SCHEDULE 2 NETWORK SERVICES STATEMENT OF WORK

Transcription

1 SCHEDULE 2 NETWORK SERVICES STATEMENT OF WORK FOR SUPERIOR COURT OF CALIFORNIA, COUNTY OF SAN DIEGO v Page i

2 Table of Contents Superior Court of California, County of San Diego 1.0 Network s Overview and Objectives s Overview Objectives Environment Scope of s and the Infrastructure to be Supported Descriptions s Tables of Roles and Responsibilities General Roles and Responsibilities Procurement s Network Management, Administration, and Operation Support for Voice over IP (VoIP) and IP-based Audio/Video Network s Provisioning and Circuit Support Network Monitoring and Reporting Network Documentation Project Management s Managed Security s Management Objectives Periods Aggregate and Incident based SLRs Level Requirements (SLRs) Reports List of Tables Table 1. General Roles and Responsibilities... 6 Table 2. Procurement s... 8 Table 3. Network Operations and Administration Roles and Responsibilities... 9 Table 4. Voice and Audio/Video Support Table 5. Network s Provisioning and Circuit Support Table 6. Network Monitoring and Reporting Table 7. Network Documentation Table 8. Project Management s Table 9. Perimeter Security s Table 10. VPN and Remote Access s v Page ii

3 Table 11. Security Intrusion Detection and Prevention s Roles and Responsibilities Table 12. Security Vulnerability and Penetration s Table 13. Security Incident Management s Table 14. Network Availability SLRs Table 15. Network Reports v Page iii

4 1.0 Network s Overview and Objectives 1.1 s Overview Converged Network Management services are the end-to-end s and activities, as detailed in the following SOW required to provide and support the Superior Court of the County of San Diego s () converged data, video, and voice network environment (both physical and virtual), that transports data traffic related to, and 3 rd -Party applications including but not limited to financial and business applications, web applications, video and associated video applications, and IP/VoIP telephony traffic, as described in Section 2.0 below. Network s comprise the tasks and responsibilities set forth herein and include, but are not limited to, the provisioning, management, administration, and troubleshooting of the following: Wide-area Network (WAN) Local-area Network (LAN) Virtual Private Network (VPN) and Remote Access Network Security Transmission of Voice and Video owns all assets currently in the environment and also owns the vendor maintenance contracts for those assets. Assets can be either physical or virtual network devices. All assets and support agreements except as otherwise noted, will be paid for by and registered to. 1.2 Objectives The following are the key high-level objectives expects to achieve through outsourced network management services and this Converged Network s Statement of Work (SOW): Manage, administer, and operate a reliable, scalable and secure high-speed Converged Network infrastructure to Operate efficiently and effectively by running on a consolidated network infrastructure and by simplifying network management, procurement and budgeting End to end Converged Network monitoring and management including management of 3 rd Party s (e.g., 3 rd Party coordination, carrier coordination, Problem and Incident Management) Achieve Level Requirements v Page 1

5 2.0 Environment Superior Court of California, County of San Diego 2.1 Scope of s and the Infrastructure to be Supported This section and its related SOW Appendices describe and scope the network environment that the will be supporting. Environment Appendices are living documents and will be updated frequently during the Term of this Agreement. Master copies of these documents will be maintained by using collaborative input from the Appendix A to Schedule 2: Network Environment Details Appendix B to Schedule 2: Inventory Details Worksheet This Appendix is the Inventory Worksheet and contains the following information to assist the in understanding the environment that the scope of this RFP will encompass: Inventory o o o o o Network hardware and software Network circuits Network topology diagrams Inventory List and line Quantities Maintenance and Support Coverage (items covered) Appendix C to Schedule 2: Transition Details This Appendix contains a list of transition requirements for the Appendix D to Schedule 2: Locations This Appendix contains the descriptions and locations of all facilities and locations requiring Network s. The business hours are also identified in this Appendix. The knowledge of these Site numbers is extremely important for the to know and become familiar with; site references and numbers are used frequently during day-to-day activities, project meetings, and discussions; in addition these site numbers are used repeatedly throughout this document and its appendices Appendix E to Schedule 2: Initiatives This Appendix consists of a list of known initiatives that the will be engaged in during the term of the contract. has provided as much information and detail as possible in the Appendix to provide a complete scope and description of what is being asked. v Page 2

6 2.1.6 Appendix F to Schedule 2: Tools and Associated Licenses and Maintenance Contracts This Appendix contains a list of the tools that the will be using and deploying in order to provide s to. The is required to fill out this Appendix, and ensure that it is kept up to date Appendix G of Attachment F: Policies, Procedures, and Standards This Appendix contains a description of the policies, procedures and standards that are designed to improve the overall delivery of Network s to. 2.2 Descriptions s The is responsible for providing Data Network s to as described through this Schedule 2 and its associated appendices. These s are considered to be In Scope, or otherwise known as a. Unless noted to the contrary or otherwise declared specifically to be Out of Scope, the requirements of this Schedule and its associated Appendices, are considered a Data Network s Wide Area Network (WAN) s o WAN s include the provision and monitoring, management, administration, and operation of networks that interconnect two or more separate facilities that span a geographic area. Transmission facilities include, but are not limited to, point-to-point circuits, Frame Relay, Internet circuits, broadband (DSL/Cable Modem) connections, and site-tosite VPN connections. shall work with public carriers and circuit providers on behalf of to ensure delivery of WAN s. Support of any network services-related work required by designated carriers, to support the network, is considered within the scope of s. Local Area Network (LAN) s o o LAN s include the provision and monitoring, management, administration, and operation of networks that are confined within a single facility or a portion of a facility. Examples of LANs within s environment include trusted, guest, remediation, and wireless infrastructure. Additionally, examples of LAN components include Dynamic Host Control Protocol (DHCP), Domain Name Server (DNS), 802.1x, and Wireless LAN components, which are required to support all network traffic. This ends at, and does not include, the network card of either, the network attached desktop or network attached printer. LAN s includes facility cabling infrastructure. Uninterruptible Power Supply (UPS) s o UPS s include the support of local intelligent UPS devices that are either pedestal or rack mount in form and are dedicated to provide protection to the Network devices. The UPS devices are connected to v Page 3

7 the data network for monitoring and alert trapping and are physically located throughout each facility, in IDFs, MDFs, MPOEs, Server Rooms, Data Centers, and other communications areas. Virtual Private Network (VPN) and Remote Access s o VPN and Remote Access s include the provision and monitoring, management, administration, and operation of methods for remote users and business partners to securely connect to the Network and its Data Center Computing s over the public Internet or through private point-to-point connections. This includes dedicated siteto-site connectivity that utilizes either a public or private network. Network Security s o Network Security s include the provision and support of methods that provide security to physical and logical devise connected to the network. Security s include Firewall, Intrusion Detection and Intrusion Prevention, and Vulnerability and Penetration testing. Management s o Management services include the provision and support of a suite of activities that spans all aspects of system security and networking levels in terms of system and component management and monitoring, information protection, component-addressing methods, access control, and change control Installs, Moves, Adds, Changes, and De-Installs (IMACD s) IMACDs are included in the s that the is responsible for Install Installs include the installation and configuration of network devices. This revolves around the installation of new equipment that replaces existing equipment as well as refreshing existing equipment with newer equipment Move Moves include the relocation of devices either within the same IDF, same cabinet, same Site, or between different Sites and different cabinets. Moves are not a frequent event, but may be necessary at times to make physical room within a rack or cabinet to accommodate additional equipment by moving network devices to other locations in either the same IDF/MDF or within the same cabinet or Site, or even between Sites Add This includes the addition of components (both hardware and software) to an existing device as well as the upgrading of any components within an existing device, including the replacing of components within a device. Adding or replacing components such as increasing memory, adding daughter boards, adding new port modules or storage arrays, or even adding and activating software license keys are some examples of an Add. v Page 4

8 Change Superior Court of California, County of San Diego Changes include the modification of configurations (of both hardware and software) of an existing device. Changing firewall rule sets, changing port configurations, or changing access lists, or changing module configurations and hardware jumpers are some examples of Changes De-install De-installs include the decommissioning of network equipment from a production status into a non-production status. Some examples include the de-installing of older equipment which is subject to refresh, de-installing equipment that is no longer needed in production and placed into spares inventory, and de-installing equipment that has either faulted or otherwise failed line Information s current lines are provided in Enclosure B, the Pricing Template. The quantities are derived from the details located in Appendix B of Schedule 2. The quantities that are and will be reflected in the line consist only of production equipment. lines are established upon the quantities of those devices that are in production on the first business day of the month. Network Assets that have been set aside for Spares equipment and/or used solely for purposes of testing or development will not be included into the line for pricing. An itemized inventory count will be performed for the first business day of the month to revalidate the line quantities for each billing period. v Page 5

9 3.0 Tables of Roles and Responsibilities Description of the Tables Each of the requirements tables in this Schedule state a role and responsibility. o o o An is placed in the column under the party that will be responsible for performing the task. responsibilities are indicated in the column labeled. The column titled, indicates those items with an in which the acknowledges, is a and therefore cannot additionally bill for the performance of any of those responsibilities. The phrase, Rate Card is used where the is not expected to meet the requirement as a, and will use the applicable table of time and materials rates for specific types of services as the vehicle for invoicing to meet those specific requirements. 3.1 General Roles and Responsibilities The Converged Network includes all Network Assets that are in production that include both physical and virtual network devices to meet the Objectives. The following table identifies the General Roles and Responsibilities associated with this SOW including the network components listed above. Table 1. General Roles and Responsibilities General Roles and Responsibilities 1) Create and maintain Information Technology Policies and Procedures 2) Perform business liaison function to operational units 3) Review and/or approve all proposed changes to the Converged Network environment 4) Develop Converged Network asset replacement, refresh, and upgrade plans 5) Comply with policies, procedures, standards and regulations applicable to for Information, Information Systems, personnel, and physical and technical security 6) Provide accurate invoices to 7) Participate and assist in the development of the Converged Network asset replacement, refresh, and upgrade plans 8) Manage and execute, and/or assist 3 rd Parties with, the execution of asset and UPS replacements, refreshes, and upgrades v Page 6

10 General Roles and Responsibilities 9) Adhere to standards for the cable plant, which includes wiring standards, fiber standards, terminator, face plates, cable runs, and cable types 10) Participate in the development and modification of Information Technology Policies and Procedures 11) Collaborate and participate in architecting, designing, and maintaining a secure Converged Network infrastructure 12) Provide advanced technical assistance to with architecture, engineering, design, deployment, testing, and user acceptance strategies and plans as required 13) Provide recommendations for Network Tower solutions based on industry best practices upon request Superior Court of California, County of San Diego 14) Final approval of recommendations and solutions 15) Work with to develop and submit network and security designs for preapproved solutions 16) Assist with and perform the integration and implementation of approved solutions 17) Work with to mitigate and remediate security risks and incidents 18) Manage the retention of IDS/IPS logs 19) Provide all expertise required to complete all Work including the retaining of expert subcontractors when retaining such outside expertise is required 20) Manage Asset Inventory (Device, Model, SN, Location, In- Data, Procurement Data, Break-Fix data, Asset tags, Tracking SmartNet and warranties, original purchase price) 21) Manage circuit billing 22) Perform Installs of Converged Network assets IMACD s 23) Perform Moves of Converged Network assets IMACD s 24) Perform Adds of Converged Network assets IMACD s 25) Perform Changes of Converged Network assets IMACD s 26) Perform De-Installs of Converged Network assets IMACD s 27) Provide Converged Network support to Disaster Recovery testing as required 28) Troubleshoot Network Assets in the Converged Network environment as required v Page 7

11 3.2 Procurement s Superior Court of California, County of San Diego may be required to perform Procurement s during the Term of this Agreement. Procurement s may be required in response to mitigate a Break-Fix incident to correct a network down status. Another condition that could require procurement would be to fulfill requirements for IT related initiatives for items such as hardware, software, and/or licensing renewals, replacements, and upgrades. The two examples listed above are not exhaustive and only provide two possible situations where procurement may be required by the to meet the requirements of this SOW. will be responsible for preapproving any procurement before procurement is made. will be responsible for funding only preapproved procurements. The following table identifies the underlying roles and responsibilities associated with Procurement s for this SOW. Table 2. Procurement s Procurement s 1) Provide with a procurement avenue and a Procurement process that can approve for to procure hardware, software, licenses, and other goods or materials through the 2) Manage Procurements and asset tagging for Network related projects as required 3) Provide with procurement estimates and quotes 4) Ownership of all hardware, software, and licenses procured 5) Procure any required (with approval) hardware, software, licenses, and other goods or materials 6) Fund and pay for the approved -procured hardware, software, licensing, and other goods or materials, using the Procurement Process 7) Provide any required additional expertise and/or labor, including 3 rd -Party Subcontractors, to complete New Projects requiring Network Tower participation (only New Projects) RATE CARD v Page 8

12 3.3 Network Management, Administration, and Operation Network Management and Administration s include activities, such as: Managing the Converged Network and Network Assets and their configurations, Internet Protocol (IP) addresses Hardware and Software and configurations, which also include Installs, Moves, Adds, Changes, and De-Installs (IMACD) Managing WAN, LAN, and Wireless configurations of Network Assets Operations activities include: Network systems management and troubleshooting (e.g. performance, problem, change, and capacity monitoring) Troubleshooting Network Assets and their configurations throughout s Converged Network environment Cooperating with and its 3 rd -Parties as required, with troubleshooting efforts Bandwidth management Protocol usage statistics (e.g. identify top talkers by protocol) Working with public carriers and other circuit providers to perform any operations activities (e.g. provisioning, problem management) Managing and maintaining all Network computing resources (e.g. hardware, software, and licensing) that are required to provide s Several IT Policies and Procedures have been created to effectively govern s internal IT functions. In order to maintain process efficiencies and minimize service disruptions to Court operations, the is subject to the same governance when working on the network environment. The following table identifies the activities, roles and responsibilities associated with Network Management, Administration, and Operation that are specific to this SOW. Table 3. Network Operations and Administration Roles and Responsibilities Network Operations and Administration 1) Manage and administer the Converged Network connectivity and the Network Assets throughout the enterprise including UPS devices 2) Manage both break-fix and incident response for all Network Assets including UPS devices 3) Provision and maintain Quality of for the Converged Network of various network traffic types 4) Provide recommendations for improving and optimizing Network performance v Page 9

13 Network Operations and Administration 5) Perform day-to-day Network operations and administration activities 6) Provide support in accordance with Policies and Procedures 7) Participate in, and adhere to s Change Management, Patch Management, and Release Management processes and meetings 8) Participate in developing and managing s IP addressing schemes for dynamic and static addressing in collaboration with 9) Participate in updating and maintaining the accuracy of the data and information contained in the Appendices applicable to this Statement of Work in collaboration with 10) Participate in managing public carriers and other circuit providers as required in collaboration with 11) Manage, administer, and troubleshoot Network Asset configurations (i.e., routers, switches, VPN appliances, firewalls, UPSs, etc.) 12) Manage, configure, administer, and maintain the IP addressing schemes, subnets, ACLs, and VLANs 13) Manage, configure, and maintain backup configurations for all Network Assets throughout the Converged Network environment 14) Manage user accounts as needed for accessing and maintaining Network resources (e.g. Network (devicespecific) User-id and password maintenance (e.g., routers, switches, firewall appliances)) 15) Manage and perform approved firmware and software upgrades on a quarterly basis for Network Assets as required by 16) Design, Procure, and Implement a redundant audit log repository system and solution 17) Configure, maintain, and archive, audit log information, which includes device access logs, general systems and security logs, and application logs 18) Provide with access to a utility for ad-hoc query of audit log information 19) Maintain Network Assets at the manufacturer s latest release levels as required 20) Cooperate with and provide configuration and troubleshooting support to other IT Towers 21) Manage and administer network interfaces between and its partner agencies v Page 10

14 Network Operations and Administration 22) Troubleshoot, mitigate, and resolve all issues, incidents, and break-fix tickets involving the Converged Network infrastructure, its protocols and services, and the dedicated UPSs that provide power protection to Network devices 23) Determine the root-cause behind all P1 and select P2 breakfix tickets and create and then present to a Root- Cause-Analysis 24) Troubleshoot, mitigate, and resolve Network infrastructure performance issues affecting Application response time across the Converged Network, Voice IP traffic and VoIP/IP Telephony due to issues such as latency and jitter 25) Provide with recommendations for the improvement of capacity and performance metrics 26) Manage network protocols and services (i.e., WCCP, DNS, DHCP, BGP, EIGRP, ST, RADIUS, IPSec, SSL, etc.) 27) Manage and maintain protocols and services for DNS, DHCP, RADIUS, etc. on Network Assets that such services are being serviced from Network Assets 28) Provide and its 3 rd -Parties with assistance in managing and administering External DNS 29) Manage, maintain, and administer the connectivity between locations, and between partner agencies and 3 rd Parties 30) Configure, manage, and administer password changes on devices that control User access to the Wireless Network 31) Manage internal infrastructure for both fiber and copper cabling from the wall plate to the network access switch, and from Network Asset to Network Asset (for new installations, troubleshooting, break-fix response and repair) 3.4 Support for Voice over IP (VoIP) and IP-based Audio/Video Support for VoIP and IP-based Audio/Video (and network protocols associated to VoIP) will be required at the Network Infrastructure level to ensure availability of s VoIP communications as well as applicable IP-based Audio/Video communications that traverses the Converged Network Infrastructure. The requirements in this section are actually covered in the requirements mentioned in other sections of this SOW, but are being listed here to ensure that the is aware of the responsibility to maintain the availability, quality, and integrity of not only the data communications traffic, but also of VoIP and IP-based Audio/Video communications traffic that traverses the Converged Enterprise Network. Until the new Courthouse project is complete in late 2016, the only SIP communications in the environment exist between Site PBs, with a small group of VoIP handsets expected to be setup and configured for VoIP pilot testing (the pilot testing would occur in advance of the expected occupancy of the new building). v Page 11

15 The following table identifies the roles and responsibilities associated with the support that the will be required to do in order ensure Voice Communications remain available. Table 4. Voice and Audio/Video Support Voice and Audio/Video Support 1) Manage, configure, and administer the Converged Network Assets to support VoIP and IP-based Audio/Video devices connected to the Converged Network 2) Manage the IP Addresses and VLANs for VoIP and IP-based Audio/Video devices 3) Manage, configure, and respond to break fix incidents involving End-User VoIP and IP-based Audio/Video End-User devices 4) Manage Quality of and the required VLANs for VoIP and IP-based Audio/Video protocols 3.5 Network s Provisioning and Circuit Support The following table identifies the roles and responsibilities associated with Network s Provisioning and Circuit Support that are specific to this SOW. Table 5. Network s Provisioning and Circuit Support Network s Provisioning and Circuit Support 1) Ordering of any new network data circuits 2) Ordering of any new digital voice or communications circuits 3) Maintain financial responsibility for s data and voice circuits 4) Collaborate and participate in designing and architecting an optimal Converged Network infrastructure topology 5) Perform oversight and work with s 3 rd -Party network vendors (i.e., CALNET, Cisco, Cox Communications, AT&T, etc.) as s Authorized Agent for both new circuit installations as well as necessary troubleshooting efforts 6) Perform network provisioning based upon approved policies and procedures 7) Configure, manage, and administer network hardware and software to facilitate new circuit installations and provisioning v Page 12

16 Network s Provisioning and Circuit Support 8) Document all circuit information, router and switch configurations, hardware devices and software licensing, and IP addressing schemas 9) Perform troubleshooting of s Network data circuits and digital voice communications circuits 10) Isolate, track, and resolve incidents, issues, and problems dealing with s Converged Network data and digital voice circuits 11) Provide recommendations for Workarounds which address Network data circuit and digital voice communications circuit outages as they occur 3.6 Network Monitoring and Reporting The following table identifies the roles and responsibilities associated with Network Monitoring and Reporting services that are specific to this SOW and s Converged Network environment. The is required to have an established NOC/SOC from which network monitoring and alert management will be handled. Table 6. Network Monitoring and Reporting Network Monitoring and Reporting 1) Create and maintain Monitoring and Reporting Policies and Procedures 2) Collaborate with to establish the metrics that the will be tracking, measuring, and reporting on, which may include: WAN circuit and network device interfaces, CPU and memory utilization of network devices, Up/Down status, bandwidth throughput, bandwidth utilization, jitter, latency, Security Incident Event Management, and traffic logs 3) Implement tools and systems for the monitoring, event management, alerting, and reporting of s Converged Network environment to provided Network Operations Center (NOC) 4) Manage log retention according to Monitoring and Reporting policies and procedures 5) Manage, configure, update, and administer, monitoring, event management, and alerting tools and systems 6) Provide access to the network monitoring, event management and alerting tools and systems to generate ad hoc reports v Page 13

17 Network Monitoring and Reporting 7) Monitor, alert, and respond to alerts and Incidents on the Converged Network to maintain and to ensure that Level Requirements are met on a 24x7x365 basis 8) Identify network issues and network Incidents and resolve them according to IT Policies and Procedures 9) Manage, configure, update, and administer the environmental monitoring of metrics such as temperature, humidity, video, acoustics, smoke, and liquids in key Network locations 10) Keep abreast of critical updates and announcements applicable to s Network Assets, including security vulnerabilities, and notify of the availability of product updates and manufacturer announcements 11) Discuss the criticality of updates with and develop recommendations for the necessity of implementation and a plan of implementation for approval 12) Implement approved updates in accordance to Patch Management and Release Management processes 13) Perform an annual Network-wide audit and provide with a report identifying stage of devices life-cycles, Cisco IOS revisions, manufacturer product revisions, state of licensing renewals, and manufacturer security enhancements 14) Provide monthly status reports on the Network environment concerning Network outages, performance and capacity statistics, the number of break-fix tickets, and other Network statistics 3.7 Network Documentation will manage the document store and maintain the responsibility of keeping all documentation posted on the IT portal page. The will be required to collaborate with and assist in updating and modifying, as well as creating new documentation during the Term of this Agreement. The following are some of the document types that are specific to this SOW that both and the will strive to keep current and updated. Network system specifications and topologies Device configurations such as, firewall policies, routing diagrams, and IP address tables Device Hardware and Software revisions and their support levels Network circuit information As-built documentation for all network devices, network systems, and Network related projects v Page 14

18 Root Cause Analysis: In the event of a major outage (Priority Level 1), the will be required to collaborate with to generate a Root Cause Analysis report (RCA) for any network event that was declared as a P1 incident. Although uncommon, there could be some Priority Level 2 incidents that will require an RCA be developed as well, in order to understand cause as well as develop plans to prevent a recurrence in the future. The following table identifies the roles and responsibilities associated with Documentation activities that are specific to this SOW. Table 7. Network Documentation Network Documentation 1) Collaborate with and assist with the creation and maintenance of Network Documentation to keep the content of the Appendices to this SOW updated and current 2) Analyze and deliver to a Root Cause Analysis report for all P1 break-fix Incidents 3) Publish Network Documentation on s secure web portal 3.8 Project Management s has a mature IT Project Management Office (PMO) to manage and oversee its IT projects. There are typically many active IT projects in work at any given moment in various stages of the project management life-cycle. Due to the volume of projects and the work involved on a daily basis, the may be called upon to provide a project manager to assist with managing projects and tasks that deal specifically with the network infrastructure. The will also be required to work with in order to operate successfully within the various Policies and Procedures that govern s IT PMO. The following table identifies the roles and responsibilities associated with Project Management s that are specific to this SOW. Table 8. Project Management s Project Management s 1) Create and maintain Project Management Policies and Procedures 2) Provide a Project Manager as required for Network related projects per Rate Card for Out of Scope Work Orders RATE CARD v Page 15

19 Project Management s 3) Perform Project Management functions in accordance to Project Management Policies and Procedures for Out of Scope Work Orders 4) Participate in meetings to discuss Projects the project plans and project tasks 5) Provide with cost estimates for implementing Network related projects, including estimated hardware, software, licenses, and outside services 6) Provide advanced technical assistance to with all architecture, engineering, design, deployment, testing, and user acceptance strategies and plans 7) Coordinate resources and subcontractor resources Superior Court of California, County of San Diego RATE CARD 8) Coordinate resources and 3 rd Party resources 3.9 Managed Security s The will be responsible for providing Managed Security s that revolve around s network security hardware, the network solutions and software, and the integration of such throughout the Converged Network infrastructure. The is required to have an established NOC/SOC from which monitoring and alerting of event activity will occur. Managed Security s requires the management, administration, operation and alert management, and troubleshooting of: Configuration and integration of s existing as well as new Network Access Control (NAC) and 802.1x architecture and solutions Perimeter security architecture VPN and Remote Access architecture Intrusion Detection and Intrusion Prevention (IDS/IPS) architecture Additionally Managed Security s requires, Performing Vulnerability and Penetration Assessments Managing and mitigating security Incidents and security alerts Maintaining a secure enterprise Network v Page 16

20 3.9.1 Perimeter Security Superior Court of California, County of San Diego shall provide Perimeter Security s including firewall management, access control list management, Web-Proxy and Filtering management, alerting and response. The following table identifies roles and responsibilities associated with the Perimeter Security s. Table 9. Perimeter Security s Perimeter Security s 1) Create and maintain Firewall Management Policies and Procedures 2) Manage, configure, and administer firewalls and firewall managers for securing trusted, untrusted, 3 rd -Party, and DMZ network infrastructure 3) Collaborate and participate in developing a secure perimeter architecture and design 4) Manage, configure, and administer Internet web-proxy, web-filtering, and anti-malware devices 5) Filter outbound URLs to enforce compliance with policies, including deep inspection of encrypted traffic 6) Ensure that web filtering categories and anti-malware patterns are current and up to date 7) Perform annual administrative firewall audits and collaborate with for rule clean up and expiration 8) Manage firewall interfaces and zones (e.g., DMZ, Internet, 3 rd -Party connections) 9) Collaborate with to develop a secure gateway solution for inbound and outbound filtering policies and procedures 10) Manage, integrate, configure, and administer the secure e- mail gateway solution for day-to-day VPN and Remote Access s VPN and Remote Access s deals with Virtual Private Network (VPN) technologies that include both, IPSec and SSL, and remote user authentication (including RADIUS), session encryption, and the provisioning and monitoring and management of remote End-Users and business partners to securely connect them to the Network through the public Internet or through private networks. These connections include dedicated site-to-site VPN tunnels with partners as well as remote client VPN and clientless VPN. All VPN and Remote Access s will be provided in compliance with s security policies. The following table identifies the roles and responsibilities associated with VPN and Remote Access s. v Page 17

21 Table 10. VPN and Remote Access s VPN and Remote Access 1) Create and maintain Remote Access Policies and Procedures a. Who is permitted to have Remote Access b. How are they permitted Remote Access c. What are the requirements for Remote Access d. Which resources can be accessed remotely 2) Install and configure new Remote Access devices and Remote Access managers 3) Manage, configure, update, and administer Remote Access devices and Remote Access methods which includes the following: a. VPN thick client access (IPSec and SSL) b. VPN SSL Browser-based client access c. RADIUS authentication d. Firewall rules to facilitate RAS e. Access Control Lists 4) Manage, operate, and administer s SSL Web VPN solution 5) Troubleshoot Remote Access devices and access methods as required 6) Collaborate and participate in developing a secure Remote Access architecture and design Security Intrusion Detection and Intrusion Prevention (IDS/IPS) s shall provide IDS/IPS s. The following table identifies the roles and responsibilities associated with IDS/IPS s. Table 11. Security Intrusion Detection and Prevention s Roles and Responsibilities IDS/IPS s 1) Create and maintain IDS and IPS Policies and Procedures 2) Collaborate and participate in developing a robust and effective IDS/IPS architecture and design 3) Install and configure new IDS/IPS devices and IDS/IPS managers 4) Manage, configure, update, and administer IDS/IPS devices and IDS/IPS managers v Page 18

22 IDS/IPS s 5) Respond to alerts and events triggered from the IDS/IPS systems 6) Identify security breaches and perform forensic analysis as required 7) Notify and brief of critical alerts and events triggered from the IDS/IPS systems 8) Provide monthly reports on prior month s IDS/IPS events and alerts 9) Provide with access to the IDS/IPS in order to generate ad hoc reports on demand Security Vulnerability and Penetration Assessment s There are two types of Security Vulnerability and Penetration Testing s that the is required to perform. Security Penetration and Vulnerability Assessment An Annual Event requires the to perform, or engage a third party to perform, an annual Security Penetration and Vulnerability Assessment, which consists of the activities associated with conducting a security assessment on the Data Network environment that targets devices, hosts, as well as servers that are connected to the network infrastructure. The annual event is one that covers multiple areas of the environment; both the target of the event and focus for the event can and do often change from year to year. This is a two-week event that incorporates onsite and offsite penetration and assessment scanning activities, with a period of report generation following the event. The will be expected to test the susceptibility of s Network hosts to a specific attack and/or suites of attacks targeting Internet address space as well as Intranet address space using combinations of manual, automated, and custom methods that root out server and application vulnerabilities in addition to vulnerabilities within the network infrastructure. Deliverables include a report of findings, the severity of findings, and the possible mitigation recommendations for to follow. It is important to note that the will utilize a person who is not a member of the onsite dedicated staff to perform this service, generate the findings report, and deliver the findings to an audience that includes the CIO, its IT Managers, and pertinent IT staff. A primary objective of this activity is to not intentionally or unintentionally bring down resources but rather, identify where the vulnerabilities are. All penetration testing activities are expected to be non-intrusive and non-service impacting to all applications and services. v Page 19

23 Security Penetration and Vulnerability Assessment Ad hoc Event In addition to the annual event, the will periodically perform Security and Penetration and Vulnerability Assessments against individual applications, databases, and servers outside of the normally scheduled annual event. These ad hoc events (anticipate no more than two (2) ad hoc events per year) are specialized and focused typically on a single system, a cluster of servers, or an application or application suite that is being introduced into the environment. The majority of s applications are designed, written, tested, and deployed in-house, with a few being contracted out to third party vendors. There are four primary considerations that considers to determine if an ad hoc Security Penetration and Vulnerability Assessment event is actually required. The purpose of the application The confidentiality of the data that the application has access to The logical placement of the server(s) that the application resides on (Internet facing or internal use only) The existence of any financial transactions that may be taking place When a new application is developed, or a new server is deployed, the system may be subjected to Security Penetration and Vulnerability Assessment. Ad hoc penetration tests have occurred historically at a rate of approximately one to two times annually; and requires that perform, or engage a third party to perform, these ad hoc events in addition to the annual event. As with the annual event, the is responsible for producing a report of findings, describing the severity of findings, and any listing any mitigation recommendations for to follow. The following table identifies the roles and responsibilities associated with the Security Vulnerability and Penetration Assessment services. Table 12. Security Vulnerability and Penetration s Security Vulnerability and Penetration s 1) Create and maintain Security Vulnerability and Penetration Assessment Policies and Procedures 2) Conduct and manage Security Vulnerability and Penetration Assessment for each of the annual events 3) Conduct and manage Security Vulnerability and Penetration Assessment for each of the ad hoc events 4) Provide a detailed report on findings, severity, and mitigation recommendations at the end of a Security Vulnerability and Penetration Assessment event 5) Install, configure, manage, and administer approved mitigation paths 6) Assist 3 rd -Parties with independent Security Vulnerability and Penetration Assessments as required v Page 20

24 3.9.5 Security Incident Management s Superior Court of California, County of San Diego The following table identifies the roles and responsibilities associated with Security Incident Management services. Table 13. Security Incident Management s Security Incident Management s 1) Create and maintain Security Incident Policies and Procedures 2) Provide security monitoring and incident management according to Policies and Procedures 3) Notify and brief of Security Incidents involving the Converged Network environment and infrastructure 4) Investigate security events and attacks 5) Identify, quarantine, and/or remove from the Converged Network, devices or network segments containing malicious code (e.g., virus/worm infected systems and/or rogue device) 6) Utilize forensic devices and other tools and systems as necessary to identify the Security Incident, locate its source, and its cause 7) Collaborate and assist 3 rd -Parties with the handling of Security Incidents involving and/or traversing the Converged Network environment and its infrastructure 8) Provide recommendations for reacting to, thwarting and implementing countermeasures during an actual Security Incident 9) Provide recommendations for preventing Security Incidents from recurring 10) Maintain and preserve all pertinent log data involving security incidents for evidence and review v Page 21

25 4.0 Management 4.1 Objectives Superior Court of California, County of San Diego has established the SLRs in this section to ensure data network services are uninterrupted and are available to deliver applications and other Court services to the Public, to Court employees, its Judges, and its partner agencies. 4.2 Periods The period of a single year is based upon the s Fiscal Year (July 1st through June 30th) The period of a single month is dependent upon the actual days within any given month The period of a single day is 24 hours (12:01am to midnight of the same day) The period of s Business Hours has been defined in Appendix D of Schedule 2. Availability (%) = 100 % - Unavailability (%) Unavailability does not refer to scheduled outages or planned downtime 4.3 Aggregate and Incident based SLRs Aggregated SLRs are those that are applied to all like devices within an entire Site; however the Sites themselves are not aggregated. Incident SLRs are those that are applied individually to each incident or occurrence, and are thus not aggregated. Availability SLRs are either aggregated on per Court Site basis, measured annually, and reported monthly, or they can be incident based, which are measured monthly and reported monthly. Administrative Task SLRs are incident based, measured monthly, and reported monthly Break Fix SLRs are incident based, measured monthly, and reported monthly. 4.4 Level Requirements (SLRs) The following minimum service levels are required at the end of the Transition Period. must consistently meet or exceed the following SLRs Availability Site Network WAN Availability This is in reference to the WAN devices, which are the core devices located at each Site, which the gigabit WAN circuits connect into, and bring the site onto the Courts WAN infrastructure. For the purposes of calculating Network Availability, redundant devices will be counted as a single device and will require both devices to be unavailable before unavailability is calculated. v Page 22

26 Site Network Availability is an incident based SLR LAN Network Availability Superior Court of California, County of San Diego This is inclusive of all LAN switches currently in service at any specific Site that carries data traffic and/or VoIP traffic. LAN Network Availability is an Incident based SLR Data Center LAN Availability This is inclusive of the redundant LAN switches within the data centers. For the purposes of calculating Data Center LAN, a pair of redundant devices will be counted as a single device and will require both devices be unavailable before unavailability is calculated. Data Center LAN Network Availability is an Incident based SLR Internet Access Availability This is inclusive of the network and security devices required to allow endusers to connect to the Internet via either HTTP or HTTPS or similar protocols. The devices included in the Internet calculation are the Internet Router, Internet Switch, Firewalls, External DNS, Websense and Blue Coat Proxy Servers, WCCP and Internet IDS/IPS devices. Redundant devices will be counted as a single device and will require both devices be unavailable before unavailability is calculated. Internet Access Availability is an Incident based SLR VPN Availability This is refers to the availability of the VPN devices (dedicated appliance such as a VPN concentrator or a VPN service running on a multifunction device such as a Cisco ASA or Checkpoint Firewall) and includes site-to-site VPN, availability of the VPN concentrators to accept remote client VPN connection requests, IPSec and SSL connections, and Web VPN availability. This availability excludes the VPN Client software that is loaded onto end-users computers. VPN Availability is an Incident based SLR Extranet Availability This refers to the availability of network and security devices required to allow 3rd Parties to connect to s Network. 3rd Parties include partner agencies via the 3rd Party Firewall, as well as site-to-site VPN between and 3rd Parties. There is a minimum of 2 devices counted and redundant devices will be counted as a single device and will require both devices be unavailable before unavailability is calculated. Extranet Availability is an Incident based SLR. v Page 23

27 4.4.2 Administrative Tasks and IMACDs Superior Court of California, County of San Diego This refers to the administrative tasks which support both the day-to-day activities and projects. Some of these administrative tasks include, but are not limited to the following administrative tasks: Implementing, removing, and/or modifying device configurations via software or web browser interface, Soft changes Implementing, removing, and/or modifying device configurations via hardware or other that requires an actual physical touch to complete, Hard changes All administrative tasks must go through the normal change control processes and should not to be performed as an on the fly change. Some changes will be required after normal business hours because some changes have an immediate impact that may temporarily disrupt services to the environment. Administrative tasks are an Incident based SLR Break Fix Return to Responding to a Break Fix instills added urgency by and the onsite Key Staff to remedy the situation quickly and correctly. Break Fix events fall into four levels of priority classification: P1 Major outage, service impacting affecting VIPs (see section 3.2.1) or multiple users, no work around. o Return to service: 4 hours P2 Major outage, affecting multiple users, with severely degraded service and limited work around. o Return to service: 8 hours P3 A business process or service is impacted affecting a user or multiple users but a work around is available. o Return to service: 24 hours P4 A business process, application, device or service is down affecting a single user or process down that does not impact users. o Return to service: 48 hours Break Fix return to service is an Incident based SLR Break Fix Time to Respond This section refers to actively responding to a break fix condition in order to begin remedying the situation. See Appendix D of Schedule 2 for a description of Business Hours. Time to respond P1 = 30 minutes from a break-fix alert being paged Time to respond P2 = 60 minutes from a break-fix alert being paged v Page 24

28 For purposes of efficiency, has defined two windows in which a break fix event can fall that requires immediate attention for P1 and P2 incidents: 1. A Window starting -3 hours from the Start of Business, and ending at the Close of Business 2. A Window outside of the period mentioned above All P1 and P2 break fix incidents are discussed with to be handled as an emergency change if the break fix occurs within 3 hours before business hours, or during business hours. Definitions of P1 and P2 break fix incidents are located in Schedule 1 of Enclosure C Root Cause Analysis (RCA) Time to Present RCA document For every P1 incident, an RCA document will be required. For some P2 incidents, an RCA will be required. Not all P2 incidents will need an RCA developed because the majority of P2 incidents have a workaround or have a very limited and small number who are the affected customer base. For P2 incidents that have a large impact either across an entire floor of a facility, or an entire Site, an RCA would be required Maintaining Minimum Qualifications The must maintain their minimum qualifications as identified in Minimum Qualifications. There will be an annual review between the and. This SLR exists to ensure that the quality and level of expertise receives remains high. The must not exceed 90 consecutive calendar days in which they fail to either meet or exceed the minimum qualifications. This 90 day grace period allows the to make the necessary adjustments in order to meet s minimum qualifications. v Page 25