Accuvant Inc; 2008-03-05; AGREEMENT FOR ENTERPRISE SECURITY ASSESSMENT SERVICES
ACCUVANT INC.
THIS AGREEMENT is made and entered into as of the ____ day of
2008, by and between the CITY OF CARLSBAD, a municipal
corporation, ("City"), and Accuvant Inc., a Colorado corporation and qualified to do
business in California, ("Contractor").
RECITALS
A. City requires the professional services of a contractor that is experienced
in security technology, practices, methodologies, implementation and management.
B. Contractor has the necessary experience in providing professional
services and advice related to security technology, practices, methodologies,
implementation and management.
C. Selection of Contractor is expected to achieve the desired results in an
expedited fashion.
D. Contractor has submitted a proposal to City and has affirmed its
willingness and ability to perform such work.
NOW, THEREFORE, in consideration of these recitals and the mutual covenants
contained herein, City and Contractor agree as follows:
1. SCOPE OF WORK
City retains Contractor to perform, and Contractor agrees to render, those services (the
"Services") that are defined in attached Exhibit "A", which is incorporated by this
reference in accordance with this Agreement's terms and conditions.
2. STANDARD OF PERFORMANCE
While performing the Services, Contractor will exercise the reasonable professional
care and skill customarily exercised by reputable members of Contractor's profession
practicing in the Metropolitan Southern California Area, and will use reasonable
diligence and best judgment while exercising its professional skill and expertise.
3. TERM
The term of this Agreement will be effective from the date first above written to June 30,
2008. The City Manager may amend the Agreement to extend it for three (3) additional
one (1) year periods or parts thereof in an amount not to exceed seventy-five thousand
dollars ($75,000) per Agreement year. Extensions will be based upon a satisfactory
review of Contractor's performance, City needs, and appropriation of funds by the City
Council. The parties will prepare a written amendment indicating the effective date and
length of the extended Agreement.
4. TIME IS OF THE ESSENCE
Time is of the essence for each and every provision of this Agreement.
City Attorney Approved Version #11.28.06
5. COMPENSATION
The total fee payable for the Services to be performed during the initial Agreement term
will be seventy-four thousand nine hundred eighty dollars ($74,980). If Contractor
travels to perform Services then City shall reimburse Contractor, at cost, for
Contractor's reasonable, documented, and necessary travel expenses upon
presentation by Contractor of detailed statements of those expenses, not-to-exceed five
thousand dollars ($5,000). The City reserves the right to withhold a ten percent (10%)
retention until City has accepted the work and/or Services specified in Exhibit "A".
Incremental payments, if applicable, should be made as outlined in attached Exhibit "A".
6. STATUS OF CONTRACTOR
Contractor will perform the Services in Contractor's own way as an independent
contractor and in pursuit of Contractor's independent calling, and not as an employee of
City. Contractor will be under control of City only as to the result to be accomplished,
but will consult with City as necessary. The persons used by Contractor to provide
services under this Agreement will not be considered employees of City for any
purposes.
The payment made to Contractor pursuant to the Agreement will be the full and
complete compensation to which Contractor is entitled. City will not make any federal or
state tax withholdings on behalf of Contractor or its agents, employees or
subcontractors. City will not be required to pay any workers' compensation insurance or
unemployment contributions on behalf of Contractor or its employees or subcontractors.
Contractor agrees to indemnify City within thirty (30) days for any tax, retirement
contribution, social security, overtime payment, unemployment payment or workers'
compensation payment which City may be required to make on behalf of Contractor or
any agent, employee, or subcontractor of Contractor for work done under this
Agreement. At the City's election, City may deduct the indemnification amount from any
balance owing to Contractor.
7. SUBCONTRACTING
Contractor will not subcontract any portion of the Services without prior written approval
of City. If Contractor subcontracts any of the Services, Contractor will be fully
responsible to City for the acts and omissions of Contractor's subcontractor and of the
persons either directly or indirectly employed by the subcontractor, as Contractor is for
the acts and omissions of persons directly employed by Contractor. Nothing contained
in this Agreement will create any contractual relationship between any subcontractor of
Contractor and City. Contractor will be responsible for payment of subcontractors.
Contractor will bind every subcontractor and every subcontractor of a subcontractor by
the terms of this Agreement applicable to Contractor's work unless specifically noted to
the contrary in the subcontract and approved in writing by City.
8. OTHER CONTRACTORS
The City reserves the right to employ other Contractors in connection with the Services.
9. INDEMNIFICATION
Contractor agrees to indemnify and hold harmless the City and its officers, officials,
employees and volunteers from and against all claims, damages, losses and expenses
including attorneys fees arising out of the performance of the work described herein
caused by any negligence, recklessness, or willful misconduct of the Contractor, any
subcontractor, anyone directly or indirectly employed by any of them or anyone for
whose acts any of them may be liable.
The parties expressly agree that any payment, attorney's fee, costs or expense City
incurs or makes to or on behalf of an injured employee under the City's self-
administered workers' compensation is included as a loss, expense or cost for the
purposes of this section, and that this section will survive the expiration or early
termination of this Agreement.
10. INSURANCE
Contractor will obtain and maintain for the duration of the Agreement and any and all
amendments, insurance against claims for injuries to persons or damage to property
which may arise out of or in connection with performance of the services by Contractor
or Contractor's agents, representatives, employees or subcontractors. The insurance
will be obtained from an insurance carrier admitted and authorized to do business in the
State of California. The insurance carrier is required to have a current Best's Key Rating
of not less than "A-:V".
10.1 Coverages and Limits.
Contractor will maintain the types of coverages and minimum limits indicated below,
unless City Attorney or City Manager approves a lower amount. These minimum
amounts of coverage will not constitute any limitations or cap on Contractor's
indemnification obligations under this Agreement. City, its officers, agents and
employees make no representation that the limits of the insurance specified to be
carried by Contractor pursuant to this Agreement are adequate to protect Contractor. If
Contractor believes that any required insurance coverage is inadequate, Contractor will
obtain such additional insurance coverage, as Contractor deems adequate, at
Contractor's sole expense.
10.1.1 Commercial General Liability Insurance. $1,000,000 combined
single-limit per occurrence for bodily injury, personal injury and property damage. If the
submitted policies contain aggregate limits, general aggregate limits will apply
separately to the work under this Agreement or the general aggregate will be twice the
required per occurrence limit.
10.1.2 Automobile Liability (if the use of an automobile is involved for
Contractor's work for City). $1,000,000 combined single-limit per accident for bodily
injury and property damage.
10.1.3 Workers' Compensation and Employer's Liability. Workers'
Compensation limits as required by the California Labor Code and Employer's Liability
limits of $1,000,000 per accident for bodily injury. Workers' Compensation and
Employer's Liability insurance will not be required if Contractor has no employees and
provides, to City's satisfaction, a declaration stating this.
10.1.4 Professional Liability. Errors and omissions liability appropriate to
Contractor's profession with limits of not less than $1,000,000 per claim. Coverage must
be maintained for a period of five years following the date of completion of the work.
10.2. Additional Provisions. Contractor will ensure that the policies of insurance
required under this Agreement contain, or are endorsed to contain, the following
provisions:
10.2.1 The City will be named as an additional insured on General
Liability.
10.2.2 Contractor will obtain occurrence coverage, excluding Professional
Liability, which will be written as claims-made coverage.
10.2.3 This insurance will be in force during the life of the Agreement and
any extensions of it and will not be canceled without thirty (30) days prior written notice
to City sent by certified mail pursuant to the Notice provisions of this Agreement.
10.3 Providing Certificates of Insurance and Endorsements. Prior to City's execution
of this Agreement, Contractor will furnish certificates of insurance and endorsements to
City.
10.4 Failure to Maintain Coverage. If Contractor fails to maintain any of these
insurance coverages, then City will have the option to declare Contractor in breach, or
may purchase replacement insurance or pay the premiums that are due on existing
policies in order to maintain the required coverages. Contractor is responsible for any
payments made by City to obtain or maintain insurance and City may collect these
payments from Contractor or deduct the amount paid from any sums due Contractor
under this Agreement.
10.5 Submission of Insurance Policies. City reserves the right to require, at anytime,
complete and certified copies of any or all required insurance policies and
endorsements.
11. BUSINESS LICENSE
Contractor will obtain and maintain a City of Carlsbad Business License for the term of
the Agreement, as may be amended from time-to-time.
12. ACCOUNTING RECORDS
Contractor will maintain complete and accurate records with respect to costs incurred
under this Agreement. All records will be clearly identifiable. Contractor will allow a
representative of City during normal business hours to examine, audit, and make
transcripts or copies of records and any other documents created pursuant to this
Agreement at the sole cost of the City. Contractor will allow inspection of all work, data,
documents, proceedings, and activities related to the Agreement for a period of three
(3) years from the date of final payment under this Agreement.
13. OWNERSHIP OF DOCUMENTS
Contractor grants unlimited use to the City to copy or modify Deliverables for any
internal purpose. The parties agree that all Deliverables are the property of City to the
extent those Deliverables contain City-specific information. Where Contractor
incorporates Contractor's pre-existing intellectual property into the Deliverables,
Contractor hereby grants Client unlimited use to City to use Contractor's pre-existing
intellectual property as incorporated into the Deliverables for any internal purpose.
In the event this Agreement is terminated, all work product produced by Contractor or its
agents, employees and subcontractors pursuant to this Agreement will be delivered at
once to City. Contractor will have the right to make one (1) copy of the work product for
Contractor's records.
14. COPYRIGHTS
Contractor agrees that all copyrights that arise from the services will be vested in City
and Contractor relinquishes all claims to the copyrights in favor of City. Any copyright
that does not vest in the City shall be transferred or assigned, without additional fees,
compensation or royalties, to the City by Contractor. Contractor understands and
agrees that the materials and Deliverables that are subject to independent copyright
protection that are developed in connection with the performance of this Agreement,
and are not Contractor's pre-existing intellectual property shall constitute a work for hire
as that term is defined in the Copyright Act of 1976 (Act), as amended. Contractor may
use its ideas, concepts, know-how, and techniques that it develops during the course of
providing Services and Deliverables under this Service Order, subject to Contractor's
confidentiality obligations set forth in this Service Order and provided that such ideas,
concepts, know-how, or techniques do not violate any patent, trademark, copyright or
trade secret right of City.
15. NOTICES
The name of the persons who are authorized to give written notices or to receive written
notice on behalf of City and on behalf of Contractor under this Agreement.
For City:
Name Gordon Peterson
Title IT Manager
Department Info Tech
City of Carlsbad
Address 1635 Faraday Ave, Carlsbad, CA 92008
Phone No. (760) 602-2450
For Contractor:
Name Edward S. Wittman
Title Chief Financial Officer
Address 621 Seventeenth Street, #2425, Denver, CO 80293
Phone No. 303 298-0600
Each party will notify the other immediately of any changes of address that would
require any notice or delivery to be directed to another address.
15. CONFLICT OF INTEREST
City will evaluate Contractor's duties pursuant to this Agreement to determine whether
disclosure under the Political Reform Act and City's Conflict of Interest Code is required
of Contractor or any of Contractor's employees, agents, or subcontractors. Should it be
determined that disclosure is required, Contractor or Contractor's affected employees,
agents, or subcontractors will complete and file with the City Clerk those schedules
specified by City and contained in the Statement of Economic Interests Form 700.
Contractor, for Contractor and on behalf of Contractor's agents, employees,
subcontractors and consultants warrants that by execution of this Agreement, that they
have no interest, present or contemplated, in the projects affected by this Agreement.
Contractor further warrants that neither Contractor, nor Contractor's agents, employees,
subcontractors and consultants have any ancillary real property, business interests or
income that will be affected by this Agreement or, alternatively, that Contractor will file
with the City an affidavit disclosing this interest.
16. GENERAL COMPLIANCE WITH LAWS
Contractor will keep fully informed of federal, state and local laws and ordinances and
regulations which in any manner affect those employed by Contractor, or in any way
affect the performance of the Services by Contractor. Contractor will at all times observe
and comply with these laws, ordinances, and regulations and will be responsible for the
compliance of Contractor's services with all applicable laws, ordinances and regulations.
Contractor will be aware of the requirements of the Immigration Reform and Control Act
of 1986 and will comply with those requirements, including, but not limited to, verifying
the eligibility for employment of all agents, employees, subcontractors and consultants
that the services required by this Agreement.
17. DISCRIMINATION AND HARASSMENT PROHIBITED
Contractor will comply with all applicable local, state and federal laws and regulations
prohibiting discrimination and harassment.
18. DISPUTE RESOLUTION
If a dispute should arise regarding the performance of the Services the following
procedure will be used to resolve any questions of fact or interpretation not otherwise
settled by agreement between the parties. Representatives of Contractor or City will
reduce such questions, and their respective views, to writing. A copy of such
documented dispute will be forwarded to both parties involved along with recommended
methods of resolution, which would be of benefit to both parties. The representative
receiving the letter will reply to the letter along with a recommended method of
resolution within ten (10) business days. If the resolution thus obtained is unsatisfactory
to the aggrieved party, a letter outlining the disputes will be forwarded to the City
Manager. The City Manager will consider the facts and solutions recommended by each
party and may then opt to direct a solution to the problem. In such cases, the action of
the City Manager will be binding upon the parties involved, although nothing in this
procedure will prohibit the parties from seeking remedies available to them at law.
19. TERMINATION
In the event of the Contractor's failure to prosecute, deliver, or perform the Services,
City may terminate this Agreement for nonperformance by notifying Contractor by
certified mail of the termination. If City decides to abandon or indefinitely postpone the
work or services contemplated by this Agreement, City may terminate this Agreement
upon written notice to Contractor. Upon notification of termination, Contractor has five
(5) business days to deliver any documents owned by City and all work in progress to
City address contained in this Agreement. City will make a determination of fact based
upon the work product delivered to City and of the percentage of work that Contractor
has performed which is usable and of worth to City in having the Agreement completed.
Based upon that finding City will determine the final payment of the Agreement.
Either party upon tendering thirty (30) days written notice to the other party may
terminate this Agreement. In this event and upon request of City, Contractor will
assemble the work product and put it in order for proper filing and closing and deliver it
to City. Contractor will be paid for work performed to the termination date; however, the
total will not exceed the lump sum fee payable under this Agreement. City will make the
final determination as to the portions of tasks completed and the compensation to be
made.
20. COVENANTS AGAINST CONTINGENT FEES
Contractor warrants that Contractor has not employed or retained any company or
person, other than a bona fide employee working for Contractor, to solicit or secure this
Agreement, and that Contractor has not paid or agreed to pay any company or person,
other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift,
or any other consideration contingent upon, or resulting from, the award or making of
this Agreement. For breach or violation of this warranty, City will have the right to annul
this Agreement without liability, or, in its discretion, to deduct from the Agreement price
or consideration, or otherwise recover, the full amount of the fee, commission,
percentage, brokerage fees, gift, or contingent fee.
21. CLAIMS AND LAWSUITS
By signing this Agreement, Contractor agrees that any Agreement claim submitted to
City must be asserted as part of the Agreement process as set forth in this Agreement
and not in anticipation of litigation or in conjunction with litigation. Contractor
acknowledges that if a false claim is submitted to City, it may be considered fraud and
Contractor may be subject to criminal prosecution. Contractor acknowledges that
California Government Code sections 12650 et seq., the False Claims Act applies to
this Agreement and, provides for civil penalties where a person knowingly submits a
false claim to a public entity. These provisions include false claims made with deliberate
ignorance of the false information or in reckless disregard of the truth or falsity of
information. If City seeks to recover penalties pursuant to the False Claims Act, it is
entitled to recover its litigation costs, including attorney's fees. Contractor acknowledges
that the filing of a false claim may subject Contractor to an administrative debarment
proceeding as the result of which Contractor may be prevented to act as a Contractor
on any public work or improvement for a period of up to five (5) years. Contractor
acknowledges debarment by another jurisdiction is grounds for City to terminate this
Agreement.
22. JURISDICTIONS AND VENUE
Any action at law or in equity brought by either of the parties for the purpose of
enforcing a right or rights provided for by this Agreement will be tried in a court of
competent jurisdiction in the County of San Diego, State of California, and the parties
waive all provisions of law providing for a change of venue in these proceedings to any
other county.
23. SUCCESSORS AND ASSIGNS
It is mutually understood and agreed that this Agreement will be binding upon City and
Contractor and their respective successors. Neither this Agreement or any part of it nor
any monies due or to become due under it may be assigned by Contractor without the
prior consent of City, which shall not be unreasonably withheld.
24. ENTIRE AGREEMENT
This Agreement, together with any other written document referred to or contemplated
by it, along with the purchase order for this Agreement and its provisions, embody the
entire Agreement and understanding between the parties relating to the subject matter
of it. In case of conflict, the terms of the Agreement supersede the purchase order.
Neither this Agreement nor any of its provisions may be amended, modified, waived or
discharged except in a writing signed by both parties.
25. AUTHORITY
The individuals executing this Agreement and the instruments referenced in it on behalf
of Contractor each represent and warrant that they have the legal power, right and
actual authority to bind Contractor to the terms and conditions of this Agreement.
CONTRACTOR
*By:
(sign here)
Scott Walker / VP-Operations
(print name/title)
swalker@accuvant.com
(e-mail address)
**By:
(sign here)
Edward S. Wittman / CFO
(print name/title)
ewittman@accuvant.com
(e-mail address)
CITY OF CARLSBAD, a municipal corporation of the State of California
ATTEST
LORRAINE
City Clerk
If required by City, proper notarial acknowledgment of execution by Contractor
must be attached. If a Corporation, Agreement must be signed by one corporate
officer from each of the following two groups.
*Group A.
Chairman,
President, or
Vice-President
**Group B.
Secretary,
Assistant Secretary,
CFO or Assistant Treasurer
Otherwise, the corporation must attach a resolution certified by the secretary or
assistant secretary under corporate seal empowering the officer(s) signing to bind the
corporation.
APPROVED AS TO FORM:
RONALD
By:
City Attorney
City Attorney Approved Version #04.01.02
EXHIBIT "A"
SCOPE OF SERVICES
Itemized List of what Contractor will do for City and at what price.
The Enterprise Security Assessment is to begin within 30 days following
receipt of a purchase order and be completed within 60 days. Reports are due in
14 days in draft form for review. Final reports are due 10 days following
Contractor receipt of City staff draft comments and/or corrections. Price for these
services is agreed to be $74,980.00 due upon completion. The assessment is to
adhere to the September 28, 2007 'Enterprise Information Security Assessment
Proposal' from Accuvant Inc. and will include the following...
ASSESSMENT CRITERIA DEVELOPMENT
POLICY
- Existing policies and procedures will be reviewed in order to determine the
standards that should be in place within the environment.
STANDARDS
- Security controls will be defined targeting compliance with pertinent regulations
and/or controls standards such as ISO17799 and NIST800-53 as well as the
organization's own policies.
EXTERNAL TESTING
EXTERNAL ASSESSMENT
- Information Gathering - Accuvant will perform detailed information
gathering, data mining procedures and device discovery review both in the
public domain and targeting the subnet ranges supplied by the City of
Carlsbad.
- Vulnerability Discovery - Accuvant will perform detailed security analysis
and vulnerability scanning using a comprehensive suite of commercial and
open source tools on up to 6 externally visible devices (currently identified as:
mail, docpub, www, F5, telestaff, FD pix)
- Confirmation - All identified vulnerabilities reviewed and validated with
coordinated exploitation of targeted issues
WEB APPLICATION
- Perform basic application security testing techniques using automated tools
for City of Carlsbad web applications identified during the external testing
WAR DIALING
- Discovery - Accuvant will scan and manually review 236 phone numbers for
listening devices
- Analysis - Identified devices analyzed and categorized based on device type
and function
- Exploitation - Validation of the security mechanisms (if any) in place on
identified systems that are reachable via City of Carlsbad DID range (PBX
systems, modems, Fax machines, etc.)
SOCIAL ENGINEERING
- Physical - Incorporated into the onsite testing phases, this component takes
advantage of the environment users and physical security weaknesses to target
compromise of the data housed at the targeted facility
- Users - This component uses various communication mediums (email,
telephone, IM, etc.) to take advantage of the environment users in order to gain
access to sensitive information or targeted data
INTERNAL TESTING
SERVERS
- Discovery - Discovery and enumeration of 250 systems / devices.
- Vulnerability Testing - Vulnerability discovery and vulnerability confirmation of 6
server based systems. This effort will include targeted database testing of 2
MSSQL servers using the AppDetective tool, (currently identified as: core,
sql_db2/fdsql01/fdsqlc01n1, citydb, DMS, Faraday, ESMCsrv)
WORKSTATIONS
- Detailed testing against a representative sample of 5 workstations.
APPLICATIONS
- Perform basic application security testing for 6 critical web-applications. The
applications to be targeted will be detailed within the pre-project planning phases
and the testing will be limited to an average of 8 hours per application, (ecare,
DMS web, Hansen, mainstar, EMSCweb, mp-web)
PHYSICAL SECURITY
- Penetration - Attempt targeted compromise of City data through physical
means at 6 physical locations.
ARCHITECTURE ANALYSIS
- Gap Analysis - Gather information about the current capabilities of existing
security and network architecture and then perform a gap analysis between
industry best practices/pertinent controls and the organization's current posture.
THREAT TRAFFIC ANALYSIS
- IPS device placed on network at a single site/location selected by the City of
Carlsbad.
CONFIGURATION REVIEWS
- Systems - Manual and automated configuration review of a maximum of 6
servers and 5 workstations, (currently identified as: citrix-2, central-dc2, dmz-dc,
admin2k3, nwmaster, gisweb), (random staff workstations)
- Network Devices - Manual and automated configuration review of a maximum
of 3 network devices that support the security of the environment, (currently
identified as: Cisco wireless controller, CAD pix, FD ASA)
SECURITY COVERAGE WORKSHOP
- Gather information about the current capabilities of the City of Carlsbad's
existing security and network architecture and perform a gap analysis.
REMEDIATION PLANNING & KNOWLEDGE TRANSFER
WORKSHOP
- Informal knowledge transfer will occur throughout each phase of the
assessment and a workshop discussion amongst the Accuvant project team and
City of Carlsbad team members is planned to take place during the conclusion of
the assessment effort.
DELIVERABLE CREATION
COMPREHENSIVE
- A comprehensive assessment deliverable will be produced at the conclusion of
the assessment summarizing the findings and remediation strategy. This will
include an executive level summary as well as relevant detailed technical
findings and recommendations regarding any identified weaknesses in the
environment.
ROADMAP
- Stand-alone document that details the security initiatives, strategies and
execution timelines defined for the organization through the assessment.