City of Palo Alto (ID # 10618)
City Council Staff Report
Report Type: Consent Calendar Meeting Date: 9/23/2019
City of Palo Alto Page 1
Summary Title: Approve a 5 Year Extension to Questica Inc for Budget Software (Amendment #2)
Title: Approval of Amendment Number 2 to Contract Number C15152204 With Questica Inc., for the City's Budgeting Software for Five Additional Years, in a Not-to-Exceed Amount of $399,556
From: City Manager
Lead Department: IT Department
Recommendation
Staff recommends that the City Council approve and authorize the City Manager or designee to
execute the attached Amendment No. 2 (Attachment A) to contract no. C15152204 with
QUESTICA INC., for budgeting software, to extend the term by 5 years, and to increase the total
contract compensation by $399,556, which includes $369,556 for software maintenance and
support over the five-year term as well as $30,000 for optional on-call professional services (for
example, for as-needed customizations), bringing the total contract amount to $1,059,024 over
the ten-year period.
Background
In June 2014, the City Council approved a contract with Questica Inc. to implement a best-in-
class budget software system. This system is used to develop the City’s annual operating and
capital budgets, municipal fee schedule, long range financial forecast, labor cost modeling,
performance management reporting, and financial budget to actual reports. This contract is
necessary to continue using this critical software, receiving updates and patches to the
software, and technical support for the Questica system licensed under this contract. The
existing license and support contract expired on June 30, 2019 (contract C15152204, CMR 4516,
as amended to a site license in CMR 5350).
Discussion
This amendment includes maintenance and support with an annual price escalation, totaling
$369,556 over the five-year term. It also includes optional on-call professional services in the
amount of $30,000 over the five-year term, for a total not to exceed amount of $399,556.
Annual costs are detailed in Attachment A.
A solicitation would be impractical and unavailing at this time as the Questica budgeting
software system is meeting the City’s needs, is performing as desired, and was selected
originally through a competitive solicitation process. Going out to competitive solicitation,
rather than renewing this contract for a system that is working well for the City at this time,
would require business process overhauls and database reconstruction, and may hinder the
timely and efficient development and maintenance of the City's budgeting process, where no
need for a new system is indicated. For these reasons, staff is requesting an exemption from
competitive solicitation as being impractical and unavailing under PAMC 2.30.360(b)(2).
Resource Impact
The funds for the payment of the first year of this contract amendment are budgeted in the IT
Technology Fund and were approved in the FY 2020 Adopted Budget. Funding for future years
of the contract is subject to the annual appropriation of funds.
Environmental Review
Approval of this contract does not constitute a project under the California Environmental
Quality Act (CEQA); therefore, no Environmental Assessment is required.
Attachments:
ATTACHMENT A: Amendment NO. 2 to Contract NO. C15152204 Between the City of
Palo Alto and QUESTICA INC.
Vers.: Aug. 5, 2019
AMENDMENT NO. 2 TO CONTRACT NO. C15152204
BETWEEN THE CITY OF PALO ALTO AND
QUESTICA INC.
This Amendment No. 2 (this “Amendment”) to contract no. C15152204 (the “Contract” as
defined below) is entered into as of September 16, 2019, by and between the CITY OF PALO ALTO,
a California chartered municipal corporation (“CITY”), and QUESTICA INC., an Ontario Corporation,
located at 980 Fraser Drive, Suite 105, Burlington, Ontario, Canada (“CONSULTANT”). CITY and
CONSULTANT are referred to collectively as the “Parties” in this Amendment.
R E C I T A L S
A. The Contract (as defined below) was entered into by and between the Parties hereto
for the provision of a budget software system, support and maintenance, as detailed therein.
B. The Contract was amended by Amendment No. 1 (as below) to add the
CONSULTANT's performance management module to the Contract's scope of services, as detailed
therein.
C. The Parties now wish to amend the Contract in order to extend the term of the
Contract, as detailed in this Amendment.
NOW, THEREFORE, in consideration of the covenants, terms, conditions, and provisions of
this Amendment, the Parties agree:
SECTION 1. Definitions. The following definitions shall apply to this Amendment:
a. Contract. The term “Contract” shall mean Contract No. 15152204 between
CONSULTANT and CITY, dated July 1, 2014, as amended by
Amendment No.1 to C15152204 between CONSULTANT and CITY.
b. Other Terms. Capitalized terms used and not defined in this Amendment
shall have the meanings assigned to such terms in the Contract.
SECTION 2. Section 1, “Scope of Services,” of the Contract is hereby amended to read as
follows:
“CONSULTANT shall perform the Services described in Exhibit “A” (and as summarized in Exhibit
“C”) in accordance with the terms and conditions contained in this Agreement. The performance of
all Services shall be to the reasonable satisfaction of CITY.
DocuSign Envelope ID: 633F6FA7-6311-414C-B9BE-D4517F1AEB0B
Optional On‐Call Provision (This provision only applies if checked and only applies to
agreements with on‐call services.)
CONSULTANT shall also provide On‐Call Professional Services on an as‐needed basis, to be
authorized by CITY, in CITY’s sole discretion, with a Task Order assigned and approved by CITY’s
Project Manager up to the not‐to‐exceed amount provided for such services in Section 4 (“Not to
Exceed Compensation”). Each Task Order shall be in substantially the same form as Exhibit “A‐1”
(“Professional Services Task Order”). Each Task Order shall designate a CITY project manager (if
different from the CITY project manager in this Agreement), and shall contain a specific proposed
scope of work, schedule of performance and compensation amount (in accordance with Exhibit C,
“Compensation”). CONSULTANT’s hourly rate for On‐Call Professional Services is specified in
Exhibit C‐1. The total price of all Task Orders issued under this Agreement shall not exceed the
amount of compensation set forth for On‐Call Professional Services in Exhibit C (“Compensation”)
of this Agreement. CONSULTANT shall only be compensated for work performed under an
authorized Task Order, and CITY may elect, but is not required, to authorize On‐Call Professional
Services up to the maximum compensation amount set forth for such services in Exhibit C
(“Compensation”).”
SECTION 3. Section 2, “Term,” of the Contract is hereby amended to read as follows:
“The term of this Agreement shall be from the date of its full execution through June 30, 2024,
unless terminated earlier pursuant to Section 19 of this Agreement.”
SECTION 4. Section 4, “Not to Exceed Compensation,” of the Contract is hereby amended
to read as follows:
“The compensation to be paid to CONSULTANT for the licenses and performance of Services
described in Exhibit “A” (“Scope of Services”), Section 1 (“Scope of Services”), and as summarized in
Exhibit “C” (“Compensation”), shall not exceed the maximum amounts specified in Exhibit “C”. In
the event Additional Services are authorized, the total compensation for such services shall not
exceed $29,968, as detailed in Exhibit “C”. In the event On‐Call Professional Services are
authorized (per Section 1), the total compensation for such services shall not exceed $30,000, as
detailed in Exhibit “C”. The applicable hourly rate schedules are set forth in Exhibit “C” and in
Exhibit “C‐1” (“Hourly Rate Schedule”). Additional Services, if any, shall be authorized in
accordance with and subject to the provisions of Exhibit “C”. CONSULTANT shall not receive any
compensation for Additional Services performed without the prior written authorization of CITY.
“Additional Services” shall mean any work that is determined by CITY to be necessary for the
proper completion of the Project, but which is not included within the Scope of Services described
in Exhibit “A” or Section 1. For clarity, On‐Call Professional Services provided pursuant to Section 1
shall not constitute Additional Services, provided that the amount for such On‐Call Professional
Services does not exceed the maximum amount provided for such services in Exhibit C.”
SECTION 5. The CITY's project manager under Section 13, "Project Management," of the
Contract is hereby replaced as follows:
“The City's project manager is Kayla Shapiro, Administrative Services Department, Office of
Management and Budget, Palo Alto, CA 94303, Telephone: 650‐329‐2260.”
SECTION 6. The following exhibits to the Contract are hereby amended or added, as
indicated below, to read as set forth in the attachments to this Amendment, which are hereby
incorporated in full into this Amendment and into the Contract by this reference:
a. Exhibit “A‐1” entitled “Professional Services Task Order”, ADDED.
b. Exhibit “C” entitled “Compensation”, AMENDED, REPLACES PREVIOUS.
c. Exhibit “C‐1” entitled “Hourly Rate Schedule”, AMENDED, REPLACES
PREVIOUS.
d. Exhibit “F” entitled “Information Privacy Policy”, ADDED.
e. Exhibit “G” entitled “Vendor Cybersecurity Terms and Conditions”, ADDED.
SECTION 7. Legal Effect. Except as modified by this Amendment, all other provisions of the
Contract, including any exhibits thereto, shall remain in full force and effect.
SECTION 8. Incorporation of Recitals. The recitals set forth above are terms of this
Amendment and are fully incorporated herein by this reference.
(SIGNATURE BLOCK FOLLOWS ON THE NEXT PAGE.)
SIGNATURES OF THE PARTIES
IN WITNESS WHEREOF, the Parties have by their duly authorized representatives executed
this Amendment effective as of the date first above written.
CITY OF PALO ALTO
City Manager (Contract over $85k)
APPROVED AS TO FORM:
City Attorney or designee
QUESTICA INC.
Officer 1
By:
Name:
Title:
Officer 2 (Required for Corp. or LLC)
By:
Name:
Title:
Attachments:
Exhibit A‐1: “Professional Services Task Order” (Added)
Exhibit C: “Compensation” (Amended, Replaces Previous)
Exhibit C‐1: “Hourly Rate Schedule” (Amended, Replaces Previous)
Exhibit F: “Information Privacy Policy” (Added)
Exhibit G: “Vendor Cybersecurity Terms and Conditions” (Added)
TJ Parass, CEO and President
Mike Fricke, Director of Finance
EXHIBIT “A‐1”
PROFESSIONAL SERVICES TASK ORDER
In accordance with the Agreement (as defined in Item 1A below), CONTRACTOR and the CITY agree that
CONTRACTOR will perform the work detailed in this Task Order as detailed herein and in accordance with the terms and
conditions of the Agreement. This Task Order and all exhibits referenced in Item 7 below are incorporated into the
Agreement by this reference. CONTRACTOR shall furnish the necessary facilities, professional, technical and supporting
personnel required to perform this Task Order as described herein.
1A. CONTRACT NO. CONTRACT ISSUE DATE
1B. TASK ORDER NO.
1C. TASK ORDER ISSUE DATE
2. PERIOD OF PERFORMANCE: START: COMPLETION:
3. TOTAL TASK ORDER PRICE: $__________________
BALANCE REMAINING IN AGREEMENT $__________________________________
4. BUDGET CODE: _______________
COST CENTER_______________ COST ELEMENT______________ WBS/CIP___ _______PHASE___
5. CITY PROJECT MANAGER’S NAME/DEPARTMENT_________________________________________
6. DESCRIPTION OF SCOPE OF SERVICES
MUST INCLUDE:
WORK TO BE PERFORMED
SCHEDULE OF WORK
BASIS FOR PAYMENT & FEE SCHEDULE
DELIVERABLES
REIMBURSABLES (with “not to exceed” cost)
7. ATTACHMENTS TO THIS TASK ORDER: A: Scope of Services B (if any):_____________________
SIGNATURES OF THE PARTIES
IN WITNESS WHEREOF, the parties have caused this Task Order to be executed by their duly authorized representatives.
CITY OF PALO ALTO
I hereby authorize the performance of the work
described in this Task Order and I warrant that
I have the authority to sign on behalf of the CITY.
APPROVED:
BY:__________________________________
Name ________________________________
Title_________________________________
Date _________________________________
CONTRACTOR
I hereby agree to enter into this Task Order for CONTRACTOR to
perform the work described herein and I warrant that
I have the authority to sign on behalf of CONTRACTOR.
APPROVED:
BY:__________________________________
Name ________________________________
Title_________________________________
Date _________________________________
EXHIBIT C – "COMPENSATION"

Scope | Description of Services | Cost (NTE) | Payment Schedule
Implementation (cost of all professional services required for installation, implementation, data conversion, application development, training, and the first year's warranty, maintenance, and support as well as any applicable license costs.) | Licenses: Site License (ALL YEARS) | $160,000.00 | $43,000 at Contract Signing; $43,000 at start of training; $15,000 execution of 1st contract amdt; $59,000 System Go-Live of Budget Sys.
Implementation (cont.) | Implementation Services: planning & analysis, installation, data load & verify, accounting integration, training, project management per Exhibit A. | $129,600.00 | $25,920 each (x 5) as outlined below**
Implementation (cont.) | Maintenance* and Hosting (Year 1) | $10,080.00 | Contract Signing (July 1, 2014)
SUBTOTAL | | $299,680.00 | --
Annual maintenance* (Year 2) | Annual Maintenance ($57,500) and Hosting ($10,080) | $67,580.00 | One year after contract signing
Annual maintenance* (Year 3) | Annual Maintenance ($57,500) and Hosting ($10,080) | $67,580.00 | Two years after contract signing
Annual maintenance* (Year 4) | Annual Maintenance ($57,500) and Hosting ($10,080) | $67,580.00 | Three years after contract signing
Annual maintenance* (Year 5) | Annual Maintenance ($57,500) and Hosting ($10,080) | $67,580.00 | Four years after contract signing
Custom Report Development | 250 hours at $170 per hour | $42,500.00 | Upon acceptance of the report
Performance Management Module Implementation and Training | 100 hours at $170 per hour | $17,000.00 | As training is delivered
SUBTOTAL - LICENSES (ALL YEARS) & SERVICES (YEARS 1-5) | | $629,500.00 | --
10% Contingency ("Additional Services" per Agrt § 4) | | $29,968.00 | 30 days after an approved invoice
SUBTOTAL NOT-TO-EXCEED COMPENSATION FOR LICENSES (ALL YEARS) & SERVICES (YEARS 1-5) | | $659,468.00 | --
Annual maintenance* (Year 6) | Annual Maintenance & Hosting (Year 5 amount x 1.03) | $69,607.40 | Five years after contract signing
Annual maintenance* (Year 7) | Annual Maintenance & Hosting (Year 6 amount x 1.03) | $71,695.62 | Six years after contract signing
Annual maintenance* (Year 8) | Annual Maintenance & Hosting (Year 7 amount x 1.03) | $73,846.49 | Seven years after contract signing
Annual maintenance* (Year 9) | Annual Maintenance & Hosting (Year 8 amount x 1.03) | $76,061.88 | Eight years after contract signing
Annual maintenance* (Year 10) | Annual Maintenance & Hosting (Year 9 amount x 1.03) | $78,343.74 | Nine years after contract signing
On-Call Professional Services (Years 6-10) | 150 hours at $200 per hour (via Task Order per Agrt § 1) | $30,000.00 | Upon approved Task Order & invoice
SUBTOTAL NOT-TO-EXCEED COMPENSATION FOR YEARS 6-10 | | $399,555.13 | --
TOTAL NOT-TO-EXCEED COMPENSATION OF THE AGREEMENT (ALL YEARS) | | $1,059,023.13 | --

* "Maintenance" and "Annual maintenance" include technical support.
EXHIBIT C – “COMPENSATION”
(CONTINUED)
**Payment Schedule for Implementation Services:
1. $25,920 due earlier of 60 days from contract signing or completion of data import
2. $25,920 due earlier of 120 days from contract signing or start of training
3. $25,920 due earlier of 150 days from contract signing or completion of data integration
4. $25,920 due earlier of 210 days from contract signing or Go‐Live
5. $25,920 due 60 days after Go‐Live
Exhibit C‐1
HOURLY RATE SCHEDULE
Project Manager ‐ $200/hr
Consultant ‐ $200/hr
Trainer ‐ $200/hr
Developer ‐ $200/hr
Report Writer ‐ $200/hr
On‐Call Professional Services – $200/hour
Exhibit F
INFORMATION PRIVACY POLICY
POLICY AND PROCEDURES 1 64/IT
Revised: December 2017
POLICY STATEMENT
The City of Palo Alto (the "City") strives to promote and sustain a superior quality of life for persons in Palo Alto. In promoting the quality of life of these persons, it is the policy of the City, consistent with the provisions of the California Public Records Act, California Government Code §§ 6250-6270, to take appropriate measures to safeguard the security and privacy of the personal (including, without limitation, financial) information of persons, collected in the ordinary course and scope of conducting the City's business as a local government agency. These measures are generally observed by federal, state and local authorities and reflected in federal and California laws, the City's rules and regulations, and industry best practices, including, without limitation, the provisions of California Civil Code §§ 1798.3(a), 1798.24, 1798.79.8(b), 1798.80(e), 1798.81.5, 1798.82(e), 1798.83(e)(7), and 1798.92(c). Though some of these provisions do not apply to local government agencies like the City, the City will conduct business in a manner which promotes the privacy of personal information, as reflected in federal and California laws. The objective of this Policy is to describe the City's data security goals and objectives, to ensure the ongoing protection of the Personal Information, Personally Identifiable Information, Protected Critical Infrastructure Information and Personally Identifying Information of persons doing business with the City and receiving services from the City or a third party under contract to the City to provide services. The terms Personal Information, Protected Critical Infrastructure Information, Personally Identifiable Information and Personally Identifying Information (collectively, the "Information") are defined in the California Civil Code sections referred to above, and are incorporated in this Policy by reference.
PURPOSE
The City, acting in its governmental and proprietary capacities, collects the Information pertaining to persons who do business with or receive services from the City. The Information is collected by a variety of means, including, without limitation, from persons applying to receive services provided by the City, persons accessing the City's website, and persons who access other information portals maintained by the City's staff and/or authorized third party contractors. The City is committed to protecting the privacy and security of the Information collected by the City. The City acknowledges federal and California laws, policies, rules, regulations and procedures, and industry best practices are dedicated to ensuring the Information is collected, stored and utilized in compliance with applicable laws.
The goals and objectives of the Policy are: (a) a safe, productive, and inoffensive work environment for all users having access to the City's applications and databases; (b) the appropriate maintenance and security of database information assets owned by, or entrusted to, the City; (c) the controlled access and security of the Information provided to the City's staff and third party contractors; and (d) faithful compliance with legal and regulatory requirements.
SCOPE
The Policy will guide the City's staff and, indirectly, third party contractors, which are by contract required to protect the confidentiality and privacy of the Information of the persons whose personal information data are intended to be covered by the Policy and which will be advised by City staff to conform their performances to the Policy should they enjoy conditional access to that information.
CONSEQUENCES
The City's employees shall comply with the Policy in the execution of their official duties to the extent their work implicates access to the Information referred to in this Policy. A failure to comply may result in employment and/or legal consequences.
EXCEPTIONS
In the event that a City employee cannot fully comply with one or more element(s) described in this Policy, the employee may request an exception by submitting a Security Exception Request. The exception request will be reviewed and administered by the City's Information Security Manager (the "ISM"). The employee, with the approval of his or her supervisor, will provide any additional information as may be requested by the ISM. The ISM will conduct a risk assessment of the requested exception in accordance with guidelines approved by the City's Chief Information Officer (CIO) and approved as to form by the City Attorney. The Policy's guidelines will include at a minimum: purpose, source, collection, storage, access, retention, usage, and protection of the Information identified in the request. The ISM will consult with the CIO to approve or deny the exception request. After due consideration is given to the request, the exception request disposition will be communicated, in writing, to the City employee and his or her supervisor. The approval of any request may be subject to countermeasures established by the CIO, acting by the ISM.
MUNICIPAL ORDINANCE
This Policy will supersede any City policy, rule, regulation or procedure regarding information
privacy.
RESPONSIBILITIES OF CITY STAFF
A. RESPONSIBILITY OF CIO AND ISM
The CIO, acting by the ISM, will establish an information security management framework to initiate and coordinate the implementation of information security measures by the City's government.
The City's employees, in particular, software application users and database users, and, indirectly, third party contractors under contract to the City to provide services, shall be guided by this Policy in the performance of their job responsibilities.
The ISM will be responsible for: (a) developing and updating the Policy; (b) enforcing compliance with and the effectiveness of the Policy; (c) the development of privacy standards that will manifest the Policy in detailed, auditable technical requirements, which will be designed and maintained by the persons responsible for the City's IT environments; (d) assisting the City's staff in evaluating security and privacy incidents that arise in regard to potential violations of the Policy; (e) reviewing and approving department-specific policies and procedures which fall under the purview of this Policy; and (f) reviewing Non-Disclosure Agreements (NDAs) signed by third party contractors which will provide services, including, without limitation, local or cloud-based software services, to the City.
B. RESPONSIBILITY OF INFORMATION SECURITY STEERING COMMITTEE
The Information Security Steering Committee (the "ISSC"), which is comprised of the City's employees, drawn from the various City departments, will provide the primary direction, prioritization and approval for all information security efforts, including key information security and privacy risks, programs, initiatives and activities. The ISSC will provide input to the information security and privacy strategic planning processes to ensure that information security risks are adequately considered, assessed and addressed at the appropriate City department level.
C. RESPONSIBILITY OF USERS
All authorized users of the Information will be responsible for complying with information
privacy processes and technologies within the scope of responsibility of each user.
D. RESPONSIBILITY OF INFORMATION TECHNOLOGY (IT) MANAGERS
The City's IT Managers, who are responsible for internal, external, direct and indirect connections to the City's networks, will be responsible for configuring, maintaining and securing the City's IT networks in compliance with the City's information security and privacy policies. They are also responsible for timely internal reporting of events that may have compromised network, system or data security.
E. RESPONSIBILITY OF AUTHORIZATION COORDINATION
The ISM will ensure that the City's employees secure the execution of Non-Disclosure Agreements (NDA), whenever access to the Information will be granted to third party contractors, in conjunction with the Software as a Service (SaaS) Security and Privacy Terms and Conditions. An NDA must be executed prior to the sharing of the Information of persons covered by this Policy with third party contractors. The City's approach to managing information security and its implementation (i.e. objectives, policies, processes, and procedures for information security) will be reviewed independently by the ISM at planned intervals, or whenever significant changes to security implementation have occurred.
The CIO, acting by the ISM, will review and recommend changes to the Policy annually, or as appropriate, commencing from the date of its adoption.
GENERAL PROCEDURE FOR INFORMATION PRIVACY
A. OVERVIEW
The Policy applies to activities that involve the use of the City's information assets, namely, the Information of persons doing business with the City or receiving services from the City, which are owned by, or entrusted to, the City and will be made available to the City's employees and third party contractors under contract to the City to provide Software as a Service consulting services. These activities include, without limitation, accessing the Internet, using e-mail, accessing the City's intranet or other networks, systems, or devices. The term information assets also includes the personal information of the City's employees and any other related organizations while those assets are under the City's control. Security measures will be designed, implemented, and maintained to ensure that only authorized persons will enjoy access to the information assets. The City's staff will act to protect its information assets from theft, damage, loss, compromise, and inappropriate disclosure or alteration. The City will plan, design, implement and maintain information management systems, networks and processes in order to assure the appropriate confidentiality, integrity, and availability of its information assets to the City's employees and authorized third parties.
B. PERSONAL INFORMATION AND CHOICE
Except as permitted or provided by applicable laws, the City will not share the Information of any person doing business with the City, or receiving services from the City, in violation of this Policy, unless that person has consented to the City's sharing of such information during the conduct of the City's business as a local government agency with third parties under contract to the City to provide services.
C. METHODS OF COLLECTION OF PERSONAL INFORMATION
The City may gather the Information from a variety of sources and resources, provided that the collection of such information is both necessary and appropriate in order for the City to conduct business as a local government agency in its governmental and proprietary capacities. That information may be gathered at service windows and contact centers as well as at web sites, by mobile applications, and with other technologies, wherever the City may interact with persons who need to share such information in order to secure the City's services.
The City's staff will inform the persons whose Information is covered by this Policy that the City's web site may use cookies to customize the browsing experience with the City of Palo Alto web site. The City will note that a cookie contains unique information that a web site can use to track, among others, the Internet Protocol address of the computer used to access the City's web sites, the identification of the browser software and operating systems used, the date and time a user accessed the site, and the Internet address of the website from which the user linked to the City's web sites. Cookies created on the user's computer by using the City's web site do not contain the Information, and thus do not compromise the user's privacy or security. Users can refuse the cookies or delete the cookie files from their computers by using any of the widely available methods. If the user chooses not to accept a cookie on his or her computer, it will not prevent or prohibit the user from gaining access to or using the City's sites.
D. UTILITIES SERVICE
In the provision of utility services to persons located within Palo Alto, the City of Palo Alto Utilities Department (CPAU) will collect the Information in order to initiate and manage utility services to customers. To the extent the management of that information is not specifically addressed in the Utilities Rules and Regulations or other ordinances, rules, regulations or procedures, this Policy will apply; provided, however, any such Rules and Regulations must conform to this Policy, unless otherwise directed or approved by the Council. This includes the sharing of CPAU-collected Information with other City departments except as may be required by law.
Businesses and residents with standard utility meters and/or having non-metered monthly services will have secure access through a CPAU website to their Information, including, without limitation, their monthly utility usage and billing data. In addition to their regular monthly utilities billing, businesses and residents with non-standard or experimental electric, water or natural gas meters may have their usage and/or billing data provided to them through non-City electronic portals at different intervals than with the standard monthly billing.
Businesses and residents with such non-standard or experimental metering will have their Information covered by the same privacy protections and personal information exchange rules applicable to Information under applicable federal and California laws.
E. PUBLIC DISCLOSURE
The Information that is collected by the City in the ordinary course and scope of conducting
its business could be incorporated in a public record that may be subject to inspection and
copying by the public, unless such information is exempt from disclosure to the public by
California law.
F. ACCESS TO PERSONAL INFORMATION
The City will take reasonable steps to verify a person's identity before the City will grant anyone online access to that person's Information. Each City department that collects Information will afford access to affected persons who can review and update that information at reasonable times.
G. SECURITY, CONFIDENTIALITY AND NON DISCLOSURE
Except as otherwise provided by applicable law or this Policy, the City will treat the
Information of persons covered by this Policy as confidential and will not disclose it, or
permit it to be disclosed, to third parties without the express written consent of the person
affected. The City will develop and maintain reasonable controls that are designed to
protect the confidentiality and security of the Information of persons covered by this Policy.
The City may authorize the City's employees and/or third party contractors to access and/or
use the Information of persons who do business with the City or receive services from the
City. In those instances, the City will require the City's employees and/or the third party
contractors to agree to use such Information only in furtherance of City-related business
and in accordance with the Policy.
If the City becomes aware of a breach, or has reasonable grounds to believe that a security
breach has occurred, with respect to the Information of a person, the City will notify the
affected person of such breach in accordance with applicable laws. The notice of breach will
include the date(s) or estimated date(s) of the known or suspected breach, the nature of
the Information that is the subject of the breach, and the proposed action to be taken or
the responsive action taken by the City.
H. DATA RETENTION / INFORMATION RETENTION
The City will store and secure all Information for a period of time as may be required by law,
or if no period is established by law, for seven (7) years, and thereafter such information
will be scheduled for destruction.
I. SOFTWARE AS A SERVICE (SAAS) OVERSIGHT
The City may engage third party contractors and vendors to provide software application
and database services, commonly known as Software as a Service (SaaS).
In order to assure the privacy and security of the Information of those who do business with
the City and those who receive services from the City, as a condition of selling goods
and/or services to the City, the SaaS services provider and its subcontractors, if any,
including any IT infrastructure services provider, shall design, install, provide, and maintain
a secure IT environment, while it performs such services and/or furnishes goods to the City,
to the extent any scope of work or services implicates the confidentiality and privacy of the
Information.
These requirements include information security directives pertaining to: (a) the IT
infrastructure, by which the services are provided to the City, including connection to the
City's IT systems; (b) the SaaS services provider's operations and maintenance processes
needed to support the IT environment, including disaster recovery and business continuity
planning; and (c) the IT infrastructure performance monitoring services to ensure a secure
and reliable environment and service availability to the City. The term "IT infrastructure"
refers to the integrated framework, including, without limitation, data centers, computers,
and database management devices, upon which digital networks operate.
Prior to entering into an agreement to provide services to the City, the City's staff will
require the SaaS services provider to complete and submit an Information Security and
Privacy Questionnaire. In the event that the SaaS services provider reasonably determines
that it cannot fulfill the information security requirements during the course of providing
services, the City will require the SaaS services provider to promptly inform the ISM.
J. FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003
CPAU will require utility customers to provide their Information in order for the City to
initiate and manage utility services to them.
Federal regulations implementing the Fair and Accurate Credit Transactions Act of 2003
(Public Law 108-159), including the Red Flag Rules, require that CPAU, as a covered
financial institution or creditor which provides services in advance of payment and which
can affect consumer credit, develop and implement procedures for an identity theft
program for new and existing accounts to detect, prevent, respond to and mitigate potential
identity theft involving its customers' Information.
CPAU procedures for potential identity theft will be reviewed independently by the ISM
annually or whenever significant changes to security implementation have occurred. The
ISM will recommend changes to CPAU identity theft procedures, as appropriate, so as to
conform to this Policy.
There are California laws which are applicable to identity theft; they are set forth in
California Civil Code § 1798.92.
NOTE: Questions regarding this policy should be referred to the Information Technology
Department, as appropriate.
Recommended: __________________________________ ________________
Director Information Technology/CIO Date
Approved: ___________________________________ _________________
City Manager Date
City of Palo Alto
Information Security
Document Version: V2.7
Doc: InfoSec 110
EXHIBIT G
VENDOR CYBERSECURITY TERMS AND CONDITIONS
This Exhibit shall be made a part of the City of Palo Alto’s Professional Services Agreement or any other contract entered
into by and between the City of Palo Alto (the “City”) and QUESTICA INC. (the “Consultant”) for the provision of Software as
a Service services to the City (the “Agreement”).
In order to assure the privacy and security of the personal information of the City’s customers and
people who do business with the City, including, without limitation, vendors, utility customers, library
patrons and other individuals and businesses, who are required to share such information with the
City, as a condition of receiving services from the City or selling goods and services to the City,
including, without limitation, the Software as a Service services provider (the “Consultant”) and its
subcontractors, if any, including, without limitation, any Information Technology (“IT”) infrastructure
services provider, shall design, install, provide, and maintain a secure IT environment, described
below, while it renders and performs the Services and furnishes goods, if any, described in the
Statement of Work, Exhibit B, to the extent any scope of work implicates the confidentiality and
privacy of the personal information of the City’s customers. The Consultant shall fulfill the data and
information security requirements (the “Requirements”) set forth in Part A below.
A “secure IT environment” includes: (a) the IT infrastructure, by which the Services are provided to
the City, including connection to the City's IT systems; (b) the Consultant’s operations and
maintenance processes needed to support the environment, including disaster recovery and business
continuity planning; and (c) the IT infrastructure performance monitoring services to ensure a secure
and reliable environment and service availability to the City. “IT infrastructure” refers to the
integrated framework, including, without limitation, data centers, computers, and database
management devices, upon which digital networks operate.
In the event that, after the Effective Date, the Consultant reasonably determines that it cannot fulfill
the Requirements, the Consultant shall promptly inform the City of its determination and submit, in
writing, one or more alternate countermeasure options to the Requirements (the “Alternate
Requirements” as set forth in Part B), which may be accepted or rejected in the reasonable
satisfaction of the Information Security Manager (the “ISM”).
Part A. Requirements:
The Consultant shall at all times during the term of any contract between the City and the Consultant:
(a) Appoint or designate an employee, preferably an executive officer, as the security liaison to
the City with respect to the Services to be performed under this Agreement.
(b) Comply with the City’s Information Privacy Policy:
(c) Have adopted and implemented information security and privacy policies that are
documented, are accessible to the City and conform to ISO 27001/2 – Information Security
Management Systems (ISMS) Standards. See the following:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=42103
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
(d) Conduct routine data and information security compliance training of its personnel that is
appropriate to their role.
(e) Develop and maintain detailed documentation of the IT infrastructure, including software
versions and patch levels.
(f) Develop an independently verifiable process, consistent with industry standards, for
performing professional and criminal background checks of its employees that (1) would
permit verification of employees’ personal identity and employment status, and (2) would
enable the immediate denial of access to the City's confidential data and information by any
of its employees who no longer would require access to that information or who are
terminated.
(g) Provide a list of IT infrastructure components in order to verify whether the Consultant has
met or has failed to meet any objective terms and conditions.
(h) Implement access accountability (identification and authentication) architecture and support
role‐based access control (“RBAC”) and segregation of duties (“SoD”) mechanisms for all
personnel, systems, and software used to provide the Services. “RBAC” refers to a computer
systems security approach to restricting access only to authorized users. “SoD” is an approach
that would require more than one individual to complete a security task in order to promote
the detection and prevention of fraud and errors.
(i) Assist the City in undertaking annually an assessment to assure that: (1) all elements of the
Services’ environment design and deployment are known to the City, and (2) it has
implemented measures in accordance with industry best practices applicable to secure coding
and secure IT architecture.
(j) Provide and maintain secure intersystem communication paths that would ensure the
confidentiality, integrity, and availability of the City's information.
(k) Deploy and maintain IT system upgrades, patches and configurations conforming to current
patch and/or release levels by not later than one (1) week after their date of release. Emergency
security patches must be installed within 24 hours after their date of release.
(l) Provide for the timely detection of, response to, and the reporting of security incidents,
including on‐going incident monitoring with logging.
(m) Notify the City within one (1) hour of detecting a security incident that results in the
unauthorized access to or the misuse of the City's confidential data and information.
(n) Inform the City that any third party service provider(s) meet(s) all of the Requirements.
(o) Perform security self‐audits on a regular basis and not less frequently than on a quarterly
basis, and provide the required summary reports of those self‐audits to the ISM on the annual
anniversary date or any other date agreed to by the Parties.
(p) Accommodate, as practicable, and upon reasonable prior notice by the City, the City’s
performance of random site security audits at the Consultant’s site(s), including the site(s) of a
third party service provider(s), as applicable. The scope of these audits will extend to the
Consultant’s and its third party service provider(s)’ awareness of security policies and
practices, systems configurations, access authentication and authorization, and incident
detection and response.
(q) Cooperate with the City to ensure that to the extent required by applicable laws, rules and
regulations, the Confidential Information will be accessible only by the Consultant and any
authorized third party service provider’s personnel.
(r) Perform regular, reliable secured backups of all data needed to maximize the availability of
the Services.
(s) Maintain records relating to the Services for a period of three (3) years after the expiration or
earlier termination of this Agreement and in a mutually agreeable storage medium. Within
thirty (30) days after the effective date of expiration or earlier termination of this Agreement,
all of those records relating to the performance of the Services shall be provided to the ISM.
(t) Maintain the Confidential Information in accordance with applicable federal, state and local
data and information privacy laws, rules, and regulations.
(u) Encrypt the Confidential Information before delivering the same by electronic mail to the City
and/or any authorized recipient.
(v) Unless otherwise addressed in the Agreement, shall not hold the City liable for any direct,
indirect or punitive damages whatsoever including, without limitation, damages for loss of
use, data or profits, arising out of or in any way connected with the City’s IT environment,
including, without limitation, IT infrastructure communications.
Part B. Alternate Requirements: