The URL can be used to link to this page

Home My WebLink AboutAgreement - Securance LLC - Cyber Security Assesment, Cyber Resilience Program, & Implementation Plan - Signed 2022-01-18 -1- 4835-2267-0361v1 LAC\04706083 AGREEMENT FOR SERVICES (For contracts over $5,000 - CONSULTANT) This AGREEMENT made this 13th day of January, 2022, between: CITY: City of Gilroy, having a principal place of business at 7351 Rosanna Street, Gilroy, California and CONSULTANT: Securance LLC, having a principal place of business at 13904 Monroes Business Park Tampa, FL 33635. ARTICLE 1. TERM OF AGREEMENT This Agreement will become effective on and will continue in effect through June 30, 2022 unless terminated in accordance with the provisions of Article 7 of this Agreement. Any lapse in insurance coverage as required by Article 5, Section D of this Agreement shall terminate this Agreement regardless of any other provision stated herein. ______ Initial ARTICLE 2. INDEPENDENT CONTRACTOR STATUS It is the express intention of the parties that CONSULTANT is an independent contractor and not an employee, agent, joint venturer or partner of CITY. Nothing in this Agreement shall be interpreted or construed as creating or establishing the relationship of employer and employee between CITY and CONSULTANT or any employee or agent of CONSULTANT. Both parties acknowledge that CONSULTANT is not an employee for state or federal tax purposes. CONSULTANT shall not be entitled to any of the rights or benefits afforded to CITY’S employees, including, without limitation, disability or unemployment insurance, workers’ compensation, medical insurance, sick leave, retirement benefits or any other employment benefits. CONSULTANT shall retain the right to perform services for others during the term of this Agreement. ARTICLE 3. SERVICES TO BE PERFORMED BY CONSULTANT A. Specific Services CONSULTANT agrees to: Perform the services as outlined in Exhibit “A” (“Specific Provisions”) and Exhibit “B” (“Scope of Services”), within the time periods described in Exhibit “C” (“Milestone Schedule”). DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 1/18/2022 -2- 4835-2267-0361v1 LAC\04706083 B. Method of Performing Services CONSULTANT shall determine the method, details and means of performing the above- described services. CITY shall have no right to, and shall not, control the manner or determine the method of accomplishing CONSULTANT’S services. C. Employment of Assistants CONSULTANT may, at the CONSULTANT’S own expense, employ such assistants as CONSULTANT deems necessary to perform the services required of CONSULTANT by this Agreement, subject to the prohibition against assignment and subcontracting contained in Article 5 below. CITY may not control, direct, or supervise CONSULTANT’S assistants in the performance of those services. CONSULTANT assumes full and sole responsibility for the payment of all compensation and expenses of these assistants and for all state and federal income tax, unemployment insurance, Social Security, disability insurance and other applicable withholding. D. Place of Work CONSULTANT shall perform the services required by this Agreement at any place or location and at such times as CONSULTANT shall determine is necessary to properly and timely perform CONSULTANT’S services. ARTICLE 4. COMPENSATION A. Consideration In consideration for the services to be performed by CONSULTANT, CITY agrees to pay CONSULTANT the amounts set forth in Exhibit “D” (“Payment Schedule”). In no event however shall the total compensation paid to CONSULTANT exceed $89,838.00. B. Invoices CONSULTANT shall submit invoices for all services rendered. C. Payment Payment shall be due according to the payment schedule set forth in Exhibit “D”. No payment will be made unless CONSULTANT has first provided City with a written receipt of invoice describing the work performed and any approved direct expenses (as provided for in Exhibit “A”, Section IV) incurred during the preceding period. If CITY objects to all or any portion of any invoice, CITY shall notify CONSULTANT of the objection within thirty (30) days from receipt of the invoice, give reasons for the objection, and pay that portion of the invoice not in dispute. It shall not constitute a default or breach of this Agreement for CITY not to pay any invoiced amounts to which it has objected until the objection has been resolved by mutual agreement of the parties. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -3- 4835-2267-0361v1 LAC\04706083 D. Expenses CONSULTANT shall be responsible for all costs and expenses incident to the performance of services for CITY, including but not limited to, all costs of equipment used or provided by CONSULTANT, all fees, fines, licenses, bonds or taxes required of or imposed against CONSULTANT and all other of CONSULTANT’S costs of doing business. CITY shall not be responsible for any expenses incurred by CONSULTANT in performing services for CITY, except for those expenses constituting “direct expenses” referenced on Exhibit “A.” ARTICLE 5. OBLIGATIONS OF CONSULTANT A. Tools and Instrumentalities CONSULTANT shall supply all tools and instrumentalities required to perform the services under this Agreement at its sole cost and expense. CONSULTANT is not required to purchase or rent any tools, equipment or services from CITY. B. Workers’ Compensation CONSULTANT agrees to provide workers’ compensation insurance for CONSULTANT’S employees and agents and agrees to hold harmless, defend with counsel acceptable to CITY and indemnify CITY, its officers, representatives, agents and employees from and against any and all claims, suits, damages, costs, fees, demands, causes of action, losses, liabilities and expenses, including without limitation reasonable attorneys’ fees, arising out of any injury, disability, or death of any of CONSULTANT’S employees. C. Indemnification of Liability, Duty to Defend 1. As to professional liability, to the fullest extent permitted by law, CONSULTANT shall defend, through counsel approved by CITY (which approval shall not be unreasonably withheld), indemnify and hold harmless CITY, its officers, representatives, agents and employees against any and all suits, damages, costs, fees, claims, demands, causes of action, losses, liabilities and expenses, including without limitation attorneys’ fees, to the extent arising or resulting directly or indirectly from any willful or negligent acts, errors or omissions of CONSULTANT or CONSULTANT’S assistants, employees or agents, including all claims relating to the injury or death of any person or damage to any property. 2. As to other liability, to the fullest extent permitted by law, CONSULTANT shall defend, through counsel approved by CITY (which approval shall not be unreasonably withheld), indemnify and hold harmless CITY, its officers, representatives, agents and employees against any and all suits, damages, costs, fees, claims, demands, causes of action, losses, liabilities and expenses, including without limitation attorneys’ fees, arising or resulting directly or indirectly from any act or omission of CONSULTANT or CONSULTANT’S assistants, employees or agents, including all claims relating to the injury or death of any person or damage to any property. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -4- 4835-2267-0361v1 LAC\04706083 D. Insurance In addition to any other obligations under this Agreement, CONSULTANT shall, at no cost to CITY, obtain and maintain throughout the term of this Agreement: (a) Commercial Liability Insurance on a per occurrence basis, including coverage for owned and non-owned automobiles, with a minimum combined single limit coverage of $1,000,000 per occurrence for all damages due to bodily injury, sickness or disease, or death to any person, and damage to property, including the loss of use thereof; and (b) Professional Liability Insurance (Errors & Omissions) with a minimum coverage of $1,000,000 per occurrence or claim, and $2,000,000 aggregate; provided however, Professional Liability Insurance written on a claims made basis must comply with the requirements set forth below. Professional Liability Insurance written on a claims made basis (including without limitation the initial policy obtained and all subsequent policies purchased as renewals or replacements) must show the retroactive date, and the retroactive date must be before the earlier of the effective date of the contract or the beginning of the contract work. Claims made Professional Liability Insurance must be maintained, and written evidence of insurance must be provided, for at least five (5) years after the completion of the contract work. If claims made coverage is canceled or non-renewed, and not replaced with another claims-made policy form with a retroactive date prior to the earlier of the effective date of the contract or the beginning of the contract work, CONSULTANT must purchase so called “extended reporting” or “tail” coverage for a minimum of five (5) years after completion of work, which must also show a retroactive date that is before the earlier of the effective date of the contract or the beginning of the contract work. As a condition precedent to CITY’S obligations under this Agreement, CONSULTANT shall furnish written evidence of such coverage (naming CITY, its officers and employees as additional insureds on the Comprehensive Liability insurance policy referred to in (a) immediately above via a specific endorsement) and requiring thirty (30) days written notice of policy lapse or cancellation, or of a material change in policy terms. E. Assignment Notwithstanding any other provision of this Agreement, neither this Agreement nor any duties or obligations of CONSULTANT under this Agreement may be assigned or subcontracted by CONSULTANT without the prior written consent of CITY, which CITY may withhold in its sole and absolute discretion. F. State and Federal Taxes As CONSULTANT is not CITY’S employee, CONSULTANT shall be responsible for paying all required state and federal taxes. Without limiting the foregoing, CONSULTANT acknowledges and agrees that: • CITY will not withhold FICA (Social Security) from CONSULTANT’S payments; • CITY will not make state or federal unemployment insurance contributions on CONSULTANT’S behalf; DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -5- 4835-2267-0361v1 LAC\04706083 • CITY will not withhold state or federal income tax from payment to CONSULTANT; • CITY will not make disability insurance contributions on behalf of CONSULTANT; • CITY will not obtain workers’ compensation insurance on behalf of CONSULTANT. ARTICLE 6. OBLIGATIONS OF CITY A. Cooperation of City CITY agrees to respond to all reasonable requests of CONSULTANT and provide access, at reasonable times following receipt by CITY of reasonable notice, to all documents reasonably necessary to the performance of CONSULTANT’S duties under this Agreement. B. Assignment CITY may assign this Agreement or any duties or obligations thereunder to a successor governmental entity without the consent of CONSULTANT. Such assignment shall not release CONSULTANT from any of CONSULTANT’S duties or obligations under this Agreement. ARTICLE 7. TERMINATION OF AGREEMENT A. Sale of Consultant’s Business/ Death of Consultant. CONSULTANT shall notify CITY of the proposed sale of CONSULTANT’s business no later than thirty (30) days prior to any such sale. CITY shall have the option of terminating this Agreement within thirty (30) days after receiving such notice of sale. Any such CITY termination pursuant to this Article 7.A shall be in writing and sent to the address for notices to CONSULTANT set forth in Exhibit A, Subsection V.H., no later than thirty (30) days after CITY’ receipt of such notice of sale. If CONSULTANT is an individual, this Agreement shall be deemed automatically terminated upon death of CONSULTANT. B. Termination by City for Default of Consultant Should CONSULTANT default in the performance of this Agreement or materially breach any of its provisions, CITY, at CITY’S option, may terminate this Agreement by giving written notification to CONSULTANT. For the purposes of this section, material breach of this Agreement shall include, but not be limited to the following: 1. CONSULTANT’S failure to professionally and/or timely perform any of the services contemplated by this Agreement. 2. CONSULTANT’S breach of any of its representations, warranties or covenants contained in this Agreement. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -6- 4835-2267-0361v1 LAC\04706083 CONSULTANT shall be entitled to payment only for work completed in accordance with the terms of this Agreement through the date of the termination notice, as reasonably determined by CITY, provided that such payment shall not exceed the amounts set forth in this Agreement for the tasks described on Exhibit C” which have been fully, competently and timely rendered by CONSULTANT. Notwithstanding the foregoing, if CITY terminates this Agreement due to CONSULTANT’S default in the performance of this Agreement or material breach by CONSULTANT of any of its provisions, then in addition to any other rights and remedies CITY may have, CONSULTANT shall reimburse CITY, within ten (10) days after demand, for any and all costs and expenses incurred by CITY in order to complete the tasks constituting the scope of work as described in this Agreement, to the extent such costs and expenses exceed the amounts CITY would have been obligated to pay CONSULTANT for the performance of that task pursuant to this Agreement. C. Termination for Failure to Make Agreed-Upon Payments Should CITY fail to pay CONSULTANT all or any part of the compensation set forth in Article 4 of this Agreement on the date due, then if and only if such nonpayment constitutes a default under this Agreement, CONSULTANT, at the CONSULTANT’S option, may terminate this Agreement if such default is not remedied by CITY within thirty (30) days after demand for such payment is given by CONSULTANT to CITY. D. Transition after Termination Upon termination, CONSULTANT shall immediately stop work, unless cessation could potentially cause any damage or harm to person or property, in which case CONSULTANT shall cease such work as soon as it is safe to do so. CONSULTANT shall incur no further expenses in connection with this Agreement. CONSULTANT shall promptly deliver to CITY all work done toward completion of the services required hereunder, and shall act in such a manner as to facilitate any the assumption of CONSULTANT’s duties by any new consultant hired by the CITY to complete such services. ARTICLE 8. GENERAL PROVISIONS A. Amendment & Modification No amendments, modifications, alterations or changes to the terms of this Agreement shall be effective unless and until made in a writing signed by both parties hereto. B. Americans with Disabilities Act of 1990 Throughout the term of this Agreement, the CONSULTANT shall comply fully with all applicable provisions of the Americans with Disabilities Act of 1990 (“the Act”) in its current form and as it may be amended from time to time. CONSULTANT shall also require such compliance of all subcontractors performing work under this Agreement, subject to the prohibition against assignment and subcontracting contained in Article 5 above. The CONSULTANT shall defend with counsel acceptable to CITY, indemnify and hold harmless the CITY OF GILROY, its officers, employees, agents and representatives from and against all suits, claims, demands, damages, costs, causes of action, losses, liabilities, expenses and fees, DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -7- 4835-2267-0361v1 LAC\04706083 including without limitation reasonable attorneys’ fees, that may arise out of any violations of the Act by the CONSULTANT, its subcontractors, or the officers, employees, agents or representatives of either. C. Attorneys’ Fees If any action at law or in equity, including an action for declaratory relief, is brought to enforce or interpret the provisions of this Agreement, the prevailing party will be entitled to reasonable attorneys’ fees, which may be set by the court in the same action or in a separate action brought for that purpose, in addition to any other relief to which that party may be entitled. D. Captions The captions and headings of the various sections, paragraphs and subparagraphs of the Agreement are for convenience only and shall not be considered nor referred to for resolving questions of interpretation. E. Compliance with Laws The CONSULTANT shall keep itself informed of all State and National laws and all municipal ordinances and regulations of the CITY which in any manner affect those engaged or employed in the work, or the materials used in the work, or which in any way affect the conduct of the work, and of all such orders and decrees of bodies or tribunals having any jurisdiction or authority over the same. Without limiting the foregoing, CONSULTANT agrees to observe the provisions of the Municipal Code of the CITY OF GILROY, obligating every contractor or subcontractor under a contract or subcontract to the CITY OF GILROY for public works or for goods or services to refrain from discriminatory employment or subcontracting practices on the basis of the race, color, sex, religious creed, national origin, ancestry of any employee, applicant for employment, or any potential subcontractor. F. Conflict of Interest CONSULTANT certifies that to the best of its knowledge, no CITY employee or office of any public agency interested in this Agreement has any pecuniary interest in the business of CONSULTANT and that no person associated with CONSULTANT has any interest that would constitute a conflict of interest in any manner or degree as to the execution or performance of this Agreement. G. Entire Agreement This Agreement supersedes any and all prior agreements, whether oral or written, between the parties hereto with respect to the rendering of services by CONSULTANT for CITY and contains all the covenants and agreements between the parties with respect to the rendering of such services in any manner whatsoever. Each party to this Agreement acknowledges that no representations, inducements, promises or agreements, orally or otherwise, have been made by any party, or anyone acting on behalf of any party, which are not embodied herein, and that no other agreement, statement or promise not contained in this Agreement shall be valid or binding. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -8- 4835-2267-0361v1 LAC\04706083 No other agreements or conversation with any officer, agent or employee of CITY prior to execution of this Agreement shall affect or modify any of the terms or obligations contained in any documents comprising this Agreement. Such other agreements or conversations shall be considered as unofficial information and in no way binding upon CITY. H. Governing Law and Venue This Agreement shall be governed by and construed in accordance with the laws of the State of California without regard to the conflict of laws provisions of any jurisdiction. The exclusive jurisdiction and venue with respect to any and all disputes arising hereunder shall be in state and federal courts located in Santa Clara County, California. I. Notices Any notice to be given hereunder by either party to the other may be effected either by personal delivery in writing or by mail, registered or certified, postage prepaid with return receipt requested. Mailed notices shall be addressed to the parties at the addresses appearing in Exhibit “A”, Section V.H. but each party may change the address by written notice in accordance with this paragraph. Notices delivered personally will be deemed delivered as of actual receipt; mailed notices will be deemed delivered as of three (3) days after mailing. J. Partial Invalidity If any provision in this Agreement is held by a court of competent jurisdiction to be invalid, void or unenforceable, the remaining provisions will nevertheless continue in full force without being impaired or invalidated in any way. K. Time of the Essence All dates and times referred to in this Agreement are of the essence. L. Waiver CONSULTANT agrees that waiver by CITY of any one or more of the conditions of performance under this Agreement shall not be construed as waiver(s) of any other condition of performance under this Agreement. Executed at Gilroy, California, on the date and year first above written. CONSULTANT: CITY: CITY OF GILROY By: By: Name: Name: Title: Title: DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 Paul Ashe President Paul Ashe City Administrator Jimmy Forbis -9- 4835-2267-0361v1 LAC\04706083 Social Security or Taxpayer Identification Number Approved as to Form ATTEST: City Attorney City Clerk DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 03-0392503 -1- 4835-2267-0361v1 LAC\04706083 EXHIBIT “A” SPECIFIC PROVISIONS I. PROJECT MANAGER CONSULTANT shall provide the services indicated on the attached Exhibit “B”, Scope of Services (“Services”). (All exhibits referenced are incorporated herein by reference.) To accomplish that end, CONSULTANT agrees to assign Paul Ashe, who will act in the capacity of Project Manager, and who will personally direct such Services. Except as may be specified elsewhere in this Agreement, CONSULTANT shall furnish all technical and professional services including labor, material, equipment, transportation, supervision and expertise to perform all operations necessary and required to complete the Services in accordance with the terms of this Agreement. II. NOTICE TO PROCEED/COMPLETION OF SERVICE A. NOTICE TO PROCEED CONSULTANT shall commence the Services upon delivery to CONSULTANT of a written “Notice to Proceed”, which Notice to Proceed shall be in the form of a written communication from designated City contact person(s). Notice to Proceed may be in the form of e-mail, fax or letter authorizing commencement of the Services. For purposes of this Agreement, Scott Golden shall be the designated City contact person(s). Notice to Proceed shall be deemed to have been delivered upon actual receipt by CONSULTANT or if otherwise delivered as provided in the Section V.H. (“Notices”) of this Exhibit “A”. B. COMPLETION OF SERVICES When CITY determines that CONSULTANT has completed all of the Services in accordance with the terms of this Agreement, CITY shall give CONSULTANT written Notice of Final Acceptance, and CONSULTANT shall not incur any further costs hereunder. CONSULTANT may request this determination of completion when, in its opinion, it has completed all of the Services as required by the terms of this Agreement and, if so requested, CITY shall make this determination within two (2) weeks of such request, or if CITY determines that CONSULTANT has not completed all of such Services as required by this Agreement, CITY shall so inform CONSULTANT within this two (2) week period. III. PROGRESS SCHEDULE The schedule for performance and completion of the Services will be as set forth in the attached Exhibit “C”. IV. PAYMENT OF FEES AND DIRECT EXPENSES Payments shall be made to CONSULTANT as provided for in Article 4 of this Agreement. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -2- 4835-2267-0361v1 LAC\04706083 Direct expenses are charges and fees not included in Exhibit “B”. CITY shall be obligated to pay only for those direct expenses which have been previously approved in writing by CITY. CONSULTANT shall obtain written approval from CITY prior to incurring or billing of direct expenses. Copies of pertinent financial records, including invoices, will be included with the submission of billing(s) for all direct expenses. V. OTHER PROVISIONS A. STANDARD OF WORKMANSHIP CONSULTANT represents and warrants that it has the qualifications, skills and licenses necessary to perform the Services, and its duties and obligations, expressed and implied, contained herein, and CITY expressly relies upon CONSULTANT’S representations and warranties regarding its skills, qualifications and licenses. CONSULTANT shall perform such Services and duties in conformance to and consistent with the standards generally recognized as being employed by professionals in the same discipline in the State of California. Any plans, designs, specifications, estimates, calculations, reports and other documents furnished under this Agreement shall be of a quality acceptable to CITY. The minimum criteria for acceptance shall be a product of neat appearance, well-organized, technically and grammatically correct, checked and having the maker and checker identified. The minimum standard of appearance, organization and content of the drawings shall be that used by CITY for similar purposes. B. RESPONSIBILITY OF CONSULTANT CONSULTANT shall be responsible for the professional quality, technical accuracy, and the coordination of the Services furnished by it under this Agreement. CONSULTANT shall not be responsible for the accuracy of any project or technical information provided by the CITY. The CITY’S review, acceptance or payment for any of the Services shall not be construed to operate as a waiver of any rights under this Agreement or of any cause of action arising out of the performance of this Agreement, and CONSULTANT shall be and remain liable to CITY in accordance with applicable law for all damages to CITY caused by CONSULTANT’S negligent performance of any of the services furnished under this Agreement. C. RIGHT OF CITY TO INSPECT RECORDS OF CONSULTANT CITY, through its authorized employees, representatives or agents, shall have the right, at any and all reasonable times, to audit the books and records (including, but not limited to, invoices, vouchers, canceled checks, time cards, etc.) of CONSULTANT for the purpose of verifying any and all charges made by CONSULTANT in connection with this Agreement. CONSULTANT shall maintain for a minimum period of three (3) years (from the date of final payment to CONSULTANT), or for any longer period required by law, sufficient books and records in accordance with standard California accounting practices to establish the correctness of all charges submitted to CITY by CONSULTANT, all of which shall be made available to CITY at the CITY’s offices within five (5) business days after CITY’s request. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -3- 4835-2267-0361v1 LAC\04706083 D. CONFIDENTIALITY OF MATERIAL All ideas, memoranda, specifications, plans, manufacturing procedures, data (including, but not limited to, computer data and source code), drawings, descriptions, documents, discussions or other information developed or received by or for CONSULTANT and all other written and oral information developed or received by or for CONSULTANT and all other written and oral information submitted to CONSULTANT in connection with the performance of this Agreement shall be held confidential by CONSULTANT and shall not, without the prior written consent of CITY, be used for any purposes other than the performance of the Services, nor be disclosed to an entity not connected with the performance of the such Services. Nothing furnished to CONSULTANT which is otherwise known to CONSULTANT or is or becomes generally known to the related industry (other than that which becomes generally known as the result of CONSULTANT’S disclosure thereof) shall be deemed confidential. CONSULTANT shall not use CITY’S name or insignia, or distribute publicity pertaining to the services rendered under this Agreement in any magazine, trade paper, newspaper or other medium without the express written consent of CITY. E. NO PLEDGING OF CITY’S CREDIT. Under no circumstances shall CONSULTANT have the authority or power to pledge the credit of CITY or incur any obligation in the name of CITY. F. OWNERSHIP OF MATERIAL. All material including, but not limited to, computer information, data and source code, sketches, tracings, drawings, plans, diagrams, quantities, estimates, specifications, proposals, tests, maps, calculations, photographs, reports and other material developed, collected, prepared (or caused to be prepared) under this Agreement shall be the property of CITY, but CONSULTANT may retain and use copies thereof subject to Section V.D of this Exhibit “A”. CITY shall not be limited in any way in its use of said material at any time for any work, whether or not associated with the City project for which the Services are performed. However, CONSULTANT shall not be responsible for, and City shall indemnify CONSULTANT from, damages resulting from the use of said material for work other than PROJECT, including, but not limited to, the release of this material to third parties for work other than on PROJECT. G. NO THIRD PARTY BENEFICIARY. This Agreement shall not be construed or deemed to be an agreement for the benefit of any third party or parties, and no third party or parties shall have any claim or right of action hereunder for any cause whatsoever. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -4- 4835-2267-0361v1 LAC\04706083 H. NOTICES. Notices are to be sent as follows: CITY: Scott Golden Information Technology Manager scott.golden@cityofgilroy.org City of Gilroy 7351 Rosanna Street Gilroy, CA 95020 CONSULTANT: Paul Ashe President and Engagement Manager pashe@securanceconsulting.com Securance LLC 13904 Monroes Business Park Tampa, FL 33635 I. FEDERAL FUNDING REQUIREMENTS. If the box to the left of this sentence is checked, this Agreement involves federal funding and the requirements of this Section V.I. apply. If the box to the left of this sentence is checked, this Agreement does not involve federal funding and the requirements of this Section V.I. do not apply. 1. DBE Program CONSULTANT shall comply with the requirements of Title 49, Part 26, Code of Federal Regulations (49 CFR 26) and the City-adopted Disadvantaged Business Enterprise programs. 2. Cost Principles Federal Acquisition Regulations in Title 48, CFR 31, shall be used to determine the allowable cost for individual items. 3. Covenant against Contingent Fees The CONSULTANT warrants that he/she has not employed or retained any company or person, other than a bona fide employee working for the CONSULTANT, to solicit or secure this Agreement, and that he/she has not paid or agreed to pay any company or person, other than a bona fide employee, any fee, commission, percentage, brokerage fee, gift or any other consideration, contingent upon or resulting from the award or formation of this Agreement. For breach or violation of this warranty, the Local Agency shall have the right to annul this Agreement without liability or, at its discretion, to deduct from the agreement price or DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -5- 4835-2267-0361v1 LAC\04706083 consideration, or otherwise recover, the full amount of such fee, commission, percentage, brokerage fee, gift or contingent fee. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -1- 4835-2267-0361v1 LAC\04706083 EXHIBIT “B” SCOPE OF SERVICES Attached DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 -1- 4835-2267-0361v1 LAC\04706083 EXHIBIT “C” MILESTONE SCHEDULE Attached DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 4835-2267-0361v1 LAC\04706083 EXHIBIT “D” PAYMENT SCHEDULE Attached DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 Exhibit “B” – Scope of Services City of Gilroy Cyber Security Assessment, Cyber Resilience Program, and Implementation Plan RFP #21-RFP-IT-460 Scope Overview Securance will fully assess and audit the security of all elements of the City’s technology environment. This will include a comprehensive and detailed review of the current environment, the creation of a Cyber Resilience Program (CRP) and an implementation plan to improve the City’s overall technology security posture. Securance will use IT industry standards to perform the assessment, including vulnerability assessments and penetration testing. A gap analysis will be used to demonstrate the effectiveness of current City IT infrastructure, security, and resourcing to identify and mitigate potential risk vulnerabilities. The gap analysis will outline security weaknesses versus best practices and applicable policies and laws. Securance is to provide the following: • Threat level (high, medium, low) • Level of effort to mitigate threat (high, medium, low) • Estimated resource requirements to mitigate threats In addition, Securance will provide a framework for a Cyber Resilience Program along with a Cyber Security Implementation Plan which together should include best practices guidance, needed technical configuration modifications, equipment, testing plans, and training. This plan will be tied to meeting, at a minimum, the Center for Internet Security (CIS) Controls. Securance will evaluate and analyze a recently completed report – “Public Works Department’s SCADA network design, external connectivity, and SCADA security best practices”, and provide additional feedback if warranted. Assessment and Testing Requirements The Cyber Security Assessment will include, but not be limited to, a detailed review of the areas listed below. Vulnerability assessments and penetration testing will be performed on the areas where appropriate. After completion, Securance will provide a written report, an electronic copy of the report, and a presentation of findings. The report shall address each item listed below and provide a summary of suggested remediation (if any). Vulnerability assessments and penetration testing services will be used to identify and validate configuration and/or technical flaws within a given system or network (e.g. firewalls, routers, servers, operating systems, applications, databases, etc.). 1. Policies, procedures and standards 2. Network Device Configurations (core, edge) 3. Network Architecture 4. Wireless Infrastructure and Configuration 5. Firewall Configuration a. VPN Configuration b. DMZ Configuration DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 6. Server Environment and Configurations 7. VMware Virtual Environment 8. Data and Information Security 9. VOIP Environment and Configuration 10. Mobile Devices 11. Desktop and Laptop Configurations 12. Physical Security Cyber Assessment Details Securance will: • Ensure the City is meeting due diligence in achieving regulatory compliance with protecting the confidentiality, privacy, integrity and availability of critical data and systems • Identify any gaps or vulnerabilities in the City’s current organizational security controls and policies and make recommendations and necessary adjustments to correct them • Develop comprehensive security policies based on CIS Controls, industry standards and best practices, and regulatory requirements • Facilitate in implementing the security policies, software, hardware and CIS Controls which will serve as the foundation for more informed decision-making and increased security awareness among staff • Provide training and knowledge transfer to the City’s Information Technology staff as necessary to continue to improve the security of the City’s technology infrastructure Cyber Resilience Program (CRP) and Implementation Plan Securance will create a Cyber Resilience Program (CRP) that outlines and describes the processes, policies and roadmap for effectively addressing and correcting the above assessed areas. This will include: • Prioritizing and ranking cyber resilience objectives, concerns, existing staffing, resources, services and programs based on the ability to achieve the City’s vision in conjunction with and in support of the City’s adopted plans – the Gilroy Strategic Plan and the Information Technology Strategic Plan. • Evaluating the City’s current operations and governance, as well as organizational structure, budget, policies and vehicles to ensure that these best meet the City’s cyber resilience programs through the most effective processes, contract provisions, service agreements, resource allocations, employee staffing and development, and reporting relationships. • Assistance in developing procedures/processes/plans/policies which stimulate organizational change and acceptance related to the implementation of new security program and policies. • Identifying and estimating the initial implementation as well as ongoing lifecycle requirements for the in level-of-effort, skills, personnel and budget over the first three years. • Assisting with developing strategies to plan for future exploits and unknown threats. • Identification of Key Performance Indicators (KPI’s) and effectiveness metrics for continually evaluating the CRP effectiveness. • A plan to establish and implement a training program for City of Gilroy staff which will provide the knowledge and information necessary to effectively understand the security policies being implemented. Example: New hire security training, annual security awareness training, et cetera. • A plan for training City Information Technology Staff for the managing and monitoring of any software or hardware used as part of the program. • Addressing effective methods for business recovery in the event of a Cyber Security incident. DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 • Providing methodologies and examples for tabletop and other practical exercises to train for responding to Cyber Security incidents. • How to manage organizational culture changes in creating a security awareness program, which will include staff at all levels. Deliverables 1) Cybersecurity Assessment Management Report a) Executive Summary b) Detailed Project Report c) Remediation Roadmap 2) Technician’s Report 3) Cyber Resilience Program Document 4) Implementation Plan 5) Presentation to the following groups a) IT Steering Committee b) City Council DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 Invoice Amount Milestone 1 24 Hours Management Consulting – Value Add Milestone 1 External Network Penetration Test Milestone 1 Internal Network Penetration Test Milestone 1 Policies and Procedures Review Milestone 1 Network Device Configuration Review (Core and Edge) Milestone 1 Network Architecture Review Milestone 1 WIFI Security Assessment Milestone 1 Firewall Configuration Review (DMZ and VPN) Milestone 1 Server Configuration Review (3 Brands and Versions) Milestone 1 VMware Environment Configuration and Security Review Milestone 1 Data and Information Security Milestone 1 VoIP Environment Configuration and Security Review Milestone 1 Mobile Device Management Milestone 1 Desktop and Laptop Configuration Review Milestone 1 Physical Security Data Centers and Select Data Closets Milestone 1 SCADA Report Review | Analysis : Milestone 1 DRAFT: Cybersecurity Assessment Management Report Milestone 1 Project Management Status Report Milestone 1 Planned Completion by 2/22/2022 Payment 1 $68,200 Milestone 2 Cyber Resilience Program Milestone 2 Planned Completion by 3/11/2022 Payment 2 $8,680 Milestone 3 Knowledge Transfer – Value Add Milestone 3 Presentations to IT Steering Committee and City Council – Value Add Milestone 3 Planned Completion by 3/25/2022 Final Payment $8,680 DocuSign Envelope ID: 30850883-D9E8-4637-8872-EA867BAD3CC2 Certificate Of Completion Envelope Id: 30850883D9E846378872EA867BAD3CC2 Status: Completed Subject: Please DocuSign: Contract Process Form for eSignature - Securance.docx, Contract - Exhibit B - ... Source Envelope: Document Pages: 28 Signatures: 8 Envelope Originator: Certificate Pages: 5 Initials: 1 Scott Golden AutoNav: Enabled EnvelopeId Stamping: Enabled Time Zone: (UTC-08:00) Pacific Time (US & Canada) scott.golden@cityofgilroy.org IP Address: 66.189.161.134 Record Tracking Status: Original 1/13/2022 4:23:40 PM Holder: Scott Golden scott.golden@cityofgilroy.org Location: DocuSign Signer Events Signature Timestamp Paul Ashe pashe@securanceconsulting.com President Paul Ashe Security Level: Email, Account Authentication (None) Signature Adoption: Pre-selected Style Using IP Address: 47.202.152.178 Sent: 1/13/2022 5:18:54 PM Viewed: 1/13/2022 5:53:23 PM Signed: 1/13/2022 5:54:08 PM Electronic Record and Signature Disclosure: Accepted: 1/13/2022 5:53:23 PM ID: f8758568-f50f-4421-bbaf-36bab8f907ae LeeAnn McPhillips LeeAnn.McPhillips@cityofgilroy.org Administrative Services Director City of Gilroy Security Level: Email, Account Authentication (None) Signature Adoption: Pre-selected Style Using IP Address: 141.126.77.131 Sent: 1/13/2022 5:54:11 PM Viewed: 1/13/2022 6:14:07 PM Signed: 1/17/2022 10:14:24 AM Electronic Record and Signature Disclosure: Not Offered via DocuSign Andy Faber Andy.Faber@berliner.com City Attorney Security Level: Email, Account Authentication (None)Signature Adoption: Pre-selected Style Using IP Address: 73.63.193.69 Sent: 1/17/2022 10:14:28 AM Viewed: 1/17/2022 10:32:01 AM Signed: 1/17/2022 10:33:18 AM Electronic Record and Signature Disclosure: Accepted: 1/17/2022 10:32:01 AM ID: 81755ba4-00e1-45cd-aadb-a19788fd7b08 Jimmy Forbis jimmy.forbis@cityofgilroy.org City Administrator Security Level: Email, Account Authentication (None)Signature Adoption: Pre-selected Style Using IP Address: 66.189.161.134 Sent: 1/17/2022 10:33:22 AM Viewed: 1/18/2022 1:36:16 PM Signed: 1/18/2022 1:36:48 PM Electronic Record and Signature Disclosure: Accepted: 1/18/2022 1:36:16 PM ID: 4fa76085-0d45-42c5-adce-daa148435858 Signer Events Signature Timestamp Thai Pham thai.pham@cityofgilroy.org City Clerk City of Gilroy Security Level: Email, Account Authentication (None) Signature Adoption: Uploaded Signature Image Using IP Address: 66.189.161.134 Sent: 1/18/2022 1:36:51 PM Viewed: 1/18/2022 1:49:46 PM Signed: 1/18/2022 1:49:53 PM Electronic Record and Signature Disclosure: Not Offered via DocuSign In Person Signer Events Signature Timestamp Editor Delivery Events Status Timestamp Agent Delivery Events Status Timestamp Intermediary Delivery Events Status Timestamp Certified Delivery Events Status Timestamp Carbon Copy Events Status Timestamp Witness Events Signature Timestamp Notary Events Signature Timestamp Envelope Summary Events Status Timestamps Envelope Sent Hashed/Encrypted 1/13/2022 5:18:54 PM Certified Delivered Security Checked 1/18/2022 1:49:46 PM Signing Complete Security Checked 1/18/2022 1:49:53 PM Completed Security Checked 1/18/2022 1:49:53 PM Payment Events Status Timestamps Electronic Record and Signature Disclosure ELECTRONIC RECORD AND SIGNATURE DISCLOSURE From time to time, City of Gilroy (we, us or Company) may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please confirm your agreement by selecting the check-box next to ‘I agree to use electronic records and signatures’ before clicking ‘CONTINUE’ within the DocuSign system. Getting paper copies At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a $0.00 per-page fee. You may request delivery of such paper copies from us by following the procedure described below. Withdrawing your consent If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosure in paper format and withdraw your consent to receive notices and disclosures electronically is described below. Consequences of changing your mind If you elect to receive required notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. Further, you will no longer be able to use the DocuSign system to receive required notices and consents electronically from us or to sign electronically documents from us. All notices and disclosures will be sent to you electronically Electronic Record and Signature Disclosure created on: 6/29/2021 5:07:22 PM Parties agreed to: Paul Ashe, Andy Faber, Jimmy Forbis Unless you tell us otherwise in accordance with the procedures described herein, we will provide electronically to you through the DocuSign system all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us. Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process, please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us. How to contact City of Gilroy: You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows: To contact us by email send messages to: scott.golden@cityofgilroy.org To advise City of Gilroy of your new email address To let us know of a change in your email address where we should send notices and disclosures electronically to you, you must send an email message to us at scott.golden@cityofgilroy.org and in the body of such request you must state: your previous email address, your new email address. We do not require any other information from you to change your email address. If you created a DocuSign account, you may update it with your new email address through your account preferences. To request paper copies from City of Gilroy To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an email to scott.golden@cityofgilroy.org and in the body of such request you must state your email address, full name, mailing address, and telephone number. We will bill you for any fees at that time, if any. To withdraw your consent with City of Gilroy To inform us that you no longer wish to receive future notices and disclosures in electronic format you may: i. decline to sign a document from within your signing session, and on the subsequent page, select the check-box indicating you wish to withdraw your consent, or you may; ii. send us an email to scott.golden@cityofgilroy.org and in the body of such request you must state your email, full name, mailing address, and telephone number. We do not need any other information from you to withdraw consent.. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.. Required hardware and software The minimum system requirements for using the DocuSign system may change over time. The current system requirements are found here: https://support.docusign.com/guides/signer-guide- signing-system-requirements. Acknowledging your access and consent to receive and sign documents electronically To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosures that we will provide to you, please confirm that you have read this ERSD, and (i) that you are able to print on paper or electronically save this ERSD for your future reference and access; or (ii) that you are able to email this ERSD to an email address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format as described herein, then select the check-box next to ‘I agree to use electronic records and signatures’ before clicking ‘CONTINUE’ within the DocuSign system. By selecting the check-box next to ‘I agree to use electronic records and signatures’, you confirm that:  You can access and read this Electronic Record and Signature Disclosure; and  You can print on paper this Electronic Record and Signature Disclosure, or save or send this Electronic Record and Disclosure to a location where you can print it, for future reference and access; and  Until or unless you notify City of Gilroy as described above, you consent to receive exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you by City of Gilroy during the course of your relationship with City of Gilroy.