File #: A 16-214    Name: Qualys Agreement
Type: BoS Agreement Status: Consent Agenda
File created: 6/15/2016 In control: Board of Supervisors
On agenda: 6/28/2016 Final action:
Title: a. Approve and authorize the Contracts/Purchasing Officer to sign an End User Agreement for the Qualys Guard tool application with Qualys, Inc., on behalf of the Information Technology Department, in the amount of $130,645.00 for Fiscal Year (FY) 2016-17; and b. Accept non-Standard provisions as recommended by the Director of Information Technology.
Attachments: 1. Board Report, 2. Exhibit A - QualysGuard End-User Agreement Vendor Signed, 3. EXHIBIT B Qualys Quote, 4. Completed Board Order, 5. Fully Executed Agreement between the County of Monterey and QualysGuard
Related files: A 23-310


Body

RECOMMENDATIONS:

It is recommended that the Board of Supervisors:

a. Approve and authorize the Contracts/Purchasing Officer to sign an End User Agreement for the Qualys Guard tool application with Qualys, Inc., on behalf of the Information Technology Department, in the amount of $130,645.00 for Fiscal Year (FY) 2016-17; and

b. Accept non-Standard provisions as recommended by the Director of Information Technology.

 

SUMMARY

This agreement with Qualys, Inc. will provide an information security vulnerability identification and remediation system that delivers vulnerability management services for the County’s use. This service assists the County in identifying new software and service vulnerabilities immediately, so that they can be proactively remediated to protect County information assets against attack. This ability is a requirement of several regulations applicable to the County, including HIPAA, ISO-27002, MEDS and NIST. The County has utilized Qualys for the past eleven years, and it has been the primary reason for a significant drop in the number of vulnerabilities present on County workstations, servers, and network devices, due to the highly accurate vulnerability assessments and remediation information available to County network administrators.

 

DISCUSSION:

Since September of 2005, the County Information Technology Department (ITD) has utilized the QualysGuard scanning tool and service, first under an initial trial agreement, and for the past ten years as a paying customer of Qualys. This tool has provided ITD with an on-demand ability to scan County Information Technology (IT) assets for information security vulnerabilities, and to compare the results against an industry-leading knowledge base of vulnerabilities with a 99.999% accuracy rate. In computer security, the word vulnerability refers to a weakness in a system which can allow an attacker to violate the confidentiality, integrity, availability, or audit mechanism of a system or the data and applications it hosts. Vulnerabilities often result from ‘bugs’ or design flaws in a system. The Qualys tool provides the County with the results of such scans, including detailed reports with verified remediation actions to be undertaken by County staff supporting administrative, legal, health, finance, and social service systems.

The County was originally presented with an “as-is” agreement for this tool.  During the trial period, the County was able to negotiate more favorable terms with the vendor and has achieved improvements to the vendor’s standard agreement in several areas.  These terms have persisted through the last several years of agreements we have signed and continue to maintain with the vendor.  This agreement is for a renewal of the County’s existing service with the vendor. 

The Qualys contract contains non-standard provisions, as identified by County Counsel.  The IT Director believes that the continued reductions in security risks to the County outweigh the risks associated with this agreement.

 

OTHER AGENCY INVOLVEMENT:

County Counsel has reviewed the attached Qualys agreement and cannot approve the following non-standard provisions: automatic renewal on a year-by-year basis; advance payment and late fees, with no refund for unused portions of the subscription; limitations and disclaimers of warranty; limitations on Qualys’ liability for damages, both in amount and type of damages; “as-is” services; County obligation to indemnify and hold Qualys harmless; signature of a single corporate officer; and absence of standard Monterey County insurance provisions. Risk Management cannot approve the non-standard insurance and indemnity language.

 

FINANCING:

This Agreement is included in the FY 2016-17 Requested Budget for ITD 1930, Unit 8437, Appropriations Unit INF002. Should funding be reduced and/or terminated, the County may terminate this agreement by giving thirty (30) days written notice of such action to the Contractor.

 

Prepared by: Elizabeth Crooke, Management Analyst, 755-5108

 

Approved by: Dianah Neff, Director of Information Technology, 759-6923

 

Attachments: Qualys Agreement; Qualys Quote