SCHEDULE 2C DATA NETWORK MANAGEMENT SERVICES (INTERIM STATE SERVICES) for. Date TBD


SCHEDULE 2C DATA NETWORK MANAGEMENT SERVICES (INTERIM STATE SERVICES) for COUNTY OF ORANGE, CA Date TBD

Table of Contents

1.0 Data Network Management Services Overview and Objectives
Data Network Management Services Overview
Service Objectives
Data Network Management Services Requirements
Network Service Area Components
Service Descriptions and Roles & Responsibilities
Service Environment
Scope of Infrastructure to be Supported
Baseline Information
Service Level Requirements
Objectives
Service Level Requirements
Reports
Referenced Appendices, Schedules and Attachments

List of Tables

Table 1. General Roles and Responsibilities
Table 2. Design and Engineering Services Roles and Responsibilities
Table 3. Network Provisioning Services Roles and Responsibilities
Table 4. Data Network Operations and Administration Services Roles and Responsibilities
Table 5. Network Monitoring and Reporting Services Roles and Responsibilities
Table 6. Circuit Support Services Roles and Responsibilities
Table 7. Network Documentation Services Roles and Responsibilities
Table 8. Network Security Services Roles and Responsibilities
Table 9. Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities
Table 10. Security Intrusion Prevention and Detection Services Roles and Responsibilities
Table 11. Security Monitoring and Incident Management Services Roles and Responsibilities
Table 12. Network Availability SLRs
Table 13. Backbone Network Performance SLRs
Table 14. Network Administration Services SLRs
Table 15. Content Filtering of SLRs
Table 16. Security Intrusion Detection SLRs
Table 17. Data Network Services Reports

This is Schedule 2C (Data Network Management Services) to the Agreement between the County of Orange, CA ("County" or "the County") and the Vendor ("Vendor"). Unless otherwise expressly defined herein, the capitalized terms used herein shall have the meaning assigned to them in Attachment A (SOW Definitions). This statement of work shall be in effect prior to the implementation of the Vendor provided/implemented converged network environment.

1.0 Data Network Management Services Overview and Objectives

1.1 Data Network Management Services Overview

This Schedule 2C (Data Network Management Services) is the statement of work that sets forth the roles and responsibilities of the Parties for the Data Network Management Services provided under the Agreement as part of the Services. Data Network Management Services are the Services and activities required to provide and support the existing County data network environment that links computing users to County and external (e.g., CAPS+, PTMS, web applications).

Vendor's responsibilities include the life cycle management (e.g., requirements, engineering, design, implementation, testing), service provisioning, security, administration and troubleshooting and proactive service management (e.g., Availability and Capacity Management, Performance, Incident and Problem Management) of the County network environment, including:

- Wide area network (WAN) (including metropolitan area network (MAN), circuit and conduit management)
- Third Party connectivity (e.g., state consortium systems and exchanges)
- Wired and wireless local area networks (LANs)
- IP management services
- Network security services
- Network operations, management and monitoring
- Support of network test environments for all network services
- Internet connectivity services
- gateway services

1.2 Service Objectives

The following are the key high-level Service objectives the County expects to achieve through Vendor's Data Network Management Services:

- Achieve the Service Level Requirements (SLRs) specified in Section 4 of this SOW
- Services that provision and maintain a reliable, scalable and secure high-speed network infrastructure, with appropriate redundancy to meet SLRs
- End-to-end network monitoring and management including management of Third Party providers (e.g., Third Party coordination, carrier coordination, Problem and Incident management)
- Maintain and deliver Data Network Services in a cost-effective manner

- Timely delivery of Data Network solutions to support County project implementations, and related coordination with County and Third Parties

2.0 Data Network Management Services Requirements

2.1 Network Service Area Components

Network Management Services and network components include, but are not limited to the following

Wide Area Network (WAN) (including Metropolitan Area Network (MAN)) Services

WAN Services include the monitoring and management of networking equipment and Software that interconnect two or more separate facilities. WAN Services include acting as an agent for trouble management of carrier services such as ATM, MPLS, point-to-point, frame relay circuits, County-owned circuits, dedicated internet connections and broadband circuits. Specific WAN Services include:

- Design of WAN connectivity solutions that will meet the County's business and technical requirements (e.g., performance, availability, reliability, capacity)
- WAN equipment provisioning and management (e.g., routers, CSUs/DSUs)
- Management of WAN circuit provisioning
- Management of circuit billing, invoicing and reconciliation
- Installation and decommissioning of WAN equipment (e.g., routers, gateways)
- Implementation of WAN connections and circuits
- Testing of WAN infrastructure (e.g., stress testing, regression testing, failover testing) changes in a non-production environment, prior to introduction into the County production environment
- Wiring and cabling (e.g., extended demarcation cabling)
- Optimization of WAN Services and circuits
- Management of end-to-end WAN connectivity and performance
- Internet connectivity and access
- QoS management for all IP-based services
- Monitoring of all managed network devices via SNMP
- Monitoring performance and usage parameters of WAN circuits (e.g., Availability, peak utilization, average utilization, latency per QoS/class of service level, error levels, forward and backward explicit congestion notifications (FECNs/BECNs), application breakdown)
- Compliance with security policies and best practices
- Asset and configuration management
- Maintenance of hardware and Software (e.g., routers, switches, system upgrades)
- Regular and ad-hoc reporting per County formatting requirements
- Development and maintenance of WAN documentation and diagrams

- Testing and implementation of network disaster recovery in accordance with the County Disaster Recovery Plan

Wired and Wireless Local Area Network (LAN) Services

LAN Services include the provision and monitoring and management of networks that are usually confined to a single facility or portion of a facility. LAN components include Dynamic Host Configuration Protocol (DHCP) and wireless LANs supporting all network traffic originating from computing devices (e.g., desktop devices, local file and print servers, application servers, database servers, peripherals and other network devices and other End User devices). This Service does not include the LAN-attached Network Interface Card (NIC) at the desktop. Specific LAN Services include:

- Design of LAN solutions which will meet County requirements
- LAN equipment provisioning and management
- Installation and decommissioning of LAN equipment (e.g., switches, hubs)
- Testing of LAN infrastructure (e.g., stress testing, regression testing, failover testing) changes in a non-production environment, prior to introduction into County's production environment
- Management of LAN connectivity and performance, including wired and wireless LANs
- Management of Layer 2 through 7 switching devices and network appliances (e.g., load balancers)
- QoS management for all IP-based services (e.g., business critical, business, best effort)
- Monitoring all managed network devices via SNMP
- Monitoring LAN ports switches for servers and interconnectivity between the switches and other network devices; LAN ports shall be monitored for peak utilization, average utilization, latency, jitter, error levels unless otherwise agreed upon by County
- Wiring and cabling
- Password reset services per established security standards
- Regular and ad-hoc reporting per County requirements
- Compliance with security policies and best practices
- Asset Management and Configuration Management
- Support and administration of Third Party maintenance agreements and relationships
- Development and maintenance of LAN documentation and diagrams
- LAN administration services during County-defined windows (e.g., DNS changes, AD replication, virus definitions)
- Testing and implementation of network disaster recovery in accordance with the County Disaster Recovery Plan

IP Management Services

IP Management Services include both Dynamic Host Configuration Protocol (DHCP) and administration and management of Domain Name Services (DNS). Vendor shall be responsible for managing DNS Services within the LAN and also on the Internet for all County application and service web sites. Vendor will also be responsible for providing DHCP services in support of all network traffic. Specific DNS services include:

- IP address management
- DHCP Service for Service Area hardware
- Internal and External DNS Service for Service Area hardware
- Internal and External DNS/DHCP Services for County sites
- Static IP addressing
- Provision and maintenance of central, real time logs that are to be kept in Vendor-provided portal/integrated ITSM suite per County information security policies
- Provision and support of a DNS/DHCP tool that provides the following capabilities including but not limited to:
  - Combines data from all DHCP servers on the reports
  - Logs all devices that provide IP addresses via DHCP in the County's environment including remote access devices
  - Supports real-time reporting formatted to the County's standards
  - Provides capability to search for information from either the IP address, MAC address, hostname, or Active Directory End User ID
  - Ability to generate alerts when a specific IP address, MAC address, hostname, or Active Directory End User ID is used

Remote Access

Remote Access Services include the provision and management of solutions (e.g., virtual private network (VPN)) that allows remote End Users and business partners to securely connect to the network and County Application Services and/or County IT resources over the public Internet or private intranet. It requires industry Internet-based standards for security to create and preserve privacy, data integrity, and authenticity. The Remote Access Service will be highly scalable (e.g., client, site-to-site). Remote Access support will be provided for County sites, designated home offices, wireless access points, and other locations as required. All Remote Access Services provided hereunder will be provided in compliance with the County's security policies.

Network Security Services

Network Security Services include the provision and support of methods that provide security to wired and wireless physical and logical network devices connected to the network. All Network Security Services provided hereunder will be provided in tiered administration in compliance with the County's security policies. Network Security Services include but are not limited to:

- Firewall management (e.g. DMZ, Internet, Third Party connections)
- Provision and management of multi-factor authentication (e.g., token, certificate)

- Malicious code detection and prevention (e.g. IDS/IPS, anti-virus, anti-malware)
- gateway and SPAM filtering per County requirements
- Security policy verification
- Tiered web filtering (e.g., URL filtering, malicious sites, spyware, advertisements, instant messaging, free software downloads)
- Internet usage reporting
- Tiered antivirus
- Provision, installation, configuration, management, and maintenance of network intrusion detection and prevention sensors at specified network entry points
- Intrusion incident reporting
- Ongoing vulnerability assessment and remediation
- Support of Third Party security assessment, scanning and penetration testing
- Support of current County encryption solutions
- Management of County-owned security certificates, SSLs and domain names
- Incident and Problem Resolution
- Intrusion incident reporting
- Logging, tracking and management of security risks and issues to Resolution and closure
- Network security services reporting per County requirements
- Physical and logical access control (e.g., End User, administrative, card access)
- Support of existing IDS/IPS appliances and services (e.g., IBM appliances and services)
- Remediation of discovered security risks from any security audit findings

Management and Administration Services

Management and Administration Services include system and component management and monitoring, information protection, component addressing, and IT Service management activities such as patch management, version control, access control, and Change control for all in-scope data network components.

Management Services include:

- Network systems management and troubleshooting (e.g., performance, Problem, Change and capacity monitoring)
- Bandwidth, capacity, availability and performance management and reporting
- Application usage statistics (e.g., identify top talkers by application via Layer 7 monitoring)
- Coordinating with public carriers and other circuit providers to perform operations activities, support SLRs and to manage reporting of Third Party SLRs to the County
- QoS management
- Physical and logical network segmentation

Administration Services include:

- Managing network devices, configurations, ACLs, firewalls, Internet Protocol (IP) addresses and related Services (e.g., DNS/DHCP) as specified by the County
- Asset management and configuration management, including hardware and Software
- Logical (e.g., IP address change) IMACs for network components
- Physical equipment and site IMACs

Firewall Management, DMZ and Internet Infrastructure Services

Firewall Management, DMZ and Internet Infrastructure Services are the activities associated with Managing and supporting County Internet and Third Party connections and associated firewalls, DMZ infrastructures, proxies, content filters and other Services necessary for secure Internet access from and to the County network.

The following Services and roles and responsibilities shall apply to all County data network components described above (e.g., WAN, MAN, LAN, VPN).

2.2 Service Descriptions and Roles & Responsibilities

In addition to the services, activities, and roles and responsibilities described in Schedule 2A ITSM and Lifecycle Services SOW, Vendor is responsible for the following Data Network Management Services, activities and roles and responsibilities

General Responsibilities

The following table identifies general roles and responsibilities associated with this SOW. An is placed in the column under the party that will be responsible for performing the task. Vendor responsibilities are indicated in the column labeled Vendor.

Table 1. General Roles and Responsibilities

General Roles and Responsibilities | Vendor | County

1. Develop, document and maintain the physical and logical network design/architecture plan (e.g., circuit inventory, conduit mapping, diagrams, and IP address schema, as builts) to meet County requirements
2. Review and approve the plan for network design/architecture
3. Provide and manage 24x7x365 network Availability
4. Provision network components as required
5. Provision circuits per County's instructions and approvals
6. Dispose of decommissioned network equipment in accordance with County policies
7. Maintain financial responsibility for the procurement/provision of circuits and equipment
8. Develop business and functional requirements for network projects
9. Provide technical and functional requirements for Vendor-proposed network support

10. Manage and perform firmware/software upgrades for all in-scope network devices
11. Review and approve firmware/software upgrade maintenance costs and schedule for network devices
12. Identify, test, and Resolve compatibility issues between firmware/software versions
13. Perform proactive network optimization and tuning
14. Coordinate with County entities and Third Parties (e.g., hardware/software Vendors, carriers, service providers) as required
15. Provide ad-hoc network reports when requested by the County
16. Coordinate with County Third Party WAN/LAN network providers for Incident Resolution and to collect and report on network Availability and performance to the End User
17. Support audit activities by providing necessary resource, reports and data

Design and Engineering Services

Design and Engineering Services are the activities associated with the design and engineering of the technical infrastructure, and providing and managing tools and utilities to support the data network environment. The following table identifies the Design and Engineering Services roles and responsibilities that Vendor and the County shall perform.

Table 2. Design and Engineering Services Roles and Responsibilities

Design and Engineering Services Roles and Responsibilities | Vendor | County

1. Recommend Vendor's standard Network Design and Engineering Services procedures
2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Design and Engineering Services procedures that meet County requirements and adhere to County policies
3. Review and provide input and/or additional procedures as required and approve Network Design and Engineering Services procedures
4. Prepare and provide network design, engineering, security plans and schedules (e.g., service design package (SDP)) to support new and enhanced applications, architectures and standards based on established procedures as needed or requested by the County
5. Review and approve network design, engineering, security plans, and schedules
6. Provide recommendations for optimizing network design
7. Review and approve recommendations for optimizing network design
8. Coordinate with County and Third Parties as required to meet service requirements and SLRs
9. Review and approve all Changes to the network environment in accordance with Change Management policies and procedures

10. Schedule all Changes to the network environment
11. Review and approve the scheduling of all Changes to the network environment
12. Provide technical advice to the County regarding application development to optimize utilization of data and applications over the network

Network Provisioning Services

Network Provisioning Services are the activities associated with the pricing, evaluation, selection, acquisition, installation, ongoing management and disposition of new and upgraded network components (e.g., circuits, equipment). The following table identifies the Network Provisioning Services roles and responsibilities that Vendor and the County will perform.

Table 3. Network Provisioning Services Roles and Responsibilities

Network Provisioning Services Roles and Responsibilities | Vendor | County

1. Recommend Vendor's standard Network Provisioning Services procedures
2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Provisioning Services procedures that meet County requirements and adhere to County policies
3. Review and provide input and/or additional procedures as required and approve Network Provisioning Services procedures
4. Manage circuit provisioning for new WAN connectivity, including obtaining favorable circuit pricing
5. Review carrier options and provide the County with recommendations regarding most favorable options
6. Review and approve Vendor's carrier recommendations regarding most favorable options
7. Maintain financial responsibility for data circuits
8. Specify network provisioning physical requirements (e.g., power, floor space)
9. Install equipment and establish connectivity as required
10. Document router configuration files and IP addressing schemas
11. Provide capacity planning, incorporating County-provided business requirements
12. Manage and coordinate the performance of public carriers (and other Third Parties) to meet County requirements (e.g., schedules, project plans, SLRs)
13. Ensure that all new circuits, devices and Software provisioned are included in all IT Service Management and Life Cycle Services related documentation (e.g., Asset and Configuration Management)
14. Upgrade/remove/decommission network equipment and connectivity from County sites as required per agreed schedules and in accordance with County policies and procedures

15. Manage and provide WAN connectivity installs, moves, adds and changes (IMACs)
16. Minimize disruptions in Services during Changes
17. Review and approve installation, connectivity and removal activities
18. Acquire and manage domain name entries on behalf of the County (e.g., web URL and SSL certificates)
19. Maintain financial responsibility and ownership of domain name entries

Data Network Operations and Administration

Data Network Operations and Administration Services are the activities associated with the provisioning and day-to-day management of the data network environment. The following table identifies the Data Network Operations and Administration Services roles and responsibilities that Vendor and the County shall perform.

Table 4. Data Network Operations and Administration Services Roles and Responsibilities

Data Network Operations and Administration Services Roles and Responsibilities | Vendor | County

1. Recommend Vendor's standard Network Operations and Administration Services procedures
2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Operations and Administration Services procedures that meet County requirements and adhere to County policies
3. Review and provide input and/or additional procedures as required and approve Network Operations and Administration Services procedures
4. Perform day-to-day Network Operations and Administration Services activities
5. Manage network Assets in accordance with the County's policies, standards and procedures (including security oversight and Change Management policies and procedures)
6. Recommend QoS and Class of Service (CoS) for QoS/CoS sensitive applications including IP based telephony systems
7. Review and approve QoS and Class of Service (CoS) requirements for QoS/CoS sensitive applications and IP based telephony systems
8. Implement and manage QoS and CoS for QoS/CoS-sensitive applications
9. Recommend IP addressing, directory and configuration information and requirements
10. Review and approve IP addressing, directory and configuration information and requirements
11. Develop and maintain IP addressing schemes, router configurations and routing tables that meet County's requirements
12. Manage and maintain DNS/DHCP Services

13. Manage County Third Party contracts for facility cable management (physical wiring between servers and wiring closet and between wiring closet and desktop) Services at specified County sites
14. Maintain current inventory of cable plant
15. Manage and provide proactive and reactive maintenance on network Assets
16. Manage and respond to Services Requests and provide IMACs for network components and sites
17. Maintain and provide security information in a County-approved format, including access, general logs, application logs in accordance with the County's security policies and procedures
18. Coordinate network administration activities through defined Change Management processes
19. Support provisioning and de-provisioning account activities (e.g., administrative accounts, End User accounts) and maintain associated history logs as required
20. Support activities related to County- or Third Party-planned and unplanned Outages (e.g., post-power outage startup activities, County preparedness emergency exercises or Incidents, recovery)

Network Monitoring and Reporting

Network Monitoring and Reporting are the activities associated with the proactive monitoring and reporting of network performance and management information (e.g., performance metrics, Incidents) for in-scope network components (e.g., routers, switches, and network appliances). The following table identifies the Network Monitoring and Reporting Services roles and responsibilities that Vendor and the County shall perform.

Table 5. Network Monitoring and Reporting Services Roles and Responsibilities

Network Monitoring and Reporting Services Roles and Responsibilities | Vendor | County

1. Recommend Vendor's standard Network Monitoring Services and Incident and Problem Resolution procedures
2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Monitoring Services procedures that meet County requirements and adhere to County policies
3. Review and provide input and/or additional procedures as required and approve Network Monitoring Services procedures
4. Manage current or provide and manage new automated tools for monitoring network circuits, devices and traffic from a Vendor-provided Network Operations Center (NOC)
5. Implement measures and provide proactive analysis of network data and reports to limit network Outages and optimize the County's bandwidth utilization
6. Proactively monitor current network utilization and provide information to the County for use in determining future capacity requirements

7. Monitor, operate, perform Problem determination, alert, and repair for all network environments on a 24x7x365 basis, including for Service Outage, loss of connection and specific performance indices
8. Monitor LAN ports for all servers and uplinks; LAN ports should be monitored for peak utilization, average utilization, latency, and error levels unless otherwise agreed upon by the County. Vendor should also have the capability to turn on monitoring for individual regular desktop ports for troubleshooting
9. Perform remote LAN analysis diagnostics and on-site troubleshooting
10. Manage Service Requests and dispatch process as directed by the County
11. Dispatch pre-approved Vendor on-site support personnel and/or Third Parties as appropriate
12. Manage data network performance or Availability issues resulting from a fault or impairment in network circuits or devices
13. Provide reporting (e.g., availability, utilization, latency, capacity) on network components providing connectivity to County Applications
14. Collect data and reports from Third Parties and provide consolidated reporting (e.g., availability, utilization, latency, capacity) on out-of-scope network components (e.g., Third Party circuits, Third Party WAN/LAN network circuits and components, Third Party partner and service provider connections) providing connectivity to County Applications
15. Review and approve network performance reporting

Circuit Support

Circuit Support Services are those activities associated with providing 24x7x365 support of the network to ensure continuous operation. This support includes Problem isolation and determination to the network device port level. The following table identifies the Circuit Support Services roles and responsibilities that Vendor and the County shall perform.

Table 6. Circuit Support Services Roles and Responsibilities

Circuit Support Services Roles and Responsibilities | Vendor | County

1. Recommend Vendor's standard Circuit Support Services procedures
2. Develop, document and maintain in the Policies, Standards and Procedures Manual those Circuit Support Services procedures that meet County requirements and adhere to County policies
3. Review and provide input and/or additional procedures as required and approve Circuit Support Services procedures
4. Isolate Problems to the port, circuit or device level
5. For circuit Incidents and Problems, contact carrier to determine the cause of the Outage, notify the County, and work on the Incident/Problem with carrier until Resolved

6. Track Incidents and Problems, follow up on status, escalate when required and report status to the appropriate Party including when Incidents/Problems are Resolved
7. Provide any possible Workarounds to help maintain production until a permanent fix can be achieved during network Problems/Outages
8. Provide Third Party SLR reporting in accordance with County requirements
9. Support Disaster Recovery testing per the DR Plan (e.g., conduct failover testing)
10. Conduct Disaster recovery activities required to recover Services per the DR plan

Network Documentation Services

Network Documentation Services are those activities associated with continually developing, revising, maintaining, reproducing, and making secure data network infrastructure information securely accessible on an as needed basis. Documentation shall be formally provided to the County in electronic form quarterly and shall be stored and maintained in the integrated IT Service Management suite. Some of the document types specific to this Schedule include:

- Network system specifications and topologies (e.g., router configurations, firewall policies, routing diagrams/IP addressing tables, hardware/software listings)
- Detailed circuit location information (e.g., circuit ID including LEC access ID, location, speed)
- Firewall policies, group and object information
- As-built documentation for all network devices (including firewalls) that are deployed in development, test, QA, production and other technical environments

The following table identifies the Network Documentation Services roles and responsibilities that Vendor and the County shall perform.

Table 7. Network Documentation Services Roles and Responsibilities

Network Documentation Services Roles and Responsibilities | Vendor | County

1. Recommend Vendor's standard network documentation types and content
2. Develop and maintain network documentation that meets County requirements
3. Review and approve network documentation

Network Security Services

All Network Security Services provided hereunder will be provided in tiered administration in compliance with the County's security policies.

Network Security Planning and Operations Services

Network Security Planning and Operations Services are those activities associated with maintaining physical and logical security of all Network Management Services components (e.g., hardware, Software) and data, Malware protection, access protection and other Data Network Security Services in compliance with County security requirements and all applicable

regulatory requirements. The following table identifies the Data Network Security Services roles and responsibilities that Vendor and the County shall perform.

Table 8. Network Security Services Roles and Responsibilities

Network Security Services Roles and Responsibilities | Vendor | County

General

1. Implement physical and logical security plans consistent with County security policies and develop and provide documentation demonstrating adherence to the plans, processes and procedures
2. Maintain a secure network environment, including compliance with County policies
3. Perform information security compliance, auditing, and reporting per County defined requirements
4. Design, implement and maintain Vendor security services and technical solutions that protect data, logically and physically, in storage and during wired and wireless transmission against unauthorized or accidental access or modification or disclosures (e.g., encryption, network segmentation, monitoring tools)
5. Review and approve Vendor security solutions
6. Develop, document and maintain in the Policies, Standards and Procedures Security Services standards and procedures that meet County requirements, regulatory requirements, and adhere to County policies
7. Review and provide input and/or additional procedures as required and approve Network Security Services standards and procedures and provide additional procedures as required
8. Execute security policies and provide and operate security monitoring tools including documentation demonstrating consistent adherence to the process
9. Provide, implement and manage security analysis and monitoring tools into the County's network environment
10. Provide tiered and role-based access to Vendor's security analyses and monitoring tools
11. Review and approve security analysis and monitoring tools

Security Policy and Controls

12. Provide County security strategy, policies and requirements
13. Recommend Vendor standard/best practice security policies, services and procedures
14. Ensure compliance with patch management and Change Management policy
15. Proactively monitor current IT security trends, threats, exploits and security best practices and notify the County of same
16. Provide a County security liaison that works with Vendor for security requirements related to the scope of this Schedule
17. Implement a Network Security Incident Response Team (NSIRT) program to resolve security incidents

18. Participate in Computer Incident Response Team (CIRT) as required by the County or Third Parties
19. Review and approve all security plans, security remediation plans, programs, and security infrastructure

Physical Security Control
20. Develop and maintain network environment access control list and provide reporting on which individuals have accessed locations and resources
21. Review and approve network environment access control list
22. Conduct a quarterly review of the list of authorized people to computing areas
23. Adhere to established access control policies and procedures

System Administrative Privileges
24. Establish access profiles and policies for adding, changing, enabling/disabling and deleting log-on access for County and Third Parties
25. Investigate attacks (e.g., attempts to logon)
26. Provide logs of network security events containing data to support comprehensive audits of the effectiveness of, and compliance with security measures in accordance with County policies (e.g., audit trail)

Security Integrity Advisory
27. Provide security advisory information to the County in a mutually agreed upon manner
28. Evaluate security advisories, assign a risk value and communicate recommended action plan to the County

Security Status Checking and Validation
29. Provide a security assessment audit focal point for audits
30. Provide support for audit activities, public requests for information (PRIs) per the Public Information Act, e-discovery, legal hold, and forensic audits as required by the County (e.g., data collection, audit tool installation, report generation)
31. Develop plans to remediate audit findings that do not comply with the established County security policies and standards
32. Review and approve audit findings and remediation plans
33. Implement remediation plans and report on progress of associated implementation
34. Support audit activities by providing a security assessment audit coordinator
35. Maintain all documentation required for security assessments, audits and internal control and control testing
36. Perform semi-annual security assessments, or ad hoc assessments as required, to identify control or security gaps and provide trending problem reports to the County, and recommend remediation plan(s)
37. Conduct security planning and review sessions to review results of security assessments and Vendor remediation plans

38. Review and approve remediation plans
39. Implement County-approved remediation plans

Malware Prevention
40. Review and approve Malware Prevention policies and services
41. Adhere to County-approved Malware Prevention policies and services
42. Monitor supplier information and manage up-to-date information on malicious code outbreaks and deploy the appropriate signature files to protect against the malicious code in accordance with established County Change Management procedures
43. Deploy anti-malware updates and patches following a Malware Incident per the County Change Management procedures
44. Immediately notify the County on detection of malicious code within the infrastructure
45. Implement the established action plan (e.g., quarantine of malicious code or network segment) and escalation procedures for malicious code events beyond what is automatically fixed by the anti-malware software
46. Filter outbound URLs to enforce compliance with County Internet Acceptable usage policies by checking URLs against lists of known "inappropriate" sites
47. Filter both inbound/outbound multiple Web protocols, including deep inspection of encrypted traffic
48. Filter inbound URLs real-time threat protection, block access to sites harboring harmful code, Malware - spyware, phishing, virus, worms and Trojan horse software. Provide for continuous scanning, eradication and reporting of detected harmful code as listed and Incident Resolution
49. Scan user-generated content on all key web protocols and protect against confidential information leaking from the organization
50. Provide seamless user/IP integration to County multi-agency for authentication, tracking, reporting
51. Integrate fully with End users' browsers (e.g., MS I/E, Firefox, Chrome) with IP and user identification tracking, reporting
52. Provide reporting/audit down to user activity as required by County Policies
53. Provide for Agency tiered management
54. Manage user/groups URL filters and reporting as required

Content Filtering and SPAM Filtering
55. Recommend Gateway and inbound and outbound Filtering policies, services and procedures
56. Review and approve Gateway and SPAM filtering policies, services and procedures
57. Manage gateway SPAM filters and process quarantined items (e.g., zip files, encrypted files) to ensure that County services are not adversely affected by either inbound threats or outbound broadcast violations

58. Notify the County and provide remediation of any blacklist events, in accordance with County policies and procedures
59. Identify and block incoming spam while protecting against other threats (e.g., viruses, malware, phishing, directory harvest, denial of service, bounceback attacks, zero-hour threats, and spam surges)
60. Provide seamless user/IP integration to County multi-agency for authentication, tracking, reporting
61. Ensure that only the intended recipient of sensitive content is able to read that content and regulatory compliance using integrated, policy-based encryption
62. Provide flexible policy creation and enforcement, and logging and reporting
63. Provide predictive security against new and emerging threats and notify County Agencies
64. Detect and enforce County policies for inappropriate images in both inbound and outbound messages
65. Identify and block/quarantine false non-delivery notices forged by viruses and spammers
66. Manage process for misidentified legitimate messages as spam (false positives) and allowing legitimate traffic to flow in.
67. Provide spam-domain name reputation, IP reputation, sender authentication, greylisting, image filtering, integrity analysis, heuristic detection, blacklists, and whitelists
68. Approve requests for new County-owned URL DNS and address formats

Firewall Management, DMZ and Internet Infrastructure Services

Firewall Management, DMZ and Internet Infrastructure Services are those activities associated with Managing and supporting all of County's firewalls, DMZ infrastructures, Internet connections and Third Party connections. Vendor shall provide these Services including firewall engineering and management, access control list engineering and management in compliance with the County's policies. Vendor will maintain and operate the firewall/DMZ/Internet infrastructure in such a way that Services are secure and reliable and perform according to requirements and SLRs. Vendor will also make recommendations on design Changes to improve Services as well as implementing the Change per established Change Management procedures. Vendor will act as an agency to contact ISPs and/or other Third Parties to setup connectivity and/or troubleshoot connections and other support questions. The following table identifies the Firewall Management, DMZ and Internet Infrastructure Services roles and responsibilities that Vendor and County shall perform.

Table 9. Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities

Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities Vendor County

1. Recommend Vendor standard Firewall Management, DMZ and Internet Infrastructure Services, procedures and best practices

2. Provide Firewall Management, DMZ and Internet Infrastructure requirements and policies (including segregation requirements and policies)
3. Develop, document and maintain in the Policies, Standards and Procedures Manual Firewall Management, DMZ and Internet Infrastructure Services procedures that meet requirements and adhere to defined policies
4. Review and provide input and/or additional procedures as required and approve Firewall Management, DMZ and Internet Infrastructure Services procedures
5. Provide Services in accordance with County policies
6. Perform Firewall Management, DMZ and Internet Infrastructure engineering and related security design including methods for secure network access and authentication
7. Review and approve Firewall Management, DMZ and Internet Infrastructure architecture and security designs
8. Perform Firewall Management, DMZ and Internet Infrastructure Services in accordance with architecture and security designs and County policies
9. Implement defined access requirements and standards via firewall rule sets
10. Ensure compliance to defined security and configuration standards including Internet content filtering
11. Define intranet/Internet boundaries within the County
12. Assist with the definition of intranet/Internet boundaries within the County
13. Maintain intranet/Internet boundaries within County
14. Define Third Party connectivity strategy
15. Assist with the definition of Third Party connectivity strategy
16. Review and approve Third Party connectivity strategy
17. Implement and support County-approved Third Party connectivity strategy
18. Support and manage content compression devices, load balancing devices, and SSL acceleration
19. Monitor performance levels of the firewall/DMZ/Internet infrastructure through setting of thresholds, provide reporting, and take proactive and/or reactive steps to Resolve any performance issues
20. Provide proxy and content filter services based on approved policies
21. Provide County and user-specific internet usage reports

Security Intrusion Prevention and Detection Services

Security Intrusion Prevention and Detection Services are those activities associated with managing and supporting the IPS/IDS infrastructure and providing quick follow up on security events. For the interim environment, it is anticipated that Vendor would assume responsibility for the existing IBM appliance and IPS/IDS services. Vendor shall communicate any new security vulnerabilities, provide recommendations to remediate these vulnerabilities and implement County-approved recommendations. Vendor shall provide NIDS (network-based intrusion detection service). Vendor shall restore offline security event data as follows: up to 30 days of consecutive event data restored within two (2) Business Days; up to six (6) months of consecutive event data within five Business Days; and for more than six (6) months of event data each request will be individually evaluated by Vendor and an estimated time to restore will be provided. Such data must be restorable for at least 365 contiguous days. The following table identifies the Security Intrusion Prevention and Detection Services roles and responsibilities that Vendor and the County shall perform.

Table 10. Security Intrusion Prevention and Detection Services Roles and Responsibilities

Security Intrusion Prevention and Detection Services Roles and Responsibilities Vendor County

1. Recommend industry best practice Intrusion Prevention and Detection Services policies
2. Develop, document and maintain in the Policies, Standards and Procedures Manual the Intrusion Prevention and Detection Services procedures that meet requirements and adhere to County-defined policies
3. Review and provide input and/or additional procedures as required and approve Intrusion Prevention and Detection Services procedures
4. Provide Security Intrusion Prevention and Detection Services and reporting in accordance with established policies and procedures
5. Provide, install, configure, and manage intrusion detection/prevention sensors at specific network entry points and all Third Party connection and wireless network entry points
6. Recommend risk ratings and remediation actions for security events in accordance with County policies and procedures
7. Review and approve the risk ratings and remediation actions
8. Provide daily and monthly reports indicating number of detected intrusions. Reports should include the top 10 exploits (and their sources) and top 10 devices registering detected intrusion
9. Coordinate with independent Third Party security provider(s) to capture and provide reports and analysis (e.g., trending) of security events within the local network, as required
10. Provide capability for the County to run ad-hoc intrusion detection reports via Vendor-provided portal/integrated ITSM suite
11. Notify the County of malicious activity and intrusions in accordance with County-defined policies
12. Provide alerts of malicious activity and intrusions according to risk rating of the signatures, in accordance with County-approved policies and procedures
13. Respond to and remediate the effects of malicious activity and intrusions as defined in the Incident Management process, as required to meet County policies and requirements
14. Continually develop recommendations for improved security


More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

Alcatel-Lucent Services

Alcatel-Lucent Services SOLUTION DESCRIPTION Alcatel-Lucent Services Security Introduction Security is a sophisticated business and technical challenge, and it plays an important role in the success of any network, service or

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

NETWORK SERVICES FOR NON-STATE AGENCIES

NETWORK SERVICES FOR NON-STATE AGENCIES PRODUCT DESCRIPTION Product Number: 2382.05.15 NETWORK SERVICES FOR NON-STATE AGENCIES Effective Date: July 1, 2008 (Reviewed January 2014) Revision Date: January 2015 Version: 001.7 Product Manager: Brett

More information

INFORMATION TECHNOLOGY ENGINEER V

INFORMATION TECHNOLOGY ENGINEER V 1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County

More information

IP Telephony Management

IP Telephony Management IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient

More information

Exhibit to Data Center Services Service Component Provider Master Services Agreement

Exhibit to Data Center Services Service Component Provider Master Services Agreement Exhibit to Data Center Services Service Component Provider Master Services Agreement DIR Contract No. DIR-DCS-SCP-MSA-002 Between The State of Texas, acting by and through the Texas Department of Information

More information

Network Service, Systems and Data Communications Monitoring Policy

Network Service, Systems and Data Communications Monitoring Policy Network Service, Systems and Data Communications Monitoring Policy Purpose This Policy defines the environment and circumstances under which Network Service, Systems and Data Communications Monitoring

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

How To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)

How To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud) SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

State of Texas. TEX-AN Next Generation. NNI Plan

State of Texas. TEX-AN Next Generation. NNI Plan State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

IT Networking and Security

IT Networking and Security elearning Course Outlines IT Networking and Security powered by Calibrate elearning Course Outline CompTIA A+ 801: Fundamentals of Computer Hardware/Software www.medallionlearning.com Fundamentals of Computer

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

MITEL. NetSolutions. Flat Rate MPLS VPN

MITEL. NetSolutions. Flat Rate MPLS VPN MITEL NetSolutions Flat Rate MPLS VPN A Comprehensive, Intelligent Network-based Solution Businesses today demand an ever-evolving list of requirements of their networks. From connecting branch locations

More information

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link) NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

IT Security Standard: Network Device Configuration and Management

IT Security Standard: Network Device Configuration and Management IT Security Standard: Network Device Configuration and Management Introduction This standard defines the steps needed to implement Bellevue College policy # 5250: Information Technology (IT) Security regarding

More information

Unified Threat Management, Managed Security, and the Cloud Services Model

Unified Threat Management, Managed Security, and the Cloud Services Model Unified Threat Management, Managed Security, and the Cloud Services Model Kurtis E. Minder CISSP Global Account Manager - Service Provider Group Fortinet, Inc. Introduction Kurtis E. Minder, Technical

More information

RL Solutions Hosting Service Level Agreement

RL Solutions Hosting Service Level Agreement RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The

More information

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Achieving SOX Compliance with Masergy Security Professional Services

Achieving SOX Compliance with Masergy Security Professional Services Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Managed Services. Business Intelligence Solutions

Managed Services. Business Intelligence Solutions Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services

More information

V1.4. Spambrella Email Continuity SaaS. August 2

V1.4. Spambrella Email Continuity SaaS. August 2 V1.4 August 2 Spambrella Email Continuity SaaS Easy to implement, manage and use, Message Continuity is a scalable, reliable and secure service with no set-up fees. Built on a highly reliable and scalable

More information

AVG AntiVirus. How does this benefit you?

AVG AntiVirus. How does this benefit you? AVG AntiVirus Award-winning antivirus protection detects, blocks, and removes viruses and malware from your company s PCs and servers. And like all of our cloud services, there are no license numbers to

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Protect Your Enterprise With the Leader in Secure Email Boundary Services

Protect Your Enterprise With the Leader in Secure Email Boundary Services Postini Perimeter Manager Enterprise Edition Protect Your Enterprise With the Leader in Email Boundary Services The Most Comprehensive, Flexible And Trusted Email Security Solution Perimeter Manager Enterprise

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Remote Services. Managing Open Systems with Remote Services

Remote Services. Managing Open Systems with Remote Services Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater

More information

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s

More information