C11-004 Applied Trust Agreement
MASTER CONSULTING AGREEMENT BETWEEN EAGLE COUNTY, COLORADO and APPLIED TRUST
This Master Consulting Agreement ("Agreement"), dated as of this ____ day of ________,
is between the County of Eagle, State of Colorado, a body corporate and
politic, by and through its Board of County Commissioners ("County"), and Applied Trust
Engineering, Inc., a Colorado corporation with a principal place of business at 1033 Walnut
Street, Suite 300, Boulder, Colorado 80302 ("Consultant").
WHEREAS, the County is in need of a company to provide the services outlined in
Section 1.1 hereunder; and
WHEREAS, Consultant has represented that it has the experience and knowledge in the
subject matter necessary to carry out the services outlined in Section 1.1 hereunder; and
WHEREAS, County wishes to hire Consultant to perform the tasks associated with such
services outlined in Section 1.1 hereunder; and
WHEREAS, County and Consultant intend by this Agreement to set forth the scope of the
responsibilities of the Consultant in connection with the services and related terms and
conditions to govern the relationship between Consultant and County in connection with the
services.
Agreement
Therefore, based upon the representations by Consultant set forth in the foregoing
recitals, for good and valuable consideration, including the promises set forth herein, the parties
agree to the following:
1. Services Provided:
1.1 The Consultant will provide the consulting services described as Phase I, Internet
Security Assessment, and Phase II, Vulnerability Assessment, as more particularly set
forth in the attached Exhibit "A" (hereinafter called "Consulting Services"),
incorporated herein by reference. The Consulting Services are generally described as
providing information technology consulting and support and re-assessing Eagle County's
IT infrastructure security, with guidance on how to maintain and verify the security of the
environment on an ongoing basis.
1.2 It is anticipated or possible that County will utilize Consultant for other services, such as
the Phase IIa, Optional Security Fortification as described in Exhibit "A," on an
as-needed basis. In the event that County elects to retain Consultant to perform the
additional services described as Phase IIa, the hourly rates for such Phase IIa services will
be as provided in Exhibit "A." However, any such additional services will be through a
signed written amendment to this Master Consulting Agreement. Consultant shall not
perform any additional services without an executed amendment. Such amendment will
set forth the scope of work for the additional services. Except as may be expressly altered
by the amendment, all terms and conditions of this Master Consulting Agreement shall
control. To the extent the terms and conditions of this Agreement may conflict with
Exhibit "A" or any future exhibits or amendments, the terms and conditions of this
Agreement shall control.
1.3 The Consultant agrees that Consultant will not knowingly enter into any consulting
arrangements with third parties that will conflict in any manner with the Consulting
Services.
1.4 Consultant has given the County a proposal for performing the Services and represented
that it has the expertise and personnel necessary to properly and timely perform the
Services.
2. Term of Agreement
2.1 This Agreement shall commence on the agreement date and, subject to the provisions of
Section 2.2 hereof, shall continue in full force and effect for a period of 1 year
commencing with the effective date of this Agreement. This Agreement may be
extended beyond the time referred to in this Section 2.1 on terms and conditions as may
be mutually agreed between the parties hereto.
2.2 This Agreement may be terminated by either party for any other reason with 15 days'
written notice, with or without cause, and without penalty whatsoever therefor.
2.3 In the event of any termination of this Agreement, Consultant shall be compensated for all
incurred costs and hours of work then satisfactorily completed, plus approved
expenses.
3. Independent Contractor:
3.1 With respect to the provision of the Consulting Services hereunder, Consultant
acknowledges that Consultant is an independent contractor providing Consulting Services
to the County. Nothing in this Agreement shall be deemed to make Consultant an agent,
employee, partner or representative of County.
3.2 The Consultant shall not have the authority to, and will not make any commitments or
enter into any agreement with any party on behalf of County without the written consent
of the Board of County Commissioners.
3.3 The Consultant will maintain workman's compensation and unemployment insurance as
required by law, and commercial auto coverage, commercial general liability and errors
and omissions insurance, each with limits of not less than $1,000,000 per occurrence.
4. Remuneration:
4.1 For each phase of the Consulting Services provided hereunder, County shall pay to the
Consultant a fee as set forth in the attached Exhibit "A." Consultant will not be entitled to
bill at overtime and/or double time rates for work done outside of normal business hours
unless specifically authorized to do so by County. Normal business hours are defined as
8:30 a.m. to 5 p.m. Mountain Time, Monday through Friday (excluding holidays). In the
event the Consultant's Services include reimbursable expenses, the County must approve
such reimbursable expenses in advance and such expenses shall be billed at cost without
markup. Fees for any additional services will be as set forth in an executed addendum
between the parties. Fees will be paid within thirty (30) days of receipt of a proper and
accurate invoice from Consultant respecting Consulting Services. The invoice shall
include a description of services performed. Upon request, Consultant shall provide
County with such other supporting information as County may request. Any overdue
balances are subject to a 1½% per month finance charge, and if payment is more than 30
days late a pre-paid retainer may be required to continue work.
4.2 County will not withhold any taxes from monies paid to the Consultant hereunder and
Consultant agrees to be solely responsible for the accurate reporting and payment of any
taxes related to payments made pursuant to the terms of this Agreement.
4.3 Notwithstanding anything to the contrary contained in this Agreement, no charges shall be
made to the County nor shall any payment be made to the Consultant in excess of the amount
for any work done without the written approval in accordance with a budget adopted by the
Board in accordance with provisions of the Colorado Revised Statutes. Moreover, the
parties agree that the County is a governmental entity and that all obligations beyond the
current fiscal year are subject to funds being budgeted and appropriated.
4.4 Upon proposal acceptance of current and future Exhibits (work orders) by both parties
to be associated with this Master Consulting Agreement, any subsequent requests for
change must adhere to the Consultant change order process, as follows: Formal change
order requests are filed with the client manager, who determines whether the scope of
the change request falls within the scope of the original Exhibit or warrants an
addendum agreement. Addendum agreements may require additional funding; County
must provide written approval of the addendum agreement before Consultant
commences the work described therein.
4.5 Hourly work performed on-site, such as at County's premises, will be billed at the
applicable hourly rate(s) plus an additional 15% surcharge.
5. Ownership of Documents:
All documents (including electronic files) which are obtained during or prepared, either
partially or wholly, in the performance of the Services shall remain the property of the
County and are to be delivered to County before final payment is made to Consultant or
upon earlier termination of this Agreement.
6. Indemnification:
Within the limits allowed by law, Consultant shall indemnify County for, and hold and
defend the County and its officials, boards, officers, principals and employees harmless
from, all costs, claims and expenses, including reasonable attorney's fees, arising from
claims of any nature whatsoever made by any person in connection with the negligent
acts or omissions of, or presentations by, the Consultant in violation of the terms and
conditions of this Agreement. This indemnification shall not apply to claims by third
parties against the County to the extent that the County is liable to such third party for
such claim without regard to the involvement of the Consultant.
7. Limitation of Liability:
In no event shall Consultant be liable for any indirect, special, or consequential damages
or lost profits arising out of or related to this Agreement or the performance or breach
thereof, even if Consultant has been advised of the possibility thereof. Consultant's
liability hereunder shall in no event exceed the total amount paid to Consultant hereunder.
8. Claims:
Any claim arising out of or related to this Agreement must be brought no later than one
year after the same has accrued.
9. Consultant's Professional Level of Care:
Consultant shall be responsible for the completeness and accuracy of the Consulting
Services, including all supporting data and other documents prepared or compiled in
performance of the Services, and shall correct, at its sole expense, all significant errors
and omissions therein. Consultant shall perform the Consulting Services in a skillful,
professional and competent manner and in accordance with the standard of care, skill and
diligence applicable to consultants, with respect to similar services, in this area at this
time.
10. Assessment Activities Acknowledgement:
To successfully assess the security of the computer systems and networks owned and
operated by County, Consultant will perform scheduled, non-intrusive TCP/IP port and
vulnerability scan tests of County's network. County hereby authorizes this scanning
activity, and acknowledges that it may result in discovery of security vulnerabilities of
County's network and/or computer systems. Furthermore, County acknowledges that it is
possible, but extremely unlikely, that scanning activities could result in degradation or
disruption of County's environment during the test. County assumes sole responsibility
for any degradation or disruption of service during the test.
Consultant will immediately notify County when each test is complete, and Consultant
will not perform any additional security scanning activities after this notification without
further authorization from County.
Within 10 business days of completion of the test, Consultant will disclose all test results,
including all identified security vulnerabilities, to County. Consultant will not disclose
test results to any other parties besides County. At the request of County, Consultant will
offer assistance with mitigation activities for any security vulnerabilities identified by the
test. County is not obligated to mitigate identified security vulnerabilities, and Consultant
will not disclose County's choice in this matter to any third party.
11. No Assignment:
The parties to this Agreement recognize that the Consulting Services to be provided
pursuant to this Agreement are professional in nature and that in entering into this
Agreement County is relying upon the professional services and reputation of Consultant
and its approved subcontractors. Therefore, neither Consultant nor its subcontractors
may assign its interest in this Agreement or in its subcontract, including the assignment of
any rights or delegation of any obligations provided therein, without the prior written
consent of County, which consent County may withhold in its sole discretion. Except as
so provided, this Agreement shall be binding on and inure to the benefit of the parties
hereto, and their respective successors and assigns, and shall not be deemed to be for the
benefit of or enforceable by any third party. Unless specifically stated to the contrary in
any written consent to an assignment, no assignment will release or discharge the
assignor from any duty or responsibility under the Agreement.
12. Notices:
12.1 Any notice and all written communications required under this Agreement shall be
given in writing by personal delivery, facsimile or U.S. Mail to the other party at the
following addresses:
(a) Eagle County Innovation and Technology Director
500 Broadway, PO Box 850
Eagle, CO 81631
Telephone: 970-328-3581
Facsimile: 970-328-3599
with a copy to:
Eagle County Attorney's Office
500 Broadway, PO Box 850
Eagle, CO 81631
(b) AppliedTrust
1033 Walnut Street, Suite 300
Boulder, CO 80302
12.2 Notices shall be deemed given on the date of delivery; on the date the facsimile is
transmitted and confirmed received or, if transmitted after normal business hours, on the
next business day after transmission, provided that a paper copy is mailed the same date;
or three days after the date of deposit, first class postage prepaid, in an official depository
of the U.S. Postal Service.
13. Jurisdiction and Confidentiality:
13.1 This Agreement shall be interpreted in accordance with the laws of the State of
Colorado and the parties hereby agree to submit to the jurisdiction of the courts thereof.
Venue shall be in the Fifth Judicial District for the State of Colorado.
13.2 The Consultant and County acknowledge that, during the term of this Agreement and in
the course of the Consultant rendering the Consulting Services, the Consultant and County
may acquire knowledge of the business operations of the other party that is not generally known
and is deemed confidential. The parties shall not disclose, use, publish or otherwise reveal, either
directly or through another, to any person, firm or corporation, any such confidential
knowledge or information, and shall retain all knowledge and information which it has
acquired as the result of this Agreement in trust in a fiduciary capacity for the sole benefit
of the other party during the term of this Agreement, and for a period of five (5) years
following termination of this Agreement. Any such information must be marked as
confidential. The parties recognize that the County is subject to the Colorado Open
Records Act and nothing herein shall preclude a release of information that is subject to
the same.
14. Non-Solicitation:
The parties agree that during the term of this Agreement and for a period of one (1) year
after expiration or termination for any reason, neither County nor Consultant shall solicit,
negotiate with or offer employment to (whether as an employee, officer, director, partner,
consultant, contractor, or otherwise), directly or indirectly, personnel from the other party.
This paragraph will survive termination of this Agreement.
15. Miscellaneous:
15.1 This Agreement constitutes the entire Agreement between the parties related to its
subject matter. It supersedes all prior proposals, agreements and understandings.
15.2 This Agreement is personal to the Consultant and may not be assigned by Consultant.
15.3 This Agreement does not and shall not be deemed to confer upon or grant to any third
party any right enforceable at law or equity arising out of any term, covenant, or
condition herein or the breach thereof.
// SIGNATURE PAGE TO FOLLOW //
IN WITNESS WHEREOF, the parties hereto have executed this Agreement the day and year first
above written.
COUNTY OF EAGLE, STATE OF
COLORADO, By and Through Its
COUNTY MANAGER
APPLIEDTRUST ENGINEERING, INC.
By:
Title:
STATE OF COLORADO )
) SS.
COUNTY OF ________ )
The foregoing instrument was acknowledged before me by ________, of ________,
this ____ day of ________, 2011.
My commission expires: ________
DEBORAH L. CHURCHILL, Notary Public, State of Colorado
STATE OF ________ )
) SS.
COUNTY OF ________ )
The foregoing instrument was acknowledged before me by ________, of
Applied Trust Engineering, Inc., this ____ day of ________, 2010.
My commission expires: 3-30-13
MAUREEN R. MACMACKEN, Notary Public, State of Colorado
My Commission Expires Mar. 30, 2013
Page 1 of 3
Work Order Number: 2011-1
Work Order Title: IT Security Assessment
Work Order Date: December 29, 2010
Eagle County Reference: Exhibit A
Statement of Work
This proposal is presented in response to discussions with Eagle County regarding the need for re-assessment of
the County's IT infrastructure security. Eagle County is seeking a thorough understanding of its current system and
network security risks, a prioritized list of recommended mitigation actions, an independent analysis of Eagle
County's infrastructure architecture and configuration, and guidance on how to maintain and verify the security of
the environment on an ongoing basis.
AppliedTrust will take the following phased approach to the project:
Deliverable: Phase I: Internet Security Assessment
• Conduct a face-to-face kick-off meeting with Eagle County to review overall project goals and
details of this phase.
• Develop a project plan, complete with regular milestones, detailing schedule, tasks, and
dependencies.
• Perform external scans of the Eagle County infrastructure, documenting open IP addresses and
ports and exposed application vulnerabilities.
• Ensure that all penetration testing is done in a non-intrusive manner. AppliedTrust will *not*
attempt to exploit any vulnerabilities that are discovered in the scans.
• Provide a brief summary report documenting findings of external scans, including prioritization of
highest risks.
Deliverable: Phase II: Vulnerability Assessment
• Conduct a meeting with Eagle County to review existing documentation and network
configuration.
• Develop a project plan, complete with regular milestones, detailing schedule, tasks, and
dependencies.
• Conduct vulnerability analysis of Eagle County's internal local area network (LAN).
• Perform OS-level examination of existing servers, including configuration, patch compliance, paths
of trust, and vulnerability.
• Review the configuration and use of virtualization technologies in a security context.
• Review current network design in a security context.
• Evaluate storage area network (SAN) security architecture and controls.
• Review data center physical security (physical access, monitoring, etc).
• Review roles and access rights/permissions used to share information between systems.
• Capture and analyze network traffic samples, specifically examining protocols and applications in
use and protocol configuration.
• Compare current Eagle County software, protocol, and system deployment against current
industry "best practices."
• Perform internal hfnetcheck, nmap, and nessus scans of the Eagle County infrastructure,
documenting open IP addresses and ports and exposed application vulnerabilities. Together, these
scans test for known vulnerabilities as well as missing software patches.
• Conduct an in-depth review of current security infrastructure tools and technologies for both
configuration and usage gaps.
• Examine all external connectivity, including modems and wide area network (WAN) connections
such as T1 circuits, including upstream ISPs and connections to remote offices.
• Review remote access policy, architecture, and configuration, including the levels of access granted
to remote users.
• Evaluate database security architecture and controls.
• Perform comprehensive validation of network and remote access configurations, including firewalls,
routers and switches, remote access servers, and other network devices; identify misconfigurations
and security vulnerabilities.
• Interview key system/network administration staff and users; analyze existing practices and
procedures to identify security weaknesses and necessary operational security improvements.
• Perform a scheduled wireless network scan of the primary Eagle County facility to identify any open or
at-risk 802.11(b,g) wireless access points. The documented results of the scan will include
approximate wireless network location, SSID, and encryption status.
• Examine firewall configuration, administration, and security (including proxy configuration).
• Evaluate the effectiveness of Eagle County's overall network architecture.
• Perform and document results of up to four attempts to obtain login and password information or
unauthorized physical access through "social engineering" means from current Eagle County staff.
• Examine the use of current credit card handling and processing systems and provide a summary of
Payment Card Industry Data Security Standard (PCI DSS) compliance requirements based on credit
card processing and data handling functions within the County, as identified by County IT staff.
• Document security risks to Eagle County, including prioritized recommendations for improving the
security of Eagle County's IT infrastructure. The deliverable will consist of a written assessment of
Eagle County's security profile (12-20 pages), identifying prioritized recommendations for both
near-term and long-term security fortification and documenting the current and ideal states for the
areas listed below. Descriptions of issues will contain technical details such that a system
administrator can use the document as a guide for mitigation. The issues that will be addressed in
the assessment will include:
  ▪ External paths of attack
  ▪ Software patch-level and use compliance
  ▪ Network security architecture
  ▪ Infrastructure "best practices" comparison
  ▪ User and administrative policy and compliance
  ▪ Encryption usage and handling
  ▪ Trust-level dependencies and management
  ▪ Virus protection and management
  ▪ Role/function segmentation and access management
  ▪ Remote access
  ▪ Password policy and use
  ▪ Physical network/system infrastructure security
  ▪ Level and methods of ongoing vigilance
• Conduct a face-to-face presentation of assessment findings and discussion of recommendations at
Eagle County.
Deliverable: Phase IIa: Optional Security Fortification
• Assist Eagle County with implementing the fortification steps detailed in the assessments, at whatever
level of involvement desired by Eagle County IT staff (e.g., phone Q&A, collaborative work, project
outsourcing).
Estimated Effort: 8 to 80 hours, depending on the outcome of the Phase I and Phase II assessments.
Pricing
Deliverable                                   Price
Phase I: Internet Security Assessment         Fixed Price: $3,060
Phase II: Vulnerability Assessment            Fixed Price: $9,120
Phase IIa: Optional Security Fortification    Hourly Rates:
                                              • Senior Engineer: $165.00/hour
                                              • Engineer: $145.00/hour
                                              • Technical Writer: $120.00/hour
Terms
Terms are as agreed to in the Applied Trust/Eagle County Master Consulting Agreement dated December 22,
2010. Applied Trust will honor the terms of this work order through January 30, 2011.
Statement of Work Acceptance:
Eagle County                     AppliedTrust
By:                              By:
Printed Name:                    Printed Name:
Title:                           Title:
Date:                            Date:
AppliedTrust 303.245.4545 December 29, 2010