SCHEDULE 2C DATA NETWORK MANAGEMENT SERVICES (INTERIM STATE SERVICES) for. Date TBD

SCHEDULE 2C DATA NETWORK MANAGEMENT SERVICES (INTERIM STATE SERVICES) for COUNTY OF ORANGE, CA Date TBD

Table of Contents 1.0 Data Network Management Services Overview and Objectives... 1 1.1 Data Network Management Services Overview...1 1.2 Service Objectives...1 2.0 Data Network Management Services Requirements... 2 2.1 Network Service Area Components...2 2.2 Service Descriptions and Roles & Responsibilities...6 3.0 Service Environment... 20 3.1 Scope of Infrastructure to be Supported...20 3.2 Baseline Information...20 4.0 Service Level Requirements... 20 4.1 Objectives...21 4.2 Service Level Requirements...21 5.0 Reports... 24 6.0 Referenced Appendices, Schedules and Attachments... 26 List of Tables Table 1. General Roles and Responsibilities...6 Table 2. Design and Engineering Services Roles and Responsibilities...7 Table 3. Network Provisioning Services Roles and Responsibilities...8 Table 4. Data Network Operations and Administration Services Roles and Responsibilities...9 Table 5. Network Monitoring and Reporting Services Roles and Responsibilities...10 Table 6. Circuit Support Services Roles and Responsibilities...11 Table 7. Network Documentation Services Roles and Responsibilities...12 Table 8. Network Security Services Roles and Responsibilities...13 Table 9. Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities...16 Table 10. Security Intrusion Prevention and Detection Services Roles and Responsibilities...18 Table 11. Security Monitoring and Incident Management Services Roles and Responsibilities...19 Table 12. Network Availability SLRs...21 Table 13. Backbone Network Performance SLRs...22 Table 14. Network Administration Services SLRs...23 Table 15. Content Filtering of Email SLRs...23 Table 16. Security Intrusion Detection SLRs...24 Table 17. Data Network Services Reports...24 Date TBD Page i

This is Schedule 2C (Data Network Management Services) to the Agreement between the County of Orange, CA ( County or the County ) and the Vendor ( Vendor ). Unless otherwise expressly defined herein, the capitalized terms used herein shall have the meaning assigned to them in Attachment A (SOW Definitions). This statement of work shall be in effect prior to the implementation of the Vendor provided/implemented converged network environment. 1.0 Data Network Management Services Overview and Objectives 1.1 Data Network Management Services Overview This Schedule 2C (Data Network Management Services) is the statement of work that sets forth the roles and responsibilities of the Parties for the Data Network Management Services provided under the Agreement as part of the Services. Data Network Management Services are the Services and activities required to provide and support the existing County data network environment that links computing users to County and external (e.g., CAPS+, PTMS, web applications). Vendor s responsibilities include the life cycle management (e.g., requirements, engineering, design, implementation, testing), service provisioning, security, administration and troubleshooting and proactive service management (e.g., Availability and Capacity Management, Performance, Incident and Problem Management) of the County network environment, including: Wide area network (WAN) (including metropolitan area network (MAN), circuit and conduit management) Third Party connectivity (e.g., state consortium systems and exchanges) Wired and wireless local area networks (LANs) IP management services Network security services Network operations, management and monitoring Support of network test environments for all network services Internet connectivity services E-mail gateway services 1.2 Service Objectives The following are the key high-level Service objectives the County expects to achieve through Vendor s Data Network Management Services: Achieve the Service Level Requirements (SLRs) specified in Section 4 of this SOW Services that provision and maintain a reliable, scalable and secure high-speed network infrastructure, with appropriate redundancy to meet SLRs End-to-end network monitoring and management including management of Third Party providers (e.g., Third Party coordination, carrier coordination, Problem and Incident management) Maintain and deliver Data Network Services in a cost-effective manner Date TBD Page 1

Timely delivery of Data Network solutions to support County project implementations, and related coordination with County and Third Parties 2.0 Data Network Management Services Requirements 2.1 Network Service Area Components Network Management Services and network components include, but are not limited to the following. 2.1.1 Wide Area Network (WAN) (including Metropolitan Area Network (MAN)) Services WAN Services include the monitoring and management of networking equipment and Software that interconnect two or more separate facilities. WAN Services include acting as an agent for trouble management of carrier services such as ATM, MPLS, point-to-point, frame relay circuits, County-owned circuits, dedicated internet connections and broadband circuits. Specific WAN Services include: Design of WAN connectivity solutions that will meet the County s business and technical requirements (e.g., performance, availability, reliability, capacity) WAN equipment provisioning and management (e.g., routers, CSUs/DSUs) Management of WAN circuit provisioning Management of circuit billing, invoicing and reconciliation Installation and decommissioning of WAN equipment (e.g., routers, gateways) Implementation of WAN connections and circuits Testing of WAN infrastructure (e.g., stress testing, regression testing, failover testing) changes in a non-production environment, prior to introduction into the County production environment Wiring and cabling (e.g., extended demarcation cabling) Optimization of WAN Services and circuits Management of end-to-end WAN connectivity and performance Internet connectivity and access QoS management for all IP-based services Monitoring of all managed network devices via SNMP Monitoring performance and usage parameters of WAN circuits (e.g., Availability, peak utilization, average utilization, latency per QoS/class of service level, error levels, forward and backward explicit congestion notifications (FECNs/BECNs), application breakdown) Compliance with security policies and best practices Asset and configuration management Maintenance of hardware and Software (e.g., routers, switches, system upgrades) Regular and ad-hoc reporting per County formatting requirements Development and maintenance of WAN documentation and diagrams Date TBD Page 2

Testing and implementation of network disaster recovery in accordance with the County Disaster Recovery Plan 2.1.2 Wired and Wireless Local Area Network (LAN) Services LAN Services include the provision and monitoring and management of networks that are usually confined to a single facility or portion of a facility. LAN components include Dynamic Host Configuration Protocol (DHCP) and wireless LANs supporting all network traffic originating from computing devices (e.g., desktop devices, local file and print servers, application servers, database servers, peripherals and other network devices and other End User devices). This Service does not include the LAN-attached Network Interface Card (NIC) at the desktop. Specific LAN Services include: Design of LAN solutions which will meet County requirements LAN equipment provisioning and management Installation and decommissioning of LAN equipment (e.g., switches, hubs) Testing of LAN infrastructure (e.g., stress testing, regression testing, failover testing) changes in a non-production environment, prior to introduction into County s production environment Management of LAN connectivity and performance, including wired and wireless LANs Management of Layer 2 through 7 switching devices and network appliances (e.g., load balancers) QoS management for all IP-based services (e.g., business critical, business, best effort) Monitoring all managed network devices via SNMP Monitoring LAN ports switches for servers and interconnectivity between the switches and other network devices; LAN ports shall be monitored for peak utilization, average utilization, latency, jitter, error levels unless otherwise agreed upon by County Wiring and cabling Password reset services per established security standards Regular and ad-hoc reporting per County requirements Compliance with security policies and best practices Asset Management and Configuration Management Support and administration of Third Party maintenance agreements and relationships Development and maintenance of LAN documentation and diagrams LAN administration services during County-defined windows (e.g., DNS changes, AD replication, virus definitions) Testing and implementation of network disaster recovery in accordance with the County Disaster Recovery Plan 2.1.3 IP Management Services Date TBD Page 3

IP Management Services include both Dynamic Host Configuration Protocol (DHCP) and administration and management of Domain Name Services (DNS). Vendor shall be responsible for managing DNS Services within the LAN and also on the Internet for all County application and service web sites. Vendor will also be responsible for providing DHCP services in support of all network traffic. Specific DNS services include: IP address management DHCP Service for Service Area hardware Internal and External DNS Service for Service Area hardware Internal and External DNS/DHCP Services for County sites Static IP addressing Provision and maintenance of central, real time logs that are to be kept in Vendorprovided portal/integrated ITSM suite per County information security policies Provision and support of a DNS/DHCP tool that provides the following capabilities including but not limited to: Combines data from all DHCP servers on the reports Logs all devices that provide IP addresses via DHCP in the County s environment including remote access devices Supports real-time reporting formatted to the County s standards Provides capability to search for information from either the IP address, MAC address, hostname, or Active Directory End User ID Ability to generate e-mail alerts when a specific IP address, MAC address, hostname, or Active Directory End User ID is used 2.1.4 Remote Access Remote Access Services include the provision and management of solutions (e.g., virtual private network (VPN)) that allows remote End Users and business partners to securely connect to the network and County Application Services and/or County IT resources over the public Internet or private intranet. It requires industry Internetbased standards for security to create and preserve privacy, data integrity, and authenticity. The Remote Access Service will be highly scalable (e.g., client, site-tosite). Remote Access support will be provided for County sites, designated home offices, wireless access points, and other locations as required. All Remote Access Services provided hereunder will be provided in compliance with the County s security policies. 2.1.5 Network Security Services Network Security Services include the provision and support of methods that provide security to wired and wireless physical and logical network devices connected to the network. All Network Security Services provided hereunder will be provided in tiered administration in compliance with the County s security policies. Network Security Services include but are not limited to: Firewall management (e.g. DMZ, Internet, Third Party connections) Provision and management of multi-factor authentication (e.g., token, certificate) Date TBD Page 4

Malicious code detection and prevention (e.g. IDS,/IPS, anti-virus, anti-malware) E-mail gateway and SPAM filtering per County requirements Security policy verification Tiered web filtering (e.g., URL filtering, malicious sites, spyware, advertisements, instant messaging, free software downloads) Internet usage reporting Tiered antivirus Provision, installation, configuration, management, and maintenance of network intrusion detection and prevention sensors at specified network entry points Intrusion incident reporting Ongoing vulnerability assessment and remediation Support of Third Party security assessment, scanning and penetration testing Support of current County encryption solutions Management of County-owned security certificates, SSLs and domain names Incident and Problem Resolution Intrusion incident reporting Logging, tracking and management of security risks and issues to Resolution and closure Network security services reporting per County requirements Physical and logical access control (e.g., End User, administrative, card access) Support of existing IDS/IPS appliances and services (e.g., IBM appliances and services) Remediation of discovered security risks from any security audit findings 2.1.6 Management and Administration Services Management and Administration Services include system and component management and monitoring, information protection, component addressing, and IT Service management activities such as patch management, version control, access control, and Change control for all in-scope data network components. Management Services include: Network systems management and troubleshooting (e.g., performance, Problem, Change and capacity monitoring) Bandwidth, capacity, availability and performance management and reporting Application usage statistics (e.g., identify top talkers by application via Layer 7 monitoring) Coordinating with public carriers and other circuit providers to perform operations activities, support SLRs and to manage reporting of Third Party SLRs to the County QoS management Physical and logical network segmentation Date TBD Page 5

Administration Services include: Managing network devices, configurations, ACLs, firewalls, Internet Protocol (IP) addresses and related Services (e.g., DNS/DHCP) as specified by the County Asset management and configuration management, including hardware and Software Logical (e.g., IP address change) IMACs for network components Physical equipment and site IMACs 2.1.7 Firewall Management, DMZ and Internet Infrastructure Services Firewall Management, DMZ and Internet Infrastructure Services are the activities associated with Managing and supporting County Internet and Third Party connections and associated firewalls, DMZ infrastructures, proxies, content filters and other Services necessary for secure Internet access from and to the County network. The following Services and roles and responsibilities shall apply to all County data network components described above (e.g., WAN, MAN, LAN, VPN). 2.2 Service Descriptions and Roles & Responsibilities In addition to the services, activities, and roles and responsibilities described in Schedule 2A ITSM and Lifecycle Services SOW, Vendor is responsible for the following Data Network Management Services, activities and roles and responsibilities. 2.2.1 General Responsibilities The following table identifies general roles and responsibilities associated with this SOW. An is placed in the column under the party that will be responsible for performing the task. Vendor responsibilities are indicated in the column labeled Vendor. Table 1. General Roles and Responsibilities General Roles and Responsibilities Vendor County 1. Develop, document and maintain the physical and logical network design/architecture plan (e.g., circuit inventory, conduit mapping, diagrams, and IP address schema, as builts) to meet County requirements 2. Review and approve the plan for network design/architecture 3. Provide and manage 24x7x365 network Availability 4. Provision network components as required 5. Provision circuits per County s instructions and approvals 6. Dispose of decommissioned network equipment in accordance with County policies 7. Maintain financial responsibility for the procurement/provision of circuits and equipment 8. Develop business and functional requirements for network projects 9. Provide technical and functional requirements for Vendor-proposed network support Date TBD Page 6

General Roles and Responsibilities Vendor County 10. Manage and perform firmware/software upgrades for all in-scope network devices 11. Review and approve firmware/software upgrade maintenance costs and schedule for network devices 12. Identify, test, and Resolve compatibility issues between firmware/software versions 13. Perform proactive network optimization and tuning 14. Coordinate with County entities and Third Parties (e.g., hardware/software Vendors, carriers, service providers) as required 15. Provide ad-hoc network reports when requested by the County 16. Coordinate with County Third Party WAN/LAN network providers for Incident Resolution and to collect and report on network Availability and performance to the End User 17. Support audit activities by providing necessary resource, reports and data 2.2.2 Design and Engineering Services Design and Engineering Services are the activities associated with the design and engineering of the technical infrastructure, and providing and managing tools and utilities to support the data network environment. The following table identifies the Design and Engineering Services roles and responsibilities that Vendor and the County shall perform. Table 2. Design and Engineering Services Roles and Responsibilities Design and Engineering Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Network Design and Engineering Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Design and Engineering Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Design and Engineering Services procedures 4. Prepare and provide network design, engineering, security plans and schedules (e.g., service design package (SDP)) to support new and enhanced applications, architectures and standards based on established procedures as needed or requested by the County 5. Review and approve network design, engineering, security plans, and schedules 6. Provide recommendations for optimizing network design 7. Review and approve recommendations for optimizing network design 8. Coordinate with County and Third Parties as required to meet service requirements and SLRs 9. Review and approve all Changes to the network environment in accordance with Change Management policies and procedures Date TBD Page 7

Design and Engineering Services Roles and Responsibilities Vendor County 10. Schedule all Changes to the network environment 11. Review and approve the scheduling of all Changes to the network environment 12. Provide technical advice to the County regarding application development to optimize utilization of data and applications over the network 2.2.3 Network Provisioning Services Network Provisioning Services are the activities associated with the pricing, evaluation, selection, acquisition, installation, ongoing management and disposition of new and upgraded network components (e.g., circuits, equipment). The following table identifies the Network Provisioning Services roles and responsibilities that Vendor and the County will perform. Table 3. Network Provisioning Services Roles and Responsibilities Network Provisioning Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Network Provisioning Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Provisioning Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Provisioning Services procedures 4. Manage circuit provisioning for new WAN connectivity, including obtaining favorable circuit pricing 5. Review carrier options and provide the County with recommendations regarding most favorable options 6. Review and approve Vendor s carrier recommendations regarding most favorable options 7. Maintain financial responsibility for data circuits 8. Specify network provisioning physical requirements (e.g., power, floor space) 9. Install equipment and establish connectivity as required 10. Document router configuration files and IP addressing schemas 11. Provide capacity planning, incorporating County-provided business requirements 12. Manage and coordinate the performance of public carriers (and other Third Parties) to meet County requirements (e.g., schedules, project plans, SLRs) 13. Ensure that all new circuits, devices and Software provisioned are included in all IT Service Management and Life Cycle Services related documentation (e.g., Asset and Configuration Management) 14. Upgrade/remove/decommission network equipment and connectivity from County sites as required per agreed schedules and in accordance with County policies and procedures Date TBD Page 8

Network Provisioning Services Roles and Responsibilities Vendor County 15. Manage and provide WAN connectivity installs, moves, adds and changes (IMACs) 16. Minimize disruptions in Services during Changes 17. Review and approve installation, connectivity and removal activities 18. Acquire and manage domain name entries on behalf of the County (e.g., web URL and SSL certificates) 19. Maintain financial responsibility and ownership of domain name entries 2.2.4 Data Network Operations and Administration Data Network Operations and Administration Services are the activities associated with the provisioning and day-to-day management of the data network environment. The following table identifies the Data Network Operations and Administration Services roles and responsibilities that Vendor and the County shall perform. Table 4. Data Network Operations and Administration Services Roles and Responsibilities Data Network Operations and Administration Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Network Operations and Administration Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Operations and Administration Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Operations and Administration Services procedures 4. Perform day-to-day Network Operations and Administration Services activities 5. Manage network Assets in accordance with the County s policies, standards and procedures (including security oversight and Change Management policies and procedures) 6. Recommend QoS and Class of Service (CoS) for QoS/CoS sensitive applications including IP based telephony systems 7. Review and approve QoS and Class of Service (CoS) requirements for QoS/CoS sensitive applications and IP based telephony systems 8. Implement and manage QoS and CoS for QoS/CoS-sensitive applications 9. Recommend IP addressing, directory and configuration information and requirements 10. Review and approve IP addressing, directory and configuration information and requirements 11. Develop and maintain IP addressing schemes, router configurations and routing tables that meet County s requirements 12. Manage and maintain DNS/DHCP Services Date TBD Page 9

Data Network Operations and Administration Services Roles and Responsibilities 13. Manage County Third Party contracts for facility cable management (physical wiring between servers and wiring closet and between wiring closet and desktop) Services at specified County sites Vendor 14. Maintain current inventory of cable plant 15. Manage and provide proactive and reactive maintenance on network Assets 16. Manage and respond to Services Requests and provide IMACs for network components and sites 17. Maintain and provide security information in a County-approved format, including access, general logs, application logs in accordance with the County s security policies and procedures 18. Coordinate network administration activities through defined Change Management processes 19. Support provisioning and de-provisioning account activities (e.g., administrative accounts, End User accounts) and maintain associated history logs as required 20. Support activities related to County- or Third Party-planned and unplanned Outages (e.g., post-power outage startup activities, County preparedness emergency exercises or Incidents, recovery) County 2.2.5 Network Monitoring and Reporting Network Monitoring and Reporting are the activities associated with the proactive monitoring and reporting of network performance and management information (e.g., performance metrics, Incidents) for in-scope network components (e.g., routers, switches, and network appliances). The following table identifies the Network Monitoring and Reporting Services roles and responsibilities that Vendor and the County shall perform. Table 5. Network Monitoring and Reporting Services Roles and Responsibilities Network Monitoring and Reporting Services Roles and Responsibilities 1. Recommend Vendor s standard Network Monitoring Services and Incident and Problem Resolution procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual Network Monitoring Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Network Monitoring Services procedures 4. Manage current or provide and manage new automated tools for monitoring network circuits, devices and traffic from a Vendor-provided Network Operations Center (NOC) 5. Implement measures and provide proactive analysis of network data and reports to limit network Outages and optimize the County s bandwidth utilization 6. Proactively monitor current network utilization and provide information to the County for use in determining future capacity requirements Vendor County Date TBD Page 10

Network Monitoring and Reporting Services Roles and Responsibilities 7. Monitor, operate, perform Problem determination, alert, and repair for all network environments on a 24x7x365 basis, including for Service Outage, loss of connection and specific performance indices 8. Monitor LAN ports for all servers and uplinks; LAN ports should be monitored for peak utilization, average utilization, latency, and error levels unless otherwise agreed upon by the County. Vendor should also have the capability to turn on monitoring for individual regular desktop ports for troubleshooting Vendor 9. Perform remote LAN analysis diagnostics and on-site troubleshooting 10. Manage Service Requests and dispatch process as directed by the County 11. Dispatch pre-approved Vendor on-site support personnel and/or Third Parties as appropriate 12. Manage data network performance or Availability issues resulting from a fault or impairment in network circuits or devices 13. Provide reporting (e.g., availability, utilization, latency, capacity) on network components providing connectivity to County Applications 14. Collect data and reports from Third Parties and provide consolidated reporting (e.g., availability, utilization, latency, capacity) on out-ofscope network components (e.g., Third Party circuits, Third Party WAN/LAN network circuits and components, Third Party partner and service provider connections) providing connectivity to County Applications 15. Review and approve network performance reporting 2.2.6 Circuit Support County Circuit Support Services are those activities associated with providing 24x7x365 support of the network to ensure continuous operation. This support includes Problem isolation and determination to the network device port level. The following table identifies the Circuit Support Services roles and responsibilities that Vendor and the County shall perform. Table 6. Circuit Support Services Roles and Responsibilities Circuit Support Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard Circuit Support Services procedures 2. Develop, document and maintain in the Policies, Standards and Procedures Manual those Circuit Support Services procedures that meet County requirements and adhere to County policies 3. Review and provide input and/or additional procedures as required and approve Circuit Support Services procedures 4. Isolate Problems to the port, circuit or device level 5. For circuit Incidents and Problems, contact carrier to determine the cause of the Outage, notify the County, and work on the Incident/Problem with carrier until Resolved Date TBD Page 11

Circuit Support Services Roles and Responsibilities Vendor County 6. Track Incidents and Problems, follow up on status, escalate when required and report status to the appropriate Party including when Incidents/Problems are Resolved 7. Provide any possible Workarounds to help maintain production until a permanent fix can be achieved during network Problems/Outages 8. Provide Third Party SLR reporting in accordance with County requirements 9. Support Disaster Recovery testing per the DR Plan (e.g., conduct failover testing) 10. Conduct Disaster recovery activities required to recover Services per the DR plan 2.2.7 Network Documentation Services Network Documentation Services are those activities associated with continually developing, revising, maintaining, reproducing, and making secure data network infrastructure information securely accessible on an as needed basis. Documentation shall be formally provided to the County in electronic form quarterly and shall be stored and maintained in the integrated IT Service Management suite. Some of the document types specific to this Schedule include: Network system specifications and topologies (e.g., router configurations, firewall policies, routing diagrams/ip addressing tables, hardware/software listings) Detailed circuit location information (e.g., circuit ID including LEC access ID, location, speed) Firewall policies, group and object information As-built documentation for all network devices (including firewalls) that are deployed in development, test, QA, production and other technical environments The following table identifies the Network Documentation Services roles and responsibilities that Vendor and the County shall perform. Table 7. Network Documentation Services Roles and Responsibilities Network Documentation Services Roles and Responsibilities Vendor County 1. Recommend Vendor s standard network documentation types and content 2. Develop and maintain network documentation that meets County requirements 3. Review and approve network documentation 2.2.8 Network Security Services All Network Security Services provided hereunder will be provided in tiered administration in compliance with the County s security policies. 2.2.8.1 Network Security Planning and Operations Services Network Security Planning and Operations Services are those activities associated with maintaining physical and logical security of all Network Management Services components (e.g., hardware, Software) and data, Malware protection, access protection and other Data Network Security Services in compliance with County security requirements and all applicable Date TBD Page 12

regulatory requirements. The following table identifies the Data Network Security Services roles and responsibilities that Vendor and the County shall perform. Table 8. Network Security Services Roles and Responsibilities Network Security Services Roles and Responsibilities Vendor County General 1. Implement physical and logical security plans consistent with County security policies and develop and provide documentation demonstrating adherence to the plans, processes and procedures 2. Maintain a secure network environment, including compliance with County policies 3. Perform information security compliance, auditing, and reporting per County defined requirements 4. Design, implement and maintain Vendor security services and technical solutions that protect data, logically and physically, in storage and during wired and wireless transmission against unauthorized or accidental access or modification or disclosures (e.g., encryption, network segmentation, monitoring tools) 5. Review and approve Vendor security solutions 6. Develop, document and maintain in the Policies, Standards and Procedures Security Services standards and procedures that meet County requirements, regulatory requirements, and adhere to County policies 7. Review and provide input and/or additional procedures as required and approve Network Security Services standards and procedures and provide additional procedures as required 8. Execute security policies and provide and operate security monitoring tools including documentation demonstrating consistent adherence to the process 9. Provide, implement and manage security analysis and monitoring tools into the County s network environment 10. Provide tiered and role-based access to Vendor s security analyses and monitoring tools 11. Review and approve security analysis and monitoring tools Security Policy and Controls 12. Provide County security strategy, policies and requirements 13. Recommend Vendor standard/best practice security policies, services and procedures 14. Ensure compliance with patch management and Change Management policy 15. Proactively monitor current IT security trends, threats, exploits and security best practices and notify the County of same 16. Provide a County security liaison that works with Vendor for security requirements related to the scope of this Schedule 17. Implement a Network Security Incident Response Team (NSIRT) program to resolve security incidents Date TBD Page 13

Network Security Services Roles and Responsibilities Vendor County 18. Participate in Computer Incident Response Team (CIRT) as required by the County or Third Parties 19. Review and approve all security plans, security remediation plans, programs, and security infrastructure Physical Security Control 20. Develop and maintain network environment access control list and provide reporting on which individuals have accessed locations and resources 21. Review and approve network environment access control list 22. Conduct a quarterly review of the list of authorized people to computing areas 23. Adhere to established access control policies and procedures System Administrative Privileges 24. Establish access profiles and policies for adding, changing, enabling/disabling and deleting log-on access for County and Third Parties 25. Investigate attacks (e.g., attempts to logon) 26. Provide logs of network security events containing data to support comprehensive audits of the effectiveness of, and compliance with security measures in accordance with County policies (e.g., audit trail) Security Integrity Advisory 27. Provide security advisory information to the County in a mutually agreed upon manner 28. Evaluate security advisories, assign a risk value and communicate recommended action plan to the County Security Status Checking and Validation 29. Provide a security assessment audit focal point for audits 30. Provide support for audit activities, public requests for information (PRIs) per the Public Information Act, e-discovery, legal hold, and forensic audits as required by the County (e.g., data collection, audit tool installation, report generation) 31. Develop plans to remediate audit findings that do not comply with the established County security policies and standards 32. Review and approve audit findings and remediation plans 33. Implement remediation plans and report on progress of associated implementation 34. Support audit activities by providing a security assessment audit coordinator 35. Maintain all documentation required for security assessments, audits and internal control and control testing 36. Perform semi-annual security assessments, or ad hoc assessments as required, to identify control or security gaps and provide trending problem reports to the County, and recommend remediation plan(s) 37. Conduct security planning and review sessions to review results of security assessments and Vendor remediation plans Date TBD Page 14

Network Security Services Roles and Responsibilities Vendor County 38. Review and approve remediation plans 39. Implement County-approved remediation plans Malware Prevention 40. Review and approve Malware Prevention policies and services 41. Adhere to County-approved Malware Prevention policies and services 42. Monitor supplier information and manage up-to-date information on malicious code outbreaks and deploy the appropriate signature files to protect against the malicious code in accordance with established County Change Management procedures 43. Deploy anti-malware updates and patches following a Malware Incident per the County Change Management procedures 44. Immediately notify the County on detection of malicious code within the infrastructure 45. Implement the established action plan (e.g., quarantine of malicious code or network segment) and escalation procedures for a malicious code events beyond what is automatically fixed by the anti-malware software 46. Filter outbound URLs to enforce compliance with County Internet Acceptable usage policies by checking URLs against lists of known "inappropriate" sites 47. Filter both inbound/outbound multiple Web protocols, including deep inspection of encrypted traffic 48. Filter inbound URLs real-time threat protection, block access to sites harboring harmful code, Malware - spyware, phishing, virus, worms and Trojan horse software. Provide for continuous scanning, eradication and reporting of detected harmful code as listed and Incident Resolution 49. Scan user-generated content on all key web protocols and protect against confidential information leaking from the organization 50. Provide seamless user/ip integration to County multi-agency for authentication, tracking, reporting 51. Integrate fully with End users browsers(e.g., MS I/E, foxfire, chrome) with IP and user identification tracking, reporting 52. Provide reporting/audit down to user activity as required by County Polices 53. Provide for Agency tiered management 54. Manage user/groups URL filters and reporting as required Content Filtering E-mail and SPAM Filtering 55. Recommend E-mail Gateway and inbound and outbound Filtering policies, services and procedures 56. Review and approve E-mail Gateway and SPAM filtering policies, services and procedures 57. Manage email gateway SPAM filters and process quarantined items (e.g., zip files, encrypted files) to ensure that County email services are not adversely affected by either inbound threats or outbound e-mail broadcast violations Date TBD Page 15

Network Security Services Roles and Responsibilities Vendor County 58. Notify the County and provide remediation of any blacklist events, in accordance with County policies and procedures 59. Identify and block incoming spam while protecting against other threats (e.g., viruses, malware, phishing, directory harvest, denial of service, bounceback attacks, zero-hour threats, and spam surges) 60. Provide seamless user/ip integration to County multi-agency for authentication, tracking, reporting 61. Ensure that only the intended recipient of sensitive email content is able to read that content and regulatory compliance using integrated, policy-based encryption 62. Provide flexible policy creation and enforcement, and logging and reporting 63. Provide predictive security against new and emerging email threats and Notify County Agencies 64. Detect and enforce County policies for inappropriate images in both inbound and outbound messages 65. Identify and block/quarantine false non-delivery notices forged by viruses and spammers 66. Manage process for misidentified legitimate messages as spam (false positives) and allowing legitimate email traffic to flow in. 67. Provide spam-domain name reputation, IP reputation, sender authentication, greylisting, image filtering, integrity analysis, heuristic detection, blacklists, and whitelists 68. Approve requests for new County-owned URL DNS and email address formats 2.2.8.2 Firewall Management, DMZ and Internet Infrastructure Services Firewall Management, DMZ and Internet Infrastructure Services are those activities associated with Managing and supporting all of County s firewalls, DMZ infrastructures, Internet connections and Third Party connections. Vendor shall provide these Services including firewall engineering and management, access control list engineering and management in compliance with the County s policies. Vendor will maintain and operate the firewall/dmz/internet infrastructure in such a way that Services are secure and reliable and perform according to requirements and SLRs. Vendor will also make recommendations on design Changes to improve Services as well as implementing the Change per established Change Management procedures. Vendor will act as an agency to contact ISPs and/or other Third Parties to setup connectivity and/or troubleshoot connections and other support questions. The following table identifies the Firewall Management, DMZ and Internet Infrastructure Services roles and responsibilities that Vendor and County shall perform. Table 9. Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities 1. Recommend Vendor standard Firewall Management, DMZ and Internet Infrastructure Services, procedures and best practices Vendor County Date TBD Page 16

Firewall Management, DMZ and Internet Infrastructure Services Roles and Responsibilities 2. Provide Firewall Management, DMZ and Internet Infrastructure requirements and policies (including segregation requirements and policies) 3. Develop, document and maintain in the Policies, Standards and Procedures Manual Firewall Management, DMZ and Internet Infrastructure Services procedures that meet requirements and adhere to defined policies Vendor County 4. Review and provide input and/or additional procedures as required and approve Firewall Management, DMZ and Internet Infrastructure Services procedures 5. Provide Services in accordance with County policies 6. Perform Firewall Management, DMZ and Internet Infrastructure engineering and related security design including methods for secure network access and authentication 7. Review and approve Firewall Management, DMZ and Internet Infrastructure architecture and security designs 8. Perform Firewall Management, DMZ and Internet Infrastructure Services in accordance with architecture and security designs a County policies 9. Implement defined access requirements and standards via firewall rule sets 10. Ensure compliance to defined security and configuration standards including Internet content filtering 11. Define intranet/internet boundaries within the County 12. Assist with the definition of intranet/internet boundaries within the County 13. Maintain intranet/internet boundaries within County 14. Define Third Party connectivity strategy 15. Assist with the definition of Third Party connectivity strategy 16. Review and approve Third Party connectivity strategy 17. Implement and support County-approved Third Party connectivity strategy 18. Support and manage content compression devices, load balancing devices, and SSL acceleration 19. Monitor performance levels of the firewall/dmz/internet infrastructure through setting of thresholds, provide reporting, and take proactive and/or reactive steps to Resolve any performance issues 20. Provide proxy and content filter services based on approved policies 21. Provide County and user-specific internet usage reports 2.2.8.3 Security Intrusion Prevention and Detection Services Security Intrusion Prevention and Detection Services are those activities associated with managing and supporting the IPS/IDS infrastructure and providing quick follow up on security Date TBD Page 17

events. For the interim environment, it is anticipated that Vendor would assume responsibility for the existing IBM appliance and IPS/IDS services. Vendor shall communicate any new security vulnerabilities, provide recommendations to remediate these vulnerabilities and implement County-approved recommendations. Vendor shall provide NIDS (network-based intrusion detection service). Vendor shall restore offline security event data as follows: up to 30 days of consecutive event data restored within two (2) Business Days; up to six (6) months of consecutive event data within five Business Days; and for more than six (6) months of event data each request will be individually evaluated by Vendor and an estimated time to restore will be provided. Such data must be restorable for at least 365 contiguous days. The following table identifies the Security Intrusion Prevention and Detection Services roles and responsibilities that Vendor and the County shall perform. Table 10. Security Intrusion Prevention and Detection Services Roles and Responsibilities Security Intrusion Prevention and Detection Services Roles and Responsibilities 1. Recommend industry best practice Intrusion Prevention and Detection Services policies 2. Develop, document and maintain in the Policies, Standards and Procedures Manual the Intrusion Prevention and Detection Services procedures that meet requirements and adhere to County-defined policies 3. Review and provide input and/or additional procedures as required and approve Intrusion Prevention and Detection Services procedures 4. Provide Security Intrusion Prevention and Detection Services and reporting in accordance with established policies and procedures 5. Provide, install, configure, and manage intrusion detection/prevention sensors at specific network entry points and all Third Party connection and wireless network entry points 6. Recommend risk ratings and remediation actions for security events in accordance with County policies and procedures Vendor 7. Review and approve the risk ratings and remediation actions 8. Provide daily and monthly reports indicating number of detected intrusions. Reports should include the top 10 exploits (and their sources) and top 10 devices registering detected intrusion 9. Coordinate with independent Third Party security provider(s) to capture and provide reports and analysis (e.g., trending) of security events within the local network, as required 10. Provide capability for the County to run ad-hoc intrusion detection reports via Vendor-provided portal/integrated ITSM suite 11. Notify the County of malicious activity and intrusions in accordance with County-defined policies 12. Provide alerts of malicious activity and intrusions according to risk rating of the signatures, in accordance with County-approved policies and procedures 13. Respond to and remediate the effects of malicious activity and intrusions as defined in the Incident Management process, as required to meet County policies and requirements 14. Continually develop recommendations for improved security County Date TBD Page 18

Security Intrusion Prevention and Detection Services Roles and Responsibilities 15. Provide recommendations for improved security on a quarterly basis or as required based on new security threats Vendor 16. Review and approve recommendations for improved security 17. Implement approved recommendations 18. Notify Vendor s security monitoring centers of scheduled Changes to the environment to ensure that the County does not receive security alerts when planned Changes are made 2.2.8.4 Security Monitoring and Incident Management Services County Security Monitoring and Incident Management Services are those activities associated with security monitoring, Incident response and escalation, including ensuring that all necessary traffic and activities are logged in accordance with County policies. The following table identifies the Security Monitoring and Incident Management Services roles and responsibilities that Vendor and the County shall perform. Table 11. Security Monitoring and Incident Management Services Roles and Responsibilities Security Monitoring and Incident Management Services Roles and Responsibilities 1. Recommend industry best practice Security Monitoring and Incident Management Services policies Vendor 2. Establish Security Monitoring and Incident Management Services policies 3. Provide Security Monitoring and Incident Management Services in accordance with established policies 4. Provide initial review of security Incidents and escalate to the County s security function, in accordance with the County s policies and procedures 5. Identify, quarantine and/or remove from the network any malicious code (e.g., virus/worm infected system and/or rogue device) 6. Identify and provide countermeasures for attacks (e.g., hacker, malicious code, virus/worm, trojan) 7. Collect,review and analyze all Incidents reported by all other security Services (e.g., NIDS, penetration testing, firewall) 8. Maintain log files in accordance with County policies 9. Provide security Incident reporting on security violations per County policies 10. Resolve security violations internal to the County 11. Resolve security violations internal to Vendor 12. Review all security patches relevant to the IT environment and classify the requirements, risk and speed in which the security patches should be installed in accordance with County security policies 13. Install security patches per the County s Change Management process and procedures including acquiring required County approval 14. Monitor security Incidents and ensure that identified viruses and Malware are quarantined to prevent propagation throughout the County County Date TBD Page 19

Security Monitoring and Incident Management Services Roles and Responsibilities Vendor 15. Resolve security violations internal to the County 16. Resolve security violations internal to Vendor 17. Monitor security Incidents and coordinate with agencies to ensure that identified viruses and Malware are quarantined to prevent propagation throughout the County 22. Notify the County and provide remediation of any blacklist events, in accordance with County policies and procedures 18. Provide the County with defined technical expertise, security credentials and all other support required for security audits 3.0 Service Environment 3.1 Scope of Infrastructure to be Supported County The following sub-sections and related service environment appendices further describe and scope the current and future data network environment to be supported and/or with which Vendor shall comply. These service environment appendices are to be continually maintained by Vendor, as new Vendor services and environment components are added and as removed, reviewed with the County, and updated by Vendor and made available to the County on a quarterly basis. 3.1.1 Hardware and Software Appendix 2C.1 Data Network Hardware and Appendix 2C.2 Data Network Software - A listing and description of all supported network hardware and software 3.1.2 Network Circuits Appendix 2C.3 and Appendix 2F.3 - Voice and Data Circuits - A listing and description of all supported network circuits and VPN connections 3.1.3 Network Topology Appendix 2C1.4 - Network Topology - A diagram providing the County s network topology 3.2 Baseline Information The County s current Baselines are provided in Appendix 3.1 to Schedule 3 - Fees. These business requirements represent the County s most realistic projection of the Service requirements for Day 1 implementation based on a combination of past trends and current anticipated overall business direction over the term of the Agreement. These metrics, along with other data which may be pertinent for sizing the solution, are reflected in Schedule 3 Fees. 4.0 Service Level Requirements Date TBD Page 20

4.1 Objectives COUNTY OF ORANGE, CA A key objective of this outsourcing agreement is to attain SLRs. SLRs associated with Data Network Management Services are detailed in the following section. The following service levels are required at the end of the transition period. Data Network Management Services SLRs associated with Fee Reductions are detailed in Schedule 4 - Fee Reductions. All times referenced in this section are Pacific Time. SLR performance shall be calculated based on measurements taken over the indicated Measurement Interval and reported to the County based on the Reporting Period. SLR Fee Reductions for SLRs with multiple Measurement Intervals within the Reporting Period shall be calculated as defined in Schedule 4 Fee Reductions. Vendor shall provide written reports to County regarding Vendor s compliance with the SLRs specified in this SOW. 4.2 Service Level Requirements Table 12. Network Availability SLRs DEFINITION Network Availability is defined as the time during which connectivity is fully functioning and normal business operations can be carried out with no data loss, downtime, or performance degradation. See Appendix C1.3 - Data Network Circuits and VPN connections for County Sites requiring Data Network Management Services All pre-scheduled maintenance shall be performed on the first and third Sunday of each month beginning at 0500 and ending at 1200 Network Availability SLRs SLR Service Measure Performance Target WAN Availability Availability 24 x7x365 Excluding Maintenance Window Remote Access Availability Internet Access and Associated Infrastructure Availability Availability 24x7x365 Excluding Maintenance Window Availability 24 x7 x 365 Excluding Maintenance Window LAN Availability Availability 24 x7 x 365 Excluding Maintenance Window SLR Performance % 99.99% 99.99% 99.99% 99.9% Date TBD Page 21

Network Availability SLRs SLR Service Measure Performance Target SLR Performance % Formula Availability (%) = 100% - Unavailability (%) Where Unavailability is defined as: Measurement Interval Reporting Period Measurement Tool [(Σ Outage Duration) (Scheduled Time)]% Scheduled Time = (Total possible time in Measurement Interval Maintenance Window time) Monitor continuously, measure monthly Monthly TBD Table 13. Backbone Network Performance SLRs DEFINITION Backbone Network Performance includes the ability of the network components to deliver data timely and accurately. Measured packet size is 128 bytes. Network Performance SLRs shall be measured and calculated and reported based on measurements taken during County defined peak business hours and shall be taken over a 24 hour period. Backbone Network Performance SLRs SLR Service Measure Performance Target Network Transit Delay Packet Delivery Ratio Elapsed Time round trip transit delay from ingress and egress ports on premise devises Successful packet transmission SLR Performance % 5 ms 99.99% 99.9% (data loss 0.1%) 99.95% Formula Transit Delay NTD = t 2 t 1 Where: t 1 is the time when a packet leaves the ingress premise, and t 2 is the time when the packet arrives at the egress premise Formula Packet Delivery Measurement Interval Reporting Period Measurement Tool Packet Delivery Ratio = 1 - PDR Where: Packet Delivery Ratio = Packets delivered/ packets sent. Monitor every 5 minutes, measure monthly Monthly TBD Date TBD Page 22

Table 14. Network Administration Services SLRs Network Capacity Monitoring Network Administration Services SLRs SLR Service Measure Performance Target Implementation of Non- Emergency Changes (e.g., IMACs, routers, switches) Implementation of Emergency Changes (e.g., changing, adding/deleting firewall rules) Proactive continuous monitoring of each circuit and supporting network components and proactive notification to advise the County of need to increase capacity per County requirements Elapsed time to successfully complete from County authorized request Elapsed time to successfully complete from County authorized request Formula Measurement Interval Reporting Period Measurement Tool Report to County within 2 Business Hours if during County defined Business Hours, sustained 95 th percentile avg. utilization reaches 75% of circuit provisioned capacity (in and out of in scope components) Per County-defined Change Management policies 2 hours after County approval or per approved County schedule/requirements SLR Performance % 98% 95.00% 99% Events completed within performance target / total events Monthly Monthly TBD Table 15. Content Filtering of Email SLRs Gateway Content Filtering of Email SLRs SLR Service Measure Performance Target Prevention of SPAM and other Malware Events Prevented All SPAM and Malware events prevented from entering the County s Email system SLR Performance % 99.9% Date TBD Page 23

Gateway Content Filtering of Email SLRs SLR Service Measure Performance Target Formula Measurement Interval Reporting Period Measurement Tool SLR Performance % Events prevented / total number of events occurring during the Measurement Interval Monitor continuously, measure monthly Monthly TBD Table 16. Security Intrusion Detection SLRs Security Intrusion Detection SLRs SLR Service Measure Performance Target NIDS Monitor for current attack signatures, retained for 90 Days then archive for 365 days NIDS Review all positive Priority Level 1 and Priority Level 2 alerts and notify the County viacountydefined escalation procedures SLR Performance % Overall schedule 24 x7 x 365 100% Elapsed time <15 minutes 99.9% Formula Events completed within performance target / total number of events occurring during the Measurement Interval Measurement Interval Reporting Period Measurement Tool Monitor continuously, measure monthly Monthly TBD 5.0 Reports Vendor shall provide written reports to the County regarding Vendor s compliance with the SLRs in addition to the reports specified in this section. Reports are required per the following: Table 17. Data Network Services Reports Report Description TBD with selected vendor Timing Date TBD Page 24

Report Description Timing Date TBD Page 25

6.0 Referenced Appendices, Schedules and Attachments Appendices/Schedules/ Attachments Appendix 2C1.1 Appendix 2C1.2 Appendix 2C1.3 Appendix 2C1.4 Attachment A Schedule 2A Schedule 3 Schedule 4 Description Data Network Hardware Data Network Software Network Circuits and VPN connections Network Topology Definitions ITSM and Lifecycle Services SOW Fees Fee Reductions Date TBD Page 26