Staff Report 7703

City of Palo Alto (ID # 7703)
City Council Staff Report

Report Type: Consent Calendar
Meeting Date: 6/12/2017

Summary Title: Amendment No. 2 to Contract No. S15155738 With ARC for Scanning in an amount not to exceed $847,961

Title: Approval of Amendment Number 2 to Contract Number S15155738 Between the City of Palo Alto and American Reprographics Company, LLC for Document Scanning Services to Increase Compensation by $414,726 for a Total Amount Not-to-Exceed $847,961 and Amend Other Terms and Conditions

From: City Manager

Lead Department: Administrative Services

Recommendation

Staff recommends that Council authorize the City Manager or his designee to execute Amendment No. 2 to Contract No. S15155738 with American Reprographics Company, LLC (“Assignor”), ARC Document Solutions, LLC (“Assignee”) and City of Palo Alto (“Client”) for document scanning services to increase compensation by $414,726 for a total amount not-to-exceed $847,961, to amend other terms and conditions and rates, to incorporate exhibits related to the City’s standard information privacy provisions, and to consent to the assignment of the Agreement to Assignee.

Background

After an extensive RFP process, American Reprographics Company, LLC was awarded the Archiving Information Management Services contract on March 1, 2015 for a one-year term with three optional one-year renewal terms. Amendment No. 1, approved by Council on August 17, 2015, increased the contract’s total compensation by $348,735 from $84,500 to $433,235 (Report ID # 5790).

Discussion

This Amendment No. 2 will bring the contract value from a do-not-exceed amount of $433,235 to $847,961, an increase of $414,726. Since initially launching the City’s scanning efforts, the volume has increased. This is due to a larger than first estimated Development Services Department microfiche backlog and project plans and additional Planning Department project scanning.
This work continues the phased approach to scanning across the City where departments address the backlog of paper documents and more departments join the effort. Making documents available electronically through scanning has helped departments manage and share documents more efficiently, increased turnaround times for public information requests, and freed up floor space in City Hall.

The City also contracts with ARC for multi-function copier, scanner machines under a separate contract, which was approved by Council in November 2016 (Report ID # 7046). As departments shift from scanning a backlog of documents, the copiers can be used to scan documents directly into the ARC hosted cloud-based archive solution provided with this contract.

This Amendment will also acknowledge and consent to the assignment of the Agreement, incorporate contract revisions to existing provisions related to rates, contract term, termination, limitation of liability and warranties, as specified in the Amendment, and add new Exhibits C through E related to information privacy.

Resource Impact

The additional funding is for identified departmental scanning projects. The existing individual department scanning budgets will fund these scanning projects and no additional budget adjustments are needed. Staff anticipates this will be the last major budget allocation to address the backlog of paper documents. It is expected that ongoing scanning costs will continue at a lower cost with the majority of activity in the Development Services and Planning Departments where building and development plans continue to be paper-based. The breakdown across departments of the increased contract allocation in this amendment is shown below.
Department | Amount
Administrative Services | $30,386
Planning and Community Environment | $91,248
Development Services | $226,816
Utilities | $17,040
Public Works | $29,419
Fire | $4,192
City Attorney | $9,432
 | $6,193
Total | $414,726

Policy Implications

Approval of the agreement is consistent with existing City policies.

Environmental Review

These services do not constitute a project for the purposes of the California Environmental Quality Act. This citywide scanning project will decrease the amount of paper and toner used to make reproductions and will help make city processes more sustainable as a result.

Attachments:
Attachment A - Second Amendment to Contract No. S15155739 Archiving Information Management Services Agreement

SECOND AMENDMENT TO CONTRACT NO. S15155738
ARCHIVING INFORMATION MANAGEMENT SERVICES AGREEMENT

This Amendment to the Archiving Information Management Services Agreement (“Second Amendment”) dated December 7, 2016, between American Reprographics Company, LLC and City of Palo Alto is entered into by and between American Reprographics Company, LLC (“Assignor”), ARC Document Solutions, LLC (“Assignee”) and City of Palo Alto (“Client”). The following changes are agreed upon by the undersigned parties:

RECITALS

WHEREAS, the Parties have entered into an Archiving Information Management Services Agreement, dated March 1, 2015 (the “Agreement”);

WHEREAS, the Parties have entered into that Amendment to Archiving Information Management Services Agreement, dated November 19, 2015 (the “First Amendment”);

WHEREAS, the Parties desire to amend the Terms and Conditions of the Agreement as set forth in this Second Agreement.

WHEREAS, the Parties desire to amend the Rates as identified in Exhibit B of the Agreement to allow for the adjusted Rates as set forth in the amended Exhibit B of this Second Agreement.

WHEREAS, the Parties desire to incorporate Exhibit C, as attached in this Second Agreement, as part of the Agreement.
WHEREAS, the Parties desire to incorporate Exhibit D, as attached in this Second Amendment, as part of the Agreement.

WHEREAS, the Parties desire to incorporate Exhibit E, as attached in this Second Amendment, as part of the Agreement.

WHEREAS, Assignor hereby assigns all of its right, title and interest in and to the Agreement to Assignee, and Assignee hereby assumes all of Assignor’s right, title and interest in and to the Agreement, pursuant to the terms and conditions of this Second Amendment. Client consents to the assignment of the Agreement from Assignor to Assignee.

NOW, THEREFORE, in consideration of the premises set forth above and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

AGREEMENT

1. Definitions. Capitalized terms used and not defined in this Amendment have the respective meanings assigned to them in the Agreement.

2. Amendment. As of the Effective Date, the Agreement is hereby amended or modified as follows:

a) Section 1-Term. The second sentence of Section 1 of the Agreement is hereby replaced by the following “Thereafter, this Agreement may be renewed for not more than two (2) additional one (1) year periods (“Maintenance Period(s)”).”

b) Section VI-Termination/Default. The first sentence of Section VI is hereby replaced with “Client may terminate this Agreement by providing thirty (30) days’ notice to ARC.”

c) Section X-Representations and Warranties. The second sentence of Section X is hereby replaced as “The expressed warranty set forth in this Section X is a limited warranty and is the only warranty made by ARC.” The last sentence of Section X is hereby deleted.

d) Section XI-Indemnification; Limitation of Liability.
Section XI (3) is hereby replaced as: In no event shall either party be liable to the other party or to any third party for any loss of use, revenue or profit or loss of data, or for any consequential, incidental, indirect, exemplary, special or punitive damages, whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damage was foreseeable and whether or not such party has been advised of the possibility of such damages.

e) Exhibit B to the Agreement setting forth the Rates under the Agreement is hereby replaced by the amended Exhibit B attached to this Second Amendment.

f) Exhibit C, Exhibit D, and Exhibit E as set forth in this Second Amendment are incorporated into the Agreement.

g) Assignor hereby assigns all of its right, title and interest in and to the Agreement to Assignee, and Assignee hereby assumes all of Assignor’s right, title and interest in and to the Agreement, pursuant to the terms and conditions of this Second Amendment. Client consents to the assignment of the Agreement from Assignor to Assignee.

3. Miscellaneous.

(a) This Second Amendment shall inure to the benefit of and be binding upon each of the Parties and each of their respective successors and assigns.

(b) The headings in this Second Amendment are for reference only and do not affect the interpretation of this Second Amendment.

(c) This Second Amendment may be executed in counterparts, each of which is deemed an original, all of which constitutes one and the same agreement. Delivery of an executed counterpart of this Second Amendment electronically or by facsimile shall be effective as delivery of an original executed counterpart of this Second Amendment.
(d) This Second Amendment constitutes the sole and entire agreement of the Parties with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to such subject matter.

(e) Each Party shall pay its own costs and expenses in connection with this Second Amendment (including the fees and expenses of its advisors, accounts and legal counsel).

IN WITNESS WHEREOF, the Parties have executed this Second Amendment to be effective as of the date first above written.

ASSIGNOR
AMERICAN REPROGRAPHICS COMPANY, L.L.C.
a California limited Liability Company
By:
Name: D. Jeffery Grimes
Title: Corporate Secretary

ASSIGNEE
ARC DOCUMENT SOLUTIONS, LLC
a Texas limited liability company
By:
Name: D. Jeffery Grimes
Title: Corporate Secretary

CLIENT
CITY OF PALO ALTO
By:
Name:

Exhibit B
Rates

1. Rate for Services. Commencing on the first day in which ARC begins to provide Services, Client may select from one of two payment options:

1. Pay a fee of Ten Thousand Dollars ($10,000) as a onetime fee (“Fee”) for the platform and a fee of Four Hundred Dollars ($400.00) a month for information access to the platform during the term.

Option 2: Pay a fee of Eight Hundred Thirty Three Dollars and Thirty Three Cents ($833.33) for Twelve (12) months in lieu of the onetime fee and a fee of Four Hundred Dollars ($400.00) a month for information access to the platform during the term.

Client may choose The Fee is inclusive of the Services noted in Exhibit A. A sum calculated in accordance with the fee schedule set forth in Exhibit B, not to exceed a total maximum compensation amount of Eight Hundred Forty Seven Thousand Nine Hundred Sixty One dollars ($847,961.00). ARC will notify the client when this amount is reached and provide any remaining or additional services based on the Client’s written approval.

2. Actual Document Volume.
Depending upon the Client’s actual document volume, ARC will increase or decrease the Fee based on the rates noted in exhibit B.

3. Actual Document Condition. ARC expects the documents to be of good quality which will not require additional preparation prior to scanning. Should the quality of the documents require document preparation, ARC will provide the Service for these types of documents at the Rates specifically set forth below in Exhibit B.

4. On-Going Intelligent Storage and Access Fee. Client will pay an on-going information storage and access fee (“Maintenance Fee”) noted in section 1 above beginning with the first month of access. On the anniversary of any Maintenance Period, ARC may increase the Rates for PWC to reflect increases in the functional and underlying technological advances made to the PWC. ARC will provide written notification of any increases in Rates and such increase will be prospective. In no event shall any increase in Rates for the PWC in any given year exceed five percent (5%) of the prior year’s Rate.

5. Services. Client will pay for additional system capacity or imaging services based on the following rates.
Such additional fees will be invoiced as set forth below:

Scanning and Indexing Services | Price
Scanning Small Format Documents up to 11 x 17 Black/White | $0.05/image
Scanning small format documents up to 11 x 17 Color/Greyscale | $0.15/image
Scanning Large Format B/W Documents 12 x 18 up to 36 x 48 to PDF | $0.90/page
Scanning Large Format Color Documents 12 x 18 up to 36 x 48 to PDF | $1.20/page
File Renaming/Indexing Small Format | $0.12/field
File Renaming/Indexing Large Format | $0.12/field
Scan & Index Single Format Microfiche | $1.50 per jacket
Auto Import to PWC | $1.00 per file
PWC Platform Customization | $200.00/hr
Additional Interactive Users | $25.00/User/Month
Additional Cloud Storage | $2.00/GB/Month
Additional Professional Services/Training | $90.00/hr
Software Customization/Development | $150/hr
Document preparation/repair | $60.00/hr
Document Shredding | $3.00/Box

6. Additional Services

ESTIMATED QUANTITY Per JOB | DESCRIPTION | UNIT PRICE STANDARD | EXTENDED PRICE STANDARD | ADDITIONAL ($$) FEE FOR RUSH, AFTER HOURS, WEEKEND or EMERGENCY

Quote in Quantit Reproduction of engineering plans, maps, drawings Large Format – greater than 11” x Annual volume: 111,000 sq ft. (12x18 to 36x48) 800 prints each
1. 001-100 | Black/white | $0.075 per SQ FT | 8325 | $0.00
101-250 | Black/white | $0.075 per SQ FT | 8325 | $0.00
251-500 | Black/white | $0.075 per SQ FT | 8325 | $0.00
2. 001-100 | One Color | $0.65 per SQ FT | 72150 | $0.00
101-250 | One Color | $0.65 per SQ FT | 72150 | $0.00
251-500 | One Color | $0.65 per SQ FT | 72150 | $0.00
3. 001-100 | Two Color | $0.65 per SQ FT | 72150 | $0.00
101-250 | Two Color | $0.65 per SQ FT | 72150 | $0.00
251-500 | Two Color | $0.65 per SQ FT | 72150 | $0.00

Quote in Quantity Ranges Reproductions of Maps, charts, text Standard size – up to 11” x 17” Annual volume: 20,000 sq ft. 1,5
4. 0001-1000 | Black/white | $0.075 per SQ FT | $1500
1001-2000 | Black/white | $0.075 per SQ FT | $1500
2001-4000 | Black/white | $0.075 per SQ FT | $1500
5.
0001-1000 One- color $ 0.65 per SQ FT $13000 1001-2000 One- color $ 0.65 per SQ FT $13000 2001-4000 One- color $ 0.65 per SQ FT $13000 6. 0001-1000 Two-color $ 0.65 per SQ FT $13000 1001-2000 Two-color $ 0.65 per SQ FT $13000 2001-4000 Two-color $ 0.65 per SQ FT $13000 Quote in Quantity Ranges Scanning – Digitally scan all drawings and other files; Scanning on a large format scanner (flatbed or drum type), which can scan large documents up to 36” width by any reasonable length; TIF format at resolutions of 200 to 400 dots per inch. Cost to include assigning one attribute (file name) to the Document up to 24 characters. Annual volume: 324 items 7. 001- 500 $ 1.02 per sheet $330.48 501-1000 $ 1.02 per sheet $330.48 1001-3000 $ 1.02 per sheet $330.48 3001-5000 $ 1.02 per sheet $330.48 TOTAL SUPPLIES: Paper, 36 “ wide, Bond, Color, large format $ 32.00 per roll 80 rolls/year 80,000 linear ft Plotter Cartridges: all 4 colors Cyan, Magenta, Black, Yellow $ TBD 96 each/year OPTION 1 – OVERSIZE FORMAT COPYING SERVICES Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR A. OVERSIZE FORMAT COPYING Black/White 1. Bond - weight 20 LB (24”x36” most common) a. % Post consumer recycled content 30 % b. Process Chlorine-free? Yes, No c. Third Party Certification (e.g., Green Seal)? Yes or No 2. Vellum – weight 20 LB a. 0 % Post consumer recycled content (specify %) b. Process Chlorine-free? Yes, No c.Third Party Certification (e.g., Green Seal)? Yes or No 3. Erasable copy – a. % Post consumer recycled content b. Process Chlorine-free? Yes, No c. Third Party Certification (e.g., Green Seal)? Yes or No 4. Mylar copy a. Weight (4 mil X or 5 mil ) b. Virgin c. 0 % Post consumer recycled content (specify %) d. Third Party Certification (e.g., Green Seal)? Yes or No $ 0.075 sq. ft. $ 0.75 sq. ft. $ N/A sq. ft. $ 1.25 sq. ft. $ 0.075 sq. ft. $ 0.75 sq. ft. $_ N/A sq. ft. $ 1.25 sq. ft. $ 0.075 sq. ft. $ 0.75 sq. ft. $ N/A sq. ft. $ 1.25 sq. ft. B. OVERSIZE FORMAT COPYING - COLOR 1. 
Bond - weight 20 LB (24”x36” most common) a. 30 % Post consumer recycled content b. Process Chlorine-free? Yes, No c. Third Party Certification (e.g., Green Seal)? Yes or No 2. Vellum – weight 20LB a. 0 % Post consumer recycled content $ 0.65 sq. ft. $ 1.25 sq. ft. $ 0.65 sq. ft. $ 1.25 sq. ft. $ 0.65 sq. ft. $ 1.25 sq. ft. Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR b. Process Chlorine-free? Yes, No c. Third Party Certification (e.g., Green Seal)? Yes or No 1. Erasable copy – Virgin_ a. % Post consumer recycled content (specify %) b. Process Chlorine-free? Yes, No c. Third Party Certification (e.g., Green Seal)? Yes or No 2. Mylar copy a. Weight (4 mil X or 5 mil ) b. Virgin c. 0 % Post consumer recycled content (specify %) d. Third Party Certification (e.g., Green Seal)? Yes or No $ N/A sq. ft. $ 2.50 sq. ft. $ N/A sq. ft. $ 2.50 sq. ft. $ N/A sq. ft. $ 2.50 sq. ft. OPTION 2 – STANDARD FORMAT COPYING SERVICES Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR A. STANDARD SIZE COPYING Black/white 1. On white paper stock, 20# bond & 65# cover, 30% post-consumer content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green Seal)? Yes or No From hard copy a. 8.5 x 11 copy, b. 8.5 x 14 copy, c. 11 x 17 copy, d. 24 x 36 copy. 2. On white paper stock, 20# bond & 65# cover, greater than 30% post consumer recycled content 30 % (specify) post-consumer content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green 20# bond / 65# cover $ 0.045 / $0.07 $ 0.09 / $ 0.14 $ 0.09 / $0.14 $ 0.45 / N/A 20# bond / 65# cover $ 0.045 / $0.07 $ 0.09 / $ 0.14 $ 0.09 / $0.14 $ 0.45 / N/A 20# bond / 65# cover $ 0.045 / $0.07 $ 0.09 / $ 0.14 $ 0.09 / $0.14 $ 0.45 / N/A Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR Seal)? Yes or No Specify recycled paper used: 20 LB 30% Post Consumer From hard copy: a. 8.5 x 11 b. 8.5 x 14 c. 11 x 17 d. 
24 x 36 From digital files – 1st out-add: PDF AutoCad TIF $ 0.045 / $0.07 $ 0.09 / $ 0.14 $ 0.09 / $0.14 $ 0.45 / N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 $ 0.045 / $0.07 $ 0.09 / $ 0.14 $ 0.09 / $0.14 $ 0.45 / N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 $ 0.045 / $0.07 $ 0.09 / $ 0.14 $ 0.09 / $0.14 $ 0.45 / N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 B. STANDARD SIZE COPYING Black/white 1. On colored paper stock, 20# bond & 65# cover Recycled paper must have a minimum of 30% post-consumer content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green Seal)? Yes or No From hard copy a. 8.5 x 11 copy, b. 8.5 x 14 copy, c. 11 x 17 copy, d. 24 x 36 copy, 1. On colored paper stock, 20# bond & 65# cover, 30 % (specify) post- consumer content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green 20# bond / 65# cover $ 0.055 / $0.07 $ 0.10 / $ 0.14 $ 0.10 / $0.14 $ 0.55 / N/A 20# bond / 65# cover $ 0.055 / $0.07 $ 0.10 / $ 0.14 $ 0.10 / $0.14 $ 0.55 / N/A 20# bond / 65# cover $ 0.055 / $0.07 $ 0.10 / $ 0.14 $ 0.10 / $0.14 $ 0.55 / N/A Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR Seal)? Yes or No Specify recycled paper used: 20 LB 30% Post Consumer From hard copy: a. 8.5 x 11 b. 8.5 x 14 c. 11 x 17 d. 24 x 36 From digital files – 1st out-add: .pdf AutoCad TIFF $ 0.055 / $0.07 $ 0.10 / $ 0.14 $ 0.10 / $0.14 $ 0.55 / N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 $ 0.055 / $0.07 $ 0.10 / $ 0.14 $ 0.10 / $0.14 $ 0.55 / N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 $ 0.055 / $0.07 $ 0.10 / $ 0.14 $ 0.10 / $0.14 $ 0.55 / N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 C. REGULAR SIZE COPYING Black/white 1. On white paper stock 20# bond, 28# laser, 65# cover 30% post-consumer recycled content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green Seal)? Yes or No From hard copy a. 8.5 x 11 copy, b. 8.5 x 14 copy, c. 11 x 17 copy, 2. 
White paper stock 20# bond, 28# laser, 65# cover Greater than 30% post-consumer recycled content 30 % (specify) post-consumer Content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green Seal)? Yes or No Specify recycled paper used: 20# bond /28#/65# cvr $ 0.055/ 0.065/ 0.07 $_0.10 /0.11/ 0.14 $_0.10 /0.11/ 0.14 20# bond /28#/65# cvr $ 0.055/ 0.065/ 0.07 $_0.10 /0.11/ 0.14 $_0.10 /0.11/ 0.14 20# bond /28#/65# cvr $ 0.055/ 0.065/ 0.07 $_0.10 /0.11/ 0.14 $_0.10 /0.11/ 0.14 Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR 20 LB 30% Post Consumer From hard copy: 20# bond /28#/65# 20# bond /28#/65# 20# bond /28#/65# cvr cvr cvr 8.5 x 11 $ 0.055/ 0.065 $ 0.055/ 0.065 $ 0.055/ 0.065 8.5 x 14 $_0.10 /0.11 $_0.10 /0.11 $_0.10 /0.11 11 x 17 $_0.10 /0.11/ 0.14 $_0.10 /0.11/ 0.14 $_0.10 /0.11/ 0.14 From digital files – 1st out-add: $0.00 Any other charges associated with copying from digital files? No D. STANDARD SIZE COPYING - COLOR 1. On white paper stock, 20# bond & 65# cover, minimum 30% post-consumer content Process Chlorine-free? Yes, No Third Party Certification (e.g., Green Seal)? Yes or No From hard copy 1. 8.5 x 11 2. 8.5 x 14 3. 11 x 17 4. 24 x 36 2. On white paper stock, 20# bond & 65# cover, greater than 30% post- consumer recycled content 30 % (specify % post-consumer content) Process Chlorine-free? Yes, No Third Party Certification (e.g., Green 20# bond / 65# cover $0.35 / $0.45 $ 0.70 _/ $0.80 $ 0.70 / $0.80 $ 3.90 / N/A 20# bond / 65# cover $0.35 / $0.45 $ 0.70 _/ $0.80 $ 0.70 / $0.80 $ 3.90 / N/A 20# bond / 65# cover $0.35 / $0.45 $ 0.70 _/ $0.80 $ 0.70 / $0.80 $ 3.90 / N/A Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR Seal)? 
Yes or No Specify recycled paper used: 20 LB 30% Post Consumer_ From hard copy: 8.5 x 11 8.5 x 14 11 x 17 24 x 36 From digital files – 1st out-add $0.00 : PDF AutoCad TIF 20# bond / 65# cover $0.35 / $0.45 $ 0.70 _/ $0.80 $ 0.70 / $0.80 $ 3.90/ N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 20# bond / 65# cover $0.35 / $0.45 $ 0.70 _/ $0.80 $ 0.70 / $0.80 $ 3.90/ N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 20# bond / 65# cover $0.35 / $0.45 $ 0.70 _/ $0.80 $ 0.70 / $0.80 $ 3.90/ N/A $ 0.00 / 0.00 $ 20.00 / $20.00 $ 0.00 / 0.00 OPTION 3 – FINISHING SERVICES Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR E. MISCELLANEOUS TASKS 1. Acetate: 8.5 x 11 (146) ea 2. Acetate: 8.5 x 14 ea 3. Stapling (130) ea 4. Collating, manual hr 5. Inserting, manual hr 6. Folding hr 1. Binding: a. Velo bind – ½” 1” Available colors (5 minimum): N/A b. Tape binding – ½” 1” $ 1.05 $ 2.25 $ .29 $ 60.00 $ 60.00 $ 60.00 $ N/A $ N/A $ 5.00 $ 5.00 $ 1.05 $ 2.25 $ .29 $ 60.00 $ 60.00 $ 60.00 $ N/A $ N/A $ 5.00 $ 5.00 $ 1.05 $ 2.25 $ .29 $ 60.00 $ 60.00 $ 60.00 $ N/A $ N/A $ 5.00 $ 5.00 Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR Available colors (7 minimum): BLACK c. GBC Comb binding – ½” 1” 2” Specify % pre- or post- consumer recycled content 0% Available colors (5 minimum): BLACK d. Coil binding – 1/4” 1” Available colors (5 minimum): BLACK 2. Lamination: hot/cold 8.5 x 11 2 sides 3 mil 5 mil 11 x 17 2 sides 3 mil 5 mil 24 x 36 2 sides 3 mil 5 mil Per Sq. Ft. 2 sides 3 mil 5 mil 3. Foam core mounting 3/16” (Standard white) 4. Fore core mounting 3/16” (Black gator board) 5. 
Mounting/Printing on Chloroplast plastic $ 3.50 $ 3.50 $ 3.50 $ 4.50 $ 4.50 Hot / cold $ 0.70 / $1.80 $ 1.00 / N/A $1.05 / $2.70 $ 1.50 / N/A $ 4.20 / $10.80 $ 6.00 / N/A $ 0.70 / $1.80 $ 1.00 / N/A $2.60 / N/A $5.45 / N/A $2.65 / N/A $ 3.50 $ 3.50 $ 3.50 $ 4.50 $ 4.50 Hot / cold $ 0.70 / $1.80 $ 1.00 / N/A $1.05 / $2.70 $ 1.50 / N/A $ 4.20 / $10.80 $ 6.00 / N/A $ 0.70 / $1.80 $ 1.00 / N/A $2.60 / N/A $5.45 / N/A $2.65 / N/A $ 3.50 $ 3.50 $ 3.50 $ 4.50 $ 4.50 Hot / cold $ 0.70 / $1.80 $ 1.00 / N/A $1.05 / $2.70 $ 1.50 / N/A $ 4.20 / $10.80 $ 6.00 / N/A $ 0.70 / $1.80 $ 1.00 / N/A $2.60 / N/A $5.45 / N/A $2.65 / N/A OPTION 4 – DIGITAL ARCHIVING Item # DESCRIPTION 1st YEAR 2nd YEAR 3rd YEAR A. Scanning documents – each image (with one attribute or filename) Sizes: 12 x 18 and larger Delivery format: FTP TIFF PDF or combination Resolution – 400 DPI Reducing Plans (full size to ½ size) $ 1.02 PER SHEET $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 1.02 PER SHEET $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 1.02 PER SHEET $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional $ 0.00 additional B. CD ROM $ 5.00 $ 5.00 $ 5.00 Creation of 1st CD ROM Additional copies on CD ROM $ 5.00 $ 5.00 $ 5.00 FTP (File Transfer Protocol) $ 0.00 $ 0.00 $ 0.00 C. MISCELLANEOUS TASKS NOT ON BID LIST % discount off price list for other requirements 30 % D. EXCEPTIONS to specifications must be listed here: E. SALES TAX What services are taxable: ALL DELIVERY: Delivery terms shall be F.O.B. Destination, Freight Prepaid in accordance with the attached specifications, terms and conditions. 
Information Privacy Policy (IPP)
Release and Version: 1st Release, Version 2.2
Release Date: 31 January, 2013
Document Classification: Need to Know

Exhibit C

City of Palo Alto Information Technology Information Security Services Information Privacy Policy Version 2.2 Page 1 of 8 31 January, 2013

CONTENTS

DOCUMENT CONTROLS
  CHANGE RECORD
  APPROVAL
  DISTRIBUTION
1. OBJECTIVE
  A) INTENT
  B) SCOPE
  C) CONSEQUENCES
  D) EXCEPTIONS
  E) MUNICIPAL ORDINANCE
2. RESPONSIBILITIES OF CITY STAFF
  A) RESPONSIBILITY OF CIO AND ISM
  B) RESPONSIBILITY OF INFORMATION SECURITY STEERING COMMITTEE
  C) RESPONSIBILITY OF USERS
  D) RESPONSIBILITY OF INFORMATION TECHNOLOGY (IT) MANAGERS
  E) RESPONSIBILITY OF AUTHORIZATION COORDINATION
3. PRIVACY POLICY
  A) OVERVIEW
  B) PERSONAL INFORMATION AND CHOICE
  C) METHODS OF COLLECTION OF PERSONAL INFORMATION
  D) UTILITIES SERVICE
  E) PUBLIC DISCLOSURE
  F) ACCESS TO PERSONAL INFORMATION
  G) SECURITY, CONFIDENTIALITY AND NON-DISCLOSURE
  H) DATA RETENTION / INFORMATION RETENTION
  I) SOFTWARE AS A SERVICE (SAAS) OVERSIGHT
  J) FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003 (FACT)
4. CONTACTS

DOCUMENT CONTROLS

Document Title: Information Privacy Policy
Location: City of Palo Alto Website and SharePoint
Document Author: Raj Patel
Document Manager: Raj Patel
Contributors: Jonathan Reichental, Shiva Swaminathan, Tom Auzenne, Joe Blackwell, Grant Kolling

CHANGE RECORD

Date | Author | Version | Change Reference
12-Jul-12 | Raj Patel | 0.01 | First draft developed
26-Sep-12 | Raj Patel | 1.0 | First draft released for review
09-Nov-12 | Raj Patel | 1.5 | Updated first draft for review
19-Nov-12 | Raj Patel | 1.6 | Additional updates as identified
22-Nov-12 | Raj Patel | 1.7 | Revised table of content
26-Nov-12 | Raj Patel | 1.8 | Revised followed by review from Jonathan Reichental and Tom Auzenne
6-Dec-12 | Raj Patel | 1.92 | Revised according to comments from Jonathan Reichental
14-Jan-13 | Raj Patel | 2.0 | Revised according to comments from Grant Kolling
31-Jan-13 | Raj Patel | 2.2 | Revised according to recommendations from Information Security Steering Committee

APPROVAL

Date | Name | Role | Comments
06-Dec-12 | Raj Patel | Information Security Manager; Information Technology Department | Approved
06-Dec-12 | Jonathan Reichental | CIO; Information Technology Department | Approved
06-Dec-12 | Tom Auzenne | Assistant Director, Utilities Department | Approved
14-Jan-13 | Grant Kolling | Senior Assistant City Attorney; City Attorney’s Office | Approved
31-Jan-13 | Information Security Steering Committee | Sponsor | Approved

DISTRIBUTION

Name | Location
City of Palo Alto Employees, Service Providers, Residents and Businesses | City of Palo Alto Website and SharePoint

1. Objective

The City of Palo Alto (the “City”) strives to promote and sustain a superior quality of life for persons in Palo Alto. In promoting the quality of life of these persons, it is the policy of the City, consistent with the provisions of the California Public Records Act, California Government Code §§ 6250 – 6270, to take appropriate measures to safeguard the security and privacy of the personal (including, without limitation, financial) information of persons, collected in the ordinary course and scope of conducting the City’s business as a local government agency. These measures are generally observed by federal, state and local authorities and reflected in federal and California laws, the City’s rules and regulations, and industry best practices, including, without limitation, the provisions of California Civil Code §§ 1798.3(a), 1798.24, 1798.79.8(b), 1798.80(e), 1798.81.5, 1798.82(e), 1798.83(e)(7), and 1798.92(c). Though some of these provisions do not apply to local government agencies like the City, the City will conduct business in a manner which promotes the privacy of personal information, as reflected in federal and California laws.
The objective of this Policy is to describe the City’s data security goals and objectives, to ensure the ongoing protection of the Personal Information, Personally Identifiable Information, Protected Critical Infrastructure Information and Personally Identifying Information of persons doing business with the City and receiving services from the City or a third party under contract to the City to provide services. The terms “Personal Information,” “Protected Critical Infrastructure Information”, “Personally Identifiable Information” and “Personally Identifying Information” (collectively, the “Information”) are defined in the California Civil Code sections, referred to above, and are incorporated in this Policy by reference.

A) INTENT

The City, acting in its governmental and proprietary capacities, collects the Information pertaining to persons who do business with or receive services from the City. The Information is collected by a variety of means, including, without limitation, from persons applying to receive services provided by the City, persons accessing the City’s website, and persons who access other information portals maintained by the City’s staff and/or authorized third-party contractors. The City is committed to protecting the privacy and security of the Information collected by the City. The City acknowledges federal and California laws, policies, rules, regulations and procedures, and industry best practices are dedicated to ensuring the Information is collected, stored and utilized in compliance with applicable laws.
The goals and objectives of the Policy are: (a) a safe, productive, and inoffensive work environment for all users having access to the City’s applications and databases; (b) the appropriate maintenance and security of database information assets owned by, or entrusted to, the City; (c) the controlled access and security of the Information provided to the City’s staff and third party contractors; and (d) faithful compliance with legal and regulatory requirements.

B) SCOPE

The Policy will guide the City’s staff and, indirectly, third party contractors, which are by contract required to protect the confidentiality and privacy of the Information of the persons whose personal information data are intended to be covered by the Policy and which will be advised by City staff to conform their performances to the Policy should they enjoy conditional access to that information.

C) CONSEQUENCES

The City’s employees shall comply with the Policy in the execution of their official duties to the extent their work implicates access to the Information referred to in this Policy. A failure to comply may result in employment and/or legal consequences.

D) EXCEPTIONS

In the event that a City employee cannot fully comply with one or more element(s) described in this Policy, the employee may request an exception from the application of the Policy. The request form will be developed, reviewed and administered by the City’s Information Security Manager (the “ISM”). The employee, with the approval of his or her supervisor, will provide any additional information as may be requested by the ISM. The ISM will conduct a risk assessment of the requested exception in accordance with guidelines approved by the City’s Chief Information Officer (“CIO”) and approved as to form by the City Attorney.
The Policy’s guidelines will include at a minimum: purpose, source, collection, storage, access, retention, usage, and protection of the Information identified in the request. The ISM will consult with the CIO to approve or deny the exception request. After due consideration is given to the request, the exception request disposition will be communicated, in writing, to the City employee and his or her supervisor. The approval of any request may be subject to countermeasures established by the CIO, acting by the ISM.

E) MUNICIPAL ORDINANCE

This Policy will supersede any City policy, rule, regulation or procedure regarding information privacy.

2. RESPONSIBILITIES OF CITY STAFF

A) RESPONSIBILITY OF CIO AND ISM

The CIO, acting by the ISM, will establish an information security management framework to initiate and coordinate the implementation of information security measures by the City’s government. The City’s employees, in particular, software application users and database users, and, indirectly, third party contractors under contract to the City to provide services, shall be guided by this Policy in the performance of their job responsibilities.

The ISM will be responsible for: (a) developing and updating the Policy; (b) enforcing compliance with and the effectiveness of the Policy; (c) the development of privacy standards that will manifest the Policy in detailed, auditable technical requirements, which will be designed and maintained by the persons responsible for the City’s IT environments; (d) assisting the City’s staff in evaluating security and privacy incidents that arise in regard to potential violations of the Policy; (e) reviewing and approving department-specific policies and procedures which fall under the purview of this Policy; and (f) reviewing Non-Disclosure Agreements (NDAs) signed by third party contractors, which will provide services, including, without limitation, local or ‘cloud-based’ software services to the City.
B) RESPONSIBILITY OF INFORMATION SECURITY STEERING COMMITTEE

The Information Security Steering Committee (the “ISSC”), which is comprised of the City’s employees, drawn from the various City departments, will provide the primary direction, prioritization and approval for all information security efforts, including key information security and privacy risks, programs, initiatives and activities. The ISSC will provide input to the information security and privacy strategic planning processes to ensure that information security risks are adequately considered, assessed and addressed at the appropriate City department level.

C) RESPONSIBILITY OF USERS

All authorized users of the Information will be responsible for complying with information privacy processes and technologies within the scope of responsibility of each user.

D) RESPONSIBILITY OF INFORMATION TECHNOLOGY (IT) MANAGERS

The City’s IT Managers, who are responsible for internal, external, direct and indirect connections to the City’s networks, will be responsible for configuring, maintaining and securing the City’s IT networks in compliance with the City’s information security and privacy policies. They are also responsible for timely internal reporting of events that may have compromised network, system or data security.

E) RESPONSIBILITY OF AUTHORIZATION COORDINATION

The ISM will ensure that the City’s employees secure the execution of Non-Disclosure Agreements (NDA), whenever access to the Information will be granted to third party contractors, in conjunction with the Software as a Service (SaaS) Security and Privacy Terms and Conditions. An NDA must be executed prior to the sharing of the Information of persons covered by this Policy with third party contractors.

The City’s approach to managing information security and its implementation (i.e. objectives, policies, processes, and procedures for information security) will be reviewed independently by the ISM at planned intervals, or whenever significant changes to security implementation have occurred.

The CIO, acting by the ISM, will review and recommend changes to the Policy annually, or as appropriate, commencing from the date of its adoption.

3. PRIVACY POLICY

A) OVERVIEW

The Policy applies to activities that involve the use of the City’s information assets, namely, the Information of persons doing business with the City or receiving services from the City, which are owned by, or entrusted to, the City and will be made available to the City’s employees and third party contractors under contract to the City to provide Software as a Service consulting services. These activities include, without limitation, accessing the Internet, using e-mail, accessing the City’s intranet or other networks, systems, or devices.

The term “information assets” also includes the personal information of the City’s employees and any other related organizations while those assets are under the City’s control. Security measures will be designed, implemented, and maintained to ensure that only authorized persons will enjoy access to the information assets. The City’s staff will act to protect its information assets from theft, damage, loss, compromise, and inappropriate disclosure or alteration.

The City will plan, design, implement and maintain information management systems, networks and processes in order to assure the appropriate confidentiality, integrity, and availability of its information assets to the City’s employees and authorized third parties.
B) PERSONAL INFORMATION AND CHOICE

Except as permitted or provided by applicable laws, the City will not share the Information of any person doing business with the City, or receiving services from the City, in violation of this Policy, unless that person has consented to the City’s sharing of such information during the conduct of the City’s business as a local government agency with third parties under contract to the City to provide services.

C) METHODS OF COLLECTION OF PERSONAL INFORMATION

The City may gather the Information from a variety of sources and resources, provided that the collection of such information is both necessary and appropriate in order for the City to conduct business as a local government agency in its governmental and proprietary capacities. That information may be gathered at service windows and contact centers as well as at web sites, by mobile applications, and with other technologies, wherever the City may interact with persons who need to share such information in order to secure the City’s services.

The City’s staff will inform the persons whose Information is covered by this Policy that the City’s web site may use “cookies” to customize the browsing experience with the City of Palo Alto web site. The City will note that a cookie contains unique information that a web site can use to track, among others, the Internet Protocol address of the computer used to access the City’s web sites, the identification of the browser software and operating systems used, the date and time a user accessed the site, and the Internet address of the website from which the user linked to the City’s web sites. Cookies created on the user’s computer by using the City’s web site do not contain the Information, and thus do not compromise the user’s privacy or security.
Users can refuse the cookies or delete the cookie files from their computers by using any of the widely available methods. If the user chooses not to accept a cookie on his or her computer, it will not prevent or prohibit the user from gaining access to or using the City’s sites.

D) UTILITIES SERVICE

In the provision of utility services to persons located within Palo Alto, the City of Palo Alto Utilities Department (“CPAU”) will collect the Information in order to initiate and manage utility services to customers. To the extent the management of that information is not specifically addressed in the Utilities Rules and Regulations or other ordinances, rules, regulations or procedures, this Policy will apply; provided, however, any such Rules and Regulations must conform to this Policy, unless otherwise directed or approved by the Council. This includes the sharing of CPAU-collected Information with other City departments except as may be required by law.

Businesses and residents with standard utility meters and/or having non-metered monthly services will have secure access through a CPAU website to their Information, including, without limitation, their monthly utility usage and billing data. In addition to their regular monthly utilities billing, businesses and residents with non-standard or experimental electric, water or natural gas meters may have their usage and/or billing data provided to them through non-City electronic portals at different intervals than with the standard monthly billing.

Businesses and residents with such non-standard or experimental metering will have their Information covered by the same privacy protections and personal information exchange rules applicable to Information under applicable federal and California laws.
E) PUBLIC DISCLOSURE

The Information that is collected by the City in the ordinary course and scope of conducting its business could be incorporated in a public record that may be subject to inspection and copying by the public, unless such information is exempt from disclosure to the public by California law.

F) ACCESS TO PERSONAL INFORMATION

The City will take reasonable steps to verify a person’s identity before the City will grant anyone online access to that person’s Information. Each City department that collects Information will afford access to affected persons who can review and update that information at reasonable times.

G) SECURITY, CONFIDENTIALITY AND NON-DISCLOSURE

Except as otherwise provided by applicable law or this Policy, the City will treat the Information of persons covered by this Policy as confidential and will not disclose it, or permit it to be disclosed, to third parties without the express written consent of the person affected. The City will develop and maintain reasonable controls that are designed to protect the confidentiality and security of the Information of persons covered by this Policy.

The City may authorize the City’s employees and/or third party contractors to access and/or use the Information of persons who do business with the City or receive services from the City. In those instances, the City will require the City’s employees and/or the third party contractors to agree to use such Information only in furtherance of City-related business and in accordance with the Policy.

If the City becomes aware of a breach, or has reasonable grounds to believe that a security breach has occurred, with respect to the Information of a person, the City will notify the affected person of such breach in accordance with applicable laws.
The notice of breach will include the date(s) or estimated date(s) of the known or suspected breach, the nature of the Information that is the subject of the breach, and the proposed action to be taken or the responsive action taken by the City.

H) DATA RETENTION / INFORMATION RETENTION

The City will store and secure all Information for a period of time as may be required by law, or if no period is established by law, for seven (7) years, and thereafter such information will be scheduled for destruction.

I) SOFTWARE AS A SERVICE (SAAS) OVERSIGHT

The City may engage third party contractors and vendors to provide software application and database services, commonly known as Software-as-a-Service (SaaS).

In order to assure the privacy and security of the Information of those who do business with the City and those who received services from the City, as a condition of selling goods and/or services to the City, the SaaS services provider and its subcontractors, if any, including any IT infrastructure services provider, shall design, install, provide, and maintain a secure IT environment, while it performs such services and/or furnishes goods to the City, to the extent any scope of work or services implicates the confidentiality and privacy of the Information.

These requirements include information security directives pertaining to: (a) the IT infrastructure, by which the services are provided to the City, including connection to the City's IT systems; (b) the SaaS services provider’s operations and maintenance processes needed to support the IT environment, including disaster recovery and business continuity planning; and (c) the IT infrastructure performance monitoring services to ensure a secure and reliable environment and service availability to the City. The term “IT infrastructure” refers to the integrated framework, including, without limitation, data centers, computers, and database management devices, upon which digital networks operate.
Prior to entering into an agreement to provide services to the City, the City’s staff will require the SaaS services provider to complete and submit an Information Security and Privacy Questionnaire. In the event that the SaaS services provider reasonably determines that it cannot fulfill the information security requirements during the course of providing services, the City will require the SaaS services provider to promptly inform the ISM.

J) FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003

CPAU will require utility customers to provide their Information in order for the City to initiate and manage utility services to them.

Federal regulations, implementing the Fair and Accurate Credit Transactions Act of 2003 (Public Law 108-159), including the Red Flag Rules, require that CPAU, as a “covered financial institution or creditor” which provides services in advance of payment and which can affect consumer credit, develop and implement procedures for an identity theft program for new and existing accounts to detect, prevent, respond and mitigate potential identity theft of its customers’ Information.

CPAU procedures for potential identity theft will be reviewed independently by the ISM annually or whenever significant changes to security implementation have occurred. The ISM will recommend changes to CPAU identity theft procedures, or as appropriate, so as to conform to this Policy.

There are California laws which are applicable to identity theft; they are set forth in California Civil Code § 1798.92.

4. CONTACTS

Information Security Manager: Patel, Raj <Raj.Patel@CityofPaloAlto.org>
Chief Information Officer: Reichental, Jonathan <Jonathan.Reichental@CityofPaloAlto.org>
Utilities Department: Auzenne, Tom <Tom.Auzenne@CityofPaloAlto.org>
City Attorney’s Office: Yang, Albert <Albert.Yang@CityofPaloAlto.org>

City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 1 of 15 Version 2.0 22 June 2016

Vendor Information Security Assessment (VISA) Questionnaire

Purpose: This Vendor Information Security Assessment (VISA) Questionnaire requests information concerning a Cloud Service Provider (the Vendor), which intends to provide to the City of Palo Alto (the City) any or all of the following services: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a Service (IaaS).

Note/Instructions:
- SaaS, PaaS and IaaS are each a ‘cloud’ servicing model, in which software and database applications, computer network infrastructure and/or computer hardware/software platforms is/are hosted by the Vendor and made available to customers interconnected in a network, typically the Internet.
- This Questionnaire is for the sole use of the intended Vendor and may contain confidential information of individuals and businesses collected, stored, and used by the City. Any unauthorized collection, storage, use, review or distribution may be prohibited by California and/or Federal laws. If you are not the intended recipient of this Questionnaire, please contact the sender by e-mail and destroy all copies of the Questionnaire.
- The Vendor shall provide answers to the questions or information to the requests provided below.
- In the event that the Vendor determines that it cannot meet the City’s security and/or privacy requirements, the Vendor may submit a request for an exception to the City’s requirements and propose alternative countermeasures to address the risks addressed in this Questionnaire.
The City’s Information Security Manager (ISM) may approve or reject the exception request, depending on the risks associated with the exception request.  Security Exception Request shall be submitted if you cannot comply with this policy/requirements  Upon receipt of the Vendor’s response, the ISM will conduct a security risk assessment, using the following scoring methodology: A = Meets completely. B = Partially meets. The Vendor may be required to provide additional requested information. C = Doesn’t meet. The Vendor may be required to provide missing/additional detail. Vendor Information: Vendor Organization Name ARC Document Solutions Address 1981 N Broadway #385, Walnut Creek, CA 94596 Information Security Contact Person Name Demetrius Wallace Email networkteam@e-arc.com Phone 510.403.2422 Date this Questionnaire Completed May 18, 2015 City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 2 of 15 Version 2.0 22 June 2016 1.0 BUSINESS PROCESS AND DATA EXCHANGE REQUIREMENTS # Question Response from the Vendor Score Additional Information/Clarification Required from the Vendor 1.1 Please provide a detailed description of the Vendor’s business process that will be offered to the City, as this relates to the proposed requirements of the City’s RFP or other business requirements The Business process is a SaaS application Called PlanWell AIM which provides the City to upload/scan documents for storage/archiving purposes 1.2 Has the Vendor adopted and implemented information security and privacy policies that are documented and conform to ISO 27001/2 – Information Security Management Systems (ISMS) Standards or NIST 800-53 (National Institute of Standards – NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations) Yes- See attached 1.3 What data exchange will occur between the City and the Vendor? 
What data will be stored at the Vendor’s or other third party’s data storage location? (Provide data attributes with examples of the data to be stored) Documents uploaded by the City. User accounts and email addresses only City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 3 of 15 Version 2.0 22 June 2016 Example: Payment Card Information, Social Security Number, Driving License number Patrons Name, Address, Telephone etc.), which are examples of personal information, the privacy of which are protected by California constitutional and statutory law. 1.4 In the event that the Vendor is required to store Private Information (PI), Personally Identifiable Information (PII), and Sensitive Information (SI) about individuals/organizations with the service provider’s business systems, how does the Vendor maintain the confidentiality of the information in accordance with applicable federal, state and local data and information privacy laws, rules and regulations? [(The City of Palo Alto (the “City”) strives to promote and sustain a superior quality of life for persons in Palo Alto. In promoting the quality of life of these persons, it is the policy of the City, consistent with the provisions of the California Public Records Act, California Government Code §§ 6250 – 6270, to take appropriate measures to safeguard the security and privacy of the personal (including, without limitation, financial) information of persons, collected in the ordinary course and scope of conducting the City’s business as a local government agency. These Application stores data in encrypted folder only accessible by the city. 
City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 4 of 15 Version 2.0 22 June 2016 measures are generally observed by federal, state and local authorities and reflected in federal and California laws, the City’s rules and regulations, and industry best practices, including, without limitation, the provisions of California Civil Code §§ 1798.3(a), 1798.24, 1798.79.8(b), 1798.80(e), 1798.81.5, 1798.82(e), 1798.83(e)(7), and 1798.92(c)]. 1.5 What mechanism and/or what types of tool(s) will be used to exchange data between the City and The Vendor? Example: (VPN, Data Link, Frame Relay, HTTP, HTTPS, FTP, FTPS, etc.) HTTPS 1.6 What types of data storage (work in progress storage and backup storage) are present or will be required at the Vendor’s site? Example: (PCI Credit Card Info, SSN, DLN, Patrons Name, Address, telephone etc.) None 1.7 Is e-mail integration required between the City and the Vendor? Example: The provision of services may require the City to provide the Vendor with an e-mail account on the City’s e–mail server. NO 1.8 Has the Vendor ever been subjected to either an electronic or physical security breach? Please describe the event(s) and the steps NO City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 5 of 15 Version 2.0 22 June 2016 taken to mitigate the breach(es). What damages or exposure resulted? Are records of breaches and issues maintained and will these records be available for inspection by the City? 1.9 Does the Vendor maintain formal security policies and procedures to comply with applicable statutory or industry practice requirements/standards? Are records maintained to demonstrate compliance or certification? Does the Vendor allow client audit of these records? Note: Please submit supporting documentation. Yes, See attached 2.0 What are the internet and the browser security configurations for the cloud application? 
What security standards and requirements does the Vendor maintain to ensure application security at the user interface? (A set of detailed documentation should be provided to support the compliance). SSL Certificates 2.0 APPLICATION/SOLUTION CONFIGURATION # Question Response from The Vendor Score Additional Information/Clafication Required from The Vendor City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 6 of 15 Version 2.0 22 June 2016 2.1 What is the name of the application(s) that the Vendor will be hosting in order to provide services to the City? (List all) AIM 2.2 What functionality will be provided to the City’s employees or the City’s customers or other recipient of City services through the application? Document Archiving 2.3 Will the Vendor use a subcontractor and/or a third party service provider? (List all). If yes, then what data privacy and information security agreements are in place between the Vendor and any subcontractor/third party to ensure appropriate and accountable treatment of information? Note the City requires that the Vendor and each subcontractor and/or third party formally acknowledge that will comply with the City’s Information  Privacy Policy and SaaS Security  and Privacy Terms and  Conditions NO 2.4 What is the Vendor's application(s) hosting hardware and software platform? Provide a detailed description, including security patches or security applications in use. Example: Windows or Unix Operating System (OS) and other detail. Amazon VPC/EC2 Cloud Infrastructure City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 7 of 15 Version 2.0 22 June 2016 2.5 How does the Vendor’s application and database architecture to manage or promote segregation of the City's data (related to its function as a local government agency) from the data of individuals providing services to or receiving services from the City? 
City would designate those with the ability to access City Data. 2.6 Describe the Vendor’s server and network infrastructure. Please provide server and network infrastructure deployment topology, including data flow architecture, including but not limited to security management applications, firewalls, etc. See Atttached 2.7 Please provide a detail proposed solution that will be developed as a part of the Vendor’s implementation to support this project. (For example detailed solution architecture, secured data flow to support business processes, etc.). Sales to complete 3.0 DATA PROTECTION #Question Response from the Vendor Score Additional Information/Clafication Required the Vendor City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 8 of 15 Version 2.0 22 June 2016 3.1 What will be the medium of data exchange between the City and Vendor? Internet, unless otherwise defined 3.2 .How will the data be kept secure during the data exchange process? Example: (VPN, Data Link, Frame Relay, HTTP, HTTPS, FTP, FTPS, etc.) HTTPS 3.3 How will the City’s data be kept physically and logically secure at the Vendor’s preferred storage location? Example: Locked storage, Digitally, Encrypted etc. Amazon Clould Service servers are kept in Locked Storage. 3.4 What application level protections are in place to prevent the Vendor’s or a subcontractor/third party’s staff member from viewing unauthorized confidential information? For example, encryption, masking, etc. File level encryption 3.5 What controls does the Vendor exercise over the qualification and performance of its team? Of their subcontractor/third party’s team(s)? (For example, criminal background verification prior to employment, providing security training after employment and managing Role Based Access Control (RBAC) during employment and network and application access termination upon employment termination. 
ARC maintains segregation of duties for all employee with access to Amazon Cloud Services City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 9 of 15 Version 2.0 22 June 2016 4.0 DATA BACK-UP #Question Response Score COPA’s Security Assessment 4.1 What are the Vendor’s method(s) used to keep data secured during the data backup process? Data is broken into multiple parts, which are stored at multiple locations. 4.2 . Is the Vendor’s encryption technology used to encrypt whole or selective data? Whole encryption is used 4.3 What types of storage media will the Vendor use for data backup purposes? For example, Tape, Hard Disk Drive or any other devices. Hard Disk at Amazon S3 Storage location no tape media is used. 4.4 Are the Vendor’s backup storage devices encrypted? If ‘yes,’ please provide encryption specification, with type of encryption algorithm and detail process of encryption handling. If ‘no,’ provide a detailed description (with processes, tools and technology) to keep data secured during the back-up process. Not required 5.0 DATA RETENTION City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 10 of 15 Version 2.0 22 June 2016 #Question Response from the Vendor Score Additional Information/Clafication Required from the Vendor 5.1 What is the Vendor’s standard data retention period of the backed up data? The data retention process shall comply with the City’s data 7 (seven) years data retention policy. Note: In the event that the Vendor cannot comply with this requirement then the City’s Project Manager shall approval from the City’s data retention schedule/policy owner. 7 years 5.2 Are the data backup storage media at the Vendor’s location or other third party location? All data is stored at Amazon Cloud Services S3 locations 5.3 If the Vendor’s backup storage devices are stored with another company, please provide: a. Company Name: b. Address: c. 
Contact person detail (Phone and Email): d. What contractual commitments are in place to NA City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 11 of 15 Version 2.0 22 June 2016 guarantee security compliance from these vendors 5.5 What is the media transfer process (I.e. The lock box process used to send tapes off-site)? NA 5.6 Who has access to the data storage media lockbox(es)? (Provide Name and Role) NA 5.7 Who on the Vendor’s staff or subcontractor/third party’s staff is/are authorized to access backup data storage media? (Provide Name and Role) NA 5.8 What is the backup data storage media receipt and release authorization process(es)? (Please submit a soft copy of the process) NA 6.0 ACCOUNT PROVISIONING AND DE-PROVISIONING (The Vendor must receive formal pre-authorization from the City’s Information Security Manager prior to provisioning and de-provisioning of application access account). #Question Response from the Vendor Score Additional Information/Clafication Required from the Vendor 6.1 What is the account provisioning/removal process? Example: how are users accounts created and City would create all accounts on Vendor portal City of Palo Alto Information Security Document Version: v2.3 Form: InfoSec 100 VISA Questionnaire Page 12 of 15 Version 2.0 22 June 2016 managed?) 6.2 .What is the account deprovisioning/removal process? Example: how are users accounts created and managed?) All accounts are created by City administrator 6.3 How will the City’s employees gain access to required application(s)? City administrator would grant access by creating additional accounts and giving those accounts access to City Data. 6.4 Does the application(s) have the capability to restrict access only from the City’s WAN (Wide Area Network)? 
Response: No

7.0 PASSWORD MANAGEMENT
# | Question | Response from the Vendor | Score | Additional Information/Clarification Required from the Vendor
7.1 What will be the policy and/or procedures for the logging, authentication, authorization and password management scheme? (Please provide a soft copy of the process)
Response: City Administrator to set those policies.
7.2 Where will the login and password credentials be stored?
Response: Database server behind firewall.
7.3 Are the password credentials stored with encryption? If ‘yes,’ please provide encryption scheme detail.
Response: Yes,
7.4 The Vendor’s application must comply with the following password requirements. Does the Vendor’s application meet these requirements?
Response: YES
1. First time password must be unique to an individual and require the user to change it upon initial login.
2. If the password is sent via plain text email to the City employee to mitigate security exposure.
3. The City requires first time password to have a time-out capability of no more than 7 days.
4. The e-mail notification must not be copied to anyone except the user.
5. The permanent/long term password must be changed frequently (at least TWICE a year)
6. E-mail notification must be sent to the user whenever the password has been updated.
7. User should not be able to view data or conduct business unless an initial password has been updated with a different password.
8. The Vendor shall inform the City’s users that, when a new password is created, the user shall not use the City’s LDAP (Lightweight Directory Access Control Protocol) password.
9. The password must have 8 or more alphanumeric (/) characters and it must contain at least one character from each of the bullets noted below (i.e.
Each line shall contribute at least one character):
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
!@#$%^&*()-+=`~,></\"'?;:{[}]

--- End Of Document ---

ARC Computer & Network Policies, Procedures and Forms
ARC Document Solutions
ARCAD122 – Production System Access Workflow Process Policy Page 1 of 2
CNTL # Revision: 1.0 Prepared by: DJW Effective Date: Approved by: Rahul Roy

ARC Document Solutions Technology Center Production System Access Workflow Process

Policy: Only authorized personnel can access production systems at any time. No unauthorized access is permitted by any ARC Technology Center employees. One exception to this policy is in the case of an emergency. An emergency is when no authorized personnel are available. In such a case a designated employee will be granted limited access to the production system(s).

Definitions:
Access – By access, it is implied that this means logging into any production system and/or making any change to a production system, either locally or remotely.
Authorized Personnel – Authorized personnel are U.S. citizens, ARC Technology Center employees with Domain Admin privileges. The two employees with such privileges have been identified as Goutam Dastider – Director of Information Technology and Demetrius Wallace Sr. – Sr. Network Manager and Director of Technical Services.
Unauthorized Access – Non U.S. residents and any ARC Technology employee who has not been given domain admin privileges.

Process – When an ARC Technology Center employee has determined that production system access is needed to either access data or make a production system change, they must follow the guidelines laid out in this document and the Production System Access Workflow Diagram.
The detail of which is listed below.
Step 1. When any employee determines that there is a need for a production system to be accessed and/or a change needs to be made on a production system, the employee must fill out Form ARCSW108-1 SW Change Request Form.
Step 2. Employee must obtain proper Management signature authorization for production system access or changes.
Step 3. Management will submit the form ARCSW108-1 SW Change Request Form to authorized production system access personnel.
Step 4. Authorized production system access personnel will review the Change Request Form to ensure that the change or access will not cause production system problems and that the proper data security is being maintained.
Step 5. After steps 1 through 4 have been completed, production system authorized personnel will schedule and implement the access or change request.
Note: All of the above steps are to be strictly followed. Failure to abide by this production system access workflow process policy can result in disciplinary action, including termination and can be punishable by law.
Exhibit D

[Production System Access Workflow Diagram: access is needed for a production system; ARC Technology Center employees must submit a Change Request Form for production system access and/or changes and obtain proper Management signature authorization; Management submits the Change Request Form to the authorized production system change personnel (Goutam Dastider / Demetrius Wallace), who review how the change will impact production and implement the production system change request. Production system access is restricted to only authorized personnel.]

ARC Computer & Network Policies, Procedures and Forms
American Reprographic Company
ARCAD107 – Computer and Internet Usage Policy Page 1 of 8
CNTRL # AD107 Revision: 2.0 Prepared by: DJW Effective Date: 10/1/12 Approved by: Rahul Roy

Title: ARCAD107 – COMPUTER AND INTERNET USAGE POLICY

Policy: All employees using the ARC IT network shall adhere to strict guidelines concerning appropriate use of network resources.

Purpose: To delineate policies and procedures for accessing the ARC IT network and/or accessing the Internet through the ARC IT network.

Scope: This policy applies to all personnel with access to Internet and related services through the ARC network infrastructure. Internet Related services include all services provided with the TCP/IP protocol, including but not limited to Electronic Mail (e-mail), File Transfer Protocol (FTP), Gopher, and World Wide Web (WWW) access.

Responsibilities: All ARC personnel are responsible for knowing and adhering to this usage policy. The Sr. Network Manager is responsible for enforcing this policy.
Definitions:
Internet – The international computer network of networks that connect government, academic and business institutions; the Internet (capitalized) refers specifically to the DARPA Internet and the TCP/IP protocols it uses.
Intranet – A private network contained within an enterprise; a network within one organization, using Web technologies to share information internally.

Procedure:

1.0 ACCEPTABLE USE - COMPUTERS AND INTERNET
• Access to the Internet is specifically limited to activities in direct support of official ARC business.
• In addition to access in support of specific work related duties, the ARC Internet connection may be used for educational and research purposes.
• If any user has a question of what constitutes acceptable use he/she should check with their supervisor for additional guidance. Management or supervisory personnel shall consult with the Compliance Officer for clarification of these guidelines.

2.0 INAPPROPRIATE USE - COMPUTERS AND INTERNET
Internet access shall not be for any illegal or unlawful purpose. Examples of this are the transmission of violent, threatening, defrauding, pornographic, obscene, or otherwise illegal or unlawful materials. Use of ARC e-mail or other messaging services shall be used for the conduct of ARC business only. These services shall not be used to harass, intimidate or otherwise annoy another person. The Internet can be reasonably accessed for private, recreational, and non-ARC-related activity. By reasonably, it is communicated that there should not be excessive use in which it affects job performance. Any use deemed excessive by management shall be communicated to affected employees with a warning. If excessive use continues, privileges can be revoked and disciplinary actions will follow.
ARC intranet or Internet connections shall not be used for commercial or political purposes. Employees shall not use ARC network for personal gain such as selling access of ARC user login ID. Internet access through the ARC network shall not be for or by performing unauthorized work for profit. Users shall not attempt to circumvent or subvert security measures on either the ARC network resources or any other system connected to or accessible through the Internet. ARC employees shall not use Internet access for interception of network traffic for any purpose other than engaging in authorized network administration. ARC users shall not make or use illegal copies of copyrighted material, store such material on ARC equipment, or transmit such material over the ARC network.

3.0 INTERNET AND E-MAIL ETIQUETTE
ARC employees shall ensure all communication through ARC e-mail or messaging services is conducted in a professional manner. The use of suggestive, vulgar, or obscene language is prohibited. ARC users shall not reveal private or personal information through e-mail or messaging services without clear and specific written approval from Human Resources. Users should ensure that e-mail messages are sent to only those users with a specific need to know. The transmission of e-mail to large groups, use of e-mail distribution lists, or sending messages with large file attachments (attachments larger than 0.5 Mb) should be avoided. E-mail privacy cannot be guaranteed. For security reasons, messages transmitted through the ARC e-mail system or network infrastructure are the property of the ARC and are, therefore, subject to inspection.
4.0 COMPUTER AND INTERNET USAGE - SECURITY
ARC users who identify or perceive an actual or suspected security problem shall immediately contact the IT Security Manager, in accordance with procedure ARCSD108 – IT INCIDENT HANDLING. Network users shall not reveal their account passwords to others or allow any other person, employee or not, to use their accounts. Similarly, users shall not use other employees’ accounts. Any and all use of IT assets is subject to monitoring by IT Security. Access to network resources shall be revoked for any user identified as a security risk or who has a demonstrated history of security problems.

5.0 COMPUTER AND INTERNET USAGE - PENALTIES
Any user violating these policies or applicable local, state, or federal laws while using the ARC network shall be subject to loss of network privileges and any other disciplinary actions deemed appropriate, possibly including termination and criminal and/or civil prosecution.

Additional Resources: A. None.

References: A.
ISO 17799:2000 STANDARD – INFORMATION TECHNOLOGY CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT, CLAUSE 8.5.1 (NETWORK CONTROLS)
Clause 8.5.1(c) of this Standard states that “(i)f necessary, special controls should be established to safeguard the confidentiality and integrity of data passing over public networks (i.e., the Internet) and to protect the connected systems...special controls may also be required to maintain the availability of the network services and computers connected.”

Revision History:
Revision | Date | Description of changes | Requested By
1.0 | 1/13/06 | Initial Release | DJW
2.0 | 8/21/2012 | Naming convention change from MPT to ARC | Goutam Dastider

ARCAD107-1 ARC COMPUTER AND INTERNET USAGE POLICY
Revision # __________ Date __________________

1.0 ACCEPTABLE USE - COMPUTERS AND INTERNET
Access to the Internet is specifically limited to activities in direct support of official ARC business. In addition to access in support of specific work related duties, the ARC Internet connection may be used for personal, educational and research purposes. If any user has a question of what constitutes acceptable use he/she should check with their supervisor for additional guidance. Management or supervisory personnel shall consult with the Compliance officer for clarification of these guidelines.

2.0 INAPPROPRIATE USE - COMPUTERS AND INTERNET
Internet access shall not be for any illegal or unlawful purpose. Examples of this are the transmission of violent, threatening, defrauding, pornographic, obscene, or otherwise illegal or unlawful materials. Use of ARC e-mail or other messaging services shall be used for the conduct of ARC business only.
These services shall not be used to harass, intimidate or otherwise annoy another person. The Internet can be reasonably accessed for private, recreational, and non-ARC-related activity. By reasonably, it is communicated that there should not be excessive use in which it affects job performance. Any use deemed excessive by management shall be communicated to affected employees with a warning. If excessive use continues, privileges can be revoked and disciplinary actions will follow. The ARC intranet or Internet connections shall not be used for commercial or political purposes. Employees shall not use ARC network for personal gain such as selling access of an ARC user login ID. Internet access through the ARC network shall not be for or by performing unauthorized work for profit. Users shall not attempt to circumvent or subvert security measures on either the ARC network resources or any other system connected to or accessible through the Internet. ARC employees shall not use Internet access for interception of network traffic for any purpose other than engaging in authorized network administration. ARC users shall not make or use illegal copies of copyrighted material, store such material on ARC equipment, or transmit such material over the ARC network.

3.0 INTERNET AND E-MAIL ETIQUETTE
ARC employees shall ensure all communication through ARC e-mail or messaging services is conducted in a professional manner. The use of suggestive, vulgar, or obscene language is prohibited. ARC users shall not reveal private or personal information through e-mail or messaging services without clear and specific written approval from Human Resources. Users should ensure that e-mail messages are sent to only those users with a specific need to know.
The transmission of e-mail to large groups, use of e-mail distribution lists, or sending messages with large file attachments (attachments larger than 0.5 Mb) should be avoided. E-mail privacy cannot be guaranteed. For security reasons, messages transmitted through the ARC e-mail system or network infrastructure are the property of the ARC and are, therefore, subject to inspection.

4.0 COMPUTER AND INTERNET USAGE - SECURITY
ARC users who identify or perceive an actual or suspected security problem shall immediately contact the Compliance Officer, in accordance with procedure ARCSD108 – IT INCIDENT HANDLING. Network users shall not reveal their account passwords to others or allow any other person, employee or not, to use their accounts. Similarly, users shall not use other employees’ accounts. Any and all use of IT assets is subject to monitoring by IT Security. Access to ARC network resources shall be revoked for any user identified as a security risk or who has a demonstrated history of security problems.

5.0 COMPUTER AND INTERNET USAGE - PENALTIES
Any user violating these policies or applicable local, state, or federal laws while using the ARC network shall be subject to loss of network privileges and any other disciplinary actions deemed appropriate, possibly including termination and criminal and/or civil prosecution.

6.0 COMPUTER AND INTERNET USAGE - CONCLUSION
All terms and conditions as stated in this document are applicable to all users of the ARC network and the Internet. These reflect an agreement of all parties and should be governed and interpreted in accordance with the laws of the State of <State>.

7.0 USER COMPLIANCE
I understand and will abide by the ARC computer, network, and Internet use policies.
I further understand that any violation of this policy is considered unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked and disciplinary action and/or appropriate legal actions may be taken.

User Signature ________________________________ Date ____________

ARC Computer & Network Policies, Procedures and Forms
ARC Document Solutions
ARCAD113 – Mobile Assets Usage Policy Page 1 of 6
Revision: 1.0 Prepared by: D. J. Wallace Effective Date: 10/30/06 Approved by: Rahul Roy

Title: ARCAD113 – MOBILE ASSETS USAGE POLICY

Policy: All employees using the ARC mobile assets shall adhere to strict guidelines concerning appropriate use of mobile assets.

Purpose: To delineate policies and procedures for the use of ARC mobile assets.

Scope: This policy applies to all personnel who have been issued or given a company cell phone and/or laptop or other company issued mobile device.

Responsibilities: All ARC personnel are responsible for knowing and adhering to this usage policy. The Sr. Network Manager is responsible for enforcing this policy.

Definitions: Mobile Asset – This describes company issued cell phones, laptops etc.

Procedure:

1.0 ACCEPTABLE USE – MOBILE ASSETS
The use of ARC mobile assets is specifically limited to activities in direct support of official ARC business. In addition to access in support of specific work related duties, the ARC mobile assets may be used for educational and research purposes. If any user has a question of what constitutes acceptable use he/she should check with their supervisor for additional guidance. Management or supervisory personnel shall consult with the Compliance Officer for clarification of these guidelines.
2.0 INAPPROPRIATE USE - MOBILE ASSETS
Mobile assets shall not be used for any illegal or unlawful purpose. Examples of this are the transmission of violent, threatening, defrauding, pornographic, obscene, or otherwise illegal or unlawful materials. Users are to know that company issued mobile assets are a privilege. Users found abusing privileges of mobile assets shall have their privileges revoked. Employees shall not use ARC mobile assets for personal gain such as selling access of an ARC user login ID. Assets shall not be used for internet access through the ARC network for or by performing unauthorized work for profit. Damage to company issued mobile assets shall be assessed by user manager. If damages are determined to be caused by the user, the user will be responsible for the damages. Responsible means that users can be held accountable for the repair cost of ARC mobile assets.

3.0 MOBILE ASSETS ETIQUETTE
ARC employees shall ensure every effort is made to protect ARC assets from damage. Cell phones shall be protected by carrying case. Laptop bags should be used to transport laptops from one location to another.

4.0 MOBILE ASSETS USAGE - SECURITY
ARC users who identify or perceive an actual or suspected security problem shall immediately contact the IT Security Manager, in accordance with procedure ARCSD108 – IT INCIDENT HANDLING. Cell phones and laptops shall not be left unprotected. Cell phones should not be left lying around, as this presents the opportunity for theft. Laptops shall not be left unattended in a public place. Laptops should be stored in the trunk of vehicles, not in plain visibility within the car, as this presents the opportunity for theft. Access to mobile assets shall be revoked for any user identified as a security risk or who has a demonstrated history of security problems.
5.0 MOBILE ASSETS USAGE - PENALTIES
Any user violating these policies or applicable local, state, or federal laws while using the ARC mobile assets shall be subject to loss of mobile asset privileges and any other disciplinary actions deemed appropriate, possibly including termination and criminal and/or civil prosecution.

Additional Resources: A. None.

References: A. ISO 17799:2000 STANDARD – INFORMATION TECHNOLOGY CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT, CLAUSE 8.5.1 (NETWORK CONTROLS)
Clause 8.5.1(c) of this Standard states that “(i)f necessary, special controls should be established to safeguard the confidentiality and integrity of data passing over public networks (i.e., the Internet) and to protect the connected systems...special controls may also be required to maintain the availability of the network services and computers connected.”

Revision History:
Revision | Date | Description of changes | Requested By
1.0 | 10/30/06 | Initial Release | DJW
1.1 | 9/23/14 | Naming Change from MTP ARC | DJW

ARCAD113-1 ARC MOBILE ASSETS USAGE POLICY ACKNOWLEDGEMENT
Revision # __________ Date __________________

1.0 ACCEPTABLE USE – MOBILE ASSETS
• The use of ARC mobile assets is specifically limited to activities in direct support of official ARC business.
• In addition to access in support of specific work related duties, the ARC mobile assets may be used for educational and research purposes.
• If any user has a question of what constitutes acceptable use he/she should check with their supervisor for additional guidance. Management or supervisory personnel shall consult with the Compliance Officer for clarification of these guidelines.
2.0 INAPPROPRIATE USE - MOBILE ASSETS
• Mobile assets shall not be used for any illegal or unlawful purpose. Examples of this are the transmission of violent, threatening, defrauding, pornographic, obscene, or otherwise illegal or unlawful materials.
• Users are to know that company issued mobile assets are a privilege.
• Users found abusing privileges of mobile assets shall have their privileges revoked.
• Employees shall not use ARC mobile assets for personal gain such as selling access of an ARC user login ID. Assets shall not be used for internet access through the ARC network for or by performing unauthorized work for profit.
• Damage to company issued mobile assets shall be assessed by user manager. If damages are determined to be caused by the user, the user will be responsible for the damages.
• Responsible means that users can be held accountable for the repair cost of ARC mobile assets.

3.0 MOBILE ASSETS ETIQUETTE
• ARC employees shall ensure every effort is made to protect ARC assets from damage.
• Cell phones shall be protected by carrying case. Laptop bags should be used to transport laptops from one location to another.

4.0 MOBILE ASSETS USAGE - SECURITY
• ARC users who identify or perceive an actual or suspected security problem shall immediately contact the IT Security Manager, in accordance with procedure ARCSD108 – IT INCIDENT HANDLING.
• Cell phones and laptops shall not be left unprotected. Cell phones should not be left lying around, as this presents the opportunity for theft.
• Laptops shall not be left unattended in a public place. Laptops should be stored in the trunk of vehicles, not in plain visibility within the car, as this presents the opportunity for theft.
• Access to mobile assets shall be revoked for any user identified as a security risk or who has a demonstrated history of security problems.
5.0 MOBILE ASSETS USAGE - PENALTIES
Any user violating these policies or applicable local, state, or federal laws while using the ARC mobile assets shall be subject to loss of mobile asset privileges and any other disciplinary actions deemed appropriate, possibly including termination and criminal and/or civil prosecution.

6.0 MOBILE ASSETS USAGE - CONCLUSION
All terms and conditions as stated in this document are applicable to all ARC employees. These reflect an agreement of all parties and should be governed and interpreted in accordance with the laws of the State of California.

7.0 USER COMPLIANCE
I understand and will abide by the ARC mobile assets use policies. I further understand that any violation of this policy is considered unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked and disciplinary action and/or appropriate legal actions may be taken.

User Signature ________________________________ Date ____________
Print Name ___________________________________

ARC Computer & Network Policies, Procedures and Forms
American Reprographic Company
ARCAD106 – Network Infrastructure Standards Page 1 of 12
CTRL # AD106 Revision: 2.0 Prepared by: DJW Effective Date: 10/1/12 Approved by: Rahul Roy

Title: ARCAD106 – NETWORK INFRASTRUCTURE STANDARDS

Policy: To ensure maximum safety, capacity and efficiency, the ARC network infrastructure shall be engineered and installed in accordance with appropriate industry standards and state and local building and electrical codes.

Purpose: To delineate specific standards regarding the installation of network infrastructure including cabling and equipment.
Scope: This standard applies to all ARC Wide Area Networks (WAN) and Local Area Networks (LAN) and all infrastructure support devices attached to those networks.

Responsibilities:
The Director of Information Technology is responsible for the design, installation, and management of the ARC network infrastructure. The Director of Information Technology will be responsible for the coordination of all aspects of the cable plant installation. In addition, the Director of Information Technology will be the approval authority for the coordination of any additional adds, moves, or changes to the ARC network infrastructure.
IT Network Team is responsible for the installation and operation of the LAN and WAN equipment and software installed within their LAN. The IT Network Team will coordinate with the Director of Information Technology for all issues related to corporate WAN Links or other Telecommunications equipment such as telephones and associated systems. The IT Network Team will coordinate all additions, moves, or other changes with the Director of Information Technology.
The Director of Information Technology is responsible for the installation of TCP/IP and operation of all ARC WAN circuits and associated support equipment. The Director of Information Technology will provide direction to the IT Network Team regarding the operation, configuration and troubleshooting of all WAN equipment. In addition, the Director of Information Technology will be responsible for the installation, operation and troubleshooting of all ARC voice, fax and video communications systems.
IT Network Team staff members are responsible for installing and maintaining network infrastructure in accordance with Network Infrastructure standards.

Definitions: None.
Procedure:

1.0 NETWORK INFRASTRUCTURE STANDARDS DEVELOPMENT
1.1 All ARC network infrastructure standards shall conform to IEEE 802 standards, wherever applicable.
1.2 The Director of Information Technology communicates the need for network infrastructure standards to the Chief Technology Officer. They review the proposed standards with respect to:
• ITAD101-1 – INFORMATION TECHNOLOGY PLAN;
• Industry standards, best practices, and benchmarks; and
• Applicable federal, state, and local regulations.
1.3 Once the need for standards has been recognized and formally agreed on, the Director of Information Technology shall define the general content and scope of the future standards and present them to the Chief Technology Officer.
1.4 Once agreement has been reached on the basic standard, the Director of Information Technology shall develop detailed standards specifications and present these to the Chief Technology Officer.
1.5 When agreement on the detailed standards has been reached, the Chief Technology Officer shall present the standards to Top Management for approval.

2.0 NETWORK INFRASTRUCTURE STANDARDS IMPLEMENTATION
2.1 Once approved by the Chief Technology Officer, network infrastructure standards shall be communicated by the Director of Information Technology to IT Network Team.
2.2 The Sr. Network Manager shall have primary responsibility for maintaining ARCAD106-2 – NETWORK INFRASTRUCTURE STANDARDS LIST.

3.0 NETWORK INFRASTRUCTURE STANDARDS REVIEW
3.1 At regular intervals (annually, at a minimum), the Sr. Network Manager shall review the current set of ARC network infrastructure standards with the Director of Information Technology to verify that they continue to meet ARC requirements. The Sr.
Network Manager should review ARCTS102-4 – TECH SUPPORT LOG to determine if there are patterns or trends of IT-related trouble that indicate outdated or incomplete standards.
3.2 If the Sr. Network Manager determines that infrastructure standards require updating, he shall meet with the Chief Technology Officer to discuss review findings and required updates and determine to what extent ARCAD101-1 – INFORMATION TECHNOLOGY PLAN may be impacted.
• If ARCAD101-1 may be impacted by a change in standards, this issue shall be included in the next Technology Plan review, in accordance with procedure ARCAD101 – INFORMATION TECHNOLOGY PLAN.

Additional Resources: None.

References: A. INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE) STANDARD 802 – STANDARD FOR LOCAL AND METROPOLITAN AREA NETWORKS
IEEE 802 is a family of standards that pertains to local area and metropolitan area networks; specifically, networks carrying variable-size packets. Services and protocols specified in these standards map to the lower two layers (Data Link and Physical) of the seven-layer OSI networking reference model. IEEE 802 subdivides the OSI Data Link Layer into sub-layers named Logical link control (LLC) and Media Access Control. The IEEE 802 family of standards is maintained by the IEEE 802 LAN/MAN Standards Committee (LMSC).
Revision History:

Revision   Date        Description of changes                      Requested By
1.0        12/5/2007   Initial Release                             DJW
2.0        8/21/12     Naming convention change from MPT to ARC    Goutam Dastider

ARCAD106-1 – NETWORK INFRASTRUCTURE STANDARDS LIST

1.0 CABLE PLANT STANDARDS

The ARC network infrastructure is vital to ARC business operations. The following paragraphs detail the basic mandatory installation procedures that are intended to assure a high quality, dependable network cable plant infrastructure. The ARC network infrastructure includes all local and wide area networks (LAN/WAN) and all associated equipment and software required for their continued operation and management.

LAN infrastructure is composed of a Main Distribution Frame/Closet (MDF) and a Data Center. In some smaller locations the MDF and Data Center are co-located or there may be no MDF required. Infrastructure connecting the MDF to the Data Center locations will be regarded as part of the network backbone. The backbone is the main portion of the network and serves to distribute communication across the corporate infrastructure. The cable infrastructure from the Data Center to individual network hosts, including user workstations, is referred to as the horizontal cable plant. Each portion of the cable plant has specific standards that must be followed to ensure reliable communication.

All installations shall be recorded on ARCAD106-3 – NETWORK INSTALLATION CHECKLIST AND BILL OF MATERIALS and copies shall be forwarded to the Sr. Network Manager and IT Asset Manager. The Sr. Network Manager shall maintain a repository of such records, in accordance with ARCSD104 – IT DISASTER RECOVERY.
The IT Asset Manager shall maintain this record in accordance with ARCAM102 – IT ASSET MANAGEMENT.

2.0 HORIZONTAL CABLE PLANT

The horizontal cable plant consists of all equipment and cabling found from the Data Center to the network interface on a given network host.

3.0 TELECOMMUNICATIONS RACK

All equipment in the Data Center shall be properly installed in an industry standard communications rack or enclosure. Equipment that cannot be directly mounted to the rack shall be installed on a rack-mounted shelf. Equipment shelves shall not be excessively loaded. Equipment shall not be double stacked on equipment shelves.

The rack or enclosure shall be installed in a space or location that is not in the immediate vicinity of hot water heaters, hazardous equipment or material, or equipment that could cause power fluctuations or electromagnetic interference (EMI), including heating and air-conditioning equipment, power transformers or distribution equipment.

The telecommunications closet or enclosure shall remain locked at all times. Only personnel from the IT Network Team are authorized to have access to these spaces.

All cabling in the MDF will be dressed neatly with appropriate wire management (cable ties/wraps), as necessary, to protect and aesthetically manage the physical cabling.

a. Dedicated Communications Closet
For installation locations with a large dedicated communications closet, the IDF shall be installed in an open Aluminum 19” telecommunications rack of at least seven (7) feet in height. The rack shall be solidly bolted to the floor with not less than four bolts. The rack shall be anchored sufficiently to comply with all local earthquake standards or other applicable building codes. The rack shall be fitted with a horizontal and vertical wire management system.

b. Small Telecommunications Closet
A wall mounted 19-inch telecommunications rack shall be used for locations with small telecommunications closets that preclude the installation of a traditional 19-inch rack. To support the installation of telecommunications equipment, a piece of industrial plywood shall be anchored to the wall of the closet. This plywood shall be not less than 0.75 inch in thickness and not less than 4 feet by 4 feet. The wall-mounted rack shall be solidly anchored to the plywood.

c. No Telecommunications Closet
For locations without a suitable telecommunications closet, the IDF equipment shall be installed in an enclosed lockable Telecommunications Cabinet (freestanding or wall mounted as appropriate). The IT Network Team shall control the keys and access to this cabinet.

4.0 POWER

The Data Center shall provide sufficient electrical power for all installed equipment. The available electrical load shall not be less than 150% of the required current for all installed equipment. The UPS racks or enclosures shall be electrically grounded in accordance with all applicable government (local, state and federal) laws. Each rack shall be fitted with surge protected electrical power strips. The number of available outlets shall be 125% of the number of outlets required by the installed equipment.

5.0 VENTILATION

Proper environmental controls are important to ensure the proper and continued operation of the ARC network. All ARC Data Center locations shall have sufficient air conditioning to maintain continuous airflow and a temperature between 65 and 75 degrees Fahrenheit.
6.0 CABLE SPECIFICATIONS

6.1 All components proposed for the cable plant installation will meet or exceed all UL and EIA-TIA specifications, and will be installed along industry standard guidelines, within applicable OSHA, city, and federal fire code restrictions.

All ARC cabling shall be installed in accordance with the guidelines contained in ANSI/EIA/TIA-568-1991 Commercial Building Telecommunications Wiring Standard and two associated bulletins:
• Additional Cable Specifications for Unshielded Twisted-Pair Cables, EIA/TIA Technical System Bulletin TSB-36, Nov. 1991 (Transmission Characteristics of Category 3-5 UTP cables)
• Additional Transmission Specifications for UTP Connecting Hardware, EIA/TIA Technical System Bulletin TSB-40A, Dec 1993 (Performance of Connectors and Patch Panels Above 20 MHz)

This standard defines a generic telecommunications wiring system for commercial buildings that will support a multiproduct, multivendor environment. It also provides direction for the design of telecommunications products for commercial enterprises. The purpose of this standard is to enable the planning and installation of building wiring with little knowledge of the telecommunications products that subsequently will be installed. This standard establishes performance and technical criteria for various wiring system configurations for interfacing and connecting their respective elements.

EIA/TIA Category Specification provides for the following cable transmission speeds with specifications. Note: prior to Jan94 UL and Anixter developed a LEVEL system, which has been dropped or harmonized with the CATEGORY system.

Category 1 = No performance criteria
Category 2 = Rated to 1 MHz (used for telephone wiring)
Category 3 = Rated to 16 MHz (used for Ethernet 10Base-T)
Category 4 = Rated to 20 MHz (used for Token-Ring, 10Base-T)
Category 5 = Rated to 100 MHz (used for 100Base-T, 10Base-T)

All ARC copper cabling (network and telephone) shall adhere to the standards for Category 5.
Telephone cabling shall be installed with Category 2.

EIA/TIA 568 specifies two different methods of installing cables. All ARC network cabling shall be installed in accordance with EIA/TIA 568A. EIA/TIA-568 defines 568A pinouts as follows:

Pair   Pin   Wire Color
3      1     White/Green
3      2     Green
2      3     White/Orange
1      4     Blue
1      5     White/Blue
2      6     Orange
4      7     White/Brown
4      8     Brown

6.2 Cable Plant Labeling

Color coded cable plant labels meeting the EIA/TIA 606 standard will be installed on all termination points including patch panels, punch blocks, and wall plates. In addition, color-coded labels shall be installed on each end of all installed cable, approximately 6” from each end.

Cable plant labels will be computer generated and professionally and permanently affixed to each location, all reflecting the unique identification according to a pre-approved project labeling plan.

The color of label used on a cross connect field identifies the field's function. The cabling administration standard (CSA T-528 & EIA-606) lists the colors and functions as:

Blue - Horizontal voice cables
Brown - Interbuilding backbone
Gray - Second-level backbone
Green - Network connections & auxiliary circuits
Orange - Demarcation point, telephone cable from Central Office
Purple - First-level backbone
Red - Key-type telephone systems
Silver or White - Horizontal data cables, computer & PBX equipment
Yellow - Auxiliary, maintenance & security alarms

6.3 General Cable Installation Guidelines

Each network drop location shall contain not less than two network ports and at least one telephone port. Each drop location shall be placed eighteen inches above floor level. Each drop location shall be at least 2 inches away from electrical outlets. Each end of a cable run shall have additional slack or service loop.
There shall be not less than three feet nor more than ten feet of service loop at the Data Center end of the horizontal cable run. There shall be at least 6 inches of service loop at the network node end of the horizontal run.

• All cabling will maintain bend radius, as prescribed by the EIA/TIA 568A standard.
• For locations with hollow gypsum (dry wall) walls, cable shall be routed inside the wall. Cables shall be terminated in a flush mounted wall plate.
• For locations with solid walls, such as concrete block or slab, cable shall be run inside approved wire molding. The color of the molding shall be as consistent as possible with the color of the wall. The wire molding shall be run in such a manner as to be as unobtrusive as possible.
• Cable run within the ceiling shall not be draped over ceiling tiles. All cable run through ceilings shall either utilize cable trays or hooks. The cable run shall be close to the upper limit of the inferior space between the false ceiling and the hard ceiling.

6.4 Vertical/Backbone Cable Plant

• Fiber Optic Cable

Multi-mode (MM) Fiber
Multi-mode fiber used in ARC networks shall have a core diameter of 62.5 microns and cladding of 125 microns. Multi-mode fiber shall be used for backbone cable runs or for local area network connections that require reliable and secure communications at distances less than 2 km.

Single Mode (SM) Fiber
Single mode fiber has a very small core. Typical values are 5-10 microns. Single mode fiber has a much higher capacity and allows longer distances than multi-mode fiber. Single mode fiber has a maximum transmission distance of 40 km. Single mode fiber shall typically be used for campus or wide area networks such as telephone company switch to switch connections and cable TV (CATV).

• Fiber Connectors

There are several different types of fiber connectors.
All fiber connections within the ARC infrastructure shall use the following connector types.

• FSD - Fixed Shroud Duplex. This type of connector shall only be used for FDDI connections.
• SC - SC is the international standard. The SC connectors are recommended in SP-2840A. SC connectors shall be used on all multi-mode data fiber runs.
• ST - Keyed, bayonet-style connector. This type of connector shall be used on all single-mode fiber runs.
• SMA – Shall not be used.
• LC - LC Fiber Connectors shall be used to connect all storage related products including but not limited to the SAN, Tape Library and some servers.

6.5 Cable Plant And Drop Location Numbering Scheme

To facilitate efficient management of the cable plant infrastructure, all cables and drop locations shall be assigned a unique serial number. The serial number shall be constructed of three sets of alpha-numeric characters separated by a dash.

Data Center-Panel-Port

Data Center – The three character identifier for the Data Center location
Panel – A character denoting the specific patch panel
Port – The port number on the patch panel.

7.0 INFRASTRUCTURE TESTING

Proper cable plant testing, certification, and documentation are imperative for the successful operation of existing information systems, as well as the future planning and maintenance of the cable plant expansions.

7.1 Cable Plant Testing

Twisted pair testing and certification will be performed with a cable analyzer to obtain the following information:
* Cable Length
* Connectivity
* Cable Attenuation
* Category 5 Compliance
* NEXT (Near End Cross Talk)
* Ambient Noise Levels

Testing will be performed at 100 MHz ranges. All information derived from the testing procedures will be included as part of an overall documentation.
7.2 Fiber Optic Cable Plant Testing

It will be the responsibility of the cable installer (company or contractor) to assure that the quality and transmission integrity remains intact throughout the installation, from delivery of the fiber to the project site, until the fiber is tested in its completed stage. To provide this assurance, as well as useful comparison documentation, the installer will certify the fiber optic cable in three separate stages.

Pre-Installation Certification – The initial check will test each fiber strand upon delivery to the project site and match the test results to the manufacturer specification sheets provided on the reels. This will be performed with an O.T.D.R. (Optical Time Domain Reflectometer) on the bare fibers on the reel. This information will provide verification of the cable lengths and show that the integrity of the cable has not been compromised during shipping.

Post-Installation - The second fiber test procedure is performed after the installation and prior to termination of the fiber strands. This test will reveal damage to the fibers (if any) and provide accurate total lengths of each segment.

Post-Termination - The final certification will be performed after the fiber has been terminated and installed into the fiber panels, and the cable plant has been dressed for aesthetics and protection. This final certification will ensure that each connector mating does not exceed the tolerances prescribed by industry standard, and that no additional damage to the fiber segments has occurred during the dressout.

Actual OTDR printouts representing each of the test procedures at both industry accepted windows will be generated and retained.

7.3 Documentation

The Sr. Network Manager shall maintain a comprehensive cable plant documentation package for each LAN under their purview.
The documentation package shall, at a minimum, contain the following information:
a. Detailed “as-built” drawings and schematics of the cable plant
b. Category 5 test results for each copper cable
c. Test results for each fiber optic cable
A table detailing the cable drop location/port number scheme.

ARC Computer & Network Policies, Procedures and Forms ARC Document Solutions ARCAD115 Software Change/ Upgrade Policy Page 1 of 3

CTRL #
Revision: 1.0
Prepared by: DJW
Effective Date: 10/12/2006
Approved by:
Title: ARCAD115 – SOFTWARE CHANGE & UPDATE POLICY

Policy: ARC information technology philosophy is that all information technology software applications will generally reflect the most recent version of the application software that is properly vendor supported. This generally is no more than two versions behind the most recent commercially available version. This is important to ensure the most comprehensive functionality of the applications in place and to help assure that customers receive the best and most comprehensive service through the latest in vendor application software. Accordingly, the Company will operate vendor application software in such a way that, as early as practical and cost effective, the most recent, commercially available release of vendor application software will be installed, tested, converted and used in the Company’s operating environment.

Purpose: To establish the policy covering the upgrade of software applications and/or spreadsheets.

Scope: This process applies to upgrades, or modifications, to the IT environment and applies to all hardware including but not limited to SANs, Backup Libraries, Servers, Workstations, Laptops and operating systems running on them.
Responsibilities:

The Director of Information Technology is responsible for the design, installation, and management of the ARC software standards. The Director of Information Technology will be responsible for the coordination of all aspects of the software acquisitions. In addition, the Director of Information Technology will be the approval authority for the coordination of any additional adds, moves, or changes to the ARC network and/or system software.

The IT Network Team is responsible for the installation and operation of the system software installed on all systems in the ARC Infrastructure. The IT Network Team will coordinate with the Director of Information Technology for all software related issues related to systems connecting to the corporate network and associated systems. The IT Network Team will coordinate all upgrades and changes with the Director of Information Technology.

IT Network Team staff members are responsible for installing and maintaining all software within the network infrastructure in accordance with Network Infrastructure standards.

The IT Network Team will conduct weekly meetings to discuss software changes if necessary.

Definitions:

Change: to transform, alter, or modify the operating environment or standard operating procedures; any modification that could have a potential and/or significant impact on the stability and reliability of the infrastructure and impacts conducting normal business operation by our customers, ARC and ARC; any interruption in building environments (i.e. electrical outages) that may cause disruption to the IT infrastructure and systems.

ARC – American Reprographic Company
ARC – ARC Document Solutions

Change Management Process:

1.0 SOFTWARE INFRASTRUCTURE CHANGE STANDARDS

1.1 Director of IT is responsible for pro-active planning in managing the infrastructure environment.
Software change/upgrade requests should be completed as soon as all planning is done.

1.2 The Director of Information Technology is responsible for researching and, for high-priority matters, obtaining approval from the Chief Technology Officer (CTO). The following forms will be used for all change requests and incident reporting:
• ARCAD115-1 SOFTWARE CHANGE/UPGRADE REQUEST FORM

1.3 Change request forms that have not been completed will be rejected.

1.4 Change requests can be submitted up to 3 months in advance.

1.5 If a change request cannot be completed within the change request timeline, an email will be sent informing all parties with a reason for the delay.

2.0 SOFTWARE INFRASTRUCTURE CHANGES

2.1 All software changes/upgrades will be done after hours except in the case of an emergency change request with CTO approval.

2.2 An official email will be sent out in the event that the outage will affect customers and corporate users of the network.

Additional Resources: None.

References:

A. INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE) STANDARD 802 – STANDARD FOR LOCAL AND METROPOLITAN AREA NETWORKS

IEEE 802 is a family of standards that pertains to local area and metropolitan area networks; specifically, networks carrying variable-size packets. Services and protocols specified in these standards map to the lower two layers (Data Link and Physical) of the seven-layer OSI networking reference model. IEEE 802 subdivides the OSI Data Link Layer into sub-layers named Logical link control (LLC) and Media Access Control. The IEEE 802 family of standards is maintained by the IEEE 802 LAN/MAN Standards Committee (LMSC).
Revision History:

Revision   Date         Description of changes                       Requested By
1.0        10/12/2006   Initial Release                              DJW
1.1        09/23/14     Name Change on document from MPT to ARC      DJW

ARCITSW101-1 – IT PROJECT PLAN

< ARC Document Solutions >
< PROJECT NAME >

Document Revision #:
Date of Issue:

Approval Signatures
Prepared by: Product Manager
Prepared by: Project Manager
Approved by: Executive in Charge
Reviewed by: Quality Manager

ARCITSW101-1 – IT PROJECT PLAN ARC Document Solutions ARCITSW101-1 – IT Project Plan page 2 of 20

Document Change Control

This section provides control for the development and distribution of revisions to the Project Charter up to the point of approval. The Project Charter does not change throughout the project life cycle, but rather is developed at the beginning of the project (immediately following project initiation approval, and in the earliest stages of project planning). The Project Charter provides an ongoing reference for all project stakeholders. The table below includes the revision number (defined within your Documentation Plan Outline), the date of update/issue, a brief description of the context and/or scope of the changes in that revision, and the person responsible for authoring the changes.

Revision   Date        Description of Change   Author
1.0        10/4/2012   Initial Document        DJW

Editor’s Note: ITSW101-1 – IT PROJECT PLAN is adapted from the IEEE Standards for Software Project Management Plans, #1058-1998, and from the data requirements of ISO standard 12207 Software Life Cycle Processes. It is designed as a guide used to begin the project development plan. The plan should be dynamic, changing with project changes, but keeping the overall development plan well documented.

Table of Contents

1.0 Project Overview
  1.1 Purpose, Scope, and Objectives
  1.2 Assumptions, Constraints, and Risks
  1.3 Project Deliverables
  1.4 Schedule and Budget Summary
  1.5 Evolution of the Plan
  1.6 References
  1.7 Definitions and Acronyms
2.0 Project Organization
  2.1 External Interfaces
  2.2 Internal Structure
  2.3 Roles and Responsibilities
3.0 Managerial Process Plans
  3.1 Start-up Plan
    3.1.1 Estimates
    3.1.2 Staffing
    3.1.3 Resource Acquisition
    3.1.4 Project Staff Training
  3.2 Work Plan
    3.2.1 Work Breakdown Structure
    3.2.2 Schedule Allocation
    3.2.3 Resource Allocation
    3.2.4 Budget Allocation
  3.3 Project Tracking Plan
    3.3.1 Requirements Management
    3.3.2 Schedule Control
    3.3.3 Budget Control
    3.3.4 Quality Control
    3.3.5 Reporting
    3.3.6 Project Metrics
  3.4 Risk Management Plan
  3.5 Project Closeout Plan
4.0 Technical Process Plans
  4.1 Process Model
  4.2 Methods, Tools, and Techniques
  4.3 Infrastructure
  4.4 Product Acceptance
  4.5 Deployment Plan
5.0 Supporting Process Plans
  5.1 Configuration Management
  5.2 Verification and Validation
  5.3 Documentation
  5.4 Quality Assurance
  5.5 Reviews and Audits
  5.6 Problem Resolution
  5.7 Subcontractor Management
  5.8 Process Improvement
6.0 Additional Plans

1.0 PROJECT OVERVIEW

This section of the IT Project Management Plan provides an overview of the purpose, scope and objectives of the project for which the Plan has been written, the project assumptions and constraints, a list of project deliverables, a summary of the project schedule and budget, and the plan for evolving the IT Project Management Plan.

1.1 PURPOSE, SCOPE, AND OBJECTIVES

Describe the purpose, scope and objectives of the project. Explain how they fit within a broader vision of any overall program or product life cycle. Describe what is out of scope as well. Describe the business or system needs being satisfied by the project. Provide a reference to any requirements descriptions that drive this project.

• Define the purpose and scope of the project.
• Describe any considerations of scope or objectives to be excluded from the project or the deliverables.
• Ensure that the statement of scope is consistent with similar statements in the business case, the project charter and any other relevant system-level or business-level documents.
• Identify and describe the business or system needs to be satisfied by the project.
• Provide a concise summary of:
  − the project objectives,
  − the deliverables required to satisfy the project objectives, and methods by which satisfaction of the objectives will be determined.
• Describe the relationship of this project to other projects.
• If appropriate, describe how this project will be integrated with other projects or ongoing work processes.
• Provide a reference to the official statement of project requirements (e.g.: in the business case or the project charter).

1.2 ASSUMPTIONS, CONSTRAINTS, AND RISKS

Describe assumptions and any constraints on which the project is based. Include system dependencies that will affect this project.

• Describe the assumptions on which the project is based.
• Describe the imposed constraints and risks on the project such as:
  − Schedule;
  − Budget;
  − Resources;
  − Quality;
  − Software to be reused;
  − Existing software to be incorporated;
  − Technology to be used; and
  − External interfaces.

1.3 PROJECT DELIVERABLES

List the deliverables or services to be provided by this project, or provide a reference to where such a list can be found. Include delivery dates, delivery locations, and quantities, as appropriate. It may be useful to portray these in a table.

• Identify and list the following, as required to satisfy the terms of the project charter or contract:
  − Project deliverables (either directly in this Plan, or by reference to an external document);
  − Delivery dates;
  − Delivery location; and
  − Quantities required.
• Specify the delivery media.
• Specify any special instructions for packaging and handling.

1.4 SCHEDULE AND BUDGET SUMMARY

Provide a summary of the schedule and budget, at the top level of the project work breakdown structure (or equivalent). Include all aspects of the project, including support functions, quality assurance, configuration management, and subcontracted work when treating the schedule and budget.

• Provide a summary of the schedule and budget for the IT project.
• Restrict the level of detail to an itemization of the major work activities and supporting processes (e.g.: give only the top level of the work breakdown structure).

1.5 EVOLUTION OF THE PLAN

Describe how this plan will be completed, disseminated, and put under change control. Describe how both scheduled and unscheduled updates will be handled.

• Identify the compliance of this Plan to any standards. For example: The structure of this Project Plan is in compliance with the recommendations of IEEE Standard 1058-1998.
Specify the plans for producing both scheduled and unscheduled updates to this Plan. Specify how the updates to this Plan shall be disseminated. Specify how the initial version of this Plan shall be placed under configuration management. Specify how changes to this Plan shall be controlled after its issue.

1.6 REFERENCES

Provide a list of all documents and other sources of information referenced in the plan. Identify each referenced document by title, report number, date, author and publishing organization. Identify other referenced sources of information, such as electronic files, using unique identifiers such as path/name, date and version number. Include a reference for the authorizing document for this project, the Statement of Work or Marketing Requirements or Charter or whatever that might be for the organization. Identify and justify any deviations from the referenced standards or policies.

1.7 DEFINITIONS AND ACRONYMS

Define, or provide references to documents or annexes containing the definition of all terms and acronyms required to properly understand this Plan.

2.0 PROJECT ORGANIZATION

Describe the overall organization for the project including internal and external structures, roles, and responsibilities.

2.1 EXTERNAL INTERFACES

Describe the administrative and managerial interfaces between the project and the primary entities with which it interacts. Describe the organizational boundaries between the project and external entities. Identify, as applicable:
  − the parent organization,
  − the customer,
  − subcontracted organizations, and
  − other organizational entities that interact with the project.

Use organizational charts or diagrams to depict the project's external interfaces.
2.2 INTERNAL STRUCTURE

Describe the internal management structure of the project, as well as how the project relates to the rest of the organization. Include employees and contract staff that are managed as part of this project.

• Describe the interfaces among the units of the IT development team.
• Describe the interfaces between the project and organizational entities that provide supporting processes, such as configuration management, quality assurance, and verification and validation.
• Use organizational charts or diagrams to depict the lines of authority, responsibility and communication within the project.

2.3 ROLES AND RESPONSIBILITIES

Identify and state responsibilities assigned to each major role in the project, and identify the individuals who are responsible for those functions and activities.

• Identify and state the nature of each major work activity and supporting process.
• Identify the organizational units that are responsible for those processes and activities.
• Consider using a matrix of work activities and supporting processes vs. organizational units to depict project roles and responsibilities.

3.0 MANAGERIAL PROCESS PLANS

This section of the IT Project Management Plan specifies the project management processes for the project. It includes the plans for project start-up, risk management, project work, project tracking and project close-out.

NOTE: This section may evolve over the lifetime of the project, and only a subset of them may be relevant; use elements accordingly. If there are documented processes that the project team is following, the plan may refer to the documented processes rather than reproduce them as part of this plan.

3.1 START-UP PLAN

Describe the effort required to begin the project. Provide estimates for staffing, resources, schedules, and training.
3.1.1 Estimates

Describe how the project effort, cost and schedule will be estimated, including methods, tools, and techniques.

• Specify the estimated cost, schedule and resource requirements for conducting the project, and specify the associated confidence levels for each estimate.
• Specify the methods, tools and techniques used to estimate project cost, schedule and resource requirements;
• Specify the sources of estimate data and the basis of the estimation such as: analogy, rule of thumb, standard unit of size, cost model, historical database, etc.
• Specify the schedule for re-estimation, which might be regular, a periodic or event-driven (e.g.: on project milestones).

3.1.2 Staffing

Describe how staffing will be done, along with the expected level of staffing by phase of the project, types of skills needed, and sources of staff (may be employees or contract personnel). Describe how the staff will be organized and supervised here, or include it in the section that describes the project internal structure.

• Specify the number of required staff, providing the following details:
  − number of personnel by skill level,
  − numbers and skill levels in each project phase, and
  − duration of personnel requirement.
• Specify the sources of staff personnel (e.g.: internal transfer, new hire, contracted, etc.)
• Consider using resource Gantt charts, resource histograms, spreadsheets and tables to depict the staffing plan by skill level, by project phase, and by aggregations of skill levels and project phases.

3.1.3 Resource Acquisition

Identify (or refer to a location that contains a description of) the resources associated with each of the major work activities, as well as an overall summary of the resource loading for the project and how they will be acquired.
• Specify the plan for acquiring the resources and assets, in addition to personnel, needed to successfully complete the project.
• Describe the resource acquisition process.
• Specify the assignment of responsibility for all aspects of resource acquisition.
• Specify acquisition plans for equipment, computer hardware and software, training, service contracts, transportation, facilities, and administrative and janitorial services.
• Specify when in the project schedule the various acquisition activities will be required.
• Specify any constraints on acquiring the necessary resources.

If necessary, expand this subsection to lower levels, to accommodate acquisition plans for various types of resources.

3.1.4 Project Staff Training

Specify the training needed to ensure that necessary skill levels in sufficient numbers are available to successfully conduct the IT project. Specify the following training information:
  − the types of training to be provided,
  − numbers of personnel to be trained,
  − entry and exit criteria for training, and
  − the training method, for example: lectures, consultations, mentoring, computer-assisted training, etc.

Identify training as needed in technical, managerial and supporting activity skills.

3.2 WORK PLAN

Specify (or refer to a location that contains a list of) the work activities and their relationships, depicted in a work breakdown structure. Decompose the structure to a low enough level to facilitate sound estimating, tracking, and risk management. Work packages may be built for some or each of the elements of the work breakdown structure, detailing the approach, needed resources, duration, work products, acceptance criteria, predecessors and successors.
3.2.1 Work Breakdown Structure

Define a Work Breakdown Structure (WBS) to specify the various work activities to be performed in the IT project, and to depict the relationships among these work activities. Decompose the work activities to a level that exposes all project risk factors, and that allows accurate estimation of resource requirements and schedule duration for each work activity. Specify the following factors for each work activity:
  − necessary resources,
  − estimated duration,
  − products or deliverables of the activity,
  − acceptance criteria for the work activity products, and
  − predecessor and successor work activities.

The level of decomposition internally within the WBS may vary depending on the quality of the requirements, familiarity of the work, applicable level of technology, etc.

3.2.2 Schedule Allocation

Specify (or refer to a location that contains) the schedule for the project, showing sequencing and relationships between activities, milestones, and any special constraints. Specify the scheduling relationships among the project work activities in a manner that depicts the time-sequencing constraints and illustrates opportunities for concurrent work activities. Identify the critical path in the schedule. Indicate any constraints on the scheduling of particular work activities, that are caused by external factors. Identify appropriate schedule milestones to assess the scope and quality of project work products and of project achievement status. Techniques for depicting schedule relationships may include milestone charts, activity lists, activity Gantt charts, activity networks, critical path networks and PERT charts.

3.2.3 Resource Allocation

Identify (or refer to a location that contains a description of) the resources associated with each of the major work activities, as well as an overall summary of the resource loading for the project.
Provide a detailed itemization of the resources allocated to each major work activity in the project WBS. Specify the numbers and required skill levels of personnel for each work activity. Specify, as appropriate, the allocation of the following resources:
  − personnel (by skill level),
  − computing resources
  − software tools
  − special testing and simulation facilities, and
  − administrative support.

Use a separate line item for each type of resource for each work activity.

3.2.4 Budget Allocation

Show (or refer to a location that contains a description of) the budget allocated to each of the major work activities. Use the organization’s standard cost categories such as personnel costs, travel, equipment, and administrative support. Provide a detailed breakdown of the necessary resource budgets for each of the major work activities in the WBS. Specify the estimated cost for activity personnel, and include as appropriate, the costs for the following items:
  − Travel;
  − Meetings;
  − Computing resources;
  − Software tools;
  − Special testing and simulation facilities; and
  − Administrative support.

Use a separate line item for each type of resource in each activity budget.

3.3 PROJECT TRACKING PLAN

3.3.1 Requirements Management

Describe the process to be used for measuring, reporting, and controlling changes to the product requirements. Describe the techniques to be used for configuration management of the requirements, requirements traceability, impact analysis for proposed changes, and approving changes (such as a Change Control Board). Specify the process for measuring, reporting and controlling changes to the project requirements. Specify the processes to be used in assessing the impact of requirements changes on product scope and quality, and the impacts of requirements changes on project schedule, budget, resources and risk factors.
In the configuration management processes, specify change control procedures and the formation and use of a change control board. In the processes for requirements management, include traceability, prototyping and modeling, impact analysis and reviews.

3.3.2 Schedule Control

Describe how progress will be monitored and controlled. Address how the schedule will be controlled (milestones, progress to plan on activities, corrective action upon serious deviation from the plan), when reporting will be done for both the project team and management, and what tools and methods will be used. Specify the schedule control activities by identifying the processes to be used for the following purposes:
  − To measure the progress of work completed at the major and minor project milestones;
  − To compare actual progress to planned progress; and
  − To implement corrective action when actual progress does not conform to planned progress.

Specify the methods and tools that will be used to measure and control schedule progress. Identify the objective criteria that will be used to measure the scope and quality of work completed at each milestone, and hence to assess the achievement of each schedule milestone.

3.3.3 Budget Control

Describe how performance to budget will be monitored and controlled. Address how the actual cost will be tracked to the budgeted cost, how corrective actions will be implemented, at what intervals cost reporting will be done for both the project team and management, and what tools and techniques will be used. Include all costs of the project, including contract labor and support functions.
Specify the budget control activities by identifying the processes to be used for the following purposes:
  − To measure the cost of work completed;
  − To compare the actual cost to the planned and budgeted costs; and
  − To implement corrective action when the actual cost does not conform to the budgeted cost.

Specify when cost reporting will be done in the project schedule. Specify the methods and tools that will be used to track the project cost. Identify the schedule milestones and objective indicators that will be used to assess the scope and quality of the work completed at those milestones. Specify the use of a mechanism such as earned value tracking to report the budget and schedule plan, schedule progress, and the cost of work completed.

3.3.4 Quality Control

Describe the mechanisms that will be used to maintain quality control. [These may be described in detail in other plans or in the Supporting Process Plans of this document.] Specify the processes to be used to measure and control the quality of the work and the resulting work products. Specify the use of quality control processes such as quality assurance of conformance to work processes, verification and validation, joint reviews, audits and process assessment.

3.3.5 Reporting

Describe how the progress of the project and other information needed by the project will be communicated to everyone associated with the project. Specify the reporting mechanisms, report formats and information flows to be used in communicating the status of requirements, schedule, budget, quality, and other desired or required status metrics within the project and to entities external to the project. Specify the methods, tools and techniques of communication.
Specify a frequency and detail of communications related to project management and metrics measurement that is consistent with the project scope, criticality, risk and visibility.

3.3.6 Project Metrics

Specify the methods, tools, and techniques to be used in collecting and retaining project metrics. Specify the following metrics process information:
  − Identification of the metrics to be collected;
  − Frequency of collection; and
  − Processes for validating, analyzing, and reporting the metrics.

3.4 RISK MANAGEMENT PLAN

Describe the process that will be used to identify, analyze, build mitigation and contingency plans, and manage the risks associated with the project. Describe mechanisms for tracking the specific risks, the mitigation plans, and any contingency plans. Risk factors that should be considered when identifying the specific project risks include contractual risks, organization-related risks, technological risks, risks due to size and complexity of the product, risks in personnel acquisition and retention, risks in achieving customer acceptance of the product, and others specific to the context of the project. Specify the risk management plan for identifying, analyzing, and prioritizing project risk factors. Specify plans for assessing initial risk factors and for the ongoing identification, assessment, and mitigation of risk factors throughout the life cycle of the project.
Describe the following:
  − procedures for contingency planning,
  − procedures for tracking the various risk factors,
  − procedures for evaluating changes in the levels of the risk factors and responding to changes in the levels of the risk factors,
  − risk management work activities,
  − procedures and schedules for performing risk management work activities,
  − risk documentation and reporting requirements,
  − organizations and personnel responsible for performing specific risk management activities, and
  − procedures for communicating risks and risk status among the various customer, project and subcontractor organizations.

Identify and describe the applicable impact of any of the following risk factors:
  − risks in the customer-project relationship,
  − contractual risks,
  − technological risks,
  − risks caused by the size and complexity of the product,
  − risks in the development and target environments,
  − risks in personnel acquisition, skill levels and retention
  − risks to schedule and budget, and
  − risks in achieving customer acceptance of the deliverables.

3.5 PROJECT CLOSEOUT PLAN

Describe the plan for closing out this project. Identify the plans necessary to ensure orderly closeout of the IT project. Specify the following:
  − a staff reassignment plan
  − a process for archiving project materials
  − a process for capturing project metrics in the business projects database
  − a process for post-mortem debriefings of project personnel
  − a plan for preparation of a final report to include lessons learned and an analysis of project objectives achieved
  − an examination of the initial cost/benefit analysis to see if objectives have been met
  − examine any performance measures intended to be impacted by the project

4.0 TECHNICAL PROCESS PLANS

Describe the processes and approaches to be used for developing the work products or services for the project.
The primary technical focus of the project may be one or more of the following:
  − acquisition – obtaining a system, product or service
  − supply – providing a system, product, or service
  − development – constructing a system or product
  − operation – running a system or service for regular use
  − maintenance – correcting, perfecting, or adapting a system

4.1 PROCESS MODEL

Specify the life cycle model to be used for this project or refer to an organizational standard model that will be followed. If the project is tailoring an organization’s standard life-cycle model, that tailoring should be described here. Define the relationships among major project work activities and supporting processes. Describe the flow of information and work products among activities and functions. Specify the timing of work products to be generated. Identify the reviews to be conducted. Specify the major milestones to be achieved. Define the baselines to be established. Identify the project deliverable to be completed. Specify the required approvals within the duration of the project. In the process model for the project, include project initiation and project termination activities. Use a combination of graphical and textual notations to describe the project process model.

4.2 METHODS, TOOLS, AND TECHNIQUES

Identify the methods to be used to develop the work products or services for the project. Specify the development methodologies, programming languages and other notations, and the processes, tools and techniques to be used to specify, design, build, test, integrate, document, deliver, modify and maintain the project deliverable and non-deliverable work products. Specify the technical standards, policies, and procedures governing development and/or modification of the work products.
4.3 INFRASTRUCTURE

Specify the plan for establishing and maintaining the development environment (hardware, operating system, network and software), and the policies, procedures, standards, and facilities required to conduct the IT project. These resources may include workstations, local area networks, software tools for analysis, design implementations, testing, and project management, desks, office space, and provisions for physical security, administrative personnel, and janitorial services.

4.4 PRODUCT ACCEPTANCE

Describe (or refer to a separate document that provides) the plan for acceptance of the project deliverables by the customer or acquirer of the product. Specify the plan for customer acceptance of the deliverables generated by the IT project and include the final approval process for product acceptance. Specify objective criteria for determining acceptability of the deliverables. Reference a formal agreement of the acceptance criteria signed by representatives of the IT organization and the customer. Specify any technical processes, methods, or tools required for deliverable acceptance, such as testing, demonstration, analysis and inspection. Describe roles and responsibilities for reviewing the plan, generating the acceptance tests, running the tests, and reviewing results.

4.5 DEPLOYMENT PLAN

Describe (or refer to a separate document that provides) the plan for releasing and installing the project deliverables or deploying them to the acquirer or customer site. The plan may need to include hardware installation, telecommunications or database infrastructure preparation, and other information, as well as describing the means of distributing the software. Describe (or refer to a separate document that provides) the plan for operating and maintaining the system after deployment.
If this project develops a product that is packaged and shipped to customers for their installation, describe how the product will be prepared for release and shipment.

5.0 SUPPORTING PROCESS PLANS

Provide plans for the supporting processes here, or refer to the appropriate plans and where they can be found. In some cases, the organization’s standard processes can provide the majority of the information and need not be reproduced in a plan.

5.1 CONFIGURATION MANAGEMENT

Specify or reference the configuration management plan for the IT project, providing the information identified in the following lines. Specify the methods that will be used to perform the following activities:
  − configuration identification,
  − configuration control,
  − status accounting,
  − evaluation, and
  − release management.

Specify the processes of configuration management including procedures for the following activities:
  − initial base-lining of work products,
  − logging and analysis of change requests,
  − change control board procedures,
  − tracking of changes in progress, and
  − procedures for notification of concerned parties when baselines are established or changed.

Identify the automated configuration management tools used to support the configuration management process.

5.2 VERIFICATION AND VALIDATION

Specify or reference the verification and validation plan for the IT project, providing the information identified in the following lines. Specify the scope, tools, techniques and responsibilities for the verification and validation work activities. Specify the organizational relationships and degrees of independence between development activities and verification and validation activities. Specify the use of verification techniques such as traceability, milestone reviews, progress reviews, peer reviews, prototyping, simulation and modeling.
Specify the use of validation techniques such as testing, demonstration, analysis and inspection. Identify the automated tools to be used in verification and validation.

5.3 DOCUMENTATION

Describe (or refer to the description of) the processes, techniques, and tools that will be used for generating the deliverable and non-deliverable work products for the project. Include the product deliverables described earlier in this plan, as well as the various supporting plans and other documentation used by the project team to conduct the project. Specify the organizational entities responsible for providing input information, and for generating and reviewing the project documentation. Specify the following information or object identification:
  − list of documents to be prepared,
  − controlling template or standard for each document,
  − who will prepare each document,
  − who will review each document,
  − due dates for review copies,
  − due dates for initial baseline versions, and
  − a distribution list for review copies and baseline versions and quantities required.
Documents often found useful to perform the technical processes for developing software that satisfies the requirements include the following:
  − User Requirements Specification – description of the problems to be solved, user needs to be served, in the words of the user
  − Software Requirements Specification – detailed technical descriptions of the product requirements, addressing functionality, quality attributes, interfaces, design constraints, and other information helpful to product design
  − Design Documentation – descriptions of major components of the product design, including architecture, process design, user interfaces, database design, and internal interface design
  − Test Documentation – test plans, test procedures, and test cases at all relevant levels of testing (unit, module, integration, system, acceptance, alpha, beta)

5.4 QUALITY ASSURANCE

Specify or reference the quality assurance plan for the IT project, containing the information identified in the following lines. Specify the plans for assuring that the IT project fulfills its commitments to the IT process and the IT product as specified in the requirements specification, the IT Project Management Plan, supporting plans and any standards, procedures, or guidelines to which the process or the product must adhere. As applicable, specify the quality assurance procedures to be used, such as analysis, inspection, review, audit, and assessment. Indicate the relationship among the quality assurance, verification and validation, review, audit, configuration management, system engineering, and assessment processes.

5.5 REVIEWS AND AUDITS

Describe the manner and methods used for all project reviews and audits. Specify the schedule, resources, and processes, and procedures used in conducting project reviews and audits. Specify the plans for joint customer-project reviews, management progress reviews, developer peer reviews, quality assurance audits, and customer-conducted reviews and audits.
List the external agencies that approve or regulate any project deliverable.

5.6 PROBLEM RESOLUTION

Describe the resources, methods, and tools to be used for reporting, analyzing, prioritizing, and handling project issues. Issues may include problems with staffing or managing the project, new risks that are detected, missing information, defects in work products, and other problems. Describe how the issues will be tracked and managed to closure. Indicate the roles of development, configuration management, the change control board, and verification and validation in problem resolution work activities. Provide for separate tracking of effort expended on problem reporting, analysis and resolution, so that rework can be tracked and process improvement accomplished.

Note: Work product defects in baselined work products should be handled by the configuration management change control process.

5.7 SUBCONTRACTOR MANAGEMENT

Specify or reference the plans for selecting and managing any subcontractors that may participate in or contribute to the IT project. Specify the criteria for selecting subcontractors. Generate a separate management plan for each subcontract, using a tailored version of this Project Plan, and include all items necessary to ensure successful completion of each subcontract as follows:
  − requirements management;
  − monitoring of technical progress;
  − schedule and budget control;
  − product acceptance criteria;
  − risk management procedures;
  − additional topics as needed to ensure successful completion of the subcontract; and
  − a reference to the official subcontract and subcontractor/prime contractor points of contact.

5.8 PROCESS IMPROVEMENT

Specify the plans for periodically assessing the project, for determining areas for improvement, and for implementing the improvement plans.
If this project carries a responsibility for defining, testing, or using some new organization process, describe how that is incorporated into the project’s work. If this project is responsible for showing the impact to the business of using some new process, describe how that is included in the project’s measurement plan. Ensure that the process improvement plan is closely related to the problem resolution plan. Include in the improvement plan, a process to identify the project processes that can be improved without serious disruption to an ongoing project, and to identify the project processes that can best be improved by process improvement initiatives at the organizational level.

6.0 ADDITIONAL PLANS

Specify or reference any additional plans required to satisfy product requirements and contractual terms, which may include:
  − Plans for assuring safety, privacy, and security requirements are met;
  − Special facilities or equipment specification;
  − Product installation plans;
  − User training plans;
  − Integration plans;
  − Data conversion plans;
  − System transition plans;
  − Product support and maintenance plans; and
  − Identify potential follow-up project plans which will use or supersede this project.

ARCITSW104 – SOFTWARE DESIGN & SOURCE CODE ARC Document Solutions ARCITSW104 – Software Design & Source Code page 1 of 6

SOP # Revision: Prepared by: Effective Date: Approved by:

Title: ARCITSW104 – SOFTWARE DESIGN & SOURCE CODE

Policy: To design software in a technically sound and efficient manner and fulfill requirements identified by the systems analyst.

Purpose: To transform a set of system requirements (developed by the systems analyst) into programming instructions for a software product.

Scope: All software products and updates released by the company.
Responsibilities: Software Designers are responsible for transforming system requirements developed by the systems analyst into programming instructions and then communicating the overall design approach.

Procedure:

1.0 SOFTWARE DESIGN - INTRODUCTION

1.1 The Software Designer transforms the system requirements and other design documents developed by the systems analyst (see ARCITSW103 – SYSTEMS ANALYSIS) into instructions and specifications for programming a software product.

1.2 The Software Designer might use the following tools:
  − A word processing program, for typing text;
  − A paint or draw program, for creating graphics;
  − A flow charting program, for documenting data flows;
  − A source code control system, for controlling program revisions; and
  − A central database, for storing specifications, charts, and images.

NOTE: If possible, scan sample documents to disk and store them with the specification files.

2.0 SOFTWARE DESIGN SPECIFICATION

2.1 The Software Designer shall write a description of the programming environment.
The description should include instructions for: Locating the programming system (its directory/account structure); Accessing the programming system (startup, login); Applying for the required user codes; Locating programming libraries and tools; Checking components into and out of the software component library or source code control system (For information about the software component library, see ARCITSW109 – SOFTWARE RELEASES AND UPDATES procedure); Assigning tasks to programmers; Reporting and tracking problems (or bugs); and Returning completed work to the designer. 2.2 The Software Designer shall create a general design of the software required to fulfill the system requirements developed by the systems analyst. To do this, the designer must: Fully address each process, calculation, relation and flow defined in the system requirements; Design software components that leverage the strengths of the programming tools and run efficiently in the physical environment; and Incorporate internal and industry-accepted standards of design. 2.3 The Software Designer shall review the general design with the systems analyst and make any required changes. 2.4 The Software Designer shall write detailed programming instructions for each component in the design. The following table shows the types of components and instructions found in a typical database software design.
Programs: program name; description; screen layout; process logic; messages
Forms: form name; description; screen layout; field edits; process logic; messages
Reports: report name; description; screen layout; report layout; query logic; process logic; messages
Menus: menu name; description; menu layout
Database: database name; description; table names; field names; keys & indexing; format rules; edit rules; update rules
2.5 The Software Designer shall create a catalog of messages used in the software.
For each message, the Software Designer indicates the action the system users or administrators must take. 2.6 The Software Designer shall review the detail design with the systems analyst and make any required changes. 3.0 SOFTWARE DESIGN REVIEW 3.1 The Software Designer should use ARCITSW104-1 – DESIGN REVIEW CHECKLIST as a guide to preparation before presenting the software design documents in a formal review to everyone who will be working on the project, including: The project manager; The systems analyst; Programmers; Technical writers; and Quality assurance analysts. 3.2 The software design should be reviewed for compliance with overall design objectives, including: A clear understanding of the user environment, requirements and system analyst specifications; Use of best practices in software design, including effective design strategies, modularity, performance, and extensibility; and Clear process flows, data integration, and data models. 3.3 Document ideas, comments, and concerns for possible investigation. Plan on spending as much time as necessary to answer any questions before turning the design over for programming. More time spent in the early planning phases makes coding easier and saves time later in the software programming phase. 3.4 Users may request design changes during this or any other phase of the software development life cycle; users shall submit change requests in accordance with ARCITSW108 – DESIGN CHANGES DURING DEVELOPMENT. References: A. ISO/IEC 12207:1995 – INFORMATION TECHNOLOGY-SOFTWARE LIFE-CYCLE PROCESSES B. IEEE/EIA 12207.0 – STANDARD INDUSTRY IMPLEMENTATION OF INTERNATIONAL STANDARD ISO/IEC 12207:1995 This ISO standard describes the major component processes of a complete software life cycle and the high-level relations that govern their interaction.
It establishes a software life cycle architecture based on two principles, modularity of processes and responsibility for processes. There are three process classes in the ISO software life cycle: primary (such as acquisition and operations); supporting (such as documentation and configuration management); and organizational (such as infrastructure and training). Each life cycle process is made up of activities, and each activity is further subdivided into tasks. The standard is based on ISO quality management principles. IEEE/EIA 12207 is the US implementation of ISO/IEC 12207. Like its ISO counterpart, the IEEE standard describes the major component processes of a complete software life cycle and the high-level relations that govern their interactions and it covers the life cycle of software, from conceptualization of ideas through retirement. The US standard has been released as a three-volume set: IEEE/EIA12207.0 – ISO/IEC 12207 with a U.S. introduction and 6 additional appendixes; IEEE/EIA12207.1 – Guidance on documentation content (a summary of the content of each type of document); and IEEE/EIA12207.2 – Guidebook with additions, alternatives, and implementation approaches to many of the activities and tasks of ISO/IEC 12207. For more information, visit the ISO web site at http://www.iso.org or the IEEE web site at http://www.ieee.org/. Revision History: Revision Date Description of changes Requested By 1.0 9/23/20142 Initial Release DJW ITSW104-1 - DESIGN REVIEW CHECKLIST DESIGN REVIEW ID ITEMS TO BE CONSIDERED RESPONSE 1 Have the work products to be reviewed been identified? 2 Has the type of review been selected?
Alternatives include: Informal walk through by several team members; Technical review by project team members and stakeholders; Inspection by project team members (and perhaps others). 3 Have the goals of the review been established? 4 Has a moderator/facilitator been selected? 5 Has a review package been developed and distributed to the participants with ample review time? The review package should include at least the following: Work product to be reviewed; Related templates, guidelines, other background information; Forms with which to record defects, questions, issues. 6 Has the software design been reviewed for compliance with overall design objectives, including: A clear understanding of the user environment, requirements and system analyst specifications; Use of “Best Practices” in software design including effective design strategies, modularity, performance and extensibility; and Clear process flows, data integration and data models? 7 Have results of the review been used to update the work product? 8 Have the goals of the review been reviewed to determine success? 9 Has the process been reviewed to identify any improvements? Source Code: All source code is kept on a dedicated server and backed up to the DR site daily. Access to source code is given on a permission basis only. ARC Computer & Network Policies, Procedures and Forms ARC Document Solutions ARCSD116 –IT Virtual Private Network(VPN) Access Policy Page 1 of 2 CNTL# Revision: 1.0 Prepared by: Demetrius Wallace Effective Date: 9/23/12 Approved by: Rahul Roy Title: ARCSD116 – VIRTUAL PRIVATE NETWORK (VPN) ACCESS POLICY Policy: The purpose of this policy is to provide guidelines for remote access IPSec or L2TP Virtual Private Network (VPN) connections to the ARC network. Purpose: To define employees' access rights for remote access to the ARC network.
Scope: This policy applies to all employees, contractors, and anyone using the virtual private network for remote access. Responsibilities: IT Management is responsible for reviewing and approving the virtual private network access. Definitions: IPSec Concentrator – A device in which VPN connections are terminated. Policy Approved ARC employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally, it is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to ARC internal networks. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped. VPN gateways will be set up and managed by IT Management. All computers connected to ARC internal networks via VPN or any other technology must use the most up-to-date anti-virus software; this includes personal computers. VPN users will be automatically disconnected from ARC’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open. The VPN concentrator is limited to an absolute connection time of 24 hours.
Users of computers that are not ARC-owned equipment must configure the equipment to comply with <Company Name>'s VPN and Network policies. Only ARC IT Management-approved VPN clients may be used. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of ARC’s network, and as such are subject to the same rules and regulations that apply to ARC-owned equipment, i.e., their machines must be configured to comply with ARC’s security policies. Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. ARCAD111 – IT Data Backup ARC Document Solutions ARCAD111 – IT Data Backup Page 1 of 5 CTL # GC-37 Revision: Prepared by: Demetrius Wallace Effective Date: Approved by: Rahul Roy Title: ARCAD111 – IT Data Backup Policy: The ARC Technology Center is responsible for maintaining all backups for ARC critical information. Purpose: The purpose of this policy is to establish methods for daily and weekly backup of Network Servers and financial systems. Scope: This procedure applies to all Company data stored by the IT Department, regardless of storage medium. Responsibilities: IT Management is responsible for developing and reviewing the Company’s data backup plan. The IT Network Manager is responsible for implementing the Company data backup plan. Definitions: Network-attached storage (NAS) – Hard disk storage set up with its own network address rather than being attached to the department computer serving applications to a network's workstation users. RAID - Redundant Array of Independent Disks is a method of storing the same data in different places (thus, redundantly) on multiple hard disks. Storage-area network (SAN) - A high-speed, special-purpose network or sub network connecting different kinds of IT storage devices with data servers on behalf of a large network of users.
Storage Library – The device which contains the tape drive(s) used to record data. In computers, a storage medium is any technology (including devices and materials) used to place, keep, and retrieve data. The term “storage medium” usually refers to secondary storage, such as that on a hard disk or tape. Procedure: 1.0 IT BACKUP PLANNING 1.1 IT Management shall oversee development and implementation of an Information Backup Plan that: Ensures data availability, confidentiality, and integrity; Enables rapid and full recovery from natural or manmade disasters; Ensures Company compliance with industry standards and/or legal & regulatory requirements for data storage; and Allows efficient, cost-effective data management. 1.2 To develop the ARC Backup Plan, IT Management shall: Conduct a needs analysis – determine the ARC storage capacity and requirements by conducting a historical analysis of storage use and reviewing user satisfaction surveys, in accordance with ARCAD110 – IT DEPARTMENT SATISFACTION and ARCAM102 – ARC ASSET MANAGEMENT; Research and benchmark IT industry practices and standards; and Account for pertinent legal/regulatory requirements (see References A – D). 1.3 IT Management shall design the Information Backup Plan, with the assistance of the IT Network Manager. 1.4 IT Management shall submit the Information Backup Plan to Top Management for its review and approval. 1.5 Upon approval of the Plan, IT Management shall communicate the Plan to the IT Network Manager and shall arrange for training, as needed. 2.0 IT BACKUP PLAN 2.1 Full backups are taken weekly and incremental backups are taken daily. 2.2 Data backups shall be identified as mission-critical or not and shall be assigned security levels, indicating whether access shall be restricted, in accordance with ARCSD106 – IT ACCESS CONTROL.
2.3 All data backups shall be backed up according to a set schedule and type according to ARCAD111-2 – ARC BACKUP PLAN. Data shall be retained and disposed of in accordance with ARCAD102 – IT RECORDS MANAGEMENT. 2.4 Backed-up data shall be subjected to a periodic recovery test, in accordance with ARCSD104 – IT DISASTER RECOVERY. 2.5 The IT Network Manager shall be responsible for implementing the Information Backup Plan, monitoring storage use, and periodically submitting a status report on backups to IT Management. The IT Network Manager shall receive vendor training in the event of new storage technologies being implemented. 3.0 IT STORAGE PLAN REVIEW 3.1 IT Management shall periodically (annually, at a minimum) meet with the IT Network Manager to review the Backup Plan and determine its continuing suitability and conformity to Company requirements and to ensure that data are retrievable and not in danger of loss due to technology changes. The IT Network Manager shall report on changes in IT industry practices, standards, and technologies that have occurred since the most recent review, for possible incorporation into the Plan. 3.2 An external audit of the Company’s Backup Plan and processes should be conducted no less than once every three years. 3.3 IT Management shall review the results of such audits and reviews, incorporate them into the IT Storage Plan as needed, and communicate the changes to the IT Network Manager. 4.0 UPDATING THE IT BACKUP PLAN 4.1 The IT Network Manager shall implement required changes to the IT Backup Plan. 4.2 Within a month of such changes being implemented, IT Management shall conduct a review with the IT Network Manager to verify implementation of changes and verify that the desired results were achieved. Additional Resources: A. The Storage Networking Industry Association (SNIA) is a registered 501-C6 non-profit trade association.
See http://www.snia.org/home for more information on this organization. B. American Institute of Certified Public Accountants (AICPA) Filing and Record Retention Procedures Guide. See http://www.aicpa.org for further information. References: A. NATIONAL ARCHIVES AND RECORDS ADMINISTRATION (NARA) RETENTION AND ACCESS REQUIREMENTS FOR RECORDS (36 CFR 1210.53) Federal retention requirements for non-profits are specified in the Code of Federal Regulations (36 CFR 1210.53), which are published by the Office of the Federal Register, National Archives and Records Administration, and may be purchased from the U.S. Government Printing Office (GPO) in Washington, DC. B. IRS PROCEDURE 98-25 – RECORDS RETENTION The U.S. Tax Code requires that, except for farmers and wage-earners, anyone subject to income tax or any person required to file an information return with respect to income must keep such books and records, including inventories, as are sufficient to establish the amount of gross income, deductions, credits, or other matters reported. The books or records required by must be kept available at all times for inspection by authorized internal revenue officers or employees and must be retained so long as the contents thereof may become material in the administration of any internal revenue law. Note: Section 6.01 requires taxpayers to maintain and make available documentation of the business processes that (1) create the retained records, (2) modify and maintain its records, (3) satisfy the requirements of section 5.01(2) of the procedure and verify the correctness of the taxpayer's return, and (4) evidence the authenticity and integrity of the taxpayer's records.
Section 6.02 sets forth four elements that the documentation required under section 6.01 must establish: (1) the flow of data through the system, (2) internal controls that ensure accurate processing, (3) internal controls that prevent unauthorized record changes, and (4) charts of account. Section 6.03 sets forth six specific types of documentation for each retained file: (1) record formats, (2) field definitions, (3) file descriptions, (4) evidence that periodic checks are undertaken to ensure that data remains accessible, (5) evidence that the records reconcile to the taxpayer's books, and (6) evidence that the records reconcile to the taxpayer's return. C. SARBANES-OXLEY ACT OF 2002 The Sarbanes-Oxley Act, enacted by the U.S. Congress in July 2002, created new standards for corporate accountability and new penalties for acts of wrongdoing. Sarbanes-Oxley, or SOX, holds corporate executive officers responsible for financial reporting, mandates internal control processes, and outlaws changing or destroying financial records. SOX also sets forth new records retention guidelines for corporations; in particular, section 802 of the Act pertains to criminal penalties for alteration or destruction of documents. D. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) Regarding the subject of records storage, the Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996, does not specify storage requirements. The Act is, however, designed to allow patients access to their information, however or wherever it is stored. E. ISO STANDARD 17799:2005 – INFORMATION TECHNOLOGY-CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT, CLAUSE 12.1.3 (SAFEGUARDING OF ORGANIZATIONAL RECORDS) The main thrust of this international Standard is information security. Section 12 of the Standard deals with compliance issues.
Section 12.1.3, “Safeguarding of Organizational Records,” deals with storage media and records retention. Revision History: Revision Date Description of changes Requested By 1.0 9/23/20142 Initial Release DJW ARC Computer & Network Policies, Procedures, and Forms American Reprographic Company ARCAD108 – E-Mail Policy Page 1 of 8 CTRL # AD108 Revision: 2.0 Prepared by: Demetrius Wallace Effective Date: 10/1/12 Approved by: Rahul Roy Title: ARCAD108 – E-MAIL POLICY Policy: Electronic mail (or e-mail) shall be used to support ARC’s business needs. Purpose: To delineate specific standards regarding the use of e-mail within the ARC e-mail (e-arc.com domain). Scope: This policy applies to all ARC personnel and computer systems. Responsibilities: All ARC employees are responsible for knowing, understanding, and adhering to the ARC e-mail policy. The Human Resources Manager is responsible for communicating the e-mail policy to all new ARC employees and retaining employee policy acknowledgements. Department Managers are responsible for communicating revisions to the e-mail policy to employees in their respective departments. The Compliance Officer is responsible for developing the e-mail policy and reviewing the policy (and any changes) with the Compliance Officer. The Compliance Officer is responsible for monitoring e-mail use and enforcing the ARC e-mail policy. Definitions: CTO – ARC’s Chief Technology Officer. Compliance Officer – Responsible for the creation and revisions of applicable policies. Procedure: 1.0 E-MAIL POLICY DEVELOPMENT 1.1 The Compliance Officer shall develop the ARC e-mail policy, which may be based on common business standards and practices and on legal/regulatory requirements (see Reference B). 1.2 The Compliance Officer shall present the policy to the CTO for review.
1.3 The Compliance Officer shall review the e-mail policy, revise as needed, and signify its approval. 2.0 E-MAIL POLICY IMPLEMENTATION 2.1 Upon approval of the e-mail policy by the CTO, the Compliance Officer shall communicate the policy to all department managers. Department managers shall, in turn, communicate the policy to all employees in their departments. The Human Resources Manager shall be responsible for communicating the ARC e-mail policy to all new employees. All employees shall receive a copy of ARCAD108-1 – ARC E-MAIL POLICY ACKNOWLEDGEMENT. Upon reviewing the document, each employee shall sign and date their copy of the acknowledgement and return it to Human Resources. Employees should keep a copy of this document for themselves. 2.2 E-mail records shall be managed in accordance with ARCAD102 – IT RECORDS MANAGEMENT. 2.3 The Compliance Officer shall be responsible for monitoring ARC e-mail and enforcing the e-mail policy. 3.0 E-MAIL POLICY REVIEW 3.1 At regular intervals (annually, at a minimum), the Compliance Officer shall review the ARC e-mail policy, to see if it continues to meet ARC requirements. 3.2 If the e-mail policy does not conform to ARC requirements, the Compliance Officer shall convene the CTO for the purpose of implementing improvements to the policy. 4.0 E-MAIL POLICY CHANGES 4.1 The Compliance Officer shall periodically review the ARC e-mail policy, to verify that it continues to meet ARC requirements. 4.2 Where the policy does not meet requirements, the Compliance Officer shall revise the policy as needed and communicate the revised policy to all employees. 4.3 Within one month of such changes to the e-mail policy, the Compliance Officer shall verify that they are being implemented and that they are having the intended effect. Additional Resources: A. ARCAD103 – IT DOCUMENT MANAGEMENT.
References: A. ISO 9001:2000 STANDARD – QUALITY MANAGEMENT SYSTEMS-REQUIREMENTS, CLAUSE 4.2.4 (CONTROL OF RECORDS) Clause 4.2.4 of this Standard states that “(r)ecords shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Records shall remain legible, readily identifiable, and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.” B. SARBANES-OXLEY ACT OF 2002 The Sarbanes-Oxley Act (“SOX”) passed by the U.S. Congress in 2002 is designed to prevent manipulation, loss, and/or destruction of publicly-held companies’ records. According to a number of high-profile SOX-related cases, e-mail is a company record and is subject to inspection and retention guidelines like any other Company document. Therefore, an organization has to have – and follow – an e-mail policy to be in compliance with SOX. Revision History: Revision Date Description of changes Requested By 1.0 12/7/2006 Initial Release DJW 1.1 3/18/2008 Employee changes Goutam Dastider 2.0 8/21/12 Naming convention change from MPT to ARC Goutam Dastider ARCAD108-1 – ARC E-MAIL POLICY ACKNOWLEDGEMENT Revision # 1.1 Date March 19th, 2010 1.0 E-MAIL AND ARC All portions of the ARC information infrastructure, including the information being transported by this infrastructure, are the property of ARC. This includes all e-mail transmitted or received through the ARC information infrastructure.
Since e-mail is the property of ARC, all e-mail accounts and the e-mail stored by these accounts are subject to inspection at any time. E-mail is a powerful tool that can greatly enhance communication. The use of e-mail within the following guidelines by ARC employees is encouraged. 2.0 GENERAL GUIDELINES Employees shall follow the following general guidelines concerning the use of this ARC resource: E-mail is not private. Messages transmitted through the ARC e-mail system or network infrastructure are the property of ARC and are, therefore, subject to inspection at any time. Use of the ARC e-mail system automatically implies consent to search. Employees shall be required to retain e-mails related to essential, or mission-critical, projects. E-mails that do not pertain to mission-critical projects or issues should be deleted when they are no longer needed. Because attachments to e-mails are a common method of attacking computers and systems and because attachments occasionally use a lot of bandwidth, sending a file as an e-mail attachment or opening an e-mail attachment is strongly discouraged. ARC e-mail or messaging services should be used for the conduct of ARC business only. ARC e-mail can be used for private, recreational, or other non-ARC-related activity. ARC e-mail shall not be used for commercial or partisan political purposes. ARC employees shall ensure all communication through ARC e-mail or messaging services is conducted in a professional manner. The use of vulgar, obscene, lewd, or suggestive language is prohibited. ARC users shall not reveal private or personal information by e-mail without specific approval from Human Resources. Users should ensure that e-mail messages are sent to only those users with a specific need to know. The transmission of e-mail to large groups should be avoided.
ARC e-mail shall not be used for any illegal or unlawful purposes. Examples of this are transmission of violent, threatening, defrauding, pornographic, obscene, or otherwise illegal or unlawful material. ARC e-mail services shall not be used to harass, intimidate, or otherwise annoy another person. ARC shall not be held liable for damages related to inappropriate use of e-mail by ARC employees or their families. ARC e-mail account password duration shall be 90 days. At the end of 90 days each user shall be prompted to change his or her password. FAILURE TO FOLLOW ANY PART OF THIS POLICY WILL RESULT IN DISCIPLINARY ACTION, UP TO AND INCLUDING TERMINATION. 3.0 E-ARC.COM EMAIL ACCEPTABLE USE POLICY, TERMS AND CONDITIONS Microsoft Online Services Acceptable Use Policy (Note: Taken from Microsoft online website) Last updated: August 2009 This Acceptable Use Policy (formerly known as Code of Conduct) identifies activities that you are prohibited from engaging in when using Microsoft Online Services ("Services" or in the case of an individual service, "Service"), which includes any Service that links to this Acceptable Use Policy. Please report violations of this Acceptable Use Policy to Microsoft Online Services Customer Support. Include the words "Acceptable Use Policy" in the subject. When using Microsoft Online Services, you may not: Use the Services in a way that is against applicable law. Including: Illegal activity such as child pornography; gambling; piracy; violating copyright, trademark or other intellectual property laws. Accessing or authorizing anyone to access the service from an embargoed country. Threatening, stalking, defaming, defrauding, degrading, victimizing or intimidating anyone for any reason.
Invading anyone's privacy by attempting to harvest, collect, store, or publish private or personally identifiable information, such as passwords, account information, credit card numbers, addresses, or other contact information without their knowledge and consent. Use the Services in a way that could harm them or impair anyone else’s use of them. Including: Any attempt to gain unauthorized access to a Service, acting to deny others access to a Service, or authorizing any third party to access or use the Services on your behalf (such as anyone without a license or revealing to anyone your username and password). Use the Services to try to gain unauthorized access to any other service, data, account or network by any means. Use any automated process or service to access or use the Services such as a BOT, a spider or periodic caching of information stored by Microsoft. Intending to harm or exploit minors in any way, or collecting personally identifiable information of any minor. Falsify any email header information or in any way misrepresent your identity. Including misrepresenting the source of anything you post or upload or impersonating another individual or entity, such as with "spoofing". Use the Services to transmit, distribute, or deliver any unsolicited bulk or unsolicited commercial e-mail (i.e., spam). Except with regard to spam that you are directing to a Microsoft-provided e-mail spam filter. Remove, modify, or tamper with any regulatory or legal notice or link that is incorporated into the Services. Including providing or creating links to external sites that violate this Acceptable Use Policy or other legal agreements Microsoft provides. As well as any use of the Services to distribute any offering or link designed to violate these terms (e.g., enable sending of spam, enable denial of service attacks, etc.)
Additionally: Microsoft is not responsible for the content of any user-created posting, listing or message. The decision to view content or engage with others is yours. We advise you to use your judgment. You are responsible for protecting your computer against interference, spyware or viruses that may be encountered for downloaded items from the service. We recommend you install a virus protection program on your computer and keep it up to date. Information you provide or upload to the Services may be stored outside of the country in which you reside. Your use of any Microsoft Online Services administered through this site is governed by the terms and conditions of the agreement(s) under which you purchased the services. You can obtain a copy of your agreement(s) by contacting Microsoft Online Services Support. If Microsoft believes that unauthorized or improper use is being made of the Microsoft Online Services, it may, without notice and at its sole discretion, take such action as it deems appropriate, including blocking messages from a particular internet domain, mail server or IP address. Violation of this policy can lead to termination of a customer’s account. Microsoft reserves the right to amend or change the Acceptable Use Policy of any service at any time without notice. We encourage you to periodically review these guidelines to ensure you are in compliance. Nothing in this policy is intended to grant any rights in the Microsoft Online Services. Failure to enforce this policy in every instance does not amount to a waiver of Microsoft’s rights 4.0 EMPLOYEE ACKNOWLEDGEMENT I have reviewed the ARC e-mail policy. By signing and dating this form, I attest to my understanding and acceptance of this policy. 
I understand that if I am found in violation of this policy, I may be subject to ARC disciplinary action, up to and including termination, as well as civil and/or criminal prosecution.
Signature: Date: Print name:
ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 1 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies
ARCSD104 – IT Disaster Recovery
ARC Document Solutions Technology Center
ARC Document Solutions Fremont CA.
Information Technology Disaster & Recovery Procedures
Table of Contents
IT Disaster Recovery Plan
Attachment 1 Production Disaster Recovery Procedures
Attachment 2 Diagram & Emergency Staging Areas
Attachment 3 Emergency Services & Agencies List
ARCSD104-1 – IT DISASTER RECOVERY PLAN
Department: Information Technology
Address: 45535 Fremont Blvd City: Fremont State: CA. ZIP: 94538
Phone: 510 403 2400 FAX: 510 403 2499
Department Leader: Rahul Roy Title: Chief Technology Officer
Assistant Department Leader: Goutam Dastider Title: Director of Information Technology
1.0 Maintaining contact with members of the Company's Disaster Recovery Team during a disaster is critical to a successful Department recovery effort. Usual business phone numbers are listed below; these numbers should be used for all primary contact with Team members.
Disaster Recovery Coordinator:
Primary Name: Goutam Dastider Office Phone: 510 403.2404 Emergency Phone: 408 528 9176 Cellular Phone: 510 377 5444
Secondary Name: Demetrius Wallace Office Phone: 510 403.2422 Emergency Phone: 925 240 4665 Cellular Phone: 510 377 5449
Facilities / Equipment / Supplies / Transportation / Telecommunications:
Name: Parag Kothari Phone: 510 403 2411 Emergency Phone: 510 894 0350 Cellular Phone: 510 299 0352
Other Department Leaders:
Name: Ashish Singh Phone: 510 403 2409 Emergency Phone: 510 354 6175 Cellular Phone: 510 377 5438
Name: Chaitanya Garlapati Phone: 510 403 2452 Emergency Phone: 510 744 1819 Cellular Phone: 510 453 7673
Name: Eric Abirillo Phone: 510 403 2423 Emergency Phone: 510 494 9488 Cellular Phone: 510 377 2341
Name: Krishna Kumar Phone: 510 403 2416 Emergency Phone: __________________________ Cellular Phone: 510 453 7577
2.0 In the event that normal phone lines are not functional, alternate communications may be available by public phones. The public phones most readily accessible by Department personnel are:
Public Phone #1 (area code & number): N/A Location: N/A
Public Phone #2: N/A Location: N/A
Public Phone #3: N/A Location: N/A
3.0 The company has not established a hotline phone number for emergency use by all employees. Use of this special number is restricted to disaster recovery efforts and emergency notifications only, and is not to be used for any other purpose.
Disaster Recovery Hotline number (for employees only): 1 800 367 1091
Security Alarm Company number: 1 800 367 1091
4.0 The Department Leader or designate is to immediately take the following actions if a disaster occurs:
1. Assess any injury or damage to employees, clients, contractors, and facilities.
2.
Temporarily close and secure the facility, if necessary.
3. Contact appropriate emergency services, if necessary.
4. Begin documenting the effects of the disaster and actions taken; secure all assets and records.
5. First attempt to contact the company's Disaster Recovery Team Coordinators or Chairpersons with a damage assessment and actions taken report, and act upon instructions received.
6. If all documented attempts to communicate with Coordinators and Chairpersons have failed, the Department Leader or designate is authorized to initiate reasonable and prudent responses necessary to minimize potential:
   Injuries to employees, contractors, and clients;
   Damage to facilities; and
   Loss of assets and records.
5.0 The critical functions of the IT Department, to be serviced before the performance of any other task, are:
   Administrative operations;
   Computer operations;
   Network management;
   Technical Support;
   Control (custody) of mission-critical Company records; and
   Security (physical and I.T.).
6.0 The accessory, or secondary, functions of the Application & Database Departments are to be performed only after all critical functions have been addressed. Accessory functions of the Application & Database Departments include:
   IT project planning;
   Project management;
   System analysis and design;
   Software development;
   Software testing;
   Software documentation;
   Software release;
   Software support; and
   Software training.
7.0 Description of Department Leader's duties and responsibilities during a disaster:
1. Ultimately responsible for overall Department operations, including all personnel, clients, facilities, and IT assets.
2.
Department Security Officer, Department Compliance Officer and Department Disaster Recovery Team Coordinator; interior and exterior Department physical security and appearance.
3. Ensure adequate supervision for all personnel and functions while absent from the company or unavailable for contact; operational quality control.
4. Respond to and comply with all regulations, policies and procedures regarding Department operations; prepare reports as required.
5. Client (user) service and relations; resolving client complaints; approve unusual or unique transaction when no other person has immediate authority to do so; provide information to Company supervisor for media relations and all requests for interviews from the press, radio and television.
6. Provide appropriate members of the Disaster Recovery Team with accurate and timely information updates regarding the Department's recovery efforts.
7. Other duties and responsibilities, as required.
8.0 Description of Assistant Department Leader's duties and responsibilities:
1. Perform all duties and responsibilities of the Department Leader in his/her absence or because of his/her unavailability.
2. Ensure dual custody requirements are maintained for all functions; maintain key, employee information log for dual custody assignments; enforce employee and functional security procedures, Department opening and closing procedures.
3. Manage day-to-day operational functions and directly supervise all staff personnel.
4. Other duties and responsibilities, as required.
9.0 If a disaster occurs during working hours, the staff will evacuate the facility and assemble at:
BACKUP DATA CENTER (name): Mirrorplus Technologies Location: 45719 Northport Loop West (Parking Lot)
PRIMARY DATA CENTER (name): Mirrorplus Technologies Location: 47354 Fremont Blvd (Parking Lot)
A diagram of the facility and designated emergency staging areas is located at the end of this section (Attachment 2 page 66).
10.0 If a Data Center is unable to function in its normal location, all operations will immediately shift to these alternate sites:
BACKUP DATA CENTER: Operation will move to Primary Data Center
Location: ARC Document Solutions Sacramento Address: 801 Broadway City: Sacramento State: CA ZIP: 95818 Phone: 916.825.8747 Contact Brian Davis
PRIMARY DATA CENTER: Operations will move to Backup Data Center
Location: ARC Document Solutions Address: 45535 Northport Loop East City: Fremont State: CA ZIP: 94538 Phone: 510 403 2400 FAX: 510 403 2499
11.0 Recovery shall proceed according to the following timeline:
Within two hours of an IT disaster, the Director of IT shall:
   Assess the damage;
   Ensure that Top Management and IT Management have been notified;
   Determine if on-site recovery is feasible or if remote sites shall be utilized;
   Notify all Directors and Managers of the problem; and
   Ensure that Company employees have been notified.
Within four hours, the Director of IT shall:
   Notify offsite data storage facilities;
   Notify IT Managers at the primary and secondary recovery sites;
   Confer with all company managers and directors to review the situation and assign and schedule recovery tasks; and
   Contact the Company’s IT equipment supplier, if replacement equipment is needed.
Within eight hours, the Director of IT shall:
   Provide an updated assessment of the situation to Top Management, including a recovery schedule estimate;
   Alert software vendors to interim operations requirements;
   Ensure that recovery tasks are underway; and
   Establish a base of interim operations, if necessary.
Within twenty-four hours, the Director of IT shall:
   If replacement equipment is unavailable, begin alternate production schedules from a remote base of operations; and
   Ensure that the Company’s communications capabilities have been tested and verified.
Within forty-eight hours, the Director of IT shall:
   Provide an updated assessment of the situation to Top Management;
   Notify Company departments of interim production schedules; and
   Reestablish a full production schedule, following the priorities set forth by the IT Disaster Recovery Plan.
On delivery of any replacement equipment, the Network Team shall:
   Notify the Director of IT;
   Install and test software on the replacement equipment;
   Restore data on replacement equipment;
   Monitor restored operations; and
   Resume a full production schedule.
Within five working days, the Director of IT shall:
   Provide an updated assessment of the situation to Top Management;
   Notify Company employees of resumption of normal production schedules; and
   Resume normal operations.
12.0 If the Data Center is still operable, this checklist describes the functions or sections upon which you will concentrate recovery efforts, and in what order.
Before opening the Data Center:
a. Assess safety considerations for employees and customers.
b. Coordinate with emergency services agencies, if necessary.
c.
Conduct a damage assessment of the building and determine levels of operation and full restoration time for electricity, telephones, water, and computers.
d. Ensure all areas of responsibility are staffed.
e. Ensure adequate equipment and supplies are available.
f. Arrange for the safe relocation of all records and equipment, if necessary.
13.0 If it is safe to open the Data Center, reestablish:
   Employee, customer, facility, assets, and records security;
   Contact with Top Management;
   Corporate files and financial records;
   Personnel and fixed asset records;
   Accounting records;
   Other Company records.
14.0 The Department requires these logistical factors to be available to perform critical functions:
Square feet: 3000
Maximum number of personnel (employees and contractors): all
Maximum number of customers: 0
Special relocation needs in the event the facility is unable to support Department operations are:
15.0 A listing of all emergency services, personnel, and equipment available to this Department is located at the end of this procedure (Attachment 3 page 87).
Additional guidelines to assist disaster recovery efforts for this Department are:
Written operations procedures: Document ARCSD104 -1 IT - Disaster & Recovery Procedures
Location stored: Both Primary and Backup Data Centers
Container description: Disaster Recovery Procedures
16.0 All service agreements and vendor information are available by contacting: Primary or Secondary Disaster Recovery Coordinators
17.0 Additional office supplies, emergency equipment and survival supplies to assist disaster recovery efforts for this Department are:
Emergency medical supplies available: Primary and Backup Data Centers
Location stored: Break Room Areas
Container description:
An appropriate supply of the following forms is to be maintained:
Attachment 1 Production Disaster & Recovery Procedures
The following is a detailed list of steps involved in bringing the Backup Data Center online in the event of a complete Primary Data Center failure. The primary method for recovery of production data is through tape restoration. The timeline to bring the Backup Data Center online is estimated at 6 to 7 days with our current configuration. The list below specifies all areas of recovery, with a complete step-by-step process provided thereafter.
AREA OF RECOVERY
1. Hardware Procurement
   Tape Drives
   Hard Drives
   Servers
2. Server Hardware & Software Builds
3. Network Configuration Changes
4. SAN MA8000 Re-Configuration
   Data Restoration & Testing
   National Vault FTP Data
   Bidcaster User Work Area Data
   SubHub Download Data
5. Applications
   A. PLANWELL
      i. Customer
      ii. Employee
      iii. Console
   B. SUBHUB
   C. DATA BASES
      i. Planwell
      ii. SubHub
   D. PREVIEW FAX CONVERSION
6. EMAIL
7. METAPRINT
8. ABACUS
1. Hardware Procurement
The following is a list of additional hardware that would need to be procured to implement a full Disaster Recovery procedure.
1. 5 HP Proliant Servers Model DL380
2. 2 Dell LTO3 Tape Drives
3. 50 146 GB Disk for the MA8000 SAN
2. Server Hardware & Software Builds
The following is a list of servers in our (PS) Production Site and (BS) Backup Site that have been identified to bring production back online in the event of a disaster that would shutdown our primary data center production. The server in the Backup Site would be re-imaged with the appropriate operating systems and network connectivity. Once systems have been imaged with all updates applied we would then turn the servers over to our database and application departments. The timeline for re-imaging all servers is 2 days.
PS Server by Name   BS Server by Name        Application/Purpose
PSAMCCUSTWS         DC5                      order.e-arc.com
PSAMCEMPWS          DC1CUSTWS1               amc employee web server
PSLICCUSTWS         DC1EMPWS1                Licensing cust web server
PSLICEMPWS          DC1OVWS1                 Licensing emp web server
PSRPLWS             DC1LICEMPWS1             Replicator Web Server
PSDBWS              DC1LICCUSTWS1            db web server
PSREPORTWS          DC1CRWS1                 Reports Web server
PSPWINTEGRATION     ReplicatorWs2            Planwell Integration
PSOVWS              DC1QEWS1                 Oneview
PSFSFTP             DRSTAGDB1                FailSafe
PSQEWO              PWINTEGRATION1           Qewo
PSENTFTP            BSA01C2FTP1              ent ftp
PSENTDB             BSA28C3WELL1             Ent DB
PSPINDB             BSA35C3PIN1              Pin SQL DB
PSDC1               BSAARCDBC                Primary Domain Controller
PSDC2               BSA01C10DC1              Backup Domain Controller
PSREMOTEMASTER      ReplicatorWs1            Remote Master
PSBCUWA             BSA08C2FTP2              BCUWA
PSREPORTDB          REPORTDB1                REPORRDB (CRDB1)
PSSHWS              ****BUY NEW SERVER***
PSPINADMWS          BSA31C8TSCL1             Pinadmin Web Server
PSSHUPL             ****BUY NEW SERVER***
PSSHUNZIP           ****BUY NEW SERVER***
PSSHDWL             BSA33C8TSCL2             SubHub Download
PSDEJAVU            DC1LICUSTWS2             Dejavu application server
PSCPC               DC1CUSTWS2               Convert tiff to CPC files
PSOCR               Storageman               Fax to text files
PSNOTIFICATION      AMCloc02                 notification server
PSSERACHINDEX       Rahulhome3               Search Index
PSEMAILPROC         EPAVILLION               Email processor
PSFAXPROC           ****BUY NEW SERVER***
PSPICKUPPROC        ****BUY NEW SERVER***
PSCRMWS             DC1DBWS2                 CRM Web server
PSCRMDB             DC1STANDBYSQL            CRM DB server
PSBACKUP            BSA08C2FTP2              BCUWA/Backup Server
3. Network Configuration Changes
DNS CHANGES
Here are all the domains and associate records that we have with AT&T. These are the entries that need to be updated with new IP addresses (208.36.2.xx). DNS Changes can be done by log on to AT&T website.
The following is the link to log to make DNS configurations. http://www.businessdirect.att.com Login: ARCadmin Password:xxxxxxxxxx
b) Cisco PIX Firewall (PIX520) at backup Datacenter have to reconfigure with new IP addresses and have to open specific ports according to Primary Datacenter PIX config.
4.
SAN MA8000 Re-Configuration, Restoration & Testing
Existing Configuration
The following is a list of recovery disk capacity:
Note: all configurations will be done through command line input
After reconfiguration of the SAN the following data would need to be restored.
1. NATIONAL VAULTS FTP DATA
2. BIDCASTER USER WORK AREA
3. SUBHUB DOWNLOAD DATA
Following the restoration of data to the MA8000 Storage Area Network (SAN) the data will be validated and servers given to application owner for final configuration, testing and presenting servers online.

                     9GB DRIVES  18GB DRIVES  36GB DRIVES  72GB DRIVES  146GB DRIVES  TOTAL # DISK
SHELF6               2           1            2            5            4
SHELF5               0           3            2            5            4
SHELF4               1           1            2            4            4
SHELF3               0           3            2            4            4
SHELF2               1           2            2            4            3
SHELF1               0           2            2            4            4
TOTAL                4           12           12           26           23            77
                     X9          X18          X36          X72          X146
TOTAL DISK CAPACITY  36GB        216GB        422GB        1.872TB      3.358TB       5.904TB

                     72GB DRIVES  146GB DRIVES  TOTAL # DISK
SHELF6               2            12
SHELF5               2            12
SHELF4               2            12
SHELF3               2            12
SHELF2               2            12
SHELF1               1            13
TOTAL                11           73            84
                     X72          X146
TOTAL DISK CAPACITY  792 GB       10.658 TB     11.450 TB
Raw not logical capacity

Backup Tape Recovery Procedures
Tape Title: Full Backup Tapes - Policy (up to 5 weeks recovery)
Off-Site Location
Brownie's Digital Imaging
1322 V Street
Sacramento CA 95818
916-443-1322
Tim Murphy - President
Emergency Contact - Brian L Davis IT Manager Brownie's Digital 916-496-2343 mobile cell phone is on 24/7/365.
Tape Title: Incremental Backup Tapes - Policy (up to 4 weeks recovery)
Off-Site Location
Inprint
1161 North Fairoaks Ave
Sunnyvale CA. 94089
408-239-9583
Hussein Cell# 408 239 9583
Emergency Contact - Goutam Dastider/ Demetrius Wallace IT Director/ Sr.
Network Manager Cell# 510 377 5444/ 510 377 5449 We have a key and alarm code to enter this facility 24/7 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 22 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies 5A. Applications 5A.PLANWELL PLANWELL, EWO & BIDCASTER This section can be commonly used to install the customer and employee web site web servers for PlanWell, EWO and BidCaster applications for the ARC member companies as well as the Licensing companies. System Requirements This section describes about the System requirements for the application. One server each for AMC Customer web site, LIC Customer web site, AMC Employee admin web site, LIC Employee admin web site will be required to be set up as per the minimum configuration settings given below: Application No of servers AMC Customer web site : 1 server LIC Customer web site : 1 server AMC Employee admin web site : 1 server LIC Employee admin web site : 1 server Minimum server configuration: Windows 2003 Standard Edition, Xeon CPU 3 GHz, 3.5 GB RAM Software Description Notes .NET Framework 1.1 Download the latest from Microsoft.com FWKFTPLIB.dll Viewing Files Need to register. 
Before registering it , the following dlls need to be copied into WINDOWS\System32 MSVCRTD.DLL MFC42D.DLL MFCO42D.DLL LeadTools Viewing Files LeadTools CD MS Xml 3.0 XML usage Get from Build machine path Application Installation Procedure Web Sites Website set up for AMC/LIC Customer/Employee web site on separate servers: PRE-INSTALLATION STEPS This section describe about the steps required for Pre-Installation AMC CUSTOMER WEB SERVER AND LIC CUSTOMER WEB SERVER Create folders and copy required files as given below: C:\ECOM\All_Dlls C:\ECOM\arc_Customer C:\ECOM\PlanWell5 C:\ECOM\Temp-XML\OrderArchives C:\FailSafeOrders C:\TempFiles ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 23 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies All the above folders and files can be completely copied from the Build machine at the following location: \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-CustomerWeb Copy the initialization file arc.ini as given below in respective servers: AMC Customer: \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-CustomerWeb\ MachineSpecificFiles\AMC-Customer LIC Customer: \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-CustomerWeb\ MachineSpecificFiles\LIC-Customer The above share path always contains the latest files for all the folders defined above. 
In case the Build server is down for any reason, the same files can be picked up directly from the Source Safe VSS, at the following path:

$/ARC-PINEnterprise/ProductionSetUp/MainHardDrive

AMC EMPLOYEE WEB SERVER AND LIC EMPLOYEE WEB SERVER

Create folders and copy required files as given below:

C:\ECOM\DLL
C:\ECOM\ASP
C:\ECOM\ASP\JobTickets
C:\ECOM\ASP\Reports
C:\ECOM\PlanWell5
C:\ECOM\PlanWellConsole

All the above folders and files can be completely copied from the Build machine at the following location:

\\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-EmployeeWeb

Copy the initialization file arc.ini as given below in respective servers:

AMC Customer: \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-EmployeeWeb\MachineSpecificFiles\AMC-Employee
LIC Customer: \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-EmployeeWeb\MachineSpecificFiles\LIC-Employee

The above share path always contains the latest files for all the folders defined above.

INSTALLATION STEPS

This section describes the steps to be performed to install the application.

AMC CUSTOMER WEB SERVER AND LIC CUSTOMER WEB SERVER

Create the following virtual directories

AMC Customer Web Server

| Virtual Directory Name | Path | Description | Binaries Location | URL |
|---|---|---|---|---|
| arcEOC | C:\ECOM\arcCustomer | PlanWell/EWO/BidCaster web files | Build machine \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-CustomerWeb\ECOM\arc_Customer | Order.e-arc.com |
| PlanWellViewer | C:\TempFiles | Temporary Dir for File viewing | EARCy | |
| UserWorkArea | \\Psuwavirtual\AMCUserWorkArea | BidCaster User work area | Tape back up restoration | |

LIC Customer Web Server

| Virtual Directory Name | Path | Description | Binaries Location | URL |
|---|---|---|---|---|
| Default Web Site | C:\ECOM\arcCustomer | PlanWell/EWO/BidCaster web files | Build machine \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-CustomerWeb\ECOM\arc_Customer | Order.planwell.com |
| PlanWell | C:\ECOM\arcCustomer\PlanWell | For Redirection purposes | | |
| PlanWellViewer | C:\TempFiles | Temp Dir for File viewing | EARCy | |
| UserWorkArea | \\Psuwavirtual\AMCUserWorkArea | BidCaster User work area | Tape back up restoration | |

AMC EMPLOYEE WEB SERVER AND LIC EMPLOYEE WEB SERVER

Create the following virtual directories

AMC Employee Web Server AND LIC Employee Web Server

Common virtual directory set up is needed for the AMC and LIC Employee web servers as follows:

Main Build Machine Path: \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-EmployeeWeb\ECOM\

| Virtual Directory Name | Path | Description | Binaries Location | URL |
|---|---|---|---|---|
| Default Web Site | C:\ECOM\ASP | PlanWell/EWO/BidCaster web files | Build machine \\192.168.0.109\PlanWellShare\PRODUCTION\PWBCEWO-EmployeeWeb\ECOM\ASP | member.planwell.com |
| PlanWellConsole | C:\ECOM\arcCustomer\PlanWell | For Redirection purposes | Build machine path as given above to this specific folder | |
| Reports | C:\ECOM\ASP\Reports | Dir for Reports | Build machine path as given above to this specific folder | |
| Viewer | C:\Program Files\Crystal Decisions\Enterprise 10\Web Content\Enterprise10\viewer | BidCaster User work area | Build machine path as given above to this specific folder | |
| PPS | | Executables | Build machine path as given above to this specific folder | |

POST INSTALLATION STEPS

A. COM Dll’s registration:

Important Note: The following COM DLLs must always be registered in the exact sequence given below, as each DLL depends on the ones registered before it.
AMC CUSTOMER WEB SERVER AND LIC CUSTOMER WEB SERVER

Register the Dll’s in the folder c:\ECOM\All_Dlls\

| Location | Action | Value |
|---|---|---|
| ABCUpload4.dll | Register COM DLL | Regsvr32 ABCUpload4.dll |
| ArcSock.dll | Register COM DLL | Regsvr32 ArcSock.dll |
| PWCryptoLib.dll | Register COM DLL | Regsvr32 PWCryptoLib.dll |
| arcEOC.dll | Register COM DLL | Regsvr32 arceoc.dll |
| arcQuote.dll | Register COM DLL | Regsvr32 arcQuote.dll |
| arcEOCTracker.dll | Register COM DLL | Regsvr32 arcEOCTracker.dll |

AMC EMPLOYEE WEB SERVER AND LIC EMPLOYEE WEB SERVER

Register the Dll’s in the folder c:\ECOM\DLL\

| Location | Action | Value |
|---|---|---|
| PWCryptoLib.dll | Register COM DLL | Regsvr32 PWCryptoLib.dll |
| arcDictionaryLib.dll | Register COM DLL | Regsvr32 arcDictionaryLib.dll |
| arcEOC.dll | Register COM DLL | Regsvr32 arceoc.dll |
| arcMEM.dll | Register COM DLL | Regsvr32 arcMEM.dll |

B. Other settings:

Establish SQL Client Connectivity

Install & Configure Crystal Reports Viewer 10 for reports with IIS settings

Time out settings: Right-click on Default Web Site root > Home Directory > Configuration > Options
Session timeout: 30 minutes
ASP script timeout: 300 minutes
Apply these settings for all the child nodes in IIS

At Run command type in “net start w3svc” to start the IIS server OR do it manually by starting the service in the IIS manager screen

INSTALL VERIFICATION AND TESTING

This section describes the testing procedure for validating the application installation.

Test the database connectivity from the web servers using the ODBC tools

Open the Web page through qualified URL’s as given below:

https://order.e-arc.com
https://order.planwell.com
https://member.e-arc.com
https://member.planwell.com

Log in to sites using test accounts and see if everything is working fine.
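The COM DLL registration in the post-installation steps above depends on order, so a failed registration should halt the sequence rather than be skipped. The script below is an added example, not part of the original runbook: it registers one server role's DLLs in the listed order, stops at the first failure, and then checks that each DLL is registered from the expected folder. The function names, the -Role and -DryRun parameters, and the assumption of a 32-bit server with PowerShell 2.0 or later are illustrative.

```powershell
# Added example - not part of the original runbook.
param(
    [ValidateSet('Customer', 'Employee')]
    [string]$Role = 'Customer',
    [switch]$DryRun   # print the planned regsvr32 calls without running them
)
$ErrorActionPreference = 'Stop'

# Folders and registration order exactly as listed in the runbook.
$Plan = @{
    Customer = @{
        Folder = 'C:\ECOM\All_Dlls'
        Dlls   = @('ABCUpload4.dll', 'ArcSock.dll', 'PWCryptoLib.dll',
                   'arcEOC.dll', 'arcQuote.dll', 'arcEOCTracker.dll')
    }
    Employee = @{
        Folder = 'C:\ECOM\DLL'
        Dlls   = @('PWCryptoLib.dll', 'arcDictionaryLib.dll', 'arcEOC.dll', 'arcMEM.dll')
    }
}

# regsvr32.exe exit codes; 0 means success.
$ExitText = @{
    1 = 'invalid command line'
    2 = 'OLE initialisation failed'
    3 = 'DLL could not be loaded (often a missing dependency)'
    4 = 'DllRegisterServer entry point not found'
    5 = 'DllRegisterServer returned an error'
}

function Register-ComDllsInOrder {
    param([string]$Folder, [string[]]$Dlls, [switch]$DryRun)

    # Check every file first so a missing DLL cannot leave the chain half registered.
    $missing = @($Dlls | Where-Object { -not (Test-Path (Join-Path $Folder $_)) })
    if ($missing.Count -gt 0) {
        throw "Missing in ${Folder}: $($missing -join ', ')"
    }

    $regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
    foreach ($dll in $Dlls) {
        $path = Join-Path $Folder $dll
        if ($DryRun) { Write-Output "[dry run] regsvr32 /s `"$path`""; continue }

        $proc = Start-Process -FilePath $regsvr -ArgumentList '/s', "`"$path`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            # Later DLLs depend on earlier ones, so nothing after a failure is attempted.
            $why = $ExitText[[int]$proc.ExitCode]
            throw "regsvr32 failed for $dll (exit $($proc.ExitCode): $why); remaining DLLs not registered."
        }
        Write-Output "registered $dll"
    }
}

function Test-ComRegistrationPath {
    param([string]$Folder, [string[]]$Dlls)

    # Collect every InprocServer32 path whose file name matches one of the DLLs.
    $found = @{}
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "$($_.PSPath)\InprocServer32"
        if (Test-Path $key) {
            $server = (Get-ItemProperty -Path $key).'(default)'
            if ($server) {
                $server = $server.Trim('"')
                $name = [IO.Path]::GetFileName($server)
                if ($Dlls -contains $name) {
                    if (-not $found.ContainsKey($name)) { $found[$name] = @() }
                    $found[$name] += $server
                }
            }
        }
    }

    # A DLL registered from any other folder (or in 8.3 short form) is flagged for review.
    foreach ($dll in $Dlls) {
        $expected = Join-Path $Folder $dll
        $paths = @()
        if ($found.ContainsKey($dll)) { $paths = @($found[$dll] | Select-Object -Unique) }
        $status = if ($paths.Count -eq 0) { 'NOT REGISTERED' }
                  elseif (@($paths | Where-Object { $_ -ine $expected }).Count -gt 0) { 'UNEXPECTED PATH' }
                  else { 'OK' }
        New-Object PSObject -Property @{
            Dll = $dll; Status = $status; RegisteredFrom = ($paths -join '; ')
        } | Select-Object Dll, Status, RegisteredFrom
    }
}

$target = $Plan[$Role]
Register-ComDllsInOrder -Folder $target.Folder -Dlls $target.Dlls -DryRun:$DryRun
if (-not $DryRun) {
    Test-ComRegistrationPath -Folder $target.Folder -Dlls $target.Dlls | Format-Table -AutoSize
}
```

Run it from an elevated prompt on the server being rebuilt; a row marked UNEXPECTED PATH means a class is served by a copy of the DLL outside the folder the runbook names.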
CONSOLE

Disaster recovery for PlanWell PDS (PRODUCTION):

PDS is a box solution. The tech center does NOT host the product in house. Customers who buy PDS are responsible for their own disaster recovery – that is clear in our sales agreement for the product. So, there is no disaster recovery for PDS in Primary Data Center. Both the hardware and the software for the application are managed by the customer who buys it. All we offer is the technical support for the product. However, we do distribute the software that is on an HTTP server (208.36.2.14). The document containing the list of the PDS download URLs.

Disaster recovery for PlanWell PDS (STAGING):

Now, we host the staging server for PDS – that is used by our ARC divisions for training and testing purposes. The BDC hosts the PDS staging server on 192.168.0.14.

a. Website (browser) is being hosted on 192.168.0.14 (staging1ws1). The URL to access the website is http://staging1.e-arc.com/pwpds.
b. Database is also installed on 192.168.0.14 (staging1ws1). The name of the database is PlanWellPDS.

Following are steps for PDS application disaster recovery:

Steps for Disaster recovery for PlanWell PDS (STAGING):

1. Identify and get any standalone system. This system should have the pre-requisites as specified in the attached PDS installation guide - STEPS FOR PDS PLANWELL INSTALLATION.PDF. – Time Taken: 4 hrs
2. Install the PDS browser and database components by following the procedure as specified in the attached installation guide. – Time Taken: 2 hrs

Total time: 6 hrs

PlanWell ISAPI extension

Definitions

PlanWell ISAPI Extension is a backend component used for the replication process.
This component is to be installed on ReplicatorWS1 & Replicator WS2.
Make sure the virtual roots are the same on both systems.

This document describes the following applications:

PlanWell ISAPI Extension

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2000 Server | Windows 2000 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| MSXML | MSXML | Install MSXML 3.0, 4.0 & MSXML 4.0 SP2 |
| SARC Service | Simple Mail Transfer Protocol (SMTP) | This service should be installed and running |
| Dependent DLLs | Copy Dependent DLLs to System32 folder | MFCO42D.DLL (Copy & Register), MSVCRTD.DLL (Copy) |
| ADO | Microsoft Active Data Access Objects version 2.7 | This can be downloaded from the Microsoft web site |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\PWReplicator and Depends.
PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1:
Copy the SQLWExtension-PW4 configuration file to C:\Winnt for AMC companies
Copy the SQLWExtensionLic-PW4 configuration file to C:\Winnt for LIC companies
Change the database settings in the configuration file if required
Change the folder path in the configuration file section SQLWTempPath to the following temporary folders created

Step 2: Create Temporary folders
Create the following temporary folder structure for AMC companies: E:\Temp\SQLWExtension\SQLWExtension
Create the following temporary folder structure for LIC companies: E:\Temp\SQLWExtensionLIC\SQLWExtension

Step 3: Give Read and write access permissions to the above temporary folders.

Step 4:
Create the folder structure E:\Temp\ReplicatorIIS-AMC\SQLExtension for AMC Companies
Copy the DLLs from net1 into the created SQLExtension folder: SQLWExtension.dll & SQLWExtensionMsg.dll for AMC Companies
Create the folder structure E:\Temp\ReplicatorIIS-LIC\SQLExtension for AMC Companies
Copy the DLL from net1 into the above created folder: SQLWExtensionLIC.dll

Step 5: Run the SQLWEventLog.reg file (path is E:\Replicator-IIS-Req\For SQLExtension\Registry Files)

Step 6: Change EventMessageFile to the path where SQLWExtensionMsg.dll is copied. To change the path, edit the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SQLWExt)

Step 7: Run SQLWBatchCount.reg (path is E:\Replicator-IIS-Req\For SQLExtension\Registry Files)

Step 8:
For AMC companies create a virtual directory (ProdProjRoot), configure it in IIS, and point the virtual root to the folder where SQLWExtension.dll resides
For LIC companies create a virtual directory (PwLicProjRoot), configure it in IIS, and point the virtual root to the folder where SQLWExtensionLIC.dll resides

Step 9:
Verifying AMC Setup
Browse to SQLWExtension.dll; it should show a message, which means it is correctly installed. If it gives an error, something is wrong in the installation.
Verifying LIC Setup
Browse to SQLWExtensionLic.dll; it should show a message, which means it is correctly installed. If it gives an error, something is wrong in the installation.

Installation Procedure of PlanWell Account Sync component

Step 1: Install SQLXML3.0
Step 2: Create a folder inside ReplicatorIIS-AMC called For Epavilion Schema Files. Copy the Epavilion folder (contains the XML schema files) into the above folder (E:\ReplicatorIIS-AMC\For Epavilion Schema Files)
Step 3: Open the SQLXML3.0 application
Step 4: Create a virtual root named ProdAccRoot pointing to the Epavilion folder
Step 5: On the Virtual Names tab, create 3 objects (DbObject, Schema pointing to the Epavilion\Schema folder, & Template folder pointing to the Epavilion\Template folder)
Step 6: Repeat the above steps for LIC; the virtual root will be PwLicAccRoot

Installation Procedure of PlanWell Replicator component

Step 1: Create a folder inside ReplicatorIIS-AMC called Replicator
Step 2: Copy the ASP pages to the above folder (getftpdetailsEncrypted.asp & PWReplicatorMailNotify.asp)
Step 3: Create a virtual root called ProdRRoot pointing to the above folder
Step 4: If required, change the database settings inside the getftpdetailsEncrypted.asp page
Step 5: On this system configure the SMTP server so that it can send e-mails whenever the replication fails.
Step 6: Follow the above steps for LIC; the virtual root will be PwLicRRoot

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

Verification of AMC Setup
Browse to SQLWExtension.dll; it should show a message, which means it is correctly installed. If it gives an error, something is wrong in the installation.
Verification of LIC Setup
Browse to SQLWExtensionLic.dll; it should show a message, which means it is correctly installed. If it gives an error, something is wrong in the installation.

PlanWell MakeCD (PWProjectViewer Server) Component

Definitions

PlanWell Project Viewer is used by the Legacy MakeCD component.
PlanWell Project Viewer has to be configured on DBServer1 & DB server 2.
The same components are used for both AMC and LIC companies.
Make sure the virtual roots are the same on both systems.

This document describes the following applications:

PlanWell Project Viewer

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2003 Server | Windows 2003 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| .NET Framework | .NET Framework | Install .NET Framework |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\PWProjectViewer Server.

PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1: Create Virtual Root called PWApps.
Step 2: Create virtual Root PWApps\2AE491ED\PWPROJECTVIEWER
Step 3: Create Virtual Root called QUICKEWO
Step 4: Copy GetMakeCDOrderLinksEncrypted.asp page under the virtual root
Step 5: In the PlanWell database, the MakeCD Order row of the Console20_settings table has to be updated. The values written must be Base64-encoded.

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

This feature has to be tested from PlanWell Project Viewer

PlanWell Web Services

Definitions

PlanWell Web Services is a backend component used by console and Quick EWO for placing orders.
PlanWell Web Services has to be configured one instance on both AMC & LIC.
This component is to be installed on OneView Server1 & OneView Server2.
Make sure the virtual roots are the same on both systems.

This document describes the following applications:

PlanWell Web Services

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2003 Server | Windows 2003 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| .NET Framework | .NET Framework | Install .NET Framework |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\PlanWell Web Services.

PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1: Copy the files from net1
Step 2: Create a virtual root called PWOrderWebService pointing to the folder.
Step 3: Edit the configuration file for the following entries
1. FTPSourcePath → FTP path: UNC path where Quick EWO sends the ZIP files
2. FTPTargetPath → FTP target path: UNC path where the Quick EWO FTP folders based on epmemberid are created. Point to the root folder
3. NetworkDomain → Network domain name to access the path
4. NetworkPassword → Network password to access the path
5. OrderURL → HTTP path for SmrPrint.asp of the Customer browser

Step 4:

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

This feature has to be tested from Enterprise console and Quick EWO by placing an order

PlanWell Pickup Server Component

Definitions

PlanWell Pickup Server Component is used by the Pick up Application.
PlanWell Pickup Server Component has to be configured on DBServer1 & DB server 2.
This application has to be configured for AMC companies only.
Make sure the virtual roots are the same on both systems.

This document describes the following applications:

PlanWell Pickup Server Component

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2003 Server | Windows 2003 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| .NET Framework | .NET Framework | Install .NET Framework |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\PlanWell Pick Up.
PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1: Create Virtual Root PWApps/2AE491ED/PickupApp
Step 2: Copy files from net1
Step 3: Register DLL - DataAccess.dll
Step 4: If required change the Database entries in ASP pages

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

This feature has to be tested from PlanWell Pick up Application

PlanWell Network Queue

Definitions

PlanWell Network Queue is a backend component used by Enterprise console.
PlanWell Network Queue has to be configured on DBServer1 & DB server 2.
The same components are used for both AMC and LIC companies.
Make sure the virtual roots are the same on both systems.

This document describes the following applications:

PlanWell Network Queue

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2003 Server | Windows 2003 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| .NET Framework | .NET Framework | Install .NET Framework |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\PlanWell Network Queue.

PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1: Two FTP servers / FTP virtual roots are required (one acts as Source and the other as Target); both can be kept on one system.
Step 2: On Target Server create FTP virtual roots for all AMC companies
Step 3: FTP virtual roots have to be updated in the epavilion table with the path based on epmemberid
Step 4: Create Virtual Root called PWApps
Step 5: Create Virtual Root called PWApps\2AE491ED
Step 6: Create Virtual Root called PWApps\2AE491ED\QUICKEWO
Step 7: Copy GetQEWOPasswordEncrypted.asp page under the virtual root
Step 8: If required change the Database entries in the ASP page
Step 9: In the PlanWell database, the QuickEWOLinks row of the Console20_settings table has to be updated. The values written must be Base64-encoded. The values should be in the following order: FTPServer, FTPuserID, FTPPassword, Order URL.
Step 10: Create Virtual Root called PWApps\2AE491ED\PWREMOTEQ
Step 11: Copy the files from net1
Step 12: Change the Database connection entry in RQ.ini
Step 13: Register the DLL RemoteQueue.dll

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

This feature has to be tested from Console. Remote Queue functionality has to be tested

PlanWell Mail Processor

Definitions

PlanWell Mail Processor is a backend component used by console and Quick EWO for sending emails.
PlanWell Mail Processor has to be configured one instance on both AMC & LIC.
This component is to be installed on DbSerer1 for AMC Companies and DbSerer2 for LIC companies.
This document describes the following applications:

PlanWell Mail Processor

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2003 Server | Windows 2003 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| MSXML3.0 | MSXML3.0 | Install MSXML3.0 |
| CDONTS | CDONTS | Search for CDONTS; if not existing, copy the CDONTS and register |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| SARC Service | Simple Mail Transfer Protocol (SMTP) | This service should be installed and running |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\ PlanWell Mail Processor.

PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1: The network team has to configure the reverse DNS for this server
Step 2: Copy PWMail files from net1
Step 3: Copy the .INI file to the Windows folder
Step 4: If required, edit the database entries
Step 5: PWTempFolderPath - Create a temp folder and give the path
Step 6: Emergency911MailId - If any mail fails, an e-mail is sent to this address. Configure other entries in INI
Step 7: EMBURL - Customer Web site URL to smrprint.asp page
Step 8: Register PWMailProcessor Service
Step 9: Change the service to AUTO

Repeat the above steps for LIC. After Step 6, configure the notification summary page and repeat the rest of the steps.
PINURL - PWELL_NotificationSummary.asp page path on customer web site

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

This feature has to be tested from Enterprise console and Quick EWO by placing an order

PWCDB server Component

Definitions

PWCDB server Component is used for PlanWell remote operations.
PWCDB server Component has to be configured one instance for both AMC & LIC.
This component is to be installed on DbSerer1 for AMC Companies and DbSerer2 for LIC companies.

This document describes the following applications:

PWCDB server Component

System Requirements

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2003 Server | Windows 2003 Server |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| MSXML3.0 | MSXML3.0 | Install MSXML3.0 |
| CDONTS | CDONTS | Search for CDONTS; if not existing, copy the CDONTS and register |
| SQL Client tools | SQL Client tools | Install SQL Client tools 2000 |
| ADO 2.6, SP2 | ADO 2.6, SP2 | ADO 2.6 & SP2 |

Application Installation Procedure

Web Sites

This component is available at \\net1\PDMSConsoleBuilds\PWCDB server Component.

PRE-INSTALLATION STEPS

None

INSTALLATION STEPS

Step 1: Open msdfmap.ini (C:\windows)
Step 2: Check the [CONNECT DEFAULT] section, and if the ACCESS parameter is set to NOACCESS, change it to READONLY.
Step 3: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo" and make sure HandlerRequired is set to 0 and DefaultHandler is "" (Null string).
Step 4: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch" and verify that there is a key called RDSServer.Datafactory. If not, create it.
Step 5: Using Internet Services Manager, go to the Default Web Site and view the properties of the MSADC virtual root. Inspect the Directory Security/IP Address and Domain Name Restrictions. If the "Access is Denied" is checked then select "Granted".
Step 6: Copy the DLL & Register the PWCDBServerLib.dll & .ini file
Step 7: Change the .ini file and copy to Windows folder
Step 8: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\PWCDBServerLib.clsPWDBServer"
Step 9: Setup the ISAPI Filter

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

This feature has to be tested from Enterprise console and Quick EWO by placing an order or any address book operations

BIDCASTER PICKUP PROCESSOR

Definitions

This section can be used to install the Pickup Processor server for Pickup Processor application and service.

System Requirements

This section describes the system requirements for the application.
One server each for the AMC and LIC Pickup Processor application will be required to be set up as per the minimum configuration settings given below:

| Application | No of servers |
|---|---|
| AMC Pickup Processor | 1 server |
| LIC Pickup Processor | 1 server |

Minimum server configuration: Windows 2003 Standard Edition, Xeon CPU 3 GHz, 3.5 GB RAM

| Software | Description | Notes |
|---|---|---|
| .NET Framework 1.1 | | Download the latest from Microsoft.com |

Application Installation Procedure

Web Sites

Set up for Pickup Processor server:

PRE-INSTALLATION STEPS

This section describes the steps required for pre-installation.

PICKUP PROCESSOR SERVICE

Create folders and copy required files as given below:

E:\BroadCastDISP-SERVICE
E:\BroadCastDISP-SERVICE\Install Batch Files

The above folders and files can be completely copied from the Build machine at the following location:

\\192.168.0.109\PlanWellShare\PRODUCTION\PickupProcessorService

The above share path always contains the latest files for all the folders defined above.

In case the Build server is down for any reason, the same files can be picked up directly from the Source Safe VSS, at the following path:

$/ARC-PINEnterprise/ServerApplications/LIVEBroadCastDispatcherSERV

Note: The above process needs to be repeated for the LIC Pick up processor service on a separate machine. The steps are exactly the same as above.
Get the AMC/LIC specific config setting file “BroadCastDispatcherService.exe.config” and copy it onto the E:\BroadCastDISP-SERVICE folder as follows:

AMC: \\192.168.0.109\PlanWellShare\PRODUCTION\PickupProcessorService\AMC
LIC: \\192.168.0.109\PlanWellShare\PRODUCTION\PickupProcessorService\LIC

INSTALLATION STEPS

This section describes the steps to be performed to install the application.

PICKUP PROCESSOR

Install BroadCastDispatcherService as one of the services:

From the directory E:\BroadCastDISP-SERVICE\Install Batch Files do the following:

Right-click the file “Install_BroadcastDispatcherservice.bat” and click on edit.

Confirm that the path of the service application executable “BroadCastDispatcherService.exe” points to the right path. For example:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe "E:\BroadCastDISP-SERVICE\BroadCastDispatcherService.exe"

After that, run the batch file once. This will create the BroadCastDispatcherService as one of the available services on this machine.

POST INSTALLATION STEPS

Go to Services by Windows navigation or type in services.mmc in the Start > Run command.
Locate the service “BroadCastDispatcherService” in the services listing.
Right-click on that service and click on Start.

INSTALL VERIFICATION AND TESTING

This section describes the testing procedure for validating the application installation.

Check the Log file under the LogFiles directory to check for any errors.
Send out a test broadcast and confirm that the broadcasts are being sent to queue.
ONEVIEW

Definitions

This section can be used to install the OneView web site web servers for the OneView application.

System Requirements

This section describes the system requirements for the application.

One server for the OneView web site will be required to be set up as per the minimum configuration settings given below:

| Application | No of servers |
|---|---|
| OneView web site | 1 server |

Minimum server configuration: Windows 2003 Standard Edition, Xeon CPU 3 GHz, 3.5 GB RAM

| Software | Description | Notes |
|---|---|---|
| .NET Framework 1.1 | | Download the latest from Microsoft.com |

Application Installation Procedure

Web Sites

Website set up for OneView server:

PRE-INSTALLATION STEPS

This section describes the steps required for pre-installation.

ONEVIEW WEB SERVER

Create folders and copy required files as given below:

C:\oneview
C:\oneview\import

All the above folders and files can be completely copied from the Build machine at the following location:

\\192.168.0.109\PlanWellShare\PRODUCTION\OneView

The above share path always contains the latest files for all the folders defined above.
In case the Build server is down for any reason, the same files can be picked up directly from the Source Safe VSS, at the following path:

$/ARC-Premier Accounting/WebSite

INSTALLATION STEPS

This section describes the steps to be performed to install the application.

ONEVIEW WEB SERVER

Create the following virtual directories:

OneView Web Server IIS Setup

| Virtual Directory Name | Path | Description | Binaries Location | URL |
|---|---|---|---|---|
| Default Web Site | C:\OneView | OneView web files | Build machine \\192.168.0.109\PlanWellShare\PRODUCTION\OneView | oneview.e-arc.com |

POST INSTALLATION STEPS

- Establish SQL Client Connectivity.
- Install and configure Crystal Reports Viewer 10 for reports with IIS settings.
- Time out settings: Right-click on Default Web Site root > Home Directory > Configuration > Options
  - Session timeout: 30 minutes
  - ASP script timeout: 300 minutes
- At the Run command, type “net start w3svc” to start the IIS server, or start the service manually in the IIS Manager screen.

INSTALL VERIFICATION AND TESTING

This section describes the testing procedure for validating the application installation.

- Test the database connectivity from the web servers using the ODBC tools.
- Open the web page through the qualified URL given below:
  https://oneview.e-arc.com/Login.htm
- Log in to the sites using test accounts and see if everything is working fine.

5B. SUBHUB

1. Web Sites

1.1 Sub-Hub Website

Pre-requisites: The following software needs to be installed.

Software: .NET Framework 1.1
Notes: Download the latest from Microsoft.com

Software: FWKFTPLIB.dll
Description: Viewing Files
Notes: Need to register. Before registering it, the following DLLs need to be copied into WINDOWS\System32: MSVCRTD.DLL, MFC42D.DLL, MFCO42D.DLL

Software: IEWebControls
Description: IEWebControls.exe
Notes:
1. Run this exe.
2. Search for the following path: “C:\Program Files\IE Web Controls”.
3. Open “Build.bat” in Notepad and search for the csc.exe file (replace with “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe”).
4. Run this batch file.
5. Verify whether the “webctrl_client” folder is created in “C:\inetpub\wwwroot”.

Software: Credit Card Component
Description: PFProCOMSetup.exe
Notes:
1. Copy the following into the system32 folder and the bin folder in the Sub-Hub Web Site: PFProdotNET.dll, PFProCOMLib.dll, pfpro.dll, PayFlowPro.dll, certs (folder).
2. Run “PFProCOMSetup.exe”.

Software: SSL Certificate
Notes: VeriSign will email you your certificate. If the certificate is an attachment (Cert.cer), you can use the file. If the certificate is in the body of the email, create a .cer file (example: NewCertificate.cer) by copying and pasting the certificate text into a plain text editor such as Notepad or Vi. Please be sure to include the header and footer as well as the surrounding dashes. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
1. Open the Internet Services Manager (IIS). Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
2. Under Web Sites, right-click your web site and select Properties.
3. Click the Directory Security tab.
4. Under Secure Communications, click Server Certificate.
5. The Web Site Certificate Wizard will open; click Next.
6. Choose Process the Pending Request and Install the Certificate, then click Next. Important: The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.
7. Select the location of the certificate response file, and then click Next.
8. Read the summary screen to be sure that you are processing the correct certificate and then click Next. You see a confirmation screen.
9. After you read this information, click Next.
Stop and start your Web server prior to any testing. Be sure to assign your site an SSL port (443 by default). If you do not specify an IP address when installing your SSL Certificate, the same ID will be used for all virtual servers created on the system. If you are hosting multiple sites on a single server, you can specify that the ID only be used for a particular server IP address.

Virtual Directories: The following virtual directories need to be created in the sub-hub web server.

| Virtual Directory Name | Path | Description | Binaries Location | URL |
|---|---|---|---|---|
| Default WebSite | | Sub-Hub Binaries | | www.sub-hub.com |
| DnldXML | C:\temp\subhub | Temporary Dir | Empty | www.sub-hub.com/DnldXML |
| pwproject | C:\pwproject | Sub-Hub Cab files | | www.sub-hub.com/pwproject |
| PWThumbnailViewer | C:\temp\subhub | Temporary Dir | Empty | www.sub-hub.com/PWThumbnailViewer |

Database Connection Strings

| Location | Key | Value |
|---|---|---|
| Sub-Hub Web Site: Web.Config | ConfigSettingStr | server=<new db server name>;uid=<User ID>;pwd=<password>;database=PINCommon |
| Pwproject (Virtual Directory): downloadExec.asp | Line: 42 | "Provider=SQLOLEDB;Data Source=<new db server name>;user id=<user id>;Password=<password>;Initial Catalog=PINCommon" |

1.2 PINAdmin WebSite

Pre-requisites: The following software needs to be installed.

Software: .NET Framework 1.1
Notes: Download the latest from Microsoft.com

Software: FWKFTPLIB.dll
Description: Viewing Files
Notes: Need to register. Before registering it, the following DLLs need to be copied into WINDOWS\System32: MSVCRTD.DLL, MFC42D.DLL, MFCO42D.DLL

Software: IEWebControls
Description: IEWebControls.exe
Notes:
1. Run this exe.
2. Search for the following path: “C:\Program Files\IE Web Controls”.
3. Open “Build.bat” in Notepad and search for the csc.exe file (replace with “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe”).
4. Run this batch file.
5. Verify whether the “webctrl_client” folder is created in “C:\inetpub\wwwroot”.

Software: Credit Card Component
Description: PFProCOMSetup.exe
Notes:
1. Copy the following into the system32 folder and the bin folder in the Sub-Hub Web Site: PFProdotNET.dll, PFProCOMLib.dll, pfpro.dll, PayFlowPro.dll, certs (folder).
2. Run “PFProCOMSetup.exe”.

Virtual Directories: The following virtual directories need to be created in the sub-hub web server.

| Virtual Directory Name | Path | Description | Binaries Location | URL |
|---|---|---|---|---|
| Default WebSite | | PINAdmin Binaries | | admin.pwinet.com |
| DnldXML | C:\temp\subhub | Temporary Dir | Empty | admin.pwinet.com/DnldXML |
| pwproject | C:\pwproject | Sub-Hub Cab files | | admin.pwinet.com/pwproject |
| PWThumbnailViewer | C:\temp\subhub | Temporary Dir | Empty | admin.pwinet.com/PWThumbnailViewer |

Database Connection Strings

| Location | Key | Value |
|---|---|---|
| PINAdmin Web Site: Web.Config | ConfigSettingStr | server=<new db server name>;uid=<User ID>;pwd=<password>;database=PINCommon |
| Pwproject (Virtual Directory): downloadExec.asp | Line: 42 | "Provider=SQLOLEDB;Data Source=<new db server name>;user id=<user id>;Password=<password>;Initial Catalog=PINCommon" |

2. Databases

The following are the databases used by Sub-Hub applications:

| Database Name | Users/Logins | Permissions | Notes |
|---|---|---|---|
| PINCommon | Pin_sub_usr, Pin_format_usr1, Pin_format_usr1, Pw_support | usr_role, fmt_role, fmt_role, pwrole | Please contact Krishna for restoration procedure & back up procedure |
| PINNotifications | Pin_notify_usr, Pw_support | usr_role, pw_role | |

Data Transformation Services

| DTS Name | Source Database | Destination Database | Notes |
|---|---|---|---|
| PINNotifications_DTS | PINNotifications | PINNotifications | Please refer to the detailed documentation in VSS under $/Database/DataTransformationServices/: 1. PinNotifications Database DTS.doc 2. Source Codes: PinNotifications_DTS_Script.sql, PinNotifications_HistoryTables.sql |

3. Web Services

| Virtual Directory | Description | Binaries Location | Notes |
|---|---|---|---|
| SHPublishWebService | Project Publishing Web Service | | This is the project publishing Web Service; the Web.config database key needs to be changed when deployed |
| PINNPRSearchMgrWebService | Sub-Hub Search Web Service | | This is the project publishing Web Service; the Web.config database key needs to be changed when deployed |
| OCR Search Service | | | |

4. Windows Services

| Service Name | Description | Binary Location | Notes |
|---|---|---|---|
| PINNotification Manager | Sub-Hub Notifications Manager | $Sub-Hub-Development/Production/PINNotification Manager | App.config’s database key needs to be changed to new database server |
| Sub-Hub Pickup | Sub-Hub Pick-up Processor | $Sub-Hub-Development/Production/Sub-Hub Pickup | App.config’s database key needs to be changed to new database server |
| Project Search Builder | Sub-Hub Project Search Builder | $Sub-Hub-Development/Production/Project Search Builder | App.config’s database key needs to be changed to new database server |
| Fax Server | Fax Processor Service | $Sub-Hub-Development/Production/Fax Server | Right Fax Client needs to be installed as a prerequisite. App.config’s database key needs to be changed to new database server |
| Email Server | Email Processor Service | $Sub-Hub-Development/Production/Email Server | App.config’s database key needs to be changed to new database server |
| Fax Response Server | Fax Response Server | $Sub-Hub-Development/Production/Fax Response Server | App.config’s database key needs to be changed to new database server |

5. File Processors

INI File entries (Entry / Values):

[UnZipServer]
ZipSourcePath=\\pspinuplvirtual\SHPublish\
ProcessTempPath=\\pspinunzvirtual\SHUnZip\
ProcessTempPathSharedName=\\pspinunzvirtual\SHUnzip\
NationalvaultRoot=\\pspindwlvirtual\SHVault-1\
OCRDestinationPath=\\pspindwlvirtual\SHVault-1\

[CentralDatabase]
ServerName=<db server>
Database=pincommon
User=<user id>
Password=<password>

[QueueDatabase]
ServerName=<db server>
Database=pincommon
User=<user id>
Password=<password>

| Processor Name | Description | Binary Location | Notes |
|---|---|---|---|
| Un-Zip Processor | Un-Zip Processor | $Sub-Hub-Development/Production/File Processors | INI file entries need to be changed as indicated under File Processors: INI File Entries |
| CPC Processor | CPC Processor | $Sub-Hub-Development/Production/File Processors | INI file entries need to be changed as indicated under File Processors: INI File Entries. CPC battery needs to be installed. Please refer to (http://www.cartesianinc.com/Products/Battery) for battery installation. |
| Déjà vu Processor | DejaVu Processor | $Sub-Hub-Development/Production/File Processors | INI file entries need to be changed as indicated under File Processors: INI File Entries. Document Express 5.1 needs to be installed. |
| OCR Processor | OCR Processor | $Sub-Hub-Development/Production/File Processors | INI file entries need to be changed as indicated under File Processors: INI File Entries |

6. FTP Sites

| FTP Site | URL | Notes |
|---|---|---|
| Upload Site | publish.sub-hub.com | WS_FTP needs to be installed. Userid: <userid> Password: <password> Folder: shpublish |
| Download Site | <download server> | Userid: <user id> Password: <password> Folder: shvault1 |

7. Temporary Storage

| Temporary Storage | Path |
|---|---|
| Temporary Un-Zip Storage | \\<UnZip Server>\SHUnZip\ |

5C. Data Bases – PlanWell, SubHub

PRE-INSTALLATION STEPS

The following tables list all the LOGSHIPPING DATABASES available on the Backup Site. (Every 15 mins the database log backups mentioned below are taken, shipped and restored on the Standby Server.)

| SLNO | PRIMARY SERVER (PDC) | STANDBY (BDC) | DATABASENAME | STANDBY DBNAME |
|---|---|---|---|---|
| 1 | PSENTSQLVIRTUAL | BSA28C3WELL1 | Epavilion | Epavilion |
| 2 | PSENTSQLVIRTUAL | BSA28C3WELL1 | EpavilionLic | EpavilionLic |
| 3 | PSENTSQLVIRTUAL | BSA28C3WELL1 | Planwell | Planwell |
| 4 | PSENTSQLVIRTUAL | BSA28C3WELL1 | PlanwellLic | PlanwellLic |
| 5 | PSENTSQLVIRTUAL | BSA28C3WELL1 | PWCommon | PWCommon |

| SLNO | PRIMARY SERVER (PDC) | STANDBY (BDC) | DATABASENAME | STANDBY DBNAME |
|---|---|---|---|---|
| 1 | PSPINSQLVIRTUAL | BSA35C3PIN1 | PINCommon | PINCommon_ls |
| 2 | PSPINSQLVIRTUAL | BSA35C3PIN1 | PINNotifications | PINNotifications |

| Slno | Standby ServerName | Transaction Log location |
|---|---|---|
| 1 | BSA28C3WELL1 | X:\Logshipping\ |
| 2 | BSA35C3PIN1 | w:\logshipping |

- Check the Standby Server error log to verify that the transaction logs present in the logshipping folders have been restored.
- Restore the last available transaction log (either from the primary server or from the logshipping folder), if it is not restored.

INSTALLATION STEPS

- Alter the status of each database from Readonly to Multiuser Access.
- Rename the database PinCommon_LS to Pincommon.

POST INSTALLATION STEPS

- Verify the logins.
- Create a Database Maintenance Plan for all the databases.
- Create a backup plan for all databases.

INSTALL VERIFICATION AND TESTING

- Verify the connectivity by checking the application user login using Query Analyzer.
- Verify using Profiler to see the executing stored procedures/batches.

5D. PREVIEW - FAX CONVERSION

Fax Conversion Service

Definitions

This document describes the installation procedure for Fax Conversion Service (FCS).
It is a service used for converting fax documents for preview and for Concord fax services.

System Requirements

For MetaPrint application downloads and licensing sites the following software is required:

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2000 or later | Windows 2000 or later |
| Right Fax COM Objects | Right Fax client components | |

Application Installation Procedure

Windows Applications

PRE-INSTALLATION STEPS

Copy the folder \\net1\Shared\FaxConversionService to the local folder.

INSTALLATION STEPS

STEP 1: Register Service

Register the Fax Conversion service. This can be done by executing the following command from the command line:

FaxConversionService.exe /service

This will register the Fax Conversion Service application as a Windows NT Service.

STEP 2: Verify Service Installation

Open the service manager; in the service manager you should be able to see Fax Conversion Service.

POST INSTALLATION STEPS

STEP 1: Run Service under the corp\clusteradmin account

Select the service in service manager, right-click and select the Properties menu.
Go to the Log On tab.
Select This User and enter corp\clusteradmin and the password.
This user account should be able to access the userwork area of the PlanWell bidcaster.

STEP 2: Change the application INI file

Configuration File Name: FaxConversionService.ini (this file will be under the FaxConversionService folder)

| Setting Name | Value | Description | Sample data |
|---|---|---|---|
| ConversionMode | 1 | Always 1 | ConversionMode=1 |
| RightFaxQServer | | IP address / Name of the Right Fax server which will be used for the conversion | RightFaxQServer=192.168.22.100 |
| RightFaxUserID | | Right Fax User id used for the conversion | RightFaxUserID=PRV_FAX_USER |
| RightFaxUserPassword | | Password for the right fax user id Prvfaxuser | RightFaxUserPassword=prvfaxuser |
| RightFaxUseNTAuthentication | 0 | Always 0 | RightFaxUseNTAuthentication=0 |
| UseFaxNumberForConversion | | Test Fax Number | UseFaxNumberForConversion=510-377-2338 |
| LogFilePath | Path for Log File | Create a log file directory | LogFilePath=C:\FaxConversionService |
| MaxConversionTime=0 | 0 | Always 0 | MaxConversionTime=100 |
| HTTPSvrVD | The Root directory | Always C:\Temp | HTTPSvrVD=C:\Temp |
| HTTPPort | 9001 | If this port is in use then change. | HTTPPort=9001 |

INSTALL VERIFICATION AND TESTING

- Run the service from service manager.
- Go to the log file directory and make sure that the log file is created.
- Open the log file and read the first 5 lines, which describe the application status.

OTHER APPLICATION CHANGES

Once the FCS is set up we should change the following application configuration files.
PlanWell-BidCaster application configuration file
File Name: Web.config
Change the following key:
<add key = "FCSURL" value="http://FCS Server IpAddress:port/"/>

Fax Server application configuration file
File Name: App.config
Change the following key:
<add key = "FCSURL" value="http://FCS Server IpAddress:port/"/>

6. Email Servers & Application Software

E-mail servers and Domain details:

We have 2 mail servers:
1. Imail
2. Microsoft Exchange

Imail server has been configured to host the following domains:
- E-ARC.COM - 216.241.82.60
- PLANWELL.COM - 216.241.82.91
- SUB-HUB.COM - 216.241.82.54

Exchange server has been configured to host mirrorplus.com and CRM.mirrorplus.com.

Imail backup & Restore Procedure:

1. Back up the registry file on the existing server and back it up to tape.

The registry can be copied manually by completing the following steps:
a. Click on Start | Run, type in "regedit" and hit enter.
b. Go to the path: HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail
c. Then, click on REGISTRY and select "Export Registry File". Give the file a name. The Export Range should be selected branch. The selected branch field should show the following: HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail
After ensuring this, click on Save. This will save all the user names and passwords for all of your domains that use the IMail user database.

All the Imail user databases also need to be backed up. Detailed procedure for backing up the user database, forums etc.:
a. Select all three domains in the backup selection as shown below:
PSA33C4IM1\Forum list\*.*
PSA33C4IM1\Imail_arc\*.*
PSA33C4IM1\ImailPlanwell\*.*
PSA33C4IM1\Imail_Sub-hub\*.*

2. Restore to the new IMail server.

Pre-requisites:
- Install Windows 2003 Standard or Enterprise server.
- Install Imail server.

To restore the copy of the registry follow the steps below. You can double-click the .reg file in Windows Explorer, or:
a. Make sure a copy of the registry file is on the server.
b. Then on the server, click on Start | Run, type in "regedit" and hit enter.
c. Then, click on REGISTRY and select "Import Registry File". Select the copy of the registry file on the server.
The existing IMail hive of the registry will be overwritten with the file you saved.

Important: stop and restart the SMTP service after the change. If you are running version 8 or later, you should also stop and restart the Queue Manager Service.

Exchange Email Server Disaster Recovery (DR) Procedures:

We have two DR procedures:
1. Mailbox recovery
2. Information Store Recovery

Pre-requisites for both the procedures:
- Prepare Windows Server 2003.
- Prepare Exchange Server 2003.
- Install the Enterprise edition of Exchange Server if you go for a cluster; otherwise (in case of a stand-alone Exchange server) you can install either the Standard or the Enterprise edition.
- Make sure your computer name, organization name and domain details are exactly the same as on your old Exchange server.
- The drive letters should also be the same as on the old Exchange server.

Mailbox Store Recovery Procedure:
- Restore the individual mailboxes from full backup sets.
- You can restore either mailbox by mailbox or multiple mailboxes at the same time.

Information Store Recovery Procedure:
- Restore the full backup sets.
- Restore the incremental or differential backup sets, if any.
- Change the IP address in the TCP/IP properties.
- Stop and start all Exchange services.

7. MetaPrint Application

Definitions

This document describes the following applications:
- MetaPrint Online License Management Site

System Requirements

For MetaPrint application downloads and licensing sites the following software is required:

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2000 or later | Windows 2000 or later |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SMTP Service | Simple Mail Transfer Protocol (SMTP) | This service should be installed and running |
| ADO | Microsoft Active Data Access Objects version 2.7 | This can be downloaded from the Microsoft web site |

Application Installation Procedure

Web Sites

The main Web site for Abacus downloads is http://support.mirrorplus.com
In case of changing the server we need to map the URL support.mirrorplus.com to the new server.
PRE-INSTALLATION STEPS

Make sure that the http://support.mirrorplus.com URL is mapped to the new server.

INSTALLATION STEPS

Step 1: Create a directory on the local drive called metaprintdatafolder. Copy the contents from \\net1\Shared\MetaPrint\MetaprintDataFolder to the local metaprintdatafolder.

Step 2: Create Virtual directory. Create a virtual directory called metaprint and map the local path to metaprintdatafolder.

Step 3: Give Read and Script access permissions to the folder.

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

Open the following URL from a web browser:
http://support.mirrorplus.com/metaprint/prg/authorizelic.asp
This page should display a form to authorize the MetaPrint license.

8. ABACUS

Definitions

Abacus is a Print Copy tracking System. This document describes the following applications:
- Abacus Download Sites
- Abacus Online License Management Site

System Requirements

For Abacus application downloads and licensing sites the following software is required:

| Software | Description | Notes |
|---|---|---|
| Operating System | Windows 2000 or later | Windows 2000 or later |
| IIS | IIS 5.0 or later | This can be added through Windows components |
| SMTP Service | Simple Mail Transfer Protocol (SMTP) | This service should be installed and running |
| ADO | Microsoft Active Data Access Objects version 2.7 | This can be downloaded from the Microsoft web site |

Application Installation Procedure

Web Sites

The main Web site for Abacus downloads is http://support.mirrorplus.com
In case of changing the server we need to map the URL support.mirrorplus.com to the new server.
PRE-INSTALLATION STEPS

Make sure that the http://support.mirrorplus.com URL is mapped to the new server.

INSTALLATION STEPS

Step 1: Copy abacus data folder from //net1/shared/Abacus/abacusdownloads to

Step 2: Create Virtual directory. Create a virtual directory called abacus and map the local path to abacusfolder.

Step 3: Give Read and Script access permissions to the folder.

POST INSTALLATION STEPS

NONE

INSTALL VERIFICATION AND TESTING

Open the following URL from a web browser:
http://support.mirrorplus.com/abacus/abacus_20.asp
Click on each download link and make sure that each link is working and able to download the files.

Open the following URL:
http://support.mirrorplus.com/abacus/enterlic.asp
This page should display a form to authorize the abacus license.

9. ATTACHMENT 2

FACILITY DIAGRAM AND EMERGENCY STAGING AREAS

Backup Data Center
45719 Northport Loop West, Fremont, CA 94538

[Figure: PDC Building Diagram, a floor plan showing the offices and cubes, PDC NOC, conference room, break room, printer room, warehouse, power and telephone room, rollup doors, building entrances, and Parking Lot Disaster Meeting Areas 1 and 2]

Primary Data Center
47354 Fremont Blvd, Fremont, CA 94538
ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 67 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies 10.Attachment 3 EMERGENCY SERVICES & AGENCIES LIST EMERGENCY SERVICES Name: Police Department City: Fremont County: Alameda County Emergency Phone: 911 Business Phone: 510 790 6800 Name: Sheriff's Department County: Alameda Emergency Phone: 911 Business Phone: 510 790 6800 Name: Fire Department City: Fremont County: Alameda Emergency Phone: 911 Business Phone: 510 791 4292 Name: Paramedic/Rescue - Golden State Ambulance Inc. City: N/A County: Alameda Emergency Phone: 911 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 68 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies Business Phone: 510 818 1400 Name: Air Ambulance – AAA Advanced Air Ambulance County: Alameda Business Phone: 800 633 3590 Name: Private Ambulance #1 – Golden State Ambulance Inc. County: Alameda Business Phone: 51 818 1400 Name: Private Ambulance #2 - Pacific Coast Ambulance Service County: Alameda Business Phone: 510 247 2070 HOSPITAL / URGENT CARE FACILITY Name: Hospital #1 – Kaiser Permanente Address: 39400 Paseo Padre Parkway (between Walnut Ave. & Stevenson Blvd) City: Fremont County: Alameda Business Phone: 510 248 3000 Name: Hospital #2 – Washington Hospital Address: 2000 Mowry Ave. 
(across the street from Civic Center Drive) City: Fremont County: Alameda Business Phone: 510 797 1111 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 69 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies EMERGENCY STAGING FACILITIES AND SHELTERS Name: American Red Cross Address: 33641 Mission Boulevard City: Union City County: Alameda Business Phone: 510 429 3300 Name: Community Center #1 - Fremont Resource Center Address: 39155 Liberty Street City: Fremont County: Alameda Business Phone: 510 574 2000 Name: National Guard Center Address: 1525 W. Winton Ave City: Hayward County: Alameda Business Phone: 510 264 5600 Name: Veterans Memorial Building Address: 39L155 Liberty Street # F620 City: Fremont County: Alameda Business Phone: 510 790 1518 DISASTER INFORMATION ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 70 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies Name: Medical Emergency Information Hotline County: Emergency Phone: Name: Office of Emergency Services (City) Address: 777 B Street City: Hayward CA 94541 County: Alameda Business Phone: 510583 4948 Name: Office of Emergency Services (County) Address: 4985 Broder Blvd City: Dublin County: Alameda Business Phone: 925 803 7800 Name: Office of Emergency Services (State) Address: 3650 Schriever Ave, City: Mather County: Sacramento Emergency Phone: 916 845 8510 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 71 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies COMMUNICATIONS Name: XO Communication Phone 1: 989 758 6500 , Phone 2: 800 745 2747 XO DNS ip Addresses 65.106.1.196, 65.106.7.196 Name: MCI Phone 1: 1800 488 6384 A/C # W0F54044 SITE ID# WCOMW0F54044 Name: Sprint Phone 1: 1 800 900 0241 Name: AT &T Phone 1: 1 888 
613 6330 Site ID# 157357 Circuit ID: 86HCGS556764DHEC499174 Name: AT&T Fax Lines : (Ticket # format RN090160) Circuit IDs - 03/AXTZ/011217//TPM 03/AXTZ/011218//TPM 03/AXTZ/011219//TPM 03/AXTZ/011220//TPM 03/AXTZ/011221//TPM 03/AXTZ/011222//TPM Name: SBC – Point to Point DS3 Phone 1: 1 800 922 7742 Name: Communication Dynamics ( Phone System) Business Phone: 925 625 0900 Name: Brownies Brian Davis ( Location of Full Backups) Phone 916-496-2343 mobile Name: Inprint Hussein Phone: 408-239-9583 Moble ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 72 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies SECURITY Name: Trojan Systems Inc - (ALARM SYTEM) City: 60 Rickenbacker Circle, Livermore, CA County: Alameda Emergency Phone: 1 800 367 1091 Business Phone: 925 245 1510 Fax: 925 245 0858 Name: Guard Company #1 – American Discount Security City: Union city County: Alameda Business Phone: 510 475 9000 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 73 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies CITY / COUNTY OFFICES Name: Administrative Offices (City) City: Fremont County: Alameda Business Phone: 510 284 4000 Name: Administrative Offices (County) City: Oakland County: Alameda Business Phone: 510 272 6984 Name: Air Quality Control Offices (County) City: 939 Ellis St. 
San Francisco CA 94109 County: San Francisco Business Phone: 415 7}1 6000 Name: Animal Control (County) City: Fremont County: Alameda Business Phone: 510 790 6640 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 74 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies Name: Building Inspector (City) City: Fremont County: Alameda Business Phone: 510 494 4400 FEDERAL OFFICES Name: Federal Bureau of Investigation Address: 22320 Foothill Blvd #530 Business Phone: 510 886 7447 UTILITIES Name: Electric – Miller Electric City: Fremont County: Alameda Emergency Phone: 510 790 6345 Business Phone: 510 376 5371 Name: BC Electric Business Phone: 408 719 8644 Name: APC (American Power Conversion) UPS Backup Data Center Symmetra 1600 Model #P9696 SL# 3a0039s02919 Primary Data Center Symmetra SYCF40KF SN# ED0310000521 Business Phone: 800-555 2725 ARCSD104 – IT Disaster Recovery ARC Document Solutions ARCSD104 – IT Disaster Recovery Page 75 of 76 Confidential and Proprietary – For Internal Distribution Only Copyright by MirrorPlus Technologies Name: Generator Primary Data Center - Peterson Power Systems PID: OLY00000PNPS00309 SID: 121994/07 MODEL: D100P2 Business Phone: 800-443-3356 Name: Generator Backup Data Center - Kohler Power System Kohler Generator Model# 40REOZJ Spec # PA-189233 Serial # 0708847 Phone: 1-888 712-9349 CONTRACTORS / VENDORS Name: Vartex (Doors) Business Phone: 800 698 6783 Name: Air Conditioning – R H Tinney Inc. City: 296 Wright Brothers Avenue Livermore CA. 
94551
County: Alameda
Emergency Phone: 925 525 0248
Business Phone: 925 373 6101

EQUIPMENT

Name: Dell Computer
Business Phone: 1 800 945 3355

Name: Microsoft
Business Phone: 888 456 5570

Name: Hewlett Packard
Business Phone: 1800 633 3600 Access Code SMTB 9078

Name: Data Pipe
Business Phone: 888 749 5821 Ref: Bicaster.net

Name: Chriscom (Patch Panels)
Business Phone: 925 625 0900 Main – 925 207 4205 Andy – 925 207 4206 Nahleen

Name: Netscreen
Business Phone: 800 638 8296

Name: Trend Micro
Business Phone: 888 608 1009

Name: IP-Switch (Imail)
Business Phone: 706 312 3500

Name: WSFTP
Business Phone: 781 676 5700

ARCSD111 – Information Sensitivity Policy ARC Document Solutions ARCAD111 – IT Info Sensitivity Page 1 of 7

CNTL # GC-04 Revision: 1.0 Prepared by: Demetrius Wallace
Effective Date: 10/12/06 Approved by: Rahul Roy
Title: ARCSD111 – Information Sensitivity Policy

Purpose: The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of American Reprographics Company and ARC without proper authorization.

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction.
It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect American Reprographics Company & ARC Confidential information (e.g., American Reprographics Company & ARC Confidential information should not be left unattended in conference rooms).

Please Note: The impact of these guidelines on daily activity should be minimal. Questions about the proper classification of a specific piece of information should be addressed to your manager.

Scope: All American Reprographics Company & ARC information is categorized into four main classifications:
· American Reprographics Company Public
· American Reprographics Company Confidential
· ARC Public
· ARC Confidential

American Reprographics Company & ARC Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to American Reprographics Company Systems, Inc & ARC.

American Reprographics Company & ARC Confidential contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Included is information that should be protected very closely, such as trade secrets, development programs, potential acquisition targets, and other information integral to the success of our company. Also included in American Reprographics Company & ARC Confidential is information that is less critical, such as telephone directories, general corporate information, personnel information, etc., which does not require as stringent a degree of protection.

A subset of American Reprographics Company & ARC Confidential information is "American Reprographics Company & ARC Third Party Confidential" information.
This is confidential information belonging or pertaining to another corporation which has been entrusted to American Reprographics Company & ARC by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information. Information in this category ranges from extremely sensitive to information about the fact that we've connected a supplier / vendor into <Company Name>'s network to support our operations.

American Reprographics Company & ARC personnel are encouraged to use common sense judgment in securing American Reprographics Company & ARC Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager.

Policy: The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as American Reprographics Company Confidential information in each column may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the American Reprographics Company Confidential information in question.

1.0 Minimal Sensitivity: General corporate information; some personnel and technical information

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of "3rd Party Confidential".

Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "American Reprographics Company Confidential" may be written or designated in a conspicuous place on or in the information in question. Other labels that may be used include "American Reprographics Company Proprietary" or similar labels at the discretion of your individual business unit or department.
Even if no marking is present, American Reprographics Company information is presumed to be "American Reprographics Company Confidential" unless expressly determined to be American Reprographics Company Public information by an American Reprographics Company employee with authority to do so.

Access: American Reprographics Company employees, contractors, people with a business need to know.

Information Designation: Information related to American Reprographics Company Public and ARC Public is considered Minimal Sensitivity.

Distribution within American Reprographics Company: Standard interoffice mail, approved electronic mail and electronic file transmission methods.

Distribution outside of American Reprographics Company internal mail: U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.

Electronic distribution: No restrictions except that it be sent to only approved recipients.

Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.

Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on American Reprographics Company premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

2.0 More Sensitive: Business, financial, technical, and most personnel information

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of "3rd Party Confidential".
As the sensitivity level of the information increases, you may, in addition to or instead of marking the information "American Reprographics Company Confidential" or "American Reprographics Company Proprietary", wish to label the information "American Reprographics Company Internal Use Only" or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.

Access: American Reprographics Company employees and non-employees with signed non-disclosure agreements who have a business need to know.

Information Designation: Information related to American Reprographics Company Confidential and ARC Confidential is considered More Sensitive.

Distribution within American Reprographics Company: Standard interoffice mail, approved electronic mail and electronic file transmission methods.

Distribution outside of American Reprographics Company internal mail: Sent via U.S. mail or approved private carriers.

Electronic distribution: No restrictions to approved recipients within <Company Name>, but should be encrypted or sent via a private link to approved recipients outside of American Reprographics Company premises.

Storage: Individual access controls are highly recommended for electronic information.

Disposal/Destruction: In specially marked disposal bins on American Reprographics Company premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

3.0 Most Sensitive: Trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of our company.
Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of "3rd Party Confidential".

To indicate that American Reprographics Company Confidential information is very sensitive, you may label the information "American Reprographics Company Internal: Registered and Restricted", "American Reprographics Company Eyes Only", "American Reprographics Company Confidential" or similar labels at the discretion of your individual business unit or department. Once again, this type of American Reprographics Company Confidential information need not be marked, but users should be aware that this information is very sensitive and should be protected as such.

Access: Only those individuals (American Reprographics Company employees and non-employees) designated with approved access and signed non-disclosure agreements.

Information Designation: Information related to American Reprographics Company Confidential and ARC Confidential is considered Most Sensitive.

Distribution within American Reprographics Company: Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.

Distribution outside of American Reprographics Company internal mail: Delivered direct; signature required; approved private carriers.

Electronic distribution: No restrictions to approved recipients within American Reprographics Company, but it is highly recommended that all information be strongly encrypted.

Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.
Disposal/Destruction: Strongly Encouraged: In specially marked disposal bins on American Reprographics Company premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

Enforcement

Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

Definitions

Terms and Definitions

Appropriate measures: To minimize risk to American Reprographics Company from an outside business connection. American Reprographics Company computer use by competitors and unauthorized personnel must be restricted so that, in the event of an attempt to access American Reprographics Company corporate information, the amount of information at risk is minimized.

Configuration of <Company Name>-to-other business connections: Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

Delivered Direct; Signature Required: Do not leave in interoffice mail slot, call the mail room for special pick-up of mail.

Approved Electronic File Transmission Methods: Includes supported FTP clients and Web browsers.

Envelopes Stamped Confidential: You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and stamp it confidential.

Approved Electronic Mail: Includes all mail systems supported by the IT Support Team. These include, but are not necessarily limited to, [insert corporate supported mailers here…]. If you have a business need to use other mailers contact the appropriate support organization.
Approved Encrypted email and files: Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms. PGP use within American Reprographics Company is done via a license. Please contact the appropriate support organization if you require a license.

Company Information System Resources: Company Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.

Expunge: To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, supplied as a part of Norton Utilities. Otherwise, the PC or Mac's normal erasure routine keeps the data intact until overwritten. The same thing happens on UNIX machines, but data is much more difficult to retrieve on UNIX systems.

Individual Access Controls: Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On UNIX machines, this is accomplished by careful use of the chmod command (use man chmod to find out more about it). On Macs and PCs, this includes using passwords on screensavers, such as Disklock.

Insecure Internet Links: Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of <Company Name>.

Encryption: Secure American Reprographics Company Sensitive information in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Follow corporate guidelines on export controls on cryptography, and consult your manager and/or corporate legal services for further guidance.
One Time Password Authentication: One Time Password Authentication on Internet connections is accomplished by using a one time password token to connect to <Company Name>'s internal network over the Internet. Contact your support organization for more information on how to set this up.

Physical Security: Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.

Private Link: A Private Link is an electronic communications path that American Reprographics Company has control over its entire distance. For example, all American Reprographics Company networks are connected via a private link. A computer with a modem connected via a standard land line (not cell phone) to another computer has established a private link. ISDN lines to employees’ homes are private links. American Reprographics Company also has established private links to other companies, so that all email correspondence can be sent in a more secure manner.
Companies with which American Reprographics Company has established private links include all announced acquisitions and some short-term temporary links.

Revision History

American Reprographic Company Data Center Technology & Security

ARC Cloud Computing Infrastructure

ARC is proud to announce recent improvements to our Fremont based Technology Center. Cloud computing has been a hot topic in the industry for a few years now and ARC has been in lock step all the way. ARC is now offering on demand cloud computing with a bang while going green at the same time. With our fleet of product offerings, including PlanWell Collaboration, IshipDocs and PlanWell Enterprise to name a few, ARC is poised to meet all of the industry’s most challenging Reprographic needs.
ARC Technology Center hosts all of ARC’s Flag Ship Products, including:

ARC Technology Center Enhancements:

Storage
· 2 EMC CLARiiON CX4 – 240 ‐ Total capacity of 150 TB Storage Space

Server
· 3 HP C7000 Blade Enclosures with:
· 21 HP BL490c G6 Servers for Application & File Sharing
· 6 HP BL685c G7 Servers for Microsoft SQL Database

Software
· Microsoft Windows 2008 64bit Operating System
· VMware ESXi 4.1 Virtualization Software

Network Infrastructure
· Redundant ISPs for Production Site Failover
· BGP & HSRP for ISP Failover during vendor outages
· Redundant F5 Load Balancers for Load Balance Web Servers
· Redundant Cisco PIX Firewalls
· Redundant Juniper Netscreen Servicing Remote Server Connections

Disaster Recovery
· VMware Site Recovery Manager for Automatic Production Site Failover
· EMC Recoverpoint Replication for LUN Level Replication

Security

With the growing demand for storage on demand, the ARC Technology Center has more than tripled our storage space, now hosting 150TB of Storage. With BIM products becoming available soon, ARC has partnered with EMC to deliver a high speed, scalable, state of the art Storage Area Network (SAN) solution. Below is a brief description of the features of the EMC Clariion CX4‐240. The ARC Technology Center has implemented 2 EMC Clariions, one at our Fremont Based Technology Center and the other at our Disaster Recovery Site in Sacramento CA, for data replication and security.

Best-in-class performance for midrange networked storage

Features and Benefits:
· FAST: Automate storage tiering to lower costs and deliver higher service levels
· FAST Cache: Extend cache capacities for accelerated system performance and automatic absorption of unpredicted spikes in application workloads.
· Compression: Compress inactive data and reclaim valuable storage capacity, reducing your footprint by up to 50 percent.
· Flash drives: Extend your tiering capabilities by establishing a new tier 0 for ultra high performance.
· UltraFlex™ technology: Leverage flexible connectivity options, online expansion, and the ability to integrate future technologies.
· Virtualization‐aware management: Gain real‐time, dynamic view of virtual environments with end‐to‐end mapping and reporting capabilities.
· Three‐year enhanced support: Get unlimited online self‐help, proactive remote support, software upgrades, 24x7 call center response, and 9x5 onsite t

Storage: 150TB EMC CLARiiON CX4 Model 240

Server Configured Components
3 HP BLC7000 CTO 3 IN LCD ROHS ENCL
6 HP B‐SERIES 8/12C BLADESYSTEM SAN SWITCH
12 HP BLC GBE2C LY 2/3 SWITCH
18 HP 2400W HIGH EFFICIENCY POWER SUPPLY
12 HP BLC ENCL SINGLE FAN OPTION
3 HP BLC7000 1 PH FIO POWER MODULE OPT
21 HP BL490C G6 CTO BLADE
21 HP E5540 BL490C G6 FIO KIT
21 HP E5540 BL490C G6 KIT
252 HP 4GB 2RX4 PC3‐10600R‐9 KIT
21 HP BLC NC326M NIC ADAPTER OPT KIT
21 HP BLC QLOGIC QMH2562 8GB FC HBA OPT
21 HP 2GB USB FLASH MEDIA DRIVE KEY KIT
6 HP BL685C G7 CTO BLADE
6 HP BL685C G7 O6174 12C 2P FIO KIT
6 HP SMART ARRAY BL465C/685C G7 FIO CNTRLR
48 HP 8GB 2RX4 PC3‐10600R‐9 KIT
12 HP 146GB 6G SAS 15K 2.5IN DP ENT HDD
6 HP BLC QLOGIC QMH2562 8GB FC HBA OPT

Servers ‐ HP Blades

ARC Technology Center has increased its computing power while going green in the process. While implementing HP’s Blade servers for virtualization, the Technology Center was able to move from 100 stand‐alone servers to 27 HP Blade servers. The switch allows the Technology Center to save cost on power consumption and cooling, while increasing the overall computing power. We have added two base line servers in the HP C7000 Blade Enclosures.
These are the HP Full Height BL685c G7, clustered for SQL Databases, and the HP Half Height BL490c G6, for Web, Application and File Sharing Servers. With this configuration no application is fully dependent on one server. All applications can run on any server at any time.

Servers ‐ HP Blades

[Figure: Schematic Diagram—HP Blade Architecture]

This diagram shows the built in redundancy of the HP C7000 Blade Enclosure. All NICs, Fiber Connections, Management connections, power connections, and fans are redundant to provide a no single point of failure solution.

Software

While the industry moves toward Cloud Computing, several keys are needed to achieve this. The ARC Technology Center has achieved this by investing in VMware Virtualization Technology. The Tech Center has partnered with VMware to create a virtualized environment for Cloud Computing. By implementing VMware’s latest software release, ESXi 4.1, on all of our HP Blade BL490c G6 servers, the Tech Center has created a virtualized 14 Server VMware Cluster in Fremont for redundancy and Cloud Computing. Gone are the days of the tedious task of purchasing servers and software to implement a new application or host a server for a customer. With the implementation of VMware we can build servers in less than an hour at absolutely no additional cost. From preconfigured Templates the Tech Center can create Web servers, Application servers, File servers, etc. The ARC Technology Center can deliver them on demand, which is what cloud computing is all about. The Tech Center has streamlined its Operating systems to Microsoft Windows 2008 64bit and Redhat Linux Enterprise.

ARC’s Data Center Topology / Design and Measures.
Our portfolio covers all three critical security areas: physical security; operational security; and Network/System security. Physical security includes locking down and logging all physical access to servers at our data center. Operational security involves creating business processes that follow security best practices to limit access to confidential information and maintain tight security over time. Network/System security involves locking down customer systems from the inside, starting with hardened operating systems and up‐to‐date patching, and perimeter protection using Cisco PIX, IDS, RADIUS/TACACS, Secure IDs.

F5 Load Balancers, Cisco Catalyst 6509 and PIX Power

ARC Data Center Network Security

ARC Technology Center has architected a multi‐layered approach to secure and defend data from external attack. We leverage state‐of‐the‐art hardware and software security methods to prevent unauthorized intrusion by external users attempting to access data. Our infrastructure proactively deters and monitors for external attacks and unauthorized intrusions. ARC Technology Center employs experienced engineers, system administrators and IT professionals who pass through rigorous testing, confidentiality agreements and background checks to secure data. The ARC Technology Center team is proactively monitoring and deploying new security measures via software and hardware on a regular basis as appropriate.

Multi‐Layer Network Security Protection

ARC Technology Center deploys a “Multi‐Layered Network Security Protection System” to secure and defend data from intrusion and attack. Between our servers which house customer data and the internet, there are four layers of network security protection:

1. Router ‐ Cisco
The first line of defense to protect data is the router that resides in front of the firewall.
The router is specifically configured to block the most prevalent worm attacks on the web by scanning and analyzing header and packet information. Via the scanning process, each packet is inspected and either granted authorized access or denied before ever reaching the firewall. The router is the initial line of defense to eliminate unauthorized and unnecessary traffic and blocks it from gaining access to the Firewall.

2. Firewall ‐ Cisco
All information and data requests that pass through the router must next pass through the firewall. The firewall places strict limits on ports and protocols and provides the second layer of protection for data. NAT (Network Address Translation), also known as Network or IP Masquerading technology, is used in the data center firewall to provide an extra layer of security.

Network Infrastructure

Disaster Recovery

These days, with the possibility of disasters everywhere, the ARC Tech Center has upgraded its Disaster Recovery Site in Sacramento, CA by virtually replicating our Production Site in Fremont. For minimum downtime in the event of disaster, the ARC Tech Center has minimized its disaster recovery windows from days to hours. By taking advantage of EMC’s Recover Point Replication Software and VMware’s Site Recovery Manager, the ARC Technology Center can complete a Site Failover in virtually minutes and be up and running in less than 4 hours. This is achieved by continuously replicating all critical data to the DR Site, so all data resides in both locations. During a Disaster, systems at the DR Site are automatically started. Data is flushed from Caches and presented to all Host Servers and the DR Site is fully functional.
Security

Network Security
· Written network access security policies readily accessible:
  – Password policies (such as not sharing, lengths, forced renewal, aging)
  – Acceptable use (ISP not allowed to run programs that are illicit or illegal; use of sniffers or cracking/hacking programs are not required)
  – Documented user responsibilities on security in company policies and re‐enforced by education
  – Asset protection
· Network security infrastructure in place:
  – Perimeter protection (firewalls, filtering router)
  – Intrusion detection
  – Authentication and authorization (passwords, RADIUS/TACACS, Secure IDs)
  – Backup and recovery systems to restore after a problem, such as load balancing, failover protection
  – Regular assessment of network infrastructure
  – Assessment of network expansions or additions
  – Tape or media storage offsite backup
  – Regularly scheduled security audits
  – Server antivirus software protection

Operations
· Database of all installed equipment and configurations
· Toll‐free telephone support
· Supported monitoring:
  – 24x7 monitoring of dedicated servers and network equipment (note both frequency and method, such as PING, Simple Network Management Protocol [SNMP])
  – 24x7 monitoring of the health of the equipment with alarms and pager alerts for network failure and failovers
  – 24x7 monitoring firewall services available
  – Alternate NOC available
  – Second‐tier support personnel located nearby
· Trouble ticket processes:
  – Created and logged for all unusual or unexpected events
· Automated case escalation procedures in place including escalation timeframes
· Reporting that provides trending statistics on trouble tickets and minutes (above) to facilitate quality and customer reports
· Performance reporting and end‐user impact monitoring
· Periodic and exception reports provided to customers (including usage and problem reports)
· Spare equipment on site for key networking equipment available in case of hardware failure
· Business continuity plan:
  – Daily site backups
  – Tape vaults or other secure storage facilities on site in case of natural disaster
  – Onsite and offsite storage available
· Customer callout and escalation database
· Intercom system
· Written procedures for each customer on alarm handling

Technology Center

The ARC Technology Center has purchased two new Standby Generators for Power Backup at both the Production Fremont Data Center and the Sacramento DR Data Center.

Sacramento
Model: DSFAE
Frequency: 60
Fuel type: Diesel
KW rating: 80 standby 72 prime
Emissions level: EPA Nonroad Tier 3

Fremont
Model DSGAB Cummins Power Generation diesel driven generator set standby rated 125 KW, 156 KVA, 277/480 volts, 3 ø, 3 or 4 wire, 60 Hz, 1800 RPM with all standard accessories and

The ARC Technology Center has purchased a New APC UPS to provide battery backup power at both the Production Fremont Data Center and the Sacramento DR Data Center.

Facility and Physical Requirements
· Multiple physically separate connections to public power grid substations
· Continuous power supply with backup uninterruptible power supply (UPS) systems:
  – Adequate UPS capacity including air conditioning and lights
  – UPS systems tested at full load on monthly schedule
  – Fuel for generators (48 hours) kept on premises and monitored for local environmental compliance
· Formalized physical facility preventive maintenance program
· Sub‐breakers per relay rack or lineup
· Power filtering in UPS system

Physical Security
· Written security policies readily accessible:
  – Badge sharing and piggy back entry rules
  – All visitors must be admitted through reception
  – Written statement of work upon sign‐in
· Building access procedures:
  – Limited number of building entrances in compliance with local fire ordinance
  – Provide access to limited and managed security policies for all facility entrances
  – 24x7 onsite security
guards
  – Visitor‐logging procedure
· Equipment locations:
  – Video surveillance and motion sensors for entrances, interior doors, equipment cages, and critical equipment locations within the building

ARCSD101 – IT VULNERABILITY ASSESSMENT ARC Document Solutions ARCSD101 – IT VULNERABILITY ASSESSMENT Page 1 of 6

CTRL # SD101 Revision: 1.1 Prepared by: DJW
Effective Date: 01/16/2006 Approved by: Rahul Roy
Title: ARCSD101 – IT VULNERABILITY ASSESSMENT

Policy: ARC shall regularly evaluate its IT systems and network for threats and vulnerabilities in order to protect its IT assets and reduce ARC’s risk.

Purpose: To describe a procedure for identifying potential threats to ARC’s information technology assets (IT assets) and assessing threats on the basis of probability and risk.

Scope: This procedure applies to all ARC IT assets, including the IT network.

Responsibilities:

The Compliance Officer is responsible for conducting threat assessments of the IT network and reporting on the results of such assessments. Also, the Compliance Officer is responsible for continually monitoring threats and taking actions to mitigate risk to ARC’s IT assets.

Director of Information Technology is responsible for evaluating the results of a threat assessment, assessing the level of risk to various IT assets, and recommending actions that mitigate risk.

Definitions:

Risk – Possibility of losing availability, integrity, or confidentiality of IT assets due to a specific threat; also, the product of threat level and vulnerability level.

Threat – Expression of intent to inflict evil, injury, or damage; potential violation of security.

Threat Assessment – A process by which types of threats an IT network might be vulnerable to and where the network is most vulnerable are identified.

Vulnerability – Flaw or weakness in a system's design, implementation, or operation and management that could be exploited.
Procedure:

1.0 IT VULNERABILITY ASSESSMENT – INTRODUCTION

1.1 In order to prepare for threats to its IT assets and infrastructure, ARC must be aware of the types of threats that exist, the likelihood that they will occur, their potential impact, and the risk these threats may pose to ARC.

1.2 Threats may be natural or manmade. Natural threats include floods, storms, and earthquakes. Manmade threats may be accidental or intentional. Examples of manmade threats include use of unauthorized hardware or software and having unauthorized access to Company systems. Intentional threats exist both outside ARC and within. According to one survey (see Additional Resource I), four-fifths of respondents believed the greatest threats to their organizations were internally-based.

1.3 The risk posed by any given threat is a function of the combined likelihood of the threat occurring and the impact it would have on ARC’s assets (hardware, software, data, network/infrastructure, and personnel) if it were to occur. While risk to ARC IT assets cannot be completely eliminated, ARC must make all reasonable efforts to minimize risk. Those efforts should begin with assessing threats and risks.

2.0 IT VULNERABILITY ASSESSMENT PREPARATION

2.1 In advance of conducting a threat assessment of any of ARC’s IT systems, the Compliance Officer shall establish a baseline for assessment, identifying systems to be assessed (accounting, HR, sales, etc.) and determining their interconnectivity with other systems. ARCAM102-5 – IT ASSET INVENTORY DATABASE and ARCAM102-6 – IT NETWORK MAP should be used as guides.
2.2 The Compliance Officer should identify and describe threats that may target the IT assets and systems under consideration by one or more of the following means:
· Periodically (at least once a month) reviewing ARCSD106-1 – ACCESS CONTROL LOG for threat occurrences, such as unauthorized system access;
· Reviewing IT incidents for trends and/or patterns, in accordance with procedure ARCSD110 – IT INCIDENT HANDLING;
· Reviewing any system test (test script, test procedures, expected results, etc.) for vulnerabilities testing;
· Conducting penetration testing at irregular intervals, to verify the IT network’s ability to withstand intentional attempts at circumventing IT security (see Additional Resource F).

2.3 The Compliance Officer may acquire additional information for developing the assessment baseline by routinely reviewing threat alerts and bulletins from vendors, standards organizations, etc. Subscribing to one or more threat alert mailing lists is recommended (see Additional Resource G).

2.4 To determine if ARC needs to act on any given threat and to what extent it should act, the Compliance Officer shall classify threats / vulnerabilities in the following manner:
· The likelihood of threats occurring, according to information provided by external sources (see Additional Resources B – D). Threat likelihood may be categorized as:
  a. Low – the threat is unlikely to occur. For example, the Company’s three sites are all more than 500 miles from any ocean, so a hurricane or typhoon would not normally be a threat to the Company;
  b. Medium – the threat may occur. For example, one or more of the Company’s sites is located in an earthquake zone, so an earthquake is likely to have an effect on the Company; and
  c. High – the threat is likely to occur.
For example, if the Company does not require password access to computers or data stores, the likelihood is high that someone will eventually access and steal or compromise Company data.
· The impact of threats, in the absence of protection, and the possible or likely consequences of each. Threat impact may be classified as:
  a. Low – the threat may result in minimal loss of Company assets / resources;
  b. Medium – the threat may result in a significant loss of Company assets / resources, harm the Company’s mission or interests, or result in injury to an employee; and
  c. High – the threat may result in a very costly loss of Company assets / resources, significantly harm the Company’s mission, interests, or standing, or result in serious or fatal injury to an employee.
· An exposure rating or risk assessment shall be based on likelihood and impact ratings. A risk matrix is prescribed (Figure 1), with likelihood running from low to high along one axis and impact running from low to high on the other axis. The resulting exposure rating / risk assessment shall be used to prioritize threats (Figure 2).
  a. High-risk threats require the highest security levels and present the greatest need for immediate action, if existing security tools and techniques are inadequate.
  b. Low-risk threats may require little or no response on the part of the Compliance Officer.

                Impact
Likelihood      Low       Medium    High
High            Low       Medium    High
Medium          Low       Medium    Medium
Low             Low       Low       Low

Figure 1 – Risk Matrix

Risk Level      Description and Actions
High            Preventive actions are required and a preventive action plan shall be developed and implemented as soon as possible.
Medium          Preventive actions are required and a plan to incorporate those actions within a reasonable time frame shall be developed.
Low             IT Management should confer with managers of affected systems to determine if preventive action is required or if risk is acceptable.

Figure 2 – Threat Priority

3.0 IT VULNERABILITY ASSESSMENT

3.1 At regular intervals (once every six months, at least), the Compliance Officer shall conduct a threat/vulnerability scan of the IT network. This scan should be performed using commercially available software designed expressly for the purpose (see Additional Resource F).

3.2 The Compliance Officer shall review scan results and analyze the findings in order to determine if ARC needs to act on them and to what extent.

3.3 The Compliance Officer shall create ARCSD101-1 – THREAT ASSESSMENT REPORT, summarizing assessment findings and containing the following information, at a minimum:
· Systems reviewed;
· Number of threats found this period and last; and
· A summary of identified threats.

3.4 The Compliance Officer shall submit ARCSD101-1 to Director of Information Technology and the affected systems’ management for their review. The Sox Compliance Committee and management of the affected systems shall determine if preventive actions are required, in accordance with ARCSD110 – IT INCIDENT HANDLING.

4.0 IT VULNERABILITY ASSESSMENT MANAGEMENT REVIEW

4.1 The Compliance Officer shall periodically review the risk assessment process to ensure its continued timeliness and applicability. Historical data from ARCSD101-1 (i.e., number, nature, and severity of threats over time) shall help determine if risks are under control.

4.2 Any time a significant implementation, revision, etc., takes place, the Compliance Officer shall review the risk assessment process, to ensure existing controls are applicable to such changes or if improved controls are required.

Additional Resources:
A.
Microsoft TechNet provides a Security Risk Management Guide online that small businesses may find helpful. This guide can be found at http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx.
B. SANS (SysAdmin-Audit-Network-Security) Institute – SANS is one of the largest sources for information security training and certification in the world. SANS develops, maintains, and makes available (at no cost) the largest collection of research documents about various aspects of information security and it operates the Internet's early warning system, the Internet Storm Center. Information on SANS is available at http://www.sans.org/aboutsans.php.
C. The Institute of Internal Auditors (IIA) is another good source of information on tools and resources for managing security. The IIA’s web site address is http://www.theiia.org/.
D. Klevinsky, Laliberte, and Gupta, Hack I.T. – Security Through Penetration Testing, Addison-Wesley, 2002.
E. Vulnerability scan tools are readily available via the Internet; one example is the Microsoft Baseline Security Analyzer (MBSA), which may be found at http://technet.microsoft.com/default.aspx. A list of other vendors and their scan tools may be found at the Network Computing web site (see http://www.nwc.com/showitem.jhtml?articleID=15000643).
F. Microsoft, SANS, ZDNet, and a number of other sources issue security (threat) alerts through public media and e-mail. Companies and individuals may usually subscribe to e-mail alerts at no cost to them. It is strongly recommended that the Company subscribe to at least one e-mail alert list.
G. Power, Richard, "1999 CSI/FBI Computer Crime and Security Survey," Computer Security Issues & Trends, Computer Security Institute, Winter, 1999.

References:
A. SARBANES-OXLEY ACT OF 2002
Threats to company information can come from within as well as from the outside, as incidents at Enron and WorldCom have shown. The Sarbanes-Oxley Act, passed by the U.S.
Congress in 2002, was designed to prevent manipulation, loss, or destruction of publicly-held companies’ records by requiring public companies to exercise adequate internal controls. Conducting regular threat assessments helps companies comply with the requirements of the Act and makes good business sense.
B. CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
COBIT is a process model developed to assist enterprises with the management of information technology resources. The process model focuses on developing suitable controls for each of 34 IT processes, or control objectives, in an effort to raise the level of process maturity in information technology and satisfy the business expectations of IT. In particular, COBIT Control Objective PO9 (Assess Risks) spells out objectives for risk assessment, identification, measurement, and acceptance, among others. Detailed information on COBIT and on COBIT Control Objectives may be found at http://www.isaca.org or at http://www.itgi.org/.
C. HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 (HIPAA)
The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) creates national standards to protect individuals' personal health information and gives patients increased access to their medical records. As required by the Health Insurance Portability and Accountability Act (HIPAA), passed by the U.S. Congress in 1996, the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. Most covered entities (certain health care providers, health plans, and health care clearinghouses) must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule.
D.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) SPECIAL PUBLICATION #800-30 – RISK MANAGEMENT GUIDE FOR INFORMATION TECHNOLOGY SYSTEMS (JULY, 2002)
This publication is available at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

Revision History:
Revision    Date         Description of changes    Requested By
1.0         1/16/2006    Initial Release           Demetrius J. Wallace Sr.

SCHEDULE “A”
Software as a Service (SaaS) Provider Information Security Agreement
Schedule A City of Palo Alto Proprietary and Confidential Page 1 of 5
SaaS Provider Security Agreement v1.3 Need to Know Only Raj Patel July. 10, 2012

[This Schedule A – Information Security Requirements (Schedule “A”) shall be subject to the terms and conditions of that Master Service Agreement/General Procurement Agreement/Service Level Agreement/Professional Services Agreement between the SaaS provider and the City of Palo Alto, (“the City”), dated March 1, 2015 (“Agreement”). This Schedule A – SaaS provider Security Agreement (Schedule “A”) must be included in contracts with the SaaS provider].

[The Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customer over a network, typically the internet].

Any capitalized item herein will have the same meaning as that same capitalized term under the Agreement unless noted otherwise herein or the definition of such capitalized item can be reasonably inferred from the context herein.

To assure the security of the City the SaaS provider must define, develop, implement and maintain a secure environment to deliver the Services to the City that meets the requirements listed below in sections (a) through (w). In the event that the SaaS provider cannot meet the City’s security requirements, the SaaS provider may submit an exception with alternative countermeasures to address the risk.
The City’s Information Security Manager may approve or reject the exception request depending upon the risk associated with the exception request.

The IT environment must be documented and implemented prior to accessing, hosting or connecting to any component of the City's information assets or systems. The environment is defined as including, but not limited to, all of the following:
· Hardware and software systems and services used to provide the Services to the City
· Server and support components needed to run the software and services, including their configuration and interfaces to other servers and support components
· LAN and WAN networks connecting the servers and support components, including connection to Customer's systems
Exhibit E
· Operations and maintenance processes needed to support the environment, including disaster planning
· Performance and capacity monitoring, and backups, and confidentiality and integrity technology to ensure a secure and reliable environment, including firewalls, virus detection, intrusion monitoring and encryption.

The SaaS provider must comply with the following sections:

(a) A single SaaS provider executive officer must be named as the “security liaison” for the City's Information assets (including the City's information, as applicable) under the care of the SaaS provider.

(b) Prior to commencing any services for the City, the SaaS provider must complete the City’s Supplier Security Assessment Questionnaire, including the implementation of required countermeasures identified by the City’s Information Security Manager.
(c) The SaaS provider must have information security policies that are documented, accessible to the City and aligned with ISO 27002 – Information Security Management Standard (ISMS): http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297

(d) The SaaS Provider must conduct routine information security training of personnel that is appropriate to their role.

(e) The SaaS provider must develop and maintain detailed documentation of the Support and Services environment, including versions and patch levels. The SaaS provider must provide a copy of these documents to the City’s Information Security Manager upon request.

(f) The SaaS provider must have a verifiable process of performing background checks, consistent with industry standards, on workers sufficient to establish a level of trust, as to the worker's identity, and a means to register the worker's employment status that triggers removal of access to the City's data when the worker's role no longer requires access or worker's employment is terminated.

(g) The SaaS provider must have a verifiable process to track all hardware and software used to provide services to the City and or the City's departments.

(h) The SaaS provider must deploy access accountability (identification and authentication) architecture and support Role-Based Access Control (RBAC) mechanism for all personnel, systems and software used to provide the services.

(i) The SaaS provider must be able to demonstrate to the City that all elements of the Services environment design and deployment are known to the SaaS provider, and are implemented with accepted industry best practices for secure coding and secure IT architecture.
(j) The SaaS provider must provide and maintain secure intersystem communication paths, ensuring the confidentiality, integrity and availability of the City's data.

(k) The SaaS provider must deploy and maintain system upgrades, patches and configurations conforming with the current patch and/or release level not more than a week from release. Emergency security patches must be installed within 24 hours from release.

(l) The SaaS provider must provide detection of, response to and reporting of security incidents, including on-going incident monitoring with logging.

(m) The SaaS provider must notify the City’s Information Security Manager immediately for security incidents. Security incidents are defined as unauthorized access to or misuse of the City's data.

(n) In the event the SaaS provider is required to engage a 3rd party service provider(s) affecting the services provided to the City then the SaaS provider must gain formal approval from the City’s Information Security Manager, prior to engaging the 3rd party service provider(s).

(o) The SaaS provider must perform regular security audits (quarterly minimum), and provide required summary reports of these audits to the City’s Information Security Manager.

(p) The SaaS provider must also accommodate (upon reasonable notice) random site security audits by the City’s Information Security Manager, including the SaaS provider’s 3rd party service provider(s), as applicable. The scope of these audits will include awareness of security policies and practices, systems configurations, access authentication and authorization, and incident detection and response.

(q) The SaaS provider must cooperate with the City to ensure that, as may be required by applicable government regulations, sensitive and secured government information will only be accessible by the SaaS provider’s authorized personnel who are US citizens and that such data will be segregated and stored only in the US.
(r) The SaaS provider must perform regular, reliable (the City approved) secured backups of all data needed by the Application Services to maximize availability of the Services.

(s) The SaaS provider must submit their data backup, data archive and backup media access procedures to the City’s Information Security Manager and receive a formal approval from the Information Security Manager for the procedures.

(t) The SaaS provider must not store any classified information or any Private Information (PI) or Personally Identifiable Information (PII) or Sensitive Information (SI) about people in the SaaS provider’s business systems. In the event that the SaaS provider is required to store, process or back-up such information the SaaS provider must request a formal authorization from the City’s Information Security Manager.

(u) The SaaS provider must comply with US Federal, State and Local government data privacy requirements. “Access to US Federal, State or Local government data must not be provided to a third party or non-US national. An analysis of this data privacy requirement must be performed and documented by the project team. If data privacy issues around US Federal, State or Local government data are identified.

(v) The SaaS provider must use the City’s approved data exchange architecture and technology to exchange the authorized data with the City and within the scope of the Master Service Agreement (MSA) with the City. In the event that the SaaS provider is required to exchange any sensitive and confidential documents via email then the SaaS provider must “securely encrypt” the document(s).
(w) The SaaS provider must acknowledge and accept that in no event the SaaS provider will hold the City liable for any direct, indirect or punitive damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the City’s IT environment including but not limited to email and network communications. --------------------------------------------------- End Of Document --------------------------------------------------