HomeMy WebLinkAboutAgreement A-18-712 with BeyondTrust Software Inc..pdf Agreement No. 18-712 1 AGREEMENT 2 3 THIS AGREEMENT ("Agreement") is made and entered into this 11th day of December 2018 4 ("Effective Date"), by and between the COUNTY OF FRESNO, a Political Subdivision of the State of 5 California ("COUNTY"), and BeyondTrust Software, Inc., a California corporation, whose address is 5090 6 N. 40th Street, Suite 400, Phoenix, AZ. 85018 ("CONTRACTOR"). 7 WITNESSETH: 8 WHEREAS, COUNTY is in need of a Privileged Access Management(PAM) software system that includes 9 session management and recording, password vaulting, automation, and multi-factor authentication; and 10 WHEREAS, CONTRACTOR is willing and able to fulfill that need pursuant to the terms and conditions of 11 this Agreement; and 12 WHEREAS, COUNTY is able to obtain preferential pricing through the Request for Proposal (RFP #8367) 13 issued by Sacramento County on April 16, 2016 for a Privileged Access Management Solution, which was 14 competitively bid and awarded to BeyondTrust Software, Inc. 15 NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions herein contained, the 16 parties hereto agree as follows: 17 1. DOCUMENTS CONSTITUTING AGREEMENT 18 A. This Agreement includes: 19 1) Sacramento County's RFP No. 8367 for a Privileged Access Management 20 (PAM) Solution, attached as Attachment 1 and incorporated by this reference; 21 2) The proposal submitted by BeyondTrust Software, Inc., accepted and 22 awarded by Sacramento County attached as Attachment 2 (the "Proposal") and incorporated by this 23 reference. 
All capitalized terms contained in this Agreement and not specifically defined herein, shall be 24 defined in the Proposal (Attachment 2); 25 3) BeyondTrust Software, Inc.'s quote to COUNTY dated November 10, 2018, 26 attached as Attachment 3 and incorporated by this reference, which sets forth CONTRACTOR's pricing for 27 products and services to be provided under this Agreement; 28 4) CONTRACTOR's Password Safe Implementation Package, attached as -1- 1 Attachment 4 and incorporated by this reference; and 2 5) CONTRACTOR's Unix and Linux Implementation Package, attached as 3 Attachment 5 and incorporated by this reference. 4 2. DEFINITIONS 5 The following terms used throughout this Agreement shall be defined as follows: 6 Acceptance Test: 7 The Process of testing a specific function or functions to determine if the operation or operations are 8 stated in this Agreement. 9 Change Control Process: 10 Process used by the Information Technology Services Division of COUNTY's Internal Services 11 Department (ISD) to inform staff of new or updated production use systems. 12 COUNTY System Hardware: 13 The central processing units owned or leased by COUNTY that are described in this Agreement 14 on which COUNTY is licensed to use the System Software, any back-up equipment for such 15 central processing units, and any peripheral hardware such as terminals, printers, and Personal 16 Computers as described in this Agreement. 17 COUNTY System Software: 18 The operating system and database software installed on the COUNTY System Hardware. 19 Final System Acceptance: 20 When it is determined by COUNTY that all necessary deliverables have been delivered, the data 21 has been converted, the software has been successfully installed and tested, and the software 22 performs all functions in accordance with its specifications. 23 First Production Use: 24 Date of first use of the System in a production environment. 
25 License: 26 The meaning assigned to the term 'License" as defined in Section III-A of this Agreement 27 and the rights and obligations which it creates under the laws of the United States of 28 -2- 1 America and the State of California including without limitation, copyright and intellectual 2 property law. 3 Monies: 4 The terms "Monies", "Charges", "Price", and "Fees" will be considered to be equivalent. 5 Public Records: 6 Public Records includes any writing containing information relating to the conduct of the public's 7 business that is prepared, owned, used, or retained by any state or local agency, regardless of 8 physical form or characteristics. 9 Supplier: 10 The terms "Supplier", "Vendor", and "BeyondTrust Software" all refer to CONTRACTOR and are 11 considered to be equivalent throughout this Agreement. 12 System: 13 The System Software and System Documentation, collectively. Reference to the "System" shall 14 include any component thereof. All modifications and enhancements to the System shall be 15 deemed to be part of the System as defined herein and shall be subject to all terms and 16 conditions set forth herein. 17 System Documentation: 18 The documentation relating to the System Software, and all manuals, reports, brochures, sample 19 runs, specifications and other materials comprising such documentation provided by 20 CONTRACTOR in connection with the System Software pursuant to this Agreement. 21 System Operation: 22 The general operation of COUNTY's hardware and all software including, but not limited to, 23 system restarts, configuration and operation of system peripherals (such as printers, modems, 24 and terminals), installation of new software releases, and other related activities. 25 System Installation: 26 All software has been delivered, has been physically loaded on a Computer, and COUNTY has 27 successfully executed program sessions. 
28 System Software: -3- 1 That certain computer software described in this Agreement provided by 2 CONTRACTOR, and all interfaces, coding, tapes, disks, modules and similar materials 3 comprising such software or on which it is stored. System Software does not include 4 operating system software, or any other Third-Party Software. 5 User: 6 The terms "User," "Customer," "Client," and "Licensee" all refer to COUNTY and shall be 7 equivalent throughout this Agreement. 8 3. OBLIGATIONS OF THE CONTRACTOR 9 A. SOFTWARE LICENSE 10 1) GRANT OF LICENSE 11 CONTRACTOR grants to COUNTY and COUNTY accepts a non-exclusive, non- 12 transferable, non-assignable, perpetual license to use the following PowerBroker with 13 Beyondlnsight Product Licenses per asset: Password Safe, Windows, Servers Windows 14 Edition, and Server Essentials for Unix/Linux subject to the terms and conditions set forth in 15 this Agreement ("License"). 16 2) SCOPE OF LICENSE 17 The License granted herein shall consist solely of the non-exclusive, non-transferable, 18 non-assignable right of COUNTY to operate the System Software in support of various 19 COUNTY departments, including COUNTY's ISD, provided that the County of Fresno, as 20 signatory hereto, accepts liability for compliance with the terms and conditions of the 21 Agreement. 22 3) OWNERSHIP 23 The parties acknowledge and agree that, as between CONTRACTOR and COUNTY, title 24 and full ownership of all rights in and to the System Software, System Documentation, 25 and all other materials provided to COUNTY by CONTRACTOR under the terms of this 26 Agreement shall remain with CONTRACTOR. COUNTY will take reasonable steps to 27 protect trade secrets of the System Software and System Documentation. Ownership of 28 all copies is retained by CONTRACTOR. COUNTY may not disclose or make available to -4- 1 third parties the System Software or System Documentation or any portion thereof. 
2 CONTRACTOR shall own all right, title and interest in and to all corrections, 3 modifications, enhancements, programs, and work product conceived, created or 4 developed, alone or with COUNTY or others, as a result of or related to the performance 5 of this Agreement, including all proprietary rights therein and based thereon. Except and 6 to the extent expressly provided herein, CONTRACTOR does not grant to COUNTY any 7 right or license, express or implied, in or to the System Software and System 8 Documentation or any of the foregoing The parties acknowledge and agree that, as 9 between CONTRACTOR and COUNTY, full ownership of all rights in and to all COUNTY 10 data, whether in magnetic or paper form, including without limitation printed output from 11 the System, are the exclusive property of COUNTY. 12 4) POSESSION, USE AND UPDATE OF SOFTWARE 13 COUNTY agrees that only COUNTY will use the System Software for its own internal 14 purposes. CONTRACTOR may, at reasonable times, inspect COUNTY's premises and 15 equipment to verify that all of the terms and conditions of this License are being observed. 16 If COUNTY is found to have used or deployed the System Software in excess of the 17 licenses purchased hereunder, COUNTY must pay the license fee and maintenance and 18 support fee for such overage as of the date of first use. CONRACTOR may create, from 19 time to time, updated versions of the System Software and System Documentation and 20 CONTRACTOR shall, so long as County is on a current maintenance and support plan, 21 make such system updates available to COUNTY when and if such system updates 22 become generally available. All System Updates shall be licensed under the terms of this 23 Agreement. COUNTY agrees to follow the prescribed instructions for updating the System 24 Software and System Documentation provided to COUNTY by CONTRACTOR. COUNTY 25 must authorize all System Updates in writing. 
26 5) TRANSFER OF SOFTWARE 27 COUNTY shall not rent, lease, license, distribute, sell, transfer, or assign this license, the 28 System Software, or the System Documentation, or any of the information contained -5- 1 therein other than COUNTY data, to any other person or entity, whether on a permanent 2 or temporary basis, and any attempt to do so will constitute a breach of this Agreement. 3 No right or license is granted under this Agreement for the use or other utilization of the 4 licensed programs, directly or indirectly, for the benefit of any other person or entity, 5 except as provided in this Agreement. 6 6) RESTRICTION ON USE 7 COUNTY shall not (i) license, sublicense, sell, resell, transfer, assign, distribute or 8 otherwise commercially exploit or make available to any third party the System Software 9 or the System Documentation in any way; (ii) modify or make derivative works based 10 upon the System Software or the System Documentation; (iii) create Internet "links" to the 11 System Software or"frame" or"mirror" any System Documentation on any other server or 12 wireless or Internet-based device; (iv) send spam or otherwise duplicative or unsolicited 13 messages in violation of applicable law; (v) send or store infringing, obscene, threatening, 14 libelous, or otherwise unlawful or tortious material, including material harmful to children 15 or violative of third party privacy rights; (iv) send or store material containing software 16 viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or 17 programs; (vii) interfere with or disrupt the integrity or performance of the System 18 Software or the data contained therein, including but not limited to COUNTY Data; (viii) 19 attempt to gain unauthorized access to the System Software or its related systems or 20 networks or source code; (ix) reverse engineer or access the System Software in order to 21 (a) build a competitive product or service, (b) build a product using 
similar ideas, features, 22 functions or graphics of the System Software, or (c) copy any ideas, features, functions or 23 graphics of the System Software. 24 7) INTELLECTUAL PROPERTY, TRADEMARK AND COPYRIGHT 25 CONTRACTOR retains ownership of the System Software, any portions of copies thereof, 26 and all rights therein. CONTRACTOR reserves all rights not expressly granted to 27 COUNTY. This License does not grant COUNTY any rights in connection with any 28 trademarks or service marks of CONTRACTOR, its suppliers or licensors. All right, title, -6- 1 interest and copyrights in and to the System Software and the accompanying System 2 Software Documentation and any copies of the System Software are owned by 3 CONTRACTOR, its suppliers or licensors. All title and intellectual property rights in and to 4 the content which may be accessed through use of the System Software are the property 5 of the respective content owner and may be protected by applicable copyright or other 6 intellectual property laws and treaties. This License grants COUNTY no rights to use 7 such content. 8 B. SERVICES TO BE PROVIDED BY CONTRACTOR TO COUNTY 9 1) SYSTEM INSTALLATION 10 CONTRACTOR shall supply and install software in accordance with this 11 Agreement and the Attachments attached with respect to the fifteen (15) day 12 implementation professional services costs for Password Safe, Windows 13 Desktop, and Server Essential for Unix/Linux. Such software installation shall 14 include hardware/network review and recommendations, consultation, software 15 installation and remote technical support. 16 2) TRAINING 17 CONTRACTOR will conduct"train-the-trainer" training of COUNTY staff at a 18 COUNTY designated location and at a time approved in writing by COUNTY. 19 3) DOCUMENTATION 20 CONTRACTOR shall provide to COUNTY software system Documentation, 21 which shall consist of electronic media files. The electronic media files must be 22 printable using PC software normally available at COUNTY. 
CONTRACTOR 23 shall provide new System Documentation corresponding to all new Software 24 Upgrades. COUNTY may print additional copies of all documentation. All 25 System Documentation is to be used by COUNTY only for the purpose 26 identified within this Agreement. 27 28 -7- 1 C. SYSTEM MAINTENANCE AND SUPPORT BY CONTRACTOR 2 System maintenance and support includes System Updates as they are 3 generally released by CONTRACTOR, including updates as required as a 4 result of regulatory changes, as applicable. CONTRACTOR will support day- 5 to-day operation of the System as follows: 6 1) SUPPORT HOURS/SCOPE 7 Provide unlimited technical assistance by phone during normal coverage 8 hours (7:30 a.m. to 5:00 p.m. Pacific Standard Time (PST), Monday through 9 Friday, except CONTRACTOR and COUNTY holidays), toll-free telephone 10 assistance to keep the System in, or restored to, normal operating condition. 11 The object of this support will be to answer specific questions related to the 12 System Software and the application thereof. Support provided under this 13 Agreement does not include training of new personnel (after initial staff is 14 trained), operation of hardware, or solving other hardware/software problems 15 unrelated to the System Software. 16 2) SUPPORT RESPONSE 17 During the term of this Agreement, CONTRACTOR will (a) correct any error 18 or malfunctions in the System as supplied by CONTRACTOR which prevents 19 it from operating in conformance with the specifications set forth in this 20 Agreement or (b) provide a commercially reasonable alternative that will 21 conform to the specifications set forth in this Agreement. 
22 If analysis by CONTRACTOR indicates a reported problem is caused by a 23 reproducible error or malfunction in the then-current release of the System 24 Software as supplied and maintained by CONTRACTOR that significantly 25 impacts effective use of the System by COUNTY, CONTRACTOR will, if the 26 System is inoperable, as reported by COUNTY, provide continuous effort to 27 correct the error or to resolve the problem by providing a circumvention. 28 -8- 1 In such cases, CONTRACTOR will provide COUNTY with corrective 2 information, such as corrective documentation and/or program code. 3 CONTRACTOR will endeavor to respond to COUNTY's service request no 4 later than four (4) business hours from the time a call has been received by 5 CONTRACTOR. In the event that a person with the necessary expertise is 6 not available when the call is received, CONTRACTOR will endeavor to 7 respond to the service request no later than within one (1) business day. 8 3) REMOTE VIRTUAL PRIVATE NETWORK (VPN) OR EQUIVALENT 9 DIAGNOSTICS 10 CONTRACTOR shall provide remote VPN diagnostics or equivalent 11 diagnostics support, which includes: 12 a. Diagnostic or corrective actions necessary to restore proper software 13 operation; 14 b. Diagnostic actions which attempt to identify the cause of System problem; 15 c. Correction of data file problem; and 16 d. Software System modifications. 17 e. CONTRACTOR product specialists will provide diagnostics on software 18 system via VPN or an equivalent COUNTY provided method. COUNTY 19 will provide any required hardware and equipment necessary at COUNTY 20 for CONTRACTOR VPN or equivalent support. 21 4) ERROR CORRECTION PROCESS 22 If during the term of this Agreement COUNTY determines that software 23 error(s) exist, COUNTY will first follow the error procedures specified in the 24 System Documentation. 
If following the error procedures does not correct the 25 software error, COUNTY shall immediately notify CONTRACTOR, setting 26 forth the defects noted with specificity. Upon notification of a reported 27 software error, CONTRACTOR shall provide a solution as soon as 28 practicable. If CONTRACTOR determines that a solution shall require more -9- 1 than five (5) days to resolve, CONTRACTOR shall notify COUNTY 2 immediately with a time estimate for completion. Upon completion of the 3 solution, COUNTY shall retest the System Software and report and other 4 software errors. 5 5) TECHNICAL INFORMATION 6 CONTRACTOR will provide technical information to COUNTY from time to 7 time. Such information may cover areas such as software usage, third party 8 software, and other matters considered relevant to COUNTY by 9 CONTRACTOR. Technical information will be provided at the discretion of 10 CONTRACTOR but will not be unreasonably withheld. 11 D. ADDITIONAL SYSTEM MAINTENANCE SERVICES BY 12 CONTRACTOR 13 CONTRACTOR may provide additional maintenance services ("Additional 14 Maintenance and Support Services" or"Additional Maintenance Services") at 15 an additional charge. Charges will be at current prices in effect at the time 16 goods or services are provided. Any Additional Maintenance and Support 17 Services requested by COUNTY and determined by CONTRACTOR to be 18 billable by CONTRACTOR must be identified as a chargeable service prior to 19 the service being performed and must be approved in writing in advance by 20 COUNTY's Contract Administrator. Additional Maintenance Services include, 21 but are not limited to, the following: 22 1) ADDITIONAL TRAINING 23 A specific amount of training is specified in this Agreement. Additional training 24 at a County facility is available upon request by COUNTY for an additional 25 charge under the terms of this Agreement. Requests for additional training 26 must be requested in writing in advance by COUNTY's Contract 27 Administrator. 
28 2) DATA AND SYSTEM CORRECTIONS -10- 1 Data and System Corrections include any corrective actions accomplished by 2 CONTRACTOR on-site or via VPN which are necessary due to COUNTY 3 errors or unauthorized source code or data access by COUNTY. 4 Unauthorized access to the data is defined as any COUNTY editing of data 5 through other than normal system usage as defined in System 6 Documentation. Unauthorized access to source code is defined as any 7 COUNTY access whatsoever to system source code. Services provided by 8 CONTRACTOR are not billable when they result from errors caused by ITMC 9 or instruction provided by CONTRACTOR. 10 3) CUSTOMER SITE VISITS 11 Additional CONTRACTOR site visits within the scope of the project services 12 to COUNTY sites, as may be requested in writing by COUNTY, are available 13 at CONTRACTOR'S standard and costs for reasons such as, but not limited 14 to, (1) additional system training on hardware or software usage; (2) 15 resolution of system difficulties not resulting from actions by, or otherwise the 16 responsibility of CONTRACTOR (as determined by mutual agreement 17 between CONTRACTOR and COUNTY); (3) installation of Software 18 Releases; and (4) assistance in equipment maintenance, movement or 19 diagnosis. CONTRACTOR site visits outside of the scope of project services 20 will be reviewed by the CONTRACTOR and must be requested in writing in 21 advance by COUNTY's Contract Administrator. 22 4) CUSTOM PROGRAMMING 23 Requests for supplemental programming or customization of system features 24 not covered under this Agreement are available to COUNTY. Such requests 25 will be reviewed by CONTRACTOR and must be requested in writing in 26 advance by the COUNTY's Contract Administrator. 27 28 -11- 1 E. 
CONTRACTOR PROJECT COORDINATER 2 Upon execution of the Agreement, CONTRACTOR shall appoint a Project 3 Coordinator who will act as the primary contact person to interface with COUNTY 4 for implementation, maintenance and support of the software system. 5 F. SYSTEM UPDATES AND NEW PRODUCTS 6 1) SYSTEM UPDATES 7 From time to time CONTRACTOR will develop and provide System Updates 8 to COUNTY for the COUNTY's licensed CONTRACTOR software. System 9 Updates shall be subject to the terms and conditions of this Agreement and 10 shall be deemed licensed System Software hereunder and will be made 11 available to COUNTY at no additional charge to COUNTY so long as 12 COUNTY remains on a current maintenance plan. System Updates will be 13 made available to COUNTY at the discretion of CONTRACTOR but will not 14 be unreasonably withheld. 15 2) NEW PRODUCTS 16 CONTRACTOR may from time to time release new software with capabilities 17 substantially different from or greater than the System Software ("New 18 Products") and that therefore do not constitute System Updates. These New 19 Products will be made available to COUNTY at a cost to be agreed to in 20 writing in an Order for such New Products. 21 G. GENERATING/OPERATING SYSTEM UPDATES 22 The System Software must run on a client operating system that is consistently 23 and currently supported by the operating system vendor and any required third- 24 party software within thirty (30) days of release. The System Software is expected 25 to always be current in regards to the required client O/S. No outdated or 26 unsupported client O/S will be implemented on the production network. The 27 County will apply patches to both the client O/S and security subsystems on 28 COUNTY PCs as releases are available from O/S vendors. -12- 1 In order to support a secure environment, the System Software must run on the 2 latest supported release of any required third-party software, such as JAVA, 3 Flash, etc. 
COUNTY will notify CONTRACTOR when a critical security patch is 4 released for such products. In such event, CONTRACTOR will have thirty (30) 5 days to ensure the System Software can perform in the updated environment. 6 CONTRACTOR is expected to keep its software current in order to operate in this 7 environment. These patches include critical O/S updates and security patches. 8 H. ANTI-VIRUS MANAGEMENT 9 COUNTY will actively run anti-virus management, where appropriate, on all 10 application servers and PCs. The application is expected to perform adequately 11 while anti-virus management is active. 12 I. ADHERE TO CHANGE CONTROL PROCESS 13 CONTRACTOR must adhere to COUNTY's Change Control Process, which shall 14 be provided to CONTRACTOR in writing. COUNTY employs a procedure to 15 implement updates, upgrades, and version releases to a system that is in 16 production use. This forum allows ISD to inform staff (Help Desk, Network, 17 Server, Database, Security, and Analysts) of upcoming changes to a production 18 system. CONTRACTOR must inform ISD a minimum of one (1) week prior to any 19 planned, non-emergency changes so that the Change Control Process may be 20 followed. 21 J. OTHER 22 Unless otherwise specified, for third-party software, CONTRACTOR shall provide 23 standard documentation in electronic form (via the Internet of File Transfer 24 Protocol (FTP). 25 K. CLIENT INSTALL 26 To the extent applicable, should the software require installation on a Client PC, 27 the software will not be installed under a specific User Profile. It must install and 28 be available to all users on the all users' desktop. The software can require an -13- 1 administrator to install the software, but the software must not require 2 administrative rights in order to operate the software. 3 4. OBLIGATIONS OF THE COUNTY 4 A. 
COUNTY CONTRACT ADMINISTRATOR 5 COUNTY appoints its Director of Internal Services/Chief Information Officer or his 6 designee, as COUNTY's Contract Administrator with full authority to deal with 7 CONTRACTOR in all matters concerning this Agreement. 8 B. SAFEGUARDING SYSTEM SOFTWARE 9 COUNTY will follow its present practices to safeguard System Software delivered to 10 COUNTY by CONTRACTOR. A copy of COUNTY's "Information Technology (IT) 11 Standards and Preferences"will be made available upon request. 12 1. Intentionally omitted 13 14 C. FACILITIES AND PREPARATION 15 COUNTY will at its own expense provide all necessary labor and materials for site 16 preparation, electrical services, and cabling required for System Installation. 17 COUNTY shall receive the System Software and follow instructions provided by 18 CONTRACTOR to load it on COUNTY's System Hardware to prepare the System 19 for processing. 20 D. SYSTEM HARDWARE AND SYSTEM SOFTWARE 21 COUNTY will at its own expense provide and properly maintain and update on an 22 ongoing basis all necessary COUNTY System Software and County System 23 Hardware required to operate software. Said COUNTY System Software and 24 County System Hardware shall meet or exceed CONTRACTOR's 25 recommendations. 26 As part of COUNTY's responsibility for computer infrastructure, COUNTY shall 27 ensure that data is secure and protected at all times. CONTRACTOR is not 28 responsible for and cannot be held liable for inadvertent data disclosure or theft by -14- 1 COUNTY employees from COUNTY facilities. 2 E. COUNTY PROJECT MANAGER 3 Upon execution of this Agreement, COUNTY's Contract Administrator shall 4 designate one individual from ISD who will function as Project Manager with 5 responsibility for day-to-day management of the project for implementation of 6 software. The Project Manager and COUNTY personnel shall have the necessary 7 and appropriate training and experience to implement the terms of this Agreement. 
8 COUNTY acknowledges CONTRACTOR'S reliance on same. 9 F. OTHER COUNTY OBLIGATIONS 10 Technical assistance from COUNTY's ISD staff will be provided during the 11 performance of the installation of the System Software. In particular, COUNTY will 12 provide: 13 a) Network connectivity and troubleshooting assistance. 14 b) Ability to monitor network traffic and isolate bottlenecks. 15 c) Technical assistance concerning the integration with existing COUNTY systems (if 16 applicable). 17 d) Expertise to handle issues with PCs, printers, and cabling before, during and after 18 rollout. 19 5. TERM 20 The term of this Agreement shall be for a period of three (3) years, commencing on 21 December 11, 2018 through and including December 10, 2021. This Agreement may be extended for two 22 (2) additional consecutive twelve (12) month periods upon written approval of both parties no later than 23 thirty (30) days prior to the first day of the next twelve (12) month extension period. The Director of Internal 24 Services/Chief Information Officer or his or her designee is authorized to execute such written approval on 25 behalf of COUNTY based on CONTRACTOR'S satisfactory performance. 26 6. TERMINATION 27 A. Non-Allocation of Funds-The terms of this Agreement, and the 28 services to be provided hereunder, are contingent on the approval of funds by the appropriating -15- 1 government agency. Should sufficient funds not be allocated, the services provided may be 2 modified, or this Agreement terminated, at any time by giving the CONTRACTOR thirty (30) days 3 advance written notice. 4 B. Breach of Contract- The COUNTY may immediately suspend or 5 terminate this Agreement in whole or in part, where in the determination of the COUNTY there is: 6 1) An illegal or improper use of funds; 7 2) A failure to comply with any term of this Agreement; 8 3) A substantially incorrect or incomplete report submitted to the COUNTY; 9 4) Improperly performed service. 
In no event shall any payment by the COUNTY constitute a waiver by the COUNTY of any breach of this Agreement or any default which may then exist on the part of the CONTRACTOR. Neither shall such payment impair or prejudice any remedy available to the COUNTY with respect to the breach or default. The COUNTY shall have the right to demand of the CONTRACTOR the repayment to the COUNTY of any funds disbursed to the CONTRACTOR under this Agreement, which in the judgment of the COUNTY were not expended in accordance with the terms of this Agreement. CONTRACTOR shall promptly refund any such funds upon demand.

C. Without Cause - Under circumstances other than those set forth above, this Agreement may be terminated by COUNTY upon the giving of thirty (30) days advance written notice of an intention to terminate to CONTRACTOR.

7. COMPENSATION/INVOICING:

COUNTY agrees to pay CONTRACTOR and CONTRACTOR agrees to receive compensation as follows:

A. ONE-TIME FEES FOR LICENSES, INSTALLATION, TRAINING, and FIRST YEAR MAINTENANCE

Item                                                                                    Quantity and unit price                     Amount
PowerBroker Password Safe with BeyondInsight License - per asset                        1,500 devices @ $49.50 per device           $74,250.00
Password Safe Maintenance                                                               1,500 devices @ $9.90 per device            $14,850.00
Password Safe - Professional Services - Tier 3 Implementation                                                                       $37,500.00
PowerBroker for Windows with BeyondInsight License - per asset                          500 devices @ $15.40 per device             $7,700.00
Windows Maintenance                                                                     500 devices @ $3.08 per device              $1,540.00
PowerBroker Server Windows Edition License - per asset                                  950 devices @ $65.45 per device             $62,177.50
Server Windows Edition Maintenance                                                      950 devices @ $13.09 per device             $12,435.50
Windows Desktop - Professional Services - Tier 3 Implementation                                                                     $37,500.00
Server Essentials for Unix/Linux Maintenance - per asset                                50 devices @ $183.50 per device             $9,157.50
Server Essentials for Unix/Linux Maintenance                                            50 devices @ $36.63 per device              $1,831.50
PowerBroker Server Essentials for Unix/Linux with BeyondInsight - Professional Services - Tier 1 Implementation                      $12,500.00
Unified Vulnerability UVM20 Virtual Appliance                                           2 appliances @ $7,164.50 per appliance      $14,329.00
PowerBroker Password Safe - Training - Virtual ILT - per student                        10 students @ $750.00                       $7,500.00
PowerBroker Windows - Training - Virtual ILT - per student                              5 students @ $750.00                        $3,750.00
PowerBroker Unix/Linux - Training - Virtual ILT - per student                           5 students @ $750.00                        $3,750.00
Total                                                                                                                               $300,771.00

B. NOT TO EXCEED AMOUNT FOR ONE-TIME FEES

It is understood and agreed that the dollar figures listed above for one-time fees include applicable taxes that may be subject to change during the period for scheduled payments. In no event shall services performed under this current Agreement for one-time fees exceed $300,771.00.

C. ANNUAL MAINTENANCE

CONTRACTOR shall invoice COUNTY, and COUNTY agrees to pay maintenance fees for all licensed products identified above beginning the second year of this Agreement, which rate shall be increased by two percent (2%) per year, for each year of the term, inclusive of renewal periods. Such fees are paid annually and in advance. CONTRACTOR shall invoice COUNTY annually for licensed products as follows:

PRODUCT                              YEAR 2         YEAR 3         YEAR 4         YEAR 5
Password Safe                        $15,147.00     $15,449.94     $15,758.94     $16,074.12
Windows                              $1,570.80      $1,602.22      $1,634.26      $1,666.95
Server Windows Edition               $12,684.21     $12,937.89     $13,196.65     $13,460.59
Server Essentials for Unix/Linux     $1,868.13      $1,905.49      $1,943.60      $1,982.47
TOTAL                                $31,270.14     $31,895.54     $32,533.45     $33,184.13

(Each Year 2 figure is the corresponding first-year maintenance amount in Section 7.A increased by 2%, and each subsequent year is the prior year increased by a further 2%.)

D. ADDITIONAL MAINTENANCE FEES

Total additional maintenance fees shall be prorated as determined by the Additional Licensing Fees (as defined below).

E. ADDITIONAL LICENSING FEES

COUNTY agrees to pay CONTRACTOR and CONTRACTOR agrees to receive compensation for any additional licenses at the current tiering rate, and CONTRACTOR shall honor such rate for the entire potential five-year term of this Agreement.

F. NOT TO EXCEED AMOUNT FOR ADDITIONAL LICENSE, MAINTENANCE, or SERVICE FEES

Additional fees shall only be paid to CONTRACTOR if any such license, maintenance, or services are performed by CONTRACTOR upon COUNTY's written request.

G. TOTAL CONTRACT AMOUNT

In no event shall services performed under this Agreement exceed $364,000.00 during the initial three-year term of this Agreement. In no event shall services performed under this Agreement exceed $396,500.00 if one renewal term is exercised, for a four (4) year term of this Agreement. In no event shall services performed under this Agreement exceed $450,000.00 during the entire possible five (5) year term of this Agreement. It is understood that all expenses incidental to CONTRACTOR's performance of services under this Agreement shall be borne by CONTRACTOR.

H. INVOICING

CONTRACTOR shall submit invoices (which must reference the provided contract number), either electronically or via mail to the County of Fresno ISD, Accounts Payable, 333 W. Pontiac Way, Clovis, CA. 93612 or Accounts Payable, ISDBusinessOffice@fresnocountyCA.gov. COUNTY will pay CONTRACTOR within forty-five (45) days of receipt of an approved invoice, by mail addressed to CONTRACTOR'S remittance address: 5090 North 40th Street, Suite 400, Phoenix, Arizona 85018.

8.
INDEPENDENT CONTRACTOR: In performance of the work, duties and obligations assumed by CONTRACTOR under this Agreement, it is mutually understood and agreed that CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, and employees will at all times be acting and performing as an independent contractor, and shall act in an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or associate of the COUNTY. Furthermore, COUNTY shall have no right to control or supervise or direct the manner or method by which CONTRACTOR shall perform its work and function. However, COUNTY shall retain the right to administer this Agreement so as to verify that CONTRACTOR is performing its obligations in accordance with the terms and conditions thereof.

CONTRACTOR and COUNTY shall comply with all applicable provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof.

Because of its status as an independent contractor, CONTRACTOR shall have absolutely no right to employment rights and benefits available to COUNTY employees. CONTRACTOR shall be solely liable and responsible for providing to, or on behalf of, its employees all legally-required employee benefits. In addition, CONTRACTOR shall be solely responsible and save COUNTY harmless from all matters relating to payment of CONTRACTOR'S employees, including compliance with Social Security withholding and all other regulations governing such matters. It is acknowledged that during the term of this Agreement, CONTRACTOR may be providing services to others unrelated to the COUNTY or to this Agreement.

9. CONFIDENTIALITY: A Party receiving Information (defined below) of the other will not disclose such Information other than to persons in its organization who have a need to know and who will be required to comply with this Section. The Party receiving Information will not use such Information for a purpose inconsistent with the terms of this Agreement. "Information" means the Software, Documentation and all information and intellectual property related thereto (including, but not limited to all databases provided to COUNTY by CONTRACTOR whether created by CONTRACTOR or its third party licensors such as, without limitation, the mapping product databases) as well as information related to the business of CONTRACTOR or COUNTY. Information will not include: (i) information publicly known prior to disclosure; (ii) information coming into the lawful possession of the recipient without any confidentiality obligation; and (iii) information required to be disclosed pursuant to regulatory action or court order, provided adequate prior written notice of any request to disclose is given to the Party whose information is to be disclosed. Each Party will exercise at least the same degree of care to safeguard the confidentiality of the other's Information as it does to safeguard its own proprietary confidential information, but not less than a reasonable degree of care.

10. MODIFICATION: Any matters of this Agreement may be modified from time to time by the written consent of all the parties without, in any way, affecting the remainder.

11. NON-ASSIGNMENT: Neither party shall assign, transfer or sub-contract this Agreement nor their rights or duties under this Agreement without the prior written consent of the other party except in the event of a change in corporate control resulting from the sale of all or substantially all of a party's assets. In the event of change of control, a party may assign without consent but upon prior written notice of such assignment.

12. HOLD HARMLESS AND LIMITATION OF LIABILITY: CONTRACTOR agrees to indemnify, save, hold harmless, and at COUNTY'S request, defend the COUNTY, its officers, agents, and employees from any and all costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses, and any and all claims, damages, costs, fees, regulatory fines and penalties, and forms of legal action involving Cyber Risks, occurring or resulting to COUNTY in connection with the performance, or failure to perform, by CONTRACTOR, its officers, agents, or employees under this Agreement, and from any and all costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses, and any and all claims, damages, costs, fees, regulatory fines and penalties, and forms of legal action involving Cyber Risks, occurring or resulting to any person, firm, or corporation who may be injured or damaged by the performance, or failure to perform, of CONTRACTOR, its officers, agents, or employees under this Agreement.

To the extent so ordered by a court of competent jurisdiction based on a determination of fault, COUNTY agrees to indemnify, save, hold harmless, and at CONTRACTOR'S request, defend the CONTRACTOR, its officers, agents, and employees from any and all costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses occurring or resulting to CONTRACTOR in connection with the performance, or failure to perform, by COUNTY, its officers, agents, or employees under this Agreement, and from any and all costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses occurring or resulting to any person, firm, or corporation who may be injured or damaged by the performance, or failure to perform, of COUNTY, its officers, agents, or employees under this Agreement.
In the event of a claim of alleged infringement of patent rights, copyright, trade secret rights, or intellectual property rights, to the fullest extent permitted by law, CONTRACTOR agrees to and shall indemnify, save, hold harmless, and at COUNTY's request, defend COUNTY, including its officers, officials, agents, and employees from any and all demands, costs and expenses, penalties, attorney's fees and court costs, damages of any nature whatsoever (including, without limitation, injury or damage to or loss or destruction of property), judgments (including, without limitation, amounts paid in settlement and amounts paid to discharge judgments), liabilities, claims and losses, suits, actions or proceedings of every name, kind and description occurring or resulting to COUNTY, out of or in connection with any claim that is based on the infringement (or assertions of infringement) of any patent rights, copyright, trade secret rights, or intellectual property rights with respect to services, software, or any Equipment provided by CONTRACTOR as part of this Agreement, including, but not limited to, their materials, designs, techniques, processes and information supplied or used by CONTRACTOR or any of CONTRACTOR's subcontractors of any tier in performing or providing any portion of CONTRACTOR's obligations as outlined in this Agreement. If, in any suit, action, proceeding or claim relating to the foregoing, a temporary restraining order or preliminary injunction is granted, CONTRACTOR shall make every reasonable effort to secure the suspension of the injunction or restraining order. If, in any such suit, action, proceeding or claim, the services, software or any Equipment provided by CONTRACTOR or any part, combination or process thereof, is held to constitute an infringement and its use is enjoined, CONTRACTOR shall immediately (a) pay the reasonable direct out-of-pocket costs and expenses to secure a license to use such infringing work, replace the infringing work or modify the same so that it becomes non-infringing, and (b) make every reasonable effort to secure for the COUNTY a license, at no cost to COUNTY, authorizing COUNTY's continued use of the infringing work. If CONTRACTOR is unable to secure such license within a reasonable time, CONTRACTOR, at its own expense and without impairing performance requirements of the services, software, or any Equipment provided by CONTRACTOR as part of this Agreement, shall either replace the affected services, software, or any Equipment provided by CONTRACTOR as part of this Agreement, combination or process thereof, with non-infringing services, software, or other equipment, or modify the same so that they become non-infringing.

Notwithstanding the foregoing, CONTRACTOR shall have no obligation to indemnify COUNTY to the extent that any claim arises from (a) COUNTY'S use of the software in violation of this Agreement or the Documentation; (b) the combination or use of the software with any other services, technology, content or material that were neither (x) provided by CONTRACTOR, nor (y) specified by CONTRACTOR for use with the software as contemplated by this Agreement, and (z) County was expressly told in writing that the software should not be used or combined with such services, technology, content or material; (c) modification of the software or services in violation of this Agreement; or (d) COUNTY'S use of the software or services after County reasonably could have implemented a non-infringing alternative provided by Contractor at Contractor's cost and expense, provided that County was offered such non-infringing alternative by Contractor in writing and refused such alternative in writing.

The party requesting indemnification hereunder (the "Indemnified Party") will (i) provide the other party (the "Indemnifying Party") with prompt notice of any such claim (provided, however, that failure to do so shall not relieve the Indemnifying Party of its indemnification obligations hereunder, except to the extent of any material prejudice to the Indemnifying Party as a direct result of such failure); (ii) permit the Indemnifying Party to assume and control the defense of such action upon the Indemnifying Party's written notice to the Indemnified Party of its intention to indemnify; and (iii) upon the Indemnifying Party's written request, provide to the Indemnifying Party all available information and assistance reasonably necessary for the Indemnifying Party to defend such Claim. The Indemnified Party shall have the right, at its sole cost and expense, to participate in the defense and settlement of any such Claim with counsel of its choice.

To the maximum extent permitted by applicable law, (i) CONTRACTOR and its licensors will not be liable for any indirect, special, incidental, punitive or consequential damages (including for the indirect loss of profit, revenue or content) arising out of or in connection with this Agreement, however caused, and under whatever cause of action or theory of liability brought (including under any contract, negligence or other tort theory of liability) even if CONTRACTOR has been advised of the possibility of such damages, and (ii) excluding CONTRACTOR's confidentiality obligations under Section 9 and indemnification obligations under this Section 12, the cumulative, aggregate liability of either party to the other party for any damages shall not exceed two times the fees paid by licensee to CONTRACTOR for the software or services giving rise to the liability during the twelve (12) months preceding the claim giving rise to such liability.

13. INSURANCE

Without limiting the COUNTY's right to obtain indemnification from CONTRACTOR or any third parties, CONTRACTOR, at its sole expense, shall maintain in full force and effect, the following insurance policies or a program of self-insurance, including but not limited to, an insurance pooling arrangement or Joint Powers Agreement (JPA) throughout the term of the Agreement:

A. Commercial General Liability

Commercial General Liability Insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy shall be issued on a per occurrence basis.
COUNTY may require specific coverages including completed operations, products liability, contractual liability, Explosion-Collapse-Underground, fire legal liability or any other liability insurance deemed necessary because of the nature of this contract.

B. Automobile Liability

Comprehensive Automobile Liability Insurance with limits of not less than One Million Dollars ($1,000,000) per accident for bodily injury and for property damages. Coverage should include owned and non-owned vehicles used in connection with this Agreement.

C. Professional Liability

Professional Liability Insurance with limits of not less than One Million Dollars ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) annual aggregate.

D. Worker's Compensation

A policy of Worker's Compensation insurance as may be required by the California Labor Code.

CONTRACTOR shall obtain endorsements to the Commercial General Liability insurance naming the County of Fresno, its officers, agents, and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees shall be excess only and not contributing with insurance provided under CONTRACTOR's policies herein. This insurance shall not be cancelled without a minimum of thirty (30) days advance written notice given to COUNTY.

Within thirty (30) days from the date CONTRACTOR signs and executes this Agreement, CONTRACTOR shall provide certificates of insurance and endorsement as stated above for all of the foregoing policies, as required herein, to the County of Fresno, ISD Business Office - Accounts Payable, 333 W. Pontiac Way, Clovis, CA. 93612, stating that such insurance coverage have been obtained and are in full force; that the County of Fresno, its officers, agents and employees will not be responsible for any premiums on the policies; that such Commercial General Liability insurance names the County of Fresno, its officers, agents and employees, individually and collectively, as additional insured, but only insofar as the operations under this Agreement are concerned; that such coverage for additional insured shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY, its officers, agents and employees, shall be excess only and not contributing with insurance provided under CONTRACTOR's policies herein; and that this insurance shall not be cancelled without a minimum of thirty (30) days advance, written notice given to COUNTY.

In the event CONTRACTOR fails to keep in effect at all times insurance coverage as herein provided, the COUNTY may, in addition to other remedies it may have, suspend or terminate this Agreement upon the occurrence of such event.

All policies shall be issued by admitted insurers licensed to do business in the State of California, and such insurance shall be purchased from companies possessing a current A.M. Best, Inc. rating of A FSC VI or better.

E. Technology Professional Liability (Errors and Omissions)

Technology professional liability (errors and omissions) insurance with limits of not less than Two Million Dollars ($2,000,000.00) per occurrence. Coverage shall encompass all of the CONTRACTOR's duties and obligations that are the subject of this Agreement. Coverage shall include, but not be limited to, any and all claims, damages, costs, fees, regulatory fines and penalties, or forms of legal action involving Cyber Risks.

F. Cyber Liability

Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000.00) per occurrence. Coverage shall include, but not be limited to, any and all claims, damages, costs, fees, regulatory fines and penalties, or forms of legal action involving Cyber Risks. The cyber liability policy shall be endorsed to cover the full replacement value of, damage to, alteration of, loss of, theft of, ransom of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of CONTRACTOR.

For purposes of the technology professional liability insurance and the cyber liability insurance required under this Agreement, Cyber Risks include, but are not limited to, (i) security breaches, which include disclosure of, whether intentional or unintentional, information provided by COUNTY, information provided by or obtained from any inmate, or personal-identifying information relating to any inmate, to an unauthorized third party; (ii) breach of any of CONTRACTOR's obligations under this Agreement relating to data security, protection, preservation, usage, storage, transmission, and the like; (iii) infringement of intellectual property; (iv) invasion of privacy, including any release of private information; (v) information theft by any person or entity, whatsoever; (vi) damage to or destruction or alteration of electronic information; (vii) extortion related to CONTRACTOR's obligations under this Agreement regarding electronic information, including information provided by COUNTY, information provided by or obtained from any inmate, or personal-identifying information relating to any inmate; (viii) network security; (ix) data breach response costs, including security breach response costs; (x) regulatory fines and penalties related to CONTRACTOR's obligations under this Agreement regarding electronic information, including information provided by COUNTY, information provided by or obtained from an inmate, or personal-identifying information relating
to any inmate; and (xi) credit monitoring expenses.

14. AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during business hours, and not more than once annually upon thirty (30) days prior written notice and during normal business hours, make available to the COUNTY for examination all of its records and data with respect to the matters covered by this Agreement. The CONTRACTOR shall, upon request by the COUNTY, permit the COUNTY to audit and inspect all of such records and data necessary to ensure CONTRACTOR'S compliance with the terms of this Agreement.

If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR shall be subject to the examination and audit of the California State Auditor for a period of three (3) years after final payment under contract (Government Code Section 8546.7).

15. CONTRACTOR may request annually a certified report detailing COUNTY'S installation and usage of the software, including whether or not COUNTY has exceeded the scope of license granted. If COUNTY'S use of any software is found to exceed the scope of the license granted, COUNTY will be charged additional license and maintenance fees for each instance of additional use in excess of license scope granted and such fees shall be payable in accordance with this Agreement.

NOTICES: The persons and their addresses having authority to give and receive notices under this Agreement include the following:

COUNTY: COUNTY OF FRESNO, Director of Internal Services/Chief Information Officer, 333 W. Pontiac Way, Clovis, CA. 93612

CONTRACTOR: BeyondTrust Software, Inc., Legal Department, 5090 N. 40th Street, Suite 400, Phoenix, AZ 85018

All notices between the COUNTY and CONTRACTOR provided for or permitted under this Agreement must be in writing and delivered either by personal service, by first-class United States mail, by an overnight commercial courier service, or by telephonic facsimile transmission. A notice delivered by personal service is effective upon service to the recipient. A notice delivered by first-class United States mail is effective three COUNTY business days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice delivered by an overnight commercial courier service is effective one COUNTY business day after deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given for next day delivery, addressed to the recipient. A notice delivered by telephonic facsimile is effective when transmission to the recipient is completed (but, if such transmission is completed outside of COUNTY business hours, then such delivery shall be deemed to be effective at the next beginning of a COUNTY business day), provided that the sender maintains a machine record of the completed transmission. For all claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810).

16. GOVERNING LAW: Venue for any action arising out of or related to this Agreement shall only be in Fresno County, California.

The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California.

17. DISCLOSURE OF SELF-DEALING TRANSACTIONS

This provision is only applicable if the CONTRACTOR is operating as a corporation (a for-profit or non-profit corporation) or if during the term of the agreement, the CONTRACTOR changes its status to operate as a corporation.
Members of the CONTRACTOR's Board of Directors shall disclose any self-dealing transactions that they are a party to while CONTRACTOR is providing goods or performing services under this agreement. A self-dealing transaction shall mean a transaction to which the CONTRACTOR is a party and in which one or more of its directors has a material financial interest. Members of the Board of Directors shall disclose any self-dealing transactions that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, attached hereto as Exhibit A and incorporated herein by reference, and submitting it to the COUNTY prior to commencing with the self-dealing transaction or immediately thereafter.

18. ENTIRE AGREEMENT: This Agreement constitutes the entire agreement between the CONTRACTOR and COUNTY with respect to the subject matter hereof and supersedes all previous Agreement negotiations, proposals, commitments, writings, advertisements, publications, and understanding of any nature whatsoever unless expressly included in this Agreement. In the event of any inconsistency in interpreting the documents which constitute this Agreement, the inconsistency shall be resolved by giving precedence in the following order of priority: (1) the text of this Agreement (excluding any Attachments); (2) Attachments 4 and 5, Implementation Packages.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and year first hereinabove written.

CONTRACTOR: BeyondTrust Software, Inc.
(Authorized Signature)
Print Name & Title
Mailing Address: 5090 N. 40th Street, Suite 400, Phoenix, Arizona 85018

COUNTY OF FRESNO
Chairman of the Board of Supervisors of the County of Fresno

ATTEST: BERNICE E. SEIDEL, Clerk of the Board of Supervisors, County of Fresno, State of California
By: Deputy

FOR ACCOUNTING USE ONLY: Fund No.: 1010; Subclass No.: 10000; Org No.: 6105; Account No.: [illegible]

EXHIBIT A

SELF-DEALING TRANSACTION DISCLOSURE FORM

In order to conduct business with the County of Fresno (hereinafter referred to as "County"), members of a contractor's board of directors (hereinafter referred to as "County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below:

"A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest"

The definition above will be utilized for purposes of completing this disclosure form.

INSTRUCTIONS

(1) Enter board member's name, job title (if applicable), and date this disclosure is being made.
(2) Enter the board member's company/agency name and address.
(3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following:
    a. The name of the agency/company with which the corporation has the transaction; and
    b. The nature of the material financial interest in the Corporation's transaction that the board member has.
(4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code.
(5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4).
(1) Company Board Member Information:
Date:

(2) Company/Agency Name and Address:

(3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to):

(4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233(a):

(5) Authorized Signature
Signature:                                   Date:

ATTACHMENT 1
Sacramento County RFP 8367

REQUEST FOR PROPOSAL -- THIS IS NOT AN ORDER
COUNTY OF SACRAMENTO, DEPARTMENT OF GENERAL SERVICES, CONTRACT AND PURCHASING SERVICES DIVISION
RFP #8367
COMMODITY/SERVICE: PRIVILEGED ACCOUNT MANAGEMENT (PAM) SOLUTION

CONTENTS
DEFINITIONS ............................ 2
INTRODUCTION ........................... 3
DETAILED REQUIREMENTS .................. 3
KEY EVENTS ............................. 3
PROPOSER'S INSTRUCTIONS ................ 8
BASIS OF AWARD ......................... 9
FINAL ACCEPTANCE ....................... 10

Appendices (listed separately in Public Purchase)
A - Sacramento County General Terms & Conditions
B - Additional Terms & Conditions
C - DCSS Contractor Certification of Compliance
D - Not Applicable
E - Solicitation Exceptions
F - Non Collusion Affidavit
G - Sacramento County Minimum Insurance Requirements
H - Customer References
I - Pricing
J - Local Vendor Preference Affidavit
K - Risk Assessment Questionnaire
L - Not Applicable
M - Not Applicable
N - Not Applicable
O - Web Accessibility Policy
P - Not Applicable
Q - Response to Detailed Requirements

Rev.Date 3/2/16 1

DEFINITIONS

Response: The written, signed and sealed complete document submitted according to the proposal instructions. Response does not include any verbal or documentary interaction apart from submittal of a formal Response.

Request/Proposal/Bid: The completed and released document, including all subsequent addenda, made publicly available to all prospective proposers.

We/Us/Our: Terms that refer to the County of Sacramento, a duly organized public entity. They may also be used as pronouns for various subsets of the County organization, including, as the context will indicate:
• Purchasing - the Contracts and Purchasing Services Division of the Department of General Services.
• Department/Division - The department or division requesting the goods or services contained in this request, for which this PROPOSAL is prepared and which will be the end user of the requested goods or services.
• Constituency - the client base or County population which may benefit from the procurement of goods and/or services requested herein.

You/Your: Terms that refer to businesses/individuals submitting a response. The term may apply differently as the context will indicate.
• Supplier - A business entity engaged in the business of providing services.
• Proposer - A business entity submitting a Response to this proposal.
Suppliers which may express interest in this proposal, but who do not submit a Response, have no obligations with respect to the proposal requirements.
• Contractor - The Proposer(s) whose Response to this proposal is evaluated as meeting the needs of the County. Contractor(s) will be selected for award, and will enter into a contract(s) for provision of the services described in this proposal.
• Contractor's Employee - All persons who can be offered to provide the services described in the proposal. All employees of the Contractor shall be covered by the insurance programs normally provided to persons employed by a company (ex: Worker's Comp, SDI, etc.).

Mandatory: A required element of this request/proposal/bid. Failure to satisfy any element of this request/proposal/bid defined as "mandatory" will disqualify the particular response.

Default: A failure to act as required by any contract resulting from this request, which may trigger the right to sue or may excuse the other party's obligation to perform under the contract.

Cancellation/Termination: A unilateral or mutual decision to not complete an exchange or perform an obligation under any contract resulting from this request.

"Or Equal": A statement used for reference to indicate the character or quality desired in a requested product or service. When specified in a proposal document, equal items will be considered, provided the response clearly describes the article. Offers of equal items must state the brand and number, or level of quality. When brand, number, or level of quality is not stated by proposer, the offer will be considered exactly as specified. The determination of the Purchasing Agent as to what items are equal is final and conclusive.

INTRODUCTION

The County of Sacramento is requesting proposals for a Privileged Account Management (PAM) solution. Your proposal will be considered to enhance current Sacramento County security systems and procedures.
Due to legislative and legal requirements in many areas, the selection and implementation of a Privileged Account Management System is considered essential to meeting these requirements. The proposed solution must protect data and assets from unauthorized access and offer a repeatable process when granting or removing Rights to Privileged Accounts and Assets. The County expects the offered solution to fully monitor and record the User Session when utilizing a Privileged Account. The solution should have full, auditable logs which include User Accounts, Privileged Accounts and Specific Assets as searchable criteria. The proposed solution must include the capability to send notifications when identified and monitored county assets are being accessed.
Note: Asset is defined as any file share, web service, e-mail account, Active Directory Account, Application, Database or physical device located in the Sacramento County Network.

DETAILED REQUIREMENTS
SCOPE OF WORK
The County of Sacramento is requesting proposals to implement a new PAM solution to improve secure management and monitoring of privileged accounts. Please indicate how your proposed solution can provide the functionality that is described and/or requested in the remainder of Appendix P. Proposals must include all costs and services required for hardware, software, implementation services, training, etc. These costs are to be entered in Appendix I - Pricing. Please include the implementation costs as requested in Appendix I. These are being requested in sections based upon technology. Costs should outline each module/feature at a line-item level so that the County of Sacramento can determine the extent of the modules/features in relationship to its cost. If a feature is included in any response in Appendix Q, it should be included in the cost proposal (i.e. there should be no hidden costs).
CURRENT ENVIRONMENT
CURRENT NETWORK ARCHITECTURE
Current Logical Zone Architecture and Data Flow Summary.
[Drawing: Logical Zone and Data Flow Model - Zone and Data Flow Paths (Internet). Author: SPT; Subject: Zone; Revision 002; Date Created 9/2/2005. Zones shown: Internet (Zone 0), eDMZ (Zone 1), County Firewall (Internet), iDMZ (Zone 2), IntraNet (Zone 3), with a Data Flow Summary table of permitted source-to-destination zone pairs. Permitted direction (source to destination) denotes session initiation. Return traffic is allowed for authorized sessions. Firewall rules regulate permitted ports.]
[Drawing: Logical Zone and Data Flow Model - Zone and Data Flow Paths (Extranet). Author: SPT; Subject: Zone; Revision 002; Date Created 9/2/2005. Zones shown: Extranet (Zone 4), County Firewall (ExtraNet), xDMZ (Zone 5), IntraNet (Zone 3), with a Data Flow Summary table of permitted source-to-destination zone pairs; the same session-initiation rule applies.]
The County of Sacramento manages resources with Privileged Accounts in each Zone described in the "Logical Zone and Data Flow Model" drawing above.
The Use Case below has been included to describe our current DMZ structure and to illustrate known, intended, usage limitations due to the security of the design. Please take this information into consideration with your response to this RFP. Management of Zone 1 usually originates from Zone 3. But, circumstances do arise when a single Zone is isolated from all other Zones due to failures. This scenario, and others, must be taken into consideration by the proposed solution.
See "Data Flow Summary Tables" in drawings above.
Use Case - On-Zone RDP: Network Administrator requires access to Zone 1, Resource 2. Due to data-flow restrictions created for security purposes, the only Network path to Zone 1, Resource 2 is through Zone 1, Resource 1.
Action: Administrator initiates RDP session from Zone 3 to Zone 1, Resource 1. Once the session is established, Administrator then initiates an RDP session from Zone 1, Resource 1 to Zone 1, Resource 2.

CURRENT PAM TOOLS
The County of Sacramento does not currently use a PAM tool. Privileged account credentials are managed in a variety of decentralized tools using manual, non-governed, ad-hoc methodologies. Management of privileged accounts follows security best practices.

IDENTITY ACCOUNT MANAGEMENT
Data sources and directories: The County of Sacramento currently uses the following Identity Account Management data sources, directories, and tools:
Active Directory, Schema Version 47 on Windows 2008 r2 or later.
OpenLDAP, Version 2.4.33.
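The Introduction above asks for auditable session logs that are searchable by User Account, Privileged Account and Specific Asset, plus notifications when monitored assets are accessed, and the On-Zone RDP use case shows a second hop launched from inside Zone 1 rather than from the administrator's workstation. The Python below is an added illustration of how those three requirements fit together over a session log; it is not part of the RFP, of BeyondTrust's proposal, or of any product. The record layout (pipe-delimited fields), the host names, the sample records and the function names are all constructed assumptions. It goes slightly beyond the use case by linking any session whose source host is an asset the same user reached earlier, so the second hop stays attributed to the user and the first session in the audit trail.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample log (not real County data). Field layout is an assumption:
# timestamp|user|privileged_account|asset|zone|initiated_from|protocol
SAMPLE_LOG = """\
2016-05-10T09:00:00Z|jdoe|svc_netadmin@sac.local|zone1-res1|1|zone3-jump01|RDP
2016-05-10T09:02:10Z|jdoe|svc_netadmin@sac.local|zone1-res2|1|zone1-res1|RDP
2016-05-10T09:15:00Z|asmith|root|unix-db07|3|zone3-wks14|SSH
2016-05-10T10:30:00Z|jdoe|sql_admin@sac.local|sqlprod01|3|zone3-jump01|RDP
"""


@dataclass(frozen=True)
class SessionEvent:
    ts: str
    user: str           # the person (the RFP's "User Account")
    priv_account: str   # the shared/privileged credential used
    asset: str          # the target asset (server, device, database, ...)
    zone: int           # logical zone of the asset
    source: str         # host the session was initiated from
    protocol: str


def parse_log(text: str) -> List[SessionEvent]:
    """Parse pipe-delimited session records; blank and malformed lines are skipped."""
    events: List[SessionEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 7:
            continue  # malformed record: ignore rather than guess at fields
        ts, user, acct, asset, zone, src, proto = parts
        events.append(SessionEvent(ts, user, acct, asset, int(zone), src, proto))
    return events


def search(events: List[SessionEvent], user: Optional[str] = None,
           priv_account: Optional[str] = None,
           asset: Optional[str] = None) -> List[SessionEvent]:
    """Filter on the three searchable criteria the RFP names; None means 'any'."""
    return [e for e in events
            if (user is None or e.user == user)
            and (priv_account is None or e.priv_account == priv_account)
            and (asset is None or e.asset == asset)]


def monitored_asset_alerts(events: List[SessionEvent], monitored: Set[str]) -> List[str]:
    """One notification string per session that touches a monitored asset."""
    return [f"{e.ts} {e.user} used {e.priv_account} on monitored asset {e.asset} via {e.protocol}"
            for e in events if e.asset in monitored]


def chained_hops(events: List[SessionEvent]) -> List[Tuple[SessionEvent, SessionEvent]]:
    """Link each session started from a managed asset to the most recent earlier
    session, by the same user, that reached that asset (the on-zone RDP pattern)."""
    ordered = sorted(events, key=lambda e: e.ts)
    hops: List[Tuple[SessionEvent, SessionEvent]] = []
    for i, second in enumerate(ordered):
        for first in reversed(ordered[:i]):
            if first.user == second.user and first.asset == second.source:
                hops.append((first, second))
                break
    return hops


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in search(evs, asset="zone1-res2"):
        print("asset search:", hit)
    for alert in monitored_asset_alerts(evs, {"sqlprod01"}):
        print("notify:", alert)
    for first, second in chained_hops(evs):
        print(f"hop: {first.asset} -> {second.asset} by {second.user}")
```

The chained-hop check deliberately matches on the user, not on the privileged account, because the second hop may be made with a different checked-out credential; what the audit trail needs is that both hops resolve to the same person and the same originating session.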
EQUIPMENT TYPE & OPERATING SYSTEM VERSIONS
Servers, Database, and Network Devices
The County of Sacramento currently manages the following types of servers, databases, and devices in our County of Sacramento data centers:
Oracle database, versions 11gR2 - 12c
Microsoft SQL Server database, versions 2005 - 2014
CISCO Network Products (numerous models utilizing the following versions):
Cisco IOS versions 12.x and 15.x
Cisco NX-OS versions 6.x and 7.x
Cisco IOS-XR versions 5.x
Cisco IOS-XE version 3.x
Cisco Unified Communications Manager: 9.1.2.13900-10
Cisco Unity Connection 9.1.2TT1.11900-2TT1
Cisco IP IVR 9.0.2.10000-71
Cisco Unified Contact Center Enterprise 9.0.1.0 Build 1454
EngHouse Interactive ARC Solutions
Windows Servers versions 2003 - 2012
Future Technologies: Hadoop

DEVICE/APPLICATION/PRIVILEGED ROLES - Counts
Windows Servers: 1000
Windows Desktops: 10,200
Microsoft SQL Servers: Included in Windows Server Total
CISCO - Switches: 866
CISCO - Routers: 129
CISCO - Voice Gateways: 97
Applications: 100
Database Connection Strings: 200
Unix Servers: 135
SAP Applications: 42 (instances)
Oracle Database: 28
Privileged Account Roles Windows: 250 (This is an estimate)
Privileged Account Roles Unix: 10 (This is an estimate)

Training Requirements - Number of Trainees
PAM Administration: 4
PAM Users (System Admins): 40
PAM Users (Application): 10

KEY EVENTS
Event/Action | Date(s)
RFP Release Date | April 14, 2016
Proposer Conference at 799 G Street, 2nd Floor, Conference Room 221, Sacramento, CA 95814 | April 26 (9:30AM (PDT)). This is a non-mandatory Proposal Conference; however, vendors are encouraged to attend.
Deadline for submitting written questions | May 3, 2016 (4:00PM (PDT))
Responses to written questions | May 6, 2016
Addendum issued (if necessary) | May 12, 2016
Proposals due | May 26, 2016 (12:00PM (PDT))
Proposal Evaluation, Vendor presentations (if necessary) | May 27, 2016 through June 16, 2016
Board Approval (if necessary) | TBD - July 22, 2016 (estimated)
Intent to award contract | TBD - July 29, 2016 (estimated)
Note: The key events and dates are tentative and subject to change.

Pre-Proposal Conference: A non-mandatory pre-proposal conference will be held at 9:30 AM on Tuesday, April 26, 2016 at Sacramento County's Department of Technology (Dtech) building, 799 G Street, Sacramento, CA 95814, RM 221. The proposers will be afforded the opportunity to meet with County personnel and discuss the content of the RFP in further detail. The County will accept oral questions during the conference and will attempt to provide answers at that time. Oral answers provided by the County shall not be binding. Only written answers posted via Public Purchase will be binding. Although attendance is not required, the County highly recommends that interested parties attend the pre-proposal conference to better understand our requirements and to ask clarifying questions. Attendees are advised to print and bring their own copies of the RFP and required documents. Printed documents to be distributed by the County during the conference may be limited to addendums only.
We have added a Conference Line to the meeting notice. See specifics below:
Join by Phone: +1 (916) 876-4100
Conference ID: 387938

PROPOSER'S INSTRUCTIONS
General Format: Respond to all requests for information and completion of forms contained in this Request for Proposal. You may use additional sheets as necessary. A qualifying response must address all items. Brochures and advertisements will not be considered a complete reply to requests for information and will not be accepted as such.
Proposer is solely responsible for the accuracy and completeness of the proposal response and for electronically separating and marking documents as confidential when submitting their response through Public Purchase. Responses considered incomplete may be rejected.
Alteration of Proposal Text: The original text of this proposal document, as well as any attachments, amendments or other official correspondence related to this proposal document, may not be manually, electronically or otherwise altered by proposer or proposer's agent(s). Any response containing altered, deleted, additional or otherwise non-original text will be disqualified.
Preparation of Response:
A. All responses must be signed by an authorized officer or employee of the responder.
B. Responses must be submitted prior to the specified date and time, using the www.publicpurchase.com website. Responses delivered by hand, fax, telephone, e-mail, or any postal carrier will not be accepted. If bidder uploads a file to Public Purchase, it is the bidder's responsibility to ensure the file is not corrupt or damaged. If County is unable to open an attachment because it is damaged, corrupt, infected, etc., it may disqualify bidder's submission. See document titled "Public Purchase Instructions" for guidance entering your online response.
C. Time of delivery must be stated as the number of calendar days following receipt of the order by the proposer to receipt of the goods or services by the County.
D. Time of delivery may be a consideration in the award.
E. Prices will be considered as net if no cash discount is offered. If a discrepancy between the unit price and the item total exists, the unit price prevails.
Confidential Information/Public Record: All responses become property of the County. All responses, including the accepted proposal and any subsequent contract, become public records per the requirements of the California Government Code, Sections 6250-6270, "California Public Records Act".
Proprietary material must be clearly marked as such. Pricing and service elements of the successful proposal are not considered proprietary information. The County will treat all information submitted in a proposal as available for public inspection once the County has selected a contractor. If you believe that you have a legally justifiable basis under the California Public Records Act (Government Section 6250 et seq.) for protecting the confidentiality of any information contained within your proposal, you must identify any such information, together with the legal basis of your claim in your proposal, and present such information separately as part of your response package. Public Purchase allows you to mark such documents as "confidential" when uploaded into the system. The final determination as to whether the County will assert your claim of confidentiality on your behalf shall be at the sole discretion of the County. If the County makes a determination that your information does not meet the criteria for confidentiality, you will be notified as such. Any information deemed to be non-confidential shall be considered public record.

BASIS OF AWARD
This proposal award will be determined by factors other than price alone. The County's sole purpose in the evaluation process is to determine from among the Responses received which one is best suited to meet the County's needs. Any final analysis or weighted point score does not imply that one proposal is superior to another, but simply that in our judgment the proposal(s) we select offer(s) the best overall solution for our current and anticipated needs. The County reserves the right to make modifications to any scoring and/or weight structure prior to the evaluation of responses. The responses will remain sealed during the proposal evaluation period, and will be made available for public inspection upon notice of proposal award.
Bid responses will be considered valid for a period of 120 calendar days after the bid closing date above. The County reserves the right to make a single award, multiple awards, or no award at all to this RFP. In addition, the RFP may be amended or canceled as necessary to meet requirements.
Scoring and Evaluation Factors
Responsive proposals will be reviewed against the general criteria as described in Proposal Evaluation Criteria below. The evaluation factors reflect the totality of considerations to be used in evaluating the requested Proposal responses. While cost is important, other factors are also significant, and the County may not select the lowest cost proposal. The objective is to choose the proposal that offers the highest quality services and will achieve the project's goals and objectives within a reasonable budget. All proposals will be evaluated using the same criteria and possible points. Evaluations will be based on the criteria listed below, which correspond to information requested in various sections of the proposal.
Final Selection
The Evaluation Committee will formulate its recommendation for award of the Contract, and forward its selection to the appropriate parties for approval. The award will be in accordance with, but not limited to, the result of our evaluation and our perception of your understanding of our stated needs and specifications. Final award will be based on the points assigned.
Proposal Evaluation Criteria
The Proposers will be reviewed and rated in the following areas:
• WRITTEN RESPONSE
• DEMONSTRATION
• COST
The top scoring Proposers in the WRITTEN component will then be invited to the DEMONSTRATION phase. DEMONSTRATION scores will be compiled along with WRITTEN and COST scores to determine the successful proposal. The County reserves the right to enter into a Contract without further discussion of the submitted proposal. Therefore, the proposal should be submitted on the most favorable terms the proposing party can offer.
The RFP document and the successful party's proposal response, as may be amended by agreement between the County and the successful party, will be the basis for the resulting Contract document(s). Additionally, the County may verify the successful party's representations that appear in the proposal in efforts to finalize the agreement. Failure of the successful party to deliver a sound gap analysis and data migration analysis (deliverables one and two) where the analyses are acceptable to the County may result in Contract cancellation or termination.
The successful party will be expected to enter into a Contract with the County. If the successful party fails to sign the Contract within fourteen (14) business days following the delivery of the Contract documents, the County may elect to proceed with the next highest scoring Proposer. The County shall not be bound, or in any way obligated, until both parties have executed a Contract. The proposing party may not incur any chargeable costs prior to final Contract execution.
Note: All specifications, terms and conditions of this request will apply to any resulting order.

FINAL ACCEPTANCE
Equipment/Supplies/Services
The County of Sacramento will agree to final acceptance only after the supplied equipment, product or service is tested and is found to perform within acceptable standards of operation, is in compliance with all published and implied performance standards, and is considered by the County to be ready for practical application.

ATTACHMENT - 2
BeyondTrust Response to RFP 8367
Appendix Q - Detail Requirements Response
A specific point-by-point response, in the order listed, to each requirement below.
Definitions of the table heading:
Req ID: A unique requirement number.
Requirement Description: The requirement or question.
Response Code: Add one of the following response codes to this field:
Comply (C) - Follow this response with a brief/concise explanation that adequately details your ability to meet the specified requirement unless the specification/requirement is clearly (unequivocally) a "yes/no", "can do/can't do", "will do/won't do" type of specification, in which case "Comply", without an accompanying explanation, will suffice.
Comply with exception (CE) - You must clearly state the difference between the specification and your ability to meet the requirement(s) of the specification.
Cannot comply (CC) - Follow this response with sufficient detail that explains why the specification cannot be met.
Vendor Response: Responses are required; proposals lacking responses may be rejected. Be verbose; it will not suffice to simply state "Comply." If an evaluator is left wanting for information to fully understand your response, then your response will be scored accordingly. Adequately detailed, yet succinct, (evaluator friendly) responses are preferred. Responses that direct evaluators to "refer to" and/or to interpret documentation, e.g., from technical materials, pamphlets, brochures, etc. are unacceptable.

RFP 8367 Appendix Q Page 1 of 23

Appendix Q - Detailed Requirement Areas
1. VENDOR PROFILE AND EXPERIENCE
2. TECHNICAL SPECIFICATIONS
3. DISCOVERY (Automated Discovery of Privileged Accounts)
4. MANAGING ACCOUNTS AND ASSETS
5. SESSION MANAGEMENT
6. SECURITY, AUDITING, AND COMPLIANCE
7. INTEGRATION

1. VENDOR PROFILE AND EXPERIENCE
We expect the Proposer to be forward thinking with a solution that can provide features that can help to ensure best practices in securely managing and monitoring privileged accounts within heterogeneous technology environments. Please indicate how your company and solutions can meet the County of Sacramento's needs.
Req ID | Requirement Description | Response Code | Vendor Response

1.1 Executive Summary
1.1.1 Describe your company's background/history and years in business.
Response Code: C
Vendor Response: BeyondTrust
BeyondTrust is a global information security software company that helps organizations prevent cyber-attacks and unauthorized data access due to privilege abuse. Our solutions give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Access Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your company goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.
Industries Served:
• Government
• Financial Services, Banking and Insurance
• Aerospace and Defense
• Energy and Utilities
• Technology/Software
• Entertainment
• Healthcare and Pharmaceuticals
• Retail and Consumer Packaged Goods
• Communications
• And more
Key Facts:
• Privately held and profitable
• 40% year-over-year growth in 2015
• 350 employees
• 7 awarded patents, and 10 pending patents
• 100+ partners
Optiv
Optiv is the largest holistic pure-play cyber security solutions provider in North America. The company's diverse and talented employees are committed to helping businesses and governments plan, build and run successful security programs through the right combination of products, services and solutions related to security program strategy, enterprise risk and consulting, threat and vulnerability management, enterprise incident management, security architecture and implementation, training, identity and access management, and managed security. Optiv is a Blackstone (NYSE:
BX) portfolio company that has served more than 12,000 clients of various sizes across multiple industries, offers an extensive geographic footprint, and has premium partnerships with more than 300 of the leading security product manufacturers including BeyondTrust. With 780+ government agency and department clients, of which over 50 are in Northern California, Optiv is well versed in assisting clients like the County of Sacramento improve their security posture.
Industries Served:
• Financial Services and Insurance
• Government
• Healthcare
• Manufacturing
• Professional Services
• Retail, Hospitality and Travel
• Technology and Telecom
• Utilities and Energy
Clients:
• More than 12,000 clients served
• 67 percent of Fortune 100
• 60 percent of Fortune 1000
• 1,250+ educational institutions
• 780+ government agencies and departments
Key Facts:
• $1.5B in annual revenue (2014)
• 1,400 employees
• 625+ highly skilled security practitioners
• 415+ dedicated client managers
• 300+ technology partners

1.1.2 Describe your company's financial standing/stability.
Response Code: C
Vendor Response: BeyondTrust was founded in 1985, is privately held, and profitable with significant YOY growth. In appendix K we offer a financial reference from our bank. Optiv response - please see appendix K item 3.

1.1.3 Describe your company's organization and staff resources, including number of company employees dedicated to each division of the company (e.g. sales, marketing, R&D, client support, etc.), and geographic
locations for primary support and development teams.
Response Code: C
Vendor Response: BeyondTrust employs approximately 340 employees. Of this number, approximately 13% are dedicated to pre and post sales client support, 34% sales, 5% marketing, 37% R&D, and 8% G&A. Our primary technical support team is located in Halifax, Nova Scotia, where a significant portion of our product development also occurs. We also have a support team located in Aliso Viejo, California so we have 24/7 support.

1.2 Experience
1.2.1 How has the proposed solution resolved similar challenges faced by other institutions?
Response Code: C
Vendor Response: Prior to coming to us, several of our customers have experienced breaches (some that made headlines) resulting from attacks via third-party systems and internal threats. Remote access by vendors and contractors needs controlled network separation and activity monitoring. We also protect against accidental or intentional misuse by insiders. Our customers are more confident in their security posture in that Password Safe provides a secure connection gateway with proxied access to RDP, SSH and Windows applications; protects privileged credentials; and records all privileged sessions and enables the ability to pause or terminate sessions real-time. None of our customers have ever been hacked or breached after they have implemented our solution(s).
Case Studies: https://www.beyondtrust.com/resources/education/case-studies/

1.2.2 What are the differentiators that separate your company and/or solutions from others?
Response Code: C
Vendor Response:
• Password, Session, API Access, and threat analytics are all included as a single module at a single price
• Policies support time and location based access
• Upgrade and implementation do not require PSO engagements
• Network based system discovery
• Host based access control
• Active/Active for fault tolerance
• Application support
• System level command control
• Simplified Sudo Policy Management
• Optional Windows Client for least privilege integration
• Remote command execution on Unix and Linux
• HA API interface with dynamic aliasing

1.2.3 Summarize your implementation and training approaches.
Vendor Response: BeyondTrust offers online product training, online training programs, and product deployment services to help you get the most from your security investment.
Staffed by some of the best security and systems engineers, and software developers in the world, BeyondTrust provides an extensive range of training and consulting services to help you maximize the potential of BeyondTrust products within Sacramento County's IT infrastructure. Our Onsite training services have been performed by BeyondTrust for hundreds of customers. We can customize this training to address your specific concerns immediately after the solution has been deployed or at a later date.
Product Training: BeyondTrust provides comprehensive training courses covering installation, configuration, and recommended usage of our products. In order to help you learn in the time and place that is most convenient for you we offer Instructor-led training courses.
Instructor-led Training: Our instructor-led courses can be brought on-site to your location and can be customized to meet specific training needs.
Product Implementation and Deployment Services: BeyondTrust offers assistance with all stages of product deployment, including proper network design, product configuration, and enterprise-wide integration.

1.3 Development of Solutions
1.3.1 Provide a strategic roadmap for the proposed solution.
Response Code: C
Vendor Response:
1H 2016: Sailpoint Integration, SAML, MongoDB, Enhanced Custom Platform editor, API Enhancements, Direct Connect for SSH, HSM
2H 2016: Multi-tenant, Java Application Server support (JBOSS, Tomcat, NetWeaver), SaaS deployment options

1.3.2 How have your solutions been designed/developed? i.e. were they designed/developed by your company/employees; or are there pieces that have been obtained through acquisitions, developed by third party contractors, licensed from third parties, etc.?
Response Code: C
Vendor Response: Developed by our company and employees. We do incorporate user input and trends as we establish roadmap and also honor feature requests.
1.4 Development of Solutions
1.4.1 Please complete "Customer References" in Appendix H.

2. TECHNICAL SPECIFICATIONS
The County of Sacramento has an enterprise data center with a heterogeneous environment of servers, databases, and network devices (as detailed in 2.11 below). We are interested in secure and efficient management of privileged/shared accounts within this environment. Please describe:

Req ID | Requirement Description | Response Code | Vendor Response

2.1 Infrastructure/architecture. Provide a list of all infrastructure requirements, including number and types of servers (including virtualization options), operating systems, databases, storage, etc.
Response Code: C
Vendor Response: BeyondInsight/PowerBroker Password Safe is provided as a hardened, locked down appliance in both physical and virtual appliance formats. The physical version comes in 2 sizes: UVM20 for up to 30k managed accounts; UVM50 for up to 250k managed accounts. The virtual version is sized identically to the UVM20, and requires approx. 32GB RAM, 150GB(+) disk space, and 2x4 cores. The appliance contains all software required. For active/passive (see below), SQL is supplied as part of the appliance; for active/active, an external SQL AlwaysOn Availability Group is required.
There are 2 deployment models:
Active/Passive - will failover to a mirrored appliance in the event the primary appliance is not available. Failover and recovery is fully automatic. This method will involve 2 appliances configured as a 'pair'.
Active/Active - requires the use of an external database; we certify against SQL AlwaysOn. As many appliances as required can be configured to connect to this database. In this case, all appliances can be used at once, and are fully redundant; if one goes down, you simply switch to an alternative.
AlwaysOn Availability Groups may be configured with a mix of synchronous commit and asynchronous commit replicas to provide real-time
For sizing purposes, in an active/passive model, only one appliance is in operation at one time so you will size against a single appliance. In an active/active model, each appliance you add provides cumulative scalability as they are all used simultaneously.

2.2 Test and production instances. Describe options for implementing a multi-instance environment that includes production and non-production instances.
Response Code: C
Vendor Response: Many deployment options are available for splitting instances across test and production environments. If total physical isolation is required, two or more pairs of appliances may be used in an active/passive configuration; there will be no connection between these deployments, and administration will be separate. If physical isolation is not required, and cumulative scale for test and production can be covered by a single appliance, one pair of appliances may be deployed in active/passive configuration using multi-tenant to logically isolate the environments. For larger environments, active/active will allow multiple (2+) appliances to be deployed using multi-tenant to isolate test and production.

2.3 HA/DR/BC. Describe capabilities for backups/restores, and high availability, disaster recovery, and business continuity.
Response Code: C
Vendor Response: Appliance-based BeyondInsight/PowerBroker Password Safe deployments provide for HA/DR/BC natively. In the case of active/passive deployment, a load balancer is typically used to direct traffic to the active node of an asynchronous pair of appliances. Databases are replicated in real-time between appliances. In the case of active/active deployments there is complete appliance redundancy; the database is external and must be configured for HA as part of the SQL AlwaysOn Availability Group configuration.

2.4 Application language/framework.
Describe the application languages/frameworks that were used to develop the solution.
Response Code: C
Vendor Response: BeyondTrust uses a wide variety of development languages for our products. Password Safe uses .NET (C#), SQL, Javascript, ActionScript, Silverlight, HTML5/CSS, C++, and C. Our database layer is comprised of C# and SQL, and has been internally developed with goals of scalability and wide platform support.

2.5 Security/encryption. Describe how the application, database/vault, and connections are secured.
Response Code: C
Vendor Response: By default, all communications to/from BeyondInsight/PowerBroker Password Safe systems are encrypted (HTTPS/SSL/SSH). All sensitive data is AES256 encrypted within the database, as are all session recordings. The appliances are fully hardened to DISA gold standards and contain built in endpoint protection mechanisms to isolate internals. Access to the operating system can be configured to require BeyondTrust support intervention. All product and operating system updates are provided via online/air-gapped mechanisms.

2.6 Relationships and dependencies. Describe any relationships between individual components of the proposed solution, and any dependencies or constraints that exist within or outside of the proposed solution. For instance, is it host-based or gateway based? Does it require middleware, appliances, plug-ins, etc.?
Response Code: C
Vendor Response: No outside software, agents, etc. are required to deploy BeyondInsight/PowerBroker Password Safe. While not a requirement or a dependency, already having Active Directory (or any LDAP-based solution) in place can make the setup, management, and administration of the environment much more maintainable over time. The appliances are supplied ready to run; all software is preinstalled including console, reporting, and scanner. For active/passive, no external software is required; for active/active, an external SQL AlwaysOn Availability Group is required.

2.7 Authentication/authorization.
Describe protocols and methodologies that can be used to authenticate and authorize users, for login to and use of the proposed solution.
Response Code: C
Vendor Response: BeyondInsight/PowerBroker Password Safe provides a feature-rich web-based interface that users access to request system-level connections. Authentication mechanisms currently include Active Directory, LDAP, and any RADIUS servers (for two-factor authentication). Additionally, we can expose powerful APIs for BeyondInsight/PowerBroker Password Safe for applications to make authentication requests to the system.

2.8 Authentication/Authorization for Application. Please describe the method utilized for Application Authentication, i.e. Database Connection String, Web Application, etc. Is there an API for the PAM solution?
Response Code: C
Vendor Response: BeyondInsight/PowerBroker Password Safe has a RESTful API interface that may be accessed directly, or through optional cache components that provide persistent storage of credentials or redundancy, scalability and reduction of latency. Authentication/Authorization is provided by group membership. Password Safe supports Active Directory, LDAP and local groups. Permissions are applied at the group level. Users accessing the system will have a resultant set of policy according to group membership. Local user accounts and groups are also supported for instances where external directories are not available and/or appropriate.

2.9 Patches and maintenance. Describe the frequency within which software revisions and updates are released for the proposed system, and any specifics related to processes or methodologies for their installation/testing/release.
Response Code: C
Vendor Response: All patches come from BeyondTrust. We QA them and package them up for delivery via SyncIT (online) or manually using the SUPI updater (this is an internal term for our upgrade engine). Minor product updates are provided 2-4 times per year, major updates approx. every 2 years.
Updates: The appliances come with the Enterprise Update Server.
When properly configured, it can be used to control updates to the appliance software provided and managed by BeyondTrust.
Operating System Updates: BeyondTrust reviews critical patches every month from Microsoft and issues updates to the appliances within 30 days. Note that many patches are mitigated due to the hardening of the appliance (server service disabled, etc.). All appliances are patched regardless, but the risk is minimal due to the appliance configuration and the DoD STIG Hardening Guidelines we follow.

2.10 User interface. Describe user interfaces for all portions of the proposed system. Are there any differences in UI delivery to different user bases (e.g. system administrators vs. other users, etc., thick vs. thin client, etc.)? Please discuss any compatibility or incompatibility limitations.
Response (C): There are three specific interfaces in the solution:
• BeyondInsight (admin UI used to configure systems, accounts and permissions) is based on Flex and requires Flash.
• The analytics and reporting interface requires Silverlight.
• The end user interface is HTML5 based.
Note that all interfaces are moving to HTML5 starting with analytics and reporting in July 2016. No client software is required.

2.11 Current Environment Compatibility. Compatibility with our current equipment and products. Please place a 'Y' in the appropriate column and supply additional details as requested. Please complete the Table below.
Response: See the table below.
2.11 (continued). Columns: Compatible No Issues | Compatible with Issues | Not Compatible | Known Issues (please supply details). Each product below carries one X in one of these columns.

Server:
• Microsoft Windows Server 2003: X
• Microsoft Windows Server 2008: X
• Microsoft Windows Server 2012: X
• Microsoft SQL Server 2008: X
• Microsoft SQL Server 2012 Enterprise: X
• VMware ESX Virtual Server Platform version 5-6: X
• Active Directory Schema Version 47 on Windows 2008 R2 or later: X
LDAP:
• LDAP Version 2.4.33: X
Network:
• Cisco IOS versions 12.x and 15.x: X
• Cisco NX-OS versions 6.x and 7.x: X
• Cisco IOS-XR versions 5.x: X
• Cisco IOS-XE version 3.x: X
• Cisco IOS versions 12.x and 15.x: X
VOIP:
• Cisco Unified Communications Manager 9.1.2.13900-10: X
• Cisco Unity Connection 9.1.2TT1.11900-2TT1: X
• Cisco IP IVR 9.0.2.10000-71: X
• Cisco Unified Contact Center Enterprise 9.0.1.0 Build 1454: X
• En House Interactive ARC Solutions: X
Other:
• Linux: SUSE SLES 12.1, RHEL 7: X
• Unix: HP-UX B.11.31: X
• Oracle 12.1: X
• SAP HANA 1.0: X
• SAP ERP 6.0: X
• SAP Netweaver ref-740: X
• IBM z/OS 1.13: X
• IBM z/OS 2.2: X
• ADABAS 7.4.4: X

3. DISCOVERY
The County of Sacramento is interested in robust automated discovery features to ensure that target systems/accounts are efficiently found and added with minimal effort. Please describe:
(Columns: Req ID | Requirement Description | Response Code | Vendor Response)

3.1 List of target systems. Provide a list of the systems, databases, devices, applications, etc. that can be auto-discovered and added into the proposed solution.
Response (C): BeyondInsight/PowerBroker Password Safe Discovery Scans can be scheduled to auto-discover and/or auto-onboard assets as they come onto the network.
• AIX
• IBMi (AS/400)
• HP-UX
• Linux
• MAC OSX
• Solaris
• Windows Desktop
• Windows Server
• Windows SSH
• Active Directory
• LDAP/LDAPS
• RACF
• Checkpoint
• Cisco
• Dell iDRAC
• BIG-IP (F5)
• HP iLO
• HP Comware
• Juniper
• Palo Alto Networks
• Fortinet
• SonicWall
• Oracle
• SQL Server
• MySQL
• Sybase
• Teradata
• VMware vSphere API
• VMware vSphere SSH
• SAP
• Amazon (AWS)
• Office 365
https://www.beyondtrust.com/wp-content/uploads/ds-pbps-platform-support.pdf?1455821522

3.2 Discovery speed and performance. Describe the speed at which discovery will run across a large environment (and the speed at which systems can be added) within the proposed solution. Describe any performance degradation that may occur on the network or on targets that are being scanned.
Response (C): Discovery scans can be adjusted to run according to a number of parameters, including total number of worker/scanner processes, number of targets scanned simultaneously, etc. These types of scans are very lightweight, and consume very little from a system time resource perspective.

3.3 Dependencies. Describe how dependencies are discovered and tracked. For password changes that require propagation across multiple files/locations, or password changes across linked systems which must have changes committed at the same time.
Response (C): Dependencies may automatically be discovered via scan, e.g. services. Managed accounts may be manually configured into cross-platform sync groups to ensure that passwords are propagated on a change event. The built-in custom platform connector allows changes to be pushed to applications/scripts on multiple platforms. Additionally, scripts may also be driven externally via the API interface to set, change, release or check in credentials.

4. MANAGING ACCOUNTS AND ASSETS
The County of Sacramento is interested in gaining security and efficiency in the management of privileged accounts and assets.
Please describe:

4.1 Adding privileged accounts/assets. Describe how accounts/assets are added into the proposed solution (especially if/when such additions are done outside of the discovery features as described above). Address the initial account import that would occur during implementation. Include Application Authentication and Access for Database Connection Strings, Web Based Applications and API utilization, if applicable.
Response (C): Managed assets and accounts may be added via auto-discovery using the included network scanner, added via file import, or added via the API interface.
For initial implementation, assets and accounts can be discovered and automatically added to Password Safe. Smart Rules allow conditional onboarding of items according to any discovered attribute/metadata. For example, any SQL Server instance on a particular network segment may be automatically onboarded, the SA password changed, and permissions set to the DBA group; the Smart Rule can even be configured to send email alerts on completion of onboarding events.
Systems and accounts may also be added via API. A2A and A2DB authentication is performed via a defined API-user account to provide access to the Password Safe REST interface.

4.2 Account types. Describe any differences between the types of accounts that can be managed. Is there any difference between "true" privileged accounts (e.g. Root, Administrator, etc.) and other shared service accounts (e.g. accounts used in application-to-application or application-to-database scenarios)?
Response (C): BeyondInsight/PowerBroker Password Safe can manage both "true" privileged accounts and shared service accounts. We do not differentiate between the two, as all configuration options exist for each managed account type (e.g. Windows, Linux, etc.).

4.3 Access delegation and control.
4.3.1 Employees.
Describe how end users (e.g. system administrators, developers, information security, etc.) gain access to privileged accounts. How is access granted, changed, controlled, etc.?
Response (C): End users access BeyondInsight/PowerBroker Password Safe via an HTML5 web interface. All requests are made, processed, approved, denied, monitored, and played back through this single web interface. The user's role determines which options are available to them upon login. Multiple authentication methods are available (Active Directory/LDAP/RADIUS/X.509/smart cards, etc.). Authorizations are built off a resultant set of policy based on the user's group membership.

4.3.2 3rd party contractors. Describe how 3rd party contractors/consultants gain access to privileged accounts. How is access granted, changed, controlled, etc.?
Response (C): PowerBroker Password Safe allows the dynamic assignment of just-in-time privileges via Adaptive Workflow Control, allowing organizations to lock down access to resources based upon the day, date, time, and location. By limiting the scope to specific runtime parameters, it narrows down the window of opportunity where someone might be exploiting misappropriated credentials. For example, if you normally expect the HVAC contractor to be logging on from particular systems, you can ensure that access is only permitted from predefined allowable IP address ranges. Similarly, you can set up policies to control when the accounts are accessible, and alert when specific access policies are invoked.

4.4 Contextual access. Describe if/how the proposed solution can limit access to accounts/assets based on rules such as user type, time of day, IP address of the computer that is attempting to make the access, etc.
Response (C): BeyondInsight/PowerBroker Password Safe's Adaptive Workflow Control and Access Policies allow you to control the day, the date, the time, and the location of how a given group of users access a given group of managed accounts. In this way, a user may be limited to certain accounts depending on when they log on and where they log on from. The policies can also determine the approval workflow. For example, firecall access in the middle of the night may be auto-approved whereas access in the day may require approval. Access policies can invoke email alerts when they are used.

4.5 Scalability. Describe any limit to the number of accounts, users, target devices, disparate data center locations, etc., that can be managed within the proposed solution.
Response (C): BeyondTrust's Professional Services group performs a detailed analysis of each customer's environment to determine the best product architecture to meet the business/technology need. At a high level, in an active/passive deployment model, the total number of managed accounts is determined by the size of the appliance purchased; in an active/active model, there is essentially no limit to scale, as additional appliances will add cumulative capacity to the infrastructure.

4.6 Policy management. Describe how any general policy management rules can be written and enforced within the proposed solution (outside of those already discussed above in Access, Delegation, and Control).
Response (C): Policy Management rules are applied by linking groups of users to groups of managed assets/accounts via a role-based access policy. Mechanisms exist to link Password Safe to external IdAM solutions whereby the external solution can provision the account and then call the Password Safe API to automatically add/manage/permission the account. Direct integration with solutions such as SailPoint will be available in July 2016.

4.7 Password Management

4.7.1 Password Management Overview. Describe how passwords are managed within the context of the proposed solution. Is there any difference between password changes for different account types (e.g. privileged accounts vs. shared service accounts)?
Response (C): BeyondInsight/PowerBroker Password Safe allows for both password management and schedule-based rotation. Services that run under the context of a service account can also be updated/recycled as required. Password changes only differ between platforms (Windows/Linux/Unix), not the classification/use of the accounts on the system.

4.7.2 Manual password changes. Describe if/how users can execute an immediate manual password change, including any requirements, notifications, etc.
Response (C): BeyondInsight/PowerBroker Password Safe administrators can issue an immediate password change on an account by account basis, or as part of an emergency mass password change to a group of accounts/all accounts. Passwords can also be automatically rotated as part of the session release process so that every time a password is released, it is unique.

4.7.3 Automated password changes. Describe if/how password changes can be automated.
Response (C): Password changes can be scheduled at any pre-determined interval. These intervals may be set on a system by system basis, account by account basis, or as part of a Smart Rule policy.

4.7.4 Propagation. Describe if/how passwords are propagated to configuration files (e.g. for service account credentials that must be embedded in configuration files, scripts, etc.).
Response (C): Password Safe managed account credentials may be propagated to configuration files via the API. Markers can be inserted into text files such as web.config, and sample scripts provided can locate and replace credentials upon password change. This process may be invoked externally, or via a custom platform push process.

4.7.5 Real time retrieval/binding. Does the proposed solution allow for real-time dynamic password retrieval (e.g. at runtime) for service accounts? If so, is this recommended? Describe the company's philosophy on real time retrieval vs. propagation of (encrypted) hard-coded passwords into configuration files.
Response (C): Yes, real-time password retrieval for service accounts is supported in BeyondInsight/PowerBroker Password Safe via API. PowerBroker Password Safe APIs provide developers with the option to completely eliminate the need for hard-coded passwords in configuration files (and propagate them as well). It is always recommended that hard-coded passwords be replaced with API calls where possible.

4.7.6 Ensuring accuracy. Describe how the proposed solution ensures that the passwords stored within it are accurate (e.g. what happens if a password is somehow changed outside of the purview of the proposed solution).
Response (C): BeyondInsight/PowerBroker Password Safe automatically checks accounts on a periodic basis to ensure that the password has not been changed via an external mechanism. If the password is different, Password Safe can invoke an immediate password change to bring the account in sync.

4.7.7 Password policy management. Describe how password policy rules are written and enforced. Describe if/how we can manage multiple rules (for instance, if we group our assets based on data that they store/access, can we apply different password policies to different groups to control settings such as complexity, aging, etc.)?
Response (C): BeyondInsight/PowerBroker Password Safe allows for the creation of multiple password rules to govern the differences between complexity requirements of different platforms. Each managed system and account may use different password rules and aging controls according to business/operating system stipulations.

4.7.8 Eliminating Admins' need to know/use passwords. To what extent can we eliminate end users' (e.g. system administrators, etc.) need to know/retrieve passwords (e.g. via session management, etc.)?
Response (C): BeyondInsight/PowerBroker Password Safe has an integrated session manager (at no extra charge) that can automatically log users onto resources without ever revealing the password, record all video and keystrokes for later playback, and allow real-time session monitoring, with options to remotely manage/disconnect active sessions.

4.8 Cloud applications. Describe if/how accounts for our hosted cloud applications can be managed within the proposed solution.
Response (C): BeyondInsight/PowerBroker Password Safe fully supports the management of cloud-based applications/services, including (but not limited to) AWS, Azure, Rackspace, IBM SmartCloud.

4.9 Remote/segregated accounts. Describe limitations or specifics related to management of accounts across different subnets, firewalls, remote devices, etc.
Response (C): BeyondInsight/PowerBroker Password Safe must have network connectivity to the managed asset (device) in order to effect password changes. Authentication requests are always serviced by the appropriate mechanism (local user repository, Active Directory, LDAP, etc.), not by PowerBroker Password Safe directly.

4.10 User experience. Please describe the user experience. The system should be inviting enough to encourage adoption.
Response (C): BeyondInsight/PowerBroker Password Safe provides a rich HTML-based user interface for both end users and administrators. The UI has been specifically designed such that a user can immediately be productive without recourse to training/job-aids. Features such as OneClick password and session launching make the process of accessing resources both intuitive and fast.
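The contextual-access rules described in 4.3.2 and 4.4 (a contractor restricted to known IP ranges during business hours, firecall access auto-approved at night, everything else requiring approval or denied) reduce to a small policy evaluator. The following is an added illustration by the editor, not BeyondTrust code and not its Access Policy model: the policy fields, group and network names, the sample policies and the fixed-offset "PST" zone are all assumptions made for the example.

```python
"""Contextual access policy: source network + day/time window + approval mode.

Added example; not BeyondTrust code. Policy fields, names, networks and the
fixed-offset zone below are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

ALL_DAYS = frozenset(range(7))   # Monday=0 ... Sunday=6
WEEKDAYS = frozenset(range(5))
PACIFIC = timezone(timedelta(hours=-8), "PST")   # assumed policy zone; fixed offset, no DST


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    user_groups: frozenset      # requester must belong to at least one of these
    account_groups: frozenset   # managed-account groups this policy covers
    networks: tuple             # allowed source networks (ip_network objects)
    days: frozenset             # local weekdays on which the policy applies
    start: time                 # window start, policy-local time
    end: time                   # window end; start > end means the window crosses midnight
    decision: str               # "auto_approve" or "require_approval"
    tz: timezone                # zone in which day and time are evaluated

    def matches(self, user_groups, account_group, source_ip, when):
        local = when.astimezone(self.tz)   # evaluate in the policy's zone, not the server's
        if not (self.user_groups & user_groups):
            return False
        if account_group not in self.account_groups:
            return False
        if not any(ip_address(source_ip) in net for net in self.networks):
            return False
        if local.weekday() not in self.days:
            return False
        t = local.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # e.g. 22:00-06:00 wraps past midnight


def evaluate(policies, user_groups, account_group, source_ip, when):
    """First matching policy decides; no match is a deny (default deny).

    `when` is an aware datetime or an ISO-8601 string carrying a UTC offset.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("request time must carry a timezone")
    groups = frozenset(user_groups)
    for policy in policies:
        if policy.matches(groups, account_group, source_ip, when):
            return policy.decision, policy.name
    return "deny", None


# Assumed sample policies; order matters because the first match wins.
SAMPLE_POLICIES = (
    AccessPolicy("hvac-contractor-business-hours", frozenset({"hvac-contractors"}),
                 frozenset({"bms-servers"}), (ip_network("10.20.30.0/24"),),
                 WEEKDAYS, time(7, 0), time(18, 0), "require_approval", PACIFIC),
    AccessPolicy("sysadmin-firecall-after-hours", frozenset({"sysadmins"}),
                 frozenset({"windows-servers"}), (ip_network("10.0.0.0/8"),),
                 ALL_DAYS, time(22, 0), time(6, 0), "auto_approve", PACIFIC),
    AccessPolicy("sysadmin-business-hours", frozenset({"sysadmins"}),
                 frozenset({"windows-servers"}), (ip_network("10.0.0.0/8"),),
                 WEEKDAYS, time(6, 0), time(22, 0), "require_approval", PACIFIC),
)

if __name__ == "__main__":
    requests = [
        (["hvac-contractors"], "bms-servers", "10.20.30.15", "2018-12-11T18:00:00+00:00"),  # Tue 10:00 PST
        (["hvac-contractors"], "bms-servers", "203.0.113.9", "2018-12-11T18:00:00+00:00"),  # outside the range
        (["sysadmins"], "windows-servers", "10.1.2.3", "2018-12-11T10:30:00+00:00"),         # Tue 02:30 PST
        (["developers"], "windows-servers", "10.1.2.3", "2018-12-11T22:00:00+00:00"),        # no policy
    ]
    for req in requests:
        print(req[0][0], req[2], req[3], "->", evaluate(SAMPLE_POLICIES, *req))
```

Two design points carry over to any real policy engine: the decision is made in the policy's own time zone (a request timestamped in UTC by a web front end is converted before the window check), and the absence of a matching policy is a deny rather than a fall-through to approval. A production deployment would use a tz-database zone so that DST moves the window with the clock.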
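4.7.4 and 4.7.7 above describe two halves of one rotation job: choose a new password that satisfies the target platform's rule, then push it into a configuration file such as web.config and confirm it landed. The block below is an added example by the editor of that pipeline; it is not BeyondTrust's sample script or API. The rule values, the sample web.config and the choice to match on the connection string's User ID (rather than a one-time placeholder marker) are assumptions for the illustration.

```python
"""Rotate a managed account's password under a per-platform rule and push it into
the web.config connection string that uses that account, atomically, then verify.
Added example; not BeyondTrust's script. Rule values, sample config and the
"match on User ID" convention are assumptions."""
import os
import secrets
import string
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

USER_KEYS = ("user id", "uid", "user")
PASSWORD_KEYS = ("password", "pwd")


@dataclass(frozen=True)
class PasswordRule:
    name: str
    min_length: int
    max_length: int
    symbols: str = "!#$%&()*+,-./:<=>?@[]^_{|}~"   # no ';' or quotes: they break connection strings
    forbidden: str = ""                             # characters the target platform rejects

    def check(self, pw):
        """Return the violated requirements; an empty list means the password complies."""
        problems = []
        if not self.min_length <= len(pw) <= self.max_length:
            problems.append("length")
        for label, test in (("upper", str.isupper), ("lower", str.islower), ("digit", str.isdigit)):
            if not any(test(c) for c in pw):
                problems.append(label)
        if not any(c in self.symbols for c in pw):
            problems.append("symbol")
        if any(c in self.forbidden for c in pw):
            problems.append("forbidden")
        return problems

    def generate(self, length=None):
        """Draw from the CSPRNG and rejection-sample until check() passes."""
        length = length or self.min_length
        alphabet = [c for c in string.ascii_letters + string.digits + self.symbols
                    if c not in self.forbidden]
        for _ in range(1000):
            pw = "".join(secrets.choice(alphabet) for _ in range(length))
            if not self.check(pw):
                return pw
        raise RuntimeError(f"rule {self.name} cannot be satisfied")


# Assumed per-platform rules (illustrative values, not any product's defaults).
WINDOWS_RULE = PasswordRule("windows-local-admin", 20, 127)
ORACLE_RULE = PasswordRule("oracle-db-account", 12, 30, symbols="_#$", forbidden="@/'\" ")


def _split_cs(cs):
    """'Server=x;User ID=y;Password=z' -> [['Server','x'], ...], order preserved."""
    return [[k.strip(), v] for k, _, v in (p.partition("=") for p in cs.split(";")) if k.strip()]


def _uses_account(pairs, account):
    return any(k.lower() in USER_KEYS and v == account for k, v in pairs)


def rewrite_connection_strings(xml_text, account, new_password):
    """Replace Password= in every connection string whose User ID is `account`.
    Matching on the account instead of a one-shot placeholder keeps the rewrite
    repeatable on the next rotation. Returns (new_xml_text, entries_updated)."""
    root = ET.fromstring(xml_text)
    updated = 0
    for add in root.iter("add"):
        pairs = _split_cs(add.get("connectionString", ""))
        if not _uses_account(pairs, account):
            continue
        for pair in pairs:
            if pair[0].lower() in PASSWORD_KEYS:
                pair[1] = new_password
                updated += 1
        add.set("connectionString", ";".join(f"{k}={v}" for k, v in pairs))
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), updated


def read_password(xml_text, account):
    """Return the password currently stored for `account`, or None if absent."""
    for add in ET.fromstring(xml_text).iter("add"):
        pairs = _split_cs(add.get("connectionString", ""))
        if _uses_account(pairs, account):
            return next((v for k, v in pairs if k.lower() in PASSWORD_KEYS), None)
    return None


def propagate(path, account, new_password):
    """Temp file in the same directory + os.replace, so readers never see a
    half-written config; mode 0600; then re-read to confirm the value landed."""
    with open(path, encoding="utf-8") as f:
        new_text, updated = rewrite_connection_strings(f.read(), account, new_password)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".web.config.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    with open(path, encoding="utf-8") as f:
        verified = read_password(f.read(), account) == new_password
    return updated, verified


# Constructed sample config; "OldP@ss1" is the value the rotation replaces.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Payroll" connectionString="Server=sql01;Database=Payroll;User ID=svc_payroll;Password=OldP@ss1;Encrypt=True" providerName="System.Data.SqlClient" />
    <add name="Audit" connectionString="Server=sql02;Database=Audit;User ID=svc_audit;Password=Unchanged!;Encrypt=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""


def demo():
    """Rotate svc_payroll in a scratch copy of the sample; returns what a job would log."""
    path = os.path.join(tempfile.mkdtemp(), "web.config")
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_WEB_CONFIG)
    updated, verified = propagate(path, "svc_payroll", WINDOWS_RULE.generate())
    with open(path, encoding="utf-8") as f:
        text = f.read()
    return {"updated": updated, "verified": verified, "old_gone": "OldP@ss1" not in text,
            "audit_untouched": read_password(text, "svc_audit") == "Unchanged!"}
```

The read-back at the end of propagate() is the file-side counterpart of the 4.7.6 check: the job reports success only when the value it can read back equals the value it set. Where the application can call the vault at start-up instead, the 4.7.5 route removes the file copy of the secret altogether and this rewrite is not needed.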
5. SESSION MANAGEMENT
The County of Sacramento is interested in understanding how privileged sessions within target assets (i.e. logins to servers and databases with privileged accounts by system administrators, etc.) can be managed. Please describe:

5.1 Restricting access to targets. Describe if/how privileged sessions to target systems can be forced to launch through the proposed solution rather than through direct access to the target.
Response (C): PowerBroker Password Safe provides a Session Management Proxy through which all connections can be terminated. Configuring the Access Policy to never release the actual password to the user (but rather provide a one-time session key for each connection request), connecting through the proxy then becomes the only path of access. For instances where you require users to access resources via known credentials, an Admin session feature allows a user to enter credentials to invoke the proxy; in this instance you would firewall off user direct access to managed systems.

5.2 Privileged accounts vs. named accounts. Describe any differentiation between system administrators logging in with a privileged account vs. logging in with their named user account.
Response (C): PowerBroker Password Safe provides full Role-Based Access Control functionality to support both shared and named accounts. A unique feature is the delegated admin mapping capability. Admins may be connected to their unique administrative accounts via a simple Smart Rule action. Full accountability and controls are built in to ensure that users cannot connect to other users' named accounts.

5.3 Session recording/playback. Please describe how sessions can be recorded and played back.
Response (C): PowerBroker Password Safe includes a proxy that connects the user to managed resources. It sits in the middle of the data stream and injects credentials without ever sending username, password, or hostname down to the desktop. The solution requires no client on either the server or the desktop, and allows the user to use native tools (MSTSC, PuTTY, Reflection, TeraTerm, MobaXterm, etc.).

5.4 Storage/archival/deletion. Please describe how recorded sessions are stored, archived, and deleted. Please discuss any compression or similar considerations given to the sizes and ages of the stored recordings.
Response (C): PowerBroker Password Safe provides the ability to configure the retention period of all data (including recorded sessions). Sizes of the recordings can vary depending on a number of factors. As a general rule, an SSH session will grow at ~20K/minute, while RDP sessions grow ~300K/minute. Recordings are stored on the appliance immediately after the session is completed. An archive server may be configured to automatically move recordings off the appliance according to age and available disk space.

5.5 Video of User Experience. Provide access to video of the user experience while performing Server, Database, and AD Administration duties.
Response (C): The sessions are recorded as full motion video. As well as operating systems, video recording can be made of access to any Windows or Unix/Linux application; for example, DBMS tools, web browsers, etc.

6. SECURITY, AUDITING, AND COMPLIANCE
The County of Sacramento is interested in increasing and ensuring overall security. Please describe:

6.1 Multi-factor authentication. Describe if/how the proposed solution supports multi-factor authentication (MFA).
Response (C): BeyondInsight/PowerBroker Password Safe supports RADIUS to leverage third party MFA components. Authentication may be configured such that different RADIUS servers can be invoked according to the user's credentials.

6.1.1 Multi-factor authentication: additional uses. If MFA is offered, can it also be used outside of the control of the PAM solution (i.e. if we want to implement MFA for non-privileged users on any given application, etc.)?
Response (CC): While Password Safe may use any third-party mechanism via the RADIUS connector, multi-factor authentication is not a built-in feature of the system.

6.2 Accuracy and currency. Describe if/how the proposed solution can determine when new accounts/targets have been attached to the network without having also been added into the proposed PAM system.
Response (C): BeyondInsight/PowerBroker Password Safe provides the ability to automatically detect new accounts/targets through the implementation of scheduled Detailed Discovery Scans. Any new accounts/systems can also be auto-onboarded as part of that process.

6.3 Pass-the-Hash. Please describe if/how the proposed solution can secure against Pass-the-Hash attacks.
Response (C): BeyondInsight/PowerBroker Password Safe provides users with a unique, time-limited session key for each approved request. The system credentials are never actually released to the end user.

6.4 Suspicious activity. Describe if/how the proposed solution can be used to detect and alert on suspicious activity on target systems. Does it provide for automatic termination of sessions based on suspicious activity?
Response (C): BeyondInsight/PowerBroker Password Safe provides live session monitoring via the Session Management Proxy. While user sessions can be monitored/locked/terminated remotely by an Administrator or InfoSec resource, no automatic termination function exists currently.

6.5 Reports. Provide a list of the reports that are available out of the box (including descriptions of each report's purpose). Please describe any warehousing methodologies/integration that may be required or may be available. Indicate whether third-party or extra-cost reporting tools are required or recommended (e.g. Crystal Reports, etc.).
Response (C): *Please reference the attached Report Book for more detailed information.

6.6 Audits. Describe how audits are performed against users, accounts, target systems, access, etc.
Response (C): BeyondInsight/PowerBroker Password Safe records all user activity in both the end user and administrator interfaces. Reports can be run against this information and used to answer internal/external audit-related inquiries.

6.7 SSH Key. Describe if/how the proposed solution can be used to manage SSH keys.
Response (C): With Password Safe, you can automatically rotate and synchronize keys according to a defined schedule and enforce granular access control and workflow to access SSH keys. Private keys that are stored in Password Safe can be leveraged to automatically log users onto Unix or Linux systems through the proxy with no user exposure to the key. SSH public keys may also be synchronized automatically. Whenever a new SSH key pair is generated, the new public key may be distributed to all hosts in the sync group. Password and SSH key synchronization makes it even easier for administrators to manage multiple account credentials with a scalable method that ensures adherence to password policy while maintaining security.

6.8 Other Security. Describe how the proposed system ensures any security not discussed above, including any auditing and compliance capabilities.
Response (C): BeyondInsight provides full traceability of activity both in the end user and administrative interfaces. All activity is recorded/logged for later review or audit as needed. Additionally, a full suite of compliance-related configuration baselines is available against which systems can be compared. All of this data is available through the Analytics & Reporting module.

7. INTEGRATION
The County of Sacramento is potentially interested in integration with a number of ancillary systems. Please describe:

7.1 IDENTITY ACCOUNT MANAGEMENT (IAM system). Describe any integration with any traditional Identity Account Management systems (e.g. provisioning system). Provide a list of partner products with which connectors are already written. To reiterate, the County of Sacramento has posted a separate, but parallel, RFP for an identity and access management solution to manage non-privileged accounts/systems.
Response (C): BeyondInsight/PowerBroker Password Safe can be integrated with most IdAM systems via post-processing callouts to the Password Safe API. SailPoint direct integration will be available in July 2016.
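The key rotation described in 6.7 (generate a new pair, distribute the new public key to every host in the sync group) is only safe when the old key is removed after the new one is confirmed on each host; otherwise one unreachable host locks the account out. The block below is an added example by the editor of that two-phase update of an authorized_keys file; it is not BeyondTrust code. The key material is a constructed fixture (arbitrary bytes in the SSH wire format, not a real key pair), the sample file is constructed, and running the two functions against each host's file is the distribution step the response refers to.

```python
"""Two-phase SSH public-key rotation in an authorized_keys file.
Added example; not BeyondTrust code. Key bytes and the sample file are constructed."""
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_line(keytype, *fields, comment="", options=""):
    """Assemble an authorized_keys line from raw wire fields (fixture builder)."""
    blob = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    parts = ([options] if options else []) + [keytype, base64.b64encode(blob).decode()]
    return " ".join(parts + [comment] if comment else parts)


def _tokens(line):
    """Whitespace split that keeps quoted option values such as from="a b" intact."""
    out, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted, cur = not quoted, cur + ch
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out


def parse_line(line):
    """Return (options, keytype, blob, comment), or None for blank/comment/invalid lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    toks = _tokens(s)
    for i, tok in enumerate(toks):
        if tok in KEY_TYPES and i + 1 < len(toks):
            try:
                blob = base64.b64decode(toks[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            return " ".join(toks[:i]), tok, blob, " ".join(toks[i + 2:])
    return None


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(key blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprints(text):
    return {fingerprint(p[2]) for p in map(parse_line, text.splitlines()) if p}


def stage_new_key(text, new_line):
    """Phase 1: install the new key next to the old one (deduplicated by fingerprint)."""
    new = parse_line(new_line)
    if new is None:
        raise ValueError("not a valid authorized_keys entry")
    if fingerprint(new[2]) in fingerprints(text):
        return text, False
    return text.rstrip("\n") + "\n" + new_line.strip() + "\n", True


def retire_old_key(text, old_fp, new_fp):
    """Phase 2: drop the old key, but only once the replacement is present on this host."""
    if new_fp not in fingerprints(text):
        raise RuntimeError("replacement key not installed; refusing to remove the old one")
    kept, removed = [], 0
    for line in text.splitlines():
        p = parse_line(line)
        if p and fingerprint(p[2]) == old_fp:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed fixture: 32 arbitrary bytes stand in for an Ed25519 public key.
OPTS = 'from="10.20.0.0/16",no-agent-forwarding'
OLD_LINE = make_line("ssh-ed25519", bytes(range(32)), comment="svc_deploy@pam-2018Q3", options=OPTS)
NEW_LINE = make_line("ssh-ed25519", bytes(range(32, 64)), comment="svc_deploy@pam-2018Q4", options=OPTS)
OLD_FP = fingerprint(parse_line(OLD_LINE)[2])
NEW_FP = fingerprint(parse_line(NEW_LINE)[2])
SAMPLE_AUTHORIZED_KEYS = ("# managed by the PAM sync group 'linux-web' (constructed sample)\n"
                          + OLD_LINE + "\n"
                          + make_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xab\xcd", comment="backup@nas") + "\n")

if __name__ == "__main__":
    staged, added = stage_new_key(SAMPLE_AUTHORIZED_KEYS, NEW_LINE)
    final, removed = retire_old_key(staged, OLD_FP, NEW_FP)
    print(f"added={added} removed={removed}\n{final}")
```

Keys are identified by fingerprint rather than by comment, because the comment is free text that an administrator may edit or omit. The `from=` option on the sample entries is the same source restriction that 4.3.2 applies to contractors, carried down to the host.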
7.2 ITSM integration. Describe any integration with any IT service management (ITSM) systems.
Response (C): BeyondInsight/PowerBroker Password Safe currently supports BMC Remedy and ServiceNow. CA Service Desk will be available in July 2016. HP ServiceDesk will be available H2 2016.

7.3 SIEM integration. Describe any integration with security information and event management (SIEM) systems. The County of Sacramento currently uses XXXXXX.
Response (C): BeyondInsight/PowerBroker Password Safe provides integration to any SIEM solution via SNMP and syslog forwarding.

ATTACHMENT 3
BeyondTrust Quote to County

BeyondTrust - VISIBILITY. KNOWLEDGE. ACTION.
Quote

BeyondTrust Software, Inc.
5090 North 40th Street, Suite 400
Phoenix, AZ 85018

Quote Expiration Date: 11/10/2018
Quote Number: 00107173
Account Name: County of Fresno
Prepared By: Adam Hendershot, Phone (818) 575-4039, Email ahendershot@beyondtrust.com
Contact Name: Craig Sensano, Phone (559) 600-5879, Email csensano@co.fresno.ca.us

Bill To: Account County of Fresno; Name Craig Sensano; 2281 Tulare Street, Fresno, CA 93721, UNITED STATES; Email csensano@co.fresno.ca.us
Ship To: Name Craig Sensano; 2281 Tulare Street, Fresno, CA 93721, UNITED STATES; Email csensano@co.fresno.ca.us

Product | Description | Unit Price (USD) | Discount | Discounted Unit Price (USD) | Quantity | Subtotal (USD)
PBPSADD-LIC | PowerBroker Password Safe with BeyondInsight License - Per Asset | 90.00 | 45.00% | 49.50 | 1,500.00 | 74,250.00
PBPSADD-Maint1stYR | PowerBroker Password Safe with BeyondInsight Maintenance - Per Asset | 18.00 | 45.00% | 9.90 | 1,500.00 | 14,850.00
PBPS-PSRE-PKG15 | PowerBroker Password Safe with BeyondInsight - Professional Services - Tier 3 Implementation Package | 37,500.00 | - | 37,500.00 | 1.00 | 37,500.00
PBWD-LIC | PowerBroker for Windows with BeyondInsight License | 28.00 | 45.00% | 15.40 | 500.00 | 7,700.00
PBWD-Maint1stYR | PowerBroker for Windows with BeyondInsight 1st Year Maintenance | 5.60 | 45.00% | 3.08 | 500.00 | 1,540.00
PBWS-LIC | PowerBroker Servers Windows Edition License | 119.00 | 45.00% | 65.45 | 950.00 | 62,177.50
PBWS-Maint1stYR | PowerBroker Servers Windows Edition 1st Year Maintenance | 23.80 | 45.00% | 13.09 | 950.00 | 12,435.50
PBWD-PSRE-PKG15 | PowerBroker Desktop with BeyondInsight - Professional Services - Tier 3 Implementation Package | 37,500.00 | - | 37,500.00 | 1.00 | 37,500.00
PBULE-LIC | PowerBroker Server Essentials for Unix/Linux with BeyondInsight - License | 333.00 | 45.00% | 183.15 | 50.00 | 9,157.50
PBULE-Maint1stYR | PowerBroker Server Essentials for Unix/Linux with BeyondInsight - 1st Year Maintenance | 66.60 | 45.00% | 36.63 | 50.00 | 1,831.50
PBULE-PSRE-PKG5 | PowerBroker Server Essentials for Unix/Linux with BeyondInsight - Professional Services - Tier 1 Implementation Package | 12,500.00 | - | 12,500.00 | 1.00 | 12,500.00
UVM20V-HW | Unified Vulnerability UVM20 Virtual Appliance | 10,235.00 | 30.00% | 7,164.50 | 2.00 | 14,329.00
UVMVT-DGR-SHIP | UVM Virtual Appliance Shipping and Handling - Domestic FedEx Ground | 20.00 | - | 20.00 | 2.00 | 40.00
PBPS-PSFN-VILT | PowerBroker Password Safe - Foundations - Virtual ILT - Per Student | 750.00 | - | 750.00 | 10.00 | 7,500.00
PBWD-PSFN-VILT | PowerBroker Windows - Foundations - Virtual ILT - Per Student | 750.00 | - | 750.00 | 5.00 | 3,750.00
PBUL-PSFN-VILT | PowerBroker Unix/Linux - Foundations - Virtual ILT - Per Student | 750.00 | - | 750.00 | 5.00 | 3,750.00

Total Sales Price: USD 300,811.00

Description: This discount is in service to a deal tendered by December 21, 2018.

REV 072512 CONFIDENTIAL

Quote and Terms and Conditions agreed to and accepted by:
County of Fresno: By:  Name:  Title:  Date:
BeyondTrust Software, Inc.: By:  Name:  Title:  Date:
PO Required: Yes or No   PO Number:
Tax Exempt: Yes or No (If Yes, Please Attach copy of Certificate)   Tax Exempt #:

Terms and Conditions: Prices are exclusive of and Purchaser is responsible for all VAT, use and equivalent, and withholding taxes, and taxes which may be applicable to online transactions in Purchaser's state, however designated, and for shipping and handling, customs and duties. All sales are final. Payment terms are Net 30 unless otherwise stated in BeyondTrust's invoice. Currency is US dollars unless otherwise indicated. This Quote will become a binding order upon Purchaser's signature, which constitutes Purchaser's commitment to purchase pursuant to the terms and conditions of the Reference Agreement if indicated above, or if none is indicated, BeyondTrust's Standard Terms (either, the "Agreement"). Purchaser acknowledges that the Agreement has been made available to Purchaser along with this Quote, via BeyondTrust's website at http://www.beyondtrust.com/agreements/standardterms.pdf, or otherwise. This Quote and the Agreement are intended by the parties as the final declaration of their agreement with respect to the subject matter hereof and may not be contradicted by evidence of any prior or contemporaneous agreement. Purchaser's PO serves solely as a confirmation of Purchaser's commitment to pay; PO terms and conditions are not otherwise binding.

Professional Services Terms & Conditions: If Customer fails to utilize any portion or all of the services within one hundred and eighty (180) days of Customer's signature on this quote, the services shall automatically expire, allowing BeyondTrust to recognize them as complete. Fees paid for services that Customer fails to utilize are not refundable. If Customer cancels or reschedules an Engagement less than five (5) business days before it is scheduled to begin, Customer shall (a) forfeit purchased days equal to 50% of scheduled Engagement delivery time and (b) reimburse BeyondTrust for any non-refundable travel expenses incurred by BeyondTrust related to the Engagement. If Customer cancels any portion of an Engagement once the Engagement has begun, Customer shall (a) forfeit purchased days equal to 100% of scheduled Engagement delivery time and (b) reimburse BeyondTrust for any non-refundable travel expenses incurred by BeyondTrust related to the Engagement.

ATTACHMENT 4
Password Safe Implementation Package
PROFESSIONAL SERVICES
BeyondTrust - VISIBILITY. KNOWLEDGE. ACTION.

Contents
Implementation Plan Overview (p. 2)
Tier 1 Implementation Package (p. 3)
Tier 1 Recommended Architecture (p. 5)
Tier 2 Implementation Package (p. 6)
Tier 2 Recommended Architecture (p. 8)
Tier 3 Implementation Project (Custom SoW) (p. 9)
Tier 3 Recommended Architecture (p. 11)
About BeyondTrust (p. 12)

PowerBroker Password Safe + PowerBroker for Desktops Implementation Packages
1 © 2018 BeyonclTrust Software, Inc. T BeyondTrust- VISIBILITY. KNOWLEDGE. ACTION. Implementation Plan Overview BeyondTrust° offers three professional services bundled package options for PowerBroker° Password Safe®(PBPS) + PowerBroker for Windows (PBW) & PowerBroker for Mac (PBMac). Our packages are designed to fit your preferred deployment technology and project scope. Summarized below are the steps required for each services tier to achieve a successful deployment outcome. We'll help you determine which tier will work best for you. • Tier 1: PowerBroker for Desktops for retrieval of passwords only (Run As) from PowerBroker Password Safe • Tier 2: PowerBroker Password Safe with PowerBroker for Desktops integration • Tier 3: PowerBroker Password Safe and PowerBroker for Desktops with distributed components (partner only) (approx. days*10 I on scope) Frofessional Services Criteria Install Beyondlnsight UVM Appliances(minimum 2 for High Availability) ✓ ✓ ✓ Install PowerBroker for Desktops client using AD or McAfee ePO policy ✓ ✓ ✓ Configure Active/Passive High Availability(HA)configuration (appliance only) ✓ ✓ ✓ Configure Active/Active High Availability(HA)configuration (appliance only) ✓ ✓ Agent based password changes for accounts or services ✓ ✓ Install Beyondlnsight and Password Safe as software (server hardening ✓ optional) Configure Active/Active High Availability(HA)configuration (software) ✓ Configure remote event collectors and/or worker nodes ✓ Assist with load balancers for event collectors ✓ Rule requirements with strict privileges or custom tokens to include ✓ application control (whitelisting or blacklisting policies) Custom dialogues, localization, or multifactor support ✓ f rofessional Services Tasks wr wr wmms Integrate Beyondlnsight with Active Directory(AD) ✓ ✓ ✓ Create PBW deployment packages using MSIs ✓ ✓ ✓ Configure PBW ADMX and policy settings ✓ ✓ ✓ Create Assets based on import,manual creation,or discovery ✓ ✓ ✓ Create functional accounts for 
managed assets ✓ ✓ ✓ PowerBroker Password Safe+PowerBroker for Desktops Implementation Packages 2 © 2018 BeyondTrust Software, Inc. �;_ BeyondTrust­ VISIBILITY. KNOWLEDGE. ACTION. (approx. •• • 10 days* 15 days dependent In I on ••e Create policies based on Beyondlnsight events(computer or user within AD or ✓ ✓ ✓ central policy) Create policies based on rules library ✓ ✓ ✓ Create risk compliance rules ✓ ✓ ✓ Create"Run As" rules for agent-based privileged elevation ✓ ✓ ✓ Configure RBAC with MFA support(RADIUS) ✓ ✓ Configure item level targeting per rule/group ✓ ✓ Configure cloud connectors ✓ ✓ Create custom user and/or computer rules ✓ ✓ Create file integrity,session monitoring,and Windows event log rules ✓ ✓ Windows Remote App Server with Autolt Scripts ✓ ✓ Integrate with external ticketing and/or connect HSM,SEIM or other supported ✓ ✓ third-party solutions(must specify) Integrate with IAM and/or other third-party applications ✓ Create custom platform connector ✓ Create custom dialogues, localization and messages ✓ Assist with API development ✓ Remote session archiving ✓ Single sign-on integration ✓ Training and Knowledge Transfer 1W rp or 0 Provide knowledge transfer for daily maintenance of PBPS, PBW, PBMac ✓ ✓ ✓ Provide online virtual based training to prepare for the implementation ✓ ✓ ✓ Provide onsite classroom based training to supplement the implementation optional *Days are intended to denote approximate duration of implementation rather than a purchase of time Tier 1 Implementation Package PowerBroker for Desktops for retrieval of passwords only(Run As)from PowerBroker Password Safe (Normal deployment timeframe: Ten (10) business days) 1) Deployment Scope a. Beyond lnsight° appliance deployment and configuration b. Beyondlnsight analytics and reporting—deployment and configuration c. 
PowerBroker for Desktops (Windows & Mac) deployment & configuration PowerBroker Password Safe+PowerBroker for Desktops Implementation Packages 3 © 2018 BeyondTrust Software, Inc. BeyondTrustT" VISIBILITY. KNOWLEDGE. ACTION. d. Privilege management policy configuration and deployment (Active Directory or ePO) e. PowerBroker Password Safe i. Automated password management ii. Session Management (SSH & RDP session policy access) 2) Deployment Architecture a. Physical or virtual appliance only for Beyondlnsight (maximum 3 appliances—2 PBPS) b. 2 nodes set up in Active/Passive High Availability model for Password Safe c. PowerBroker for Desktop agents (up to 2,500 assets) d. Assets will be imported from Active Directory (AD) or optional discovery scan (up to 2,500 assets) 3) Access Policy Management a. Up to 5 distinct password access policies defined for select roles for PowerBroker Password Safe managed assets b. Up to 5 session management access policies using standard SSH or RDP protocols for PowerBroker Password Safe 4) Privilege Policy Management a. Up to 5 distinct asset policies for least privilege delegation and reporting b. Up to 5 distinct least privilege rules from the rules library c. Up to 5 distinct risk compliance rules 5) Standard Connectors a. AD integration with up to 1 forest and 3 domains for User, Group and Computer discovery, or LDAP integration to a single LDAP server 6) Add-on Options a. Session management—application proxy (not included with Tier 1) b. Application-to-Application API (not included with Tier 1) c. Custom Platform (not included with Tier 1) d. Session recording policy configuration, deployment and training (not included in Tier 1) e. File integrity configuration, deployment and training (not included in Tier 1) f. Event monitoring policy configuration, deployment and training (not included in Tier 1) 7) Training a. Deployment and best practice knowledge transfer b. Virtual training class—2 seats c. 
Optional 2-day on-site training available for purchase PowerBroker Password Safe+PowerBroker for Desktops Implementation Packages 4 © 2018 BeyonclTrust Software, Inc. T BeyondTrust- VISIBILITY. KNOWLEDGE. ACTION. TIER 1 RECOMMENDED ARCHITECTURE PowerBroker for Desktops for retrieval of passwords only(Run As)from PowerBroker Password Safe Legend 1.BI/PBPS web Interface access over HTTPS 2.Database Mirroring 3.Heartbeat for detection of availability 4.Various ports used for APM 5.Unsecured AD I I DAP Integration 6,Secured AD I I DAP Integration 7.Unsecured AD DC Discovery 8.Domain Account Management TCP/4422" 9.Kerberos Tickets issued on behalf of AD ILDAP 10.Kerberos Password Changes TCP/443' 11,DNS Ioo kups 12.Proxled connection from Fnd-User to PBPS 13.Proxied connection from PBPS to Target 14.System/User that may Create/Edit/Delete(CEO)PBD Policy via either Group Policy,Central Policy,or ePO �TCP/4489i 15.CED PBW Group Policy for Rules/Settings 16.CED PBW I PBMac Central Policyfor Rules/Settings End-User 17,CED PBW ePO for Rules/Settings 18.Rules/Settings pushed via Group Policy 19.Rules/Settings pushed via Central Policy 20.Rules/Settings pushed via ePO 21.PBW events aggregated into ePO 22 PBW,PBMac everts aggregated into Beyondlnsght 23.Review events aggregated into Beyondlnsght NOTF:This can apply for any po Icy modality chosen 24.Chooseone of thethree policy deployment modality options:GP(15/18)1 CP(16/19)I ePO(17/20/21) load Balancer NOTE:If PBMac is intended to be deployed,Central Polity must be chosen as the deployment modality 25.Create PBW deployment packages using MSIs 26,"Run As"rules for agent-based privilege elevation TCP/4489" PBD Policy Editor Administrator&System TCP/443' TCP/8443' — TCP/44323� TCP/4422" Mutually exclusive in this Tier" T--- I i GP' i i I--—',_---- ———„_--_-1 1 I I 1 TCP/44316 1 1 I UDP/3W9 ',TCP/636`A,(TCPI UDP)/Se I l I I I I (TCPIUDP)/46410,UDP/53" ! 
Tier 2 Implementation Package
PowerBroker Password Safe with PowerBroker for Desktops Integration
(Normal deployment timeframe: Fifteen (15) business days)
1) Deployment Scope
   a. BeyondInsight appliance deployment and configuration
   b. BeyondInsight analytics and reporting deployment and configuration
   c. PowerBroker for Desktops (Windows & Mac) deployment and configuration
      i. Privilege management policy configuration and deployment (AD or ePO)
      ii. Application control policy configuration and deployment
      iii. Session recording policy deployment and configuration
      iv. File integrity policy deployment and configuration
      v. Event monitoring policy deployment and configuration
   d. PowerBroker Password Safe
      i. Automated password management
      ii. Session Management (SSH & RDP session policy access)
      iii. Windows terminal server remote application support
2) Deployment Architecture
   a. Physical or virtual appliance only for BeyondInsight (maximum 5 appliances, 3 PBPS)
   b. 3 nodes set up in an Active/Active High Availability model for Password Safe, appliance only, deployed in up to 3 data center locations (client is responsible for providing a MS SQL database environment); optional Active/Passive configuration, appliance only
   c. PowerBroker for Desktops agents (up to 5,000 assets)
   d. Optional HSM integration (Gemalto or Thales)
   e. Assets will be imported from Active Directory (AD) or an optional discovery scan (up to 5,000 assets)
3) Access Policy Management
   a. Up to 5 distinct RBAC roles for solution and system access
   b. Up to 5 distinct password access policies defined for select roles for PowerBroker Password Safe managed assets
   c. Up to 5 session management access policies using standard SSH or RDP protocols for PowerBroker Password Safe
   d. Up to 5 session management rules for Windows screen capturing
4) Privilege Policy Management
   a. Up to 5 distinct asset policies for least privilege delegation and reporting
   b. Up to 10 distinct least privilege custom rules
   c. Up to 3 distinct file integrity rules enabled from the library
   d. Windows application support with AutoIt scripts (1 application)
   e. Up to 5 distinct risk compliance rules
5) Standard Connectors
   a. AD integration with up to 1 forest and 3 domains for User, Group and Computer discovery, or LDAP integration to a single LDAP server
   b. MFA: RADIUS integration for Password Safe access (1 provider)
   c. Configure up to 2 auto-managed cloud connectors
6) Add-on Components
   a. Session management application proxy (not included in Tier 2)
   b. Application-to-Application API (not included in Tier 2)
   c. Custom Platform (not included in Tier 2)
7) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class: 2 seats
   c. Optional 2-day on-site training available for purchase

TIER 2 RECOMMENDED ARCHITECTURE
PowerBroker Password Safe with PowerBroker for Desktops Integration
[Architecture diagram. Legend items 1 and 4 through 26 are as in the Tier 1 architecture, with the following changes and additions: 2. Database communication between BI nodes and the SQL AlwaysOn Availability Group; 3. Hardware Security Module integration; 27. Agent-based password changes via PBPS/PBW integration; 28. MFA via RADIUS; 30. AlwaysOn is optional and can revert to an Active/Passive pair; 31. Credential injection to thick client, website, or cloud account. Components shown: End-User, PBD Policy Editor, Administrator & System, UVM appliances behind a load balancer, Active Directory, ePO Server + PBW Extension, HSM, McAfee Agent / PBW clients, a SQL AlwaysOn Availability Group with primary and secondary replicas across DC1 and a DR site, and managed targets (Windows, Linux, MSSQL, Oracle). Default ports are as in the Tier 1 architecture, plus TCP/1433 between the BI nodes and the SQL replicas.]
Tier 3 Implementation Project (Custom SoW)
PowerBroker Password Safe and PowerBroker for Desktops with distributed components
1) Deployment Scope
   a. BeyondInsight appliance deployment and configuration
   b. BeyondInsight analytics and reporting deployment and configuration
   c. PowerBroker for Desktops (Windows & Mac) deployment and configuration
   d. Privilege management policy configuration and deployment (AD or ePO)
      i. Application control policy configuration and deployment
      ii. Session recording policy deployment and configuration
      iii. File integrity policy deployment and configuration
      iv. Event monitoring policy deployment and configuration
   e. PowerBroker Password Safe
      i. Automated password management
      ii. Session Management (SSH & RDP session policy access)
      iii. Windows terminal server remote application support
2) Deployment Architecture
   a. Physical or virtual appliance for BeyondInsight (5 appliances or more); optional software installation of BeyondInsight (server hardening optional)
   b. Multiple nodes set up in an Active/Active High Availability model for Password Safe, appliance or software model, deployed in up to 3 data center locations (client is responsible for providing a MS SQL database environment); optional Active/Passive configuration, appliance only
   c. PowerBroker for Desktops agents (more than 5,000 assets)
   d. Optional load balancers for event collectors and/or worker nodes
   e. Optional HSM integration (Gemalto or Thales)
   f. Configure remote session monitor archiving (PBPS only)
   g. Assets will be imported from Active Directory (AD) or an optional discovery scan (more than 5,000 assets)
3) Access Policy Management
   a. Up to 5 distinct RBAC roles for solution and system access
   b. Up to 5 distinct password access policies defined for select roles for Password Safe managed assets
   c. Up to 5 session management access policies using standard SSH or RDP protocols for PBPS
   d. Up to 5 session management rules for Windows screen capturing
   e. Up to 5 distinct rules for automated SSH key management
   f. Up to 1 API script implementation sample and training
4) Privilege Policy Management
   a. Up to 5 distinct asset policies for least privilege delegation and reporting
   b. Up to 15 distinct least privilege custom rules (allow for custom tokens)
   c. Up to 3 distinct application rules enabled with session recording from the policy library
   d. Up to 3 distinct file integrity rules enabled from the policy library
   e. Windows application support with AutoIt scripts (3 applications)
   f. Up to 3 custom messages and localization
   g. Up to 5 distinct risk compliance rules
5) Standard Connectors
   a. AD integration with up to 1 forest and 3 domains for User, Group and Computer discovery, or LDAP integration to a single LDAP server
   b. MFA: RADIUS integration for Password Safe access (1 provider)
   c. Configure up to 1 database platform for local database account management
   d. Configure up to 2 auto-managed cloud connectors
   e. Create custom platform connector
6) You Pick: Choose from the Following
   a. Ticketing integration for Dynamic Access Policy access (select 1 provider from the list of certified vendors)
   b. Single Sign-On integration (select 1 provider from the list of certified vendors)
   c. Application-to-Application API
   d. SailPoint role integration (STI)
7) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class: 2 seats
   c. Optional 2-day on-site training available for purchase
TIER 3 RECOMMENDED ARCHITECTURE
PowerBroker Password Safe and PowerBroker for Desktops with distributed components
[Architecture diagram. Legend items 1 through 31 are as in the Tier 2 architecture, with: 32. Offload of recorded sessions to an Archive Server; 33. Integration with IAM. Components shown: End-User, PBD Policy Editor, Administrator & System, Archive Server, UVM appliances and remote event collectors behind load balancers, Active Directory, ePO Server + PBW Extension, HSM, IAM, McAfee Agent / PBW clients, a SQL AlwaysOn Availability Group with primary and secondary replicas across DC1 and a DR site, and managed targets (Windows, Linux, MSSQL, Oracle). Default ports are as in the Tier 1 and Tier 2 architectures.]

About BeyondTrust
BeyondTrust is the worldwide leader in Privilege-Centric Security, offering the most seamless and straightforward approach to preventing data breaches related to stolen credentials, hijacked insider accounts, and misused privileges. Our privileged access management platform is the most extensible on the market, enabling organizations to easily scale their privilege security programs as threats evolve across endpoint, server, cloud and network device environments. Only BeyondTrust unifies the industry's broadest set of built-in capabilities with centralized management, reporting and analytics, empowering leaders to take decisive and informed actions to defeat attackers. This is backed by a flexible design that simplifies integration with other best-of-breed solutions and boosts the value of our customers' IT security investments. With BeyondTrust, organizations gain the visibility and control they need to confidently reduce risk, maintain productivity, and stay out of the headlines. We are trusted by over 4,000 customers and a global partner network. Learn more at www.beyondtrust.com.

ATTACHMENT 5
Unix and Linux Implementation Package
PROFESSIONAL SERVICES
BeyondTrust VISIBILITY. KNOWLEDGE. ACTION.
Contents
Implementation Plan Overview ..... 2
Tier 1 Implementation Package ..... 3
Tier 1 Recommended Architecture ..... 4
PBUL - Tier 2 Implementation Package ..... 5
Tier 2 Recommended Architecture ..... 6
PBUL - Tier 3 Implementation Package ..... 7
Tier 3 Recommended Architecture ..... 8
PBUL - Tier 4 Implementation Project (Custom SoW) ..... 9
Tier 4 Recommended Architecture ..... 10
About BeyondTrust ..... 11
PowerBroker for Unix & Linux Implementation Packages   1   © 2018 BeyondTrust Software, Inc.

Implementation Plan Overview
BeyondTrust® offers four professional services package options for PowerBroker® for Unix & Linux (PBUL) or PowerBroker® for Unix & Linux Essentials (PBULE). Our packages are designed to fit your preferred deployment technology and project scope. Summarized below are the steps required for each services tier to achieve a successful deployment outcome. We'll help you determine which tier will work best for you.
• Tier 1: Basic installation with distributed architecture
• Tier 2: Two (2) separate policy and log servers in a High Availability configuration
• Tier 3: Up to four (4) separate policy and log servers in a High Availability configuration
• Tier 4: More than four (4) separate policy and log servers in a High Availability service group

Tier 1 (T1): approx. 5 days*   Tier 2 (T2): approx. 10 days*   Tier 3 (T3): approx. 15 days*   Tier 4 (T4): dependent on scope

T1 T2 T3 T4  Professional Services Criteria
 ✓  ✓  ✓  ✓  Basic environment installation with distributed architecture
 ✓  ✓  ✓  ✓  Installation of PowerBroker Server Management Console (PBSMC)
 ✓  ✓  ✓  ✓  Initial policy assistance using role-based policy via PBSMC
 2  2  4 >4  Multiple Policy and Log Servers (up to ...)
 ✓  ✓  ✓  ✓  Role based policy
 -  ✓  ✓  ✓  Script based policy***
 -  -  ✓  ✓  File integrity monitoring***
 -  -  -  ✓  Advanced audit policy***
 -  ✓  ✓  ✓  Integrate with BeyondInsight for centralized management
 -  -  -  ✓  Automation of client deployment for DevOps***

T1 T2 T3 T4  Professional Services Tasks
 ✓  ✓  ✓  ✓  Installation of client and management components
 ✓  ✓  ✓  ✓  Initial administrator policy and assignment
 -  ✓  ✓  ✓  High Availability architecture and setup of management components
 -  ✓  ✓  ✓  Installation and integration of BeyondInsight
 -  ✓  ✓  ✓  Installation of Solr for keystroke log indexing
 -  ✓  ✓  ✓  Integration into a supported SIEM** vendor
 -  -  ✓  ✓  Integration with a supported ticketing system
 -  -  -  ✓  Registry name services
 -  -  -  ✓  Automation of client deployment via package installers

T1 T2 T3 T4  Training and Knowledge Transfer
 ✓  ✓  ✓  ✓  Provide knowledge transfer for daily maintenance of PBUL
 ✓  ✓  ✓  ✓  Provide online virtual based training to prepare for the implementation
(optional)   Provide onsite classroom based training to supplement the implementation

*Days are intended to denote approximate duration of implementation rather than a purchase of time.
**Integration is limited to forwarding data and does not include SIEM rule creation.
***Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).
Tier 1 Implementation Package
Basic installation with distributed architecture
(Normal deployment timeframe: Five (5) business days)
1) Deployment Scope
   a. PowerBroker for Unix & Linux policy server deployment
   b. PowerBroker for Unix & Linux log server deployment
   c. PowerBroker for Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
2) Deployment Architecture
   a. Up to 2 servers running both policy and log, configured in HA/failover
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role-based policy via PBSMC
3) Privilege Management
   a. Up to 3 distinct privilege policies defined within the PBSMC interface*
   b. Up to 2 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 2 distinct advanced audit policies defined within the PBSMC interface***
4) Add-on Components
   a. PowerBroker for Unix & Linux integration with a supported SIEM vendor (not included in Tier 1)
   b. PowerBroker for Unix & Linux integration with a supported ticketing system vendor (not included in Tier 1)
5) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class: 1 seat
   c. Optional 2-day on-site training available for purchase

*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be performed on a best effort and time permitting basis.
***Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).
TIER 1 RECOMMENDED ARCHITECTURE
Basic installation with distributed architecture
Legend
1. Policy Server controls access based on the policy defined
2. Log Server records events/keystrokes
3. Submit Host to Policy Server; will failover to the other Policy Server as needed
4. Policy Server to Run Host
5. (Run Host | Policy Server) to Log Servers; will failover to the other Log Server as needed
6. Access PBSMC over web interface
7. (Windows | Linux) server that may centrally manage PBUL installs, licenses, and policy
8. Via privileged (sudo | su | pbrun | root) access, discover/install/uninstall/upgrade/profile PBUL clients
9. REST API to configure policy, settings or retrieve data
[Architecture diagram: User, PBSMC, a pair of Policy/Log servers, UNIX clients (AIX, HP-UX) and Linux clients (RHEL, SLES, Ubuntu, CentOS, Debian, Oracle Linux) plus OS X. Default ports labelled on the diagram: TCP/8443 (PBSMC web interface), TCP/22 (PBSMC to clients), and TCP/24345, TCP/24346, TCP/24347 and TCP/24351 for the PBUL policy, run host, log and REST flows.]
Note: Policy and Log Servers do not need to be on the same box.
Note: The majority of these ports are customizable; defaults are shown.

PBUL - Tier 2 Implementation Package
Two (2) separate Policy and Log Servers in a HA configuration
(Normal deployment timeframe: Ten (10) business days)
1) Deployment Scope
   a. PowerBroker for Unix & Linux policy server deployment (HA architecture)
   b. PowerBroker for Unix & Linux log server deployment (HA architecture)
   c. PowerBroker for Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
   e. BeyondInsight IT Risk Management Console deployment
2) Deployment Architecture
   a. Up to 2 servers running both policy and log, configured in HA/failover
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role-based policy via PBSMC, or optional hybrid native and PBSMC; optional script-based policy
3) Privilege Management
   a. Up to 3 distinct privilege policies defined within the PBSMC interface*
   b. Up to 2 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 2 distinct advanced audit policies defined within the PBSMC interface***
4) Included Components
   a. PowerBroker for Unix & Linux integration with a supported SIEM** vendor
5) Add-on Components (requires a higher tier)
   a. PowerBroker for Unix & Linux integration with a supported ticketing system vendor (not included in Tier 2)
6) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class: 2 seats
   c. Optional 2-day on-site training available for purchase

*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be performed on a best effort and time permitting basis.
**Integration is limited to forwarding data and does not include SIEM rule creation.
***Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).
TIER 2 RECOMMENDED ARCHITECTURE Two (2)Separate Policy and Log Servers in a HA configuration Legend 1,Policy Server controls access based on policy Mined 2 Log Server records events/keystrokes 3.Submit Host to Policy%erven-will faikrver to other Policy Servers as needed 4.Pokey Server to Run Host S.(Run Hostl Policy Server)to log Servers-will farlover to other log Servers as needed 6.Access PBSM(over web Interface 7.(Windowsl Linux)Server that may centrally manage PBUL installs,licenses,and policy 8.Via privileged(sudolsulpbiunlroot)access,chs over/install/unmstalll/upgrade/pro61e PBUL dients RD P851C 9.REST API to configure policy,settings or retrieve data 10 their that views reports on Beyondlnsigh[ User 11 Beyondlmight Iell is tlw sngly pane of glass for all BeyanclTrust products;orw funrtion among many is cvntrakrad reporting 11 tog Svrvvrs sending vvvnts to Bvyondlnsight 13 Integration with supported$11 M vendor 14 Solr used for keystroke log indexing 15.Streaming of keystroke logs from Log Servers to Solr for indexing 16 %rAtching of keystroke b from BI to Soli TCP/8443° PBSMC' F 1 F r.— 11 1 TCP/22" TCP/& TCP/24351' TCP/24351' TCP/24351' TCP/24351' TCP/226 TCP/2f 4 (UDPIT(P)/514" Policy'/Log'X2 Policy/Log'x2 (IIDPIT(P)/514" TCP/24347s TCP/243464 TCP/24347s TCP/24346' TCP/8043u TCP/24345' 4 TCP/8443n� TCP/24345' TCP/8443� I 1 HP Alx x�urr n I RHFI StFS Ilburrtu TCP/443 � ® vpw W — - I 1I(P/44312I4—T(P/441bftyjn- lnsiohts�ti.:.lam TCP/2434T. TCP/24347s c«ntUs Urblan Urac Ic UNIX Cllenb Linux Chenb Note Policy and log$.rivers do not need to boon the same box Now The maprity ofthese ports are c ustomuable,defaults.we shown PowerBroker for Unix&Linux Implementation Packages 6 © 2018 BeyonclTrust Software, Inc. BeyondTrustT" VISIBILITY. KNOWLEDGE. ACTION. PBUL - Tier 3 Implementation Package Up to four(4)separate policy and log servers in a High Availability configuration)Normal deployment timeframe: Fifteen (15) business days) 1) Deployment Scope a. 
PowerBroker Unix & Linux policy server deployment (HA architecture)
   b. PowerBroker Unix & Linux log server deployment (HA architecture)
   c. PowerBroker Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
   e. BeyondInsight IT Risk Management Console deployment
2) Deployment Architecture
   a. Up to 2 policy and 2 log servers configured in HA/failover
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role-based policy via PBSMC
   d. Optional hybrid native and PBSMC; optional script-based policy or advanced audit policy***
   e. File integrity monitoring***
3) Privilege Management
   a. Up to 4 distinct privilege policies defined within the PBSMC interface*
   b. Up to 3 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 3 distinct advanced audit policies defined within the PBSMC interface***
4) Included Components
   a. PowerBroker Unix & Linux integration with supported SIEM** vendor
   b. PowerBroker Unix & Linux integration with supported ticketing system vendor
5) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class (2 seats)
   c. Optional 2-day on-site training available for purchase
*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be performed on a best-effort and time-permitting basis.
**Integration is limited to forwarding data but does not include SIEM rule creation.
***Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).
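In the Tier 2 and Tier 3 architectures the failover described in legend items 3 and 5 is performed by the client side of each connection: a submit host falls back to another Policy Server, and a run host or Policy Server falls back to another Log Server. No load balancer sits in front of the pairs, so a firewall that only permits the first server of each pair passes every functional test and then breaks the first time that server is down. The following is an added example, not BeyondTrust's code and not part of the implementation package: it expands the diagram's flows over a constructed host inventory into the per-host allow-list the HA design needs, and reports every source that can reach only some members of an HA role. Port numbers are the defaults shown on the diagrams; the legend numbers attached to each flow are my reading of the diagram's superscripts, and all host names are invented.

```python
"""Expand the PBUL HA flows into a per-host allow-list and find partial
reachability that would silently break client-side failover.

Added example, not vendor code. Ports are the defaults shown on the Tier 2/3
diagrams; the legend numbers are my reading of the diagram superscripts.
Host names are constructed.
"""
from itertools import product

# (legend item, source role, destination role, protocol, port)
FLOWS = [
    (3,  "client", "policy", "tcp", 24345),   # submit host -> policy servers, client fails over
    (4,  "policy", "client", "tcp", 24346),   # policy server -> run host
    (5,  "client", "log",    "tcp", 24347),   # run host -> log servers, client fails over
    (5,  "policy", "log",    "tcp", 24347),   # policy server -> log servers
    (6,  "admin",  "pbsmc",  "tcp", 8443),    # PBSMC web interface
    (8,  "pbsmc",  "client", "tcp", 22),      # PBSMC discovers/installs clients over ssh
    (9,  "pbsmc",  "policy", "tcp", 24351),   # REST API
    (9,  "pbsmc",  "log",    "tcp", 24351),
    (12, "log",    "bi",     "tcp", 443),     # log servers send events to BeyondInsight
    (13, "log",    "siem",   "udp", 514),     # syslog forwarding to the SIEM
    (13, "log",    "siem",   "tcp", 514),
    (15, "log",    "solr",   "tcp", 8443),    # keystroke logs streamed to Solr
]

# Constructed Tier 3-style inventory: two policy and two log servers in HA.
HOSTS = {
    "policy": ["pol01", "pol02"],
    "log": ["log01", "log02"],
    "client": ["web01", "db01"],
    "admin": ["admin-ws"],
    "pbsmc": ["pbsmc01"],
    "bi": ["bi01"],
    "siem": ["siem01"],
    "solr": ["solr01"],
}


def required_rules(hosts, flows=FLOWS):
    """Every (src, dst, proto, port) the architecture needs. HA roles are
    expanded to all members: a client must reach every policy server."""
    rules = set()
    for _, src_role, dst_role, proto, port in flows:
        for src, dst in product(hosts.get(src_role, ()), hosts.get(dst_role, ())):
            if src != dst:
                rules.add((src, dst, proto, port))
    return rules


def failover_gaps(hosts, allowed, flows=FLOWS):
    """Return {(src, dst_role, proto, port): (reachable, total)} for each source
    that reaches fewer than all members of an HA destination role. Zero
    reachable members is reported as well (outage rather than failover loss)."""
    allowed = set(allowed)
    gaps = {}
    for _, src_role, dst_role, proto, port in flows:
        members = hosts.get(dst_role, ())
        if len(members) < 2:
            continue  # nothing to fail over to, not an HA role
        for src in hosts.get(src_role, ()):
            targets = [dst for dst in members if dst != src]
            reachable = sum((src, dst, proto, port) in allowed for dst in targets)
            if reachable < len(targets):
                gaps[(src, dst_role, proto, port)] = (reachable, len(targets))
    return gaps


def iptables_lines(rules, chain="OUTPUT"):
    """Render rules as host-firewall iptables commands for the source side.
    Hostnames are resolved by iptables when the rule is loaded."""
    return [
        f"iptables -A {chain} -s {src} -d {dst} -p {proto} --dport {port} -j ACCEPT"
        for src, dst, proto, port in sorted(rules)
    ]


# Constructed mis-configuration: web01's rules were written against the first
# policy and log server only, so it works until pol01 or log01 is unavailable.
ALLOWED = required_rules(HOSTS) - {
    ("web01", "pol02", "tcp", 24345),
    ("web01", "log02", "tcp", 24347),
}

if __name__ == "__main__":
    for (src, role, proto, port), (have, total) in sorted(failover_gaps(HOSTS, ALLOWED).items()):
        print(f"{src} reaches {have}/{total} {role} servers on {proto}/{port}: failover broken")
    for line in iptables_lines(required_rules(HOSTS))[:4]:
        print(line)
```

Run against a real inventory, the check is worth repeating after every server addition, because the Tier 4 design adds members to the policy and log roles and every existing client then needs rules for the new members.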
TIER 3 RECOMMENDED ARCHITECTURE
Up to four (4) separate policy and log servers in a High Availability configuration
[Architecture diagram: the figure itself did not survive extraction; its legend, the default ports it shows and its notes are reproduced below.]
Legend
1. Policy Server controls access based on policy defined
2. Log Server records events/keystrokes
3. Submit Host to Policy Servers; will fail over to other Policy Servers as needed
4. Policy Server to Run Host
5. (Run Host | Policy Server) to Log Servers; will fail over to other Log Servers as needed
6. Access PBSMC over web interface
7. (Windows | Linux) Server that may centrally manage PBUL installs, licenses, and policy
8. Via privileged (sudo | su | pbrun | root) access, discover/install/uninstall/upgrade/profile PBUL clients
9. REST API to configure policy, settings or retrieve data
10. User that views reports on BeyondInsight
11. BeyondInsight [BI] is the single pane of glass for all BeyondTrust products; one function among many is centralized reporting
12. Log Servers sending events to BeyondInsight
13. Integration with supported SIEM vendor
14. Solr used for keystroke log indexing
15. Streaming of keystroke logs from Log Servers to Solr for indexing
16. Searching of keystroke logs from BI to Solr
17. Integration with supported Ticketing system
18. Log Replay Server
19. Report User's redirect from BeyondInsight to Log Replay Server
20. Log synchronization from all Log Servers onto the Replay Server
Default ports shown on the diagram (the superscript on each port is the legend item it belongs to, as far as it is legible): TCP/24345 (3), TCP/24346 (4), TCP/24347 (5), TCP/8443 (6, 15, 16), TCP/22 (8), TCP/24351 (9), TCP/443 (10 to 12), UDP or TCP/514 (13), TCP/24348 and TCP/24349 (19). Components shown: two Policy and two Log servers, PBSMC, BeyondInsight, Solr, the SIEM, the Log Replay Server, UNIX clients (HP-UX, AIX, Solaris, macOS/OS X) and Linux clients (RHEL, SLES, Ubuntu, CentOS, Debian, Oracle Linux).
Note: Policy and Log Servers do not need to be on the same box.
Note: The majority of these ports are customizable; defaults are shown.

PBUL - Tier 4 Implementation Project (Custom SOW)
More than 4 separate Policy and Log Servers in an HA Service Group
1) Deployment Scope
   a. PowerBroker Unix & Linux policy server deployment (HA architecture)
   b. PowerBroker Unix & Linux log server deployment (HA architecture)
   c. PowerBroker Unix & Linux run host agent deployment
   d. PowerBroker Server Management Console (PBSMC) deployment
   e. BeyondInsight IT Risk Management Console deployment
2) Deployment Architecture
   a. High Availability requirement: multiple policy and log servers (more than 4 of each)
   b. Initial administrator policy and assignment
   c. Initial policy assistance using role-based policy via PBSMC
   d. Optional hybrid native and PBSMC; optional script-based policy or advanced audit policy***
   e. File integrity monitoring***
   f. Automation of client deployment for DevOps via packaged installers***
3) Privilege Management
   a. Up to 5 distinct privilege policies defined within the PBSMC interface*
   b. Up to 3 distinct file integrity policies defined within the PBSMC interface***
   c. Up to 3 distinct advanced audit policies defined within the PBSMC interface***
4) Included Components
   a. PowerBroker Unix & Linux integration with supported SIEM** vendor
   b. PowerBroker Unix & Linux integration with supported ticketing system vendor
   c. Registry name service
5) Training
   a. Deployment and best practice knowledge transfer
   b. Virtual training class (2 seats)
   c.
Optional 2-day on-site training available for purchase
*A detailed and agreed set of requirements for each policy segment is required before implementation commences. Any additions or alterations can only be performed on a best-effort and time-permitting basis.
**Integration is limited to forwarding data but does not include SIEM rule creation.
***Options only available with PowerBroker® for Unix & Linux (PBUL). Not available for PowerBroker® for Unix & Linux Essentials (PBULE).

TIER 4 RECOMMENDED ARCHITECTURE
More than 4 separate Policy and Log Servers in an HA Service Group
[Architecture diagram: the figure itself did not survive extraction; its legend, the default ports it shows and its notes are reproduced below.]
Legend
1. Policy Server controls access based on policy defined
2. Log Server records events/keystrokes
3. Submit Host to Policy Servers; will fail over to other Policy Servers as needed
4. Policy Server to Run Host
5. (Run Host | Policy Server) to Log Servers; will fail over to other Log Servers as needed
6. Access PBSMC over web interface
7. (Windows | Linux) Server that may centrally manage PBUL installs, licenses, and policy
8. Via privileged (sudo | su | pbrun | root) access, discover/install/uninstall/upgrade/profile PBUL clients
9. REST API to configure policy, settings or retrieve data
10. User that views reports on BeyondInsight
11. BeyondInsight [BI] is the single pane of glass for all BeyondTrust products; one function among many is centralized reporting
12. Log Servers sending events to BeyondInsight
13. Integration with supported SIEM vendor
14. Solr used for keystroke log indexing
15. Streaming of keystroke logs from Log Servers to Solr for indexing
16. Searching of keystroke logs from BI to Solr
17. Integration with supported Ticketing system
18. Log Replay Server
19. Report User's redirect from BeyondInsight to Log Replay Server
20. Log synchronization from all Log Servers onto the Replay Server
Default ports shown on the diagram (the superscript on each port is the legend item it belongs to, as far as it is legible): TCP/24345 (3), TCP/24346 (4), TCP/24347 (5), TCP/8443 (6, 15, 16), TCP/22 (8), TCP/24351 (9), TCP/443 (10 to 12), UDP or TCP/514 (13), TCP/24348 and TCP/24349 (19). Components shown: Policy and Log servers in groups of two or more, PBSMC, BeyondInsight, Solr, the SIEM, the Log Replay Server, UNIX clients (HP-UX, AIX, Solaris, macOS/OS X) and Linux clients (RHEL, SLES, Ubuntu, CentOS, Debian, Oracle Linux).
Note: Policy and Log Servers do not need to be on the same box.
Note: The majority of these ports are customizable; defaults are shown.

About BeyondTrust
BeyondTrust is the worldwide leader in Privilege-Centric Security, offering the most seamless and straightforward approach to preventing data breaches related to stolen credentials, hijacked insider accounts, and misused privileges. Our privileged access management platform is the most extensible on the market, enabling organizations to easily scale their privilege security programs as threats evolve across endpoint, server, cloud and network device environments. Only BeyondTrust unifies the industry's broadest set of built-in capabilities with centralized management, reporting and analytics, empowering leaders to take decisive and informed actions to defeat attackers. This is backed by a flexible design that simplifies integration with other best-of-breed solutions and boosts the value of our customers' IT security investments. With BeyondTrust, organizations gain the visibility and control they need to confidently reduce risk, maintain productivity, and stay out of the headlines. We are trusted by over 4,000 customers and a global partner network. Learn more at www.beyondtrust.com.