EXECUTIVE SUMMARY
AGENDA ITEM:
Proposed Professional Service Agreement with Quadrant Security, LLC. (Quadrant)
Date: December 1, 2022
BACKGROUND:
Security Information and Event Management (SIEM) is a critical part of CCUA's cybersecurity protection
strategy. This year the IT Department evaluated seven (7) other security vendors and found that only one
(1) meets CCUA's current requirements. Quadrant has successfully provided CCUA these
cybersecurity services since 2011. Based upon the successful relationship with Quadrant and the IT
Department's current project commitments, Staff recommends continuing the cybersecurity
relationship with Quadrant.
Staff engaged Quadrant to secure cybersecurity monitoring services for the next two (2) years. Staff
and Quadrant reviewed and negotiated the attached Professional Service Agreement for the stated
cybersecurity services.
Section 17, last sentence, of Chapter 94-491, Laws of Florida, Special Acts of 1994, states:
"Nothing in this section shall be deemed to prevent the authority from hiring or retaining such
engineers, attorneys, financial experts, or other technicians as it shall determine, in its discretion, or
from undertaking any construction work with its own resources, without any such public
advertisement."
CCUA's current purchasing policy Section 6.F. states:
"Professional services, as permitted under Section 17 of Chapter 94-491, are excluded from the public
advertisement and competitive bidding requirements. Except in the case of an emergency, as described
in section A. above, such services shall be approved in advance by the Board of Supervisors."
BUDGET:
Staff budgeted $51,000.00 for this expense in this fiscal year's operating budget.
RECOMMENDATION:
Staff respectfully requests the Board of Supervisors approve the Professional Service Agreement with
Quadrant Security LLC. to provide cybersecurity services to CCUA.
//AW(Author)
//AW, DS,AB (Review)
//JW(Final)
ATTACHMENTS:
Professional Service Agreement
PROFESSIONAL SERVICES AGREEMENT
BETWEEN
CLAY COUNTY UTILITY AUTHORITY
AND
QUADRANT SECURITY, LLC.
This PROFESSIONAL SERVICES AGREEMENT (the "Agreement"), made and entered
into as of this day of November, 2022, between CLAY COUNTY UTILITY AUTHORITY,
an independent special district established and created pursuant to Chapter 94-491, Laws of Florida,
by Special Act of 1994, 3176 Old Jennings Road, Middleburg, FL 32068 (hereinafter "CCUA"), and
QUADRANT SECURITY, LLC. (hereinafter "Consultant" or "Quadrant"), whose principal
business address is 4651 Salisbury Road, Suite 315, Jacksonville, Florida 32256. The CCUA and
Consultant may hereinafter be individually referred to as a "Party" and collectively referred to as the
"Parties".
WITNESSETH
WHEREAS, CCUA desires to engage a consultant to provide managed detection and
response and enterprise security consulting services; and
WHEREAS, Consultant has experience and success in providing such services for similar
government entities; and
WHEREAS, CCUA and the Consultant desire by mutual agreement, to enter into this
Agreement as set forth herein.
NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of
which is hereby acknowledged, the Parties do hereby agree as follows:
1. RECITALS
The Parties agree that all the foregoing recitals are true and correct and are hereby incorporated
by reference herein.
2. SERVICES BY THE CONSULTANT
Consultant shall be responsible for providing on-going managed detection and response and
enterprise security consulting services to CCUA.
A. Quadrant Security, LLC. will deploy, monitor, and manage Quadrant's SIEM solution
(Sagan) and provide 24/7/365 alerting on all log traffic deemed malicious by the Quadrant
Security Operations team. This deployment will provide CCUA IT staff with around-the-
clock monitoring of the internal environment and external points-of-presence. CCUA will
be provided 24/7/365 eyes-on-target, report on unusual network activity and compromise
attempts, as well as provide assessment services.
Page 1 of 32
B. The scope of work is further defined in Exhibit 'A', and which is hereby made part of this
Agreement.
3. COMPENSATION
A. Compensation will be as outlined in Exhibit 'A'. Any additional expenses incurred will
require pre-approval from the designated CCUA staff member.
B. CCUA shall make payments to the Consultant based upon the approved invoices and
supporting documentation and deliverables within thirty (30) days of the receipt by CCUA
of a complete invoice. All invoices shall be sent to the attention of the Accounts Payable
Office at accountspayable@clayutility.org, and shall include back-up documentation as
required by CCUA. Invoice payment requirements do not start until a properly completed
invoice is provided to CCUA. If an invoice is not approved, in whole or in part, CCUA
will inform the Consultant of the issue and Consultant will not be paid until the issue has
been resolved to the satisfaction of CCUA.
4. TERM OF AGREEMENT AND TERMINATION
A. This Agreement shall be effective on the date first written above and shall be effective
until December 31, 2024.
B. CCUA may terminate this Agreement, in whole or in part, by delivering to the Consultant
a written Notice of Termination. CCUA may terminate the Agreement for its convenience
or for failure of the Consultant to fulfill any of its obligations hereunder, including without
limitation, the Consultant's failure to complete work within the required time or the
Consultant's failure to diligently proceed with the work to the satisfaction of CCUA.
Except in the case of a termination by CCUA for its convenience, the Consultant shall
have the opportunity to effect a remedy within fifteen (15) days of the Notice of
Termination, to the satisfaction of CCUA, as determined in CCUA's sole and absolute
discretion. Upon the Consultant's receipt of a written Notice of Termination from CCUA,
the Consultant shall: (1) immediately stop all further work unless otherwise directed in
writing by CCUA as no compensation shall be paid for any work performed after receipt
of such notice (provided however that expense of a nature which cannot be immediately
terminated shall be reimbursed at the minimum amount which may reasonably be arranged
for such termination, if CCUA concurs); and (2) deliver to CCUA's Project Manager
copies of all data, drawings, specifications, reports, estimates, summaries, and other
information and materials prepared while performing this Agreement, whether completed
or in process, in both paper and electronic formats acceptable to CCUA. In addition, if the
Consultant has possession of CCUA goods, it shall immediately provide CCUA with an
accounting of same and protect and preserve those goods until surrendered to CCUA or its
agent(s) or otherwise disposed of as directed by CCUA.
C. These termination provisions shall be made a part of all subcontracts under this
Agreement.
D. After the effective date of the Notice of Termination, CCUA will only pay for
work/services already performed and goods already delivered and accepted in accordance
with the terms of the Agreement. At the discretion of CCUA, CCUA may make an
equitable adjustment to the compensation due to the Consultant, but under no
circumstances shall the Consultant be entitled to payment for any anticipatory profit, for
work/services not yet performed, or for goods not accepted by CCUA.
5. STATUS AND ACTIVITIES OF CONSULTANT
Consultant (and all of its employees and subconsultants) is associated with CCUA as an
independent contractor and not as an employee.
A. It is understood that Consultant is an independent contractor and is not an employee, agent,
partner, or representative of CCUA. As such, Consultant is responsible, where necessary,
to obtain, at Consultant's sole cost, workers' compensation insurance, disability benefits
insurance, and any other insurances that may be required by law. CCUA will not provide,
nor will it be responsible to pay for, benefits for Consultant. Any such benefits, if provided
for Consultant, including, but not limited to health insurance, paid vacation, paid holidays,
sick leave, or disability coverage of whatever nature, must be obtained and paid for by
Consultant or by other means but in no event will they be obtained and paid for by CCUA.
B. Consultant, and not CCUA, will be responsible for the manner and scope in which
Consultant performs the Scope of Work,but agrees that all manner and methods employed
by it will be subject to approval by CCUA. Notwithstanding that, Consultant agrees that
it will at all times conduct itself in an ethical and honest manner and in full compliance
with all applicable laws and regulations.
C. Consultant may use materials prepared by CCUA for purposes of carrying out its
obligations under this Agreement. Consultant may use such materials only upon the terms
and conditions stated by CCUA from time to time. Consultant may not modify or amend
any materials that it is authorized to use without the prior written consent of CCUA.
Except as expressly authorized in this Agreement, Consultant shall not have any right to
use any name, trademark, copyright, or other designation of CCUA in advertising,
publicity or marketing materials. In the event that Consultant desires to produce its own
materials referring to CCUA's business, using CCUA's intellectual property, and
suggesting any relationship, whatsoever, between it and CCUA, except as otherwise
authorized in this Agreement("Consultant Produced Materials"), Consultant shall submit
the Consultant Produced Materials to and obtain advance written approval from an
authorized representative of CCUA prior to printing and the dissemination of any such
Consultant Produced Materials to any third party. CCUA shall have sole discretion to
approve or disapprove of all Consultant Produced Materials. All materials furnished to
Consultant by CCUA are the property of CCUA and shall be used only in the manner
intended and for the furtherance of CCUA's business. Any materials,including Consultant
Produced Materials, in Consultants possession or control at the termination of this
Agreement shall be promptly returned to CCUA.
D. Consultant shall not be subject to the provisions of any handbook or the rules and
regulations applicable to employees of CCUA, since it shall fulfill its responsibilities
independent of and without supervisory control by CCUA.
E. Consultant agrees to pay all employment taxes and other applicable taxes, including sales
taxes and income taxes.
F. Consultant agrees that it is not a joint employer with CCUA and further agrees that
neither Party possesses control over the essential terms and conditions of employment of
the other Party's employees.
6. CONFIDENTIALITY
A. For purposes of this Agreement, "Confidential Information" shall include all information
or material that has or could have commercial value or other utility in the business or
industry in which Disclosing Party is engaged. Additionally, "Confidential Information"
shall also include any and all personal, protected or otherwise sensitive information which
the Receiving Party might be exposed to during the day-to-day operations of the Disclosing
Party.
B. Receiving Party's obligations under this Agreement do not extend to information that is:
(a) publicly known at the time of disclosure or subsequently becomes publicly known
through no fault of the Receiving Party; (b) discovered or created by the Receiving Party
before disclosure by Disclosing Party; (c) learned by the Receiving Party through
legitimate means other than from the Disclosing Party or Disclosing Party's
representatives; or (d) is disclosed by Receiving Party with Disclosing Party's prior written
approval.
C. Receiving Party shall hold and maintain the Confidential Information in strictest
confidence for the sole and exclusive benefit of the Disclosing Party. Receiving Party shall
carefully restrict access to Confidential Information to employees, contractors and third
parties as is reasonably required and shall require those persons to sign nondisclosure
restrictions at least as protective as those in this Agreement. Receiving Party shall not,
without prior written approval of Disclosing Party, use for Receiving Party's own benefit,
publish, copy, or otherwise disclose to others, or permit the use by others for their benefit
or to the detriment of Disclosing Party, any Confidential Information. Receiving Party
shall return to Disclosing Party any and all records, notes, and other written, printed, or
tangible materials in its possession pertaining to Confidential Information immediately if
Disclosing Party requests it in writing.
D. The nondisclosure provisions of this Agreement shall survive the termination of this
Agreement for a period of five (5) years.
E. Nothing contained in this Agreement shall be deemed to constitute either Party a partner,
joint venturer or employee of the other Party for any purpose.
F. If a court finds any provision of this Agreement invalid or unenforceable, the remainder
of this Agreement shall be interpreted so as best to effect the intent of the Parties.
G. This Agreement expresses the complete understanding of the Parties with respect to the
subject matter and supersedes all prior proposals, agreements, representations and
understandings. This Agreement may not be amended except in a writing signed by both
Parties.
H. The failure to exercise any right provided in this Agreement shall not be a waiver of prior
or subsequent rights.
7. PUBLIC RECORDS AND RELATED INQUIRIES
A. Notwithstanding anything contained in this Agreement to the contrary, the Consultant
acknowledges that CCUA is subject to the Florida Public Records Law, and that in
compliance therewith, at the sole discretion of CCUA, CCUA may disseminate or make
available to any person, without the consent of the Consultant, information regarding this
Agreement, including but not limited to information in the: responses; requirements;
specifications; drawings; sketches; schematics; models; samples; tools; computer or other
apparatus programs; or technical information or data, whether electronic, written, or oral,
furnished by the Consultant to CCUA under this Agreement, and that copies of work
products and related materials prepared or received by the Consultant under this
Agreement are public records.
B. Notwithstanding anything contained in this Agreement to the contrary, the Consultant shall allow
public access to all documents, papers, letters, or other material subject to the provisions of
Chapter 119, Florida Statutes, made or received by the Consultant in conjunction with this
Agreement. Specifically, if the Consultant is acting on behalf of CCUA, the Consultant shall:
1. Keep and maintain public records that ordinarily and necessarily would be required by CCUA
in order to perform the services being performed by the Consultant;
2. Provide the public with access to public records on the same terms and conditions that CCUA
would provide the records and at a cost that does not exceed the cost provided in Chapter 119,
Florida Statutes, or as otherwise provided by law;
3. Ensure that public records that are exempt or confidential and exempt from public records
disclosure requirements are not disclosed except as authorized by law; and
4. Meet all requirements for retaining public records; transfer, at no cost to CCUA, all public
records in possession of the Consultant upon termination of this Agreement; and destroy any
duplicate public records that are exempt or confidential and exempt from public records
disclosure requirements. All records stored electronically must be provided to CCUA in a
format that is compatible with the information technology systems of CCUA.
C. The Consultant shall immediately provide CCUA with a copy of any Request to Inspect
or Copy Public Records in possession of the Consultant and the Consultant shall also
promptly provide CCUA with a copy of the proposed response to each such request. No
release of any such records by the Consultant shall be made without approval of CCUA.
The Consultant's failure to grant approved public access will be grounds for immediate
termination of this Agreement by CCUA.
D. All media and other inquiries concerning the Agreement and/or the Consultant's Scope of
Work shall be directed to CCUA's Executive Officer. The Consultant shall not make any
statements, press releases, or publicity releases concerning this Agreement or its subject
matter or otherwise disclose or permit to be disclosed any of the data or other information
obtained or furnished in compliance with this Agreement, or any particulars thereof,
without CCUA's written consent. However, the Consultant may communicate directly
with public agencies when required to do so as part of the Scope to be performed
hereunder.
8. CONFLICT OF INTEREST
A. The Consultant shall not promise any employee of CCUA, whose duties include matters
relating to or affecting the subject matter of this Agreement, compensation of any kind or
nature from the Consultant, while such employee is employed by CCUA, or for one (1)
year thereafter.
B. The Consultant affirms that it will not take part in any activities that will be a conflict of
interest with CCUA or that would appear to compromise the integrity of CCUA. The
Consultant shall provide written notice to CCUA immediately upon occurrence or first
identification of any potential conflict-of-interest situation.
C. Upon request by CCUA,the Consultant shall execute any Conflict-of-Interest Certification
that may be required.
9. INDEMNIFICATION
To the fullest extent permitted by law, the Consultant shall indemnify, defend, and hold
harmless CCUA and its Board of Supervisors, officers, and employees, from liabilities,
damages, losses,and costs,including but not limited to reasonable attorneys'fees,to the extent
caused by the negligence, recklessness, or intentionally wrongful conduct of the Consultant
and other persons or entities employed or utilized by the Consultant in the performance of this
Agreement. The provisions of this Paragraph shall survive the termination of this Agreement.
The indemnification obligation hereunder shall not be limited in any way by amount or type
of damages, compensation or benefits payable under workers' compensation acts, disability
benefits acts, or other employee benefit acts.
10. PUBLIC ENTITY CRIMES
CCUA reserves the right to terminate this Agreement effective immediately upon written
notice in the event that the Consultant or any of its affiliate(s)are placed on the State of Florida
convicted vendor list pursuant to Section 287.133, Florida Statutes. For purposes hereof,
"affiliate" shall have the meaning set forth in Section 287.133(1)(a), Florida Statutes. The
Consultant shall advise CCUA promptly after conviction of any "public entity crime" as
defined in Section 287.133(1)(g), Florida Statutes, applicable to the Consultant or any of its
affiliate(s).
11. EQUAL EMPLOYMENT OPPORTUNITY AND NONDISCRIMINATION
A. The Consultant on its own behalf, and on behalf of any subconsultants, agrees that it, and
they, will comply with all federal, state and local laws and ordinances as well as any and
all rules,regulations and executive orders promulgated to ensure that it will not unlawfully
discriminate against anyone based on race, color, religion, national origin, sex (including
gender identity, sexual orientation, and pregnancy), age, genetic information, disability,
veteran status, or other protected class in the performance of work or any other activity
under this Agreement. This provision binds the Consultant and any subconsultants from
the effective date of the Agreement through the completion of the Agreement. Consultant
agrees to include the language in this paragraph in any Agreement between it and its
subconsultants and to provide evidence to CCUA that such language has, in fact, been
included in the Agreement.
B. The Consultant shall permit access to its books, records, accounts, other sources of
information, and its facilities, as may be determined by CCUA to be pertinent to ascertain
compliance with this Section.
12. DISPUTES,DEFAULTS AND REMEDIES
A. Disputes arising in the performance of this Agreement shall be decided in writing by
CCUA's Executive Director, and the decision rendered shall be final and conclusive for
CCUA.
B. The Consultant and CCUA agree that any suit, action, or other legal proceeding arising
out of or relating to this Agreement shall be brought in the Circuit Court of Clay County,
and each Party hereby consents to the jurisdiction of each such court over any such suit,
action, or proceeding, and waives any objection which it or they may have to the laying of
venue of any such suit, action, or proceeding, and any of such courts. This provision is a
material inducement for CCUA and the Consultant entering into the transactions
contemplated hereby.
C. Each Party shall bear their own attorney's fees in connection with the performance,
interpretation, and enforcement of this Agreement.
13. INSURANCE
Insurance will be as outlined in Exhibit 'B'.
14. MISCELLANEOUS
A. The Consultant is not authorized to act as CCUA's agent and shall have no authority,
expressed or implied, to act for or bind CCUA, unless otherwise expressly set forth for a
particular purpose in a separate writing by CCUA.
B. This Agreement and the rights of all Parties hereunder shall be construed and enforced in
accordance with the laws of the State of Florida.
C. No recourse under or upon any obligation, covenant, or agreement contained in this
Agreement or any other agreements or documents pertaining to the work, as such may
from time to time be altered or amended in accordance with the provisions hereof,or under
any judgment obtained against CCUA or by the enforcement of any assessment or by any
legal or equitable proceeding by virtue of any statute or otherwise, whether under or
independent of this Agreement, shall be had against any Board Member,officer,employee
or agent, as such, past, present or future, of CCUA either directly or indirectly, for any
claim arising out of this Agreement, or for any sum that may be due and unpaid by CCUA.
Any and all personal liability of every nature,whether at common law,in equity,by statute,
by constitution or otherwise, of any CCUA member, officer, employee, or agent as such,
to respond by reason of any act or omission on his or her part or otherwise for any claim
arising out of this Agreement, or for the payment for or to CCUA, or any receiver therefor
or otherwise, of any sum that may remain due and unpaid by CCUA, is hereby expressly
waived and released as a condition of and as consideration for the execution of this
Agreement.
D. Consultant will not use the name of CCUA or quote the opinion of any employees of
CCUA or refer to CCUA directly or indirectly in any promotional literature or
correspondence, news release, advertisement, or release to any professional or trade
publications without receiving specific written approval for such use or release from
CCUA.However,this Paragraph will in no way limit the Consultant's ability to satisfy any
governmental required disclosure of its relationship with CCUA.
E. This Agreement is binding upon the Parties hereto and their respective successors and
assigns. The Consultant shall not assign, sell, or transfer its interest in this Agreement
without CCUA's express written consent. Any such assignment by the Consultant must
contain a provision allowing CCUA to assert against any assignee, any and all defenses,
setoffs, or counterclaims which CCUA would be entitled to assert against the Consultant.
F. This Agreement may be modified or amended only by a writing signed by each of the
Parties hereto. Neither electronic mail nor instant messaging shall be considered a
"writing" for purposes of amending, supplementing, or modifying this Agreement. No
additional services shall be performed until such additional services are provided for in an
Amendment executed by both Parties.
G. The Consultant shall perform(and cause all subconsultants to perform)the Scope of Work
in a manner that is consistent with the level of reasonable care, skill,judgment, and ability
provided by others providing a similar scope of work in the same geographic area. The
standard of care shall not be altered by the application, interpretation, or construction of
any other provision of this Agreement, or any document incorporated or referenced herein,
including the Solicitation. Unless otherwise expressly allowed by the specifications, all
items furnished by the Consultant in connection with the work performed hereunder must
be completely new and free from defects.
H. All of the personnel assigned by the Consultant and all subconsultants shall be qualified
and authorized under state and local laws to perform the services described in the Scope
of Work,whether by appropriate license, registration, certification, or other authorization.
I. When the Agreement requires services, all correspondence, documents, drafts, data
compilations and tabulations, research, analysis, plans, reports, and work product of any
kind, in any medium, submitted to or prepared by or for the Consultant in connection with
this Agreement, are the sole property of CCUA and shall be scanned into electronic format
and provided to CCUA in an indexed, logical, searchable format on computer Compact
Disks(CDs)or other format acceptable to CCUA. Such correspondence must be provided
to CCUA within thirty (30) days of the close-out of the Agreement and must be received
before CCUA will release final payment to the Consultant. The original documents shall
be maintained by the Consultant for a period of five (5)years after the completion of final
payment by CCUA. Thereafter, or upon termination of this Agreement for any reason,
such records shall immediately be delivered to CCUA.
J. This Agreement, when executed by the Parties, shall be effective as of the date stated
above. This Agreement fully and completely expresses the agreement of the Parties with
respect to the matters contained herein and shall not be modified or further amended except
by written agreement executed by each of the Parties hereto. The Consultant understands
and agrees that no representations of any kind whatsoever have been made to it other than
as appear in this Agreement, that it has not relied on any such representations and that no
claim that it has so relied on may be made at any time and for any purpose.
K. This Agreement may be executed in any number of counterparts, each of which shall be
deemed original; however, all of which when taken together shall constitute one and the
same instrument.
L. This Agreement and all Ancillary Documents may be executed and delivered by email or
other electronic signature method in accordance with Chapter 668, Florida Statutes, and
will have the same force and effect as a written signature.
(Signatures on following page)
IN WITNESS WHEREOF, the Parties have executed this Professional Services Agreement,
effective as of the date indicated above.
QUADRANT SECURITY, LLC.:
By: [signature]
Printed Name: Kathrin Ritter
Title: COO
CLAY COUNTY UTILITY AUTHORITY:
By:
Printed Name: Jeremy Johnston
Title: Executive Director
APPROVED AS TO FORM:
By:
Angelia Wilson,Procurement Manager
Execute in Triplicate Distribution (electronic):
1. Quadrant Security, LLC.
2. CCUA Contract Repository
3. CCUA Project Manager—User Department
EXHIBIT 'A'
Our Sagan Solution is more than SIEM: It has evolved into an ecosystem that serves as an all-
inclusive security solution. At Quadrant, we serve as the eyes and ears for our clients. Our
solution provides the power and security of 24/7/365 monitoring, notification, and
remediation assistance by true security professionals, supported by ever-evolving threat
detection technologies and techniques.
Attacks take place around the clock: Many of these threats are not always identified through log
analysis or packet inspection alone. Along with these technologies, Quadrant further utilizes
Honeypots, human analysis (SOC), and our Malware Detonation Platform, all of which
populate our proprietary BlueDot threat intelligence database and are shared across our global
client base.
Adversaries are always on the move: Their tools and techniques are constantly changing and it is our
job to continually enhance our solution and develop technologies that allow us to identify,
validate, and report threats for our clients.
The Process
Through a four-stage process (Figure 1), threats are identified, investigated, and escalated by
Quadrant to the client (stages 1-3), and subsequently neutralized via remediation performed by the
client (stage 4). The methodology is comprised of the following:
Stage 1: Monitoring
Quadrant sensors monitor both network traffic at the packet-level and system logs via
thousands of rules which trigger alerts when suspicious activity is detected. The total
transactions screened for a similarly sized organization is often in the range of tens of
billions per quarter.
Stage 2: Investigation and Analysis
Upon the occurrence of suspicious activity, the Sagan Security Information and Event
Management (SIEM) system forwards an alert to the Quadrant Security Operations
Center (SOC). Each alert is immediately triaged, and potentially critical items are
investigated by SOC analysts.
SOC Analysts categorize events using a group of prioritized classifications as seen in
Table 1 below. Priority 1 events are critical events, whereas Priorities 2 and 3 are not
considered critical on their own but may be flagged for monitoring of related
suspicious activities in the client network.
Stage 3: Escalation
When a threat is deemed authentic and of significance, the client's InfoSec team will
be notified of the threat and provided with all available information in order for
appropriate remediation steps to be taken.
Stage 4: Client Threat Remediation
Once notified by Quadrant of a security threat, the client's security team will be able
to perform the necessary steps to eliminate the identified threat. In many cases, the
client can add the identified threat to its internal ticketing system for reporting and
auditing purposes, as well as to manage remediation and resolution.
Figure 1. Four-Stage Process
[Figure: network traffic and system logs feed Stage 1 Monitoring (System Rules), followed by
Stage 2 Analysis and Stage 3 Escalation on the Quadrant side, and Stage 4 Remediation on the
customer side.]
Table 1. Quadrant Analyst Event Classifications

Analyst Classification          Priority
Active Attack                   1
Botnet Traffic                  1
DoS Attempt                     1
Exploit Kit                     1
Phishing Attempt                1
Rogue AP                        1
Security Audit                  1
SQL Injection Attempt           1
Trojan Horse/Malware            1
Virus/Worm                      1
Account Lockout                 2
Brute Force Attack              2
NMap/Portscan/Probes            2
P2P Traffic                     2
Remote File Inclusion           2
Spam                            2
Spyware/Adware                  2
Suspicious Traffic              2
Attempted Recon                 3
Authentication Failure          3
False Positive                  3
Firewalled/Dropped/Denied       3
Invalid Login                   3
Maintenance                     3
Normal Traffic                  3
Not Applicable                  3
Policy Violation                3
System Error                    3
System Event                    3
The Continuous Tuning—Maximizing Security, Removing Noise
The Quadrant process includes continuous tuning of the detection systems in order to ensure the
highest level of threat detection while also providing the lowest number of false positives, or `noise'
that is forwarded back to the client's network security team. As Figure 2 shows, the ratio of total
transactions compared to escalated events can often be as great, or greater, than 1 Billion to 1.
Figure 2. Ratio of Total Transactions to Escalated Events
[Figure: a funnel from all traffic screened by the system (on the order of a billion
transactions), through events flagged by the system, tuning filters applied, and analyst
investigation, down to the events on which the client is notified.]
The Statement of Work
The objective of this engagement is to deploy, monitor, and manage Quadrant's SIEM solution
(Sagan) and provide 24/7/365 alerting on all log traffic deemed malicious by the Quadrant Security
Operations team. This deployment will provide Client IT staff with around-the-clock monitoring of
the internal environment and external points-of-presence, allowing internal team members to
concentrate their efforts on other IT-related priorities. The Client is seeking an Information Security
Firm that can provide 24/7/365 eyes-on-target, report on unusual network activity and compromise
attempts, as well as provide assessment services.
Quadrant plans on satisfying all Client requirements by deploying the following:
Sagan - Security Event Analyzer Application (SIEM+)
Sagan is a multi-threaded, real-time Security Event Management and Analyzer
Application that uses Suricata-like rules to detect malicious traffic on the Client's
network and/or data assets. Upon start-up, Quadrant's product contains over 8,000
internally developed attack signatures that are used to detect and validate malicious
activity and critical events throughout the Client's infrastructure (e.g., hardware
failures).
The Sagan Console is Quadrant's state-of-the-art security dashboard and event
analysis portal. Each Client has access to their own portal via the web, thus making it
available from anywhere. The Console serves a number of important functions:
• The dashboard (Figure 3) provides a quick overview of the system's operational
status and any security threat activity.
• Events, network packets, and logs can be searched through the Console, and security event
origins are displayed on an 'Attack Map', giving the Client a glimpse into the types of threat actors
that may be targeting its networks.
• The Sagan Console provides custom, executive-level reporting capabilities
through aggregated event data.
Figure 3. Dashboard View
[Figure: Sagan Console dashboard screenshot with panels for latest log activity and event count by time by sensor; image not reproduced]
Threat Intelligence - BlueDot
Lists of "bad" IP addresses and domain names are of little value to organizations that
take information security seriously. IP blacklists or blocklists often lack the context that is
required for decisive actions, lack the relevance required by decision makers, are too
ambiguous to be reasonably actionable, and are provided with little to no regard to
timeliness.
Quadrant Information Security is aware of the shortcomings of reputation lists.
BlueDot, Quadrant's threat intelligence system, is an effort to combat reputational
deficiencies and garner a new paradigm of threat detection technology. Powered by
Sagan, BlueDot is a comprehensive system that analyzes a variety of system and
network artifacts in real-time in order to identify emerging threats.
BlueDot aggregates and processes information from honeypots, malware research, and
incidents vetted by Quadrant Information Security's skilled team of security analysts
to find relationships between attack data (Figure 4).
Information from BlueDot feeds Sagan's real-time detection capabilities, where
analysts can use historical threat data to correlate attacks between adversaries and
industries. New threats may provide new threat indicators, and identification of known
threat indicators leads to the collection of additional ones.
BlueDot strives to achieve "quality over quantity" to ensure that decision makers are
performing their duties with the most accurate intelligence available.
Figure 4. BlueDot Feeds
[Figure: BlueDot feeds diagram; image not reproduced. Labels: Campaigns; Vulnerabilities Exploited (CVE); Filenames; Filepaths; File Hashes; Domain Names; IP Addresses; APT/Threat Actor Names; Registry Keys; Industries Targeted; URLs; Tor Discovery; Honeypots; Emerging Attack Vectors; Trend Analyses; Industries; Sentinel-External Feeds; Malware Behavior; Geolocation of Honeypot IP Addresses; Attack Payloads; Malware Samples; Full Packet Capture; SOC Alert Data; APT Deflector Signatures]
Packet Inspection Engine (IDS /Full Packet Capture/Metadata)
During the installation process, Quadrant's team of security professionals will set up a
machine that acts as an alarm system within the Client's network. This machine
(referred to as the "Quadrant Sensor"), analyzes the traffic coming into the network's
point-of-presence for any nefarious data and compromise attempts.
Quadrant uses a system that can be tailored 100% to the Client's needs. Its specialized
language allows Quadrant to select alerts appropriate to the Client's network, as well
as add and remove alerts as policies change and new attacks are discovered.
The Quadrant Sensor detects intrusions by first parsing network traffic in order to
extract its application-level semantics. It then executes event-oriented analyzers that
compare the activity with patterns deemed nefarious. Its analysis includes detection of
specific attacks including those defined by signatures, as well as those defined in terms
of events and unusual activities (e.g., certain hosts connecting to certain services, or
patterns of failed connection attempts).
Malware Detonation/File Extraction
As part of the Sagan platform, Quadrant has developed an exciting component called
Malware Detonation. This platform allows Quadrant sensors to extract files traversing
the Client's network and safely execute them (detonate) in a secure network off-premises
in the Quadrant "cloud".
This technology is used to detect malware where other tools, like antivirus, fail. Rather
than depending on signatures and static analysis, the malware is detected by its
behavior within a secure virtual environment. This type of service is useful in detecting
advanced threats and undocumented attacks. For example, this type of service is useful
in attacks prior to indicators being distributed, like in the early stages of the
"WannaCry" outbreak.
The Client is given access to all of the analysis data generated in the Quadrant
Malware Analysis platform; including screenshots, network traffic recordings, static
analysis, behavior data, registry keys created/modified/destroyed, event logs, and
more.
Domain Tracking
Phishing and domain squatting attacks often rely on the end-user to detect and report
potential threats and incidents. Quadrant has developed a proactive utility, Domain
Tracker, which reduces the potential for human error, automates enrichment of data
related to suspicious domains, and disseminates additional attack indicators
throughout the Sagan ecosystem. Domain Tracker takes initiative from potential
attackers by anticipating possible attack vectors before they can be utilized.
Domain Tracker ingests domain names registered to an organization. Each domain
name ingested is processed by an algorithm which generates domain names similar to
the original, but varied by character additions, omissions, substitutions, and other
methods. Registration details are requested for each domain name generated, and
domains which return registration information are stored for additional analysis.
Contact details, IPv4 addresses, and geo-location for each domain name are stored in
a database. Findings appear in the Sagan console as soon as a new domain registration
or DNS change is observed. The Sagan ecosystem provides signatures tailored to the
Client's log analysis engine as suspicious domains are detected and alerting on
communications to or from suspicious domains may occur within minutes of the
domain being registered.
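The permutation step described above, as an added example that is not Quadrant's Domain Tracker code: it builds look-alike variants of an organization's own registered domain using the mutation classes the SOW names (character additions, omissions, substitutions) plus adjacent-character transposition as an assumed "other method", then screens them through a caller-supplied registration lookup so the block runs offline (a WHOIS/RDAP or DNS client would be plugged in for real use). The keyboard-adjacency map and example.org registry are constructed.

```python
"""
Added example, not Quadrant's Domain Tracker code: generate single-edit
look-alikes of an organization's own domain and screen them for registration.
"""
from typing import Callable

# Characters allowed in a DNS label (letters, digits, hyphen).
LABEL_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed, partial QWERTY-adjacency map used for substitution variants;
# a production tool would carry a full keyboard map and a homoglyph table.
ADJACENT = {
    "a": "qwsz", "e": "wsdr", "l": "kop", "m": "njk",
    "o": "ilp", "p": "ol", "u": "yhji", "x": "zsdc",
}


def split_domain(domain: str) -> tuple[str, str]:
    """Split a registered domain into the label to mutate and the suffix kept fixed."""
    label, _, rest = domain.lower().partition(".")
    if not label or not rest:
        raise ValueError(f"expected 'label.suffix', got {domain!r}")
    return label, rest


def additions(label: str) -> set[str]:
    """Insert one extra character at every position."""
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in LABEL_CHARS}


def omissions(label: str) -> set[str]:
    """Drop one character at every position."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def substitutions(label: str) -> set[str]:
    """Replace one character with a keyboard-adjacent one."""
    return {label[:i] + c + label[i + 1:]
            for i, cur in enumerate(label) for c in ADJACENT.get(cur, "")}


def transpositions(label: str) -> set[str]:
    """Swap two adjacent characters (identical pairs are skipped: no change)."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def valid_label(label: str) -> bool:
    """RFC 1035 shape check: 1-63 characters, no leading or trailing hyphen."""
    return 0 < len(label) <= 63 and label[0] != "-" and label[-1] != "-"


def generate_variants(domain: str) -> list[str]:
    """Return every single-edit look-alike of `domain`, excluding the domain itself."""
    label, rest = split_domain(domain)
    candidates: set[str] = set()
    for mutate in (additions, omissions, substitutions, transpositions):
        candidates |= mutate(label)
    candidates.discard(label)
    return sorted(f"{c}.{rest}" for c in candidates if valid_label(c))


def find_registered(domain: str, is_registered: Callable[[str], bool]) -> list[str]:
    """Screen the variants with a registration lookup and return the ones that exist.

    `is_registered` is injected so this runs offline; in practice it would query
    WHOIS/RDAP or resolve the name and return True when a record exists.
    """
    return [v for v in generate_variants(domain) if is_registered(v)]


if __name__ == "__main__":
    # Constructed demo: pretend two look-alikes of the reserved example.org exist.
    fake_registry = {"exmple.org", "exampel.org"}
    print(find_registered("example.org", fake_registry.__contains__))
```

Variants that come back registered are the ones worth feeding to log-analysis signatures, as the SOW describes.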
24/7/365 Managed Services
Quadrant's SOC analysts assess each alert to determine the nature and significance of
the attack. In the case of a serious event, the system automatically alerts the SOC, 24
hours a day 7 days a week. If Quadrant analysts determine that the Client could be
compromised,the source address of the offending traffic will either be blocked, and/or
the Client's management personnel will be notified.
All alerts that come into the SOC are stored in a database on-site at Quadrant and the
traffic between the Client and Quadrant is securely encrypted. Quadrant's IDS trend
information is gathered every 5 minutes from multiple field sensors. This information
is used to show general attacks detected on the Internet and allows the SOC analysts
to trend attacks across multiple environments.
The Implementation and Action Items
Overview
Once the decision has been made to implement the Sagan solution, whether as a Proof-of-Concept
(POC) or full implementation, there are a number of considerations and
subsequent actions that will be required to commence with the SIEM and IDS service.
Primary consideration will be the number and placement of sensors for both network
packet analysis (IDS) and log analysis.
To ensure a smooth implementation and minimize the use of Client resources,
Quadrant provides a Client Liaison/Project Manager to coordinate the efforts of the
Client's and Quadrant's teams. Much of the hardware setup and installation is
completed by Quadrant, although some actions, such as directing log traffic to Sagan,
need to be completed by the Client. Quadrant will assist with these efforts throughout
the implementation process.
Determining the Number, Type, and Placement of Sensors
Number of Sensors
The number of sensors required is determined primarily by the physical nature
of the Client's infrastructure. For example, if there are three physical locations
that have Internet points-of-presence which require IDS sensors, then there
will be three physical IDS sensors to service those locations. In most cases,
there will also be at least one log analysis and storage sensor (if the traffic
volume allows, this sensor may function as one of the IDS sensors).
Determining the number of sensors is usually completed during the scoping
process by reviewing the Client-completed Scoping Document provided by
Quadrant prior to implementation, as well as through discussions with the
Client.
Type of Sensors
The type and specifications of the sensors are determined by the volume of
traffic each machine is expected to analyze and, in the case of log storage, the
volume of log data expected for a fifty-three-week period. The number of ports
required for each sensor is a function of the number of IDS input ports
required, plus one additional port for use as Quadrant's management port.
The Client will be asked to provide the type of connection (copper or fiber-optic
cabling, etc.) and the expected bandwidth needs to Quadrant. In most
cases, the ownership and responsibility of maintaining the sensors remains
with Quadrant, freeing the Client from having to dedicate additional resources
to sensor hardware.
Placement of Sensors
The optimal placement of the sensors will be determined through discussions
with the Client, the scoping document, and additional network documentation.
Typically, the IDS sensors will be placed physically close to core
infrastructure. Where applicable, the IDS sensors are usually placed behind the
firewall in order to reduce the number of alerts triggered by events that would
normally be stopped by the firewall.
Preparation of Sensors
Once the sensor hardware is received by Quadrant, the implementation team
will load the sensor operating system(s) and all required software. Quadrant
will then configure the machines for the specific Client sites.
The Client will be asked to provide Quadrant with the IP addresses for each
sensor, as this information is needed to remotely access the sensor for
maintenance purposes. The Client will not be required to load any software or
to configure the sensors.
Directing Log Traffic to Sagan for Analysis
Quadrant's log analysis and storage process requires that logs for all relevant assets
are forwarded to the Sagan log sensor. This typically includes servers, firewalls,
switches as well as other network devices. The Sagan appliance is designed to analyze
and store logs in Syslog format.
Syslog
For almost all non-Windows devices, logs can be directed to the Sagan
device in Syslog format, without any additional software. The Client's
network team will need to configure each of these devices to forward logs to
the Sagan device. Once complete, the Quadrant team will be able to provide
confirmation that logs are, in fact, being received from each device.
Windows Agent
Windows devices do not have a native option for sending logs in syslog
format. Fortunately, Quadrant provides a custom syslog agent that is
delivered in an install package (MSI) that does not require restart. Though
most Windows devices are 64bit, it is important that the Client inform
Quadrant of the existence of any 32bit devices, as this will require a separate
installer package. As with non-Windows devices, the Quadrant team will
verify that logs are being received from each of the Windows devices.
Additional Network and Systems Considerations
Network Traffic Analysis
In order to ensure that Quadrant sensors will not disrupt network traffic, even
in the event of failure, Quadrant sensors are not placed 'in-line', but rather
receive traffic mirrored via span. Network impacts are addressed during the
implementation kick-off meeting, prior to span configuration.
Log Traffic/Network Load
The transmission of logs to any central log repository will increase the
network load by the volume of log data to be stored. However, this is not
typically a significant burden above-and-beyond the existing traffic load.
Implementation Action Items at a Glance
Table 2 below provides an at-a-glance view of the steps and responsible parties for a typical
Sagan implementation:
Table 2. Implementation Responsibilities
Implementation Action                                            | Responsible Parties                        | Week #
Scoping Document Completed and Delivered                         | Client                                     | 1
Meeting to Determine Sensor Placement and Configuration          | Set up by Quadrant Client Liaison/PM       | 1
  - Schedule Meeting                                             |                                            | 1
  - Meet                                                         | Client and Quadrant Implementation Team    | 1
  - Provide IPs for Sensors                                      | Client                                     | 1
  - Provide Cabling and Rack Specs for each Sensor (Copper/Fiber?) | Client                                   | 1
  - All 64bit Windows Servers (if Applicable)?                   | Client                                     | 1
  - Determine Install Dates                                      | Client and Quadrant Implementation Team    | 1
Procure Hardware                                                 | Quadrant Implementation Team               | 1
Configure Sensors                                                | Quadrant Implementation Team               | 2-3
Build and Deliver Windows Agent MSI (if Applicable)              | Quadrant Implementation Team               | 2-3
Install Hardware                                                 | Client and Quadrant Implementation Team    | 2-3
Configure IDS Spans                                              | Client                                     |
Load Windows Agent on Windows Devices                            | Client                                     | 2-3
Direct Syslog to Sagan Sensor for Non-Windows Devices            | Client                                     | 2-3
The Incident Response Process
When an incident has occurred within the Client's network, Quadrant supports its Client
through the life-cycle of the incident by providing around-the-clock Incident Response (IR)
support. In conjunction with the 24/7/365 SOC, a Quadrant IR Lead engages with the Client
to ensure that all necessary analyses are completed, and that all data and information deemed
related to the event are provided to the Client in a time-efficient and quality-assured manner.
Examples of the functions Quadrant provides in relation to IR are:
• IR support dedicated to the Client 24/7 for the duration of the incident
• Real-time monitoring for Indicators of Compromise (IOCs)
• In-depth research into possible IOCs
• Comprehensive and customized data searches into the events surrounding the incident
in order to identify additional IOCs
• Custom creation of rules to detect future and/or ongoing occurrences of IOCs
• Thorough search through the Client's network for other occurrences of IOCs
• Event validation and team notification of live activity during the incident
• Custom reporting and recommendations based on the incident
• Implementation of permanent rules and monitoring tools following the incident
Quadrant understands that most organizations do business with MSSPs as a way to gain
additional security support, yet still allow the organization to focus on the day-to-day
functions for which it is responsible. The Quadrant team prides itself on being able to extend
its capabilities outside of the legacy Managed Security Services model, which in its
traditional sense is only about identifying malicious activity and notifying the client without
additional follow-through on security incidents.
Identification, Validation, Reporting, and Incident Response are the four components that
make up the Quadrant MSSP model (Figure 5). It is Quadrant's job to assist with Root
Cause analysis and ultimately help the Client with incident containment and to ensure
continued business operations.
Figure 5. Quadrant's Four-Component MSSP Model
[Figure: cycle of Identify, Validate, Report, Incident Response / Root Cause, Remediate; image not reproduced]
The Reporting Process
Upon execution of this SOW, Quadrant will provide the Client with access to the Sagan
portal. This portal provides the Client with real-time security event activity and information
regarding how each security event is being handled in our SOC.
In order to provide the Client with as much information regarding its security environment
as possible, Quadrant has developed a number of reports, each providing a targeted level
of detail to point to a pathway to action. There are both executive-level (Figure 6) and
technical-level reports.
Figure 6. Sample Executive Summary
[Figure: sample executive summary report screenshot; content not recoverable]
In addition, Quadrant provides both 24 Hour Recap Reports as well as Weekly Syslog Reports
for the Client's network and security teams. The 24-Hour Recap Report (Figure 7) provides
a listing of all alerts that occurred during the prior day.
Figure 7. Sample 24 Hour Recap Report
[Figure: two pages of a sample 24 Hour Alert Recap report dated Wed Nov 16 2016 for a sensor named Acme-Sagan-Windows, listing sensor details and the number of events per signature for the prior 24 hours against the previous 10-day average; image not reproduced]
The Client Communication Process
Quadrant's SOC handlers assess each IDS / Sagan alert to determine the nature and
significance of the attack. When a security event takes place, the system automatically alerts
the SOC, 24 hours a day, 7 days a week. In the event of a high-risk alert where analysts
determine that the Client could be compromised, the handlers either block the source
address of the offending traffic or notify the Client's management personnel.
All entries are prioritized into one of three categories as outlined below:
• High (Priority 1): The Security Event could cause significant impact to business
operations if executed.
• Medium (Priority 2): The Security Event severely restricts the use of an application,
system or piece of equipment affecting significant business functions.
• Low (Priority 3): The Security Event could impact a single user or Client users where
the restriction is not critical to the overall operation of the Client.
Each event category is associated with a timeframe which represents the length of time in
which the Client must be notified after the Security Event has taken place.
• High (Priority 1): Within 15 minutes
• Medium (Priority 2): Within 30 minutes
• Low (Priority 3): Within 60 minutes
During initial IDS / Sagan deployment projects, Quadrant will work with the Client to
determine how and when event categories are reported.
Clients may choose to be notified via email and/or phone. A Contact Tree will be completed
during deployment and regularly updated throughout the life of the contract.
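As an added example, not Quadrant's code, the following turns two tables from this SOW into an audit a client can run over its own notification records: Table 1 maps each analyst classification to a priority, and the notification windows above (P1 within 15 minutes, P2 within 30, P3 within 60) give the deadline. The sample events, their timestamps and the record layout are constructed.

```python
"""
Added example, not Quadrant's code: check client notifications against the
SOW's per-priority notification windows.
"""
from datetime import datetime, timedelta

# Table 1, Quadrant Analyst Event Classifications (classification -> priority).
PRIORITY = {
    "Active Attack": 1, "Botnet Traffic": 1, "DoS Attempt": 1, "Exploit Kit": 1,
    "Phishing Attempt": 1, "Rogue AP": 1, "Security Audit": 1,
    "SQL Injection Attempt": 1, "Trojan Horse/Malware": 1, "Virus/Worm": 1,
    "Spam": 2, "Spyware/Adware": 2, "Suspicious Traffic": 2, "Account Lockout": 2,
    "Brute Force Attack": 2, "NMap/Portscan/Probes": 2, "P2P Traffic": 2,
    "Remote File Inclusion": 2,
    "Attempted Recon": 3, "Authentication Failure": 3, "False Positive": 3,
    "Firewalled/Dropped/Denied": 3, "Invalid Login": 3, "Maintenance": 3,
    "Normal Traffic": 3, "Not Applicable": 3, "Policy Violation": 3,
    "System Error": 3, "System Event": 3,
}

# Notification window after the Security Event, per priority (from the SOW).
NOTIFY_WINDOW = {
    1: timedelta(minutes=15),
    2: timedelta(minutes=30),
    3: timedelta(minutes=60),
}


def notification_deadline(classification: str, occurred_at: datetime) -> tuple[int, datetime]:
    """Return (priority, latest acceptable notification time) for an event."""
    if classification not in PRIORITY:
        # Fail loudly: an unmapped label would otherwise silently get no deadline.
        raise ValueError(f"unknown analyst classification: {classification!r}")
    priority = PRIORITY[classification]
    return priority, occurred_at + NOTIFY_WINDOW[priority]


def audit_notifications(records):
    """Mark each (classification, occurred_at, notified_at) record as met, late or missing."""
    results = []
    for classification, occurred_at, notified_at in records:
        priority, deadline = notification_deadline(classification, occurred_at)
        if notified_at is None:
            status, late_by = "missing", None
        elif notified_at <= deadline:
            status, late_by = "met", 0
        else:
            status, late_by = "late", int((notified_at - deadline).total_seconds() // 60)
        results.append({
            "classification": classification, "priority": priority,
            "deadline": deadline, "status": status, "late_by_minutes": late_by,
        })
    return results


def summarize(results):
    """Count met/late/missing per priority: the figures to compare against the SLA."""
    summary = {p: {"met": 0, "late": 0, "missing": 0} for p in NOTIFY_WINDOW}
    for r in results:
        summary[r["priority"]][r["status"]] += 1
    return summary


# Constructed sample: four events on one day and when the client was notified.
_T = datetime(2022, 12, 1, 10, 0)
SAMPLE_RECORDS = [
    ("Active Attack",      _T, _T + timedelta(minutes=12)),  # P1, inside the 15 min window
    ("Brute Force Attack", _T, _T + timedelta(minutes=45)),  # P2, 15 min past the 30 min window
    ("Invalid Login",      _T, None),                         # P3, never notified
    ("Phishing Attempt",   _T, _T + timedelta(minutes=15)),  # P1, exactly on the deadline
]

if __name__ == "__main__":
    for row in audit_notifications(SAMPLE_RECORDS):
        print(row)
    print(summarize(audit_notifications(SAMPLE_RECORDS)))
```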
The Service Level Agreements
The Service Level Agreements (SLAs) listed in this section apply to the services provided
within this SOW, subject to the terms, conditions, and limitations contained in this SOW
and the Master Services Agreement (MSA), if applicable.
• The SLAs shall not apply during Scheduled Downtime or Emergency Downtime and
therefore are not eligible for any Agreement credit. Quadrant shall provide Client at least
forty-eight (48) hours prior notice of each period of Scheduled Downtime. "Scheduled
Downtime" means periods when the services are rendered inoperable or unavailable by
Quadrant to permit Quadrant to perform maintenance for the services. Scheduled
Downtime shall occur no more frequently than once per calendar month and only
between the hours of 12:00 a.m. and 6:00 a.m. Eastern Time on a Saturday or Sunday.
"Emergency Downtime" means periods when the services are rendered inoperable or
unavailable by Quadrant to permit Quadrant to perform emergency maintenance
required solely to maintain the operation of the services or to address critical security
vulnerabilities of the services, which maintenance Quadrant cannot timely perform
during Scheduled Downtime. Quadrant shall provide Client as much advance notice of
Emergency Maintenance as reasonably possible and shall endeavor to limit the duration
and number of periods of Emergency Maintenance to the minimum necessary.
• The SLAs shall not apply in the event of any Client-caused service outage that prohibits
or otherwise limits Quadrant from providing the service, including but not limited to,
misconduct, negligence, inaccurate or incomplete information, modifications made to
the services other than by Quadrant, or modifications made to any managed hardware
or software devices by the Client. This includes issues caused by Client's employees,
agents, or third parties.
• The SLAs shall not apply to the extent Client does not fulfill and comply with its
obligations and interdependencies.
SOC / Service Availability
Availability of the service shall equal no less than 99.0% of the time during a given
calendar month. In the event that this SLA is not met for a given calendar month,
Client shall be entitled to a monetary credit equal to one thirtieth (1/30th) of the
monthly contract value for each sixty (60) minutes that communication availability
was below the 99.0% threshold.
Help Desk Requests
Standard requests submitted via email or via telephone will be subject to "initial
response" (either through the SOC help desk ticketing system, email, telephonically
or otherwise) within one (1) hour from the time stamp on the initial communication.
Log Retention
The Client's raw log data as forwarded to Quadrant's sensor(s) will be stored and
retained for a period of 53 weeks on the sensor residing within the Client's network.
Client can request, in writing, that this period be extended. After the 53-week
retention, raw log data is automatically rotated out.
The Scope
The scope of these services is limited to the assets below residing within the Client's
Corporate environment:
TOTAL PIEs/SAGAN DEPLOYMENTS INCLUDED IN THIS SOW:
• Corporate — Sagan/IDS
• Corporate — IPS Mode
• SCADA — Sagan/IDS (new)
• SCADA — IDS
• 1 Annual External Penetration Test
• EDR Log Integration
The Billing & Payment Breakdown
Quadrant will invoice the Client based on the options below. Payment terms for all
invoices are Net 15 from the invoice date, unless otherwise agreed upon.
Payment can be remitted via check to:
Quadrant Information Security
Attn: Accounts Receivable
4651 Salisbury Road, Suite 315
Jacksonville, FL 32256
Or via ACH (forms can be completed upon Client request)
Term                                        | Annual Payment
1 Year Contract/Commitment (option year)    | $51,000.00
The Assumptions
• Quadrant shall be under no liability to the Client for any direct / indirect loss and / or
expense (including loss of profit) suffered by the Client as a result of any Sagan appliance
being tampered with or manipulated by Client staff.
• Quadrant shall be under no liability to the Client for any direct / indirect loss and / or
expense (including loss of profit) suffered by the Client arising out of a breach of this SOW
by any 3rd party or unauthorized external user of the services.
• Quadrant is not responsible for any system performance issues or network availability
issues that are a result of Client-initiated changes to network resources or network design
/ layout. Client is responsible for notifying Quadrant forty-eight (48) hours prior to any
network/infrastructure changes.
• Client is responsible for providing all cabling/connection material needed for the Client's
side of each sensor. If the Client has a fiber connection, Quadrant will provide the
transceiver needed for Quadrant's side of the connection, but the Client is responsible for
obtaining the transceiver for the Client side. If the Client has Copper, the Client is
responsible for providing the cabling needed Client-side for the Quadrant sensor.
• Quadrant is responsible for the replacement of all Sagan appliances (and associated costs)
that fall within the scope of this SOW, unless the hardware is procured by the Client.
Quadrant is responsible for preconfiguring and shipping the hardware to the Client but may
at times require Client input regarding configuration settings. In some cases, Client may be
responsible for international shipping expenses, which will be negotiated prior to hardware
re-deployment. In the event that travel is required in association with installing replacement
hardware, Quadrant will assume all costs related to the travel, unless otherwise agreed upon
by Quadrant or the Client.
• In the event the Client chooses to redeploy existing hardware from one physical location to
another, the Client will be responsible for any costs incurred as part of the redeployment.
These costs could include any shipping costs, hardware procurement costs, etc.
• Upon the ending or the termination of an SOW, the Client is responsible for returning to
Quadrant all hardware obtained from Quadrant in relation to the services. All hardware is
deemed to be owned by Quadrant, unless otherwise agreed upon in writing. The Client
maintains the right to keep possession of any storage devices containing the Client's data
(upon Quadrant agreement), but all other equipment must be returned at the Client's
expense.
EXHIBIT `B' - GENERAL INFORMATION AND INSURANCE REQUIREMENTS
1. COMMERCIAL GENERAL LIABILITY INSURANCE
The Consultant shall purchase and maintain at the Consultant's expense Commercial General
Liability insurance coverage (ISO or comparable Occurrence Form) for the life of this Agreement.
Modified Occurrence or Claims Made forms are not acceptable.
The Limits of this insurance shall not be less than the following limits:
Each Occurrence Limit                                                      $1,000,000
Personal & Advertising Injury Limit                                        $1,000,000
Fire Damage Limit (any one fire)                                           $  300,000
Medical Expense Limit (any one person)                                     $   10,000
Products & Completed Operations Aggregate Limit                            $2,000,000
General Aggregate Limit (other than Products & Completed Operations),
Applies Per Project                                                        $2,000,000
General liability coverage shall continue to apply to "bodily injury" and to "property damage"
occurring after all work on CCUA's site of the covered operations to be performed by or on behalf
of the additional insureds has been completed and shall continue after that portion of "your work"
out of which the injury or damage arises has been put to its intended use.
2. WORKERS' COMPENSATION AND EMPLOYER'S LIABILITY INSURANCE
The Consultant shall purchase and maintain at the Consultant's expense Workers' Compensation
and Employer's Liability insurance coverage for the life of this Agreement.
The Limits of this insurance shall not be less than the following limits:
Part One—Workers' Compensation Insurance—Unlimited
Statutory Benefits as provided in the Florida Statutes and
Part Two—Employer's Liability Insurance
Bodily Injury By Accident $500,000 Each Accident
Bodily Injury By Disease $500,000 Policy Limit
Bodily Injury By Disease $500,000 Each Employee
*If leased employees are used, policy must include an Alternate Employer's Endorsement
3. EXCESS LIABILITY INSURANCE
The Consultant shall purchase and maintain at the Consultant's expense Excess Liability
(Umbrella Form) insurance coverage for the life of this Agreement.
The Limits of this insurance shall not be less than the following limits:
Each Occurrence Limit $2,000,000
Aggregate Limit $2,000,000
4. PROFESSIONAL LIABILITY (ERRORS & OMISSIONS)
This additional coverage will be required for all projects involving consultants, engineering
services, architectural or design/build projects, independent testing firms and similar exposures.
The Consultant shall purchase and maintain at the Consultant's expense Professional Liability
insurance coverage for the life of this Agreement.
If the Agreement includes a requirement for Professional Liability or Errors and Omissions
insurance, the minimum amount of such insurance shall be as follows:
Each Occurrence/Annual Aggregate $2,000,000
Project Specific
Design Professional Liability coverage will be provided on an Occurrence Form or a Claims
Made Form with a retroactive date to at least the first date of this Agreement. If provided on a
Claims Made Form, the coverages must respond to all claims reported within three years
following the period for which coverage is required and which would have been covered had the
coverage been on an occurrence basis.
5. CYBER AND DATA SECURITY LIABILITY
This additional coverage will be required for all projects involving information technology
services, software providers, programmers and similar exposures.
The Consultant shall purchase and maintain at the Consultant's expense Cyber and Data Security
Liability insurance coverage for the life of this Agreement.
If the Agreement includes a requirement for Cyber and Data Security Liability insurance, the
minimum amount of such insurance shall be as follows:
Technology Errors and Omissions Liability coverage    $2,000,000
Media                                                 $2,000,000
Network and Data (Information) Security               $2,000,000
Policy coverage must include Third Party Liability coverage.
Consultant shall require each of his Consultants to likewise purchase and maintain at their expense
Commercial General Liability insurance, Workers' Compensation and Employer's Liability
coverage, Automobile Liability insurance and Excess Liability insurance coverage meeting the
same limit and requirements as the Consultant's insurance.
Page 30 of 32
Certificates of Insurance acceptable to CCUA for the Consultant's insurance must be received
within five (5) days of Notification of Selection and at time of signing this Agreement.
Certificates of Insurance and the insurance policies required for this Agreement shall contain an
endorsement that coverage afforded under the policies will not be cancelled or allowed to expire
until at least thirty (30) days prior written notice has been given to CCUA.
Certificates of Insurance and the insurance policies required for this Agreement will include a
provision that policies, except Workers' Compensation, are primary and noncontributory to any
insurance maintained by the Consultant.
CCUA must be named as an Additional Insured and endorsed onto the Commercial General
Liability (CGL), Auto Liability and Excess Liability policy(ies). A copy of the endorsement(s)
must be supplied to CCUA within ten (10) days following the execution of this Agreement or prior to the
first date of services, whichever comes first.
CGL policy Additional Insured Endorsement must include Ongoing and Completed
Operations (Form CG2010 11 84 OR Form CG2010 04 13 and CG2037 04 13 edition or
equivalent). Other Additional Insured forms might be acceptable but only if modified to
delete the word "ongoing" and insert the sentence "Operations include ongoing and
completed operations".
CGL policy shall not be endorsed with Exclusion - Damage to Work Performed by
Subconsultants on Your Behalf (CG2294 or CG2295).
CGL policy shall not be endorsed with Contractual Liability Limitation Endorsement
(CG2139) or Amendment of Insured Contract Definition (CG2426).
CGL policy shall not be endorsed with Exclusion - Damage to Premises Rented to You
(CG2145).
CGL policy shall include broad form contractual liability coverage covering the Consultant's
covenants to and indemnification of CCUA under this Agreement.
Certificates of Insurance and the insurance policies required for this Agreement shall contain a
provision under General Liability, Auto Liability and Workers' Compensation to include a Waiver
of Subrogation clause in favor of CCUA.
All Certificates of Insurance shall be dated and shall show the name of the insured Consultant, the
specific job by name and job number, the name of the insurer, the policy number assigned, its
effective date and its termination date, and a list of any exclusionary endorsements.
All Insurers must be authorized to transact insurance business in the State of Florida as provided
by Florida Statute 624.09(1), and the most recent Rating Classification/Financial Category of the
insurer as published in the latest edition of "Best's Key Rating Guide" (Property-Casualty) must
be at least A- or above.
All of the above referenced Insurance coverage is required to remain in force for the duration of
this Agreement and for the duration of the warranty period. Accordingly, at the time of submission
of final application for payment, Consultant shall submit an additional Certificate of Insurance
evidencing continuation of such coverage.
If the Consultant fails to procure, maintain or pay for the required insurance, CCUA shall have the
right (but not the obligation) to secure same in the name of and for the account of Consultant, in
which event Consultant shall pay the cost thereof and shall furnish upon demand all information
that may be required to procure such insurance. CCUA shall have the right to back-charge
Consultant for the cost of procuring such insurance. The failure of CCUA to demand certificates
of insurance and endorsements evidencing the required insurance or to identify any deficiency in
Consultant's coverage based on the evidence of insurance provided by the Consultant shall not be
construed as a waiver by CCUA of Consultant's obligation to procure, maintain and pay for
required insurance.
The insurance requirements set forth herein shall in no way limit Consultant's liability arising out
of the work performed under the Agreement or related activities. The inclusions, coverage and
limits set forth herein are minimum inclusion, coverage and limits. The required minimum policy
limits set forth shall not be construed as a limitation of Consultant's right under any policy with
higher limits, and no policy maintained by the Consultant shall be construed as limiting the type,
quality or quantity of insurance coverage that Consultant should maintain. Consultant shall be
responsible for determining appropriate inclusions, coverage, and limits, which may be in excess
of the minimum requirements set forth herein.
If the insurance of any Consultant or any Subconsultant contains deductible(s), penalty(ies) or
self-insured retention(s), the Consultant or Subconsultant whose insurance contains such provision(s)
shall be solely responsible for payment of such deductible(s), penalty(ies) or self-insured
retention(s).
The failure of Consultant to comply at all times fully and strictly with the insurance requirements
set forth herein shall be deemed a material breach of this Agreement.