CC Resolution 14249 (Network Security Risk Assessment)

RESOLUTION NO. 14249

RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SAN RAFAEL APPROVING AND AUTHORIZING THE CITY MANAGER TO EXECUTE A PROFESSIONAL SERVICES AGREEMENT WITH FIREEYE, INC., DBA MANDIANT FOR NETWORK MULTI-PHASE SECURITY ASSESSMENT AND RISK MITIGATION, IN AN AMOUNT NOT TO EXCEED $58,000.

WHEREAS, the City requires information technology security specific expertise in performing network and social engineering threat analysis; and

WHEREAS, the City requires information technology security specific expertise in designing and implementing risk mitigation strategies to counter any identified network security issues; and

WHEREAS, FireEye, Inc., dba Mandiant ("Mandiant") is an acknowledged industry leader in implementing specialized network security analysis and risk mitigation methodologies that include planning, infrastructure and business process analysis, risk identification, risk mitigation strategy development and implementation; and

WHEREAS, Mandiant is also experienced in assisting customers with improvement of technology-related processes and procedures with special emphasis on security as needed to meet the modern challenges of interconnected computer systems and networks; and

WHEREAS, the City wishes to enter into an agreement with Mandiant to provide network security assessment and risk mitigation services; and

WHEREAS, the City Council finds that such an agreement falls under the Professional Services Agreement provisions of San Rafael Municipal Code Chapter 2.60.

NOW, THEREFORE, IT IS HEREBY RESOLVED that the Council does hereby approve and authorize the City Manager to execute a Professional Services Agreement with Mandiant, in a form approved by the City Attorney, for network security assessment and risk mitigation services in an amount not to exceed $58,000.

I, ESTHER C. BEIRNE, Clerk of the City of San Rafael, hereby certify that the foregoing Resolution was duly and regularly introduced and adopted at a regular meeting of the City Council of said City held on Monday, the 19th day of December, 2016 by the following vote, to wit:

AYES: COUNCILMEMBERS: Bushey, Gamblin & Mayor Phillips
NOES: COUNCILMEMBERS: None
ABSENT: COUNCILMEMBERS: Colin and McCullough

ESTHER C. BEIRNE, City Clerk

AGREEMENT FOR PROFESSIONAL SERVICES FOR INFORMATION TECHNOLOGY NETWORK INFRASTRUCTURE SECURITY ASSESSMENT AND MITIGATION SERVICES

This Agreement is made and entered into this ___ day of January, 2017, by and between the CITY OF SAN RAFAEL (hereinafter "CITY"), and FireEye, Inc., a corporation, dba Mandiant, (hereinafter "CONTRACTOR").

RECITALS

WHEREAS, the CITY requires information technology security specific expertise in performing network and social engineering threat analysis; and

WHEREAS, the CITY requires information technology security specific expertise in designing and implementing risk mitigation strategies to counter any identified network security issues; and

WHEREAS, CONTRACTOR is an acknowledged industry leader in implementing specialized network security analysis and risk mitigation methodologies that include planning, infrastructure and business process analysis, risk identification, risk mitigation strategy development and implementation; and

WHEREAS, CONTRACTOR is also experienced in assisting customers with improvement of technology-related processes and procedures with special emphasis on security as needed to meet the modern challenges of interconnected computer systems and networks.

AGREEMENT

NOW, THEREFORE, the parties hereby agree as follows:

1. PROJECT COORDINATION.

A. CITY'S Project Manager. The Information Technology Manager is hereby designated the PROJECT MANAGER for the CITY, and said PROJECT MANAGER shall supervise all aspects of the progress and execution of this Agreement.

B. CONTRACTOR'S Project Director.
CONTRACTOR shall assign a single PROJECT DIRECTOR to have overall responsibility for the progress and execution of this Agreement for CONTRACTOR. Navid Jam is hereby designated as the PROJECT DIRECTOR for CONTRACTOR. Should circumstances or conditions subsequent to the execution of this Agreement require a substitute PROJECT DIRECTOR, for any reason, the CONTRACTOR shall notify the CITY within ten (10) business days of the substitution.

2. DUTIES OF CONTRACTOR.

CONTRACTOR shall perform the duties as described in the Contractor Statement of Work, dated July 13, 2016, attached as Exhibit A hereto and incorporated herein.

3. DUTIES OF CITY.

CITY shall pay the compensation as provided in Paragraph 4, and perform the duties as follows:
- Assist CONTRACTOR in gathering current information on CITY technology infrastructure.
- Participate in project-specific meetings with CONTRACTOR as needed.
- Assist CONTRACTOR in evaluating CITY's current security environment and identifying potential tasks, projects and priorities for improving this environment.
- Participate in meetings with CONTRACTOR to review ongoing efforts, potential solutions, and other security topics that may arise during the term of this Agreement.
- Provide general oversight for the work to be done by CONTRACTOR under this Agreement.
- Any other duties the CITY is responsible for as set forth in Exhibit A, attached hereto and incorporated herein.

4. COMPENSATION.

For the full performance of the services described herein by CONTRACTOR, CITY shall pay CONTRACTOR on a time and materials basis as specified in Exhibit A, provided that the total amount paid to CONTRACTOR will not exceed a total of $58,000.00 USD, including expenses and any applicable sales taxes, without a mutually agreed upon written amendment to this Agreement. Payment will be made within thirty (30) days of receipt by PROJECT MANAGER of itemized invoices submitted by CONTRACTOR.

5. TERM OF AGREEMENT.
The term of this Agreement shall be for up to 6 months commencing on the date of this Agreement. Notwithstanding the foregoing, the parties may mutually agree to extend the term of the Agreement an additional 6 months in order to complete the services in Exhibit A, with City Manager's written approval.

6. DEFINITIONS.

A. "Deliverables" means the written reports that are created by CONTRACTOR specifically for CITY as a result of the Services provided hereunder, and that are identified as deliverables on a Statement of Work. In no event will Indicators of Compromise be considered "Deliverables," even if such Indicators are incorporated into a Deliverable.

B. "Indicators of Compromise" or "Indicators" means specifications of anomalies, configurations, or other conditions that CONTRACTOR is capable of identifying within an information technology infrastructure.

C. "Confidential Information" means the non-public information that is exchanged between the parties, provided that such information is: (i) identified as confidential at the time of disclosure by the disclosing party ("Discloser"), or (ii) disclosed under circumstances that would indicate to a reasonable person that the information should be treated as confidential by the party receiving such information ("Recipient").

D. "CONTRACTOR Intellectual Property (IP)" means all CONTRACTOR proprietary materials, including without limitation CONTRACTOR'S Confidential Information (as defined above), Deliverables, any hardware and/or software used by CONTRACTOR in performing Services, Indicators of Compromise, CONTRACTOR'S processes and methods (including any forensic investigation processes and methods), and any CONTRACTOR templates and/or forms, including report and presentation templates and forms.

E. "CITY-Owned Property" means any technology, software, algorithms, formulas, techniques or know-how and other tangible and intangible items that were owned by CITY, or developed by or for CITY prior to the Effective Date that are provided by CITY to CONTRACTOR for incorporation into or used in connection with the development of the Deliverables or performance of Services.

7. TERMINATION.

A. Discretionary. Either party may terminate this Agreement without cause upon thirty (30) days written notice mailed or personally delivered to the other party.

B. Cause. Either party may terminate this Agreement for cause upon fifteen (15) days written notice mailed or personally delivered to the other party, and the notified party's failure to cure or correct the cause of the termination, to the reasonable satisfaction of the party giving such notice, within such fifteen (15) day time period.

C. Effect of Termination. Upon receipt of notice of termination, neither party shall incur additional obligations under any provision of this Agreement without the prior written consent of the other.

D. Return of Documents. Upon termination, any and all CITY documents or materials provided to CONTRACTOR and, subject to payment by the CITY to the CONTRACTOR, any and all of CONTRACTOR's completed documents and materials prepared for or relating to the performance of its duties under this Agreement, shall be delivered to CITY as soon as possible, but not later than thirty (30) days after termination. Upon the termination or expiration of this Agreement, CONTRACTOR shall have the right to immediate possession of the CONTRACTOR IP (including all copies thereof) wherever located, without demand or notice. Within five (5) days after termination of the Agreement, CITY will return to CONTRACTOR the CONTRACTOR IP or, upon request by CONTRACTOR, destroy the CONTRACTOR IP (with the exception of the CONTRACTOR Hardware) and all copies thereof.

8. INTELLECTUAL PROPERTY.

A. Grant of License.
Subject to CITY'S timely payment of applicable fees, and subject to the terms of this Agreement, CITY shall have a perpetual, non-exclusive, nontransferable right and license to (unless otherwise set forth in a Statement of Work) use, display and reproduce the Deliverables for its internal business purposes. Deliverables may not be shared with any third party other than law enforcement agencies.

B. Intellectual Property Rights. CITY acknowledges that CONTRACTOR may use CONTRACTOR IP to provide the Services, and that CITY may obtain access to certain CONTRACTOR IP as a result of CONTRACTOR'S performance of its obligations under this Agreement. CONTRACTOR IP is and shall remain the sole and exclusive property of CONTRACTOR and CONTRACTOR shall retain all right, title and interest in and to the CONTRACTOR IP and all derivative works thereof. Between CITY and CONTRACTOR, CONTRACTOR shall retain all rights and title in and to any Indicators of Compromise developed by or for CONTRACTOR.

C. Restrictions. Subject to the exceptions set forth in Section 8.A, CITY agrees not to reproduce or modify any portion of the CONTRACTOR IP, and will not disclose, sell, sublicense or otherwise transfer or make available all or any portion of the CONTRACTOR IP to any third party without the prior written consent of CONTRACTOR. Nothing contained in this Agreement shall directly or indirectly be construed to assign or grant to CITY any right, title or interest in or to the trademarks, copyrights, patents or trade secrets of CONTRACTOR or any ownership rights in or to the CONTRACTOR IP. CITY shall not cause or permit the reverse engineering, reverse assembly, or reverse compilation of, or otherwise attempt to derive source code from, the CONTRACTOR IP. CITY shall not create derivative works based upon all or part of the CONTRACTOR IP.
CITY shall not resell, redistribute or make available CONTRACTOR IP or the Services to any third party, and shall not use the CONTRACTOR IP, Services or the Deliverables to provide services to any third party.

D. CITY-Owned Property. CITY will be and remain, at all times, the sole and exclusive owner of the CITY-Owned Property (including, without limitation, any modification, compilation, derivative work of, and all intellectual property and proprietary rights contained in or pertaining thereto). CONTRACTOR will promptly return to CITY all CITY-Owned Property upon the termination or expiration of this Agreement, or sooner at CITY'S request.

9. INSPECTION AND AUDIT.

Upon reasonable notice, CONTRACTOR shall make available to CITY, or its agent, for inspection and audit, all documents and materials maintained by CONTRACTOR in connection with its performance of its duties under this Agreement. CONTRACTOR shall fully cooperate with CITY or its agent in any such audit or inspection.

10. ASSIGNABILITY.

The parties agree that they shall not assign or transfer any interest in this Agreement nor the performance of any of their respective obligations hereunder, without the prior written consent of the other party, and any attempt to so assign this Agreement or any rights, duties or obligations arising hereunder shall be void and of no effect.

11. INSURANCE.

A. Scope of Coverage. During the term of this Agreement, CONTRACTOR shall maintain, at no expense to CITY, the following insurance policies:

1. A commercial general liability insurance policy in the minimum amount of one million dollars ($1,000,000) per occurrence/two million dollars ($2,000,000) aggregate, for death, bodily injury, personal injury, or property damage.

2. An automobile liability (owned, non-owned, and hired vehicles) insurance policy in the minimum amount of one million dollars ($1,000,000) per occurrence.

3. If any licensed professional performs any of the services required to be performed under this Agreement, a professional liability/technology errors & omissions insurance policy in the minimum amount of two million dollars ($2,000,000) per occurrence/two million dollars ($2,000,000) aggregate, to cover any claims arising out of the CONTRACTOR's performance of services under this Agreement. Where CONTRACTOR is a professional not required to have a professional license, CITY reserves the right to require CONTRACTOR to provide professional liability insurance pursuant to this section.

4. If it employs any person, CONTRACTOR shall maintain worker's compensation and employer's liability insurance, as required by the State Labor Code and other applicable laws and regulations, and as necessary to protect both CONTRACTOR and CITY against all liability for injuries to CONTRACTOR's officers and employees. CONTRACTOR'S worker's compensation insurance shall waive any right of subrogation against CITY under a blanket waiver of subrogation provision.

B. Other Insurance Requirements. The insurance coverage required of the CONTRACTOR in subparagraph A of this section above shall also meet the following requirements:

1. Except for professional liability insurance, the insurance policies shall be specifically endorsed to include the CITY, its officers, agents, employees, and volunteers, as additionally named insureds under the policies.

2. The additional insured coverage under CONTRACTOR'S insurance policies shall be primary with respect to any insurance or coverage maintained by CITY and shall not call upon CITY's insurance or self-insurance coverage for any contribution. The "primary and noncontributory" coverage in CONTRACTOR'S policies shall be at least as broad as ISO form CG20 01 04 13.

3. Except for professional liability insurance, the insurance policies shall include, in their text or by endorsement, coverage for contractual liability and personal injury.

4. The insurance policies shall provide for thirty (30) days written notice to the PROJECT MANAGER in the event of any policy cancellation.

5. If the insurance is written on a Claims Made Form, then, following termination of this Agreement, said insurance coverage shall survive for a period of not less than five years.

6. The insurance policies shall provide for a retroactive date of placement coinciding with the effective date of this Agreement.

7. The limits of insurance required in this Agreement may be satisfied by a combination of primary and umbrella or excess insurance.

8. Reserved.

C. Deductibles and SIR'S. Any deductibles or self-insured retentions in CONTRACTOR's insurance policies must be declared to the PROJECT MANAGER and City Attorney, and shall not reduce the limits of liability.

D. Proof of Insurance. CONTRACTOR shall provide to the PROJECT MANAGER or CITY'S City Attorney all of the following: Certificates of Insurance evidencing the insurance coverage required in this Agreement.

12. INDEMNIFICATION.

A. Except as otherwise provided in Paragraph B., CONTRACTOR shall, to the fullest extent permitted by law, indemnify, release, defend with counsel, and hold harmless CITY, its officers, agents, employees and volunteers (collectively, the "City Indemnitees"), from and against any claim, demand, suit, judgment, loss, liability or expense of any kind, including but not limited to attorney's fees, expert fees and all other costs and fees of litigation, (collectively "CLAIMS"), arising out of CONTRACTOR'S performance of its obligations or conduct of its operations under this Agreement, including CONTRACTOR's violation of any third party patent or other intellectual property rights in connection with its operations hereunder, all subject to the Limitation of Liability in Subsection D, below. The CONTRACTOR's obligations apply regardless of whether or not a liability is caused or contributed to by the active or passive negligence of the City Indemnitees.
However, to the extent that liability is caused by the active negligence or willful misconduct of the City Indemnitees, the CONTRACTOR's indemnification obligation shall be reduced in proportion to the City Indemnitees' share of liability for the active negligence or willful misconduct. In addition, the acceptance or approval of the CONTRACTOR's work or work product by the CITY or any of its directors, officers or employees shall not relieve or reduce the CONTRACTOR's indemnification obligations. In the event the City Indemnitees are made a party to any action, lawsuit, or other adversarial proceeding arising from CONTRACTOR'S performance of or operations under this Agreement, CONTRACTOR shall provide a defense to the City Indemnitees or at CITY'S option reimburse the City Indemnitees their costs of defense, including reasonable attorneys' fees, incurred in defense of such claims.

B. Where the services to be provided by CONTRACTOR under this Agreement are design professional services to be performed by a design professional as that term is defined under Civil Code Section 2782.8, CONTRACTOR shall, to the fullest extent permitted by law, indemnify, release, defend and hold harmless the City Indemnitees from and against any CLAIMS that arise out of, pertain to, or relate to the negligence, recklessness, or willful misconduct of CONTRACTOR in the performance of its duties and obligations under this Agreement or its failure to comply with any of its obligations contained in this Agreement, except such CLAIM which is caused by the sole negligence or willful misconduct of CITY.

C. The defense and indemnification obligations of this Agreement are undertaken in addition to, and shall not in any way be limited by, the insurance obligations contained in this Agreement, and shall survive the termination or completion of this Agreement for the full period of time allowed by law.

D. Limitation of Liability.
THE TOTAL AGGREGATE LIABILITY OF CONTRACTOR TO THE CITY AND ALL OTHER PARTIES FOR ANY CLAIM ARISING IN CONNECTION WITH THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT OF THE LIMITS OF THE INSURANCE REQUIRED UNDER THIS AGREEMENT (TWO MILLION DOLLARS, AS DEFINED IN SECTION 11(A)(1)). THIS LIMITATION OF LIABILITY WILL APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY LOST REVENUES OR PROFITS, OR OTHER INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES PERFORMED UNDER THIS AGREEMENT, EVEN IF THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING LIMITATIONS OF LIABILITY AND DISCLAIMERS OF DAMAGES ARE INDEPENDENT OF THE EXCLUSIVE REMEDY SET FORTH IN SECTION 24(A). THE LIMITATIONS OF LIABILITY CONTAINED IN THIS AGREEMENT WILL APPLY ONLY TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING IN THIS AGREEMENT PURPORTS TO LIMIT EITHER PARTY'S LIABILITY IN A MANNER THAT WOULD BE UNENFORCEABLE OR VOID AS AGAINST PUBLIC POLICY IN THE APPLICABLE JURISDICTION.

The disclaimers, exclusions and limitations of liability set forth in this Agreement form an essential basis of the bargain between the Parties and, absent any of such disclaimers, exclusions or limitations of liability, the provisions of this Agreement, including without limitation the economic terms, would be substantially different.

13. NONDISCRIMINATION.

CONTRACTOR shall not discriminate, in any way, against any person on the basis of age, sex, race, color, religion, ancestry, national origin or disability in connection with or related to the performance of its duties and obligations under this Agreement.

14. COMPLIANCE WITH ALL LAWS.
CONTRACTOR shall observe and comply with all applicable federal, state and local laws, ordinances, codes and regulations, in the performance of its duties and obligations under this Agreement. CONTRACTOR shall perform all services under this Agreement in accordance with these laws, ordinances, codes and regulations. CONTRACTOR shall release, defend, indemnify and hold harmless CITY, its officers, agents and employees from any and all damages, liabilities, penalties, fines and all other consequences from any noncompliance or violation of any laws, ordinances, codes or regulations.

15. NO THIRD PARTY BENEFICIARIES.

CITY and CONTRACTOR do not intend, by any provision of this Agreement, to create in any third party, any benefit or right owed by one party, under the terms and conditions of this Agreement, to the other party.

16. NOTICES.

All notices and other communications required or permitted to be given under this Agreement, including any notice of change of address, shall be in writing and given by personal delivery, or deposited with the United States Postal Service, postage prepaid, addressed to the parties intended to be notified. Notice shall be deemed given as of the date of personal delivery, or if mailed, upon the date of deposit with the United States Postal Service. Notice shall be given as follows:

TO CITY's Project Manager:
Gus Bush
City of San Rafael
1400 Fifth Avenue
San Rafael, CA 94901

TO CONTRACTOR's Project Director:
Navid Jam, Director
Information Security Consulting Services
135 Main Street, Suite 550
San Francisco, CA 94105

WITH A COPY TO:
FireEye, Inc.
Attn: General Counsel
1440 McCarthy Boulevard
Milpitas, CA 95035

17. INDEPENDENT CONTRACTOR.

For the purposes, and for the duration, of this Agreement, CONTRACTOR, its officers, agents and employees shall act in the capacity of an Independent Contractor, and not as employees of the CITY.
CONTRACTOR and CITY expressly intend and agree that the status of CONTRACTOR, its officers, agents and employees be that of an Independent Contractor and not that of an employee of CITY.

18. ENTIRE AGREEMENT -- AMENDMENTS.

A. The terms and conditions of this Agreement, all exhibits attached, and all documents expressly incorporated by reference, represent the entire Agreement of the parties with respect to the subject matter of this Agreement.

B. This written Agreement shall supersede any and all prior agreements, oral or written, regarding the subject matter between the CONTRACTOR and the CITY.

C. No other agreement, promise or statement, written or oral, relating to the subject matter of this Agreement, shall be valid or binding, except by way of a written amendment to this Agreement.

D. The terms and conditions of this Agreement shall not be altered or modified except by a written amendment to this Agreement signed by the CONTRACTOR and the CITY.

E. If any conflicts arise between the terms and conditions of this Agreement, and the terms and conditions of the attached exhibits or the documents expressly incorporated by reference, the terms and conditions of this Agreement shall control.

19. SET-OFF AGAINST DEBTS.

CONTRACTOR agrees that CITY may deduct from any payment due to CONTRACTOR under this Agreement, any monies which CONTRACTOR owes CITY under any ordinance, agreement, contract or resolution for any unpaid taxes, fees, licenses, assessments, unpaid checks or other amounts.

20. WAIVERS.

The waiver by either party of any breach or violation of any term, covenant or condition of this Agreement, or of any ordinance, law or regulation, shall not be deemed to be a waiver of any other term, covenant, condition, ordinance, law or regulation, or of any subsequent breach or violation of the same or other term, covenant, condition, ordinance, law or regulation.
The subsequent acceptance by either party of any fee, performance, or other consideration which may become due or owing under this Agreement, shall not be deemed to be a waiver of any preceding breach or violation by the other party of any term, condition, covenant of this Agreement or any applicable law, ordinance or regulation.

21. COSTS AND ATTORNEY'S FEES.

The prevailing party in any action brought to enforce the terms and conditions of this Agreement, or arising out of the performance of this Agreement, may recover its reasonable costs (including claims administration) and attorney's fees expended in connection with such action.

22. CITY BUSINESS LICENSE / OTHER TAXES.

CONTRACTOR shall obtain and maintain during the duration of this Agreement, a CITY business license as required by the San Rafael Municipal Code. CONTRACTOR shall pay any and all state and federal taxes and any other applicable taxes. CITY shall not be required to pay for any work performed under this Agreement, until CONTRACTOR has provided CITY with a completed Internal Revenue Service Form W-9 (Request for Taxpayer Identification Number and Certification).

23. APPLICABLE LAW.

The laws of the State of California shall govern this Agreement.

24. CONFIDENTIALITY.

A. Confidential Information.
Each party agrees that it shall: (i) take reasonable measures to protect the Confidential Information by using the same degree of care, but no less than a reasonable degree of care, to prevent the unauthorized use, dissemination or publication of the Confidential Information as the Recipient uses to protect its own confidential information of a like nature; (ii) limit disclosure to those persons within Recipient's organization with a need to know and who have previously agreed in writing, prior to receipt of Confidential Information either as a condition of their employment or in order to obtain the Confidential Information, to obligations similar to the provisions hereof; (iii) not copy, reverse engineer, disassemble, create any works from, or decompile any prototypes, software or other tangible objects which embody the other party's Confidential Information and/or which are provided to the party hereunder; (iv) not use the Confidential Information of the other Party for any purpose other than to perform or receive (as applicable) the Services hereunder; and (v) comply with, and obtain all authorizations required by, all applicable export control laws or regulations.

Confidential Information shall not include information that is (a) part of or becomes part of the public domain (other than by disclosure by the receiving Party in violation of this Agreement); (b) previously known to the receiving Party without an obligation of confidentiality; (c) independently developed by the receiving Party outside this Agreement; or (d) rightfully obtained by the receiving Party from third parties without an obligation of confidentiality.

At the end of this Agreement, or earlier if requested by the disclosing Party, the receiving Party shall promptly return or destroy all Confidential Information, other than Confidential Information that may be retained in backup resources or for administrative purposes such as financial reporting and record-keeping.

B. Exceptions.
Notwithstanding Section 23(A), if CITY has hired CONTRACTOR to perform a PCI DSS Compliance Audit or a PCI investigation, Mandiant may provide The Payment Card Industry Security Standards Council, LLC (PCI SSC), card companies and the relevant merchant bank with all Reports of Compliance (ROC) and all related assessment and investigative report documents generated in connection with such work.

Notwithstanding Section 23(A), either Party may disclose the Confidential Information of the other Party to the extent such disclosure is required to comply with applicable law, including a records request under the California Public Records Act and a subpoena in connection with any civil or criminal proceeding, or the valid order or requirement of a governmental or regulatory agency or court of competent jurisdiction, provided that the disclosing Party notifies the Party to whom the Confidential Information belongs as soon as practicable of any such requirement, so that the other Party may take whatever action that Party deems appropriate to protect that information.

C. Publicity and Advertising. Notwithstanding any other provision of this Agreement, neither Party may issue press releases or endorsements which reference the other Party or include statements attributable to the other Party without the prior written consent of the other Party.

25. WARRANTIES.

A. Limited Warranty. CONTRACTOR warrants that the Services will be provided in a professional manner pursuant to industry standards for the same or similar services.

B. Acceptance. CITY shall have fifteen (15) business days from CITY's receipt of each Deliverable to review such Deliverable (the "Acceptance Period") to determine whether the Deliverable conforms to the written specifications for that Deliverable set forth in the Statement of Work (the "Specifications").
After CITY has completed the review described in this Section, CITY will notify CONTRACTOR in writing either that: (i) the Deliverable conforms to the Specifications and acceptance has occurred ("Acceptance"); or (ii) the Deliverable does not conform to the Specifications. Acceptance shall also be deemed to occur if CITY does not notify CONTRACTOR of its acceptance or rejection of a Deliverable prior to the expiration of the Acceptance Period. Upon receipt of such notice of non-conformance, CONTRACTOR will correct and re-deliver such Deliverable. The foregoing states CITY's sole remedy, and CONTRACTOR's sole obligation, with respect to Deliverables that fail to conform to Specifications.

C. THE ABOVE-STATED LIMITED WARRANTY REPLACES ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF CONDITION, UNINTERRUPTED USE, ACCURACY, LEVELS OF SERVICE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, AND CONTRACTOR DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.

26. COUNTERPARTS.

This Agreement may be executed in counterparts, each of which shall be deemed to be an original, and all of which together shall constitute one and the same agreement.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the day, month and year first above written.

CITY OF SAN RAFAEL
JIM SCHUTZ, City Manager

ATTEST:
ESTHER C. BEIRNE, City Clerk

APPROVED AS TO FORM:
ROBERT F. EPSTEIN, City Attorney

CONTRACTOR
By: [signature]
Printed Officer Name: [illegible]
Title: [illegible]
By: [signature]
Printed Officer Name: [illegible]
Title: [illegible]

CONTRACT ROUTING FORM

INSTRUCTIONS: Use this cover sheet to circulate all contracts for review and approval in the order shown below.
TO BE COMPLETED BY INITIATING DEPARTMENT PROJECT MANAGER:
Contracting Department: IT
Project Manager: Gus Bush
Extension: 5302
Contractor Name: FireEye/Mandiant
Contractor's Contact: Blaire Krochak
Contact's Email: blaire.krochak@fireeye.com
[ ] FPPC: Check if Contractor/Consultant must file Form 700

Step / Responsible Department / Description / Completed Date / Reviewer Check/Initial

1. Project Manager
   a. Email PINS Introductory Notice to Contractor: 10/19/2016, GB
   b. Email contract (in Word) & attachments to City Atty c/o Laraine.Gittens@cityofsanrafael.org: 10/19/2016, FA

2. City Attorney
   a. Review, revise, and comment on draft agreement and return to Project Manager: (date not entered)
   b. Confirm insurance requirements, create Job on PINS, send PINS insurance notice to contractor: (date not entered)

3. Project Manager: Forward three (3) originals of final agreement to contractor for their signature: 12/14/2016, FZGB

4. Project Manager: When necessary,* contractor-signed agreement agendized for Council approval: [ ] N/A, or [x] GB; Date of Council approval: 12/19/2016
   *PSA > $20,000; or Purchase > $35,000; or Public Works Contract > $125,000

PRINT - CONTINUE ROUTING PROCESS WITH HARD COPY

5. Project Manager: Forward signed original agreements to City Attorney with printed copy of this routing form: 12/21/2016, GB

6. City Attorney: Review and approve hard copy of signed agreement: (mark illegible)

7. City Attorney: Review and approve insurance in PINS, and bonds: (mark illegible)

8. City Manager / Mayor (for Public Works Contracts): Agreement executed by Council authorized official: (mark illegible)

9. City Clerk: Attest signatures, retains original agreement and forwards copies to Project Manager

Statement of Work
Agreement for Professional Services For Information Technology Network Infrastructure Security Assessment and Mitigation Services

1. DESCRIPTION OF SERVICES

During the term of this SOW, Mandiant agrees to provide professional services as directed by Customer.
The activities to be performed will consist of the following:

Task 1: External Penetration Test
Mandiant will perform security testing of Customer's Internet accessible systems. Mandiant will use a basic four-step approach of identifying systems, scanning the systems for vulnerabilities, validating the vulnerabilities discovered during the scan, and optionally exploiting vulnerabilities.

Using target IP address ranges provided by the Customer, Mandiant will use network scanning tools to identify which specific IP addresses are in use and the operating system and type of the device using each address. Mandiant will then conduct further scans in order to identify TCP and UDP ports open on the system and the services listening on those ports. Mandiant will also map the topology of the target network.

Mandiant will then proceed to searching identified systems and services for known vulnerabilities and misconfigurations. Web servers in scope of the assessment will be examined to identify "off-the-shelf" (non-custom) web applications with known vulnerabilities. Mandiant will also perform manual testing of identified services and non-custom web applications.

Upon Customer approval, Mandiant will proceed to exploit identified vulnerabilities in order to validate the presence and impact of the issues. Mandiant will attempt to use compromised systems and services to exploit other systems in Customer's network in order to test the depth of network defenses.

Task 2: Internal Penetration Test
Mandiant will perform security testing of Customer's corporate network. Mandiant will use a basic four-step approach of identifying systems, scanning the systems for vulnerabilities, validating the vulnerabilities discovered during the scan, and optionally exploiting vulnerabilities.

Using the IP address blocks provided by Customer, Mandiant will use network scanning tools to identify which specific IP addresses are in use, the operating system, and type of the device using each address.
Mandiant will then conduct further scans in order to identify TCP and UDP ports open on the system and the services listening on those ports. Mandiant will also map the topology of the target network.

Based upon the agreed scope, Mandiant will then proceed to searching identified systems and services for known vulnerabilities and misconfigurations. Web servers in scope of the assessment will be examined to identify "off-the-shelf" (non-custom) web applications with known vulnerabilities. Mandiant will also perform manual testing of identified services and non-custom web applications.

Upon Customer approval, Mandiant will proceed to exploit identified vulnerabilities in order to validate the presence and impact of the issues. Mandiant will attempt to use compromised systems and services to exploit other systems in Customer's network in order to test the depth of network defenses.

Task 3: Social Engineering
Mandiant will perform social engineering campaigns targeting Customer's employees. Mandiant will perform email-based campaigns.

Mandiant will begin the social engineering assessment by conducting a formal reconnaissance of the Customer. The objective of this phase is detailed information about Customer's employees, including email addresses that can be used in later phases. Also targeted is information about Customer's workplaces, including the location and type of facility. This information is obtained from Customer's web site, along with other online resources such as social network sites, mailing list archives, newsgroups, and online forums. When requested, Mandiant can share target information obtained during this phase with a point of contact at the Customer for approval before moving on to later phases.

Mandiant Confidential Exhibit A, Page 1 of 4

Mandiant will then attempt to gain access to Customer systems using email-based phishing, which allows for a relatively anonymous attack and subjects almost every employee to possible exploitation.
The actual techniques used during email-based social engineering will be based on the Customer and the individual targeted. Sense of urgency, requests for assistance, name-dropping, fear, and feigned authority can all be used to some effect. Other possible techniques include masquerading as an outside client or the help desk. Depending on client preferences and characteristics, email-based social engineering may take the form of a mass email to employees (as would be used in a standard phishing attack) or may involve individually targeted emails to select employees (as would be used in a "spear phishing" attack).

Based upon the agreed scope, Mandiant will then proceed to searching identified systems and services for known vulnerabilities and misconfigurations. Web servers in scope of the assessment will be examined to identify "off-the-shelf" (non-custom) web applications with known vulnerabilities. Mandiant will also perform manual testing of identified services and non-custom web applications.

Any services or products not listed above are considered out of scope.

2. DELIVERABLES
The Deliverables to be produced for this engagement are as follows:

Executive Summary: The Executive Summary will provide managers a high-level overview of the engagement. It highlights the strategic areas for improvement and provides an overall analysis of the security posture of the environment.

Technical Report: The Technical Report provides detailed information about the assessment, including the methodology and tools used by Mandiant consultants, as well as the assessment findings. Each finding includes an explanation of the systemic cause, risk rating, and detailed remediation steps. All identified vulnerabilities will be prioritized, and an assessment of the potential cost and effort required to mitigate the vulnerabilities will be provided. The exact format and organization of the technical report can be customized as required.
Presentation of Results: Along with the written Technical Report, Mandiant consultants can present a formal out-brief of the findings to an appropriate audience identified by the Customer.

Each Deliverable will be considered accepted by Customer if Customer has not indicated that it does not accept the Deliverable within fifteen (15) days of the date that Deliverable was delivered to Customer.

3. FEES AND EXPENSES
In consideration for the Services to be performed, Customer agrees to pay the fixed fee amounts reflected in the following table (Task; Expected Cost; Timing):

Task 1: External Penetration Test. Expected cost: $16,000. Timing: Weeks 1-2.
• Security testing of the Customer's Internet accessible systems
• Includes penetration testing of up to 200 live, Internet-accessible systems
• Includes a comprehensive vulnerability assessment of Internet accessible systems
• Performed in coordination with client on the days and times when testing can occur
• Performed using one (1) consultant dedicated to penetration testing
• All penetration test activities are time-bound to a total of seven (7) consultant-days of work including time for production of the final draft report
• Performed remotely from Mandiant offices
• This task does not include remediation validation

Task 2: Internal Penetration Test. Expected cost: $25,000. Timing: Week 3.
• Security testing of the Customer's internally accessible systems
• Includes penetration testing of up to 200 live, internally accessible systems
• Includes a comprehensive vulnerability assessment of internally accessible systems
• Performed in coordination with client on the days and times when testing can occur
• Performed using two (2) consultants dedicated to penetration testing
• All penetration test activities are time-bound to a total of ten (10) consultant-days of work including time for the production of the final draft report
• Performed onsite at the Customer's San Rafael, CA office
• This task does not include remediation validation

Task 3: Social Engineering. Expected cost: $16,000. Timing: Weeks 4-5.
• Social engineering activities will be limited to sending up to 100 emails
• Mandiant and the Customer will agree to one (1) email scenario prior to commencing email-based social engineering
• Goal is to obtain user credentials, customer data, and client data
• Performed in coordination with client on the days and times when testing can occur
• All social engineering activities are time-bound to a total of seven (7) consultant-days of work including time for the production of the final draft report
• Performed remotely from Mandiant offices

Report Development. Expected cost: N/A. Timing: Week 6.

Total: $57,000. Timing: 6 Weeks.

Customer shall reimburse Mandiant for the following expense categories that are directly attributable to work performed under this SOW:
• Travel and living expenses.
• Mileage in company or personal vehicles at the rate approved by the U.S. General Services Administration as of the contract date.
• Telephone, fax, and Internet charges.
• Computer storage media.
• Postage and courier services.
• Printing, reproduction and binding.
• Any other expenses resulting from the work performed under this Agreement.

All fees and expenses will be invoiced upon delivery of the draft Deliverable for each task.

4. ADDITIONAL SECURITY TESTING TERMS AND CONDITIONS
4.1. As a part of the penetration testing, Mandiant may, among other things, (a) scan Customer's network and systems for ports, services and other entry points that can be exploited; and (b) probe those entry points in an effort to gain access to Customer's network and systems in an effort to determine the severity of the vulnerability.

4.2. CUSTOMER UNDERSTANDS THAT, ALTHOUGH MANDIANT TAKES PRECAUTIONS TO AVOID DAMAGE TO CUSTOMER'S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A RESULT OF THE PENETRATION TESTING.
Customer represents and warrants that all systems on its network or otherwise accessible during the penetration test have been backed up, and that any data loss or other damage caused by the penetration testing can be easily and quickly reversed.

4.3. Customer will provide to Mandiant certain information required for performing its tests, including a description and location (e.g., an IP address) of the systems and networks to be tested. Customer represents and warrants that all information provided is true and accurate and that Customer owns or is authorized to represent the owners of the systems and networks described in connection with the penetration testing.

4.4. Customer may inform all or a selected group of its employees, contractors, and other third parties about the penetration testing to be undertaken by Mandiant. In the event that Customer decides not to inform anyone of the penetration testing, Customer understands that people may spend time and money on behalf of Customer in detecting, blocking, investigating or responding to activities of Mandiant. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND EXPENDITURES MAY OCCUR, YOU SHOULD CONSULT WITH YOUR LEGAL COUNSEL AND/OR A MEMBER OF EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS. You may also want to consider contacting such third-party service providers as your telecommunications carrier to alert them to the testing.

4.5. User data contained on systems that are being tested may be accessible to Mandiant and Mandiant may download portions of such data (e.g., as proof of access).

4.6. At any point during the testing, either party may pause or stop the test. Should the testing be terminated, a rationale for such termination shall be provided by the party requesting such termination and such rationale shall be clearly documented.

5. ASSUMPTIONS
1.
Estimated professional fees do not include any hardware, software, licensing, maintenance or support costs of any Mandiant or other third-party product or service suggested by Mandiant as we conduct the activities outlined above.
2. Mandiant will provide Deliverables to Customer throughout this engagement. Draft deliverables are considered final upon confirmation from Customer (written or oral) or fifteen days after their submission date from Mandiant to Customer via email, whichever is shorter.
3. When Mandiant's personnel are performing Services on site at Customer's premises, Customer will allocate appropriate working space and physical access for all Mandiant assigned personnel.
4. Mandiant uses a forty (40) hour billable workweek as its standard. On-site services are generally delivered over a four day, ten (10) hours/day work week, Monday through Thursday, unless otherwise mutually agreed. At Mandiant's sole discretion our consultants may elect to incur greater than 40 billable hours in a workweek.
5. Customer will make available key individuals within the security program that can best help plan operations around security event monitoring and analysis, threat intelligence, and incident response.
6. Mandiant and Customer acknowledge that the scope of, or specific obligations of either party, under the Statement of Work may change during the engagement. Either party may elect to submit written change requests to the other party proposing changes to the Statement of Work. All changes to the requirements and Statement of Work will be made using agreed-to project change control procedures.

6. CONTACT INFORMATION
Customer will provide contact information to Mandiant for those Customer personnel who are designated as Customer's points of contact for the Services.
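The scope controls this SOW relies on (Task 1 and Task 2 start from address ranges the Customer supplies, section 4.3 makes the Customer warrant ownership of those systems, each task caps testing at 200 live systems, and testing happens only on agreed days and times) are the kind of thing an engagement lead on either side would want enforced mechanically before any scanning continues. The following is an added example, not code from Mandiant, the City of San Rafael, or this agreement: it takes a list of hosts a discovery scan reported live, checks each against the authorized ranges, flags anything outside them or beyond the cap, and refuses to proceed outside the agreed window. The address ranges (TEST-NET documentation blocks), the sample discovered hosts, and the Monday-to-Thursday window are constructed values, not figures from the SOW.

```python
"""Engagement scope guard: decide which discovered hosts may be tested.

Added example; not Mandiant's or the City's code. The authorized ranges,
sample hosts and testing window below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample values. In a real engagement the ranges are the ones the
# Customer supplies and warrants under SOW section 4.3.
AUTHORIZED_RANGES = ["203.0.113.0/24", "198.51.100.8/29"]
MAX_LIVE_HOSTS = 200  # SOW Task 1 / Task 2: up to 200 live systems per task
# Constructed window: Monday-Thursday (weekday() 0-3), 08:00 to 18:00.
TESTING_WINDOW = {"weekdays": {0, 1, 2, 3}, "start": time(8, 0), "end": time(18, 0)}


@dataclass
class ScopeDecision:
    in_scope: list = field(default_factory=list)      # authorized and under the cap
    out_of_scope: list = field(default_factory=list)  # not inside any authorized range
    over_cap: list = field(default_factory=list)      # authorized, but beyond the host cap
    invalid: list = field(default_factory=list)       # unparsable entries in the input


def parse_authorized(ranges):
    """Accept CIDR blocks or single addresses; strict=False tolerates host bits."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in ranges]


def classify_hosts(discovered, authorized_ranges, max_live_hosts=MAX_LIVE_HOSTS):
    """Sort live hosts into in-scope, out-of-scope, over-cap and invalid buckets."""
    nets = parse_authorized(authorized_ranges)
    decision = ScopeDecision()
    seen = set()
    for raw in discovered:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            decision.invalid.append(raw)
            continue
        if addr in seen:  # a host reported twice still counts once against the cap
            continue
        seen.add(addr)
        # ipaddress returns False for a v4 address tested against a v6 net and vice versa
        if not any(addr in net for net in nets):
            decision.out_of_scope.append(str(addr))
        elif len(decision.in_scope) >= max_live_hosts:
            decision.over_cap.append(str(addr))
        else:
            decision.in_scope.append(str(addr))
    return decision


def in_testing_window(when, window=TESTING_WINDOW):
    """True when `when` falls on an agreed weekday inside the agreed hours."""
    return when.weekday() in window["weekdays"] and window["start"] <= when.time() < window["end"]


def gate(discovered, when, authorized_ranges=AUTHORIZED_RANGES, window=TESTING_WINDOW):
    """Return (ok, decision, reasons). ok is True only if testing may proceed now."""
    decision = classify_hosts(discovered, authorized_ranges)
    reasons = []
    if not in_testing_window(when, window):
        reasons.append("outside the agreed testing window")
    if decision.out_of_scope:
        reasons.append(f"{len(decision.out_of_scope)} host(s) outside authorized ranges; "
                       "confirm ownership with the Customer (SOW 4.3) before testing them")
    if decision.over_cap:
        reasons.append(f"{len(decision.over_cap)} host(s) exceed the {MAX_LIVE_HOSTS}-host cap; "
                       "needs a change request (SOW Assumptions, item 6)")
    if decision.invalid:
        reasons.append(f"{len(decision.invalid)} unparsable entries in the discovery output")
    return (not reasons, decision, reasons)


if __name__ == "__main__":
    # Constructed discovery output: one duplicate, one address outside scope, one garbage line.
    sample_hosts = ["203.0.113.10", "203.0.113.10", "198.51.100.9", "192.0.2.5", "not-an-ip"]
    ok, decision, reasons = gate(sample_hosts, datetime(2017, 1, 9, 10, 0))  # Monday 10:00
    print("proceed:", ok)
    print("in scope:", decision.in_scope)
    for reason in reasons:
        print("hold:", reason)
```

The guard is deliberately conservative: an address outside the authorized ranges stops the run rather than being silently dropped, because the SOW places the ownership warranty on the Customer and the tester has no way to confirm it unilaterally. The over-cap bucket exists so that the 200-host limit shows up as a documented change-control item rather than as an unnoticed overrun of the consultant-days the fixed fee covers.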