Agenda_GGAF_08.29.2018
Notice of Meeting for the
General Government and Finance Advisory Board
of the City of Georgetown
August 29, 2018 at 4:30 PM
at Library: Friends Room 218 located at 402 West 8th Georgetown, Tx
The City of Georgetown is committed to compliance with the Americans with Disabilities Act (ADA). If you
require assistance in participating at a public meeting due to a disability, as defined under the ADA, reasonable
assistance, adaptations, or accommodations will be provided upon request. Please contact the City Secretary's
Office, at least three (3) days prior to the scheduled meeting date, at (512) 930-3652 or City Hall at 113 East 8th
Street for additional information; TTY users route through Relay Texas at 711.
Legislative Regular Agenda
A Draft minutes for June 27, 2018 meeting
B Consideration and possible action to approve an InterLocal Agreement to purchase IT security services
through the Texas Department of Information Resources (DIR). -Chris Bryce, IT Director; James Davis,
IT Operations Manager
C Consideration and possible action to award contracts for self-funded medical program administration
services, medical stop-loss insurance coverage, voluntary vision benefits, voluntary life and AD&D
insurance coverage, employee assistance program, benefit advocate services, flexible spending account
administration, COBRA administration and authorizing the City Manager to enter into such contracts on
behalf of the City. -Tadd Phillips, HR Director
D Consideration and possible action to approve and recommend to Council the Employee Benefits
Committee proposed medical and dental premiums for the 2019 plan year. -Tadd Phillips, HR Director
CERTIFICATE OF POSTING
I, Shelley Nowling, City Secretary for the City of Georgetown, Texas, do hereby certify that this Notice of
Meeting was posted at City Hall, 113 E. 8th Street, a place readily accessible to the general public at all times,
on the ______ day of __________________, 2018, at __________, and remained so posted for at least 72
continuous hours preceding the scheduled time of said meeting.
____________________________________
Shelley Nowling, City Secretary
Page 1 of 57
City of Georgetown, Texas
Government and Finance Advisory Board
August 29, 2018
SUBJECT:
Draft minutes for June 27, 2018 meeting
ITEM SUMMARY:
Draft minutes for June 27, 2018 meeting
FINANCIAL IMPACT:
N/A
SUBMITTED BY:
Danella Elliott, Executive Assistant to Assistant City Manager
ATTACHMENTS:
Description Type
DRAFT meeting minutes Backup Material
Minutes of Meeting of the
GENERAL GOVERNMENT AND FINANCE ADVISORY BOARD (GGAF)
City of Georgetown, Texas
June 27, 2018
The General Government and Finance Advisory Board met on Wednesday, June 27, 2018 at 4:30 PM
in the Friends Room of the Library, located at 402 West 8th Street, Georgetown, Texas.
The City of Georgetown is committed to compliance with the Americans with Disabilities Act
(ADA). If you require assistance in participating at a public meeting due to a disability, as defined
under the ADA, reasonable assistance, adaptations, or accommodations will be provided upon
request. Please contact the City Secretary’s Office, at least three (3) days prior to the scheduled meeting
date, at (512) 930-3652 or City Hall at 113 East 8th Street for additional information; TTY users route
through Relay Texas at 711.
Board Members Present:
Tommy Gonzalez, Chair
James Bralski, Vice Chair
Chere’ Heintzmann, Secretary
Stu McLennan
Kevin Pitts
City Staff Present:
David Morgan, City Manager
Laurie Brewer, Assistant City Manager
Leigh Wallace, Finance Director
Paul Diaz, Budget Manager
Elaine Wilson, Controller
Christi Rawls, Assist Controller
Nat Waggoner, Long Range Planning Mgr
Legislative Regular Agenda
Tommy Gonzalez, Chair called the meeting to order at 4:32 p.m.
A Review minutes from the May 23, 2018 General Government and Finance Advisory Board
Meeting - Board Liaison
The Board did not have any comments regarding the minutes from the May 23, 2018 General
Government and Finance Advisory Board meeting.
Motion to approve the minutes by James Bralski, second by Cherie’ Heintzmann. Approved 5-0
B. Discussion and possible action to recommend Council adopt changes to the Fiscal and Budgetary
Policy during the annual budget adoption process for Fiscal Year 2019 - Leigh Wallace, Finance
Director
Leigh reminded the board that as a part of the budget process, the Fiscal and Budgetary Policy is
reviewed and amended annually by GGAF and Council to address any new financial or regulatory
requirement that needs to be changed or added. It provides the framework for financial operations of
the City and ensures prudent stewardship, financial planning and accountability. She gave an overview
of the proposed changes, which included clarification of existing wording and formatting, removing
any old language that no longer applies, and updating compliance for FY 2019. Notable changes
include updates to multiple reserve balances, including the Electric Fund and the cost of service rate
study.
Leigh, David and Laurie answered questions from the board discussion during the presentation.
Tommy suggested that the following section remain in the policy… “III. E. Planning – The Budget
process will be coordinated so that major policy issues are identified prior to the budget approval date.
This will allow city Council adequate time for consideration of appropriate decisions and analysis of
financial impact.” He feels that once a large change has been identified, Council should be notified
immediately to review and digest it prior to the actual presentation of the proposed budget. He said
that it just serves as a reminder. After discussion, the Board agreed to leave this section in the policy.
Kevin asked for clarification about what would happen if the Electric Fund were to exceed its
recommended minimum cash fund balance. David and Leigh provided examples of appropriate one-
time uses of funds and agreed to add this summary to the policies.
Motion to recommend that Council adopt the proposed changes to the Fiscal and Budgetary Policy as
presented, with minor changes noted above (to leave in Section III. E. Planning). Item B was
unanimously approved 5-0.
C. Staff presentation and discussion on the City’s update process for the 2030 Comprehensive Plan
– Nat Waggoner, Long Range Planning Manager
Nat Waggoner presented an overview of the process for the update to the 2030 Comprehensive Plan.
He noted that the plan has not been updated in 10 years.
Nat discussed the visioning objectives and the vision development process. He explained why the plan
needs updating and reviewed uses of a Comprehensive Plan. Nat also reviewed the project timeline,
work plan of the committee and explained how they are involving citizens through public meetings and
the Public Engagement Plan.
Nat answered questions/concerns from the Board, and they expressed their appreciation for his
presentation.
Motion to adjourn at 5:40 was unanimously approved 5-0.
__________________________________ ____________
Tommy Gonzalez Date
Board Chair
__________________________________ ____________
Chere’ Heintzman Date
Board Secretary
__________________________________ ____________
Amy Janecka Date
Board Liaison
City of Georgetown, Texas
Government and Finance Advisory Board
August 29, 2018
SUBJECT:
Consideration and possible action to approve an InterLocal Agreement to purchase IT security services
through the Texas Department of Information Resources (DIR). -Chris Bryce, IT Director; James Davis,
IT Operations Manager
ITEM SUMMARY:
This item is to request approval of an InterLocal Agreement with The State of Texas Department of
Information Resources (DIR). This InterLocal Agreement would allow the City to procure managed
security services through DIR, such as external vulnerability scanning and penetration testing, at a reduced
price point. These services are provided at a substantial discount compared to services offered through
other consulting firms.
The agreement does not commit the City to the purchase of any services, but only enables any future
services to be purchased on State of Texas contracts.
While services are purchased through DIR, the services themselves are provided by private companies
such as AT&T. They would potentially help improve the City’s security posture by identifying areas staff
can implement a higher level of security for current and future services for our citizens and staff.
The Legal department has reviewed and approved the attached InterLocal Agreement and Managed
Security Services Terms and Conditions.
FINANCIAL IMPACT:
There is no cost associated with this InterLocal Agreement. IT will submit any purchases utilizing this
agreement as per the budgeting and procurement process.
SUBMITTED BY:
Chris Bryce, IT Director; James Davis, IT Operations Manager
ATTACHMENTS:
Description Type
DIR Shared Services Backup Material
MSS Terms and Conditions Backup Material
DIR Contract No. DIR-SS-ILC0001_
INTERLOCAL CONTRACT
BETWEEN
THE DEPARTMENT OF INFORMATION RESOURCES
AND
CITY OF GEORGETOWN
RELATING TO THE USE OF THE DIR SHARED SERVICES MASTER SERVICE
AGREEMENTS
This Interlocal Contract (“ILC” or “Contract”) is entered into by the governmental entities
shown above as contracting parties (referred to individually as a “Party” and collectively
as the “Parties”) pursuant to the provisions of the Interlocal Cooperation Act, Chapter 791,
Texas Government Code. This ILC is created to give effect to the intent and purpose of
Subchapter L, Chapter 2054, Texas Government Code, concerning statewide technology
centers, specifically sections 2054.376(a)(3), 2054.3771, and 2054.3851.
The entity receiving services under the DIR Shared Services Contracts through this ILC
is hereinafter referred to as the “Receiving Entity” or the “DIR Customer.”
This ILC authorizes DIR Customer to participate in the Department of Information
Resources (“DIR” or “Performing Agency”) Shared Services Program. The DIR Shared
Services Program includes contracts that have been competitively procured by DIR. All
specific services and products are purchased through the DIR Shared Services Program
contracts and subject to the processes and terms therein.
DIR’s Shared Services Program provides for a Multisourcing Service Integrator (MSI)
service provider (“MSI SCP”) and various Service Component Providers (“SCP”). The
Shared Services Master Service Agreements, as amended, are defined on the Shared
Services web page on the DIR website (“DIR Shared Services Contracts”) and are
incorporated herein. Unless otherwise referenced, the references to Exhibits and
Attachments herein are references to Exhibits and Attachments of the DIR Shared
Services Contracts.
DIR Customer acknowledges and agrees that this ILC is with DIR and, therefore, DIR
Customer does not have privity of contract with the SCPs.
Capitalized terms not defined herein shall have the meaning set forth in the relevant DIR
Shared Services Contract.
SECTION I
CONTRACTING PARTIES
DIR CUSTOMER: City of Georgetown
PERFORMING AGENCY: Department of Information Resources
City of Georgetown Contract # 18-0081-ILA Page 6 of 57
MANAGED SECURITY SERVICES TERMS AND CONDITIONS
This agreement is part of and incorporated within the Interagency/Interlocal Contract (“Contract”) that
has been entered into by the contracting parties. DIR Customer acknowledges and agrees that this
Contract is with DIR and, therefore, DIR Customer does not have privity of contract with the SCPs.
Capitalized terms not defined herein shall have the meaning set forth in the relevant DIR Shared
Services Contract.
1. Conditions for Providing Security Services
1.1 Access
DIR and/or Service Component Provider (SCP) shall use the Internet for primary access to DIR
Customer’s systems unless otherwise noted and agreed upon. DIR Customer shall not employ special
access restrictions against DIR and/or Service Component Provider that it does not apply to the rest of
the public network over the course of regular business.
1.2 Network Control
DIR Customer must inform DIR if DIR Customer does not control its network access and/or its Internet
service is provided via a third party. DIR Customer is responsible for obtaining all necessary approvals.
DIR Customer shall provide all necessary contact information for the third parties that control its network
access, Internet service, and/or web applications. DIR Customer’s emergency contact list shall include
primary and secondary staff capable of administering DIR Customer computer systems specific to the
type of services being requested or required.
1.3 Disclosure of Objectionable Material
In conducting the services authorized by DIR Customer, DIR may inadvertently uncover obscene,
excessively violent, harassing, or otherwise objectionable material that may violate State or Federal
law, including material that may infringe the intellectual property of a third party on DIR Customer
devices or networks. DIR shall notify DIR Customer’s Executive Director or highest level executive of
the existence of all such objectionable and/or potentially illicit material so that DIR Customer may deal
with the objectionable and/or potentially illicit material as it deems appropriate.
If DIR accesses child pornography, as defined in the Child Sexual Exploitation and Pornography Act,
18 U.S.C., Chapter 110, in conducting approved Services, DIR shall report such to DIR Customer’s
Executive Director or highest level executive and an appropriate law enforcement agency and provide
the law enforcement agency access to the visual depictions of child pornography.
If DIR accesses information that they perceive as a serious threat to human life or safety in conducting
the approved Services, DIR shall report such threat to an appropriate law enforcement agency and DIR
Customer’s Executive Director or highest-level executive.
1.4 No Warranties and Limitation of Liability
DIR makes no representation or warranty that its security services will disclose, identify, or prevent all
vulnerabilities. DIR hereby disclaims all warranties, both express and implied, including without
limitation, the implied warranties of merchantability and fitness for a particular purpose. In no event
shall DIR be liable for damages of any kind or nature that may arise from the services provided by DIR
or DIR’s Service Component Provider or Service Provider.
1.5 Service Interruption
DIR will endeavor not to disrupt DIR Customer services and to adhere to best practices for all work
performed. However, tools or services may affect the serviceability of poorly configured or
overextended systems or services. It is possible that control of DIR Customer’s system may be lost.
For any testing that DIR may be conducting, DIR endeavors to use the safest methods to compromise
DIR Customer’s systems; however, DIR Customer should be prepared to restore a damaged system
from a recent, acceptable backup within an acceptable time as determined by DIR Customer. During
any testing DIR may conduct, DIR will NOT conduct any deliberate Denial-of-Service attack. DIR
Customer agrees not to hold DIR liable in the event of any service interruption(s) that may arise as a
result of performance of any Services. If either party becomes aware of a service interruption, that party
will notify the other party’s emergency contact.
1.6 Termination of Services
If DIR Customer terminates certain Services, that it requested and approved, for convenience, DIR
Customer shall pay the remaining requisite unrecovered costs that have already been incurred prior to
the notice of termination, such unrecovered costs will be calculated in accordance with the relevant DIR
Shared Services Contract, SMM, or other DIR Customer approved terms. DIR Customer understands
that it may not be able to terminate services or receive any refund of a pre-payment after approving the
relevant financial solution.
2. DIR and DIR Customer Responsibilities
2.1 DIR Customer agrees as follows to the extent assessment Services are requested
or required:
a) DIR Customer responses to information requests and artifacts gathering pertinent to this security
and risk assessment will be timely;
b) The artifacts data are reasonably available via interviews and documents review;
c) DIR Customer will make available the necessary Subject Matter Expert (SME) with required
expertise to work with the SCP Assessment Team and will remain available thru the duration of
the assessment;
d) DIR Customer SME will be available when required for interaction with the SCP Assessment
Team and that all the interviews will be conducted over the number of consecutive days as
established during the project planning and scheduling phase;
e) DIR Customer is responsible for the coordination and scheduling of resources and providing
meeting facilities as necessary;
f) Deliverables will be complete when DIR Customer has approved in writing that the deliverable
meets the acceptance criteria;
g) All document deliverables must be in formats (hard copy and/or electronic) as specified by DIR
Customer. At a minimum, the formats must be in industry-accepted standards (e.g., MS Word,
MS PowerPoint, MS Project);
h) DIR Customer will assist with meeting coordination for meetings between DIR Customer Key
Personnel and DIR and the Service Provider and other staff to gather requirements and other
activities;
i) The SCP Assessment Team will be responsible for scheduling and conducting deliverables
review meetings with DIR Customer to ensure understanding of recommendations and specific
deliverable details;
j) A Texas cybersecurity framework assessment:
1) does not include technical vulnerability scanning or penetration testing;
2) is not a formalized attestation to be used to show compliance to any regulatory body; and,
3) is not a hands-on security configuration review.
k) DIR may receive final copies of reports if DIR is paying for the assessment.
2.2 Penetration Testing
2.2.1 DIR Customer agrees as follows to the extent penetration testing (“PT”) is
requested or required:
a) For white box penetration testing, DIR Customer shall add SCP’s IP ranges, which shall be
provided by SCP prior to test initiation, to DIR Customer’s non-shun list (whitelist) within DIR
Customer’s IDS/IPS.
b) SCP may conduct a passive scan to determine the number of live IPs within the Customer
designated IP range.
c) DIR Customer shall not intentionally place an unsecured system or device in the test scope.
d) If DIR Customer detects SCP testing activities, DIR Customer technical staff shall follow
standard operating procedures and policies.
e) DIR Customer shall complete the provided Remediation Survey and return it to DIR within 60
days after DIR Customer receives the deliverables. If DIR Customer requests a Remediation
Verification Test after the initial 60 days has expired, then DIR Customer shall submit the
requisite Request for Services (“RFS”) and will be responsible for any related costs.
f) If DIR Customer has purposely placed an unsecured system in the test scope that DIR
subsequently compromises during the PT, it would be erroneous to conclude that DIR Customer
can be compromised via that system, since the unsecured system would not normally be
present.
g) If DIR Customer knowingly deploys additional resources or increases monitoring activities during
the PT, it would be erroneous to conclude that DIR Customer is secure, since those resources
would not normally be present.
2.2.2 DIR shall ensure that Service Provider:
a) Provides DIR Customer with the source IP addresses associated with testing activities if DIR
Customer detects SCP testing activities and requests confirmation if detected source IP
addresses are associated with SCP testing activity.
b) Notifies DIR Customer if anomalies such as system failure, inappropriate use of resources, or
actual malicious attack are discovered during the PT.
c) Notifies DIR’s Communications Technology Services Division and/or Network and Security
Operations Center (NSOC) if vulnerabilities are discovered during the PT on network equipment
owned or maintained by the Communications Technology Services Division after SCP informs
DIR Customer.
d) Provides analysis, descriptions of, and recommendations for protecting against confirmed
vulnerabilities and, if applicable, exploits used during the PT.
e) Provides DIR Customer reports for all other vulnerabilities discovered during the PT.
2.2.3 Notes on Vulnerability Scanners
a) No ‘known vulnerability’ scanner is perfect. It is possible that an existing vulnerability may not
have been found or that a vulnerability found may not actually be present. DIR uses vulnerability
scanners that consistently perform at the top of their class. Verify and understand the
vulnerability before deciding to remediate/mitigate it. In many cases, remediating/mitigating the
vulnerability entails upgrading software.
b) A vulnerability for “Agency A” may not be a vulnerability for “Agency B”. Organizations have their
own specific business plans and needs. Each organization must evaluate the need to provide a
service with the risk that the service may be abused. For example, file transfer protocol (FTP)
may be listed as a vulnerability; if the organization intends to provide the FTP services, there is
no need to remediate/mitigate. However, if the business does not need to provide FTP services,
it may decide to discontinue that service. Evaluate the risk of providing the service and accepting
the risk versus not providing the service. This is a management decision.
c) Vulnerability scanning tools attempt to identify the vendors of services and operating systems.
This identification is not always accurate. SCP will use various tools to produce vulnerability
reports for the agency. DIR Customer should review the vulnerability reports and verify the
existence of the vulnerability and then follow the vendor’s instruction for remediating/mitigating
it.
d) New vulnerabilities are discovered every day. SCP updates its tools before every PT-
vulnerability scan to ensure that the highest number of known vulnerabilities is identified at the
time the test is performed.
SECTION II
STATEMENT OF SERVICES TO BE PERFORMED
2.1 Effect of ILC and General Process
The DIR Shared Services Program offers a variety of services and related support and
products. The list of such services is provided through the DIR Shared Services Catalog
and the DIR Shared Services portal. Further, SCPs may work with third-party vendors to
provide additional services or products within the requirements of the relevant DIR Shared
Services Contract.
This ILC describes the rights and responsibilities of the Parties relating to implementation,
operation, maintenance, use, payment, and other associated issues by and between DIR
Customer and DIR related to the Services to be provided through the DIR Shared
Services Contracts. DIR Customer shall receive the Services described in the DIR
Shared Services Contracts, subject to the terms of the relevant DIR Shared Services
Contracts and this ILC. DIR Customer is only subject to those specific terms to the extent
DIR Customer requests services or products through those specific DIR Shared Services
Contracts.
The details of specific processes and procedures are contained in the relevant Service
Management Manual (“SMM”), developed by the MSI and/or SCPs and approved by DIR.
The DIR Shared Services Contracts require the MSI and SCPs to develop appropriately
documented policies, processes, and procedures and to provide training to DIR Customer
personnel where required to ensure effective service interfaces, before approval and
adoption of the SMM.
The terms of the relevant DIR Shared Services Contracts will apply to this ILC and will
remain in full force and effect except as may be expressly modified by any amendment
to the specific DIR Shared Services Contract. Such amendments will automatically apply
to this ILC with no further action by the Parties. DIR shall keep DIR Customer generally
informed of such amendments and provide the opportunity to provide input to DIR through
the Shared Services portal as well as the DIR Shared Services Program Governance
structure described below.
2.2 DIR Shared Services Program Process
To obtain Services, DIR Customer shall either order services directly through the MSI
Marketplace portal where certain services and pricing are established or request certain
services and products through the Request for Services process. This process is detailed
in the relevant SMM for each SCP. SCP(s) will respond with a proposal, including the
proposed solution or service, estimated cost or other financial obligations, if any, and any
other relevant program-specific terms and conditions related to the services provided for
in response to the Request for Service. DIR Customer may accept or decline those terms
and services at that time. The final DIR Customer approved technical solution, financial
solution, and related terms are contractually binding terms that incorporate the terms of
this ILC and the relevant Shared Services Contract(s). Later termination of a Service or
solution after an original approval or any pre-payment, may result in additional cost to the
DIR Customer and may not allow for any refund of payments already made.
2.3 Change Orders and Change Control
In accordance with the relevant SMM and Shared Services Contract requirements, DIR
Customer will coordinate with the MSI and/or SCP for all change requests. Change
Control processes and authority may vary between DIR Shared Services Contracts as it
relates to the rights of Customers to request changes. Further, Change Control does not
allow DIR Customers to alter terms and conditions of the DIR Shared Services Contracts.
SECTION III
DIR CUSTOMER PARTICIPATION
3.1 General Governance
Governance of the DIR Shared Services Program is based on an owner-operator
approach in which DIR Customers, in the role of operator, actively work with all SCPs to
resolve local operational issues and participate in committees to address enterprise
matters. Enterprise-level decisions, DIR Customer issues, and resolution of escalated
DIR Customer-specific issues are carried out by standing governance committees,
organized by subject area and comprised of representatives from DIR Customers, DIR
management, SCP management, MSI management, and subject-matter experts. DIR
Customers are structured into partner groups that select representatives to participate in
these committees. DIR Customer shall participate within this Governance structure as
described above and within the relevant SMM(s).
3.2 DIR Customer and SCP Interaction and Issue Escalation
In accordance with the relevant SMM(s), DIR Customer shall interface with SCPs on the
performance of “day-to-day” operations, including work practices requiring SCP and DIR
Customer interaction, issues resolution, training, planning/coordination, and “sign-off.” All
issues are intended to be resolved at the lowest level possible. In those instances where
it becomes necessary, the following escalation path is utilized. If DIR Customer is not able
to resolve an issue directly with SCP staff, DIR customer escalates the issue to SCP
management. If the issue cannot be resolved by SCP management, DIR Customer
escalates to DIR. If the issue cannot be resolved by DIR, DIR Customer escalates to the
appropriate DIR Shared Services Program Governance committee.
3.3 DIR Customer Specific Laws
Per the Compliance with Laws section of the DIR Shared Services Contracts, DIR
Customer shall notify DIR, in writing, of all DIR Customer-specific laws (“DIR Customer-
Specific Laws”), other than SCP Laws, that pertain to any part of DIR Customer’s
business that is supported by SCPs under the DIR Shared Services Contracts, and DIR
will notify SCPs, in writing, of such DIR Customer-Specific Laws. The Parties intend that
such DIR Customer-Specific Laws will be identified and included in the portion of the SMM
specific to DIR Customer. DIR Customer shall use commercially reasonable efforts to
notify DIR, in writing, of any changes to DIR Customer-Specific Laws that may, in any
way, impact the performance, provision, receipt and use of Services under the DIR
Shared Services Contracts. DIR shall advise SCPs of such change and require that any
changes to DIR Customer-Specific Laws are identified and included in the SMM. If
necessary to facilitate DIR compliance with the requirements of the DIR Shared Services
Contracts, DIR Customer shall provide written interpretation to DIR of any DIR Customer-
Specific Law.
3.4 DIR Customer responsibilities
Where appropriate, DIR Customer shall support the following:
(a) Software currency standards are established for the Shared Services
environment through the owner operator governance model. DIR Customers
will be engaged in approval of these standards and the development of
technology roadmaps that employ these software currency standards. DIR
Customers are expected to remediate applications in order to comply with the
standards
(b) Technology standards (e.g. server naming standards, reference hardware
architectures, operating system platforms) are established through Shared
Services Governance. DIR Customers will adhere to these standards. Any
exceptions will follow governance request processes.
(c) DIR Customer shall ensure network connectivity and sufficient bandwidth to
meet DIR Customer’s needs.
(d) DIR Customers will collaborate with SCPs to establish and leverage standard,
regular change windows to support changes to enterprise systems. These
change windows will be constructed to support varying degrees of service
impact, from planned down-time to no service impact. Standard enterprise
changes during these windows may affect all systems in one or more of the
consolidated data centers simultaneously.
(e) DIR Customers will support the consolidation of commodity services into
shared enterprise solutions that leverage common management and
configuration practices delivered by the service providers. Examples of such
commodity services are SMTP mail relay and DNS management.
(f) DIR Customers will support and align with standard enterprise Service
Responsibilities Matrixes and associated processes for obtaining an exception
or making improvements to the standard enterprise Service Responsibility
Matrixes.
3.5 DIR Customer Equipment and Facilities
Any use by SCPs of DIR Customer Equipment and/or Facilities shall be limited to the
purpose of fulfilling the requirements of this ILC or the DIR Shared Services Contracts.
DIR Customer will retain ownership of DIR Customer Equipment. DIR Customer shall
comply with DIR refresh policies, as amended from time to time by DIR.
3.6 DIR Customer Contracts, Leases, and Software with Third Parties
DIR Customer will make available for use or use its best efforts to cause to be made
available for use by DIR and SCPs the DIR Customer Contracts and Leases with third
parties (“DIR Customer Third Party Contracts and Leases”) and DIR Customer third party
software (“DIR Customer-Licensed Third Party Software”) that pertain to the Shared
Services. Any use by SCPs of DIR Customer Third Party Contracts and Leases and/or
DIR Customer-Licensed Third Party Software shall be limited to fulfilling the requirements
of this ILC or the DIR Shared Services Contracts.
SCPs shall obtain all Required Consents in accordance with DIR Shared Services
Contracts. DIR Customer will use its best efforts to assist SCPs to obtain from each Third
Party Software licensor the right to use the DIR Customer-Licensed Third Party Software
for Services provided under the DIR Shared Services Contracts. Except to the extent
expressly provided otherwise and in accordance with the DIR Shared Services Contracts,
SCPs shall pay all transfer, re-licensing, termination charges and other costs or expenses
associated with obtaining any Required Consents or obtaining any licenses or
agreements as to which SCPs are unable to obtain such Required Consents. If requested
by DIR, DIR Customer shall cooperate with SCPs in obtaining the Required Consents by
executing appropriate DIR approved written communications and other documents
prepared or provided by SCPs.
3.9 Security
DIR Customer shall comply with recommended relevant security standards and relevant
SCP security guides, as amended from time to time by DIR, the MSI, or the SCP. DIR
Customer shall inform DIR as to any DIR Customer specific security considerations.
DIR Customer acknowledges that any failure on its part to follow recommended security
standards, policies, and procedures may place its own data and operations at risk as well
as those of SCP(s) and other governmental entities. DIR Customer accepts the related
potential risks and liabilities that are created by DIR Customer’s failure to comply with the
recommendations if it is determined such recommendations would have prevented an
issue. DIR accepts no responsibility for the risk or liability incurred due to a DIR
Customer’s decision to not follow DIR’s recommendations. SCP will not be liable for
violations of security policies and procedures by DIR Customer. Additionally, failure to
comply with security standards, policies, and procedures may lead to the suspension or
termination of the availability of certain Applications and services. SCP will give DIR and
the DIR Customer notification of non-compliance.
SECTION IV
CONTRACT AMOUNT
In accordance with terms of the DIR Shared Services Contracts, including all relevant
pricing and accepted Request for Services proposals, and this ILC, DIR Customer shall
be responsible for and agrees to pay DIR the applicable Charges for Services received
from the SCPs and the MSI, Services DIR Customer agrees to pre-pay, the DIR recovery
fees, any allocated charges, and any Pass Through Expenses incurred by DIR or SCPs
on behalf of DIR Customer. The applicable fees are set out in the relevant DIR Shared
Services Contracts as incorporated herein and, if applicable, specifically addressed in
response to any Request for Services. Certain pricing is based upon DIR Customer’s
specific consumption; therefore, DIR Customer controls the amounts and duration of the
contract amounts. It is understood and agreed that amounts are subject to change
depending upon Services required and/or requested and approved and further dependent
upon legislative direction and appropriations available for such Services.
Attachment A provides the estimated spend for services as approved by DIR Customer.
This form may be revised and updated by DIR Customer as needed without a formal
amendment from DIR by DIR Customer submitting to DIR an updated form. DIR
Customer must adhere to its own policies and processes for authorizing an adjustment to
such amounts internally. DIR Customer is solely responsible for monitoring compliance
with Attachment A and to communicate any changes to Attachment A to DIR. DIR shall
not be responsible for monitoring or ensuring such compliance.
SECTION V
PAYMENT FOR SERVICES
DIR shall electronically invoice DIR Customer for Services on a monthly basis. Each
invoice shall include the applicable monthly charges for Services received from the SCPs,
the DIR recovery fees, all allocated charges, and any Pass-Through Expenses incurred
by DIR or SCPs on behalf of DIR Customer in accordance with the DIR Shared Services
Contracts.
The DIR recovery fees shall be reviewed at least annually in accordance with the
requirements for billed statewide central services as set forth in OMB Circular A-87, Cost
Principles for State, Local and Indian Tribal Governments (as updated, revised or
restated) and other applicable statutes, rules, regulations and guidelines. DIR shall retain
documentation for the DIR recovery fees. DIR fees are also determined and reported in
accordance with DIR processes and sections 2054.0345-0346 of the Texas Government
Code.
Each invoice shall include sufficient detail for DIR Customer to allocate costs to all federal
and state programs in accordance with the relative benefits received and to make federal
claims according to the federal cost plan of DIR Customer.
In order to allow DIR to meet the statutory payment requirements in Chapter 2251, Texas
Government Code, DIR Customer shall make monthly payments by check or Electronic
Funds Transfer (EFT) within twenty (20) days following receipt of each invoice from DIR.
For purposes of determination of the payment due date, DIR and DIR Customer shall use
the date when the invoice is electronically transmitted by DIR to DIR Customer and posted
on the chargeback system along with reports that substantiate the service volumes and
associated charges. Although cash flow considerations require timely payments as
required herein, the rights of DIR Customer and DIR to dispute charges shall be
consistent with Texas law.
The MSI SCP is required to develop and maintain a chargeback system. DIR shall
coordinate requirements and functionality for the chargeback system with DIR Customer
needs and requirements under federal and state requirements for invoiced charges
generated through the system. DIR Customer shall utilize this chargeback system to link
the designated measurable activity indicators (such as applications or print jobs) with the
appropriate financial coding streams. DIR Customer shall update this information
monthly, or at such other intervals as are necessary, to enable the MSI SCP to generate
accurate invoices reflecting the appropriate distribution of costs as designated by DIR
Customer.
DIR Customer is liable for all costs and expenses associated with providing Services
under the ILC to the extent such costs and expenses have been incurred by DIR and
such Services have been provided to DIR Customer or DIR Customer agrees to pay for
such Services prior to receiving them.
Except as allowed in Texas Government Code, Chapter 2251, DIR Customer shall have
no right to set off, withhold or otherwise reduce payment on an invoice. In accordance
with Texas Government Code, Section 791.015, to ensure enforceability of payment
obligations, DIR Customer consents to DIR presenting this ILC and all unpaid invoices to
the alternate dispute resolution process, as set forth in Chapter 2009, Texas Government
Code. Provided, however, that such consent shall not constitute an agreement or
stipulation that Services have been provided or that the invoices are correct. DIR
Customer expressly retains all rights to which it is entitled under Texas Government
Code, Chapter 2251, in the event of a disagreement with DIR as to whether Services
have been provided and accepted or an invoice contains an error.
If DIR Customer disputes an invoice, it shall present the billing dispute in writing directly
to the MSI through the Service Catalog within four (4) invoice cycles after the date DIR
Customer receives the invoice and reports that substantiate the service volumes and
associated Charges from DIR. DIR Customer will provide to the MSI all relevant
documentation to justify the billing dispute.
SECTION VI
TERM AND TERMINATION OF CONTRACT AND SERVICES
6.1 Term and Termination of ILC
The term of this ILC shall commence upon start of services or execution of this ILC,
whichever shall come earlier, and shall terminate upon mutual agreement of the Parties.
This ILC is contingent on the continued appropriation of sufficient funds to pay the
amounts specified in DIR Customer’s Requests for Services, including the continued
availability of sufficient relevant federal funds if applicable. Continuation of the ILC is also
contingent on the continued statutory authority of the Parties to contract for the Services.
If this ILC is terminated for any reason other than lack of sufficient funds, lack of statutory
authority, or material breach by DIR, DIR Customer shall pay DIR an amount sufficient to
reimburse DIR for any termination charges and any termination assistance charges
incurred under the DIR Shared Services Contracts and this ILC as a result of such
termination by DIR Customer. DIR Customer shall provide at least ninety (90) days’
written notice to DIR prior to termination. Payment of such compensation by DIR
Customer to DIR shall be a condition precedent to DIR Customer’s termination.
DIR and DIR Customer acknowledge and agree that compliance with federal law and
ongoing cooperation with federal authorities concerning the expenditure of federal funds
in connection with the DIR Shared Services Contracts and this ILC are essential to the
continued receipt of any relevant federal funds.
6.2 Termination of Services
If DIR Customer terminates certain Services, that it requested and approved, for
convenience, DIR Customer shall pay the remaining requisite unrecovered costs that
have already been incurred prior to the notice of termination, such unrecovered costs will
be calculated in accordance with the relevant Shared Services Contract, SMM, or the
approved services proposal and related terms. DIR Customer understands that it may
not be able to terminate services or receive any refund of a pre-payment after approving
the relevant financial solution.
SECTION VII
MISCELLANEOUS PROVISIONS
7.1 Public Information Act Requests
Under Chapter 552, Texas Government Code (the Public Information Act), information
held by SCPs in connection with the DIR Shared Services Contracts is information
collected, assembled, and maintained for DIR. DIR shall respond to Public Information
Act requests for SCP information. If DIR Customer receives a Public Information Act
request for SCP information that DIR Customer possesses, DIR Customer shall respond
to the request as it relates to the information held by DIR Customer. Responses to
requests for confidential information shall be handled in accordance with the provisions
of the Public Information Act relating to Attorney General Decisions. Neither Party is
authorized to receive or respond to Public Information Act requests on behalf of the other.
If SCP or DIR receives a Public Information Act request for information or data owned by
DIR Customer, DIR or SCP will refer the requestor to DIR Customer.
7.2 Inventory Control
DIR shall coordinate financial accounting and control processes between DIR Customer
and SCPs and ensure inclusion of reasonable control and reporting mechanisms,
including any control and reporting mechanisms specifically required by DIR Customer,
in the Service Management Manual. Such procedures shall specifically recognize DIR
Customer requirements for inventory control and accounting for state owned and leased
equipment and facilities, including hardware, software, contracts, and other items of value
that may be utilized by, or authorized for use under the direction and control of SCPs.
7.3 Confidential Information
DIR shall require SCPs to maintain the confidentiality of DIR Customer information to the
same extent that DIR Customer is required to maintain the confidentiality of the
information, and with the same degree of care SCPs use to protect their own confidential
information. DIR acknowledges that DIR Customer may be legally prohibited from
disclosing or allowing access to certain confidential data in its possession to any third
party, including DIR and SCPs. The relevant SMM shall document detailed confidentiality
procedures, including the process DIR Customer shall follow to identify confidential
information it is legally prohibited from disclosing or allowing access to by DIR and SCPs
and including confidentiality procedures required that are specific to DIR Customer. The
DIR Shared Services Contracts sets forth the confidentiality obligations of SCPs.
DIR Customer shall notify DIR, in writing, (1) if DIR Customer is a covered entity subject
to the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations at
45 Code of Federal Regulations Parts 160 and 164, that is required to enter into a
business associate agreement with DIR or SCPs; (2) if DIR Customer receives Federal
tax returns or return information; and (3) if DIR Customer is subject to any other
requirements specific to the provision of Services. If DIR Customer receives federal tax
returns or return information, then DIR Customer must comply with the requirement of
IRS Publication 1075 and Exhibit 7 to IRS Publication 1075. In the event a DIR customer
is subject to additional requirement as mentioned in this section, DIR shall require SCPs
to maintain the confidentiality of DIR Customer information in accordance with language
included in Attachment B of this agreement. Such additional requirements as is included
in Attachment B of this agreement shall be included in the relevant SMM.
7.4 Notification Information
Contact information for purposes of notification for each Party is set forth below.
DIR Customer’s Primary Contact
Name: Chris Bryce
Title: Director of Information Technology
Address: 510 W. 9th St., Georgetown, TX 78726
Telephone: (512) 930-3579
Email: Chris.bryce@georgetown.org
DIR’s Primary Contact
sharedservicescontractoffice@dir.texas.gov
The DIR Billing Contact is listed in the DIR Contacts section of the monthly Shared
Services Payment Guidance letter, which is provided to the DIR Customer with the
monthly Shared Services invoice.
7.5 Binding Effect
The Parties hereto bind themselves to the faithful performance of their respective
obligations under this ILC.
7.6 Amendments
This ILC may not be amended except by written document signed by the Parties hereto
or as specified within this ILC or the attachment being amended.
7.7 Conflicts between Agreements
If the terms of this Contract conflict with the terms of any other contract between the
Parties, the most recent contract shall prevail. This Contract provides a general
description of certain terms within the DIR Shared Services Contracts. If the terms of this
Contract conflict with the terms of the DIR Shared Services Contracts, the DIR Shared
Services Contracts’ terms shall prevail. If the terms of this Contract conflict with the terms
of an accepted proposal or solution from a Request for Services, this Contract shall
prevail.
7.8 Responsibilities of the Parties
The Parties shall comply with all federal, state and local laws, statutes, ordinances, rules
and regulations and with the orders and decrees of any courts or administrative bodies
or tribunals in any manner affecting the performance of the ILC. The parties do not intend
to create a joint venture. Each Party acknowledges it is not an agent, servant or employee
of the other. Each Party is responsible for its own acts and deeds and for those of its
agents, servants and employees. Notwithstanding the foregoing, DIR will cooperate with
DIR Customer in all reasonable respects to resolve any issues pertaining to federal
funding in connection with this ILC or the DIR Shared Services Contracts.
DIR and DIR Customer agree that Services contemplated in this ILC shall be governed
by provisions in the DIR Shared Services Contracts regarding individual responsibilities
of the parties, including Services provided by the SCPs. In the event DIR Customer
actions, failure to perform certain responsibilities, or Request for Services result in
financial costs to DIR, including interest accrued, those costs shall be the responsibility
of DIR Customer. DIR and DIR Customer shall coordinate and plan for situations where
conflicts, failure to perform or meet timely deadlines, or competition for resources may
occur during the term of this contract. Unless otherwise specifically addressed, the
governance process, addressed above, for the DIR Shared Services Contracts shall be
used for issue resolution between DIR Customers, DIR and DIR SCPs.
7.9 Audit Rights of the State Auditor’s Office
In accordance with Section 2262.154, Texas Government Code and other applicable law,
the Parties acknowledge and agree that: (1) the state auditor, the Parties’ internal
auditors, and if applicable, the Office of Inspector General of DIR Customer or their
designees may conduct audits or investigations of any entity receiving funds from the
state directly under the Contract or the DIR Shared Services Contracts, or indirectly
through a subcontract under the DIR Shared Services Contracts; (2) that the acceptance
of funds directly through this Contract or indirectly through a subcontractor under the
Contract acts as acceptance of the authority of the state auditor, under the direction of
the legislative audit committee, the Parties’ internal auditors, and if applicable, the Office
of Inspector General of DIR Customer or their designees to conduct audits or
investigations in connection with those funds; and (3) that the Parties shall provide such
auditors or inspectors with access to any information considered relevant by such auditors
or inspectors to their investigations or audits.
7.10 General Terms
Except as expressly provided herein, no provision of this ILC will constitute or be
construed as a waiver of any of the privileges, rights, defenses, remedies or immunities
available to DIR Customer. The failure to enforce or any delay in the enforcement of any
privileges, rights, defenses, remedies, or immunities available to DIR Customer by law
will not constitute a waiver of said privileges, rights, defenses, remedies, or immunities or
be considered as a basis for estoppel. Except as expressly provided herein, DIR
Customer does not waive any privileges, rights, defenses, remedies or immunities
available to DIR Customer.
This Customer Agreement will be construed and governed by the laws of the State of
Texas. Venue for any action relating to this Customer Agreement is in Texas state courts
in Austin, Travis County, Texas, or, with respect to any matter in which the federal courts
have exclusive jurisdiction, the federal courts for Travis County, Texas.
If one or more provisions of this ILC, or the application of any provision to any Party or
circumstance, is held invalid, unenforceable, or illegal in any respect, the remainder of
this ILC and the application of the provision to other Parties or circumstances will remain
valid and in full force and effect.
Signatory Warranty
Each signatory warrants requisite authority to execute the ILC on behalf of the entity
represented.
SECTION VIII
CERTIFICATIONS
The undersigned Parties hereby certify that: (1) the matters specified above are
necessary and essential for activities that are properly within the statutory functions and
programs of the affected agencies of State Government; (2) this ILC serves the interest
of efficient and economical administration of State Government; and (3) the Services,
supplies or materials in this ILC are not required by Section 21, Article 16 of the
Constitution of Texas to be supplied under contract given to the lowest responsible bidder.
IN WITNESS WHEREOF, the Parties have signed this ILC effective on date of last
signature below.
RECEIVING ENTITY: CITY OF GEORGETOWN
By:
Printed Name: Dale Ross
Title: Mayor
Date: _________________________________________________
PERFORMING AGENCY: DEPARTMENT OF INFORMATION RESOURCES
By:
Printed Name: Sally Ward
Title: Director, Program Planning and Governance
Date: _________________________________________________
Legal:_________________________________________________
Attachments to ILC
Attachment A Estimated Spend Form – (Customer may provide Attachment A to DIR if
required by their processes.)
Attachment B Additional Confidentiality Requirements – (As necessary and described in
Section 7.3, Confidential Information)
Attachment A
Estimated Spend Form
*This form is to be used as needed by the DIR Customer to capture spend within the
Shared Services Program. This amount may be based upon the DIR Customer’s biennial
budget(s).
Below are the estimated spend amounts for certain DIR Shared Services received
through this ILC and may change based upon DIR Customer consumption. This amount
is to be managed and monitored solely by the DIR Customer. Amounts may be
transferred by the DIR Customer that change this amount. Such increases or decreases
are strictly within the control of the DIR Customer.
DIR Customer is required to pay for any costs incurred in accordance with this ILC and
the related DIR Shared Services Contracts regardless of the estimated spend amounts
reflected herein.
Updates to this form may be executed through written notice by the DIR Customer to DIR.
Costs, such as incremental network expenses, which are billed directly to or paid by the
DIR Customer, are not included in these amounts.
For the period MONTH DAY, YEAR through MONTH DAY, YEAR the estimated spend is
$XX,XXX as the spend applies to __________ Services.
DIR Customer acknowledges and agrees that the responsibility to manage, monitor, and
change the amounts contained in this form are the sole responsibility of the DIR
Customer. Further, each signatory warrants requisite authority to execute any changes
to this Attachment A in accordance with the DIR Customer’s applicable approval
processes.
By:
Printed Name:
Title:
Date: _________________________________________________
Attachment B
Additional Confidentiality Requirements
None
MANAGED SECURITY SERVICES TERMS AND CONDITIONS
This agreement is part of and incorporated within the Interagency/Interlocal Contract (“Contract”) that
has been entered into by the contracting parties. DIR Customer acknowledges and agrees that this
Contract is with DIR and, therefore, DIR Customer does not have privity of contract with the SCPs.
Capitalized terms not defined herein shall have the meaning set forth in the relevant DIR Shared
Services Contract.
1. Conditions for Providing Security Services
1.1 Access
DIR and/or Service Component Provider (SCP) shall use the Internet for primary access to DIR
Customer’s systems unless otherwise noted and agreed upon. DIR Customer shall not employ special
access restrictions against DIR and/or Service Component Provider that it does not apply to the rest of
the public network over the course of regular business.
1.2 Network Control
DIR Customer must inform DIR if DIR Customer does not control its network access and/or its Internet
service is provided via a third party. DIR Customer is responsible for obtaining all necessary approvals.
DIR Customer shall provide all necessary contact information for the third parties that control its network
access, Internet service, and/or web applications. DIR Customer’s emergency contact list shall include
primary and secondary staff capable of administering DIR Customer computer systems specific to the
type of services being requested or required.
1.3 Disclosure of Objectionable Material
In conducting the services authorized by DIR Customer, DIR may inadvertently uncover obscene,
excessively violent, harassing, or otherwise objectionable material that may violate State or Federal
law, including material that may infringe the intellectual property of a third party on DIR Customer
devices or networks. DIR shall notify DIR Customer’s Executive Director or highest level executive of
the existence of all such objectionable and/or potentially illicit material so that DIR Customer may deal
with the objectionable and/or potentially illicit material as it deems appropriate.
If DIR accesses child pornography, as defined in the Child Sexual Exploitation and Pornography Act,
18 U.S.C., Chapter 110, in conducting approved Services, DIR shall report such to DIR Customer’s
Executive Director or highest level executive and an appropriate law enforcement agency and provide
the law enforcement agency access to the visual depictions of child pornography.
If DIR accesses information that they perceive as a serious threat to human life or safety in conducting
the approved Services, DIR shall report such threat to an appropriate law enforcement agency and DIR
Customer’s Executive Director or highest-level executive.
1.4 No Warranties and Limitation of Liability
DIR makes no representation or warranty that its security services will disclose, identify, or prevent all
vulnerabilities. DIR hereby disclaims all warranties, both express and implied, including without
limitation, the implied warranties of merchantability and fitness for a particular purpose. In no event
shall DIR be liable for damages of any kind or nature that may arise from the services provided by DIR
or DIR’s Service Component Provider or Service Provider.
1.5 Service Interruption
DIR will endeavor not to disrupt DIR Customer services and to adhere to best practices for all work
performed. However, tools or services may affect the serviceability of poorly configured or
overextended systems or services. It is possible that control of DIR Customer’s system may be lost.
For any testing that DIR may be conducting, DIR endeavors to use the safest methods to compromise
DIR Customer’s systems; however, DIR Customer should be prepared to restore a damaged system
from a recent, acceptable backup within an acceptable time as determined by DIR Customer. During
any testing DIR may conduct, DIR will NOT conduct any deliberate Denial-of-Service attack. DIR
Customer agrees not to hold DIR liable in the event of any service interruption(s) that may arise as a
result of performance of any Services. If either party becomes aware of a service interruption, that party
will notify the other party’s emergency contact.
1.6 Termination of Services
If DIR Customer terminates certain Services, that it requested and approved, for convenience, DIR
Customer shall pay the remaining requisite unrecovered costs that have already been incurred prior to
the notice of termination, such unrecovered costs will be calculated in accordance with the relevant DIR
Shared Services Contract, SMM, or other DIR Customer approved terms. DIR Customer understands
that it may not be able to terminate services or receive any refund of a pre-payment after approving the
relevant financial solution.
2. DIR and DIR Customer Responsibilities
2.1 DIR Customer agrees as follows to the extent assessment Services are requested
or required:
a) DIR Customer responses to information requests and artifacts gathering pertinent to this security
and risk assessment will be timely;
b) The artifacts data are reasonably available via interviews and documents review;
c) DIR Customer will make available the necessary Subject Matter Expert (SME) with required
expertise to work with the SCP Assessment Team and will remain available thru the duration of
the assessment;
d) DIR Customer SME will be available when required for interaction with the SCP Assessment
Team and that all the interviews will be conducted over the number of consecutive days as
established during the project planning and scheduling phase;
e) DIR Customer is responsible for the coordination and scheduling of resources and providing
meeting facilities as necessary;
f) Deliverables will be complete when DIR Customer has approved in writing that the deliverable
meets the acceptance criteria;
g) All document deliverables must be in formats (hard copy and/or electronic) as specified by DIR
Customer. At a minimum, the formats must be in industry-accepted standards (e.g., MS Word,
MS PowerPoint, MS Project);
h) DIR Customer will assist with meeting coordination for meetings between DIR Customer Key
Personnel and DIR and the Service Provider and other staff to gather requirements and other
activities;
i) The SCP Assessment Team will be responsible for scheduling and conducting deliverables
review meetings with DIR Customer to ensure understanding of recommendations and specific
deliverable details;
j) A Texas cybersecurity framework assessment:
1) does not include technical vulnerability scanning or penetration testing;
2) is not a formalized attestation to be used to show compliance to any regulatory body; and,
3) is not a hands-on security configuration review.
k) DIR may receive final copies of reports if DIR is paying for the assessment.
2.2 Penetration Testing
2.2.1 DIR Customer agrees as follows to the extent penetration testing (“PT”) is
requested or required:
a) For white box penetration testing, DIR Customer shall add SCP’s IP ranges, which shall be
provided by SCP prior to test initiation, to DIR Customer’s non-shun list (whitelist) within DIR
Customer’s IDS/IPS.
b) SCP may conduct a passive scan to determine the number of live IPs within the Customer
designated IP range.
c) DIR Customer shall not intentionally place an unsecured system or device in the test scope.
d) If DIR Customer detects SCP testing activities, DIR Customer technical staff shall follow
standard operating procedures and policies.
e) DIR Customer shall complete the provided Remediation Survey and return it to DIR within 60
days after DIR Customer receives the deliverables. If DIR Customer requests a Remediation
Verification Test after the initial 60 days has expired, then DIR Customer shall submit the
requisite Request for Services (“RFS”) and will be responsible for any related costs.
f) If DIR Customer has purposely placed an unsecured system in the test scope that DIR
subsequently compromises during the PT, it would be erroneous to conclude that DIR Customer
can be compromised via that system, since the unsecured system would not normally be
present.
g) If DIR Customer knowingly deploys additional resources or increases monitoring activities during
the PT, it would be erroneous to conclude that DIR Customer is secure, since those resources
would not normally be present.
2.2.2 DIR shall ensure that Service Provider:
a) Provides DIR Customer with the source IP addresses associated with testing activities if DIR
Customer detects SCP testing activities and requests confirmation if detected source IP
addresses are associated with SCP testing activity.
b) Notifies DIR Customer if anomalies such as system failure, inappropriate use of resources, or
actual malicious attack are discovered during the PT.
c) Notifies DIR’s Communications Technology Services Division and/or Network and Security
Operations Center (NSOC) if vulnerabilities are discovered during the PT on network equipment
owned or maintained by the Communications Technology Services Division after SCP informs
DIR Customer.
d) Provides analysis, descriptions of, and recommendations for protecting against confirmed
vulnerabilities and, if applicable, exploits used during the PT.
e) Provides DIR Customer reports for all other vulnerabilities discovered during the PT.
2.2.3 Notes on Vulnerability Scanners
a) No ‘known vulnerability’ scanner is perfect. It is possible that an existing vulnerability may not
have been found or that a vulnerability found may not actually be present. DIR uses vulnerability
scanners that consistently perform at the top of their class. Verify and understand the
vulnerability before deciding to remediate/mitigate it. In many cases, remediating/mitigating the
vulnerability entails upgrading software.
b) A vulnerability for “Agency A” may not be a vulnerability for “Agency B”. Organizations have their
own specific business plans and needs. Each organization must evaluate the need to provide a
service with the risk that the service may be abused. For example, file transfer protocol (FTP)
may be listed as a vulnerability; if the organization intends to provide the FTP services, there is
no need to remediate/mitigate. However, if the business does not need to provide FTP services,
it may decide to discontinue that service. Evaluate the risk of providing the service and accepting
the risk versus not providing the service. This is a management decision.
c) Vulnerability scanning tools attempt to identify the vendors of services and operating systems.
This identification is not always accurate. SCP will use various tools to produce vulnerability
reports for the agency. DIR Customer should review the vulnerability reports and verify the
existence of the vulnerability and then follow the vendor’s instruction for remediating/mitigating
it.
d) New vulnerabilities are discovered every day. SCP updates its tools before every PT-
vulnerability scan to ensure that the highest number of known vulnerabilities is identified at the
time the test is performed.
City of Georgetown, Texas
Government and Finance Advisory Board
August 29, 2018
SUBJECT:
Consideration and possible action to award contracts for self-funded medical program administration
services, medical stop-loss insurance coverage, voluntary vision benefits, voluntary life and AD&D
insurance coverage, employee assistance program, benefit advocate services, flexible spending account
administration, COBRA administration and authorizing the City Manager to enter into such contracts on
behalf of the City. -Tadd Phillips, HR Director
ITEM SUMMARY:
A total of 40 proposals for one or more coverages were received in response to the City’s competitively
advertised Request for Proposals (RFP) for Employee Health Benefits (including medical, pharmacy
benefits management, stop loss, voluntary vision, voluntary life insurance, benefits advocate, COBRA
administration, accidental death & dismemberment, flexible spending account administration and employee
assistance program) for the upcoming 2019 coverage year.
Proposals were evaluated extensively by a committee that included members of the benefits committee,
HR, and Budget. The committee was advised by Gallagher and Co. (the City’s benefits consultant),
Purchasing and Legal. Proposals were scored using the following criteria for medical stop-loss insurance
coverage, voluntary vision benefits: Cost 30%, Cost Containment/Innovative Solutions 20%, Population
Health Manager Programs 20%, Communication 5%, Claims Processing 10% and Integrated
Systems/Technology Initiative 10% and Past Performance 5%. For voluntary life and AD&D insurance
coverage, employee assistance program, benefit advocate services, flexible spending account
administration and COBRA administration: Cost 40%, Reporting 20%, Technology Capabilities 20%,
References (Current and Past)/Relevant Services/Explanations 10%, Enrollment/Communication Materials
10% and Integrated Systems/Technology Initiative 10%. Finalists for major coverages were contacted and
invited to submit best and final offers, and the City entered into negotiations with the final candidates.
Where possible, coverages were bundled during negotiations to achieve the best value for the City. A
summary of the overall scores is attached.
Based on the overall offering, financial impact on the City and the impact on employee, staff recommends
award as follows:
United Health Care: medical, pharmacy benefits management, stop loss, voluntary vision, COBRA
administration and flexible spending account administration;
MetLife: voluntary life and accidental death and dismemberment;
Alliance Work Partners: employee assistance program; and
Compass: benefit advocate.
The City anticipates offering competitive benefits to employees while minimizing the financial impact to
both employees and the City. Coverages will be reviewed during the year to evaluate performance, and the
City has requested three year rate guarantees where applicable, saving the cost of processing an RFP,
providing continuity in care to employees and allowing the City to establish an ongoing relationship with the
provider.
FINANCIAL IMPACT:
This RFP included a mix of benefits, some of which are paid exclusively by employees (vision, life, and
AD&D), some paid exclusively by the city (benefits advocate, EAP, flex spending and COBRA admin),
and some paid by a mix of the two (medical admin and stop loss). All recommended awards maintain or
decrease City fixed costs and fall within the proposed FY2019 Self Insurance Fund budget. Further detail
in presentation.
SUBMITTED BY:
Tadd Phillips, HR Director
ATTACHMENTS:
Description Type
Scoring Sheet Backup Material
GGAF 8.29 presentation Presentation
DB CF NP NR TP LM Total Avg Score
Medical
UHC 86 100 90 99 89 94 558 93.00
BCBS 80 93 79 91 80 92 515 85.83
Cigna 63 88 68 86 64 85 454 75.67
S&W 58 82 65 81 66 79 431 71.83
Aetna 77 68 59 81 69 80 434 72.33
TML 50 77 60 82 58 77 404 67.33
Voya 71 95 51 91 81 90 479 79.83
CMCS 49 48 22 75 65 71 330 55.00
Vision
MetLife 65 80 93 82 79 82 481 80.17
Aetna 80 88 87 80 85 80 500 83.33
Ameritas 84 90 88 93 87 94 536 89.33
Avesis 81 97 90 92 88 91 539 89.83
Dearborn 40 75 65 73 65 76 394 65.67
Eyemed 56 89 74 80 83 80 462 77.00
UHC 83 100 95 96 92 96 562 93.67
Life
Metlife 91 100 95 96 81 96 559 93.17
Aflac 63 80 87 84 65 86 465 77.50
Dearborn 73 98 91 90 75 91 518 86.33
UHC 76 80 86 91 70 91 494 82.33
Voya 73 98 83 92 79 94 519 86.50
Cobra
UHC 82 100 95 99 84 99 559 93.17
Discovery 80 98 76 87 83 89 513 85.50
Aetna (Payflex) 69 95 73 90 80 92 499 83.17
FSA
UHC 88 100 95 99 85 97 564 94.00
Discovery 60 90 67 87 76 87 467 77.83
Aetna (Payflex) 66 98 80 90 79 90 503 83.83
Benefits Concierge
Compass 100 100 81 100 81 100 562 93.67
EAP
Aetna 64 70 80 79 70 82 445 74.17
AWP 88 95 79 99 82 97 540 90.00
Dearborn ComPsych 63 75 78 79 65 79 439 73.17
Deer Oaks 77 95 82 94 81 94 523 87.17
UHC 78 90 91 89 80 89 517 86.17
Request for Proposals: 201827 Employee Health Benefits
GGAF August 29th, 2018
Employee Benefits
Employee Health Benefits/RFP Awards and Premium Increases
Presentation Outline
▪Employee Health Benefits/RFP Awards
▪RFP Process
▪RFP Awards-Recommendation
▪Premium Increase
▪5% Increase for Medical and Dental
▪Staff Recommendation
Employee Health Benefits/RFP Awards
RFP Products
▪Bid 8 Products
Self Insured | Paid By | # of bids
Medical/RX Benefits Manager | Employer/Employee/Retiree | 8
Medical Stop Loss | Employer/Employee/Retiree | 8
Fully Insured | Paid By | # of bids
Voluntary Vision | Employee/Retiree | 7
Voluntary Life and AD&D | Employee | 5
Flex Spending Administration | Employer | 3
COBRA Administration | Employer | 3
City Provided Benefits | Paid By | # of bids
Benefits Advocate | Employer | 1
Employee Assistance Program | Employer | 5
RFP Process
▪May 2nd – RFP posted to public market
▪May 30th – Proposals received
▪July 27th – Best and Finals received
▪August 13th – Met with Benefits Committee on Recommendations
▪August 29th – Recommendations taken to GGAF
▪September 11th – Recommendations taken to Council
▪October 18th – Open Enrollment begins
▪January 1st – New plan year begins
RFP Committee
Voting Members
▪Chris Foster – Benefits Committee/GUS
▪Nathan Parras – Budget
▪Daniel Bilbrey – Benefits Committee/Fire
▪Tadd Phillips – Human Resources
▪Laura Maloy – Human Resources
▪Niki Ross – Human Resources
Advisors
▪Purchasing
▪Legal
▪Gallagher Benefits Consultants
RFP Scoring Criteria
Medical/Medical Stop-Loss/ Voluntary Vision
▪Cost 30%
▪Cost Containment/Innovative Solutions 20%
▪Population Health Manager Programs 20%
▪Communication 5%
▪Claims Processing 10%
▪Integrated Systems/Technology Initiative 10%
▪Past Performance 5%
Voluntary Life and AD&D Insurance/COBRA Administration/FSA Administration/Benefit Advocate/Employee Assistance Program
▪Cost 40%
▪Reporting 20%
▪Technology Capabilities 20%
▪References (Current & Past)/Relevant Services/Explanations 10%
▪Enrollment/Communication Materials 10%
▪Integrated Systems/Technology Initiative 10%
Medical/RX Benefits Manager/Medical Stop Loss Analysis
Plan Period Current BAFO UHC BAFO BCBS
Network/Administration UHC UHC BCBS
Stop Loss Carrier UHC UHC BCBS
Specific Stop Loss Level $150,000 $150,000 $150,000
Medical/RX Administration Annual $271,704 $110,748 $175,392
Stop Loss Annual $670,236 $667,284 $783,996
Total Annual Spend (Fixed) $941,940 $778,032* $959,388**
Change from current -17% 2%
(-$163,908) $17,448
*Full year cost shown, does not reflect waived 3 month admin fee valued at $27,687.
**Full year cost shown, does not reflect waived 1 month admin fee valued at $14,616.
Current Vs. Recommended
▪3 year rate guarantee
▪3 free months of admin fees (Jan-March 2019) -~($27k savings)
▪$20k Wellness Credit –Pay for Biometric Screenings with these funds
▪$10k Communications Credit to use on personalized communications
Medical & RX Benefits Manager
Current Recommendation
United Health Care United Health Care
▪1 year rate guarantee
▪Locked in Stop Loss rate with July claims
▪Held 2018 specific rate flat and lowered the aggregate rate for 2019
Medical Stop Loss
Current Recommendation
United Health Care United Health Care
Current Vs. Recommended
▪3 year rate guarantee
▪Overall lower rates for City Staff
▪Wal-Mart back in-network
▪Includes contact lens allowance benefit
Voluntary Vision
Current Recommendation
MetLife United Health Care
Current Vs. Recommended
▪3 year rate guarantee
▪Held rates flat
Voluntary Life and AD&D
Current Recommendation
MetLife MetLife
Current Vs. Recommended
▪1 year rate guarantee for FSA
▪Small increase in 2020
▪Removed an administrative fee City was previously paying
▪3 year rate guarantee for COBRA
▪Benefit to having Flexible Spending and COBRA Administration under the same umbrella as medical.
Flexible Spending Account & COBRA administration
Current Recommendation
United Health Care United Health Care
Current Vs. Recommended
▪3 year rate guarantee
▪Only bid
▪Long standing relationship with vendor
Benefit Advocate
Current Recommendation
Compass Compass
Current Vs. Recommended
▪3 year rate guarantee
▪Reduced current rate
▪Long standing relationship with vendor
Employee Assistance Program
Current Recommendation
Alliance Work Partners Alliance Work Partners
GGAF Actions
▪Consideration and possible action to award contracts for self-funded medical program administration services, medical stop-loss insurance coverage, voluntary vision benefits, voluntary life and AD&D insurance coverage, employee assistance program, benefit advocate services, flexible spending account administration, COBRA administration, and authorizing the City Manager to enter into such contracts on behalf of the City.
•Staff recommends GGAF approval to forward to Council of the following:
–UHC for Medical, Prescription, Stop Loss, Flexible Spending and COBRA administration & Vision
–MetLife for Life and AD&D
–Compass for Benefits Concierge Service
–Alliance Work Partners for Employee Assistance Program
Questions?
Premium Increase
Fiscal and Budgetary Policy
▪VI. C. 3
▪Employee Premiums –Annual premiums will be recommended to City
Council through a collaborative process between the City’s Employee
Benefit Committee and external Health Benefits Consulting firm using
historical data and other analytical analysis.
Row Labels FY2019 Budget FY2020 FY2021
Beginning Fund Balance 3,319,839 3,061,839 2,487,539
Row Labels FY2019 Budget FY2020 FY2021
Dental Contributions 440,000 455,400 471,339
HDHP Contributions 2,950,000 3,053,250 3,160,114
Other 430,000 445,050 460,627
PPO Contributions 4,400,000 4,554,000 4,713,390
Reinsurance 500,000 517,500 535,613
Grand Total 8,720,000 9,025,200 9,341,082
Row Labels FY2019 Budget FY2020 FY2021
Dental Claims 480,000 504,000 529,200
Fees 413,000 428,000 440,000
H.S.A. Contributions 360,000 370,000 380,000
Medical Claims 6,700,000 7,155,000 7,676,625
Other 275,000 280,000 285,000
Stop Loss Fees 750,000 862,500 991,875
Grand Total 8,978,000 9,599,500 10,302,700
Row Labels FY2019 Budget FY2020 FY2021
Ending Fund Balance 3,061,839 2,487,539 1,525,921
CAFR Adjustment - - -
IBNR 650,000 650,000 650,000
Rate Stabilization 1,532,000 1,709,500 1,843,700
Available Fund Balance 879,839 128,039 (967,779)
▪City Manager proposed FY2019
Budget includes January 2019
5% medical and dental premium
increase for both employer and
employee.
▪Self Insurance Fund Pro Forma
assumes similar rate increases in
out years.
Premiums
▪Medical & Dental –Self Insured
▪Recommending 5% increase for both employee and employer to
mitigate rising claims costs
▪Employee Benefits Committee discussed options –given 5 options
for medical and 3 options for dental
Employee Benefits Committee
▪Bert Witcher – Police
▪Delta Jolly – Police Association
▪Chris Foster – GUS
▪Daniel Bilbrey – Fire
▪Denny Herrin – Fleet
▪Jamie Beran – Parks
▪Sally Bernier – Library
▪Mike Stasny – GUS
▪Paul Diaz – Budget
Medical Premium Increase
▪Employee Benefit Committee Recommended Model
▪Chosen out of 5 models by the employee benefits committee
▪Initially started with a 5% increase –rounded up to the nearest dollar
Plan | Current Monthly Premium | Proposed Monthly Premium | ~% Increase | Annual Difference
HSA – E | $12 | $13 | 8% | $12
HSA – EC | $69 | $73 | 6% | $48
HSA – ES | $276 | $290 | 5% | $168
HSA – EF | $276 | $290 | 5% | $168
PPO – E | $75 | $79 | 5% | $48
PPO – EC | $137 | $144 | 5% | $72
PPO – ES | $549 | $577 | 5% | $336
PPO – EF | $549 | $577 | 5% | $336
5% increase on employee side is roughly $60,000 – proposed model would bring in $62,064.
Dental Premium Increase
▪Recommended Model
▪Chosen out of 5 models by the employee benefits committee
▪Increased employee only rate to $2 and rounded other tiers up to the nearest dollar
Plan | Current Monthly Premium | Proposed Monthly Premium | Annual Difference
E | $0 | $2 | $24
EC | $19.32 | $20 | $8.16
ES | $16.36 | $17 | $7.68
EF | $40.55 | $41 | $5.40
5% increase on employee side is roughly $6,300 – proposed model would bring in $9,209.28
▪Consideration and possible action to approve and recommend to Council the
Employee Benefits Committee proposed medical and dental premiums for the
2019 plan year
•Staff recommends GGAF approval of the following:
–Proposed premium model for dental and for medical
GGAF Actions
Questions?
City of Georgetown, Texas
Government and Finance Advisory Board
August 29, 2018
SUBJECT:
Consideration and possible action to approve and recommend to Council the Employee Benefits
Committee proposed medical and dental premiums for the 2019 plan year. -Tadd Phillips, HR Director
ITEM SUMMARY:
Per Fiscal and Budgetary Policy annual premiums will be recommended to City Council through a
collaborative process between the City’s Employee Benefit Committee and external Health Benefits
Consulting firm using historical data and other analytical analysis.
Monthly claims data continue to track right at budget. Additionally, the recently completed RFP process
will result in lower than expected fixed expenses. However, our claims costs are expected to rise. In order to
smooth increases while using some excess fund reserve, a medical and dental plan premium increase of 5%
for employees, effective January of 2019, has been included in the City Manager’s proposed FY2019
budget.
Premium models for dental and vision were presented to and discussed with the Employee Benefits
Committee on August 13th, 2018. For medical, the committee recommends the model shown in the
presentation, which is a flat 5% across both plans and across all of the enrollment tiers for medical.
For dental, the committee recommends the model shown in the presentation, which includes increasing
each dependent tier up to the next whole dollar per month along with a change from zero premiums to
$2/month for employee only. Staff felt comfortable in making the change on the employee only plan and
most other employers have moved away from zero premium dental as a manner of responsibly sharing
costs.
The Employee Benefits Committee considered multiple options to achieve the 5% from employees for
both the medical and dental plans and recommends the models included in the presentation. Staff
recommends these premium changes and seeks GGAF and City Council approval. Staff will then
communicate these changes during the October 2018 open enrollment period.
FINANCIAL IMPACT:
Recommended medical premiums will increase revenue by approximately $62,000 per year.
Recommended dental premiums will increase revenue by approximately $9,000 per year. These revenue
increases will put the Self-Insurance Fund in position to meet budgeted revenue in FY2019.
SUBMITTED BY:
Tadd Phillips, HR Director