RESOLUTION NO. 14249
RESOLUTION OF THE CITY COUNCIL OF THE CITY OF SAN
RAFAEL APPROVING AND AUTHORIZING THE CITY MANAGER TO
EXECUTE A PROFESSIONAL SERVICES AGREEMENT WITH
FIREEYE, INC., DBA MANDIANT FOR NETWORK MULTI-PHASE
SECURITY ASSESSMENT AND RISK MITIGATION, IN AN AMOUNT
NOT TO EXCEED $58,000.
WHEREAS, the City requires information technology security specific expertise in
performing network and social engineering threat analysis; and
WHEREAS, the City requires information technology security specific expertise in
designing and implementing risk mitigation strategies to counter any identified network security
issues; and
WHEREAS, FireEye, Inc., dba Mandiant ("Mandiant") is an acknowledged industry leader
in implementing specialized network security analysis and risk mitigation methodologies that
include planning, infrastructure and business process analysis, risk identification, risk mitigation
strategy development and implementation; and
WHEREAS, Mandiant is also experienced in assisting customers with improvement of
technology-related processes and procedures with special emphasis on security as needed to meet
the modern challenges of interconnected computer systems and networks; and
WHEREAS, the City wishes to enter into an agreement with Mandiant to provide
network security assessment and risk mitigation services; and
WHEREAS, the City Council finds that such an agreement falls under the Professional
Services Agreement provisions of San Rafael Municipal Code Chapter 2.60.
NOW, THEREFORE, IT IS HEREBY RESOLVED that the Council does hereby
approve and authorize the City Manager to execute a Professional Services Agreement with
Mandiant, in a form approved by the City Attorney, for network security assessment and risk
mitigation services in an amount not to exceed $58,000.
I, ESTHER C. BEIRNE, Clerk of the City of San Rafael, hereby certify that the
foregoing Resolution was duly and regularly introduced and adopted at a regular meeting of the
City Council of said City held on Monday, the 19th day of December, 2016 by the following
vote, to wit:
AYES: COUNCILMEMBERS: Bushey, Gamblin & Mayor Phillips
NOES: COUNCILMEMBERS: None
ABSENT: COUNCILMEMBERS: Colin and McCullough
ESTHER C. BEIRNE, City Clerk
AGREEMENT FOR PROFESSIONAL SERVICES
FOR INFORMATION TECHNOLOGY NETWORK INFRASTRUCTURE SECURITY
ASSESSMENT AND MITIGATION SERVICES
This Agreement is made and entered into this ____ day of January, 2017, by and between
the CITY OF SAN RAFAEL (hereinafter "CITY"), and FireEye, Inc., a corporation, dba Mandiant,
(hereinafter "CONTRACTOR").
RECITALS
WHEREAS, the CITY requires information technology security specific expertise in
performing network and social engineering threat analysis; and
WHEREAS, the CITY requires information technology security specific expertise in
designing and implementing risk mitigation strategies to counter any identified network security
issues; and
WHEREAS, CONTRACTOR is an acknowledged industry leader in implementing
specialized network security analysis and risk mitigation methodologies that include planning,
infrastructure and business process analysis, risk identification, risk mitigation strategy development
and implementation; and
WHEREAS, CONTRACTOR is also experienced in assisting customers with
improvement of technology-related processes and procedures with special emphasis on security as
needed to meet the modern challenges of interconnected computer systems and networks.
AGREEMENT
NOW, THEREFORE, the parties hereby agree as follows:
1. PROJECT COORDINATION.
A. CITY'S Project Manager. The Information Technology Manager is hereby
designated the PROJECT MANAGER for the CITY, and said PROJECT MANAGER shall
supervise all aspects of the progress and execution of this Agreement.
B. CONTRACTOR'S Project Director. CONTRACTOR shall assign a single
PROJECT DIRECTOR to have overall responsibility for the progress and execution of this
Agreement for CONTRACTOR. Navid Jam is hereby designated as the PROJECT DIRECTOR
for CONTRACTOR. Should circumstances or conditions subsequent to the execution of this
Agreement require a substitute PROJECT DIRECTOR, for any reason, the CONTRACTOR shall
notify the CITY within ten (10) business days of the substitution.
2. DUTIES OF CONTRACTOR.
CONTRACTOR shall perform the duties as described in the Contractor Statement of
Work, dated July 13, 2016, attached as Exhibit A hereto and incorporated herein.
3. DUTIES OF CITY.
CITY shall pay the compensation as provided in Paragraph 4, and perform the duties as
follows:
- Assist CONTRACTOR in gathering current information on CITY technology infrastructure.
- Participate in project-specific meetings with CONTRACTOR as needed.
- Assist CONTRACTOR in evaluating CITY's current security environment and identifying
potential tasks, projects and priorities for improving this environment.
- Participate in meetings with CONTRACTOR to review ongoing efforts, potential solutions, and
other security topics that may arise during the term of this Agreement.
- Provide general oversight for the work to be done by CONTRACTOR under this Agreement.
- Any other duties for which the CITY is responsible as set forth in Exhibit A, attached hereto and
incorporated herein.
4. COMPENSATION.
For the full performance of the services described herein by CONTRACTOR, CITY shall
pay CONTRACTOR on a time and materials basis as specified in Exhibit A, provided that the total
amount paid to CONTRACTOR will not exceed a total of $58,000.00 USD, including expenses
and any applicable sales taxes, without a mutually agreed upon written amendment to this
Agreement.
Payment will be made within thirty (30) days of receipt by PROJECT MANAGER of
itemized invoices submitted by CONTRACTOR.
5. TERM OF AGREEMENT.
The term of this Agreement shall be for up to 6 months commencing on the date of this
Agreement. Notwithstanding the foregoing, the parties may mutually agree to extend the term of the
Agreement an additional 6 months in order to complete the services in Exhibit A, with City
Manager's written approval.
6. DEFINITIONS.
A. "Deliverables" means the written reports that are created by CONTRACTOR
specifically for CITY as a result of the Services provided hereunder, and that are identified as
deliverables on a Statement of Work. In no event will Indicators of Compromise be considered
"Deliverables," even if such Indicators are incorporated into a Deliverable.
B. "Indicators of Compromise" or "Indicators" means specifications of anomalies,
configurations, or other conditions that CONTRACTOR is capable of identifying within an
information technology infrastructure.
C. "Confidential Information" means the non-public information that is exchanged
between the parties, provided that such information is: (i) identified as confidential at the time of
disclosure by the disclosing party ("Discloser"), or (ii) disclosed under circumstances that would
indicate to a reasonable person that the information should be treated as confidential by the party
receiving such information ("Recipient").
D. "CONTRACTOR Intellectual Property (IP)" means all CONTRACTOR
proprietary materials, including without limitation CONTRACTOR'S Confidential Information (as
defined above), Deliverables, any hardware and/or software used by CONTRACTOR in performing
Services, Indicators of Compromise, CONTRACTOR'S processes and methods (including any
forensic investigation processes and methods), and any CONTRACTOR templates and/or forms,
including report and presentation templates and forms.
E. "CITY-Owned Property" means any technology, software, algorithms, formulas,
techniques or know-how and other tangible and intangible items that were owned by CITY, or
developed by or for CITY prior to the Effective Date that are provided by CITY to CONTRACTOR
for incorporation into or used in connection with the development of the Deliverables or
performance of Services.
7. TERMINATION.
A. Discretionary. Either party may terminate this Agreement without cause upon
thirty (30) days written notice mailed or personally delivered to the other party.
B. Cause. Either party may terminate this Agreement for cause upon fifteen (15) days
written notice mailed or personally delivered to the other party, and the notified party's failure to
cure or correct the cause of the termination, to the reasonable satisfaction of the party giving such
notice, within such fifteen (15) day time period.
C. Effect of Termination. Upon receipt of notice of termination, neither party shall
incur additional obligations under any provision of this Agreement without the prior written consent
of the other.
D. Return of Documents. Upon termination, any and all CITY documents or
materials provided to CONTRACTOR and subject to payment by the CITY to the
CONTRACTOR, any and all of CONTRACTOR's completed documents and materials prepared
for or relating to the performance of its duties under this Agreement, shall be delivered to CITY as
soon as possible, but not later than thirty (30) days after termination. Upon the termination or
expiration of this Agreement, CONTRACTOR shall have the right to immediate possession of the
CONTRACTOR IP (including all copies thereof) wherever located, without demand or notice.
Within five (5) days after termination of the Agreement, CITY will return to CONTRACTOR the
CONTRACTOR IP or, upon request by CONTRACTOR, destroy the CONTRACTOR IP (with
the exception of the CONTRACTOR Hardware) and all copies thereof.
8. INTELLECTUAL PROPERTY.
A. Grant of License. Subject to CITY'S timely payment of applicable fees, and
subject to the terms of this Agreement, CITY shall have a perpetual, non-exclusive, nontransferable,
right and license to (unless otherwise set forth in a Statement of Work) use, display and reproduce
the Deliverables for its internal business purposes. Deliverables may not be shared with any third
party other than law enforcement agencies.
B. Intellectual Property Rights. CITY acknowledges that CONTRACTOR may use
CONTRACTOR IP to provide the Services, and that CITY may obtain access to certain
CONTRACTOR IP as a result of CONTRACTOR'S performance of its obligations under this
Agreement. CONTRACTOR IP is and shall remain the sole and exclusive property of
CONTRACTOR and CONTRACTOR shall retain all right, title and interest in and to the
CONTRACTOR IP and all derivative works thereof. Between CITY and CONTRACTOR,
CONTRACTOR shall retain all rights and title in and to any Indicators of Compromise
developed by or for CONTRACTOR.
C. Restrictions. Subject to the exceptions set forth in Section 8. A, CITY agrees not to
reproduce or modify any portion of the CONTRACTOR IP, and will not disclose, sell, sublicense or
otherwise transfer or make available all or any portion of the CONTRACTOR IP to any third party
without the prior written consent of CONTRACTOR. Nothing contained in this Agreement shall
directly or indirectly be construed to assign or grant to CITY any right, title or interest in or to the
trademarks, copyrights, patents or trade secrets of CONTRACTOR or any ownership rights in or to
the CONTRACTOR IP. CITY shall not cause or permit the reverse engineering, reverse assembly,
or reverse compilation of, or otherwise attempt to derive source code from, the CONTRACTOR IP.
CITY shall not create derivative works based upon all or part of the CONTRACTOR IP. CITY
shall not resell, redistribute or make available CONTRACTOR IP or the Services to any third party,
and shall not use the CONTRACTOR IP, Services or the Deliverables to provide services to any
third party.
D. CITY-Owned Property. CITY will be and remain, at all times, the sole and
exclusive owner of the CITY-Owned Property (including, without limitation, any modification,
compilation, derivative work of, and all intellectual property and proprietary rights contained in or
pertaining thereto). CONTRACTOR will promptly return to CITY all CITY-Owned Property upon
the termination or expiration of this Agreement, or sooner at CITY'S request.
9. INSPECTION AND AUDIT.
Upon reasonable notice, CONTRACTOR shall make available to CITY, or its agent, for
inspection and audit, all documents and materials maintained by CONTRACTOR in connection
with its performance of its duties under this Agreement. CONTRACTOR shall fully cooperate
with CITY or its agent in any such audit or inspection.
10. ASSIGNABILITY.
The parties agree that they shall not assign or transfer any interest in this Agreement nor the
performance of any of their respective obligations hereunder, without the prior written consent of
the other party, and any attempt to so assign this Agreement or any rights, duties or obligations
arising hereunder shall be void and of no effect.
11. INSURANCE.
A. Scope of Coverage. During the term of this Agreement, CONTRACTOR shall
maintain, at no expense to CITY, the following insurance policies:
1. A commercial general liability insurance policy in the minimum amount of
one million dollars ($1,000,000) per occurrence/two million dollars ($2,000,000) aggregate, for
death, bodily injury, personal injury, or property damage.
2. An automobile liability (owned, non-owned, and hired vehicles) insurance
policy in the minimum amount of one million dollars ($1,000,000) dollars per occurrence.
3. If any licensed professional performs any of the services required to be
performed under this Agreement, a professional liability/technology errors & omissions insurance
policy in the minimum amount of two million dollars ($2,000,000) per occurrence/two million
dollars ($2,000,000) aggregate, to cover any claims arising out of the CONTRACTOR's
performance of services under this Agreement. Where CONTRACTOR is a professional not
required to have a professional license, CITY reserves the right to require CONTRACTOR to
provide professional liability insurance pursuant to this section.
4. If it employs any person, CONTRACTOR shall maintain worker's
compensation and employer's liability insurance, as required by the State Labor Code and other
applicable laws and regulations, and as necessary to protect both CONTRACTOR and CITY
against all liability for injuries to CONTRACTOR's officers and employees. CONTRACTOR'S
worker's compensation insurance shall waive any right of subrogation against CITY under a
blanket waiver of subrogation provision.
B. Other Insurance Requirements. The insurance coverage required of the
CONTRACTOR in subparagraph A of this section above shall also meet the following
requirements:
1. Except for professional liability insurance, the insurance policies shall be
specifically endorsed to include the CITY, its officers, agents, employees, and volunteers, as
additionally named insureds under the policies.
2. The additional insured coverage under CONTRACTOR'S insurance
policies shall be primary with respect to any insurance or coverage maintained by CITY and shall
not call upon CITY's insurance or self-insurance coverage for any contribution. The "primary and
noncontributory" coverage in CONTRACTOR'S policies shall be at least as broad as ISO form
CG20 01 04 13.
3. Except for professional liability insurance, the insurance policies shall
include, in their text or by endorsement, coverage for contractual liability and personal injury.
4. The insurance policies shall provide for thirty (30) days written notice to the
PROJECT MANAGER in the event of any policy cancellation.
5. If the insurance is written on a Claims Made Form, then, following
termination of this Agreement, said insurance coverage shall survive for a period of not less than
five years.
6. The insurance policies shall provide for a retroactive date of placement
coinciding with the effective date of this Agreement.
7. The limits of insurance required in this Agreement may be satisfied by a
combination of primary and umbrella or excess insurance. Reserved.
C. Deductibles and SIR'S. Any deductibles or self-insured retentions in
CONTRACTOR's insurance policies must be declared to the PROJECT MANAGER and City
Attorney, and shall not reduce the limits of liability.
D. Proof of Insurance. CONTRACTOR shall provide to the PROJECT MANAGER
or CITY'S City Attorney all of the following: Certificates of Insurance evidencing the insurance
coverage required in this Agreement.
12. INDEMNIFICATION.
A. Except as otherwise provided in Paragraph B., CONTRACTOR shall, to the
fullest extent permitted by law, indemnify, release, defend with counsel, and hold harmless
CITY, its officers, agents, employees and volunteers (collectively, the "City Indemnitees"),
from and against any claim, demand, suit, judgment, loss, liability or expense of any kind,
including but not limited to attorney's fees, expert fees and all other costs and fees of litigation,
(collectively "CLAIMS"), arising out of CONTRACTOR'S performance of its obligations or
conduct of its operations under this Agreement, including CONTRACTOR's violation of any
third party patent or other intellectual property rights in connection with its operations hereunder,
all subject to the Limitation of Liability in Subsection D, below. The CONTRACTOR's
obligations apply regardless of whether or not a liability is caused or contributed to by the active
or passive negligence of the City Indemnitees. However, to the extent that liability is caused by
the active negligence or willful misconduct of the City Indemnitees, the CONTRACTOR's
indemnification obligation shall be reduced in proportion to the City Indemnitees' share of
liability for the active negligence or willful misconduct. In addition, the acceptance or approval
of the CONTRACTOR's work or work product by the CITY or any of its directors, officers or
employees shall not relieve or reduce the CONTRACTOR's indemnification obligations. In the
event the City Indemnitees are made a party to any action, lawsuit, or other adversarial
proceeding arising from CONTRACTOR'S performance of or operations under this
Agreement, CONTRACTOR shall provide a defense to the City Indemnitees or at CITY'S
option reimburse the City Indemnitees their costs of defense, including reasonable attorneys'
fees, incurred in defense of such claims.
B. Where the services to be provided by CONTRACTOR under this Agreement are
design professional services to be performed by a design professional as that term is defined
under Civil Code Section 2782.8, CONTRACTOR shall, to the fullest extent permitted by law,
indemnify, release, defend and hold harmless the City Indemnitees from and against any
CLAIMS that arise out of, pertain to, or relate to the negligence, recklessness, or willful
misconduct of CONTRACTOR in the performance of its duties and obligations under this
Agreement or its failure to comply with any of its obligations contained in this Agreement,
except such CLAIM which is caused by the sole negligence or willful misconduct of CITY.
C. The defense and indemnification obligations of this Agreement are undertaken in
addition to, and shall not in any way be limited by, the insurance obligations contained in this
Agreement, and shall survive the termination or completion of this Agreement for the full period
of time allowed by law.
D. Limitation of Liability. THE TOTAL AGGREGATE LIABILITY OF
CONTRACTOR TO THE CITY AND ALL OTHER PARTIES FOR ANY CLAIM ARISING
IN CONNECTION WITH THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT OF
THE LIMITS OF THE INSURANCE REQUIRED UNDER THIS AGREEMENT (TWO
MILLION DOLLARS, AS DEFINED IN SECTION 11(A)(1)). THIS LIMITATION OF
LIABILITY WILL APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF
THIS AGREEMENT HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE. IN
NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY LOST REVENUES OR
PROFITS, OR OTHER INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR
EXEMPLARY DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT OR
THE SERVICES PERFORMED UNDER THIS AGREEMENT, EVEN IF THAT PARTY HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING
LIMITATIONS OF LIABILITY AND DISCLAIMERS OF DAMAGES ARE INDEPENDENT
OF THE EXCLUSIVE REMEDY SET FORTH IN SECTION 24(A). THE LIMITATIONS OF
LIABILITY CONTAINED IN THIS AGREEMENT WILL APPLY ONLY TO THE
MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING IN
THIS AGREEMENT PURPORTS TO LIMIT EITHER PARTY'S LIABILITY IN A MANNER
THAT WOULD BE UNENFORCEABLE OR VOID AS AGAINST PUBLIC POLICY IN THE
APPLICABLE JURISDICTION. The disclaimers, exclusions and limitations of liability set
forth in this Agreement form an essential basis of the bargain between the Parties and, absent any
of such disclaimers, exclusions or limitations of liability, the provisions of this Agreement,
including without limitation the economic terms, would be substantially different.
13. NONDISCRIMINATION.
CONTRACTOR shall not discriminate, in any way, against any person on the basis of age,
sex, race, color, religion, ancestry, national origin or disability in connection with or related to the
performance of its duties and obligations under this Agreement.
14. COMPLIANCE WITH ALL LAWS.
CONTRACTOR shall observe and comply with all applicable federal, state and local laws,
ordinances, codes and regulations, in the performance of its duties and obligations under this
Agreement. CONTRACTOR shall perform all services under this Agreement in accordance with
these laws, ordinances, codes and regulations. CONTRACTOR shall release, defend, indemnify
and hold harmless CITY, its officers, agents and employees from any and all damages, liabilities,
penalties, fines and all other consequences from any noncompliance or violation of any laws,
ordinances, codes or regulations.
15. NO THIRD PARTY BENEFICIARIES.
CITY and CONTRACTOR do not intend, by any provision of this Agreement, to create in
any third party, any benefit or right owed by one party, under the terms and conditions of this
Agreement, to the other party.
16. NOTICES.
All notices and other communications required or permitted to be given under this
Agreement, including any notice of change of address, shall be in writing and given by personal
delivery, or deposited with the United States Postal Service, postage prepaid, addressed to the
parties intended to be notified. Notice shall be deemed given as of the date of personal delivery, or
if mailed, upon the date of deposit with the United States Postal Service. Notice shall be given as
follows:
TO CITY's Project Manager: Gus Bush
City of San Rafael
1400 Fifth Avenue
San Rafael, CA 94901
TO CONTRACTOR's Project Director: Navid Jam, Director
Information Security Consulting Services
135 Main Street, Suite 550
San Francisco, CA 94105
WITH A COPY TO: FireEye, Inc.
Attn: General Counsel
1440 McCarthy Boulevard
Milpitas, CA 95035
17. INDEPENDENT CONTRACTOR.
For the purposes, and for the duration, of this Agreement, CONTRACTOR, its officers,
agents and employees shall act in the capacity of an Independent Contractor, and not as employees
of the CITY. CONTRACTOR and CITY expressly intend and agree that the status of
CONTRACTOR, its officers, agents and employees be that of an Independent Contractor and not
that of an employee of CITY.
18. ENTIRE AGREEMENT -- AMENDMENTS.
A. The terms and conditions of this Agreement, all exhibits attached, and all documents
expressly incorporated by reference, represent the entire Agreement of the parties with respect to the
subject matter of this Agreement.
B. This written Agreement shall supersede any and all prior agreements, oral or written,
regarding the subject matter between the CONTRACTOR and the CITY.
C. No other agreement, promise or statement, written or oral, relating to the subject
matter of this Agreement, shall be valid or binding, except by way of a written amendment to this
Agreement.
D. The terms and conditions of this Agreement shall not be altered or modified except
by a written amendment to this Agreement signed by the CONTRACTOR and the CITY.
E. If any conflicts arise between the terms and conditions of this Agreement, and the
terms and conditions of the attached exhibits or the documents expressly incorporated by reference,
the terms and conditions of this Agreement shall control.
19. SET-OFF AGAINST DEBTS.
CONTRACTOR agrees that CITY may deduct from any payment due to
CONTRACTOR under this Agreement, any monies which CONTRACTOR owes CITY under
any ordinance, agreement, contract or resolution for any unpaid taxes, fees, licenses, assessments,
unpaid checks or other amounts.
20. WAIVERS.
The waiver by either party of any breach or violation of any term, covenant or condition of
this Agreement, or of any ordinance, law or regulation, shall not be deemed to be a waiver of any
other term, covenant, condition, ordinance, law or regulation, or of any subsequent breach or
violation of the same or other term, covenant, condition, ordinance, law or regulation. The
subsequent acceptance by either party of any fee, performance, or other consideration which may
become due or owing under this Agreement, shall not be deemed to be a waiver of any preceding
breach or violation by the other party of any term, condition, covenant of this Agreement or any
applicable law, ordinance or regulation.
21. COSTS AND ATTORNEY'S FEES.
The prevailing party in any action brought to enforce the terms and conditions of this
Agreement, or arising out of the performance of this Agreement, may recover its reasonable costs
(including claims administration) and attorney's fees expended in connection with such action.
22. CITY BUSINESS LICENSE / OTHER TAXES.
CONTRACTOR shall obtain and maintain during the duration of this Agreement, a CITY
business license as required by the San Rafael Municipal Code. CONTRACTOR shall pay any
and all state and federal taxes and any other applicable taxes. CITY shall not be required to pay for
any work performed under this Agreement, until CONTRACTOR has provided CITY with a
completed Internal Revenue Service Form W-9 (Request for Taxpayer Identification Number and
Certification).
23. APPLICABLE LAW.
The laws of the State of California shall govern this Agreement.
24. CONFIDENTIALITY.
A. Confidential Information. Each party agrees that it shall: (i) take reasonable
measures to protect the Confidential Information by using the same degree of care, but no less than
a reasonable degree of care, to prevent the unauthorized use, dissemination or publication of the
Confidential Information as the Recipient uses to protect its own confidential information of a like
nature; (ii) limit disclosure to those persons within Recipient's organization with a need to know
and who have previously agreed in writing, prior to receipt of Confidential Information either as a
condition of their employment or in order to obtain the Confidential Information, to obligations
similar to the provisions hereof; (iii) not copy, reverse engineer, disassemble, create any works
from, or decompile any prototypes, software or other tangible objects which embody the other
party's Confidential Information and/or which are provided to the party hereunder; (iv) not use the
Confidential Information of the other Party for any purpose other than to perform or receive (as
applicable) the Services hereunder; and (v) comply with, and obtain all authorizations required by,
all applicable export control laws or regulations. Confidential Information shall not include
information that is (a) part of or becomes part of the public domain (other than by disclosure by the
receiving Party in violation of this Agreement); (b) previously known to the receiving Party without
an obligation of confidentiality; (c) independently developed by the receiving Party outside this
Agreement; or (d) rightfully obtained by the receiving Party from third parties without an obligation
of confidentiality. At the end of this Agreement, or earlier if requested by the disclosing Party, the
receiving Party shall promptly return or destroy all Confidential Information, other than
Confidential Information that may be retained in backup resources or for administrative purposes
such as financial reporting and record-keeping.
B. Exceptions. Notwithstanding Section 23(A), if CITY has hired CONTRACTOR to
perform a PCI DSS Compliance Audit or a PCI investigation, Mandiant may provide The Payment
Card Industry Security Standards Council, LLC (PCI SSC), card companies and the relevant
merchant bank with all Reports of Compliance (ROC) and all related assessment and investigative
report documents generated in connection with such work. Notwithstanding Section 23(A), either
Party may disclose the Confidential Information of the other Party to the extent such disclosure is
required to comply with applicable law, including a records request under the California Public
Records Act and a subpoena in connection with any civil or criminal proceeding, or the valid order
or requirement of a governmental or regulatory agency or court of competent jurisdiction, provided
that the disclosing Party notifies the Party to whom the Confidential Information belongs as soon as
practicable of any such requirement, so that the other Party may take whatever action that Party
deems appropriate to protect that information.
C. Publicity and Advertising. Notwithstanding any other provision of this Agreement, neither
Party may issue press releases or endorsements which reference the other Party or include
statements attributable to the other Party without the prior written consent of the other Party.
25. WARRANTIES.
A. Limited Warranty. CONTRACTOR warrants that the Services will be provided in
a professional manner pursuant to industry standards for the same or similar services.
B. Acceptance. CITY shall have fifteen (15) business days from CITY's receipt of
each Deliverable to review such Deliverable (the "Acceptance Period") to determine whether the
Deliverable conforms to the written specifications for that Deliverable set forth in the Statement of
Work (the "Specifications"). After CITY has completed the review described in this Section, CITY
will notify CONTRACTOR in writing either that: (i) the Deliverable conforms to the
Specifications and acceptance has occurred ("Acceptance"); or (ii) the Deliverable does not
conform to the Specifications. Acceptance shall also be deemed to occur if CITY does not notify
CONTRACTOR of its acceptance or rejection of a Deliverable prior to the expiration of the
Acceptance Period. Upon receipt of such notice of non-conformance, CONTRACTOR will correct
and re-deliver such Deliverable. The foregoing states CITY's sole remedy, and CONTRACTOR's
sole obligation, with respect to Deliverables that fail to conform to Specifications.
C. THE ABOVE-STATED LIMITED WARRANTY REPLACES ALL OTHER
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY
IMPLIED WARRANTIES OF CONDITION, UNINTERRUPTED USE, ACCURACY, LEVELS
OF SERVICE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NON INFRINGEMENT, AND CONTRACTOR DOES NOT WARRANT THAT THE
SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE.
26. COUNTERPARTS.
This Agreement may be executed in counterparts, each of which shall be deemed to be an
original, and all of which together shall constitute one and the same agreement.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the day, month
and year first above written.
CITY OF SAN RAFAEL
JIM M. SCHUTZ, City Manager
ATTEST:
ESTHER C. BEIRNE, City Clerk
APPROVED AS TO FORM:
ROBERT F. EPSTEIN, City Attorney
CONTRACTOR
By:
Printed Officer Name:
Title:
and,
By:
Printed Officer Name:
Title:
CONTRACT ROUTING FORM
INSTRUCTIONS: Use this cover sheet to circulate all contracts for review and approval in the order shown below.
TO BE COMPLETED BY INITIATING DEPARTMENT PROJECT MANAGER:
Contracting Department: IT
Project Manager: Gus Bush
Extension: 5302
Contractor Name: FireEye/Mandiant
Contractor's Contact: Blaire Krochak
Contact's Email: blaire.krochak@fireeye.com
❑ FPPC: Check if Contractor/Consultant must file Form 700
Routing steps (Step, Responsible Department, Description, Completed Date, Reviewer Check/Initial):
Step 1 (Project Manager):
a. Email PINS Introductory Notice to Contractor. Completed: 10/19/2016. Reviewer: GB
b. Email contract (in Word) & attachments to City Atty c/o Laraine.Gittens@cityofsanrafael.org. Completed: 10/19/2016. Reviewer: FA
Step 2 (City Attorney):
a. Review, revise, and comment on draft agreement and return to Project Manager. Completed: no date entered. Reviewer: ❑
b. Confirm insurance requirements, create Job on PINS, send PINS insurance notice to contractor. Completed: no date entered. Reviewer: ❑
Step 3 (Project Manager): Forward three (3) originals of final agreement to contractor for their signature. Completed: 12/14/2016. Reviewer: GB
Step 4 (Project Manager): When necessary,* contractor-signed agreement agendized for Council approval. (*PSA > $20,000; or Purchase > $35,000; or Public Works Contract > $125,000.) Date of Council approval: 12/19/2016. Reviewer: ❑ N/A; ☒ GB
PRINT; CONTINUE ROUTING PROCESS WITH HARD COPY
Step 5 (Project Manager): Forward signed original agreements to City Attorney with printed copy of this routing form. Completed: 12/21/2016. Reviewer: GB
Step 6 (City Attorney): Review and approve hard copy of signed agreement. Reviewer: handwritten initials, illegible in scan
Step 7 (City Attorney): Review and approve insurance in PINS, and bonds (for Public Works Contracts). Reviewer: handwritten initials, illegible in scan
Step 8 (City Manager/Mayor): Agreement executed by Council authorized official. Reviewer: handwritten initials, illegible in scan
Step 9 (City Clerk): Attest signatures, retains original agreement and forwards copies to Project Manager.
MANDIANT
Statement of Work
Agreement for Professional Services
For Information Technology Network Infrastructure Security Assessment and Mitigation Services
1. DESCRIPTION OF SERVICES
During the term of this SOW, Mandiant agrees to provide professional services as directed by Customer. The activities to be
performed will consist of the following:
Task 1: External Penetration Test
Mandiant will perform security testing of Customer's Internet accessible systems. Mandiant will use a basic four-step
approach of identifying systems, scanning the systems for vulnerabilities, validating the vulnerabilities discovered during the
scan, and optionally exploiting vulnerabilities.
Using target IP address ranges provided by the Customer, Mandiant will use network scanning tools to identify which
specific IP addresses are in use and the operating system and type of the device using each address. Mandiant will then
conduct further scans in order to identify TCP and UDP ports open on the system and the services listening on those ports.
Mandiant will also map the topology of the target network.
Mandiant will then proceed to searching identified systems and services for known vulnerabilities and misconfigurations.
Web servers in scope of the assessment will be examined to identify "off-the-shelf" (non-custom) web applications with
known vulnerabilities. Mandiant will also perform manual testing of identified services and non-custom web applications.
Upon Customer approval, Mandiant will proceed to exploit identified vulnerabilities in order to validate the presence and
impact of the issues. Mandiant will attempt to use compromised systems and services to exploit other systems in Customer's
network in order to test the depth of network defenses.
Task 2: Internal Penetration Test
Mandiant will perform security testing of Customer's corporate network. Mandiant will use a basic four-step approach of
identifying systems, scanning the systems for vulnerabilities, validating the vulnerabilities discovered during the scan, and
optionally exploiting vulnerabilities.
Using the IP address blocks provided by Customer, Mandiant will use network scanning tools to identify which specific IP
addresses are in use, the operating system, and type of the device using each address. Mandiant will then conduct further
scans in order to identify TCP and UDP ports open on the system and the services listening on those ports. Mandiant will also
map the topology of the target network.
Based upon the agreed scope, Mandiant will then proceed to searching identified systems and services for known
vulnerabilities and misconfigurations. Web servers in scope of the assessment will be examined to identify "off-the-shelf"
(non-custom) web applications with known vulnerabilities. Mandiant will also perform manual testing of identified services
and non-custom web applications.
Upon Customer approval, Mandiant will proceed to exploit identified vulnerabilities in order to validate the presence and
impact of the issues. Mandiant will attempt to use compromised systems and services to exploit other systems in Customer's
network in order to test the depth of network defenses.
Task 3: Social Engineering
Mandiant will perform social engineering campaigns targeting Customer's employees. Mandiant will perform email-based
campaigns.
Mandiant will begin the social engineering assessment by conducting a formal reconnaissance of the Customer. The objective
of this phase is detailed information about Customer's employees, including email addresses that can be used in later phases.
Also targeted is information about Customer's workplaces, including the location and type of facility. This information is
obtained from Customer's web site, along with other online resources such as social network sites, mailing list archives,
Mandiant Confidential Exhibit A, Page 1 of 4
newsgroups, and online forums. When requested, Mandiant can share target information obtained during this phase with a
point of contact at the Customer for approval before moving on to later phases.
Mandiant will then attempt to gain access to Customer systems using email-based phishing, which allows for a relatively
anonymous attack and subjects almost every employee to possible exploitation. The actual techniques used during
email-based social engineering will be based on the Customer and the individual targeted. Sense of urgency, requests for assistance,
name-dropping, fear, and feigned authority can all be used to some effect. Other possible techniques include masquerading as
an outside client or the help desk. Depending on client preferences and characteristics, email-based social engineering may
take the form of a mass email to employees (as would be used in a standard phishing attack) or may involve individually
targeted emails to select employees (as would be used in a "spear phishing" attack).
Based upon the agreed scope, Mandiant will then proceed to searching identified systems and services for known
vulnerabilities and misconfigurations. Web servers in scope of the assessment will be examined to identify "off-the-shelf"
(non-custom) web applications with known vulnerabilities. Mandiant will also perform manual testing of identified services
and non-custom web applications.
Any services or products not listed above are considered out of scope.
2. DELIVERABLES
The Deliverables to be produced for this engagement are as follows:
Executive Summary: The Executive Summary will provide managers a high-level overview of the engagement. It
highlights the strategic areas for improvement and provides an overall analysis of the security posture of the
environment.
Technical Report: The Technical Report provides detailed information about the assessment, including the methodology
and tools used by Mandiant consultants, as well as the assessment findings. Each finding includes an explanation of the
systemic cause, risk rating, and detailed remediation steps. All identified vulnerabilities will be prioritized, and an
assessment of the potential cost and effort required to mitigate the vulnerabilities will be provided. The exact format and
organization of the technical report can be customized as required.
Presentation of Results: Along with the written Technical Report, Mandiant consultants can present a formal out-brief of
the findings to an appropriate audience identified by the Customer.
Each Deliverable will be considered accepted by Customer if Customer has not indicated that it does not accept the Deliverable
within fifteen (15) days of the date that Deliverable was delivered to Customer.
3. FEES AND EXPENSES
In consideration for the Services to be performed, Customer agrees to pay the fixed fee amounts reflected in the following table:
TASK                                EXPECTED TIMING    COST
Task 1: External Penetration Test   Weeks 1-2          $16,000
• Security testing of the Customer's Internet accessible systems
• Includes penetration testing of up to 200 live, Internet-accessible systems
• Includes a comprehensive vulnerability assessment of Internet accessible systems
• Performed in coordination with client on the days and times when testing can occur
• Performed using one (1) consultant dedicated to penetration testing
• All penetration test activities are time-bound to a total of seven (7) consultant-days of work, including time for production of the final draft report
• Performed remotely from Mandiant offices
• This task does not include remediation validation
Task 2: Internal Penetration Test   Week 3             $25,000
• Security testing of the Customer's internally accessible systems
• Includes penetration testing of up to 200 live, internally accessible systems
• Includes a comprehensive vulnerability assessment of internally accessible systems
• Performed in coordination with client on the days and times when testing can occur
• Performed using two (2) consultants dedicated to penetration testing
• All penetration test activities are time-bound to a total of ten (10) consultant-days of work, including time for the production of the final draft report
• Performed onsite at the Customer's San Rafael, CA office
• This task does not include remediation validation
Task 3: Social Engineering          Weeks 4-5          $16,000
• Social engineering activities will be limited to sending up to 100 emails
• Mandiant and the Customer will agree to one (1) email scenario prior to commencing email-based social engineering
• Goal is to obtain user credentials, customer data, and client data
• Performed in coordination with client on the days and times when testing can occur
• All social engineering activities are time-bound to a total of seven (7) consultant-days of work, including time for the production of the final draft report
• Performed remotely from Mandiant offices
Report Development                  Week 6             N/A
Total                               6 Weeks            $57,000
Customer shall reimburse Mandiant for the following expense categories that are directly attributable to work performed under
this SOW:
• Travel and living expenses.
• Mileage in company or personal vehicles at the rate approved by the U.S. General Services Administration as of the
contract date.
• Telephone, fax, and Internet charges.
• Computer storage media.
• Postage and courier services.
• Printing, reproduction and binding.
• Any other expenses resulting from the work performed under this Agreement.
All fees and expenses will be invoiced upon delivery of the draft Deliverable for each task.
4. ADDITIONAL SECURITY TESTING TERMS AND CONDITIONS
4.1. As a part of the penetration testing, Mandiant may, among other things, (a) scan Customer's network and systems for ports,
services and other entry points that can be exploited; and (b) probe those entry points in an effort to gain access to Customer's
network and systems in an effort to determine the severity of the vulnerability.
4.2. CUSTOMER UNDERSTANDS THAT, ALTHOUGH MANDIANT TAKES PRECAUTIONS TO AVOID DAMAGE TO
CUSTOMER'S NETWORK AND SYSTEMS, DISRUPTIONS, OUTAGES AND/OR DATA LOSS MAY OCCUR AS A
RESULT OF THE PENETRATION TESTING. Customer represents and warrants that all systems on its network or otherwise
accessible during the penetration test have been backed up, and that any data loss or other damage caused by the penetration
testing can be easily and quickly reversed.
4.3. Customer will provide to Mandiant certain information required for performing its tests, including a description and location
(e.g., an IP address) of the systems and networks to be tested. Customer represents and warrants that all information provided is
true and accurate and that Customer owns or is authorized to represent the owners of the systems and networks described in
connection with the penetration testing.
4.4. Customer may inform all or a selected group of its employees, contractors, and other third parties about the penetration
testing to be undertaken by Mandiant. In the event that Customer decides not to inform anyone of the penetration testing,
Customer understands that people may spend time and money on behalf of Customer in detecting, blocking, investigating or
responding to activities of Mandiant. IN LIGHT OF THE POSSIBILITY THAT SUCH ACTIONS MAY BE TAKEN AND
EXPENDITURES MAY OCCUR, YOU SHOULD CONSULT WITH YOUR LEGAL COUNSEL AND/OR A MEMBER OF
EXECUTIVE MANAGEMENT PRIOR TO ANY SUCH ZERO KNOWLEDGE ENGAGEMENTS. You may also want to
consider contacting such third-party service providers as your telecommunications carrier to alert them to the testing.
4.5. User data contained on systems that are being tested may be accessible to Mandiant and Mandiant may download portions of
such data (e.g., as proof of access).
4.6. At any point during the testing, either party may pause or stop the test. Should the testing be terminated, a rationale for such
termination shall be provided by the party requesting such termination and such rationale shall be clearly documented.
5. ASSUMPTIONS
1. Estimated professional fees do not include any hardware, software, licensing, maintenance or support costs of any Mandiant or
other third-party product or service suggested by Mandiant as we conduct the activities outlined above.
2. Mandiant will provide Deliverables to Customer throughout this engagement. Draft deliverables are considered final upon
confirmation from Customer (written or oral) or fifteen days after their submission date from Mandiant to Customer via
email, whichever is shorter.
3. When Mandiant's personnel are performing Services on site at Customer's premises, Customer will allocate appropriate
working space and physical access for all Mandiant assigned personnel.
4. Mandiant uses a forty (40) hour billable workweek as its standard. On-site services are generally delivered over a four-day, ten (10)
hours/day work week, Monday through Thursday, unless otherwise mutually agreed. At Mandiant's sole discretion our
consultants may elect to incur greater than 40 billable hours in a workweek.
5. Customer will make available key individuals within the security program that can best help plan operations around security
event monitoring and analysis, threat intelligence, and incident response.
6. Mandiant and Customer acknowledge that the scope of, or specific obligations of either party, under the Statement of Work
may change during the engagement. Either party may elect to submit written change requests to the other party proposing
changes to the Statement of Work. All changes to the requirements and Statement of Work will be made using agreed-to
project change control procedures.
6. CONTACT INFORMATION
Customer will provide contact information to Mandiant for those Customer personnel who are designated as Customer's points of
contact for the Services.