Contract CAG-19-198

AGREEMENT FOR FOCUSED SECURITY ASSESSMENT

THIS AGREEMENT, dated July 12, 2019, is by and between the City of Renton (the "City"), a Washington municipal corporation, and Critical Informatics Inc. dba CI Security ("Consultant"), a Washington Corporation. The City and the Consultant are referred to collectively in this Agreement as the "Parties." Once fully executed by the Parties, this Agreement is effective as of the last date signed by both parties.

1. Scope of Work: Consultant agrees to provide focused security assessment as specified in Exhibit A, which is attached and incorporated herein and may hereinafter be referred to as the "Work."

2. Changes in Scope of Work: The City, without invalidating this Agreement, may order changes to the Work consisting of additions, deletions or modifications. Any such changes to the Work shall be ordered by the City in writing and the Compensation shall be equitably adjusted consistent with the rates set forth in Exhibit B or as otherwise mutually agreed by the Parties.

3. Time of Performance: Consultant shall commence performance of the Agreement pursuant to the schedule(s) set forth in Exhibit A. All Work shall be performed by no later than September 30, 2019.

4. Compensation:

A. Amount. Total compensation to Consultant for Work provided pursuant to this Agreement shall not exceed Fourteen Thousand, Six Hundred and Fifty Dollars ($14,650), plus any applicable state and local sales taxes. Compensation shall be paid as a fixed sum according to the rate(s) or amounts specified in Exhibit B. The Consultant agrees that any hourly or flat rate charged by it for its Work shall remain locked at the negotiated rate(s) unless otherwise agreed to in writing or provided in Exhibit B. Except as specifically provided herein, the Consultant shall be solely responsible for payment of any taxes imposed as a result of the performance and payment of this Agreement.

B. Method of Payment.
On a monthly or no less than quarterly basis during any quarter in which Work is performed, the Consultant shall submit a voucher or invoice in a form specified by the City, including a description of what Work has been performed, the name of the personnel performing such Work, and any hourly labor charge rate for such personnel. The Consultant shall also submit a final bill upon completion of all Work. Payment shall be made by the City for Work performed within thirty (30) calendar days after receipt and approval by the appropriate City representative of the voucher or invoice. If the Consultant's performance does not meet the requirements of this Agreement, the Consultant will correct or modify its performance to comply with the Agreement. The City may withhold payment for work that does not meet the requirements of this Agreement.

C. Effect of Payment. Payment for any part of the Work shall not constitute a waiver by the City of any remedies it may have against the Consultant for failure of the Consultant to perform the Work or for any breach of this Agreement by the Consultant.

D. Non-Appropriation of Funds. If sufficient funds are not appropriated or allocated for payment under this Agreement for any future fiscal period, the City shall not be obligated to make payments for Work or amounts incurred after the end of the current fiscal period, and this Agreement will terminate upon the completion of all remaining Work for which funds are allocated. No penalty or expense shall accrue to the City in the event this provision applies.

5. Termination:

A. The City reserves the right to terminate this Agreement at any time, with or without cause, by giving ten (10) calendar days' notice to the Consultant in writing.
In the event of such termination or suspension, all finished or unfinished documents, data, studies, worksheets, models and reports, or other material prepared by the Consultant pursuant to this Agreement shall be submitted to the City, if any are required as part of the Work.

B. In the event this Agreement is terminated by the City, the Consultant shall be entitled to payment for all hours worked to the effective date of termination, less all payments previously made. If the Agreement is terminated by the City after partial performance of Work for which the agreed compensation is a fixed fee, the City shall pay the Consultant an equitable share of the fixed fee. This provision shall not prevent the City from seeking any legal remedies it may have for the violation or nonperformance of any of the provisions of this Agreement and such charges due to the City shall be deducted from the final payment due the Consultant. No payment shall be made by the City for any expenses incurred or work done following the effective date of termination unless authorized in advance in writing by the City.

6. Warranties And Right To Use Work Product: Consultant represents and warrants that Consultant will perform all Work identified in this Agreement in a professional and workmanlike manner and in accordance with all reasonable and professional standards and laws. Compliance with professional standards includes, as applicable, performing the Work in compliance with applicable City standards or guidelines (e.g. design criteria and Standard Plans for Road, Bridge and Municipal Construction). Professional engineers shall certify engineering plans, specifications, plats, and reports, as applicable, pursuant to RCW 18.43.070.
Consultant further represents and warrants that all final work product created for and delivered to the City pursuant to this Agreement shall be the original work of the Consultant and free from any intellectual property encumbrance which would restrict the City from using the work product. Consultant grants to the City a non-exclusive, perpetual right and license to use, reproduce, distribute, adapt, modify, and display all final work product produced pursuant to this Agreement. The City's or other's adaptation, modification or use of the final work products other than for the purposes of this Agreement shall be without liability to the Consultant. The provisions of this section shall survive the expiration or termination of this Agreement.

7. Record Maintenance: The Consultant shall maintain accounts and records, which properly reflect all direct and indirect costs expended and Work provided in the performance of this Agreement and retain such records for as long as may be required by applicable Washington State records retention laws, but in any event no less than six years after the termination of this Agreement. The Consultant agrees to provide access to and copies of any records related to this Agreement as required by the City to audit expenditures and charges and/or to comply with the Washington State Public Records Act (Chapter 42.56 RCW). The provisions of this section shall survive the expiration or termination of this Agreement.

8. Public Records Compliance: To the full extent the City determines necessary to comply with the Washington State Public Records Act, Consultant shall make a due diligent search of all records in its possession or control relating to this Agreement and the Work, including, but not limited to, e-mail, correspondence, notes, saved telephone messages, recordings, photos, or drawings and provide them to the City for production.
In the event Consultant believes said records need to be protected from disclosure, it may, at Consultant's own expense, seek judicial protection. Consultant shall indemnify, defend, and hold harmless the City for all costs, including attorneys' fees, attendant to any claim or litigation related to a Public Records Act request for which Consultant has responsive records and for which Consultant has withheld records or information contained therein, or not provided them to the City in a timely manner. Consultant shall produce for distribution any and all records responsive to the Public Records Act request in a timely manner, unless those records are protected by court order. The provisions of this section shall survive the expiration or termination of this Agreement.

9. Independent Contractor Relationship:

A. The Consultant is retained by the City only for the purposes and to the extent set forth in this Agreement. The nature of the relationship between the Consultant and the City during the period of the Work shall be that of an independent contractor, not employee. The Consultant, not the City, shall have the power to control and direct the details, manner or means of Work. Specifically, but not by means of limitation, the Consultant shall have no obligation to work any particular hours or particular schedule, unless otherwise indicated in the Scope of Work or where scheduling of attendance or performance is mutually arranged due to the nature of the Work. Consultant shall retain the right to designate the means of performing the Work covered by this agreement, and the Consultant shall be entitled to employ other workers at such compensation and such other conditions as it may deem proper, provided, however, that any contract so made by the Consultant is to be paid by it alone, and that employing such workers, it is acting individually and not as an agent for the City.

B.
The City shall not be responsible for withholding or otherwise deducting federal income tax or Social Security or contributing to the State Industrial Insurance Program, or otherwise assuming the duties of an employer with respect to Consultant or any employee of the Consultant.

C. If the Consultant is a sole proprietorship or if this Agreement is with an individual, the Consultant agrees to notify the City and complete any required form if the Consultant retired under a State of Washington retirement system and agrees to indemnify any losses the City may sustain through the Consultant's failure to do so.

10. Hold Harmless: The Consultant agrees to release, indemnify, defend, and hold harmless the City, elected officials, employees, officers, representatives, and volunteers from any and all claims, demands, actions, suits, causes of action, arbitrations, mediations, proceedings, judgments, awards, injuries, damages, liabilities, taxes, losses, fines, fees, penalties, expenses, attorney's or attorneys' fees, costs, and/or litigation expenses to or by any and all persons or entities, arising from, resulting from, or related to the negligent acts, errors or omissions of the Consultant in its performance of this Agreement or a breach of this Agreement by Consultant, except for that portion of the claims caused by the City's sole negligence. Should a court of competent jurisdiction determine that this agreement is subject to RCW 4.24.115 (Validity of agreement to indemnify against liability for negligence relative to construction, alteration, improvement, etc., of structure or improvement attached to real estate...), then, in the event of liability for damages arising out of bodily injury to persons or damages to property caused by or resulting from the concurrent negligence of the Consultant and the City, its officers, officials, employees and volunteers, Consultant's liability shall be only to the extent of Consultant's negligence.
It is further specifically and expressly understood that the indemnification provided in this Agreement constitutes Consultant's waiver of immunity under the Industrial Insurance Act, RCW Title 51, solely for the purposes of this indemnification. The Parties have mutually negotiated and agreed to this waiver. The provisions of this section shall survive the expiration or termination of this Agreement.

11. Gifts and Conflicts: The City's Code of Ethics and Washington State law prohibit City employees from soliciting, accepting, or receiving any gift, gratuity or favor from any person, firm or corporation involved in a contract or transaction. To ensure compliance with the City's Code of Ethics and state law, the Consultant shall not give a gift of any kind to City employees or officials. Consultant also confirms that Consultant does not have a business interest or a close family relationship with any City officer or employee who was, is, or will be involved in selecting the Consultant, negotiating or administering this Agreement, or evaluating the Consultant's performance of the Work.

12. City of Renton Business License: The Consultant shall obtain a City of Renton Business License prior to performing any Work and maintain the business license in good standing throughout the term of this agreement with the City.

Information regarding acquiring a city business license can be found at:
http://www.rentonwa.gov/cros/One.aspx?portalld=7922741&pageld=9824882

Information regarding State business licensing requirements can be found at:
http://dor.wa.gov/doing-business/register-my-business

13. Insurance: Consultant shall secure and maintain:

A. Commercial general liability insurance in the minimum amounts of $1,000,000 for each occurrence/$2,000,000 aggregate for the Term of this Agreement.

B.
In the event that Work delivered pursuant to this Agreement either directly or indirectly involves or requires Professional Services, Professional Liability, Errors and Omissions coverage shall be provided with minimum limits of $1,000,000 per occurrence. "Professional Services", for the purpose of this section, shall mean any Work provided by a licensed professional or Work that requires a professional standard of care.

C. Workers' compensation coverage, as required by the Industrial Insurance laws of the State of Washington, shall also be secured.

D. Commercial Automobile Liability for owned, leased, hired or non-owned vehicles, with minimum limits of $1,000,000 per occurrence combined single limit, if there will be any use of Consultant's vehicles on the City's Premises by or on behalf of the City, beyond normal commutes.

E. Consultant shall name the City as an Additional Insured on its commercial general liability policy on a non-contributory primary basis. The City's insurance policies shall not be a source for payment of any Consultant liability, nor shall the maintenance of any insurance required by this Agreement be construed to limit the liability of Consultant to the coverage provided by such insurance or otherwise limit the City's recourse to any remedy available at law or in equity.

F. Subject to the City's review and acceptance, a certificate of insurance showing the proper endorsements shall be delivered to the City before performing the Work.

G. Consultant shall provide the City with written notice of any policy cancellation, within two (2) business days of their receipt of such notice.

14. Delays: Consultant is not responsible for delays caused by factors beyond the Consultant's reasonable control. When such delays beyond the Consultant's reasonable control occur, the City agrees the Consultant is not responsible for damages, nor shall the Consultant be deemed to be in default of the Agreement.

15.
Successors and Assigns: Neither the City nor the Consultant shall assign, transfer or encumber any rights, duties or interests accruing from this Agreement without the written consent of the other.

16. Notices: Any notice required under this Agreement will be in writing, addressed to the appropriate party at the address which appears below (as modified in writing from time to time by such party), and given personally, by registered or certified mail, return receipt requested, by facsimile or by nationally recognized overnight courier service. Time period for notices shall be deemed to have commenced upon the date of receipt, EXCEPT facsimile delivery will be deemed to have commenced on the first business day following transmission. Email and telephone may be used for purposes of administering the Agreement, but should not be used to give any formal notice required by the Agreement.

CITY OF RENTON
Mehdi Sadri
1055 South Grady Way
Renton, WA 98057
Phone: (425) 430-6886
MSadri@rentonwa.gov
Fax: (425) 430-6893

CONSULTANT
Fred Langston
245 4th Street, Suite 405
Bremerton, WA 98337
Phone: 206 687-9100 x 309
Fred.Langston@Ci.Security
Fax:

17. Discrimination Prohibited: Except to the extent permitted by a bona fide occupational qualification, the Consultant agrees as follows:

A.
Consultant, and Consultant's agents, employees, representatives, and volunteers with regard to the Work performed or to be performed under this Agreement, shall not discriminate on the basis of race, color, sex, religion, nationality, creed, marital status, sexual orientation or preference, age (except minimum age and retirement provisions), honorably discharged veteran or military status, or the presence of any sensory, mental or physical handicap, unless based upon a bona fide occupational qualification in relationship to hiring and employment, in employment or application for employment, the administration of the delivery of Work or any other benefits under this Agreement, or procurement of materials or supplies.

B. The Consultant will take affirmative action to insure that applicants are employed and that employees are treated during employment without regard to their race, creed, color, national origin, sex, age, sexual orientation, physical, sensory or mental handicaps, or marital status. Such action shall include, but not be limited to the following: employment, upgrading, demotion or transfer, recruitment or recruitment advertising, layoff or termination, rates of pay or other forms of compensation and selection for training.

C. If the Consultant fails to comply with any of this Agreement's non-discrimination provisions, the City shall have the right, at its option, to cancel the Agreement in whole or in part.

D. The Consultant is responsible to be aware of and in compliance with all federal, state and local laws and regulations that may affect the satisfactory completion of the project, which includes but is not limited to fair labor laws, worker's compensation, and Title VI of the Federal Civil Rights Act of 1964, and will comply with City of Renton Council Resolution Number 4085.

18. Miscellaneous: The parties hereby acknowledge:

A. The City is not responsible to train or provide training for Consultant.

B.
Consultant will not be reimbursed for job related expenses except to the extent specifically agreed within the attached exhibits.

C. Consultant shall furnish all tools and/or materials necessary to perform the Work except to the extent specifically agreed within the attached exhibits.

D. In the event special training, licensing, or certification is required for Consultant to provide Work he/she will acquire or maintain such at his/her own expense and, if Consultant employs, sub-contracts, or otherwise assigns the responsibility to perform the Work, said employee/sub-contractor/assignee will acquire and/or maintain such training, licensing, or certification.

E. This is a non-exclusive agreement and Consultant is free to provide his/her Work to other entities, so long as there is no interruption or interference with the provision of Work called for in this Agreement.

F. Consultant is responsible for his/her own insurance, including, but not limited to health insurance.

G. Consultant is responsible for his/her own Worker's Compensation coverage as well as that for any persons employed by the Consultant.

19. Other Provisions:

A. Approval Authority. Each individual executing this Agreement on behalf of the City and Consultant represents and warrants that such individuals are duly authorized to execute and deliver this Agreement on behalf of the City or Consultant.

B. General Administration and Management. The City's project manager is Mehdi Sadri. In providing Work, Consultant shall coordinate with the City's contract manager or his/her designee.

C. Amendment and Modification. This Agreement may be amended only by an instrument in writing, duly executed by both Parties.

D. Conflicts. In the event of any inconsistencies between Consultant proposals and this Agreement, the terms of this Agreement shall prevail. Any exhibits/attachments to this Agreement are incorporated by reference only to the extent of the purpose for which they are referenced within this Agreement.
To the extent a Consultant-prepared exhibit conflicts with the terms in the body of this Agreement or contains terms that are extraneous to the purpose for which it is referenced, the terms in the body of this Agreement shall prevail and the extraneous terms shall not be incorporated herein.

E. Governing Law. This Agreement shall be made in and shall be governed by and interpreted in accordance with the laws of the State of Washington and the City of Renton. Consultant and all of the Consultant's employees shall perform the Work in accordance with all applicable federal, state, county and city laws, codes and ordinances.

F. Joint Drafting Effort. This Agreement shall be considered for all purposes as prepared by the joint efforts of the Parties and shall not be construed against one party or the other as a result of the preparation, substitution, submission or other event of negotiation, drafting or execution.

G. Jurisdiction and Venue. Any lawsuit or legal action brought by any party to enforce or interpret this Agreement or any of its terms or covenants shall be brought in the King County Superior Court for the State of Washington at the Maleng Regional Justice Center in Kent, King County, Washington, or its replacement or successor. Consultant hereby expressly consents to the personal and exclusive jurisdiction and venue of such court even if Consultant is a foreign corporation not registered with the State of Washington.

H. Severability. A court of competent jurisdiction's determination that any provision or part of this Agreement is illegal or unenforceable shall not cancel or invalidate the remainder of this Agreement, which shall remain in full force and effect.

I. Sole and Entire Agreement. This Agreement contains the entire agreement of the Parties and any representations or understandings, whether oral or written, not incorporated are excluded.

J. Time is of the Essence.
Time is of the essence of this Agreement and each and all of its provisions in which performance is a factor. Adherence to completion dates set forth in the description of the Work is essential to the Consultant's performance of this Agreement.

K. Third-Party Beneficiaries. Nothing in this Agreement is intended to, nor shall be construed to give any rights or benefits in the Agreement to anyone other than the Parties, and all duties and responsibilities undertaken pursuant to this Agreement will be for the sole and exclusive benefit of the Parties and no one else.

L. Binding Effect. The Parties each bind themselves, their partners, successors, assigns, and legal representatives to the other party to this Agreement, and to the partners, successors, assigns, and legal representatives of such other party with respect to all covenants of the Agreement.

M. Waivers. All waivers shall be in writing and signed by the waiving party. Either party's failure to enforce any provision of this Agreement shall not be a waiver and shall not prevent either the City or Consultant from enforcing that provision or any other provision of this Agreement in the future. Waiver of breach of any provision of this Agreement shall not be deemed to be a waiver of any prior or subsequent breach unless it is expressly waived in writing.

N. Counterparts. The Parties may execute this Agreement in any number of counterparts, each of which shall constitute an original, and all of which will together constitute this one Agreement.

IN WITNESS WHEREOF, the Parties have voluntarily entered into this Agreement as of the date last signed by the Parties below (the "Effective Date").

CITY OF RENTON
By: Mehdi Sadri, IT Director
Date: [illegible in scan]

CONSULTANT
Critical Informatics Inc. dba CI Security
By: Vince Ward, Director of Operations
(Digitally signed by Vince Ward; DN: cn=Vince Ward, o, ou, email=Vince.Ward@CI.Security; Date: 2019.07.09 09:34:50 -07'00')
Date: 07/09/2019

Approved as to Legal Form
By: Shane Moloney, City Attorney

Contract Template Updated 03/12/2019

EXHIBIT A

CI Security BY CRITICAL INFORMATICS

CITY OF RENTON, WA
FOCUSED SECURITY ASSESSMENT
STATEMENT OF WORK
SOW 2019-076

Presented To:
Mehdi Sadri, IT Director
The City of Renton
1055 South Grady Way
Renton, WA 98057
Telephone: (425) 430-6400
MSadri@Rentonwa.gov

Submitted By:
Fred Langston, CISSP, CCSK
EVP, Professional Services
Critical Informatics Inc. dba CI Security
245 4th Street, Suite 405
Bremerton, WA 98337
Telephone: (206) 687-9100 x309
Fred.Langston@CI.Security

Statement of Work: CI Security Focused Security Assessment, The City of Renton, July 9, 2019

Notice
Critical Informatics has made every reasonable attempt to ensure that the information contained within this statement of work is correct, current and properly sets forth the requirements as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.

Trademark Notice
2019 Critical Informatics Inc. All Rights Reserved. Critical Informatics, the Critical Informatics logo and other trademarks, service marks, and designs are registered or unregistered trademarks of Critical Informatics in the United States and in foreign countries. © Copyright 2019 Critical Informatics Inc.
Table of Contents
GENERAL INFORMATION 1
BACKGROUND & OBJECTIVES 1
SERVICE DESCRIPTION AND SCOPE 3
GENERAL DESCRIPTION 3
SCOPE OF ACTIVITY 3
COORDINATION, PLANNING, & PROJECT INITIATION 4
THE CITY OF RENTON RESOURCE REQUIREMENTS 4
PROJECT INITIATION MEETING 5
INTERVIEWS 5
FOCUSED SECURITY ASSESSMENT METHODOLOGY 6
SCHEDULE 9
PERIOD OF PERFORMANCE 9
PROJECT CHANGE CONTROL 9
SERVICE DELIVERABLES 11
DESCRIPTION 11
ACCEPTANCE OF DELIVERABLES 11
ASSUMPTIONS 12
COST 14
FIRM FIXED PRICE FOR SERVICES 14
TRAVEL AND EXPENSE REIMBURSEMENT 14
APPENDIX A: PROJECT COMPLETION FORM 15
APPENDIX B: INTERVIEW GUIDE 16

General Information

This Statement of Work ("SOW") is by and between Critical Informatics Inc. dba CI Security ("Critical Informatics", "CI Security") and the City of Renton ("The City", "Customer"). The parties hereby agree as follows:

This Statement of Work is governed by the terms and conditions set out in the City of Renton's Agreement for Focused Security Assessment, to which this SOW is attached. The offer of pricing and other terms set forth in this Statement of Work shall become effective and binding on Critical Informatics and Customer only on the Effective Date.

Statement of Nondisclosure

Public Records Act: The Public Records Act provides that a number of types of documents are exempt from public inspection and copying — e.g., Exemption of Personal Information: RCW 42.56.230(3). In addition, documents are exempt from disclosure if any "other statute" exempts or prohibits disclosure. Where applicable, we will work with the City Clerk to ensure we provide deliverables that adhere to the City's responsibilities.
Background & Objectives

Purpose

This SOW describes the activities, scope and deliverables for:
■ A Focused Security Assessment (FSA) of the City of Renton's security policies and practices across the organization
■ Includes both IT and Operational Technology (OT)/Supervisory Control and Data Acquisition (SCADA) environments

Where controls are not fully implemented within the City's environment, Critical Informatics will provide prioritized recommendations so that the City of Renton can decrease information security risk and strengthen its overall security program. Remediation of controls not fully implemented is not included herein but may be covered in a separate SOW if requested.

This SOW includes:
■ Scope of Work - Critical Informatics' methodology for conducting these assessments and the scope of work that will be performed
■ Deliverables - Description of the deliverables for this project
■ Pricing - Critical Informatics' pricing model for this engagement and the included components
■ Project Assumptions - any assumptions that were used to derive the scope of work or pricing for this engagement

Service Description and Scope

This section provides a description of services, scope of activity, and support requirements associated with the services.
General Description

Critical Informatics will provide to the City these services:
■ A Focused Security Assessment of the City's security policies and practices

Focused Security Assessment

Our Focused Security Assessment approach may be summarized as a computer and network security assessment intended to provide a point-in-time snapshot of the City of Renton's security posture, coupled with a set of prioritized recommendations for increasing the security throughout the organization. The Focused Security Assessment will focus on the City of Renton's Enterprise environment and the security management practices supporting that environment. The assessment methodology is based on standards of practice drawn from multiple sources that include the National Institute of Standards and Technology (NIST) Cyber Security Framework, the Criminal Justice Information Services security standard (CJIS) and possibly the Payment Card Industry Data Security Standard (PCI), and the Health Insurance Portability and Accountability Act (HIPAA).

Scope of Activity

The scope outlined below depicts the scope of activity associated with this engagement.

Table 1: SOW Scope Statement

Activity or Focus               | Scope & Delivery Requirements
--------------------------------|--------------------------------------------------------------------------
Focused Security Assessment     | Up to eight (8) interviews across the City's departments and working groups
Report                          | A report of the findings and analyses of the Focused Security Assessment, and Internal and External vulnerability scanning. A prioritized list of remediation recommendations
Management Presentation         | A presentation to the City of Renton's staff and management of the findings and prioritized remediation recommendations, with the opportunity for questions and answers and open discussion.
Location(s) of Work Performance | Critical Informatics will perform the services at the following geographic locations: the City of Renton's Offices (Renton, WA); Critical Informatics Facilities (Remote)

Coordination, Planning, & Project Initiation

Critical Informatics will assign a Lead Consultant to be the primary point of contact for all project work. The Lead Consultant will coordinate, plan, manage, and report all project activities and findings to the City of Renton's designated Project Sponsor and/or Project Manager. Critical Informatics will provide project management for all aspects of this project, including tracking and resolution of project related issues, progress tracking, project reporting, and communication.

A key component of Critical Informatics' project management approach is timely reporting of project progress and findings. This enables a proactive approach to addressing security risks discovered during the course of the project and ensures that all project stakeholders are completely informed at all times. To support this, Critical Informatics will conduct a weekly status report teleconference with the City of Renton's project team. Follow-up discussions and deliverables will occur on a case-by-case basis to ensure clear and timely communication of all issues.

The City of Renton Resource Requirements

Achieving the City of Renton's objectives will require active participation from both the Critical Informatics Project Lead Consultant as well as the City of Renton's own personnel.
To ensure the timely and successful completion of this project, the City of Renton should expect at least the following resource time commitments from its own personnel: A Project Sponsor should be assigned to provide resolution of issues, escalation of issues, clarification of requirements, sign-off deliverables, and access to resources as required by the project team. This role will require only a 2-3 hour per week of commitment to the project. Additionally, the following activities and estimated time allocations will be performed as part of the project in which the City of Renton-identified staff will participate: ■ Kick-off meeting: 1 hour ■ Focused Security Assessment Interviews - Up to 1 1/2 hours each S. ems, PAGE 4OF36 Statement of Work CC S e C u r(t Y Focused Security Assessment BY CRITICAL INFORMATICS The City of Renton July 9, 2019 Project Initiation Meeting Critical Informatics recognizes the value of communication and ongoing collaboration with our customers. As such, we include a project initiation meeting (kick-off meeting) with all our engagements. During the meeting, Critical Informatics will address the following topics: ■ Introduce key people at the City of Renton and Critical Informatics Exchange contact information (for regular reporting and emergencies) ■ Review communication, notification, and issue escalation procedures ■ Discuss other specific the City of Renton requests and rules of engagement Critical Informatics will discuss the nature and time requirements for specific deliverable types that might be requested by the City of Renton during the project, the designated recipient, and the method which Critical Informatics will forward those deliverables. See Appendix: B Interview Guide for details of people, questions and times required to obtain the information requested. 
Interviews

Critical Informatics will then create and conduct up to eight (8) focused information-gathering facilitation sessions across two (2) days at the City of Renton's offices. The sessions will articulate the required controls while adding context from the current threat landscape that is relevant to the City. Each of the presentations will focus on the areas that are germane to the audience. For example, the groups that may be interviewed include:
■ Network
■ IT/Desktop Support
■ Information Security, Compliance and Data Protection
■ Telecom
■ Wireless Networking
■ Applications
■ Database
■ Development
■ Management
■ Finance
■ Legal
■ HR
■ Physical Facilities

The sessions will address the control standards as components relevant to each audience (with some overlap), and will both deliver information and solicit it. As the requirements are presented, a conversational narrative will be used to interview the audience on how effectively each requirement is currently being met. This conversation will include ideas on how compliance gaps may be closed using open-source tools, managed services, and other methods that fit a municipal organization's networks with respect to cost and management requirements.

Critical Informatics will review the results of the interviews and develop the report described in the Deliverables section below. A draft of the deliverable will be provided to the client lead stakeholder for approval prior to delivery in the de-brief sessions listed below.

Focused Security Assessment Methodology

Step 1 - Information Gathering

Critical Informatics will collect all relevant information from document reviews and staff interviews, and review and verify the gathered data. This project will include a combination of onsite and remote work. During this time, Critical Informatics focuses on information gathering to gain a better understanding of the information security program, policy and procedural implementation, and the environment, including:
■ Identification of the organizational structure and essential stakeholders in security management activities
■ The information risk environment
■ Governance, policy management, and acceptable risk tolerance
■ Information security planning activities
■ Additional functional components of the security program and the key practices supporting those components
■ Operational risk and compliance activities
■ Critical issues confronting the City of Renton, including but not limited to:
  o Data sharing agreements with other agencies
  o Contracts with other agencies and service providers that impact the security of PII and other sensitive and critical data, such as offsite back-up providers
■ Prior information security-related assessments
■ The general technical architecture

The City of Renton may consider focusing on the following elements:
■ Security training needs for staff
■ Encryption, especially on mobile devices
■ Limiting the information being passed (especially student or health data)
■ Strengthening passwords for apps, VoIP, and voicemail PINs
■ Monitoring and incident response
■ Specific vulnerabilities
■ Physical security

As stated, Critical Informatics will derive most of the information necessary to assess the environment and supporting key practices through documentation reviews (such as policies, procedures, and plans related to information security) and through interviews and subsequent discussions with knowledgeable staff responsible for various aspects of information security management, including:
■ Executive Management
■ Key business unit leaders
■ Information Security staff
■ Staff focused on Privacy
■ CIO/IT Management/Administrators/Developers
■ Staff focused on Business Continuity and Disaster Recovery
■ Support Functions (HR, Legal, Finance, Facilities)
■ Others, as applicable

Step 2 - Review and Analysis

During remote work activities, Critical Informatics professionals will analyze the information gleaned from documents provided by the City of Renton and from our interviews with various staff. The objective is to identify critical issues and develop prioritized recommendations for improvement. Critical Informatics will assess the current environment and security management practices against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, with further alignment with CJIS, HIPAA/HITECH, and possibly PCI DSS 3.2. Critical Informatics will provide prioritized recommendations, based upon risk, so that the City can meet its compliance objectives and strengthen its overall security program.

Step 3 - Reporting

Using the results from Steps 1 and 2, Critical Informatics will develop prioritized recommendations to improve the City's information security program. The recommendations will be based on SOGP, business requirements, internal security-related requirements, and practices used by industry peers. As part of this activity, Critical Informatics will ensure that our recommendations and supporting rationale are clearly understood and appropriate for the City's environment. Critical Informatics will present any documentation detailing our findings and recommendations in draft form so that the City of Renton has an opportunity to review, comment, correct, and approve the format and content prior to finalizing the deliverable documentation.
This iterative process helps to ensure that the City can make informed, incremental decisions regarding specific courses of action throughout this review.

Schedule

Period of Performance

The City of Renton requests the following project duration, with individual project requests being made by the City throughout the life of the project. Critical Informatics will make every reasonable attempt to meet the dates requested. The City understands and agrees that changes in critical factors (such as those listed below in Project Change Control, or a delay in signature of this document) may impact Critical Informatics' ability to meet certain dates.

Project Start Date: Within four (4) weeks of the Effective Date
Project Completion Date: Within four (4) weeks of the Start Date

Project Change Control

Critical Informatics has made every attempt to accurately estimate the time required to successfully complete the project. The City acknowledges and agrees that if impediments, complications, or City of Renton-requested changes in scope arise, these factors are outside the control of Critical Informatics, and the length of the project and associated price could be impacted. Examples of valid impediments, complications, and changes in scope consist of (but are not limited to):
■ A City of Renton-initiated delay where the Customer is not prepared to allow Critical Informatics to begin work on the agreed-upon start date, resulting in additional cost to Critical Informatics for resources that have been sent to the City of Renton's site but cannot begin the Services
■ Information provided by the City of Renton that is necessary for timely delivery by Critical Informatics is not accurate
■ Delays or problems associated with third-party telecommunication equipment (this includes, but is not limited to, cabling, servers, routers, hubs, and switches managed or installed by third parties)
■ Malfunctioning hardware
■ Inability to access equipment or personnel that are required to complete the project
■ Conflicts or incompatibilities associated with the installation of hardware or software installed by Critical Informatics
■ The City of Renton increases the scope of services, requiring additional labor, hardware, software, materials, travel, lodging, meals, or other direct costs

If any change(s) from impediments, complications, or City changes in the scope of services cause an increase or decrease in the price or level of effort of the SOW, or in the time required for the performance of any part of the work to be accomplished hereunder, whether or not such work is specifically identified in the written change, then the price, delivery schedules, and other affected provision(s), if any, as applicable, shall be equitably adjusted and this SOW shall be modified in writing by the mutual agreement of the parties in accordance with this Section.
Service Deliverables Description

Critical Informatics will provide the following deliverables as part of this project:

Table 2: Deliverable Description

Name of Deliverable | Description of Deliverable
Focused Security Assessment Report | A report describing the activities performed and the findings and risks identified, along with a set of prioritized recommendations and next steps to mitigate the risks and increase the security posture of the City
Management Presentation | A Microsoft PowerPoint presentation oriented towards management that provides an overview of the assessment activities conducted and major findings noted, with an emphasis on high-risk or systemic deficiencies. Critical Informatics will deliver this presentation onsite.

Acceptance of Deliverables

The City has five (5) business days to inspect and acknowledge full delivery of the Services to be provided by Critical Informatics hereunder upon completion and delivery of the Services by Critical Informatics. The City of Renton will indicate such acknowledgement by signing Critical Informatics' Project Completion Form, a sample of which is attached as Appendix A. If the City believes that Critical Informatics has not fully delivered the Services to be provided hereunder and refuses to sign the Project Completion Form on that basis, the City of Renton shall identify in reasonable detail the specific Services or deliverables which the City of Renton believes were not delivered, with specific reference to the corresponding sections of this SOW, via written notice to Critical Informatics within such five (5) business day period. Following Critical Informatics' receipt of any such notification, the parties shall cooperate in good faith to promptly address and resolve any remaining Service delivery requirements. Upon Critical Informatics' delivery of the remaining Services, if any, the City of Renton's right to inspect and acknowledge full delivery shall be as stated above. If the City fails to provide such acknowledgement or notice within five (5) business days of receiving the final deliverables, the City of Renton agrees that the Services shall be deemed fully delivered to the City, even if the City has not signed the Critical Informatics Project Completion Form.

Assumptions

Critical Informatics used the following assumptions during development of this SOW. Any changes to these assumptions may affect the price and schedule commitments.
■ The City of Renton will provide Critical Informatics access to the business, customer, and technical information, and the facilities, necessary to execute the solution
■ The City of Renton will provide Critical Informatics on-site and off-site access to documents necessary for this assessment
■ The City of Renton will ensure that appropriate personnel are available to meet with Critical Informatics, as necessary
■ Layer-3 devices will allow the protocols needed to discover and identify network services
■ Critical Informatics will have approved access to vendors for the purpose of obtaining device configurations, network diagrams, and details on monitoring or other processes that are performed on behalf of the Client. If required, the Customer will assist with obtaining this access.
■ During this engagement, any vulnerabilities, sensitive data, or configuration data found will not be disclosed except to specified client staff
■ Critical Informatics will not be obligated to extend engagements when delays result from the City's inability to meet stated prerequisites prior to an engagement, nor when delays result from City of Renton personnel not being available to provide required support
■ During this effort, Critical Informatics will not be responsible for negotiations with hardware, software, or other vendors, or for any other contractual relationship between the City of Renton and third parties
■ Critical Informatics, at the request of the City, will provide input to the City of Renton regarding optimal product or vendor selection
■ Critical Informatics will perform the work between 8:30am and 5:00pm (local time). After-hours and weekend work (when required) must be explicitly identified below or as otherwise agreed to in writing by the parties:

After-hours required? Yes ❑ No ❑
Weekend hours required? Yes ❑ No ❑
Location of onsite services? The City of Renton City Hall, 1055 South Grady Way, Renton, WA 98057

EXHIBIT B: COST

Firm Fixed Price for Services

Critical Informatics will provide the services for a Firm Fixed Price (FFP) for labor.

Security Service | Firm Fixed Price
Focused Security Assessment | $14,650

Travel and Expense Reimbursement

Travel, meals, lodging, and other direct costs for the described effort are not expected for this project and are not included in the quote above. If equipment and other direct costs for the described effort are incurred at the request of, and after obtaining prior authorization from, the City of Renton, those expenses shall be reimbursed by the City of Renton at actual cost.
Appendix A: Project Completion Form

Critical Informatics has completed all the agreed-upon tasks outlined in the Statement of Work titled "Focused Security Assessment" and dated July 9, 2019.

Accepted and Agreed By: The City of Renton, Washington
Signature:
Printed Name:
Title:
Date:

Please email the signed form to Vince Ward at Vince.Ward@CI.Security.

Appendix B: Interview Guide

Onsite Meetings

Personnel for interviews and time commitments:
■ Network Ops/Telecom/Infrastructure/Wireless Networking - 1-2 hours
  o Personnel: Network admins, wireless admins, systems architects and designers
■ Information Security Operations - 1 hour
  o Personnel: Administrators and designers of firewalls, VPNs and gateways, Intrusion Detection Systems/Intrusion Prevention Systems, Data Loss Prevention, AV/anti-malware, File Integrity Monitoring, encryption systems
  o Monitoring, alerting and incident response
  o Vulnerability management
  o Security testing
  o Security requirements gathering
■ Desktop Support - 1 hour
  o Personnel: AD admins and GPO designers, helpdesk and password reset, desktop admins
■ Policy/Procedures/Governance Issues - 1 hour
  o Personnel: CIO/Dir. of IT/CISO/Dir. of Security and IT Management
  o Security policies, practices, decision-making processes for procurement, security decision-making processes for projects or for outsourcing, change control and change management, compliance, risk management and governance
■ HR - 1/2 hour
  o Personnel: Staff who are knowledgeable about hiring, termination, job role change, and training practices
  o Hiring process, termination process, training requirements, policy enforcement
■ Procurement - 1/2 hour
  o Personnel: Purchasing, Contracts
  o Security in the procurement process, contractual language regarding data protection and security
■ Applications/Database - 1 hour
  o Personnel: People who are knowledgeable about the team's practices, methods of operation, use of encryption in apps and DBs, and the development process
■ Development Teams and Managers - 1/2 hour
  o Personnel: In-house development staff and managers; review of the SDLC
■ Facilities and Plant - 1/2 hour
  o Personnel: People whose responsibilities include building and facility access control, employee and visitor badging and escorting, video monitoring, card key and physical key systems, datacenter controls such as back-up power, temperature sensors, water sensors and fire suppression, and paper and media management and disposal (shredding)

Questions for Interviewees

The following list, though not inclusive and open to modification based on your environment, may help you get an idea of the nature of the interviews:

■ Network
  o Go over the network diagram or whiteboard
  o How do you grant and remove administrative access to network devices?
  o How do you maintain patch levels and update to new versions for the network devices?
  o Do you apply role-based access to network devices?
  o Do you follow the Principle of Least Privilege when assigning access roles?
  o Do you follow the manufacturer's configuration guides or another secure configuration benchmark, such as those from the Center for Internet Security (CIS) or NIST?
  o Do you conduct security testing of the network after every significant update or major configuration change?
  o Are VLANs used, and are they ACLed?
■ Operations Security
  o Provide a list of operational security controls and technologies in use
  o Do you require secure baseline configurations for all IT systems, and do you regularly monitor those configurations?
  o Do you use Network Access Control technologies?
  o Is your firewall in a default-deny configuration?
  o Are all rules documented with a business function?
  o Are the firewalls and any network ACLs reviewed regularly?
  o Describe the monitoring, alerting and incident response systems and processes
  o Describe the vulnerability management systems and processes
  o Describe the process of gathering security requirements for new or updated technology and infrastructure
  o Describe the security testing systems and processes in use and how the findings are incorporated into the environment and processes
  o Do you conduct audits on the network and on systems to find regulated or classified data and assess whether it is being handled correctly?
  o Do you use any data monitoring technologies, or is DLP incorporated into the regulated or classified data protection measures?
■ DBAs and Application Administrators
  o How do you provide access based on the principle of least privilege?
  o Is all user access to the application role-based (RBAC), and what are those roles based on?
  o Is access reviewed periodically, and how often?
  o How is access approved?
  o Do you use multifactor authentication for access, whether by users or by administrators?
  o How are users decommissioned?
  o How are connections made to the DB: stored procedures or direct DB calls?
  o Is data encryption enforced at the application layer or the DB layer, how, and with what ciphers?
  o What authentication methods are used for the application, and where can the application be accessed from (i.e., the Internet or internal only)?
  o Is the application using a fat client, thin client, Citrix/RDP, or VPN?
■ Dev Team and Dev Managers
  o Describe the SDLC
  o What coding standards are being used, and are they documented?
  o When and how often is testing performed?
  o Is there logical separation of Dev, Test, and Prod environments?
  o Who is allowed to promote code, and how is it approved?
  o Is there segregation of duties between developers and production administrators?
  o Is live data ever used in non-production (Dev or Test) environments?
  o Describe developer training
  o Describe the results of the last or a typical security code review
  o Describe the last or a typical web application security assessment
  o What is the process for incorporating lessons learned back into the coding standards and practices?
  o How do you assess the controls expected on classified systems, or on systems and networks handling regulated or classified data?
  o Do you apply role-based access to applications and systems using regulated or classified data?
  o Do you follow the Principle of Least Privilege when creating Windows, application, and SaaS access roles for regulated or classified data?
■ IT Administrators
  o Describe the IT and IS policies that apply to your work
  o Describe change control practices
  o Do you use secure configuration benchmarks such as NIST or CIS for guiding configuration of operating systems and network devices?
  o Do you run security testing, and how often?
  o How do you grant and remove access to onsite and SaaS applications?
  o Describe your AD/LDAP management practices
  o Do you use shared accounts, such as a common local administrator password or the root account?
  o How do you connect to systems when conducting administrative activities?
  o Have you documented justification for every rule in your firewall configurations?
  o Describe remote access uses and capabilities
■ HR
  o Do you conduct background checks prior to hiring, and for what positions?
  o Describe standard and hostile terminations, and job position shifts
  o Do you assist in enforcement of policy violations?
■ Procurement
  o Do you have a process to determine security requirements prior to evaluating products, vendors and services?
  o Are security risks weighed as part of the procurement process?
  o Do you include data protection and information security clauses in your contracts, or do your customers require them?
  o Do you have regulated data or operations that require signing of data sharing agreements or business associate agreements?
■ Facilities and Plant Operations
  o Describe physical security controls: card keys, keys, cameras, fire/water/temperature alerts in datacenters, back-up generators
■ CIO/Dir. of IT/CISO/Dir. of Security
  o Is data security and ownership covered in the procurement process and in vendor contracts?
  o How is information security governance conducted?
  o Are Information Security and Acceptable Use Policies and operational security procedures documented? Are they well known, and do employees receive training on them?
  o Is security awareness training conducted, and how often?
  o Do you incorporate security into your procurement process, and if so, how?
  o Is an enterprise security risk assessment conducted annually?
  o What regulations are you required to comply with, and have you achieved compliance with those regulations and standards (e.g., HIPAA, PCI)?
■ SCADA/OT
  o Are systems managed by you or by a vendor/contractor?
  o If a vendor/contractor, what policies and contract language are used to impose security requirements on the vendor/contractor?
  o Are vendors/contractors required to: have any equipment used on City SCADA/OT systems (laptops, smartphones, USB storage devices) scanned for malware prior to use; have background checks performed on any personnel working on City equipment; have employees schedule visits prior to working on City equipment; have employees badged or escorted by the City when working in City facilities housing SCADA/OT systems; and return or destroy City data upon termination of the contract?
  o Are SCADA/OT systems segregated from other network traffic? How?
  o Are SCADA/OT systems monitored for security events?
  o Are SCADA/OT systems patched regularly? How? How often?
  o Has a SCADA/OT asset discovery exercise ever been performed?
  o Do you have a full inventory of SCADA/OT systems and devices?