REPORT TO THE CITY COUNCIL
May 25, 2017
FROM: BRUCE RUDD, City Manager
BY: BRYON HORN, Chief Information Officer
Information Services Department
SUBJECT
Approve Consultant Services Agreement with Optiv Security Inc. in an amount not to exceed $60,000 for an information security assessment focused on identifying information security threats and vulnerabilities.
RECOMMENDATION
It is recommended that Council approve the Consultant Services Agreement between the City of Fresno (City) and Optiv Security Inc. (Optiv). The agreement provides for services to perform a comprehensive perimeter and internal penetration test. The cost of the service will not exceed $60,000. In accordance with Administrative Order 3-1, the services are being priced from a cooperative purchase agreement, California Multiple Award Schedules (CMAS).
EXECUTIVE SUMMARY
Cyber security is becoming more complex and prevalent in our daily lives. The Information Services Department (ISD) is responsible for protecting all of the City’s information systems and data. In January 2015, Accuvant, Inc. (Accuvant) performed an initial security assessment, which contained several recommendations for implementing a more protective, yet business-aligned security program for the City. The Accuvant assessment gave an outside perspective and compared the City’s security standards with industry standards. In that assessment, Accuvant recommended that the City conduct a penetration test to ensure the City’s cyber health. The Single Audit report, which was conducted by Brown Armstrong as part of the CAFR, also recommended that the City conduct annual penetration tests.
Penetration tests are considered best practice and are generally completed each year by a qualified third party. The specialized expertise, established procedures and proven tests of an unassociated, qualified third-party company offer an unbiased and more real-world example of an attempt or methodology that a hacker would use to penetrate a system. Although ISD staff has the expertise to secure our environment, they too need confirmation and validation from a third party that the City’s systems are properly secured. The agreement between the City and Optiv will fulfill this need. The last penetration test for the City was completed in 2005.
BACKGROUND
In order to ensure the security of municipal network systems, security assessments, audits, and intrusion and penetration tests are required. The Accuvant security and risk assessment allowed the City to gain a perspective on implemented security provisions. The execution of the assessment included understanding the City’s mission, vision and culture, including meeting with each Department to understand its business function and to identify viable risks. From this understanding, a deliverable was created in the form of a confidential report that was presented to the City, outlined risk factors and provided recommendations on future security provisions. Several of these recommendations have been implemented, and a follow-up assessment is due in Fiscal Year 2018.
ENVIRONMENTAL FINDINGS
The approval of this agreement is not a project for the purposes of the California Environmental Quality Act.
LOCAL PREFERENCE
Local preference was not implemented because Optiv is uniquely qualified.
FISCAL IMPACT
Funding for this agreement is appropriated in the Fiscal Year 2017 Budget; therefore, no additional funds are required.
Attachments:
Consultant Services Agreement
California Multiple Award Schedules
Uniquely Qualified Memo