any of its political subdivisions as defined in Article XXVIII of the
Colorado Constitution which including this contract in the aggregate on an annual basis
are equal to or exceed the amount of $100,000, then the following provisions apply:
15.1 Because of a presumption of impropriety between contributions to any campaign
and sole source government contracts, Contractor, on behalf of itself, any person who
controls ten percent or more of the shares of or interest in the Contractor, and the
Contractor's officers, directors and trustees (collectively, the "Contract Holder") shall
contractually agree, for the duration of the contract and for two years thereafter, to cease
making, causing to be made, or inducing by any means, a contribution, directly or
indirectly, on behalf of the Contractor Holder or on behalf of his or her immediate family
member and for the benefit of any political party or for the benefit of any candidate for any
elected office of the state or any of its political subdivisions.
15.2 The parties further agree that if a Contract Holder makes or causes to be made any
contribution intended to promote or influence the result of an election on a ballot issue, the
Contract Holder shall not be qualified to enter into a sole source government contract
relating to that particular ballot issue.
15.3 The parties agree that if a Contract Holder intentionally violates sections 15 or
17(2) of Article XXVIII of the Colorado Constitution, as contractual damages that
Contract Holder shall be ineligible to hold any sole source government contract, or public
employment with the state or any of its political subdivisions, for three years.
15.4 The Contract Holder agrees to comply with the summary and notice provisions of
Section 16 of Article XXVIII of the Colorado Constitution.
15.5 These provisions shall not apply to the extent they have been enjoined or
invalidated by a court of competent jurisdiction.
15.6 All terms used in this Section and not otherwise defined in this Agreement shall
have the same meaning as set forth in Article XXVIII of the Colorado Constitution.
//REMAINDER OF PAGE INTENTIONALLY LEFT BLANK//
IN WITNESS WHEREOF, the parties hereto have executed this Agreement the day and year first
above written
COUNTY OF EAGLE, STATE OF
COLORADO, By and Through Its
COUNTY MANAGER
APPLIED TRUST ENGINEERING
By:
Title:
Exhibit A, Page 1 of 6
Work Order Number: 1
Work Order Title: Database Security Review
Work Order Date: April 17, 2009
Scope of Work: This proposal is in response to Eagle County's request for a comprehensive review of Microsoft
SQL Server 2005 database security practices, procedures and current configurations.
Database Security Review
• Conduct kick-off meeting with Eagle County to review overall project goals and details.
• Develop project plan, complete with regular milestones, detailing schedule, tasks, and dependencies.
• Review service account suitability and use.
• Assess roles and account security, use of roles, customization, and suitability.
• Review application-level account maintenance and account privilege suitability.
• Review separation of data/application data domains and partitioning controls.
• Review permitted authentication methods and controls.
• Review auditing and logging of access to database servers and data.
• Assess the use of cryptographic techniques, and how they are (or could be better) used to secure
sensitive data.
• Review application-level data access techniques in a security context.
• Assess SQL surface area, and provide suggestions to reduce in a positive manner.
• Review underlying operating system configurations, and suggest standardized changes to improve
security for database services.
• Identify general database processes, procedures, or controls in place currently, and make suggestions to
improve them.
• Describe techniques to improve SQL security utilizing advanced features of SQL 2005 and Windows
Server 2003.
• Document database security risks to Eagle County, including prioritized recommendations for improving
the security of Eagle County's database environment.
The deliverable will consist of a written assessment of Eagle County's database security profile (6-10
pages), identifying prioritized recommendations for both near-term and long-term security fortification.
Descriptions of issues will contain technical details such that a system administrator can use the document
as a guide for mitigation.
Pricing and Payment Terms
Phase I: Database Security Review
Hourly:
• $145/hr - Engineer
• $165/hr - Senior Engineer
Not to exceed 20 hours
Terms
Terms are as agreed to in Applied Trust/Eagle County Master Agreement, to which this document serves as Exhibit
A. Applied Trust will honor the terms of this work order through May 15, 2009.
Applied Trust Engineering, Inc. (303) 245-4545 April 17, 2009
Exhibit A, Page 2 of 6
Work Order Number: 2
Work Order Title: Internal Scanning System
Work Order Date: April 17, 2009
Scope of Work: This proposal is in response to Eagle County's request for assistance installing and configuring an
internal vulnerability scanning platform, in addition to providing sufficient training for ongoing management and
maintenance by Eagle County staff.
Internal Scanning System
• Install and configure internal vulnerability scanning system on County-provided hardware.
• This project requires the Nessus security scanner, and licensing is to be provided by Eagle County.
• Train Eagle County Staff on system and scanning process, as well as interpretation of results so Eagle
County can achieve full ownership of the ongoing scanning process.
Pricing and Payment Terms
Phase I: Internal Scanning System
Install and Configure Scanning Platform:
- Fixed Rate: $1,550.00
Training:
- Fixed Rate: $930.00
Terms
Terms are as agreed to in Applied Trust/Eagle County Master Agreement, to which this document serves as Exhibit
A. Applied Trust will honor the terms of this work order through May 15, 2009.
Exhibit A, Page 3 of 6
Work Order Number: 3
Work Order Title: LAN/WAN Mapping
Work Order Date: April 17, 2009
Scope of Work: This proposal is in response to discussions with Eagle County regarding requests for assistance
creating a comprehensive LAN/WAN map to hand over to Eagle County for ongoing ownership and maintenance in
Microsoft Visio 2007 format.
LAN/WAN Mapping
• Use automated tools to gather data pertaining to layer 3 network devices maintained by the County.
• Using interactive techniques, log in to core devices and manually collect data to supplement that gained
during the automated scans.
• Aggregate and interpret collected data and create a Visio 2007 diagram representative of the LAN/WAN
network devices at the time data was collected, to hand over to Eagle County for ongoing ownership and
maintenance. Diagram should be in a format suitable for output on a plotter.
Pricing and Payment Terms
Phase I: LAN/WAN Mapping
Hourly:
• $145/hr - Engineer
• $165/hr - Senior Engineer
Not to exceed 14 hours
Terms
Terms are as agreed to in Applied Trust/Eagle County Master Agreement, to which this document serves as Exhibit
A. Applied Trust will honor the terms of this work order through May 15, 2009.
Exhibit A, Page 4 of 6
Work Order Number: 4
Work Order Title: DMZ Architecture Review
Work Order Date: April 17, 2009
Scope of Work: This proposal is in response to Eagle County's request for review and input on the current design
and appropriateness of their DMZ.
DMZ Architecture Review
• Review and document current DMZ architecture and high level function, purpose and interaction with the
internal Eagle County network, Internet and affiliates if appropriate.
• Assess collected data, and document assessment and recommendation (~1-2 pages), to include at a
minimum a suitability assessment compared with industry best practices, and potential risk. This
assessment will focus on high-level deployment characteristics and methods, but will not include line-by-line
access control list review.
Pricing and Payment Terms
Phase I: DMZ Architecture Review
Hourly:
• $145/hr - Engineer
• $165/hr - Senior Engineer
Not to exceed 6 hours
Terms
Terms are as agreed to in Applied Trust/Eagle County Master Agreement, to which this document serves as Exhibit
A. Applied Trust will honor the terms of this work order through May 15, 2009.
Exhibit A, Page 5 of 6
Work Order Number: 5
Work Order Title: Sheriff Firewall Placement and Network Segmentation Review
Work Order Date: April 17, 2009
Scope of Work: This proposal is in response to Eagle County's request for review and input on the current design
and appropriateness of their DMZ.
Sheriff Firewall Placement and Network Segmentation Review
• Review and document Sheriff's office firewall placement and system location, in addition to assessing the
intended function, purpose and interaction with the internal Eagle County network.
• Assess collected data, and document findings (~1-2 pages), to include at a minimum a suitability
assessment compared with industry best practices and suggestions for architecture re-organization if
appropriate.
• Assessment to include recommendations on placement of systems in addition to relevance/role of the
current Sheriff's office firewall
Pricing and Payment Terms
Phase I: Sheriff Firewall Placement and Network Segmentation Review
Hourly:
• $145/hr - Engineer
• $165/hr - Senior Engineer
Not to exceed 6 hours
Terms
Terms are as agreed to in Applied Trust/Eagle County Master Agreement, to which this document serves as Exhibit
A. Applied Trust will honor the terms of this work order through May 15, 2009.
Exhibit A, Page 6 of 6
Work Order Number: 6
Work Order Title: Product Security Review Framework
Work Order Date: April 17, 2009
Scope of Work: This proposal is in response to Eagle County's request for assistance developing a product security
review framework.
Product Security Review Framework
• Ensure a full understanding of standards and regulatory compliance requirements exists at the County.
• Create a product selection/assessment framework that provides guidance on appropriate questions and
County specific criteria to ensure potential software purchases are appropriate for the County operating
environment.
Pricing and Payment Terms
Phase I: Product Security Review Framework
Hourly:
• $145/hr - Engineer
• $165/hr - Senior Engineer
Not to exceed 8 hours
Terms
Terms are as agreed to in Applied Trust/Eagle County Master Agreement, to which this document serves as Exhibit
A. Applied Trust will honor the terms of this work order through May 15, 2009.