C-5593 - PSA for Network and Computer Security Consulting Services
PROFESSIONAL SERVICES AGREEMENT
WITH ACCUVANT INC. FOR
NETWORK AND COMPUTER SECURITY CONSULTING AND SERVICES
THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and
entered into as of this 20th day of August 2013 ("Effective Date"), by and between the
CITY OF NEWPORT BEACH, a California municipal corporation and charter city
("City"), and ACCUVANT INC., a Delaware corporation ("Consultant"), whose address is
1125 17th St., Suite 1700, Denver, CO 82020, and is made with reference to the
following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. City desires to engage Consultant to provide network and computer security
consulting and related services ("Project").
C. Consultant possesses the skill, experience, ability, background, certification and
knowledge to provide the professional services described in this Agreement.
D. City has solicited and received a proposal from Consultant, has reviewed the
previous experience and evaluated the expertise of Consultant, and desires to
retain Consultant to render professional services under the terms and conditions
set forth in this Agreement.
NOW, THEREFORE, it is mutually agreed by and between the undersigned
parties as follows:
1. TERM
The term of this Agreement shall commence on the Effective Date, and shall
terminate on June 30, 2014, unless terminated earlier as set forth herein.
2. SERVICES TO BE PERFORMED
Consultant shall diligently perform all the services described in the Scope of
Services and Schedule of Billing Rates attached hereto as Exhibit A and incorporated
herein by reference ("Services" or "Work"). City may elect to delete certain Services
within the Scope of Services at its sole discretion.
3. TIME OF PERFORMANCE
3.1 Time is of the essence in the performance of Services under this
Agreement and Consultant shall perform the Services in accordance with the schedule
included in Exhibit A. In the absence of a specific schedule, the Services shall be
performed to completion in a diligent and timely manner. The failure by Consultant to
strictly adhere to the schedule set forth in Exhibit A, if any, or perform the Services in a
diligent and timely manner may result in termination of this Agreement by City.
3.2 Notwithstanding the foregoing, Consultant shall not be responsible for
delays due to causes beyond Consultant's reasonable control. However, in the case of
any such delay in the Services to be provided for the Project, each party hereby agrees
to provide notice within two (2) calendar days of the occurrence causing the delay to the
other party so that all delays can be addressed.
3.3 Consultant shall submit all requests for extensions of time for performance
in writing to the Project Administrator as defined herein not later than ten (10) calendar
days after the start of the condition that purportedly causes a delay. The Project
Administrator shall review all such requests and may grant reasonable time extensions
for unforeseeable delays that are beyond Consultant's control.
3.4 For all time periods not specifically set forth herein, Consultant shall
respond in the most expedient and appropriate manner under the circumstances, by
hand-delivery or mail.
4. COMPENSATION TO CONSULTANT
4.1 City shall pay Consultant for the Services on a time and expense not-to-exceed
basis in accordance with the provisions of this Section and the Scope of
Services and Schedule of Billing Rates attached hereto as Exhibit A. Consultant's
compensation for all Work performed in accordance with this Agreement, including all
reimbursable items and subconsultant fees, shall not exceed Eleven Thousand
Dollars and 00/100 ($11,000.00), without prior written authorization from City. No
billing rate changes shall be made during the term of this Agreement without the prior
written approval of City.
4.2 Consultant shall submit monthly invoices to City describing the Work
performed the preceding month. Consultant's bills shall include the name of the person
who performed the Work, a brief description of the Services performed and/or the
specific task in the Scope of Services to which it relates, the date the Services were
performed, the number of hours spent on all Work billed on an hourly basis, and a
description of any reimbursable expenditures. City shall pay Consultant no later than
thirty (30) calendar days after approval of the monthly invoice by City staff.
4.3 City shall reimburse Consultant only for those costs or expenses
specifically identified in Exhibit A to this Agreement or specifically approved in writing in
advance by City.
4.4 Consultant shall not receive any compensation for Extra Work performed
without the prior written authorization of City. As used herein, "Extra Work" means any
Work that is determined by City to be necessary for the proper completion of the
Project, but which is not included within the Scope of Services and which the parties did
not reasonably anticipate would be necessary at the execution of this Agreement.
ACCUVANT INC. Page 2
Compensation for any authorized Extra Work shall be paid in accordance with the
Schedule of Billing Rates as set forth in Exhibit A.
5. PROJECT MANAGER
5.1 Consultant shall designate a Project Manager, who shall coordinate all
phases of the Project. This Project Manager shall be available to City at all reasonable
times during the Agreement term. Consultant has designated Ray Burgess to be its
Project Manager. Consultant shall not remove or reassign the Project Manager or any
personnel listed in Exhibit A or assign any new or replacement personnel to the Project
without the prior written consent of City. City's approval shall not be unreasonably
withheld with respect to the removal or assignment of non-key personnel.
5.2 Consultant, at the sole discretion of City, shall remove from the Project
any of its personnel assigned to the performance of Services upon written request of
City. Consultant warrants that it will continuously furnish the necessary personnel to
complete the Project on a timely basis as contemplated by this Agreement.
5.3 If Consultant is performing inspection services for City, the Project
Manager and any other assigned staff shall be equipped with a cellular phone to
communicate with City staff. The Project Manager's cellular phone number shall be
provided to City.
6. ADMINISTRATION
This Agreement will be administered by the Police Department ("Newport Beach
Police Department"). The City's Police Computer Systems Manager or designee shall
be the Project Administrator and shall have the authority to act for City under this
Agreement. The Project Administrator shall represent City in all matters pertaining to
the Services to be rendered pursuant to this Agreement.
7. CITY'S RESPONSIBILITIES
To assist Consultant in the execution of its responsibilities under this Agreement,
City agrees to provide access to and upon request of Consultant, one copy of all
existing relevant information on file at City. City will provide all such materials in a
timely manner so as not to cause delays in Consultant's Work schedule.
8. STANDARD OF CARE
8.1 All of the Services shall be performed by Consultant or under Consultant's
supervision. Consultant represents that it possesses the professional and technical
personnel required to perform the Services required by this Agreement, and that it will
perform all Services in a manner commensurate with the highest professional
standards. For purposes of this Agreement, the phrase "highest professional
standards" shall mean those standards of practice recognized by one (1) or more
first-class firms performing similar work under similar circumstances.
8.2 All Services shall be performed by qualified and experienced personnel
who are not employed by City. By delivery of completed Work, Consultant certifies that
the Work conforms to the requirements of this Agreement, all applicable federal, state
and local laws, and the highest professional standard.
8.3 Consultant represents and warrants to City that it has, shall obtain, and
shall keep in full force and effect during the term hereof, at its sole cost and expense, all
licenses, permits, qualifications, insurance and approvals of whatsoever nature that is
legally required of Consultant to practice its profession. Consultant shall maintain a City
of Newport Beach business license during the term of this Agreement.
8.4 Consultant shall not be responsible for delay, nor shall Consultant be
responsible for damages or be in default or deemed to be in default by reason of strikes,
lockouts, accidents, acts of God, or the failure of City to furnish timely information or to
approve or disapprove Consultant's Work promptly, or delay or faulty performance by
City, contractors, or governmental agencies.
9. HOLD HARMLESS
9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend
and hold harmless City, its City Council, boards and commissions, officers, agents,
volunteers and employees (collectively, the "Indemnified Parties") from and against any
and all claims (including, without limitation, claims for bodily injury, death or damage to
property), demands, obligations, damages, actions, causes of action, suits, losses,
judgments, fines, penalties, liabilities, costs and expenses (including, without limitation,
reasonable attorneys' fees, disbursements and court costs) of every kind and nature
whatsoever (individually, a Claim; collectively, "Claims"), which may arise from or in any
manner relate (directly or indirectly) to any breach of the terms and conditions of this
Agreement, any Work performed or Services provided under this Agreement including,
without limitation, defects in workmanship or materials or Consultant's presence or
activities conducted on the Project (including the negligent, reckless, and/or willful acts,
errors and/or omissions of Consultant, its principals, officers, agents, employees,
vendors, suppliers, consultants, subcontractors, anyone employed directly or indirectly
by any of them or for whose acts they may be liable, or any or all of them).
9.2 Notwithstanding the foregoing, nothing herein shall be construed to
require Consultant to indemnify the Indemnified Parties from any Claim arising from the
negligence or willful misconduct of the Indemnified Parties. Nothing in this indemnity
shall be construed as authorizing any award of attorneys' fees in any action on or to
enforce the terms of this Agreement. This indemnity shall apply to all claims and liability
regardless of whether any insurance policies are applicable. The policy limits do not act
as a limitation upon the amount of indemnification to be provided by Consultant.
10. INDEPENDENT CONTRACTOR
It is understood that City retains Consultant on an independent contractor basis
and Consultant is not an agent or employee of City. The manner and means of
conducting the Work are under the control of Consultant, except to the extent they are
limited by statute, rule or regulation and the expressed terms of this Agreement. No
civil service status or other right of employment shall accrue to Consultant or its
employees. Nothing in this Agreement shall be deemed to constitute approval for
Consultant or any of Consultant's employees or agents, to be the agents or employees
of City. Consultant shall have the responsibility for and control over the means of
performing the Work, provided that Consultant is in compliance with the terms of this
Agreement. Anything in this Agreement that may appear to give City the right to direct
Consultant as to the details of the performance of the Work or to exercise a measure of
control over Consultant shall mean only that Consultant shall follow the desires of City
with respect to the results of the Services.
11. COOPERATION
Consultant agrees to work closely and cooperate fully with City's designated
Project Administrator and any other agencies that may have jurisdiction or interest in the
Work to be performed. City agrees to cooperate with the Consultant on the Project.
12. CITY POLICY
Consultant shall discuss and review all matters relating to policy and Project
direction with City's Project Administrator in advance of all critical decision points in
order to ensure the Project proceeds in a manner consistent with City goals and
policies.
13. PROGRESS
Consultant is responsible for keeping the Project Administrator informed on a
regular basis regarding the status and progress of the Project, activities performed and
planned, and any meetings that have been scheduled or are desired.
14. INSURANCE
Without limiting Consultant's indemnification of City, and prior to commencement
of Work, Consultant shall obtain, provide and maintain at its own expense during the
term of this Agreement or for other periods as specified in this Agreement, policies of
insurance of the type, amounts, terms and conditions described in the Insurance
Requirements attached hereto as Exhibit B, and incorporated herein by reference.
15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS
Except as specifically authorized under this Agreement, the Services to be
provided under this Agreement shall not be assigned, transferred, contracted or
subcontracted out without the prior written approval of City. Any of the following shall
be construed as an assignment: The sale, assignment, transfer or other disposition of
any of the issued and outstanding capital stock of Consultant, or of the interest of any
general partner or joint venturer or syndicate member or cotenant if Consultant is a
partnership or joint-venture or syndicate or co-tenancy, which shall result in changing
the control of Consultant. Control means fifty percent (50%) or more of the voting
power or twenty-five percent (25%) or more of the assets of the corporation, partnership
or joint-venture.
16. SUBCONTRACTING
The subcontractors authorized by City, if any, to perform Work on this Project are
identified in Exhibit A. Consultant shall be fully responsible to City for all acts and
omissions of any subcontractor. Nothing in this Agreement shall create any contractual
relationship between City and any subcontractor nor shall it create any obligation on the
part of City to pay or to see to the payment of any monies due to any such
subcontractor other than as otherwise required by law. City is an intended beneficiary
of any Work performed by the subcontractor for purposes of establishing a duty of care
between the subcontractor and City. Except as specifically authorized herein, the
Services to be provided under this Agreement shall not be otherwise assigned,
transferred, contracted or subcontracted out without the prior written approval of City.
17. OWNERSHIP OF DOCUMENTS
17.1 Each and every report, draft, map, record, plan, document and other
writing produced (hereinafter "Documents"), prepared or caused to be prepared by
Consultant, its officers, employees, agents and subcontractors, in the course of
implementing this Agreement, shall become the exclusive property of City, and City
shall have the sole right to use such materials in its discretion without further
compensation to Consultant or any other party. Consultant shall, at Consultant's
expense, provide such Documents to City upon prior written request.
17.2 Documents, including drawings and specifications, prepared by
Consultant pursuant to this Agreement are not intended or represented to be suitable
for reuse by City or others on any other project. Any use of completed Documents for
other projects and any use of incomplete Documents without specific written
authorization from Consultant will be at City's sole risk and without liability to
Consultant. Further, any and all liability arising out of changes made to Consultant's
deliverables under this Agreement by City or persons other than Consultant is waived
against Consultant, and City assumes full responsibility for such changes unless City
has given Consultant prior notice and has received from Consultant written consent for
such changes.
17.3 All written documents shall be transmitted to City in formats compatible
with Microsoft Office and/or viewable with Adobe Acrobat.
18. CONFIDENTIALITY
All Documents, including drafts, preliminary drawings or plans, notes and
communications that result from the Services in this Agreement, shall be kept
confidential unless City expressly authorizes in writing the release of information.
19. INTELLECTUAL PROPERTY INDEMNITY
Consultant shall defend and indemnify City, its agents, officers, representatives
and employees against any and all liability, including costs, for infringement or alleged
infringement of any United States' letters patent, trademark, or copyright, including
costs, contained in Consultant's Documents provided under this Agreement.
Consultant shall keep records and invoices in connection with the Services to be
performed under this Agreement. Consultant shall maintain complete and accurate
records with respect to the costs incurred under this Agreement and any Services,
expenditures and disbursements charged to City, for a minimum period of three (3)
years, or for any longer period required by law, from the date of final payment to
Consultant under this Agreement. All such records and invoices shall be clearly
identifiable. Consultant shall allow a representative of City to examine, audit and make
transcripts or copies of such records and invoices during regular business hours.
Consultant shall allow inspection of all Work, data, Documents, proceedings and
activities related to the Agreement for a period of three (3) years from the date of final
payment to Consultant under this Agreement.
21. WITHHOLDINGS
City may withhold payment to Consultant of any disputed sums until satisfaction
of the dispute with respect to such payment. Such withholding shall not be deemed to
constitute a failure to pay according to the terms of this Agreement. Consultant shall
not discontinue Work as a result of such withholding. Consultant shall have an
immediate right to appeal to the City Manager or designee with respect to such disputed
sums. Consultant shall be entitled to receive interest on any withheld sums at the rate of
return that City earned on its investments during the time period, from the date of
withholding of any amounts found to have been improperly withheld.
22. ERRORS AND OMISSIONS
In the event of errors or omissions that are due to the negligence or professional
inexperience of Consultant which result in expense to City greater than what would
have resulted if there were not errors or omissions in the Work accomplished by
Consultant, the additional design, construction and/or restoration expense shall be
borne by Consultant. Nothing in this Section is intended to limit City's rights under the
law or any other sections of this Agreement.
23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS
City reserves the right to employ other Consultants in connection with the
Project.
24. CONFLICTS OF INTEREST
24.1 Consultant or its employees may be subject to the provisions of the
California Political Reform Act of 1974 (the "Act"), which (1) requires such persons to
disclose any financial interest that may foreseeably be materially affected by the Work
performed under this Agreement, and (2) prohibits such persons from making, or
participating in making, decisions that will foreseeably financially affect such interest.
24.2 If subject to the Act, Consultant shall conform to all requirements of the
Act. Failure to do so constitutes a material breach and is grounds for immediate
termination of this Agreement by City. Consultant shall indemnify and hold harmless
City for any and all claims for damages resulting from Consultant's violation of this
Section.
25. NOTICES
25.1 All notices, demands, requests or approvals, including any change in
mailing address, to be given under the terms of this Agreement shall be given in writing,
and conclusively shall be deemed served when delivered personally, or on the third
business day after the deposit thereof in the United States mail, postage prepaid, first-
class mail, addressed as hereinafter provided.
25.2 All notices, demands, requests or approvals from Consultant to City shall
be addressed to City at:
Attn: John Veale, Police Computer Systems Manager
Police Department
City of Newport Beach
100 Civic Center Drive
PO Box 1768
Newport Beach, CA 92658
25.3 All notices, demands, requests or approvals from City to Consultant shall
be addressed to Consultant at:
Attn: Director of Legal Affairs
ACCUVANT INC.
1125 17th St., Suite 1700,
Denver, CO 80202
26. CLAIMS
Unless a shorter time is specified elsewhere in this Agreement, before making its
final request for payment under this Agreement, Consultant shall submit to City, in
writing, all claims for compensation under or arising out of this Agreement.
Consultant's acceptance of the final payment shall constitute a waiver of all claims for
compensation under or arising out of this Agreement except those previously made in
writing and identified by Consultant in writing as unsettled at the time of its final request
for payment. Consultant and City expressly agree that in addition to any claims filing
requirements set forth in the Agreement, Consultant shall be required to file any claim
Consultant may have against City in strict conformance with the Government Claims Act
(Government Code sections 900 et seq.).
27. TERMINATION
27.1 In the event that either party fails or refuses to perform any of the
provisions of this Agreement at the time and in the manner required, that party shall be
deemed in default in the performance of this Agreement. If such default is not cured
within a period of two (2) calendar days, or if more than two (2) calendar days are
reasonably required to cure the default and the defaulting party fails to give adequate
assurance of due performance within two (2) calendar days after receipt of written
notice of default, specifying the nature of such default and the steps necessary to cure
such default, and thereafter diligently take steps to cure the default, the non-defaulting
party may terminate the Agreement forthwith by giving to the defaulting party written
notice thereof.
27.2 Notwithstanding the above provisions, City shall have the right, at its sole
and absolute discretion and without cause, of terminating this Agreement at any time by
giving no less than seven (7) calendar days' prior written notice to Consultant. In the
event of termination under this Section, City shall pay Consultant for Services
satisfactorily performed and costs incurred up to the effective date of termination for
which Consultant has not been previously paid. On the effective date of termination,
Consultant shall deliver to City all reports, Documents and other information developed
or accumulated in the performance of this Agreement, whether in draft or final form.
28. STANDARD PROVISIONS
28.1 Recitals. City and Consultant acknowledge that the above Recitals are
true and correct and are hereby incorporated by reference into this Agreement.
28.2 Compliance with all Laws. Consultant shall, at its own cost and expense,
comply with all statutes, ordinances, regulations and requirements of all governmental
entities, including federal, state, county or municipal, whether now in force or hereinafter
enacted. In addition, all Work prepared by Consultant shall conform to applicable City,
county, state and federal laws, rules, regulations and permit requirements and be
subject to approval of the Project Administrator and City.
28.3 Waiver. A waiver by either party of any breach, of any term, covenant or
condition contained herein shall not be deemed to be a waiver of any subsequent
breach of the same or any other term, covenant or condition contained herein, whether
of the same or a different character.
28.4 Integrated Contract. This Agreement represents the full and complete
understanding of every kind or nature whatsoever between the parties hereto, and all
preliminary negotiations and agreements of whatsoever kind or nature are merged
herein. No verbal agreement or implied covenant shall be held to vary the provisions
herein.
28.5 Conflicts or Inconsistencies. In the event there are any conflicts or
inconsistencies between this Agreement and the Scope of Services or any other
attachments attached hereto, the terms of this Agreement shall govern.
28.6 Interpretation. The terms of this Agreement shall be construed in
accordance with the meaning of the language used and shall not be construed for or
against either party by reason of the authorship of the Agreement or any other rule of
construction which might otherwise apply.
28.7 Amendments. This Agreement may be modified or amended only by a
written document executed by both Consultant and City and approved as to form by the
City Attorney.
28.8 Severability. If any term or portion of this Agreement is held to be invalid,
illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining
provisions of this Agreement shall continue in full force and effect.
28.9 Controlling Law and Venue. The laws of the State of California shall
govern this Agreement and all matters relating to it and any action brought relating to
this Agreement shall be adjudicated in a court of competent jurisdiction in the County of
Orange, State of California.
28.10 Equal Opportunity Employment. Consultant represents that it is an equal
opportunity employer and it shall not discriminate against any subcontractor, employee
or applicant for employment because of race, religion, color, national origin, handicap,
ancestry, sex, age or any other impermissible basis under law.
28.11 No Attorneys' Fees. In the event of any dispute or legal action arising
under this Agreement, the prevailing party shall not be entitled to attorneys' fees.
28.12 Counterparts. This Agreement may be executed in two (2) or more
counterparts, each of which shall be deemed an original and all of which together shall
constitute one (1) and the same instrument.
28.13 Limitation of Liability.
28.13.1 Except as otherwise expressly set forth herein, consultant
makes no warranties, guarantees, or representations of any kind, express or implied,
with respect to the operation, capacity, speed, functionality, qualifications, or capabilities
of the ArcSight Logger System.
28.13.2 The aggregate amount of any liability of consultant, its
Officers, Directors, Agents, Subsidiaries, Affiliates, Partners, and Contractors, for one or
more claims arising from or relating to any deficiencies with respect to this Agreement,
shall not exceed in the aggregate, three times the amount paid to consultant hereunder
for the performance of Services hereunder. Notwithstanding the foregoing, this
limitation does not apply to claims that arise from gross negligence or intentional
misconduct by either party.
[SIGNATURES ON NEXT PAGE]
IN WITNESS WHEREOF, the parties have caused this Agreement to be
executed on the dates written below.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date:
Aaron C. Harp
City Attorney
ATTEST:
Date:
By:
Leilani I. Brown
City Clerk
CITY OF NEWPORT BEACH,
a California municipal corporation
Date:
By:
Jay ns
Chief of Police
CONSULTANT: ACCUVANT INC., a
Delaware corporation
Date: 7'-3-13
By:
Patrick Farre
Director of Legal Affairs
Date:
By:
David Roshak
Chief Financial Officer
[END OF SIGNATURES]
Attachments: Exhibit A — Scope of Services and Schedule of Billing Rates
Exhibit B — Insurance Requirements
EXHIBIT A
SCOPE OF SERVICES AND SCHEDULE OF BILLING RATES
ArcSight Logger
Deployment
Project Number: SoCal-OP88793
Prepared By: Ray Burgess / Juan Ruben Sánchez
May 29, 2013
Revision: #1.4
SECURITY STRATEGY.
EXPERTLY EXECUTED.
Experts in Information Security Solutions
ArcSight Logger Deployment
ACCUVANT Newport Beach Police Department - Project #: SoCal-OP88793
Table of Contents
Project Overview
Background
Goals & Objectives
Task List
Project Scope
Professional Considerations
Scheduling
Project Completion
Change In Scope of Services
Project Assumptions
Project Management Approach
Terms
Project Information
Project Location
Client Contacts
Accuvant Contacts
Project Fees, Expenses, Payment Schedule
Fees
Payment Schedule
Travel & Expenses
Authorization
Appendix A - Equipment and Log Source List
System Information
Log Sources
Appendix B - SIEM Pre-Installation Preparation Steps
Appendix C - Minimum Recommended Logging Policy
Retention Period
Authentication
MAC
Access or Modification of Sensitive Files
Network Devices
SIEM Centralized Log Management Considerations
Revision: #1.0 Page 2 of 19
ACCUVANT ArcSight Logger Deployment
Newport Beach Police Department - Project #: SoCal-OP88793
Project Overview
Background
Newport Beach Police Department is in the process of deploying ArcSight Logger for the collection of events
from its security and infrastructure devices for correlation, alerting and reporting purposes. The goal of this
project is to meet the FBI's Criminal Justice Information Systems (CJIS) Security Policy (Version 5.1, dated
7/13/2012) requirements for Auditing and Accountability. Newport Beach Police Department has requested
Accuvant's SIEM and log management expertise to meet the above requirements and to perform a basic
installation and initial configuration of devices as specified in Appendix A and Appendix D.
Accuvant will provide a consulting resource to perform an initial implementation, configuration, and basic
tuning of the ArcSight Logger solution, based on the terms of this contract.
Goals & Objectives
• Install ArcSight Logger components and configure required network and system configurations to
match customer provided information
• Configure data collection of standard ArcSight Logger supported log sources as agreed to in
Appendix A
• Instruct Newport Beach Police Department on basic system access and usage
Task List
The following is a list of activities that will be performed during this consulting engagement. Subject to
consultant availability, Newport Beach Police Department may extend this engagement by submitting a
change order and PO for additional services.
This agreement outlines services to be delivered on a fixed deliverable basis, pending availability of a
qualified consultant.
Tasks:
1. Architecture Review
Review the proposed deployment design with the customer prior to implementation.
2. System Installation
Hardware will be installed to vendor provided standards and configured to match the customer's
environment for the list of devices in Appendix A.
3. Log Collector Installation
Hardware and/or software components will be installed to collect data from the customer's identified
log sources in Appendix A.
4. System Validation
Accuvant will verify events are being received and stored from the log sources identified and that
default system content is enabled.
5. Documentation and Knowledge Transfer
Accuvant will provide installation and configuration documentation on key settings modified at the
time of installation and basic access and usage hands-on knowledge transfer during the engagement.
The consultant will provide a list of additional recommended log sources, next steps, and best
practices as appropriate.
The Newport Beach Police Department is encouraged to participate during the engagement as no
formal knowledge transfer session is included in an ArcSight Logger
Project Scope
Below is a list of the activities that will be performed during an ArcSight Logger Deployment. Accuvant will
provide an appropriate consultant to execute the tasks listed below:
Planning
PLANNING AND ENVIRONMENT REVIEW
Confirm the scope of work has been accurately captured in the project proposal and to identify any
significant obstacles to implementing the solution before coming onsite.
Accuvant consultants will conduct a pre-project call to gather the detailed information about the client
environment necessary to complete the engagement objectives.
Newport Beach Police Department is required to review and gather as much information as possible
from the SIEM Pre-installation Preparation Steps in Appendix B prior to the pre-project call and onsite
arrival. When possible, having information available for the kick-off meeting will ensure a more
productive dialogue.
KICK-OFF MEETING
This meeting will allow the entire project team to meet, review project objectives and strategy, and
confirm the project plan and each team member's responsibilities and will include:
• Introductions of team members and their role in the project
• A review of the project's success criteria
• A walkthrough of the project plan, assigning dates and times of deliverables,
status reporting requirements, and any change control impacts
• Confirming that the Accuvant consultants understand their point(s) of contact
and have all of the necessary materials and access to begin their work
• Confirm system components have arrived and match the list from Appendix A
APPLIANCE OR SOFTWARE INSTALLATION
Accuvant will install the log collection device, software or appliance in the location identified by the
client and as reviewed in the kickoff meeting.
Newport Beach Police Department is responsible for ensuring logging has been enabled and configured
for device appropriate events. See Appendix C for recommendations.
CONFIGURATION
The log collection system will be configured with the manufacturer's provided content and recommended
practices. Network settings, basic administration and connectivity settings will also be applied.
The customer is responsible for providing proper IP addressing, network connectivity, and
customer-specific DNS, NTP and Mail Server settings.
Database Installation and Configuration
APPLIANCE OR SOFTWARE INSTALLATION
Accuvant will install the SIEM database or log management device software or appliance in the location
identified by the client and as reviewed in the kickoff meeting.
CONFIGURATION
The system will be configured with the manufacturer's provided content and recommended practices.
Network settings, basic administration and connectivity settings will also be applied.
Appropriate disk space must be available at the time of installation. If external storage is to be used,
it must be provisioned and available prior to project kickoff.
Correlation Engine Installation and Configuration
APPLIANCE/SOFTWARE INSTALLATION
Accuvant will install the management or correlation device, software or appliance in the location
identified by the client and as reviewed in the kickoff meeting.
NETWORK AND CONNECTIVITY
The log manager or correlation system will be configured with the manufacturer's provided content and
recommended practices. Network settings, basic administration and connectivity settings will also be
applied.
Client/Console Installation
CONSOLE CONFIGURATION
Accuvant will install the client or management console software to allow for management of the SIEM
solution.
USER INTERFACE
Connectivity will be verified for the user interface for administrators.
Log Collection Installation and Configuration
LOG SOURCE CONFIGURATION
Three (3) unique log collectors or sources will be configured using manufacturer supplied connectors
or content.
A single log source can collect data for multiple devices. A single syslog collector can collect data
for many devices and types of devices in the network.
For example, in a typical deployment, the syslog collector will parse data for routers, switches,
firewalls, VPN, and UNIX hosts, and a single Windows collector will pull data for dozens of servers.
The customer may be required to change logging destinations on source devices, and/or provide
administrative access and an account for log source types pulled from the host devices (ODBC,
Windows, and WMI).
For file based sources, full read and write privileges and direct file access will be required on the
files to be read and parsed.
Connectivity between the log source collector and the source device is required prior to project
kickoff, and changes to firewalls and network devices to allow connectivity are the customer's
responsibility prior to the consultant arriving onsite. Accuvant will assist as needed with details of
required ports and connectivity as requested prior to scheduling onsite installation.
Project Documentation
DAILY STATUS REPORTS
Accuvant's consultants deliver daily status reports to the primary client contact (by default — weekly
if preferred) detailing activities and what is planned for the following day as well as any issues which
have arisen that may delay the on-time completion of the engagement.
All communication is secured using industry accepted encryption software to ensure critical information
is not compromised.
MANUFACTURER DOCUMENTATION
Accuvant will assist the client in obtaining the manufacturer's documentation for the product through
the support site.
FINAL REPORT
Accuvant will provide an installation summary report with recommendations as appropriate to onsite
findings. This will include an executive level summary as well as relevant detailed technical findings
and recommendations regarding any identified weaknesses in the environment. The deliverable will
consist of the following sections:
• Executive Summary — A one to two page summary of the findings of the
assessment.
• Work Performed — A detailed listing of each of the testing activities
performed by phase, with links to the reports and outputs created by all of
the tools used during the project.
• Findings and Recommendations — A listing of the security issues that were
identified, the risk they pose and recommendations on how to fix them.
VERSIONS AND UPGRADES
Accuvant will apply the most current version available (or as appropriate the best known stable version
consistent with Newport Beach Police Department's patch management policy), of software, patches and
manufacturer provided fixes to the installed system(s), provided the systems are current on maintenance
and support, and patches can be applied during business hours. Accuvant will apply one major patch
upgrade. Multiple serial patch upgrades may require additional time and a scope change.
SYSTEM ACCESS AND PASSWORDS
The Accuvant consultant will require system passwords and access to the equipment to be configured.
Accuvant suggests the Newport Beach Police Department should use a temporary password during the
engagement and change passwords upon project completion.
Professional Considerations
Scheduling
Accuvant estimates this project will take approximately 5 man-days and will be completed over a one week
period. Of the estimated 5 days, 4 days are expected to be on-site and the remaining time has been allocated
for documenting the solution, and will be conducted off-site.
Accuvant proposes using at least one of our Consultants (bios available upon request) on an as needed basis
for the appropriate time necessary to perform the work outlined in this proposal. Accuvant and Newport Beach
Police Department will agree to work together to schedule time in advance when both parties will have
resources available for the project.
Project Completion
Accuvant may request that Newport Beach Police Department acknowledge completion of the contract in
writing via a Certificate of Acceptance, which would be used to signify the successful completion of the
consulting engagement.
Change in Scope of Services
In the event that unforeseen factors change this Services scope of work and/or impact the term and cost of
Accuvant-provided Services, Newport Beach Police Department and Accuvant may mutually revise the SOW
and Accuvant shall provide customer with an estimate of the impact of such revisions on the fees, payment
terms, completion schedule and other applicable provisions of the SOW. If the parties mutually agree to such
changes, a written description of the agreed change ("Change Order") shall be prepared, incorporating such
changes to the SOW and shall be signed by both parties. The terms of a Change Order Form prevail over
those of the SOW.
Project Assumptions
The ability to complete this engagement in an efficient and timely manner is critical to Accuvant. The
assumptions listed below set forth the expectations of the working relationship between Newport Beach
Police Department and Accuvant.
Accuvant
• The work is to be performed consecutively until project completion. There will be no break in services
other than weekends and/or Accuvant recognized holidays
• Our consultants consider all Newport Beach Police Department information and documentation as
sensitive and confidential and will handle appropriately
• Our consultants recognize the value of knowledge transfer and will encourage Newport Beach Police
Department to participate in all appropriate aspects of the project
• Our consultants and/or project managers will notify Newport Beach Police Department of any items
that may be delayed as soon as possible in order to determine ways to manage any impact (i.e., cost,
timeframes, modifications, etc.)
• All deliverables will, after completion, be reviewed jointly by Newport Beach Police Department and
Accuvant consultants
• Accuvant is not responsible for providing any services or performing any tasks not specifically set
forth in this SOW
• Accuvant shall have no responsibility for other contractors or third parties engaged on the project
unless expressly agreed to in writing
Newport Beach Police Department
• Provides a single point of contact within Newport Beach Police Department's organization to help
Accuvant consultants coordinate access to the required project materials and personnel
• Provides documents/diagrams detailing the existing policies, specifications and/or architecture in a
timely manner
• Provides a safe working environment, including a workspace, telephone and network (and Internet)
access for the purpose of time entry, email and project-related efforts
• Provides any necessary building, parking and/or machine room badges/passes to Accuvant
consultants
• Accuvant consultants will be reliant on Newport Beach Police Department staff to complete identified
tasks and participate in interviews. Newport Beach Police Department's inability to provide this staff
may affect the completion of tasks and/or deliverables.
• Deliverables will be reviewed by Newport Beach Police Department and returned with comments
within ten business days of delivery. Acceptance of the deliverable will be assumed if no comments
are received from Newport Beach Police Department during that time.
If the Newport Beach Police Department assumptions listed above cannot be met, there may be a negative
impact on project duration or cost. For example, time that an Accuvant consultant is prevented from working
due to a delay caused by Newport Beach Police Department is billable, and will increase the price of a fixed
fee or time-based project. If there are deviations in scope, effort or duration, a change order will be necessary
and an addendum for additional effort will be created. All changes in scope or duration will be negotiated
between Accuvant and Newport Beach Police Department.
Project Management Approach
Accuvant recognizes the importance of our client's awareness of the engagement progress and ongoing open
communication throughout the project. In order to assist in this requirement, Accuvant has implemented a
number of procedures as part of our engagements to ensure that this awareness and open communication
channels are maintained.
Pre-Engagement
A primary objective of the Accuvant project management services is to make the project as smooth of an
experience for the client as possible. To accomplish this goal, the project coordinator engages the client
during the pre-engagement call and pre-engagement validation.
This pre-engagement call allows Accuvant consultants to gather the detailed information about the client's
environment necessary to perform the project. Accuvant consultants will drive this discussion by going
through a pre-engagement checklist with client personnel. The primary goals are to confirm the scope of work
has been accurately captured in the project proposal and to identify any significant obstacles to completion
prior to beginning the engagement. Specific tasks performed in this phase include:
• Reviewing the project proposal
• Confirming basic project logistics
• Walking through the sequence of tasks to be performed
• Listing and assigning any action items necessary to complete prior to the project commencing
Following the pre-engagement call, the practice manager or managing consultant engages Accuvant's
consultant(s) to provide support in meeting project assumptions and action items from the pre-engagement
call. Establishing the proper environment for the first day of engagement is paramount in creating a smooth
and successful Accuvant experience for the client.
Ongoing Communications
To ensure your project is completed in a timely manner, with minimum impact to both system resources and
personnel, Accuvant utilizes various communication methods during each phase. The list below details the
methods utilized to ensure consistent ongoing communication with our clients throughout the engagement:
• Accuvant delivers daily or weekly status report to our primary client contact detailing activities, what is
planned for the following day or week, as well as any issues which have arisen that may delay the on-time
completion of the engagement.
• Accuvant also utilizes informal communication including e-mails and phone calls to ensure the client
is kept informed during the project.
• All communication is secured utilizing industry accepted encryption software to ensure critical
information is not compromised.
• Our engagement model creates an environment in which the client, project manager and consultant
are constantly communicating
Project Information
Project Location
Locations: Remote [ X ] Onsite [ X ]
Address(es): 870 Santa Barbara Dr
Newport Beach, CA 92660
Special Directions:
Client Contacts
Project Lead: John Veale
Phone Number: 949.644.3649
Email: jveale@nbpd.org
Billing Contact: John Veale
Phone Number: 949.644.3849
Email: jveale@nbpd.org
Billing Address: 870 Santa Barbara Dr
Newport Beach, CA 92660
Accuvant Contacts
Account Manager: Ray Burgess
Phone Number: 714.904.9283
Email: rburgess@accuvant.com
Solutions Engineer: Juan Ruben Sanchez
Phone Number: 858.449.1972
Email: juan.sanchez@accuvant.com
Project Fees, Expenses, Payment Schedule
Fees
The Services shall be performed on a time and materials basis and are detailed in the table below.
Services to be rendered: ACVT-TS-ARC-TM | 5 Days | $1,800/day
• Install ArcSight Logger
• Configure log sources
• Provide training
Payment Schedule
Payment is based on the following schedule:
• Accuvant will invoice Newport Beach Police Department on a monthly basis, for the actual hours
worked during the previous period
• Each invoice is due and payable within 30 days of invoice date
• In the event Newport Beach Police Department delays or puts the project on hold, Accuvant reserves
the right to bill for the portion of work performed up to that point
Travel & Expenses
Travel and expenses are not included in the estimate and will be billed monthly as incurred. Accuvant will
make every attempt to incur reasonable expenses associated with the implementation of the project. Valid
expenses typically include parking, meals (unless a per diem is agreed upon), lodging, photocopying and
communication costs. Travel costs include: airfare, mileage (if a personal car is used) and automobile rental.
If international travel is required, additional expenses may be incurred. Accuvant assumes that any required
travel will be booked a minimum of two weeks in advance of any onsite portion of the engagement. Travel
and expenses shall not exceed $2,000.
Appendix A - Equipment and Log Source List
System Information
ArcSight Appliance L3400 Server
Log Sources
1. Windows Domain Authentication
2. Firewall Logs
3. Standard Syslog Connector
Appendix B - SIEM Pre-Installation Preparation Steps
[Preparation steps table, pages 14 and 15: contents not legible in this copy.]
Appendix C - Minimum Recommended Logging Policy
In order to meet compliance requirements and enable security threat monitoring, key standard events need to
be logged.
These include:
A. All authentication events (success and failure)
B. Moves, adds and changes (MAC)
C. Access or Modification of critical files (PII, Credit Card data, Sensitive/Classified files, Configurations)
D. Permits and Denies by Policy for Network Devices
Each application or device is unique and may have different choices on what to monitor and how to output
required events. Customer-specific hardening and logging policies by device type are recommended in
addition to this minimum policy.
Each system reporting to a centralized log source should be synchronized to a standard NTP time server and
should use UTC (or another policy to be agreed to and universally applied to all log sources).
Retention Period
A minimum of 30 days online and 3 years offline is a recommended minimum log retention period.
Authentication
A. Should include the source address associated with the authentication event (IP, MAC, or Proxy
Session ID)
B. Should include the result, Success, or Failure, and the output code (account locked, invalid
account...) – where possible map to the original vendor signature ID/Number
C. Target account name or ID
MAC
Moves, adds and changes should include the same fields as authentication events plus target ID/Change
data.
1. Should include the source address associated with the authentication event (IP, MAC, or Proxy
Session ID)
2. Should include the result, Success, or Failure, and the output code (account locked, invalid
account...)
3. Target account name or ID
4. Account/Group/File/Policy changed
5. Type of change made (add, delete, add new member)
Access or Modification of Sensitive Files
Access and modifications to sensitive files, folders or objects should be logged for any key data that contains
system configuration settings, user access settings, personally identifiable information (PII), credit card data,
or sensitive files (Human Resource, Accounting, Financial Information...). These types of events should
include the same fields as above plus the type of access (read/write/modify/delete), and the object acted
upon.
1. Should include the source address associated with the authentication event (IP, MAC, or Proxy
Session ID)
2. Should include the result, Success, or Failure, and the output code
3. Target account name or ID
4. Object modified
5. Type of change made (read, add, delete, update, grant permission or role, remove permission, modify
logging policy)
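One way to check collected events against the Appendix C minimum fields for authentication, MAC and sensitive-file events, shown as an added example that is not part of the original document. The normalized field names (`src_ip`, `output_code`, `changed_object` and so on), the category labels and the sample events are assumptions constructed for illustration; the UTC check follows the NTP/UTC recommendation above.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Field names are assumptions for this example: Appendix C names the
# information each event must carry, not a schema.
BASE_FIELDS = ("result", "output_code", "target_account")
EXTRA_FIELDS = {
    "authentication": (),
    "mac": ("changed_object", "change_type"),   # moves, adds and changes
    "file_access": ("object", "access_type"),   # sensitive files and objects
}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def timestamp_problem(event):
    """Timestamps must parse and carry a zero UTC offset."""
    ts = event.get("timestamp")
    if not ts:
        return "missing timestamp"
    try:
        parsed = datetime.fromisoformat(ts)
    except (TypeError, ValueError):
        return "timestamp is not ISO 8601"
    # A naive timestamp has utcoffset() None and is rejected as well.
    if parsed.utcoffset() != timedelta(0):
        return "timestamp is not in UTC"
    return None


def source_problem(event):
    """Accept an IP address, a MAC address or a proxy session ID as the source."""
    if event.get("src_ip"):
        try:
            ipaddress.ip_address(event["src_ip"])
            return None
        except ValueError:
            return "src_ip is not a valid IP address"
    if event.get("src_mac"):
        return None if MAC_RE.match(event["src_mac"]) else "src_mac is malformed"
    if event.get("proxy_session_id"):
        return None
    return "no source address (src_ip, src_mac or proxy_session_id)"


def check_event(event):
    """Return the list of gaps against the minimum policy for one event."""
    category = event.get("category")
    if category not in EXTRA_FIELDS:
        return [f"unknown category: {category!r}"]
    problems = [p for p in (timestamp_problem(event), source_problem(event)) if p]
    for field in BASE_FIELDS + EXTRA_FIELDS[category]:
        if event.get(field) in (None, ""):
            problems.append(f"missing {field}")
    result = event.get("result")
    if result and str(result).lower() not in ("success", "failure"):
        problems.append(f"result must be success or failure, got {result!r}")
    return problems


# Constructed sample events, one per category.
SAMPLE_EVENTS = [
    {"category": "authentication", "timestamp": "2013-08-20T17:04:11+00:00",
     "src_ip": "10.20.30.40", "result": "failure",
     "output_code": "account locked", "target_account": "jdoe"},
    {"category": "mac", "timestamp": "2013-08-20T10:05:00-07:00",
     "src_ip": "10.20.30.41", "result": "success", "output_code": "0",
     "target_account": "svc_backup", "changed_object": "Domain Admins"},
    {"category": "file_access", "timestamp": "2013-08-20T17:06:30+00:00",
     "proxy_session_id": "sess-0042", "result": "denied", "output_code": "5",
     "target_account": "jdoe", "object": "/etc/app/config.ini",
     "access_type": "modify"},
]

if __name__ == "__main__":
    for index, event in enumerate(SAMPLE_EVENTS):
        gaps = check_event(event)
        print(index, event["category"], "OK" if not gaps else "; ".join(gaps))
```

Running a check like this against the sample logs collected per event source shows which sources need their logging policy adjusted before they are connected to the collector.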
Network Devices
In addition to authentication events, moves, adds and changes...
Firewalls will need to log both accepts and denies.
Routers, switches should log all ACL denies (accepts are not required or suggested for intra-network
communication, but should be logged on border devices).
IDS/IPS/WAF/DAM/DLP — should log all active signatures for allow or block
SIEM/Centralized Log Management Considerations
• For SIEM/Log Management integration, syslog is often the preferred output and easiest to integrate,
however the specific vendor's product log integration guides should be consulted.
• For custom applications that cannot send output via syslog, output to text file (CSV or RTF) is often the
next best choice.
• Most SIEM/LM solutions can also pull data via ODBC/SQL calls to database applications. These types of
calls require a query appropriate to the database with two additional fields — a unique record identifier
and/or a time stamp.
    • Often, scheduling output of scheduled queries to CSV/RTF files is preferred by database
    application owners to limit the effect of a query on the application.
    • By allowing the application owner to write the query used for custom applications, the application
    owner can limit the fields displayed to avoid leaking sensitive data.
• Output via SNMP is supported by some devices and SIEM/LM feeds. SNMP is often a last resort due to
authentication issues, and the complexity of OID to event matching.
    • SNMP v1 & v2 do not support authentication
    • SNMP v3 is not supported by many applications
    • Object Identifiers (OID) are numeric multi-field values (i.e. 1.3.6.1.4.1.5518) that are mapped back
    to events via MIBs. These can be complex and difficult to understand.
Where possible, it is strongly recommended that sample logs with a schema be collected for each critical
event and event source.
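Why the database pull query needs a unique record identifier and not only a time stamp, shown as an added example that is not part of the original document. Python's `sqlite3` stands in for the ODBC source; the `app_audit` table, its columns, the `Collector` class and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

COLUMNS = "record_id, event_time, username, action, outcome"
# Queries an application owner could approve: only the fields the SIEM needs,
# never the sensitive card_number column.
PULL_BY_ID = (f"SELECT {COLUMNS} FROM app_audit "
              "WHERE record_id > ? ORDER BY record_id LIMIT ?")
PULL_BY_TIME = (f"SELECT {COLUMNS} FROM app_audit "
                "WHERE event_time > ? ORDER BY event_time, record_id LIMIT ?")


def make_db():
    """Build a constructed application audit table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE app_audit (
               record_id   INTEGER PRIMARY KEY AUTOINCREMENT,
               event_time  TEXT NOT NULL,   -- UTC, ISO 8601
               username    TEXT NOT NULL,
               action      TEXT NOT NULL,
               outcome     TEXT NOT NULL,
               card_number TEXT             -- sensitive, must not reach the SIEM
           )"""
    )
    return db


def add_event(db, event_time, username, action, outcome, card_number=None):
    db.execute(
        "INSERT INTO app_audit (event_time, username, action, outcome, card_number)"
        " VALUES (?, ?, ?, ?, ?)",
        (event_time, username, action, outcome, card_number),
    )


class Collector:
    """Polls the table and remembers the last value of its bookmark column."""

    def __init__(self, db, query, bookmark, key_index):
        self.db = db
        self.query = query
        self.bookmark = bookmark
        self.key_index = key_index
        self.rows = []

    def poll(self, batch=100):
        new = self.db.execute(self.query, (self.bookmark, batch)).fetchall()
        if new:
            # Advance the bookmark to the last row delivered in this batch.
            self.bookmark = new[-1][self.key_index]
            self.rows.extend(new)
        return new


def run_demo():
    """Return the rows collected with an ID bookmark and with a time bookmark."""
    db = make_db()
    by_id = Collector(db, PULL_BY_ID, 0, key_index=0)
    by_time = Collector(db, PULL_BY_TIME, "", key_index=1)

    add_event(db, "2013-08-20T17:00:00+00:00", "jdoe", "login", "success")
    add_event(db, "2013-08-20T17:00:01+00:00", "jdoe", "update_payment",
              "success", card_number="4111111111111111")  # constructed value
    by_id.poll()
    by_time.poll()

    # Written after the first poll but stamped with the same second as record 2.
    add_event(db, "2013-08-20T17:00:01+00:00", "asmith", "login", "failure")
    add_event(db, "2013-08-20T17:00:02+00:00", "asmith", "login", "success")
    by_id.poll()
    by_time.poll()
    return by_id.rows, by_time.rows


if __name__ == "__main__":
    id_rows, time_rows = run_demo()
    print("ID bookmark collected:  ", [r[0] for r in id_rows])
    print("Time bookmark collected:", [r[0] for r in time_rows])
```

The time-stamp bookmark silently skips record 3, a failed login, because it shares a second with the last row already collected; switching the comparison to `>=` would instead deliver record 2 twice.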
Appendix D - CJIS Logging Requirements
5.4 Policy Area 4: Auditing and Accountability
Agencies shall implement audit and accountability controls to increase the probability of authorized users
conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components
that compose their information systems to determine which security controls are applicable to the various
components.
Auditing controls are typically applied to the components of an information system that provide auditing
capability (servers, etc.) and would not necessarily be applied to every user-level workstation within the
agency. As technology advances, more powerful and diverse functionality can be found in such devices as
personal digital assistants and cellular telephones, which may require the application of security controls in
accordance with an agency assessment of risk.
5.4.1 Auditable Events and Content (Information Systems)
The agency's information system shall generate audit records for defined events. These defined events
include identifying significant events which need to be audited as relevant to the security of the information
system. The agency shall specify which information system components carry out auditing activities. Auditing
activity can affect information system performance and this issue must be considered as a separate factor
during the acquisition of information systems.
The agency's information system shall produce, at the application and/or operating system level, audit
records containing sufficient information to establish what events occurred, the sources of the events, and the
outcomes of the events. The agency shall periodically review and update the list of agency-defined auditable
events. In the event an agency does not use an automated system, manual recording of activities shall still
take place.
5.4.1.1 Events
The following events shall be logged:
1. Successful and unsuccessful system log-on attempts.
2. Successful and unsuccessful attempts to access, create, write, delete or change permission on a user
account file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to access, modify, or destroy the audit log file.
5.4.1.1.1 Content
The following content shall be included with every audited event:
1. Date and time of the event.
2. The component of the information system (e.g., software component, hardware component) where the
event occurred.
3. Type of event.
4. User/subject identity.
5. Outcome (success or failure) of the event.
5.4.2 Response to Audit Processing Failures
The agency's information system shall provide alerts to appropriate agency officials in the event of an audit
processing failure. Audit processing failures include, for example: software/hardware errors, failures in the
audit capturing mechanisms, and audit storage capacity being reached or exceeded.
5.4.3 Audit Monitoring, Analysis, and Reporting
The responsible management official shall designate an individual or position to review/analyze information
system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or
suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit
review/analysis shall be conducted at a minimum once a week. The frequency of review/analysis shall be
increased when the volume of an agency's processing indicates an elevated need for audit review. The
agency shall increase the level of audit monitoring and analysis activity within the information system
whenever there is an indication of increased risk to agency operations, agency assets, or individuals based
on law enforcement information, intelligence information, or other credible sources of information.
5.4.4 Time Stamps
The agency's information system shall provide time stamps for use in audit record generation. The time
stamps shall include the date and time values generated by the internal system clocks in the audit records.
The agency shall synchronize internal information system clocks on an annual basis.
5.4.5 Protection of Audit Information
The agency's information system shall protect audit information and audit tools from modification, deletion
and unauthorized access.
5.4.6 Audit Record Retention
The agency shall retain audit records for at least 365 days. Once the minimum retention time period has
passed, the agency shall continue to retain audit records until it is determined they are no longer needed for
administrative, legal, audit, or other operational purposes. This includes, for example, retention and
availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law
enforcement actions.
5.4.7 Logging NCIC and III Transactions
A log shall be maintained for a minimum of one (1) year on all NCIC and III transactions. The III portion of the
log shall clearly identify both the operator and the authorized receiving agency. III logs shall also clearly
identify the requester and the secondary recipient. The identification on the log shall take the form of a unique
identifier that shall remain unique to the individual requester and to the secondary recipient throughout the
minimum one year retention period.
5.4.8 References/Citations/Directives
Appendix I contains all of the references used in this policy and may contain additional sources that apply to
this section.
INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES
1. Provision of Insurance. Without limiting Consultant's indemnification of City, and
prior to commencement of Work, Consultant shall obtain, provide and maintain at
its own expense during the term of this Agreement, policies of insurance of the
type and amounts described below and in a form satisfactory to City. Consultant
agrees to provide insurance in accordance with requirements set forth here. If
Consultant uses existing coverage to comply and that coverage does not meet
these requirements, Consultant agrees to amend, supplement or endorse the
existing coverage.
2. Acceptable Insurers. All insurance policies shall be issued by an insurance
company currently authorized by the Insurance Commissioner to transact
business of insurance in the State of California, with an assigned policyholders'
Rating of A- (or higher) and Financial Size Category Class VII (or larger) in
accordance with the latest edition of Best's Key Rating Guide, unless otherwise
approved by the City's Risk Manager.
3. Coverage Requirements.
A. Workers' Compensation Insurance. Consultant shall maintain Workers'
Compensation Insurance, statutory limits, and Employer's Liability
Insurance with limits of at least one million dollars ($1,000,000) each
accident for bodily injury by accident and each employee for bodily injury
by disease in accordance with the laws of the State of California, Section
3700 of the Labor Code.
Consultant shall submit to City, along with the certificate of insurance, a
Waiver of Subrogation endorsement in favor of City, its officers, agents,
employees and volunteers.
B. General Liability Insurance. Consultant shall maintain commercial general
liability insurance, and if necessary umbrella liability insurance, with
coverage at least as broad as provided by Insurance Services Office form
CG 00 01, in an amount not less than one million dollars ($1,000,000) per
occurrence, one million dollars ($1,000,000) general aggregate. The
policy shall cover liability arising from premises, operations, personal and
advertising injury, and liability assumed under an insured contract
(including the tort liability of another assumed in a business contract) with
no endorsement or modification limiting the scope of coverage for liability
assumed under a contract.
C. Automobile Liability Insurance. Consultant shall maintain automobile
insurance at least as broad as Insurance Services Office form CA 00 01
covering bodily injury and property damage for all activities of Consultant
arising out of or in connection with Work to be performed under this
Agreement, including coverage for any owned, hired, non-owned or rented
vehicles, in an amount not less than one million dollars ($1,000,000)
combined single limit each accident.
D. Professional Liability (Errors & Omissions) Insurance. Consultant shall
maintain professional liability insurance that covers the Services to be
performed in connection with this Agreement, in the minimum amount of
one million dollars ($1,000,000) per claim and in the aggregate. Any policy
inception date, continuity date, or retroactive date must be before the
Effective Date of this Agreement and Consultant agrees to maintain
continuous coverage through a period no less than three years after
completion of the Services required by this Agreement.
4. Other Insurance Requirements. The policies are to contain, or be endorsed to
contain, the following provisions:
A. Waiver of Subrogation. All insurance coverage maintained or procured
pursuant to this Agreement shall be endorsed to waive subrogation
against City, its elected or appointed officers, agents, officials, employees
and volunteers or shall specifically allow Consultant or others providing
insurance evidence in compliance with these requirements to waive their
right of recovery prior to a loss. Consultant hereby waives its own right of
recovery against City, and shall require similar written express waivers
from each of its subconsultants.
B. Additional Insured Status. All liability policies including general liability,
excess liability, pollution liability, and automobile liability, if required, but
not including professional liability, shall provide or be endorsed to provide
that City and its officers, officials, employees, and agents shall be included
as insureds under such policies.
C. Primary and Non Contributory. All liability coverage shall apply on a
primary basis and shall not require contribution from any insurance or
self-insurance maintained by City.
D. Notice of Cancellation. All policies shall provide City with thirty (30)
calendar days notice of cancellation (except for nonpayment for which ten
(10) calendar days notice is required) or nonrenewal of coverage for each
required coverage.
5. Additional Agreements Between the Parties. The parties hereby agree to the
following:
A. Evidence of Insurance. Consultant shall provide certificates of insurance
to City as evidence of the insurance coverage required herein, along with
a waiver of subrogation endorsement for workers' compensation and other
endorsements as specified herein for each coverage. Insurance
certificates and endorsement must be approved by City's Risk Manager
prior to commencement of performance. Current certification of insurance
shall be kept on file with City at all times during the term of this
Agreement. City reserves the right to require complete, certified copies of
all required insurance policies, at any time.
B. City's Right to Revise Requirements. City reserves the right at any time
during the term of the Agreement to change the amounts and types of
insurance required by giving Consultant sixty (60) calendar days advance
written notice of such change. If such change results in substantial
additional cost to Consultant, City and Consultant may renegotiate
Consultant's compensation.
C. Enforcement of Agreement Provisions. Consultant acknowledges and
agrees that any actual or alleged failure on the part of City to inform
Consultant of non-compliance with any requirement imposes no additional
obligations on City nor does it waive any rights hereunder.
D. Requirements not Limiting. Requirements of specific coverage features
or limits contained in this Section are not intended as a limitation on
coverage, limits or other requirements, or a waiver of any coverage
normally provided by any insurance. Specific reference to a given
coverage feature is for purposes of clarification only as it pertains to a
given issue and is not intended by any party or insured to be all inclusive,
or to the exclusion of other coverage, or a waiver of any type.
E. Self-insured Retentions. Any self-insured retentions must be declared to
and approved by City. City reserves the right to require that self-insured
retentions be eliminated, lowered, or replaced by a deductible.
Self-insurance will not be considered to comply with these requirements unless
approved by City.
F. City Remedies for Non-Compliance. If Consultant or any subconsultant
fails to provide and maintain insurance as required herein, then City shall
have the right but not the obligation, to purchase such insurance, to
terminate this Agreement, or to suspend Consultant's right to proceed until
proper evidence of insurance is provided. Any amounts paid by City shall,
at City's sole option, be deducted from amounts payable to Consultant or
reimbursed by Consultant upon demand.
G. Timely Notice of Claims. Contractor shall give City prompt and timely
notice of claims made or suits instituted that arise out of or result from
Contractor's performance under this Contract, and that involve or may
involve coverage under any of the required liability policies. City assumes
no obligation or liability by such notice, but has the right (but not the duty)
to monitor the handling of any such claim or claims if they are likely to
involve City.
H. Consultant's Insurance. Consultant shall also procure and maintain, at its
own cost and expense, any additional kinds of insurance, which in its own
judgment may be necessary for its proper protection and prosecution of
the Work.