AGREEMENT

THIS AGREEMENT (“Agreement”) is made and entered into this day of December 2018 (“Effective Date”), by and between the COUNTY OF FRESNO, a Political Subdivision of the State of California ("COUNTY"), and BeyondTrust Software, Inc., a California corporation, whose address is 5090 N. 40th Street, Suite 400, Phoenix, AZ. 85018 ("CONTRACTOR").

WITNESSETH:

WHEREAS, COUNTY is in need of a Privileged Access Management (PAM) software system that includes session management and recording, password vaulting, automation, and multi-factor authentication; and

WHEREAS, CONTRACTOR is willing and able to fulfill that need pursuant to the terms and conditions of this Agreement; and

WHEREAS, COUNTY is able to obtain preferential pricing through the Request for Proposal (RFP #8367) issued by Sacramento County on April 16, 2016 for a Privileged Access Management Solution, which was competitively bid and awarded to BeyondTrust Software, Inc.

NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows:

1. DOCUMENTS CONSTITUTING AGREEMENT

A. This Agreement includes:
1) Sacramento County’s RFP No. 8367 for a Privileged Access Management (PAM) Solution, attached as Attachment 1 and incorporated by this reference;
2) The proposal submitted by BeyondTrust Software, Inc., accepted and awarded by Sacramento County attached as Attachment 2 (the “Proposal”) and incorporated by this reference.
All capitalized terms contained in this Agreement and not specifically defined herein, shall be defined in the Proposal (Attachment 2);
3) BeyondTrust Software, Inc.’s quote to COUNTY dated November 10, 2018, attached as Attachment 3 and incorporated by this reference, which sets forth CONTRACTOR’s pricing for products and services to be provided under this Agreement;
4) CONTRACTOR’s Password Safe Implementation Package, attached as Attachment 4 and incorporated by this reference; and
5) CONTRACTOR’s Unix and Linux Implementation Package, attached as Attachment 5 and incorporated by this reference.

Agreement No. 18-712

2. DEFINITIONS

The following terms used throughout this Agreement shall be defined as follows:

Acceptance Test: The Process of testing a specific function or functions to determine if the operation or operations are stated in this Agreement.

Change Control Process: Process used by the Information Technology Services Division of COUNTY’s Internal Services Department (ISD) to inform staff of new or updated production use systems.

COUNTY System Hardware: The central processing units owned or leased by COUNTY that are described in this Agreement on which COUNTY is licensed to use the System Software, any back-up equipment for such central processing units, and any peripheral hardware such as terminals, printers, and Personal Computers as described in this Agreement.

COUNTY System Software: The operating system and database software installed on the COUNTY System Hardware.

Final System Acceptance: When it is determined by COUNTY that all necessary deliverables have been delivered, the data has been converted, the software has been successfully installed and tested, and the software performs all functions in accordance with its specifications.

First Production Use: Date of first use of the System in a production environment.
License: The meaning assigned to the term “License” as defined in Section III-A of this Agreement and the rights and obligations which it creates under the laws of the United States of America and the State of California including without limitation, copyright and intellectual property law.

Monies: The terms "Monies", "Charges", "Price", and "Fees" will be considered to be equivalent.

Public Records: Public Records includes any writing containing information relating to the conduct of the public's business that is prepared, owned, used, or retained by any state or local agency, regardless of physical form or characteristics.

Supplier: The terms "Supplier", "Vendor", and “BeyondTrust Software” all refer to CONTRACTOR and are considered to be equivalent throughout this Agreement.

System: The System Software and System Documentation, collectively. Reference to the "System" shall include any component thereof. All modifications and enhancements to the System shall be deemed to be part of the System as defined herein and shall be subject to all terms and conditions set forth herein.

System Documentation: The documentation relating to the System Software, and all manuals, reports, brochures, sample runs, specifications and other materials comprising such documentation provided by CONTRACTOR in connection with the System Software pursuant to this Agreement.

System Operation: The general operation of COUNTY's hardware and all software including, but not limited to, system restarts, configuration and operation of system peripherals (such as printers, modems, and terminals), installation of new software releases, and other related activities.

System Installation: All software has been delivered, has been physically loaded on a Computer, and COUNTY has successfully executed program sessions.
System Software: That certain computer software described in this Agreement provided by CONTRACTOR, and all interfaces, coding, tapes, disks, modules and similar materials comprising such software or on which it is stored. System Software does not include operating system software, or any other Third-Party Software.

User: The terms “User,” “Customer,” “Client,” and "Licensee" all refer to COUNTY and shall be equivalent throughout this Agreement.

3. OBLIGATIONS OF THE CONTRACTOR

A. SOFTWARE LICENSE

1) GRANT OF LICENSE
CONTRACTOR grants to COUNTY and COUNTY accepts a non-exclusive, non-transferable, non-assignable, perpetual license to use the following PowerBroker with BeyondInsight Product Licenses per asset: Password Safe, Windows, Servers Windows Edition, and Server Essentials for Unix/Linux subject to the terms and conditions set forth in this Agreement (“License”).

2) SCOPE OF LICENSE
The License granted herein shall consist solely of the non-exclusive, non-transferable, non-assignable right of COUNTY to operate the System Software in support of various COUNTY departments, including COUNTY’s ISD, provided that the County of Fresno, as signatory hereto, accepts liability for compliance with the terms and conditions of the Agreement.

3) OWNERSHIP
The parties acknowledge and agree that, as between CONTRACTOR and COUNTY, title and full ownership of all rights in and to the System Software, System Documentation, and all other materials provided to COUNTY by CONTRACTOR under the terms of this Agreement shall remain with CONTRACTOR. COUNTY will take reasonable steps to protect trade secrets of the System Software and System Documentation. Ownership of all copies is retained by CONTRACTOR.
COUNTY may not disclose or make available to third parties the System Software or System Documentation or any portion thereof. CONTRACTOR shall own all right, title and interest in and to all corrections, modifications, enhancements, programs, and work product conceived, created or developed, alone or with COUNTY or others, as a result of or related to the performance of this Agreement, including all proprietary rights therein and based thereon. Except and to the extent expressly provided herein, CONTRACTOR does not grant to COUNTY any right or license, express or implied, in or to the System Software and System Documentation or any of the foregoing. The parties acknowledge and agree that, as between CONTRACTOR and COUNTY, full ownership of all rights in and to all COUNTY data, whether in magnetic or paper form, including without limitation printed output from the System, are the exclusive property of COUNTY.

4) POSSESSION, USE AND UPDATE OF SOFTWARE
COUNTY agrees that only COUNTY will use the System Software for its own internal purposes. CONTRACTOR may, at reasonable times, inspect COUNTY’s premises and equipment to verify that all of the terms and conditions of this License are being observed. If COUNTY is found to have used or deployed the System Software in excess of the licenses purchased hereunder, COUNTY must pay the license fee and maintenance and support fee for such overage as of the date of first use. CONTRACTOR may create, from time to time, updated versions of the System Software and System Documentation and CONTRACTOR shall, so long as County is on a current maintenance and support plan, make such system updates available to COUNTY when and if such system updates become generally available. All System Updates shall be licensed under the terms of this Agreement.
COUNTY agrees to follow the prescribed instructions for updating the System Software and System Documentation provided to COUNTY by CONTRACTOR. COUNTY must authorize all System Updates in writing.

5) TRANSFER OF SOFTWARE
COUNTY shall not rent, lease, license, distribute, sell, transfer, or assign this license, the System Software, or the System Documentation, or any of the information contained therein other than COUNTY data, to any other person or entity, whether on a permanent or temporary basis, and any attempt to do so will constitute a breach of this Agreement. No right or license is granted under this Agreement for the use or other utilization of the licensed programs, directly or indirectly, for the benefit of any other person or entity, except as provided in this Agreement.

6) RESTRICTION ON USE
COUNTY shall not
(i) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the System Software or the System Documentation in any way;
(ii) modify or make derivative works based upon the System Software or the System Documentation;
(iii) create Internet “links” to the System Software or “frame” or “mirror” any System Documentation on any other server or wireless or Internet-based device;
(iv) send spam or otherwise duplicative or unsolicited messages in violation of applicable law;
(v) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violative of third party privacy rights;
(vi) send or store material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs;
(vii) interfere with or disrupt the integrity or performance of the System Software or the data contained therein, including but not limited to COUNTY Data;
(viii) attempt to gain unauthorized access to
the System Software or its related systems or networks or source code;
(ix) reverse engineer or access the System Software in order to (a) build a competitive product or service, (b) build a product using similar ideas, features, functions or graphics of the System Software, or (c) copy any ideas, features, functions or graphics of the System Software.

7) INTELLECTUAL PROPERTY, TRADEMARK AND COPYRIGHT
CONTRACTOR retains ownership of the System Software, any portions of copies thereof, and all rights therein. CONTRACTOR reserves all rights not expressly granted to COUNTY. This License does not grant COUNTY any rights in connection with any trademarks or service marks of CONTRACTOR, its suppliers or licensors. All right, title, interest and copyrights in and to the System Software and the accompanying System Software Documentation and any copies of the System Software are owned by CONTRACTOR, its suppliers or licensors. All title and intellectual property rights in and to the content which may be accessed through use of the System Software are the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws and treaties. This License grants COUNTY no rights to use such content.

B. SERVICES TO BE PROVIDED BY CONTRACTOR TO COUNTY

1) SYSTEM INSTALLATION
CONTRACTOR shall supply and install software in accordance with this Agreement and the Attachments attached with respect to the fifteen (15) day implementation professional services costs for Password Safe, Windows Desktop, and Server Essential for Unix/Linux. Such software installation shall include hardware/network review and recommendations, consultation, software installation and remote technical support.

2) TRAINING
CONTRACTOR will conduct “train-the-trainer” training of COUNTY staff at a COUNTY designated location and at a time approved in writing by COUNTY.
3) DOCUMENTATION
CONTRACTOR shall provide to COUNTY software system Documentation, which shall consist of electronic media files. The electronic media files must be printable using PC software normally available at COUNTY. CONTRACTOR shall provide new System Documentation corresponding to all new Software Upgrades. COUNTY may print additional copies of all documentation. All System Documentation is to be used by COUNTY only for the purpose identified within this Agreement.

C. SYSTEM MAINTENANCE AND SUPPORT BY CONTRACTOR

System maintenance and support includes System Updates as they are generally released by CONTRACTOR, including updates as required as a result of regulatory changes, as applicable. CONTRACTOR will support day-to-day operation of the System as follows:

1) SUPPORT HOURS/SCOPE
Provide unlimited technical assistance by phone during normal coverage hours (7:30 a.m. to 5:00 p.m. Pacific Standard Time (PST), Monday through Friday, except CONTRACTOR and COUNTY holidays), toll-free telephone assistance to keep the System in, or restored to, normal operating condition. The object of this support will be to answer specific questions related to the System Software and the application thereof. Support provided under this Agreement does not include training of new personnel (after initial staff is trained), operation of hardware, or solving other hardware/software problems unrelated to the System Software.

2) SUPPORT RESPONSE
During the term of this Agreement, CONTRACTOR will (a) correct any error or malfunctions in the System as supplied by CONTRACTOR which prevents it from operating in conformance with the specifications set forth in this Agreement or (b) provide a commercially reasonable alternative that will conform to the specifications set forth in this Agreement.
If analysis by CONTRACTOR indicates a reported problem is caused by a reproducible error or malfunction in the then-current release of the System Software as supplied and maintained by CONTRACTOR that significantly impacts effective use of the System by COUNTY, CONTRACTOR will, if the System is inoperable, as reported by COUNTY, provide continuous effort to correct the error or to resolve the problem by providing a circumvention. In such cases, CONTRACTOR will provide COUNTY with corrective information, such as corrective documentation and/or program code. CONTRACTOR will endeavor to respond to COUNTY's service request no later than four (4) business hours from the time a call has been received by CONTRACTOR. In the event that a person with the necessary expertise is not available when the call is received, CONTRACTOR will endeavor to respond to the service request no later than within one (1) business day.

3) REMOTE VIRTUAL PRIVATE NETWORK (VPN) OR EQUIVALENT DIAGNOSTICS
CONTRACTOR shall provide remote VPN diagnostics or equivalent diagnostics support, which includes:
a. Diagnostic or corrective actions necessary to restore proper software operation;
b. Diagnostic actions which attempt to identify the cause of System problem;
c. Correction of data file problem; and
d. Software System modifications.
e. CONTRACTOR product specialists will provide diagnostics on software system via VPN or an equivalent COUNTY provided method. COUNTY will provide any required hardware and equipment necessary at COUNTY for CONTRACTOR VPN or equivalent support.

4) ERROR CORRECTION PROCESS
If during the term of this Agreement COUNTY determines that software error(s) exist, COUNTY will first follow the error procedures specified in the System Documentation.
If following the error procedures does not correct the software error, COUNTY shall immediately notify CONTRACTOR, setting forth the defects noted with specificity. Upon notification of a reported software error, CONTRACTOR shall provide a solution as soon as practicable. If CONTRACTOR determines that a solution shall require more than five (5) days to resolve, CONTRACTOR shall notify COUNTY immediately with a time estimate for completion. Upon completion of the solution, COUNTY shall retest the System Software and report any other software errors.

5) TECHNICAL INFORMATION
CONTRACTOR will provide technical information to COUNTY from time to time. Such information may cover areas such as software usage, third party software, and other matters considered relevant to COUNTY by CONTRACTOR. Technical information will be provided at the discretion of CONTRACTOR but will not be unreasonably withheld.

D. ADDITIONAL SYSTEM MAINTENANCE SERVICES BY CONTRACTOR

CONTRACTOR may provide additional maintenance services (“Additional Maintenance and Support Services” or “Additional Maintenance Services”) at an additional charge. Charges will be at current prices in effect at the time goods or services are provided. Any Additional Maintenance and Support Services requested by COUNTY and determined by CONTRACTOR to be billable by CONTRACTOR must be identified as a chargeable service prior to the service being performed and must be approved in writing in advance by COUNTY’s Contract Administrator. Additional Maintenance Services include, but are not limited to, the following:

1) ADDITIONAL TRAINING
A specific amount of training is specified in this Agreement. Additional training at a County facility is available upon request by COUNTY for an additional charge under the terms of this Agreement. Requests for additional training must be requested in writing in advance by COUNTY’s Contract Administrator.
2) DATA AND SYSTEM CORRECTIONS
Data and System Corrections include any corrective actions accomplished by CONTRACTOR on-site or via VPN which are necessary due to COUNTY errors or unauthorized source code or data access by COUNTY. Unauthorized access to the data is defined as any COUNTY editing of data through other than normal system usage as defined in System Documentation. Unauthorized access to source code is defined as any COUNTY access whatsoever to system source code. Services provided by CONTRACTOR are not billable when they result from errors caused by ITMC or instruction provided by CONTRACTOR.

3) CUSTOMER SITE VISITS
Additional CONTRACTOR site visits within the scope of the project services to COUNTY sites, as may be requested in writing by COUNTY, are available at CONTRACTOR’S standard and costs for reasons such as, but not limited to, (1) additional system training on hardware or software usage; (2) resolution of system difficulties not resulting from actions by, or otherwise the responsibility of CONTRACTOR (as determined by mutual agreement between CONTRACTOR and COUNTY); (3) installation of Software Releases; and (4) assistance in equipment maintenance, movement or diagnosis. CONTRACTOR site visits outside of the scope of project services will be reviewed by the CONTRACTOR and must be requested in writing in advance by COUNTY’s Contract Administrator.

4) CUSTOM PROGRAMMING
Requests for supplemental programming or customization of system features not covered under this Agreement are available to COUNTY. Such requests will be reviewed by CONTRACTOR and must be requested in writing in advance by the COUNTY’s Contract Administrator.

E.
CONTRACTOR PROJECT COORDINATOR

Upon execution of the Agreement, CONTRACTOR shall appoint a Project Coordinator who will act as the primary contact person to interface with COUNTY for implementation, maintenance and support of the software system.

F. SYSTEM UPDATES AND NEW PRODUCTS

1) SYSTEM UPDATES
From time to time CONTRACTOR will develop and provide System Updates to COUNTY for the COUNTY’s licensed CONTRACTOR software. System Updates shall be subject to the terms and conditions of this Agreement and shall be deemed licensed System Software hereunder and will be made available to COUNTY at no additional charge to COUNTY so long as COUNTY remains on a current maintenance plan. System Updates will be made available to COUNTY at the discretion of CONTRACTOR but will not be unreasonably withheld.

2) NEW PRODUCTS
CONTRACTOR may from time to time release new software with capabilities substantially different from or greater than the System Software ("New Products") and that therefore do not constitute System Updates. These New Products will be made available to COUNTY at a cost to be agreed to in writing in an Order for such New Products.

G. GENERATING/OPERATING SYSTEM UPDATES

The System Software must run on a client operating system that is consistently and currently supported by the operating system vendor and any required third-party software within thirty (30) days of release. The System Software is expected to always be current in regards to the required client O/S. No outdated or unsupported client O/S will be implemented on the production network. The County will apply patches to both the client O/S and security subsystems on COUNTY PCs as releases are available from O/S vendors.

In order to support a secure environment, the System Software must run on the latest supported release of any required third-party software, such as JAVA, Flash, etc.
COUNTY will notify CONTRACTOR when a critical security patch is released for such products. In such event, CONTRACTOR will have thirty (30) days to ensure the System Software can perform in the updated environment. CONTRACTOR is expected to keep its software current in order to operate in this environment. These patches include critical O/S updates and security patches.

H. ANTI-VIRUS MANAGEMENT

COUNTY will actively run anti-virus management, where appropriate, on all application servers and PCs. The application is expected to perform adequately while anti-virus management is active.

I. ADHERE TO CHANGE CONTROL PROCESS

CONTRACTOR must adhere to COUNTY’s Change Control Process, which shall be provided to CONTRACTOR in writing. COUNTY employs a procedure to implement updates, upgrades, and version releases to a system that is in production use. This forum allows ISD to inform staff (Help Desk, Network, Server, Database, Security, and Analysts) of upcoming changes to a production system. CONTRACTOR must inform ISD a minimum of one (1) week prior to any planned, non-emergency changes so that the Change Control Process may be followed.

J. OTHER

Unless otherwise specified, for third-party software, CONTRACTOR shall provide standard documentation in electronic form (via the Internet or File Transfer Protocol (FTP)).

K. CLIENT INSTALL

To the extent applicable, should the software require installation on a Client PC, the software will not be installed under a specific User Profile. It must install and be available to all users on the all users’ desktop. The software can require an administrator to install the software, but the software must not require administrative rights in order to operate the software.

4. OBLIGATIONS OF THE COUNTY

A.
COUNTY CONTRACT ADMINISTRATOR

COUNTY appoints its Director of Internal Services/Chief Information Officer or his designee, as COUNTY’s Contract Administrator with full authority to deal with CONTRACTOR in all matters concerning this Agreement.

B. SAFEGUARDING SYSTEM SOFTWARE

COUNTY will follow its present practices to safeguard System Software delivered to COUNTY by CONTRACTOR. A copy of COUNTY’s “Information Technology (IT) Standards and Preferences” will be made available upon request.

1. Intentionally omitted

C. FACILITIES AND PREPARATION

COUNTY will at its own expense provide all necessary labor and materials for site preparation, electrical services, and cabling required for System Installation. COUNTY shall receive the System Software and follow instructions provided by CONTRACTOR to load it on COUNTY’s System Hardware to prepare the System for processing.

D. SYSTEM HARDWARE AND SYSTEM SOFTWARE

COUNTY will at its own expense provide and properly maintain and update on an ongoing basis all necessary COUNTY System Software and County System Hardware required to operate software. Said COUNTY System Software and County System Hardware shall meet or exceed CONTRACTOR’s recommendations.

As part of COUNTY’s responsibility for computer infrastructure, COUNTY shall ensure that data is secure and protected at all times. CONTRACTOR is not responsible for and cannot be held liable for inadvertent data disclosure or theft by COUNTY employees from COUNTY facilities.

E. COUNTY PROJECT MANAGER

Upon execution of this Agreement, COUNTY’s Contract Administrator shall designate one individual from ISD who will function as Project Manager with responsibility for day-to-day management of the project for implementation of software. The Project Manager and COUNTY personnel shall have the necessary and appropriate training and experience to implement the terms of this Agreement.
COUNTY acknowledges CONTRACTOR’S reliance on same.

F. OTHER COUNTY OBLIGATIONS

Technical assistance from COUNTY’s ISD staff will be provided during the performance of the installation of the System Software. In particular, COUNTY will provide:
a) Network connectivity and troubleshooting assistance.
b) Ability to monitor network traffic and isolate bottlenecks.
c) Technical assistance concerning the integration with existing COUNTY systems (if applicable).
d) Expertise to handle issues with PCs, printers, and cabling before, during and after rollout.

5. TERM

The term of this Agreement shall be for a period of three (3) years, commencing on December 11, 2018 through and including December 10, 2021. This Agreement may be extended for two (2) additional consecutive twelve (12) month periods upon written approval of both parties no later than thirty (30) days prior to the first day of the next twelve (12) month extension period. The Director of Internal Services/Chief Information Officer or his or her designee is authorized to execute such written approval on behalf of COUNTY based on CONTRACTOR’S satisfactory performance.

6. TERMINATION

A. Non-Allocation of Funds - The terms of this Agreement, and the services to be provided hereunder, are contingent on the approval of funds by the appropriating government agency. Should sufficient funds not be allocated, the services provided may be modified, or this Agreement terminated, at any time by giving the CONTRACTOR thirty (30) days advance written notice.

B. Breach of Contract - The COUNTY may immediately suspend or terminate this Agreement in whole or in part, where in the determination of the COUNTY there is:
1) An illegal or improper use of funds;
2) A failure to comply with any term of this Agreement;
3) A substantially incorrect or incomplete report submitted to the COUNTY;
4) Improperly performed service.
In no event shall any payment by the COUNTY constitute a waiver by the COUNTY of any breach of this Agreement or any default which may then exist on the part of the CONTRACTOR. Neither shall such payment impair or prejudice any remedy available to the COUNTY with respect to the breach or default. The COUNTY shall have the right to demand of the CONTRACTOR the repayment to the COUNTY of any funds disbursed to the CONTRACTOR under this Agreement, which in the judgment of the COUNTY were not expended in accordance with the terms of this Agreement. CONTRACTOR shall promptly refund any such funds upon demand.

C. Without Cause - Under circumstances other than those set forth above, this Agreement may be terminated by COUNTY upon the giving of thirty (30) days advance written notice of an intention to terminate to CONTRACTOR.

7. COMPENSATION/INVOICING:

COUNTY agrees to pay CONTRACTOR and CONTRACTOR agrees to receive compensation as follows:

A. ONE-TIME FEES FOR LICENSES, INSTALLATION, TRAINING, and FIRST YEAR MAINTENANCE

PowerBroker Password Safe with BeyondInsight License – per asset 1,500 devices @ $49.50 per device    $74,250.00
Password Safe Maintenance – 1500 devices @ $9.90 per device    $14,850.00
Password Safe – Professional Services – Tier 3 Implementation    $37,500.00
PowerBroker for Windows with BeyondInsight License – per asset 500 devices @ $15.40 per device    $7,700.00
Windows Maintenance – 500 devices @ $3.08 per device    $1,540.00
PowerBroker Server Windows Edition License – per asset 950 devices @ $65.45 per device    $62,177.50
Server Windows Edition Maintenance – 950 devices @ $13.09 per device    $12,435.50
Windows Desktop – Professional Services – Tier 3 Implementation    $37,500.00
Server Essentials for Unix/Linux Maintenance per asset 50 devices @ $183.50 per device    $9,157.50
Server Essentials for Unix/Linux Maintenance – 50 devices @ $36.63 per device    $1,831.50
PowerBroker Server Essentials
for Unix/Linux with BeyondInsight – Professional Services – Tier 1 Implementation    $12,500.00
Unified Vulnerability UVM20 Virtual Appliance – 2 appliances @ $7,164.50 per appliance    $14,329.00
PowerBroker Password Safe – Training – Virtual ILT – per student 10 students @ $750.00    $7,500.00
PowerBroker Windows – Training – Virtual ILT – per student 5 students @ $750.00    $3,750.00
PowerBroker Unix/Linux – Training – Virtual ILT – per student 5 students @ $750.00    $3,750.00
Total    $300,771.00

B. NOT TO EXCEED AMOUNT FOR ONE-TIME FEES

It is understood and agreed that the dollar figures listed above for one-time fees include applicable taxes that may be subject to change during the period for scheduled payments. In no event shall services performed under this current Agreement for one-time fees exceed $300,771.00.

C. ANNUAL MAINTENANCE

CONTRACTOR shall invoice COUNTY, and COUNTY agrees to pay maintenance fees for all licensed products identified above beginning the second year of this Agreement, which rate shall be increased by two percent (2%) per year, for each year of the term, inclusive of renewal periods. Such fees are paid annually and in advance. CONTRACTOR shall invoice COUNTY annually for licensed products as follows:

PRODUCT                             YEAR 2        YEAR 3        YEAR 4        YEAR 5
Password Safe                       $15,147.00    $15,449.94    $15,758.94    $16,074.12
Windows                             $1,570.80     $1,602.22     $1,634.26     $1,666.95
Server Windows Edition              $12,684.21    $12,937.89    $13,196.65    $13,460.59
Server Essentials for Unix/Linux    $1,868.13     $1,905.49     $1,943.60     $1,982.47
TOTAL                               $31,270.14    $31,895.54    $32,533.45    $33,184.13

D. ADDITIONAL MAINTENANCE FEES

Total additional maintenance fees shall be prorated as determined by the Additional Licensing Fees (as defined below).

E.
ADDITIONAL LICENSING FEES
COUNTY agrees to pay CONTRACTOR and CONTRACTOR agrees to receive compensation for any additional licenses at the current tiering rate and CONTRACTOR honor such rate for the entire potential five-year term of this Agreement.

F. NOT TO EXCEED AMOUNT FOR ADDITIONAL LICENSE, MAINTENANCE, or SERVICE FEES
Additional fees shall only be paid to CONTRACTOR if any such license, maintenance, or services are performed by CONTRACTOR upon COUNTY’s written request.

G. TOTAL CONTRACT AMOUNT
In no event shall services performed under this Agreement exceed $364,000.00 during the initial three-year term of this Agreement. In no event shall services performed under this Agreement exceed $396,500.00 if one renewal term is exercised, for a four (4) year term of this Agreement. In no event shall services performed under this Agreement exceed $450,000.00 during the entire possible five (5) year term of this Agreement. It is understood that all expenses incidental to CONTRACTOR’s performance of services under this Agreement shall be borne by CONTRACTOR.

H. INVOICING
CONTRACTOR shall submit invoices (which must reference the provided contract number), either electronically or via mail to the County of Fresno ISD, Accounts Payable, 333 W. Pontiac Way, Clovis, CA. 93612 or Accounts Payable, ISDBusinessOffice@fresnocountyCA.gov. COUNTY will pay CONTRACTOR within forty-five (45) days of receipt of an approved invoice, by mail addressed to CONTRACTOR’S remittance address: 5090 North 40th Street, Suite 400, Phoenix, Arizona 85018.

8.
INDEPENDENT CONTRACTOR: In performance of the work, duties and obligations assumed by CONTRACTOR under this Agreement, it is mutually understood and agreed that CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, and employees will at all times be acting and performing as an independent contractor, and shall act in an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or associate of the COUNTY. Furthermore, COUNTY shall have no right to control or supervise or direct the manner or method by which CONTRACTOR shall perform its work and function. However, COUNTY shall retain the right to administer this Agreement so as to verify that CONTRACTOR is performing its obligations in accordance with the terms and conditions thereof. CONTRACTOR and COUNTY shall comply with all applicable provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof. Because of its status as an independent contractor, CONTRACTOR shall have absolutely no right to employment rights and benefits available to COUNTY employees. CONTRACTOR shall be solely liable and responsible for providing to, or on behalf of, its employees all legally-required employee benefits. In addition, CONTRACTOR shall be solely responsible and save COUNTY harmless from all matters relating to payment of CONTRACTOR'S employees, including compliance with Social Security withholding and all other regulations governing such matters. It is acknowledged that during the term of this Agreement, CONTRACTOR may be providing services to others unrelated to the COUNTY or to this Agreement.

9.
CONFIDENTIALITY: A Party receiving Information (defined below) of the other will not disclose such Information other than to persons in its organization who have a need to know and who will be required to comply with this Section. The Party receiving Information will not use such Information for a purpose inconsistent with the terms of this Agreement. “Information” means the Software, Documentation and all information and intellectual property related thereto (including, but not limited to all databases provided to COUNTY by CONTRACTOR whether created by CONTRACTOR or its third party licensors such as, without limitation, the mapping product databases) as well as information related to the business of CONTRACTOR or COUNTY. Information will not include: (i) information publicly known prior to disclosure; (ii) information coming into the lawful possession of the recipient without any confidentiality obligation; and (iii) information required to be disclosed pursuant to regulatory action or court order, provided adequate prior written notice of any request to disclose is given to the Party whose information is to be disclosed. Each Party will exercise at least the same degree of care to safeguard the confidentiality of the other’s Information as it does to safeguard its own proprietary confidential information, but not less than a reasonable degree of care.

10. MODIFICATION: Any matters of this Agreement may be modified from time to time by the written consent of all the parties without, in any way, affecting the remainder.

11. NON-ASSIGNMENT: Neither party shall assign, transfer or sub-contract this Agreement nor their rights or duties under this Agreement without the prior written consent of the other party except in the event of a change in corporate control resulting from the sale of all or substantially all of a party’s assets. In the event of change of control, a party may assign without consent but upon prior written notice of such assignment.

12.
HOLD HARMLESS AND LIMITATION OF LIABILITY: CONTRACTOR agrees to indemnify, save, hold harmless, and at COUNTY'S request, defend the COUNTY, its officers, agents, and employees from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims, and losses, and any and all claims, damages, costs, fees, regulatory fines and penalties, and forms of legal action involving Cyber Risks, occurring or resulting to COUNTY in connection with the performance, or failure to perform, by CONTRACTOR, its officers, agents, or employees under this Agreement, and from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims, and losses, and any and all claims, damages, costs, fees, regulatory fines and penalties, and forms of legal action involving Cyber Risks, occurring or resulting to any person, firm, or corporation who may be injured or damaged by the performance, or failure to perform, of CONTRACTOR, its officers, agents, or employees under this Agreement.

To the extent so ordered by a court of competent jurisdiction based on a determination of fault, COUNTY agrees to indemnify, save, hold harmless, and at CONTRACTOR'S request, defend the CONTRACTOR, its officers, agents, and employees from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims, and losses occurring or resulting to CONTRACTOR in connection with the performance, or failure to perform, by COUNTY, its officers, agents, or employees under this Agreement, and from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims, and losses occurring or resulting to any person, firm, or corporation who may be injured or damaged by the performance, or failure to perform, of COUNTY, its officers, agents, or employees under this Agreement.
In the event of a claim of alleged infringement of patent rights, copyright, trade secret rights, or intellectual property rights, to the fullest extent permitted by law, CONTRACTOR agrees to, and shall, indemnify, save, hold harmless, and at COUNTY’s request, defend COUNTY, including its officers, officials, agents, and employees from any and all demands, costs and expenses, penalties, attorney’s fees and court costs, damages of any nature whatsoever (including, without limitation, injury or damage to or loss or destruction of property), judgments (including, without limitation, amounts paid in settlement and amounts paid to discharge judgments), liabilities, claims and losses, suits, actions or proceedings of every name, kind and description occurring or resulting to COUNTY, out of or in connection with any claim that is based on the infringement (or assertions of infringement) of any of patent rights, copyright, trade secret rights, or intellectual property rights with respect to services, software, or any Equipment provided by CONTRACTOR as part of this Agreement, including, but not limited to, their materials, designs, techniques, processes and information supplied or used by CONTRACTOR or any of CONTRACTOR’s subcontractor of any tier in performing or providing any portion of CONTRACTOR’s obligations as outlined in this Agreement. If, in any suit, action, proceeding or claim relating to the foregoing, a temporary restraining order or preliminary injunction is granted, CONTRACTOR shall make every reasonable effort to secure the suspension of the injunction or restraining order.
If, in any such suit, action, proceeding or claim, the services, software or any Equipment provided by CONTRACTOR or any part, combination or process thereof, is held to constitute an infringement and its use is enjoined, CONTRACTOR shall immediately (a) pay the reasonable direct out-of-pocket costs and expenses to secure a license to use such infringing work, replace the infringing work or modify the same so that it becomes non-infringing, and (b) make every reasonable effort to secure for the COUNTY a license, at no cost to COUNTY, authorizing COUNTY’s continued use of the infringing work. If CONTRACTOR is unable to secure such license within a reasonable time, CONTRACTOR, at its own expense and without impairing performance requirements of the services, software, or any Equipment provided by CONTRACTOR as part of this Agreement, shall either replace the affected services, software, or any Equipment provided by CONTRACTOR as part of this Agreement, combination or process thereof, with non-infringing services, software, or other equipment, or modify the same so that they become non-infringing. 
Notwithstanding the foregoing, CONTRACTOR shall have no obligation to indemnify COUNTY to the extent that any claim arises from (a) COUNTY’S use of the software in contravention violation of this Agreement or the Documentation; (b) the combination or use of the software with any other services, technology, content or material that were neither (x) provided by CONTRACTOR, nor (y) specified by CONTRACTOR for use with the software as contemplated by this Agreement and (z) County was expressly told in writing that the software should not be used or combined with such services, technology, content or material; (c) modification of the software or services in violation of this Agreement; or (d) COUNTY’S use of the software or services after County reasonably could have implemented a non-infringing alternative provided by Contractor at Contractor’s cost and expense, provided that County was offered such non-infringing alternative by Contractor in writing and refused such alternative in writing.

The party requesting indemnification hereunder (the “Indemnified Party”) will (i) provide the other party (the “Indemnifying Party”) with prompt notice of any such claim (provided, however, that failure to do so shall not relieve the Indemnifying Party of its indemnification obligations hereunder, except to the extent of any material prejudice to the Indemnifying Party as a direct result of such failure); (ii) permit the Indemnifying Party to assume and control the defense of such action upon the Indemnifying Party’s written notice to the Indemnified Party of its intention to indemnify; and (iii) upon the Indemnifying Party’s written request, provide to the Indemnifying Party all available information and assistance reasonably necessary for the Indemnifying Party to defend such Claim.
The Indemnified Party shall have the right, at its sole cost and expense, to participate in the defense and settlement of any such Claim with counsel of its choice.

To the maximum extent permitted by applicable law, CONTRACTOR and its licensors will not be liable for any indirect, special, incidental, punitive or consequential damages (including for the indirect loss of profit, revenue or content) arising out of or in connection with this agreement, however caused, and under whatever cause of action or theory of liability brought (including under any contract, negligence or other tort theory of liability) even if CONTRACTOR has been advised of the possibility of such damages, and (ii) excluding CONTRACTOR’s confidentiality obligations under Section 9 and indemnification obligations under this Section 12, the cumulative, aggregate liability of either party to the other party for any damages shall not exceed two times the fees paid by licensee to CONTRACTOR for the software or services giving rise to the liability during the twelve (12) months preceding the claim giving rise to such liability.

13. INSURANCE
Without limiting the COUNTY's right to obtain indemnification from CONTRACTOR or any third parties, CONTRACTOR, at its sole expense, shall maintain in full force and effect, the following insurance policies or a program of self-insurance, including but not limited to, an insurance pooling arrangement or Joint Powers Agreement (JPA) throughout the term of the Agreement:

A. Commercial General Liability
Commercial General Liability Insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy shall be issued on a per occurrence basis.
COUNTY may require specific coverages including completed operations, products liability, contractual liability, Explosion-Collapse-Underground, fire legal liability or any other liability insurance deemed necessary because of the nature of this contract.

B. Automobile Liability
Comprehensive Automobile Liability Insurance with limits of not less than One Million Dollars ($1,000,000) per accident for bodily injury and for property damages. Coverage should include owned and non-owned vehicles used in connection with this Agreement.

C. Professional Liability
Professional Liability Insurance with limits of not less than One Million Dollars ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) annual aggregate.

D. Worker's Compensation
A policy of Worker's Compensation insurance as may be required by the California Labor Code.

CONTRACTOR shall obtain endorsements to the Commercial General Liability insurance naming the County of Fresno, its officers, agents, and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees shall be excess only and not contributing with insurance provided under CONTRACTOR's policies herein. This insurance shall not be cancelled or without a minimum of thirty (30) days advance written notice given to COUNTY.

Within Thirty (30) days from the date CONTRACTOR signs and executes this Agreement, CONTRACTOR shall provide certificates of insurance and endorsement as stated above for all of the foregoing policies, as required herein, to the County of Fresno, ISD Business Office – Accounts Payable, 333 W. Pontiac Way, Clovis, CA.
93612, stating that such insurance coverage have been obtained and are in full force; that the County of Fresno, its officers, agents and employees will not be responsible for any premiums on the policies; that such Commercial General Liability insurance names the County of Fresno, its officers, agents and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned; that such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees, shall be excess only and not contributing with insurance provided under CONTRACTOR's policies herein; and that this insurance shall not be cancelled without a minimum of thirty (30) days advance, written notice given to COUNTY.

In the event CONTRACTOR fails to keep in effect at all times insurance coverage as herein provided, the COUNTY may, in addition to other remedies it may have, suspend or terminate this Agreement upon the occurrence of such event.

All policies shall be issued by admitted insurers licensed to do business in the State of California, and such insurance shall be purchased from companies possessing a current A.M. Best, Inc. rating of A FSC VII or better.

E. Technology Professional Liability (Errors and Omissions)
Technology professional liability (errors and omissions) insurance with limits of not less than Two Million Dollars ($2,000,000.00) per occurrence. Coverage shall encompass all of the CONTRACTOR’s duties and obligations that are the subject of this Agreement. Coverage shall include, but not be limited to, any and all claims, damages, costs, fees, regulatory fines and penalties, or forms of legal action involving Cyber Risks.

F. Cyber Liability
Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000.00) per occurrence.
Coverage shall include, but not be limited to, any and all claims, damages, costs, fees, regulatory fines and penalties, or forms of legal action involving Cyber Risks. The cyber liability policy shall be endorsed to cover the full replacement value of, damage to, alteration of, loss of, theft of, ransom of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of CONTRACTOR.

For purposes of the technology professional liability insurance and the cyber liability insurance required under this Agreement, Cyber Risks include, but are not limited to, (i) security breaches, which include disclosure of, whether intentional or unintentional, information provided by COUNTY, information provided by or obtained from any inmate, or personal-identifying information relating to any inmate, to an unauthorized third party; (ii) breach of any of CONTRACTOR’s obligations under this Agreement relating to data security, protection, preservation, usage, storage, transmission, and the like; (iii) infringement of intellectual property; (iv) invasion of privacy, including any release of private information; (v) information theft by any person or entity, whatsoever; (vi) damage to or destruction or alteration of electronic information; (vii) extortion related to CONTRACTOR’s obligations under this Agreement regarding electronic information, including information provided by COUNTY, information provided by or obtained from any inmate, or personal-identifying information relating to any inmate; (viii) network security; (ix) data breach response costs, including security breach response costs; (x) regulatory fines and penalties related to CONTRACTOR’s obligations under this Agreement regarding electronic information, including information provided by COUNTY, information provided by or obtained from an inmate, or personal-identifying
information relating to any inmate; and (xi) credit monitoring expenses.

14. AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during business hours, and not more than once annually upon thirty (30) days prior written notice and during normal business hours, make available to the COUNTY for examination all of its records and data with respect to the matters covered by this Agreement. The CONTRACTOR shall, upon request by the COUNTY, permit the COUNTY to audit and inspect all of such records and data necessary to ensure CONTRACTOR'S compliance with the terms of this Agreement. If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR shall be subject to the examination and audit of the California State Auditor for a period of three (3) years after final payment under contract (Government Code Section 8546.7).

15. CONTRACTOR may request annually a certified report detailing COUNTY’S installation and usage of the software, including whether or not COUNTY has exceeded the scope of license granted. If COUNTY’S use of any software is found to exceed the scope of the license granted, COUNTY will be charged additional license and maintenance fees for each instance of additional use in excess of license scope granted and such fees shall be payable in accordance with this Agreement.

NOTICES: The persons and their addresses having authority to give and receive notices under this Agreement include the following:

COUNTY
COUNTY OF FRESNO
Director of Internal Services/Chief Information Officer
333 W. Pontiac Way
Clovis, CA. 93612

CONTRACTOR
BeyondTrust Software, Inc.
Legal Department
5090 N. 40th Street, Suite 400
Phoenix, AZ 85018

All notices between the COUNTY and CONTRACTOR provided for or permitted under this Agreement must be in writing and delivered either by personal service, by first-class United States mail, by an overnight commercial courier service, or by telephonic facsimile transmission. A notice delivered by personal service is effective upon service to the recipient. A notice delivered by first-class United States mail is effective three COUNTY business days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice delivered by an overnight commercial courier service is effective one COUNTY business day after deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given for next day delivery, addressed to the recipient. A notice delivered by telephonic facsimile is effective when transmission to the recipient is completed (but, if such transmission is completed outside of COUNTY business hours, then such delivery shall be deemed to be effective at the next beginning of a COUNTY business day), provided that the sender maintains a machine record of the completed transmission. For all claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810).

16. GOVERNING LAW: Venue for any action arising out of or related to this Agreement shall only be in Fresno County, California. The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California.

17.
DISCLOSURE OF SELF-DEALING TRANSACTIONS
This provision is only applicable if the CONTRACTOR is operating as a corporation (a for-profit or non-profit corporation) or if during the term of the agreement, the CONTRACTOR changes its status to operate as a corporation. Members of the CONTRACTOR’s Board of Directors shall disclose any self-dealing transactions that they are a party to while CONTRACTOR is providing goods or performing services under this agreement. A self-dealing transaction shall mean a transaction to which the CONTRACTOR is a party and in which one or more of its directors has a material financial interest. Members of the Board of Directors shall disclose any self-dealing transactions that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, attached hereto as Exhibit A and incorporated herein by reference, and submitting it to the COUNTY prior to commencing with the self-dealing transaction or immediately thereafter.

18. ENTIRE AGREEMENT: This Agreement constitutes the entire agreement between the CONTRACTOR and COUNTY with respect to the subject matter hereof and supersedes all previous Agreement negotiations, proposals, commitments, writings, advertisements, publications, and understanding of any nature whatsoever unless expressly included in this Agreement. In the event of any inconsistency in interpreting the documents which constitute this Agreement, the inconsistency shall be resolved by giving precedence in the following order of priority: (1) the text of this Agreement (excluding any Attachments); (2) Attachments 4 and 5, Implementation Packages.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and year

COUNTY OF FRESNO
Chairman of the Board of
of the County of Fresno

5090 N.
40TH STREET, SUITE 400 PHOENIX, ARIZONA 85018
Mailing Address

FOR ACCOUNTING USE ONLY:
Fund No.: Subclass No.: Org No.: Account No.:

ATTEST: BERNICE E. SEIDEL
CLERK OF THE BOARD OF SUPERVISORS
COUNTY OF FRESNO, STATE OF CALIFORNIA
By ____________ Deputy

EXHIBIT A
SELF-DEALING TRANSACTION DISCLOSURE FORM

In order to conduct business with the County of Fresno (hereinafter referred to as “County”), members of a contractor’s board of directors (hereinafter referred to as “County Contractor”), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below:

“A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest”

The definition above will be utilized for purposes of completing this disclosure form.

INSTRUCTIONS
(1) Enter board member’s name, job title (if applicable), and date this disclosure is being made.
(2) Enter the board member’s company/agency name and address.
(3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following:
a. The name of the agency/company with which the corporation has the transaction; and
b. The nature of the material financial interest in the Corporation’s transaction that the board member has.
(4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code.
(5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4).
(1) Company Board Member Information: Date:
(2) Company/Agency Name and Address:
(3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to):
(4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233 (a):
(5) Authorized Signature
Signature: Date:

ATTACHMENT - 1
Sacramento County RFP 8367
Rev. Date 3/2/16

REQUEST FOR PROPOSAL -- THIS IS NOT AN ORDER
COUNTY OF SACRAMENTO
DEPARTMENT OF GENERAL SERVICES
CONTRACT AND PURCHASING SERVICES DIVISION
RFP #8367
COMMODITY/SERVICE: PRIVILEGED ACCOUNT MANAGEMENT (PAM) SOLUTION

CONTENTS
DEFINITIONS
INTRODUCTION
DETAILED REQUIREMENTS
KEY EVENTS
PROPOSER’S INSTRUCTIONS
BASIS OF AWARD
FINAL ACCEPTANCE
Appendices (listed separately in Public Purchase)
A-Sacramento County General Terms & Conditions
B-Additional Terms & Conditions
C-DCSS Contractor Certification of Compliance
D-Not Applicable
E-Solicitation Exceptions
F-Non Collusion Affidavit
G-Sacramento County Minimum Insurance Requirements
H-Customer References
I-Pricing
J-Local Vendor Preference Affidavit
K-Risk Assessment Questionnaire
L-Not Applicable
M-Not Applicable
N-Not Applicable
O-Web Accessibility Policy
P-Not Applicable
Q-Response to Detailed Requirements

DEFINITIONS

Response: The written, signed and sealed complete document submitted according to the proposal instructions. Response does not include any verbal or documentary interaction apart from submittal of a formal Response.

Request/Proposal/Bid: The completed and released document, including all subsequent addenda, made publicly available to all prospective proposers.

We/Us/Our: Terms that refer to the County of Sacramento, a duly organized public entity. They may also be used as pronouns for various subsets of the County organization, including, as the context will indicate:
Purchasing - the Contracts and Purchasing Services Division of the Department of General Services.
Department/Division – The department or division requesting the goods or services contained in this request, for which this PROPOSAL is prepared and which will be the end user of the requested goods or services.
Constituency – the client base or County population which may benefit from the procurement of goods and/or services requested herein.

You/Your: Terms that refer to businesses/individuals submitting a response. The term may apply differently as the context will indicate.
Supplier - A business entity engaged in the business of providing services.
Proposer - A business entity submitting a Response to this proposal.
Suppliers which may express interest in this proposal, but who do not submit a Response, have no obligations with respect to the proposal requirements.
Contractor - The Proposer(s) whose Response to this proposal is evaluated as meeting the needs of the County. Contractor(s) will be selected for award, and will enter into a contract(s) for provision of the services described in this proposal.
Contractor’s Employee - All persons who can be offered to provide the services described in the proposal. All employees of the Contractor shall be covered by the insurance programs normally provided to persons employed by a company (ex: Worker’s Comp, SDI, etc.).

Mandatory: A required element of this request/proposal/bid. Failure to satisfy any element of this request/proposal/bid defined as “mandatory” will disqualify the particular response.

Default: A failure to act as required by any contract resulting from this request, which may trigger the right to sue or may excuse the other party's obligation to perform under the contract.

Cancellation/Termination: A unilateral or mutual decision to not complete an exchange or perform an obligation under any contract resulting from this request.

“Or Equal”: A statement used for reference to indicate the character or quality desired in a requested product or service. When specified in a proposal document, equal items will be considered, provided the response clearly describes the article. Offers of equal items must state the brand and number, or level of quality. When brand, number, or level of quality is not stated by proposer, the offer will be considered exactly as specified. The determination of the Purchasing Agent as to what items are equal is final and conclusive.

INTRODUCTION

The County of Sacramento is requesting proposals for a Privileged Account Management (PAM) solution. Your proposal will be considered to enhance current Sacramento County security systems and procedures.
Due to legislative and legal requirements in many areas, the selection and implementation of a Privileged Account Management System is considered essential to meeting these requirements. The proposed solution must protect data and assets from unauthorized access and offer a repeatable process when granting or removing Rights to Privileged Accounts and Assets. The County expects the offered solution to fully monitor and record the User Session when utilizing a Privileged Account. The solution should have full, auditable logs which include User Accounts, Privileged Accounts and Specific Assets as searchable criteria. The proposed solution must include the capability to send notifications when identified and monitored county assets are being accessed.
Note: Asset is defined as any file share, web service, e-mail account, Active Directory Account, Application, Database or physical device located in the Sacramento County Network.

DETAILED REQUIREMENTS
SCOPE OF WORK
The County of Sacramento is requesting proposals to implement a new PAM solution to improve secure management and monitoring of privileged accounts. Please indicate how your proposed solution can provide the functionality that is described and/or requested in the remainder of Appendix P. Proposals must include all costs and services required for hardware, software, implementation services, training, etc. These costs are to be entered in Appendix I – Pricing. Please include the implementation costs as requested in Appendix I. These are being requested in sections based upon technology. Costs should outline each module/feature at a line-item level so that the County of Sacramento can determine the extent of the modules/features in relationship to its cost. If a feature is included in any response in Appendix Q, it should be included in the cost proposal (i.e. there should be no hidden costs).

CURRENT ENVIRONMENT
CURRENT NETWORK ARCHITECTURE
Current Logical Zone Architecture and Data Flow Summary.
The County of Sacramento manages resources with Privileged Accounts in each Zone described in the “Logical Zone and Data Flow Model” drawing above.
The Use Case below has been included to describe our current DMZ structure and to illustrate known, intended, usage limitations due to the security of the design. Please take this information into consideration with your response to this RFP.
Management of Zone 1 usually originates from Zone 3. But, circumstances do arise when a single Zone is isolated from all other Zones due to failures. This scenario, and others, must be taken into consideration by the proposed solution. See “Data Flow Summary Tables” in drawings above.
Use Case - On-Zone RDP: Network Administrator requires access to Zone 1, Resource 2. Due to data-flow restrictions created for security purposes, the only Network path to Zone 1, Resource 2 is through Zone 1, Resource 1.
Action: Administrator initiates RDP session from Zone 3 to Zone 1, Resource 1. Once session is established, Administrator then initiates an RDP session from Zone 1, Resource 1 to Zone 1, Resource 2.

CURRENT PAM TOOLS
The County of Sacramento does not currently use a PAM tool. Privileged account credentials are managed in a variety of decentralized tools using manual, non-governed, ad-hoc methodologies. Management of privileged accounts follows security best practices.

IDENTITY ACCOUNT MANAGEMENT
Data sources and directories: The County of Sacramento currently uses the following Identity Account Management data sources, directories, and tools:
Active Directory, Schema Version 47 on Windows 2008 r2 or later.
OpenLDAP, Version 2.4.33.
EQUIPMENT TYPE & OPERATING SYSTEM VERSIONS
Servers, Database, and Network Devices
The County of Sacramento currently manages the following types of servers, databases, and devices in our County of Sacramento data centers:
Oracle database, versions 11gR2 – 12c
Microsoft SQL Server database, versions 2005 – 2014
CISCO Network Products (numerous models utilizing the following versions):
Cisco IOS versions 12.x and 15.x
Cisco NX-OS versions 6.x and 7.x
Cisco IOS-XR versions 5.x
Cisco IOS-XE version 3.x
Cisco Unified Communications Manager: 9.1.2.13900-10
Cisco Unity Connection 9.1.2TT1.11900-2TT1
Cisco IP IVR 9.0.2.10000-71
Cisco Unified Contact Center Enterprise 9.0.1.0 Build 1454
EngHouse Interactive ARC Solutions
Windows Servers versions 2003 – 2012
Future Technologies
Hadoop

DEVICE / APPLICATION / PRIVILEGED ROLES | Counts
Windows Servers | 1000
Windows Desktops | 10,200
Microsoft SQL Servers | Included in Windows Server Total
CISCO - Switches | 866
CISCO - Routers | 129
CISCO – Voice Gateways | 97
Applications | 100
Database Connection Strings | 200
Unix Servers | 135
SAP Applications | 42 (instances)
Oracle Database | 28
Privileged Account Roles Windows - This is an estimate | 250
Privileged Account Roles Unix – This is an estimate | 10

Training Requirements | Number of Trainees
PAM Administration | 4
PAM Users (System Admins) | 40
PAM Users (Application) | 10

KEY EVENTS
Event/Action | Date(s)
RFP Release Date | April 14, 2016
Proposer Conference at 799 G Street, 2nd Floor, Conference Room 221 Sacramento, CA 95814. This is a non-mandatory Proposal Conference, however, vendors are encouraged to attend. | April 26 (9:30AM (PDT))
Deadline for submitting written questions | May 3, 2016 (4:00PM (PDT))
Responses to written questions | May 6, 2016
Addendum issued (if necessary) | May 12, 2016
Proposals due | May 26, 2016 (12:00PM (PDT))
Proposal Evaluation, Vendor presentations (if necessary) | May 27, 2016 through June 16, 2016
Board Approval (if necessary) | TBD – July 22, 2016 (estimated)
Intent to award contract | TBD – July 29, 2016 (estimated)
Note: The key events and dates are tentative and subject to change.

Pre-Proposal Conference: A non-mandatory pre-proposal conference will be held at 9:30 AM on Tuesday, April 26, 2016 at Sacramento County’s Department of Technology (Dtech) building, 799 G Street, Sacramento, CA 95814, RM 221. The proposers will be afforded the opportunity to meet with County personnel and discuss the content of the RFP in further detail. The County will accept oral questions during the conference and will attempt to provide answers at that time. Oral answers provided by the County shall not be binding. Only written answers posted via Public Purchase will be binding. Although attendance is not required, the County highly recommends interested parties to attend the pre-proposal conference to better understand our requirements and to ask clarifying questions. Attendees are advised to print and bring their own copies of the RFP and required documents. Printed documents to be distributed by the County during the conference may be limited to addendums only.
We have added a Conference Line to the meeting notice. See specifics below:
Join by Phone: +1 (916) 876-4100
Conference ID: 387938

PROPOSER’S INSTRUCTIONS
General Format: Respond to all requests for information and completion of forms contained in this Request for Proposal. You may use additional sheets as necessary. A qualifying response must address all items. Brochures and advertisements will not be considered a complete reply to requests for information and will not be accepted as such.
Proposer is solely responsible for accuracy and completeness of proposal response and for electronically separating and marking documents as confidential when submitting their response through Public Purchase. Responses considered incomplete may be rejected.
Alteration of Proposal Text: the original text of this proposal document, as well as any attachments, amendments or other official correspondence related to this proposal document, may not be manually, electronically or otherwise altered by proposer or proposer’s agent(s). Any response containing altered, deleted, additional or otherwise non-original text will be disqualified.
Preparation of Response:
A. All responses must be signed by an authorized officer or employee of the responder.
B. Responses must be submitted prior to the specified date and time, using the www.publicpurchase.com website. Responses delivered by hand, fax, telephone, e-mail, or any postal carrier will not be accepted. If bidder uploads a file to Public Purchase, it is bidder's responsibility to ensure the file is not corrupt or damaged. If County is unable to open an attachment because it is damaged, corrupt, infected, etc., it may disqualify bidder’s submission. See document titled “Public Purchase Instructions” for guidance entering your online response.
C. Time of delivery must be stated as the number of calendar days following receipt of the order by the proposer to receipt of the goods or services by the County.
D. Time of delivery may be a consideration in the award.
E. Prices will be considered as net if no cash discount is offered. If a discrepancy between the unit price and the item total exists, the unit price prevails.
Confidential Information/Public Record: All responses become property of the County. All responses, including the accepted proposal and any subsequent contract, become public records per the requirements of the California Government Code, Sections 6250-6270, “California Public Records Act”.
Proprietary material must be clearly marked as such. Pricing and service elements of the successful proposal are not considered proprietary information. The County will treat all information submitted in a proposal as available for public inspection once the County has selected a contractor. If you believe that you have a legally justifiable basis under the California Public Records Act (Government Section 6250 et seq.) for protecting the confidentiality of any information contained within your proposal, you must identify any such information, together with the legal basis of your claim in your proposal, and present such information separately as part of your response package. Public Purchase allows you to mark such documents as “confidential” when uploaded into the system. The final determination as to whether the County will assert your claim of confidentiality on your behalf shall be at the sole discretion of the County. If the County makes a determination that your information does not meet the criteria for confidentiality, you will be notified as such. Any information deemed to be non-confidential shall be considered public record.

BASIS OF AWARD
This proposal award will be determined by factors other than price alone. The County’s sole purpose in the evaluation process is to determine from among the Responses received, which one is best suited to meet the County’s needs. Any final analysis or weighted point score does not imply that one proposal is superior to another, but simply that in our judgment the proposal(s) we select offer(s) the best overall solution for our current and anticipated needs. The County reserves the right to make modifications to any scoring and/or weight structure prior to the evaluation of responses. The responses will remain sealed during the proposal evaluation period, and will be made available for public inspection upon notice of proposal award.
Bid responses will be considered valid for a period of 120 calendar days after bid closing date above. The County reserves the right to make a single award, multiple awards, or no award at all to this RFP. In addition, the RFP may be amended or canceled as necessary to meet requirements.

Scoring and Evaluation Factors
Responsive proposals will be reviewed against the general criteria as described in Proposal Evaluation Criteria below. The evaluation factors reflect the totality of considerations to be used in evaluating the requested Proposal responses. While cost is important, other factors are also significant, and the County may not select the lowest cost proposal. The objective is to choose the proposal that offers the highest quality services and will achieve the project’s goals and objectives within a reasonable budget. All proposals will be evaluated using the same criteria and possible points. Evaluations will be based on the criteria listed below, which correspond to information requested in various sections of the proposal:

Final Selection
The Evaluation Committee will formulate its recommendation for award of the Contract, and forward its selection to the appropriate parties for approval. The award will be in accordance with, but not limited to, the result of our evaluation and our perception of your understanding of our stated needs and specifications. Final award will be based off of the points assigned.

Proposal Evaluation Criteria
The Proposers will be reviewed and rated in the following areas:
WRITTEN RESPONSE
DEMONSTRATION
COST
The top scoring Proposers in the WRITTEN component will then be invited to the DEMONSTRATION phase. DEMONSTRATION scores will be compiled along with WRITTEN and COST scores to determine the successful proposal.
The County reserves the right to enter into a Contract without further discussion of the submitted proposal. Therefore, the proposal should be submitted on the most favorable terms the proposing party can offer.
The RFP document and the successful party’s proposal response, as may be amended by agreement between the County and the successful party, will be the basis for the resulting Contract document(s). Additionally, the County may verify the successful party’s representations that appear in the proposal in efforts to finalize the agreement. Failure of the successful party to deliver a sound gap analysis and data migration analysis (deliverables one and two) where the analyses are acceptable to the County may result in Contract cancellation or termination.
The successful party will be expected to enter into a Contract with the County. If the successful party fails to sign the Contract within fourteen (14) business days following the delivery of the Contract documents, the County may elect to proceed with the next highest scoring Proposer. The County shall not be bound, or in any way obligated, until both parties have executed a Contract. The proposing party may not incur any chargeable costs prior to final Contract execution.
Note: All specifications, terms and conditions of this request will apply to any resulting order.

FINAL ACCEPTANCE
Equipment/Supplies/Services
The County of Sacramento will agree to final acceptance only after the supplied equipment, product or service is tested and is found to perform within acceptable standards of operation, is in compliance with all published and implied performance standards, and is considered by the County to be ready for practical application.

ATTACHMENT – 2
BeyondTrust Response to RFP 8367
RFP 8367 Appendix Q Page 1 of 23

Appendix Q – Detail Requirements Response
A specific point-by-point response, in the order listed, to each requirement below
Definitions of the table heading:
Req ID: A unique requirement number.
Requirement Description: The requirement or question.
Response Code: Add one of the following response codes to this field:
Comply (C) - Follow this response with a brief/concise explanation that adequately details your ability to meet the specified requirement unless the specification/requirement is clearly (unequivocally) a “yes/no”, “can do/can’t do”, “will do/won’t do” type of specification in which case “Comply”, without an accompanying explanation, will suffice.
Comply with exception (CE) - You must clearly state the difference between the specification and your ability to meet the requirement(s) of the specification.
Cannot comply (CC) - Follow this response with sufficient detail that explains why the specification cannot be met.
Vendor Response: Responses are required; proposals lacking responses may be rejected. Be verbose. It will not suffice to simply state “Comply.” If an evaluator is left wanting for information to fully understand your response, then your response will be scored accordingly. Adequately detailed, yet succinct, (evaluator friendly) responses are preferred. Responses that direct evaluators to “refer to” and/or to interpret documentation, e.g., from technical materials, pamphlets, brochures, etc. are unacceptable.

Appendix - Q Detailed Requirement Areas
1. VENDOR PROFILE AND EXPERIENCE
2. TECHNICAL SPECIFICATIONS
3. DISCOVERY (Automated Discovery of Privileged Accounts)
4. MANAGING ACCOUNTS AND ASSETS
5. SESSION MANAGEMENT
6. SECURITY, AUDITING, AND COMPLIANCE
7. INTEGRATION

1. VENDOR PROFILE AND EXPERIENCE
We expect the Proposer to be forward thinking with a solution that can provide features that can help to ensure best practices in securely managing and monitoring privileged accounts within heterogeneous technology environments. Please indicate how your company and solutions can meet The County of Sacramento needs.
Req ID | Requirement Description | Response Code | Vendor Response

1.1 Executive Summary
1.1.1 Describe your company’s background/history and years in business.
Response Code: C
Vendor Response:
BeyondTrust
BeyondTrust is a global information security software company that helps organizations prevent cyber-attacks and unauthorized data access due to privilege abuse. Our solutions give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Access Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your company goes. BeyondTrust’s security solutions are trusted by over 4,000 customers worldwide, including half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.
Industries Served:
• Government
• Financial Services, Banking and Insurance
• Aerospace and Defense
• Energy and Utilities
• Technology/Software
• Entertainment
• Healthcare and Pharmaceuticals
• Retail and Consumer Packaged Goods
• Communications
• And more
Key Facts:
• Privately held and profitable
• 40% year-over-year growth in 2015
• 350 employees
• 7 awarded patents, and 10 pending patents
• 100+ partners
Optiv
Optiv is the largest holistic pure-play cyber security solutions provider in North America. The company’s diverse and talented employees are committed to helping businesses and governments plan, build and run successful security programs through the right combination of products, services and solutions related to security program strategy, enterprise risk and consulting, threat and vulnerability management, enterprise incident management, security architecture and implementation, training, identity and access management, and managed security.
Optiv is a Blackstone (NYSE: BX) portfolio company that has served more than 12,000 clients of various sizes across multiple industries, offers an extensive geographic footprint, and has premium partnerships with more than 300 of the leading security product manufacturers including BeyondTrust. With 780+ government agency and department clients, of which over 50 are in Northern California, Optiv is well versed in assisting clients like the County of Sacramento improve their security posture.
Industries Served:
• Financial Services and Insurance
• Government
• Healthcare
• Manufacturing
• Professional Services
• Retail, Hospitality and Travel
• Technology and Telecom
• Utilities and Energy
Clients:
• More than 12,000 clients served
• 67 percent of Fortune 100
• 60 percent of Fortune 1000
• 1,250+ educational institutions
• 780+ government agencies and departments
Key Facts:
• $1.5B in annual revenue (2014)
• 1,400 employees
• 625+ highly skilled security practitioners
• 415+ dedicated client managers
• 300+ technology partners

1.1.2 Describe your company’s financial standing/stability.
Response Code: C
Vendor Response: BeyondTrust was founded in 1985, is privately held, and profitable with significant YOY growth. In appendix K we offer a financial reference from our bank. Optiv response - please see appendix K item 3.

1.1.3 Describe your company’s organization and staff resources, including number of company employees dedicated to each division of the company (e.g. sales, marketing, R&D, client support, etc.), and geographic locations for primary support and development teams
Response Code: C
Vendor Response: BeyondTrust employs approximately 340 employees. Of this number, approximately 13% are dedicated to pre and post sales client support, 34% sales, 5% marketing, 37% R&D, and 8% G&A. Our primary technical support team is located in Halifax, Nova Scotia, where a significant portion of our product development also occurs.
We also have a support team located in Aliso Viejo, California so we have 24/7 support.

1.2 Experience
1.2.1 How has the proposed solution resolved similar challenges faced by other institutions?
Response Code: C
Vendor Response: Prior to coming to us, several of our customers have experienced breaches (some that made headlines) resulting from attacks via third-party systems and internal threats. Remote access by vendors and contractors needs controlled network separation and activity monitoring. We also protect against accidental or intentional misuse by insiders. Our customers are more confident in their security posture in that Password Safe provides a secure connection gateway with proxied access to RDP, SSH and Windows applications; protects privileged credentials; and records all privileged sessions and enables the ability to pause or terminate sessions real-time. None of our customers have ever been hacked or breached after they have implemented our solution(s).
Case Studies: https://www.beyondtrust.com/resources/education/case-studies/

1.2.2 What are the differentiators that separate your company and/or solutions from others?
Response Code: C
Vendor Response:
• Password, Session, API Access, and threat analytics are all included as a single module at a single price
• Policies support time and location based access
• Upgrade and implementation do not require PSO engagements
• Network based system discovery
• Host based access control
• Active / Active for fault tolerance
• Application support
• System level command control
• Simplified Sudo Policy Management
• Optional Windows Client for least privilege integration
• Remote command execution on Unix and Linux
• HA API interface with dynamic aliasing

1.2.3 Summarize your implementation and training approaches.
Vendor Response: BeyondTrust offers online product training, online training programs, and product deployment services to help you get the most from your security investment.
Staffed by some of the best security and systems engineers, and software developers in the world, BeyondTrust provides an extensive range of training and consulting services to help you maximize the potential of BeyondTrust products within Sacramento County’s IT infrastructure. Our onsite training services have been performed by BeyondTrust for hundreds of customers. We can customize this training to address your specific concerns immediately after the solution’s been deployed or at a later date.
Product Training: BeyondTrust provides comprehensive training courses covering installation, configuration, and recommended usage of our products. In order to help you learn in the time and place that is most convenient for you we offer Instructor-led training courses.
Instructor-led Training: Our instructor-led courses can be brought on-site to your location and can be customized to meet specific training needs.
Product Implementation and Deployment Services: BeyondTrust offers assistance with all stages of product deployment, including proper network design, product configuration, and enterprise-wide integration.

1.3 Development of Solutions
1.3.1 Provide a strategic roadmap for the proposed solution.
Response Code: C
Vendor Response:
1H 2016: Sailpoint Integration, SAML, MongoDB, Enhanced Custom Platform editor, API Enhancements, Direct Connect for SSH, HSM
2H 2016: Multi-tenant, Java Application Server support (JBOSS, Tomcat, NetWeaver), SaaS deployment options

1.3.2 How have your solutions been designed/developed? I.e. were they designed/developed by your company/employees; or are there pieces that have been obtained through acquisitions, developed by third party contractors, licensed from third parties, etc.?
Response Code: C
Vendor Response: Developed by our company and employees. We do incorporate user input and trends as we establish roadmap and also honor feature requests.
1.4 Development of Solutions
1.4.1 Please complete “Customer References” in Appendix H

2. TECHNICAL SPECIFICATIONS
The County of Sacramento has an enterprise data center with a heterogeneous environment of servers, databases, and network devices (as detailed in 2.11 below). We are interested in secure and efficient management of privileged/shared accounts within this environment. Please describe:

Req ID | Requirement Description | Response Code | Vendor Response

2.1 Infrastructure/architecture. Provide a list of all infrastructure requirements, including number and types of servers (including virtualization options), operating systems, databases, storage, etc.
Response Code: C
Vendor Response: BeyondInsight/PowerBroker Password Safe is provided as a hardened, locked down appliance in both physical and virtual appliance formats. The physical version comes in 2 sizes: UVM20 for up to 30k managed accounts; UVM50 for up to 250k managed accounts. The virtual version is sized identically to the UVM20, and requires approx. 32GB RAM, 150GB(+) disk space, and 2x4 cores. The appliance contains all software required. For active/passive (see below), SQL is supplied as part of the appliance; for active/active, an external SQL AlwaysOn Availability Group is required.
There are 2 deployment models:
Active/Passive - will failover to a mirrored appliance in the event the primary appliance is not available. Failover and recovery is fully automatic. This method will involve 2 appliances configured as a ‘pair’.
Active/Active - requires the use of an external database – we certify against SQL AlwaysOn. As many appliances as required can be configured to connect to this database. In this case, all appliances can be used at once, and are fully redundant; if one goes down, you simply switch to an alternative.
AlwaysOn Availability Groups may be configured with a mix of synchronous commit and asynchronous commit replicas to provide real-time
For sizing purposes, in an active/passive model, only one appliance is in operation at one time so you will size against a single appliance. In an active/active model, each appliance you add provides cumulative scalability as they are all used simultaneously

2.2 Test and production instances. Describe options for implementing a multi-instance environment that includes production and non-production instances.
Response Code: C
Vendor Response: Many deployment options are available for splitting instances across test and production environments. If total physical isolation is required, two or more pairs of appliances may be used in an active/passive configuration – there will be no connection between these deployments, and administration will be separate. If physical isolation is not required, and cumulative scale for test and production can be covered by a single appliance, one pair of appliances may be deployed in active/passive configuration using multi-tenant to logically isolate the environments. For larger environments, active/active will allow multiple (2+) appliances to be deployed using multi-tenant to isolate test and production.

2.3 HA/DR/BC. Describe capabilities for backups/restores, and high availability, disaster recovery, and business continuity.
Response Code: C
Vendor Response: Appliance-based BeyondInsight/PowerBroker Password Safe deployments provide for HA/DR/BC natively. In the case of active/passive deployment, a load balancer is typically used to direct traffic to the active node of an asynchronous pair of appliances. Databases are replicated in real-time between appliances. In the case of active/active deployments there is complete appliance redundancy – the database is external and must be configured for HA as part of the SQL AlwaysOn Availability Group configuration.

2.4 Application language/framework.
Describe the application languages/frameworks that were used to develop the solution.
Response Code: C
Vendor Response: BeyondTrust uses a wide variety of development languages for our products. Password Safe uses .NET (C#), SQL, Javascript, ActionScript, Silverlight, HTML5/CSS, C++, and C. Our database layer is comprised of C# and SQL, and has been internally developed with goals of scalability and wide platform support.

2.5 Security/encryption. Describe how the application, database/vault, and connections are secured.
Response Code: C
Vendor Response: By default, all communications to/from BeyondInsight/PowerBroker Password Safe systems are encrypted (HTTPS/SSL/SSH). All sensitive data is AES256 encrypted within the database, as are all session recordings. The appliances are fully hardened to DISA gold standards and contain built in endpoint protection mechanisms to isolate internals. Access to the operating system can be configured to require BeyondTrust support intervention. All product and operating system updates are provided via online/air-gapped mechanisms.

2.6 Relationships and dependencies. Describe any relationships between individual components of the proposed solution, and any dependencies or constraints that exist within or outside of the proposed solution. For instance, is it host-based or gateway based? Does it require middleware, appliances, plug-ins, etc.?
Response Code: C
Vendor Response: No outside software, agents, etc. are required to deploy BeyondInsight/PowerBroker Password Safe. While not a requirement or a dependency, already having Active Directory (or any LDAP-based solution) in place can make the setup, management, and administration of the environment much more maintainable over time. The appliances are supplied ready to run – all software is preinstalled including console, reporting, and scanner. For active/passive, no external software is required; for active/active, an external SQL AlwaysOn Availability Group is required.

2.7 Authentication/authorization.
Describe protocols and methodologies that can be used to authenticate and authorize users, for login to and use of the proposed solution.
Response Code: C
Vendor Response: BeyondInsight/PowerBroker Password Safe provides a feature-rich web-based interface that users access to request system-level connections. Authentication mechanisms currently include Active Directory, LDAP, and any RADIUS servers (for two-factor authentication). Additionally, we can expose powerful APIs for BeyondInsight/PowerBroker Password Safe for applications to make authentication requests to the system.

2.8 Authentication/Authorization for Application. Please describe the method utilized for Application Authentication, i.e. Database Connection String, Web Application, etc.? Is there an API for the PAM solution?
Response Code: C
Vendor Response: BeyondInsight/PowerBroker Password Safe has a RESTful API interface that may be accessed directly, or through optional cache components that provide persistent storage of credentials or redundancy, scalability and reduction of latency. Authentication/Authorization is provided by group membership. Password Safe supports Active Directory, LDAP and local groups. Permissions are applied at the group level. Users accessing the system will have a resultant set of policy according to group membership. Local user accounts and groups are also supported for instances where external directories are not available and/or appropriate.

2.9 Patches and maintenance. Describe the frequency within which software revisions and updates are released for the proposed system, and any specifics related to processes or methodologies for their installation/testing/release.
Response Code: C
Vendor Response: All patches come from BeyondTrust. We QA them and package them up for delivery via SyncIT (online) or manually using the SUPI updater (This is an internal term for our upgrade engine). Minor product updates are provided 2 – 4 times per year, major updates approx. every 2 years.
Updates
The appliances come with the Enterprise Update Server.
When properly configured, can be used to control updates to the appliance software provided and managed by BeyondTrust.
Operating System Updates
BeyondTrust reviews critical patches every month from Microsoft and issues updates to the appliances within 30 days. Note that many patches are mitigated due to the hardening of the appliance (server service disabled etc). All appliances are patched regardless but the risk is minimal due to the appliance configuration and DoD STIG Hardening Guidelines we follow.

2.10 User interface. Describe user interfaces for all portions of the proposed system. Are there any differences in UI delivery to different user bases (e.g. system administrators vs. other users, etc., thick vs. thin client, etc.)? Please discuss any compatibility or incompatibility limitations.
C There are three specific interfaces in the solution: BeyondInsight (admin UI used to configure systems, accounts and permissions) is based on Flex and requires Flash. The analytics and reporting interface requires Silverlight. The end user interface is HTML5 based. Note that all interfaces are moving to HTML5 starting with analytics and reporting in July 2016. No client software is required.

2.11 Current Environment Compatibility. Compatibility with our current equipment and products. Please place an “x” in the appropriate column and supply additional details as requested. Please complete the Table below.
2.11 - Continued
Product | Compatible No Known Issues | Compatible with Issues (please supply details) | Not Compatible

Server
Microsoft Windows Server 2003 X
Microsoft Windows Server 2008 X
Microsoft Windows Server 2012 X
Microsoft SQL Server 2008 X
Microsoft SQL Server 2012 X
Enterprise VMWare ESX Virtual Server Platform version 5-6 X
Active Directory Schema Version 47 on Windows 2008 r2 or later X
LDAP Version 2.4.33 X

Network
Cisco IOS versions 12.x and 15.x X
Cisco NX-OS versions 6.x and 7.x X
Cisco IOS-XR versions 5.x X
Cisco IOS-XE version 3.x X
Cisco IOS versions 12.x and 15.x X

VOIP
Cisco Unified Communications Manager: 9.1.2.13900-10 X
Cisco Unity Connection 9.1.2TT1.11900-2TT1 X
Cisco IP IVR 9.0.2.10000-71 X
Cisco Unified Contact Center Enterprise 9.0.1.0 Build 1454 X
EngHouse Interactive ARC Solutions X

Other
Linux – SUSE SLES 12.1, RHEL 7 X
Unix – HP-UX B.11.31 X
Oracle – 12.1 X
SAP – HANA 1.0 X
SAP – ERP 6.0 X
SAP – Netweaver rel-740 X
IBM zOS 1.13 X
IBM zOS 2.2 X
ADABAS 7.4.4 X

3. DISCOVERY
The County of Sacramento is interested in robust automated discovery features to ensure that target systems/accounts are efficiently found and added with minimal effort. Please describe:
Req ID | Requirement Description | Response Code | Vendor Response

3.1 List of target systems. Provide a list of the systems, databases, devices, Application, etc. that can be auto-discovered and added into the proposed solution.
C BeyondInsight/PowerBroker Password Safe Discovery Scans can be scheduled to auto-discover and/or auto-onboard assets as they come onto the network.
• AIX
• IBMi (AS/400)
• HP-UX
• Linux
• MAC OSX
• Solaris
• Windows Desktop
• Windows Server
• Windows SSH
• Active Directory
• LDAP/LDAPS
• RACF
• Checkpoint
• Cisco
• Dell iDRAC
• BIG-IP (F5)
• HP iLo
• HP Comware
• Juniper
• Palo Alto Networks
• Fortinet
• SonicWall
• Oracle
• SQL Server
• MySQL
• Sybase
• Teradata
• VMware vSphere API
• VMware vSphere SSH
• SAP
• Amazon (AWS)
• Office 365
https://www.beyondtrust.com/wp-content/uploads/ds-pbps-platform-support.pdf?1455821522

3.2 Discovery speed and performance. Describe the speed at which discovery will run across a large environment (and the speed at which systems can be added) within the proposed solution. Describe any performance degradation that may occur on the network or on targets that are being scanned.
C Discovery scans can be adjusted to run according to a number of parameters, including total number of worker/scanner processes, number of targets scanned simultaneously, etc. These types of scans are very lightweight, and consume very little from a system time resource perspective.

3.3 Dependencies. Describe how dependencies are discovered and tracked. For password changes that require propagation across multiple files/locations, or password changes across linked systems which must have changes committed at the same time.
C Dependencies may automatically be discovered via scan e.g. services. Managed accounts may be manually configured into cross-platform sync groups to ensure that passwords are propagated on change event. The built in custom platform connector allows changes to be pushed to applications / scripts on multiple platforms. Additionally, scripts may also be driven externally via the API interface to set, change, release or check-in credentials.

4. MANAGING ACCOUNTS AND ASSETS
The County of Sacramento is interested in gaining security and efficiency in the management of privileged accounts and assets.
Please describe:
Req ID | Requirement Description | Response Code | Vendor Response

4.1 Adding privileged accounts/assets. Describe how accounts/assets are added into the proposed solution (especially if/when such additions are done outside of the discovery features as described above). Address the initial account import that would occur during implementation. Include Application Authentication and Access for Database Connection Strings, Web Based Applications and API utilization, if applicable.
C Managed assets and accounts may be added via auto-discovery using the included network scanner, added via file import, or added via the API interface. For initial implementation, assets and accounts can be discovered and automatically added to Password Safe. Smart Rules allow conditional onboarding of items according to any discovered attribute/meta data. For example, any SQL server instance on a particular network segment may be automatically onboarded, the SA password changed, and permissions set to the DBA group - the Smart Rule can even be configured to send email alerts on completion of onboarding events. Systems and accounts may also be added via API. A2A and A2DB authentication is performed via a defined API-user account to provide access to the Password Safe REST interface.

4.2 Account types. Describe any differences between the types of accounts that can be managed. Is there any difference between “true” privileged accounts (e.g. Root, Administrator, etc.) and other shared service accounts (e.g. accounts used in application-to-application or application-to-database scenarios)?
C BeyondInsight/PowerBroker Password Safe can manage both “true” privileged accounts and shared service accounts. We do not differentiate between the two, as all configuration options exist for each managed account types (e.g., Windows, Linux, etc.).

4.3 Access delegation and control.

4.3.1 Employees. Describe how end users (e.g.
system administrators, developers, information security, etc.) gain access to privileged accounts. How is access granted, changed, controlled, etc.?
C End users access BeyondInsight/PowerBroker Password Safe via an HTML5 web interface. All requests are made, processed, approved, denied, monitored, and played back through this single web interface. The user’s role determines which options are available to them upon login. Multiple authentication methods are available (Active Directory/LDAP/RADIUS/X.509/SmartCards etc). Authorizations are built off a resultant set of policy based on the user’s group membership.

4.3.2 3rd party contractors. Describe how 3rd party contractors/consultants gain access to privileged accounts. How access is granted, changed, controlled, etc.?
C PowerBroker Password Safe allows the dynamic assignment of just-in-time privileges via Adaptive Workflow Control, allowing organizations to lock down access to resources based upon the day, date, time, and location. By limiting the scope to specific runtime parameters, it narrows down the window of opportunity where someone might be exploiting misappropriated credentials. For example, if you normally expect the HVAC contractor to be logging on from particular systems, you can ensure that access is only permitted from predefined allowable IP address ranges. Similarly you can set up policies to control when the accounts are accessible, and alert when specific access policies are invoked.

4.4 Contextual access. Describe if/how the proposed solution can limit access to accounts/assets based on rules such as user type, time of day, IP address of the computer that is attempting to make the access, etc.
C BeyondInsight/PowerBroker Password Safe’s Adaptive Workflow Control and Access Policies allow you to control the day, the date, the time, and the location of how a given group of users access a given group of managed accounts.
In this way, a user may be limited to certain accounts depending on when they log on and where they log on from. The policies can also determine the approval workflow. For example, firecall access in the middle of the night may be auto-approved whereas access in the day may require approval. Access policies can invoke email alerts when they are used.

4.5 Scalability. Describe any limit to the number of accounts, users, target devices, disparate data center locations, etc., that can be managed within the proposed solution.
C BeyondTrust’s Professional Services group performs a detailed analysis of each customer’s environment to determine the best product architecture to meet the business/technology need. At a high level, in an active/passive deployment model, the total number of managed accounts is determined by the size of the appliance purchased; in an active/active model, there is essentially no limit to scale, as additional appliances will add cumulative capacity to the infrastructure.

4.6 Policy management. Describe how any general policy management rules can be written and enforced within the proposed solution (outside of those already discussed above in Access, Delegation, and Control.)
C Policy Management rules are applied by linked groups of users to groups of managed assets/accounts via a role-based access policy. Mechanisms exist to link Password Safe to external IdAM solutions whereby the external solution can provision the account and then call the Password Safe API to automatically add/manage/permission the account. Direct integration with solutions such as SailPoint will be available in July 2016.

4.7 Password Management

4.7.1 Password Management Overview. Describe how passwords are managed within the proposed solution. Is there any difference between password changes for different account types (e.g. privileged accounts vs. shared service accounts)?
C BeyondInsight/PowerBroker Password Safe allows for both password management and schedule-based rotation. Services that run under the context of a service account can also be updated/recycled as required. Password changes only differ between platform (Windows/Linux/Unix), not the classification/use of the accounts on the system.

4.7.2 Manual password changes. Describe if/how users can execute an immediate manual password change, including any request/approval requirements, notifications, etc.
C BeyondInsight/PowerBroker Password Safe administrators can issue an immediate password change on an account by account basis, or as part of an emergency mass password change to a group of accounts/all accounts. Passwords can also be automatically rotated as part of the session release process so every time a password is released, it is unique.

4.7.3 Automated password changes. Describe if/how password changes can be automated.
C Password changes can be scheduled at any pre-determined interval. These intervals may be set on a system by system basis, account by account basis, or as part of a Smart Rule policy.

4.7.4 Propagation. Describe if/how passwords are propagated to configuration files (e.g. for service account credentials that must be embedded in configuration files, scripts, etc.).
C Password Safe managed account credentials may be propagated to configuration files via the API. Markers can be inserted into text files such as web.config, and sample scripts provided can locate and replace credentials upon password change. This process may be invoked externally, or via custom platform push process.

4.7.5 Real time retrieval/binding. Does the proposed solution allow for real-time dynamic password retrieval (e.g. at runtime) for service accounts? If so, is this recommended? Describe the company’s philosophy on real time retrieval vs. propagation of (encrypted) hard-coded passwords into configuration files.
C Yes, real-time password retrieval for service accounts is supported in BeyondInsight/PowerBroker Password Safe via API. PowerBroker Password Safe APIs provide developers with the option to completely eliminate the need for hard-coded passwords in configuration files (and propagate them as well). It is always recommended that hard coded passwords be replaced with API calls where possible.

4.7.6 Ensuring accuracy. Describe how the proposed solution ensures that the passwords stored within it are accurate (e.g. what happens if a password is somehow changed outside of the purview of the proposed solution).
C BeyondInsight/PowerBroker Password Safe automatically checks accounts on a periodic basis to ensure that the password has not been changed via an external mechanism. If the password is different, Password Safe can invoke an immediate password change to bring the account in sync.

4.7.7 Password policy management. Describe how password policy rules are written and enforced. Describe if/how we can manage multiple rules (for instance, if we group our assets based on data that they store/access, can we apply different password policies to different groups to control settings such as complexity, aging, etc.)?
C BeyondInsight/PowerBroker Password Safe allows for the creation of multiple password rules to govern the differences between complexity requirements of different platforms. Each managed system and account may use different password rules and aging controls according to business / operating system stipulations.

4.7.8 Eliminating Admins’ need to know/use passwords. To what extent can we eliminate end users (e.g. system administrators, etc.) need to know/retrieve passwords (e.g. via session management, etc.)
C BeyondInsight/PowerBroker Password Safe has an integrated session manager (at no extra charge) that can automatically log users onto resources without ever revealing the password, record all video and keystrokes for later playback, and allow real-time session monitoring, with options to remotely manage/disconnect active sessions.

4.8 Cloud applications. Describe if/how accounts for our hosted cloud applications can be managed within the proposed solution.
C BeyondInsight/PowerBroker Password Safe fully supports the management of cloud-based applications/services, including (but not limited to) AWS, Azure, Rackspace, IBM SmartCloud.

4.9 Remote/segregated accounts. Describe limitations or specifics related to management of accounts across different subnets, firewalls, remote devices, etc.
C BeyondInsight/PowerBroker Password Safe must have network connectivity to the managed asset (device) in order to effect password changes. Authentication requests are always serviced by the appropriate mechanism (local user repository, Active Directory, LDAP, etc.), not by PowerBroker Password Safe directly.

4.10 User experience. Please describe user experience. System should be inviting enough to encourage adoption.
C BeyondInsight/PowerBroker Password Safe provides a rich HTML-based user interface for both end users and administrators. The UI has been specifically designed such that a user can immediately be productive without recourse to training/job-aids. Features such as OneClick password and session launching make the process of accessing resources both intuitive and fast.

5. SESSION MANAGEMENT
The County of Sacramento is interested in understanding how privileged sessions within target assets (i.e. logins to servers and databases with privileged accounts by system administrators, etc.) can be managed. Please describe:
Req ID | Requirement Description | Response Code | Vendor Response

5.1 Restricting access to targets.
Describe if/how privileged sessions to target systems can be forced to launch through the proposed solution rather than through direct access to the target.
C PowerBroker Password Safe provides a Session Management Proxy through which all connections can be terminated. Configuring the Access Policy to never release the actual password to the user (but rather provide a one-time session key for each connection request), connecting through the proxy then becomes the only path of access. For instances where you require users to access resources via known credentials, an Admin session feature allows a user to enter credentials to invoke the proxy – in this instance you would firewall off user direct access to managed systems.

5.2 Privileged accounts vs. named accounts. Describe any differentiation between system administrators logging in with a privileged account vs. logging in with their named user account.
C PowerBroker Password Safe provides full Role-Based Access Control functionality to support both shared and named accounts. A unique feature is the delegated admin mapping capability. Admins may be connected to their unique administrative accounts via a simple Smart Rule action. Full accountability, and controls are built in to ensure that users cannot connect to other users’ named accounts.

5.3 Session recording/playback. Please describe how sessions can be recorded and played back.
C PowerBroker Password Safe includes a proxy that connects the user to managed resources. It sits in the middle of the data stream and injects credentials without ever sending username, password, or hostname down to the desktop. The solution requires no client on either the server or the desktop, and allows the user to use native tools (MSTSC, PuTTY, Reflection, Teraterm, MobaXterm etc).

5.4 Storage/archival/deletion. Please describe how recorded sessions are stored, archived, and deleted.
Please discuss any compression or similar considerations given to the sizes and ages of the stored recordings.
C PowerBroker Password Safe provides the ability to configure the retention period of all data (including recorded sessions). Sizes of the recordings can vary depending on a number of factors. By general rule, an SSH session will grow at ~20K/minute, while RDP sessions grow ~300K/minute. Recordings are stored on the appliance immediately after the session is completed. An archive server may be configured to automatically move recordings off the appliance according to age, and available disk space.

5.5 Video of User Experience. Provide video of user experience while performing Server, Database, AD Administration, duties.
C The sessions are recorded as full motion video. As well as access to operating systems, video recording can be made of access to any Windows, Unix/Linux application; for example, DBMS tools, web browsers etc.

6. SECURITY, AUDITING, AND COMPLIANCE
The County of Sacramento is interested in increasing and ensuring overall security. Please describe:
Req ID | Requirement Description | Response Code | Vendor Response

6.1 Multi-factor authentication. Describe if/how the proposed solution supports multi-factor authentication (MFA).
C BeyondInsight/PowerBroker Password Safe supports RADIUS to leverage third party MFA components. Authentication may be configured such that different RADIUS servers can be invoked according to the user’s credentials.

6.1.1 Multi-factor authentication Additional uses. If MFA is offered, can it also be used outside of the control of the PAM solution (i.e. if we want to implement MFA for non-privileged users on any given application, etc.)?
CC While Password Safe may use any third-party mechanism via the RADIUS connector, multi-factor authentication is not a built in feature of the system.

6.2 Accuracy and currency.
Describe if/how the proposed solution can determine when new accounts/targets have been attached to the network without having also been added into the proposed PAM system.
C BeyondInsight/PowerBroker Password Safe provides the ability to automatically detect new accounts/targets through the implementation of scheduled Detailed Discovery Scans. Any new accounts/systems can also be auto-onboarded as part of that process.

6.3 Pass-the-Hash. Please describe if/how the proposed solution can secure against Pass-the-Hash attacks.
C BeyondInsight/PowerBroker Password Safe provides users with a unique, time-limited session key for each approved request. The system credentials are never actually released to the end user.

6.4 Suspicious activity. Describe if/how the proposed solution can be used to detect and alert on suspicious activity on target systems. Does it provide for automatic termination of sessions based on suspicious activity?
C BeyondInsight/PowerBroker Password Safe provides live session monitoring via the Session Management Proxy. While user sessions can be monitored/locked/terminated remotely by an Administrator or InfoSec resource, no automatic termination function exists currently.

6.5 Reports. Provide a list of the reports that are available out of the box (including descriptions of each report’s purpose). Please describe any warehousing methodologies/integration that may be required or may be available. Indicate whether third-party, or extra-cost reporting tools are required or recommended (e.g. Crystal Reports, etc.).
C *Please reference the attached Report Book for more detailed information.

6.6 Audits. Describe how audits are performed against users, accounts, target systems, access, etc.
C BeyondInsight/PowerBroker Password Safe records all user activity in both the end user and administrator interfaces. Reports can be run against this information and used to answer to internal/external audit-related inquiries.

6.7 SSH Key. Describe if/how the proposed solution can be used to manage SSH keys.
C With Password Safe, you can automatically rotate and synchronize keys according to a defined schedule and enforce granular access control and workflow to access SSH keys. Private keys that are stored in Password Safe can be leveraged to automatically log users onto Unix or Linux systems through the proxy with no user exposure to the key. SSH public keys may also be synchronized automatically. Whenever a new SSH key pair is generated, the new public key may be distributed to all hosts in the sync group. Password and SSH key synchronization makes it even easier for administrators to manage multiple account credentials with a scalable method that ensures adherence to password policy while maintaining security.

6.8 Other Security. Describe how the proposed system ensures any security not discussed above, including any auditing and compliance capabilities.
C BeyondInsight provides full traceability of activity both in the end user and administrative interfaces. All activity is recorded/logged for later review or audit as needed. Additionally, a full suite of compliance-related configuration baselines are available against which systems can be compared. All of this data is available through the Analytics & Reporting module.

7. INTEGRATION
The County of Sacramento is potentially interested in integration with a number of ancillary systems. Please describe:
Req ID | Requirement Description | Response Code | Vendor Response

7.1 IDENTITY ACCOUNT MANAGEMENT (IAM system). Describe any integration with any traditional Identity Account Management systems (e.g. provisioning system). Provide a list of partner products with which connectors are already written. To reiterate, the County of Sacramento has posted a separate, but parallel, RFP for an identity and access management solution to manage non-privileged accounts/systems.
C BeyondInsight/PowerBroker Password Safe can be integrated with most IdAM systems via post processing callouts to the Password Safe API. SailPoint direct integration will be available in July 2016.

7.2 ITSM integration. Describe any integration with any IT service management (ITSM) systems.
C BeyondInsight/PowerBroker Password Safe currently supports BMC Remedy and ServiceNow. CA Service Desk will be available in July 2016. HP ServiceDesk will be available H2, 2016.

7.3 SIEM integration. Describe any integration with security information and event management (SIEM) systems. The County of Sacramento currently uses XXXXXX.
C BeyondInsight/PowerBroker Password Safe provides integration to any SIEM solution via SNMP and syslog forwarding.

ATTACHMENT – 3
BeyondTrust Quote to County
Quote CONFIDENTIAL REV 072512

Account Name: County of Fresno
Quote Number: 00107173
Expiration Date: 11/10/2018
Prepared By: Adam Hendershot
Phone: (818) 575-4039
Email: ahendershot@beyondtrust.com
Contact Name: Craig Sensano
Phone: (559) 600-5879
Email: csensano@co.fresno.ca.us
Bill To Account: County of Fresno
Bill To Name: Craig Sensano
Bill To Address: 2281 Tulare Street
Bill To City: Fresno
Bill To State: CA
Bill To Zip: 93721
Bill To Country: UNITED STATES
Bill To Email: csensano@co.fresno.ca.us
Ship To Name: Craig Sensano
Ship To Address: 2281 Tulare Street
Ship To City: Fresno
Ship To State: CA
Ship To Zip: 93721
Ship To Country: UNITED STATES
Ship To Email: csensano@co.fresno.ca.us

BeyondTrust Software, Inc.
5090 North 40th Street, Suite 400 Phoenix, AZ 85018

Product | Line Item Description | SRP | Discount | Extended Unit Price | Quantity | Sales Subtotal
PBPSADD-LIC | PowerBroker Password Safe with BeyondInsight License - Per Asset | USD 90.00 | 45.00% | USD 49.50 | 1,500.00 | USD 74,250.00
PBPSADD-Maint1stYR | PowerBroker Password Safe with BeyondInsight Maintenance - Per Asset | USD 18.00 | 45.00% | USD 9.90 | 1,500.00 | USD 14,850.00
PBPS-PSRE-PKG15 | PowerBroker Password Safe with BeyondInsight - Professional Services - Tier 3 Implementation Package | USD 37,500.00 | | USD 37,500.00 | 1.00 | USD 37,500.00
PBWD-LIC | PowerBroker for Windows with BeyondInsight License | USD 28.00 | 45.00% | USD 15.40 | 500.00 | USD 7,700.00
PBWD-Maint1stYR | PowerBroker for Windows with BeyondInsight 1st Year Maintenance | USD 5.60 | 45.00% | USD 3.08 | 500.00 | USD 1,540.00
PBWS-LIC | PowerBroker Servers Windows Edition License | USD 119.00 | 45.00% | USD 65.45 | 950.00 | USD 62,177.50
PBWS-Maint1stYR | PowerBroker Servers Windows Edition 1st Year Maintenance | USD 23.80 | 45.00% | USD 13.09 | 950.00 | USD 12,435.50
PBWD-PSRE-PKG15 | PowerBroker Desktop with BeyondInsight - Professional Services - Tier 3 Implementation Package | USD 37,500.00 | | USD 37,500.00 | 1.00 | USD 37,500.00
PBULE-LIC | PowerBroker Server Essentials for Unix/Linux with BeyondInsight - License | USD 333.00 | 45.00% | USD 183.15 | 50.00 | USD 9,157.50

Prices are exclusive of and Purchaser is responsible for all VAT, use and equivalent, and withholding taxes, and taxes which may be applicable to online transactions in Purchaser’s state, however designated, and for shipping and handling, customs and duties. All sales are final. Payment terms are Net 30 unless otherwise stated in BeyondTrust's invoice.
Currency is US

Tax Exempt: Yes or No (If Yes, Please Attach copy of Certificate)
Tax Exempt #: __________________
By: ________________________________________
Name: _____________________________________
Title:_______________________________________
Date: ______________________________________
BeyondTrust Software, Inc.

Terms and Conditions:
PO Required: Yes or No
PO Number: ____________________
By: ________________________________________
Name: _____________________________________
Title:_______________________________________
Date: ______________________________________
County of Fresno
Quote and Terms and Conditions agreed to and accepted by:

Description: This discount is in service to a deal tendered by December 21, 2018.
Total Sales Price: USD 300,811.00

PBULE-Maint1stYR | PowerBroker Server Essentials for Unix/Linux with BeyondInsight - 1st Year Maintenance | USD 66.60 | 45.00% | USD 36.63 | 50.00 | USD 1,831.50
PBULE-PSRE-PKG5 | PowerBroker Server Essentials for Unix/Linux with BeyondInsight - Professional Services - Tier 1 Implementation Package | USD 12,500.00 | | USD 12,500.00 | 1.00 | USD 12,500.00
UVM20V-HW | Unified Vulnerability UVM20 Virtual Appliance | USD 10,235.00 | 30.00% | USD 7,164.50 | 2.00 | USD 14,329.00
UVMVT-DGR-SHIP | UVM Virtual Appliance Shipping and Handling - Domestic FedEx Ground | USD 20.00 | | USD 20.00 | 2.00 | USD 40.00
PBPS-PSFN-VILT | PowerBroker Password Safe - Foundations - Virtual ILT - Per Student | USD 750.00 | | USD 750.00 | 10.00 | USD 7,500.00
PBWD-PSFN-VILT | PowerBroker Windows - Foundations - Virtual ILT - Per Student | USD 750.00 | | USD 750.00 | 5.00 | USD 3,750.00
PBUL-PSFN-VILT | PowerBroker Unix/Linux - Foundations - Virtual ILT - Per Student | USD 750.00 | | USD 750.00 | 5.00 | USD 3,750.00

If Customer fails to utilize any portion or all of the services within one hundred and eighty (180) days of Customer's signature on this quote, the services shall automatically expire, allowing BeyondTrust to recognize them as complete.
Fees paid for services that Customer fails to utilize are not refundable. If Customer cancels or reschedules an Engagement less than five (5) business days before it is scheduled to begin, Customer shall (a) forfeit purchased days equal to 50% of scheduled Engagement delivery time and (b) reimburse BeyondTrust for any non-refundable travel expenses incurred by BeyondTrust related to the Engagement. If Customer cancels any portion of an Engagement once the Engagement has begun, Customer shall (a) forfeit purchased days equal to 100% of scheduled Engagement delivery time and (b) reimburse BeyondTrust for any non-refundable travel expenses incurred by BeyondTrust related to the Engagement.

Professional Services Terms & Conditions

dollars unless otherwise indicated. This Quote will become a binding order upon Purchaser’s signature, which constitutes Purchaser’s commitment to purchase pursuant to the terms and conditions of the Reference Agreement if indicated above, or if none is indicated, BeyondTrust’s Standard Terms (either, the “Agreement”). Purchaser acknowledges that the Agreement has been made available to Purchaser along with this Quote, via BeyondTrust’s website at http://www.beyondtrust.com/agreements/standardterms.pdf, or otherwise. This Quote and the Agreement are intended by the parties as the final declaration of their agreement with respect to the subject matter hereof and may not be contradicted by evidence of any prior or contemporaneous agreement. Purchaser’s PO serves solely as a confirmation of Purchaser’s commitment to pay; PO terms and conditions are not otherwise binding.

ATTACHMENT – 4
Password Safe Implementation Package

PROFESSIONAL SERVICES
PowerBroker Password Safe + PowerBroker for Desktops Implementation Packages

PowerBroker Password Safe + PowerBroker for Desktops Implementation Packages © 2018 BeyondTrust Software, Inc.

Contents
Implementation Plan Overview
Tier 1 Implementation Package
Tier 1 Recommended Architecture
Tier 2 Implementation Package
Tier 2 Recommended Architecture
Tier 3 Implementation Project (Custom SoW)
Tier 3 Recommended Architecture
About BeyondTrust

Implementation Plan Overview
BeyondTrust® offers three professional services bundled package options for PowerBroker® Password Safe® (PBPS) + PowerBroker for Windows (PBW) & PowerBroker for Mac (PBMac). Our packages are designed to fit your preferred deployment technology and project scope. Summarized below are the steps required for each services tier to achieve a successful deployment outcome. We’ll help you determine which tier will work best for you.
• Tier 1: PowerBroker for Desktops for retrieval of passwords only (Run As) from PowerBroker Password Safe
• Tier 2: PowerBroker Password Safe with PowerBroker for Desktops integration
• Tier 3: PowerBroker Password Safe and PowerBroker for Desktops with distributed components (partner only)

Tier 1 (approx. 10 days*) Tier 2 (approx.
15 days*) Tier 3 (timeline dependent on scope) Professional Services Criteria Install BeyondInsight UVM Appliances (minimum 2 for High Availability) ü ü ü Install PowerBroker for Desktops client using AD or McAfee ePO policy ü ü ü Configure Active/Passive High Availability (HA) configuration (appliance only) ü ü ü Configure Active/Active High Availability (HA) configuration (appliance only) ü ü Agent based password changes for accounts or services ü ü Install BeyondInsight and Password Safe as software (server hardening optional) ü Configure Active/Active High Availability (HA) configuration (software) ü Configure remote event collectors and/or worker nodes ü Assist with load balancers for event collectors ü Rule requirements with strict privileges or custom tokens to include application control (whitelisting or blacklisting policies) ü Custom dialogues, localization, or multifactor support ü Professional Services Tasks Integrate BeyondInsight with Active Directory (AD) ü ü ü Create PBW deployment packages using MSIs ü ü ü Configure PBW ADMX and policy settings ü ü ü Create Assets based on import, manual creation, or discovery ü ü ü Create functional accounts for managed assets ü ü ü PowerBroker Password Safe + PowerBroker for Desktops Implementation Packages © 2018 BeyondTrust Software, Inc. 3 Tier 1 (approx. 10 days*) Tier 2 (approx. 
15 days*) Tier 3 (timeline dependent on scope) Create policies based on BeyondInsight events (computer or user within AD or central policy) ü ü ü Create policies based on rules library ü ü ü Create risk compliance rules ü ü ü Create “Run As” rules for agent-based privileged elevation ü ü ü Configure RBAC with MFA support (RADIUS) ü ü Configure item level targeting per rule/group ü ü Configure cloud connectors ü ü Create custom user and/or computer rules ü ü Create file integrity, session monitoring, and Windows event log rules ü ü Windows Remote App Server with AutoIt Scripts ü ü Integrate with external ticketing and/or connect HSM, SEIM or other supported third-party solutions (must specify) ü ü Integrate with IAM and/or other third-party applications ü Create custom platform connector ü Create custom dialogues, localization and messages ü Assist with API development ü Remote session archiving ü Single sign-on integration ü Training and Knowledge Transfer Provide knowledge transfer for daily maintenance of PBPS, PBW, PBMac ü ü ü Provide online virtual based training to prepare for the implementation ü ü ü Provide onsite classroom based training to supplement the implementation optional * Days are intended to denote approximate duration of implementation rather than a purchase of time Tier 1 Implementation Package PowerBroker for Desktops for retrieval of passwords only (Run As) from PowerBroker Password Safe (Normal deployment timeframe: Ten (10) business days) 1) Deployment Scope a. BeyondInsight® appliance deployment and configuration b. BeyondInsight analytics and reporting – deployment and configuration c. PowerBroker for Desktops (Windows & Mac) deployment & configuration PowerBroker Password Safe + PowerBroker for Desktops Implementation Packages © 2018 BeyondTrust Software, Inc. 4 d. Privilege management policy configuration and deployment (Active Directory or ePO) e. PowerBroker Password Safe i. Automated password management ii. 
Session Management (SSH & RDP session policy access) 2) Deployment Architecture a. Physical or virtual appliance only for BeyondInsight (maximum 3 appliances – 2 PBPS) b. 2 nodes set up in Active/Passive High Availability model for Password Safe c. PowerBroker for Desktop agents (up to 2,500 assets) d. Assets will be imported from Active Directory (AD) or optional discovery scan (up to 2,500 assets) 3) Access Policy Management a. Up to 5 distinct password access policies defined for select roles for PowerBroker Password Safe managed assets b. Up to 5 session management access policies using standard SSH or RDP protocols for PowerBroker Password Safe 4) Privilege Policy Management a. Up to 5 distinct asset policies for least privilege delegation and reporting b. Up to 5 distinct least privilege rules from the rules library c. Up to 5 distinct risk compliance rules 5) Standard Connectors a. AD integration with up to 1 forest and 3 domains for User, Group and Computer discovery, or LDAP integration to a single LDAP server 6) Add-on Options a. Session management – application proxy (not included with Tier 1) b. Application-to-Application API (not included with Tier 1) c. Custom Platform (not included with Tier 1) d. Session recording policy configuration, deployment and training (not included in Tier 1) e. File integrity configuration, deployment and training (not included in Tier 1) f. Event monitoring policy configuration, deployment and training (not included in Tier 1) 7) Training a. Deployment and best practice knowledge transfer b. Virtual training class – 2 seats c. Optional 2-day on-site training available for purchase PowerBroker Password Safe + PowerBroker for Desktops Implementation Packages © 2018 BeyondTrust Software, Inc. 
TIER 1 RECOMMENDED ARCHITECTURE
PowerBroker for Desktops for retrieval of passwords only (Run As) from PowerBroker Password Safe

Tier 2 Implementation Package
PowerBroker Password Safe with PowerBroker for Desktops Integration
(Normal deployment timeframe: Fifteen (15) business days)

1) Deployment Scope
   a. BeyondInsight appliance deployment and configuration
   b. BeyondInsight analytics and reporting - deployment and configuration
   c. PowerBroker for Desktops (Windows & Mac) deployment and configuration
      i. Privilege management policy configuration and deployment (AD or ePO)
      ii. Application control policy configuration and deployment
      iii. Session recording policy deployment and configuration
      iv. File integrity policy deployment and configuration
      v. Event monitoring policy deployment and configuration
   d. PowerBroker Password Safe
      i. Automated password management
      ii. Session Management (SSH & RDP session policy access)
      iii. Windows terminal server remote application support
2) Deployment Architecture
   a. Physical or virtual appliance only for BeyondInsight (maximum 5 appliances - 3 PBPS)
   b. 3 nodes set up in an Active/Active High Availability model for Password Safe, appliance only, deployed in up to 3 data center locations (client is responsible for providing a MS SQL database environment); optional Active/Passive configuration, appliance only
   c. PowerBroker Desktop agents (up to 5,000 assets)
   d. Optional HSM integration (Gemalto or Thales)
   e. Assets will be imported from Active Directory (AD) or optional discovery scan (up to 5,000 assets)
3) Access Policy Management
   a. Up to 5 distinct RBAC roles for solution and system access
   b. Up to 5 distinct password access policies defined for select roles for PowerBroker Password Safe managed assets
   c. Up to 5 session management access policies using standard SSH or RDP protocols for PowerBroker Password Safe
   d. Up to 5 session management rules for Windows screen capturing
4) Privilege Policy Management
   a. Up to 5 distinct asset policies for least privilege delegation and reporting
   b. Up to 10 distinct least privilege custom rules
   c. Up to 3 distinct file integrity rules enabled from the library
   d. Windows application support with AutoIT scripts (1 application)
   e. Up to 5 distinct risk compliance rules
5) Standard Connectors
   a. AD integration with up to 1 forest and 3 domains for User, Group and Computer discovery, or LDAP integration to a single LDAP server
   b. MFA: RADIUS integration for Password Safe access (1 provider)
   c. Configure up to 2 auto-managed cloud connectors
6) Add-on Components
   a. Session Management – application proxy (not included in tier 2)
   b. Application-to-Application API (not included in tier 2)
   c. Custom Platform (not included in tier 2)
7) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class – 2 seats
   c. Optional 2-day on-site training available for purchase

TIER 2 RECOMMENDED ARCHITECTURE
PowerBroker Password Safe with PowerBroker for Desktops Integration

Tier 3 Implementation Project (Custom SoW)
PowerBroker Password Safe and PowerBroker for Desktops with distributed components

1) Deployment Scope
   a. BeyondInsight appliance deployment and configuration
   b. BeyondInsight analytics and reporting - deployment and configuration
   c. PowerBroker for Desktops (Windows & Mac) deployment and configuration
   d. Privilege management policy configuration and deployment (AD or ePO)
      i. Application control policy configuration and deployment
      ii. Session recording policy deployment and configuration
      iii. File integrity policy deployment and configuration
      iv. Event monitoring policy deployment and configuration
   e. PowerBroker Password Safe
      i. Automated password management
      ii. Session Management (SSH & RDP session policy access)
      iii. Windows terminal server remote application support
2) Deployment Architecture
   a. Physical or virtual appliance for BeyondInsight (5 appliances or more); optional software installation of BeyondInsight (server hardening optional)
   b. Multiple nodes set up in an Active/Active High Availability model for Password Safe, appliance or software model deployed in up to 3 data center locations (client is responsible for providing a MS SQL database environment); optional Active/Passive configuration, appliance only
   c. PowerBroker Desktop agents (more than 5,000 assets)
   d. Optional load balancers for event collectors and/or worker nodes
   e. Optional HSM integration (Gemalto or Thales)
   f. Configure remote session monitor archiving (PBPS only)
   g. Assets will be imported from Active Directory (AD) or optional discovery scan (more than 5,000 assets)
3) Access Policy Management
   a. Up to 5 distinct RBAC roles for solution and system access
   b. Up to 5 distinct password access policies defined for select roles for Password Safe managed assets
   c. Up to 5 session management access policies using standard SSH or RDP protocols for PBPS
   d. Up to 5 session management rules for Windows screen capturing
   e. Up to 5 distinct rules for automated SSH key management
   f. Up to 1 API script implementation sample and training
4) Privilege Policy Management
   a. Up to 5 distinct asset policies for least privilege delegation and reporting
   b. Up to 15 distinct least privilege custom rules (allow for custom tokens)
   c. Up to 3 distinct application rules enabled with session recording from the policy library
   d. Up to 3 distinct file integrity rules enabled from the policy library
   e. Windows application support with AutoIT scripts (3 applications)
   f. Up to 3 custom messages and localization
   g. Up to 5 distinct risk compliance rules
5) Standard Connectors
   a. AD integration with up to 1 forest and 3 domains for User, Group and Computer discovery, or LDAP integration to a single LDAP server
   b. MFA: RADIUS integration for Password Safe access (1 provider)
   c. Configure up to 1 database platform for local database account management
   d. Configure up to 2 auto-managed cloud connectors
   e. Create custom platform connector
6) You Pick – Choose from the Following
   a. Ticketing integration for Dynamic Access Policy access – <select 1 provider from list of certified vendors>
   b. Single Sign-On integration – <select 1 provider from list of certified vendors>
   c. Application-to-Application API
   d. SailPoint role integration (STI)
7) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class – 2 seats
   c. Optional 2-day on-site training available for purchase

TIER 3 RECOMMENDED ARCHITECTURE
PowerBroker Password Safe and PowerBroker for Desktops with distributed components

About BeyondTrust

BeyondTrust is the worldwide leader in Privilege-Centric Security, offering the most seamless and straightforward approach to preventing data breaches related to stolen credentials, hijacked insider accounts, and misused privileges. Our privileged access management platform is the most extensible on the market, enabling organizations to easily scale their privilege security programs as threats evolve across endpoint, server, cloud and network device environments.
Only BeyondTrust unifies the industry’s broadest set of built-in capabilities with centralized management, reporting and analytics, empowering leaders to take decisive and informed actions to defeat attackers. This is backed by a flexible design that simplifies integration with other best-of-breed solutions and boosts the value of our customers’ IT security investments. With BeyondTrust, organizations gain the visibility and control they need to confidently reduce risk, maintain productivity, and stay out of the headlines. We are trusted by over 4,000 customers and a global partner network. Learn more at www.beyondtrust.com.

ATTACHMENT – 5
Unix and Linux Implementation Package

PROFESSIONAL SERVICES
PowerBroker for Unix & Linux Implementation Packages
© 2018 BeyondTrust Software, Inc.

Contents
   Implementation Plan Overview
   Tier 1 Implementation Package
      Tier 1 Recommended Architecture
   PBUL - Tier 2 Implementation Package
      Tier 2 Recommended Architecture
   PBUL - Tier 3 Implementation Package
      Tier 3 Recommended Architecture
   PBUL - Tier 4 Implementation Project (Custom SoW)
      Tier 4 Recommended Architecture
   About BeyondTrust

Implementation Plan Overview

BeyondTrust® offers four professional services package options for PowerBroker® for Unix & Linux (PBUL) or PowerBroker® for Unix & Linux Essentials (PBULE). Our packages are designed to fit your preferred deployment technology and project scope. Summarized below are the steps required for each services tier to achieve a successful deployment outcome. We’ll help you determine which tier will work best for you.

• Tier 1: Basic installation with distributed architecture
• Tier 2: Two (2) Separate policy and log servers in a High Availability configuration
• Tier 3: Up to four (4) separate policy and log servers in a High Availability configuration
• Tier 4: More than four (4) separate policy and log servers in a High Availability service group

| Professional Services Criteria | Tier 1 (Approx. 5 days*) | Tier 2 (Approx. 10 days*) | Tier 3 (Approx. 15 days*) | Tier 4 (Timeline dependent on scope) |
|---|---|---|---|---|
| Basic environment installation with distributed architecture | ✓ | ✓ | ✓ | ✓ |
| Installation of PowerBroker Server Management Console (PBSMC) | ✓ | ✓ | ✓ | ✓ |
| Initial policy assistance using role-based policy via PBSMC | ✓ | ✓ | ✓ | ✓ |
| Multiple Policy and Log Servers (up to…) | 2 | 2 | 4 | >4 |
| Role based policy | ✓ | ✓ | ✓ | ✓ |
| Script based policy*** | | ✓ | ✓ | ✓ |
| File integrity monitoring*** | | | ✓ | ✓ |
| Advanced audit policy*** | | | | ✓ |
| Integrate with BeyondInsight for centralized management | | ✓ | ✓ | ✓ |
| Automation of client deployment for DevOps*** | | | | ✓ |

| Professional Services Tasks | Tier 1 (Approx. 5 days*) | Tier 2 (Approx. 10 days*) | Tier 3 (Approx. 15 days*) | Tier 4 (Timeline dependent on scope) |
|---|---|---|---|---|
| Installation of client and management components | ✓ | ✓ | ✓ | ✓ |
| Initial administrator policy and assignment | ✓ | ✓ | ✓ | ✓ |
| High Availability architecture and setup of management components | | ✓ | ✓ | ✓ |
| Installation and integration of BeyondInsight | | ✓ | ✓ | ✓ |
| Installation of Solr for keystroke log indexing | | ✓ | ✓ | ✓ |
| Integration into a Supported SIEM** Vendor | | ✓ | ✓ | ✓ |
| Integration with a supported ticketing system | | | ✓ | ✓ |
| Registry name services | | | | ✓ |
| Automation of client deployment via package installers | | | | ✓ |

| Training and Knowledge Transfer | Tier 1 (Approx. 5 days*) | Tier 2 (Approx. 10 days*) | Tier 3 (Approx. 15 days*) | Tier 4 (Timeline dependent on scope) |
|---|---|---|---|---|
| Provide knowledge transfer for daily maintenance of PBUL | ✓ | ✓ | ✓ | ✓ |
| Provide online virtual based training to prepare for the implementation | ✓ | ✓ | ✓ | ✓ |
| Provide onsite classroom based training to supplement the implementation | optional | optional | optional | optional |

* Days are intended to denote approximate duration of implementation rather than a purchase of time
** Integration is limited to forwarding data but does not include SIEM rule creation.
*** Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).

Tier 1 Implementation Package
Basic installation with distributed architecture
(Normal deployment timeframe: Five (5) business days)

1) Deployment Scope
   a. PowerBroker for Unix & Linux policy server deployment
   b. PowerBroker for Unix & Linux log server deployment
   c. PowerBroker for Unix & Linux Run Host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
2) Deployment Architecture
   a. Up to 2 servers running both policy and log configured in HA/failover
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role-based policy via PBSMC
3) Privilege Management
   a. Up to 3 distinct privilege policies defined within the PBSMC interface*
   b. Up to 2 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 2 distinct advanced audit policies defined within the PBSMC interface***
4) Add-on Components
   a. PowerBroker for Unix & Linux integration with supported SIEM vendor (not included in Tier 1)
   b. PowerBroker for Unix & Linux integration with supported ticketing system vendor (not included in Tier 1)
5) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class – 1 seat
   c. Optional 2-day on-site training available for purchase

*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be formed on a best effort and time permitting basis.
*** Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).

TIER 1 RECOMMENDED ARCHITECTURE
Basic installation with distributed architecture

PBUL - Tier 2 Implementation Package
Two (2) Separate Policy and Log Servers in a HA configuration
(Normal deployment timeframe: Ten (10) business days)

1) Deployment Scope
   a. PowerBroker for Unix & Linux policy server deployment (HA architecture)
   b. PowerBroker for Unix & Linux log server deployment (HA architecture)
   c. PowerBroker for Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
   e. BeyondInsight IT Risk Management Console deployment
2) Deployment Architecture
   a. Up to 2 servers running both policy and log configured in HA/failover
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role-based policy via PBSMC or optional hybrid native and PBSMC; optional script-based policy
3) Privilege Management
   a. Up to 3 distinct privilege policies defined within the PBSMC interface*
   b. Up to 2 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 2 distinct advanced audit policies defined within the PBSMC interface***
4) Included Components
   a. PowerBroker for Unix & Linux integration with supported SIEM** vendor
5) Add-on Components (requires a higher tier)
   a. PowerBroker for Unix & Linux integration with supported ticketing system vendor (not included in Tier 2)
6) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class – 2 seats
   c. Optional 2-day on-site training available for purchase

*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be formed on a best effort and time permitting basis.
** Integration is limited to forwarding data but does not include SIEM rule creation.
*** Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).

TIER 2 RECOMMENDED ARCHITECTURE
Two (2) Separate Policy and Log Servers in a HA configuration

PBUL - Tier 3 Implementation Package
Up to four (4) separate policy and log servers in a High Availability configuration
(Normal deployment timeframe: Fifteen (15) business days)

1) Deployment Scope
   a. PowerBroker Unix & Linux policy server deployment (HA architecture)
   b. PowerBroker Unix & Linux log server deployment (HA architecture)
   c. PowerBroker Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
   e. BeyondInsight IT Risk Management Console deployment
2) Deployment Architecture
   a. Up to 2 policy and 2 log servers configured in HA/failover
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role based policy via PBSMC
   d. Optional hybrid native and PBSMC; optional script based policy or advanced audit policy***
   e. File integrity monitoring***
3) Privilege Management
   a. Up to 4 distinct privilege policies defined within the PBSMC interface*
   b. Up to 3 distinct file integrity policies defined within PBSMC interface***
   c. Up to 3 distinct advanced audit policies defined within the PBSMC interface***
4) Included Components
   a. PowerBroker Unix & Linux integration with supported SIEM** vendor
   b. PowerBroker Unix & Linux integration with supported ticketing system vendor
5) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class – 2 seats
   c. Optional 2-day on-site training available for purchase

*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be formed on a best effort and time permitting basis.
** Integration is limited to forwarding data but does not include SIEM rule creation.
*** Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).

TIER 3 RECOMMENDED ARCHITECTURE
Up to four (4) separate policy and log servers in a High Availability configuration
PBUL - Tier 4 Implementation Project (Custom SoW)
More than 4 Separate Policy and Log Servers in a HA Service Group

1) Deployment Scope
   a. PowerBroker Unix & Linux policy server deployment (HA architecture)
   b. PowerBroker Unix & Linux log server deployment (HA architecture)
   c. PowerBroker Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
   e. BeyondInsight IT Risk Management Console deployment
2) Deployment Architecture
   a. High Availability requirement: multiple policy and log servers (> 4 each)
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role based policy via PBSMC
   d. Optional hybrid native and PBSMC; optional script based policy or advanced audit policy***
   e. File integrity monitoring***
   f. Automation of client deployment for DevOps via packaged installers***
3) Privilege Management
   a. Up to 5 distinct privilege policies defined within the PBSMC interface*
   b. Up to 3 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 3 distinct advanced audit policies defined within the PBSMC interface***
4) Included Components
   a. PowerBroker Unix & Linux integration with supported SIEM** vendor
   b. PowerBroker Unix & Linux integration with supported ticketing system vendor
   c. Registry name service
5) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class – 2 seats
   c. Optional 2-day on-site training available for purchase

*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be formed on a best effort and time permitting basis.
** Integration is limited to forwarding data but does not include SIEM rule creation.
*** Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).
TIER 4 RECOMMENDED ARCHITECTURE
More than 4 Separate Policy and Log Servers in a HA Service Group

About BeyondTrust

BeyondTrust is the worldwide leader in Privilege-Centric Security, offering the most seamless and straightforward approach to preventing data breaches related to stolen credentials, hijacked insider accounts, and misused privileges. Our privileged access management platform is the most extensible on the market, enabling organizations to easily scale their privilege security programs as threats evolve across endpoint, server, cloud and network device environments.

Only BeyondTrust unifies the industry’s broadest set of built-in capabilities with centralized management, reporting and analytics, empowering leaders to take decisive and informed actions to defeat attackers. This is backed by a flexible design that simplifies integration with other best-of-breed solutions and boosts the value of our customers’ IT security investments. With BeyondTrust, organizations gain the visibility and control they need to confidently reduce risk, maintain productivity, and stay out of the headlines. We are trusted by over 4,000 customers and a global partner network. Learn more at www.beyondtrust.com.