Schedule 2C-2 Converged Network Management Services (Future State SCHEDULE 2C-2 CONVERGED NETWORK MANAGEMENT SERVICES (FUTURE STATE SERVICES) for COUNTY OF ORANGE, CA Date TBD
Table of Contents 1.0 Converged Network Management Services Overview and Objectives... 1 1.1 Converged Network Management Services Overview...1 1.2 Service Objectives...2 2.0 Converged Network Management Services Requirements... 3 2.1 Converged Network Service Area Components...3 2.2 Service Descriptions and Roles & Responsibilities...7 3.0 Service Environment... 22 3.1 Scope of Infrastructure to be Supported...22 3.2 Baseline Information...22 4.0 Service Level Requirements... 23 4.1 Objectives...23 4.2 Service Level Requirements...23 5.0 Reports... 28 6.0 Referenced Appendices, Schedules and Attachments... 29 List of Tables Table 1. General Roles and Responsibilities...7 Table 2. Design and Engineering Services Roles and Responsibilities...8 Table 3. Network Provisioning Services Roles and Responsibilities...9 Table 4. Network Operations and Administration Services Roles and Responsibilities...10 Table 5. Network Monitoring and Reporting Services Roles and Responsibilities...12 Table 6. Circuit Support Services Roles and Responsibilities...13 Table 7. Network Documentation Services Roles and Responsibilities...14 Table 8. Network Security Services Roles and Responsibilities...14 Table 9. Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities...18 Table 10. Security Intrusion Prevention and Detection Services Roles and Responsibilities...19 Table 11. Security Monitoring and Incident Management Services Roles and Responsibilities...20 Table 12. Network Availability SLRs...23 Table 13. Network Performance SLRs...24 Table 14. Network Administration Services SLRs...25 Table 15. Gateway Content Filtering of Email SLRs...26 Table 16. Security Intrusion Detection SLRs...26 Date TBD Page i
Table 17. Network Services Reports...28 Date TBD Page ii
This is Schedule 2C-2 (Converged Network Management to the Agreement between the County of Orange, CA ( County or the County ) and the Vendor ( Vendor ). Unless otherwise expressly defined herein, the capitalized terms used herein shall have the meaning assigned to them in Attachment A (SOW Definitions). This statement of work shall be in effect following the implementation of the Vendor provided/implemented converged network environment. 1.0 Converged Network Management Services Overview and Objectives 1.1 Converged Network Management Services Overview This Schedule 2C-2 (Converged Network Management is the statement of work that sets forth the roles and responsibilities of the Parties for the Converged Network Management Services provided under the Agreement as part of the Services. Converged Network Management Services are the end-to-end Services and activities required to provide and support the County s converged network environment that transports data traffic related to County and Third Party applications including but not limited to financial and business applications (e.g., CAPS+, PTMS), web applications, video and associated video applications (e.g., future video conferencing, weekly Board meetings) and IP/VOIP telephony system traffic. Vendor s end-to-end responsibilities include life cycle management (e.g., requirements, engineering, design, implementation, testing), service provisioning, security, administration, troubleshooting, and proactive service management (e.g., Availability and Capacity Management, Performance Management, Incident and Problem Management) of the County s converged network environment and services, including but not limited to: Wide area network (WAN) (including metropolitan area network (MAN), circuit and conduit management) Third Party connectivity (e.g., state consortium systems and exchanges) Wired and wireless local area networks (LANs) IP management services Quality of service (QoS) and class of service (CoS) management Network operations, management and monitoring Support of network test environments for all network services Internet connectivity services (e.g., provisioning, monitoring and reporting) E-mail gateway services Network security services Vendor s solution for Converged Network Management Services shall provide multiple levels of secure and permission-based logical network connectivity through the enterprise network to County End Users including the following: Enterprise level connectivity Agency to agency connectivity Multiple agency to agency connectivity Date TBD Page 1
Agency to business partners (e.g., state, federal, other counties and cities) connectivity County connectivity to the internet via the enterprise data center Throughout the Term of the Agreement, Vendor Converged Network Management Services shall support changing County business, regulatory and technical requirements and Vendor services shall incorporate new technical and services solutions that meet County requirements and business objectives. 1.2 Service Objectives The following are the key high-level Service objectives the County expects to achieve through Vendor s Converged Network Management Services: Achieve the Service Level Requirements (SLRs) specified in Section 4 of this SOW Design, implement and maintain a reliable, scalable and secure high-speed converged network infrastructure, that meets the County s ongoing and changing business and technical requirements and service level requirements (SLRs) End to end converged network monitoring and management including management of Third Party providers (e.g., Third Party coordination, carrier coordination, Problem and Incident management) Maintain and deliver Converged Network Services in a cost effective manner Timely delivery of Converged Network solutions to support County project implementations, and related coordination with the County and Third Parties Date TBD Page 2
2.0 Converged Network Management Services Requirements 2.1 Converged Network Service Area Components Converged Network Management Services and network components include, but are not limited to the following. 2.1.1 Wide Area Network (WAN) (including Metropolitan Area Network (MAN)) Services WAN Services include the monitoring and management of networking equipment and Software that interconnect two or more separate facilities. WAN Services include acting as the prime Vendor or as an agent for trouble management for Third Party carrier services such as ATM, MPLS, point-to-point, frame relay circuits, Countyowned circuits, dedicated Internet connections and broadband circuits. Specific WAN Services include: Design of WAN connectivity solutions that will meet the County s business and technical requirements (e.g., performance, availability, reliability, capacity) WAN equipment provisioning and management (e.g., routers, CSUs/DSUs) Management of WAN circuit provisioning Management of circuit billing, invoicing and reconciliation Installation and decommissioning of WAN equipment (e.g., routers, gateways) Implementation of WAN connections and circuits Testing of WAN infrastructure (e.g., stress testing, regression testing, failover testing) changes in a non-production environment, prior to introduction into the County production environment Wiring and cabling (e.g., extended demarcation cabling) Password reset services per established security standards Optimization of WAN Services and circuits Management of end-to-end WAN connectivity and performance Internet connectivity and access Management of network QoS and CoS for all IP-based services Monitoring of all managed network devices (e.g., via SNMP) Monitoring performance and usage parameters of WAN circuits (e.g., Availability, peak utilization, average utilization, latency per QoS/class of service level, error levels, forward and backward explicit congestion notifications (FECNs/BECNs), application breakdown) Management of all WAN equipment (e.g., Routers, CSU/DSUs) Compliance with security policies and best practices Asset and configuration management Date TBD Page 3
Maintenance of hardware and Software (e.g., routers, switches, system upgrades) Regular and ad-hoc reporting per County formatting requirements Development and maintenance of WAN documentation and diagrams Testing and implementation of network disaster recovery in accordance with the County Disaster Recovery Plan 2.1.2 Wired and Wireless Local Area Network (LAN) Services LAN Services include the provision and monitoring and management of networks that are usually confined to a single facility or portion of a facility. LAN components include Dynamic Host Configuration Protocol (DHCP) and wireless LANs supporting all network traffic originating from computing devices (e.g., desktop devices, local file and print servers, application servers, database servers, peripherals and other network devices and other End User devices). This Service does not include the LAN-attached Network Interface Card (NIC) at the desktop. Specific Wired and Wireless LAN Services include: Review existing LANs and recommend improvements Design of LAN solutions which will meet County requirements LAN equipment provisioning and management Installation and decommissioning of LAN equipment (e.g., switches, hubs) Testing of LAN infrastructure (e.g., stress testing, regression testing, failover testing) changes in a non-production environment, prior to introduction into County s production environment Management of LAN connectivity and performance, including wired and wireless LANs Management of Layer 2 through 7 switching devices and network appliances (e.g., load balancers) Monitoring all managed network devices (e.g., via SNMP) Monitoring LAN ports switches for Servers and interconnectivity between the switches and other network devices (e.g., IP/VOIP telephony devices) ; LAN ports shall be monitored for peak utilization, average utilization, latency, jitter, error levels unless otherwise agreed upon by County Wiring and cabling Regular and ad-hoc reporting per County requirements Compliance with security policies and best practices Asset Management and Configuration Management Support and administration of Third Party maintenance agreements and relationships Development and maintenance of LAN documentation and diagrams LAN administration services during County-defined windows (e.g., DNS changes, AD replication, virus definitions) Testing and implementation of network disaster recovery in accordance with the County Disaster Recovery Plan Date TBD Page 4
Monitor remote equipment closets 2.1.3 IP Management Services COUNTY OF ORANGE, CA IP Management Services include both Domain Name Services (DNS) and Dynamic Host Configuration Protocol (DHCP), including administration and management of Domain Name Services. Vendor shall be responsible for managing DNS Services within the LAN and also on the Internet for all County application and service web sites. Vendor will also be responsible for providing DHCP services in support of all network traffic. Specific DNS services include: IP address management DHCP Service for Service Area hardware Internal and External DNS Service for Service Area hardware Internal and External DNS/DHCP Services for County sites Static IP addressing Provision and maintenance of central, real time logs that are to be kept in via Vendor-provided portal/integrated ITSM suite per County information security policies Provision and support of a DNS/DHCP tool that provides the following capabilities, including but not limited to: Combines data from all DHCP servers on the reports Logs all devices that provide IP addresses via DHCP in the County s environment including remote access devices Supports real-time reporting formatted to the County s standards Provides capability to search for information from either the IP address, MAC address, hostname, or Active Directory End User ID Ability to generate e-mail alerts when a specific IP address, MAC address, hostname, or Active Directory End User ID is used 2.1.4 Remote Access Remote Access Services include the provision and management of solutions (e.g., virtual private network (VPN)) that allows remote End Users and business partners to securely connect to the network and County Application Services and/or County IT resources over the public Internet or private intranet. It requires industry/internetbased standards for security to create and preserve privacy, data integrity, and authenticity. The Remote Access Service will be highly scalable (e.g., client and siteto-site) and support will be provided for County sites, designated home offices, wireless access points, and other locations as required. All Remote Access Services provided hereunder will be provided in compliance with the County s security policies. 2.1.5 Network Security Services Network Security Services include the provision and support of methods that provide security to wired and wireless physical and logical network devices connected to the network and for security to IP traffic on the network. All Network Security Services Date TBD Page 5
provided hereunder will be provided in tiered administration in compliance with the County s security policies. Network Security Services include, but are not limited to: Firewall management (e.g. DMZ, Internet, Third Party connections) Provision and management of multi-factor authentication (e.g., token, certificate) Malicious code detection and prevention, and Internet monitoring (e.g. IDS/IPS, anti-virus, anti-malware) E-mail gateway and SPAM filtering per County requirements Security policy verification Tiered web filtering (e.g., URL filtering, malicious sites, spyware, advertisements, instant messaging, free software downloads) Internet usage reporting Tiered antivirus Data leak monitoring Data Leak Prevention services Provision, installation, configuration, management, and maintenance of network intrusion detection and prevention sensors at specified network entry points Intrusion incident reporting Ongoing vulnerability assessment and remediation Support of Third Party security assessment, scanning and penetration testing Design, implementation, management and maintenance of encryption solutions Management of County-owned security certificates, SSLs and domain names Incident and Problem Resolution Password Reset services per established security standards Logging, tracking and management of security risks and issues to Resolution and closure Network security services reporting per County requirements Physical and logical access control (e.g., End User, administrative, card access) Remediation of discovered security risks from any security audit findings 2.1.6 Management and Administration Services Management and Administration Services include system and component management and monitoring, information protection, component addressing, and IT Service management activities such as patch management, version control, access control, and Change control for all in scope network components including IP telephony/voip components. Management Services include: Date TBD Page 6
Network systems management and troubleshooting (e.g., performance, Problem, Change and capacity monitoring) Bandwidth, capacity, availability and performance management and reporting Application usage statistics (e.g., identify top talkers by application via Layer 7 monitoring) Coordinating with public carriers and other circuit providers to perform operations activities, support SLRs and to manage reporting of Third Party SLRs to the County QoS and CoS management Physical and logical network segmentation Administration Services include: Managing network devices, configurations, ACLs, firewalls, Internet Protocol (IP) addresses and related Services (e.g., DNS/DHCP) as specified by the County Asset management and configuration management, including hardware and Software Logical (e.g., IP address change) IMACs for network components Physical equipment and site IMACs 2.1.7 Firewall Management, DMZ and Internet Infrastructure Services Firewall Management, DMZ and Internet Infrastructure Services are the activities associated with Managing and supporting County Internet and Third Party connections and associated firewalls, DMZ infrastructures, proxies, content filters and other Services necessary for secure Internet access from and to the County network. Internet/Web Services. The following Services and roles and responsibilities shall apply to all in scope County network components described above (e.g., WAN, MAN, LAN, VPN). 2.2 Service Descriptions and Roles & Responsibilities 2.2.1 General Responsibilities The following table identifies general roles and responsibilities associated with this SOW. An is placed in the column under the party that will be responsible for performing the task. Vendor responsibilities are indicated in the column labeled Vendor. Table 1. General Roles and Responsibilities General Roles and Responsibilities Vendor County 1. Develop, document and maintain the physical and logical network design/architecture plan and inventory (e.g., circuit inventory, conduit mapping, and IP address schema, as built) to meet County requirements 2. Review and approve the plan for network design/architecture 3. Provide and manage 24x7x365 network Availability 4. Provision network components as required 5. Provision circuits per County s instructions and approvals Date TBD Page 7
General Roles and Responsibilities Vendor County 6. Dispose of decommissioned network equipment in accordance with County policies 7. Develop business and functional requirements for network projects 8. Provide technical and functional requirements for Vendor-proposed network support and upgrade projects 9. Manage and perform firmware/software upgrades for all in-scope network devices 10. Review and approve firmware/software upgrade maintenance costs and schedule for network devices 11. Identify, test, and Resolve compatibility issues between firmware/software versions 12. Perform proactive network optimization and tuning 13. Coordinate with County entities and Third Parties (e.g., hardware/software Vendors, carriers, service providers) as required 14. Provide ad-hoc network reports when requested by the County 15. Coordinate with County Third Party WAN/LAN network providers for Incident Resolution and to collect and report on network Availability and performance to the End User 16. Support audit activities by providing necessary resource, reports and data 2.2.2 Design and Engineering Services Design and Engineering Services are those activities associated with the design and engineering of the technical infrastructure, and providing and managing tools and utilities to support the network environment. The following table identifies the Design and Engineering Services roles and responsibilities that Vendor and the County shall perform. Table 2. Design and Engineering Services Roles and Responsibilities Design and Engineering Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Network Design and Engineering Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Design and Engineering Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Design and Engineering Services procedures 4. Prepare and provide network design, engineering, security plans and schedules (e.g., service design package (SDP)) to support new and enhanced applications, architectures and standards based on established procedures as needed or requested by the County 5. Review and approve network design, engineering, security plans, and schedules 6. Provide recommendations for optimizing network design Date TBD Page 8
Design and Engineering Services Roles and Responsibilities Vendor County 7. Review and approve recommendations for optimizing network design 8. Coordinate with County and Third Parties as required to meet service requirements and SLRs 9. Review and approve Changes to the network environment in accordance with Change Management policies and procedures 10. Develop scheduling of all Changes to the network environment 11. Review and approve the scheduling of Changes to the network environment in accordance with Change Management policies and procedures 12. Provide technical advice to the County regarding application development to optimize utilization of data and applications over the network 2.2.3 Network Provisioning Services Network Provisioning Services are those activities associated with the pricing, evaluation, selection, acquisition, installation, ongoing management and disposition of new and upgraded network components (e.g., circuits, equipment). The following table identifies the Network Provisioning Services roles and responsibilities that Vendor and the County shall perform. Table 3. Network Provisioning Services Roles and Responsibilities Network Provisioning Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Network Provisioning Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Provisioning Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Provisioning Services procedures 4. Manage circuit provisioning for new WAN connectivity, including obtaining favorable circuit pricing 5. Review carrier options and provide the County with recommendations regarding most favorable options 6. Review and approve Vendor s carrier recommendations regarding most favorable options 7. Maintain financial responsibility for County specified data circuits and other connectivity methods 8. Maintain financial responsibility for County specified data circuits and other connectivity methods 9. Specify network provisioning physical requirements (e.g., power, floor space) 10. Install equipment and establish connectivity as required 11. Document router configuration files and IP addressing schemas 12. Provide capacity planning, incorporating County-provided business requirements Date TBD Page 9
Network Provisioning Services Roles and Responsibilities Vendor County 13. Manage and coordinate the performance of public carriers (and other Third Parties) to meet County requirements (e.g., schedules, project plans, SLRs) 14. Ensure that all new circuits, devices and Software provisioned are included in all IT Service Management and Life Cycle Services related documentation (e.g., Asset and Configuration Management) 15. Upgrade/remove/decommission network equipment and connectivity from County sites as required per agreed schedules and in accordance with County policies and procedures 16. Manage and provide WAN connectivity installs, moves, adds and changes (IMACs) 17. Minimize disruptions in Services during Changes 18. Review and approve installation, connectivity and removal activities 19. Acquire and manage domain name entries on behalf of the County (e.g., web URL and SSL certificates) 20. Maintain financial responsibility and ownership of domain name entries 2.2.4 Converged Network Operations and Administration Data Network Operations and Administration Services are those activities associated with the provisioning and day-to-day management of the network environment. The following table identifies the Network Operations and Administration Services roles and responsibilities that Vendor and the County shall perform. Table 4. Network Operations and Administration Services Roles and Responsibilities Network Operations and Administration Services Roles and Responsibilities 1. Recommend Vendor s standard Network Operations and Administration Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Operations and Administration Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required, and approve Network Operations and Administration Services procedures 4. Perform day-to-day Network Operations and Administration Services activities 5. Develop, manage and maintain inventory of Network traffic (e.g., types, sources, services) 6. Manage network Assets in accordance with the County s policies, standards and procedures (including security oversight and Change Management policies and procedures) 7. Recommend QoS and CoS for QoS/CoS sensitive applications including IP/VOIP based telephony systems 8. Review and approve QoS and CoS requirements for QoS/CoS sensitive applications and IP/VOIP based telephony systems Vendor County Date TBD Page 10
Network Operations and Administration Services Roles and Responsibilities 9. Implement and manage QoS and CoS for QoS/CoS sensitive applications and IP/VOIP based telephony systems 10. Recommend IP addressing, directory and configuration information and requirements 11. Review and approve IP addressing, directory and configuration information and requirements 12. Develop and maintain IP addressing schemes, router configurations and routing tables that meet County s requirements Vendor 13. Manage and maintain DNS/DHCP Services 14. Provide requirements (e.g., security, performance) for physical and logical network traffic segmentation 15. Recommend approaches, technologies and network management techniques for physical and logical network traffic segmentation 16. Review and approve Vendor recommend approaches, technologies and network management techniques for physical and logical network traffic segmentation 17. Implement, manage and maintain physical and logical network traffic segmentation to meet County requirements and SLRs (e.g., security, performance) 18. Manage County Third Party contracts for facility cable management (e.g., physical wiring between servers and wiring closet and between wiring closet and desktop) Services at specified County sites 19. Manage and maintain current inventory of cable plant 20. Manage and provide proactive and reactive maintenance on network Assets 21. Manage and respond to Services Requests and provide IMACs for network components and sites 22. Maintain and provide security information in an agreed upon format, including access, general logs, application logs in accordance with the County s security policies and procedures 23. Coordinate network administration activities through defined Change Management processes 24. Support provisioning and de-provisioning account activities (e.g., administrative accounts, End User accounts) and maintain associated history logs as required 25. Support activities related to County- or Third Party-planned and unplanned Outages (e.g., post-power outage startup activities, County preparedness emergency exercises or Incidents, recovery) County 2.2.5 Network Monitoring and Reporting Network Monitoring and Reporting are those activities associated with the proactive monitoring and reporting of network performance and management information (e.g., performance metrics, Incidents) for in-scope network components (e.g., routers, switches, and network appliances, IP /VOIP telephony system components). The following table identifies the Network Monitoring and Reporting Services roles and responsibilities that Vendor and the County shall perform. Date TBD Page 11
Table 5. Network Monitoring and Reporting Services Roles and Responsibilities Network Monitoring and Reporting Services Roles and Responsibilities 1. Recommend Vendor s standard Network Monitoring Services and Incident and Problem Resolution procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Monitoring Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Monitoring Services procedures 4. Manage current or provide and manage new automated tools for monitoring network circuits, devices and traffic from a Vendor provided Network Operations Center (NOC) 5. Implement measures and provide proactive analysis of network data and reports to limit network Outages and optimize the County s bandwidth utilization 6. Proactively monitor current network utilization and provide information to the County for use in determining future capacity requirements 7. Monitor, operate, perform Problem determination, alert, and repair for all network environments on a 24x7x365 basis, including for Service Outage, loss of connection and specific performance indices 8. Monitor LAN ports for all servers and uplinks; LAN ports should be monitored for peak utilization, average utilization, latency, and error levels unless otherwise agreed upon by the County. Vendor should also have the capability to turn on monitoring for individual regular desktop ports for troubleshooting Vendor 9. Perform remote LAN analysis diagnostics and on-site troubleshooting 10. Manage Service Requests and dispatch process as directed by the County 11. Dispatch pre-approved Vendor on-site support personnel and/or Third Parties as appropriate 12. Manage network performance or Availability issues resulting from a fault or impairment in network circuits or devices 13. Provide reporting (e.g., availability, utilization, latency, capacity) on network components providing connectivity to County applications 14. Collect data and reports from Third Parties and provide consolidated reporting (e.g., availability, utilization, latency, capacity) on out-ofscope network components (e.g., Third Party circuits, Third Party WAN/LAN network circuits and components, Third Party partner and service provider connections) providing connectivity to County applications 15. Review and approve network performance reporting 2.2.6 Circuit Support County Circuit Support Services are those activities associated with providing 24x7x365 support of the network to ensure continuous operation. This support includes Problem isolation and Date TBD Page 12
determination to the network device port level. The following table identifies the Circuit Support Services roles and responsibilities that Vendor and the County shall perform. Table 6. Circuit Support Services Roles and Responsibilities Circuit Support Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Circuit Support Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual those Circuit Support Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Circuit Support Services procedures 4. Isolate Problems to the circuit, port or device level 5. For circuit Incidents and Problems, contact carrier to determine the cause of the Outage, notify the County, and work on the Incident/Problem with carrier until Resolved 6. Track Incidents and Problems, follow up on status, escalate when required and report status to the appropriate Party including when Incidents/Problems are Resolved 7. Provide any possible Workarounds to help maintain production until a permanent fix can be achieved during network Problems/Outages 8. Provide Third Party SLR reporting in accordance with County requirements 9. Support Disaster Recovery testing per the DR Plan (e.g., conduct failover testing) 10. Conduct Disaster recovery activities required to recover Services per the DR plan 2.2.7 Network Documentation Services Network Documentation Services are those activities associated with continually developing, revising, maintaining, reproducing, and making secure network infrastructure information securely accessible on an as needed basis. Documentation shall be formally provided to the County in electronic form quarterly and shall be stored and maintained in the integrated IT Service Management suite. Some of the document types specific to this Schedule include: Network system specifications and topologies (e.g., router configurations, firewall policies, routing diagrams/ip addressing tables, hardware/software listings) Detailed circuit location information (e.g., circuit ID including LEC access ID, location, speed) Firewall policies, group and object information As-built documentation for all network devices (including firewalls) that are deployed in development, test, QA, production and other technical environments Maintain the network topology in a geospatial map The following table identifies the Network Documentation Services roles and responsibilities that Vendor and the County shall perform. Date TBD Page 13
Table 7. Network Documentation Services Roles and Responsibilities Network Documentation Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard network documentation types and content 2. Develop and maintain network documentation that meets County requirements 3. Review and approve network documentation 2.2.8 Network Security Services All Network Security Services provided hereunder will be provided in tiered administration in compliance with the County s security policies. 2.2.8.1 Network Security Planning and Operations Services Network Security Planning and Operations Services are those activities associated with maintaining physical and logical security of all Network Management Services components (e.g., hardware, Software) and data, Malware protection, access protection and other Network Security Services in compliance with County security requirements and all applicable regulatory requirements. The following table identifies the Network Security Services roles and responsibilities that Vendor and the County shall perform. Table 8. Network Security Services Roles and Responsibilities Network Security Services Roles and Responsibilities Vendor County General 1. Implement physical and logical security plans that comply with County security policies; develop and provide documentation demonstrating adherence to the plans, processes and procedures 2. Maintain a secure network environment, including compliance with County policies 3. Perform information security compliance, auditing, and reporting per County-defined requirements 4. Design, implement and maintain Vendor security services and technical solutions that protect data logically and physically, in storage and during wired and wireless transmission, against unauthorized or accidental access, modification or disclosures (e.g., encryption, network segmentation, monitoring tools) 5. Review and approve Vendor security solutions 6. Develop, document and maintain in the Policies, Standards and Procedures Manual Security Services standards and procedures that meet County requirements, regulatory requirements, and adhere to County policies 7. Review and approve Network Security Services standards and procedures 8. Execute security policies and provide and operate security monitoring tools including documentation demonstrating consistent adherence to the process 9. Provide, implement and manage security analysis and monitoring tools into the County s network environment 10. Provide tiered and role-based access to Vendor s security analyses and monitoring tools Date TBD Page 14
Network Security Services Roles and Responsibilities Vendor County 11. Review and approve security analysis and monitoring tools Security Policy and Controls 12. Provide County security strategy, policies and requirements 13. Recommend Vendor s standard best practice security policies, services and procedures 14. Review and provide input and/or additional procedures as required and approve Vendor recommended standard/best practice security policies, services and procedures 15. Ensure compliance with patch management and Change Management policy 16. Proactively monitor current IT security trends, threats, exploits and security best practices and notify the County of same 17. Provide a County security liaison that works with Vendor for security requirements related to the scope of this Schedule 18. Implement a Network Security Incident Response Team (NSIRT) program to resolve security incidents 19. Participate in Computer Incident Response Team (CIRT) as required by the County or Third Parties 20. Review and approve all security plans, security remediation plans, programs, and security infrastructure Physical Security Control 21. Develop and maintain network environment access control lists and provide reporting on which individuals have accessed locations and resources 22. Review and approve network environment access control list 23. Conduct a quarterly review of the list of authorized people to computing/network equipment areas 24. Adhere to established access control policies and procedures System Administrative Privileges 25. Establish access profiles and policies for adding, changing, enabling/disabling and deleting log-on access for County and Third Parties 26. Investigate attacks (e.g., attempts to logon) 27. Provide logs of network security events containing data to support comprehensive audits of the effectiveness of, and compliance with security measures in accordance with County policies (e.g., audit trail) System Administrative Privileges 28. Establish access profiles and policies for adding, changing, enabling/disabling and deleting log-on access for County and Third Parties 29. Investigate systematic attacks (e.g., attempts to logon) 30. Provide logs of network security relevant events containing sufficient data to support comprehensive audits of the effectiveness of, and compliance with security measures (audit tracking) Date TBD Page 15
Network Security Services Roles and Responsibilities Vendor County Security Integrity Advisory 31. Provide security advisory information to the County in a mutually agreed manner 32. Evaluate security advisories, assign a risk value and communicate recommended action plan to the County Security Status Checking and Validation 33. Provide security assessment audit single point of contact to define audit controls and coordinate audit activities 34. Provide support for audit activities, public requests for information (PRIs) per the Public Information Act, e-discovery, legal hold, and forensic audits as required by the County (e.g., data collection, audit tool installation, report generation) 35. Develop plans to remediate audit findings that do not comply with the established County security policies and standards 36. Review and approve audit findings and remediation plans 37. Implement remediation plans and report on progress of associated implementation 38. Support audit activities by providing a security assessment audit coordinator 39. Maintain all documentation required for security assessments, Audits and internal control and control testing 40. Perform semi-annual security assessments, or ad hoc assessments as required, to identify control or security gaps and provide trending problem reports to the County, and recommend remediation plan(s) 41. Conduct security planning and review sessions to review results of security assessments and Vendor remediation plans 42. Review all findings and identified risks and approve remediation plans 43. Implement County-approved remediation plans Content Filtering for Malware 44. Review and approve Malware Prevention policies and services 45. Adhere to County-approved Malware Prevention policies and services 46. Monitor supplier information and manage up-to-date information on malicious code outbreaks and deploy the appropriate signature files to protect against the malicious code in accordance with established County Change Management procedures 47. Deploy anti-malware updates and patches following a Malware Incident per the County Change Management procedures 48. Immediately notify the County on detection of malicious code within the infrastructure 49. Implement the established action plan (e.g., quarantine of malicious code or network segment) and escalation procedures for a malicious code event beyond what is automatically fixed by the anti-malware software 50. Filter outbound URLs to enforce compliance with County policies 51. Filter both inbound/outbound multiple Web protocols, including deep inspection of encrypted traffic Date TBD Page 16
Network Security Services Roles and Responsibilities Vendor County 52. Filter inbound URLs real-time threat protection, block access to sites harboring harmful code, Malware - spyware, phishing, virus, worms and Trojan horse software. Provide for continuous scanning, eradication and reporting of detected harmful code as listed and Incident Resolution 53. Scan user-generated content per County policies 54. Provide seamless user/ip integration to County multi-agency for authentication, tracking, reporting 55. Integrate fully with End User browsers (e.g., MS I/E, foxfire, chrome) with IP and user identification tracking, reporting 56. Provide reporting and audit capabilities, including user activity as required by County polices 57. Provide for Agency tiered management 58. Manage user/groups URL filters and reporting as required Content Filtering of Email 59. Recommend E-mail Gateway and inbound and outbound Filtering policies, services and procedures 60. Review and approve E-mail Gateway and Filtering policies, services and procedures 61. Manage email gateway SPAM, filters and queues, and process quarantined items to ensure that County email services are not adversely affected by either inbound threats or outbound e-mail broadcast violations. Provide management of tiered quarantined items 62. Notify the County and provide remediation of any blacklist events, in accordance with County policies and procedures 63. Identify and block incoming spam while protecting against other threats (e.g., viruses, malware, phishing, directory harvest, denial of service, bounce back attacks, zero-hour threats, and spam surges) 64. Provide seamless user/ip integration to County multi-agency for authentication, tracking, reporting 65. Provide email encryption 66. Provide flexible policy creation and enforcement, and logging and reporting 67. Manage process for misidentified legitimate messages as spam (false positives) and allowing legitimate email traffic to flow in. 68. Provide spam-domain name reputation, IP reputation, sender authentication, grey listing, image filtering, integrity analysis, heuristic detection, blacklists, and white lists 69. Process requests for new County-owned URL, DNS and e-mail address formats per County Change Management processes 2.2.8.2 Firewall Management, DMZ and Internet Infrastructure Services Firewall Management, DMZ and Internet Infrastructure Services are those activities associated with Managing and supporting all of County s firewalls, DMZ infrastructures, Internet connections and Third Party connections, proxies, content filters and other Services necessary for secure Internet access from and to the County network. Vendor shall provide these Services in compliance with the County s policies. Vendor will maintain and operate the firewall/dmz/internet infrastructure in such a way that Services are secure and reliable and Date TBD Page 17
perform according to requirements and SLRs. Vendor will also make recommendations on design Changes to improve Services as well as implementing the Change per established Change Management procedures. Vendor will act as an agency to contact ISPs and/or other Third Parties to setup connectivity and/or troubleshoot connections and other support questions. The following table identifies the Firewall Management, DMZ and Internet Infrastructure Services roles and responsibilities that Vendor and County shall perform. Table 9. Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities 1. Recommend Vendor s standard Firewall Management, DMZ and Internet Infrastructure Services, procedures and best practices 2. Provide Firewall Management, DMZ and Internet Infrastructure requirements and policies (including segregation requirements and policies) 3. Develop, document and maintain in the Policies, Standards and Procedures Manual Firewall Management, DMZ and Internet Infrastructure Services procedures that meet requirements and adhere to defined policies 4. Review and provide input and/or additional procedures as required and approve Firewall Management, DMZ and Internet Infrastructure Services procedures 5. Perform Firewall Management, DMZ and Internet Infrastructure engineering and related security design including methods for secure network access and authentication in accordance with County policy 6. Review and approve Firewall Management, DMZ and Internet Infrastructure Services architecture and security designs 7. Perform Firewall Management, DMZ and Internet Infrastructure Services in accordance with architecture and security designs a County policies 8. Implement defined access requirements and standards via firewall rule sets 9. Ensure compliance to defined security and configuration standards including Internet content filtering 10. Assist with the definition of Intranet/Internet boundaries within the County Vendor 11. Maintain Intranet/Internet boundaries within the County 12. Define Third Party connectivity requirements and policies 13. Assist with the definition of Third Party connectivity strategy 14. Review and approve Third Party connectivity strategy 15. Implement and support County-approved Third Party connectivity strategy 16. Support and manage content compression devices, load balancing devices, and SSL acceleration 17. Notify the County and provide remediation of any blacklist events, in accordance with County policies and procedures County Date TBD Page 18
Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities 18. Monitor performance levels of the firewall/dmz/internet infrastructure through setting of thresholds, provide reporting, and take proactive and/or reactive steps to Resolve any performance issues Vendor 19. Provide proxy and content filter services based on approved policies 20. Provide County and user-specific internet usage reports County 2.2.8.3 Security Intrusion Prevention and Detection Services Security Intrusion Prevention and Detection Services are those activities associated with managing and supporting the IPS/IDS infrastructure and providing quick follow up on security events. Vendor shall communicate any new security vulnerabilities and provide recommendations to remediate these vulnerabilities and implement County approved recommendations. Vendor shall provide NIDS (network-based intrusion detection service). Vendor shall restore offline security event data as follows: up to 30 days of consecutive event data restored within two (2) Business Days; up to six (6) months of consecutive event data within five Business Days; and for more than six (6) months of event data each request will be individually evaluated by Vendor and an estimated time to restore will be provided. Such data must be restorable for at least 365 contiguous days. The following table identifies the Security Intrusion Prevention and Detection Services roles and responsibilities that Vendor and the County shall perform. Table 10. Security Intrusion Prevention and Detection Services Roles and Responsibilities Security Intrusion Prevention and Detection Services Roles and Responsibilities 1. Recommend industry best practice Intrusion Prevention and Detection Services policies 2. Develop, document and maintain in the Policies, Standards and Procedures Manual the Intrusion Prevention and Detection Services procedures that meet requirements and adhere to County defined policies 3. Review and provide input and/or additional procedures as required and approve Intrusion Prevention and Detection Services procedures 4. Provide Security Intrusion Prevention and Detection Services and reporting in accordance with established policies and procedures 5. Provide, install, configure, and manage intrusion detection/prevention sensors at specific network entry points and all Third Party connection and wireless network entry points 6. Recommend risk ratings and remediation actions for security events in accordance with County policies and procedures Vendor 7. Review and approve the risk ratings and remediation plans and actions 8. Provide daily and monthly reports indicating number of detected intrusions. Reports should include the top ten (10) exploits (and their sources) and top ten (10) devices registering detected intrusion 9. Coordinate with independent Third Party security provider(s) to capture and provide reports and analysis (e.g., trending) of security events within the local network, as required 10. Provide capability for the County to run ad-hoc intrusion detection reports via Vendor-provided portal/integrated ITSM suite County Date TBD Page 19
Security Intrusion Prevention and Detection Services Roles and Responsibilities COUNTY OF ORANGE, CA 11. Notify the County of malicious activity and intrusions in accordance with County-defined policies 12. Provide alerts of malicious activity and intrusions according to risk rating of the signatures, in accordance with County-approved policies and procedures 13. Respond to and remediate the effects of malicious activity and intrusions as defined in the Incident Management process, as required to meet County policies and requirements Vendor 14. Continually develop recommendations for improved security 15. Provide recommendations for improved security on a quarterly basis or as required based on new security threats 16. Review and approve recommendations for improved security 17. Implement approved recommendations 18. Notify Vendor s security monitoring centers of scheduled Changes to the environment to ensure that the County does not receive security alerts when planned Changes are made 2.2.8.4 Security Monitoring and Incident Management Services County Security Monitoring and Incident Management Services are those activities associated with security monitoring, Incident response and escalation, including ensuring that all necessary traffic and activities are logged in accordance with County policies. The following table identifies the Security Monitoring and Incident Management Services roles and responsibilities that Vendor and the County shall perform. Table 11. Security Monitoring and Incident Management Services Roles and Responsibilities Security Monitoring and Incident Management Services Roles and Responsibilities 1. Recommend industry best practice Security Monitoring and Incident Management Services policies Vendor 2. Establish Security Monitoring and Incident Management Services policies 3. Provide Security Monitoring and Incident Management Services in accordance with established policies 4. Provide initial review of security Incidents and escalate to the County s security function, in accordance with the County s policies and procedures 5. Identify, quarantine and/or remove from the network any malicious code (e.g., virus/worm infected system and/or rogue device) 6. Identify and provide countermeasures for attacks (e.g., hacker, malicious code, virus/worm, trojan) 7. Proactively and routinely evaluate internal security vulnerabilities and recommend mitigation plans 8. Collect,review and analyze all Incidents reported by all other security Services (e.g., NIDS, penetration testing, firewall) 9. Maintain log files in accordance with County policies County Date TBD Page 20