RESOLUTION

RE: APPROVE GRANT APPLICATION FOR WELD COUNTY INFORMATION TECHNOLOGY RISK ASSESSMENT PROJECT AND AUTHORIZE ELECTRONIC SUBMITTAL

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board has been presented with a Grant Application for the Weld County Information Technology Risk Assessment Project, to conduct a risk assessment of the Weld County Department of Human Services information systems, from the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Department of Human Services, in collaboration with the Department of Information Technology, to the Colorado Department of Healthcare Policy and Financing, commencing upon full execution of signatures, and ending July 15, 2020, and

WHEREAS, after review, the Board deems it advisable to approve said application, a copy of which is attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Grant Application for the Weld County Information Technology Risk Assessment Project, to conduct a risk assessment of the Weld County Department of Human Services information systems, from the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Department of Human Services, in collaboration with the Department of Information Technology, to the Colorado Department of Healthcare Policy and Financing, be, and hereby is, approved.

BE IT FURTHER RESOLVED by the Board that the application be, and hereby is, authorized for electronic submittal.

2019-2169
HR0090

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 12th day of June, A.D., 2019.

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO

ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk
Attorney
Date of signature:

Barbara Kirkmeyer, Chair
Mike Freeman, Pro-Tem
Sean P. Conway
EXCUSED
Scott K. James
EXCUSED
Steve Moreno

PRIVILEGED AND CONFIDENTIAL

MEMORANDUM

DATE: June 4, 2019
TO: Board of County Commissioners — Pass-Around
FR: Judy A. Griego, Director, Human Services
RE: Fiscal Year 2019-20 County Grant Program Application

Please review and indicate if you would like a work session prior to placing this item on the Board's agenda.

Request Board Approval of the Departments' Fiscal Year 2019-20 County Grant Program Application. On May 20, 2019, Colorado Department of Health Care Policy & Financing (HCPF) issued HCPF IM 19-034, which informed counties of available grant funding. In collaboration with Weld County Department of Information Technology (IT), the Weld County Department of Human Services (WCDHS) is requesting to apply for grant funding in the amount of $50,000.00, to conduct a risk assessment of the WCDHS information systems to ensure security control requirements are being met. This project falls under the grant's identified preferred project of Cybersecurity and Compliance with the Colorado Information Security Policies (CISP). This project will leverage established industry benchmarks, identify strengths and weaknesses, and develop recommendations to effectively mitigate risks and prioritize areas of improvement.

This application is due to HCPF by Friday, June 14, 2019. Award notification will occur in early July 2019. Awarded projects must be completed by July 15, 2020.

I do not recommend a Work Session.
I recommend approval and submission of this grant application.

Approve Recommendation / Schedule Work Session / Other/Comments:
Sean P. Conway
Mike Freeman, Pro-Tem
Scott James
Barbara Kirkmeyer, Chair
Steve Moreno

Pass-Around Memorandum; May 31, 2019 (Not in CMS)

From: Scott James
Sent: Wednesday, June 5, 2019 7:51 AM
To: Karla Ford
Cc: Commissioners
Subject: Re: PA FOR ROUTING: FY2019-20 County Grant Application

Approve

** Sent from my iPhone **

Scott K. James
Weld County Commissioner, District 2
1150 O Street, P.O. Box 758, Greeley, Colorado 80632
970.336.7204 (Office)
970.381.7496 (Cell)

Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. If you have received this communication in error, please immediately notify sender by return e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited.

On Jun 5, 2019, at 7:33 AM, Karla Ford <kford@weldgov.com> wrote:

This is for Wednesday's Agenda. Please let me know if you approve recommendation. Thank you!

Karla Ford
Office Manager, Board of Weld County Commissioners
1150 O Street, P.O. Box 758, Greeley, Colorado 80632 :: 970.336-7204 :: kford@weldgov.com :: www.weldgov.com ::
My working hours are Monday-Thursday 7:00 a.m.-4:00 p.m., Friday 7:00 a.m.-Noon

From: Steve Moreno
Sent: Wednesday, June 5, 2019 10:20 AM
To: Mike Freeman
Cc: Barbara Kirkmeyer; Karla Ford; Commissioners
Subject: Re: PA FOR ROUTING: FY2019-20 County Grant Application

Approve

Sent from my iPhone

On Jun 5, 2019, at 10:14 AM, Mike Freeman <mfreeman@weldgov.com> wrote:

Approve

Sent from my iPhone

On Jun 5, 2019, at 10:03 AM, Barbara Kirkmeyer <bkirkmeyer@weldgov.com> wrote:

Approve

Sent from my iPhone

On Jun 5, 2019, at 7:33 AM, Karla Ford <kford@weldgov.com> wrote:

This is for Wednesday's Agenda. Please let me know if you approve recommendation. Thank you!

Karla Ford

From: Mike Freeman
Sent: Wednesday, June 5, 2019 10:14 AM
To: Barbara Kirkmeyer
Cc: Karla Ford; Commissioners
Subject: Re: PA FOR ROUTING: FY2019-20 County Grant Application

Approve

Sent from my iPhone

On Jun 5, 2019, at 10:03 AM, Barbara Kirkmeyer <bkirkmeyer@weldgov.com> wrote:

Approve

Sent from my iPhone

On Jun 5, 2019, at 7:33 AM, Karla Ford <kford@weldgov.com> wrote:

This is for Wednesday's Agenda. Please let me know if you approve recommendation. Thank you!

Karla Ford

From: Tobi Cullins
Sent: Tuesday, June 4, 2019 4:18 PM
To: Karla Ford <kford@weldgov.com>
Cc: Ryan Rose <rrose@weldgov.com>; Lora Lawrence <llawrence@weldgov.com>; Jessica Raymond <jraymond@weldgov.com>; Stephanie Frederick <sfrederick@weldgov.com>; Esther Gesick <egesick@weldgov.com>; Barb Connolly <bconnolly@weldgov.com>; Bruce Barker <bbarker@weldgov.com>; Esther Gesick <egesick@weldgov.com>; HS Contract Management <HS-ContractManagement@co.weld.co.us>; Jamie Ulrich <ulrichjj@weldgov.com>; Judy Griego <griegoja@weldgov.com>; Lennie Bottorff <bottorll@weldgov.com>
Subject: PA FOR ROUTING: FY2019-20 County Grant Application

Good afternoon, Karla.

June 4, 2019

DEPARTMENT OF HUMAN SERVICES
P.O. BOX A
GREELEY, CO. 80632
Website: www.weldgov.com
Administration and Public Assistance (970) 352-1551
Child Support (970) 352-6933

Colorado Department of Health Care Policy and Financing
1570 Grant Street
Denver, CO 80203

Dear Sir/Madam:

The Weld County Department of Human Services (WCDHS) is pleased to provide a letter of support for the submission of the grant proposal entitled Weld County IT Risk Assessment. The project scope includes a risk assessment to be performed regarding our Information Systems which would ensure security control requirements continue to be met.

The proposal aligns with the Preferred Project list set forth by the Department of Health Care Policy and Financing's strategic goals. Specifically, the Weld County IT Risk Assessment is part of the preferred projects category Cybersecurity and Compliance with the Colorado Information Security Policies (CISP).

We are fully committed to protecting the personal information of DHS clientele.
The grant award supporting this initiative will allow DHS to ensure we are addressing all avenues of security control and protection.

Sincerely,

Judy A. Griego, Director

Cc: Jamie Ulrich, Deputy Director
Lora Lawrence, Organizational Integrity Division Head
Contract Management

COLORADO
Department of Health Care Policy & Financing

Grant Application
Fiscal Year 2019-20 County Grant Program

Release Date: Monday, May 20, 2019

Instructions: Complete the Competitive Grant Application for all proposed projects except for Targeted Grants. Information on Targeted Grants will be released at a later date.

Due Date: Close of business, Friday, June 14, 2019 to HCPFCountyRelations@state.co.us.

Table of Contents:

Part I — Grant Proposal Program Manager
Part II — Proposed Project and Pillars of Strategic Direction Alignment
Part III — Data and Metrics
Part IV — Project Work Plan
Part V — Project Budget
Part VI — Tracking and Documentation
Part VII - Sustainability
Appendix A — Pillars of Strategic Direction Alignment
Appendix B — County Grant Program Application Process
Appendix C — County Grant Program Scoring Process and Interview
Appendix D — County Grant Program Conditions of Funding

Our mission is to improve health care access and outcomes for the people we serve while demonstrating sound stewardship of financial resources.
www.colorado.gov/hcpf
FY 2019-20 County Grant Program Competitive Application

Part I
Grant Proposal Program Manager

Weld County DHS
Grant Proposal Program Manager
Name: Susan Bjorland
Phone: 970-400-6506
Email: sbjorland@weldgov.com

Part II — Proposed Project Alignment with Department Pillars of Strategic Direction

Project Name
Please provide a Project Name to identify your proposed project

Weld County IT Risk Assessment

Project Overview
Please provide a brief description of the proposed project

A risk assessment to be performed regarding our Information Systems to ensure security control requirements are being met.

Department Pillars of Strategic Direction
The proposed project can support the Department's Pillars of Strategic Direction or Preferred Projects. Select the Pillar or Preferred Project that aligns with the proposed project. Explain how the proposed project supports the selected Pillar or Preferred Project.
Maximum Score = 3 Points

Department Pillars of Strategic Direction
[ ] Affordable Healthcare for all Coloradans — Reducing the cost of health care in Colorado
[ ] Medicaid Cost Control — Ensuring the right services for the right people at the right price for public health care programs
[ ] Member Health — Improving the delivery of programs or health outcomes for members
[ ] Customer Service — Improving service to our members, providers and partners
[ ] Operational Excellence — Creating compliant, efficient and effective business practices that are person- and family-centered

Preferred Projects
[X] Cybersecurity and Compliance with the Colorado Information Security Policies (CISP)
[ ] Quality Assurance and Reducing Medicaid Errors

This project will help ensure state-owned data is transmitted through secure Weld County systems by conducting a third-party risk assessment, as noted in the State of Colorado's Office of Information Security's CISP-013 policy as well as the NIST SP 800-53 Rev. 4 framework regarding ensuring risk assessments are performed on Information Systems.

Project Description
Provide a high-level description of the proposed project including: implementation timelines; responsible individuals; data and metrics utilized to implement and/or measure outcomes; and, other important details about the proposed project.

This engagement is intended to help Weld County Government's Department of Human Services define their current cybersecurity risk posture, develop a vision of the desired target state, and establish a maturity roadmap to the future state of operations. This service will leverage established industry maturity benchmarks, identify strengths and weaknesses, and develop recommendations that effectively mitigate risk by closing gaps and prioritizing areas for improvement.
The assessment will be conducted as a cooperative effort between the third-party risk assessment provider, Weld County's Department of Human Services, and Weld County's Department of Information Technology. The assessment will be performed during the fourth quarter of 2019. The report provided by the third-party risk assessment provider will serve as the baseline of what the security posture is, as well as a best-practices target state along with a prioritized roadmap to reach the desired target state. Desired target state timelines will vary depending upon the findings of the assessment.

Deliverables for the engagement include:

Security and Risk Gap Analysis and Remediation Plan including:
   a. Executive Report
   b. Gap analysis covering defined enterprise risk framework
   c. Detection and response program analysis and baseline
   d. Security Solution Portfolio Strategy
   e. Prioritized remediation plan

Part III — Data & Metrics

Data and Metrics: Current and Future State
Describe the data and metrics that will be tracked to identify the project's success in both the current and future state of affairs.
Maximum Score = 3 Points

Project Scope, Activities and Tasks
This section covers the project plan phases and activities for service delivery.

Activity 1 — Project Initiation and Mobilization

The purpose of this activity is to finalize the project team members; develop a common understanding of project goals, roles, and responsibilities; and validate client readiness to engage the services by confirming the appropriate objectives, timelines, and information is documented.

The third-party risk assessment provider will:
1. Prepare and distribute any data collection questionnaires
2. Facilitate a project kickoff meeting on a mutually agreed date and time to:
   a. Initiate the project;
   b. Communicate and share project objectives with key stakeholders;
   c. Review and communicate client requirements and project goals; and
   d. Review and finalize schedule and agenda of meetings and workshop sessions.

Completion Criteria: This activity is complete when the project kickoff meeting has been conducted and any initial data collection material has been distributed.

Deliverable Materials: None

Activity 2 — Security and Risk Workshop

During this activity, the third-party risk assessment provider will conduct a workshop to identify and prioritize security risks across the high-level cybersecurity operations functional areas and mapped to best practices enterprise risk management frameworks.

The third-party risk assessment provider will:
1. Review and assess strengths, weaknesses, opportunities and threats across the enterprise risk landscape regarding identify, protect, detect, respond, and recover;
2. Review and assess the gaps and opportunities relative to business and technical requirements across functional program areas;
3. Prioritize gaps and areas of improvements on business and technical requirements and risks;
4. Develop a draft target state milestone for security operations with prioritized remediation efforts aligned to identified gaps;
5. Review and define core risk categories and corresponding operations functional areas and services with integration and workflow requirements; and
6. Summarize findings and recommendations.

Completion Criteria: This activity will be complete when Trustwave has completed the Security and Risk Workshop and summarized the findings and recommendations.

Deliverable Materials: The findings and recommendations will be included in the Security and Risk Gap Analysis and Remediation Plan.

Activity 3 — Analysis and Report Delivery

The purpose of this activity is to aggregate facts reviewed in data gathering, workshop, and draft presentation to finalize a report to facilitate the client's capability maturation.

Within this activity, the third-party risk assessment provider will:
1. Review and assess the gaps and opportunities per requirements across functional program areas;
2. Evaluate strategy and transformation options relative to client business and technical requirements, and risks;
3. Prepare the report, summarizing key findings to support the assessment;
4. Review the report with the client point of contact; and
5. Deliver the final report and hand off ownership to the client designated point of contact.

Completion Criteria: This activity is complete when the third-party risk assessment provider completes the Security and Risk Gap Analysis and Remediation Plan and reviews it with the client.

Deliverable material: Security and Risk Gap Analysis and Remediation Plan

Data and Metrics: Measuring and Tracking Goals and Objectives
Describe the intended plan for measuring and tracking goals and objectives of the project, identifying the individual(s) responsible for each activity.

Data and/or Metric: Activity 1 (described above)
Responsible Individual: The third-party risk assessment provider, Weld County Department of Human Services, Weld County Department of Information Technology

Data and/or Metric: Activity 2 (described above)
Responsible Individual: The third-party risk assessment provider, Weld County Department of Human Services, Weld County Department of Information Technology

Data and/or Metric: Activity 3 (described above)
Responsible Individual: The third-party risk assessment provider, Weld County Department of Human Services, Weld County Department of Information Technology

Data and/or Metric: Actions to bring the Weld County Department of Human Services to the desired target state
Responsible Individual: Weld County Department of Human Services, Weld County Department of Information Technology

Part IV — Project Work Plan

Provide a work plan that lists the major task/activities and due dates to be performed to accomplish the project's goal(s) by completing the table below. Provide a work plan in the following table and expand as needed.

Major task or activity: Establish a contract for services with the third-party risk assessment provider
Completion date: 9/1/2019
Deliverable: Signed statement of work

Major task or activity: Complete Activity 1 (described above)
Completion date: 9/15/2019
Deliverable: Finalize the project team members; develop a common understanding of project goals, roles, and responsibilities; and validate client readiness to engage the services by confirming the appropriate objectives, timelines, and information is documented.

Major task or activity: Complete Activity 2 (described above)
Completion date: 10/15/2019
Deliverable: Conduct a workshop to identify and prioritize security risks across the high-level cybersecurity operations functional areas and mapped to best practices enterprise risk management frameworks.

Major task or activity: Complete Activity 3 (described above)
Completion date: 11/15/2019
Deliverable: Aggregate facts reviewed in data gathering, workshop, and draft presentation to finalize a report to facilitate the client's capability maturation.

Major task or activity: Complete Actions to bring Weld County to the desired target state
Completion date: Depends upon the findings of the assessment, but within a reasonable timeframe from the assessment results.
Deliverable: Complete actions as identified in the roadmap to reach the desired target state.

Part V — Project Budget

Cost Allocation: Inclusion of other social services programs

Please select which social services programs the proposed project would impact (select all that apply):
- Medical Assistance (including Health First Colorado, Old Age Pension — Medical and Child Health Plan Plus)
- Supplemental Nutrition Assistance Program (SNAP)
- Temporary Assistance for Needy Families (TANF)
- Old Age Pension (OAP) - Cash
- Aid for the Needy and Disabled (AND)/Aid to the Blind (AB)

As a reminder, proposed projects that are not Medical Assistance-only require cost allocation at a set percentage as determined by Random Moment Sampling (RMS) and approved by the Centers for Medicare and Medicaid Services (CMS). The county will be responsible for the portion of the cost allocation not paid for by the Department of Health Care Policy and Financing.

In the section below, please address how the county will ensure the project impacts or involves the administration of Medical Assistance or the services provided for Medical Assistance members. See Appendix D, Conditions of Funding, for Budget and Audits and Sanctions clauses. This section is only applicable if the application is requesting that no cost allocation be applied.
Please note that in some instances, 100% time reporting may allow for a greater cost allocation than the methodology described above.

To determine which social services programs are impacted by the proposed project, the Department of Human Services (DHS) analyzed guidelines pertaining to and including CJIS, HIPAA, and PCI compliance mandates protecting sensitive and personal identifiable information (PII). It was determined that DHS staff who are exposed to mandates and personal identifiable information (PII), and the DHS Divisions and programs which they represent, should be included in the proposal. As such, the Weld County IT Risk Assessment will include the following programs: Medical Assistance, Supplemental Nutrition Assistance Program (SNAP), Temporary Assistance for Needy Families (TANF), Old Age Pension (OAP), and Aid for the Needy and Disabled (AND)/Aid to the Blind (AB).

Identifying potential cybersecurity vulnerabilities and complying with CMS, HIPAA, and PCI compliance mandates are crucial. DHS takes the confidentiality of client information with the utmost seriousness. It is an implied trust between client, agency (DHS), and the agency's staff. It is imperative that DHS continues to monitor, uphold, and improve its policies and procedures regarding PII. To that end, the Weld County IT Risk Assessment provides data crucial to continuous improvement in protection of sensitive and personal identifiable information. The process is enhanced by using a third-party vendor, who can conduct an entirely non-biased assessment inclusive of findings and suggestions for improvement.
It is anticipated that the risk assessment will identify any weaknesses in security practices so that DHS can address, correct, and improve any such identified concerns. It will allow DHS to minimize the moral and financial ramifications of any potential security lapses leading to identity theft, fraud, etc. The risk assessment will allow DHS to verify its processes and procedures in place and to update, as warranted. Further, conducting the risk assessment will allow DHS to evaluate, incorporate, and expand training and certification opportunities as related to PII.

Feasibility and Reasonableness of the Budget
Provide a narrative that explains how the budget categories and amounts were determined.
• Provide supplemental documentation as noted in Appendix D, County Grant Program Conditions of Funding
• Describe any intended inclusion of county resources dedicated to the project, identifying these resources as county-provided.
Maximum Score = 3 Points

There is a flat fee for the Security and Risk Assessment to be performed by the third-party risk assessment provider. This fee includes all deliverables as detailed above.

Itemized Budget
• Provide a budget that includes a detailed itemization of project costs including personnel and other items directly associated with the implementation of the project.
• The total budgeted amount should equal the total amount paid for Deliverables on the Project Work Plan.
• Year-End Report Out travel costs for travel to the Department's office in Denver, CO should be included in the Itemized Budget. See Appendix D, County Grant Program Conditions of Funding, for more information.

Provide a budget in the following table and expand as needed.

Item / brief description: Security and Risk Assessment
Rate and unit of measure: Cost per assessment
Quantity: 1 assessment
Total for project: $50,000.00

PROJECT BUDGET TOTAL: $50,000.00

Part VI — Tracking and Documentation

Expenditures associated with awarded grant funds must be tracked and accounted for separately from other county administrative expenditures. Please describe the methodology you will utilize to track these expenditures. This should include funds spent, allocation and time tracking of staff, and documentation kept.

The services provided by the third-party risk assessment provider are done so via a one-time fee. Time tracking will be done by the individuals assigned to this project for the purposes of determining soft costs but will not impact the budget allocated to this project.

Part VII - Sustainability

County Grant Program expenditures must be spent in the fiscal year for which they were awarded. This funding is intended for one-year innovation projects. Funding will not be extended to the same project in following years. Based on the data and metrics described in "Part III — Data & Metrics," please answer these questions:
• How will the county determine if the project was a success?
• If the project is a success, how will the project be sustained without funding from the County Grant Program?
• What steps is the county taking in the project design and implementation to ensure the project is sustainable after grant funding is exhausted?
Maximum Score = 3 Points

The project will be considered a success when the desired target state identified in the assessment has been reached.
Since security posture is a snapshot in time, this project will by nature reach a point where a re-assessment will be in the County's best interest. This type of assessment can be planned as a regular budgetary item for the County moving forward.

Appendix A: Department Pillars of Strategic Direction Alignment

The State Measurement for Accountable, Responsive, and Transparent (SMART) Government Act (Colorado House Bill 10-1119) established a performance-based budgeting system for Colorado. Section 2-7-201, et seq., C.R.S., requires departments to create performance plans outlining their goals, and describe how those goals will be evaluated through performance measures. The Department's Performance Plan describes its mission, vision and goals, and provides annual performance measures and strategies for achieving its goals. The Department's Pillars of Strategic Direction are as follows:
• Health Care Affordability for Coloradans — Reducing the cost of health care in Colorado
• Medicaid Cost Control — Ensuring the right services for the right people at the right price for public health care programs
• Member Health — Improving the delivery of programs or health outcomes for members
• Customer Service — Improving service to our members, providers and partners
• Operational Excellence — Creating compliant, efficient and effective business practices that are person- and family-centered

To qualify for funding under the County Grant Program, the proposed project must align with at least one of the five Department Pillars of Strategic Direction from the Department Performance Plan, unless the county chooses a project from the Preferred Projects List.
Appendix B: County Grant Program Application Process

Grant applications will be released on Monday, May 20, 2019 and will be due to the Department no later than close of business Friday, June 14, 2019. Grant applications and any supporting documentation must be submitted to HCPFCountyRelations@state.co.us. Proposed projects will be scored and Grant Program Manager interviews conducted in June 2019. The Department will issue FY 2019-20 Award Letters to approved proposed projects by early July 2019. Projects can begin once the grantee returns the signed Award Letter to the Department.

Appendix C: County Grant Program Scoring Process and Interview

To determine which proposed projects will be funded, Department staff will review grant applications prior to conducting an interview with the Grant Program Manager. Each proposal is scored based on the application and interview.

Point Scale

Scores are determined on a three (3) point scale:
1 point — The proposed project did not address the application section and/or interview questions or comments satisfactorily; insufficient information was provided to make an adequate determination.
2 points — The proposed project addressed the application section and/or interview questions or comments satisfactorily; sufficient information was provided to make an adequate determination.
3 points — The proposed project addressed the application section and/or interview questions or comments to an exceptional level of detail to make an adequate determination.

Application Sections Score

The following sections of the application are worth a maximum of three (3) points each:
1. Part II, Department Pillars of Strategic Direction Alignment — Description of how proposed project aligns with the Department's Pillars of Strategic Direction as described in Part II or Appendix A.
2. Part III, Data and Metrics — Description of how the data and metrics that will be tracked and current and future state of the project
3. Part V, Feasibility and Reasonableness of Budget — Description of how the budget amounts were determined and a review of supplemental documentation provided
4. Part VII, Sustainability — Description of sustainability if the project is determined to be a success

The sections will be scored based on the ability of the applicant to articulate clear, concise ideas and any supplemental documentation that is provided with the application.

Interview Score

Interviews will be scored based on the ability of the applicant to: provide an overview of the project; clear, concise answers to any outstanding questions; and, the ability of the applicant to accept feedback and adjust the proposed project, if needed.

Preferred Projects List Score

The selection of a project from the Preferred Projects List will automatically grant the applicant an additional three (3) points towards the total score. Only projects selected from the Preferred Projects List will be granted the additional three (3) points; applicants cannot select both Department Pillars of Strategic Direction and Preferred Projects.

Total Score

The proposed project's total score is based on the table below; proposed projects with the highest scores will be funded first until all Grant Program funding is exhausted.
| Section Scored | Maximum Points |
| --- | --- |
| Part II — Department Pillars of Strategic Direction Alignment | 3 |
| Part III — Data and Metrics | 3 |
| Part V — Project Budget | 3 |
| Part VII — Sustainability | 3 |
| Applicant Interview | 3 |
| Maximum Score | 15 |
| If Preferred Project is selected, additional score earned (Maximum Score with Preferred Project) | 3 (18) |

Appendix D: County Grant Program Conditions of Funding

Acceptance of Conditions of Funding

By completing and submitting the FY 2019-20 County Grant Program Application, the applicant is agreeing, if the proposed project is approved, to abide by the County Grant Program Conditions of Funding and Department finance rules as stated in 10 CCR 2505-5. County Grant Program Conditions of Funding can be found in Appendix D.

The applicant's proposed project may come with additional Conditions of Funding. Any additional conditions will be listed on the applicant's Award Letter. All Conditions of Funding must be met to be eligible for funding through the County Grant Program. Failure to comply with the Conditions of Funding may result in disallowances, per Appendix D, Subrecipient Monitoring, Audits and Sanctions.

Attached to the grantee's Award Letter is an intergovernmental grant agreement that is signed by the Department's Executive Director. The intergovernmental grant agreement codifies the County Grant Program's Conditions of Funding with the grantee. The expenditure of any grant funding after issuance of the intergovernmental grant agreement indicates that the grantee agrees to abide by all applicable rules, regulations, requirements and conditions. The intergovernmental grant agreement is unilateral and does not require signature from the grantee.
Program Conditions of Funding

The applicant's proposed project must be replicable statewide or regionally, if the project is deemed a success. Projects that are not replicable statewide or regionally are not eligible for funding.

Grant projects funded through the County Grant Program can be completed after the end of the fiscal year; however, grant funding must be expended no later than June 30, 2020, unless otherwise communicated to the Department. Project deliverables are due to the Department no later than July 15, 2020.

Grantees are required to participate in Quarterly Check-Ins, which will include a minimum of one Site Visit and one Year-End Report Out. Failure to comply with the Quarterly Check-Ins, Site Visit(s) and/or Year-End Report Out may result in disallowances per Appendix D, Subrecipient Monitoring, Audits and Disallowances.

To fulfill the requirements of the Quarterly Check-In(s) and/or Site Visit(s), the grantee must submit, no later than the following deadlines, proposed dates for the calendar quarter in which the Quarterly Check-In(s) and/or Site Visit(s) will occur.
| FY 2019-20 Quarter | Deadline to Submit Proposed Dates | Proposed Quarterly Check-In/Site Visit Dates |
| --- | --- | --- |
| Quarter 1: July 1 - September 30 | July 19, 2019 | September 1 - 30, 2019 |
| Quarter 2: October 1 - December 31 | October 11, 2019 | November 15 - December 15, 2019 |
| Quarter 3: January 1 - March 31 | January 17, 2019 | March 1 - March 30, 2020 |
| Quarter 4: April 1 - June 30 | Year-End Report Out in June 2020 will count for Q4 Check-In | |

For the Year-End Report Out requirement, grantees should include travel costs for the Grant Program Manager and one (1) additional staff, if necessary, to travel to and stay in Denver, CO for formal presentations on the proposed project in June 2020. Please note that State fiscal travel rules must be followed in funding requests for travel for the Year-End Report Out.

A Final Deliverable must be submitted to the Department no later than close of business July 15, 2020. The Final Deliverable can vary based on the proposed project but must include a final itemized budget with actual costs and any outcomes template the Department may provide.

Budget Conditions of Funding

Grant funds will only be used as specified in the approved grant proposal. No other expenditures other than those directly tied to the proposed project are allowed. Indirect costs are not allowable expenses in the Itemized Budget and will be denied.

Grant Program funds are intended to fulfill one-time funding requests, and the Department may deny any request for a continuation of a project from the previous fiscal year or additional funding for an ongoing project.

Reimbursement of expenditures related to this grant must occur through the County Financial Management System (CFMS). All expenses are to be entered using the following CFMS account codes to request reimbursement. The Department will report the correct CFMS account code in the Award Letter.
All expenditures associated with the approved grant proposal must occur on or before June 30, 2020; expenditures should be entered in CFMS no later than July 5, 2020. Expenses submitted after this date will not be reimbursed.

Proposed projects can be based on estimates of costs. Actual costs may require budget flexibility in the Itemized Budget. Funds may be moved from one line-item to another in these instances but require an updated Itemized Budget be submitted no later than June 30, 2020. However, any changes to the Itemized Budget may not exceed the original request for funding that was approved. In addition, funds may only move from one previously-approved line-item to another; after the approval of the proposed project, new line-items in the Itemized Budget are not allowed.

Expenditures above the proposed project's budget will not be allowed. Any expenditures above the approved project's budget must be paid for with county-only funds.

Funding requests exceeding the fiscal year's average application funding request amount may be required to provide additional information and/or supplemental documentation during the application scoring process and/or interview. Those applicants impacted by this requirement may be notified prior to the scoring process and/or interview.

For proposed projects that involve external vendors, partners, or agencies where the applicant will serve as a pass-through entity for County Grant Program funds, the applicant should provide quotes, letters of support, or other supporting documentation that supports the budget request and/or partnership with the submitted application.
For proposed projects that impact other public assistance programs managed by the Colorado Department of Human Services or county-only programs, cost allocation methodology, approved by the Centers for Medicare and Medicaid Services (CMS), is applied. This cost allocation methodology is dependent on the proposed project and how it impacts other public assistance programs. The Department will provide the correct cost allocation methodology when a proposed project is approved. In addition, 100% time reporting may allow for a greater cost allocation than the cost allocation methodology described above, if the grantee selects this option.

For approved projects where the true cost to Medical Assistance is unknown or ambiguous, the staff supporting the proposed project may be required to complete 100% time reporting to support expenses associated with the project. Applicants will be notified of this requirement in the Award Letter.

Subrecipient Monitoring, Audits and Sanctions

The grantee shall ensure that it complies with all applicable federal rules and regulations, found at 2 CFR Part 200, the Uniform Guidance, regarding the monitoring of subrecipients. In addition, the grantee is required to comply with guidance issued by the Office of State Controller regarding the monitoring of subrecipients. The OSC's OMB Subrecipient Guide is available to assist the grantee in meeting OSC requirements for monitoring of subrecipients. Additional guidance regarding 2 CFR Part 200 is available on the OSC's OMB Guidance website.

Prior to the expenditure of any approved grant funding, the grantee will be required to complete the Office of State Controller's Subrecipient v. Contractor Determination Tool.
The Department may disallow any grant expenditures that were coded to CFMS prior to the completion of the Subrecipient v. Contractor Determination Tool.

Records are required documenting all expenses and accounting for the uses of all grant funds and must be provided at request and without delay. All tasks and expenditures associated with the proposed project are subject, at any time and without prior notification to the grantee, to audit by Department staff and/or an external auditor, per 10 C.C.R. 1.010.8.C, Audits by the Colorado Department of Health Care Policy and Financing.

Failure to comply with any oversight requirements as listed in Appendix D, Conditions of Funding, are subject to County Administrative Rules as stated in 10 C.C.R. 1.020. If the grantee fails to comply with 10 C.C.R. 1.010.8.C, 10 C.C.R. 1.020, or any requirement listed in Appendix D, County Grant Program Conditions of Funding or the Award Letter, the Department may, at its discretion, and only after the remedies described in 10 C.C.R. 1.020 are exhausted, subject the grantee to disallowance per 10 C.C.R. 1.020.2, Sanctions. The Department's decisions based on requirements in Appendix D, Audits and Sanctions, are final and not subject to appeal.

For federal reporting purposes, the grantee should utilize the Medicaid CFDA # (93.778) and the Child Health Plan Plus (CHP+) CFDA # (93.767) if the grantee's project included a scope of work that impacted both Medicaid and CHP+.

Interview Slot / Friday, June 21 / Monday, June 24 / Tuesday, June 25 / Thursday, June 27
10:10am
10:30am
10:50am
11:10am
11:30am
11:50am
1:10pm
1:30pm
1:50pm Weld County J. Raymond
2:10pm Weld County - J. Raymond
2:30pm
2:50pm Weld County - J. Raymond

Trustwave Security and Risk Workshop
Statement of Work
Developed for: Weld County
30 May 2019
Prepared By: Ray Godsey, rgodsey@trustwave.com, +1.303.619.0988
Copyright © 2019 Trustwave Holdings, Inc. All rights reserved.

Table of Contents
1 Executive Summary
1.1 Introduction
1.2 Our Understanding of your business objectives
2 Service Description
2.1 Service Coordination
3 Project Scope, Activities and Tasks
3.1 Activity 1 — Project Initiation and Mobilization
3.2 Activity 2 — Security and Risk Workshop
3.3 Activity 3 — Analysis and Report Delivery
4 Pricing
5 Dependencies and Assumptions
6 Contact Information
7 Signatures

1 Executive Summary

1.1 Introduction

CLIENT is seeking assessment and remediation options that will address gaps and risk management across their security operations capabilities. The risk landscape is constantly shifting and enabling CLIENT's people, processes, and technology is a critical step to support a long-term plan to evolve the prevention, detection, and response capabilities of the organization. Planning, building, and running a holistic and scalable security operations function, that provides clear value to the business, can be a complex path for most organizations.

This initial engagement will enable Trustwave to first develop an understanding of your specific needs and operating environment and render a recommended security operations solution and framework. Our recommendation will assume that, when feasible, existing tools and operational capabilities will be used to address prioritized gaps. The approach is designed to enable our clients to continuously improve their security operations and governance processes that are both cost effective and aligned to defined business objectives. Our agile approach enables your organization to realize the most benefit from your continued security investments.
The activities, tasks, and deliverables organized in this sprint approach will ensure we have joint success establishing quick wins while providing options for future project sprints through the SOC roadmap.

1.2 Our Understanding of your business objectives

The objective of this sprint is to partner with CLIENT in building out a strategic risk assessment and remediation plan using industry best practice frameworks for controls and risks to communicate gaps across people, process, and technology. The plan will identify and prioritize short term and future state projects and focus areas that are aligned to CLIENT-specific requirements, environment, and objectives. The sprint's objective will be met by:
• Identifying and defining current, target, and future state analysis organized per NIST CSF.
• Conducting domain specific workshops to support findings and remediation paths.
• Aligning of the cyber program model to best practices and established standards and frameworks to enable the optimization of people, processes and technology.

2 Service Description

The Security and Risk Workshop intends to help clients define their cybersecurity risk posture, develop a vision of the desired target state, and establish a maturity roadmap to the client's future state operations program. This service will leverage established industry maturity benchmarks, identify strengths and weaknesses, and develop recommendations that effectively mitigate risk by closing gaps and prioritizing areas for improvement. The final report will synthesize the information gathered during the workshop and related interviews with effective cybersecurity risk management practices and techniques to define a best-practices target state, and a prioritized roadmap.

The deliverable for this engagement is:
1. Security and Risk Gap Analysis and Remediation Plan
   a. Executive Report
   b. Gap Analysis covering defined enterprise risk framework
   c. Detection & response program analysis and baseline
   d. Security Solution Portfolio Strategy
   e. Prioritized remediation plan

Deliverable acceptance: Client may request one revision within seven business days of deliverable submission. If a response is not provided within 10 business days, the deliverable is considered final and accepted.

2.1 Service Coordination

To facilitate delivery of the Services described in this SOW, both Trustwave and CLIENT will provide a designated Point of Contact (PoC) to perform the following:

Trustwave designated PoC will:
• Review the SOW and any associated documents with Client designated PoC;
• Work with Client designated PoC to establish project governance and maintain communication;
• Complete and return any Client questionnaires or checklists as applicable;
• Serve as conduit between Trustwave project team and all Client personnel participating in Services;
• Obtain and provide applicable information, data, consents, decisions and approvals as required by Trustwave to perform the Services in timelines described in the Service;
• Deliver all Trustwave deliverables noted in this SOW;

Client designated PoC will:
• Review the SOW, and any associated documents, with Trustwave designated PoC;
• Establish and maintain communication with Trustwave assigned resources;
• Facilitate delivery of Client data collection for delivery to Trustwave designated PoC.

3 Project Scope, Activities and Tasks

This section covers the project plan phases and activities for service delivery.

3.1 Activity 1 - Project Initiation and Mobilization

The purpose of this activity is to finalize the project team members; develop a common understanding of project goals, roles, and responsibilities; and validate client readiness to engage the services by confirming the appropriate objectives, timelines, and information is documented.

Trustwave will:
1. Prepare and distribute any data collection questionnaires;
2. Facilitate a project kickoff meeting on a mutually agreed date and time to:
   a. Initiate the project;
   b. Communicate and share project objectives with key stakeholders;
   c. Review and communicate Client requirements and project goals; and
   d. Review and finalize schedule and agenda of meetings and workshop sessions.

Completion Criteria: This activity is complete when the project kickoff meeting has been conducted and any initial data collection material has been distributed.

Deliverable Materials: None

3.2 Activity 2 - Security and Risk Workshop

During this activity, Trustwave will conduct a workshop to identify and prioritize security risks across the high-level cybersecurity operations functional areas and mapped to best practices enterprise risk management frameworks.

Trustwave will:
1. Review and assess strengths, weaknesses, opportunities and threats across the enterprise risk landscape regarding identify, protect, detect, respond, and recover;
2. Review and assess the gaps and opportunities relative to business and technical requirements across functional program areas;
3. Prioritize gaps and areas of improvements on business and technical requirements and risks;
4. Develop a draft target state milestone for security operations with prioritized remediation efforts aligned to identified gaps;
5. Review and define core risk categories and corresponding operations functional areas and services with integration and workflow requirements; and
6. Summarize findings and recommendations.

Completion Criteria: This activity will be complete when Trustwave has completed the Security and Risk Workshop and summarized the findings and recommendations.

Deliverable Materials: The findings and recommendations will be included in the Security and Risk Gap Analysis and Remediation Plan.
3.3 Activity 3 - Analysis and Report Delivery

The purpose of this activity is to aggregate facts reviewed in data gathering, workshop, and draft presentation to finalize a report to facilitate the client's capability maturation.

Within this activity, Trustwave will:
1. Review and assess the gaps and opportunities per requirements across functional program areas;
2. Evaluate strategy and transformation options relative to client business and technical requirements, and risks;
3. Prepare the report, summarizing key findings to support the assessment;
4. Review the report with the client point of contact; and
5. Deliver the final report and hand off ownership to the client designated point of contact.

Completion Criteria: This activity is complete when Trustwave completes the Security and Risk Gap Analysis and Remediation Plan and reviews it with the client.

Deliverable material: Security and Risk Gap Analysis and Remediation Plan

4 Pricing

| Trustwave Service | Cost |
| --- | --- |
| Security and Risk Workshop | $50,000.00 |
| Total | $50,000.00 |

• Trustwave will invoice Client, and Client shall pay up front.
• Travel and expenses are not included in the fees and will be billed separately. Trustwave will use commercially reasonable efforts to travel as efficiently and cost effectively as possible given timing and travel requirements. Valid expenses typically include parking, meals, lodging, photocopying, communication costs, airfare, mileage and automobile rental. All invoices submitted by Trustwave are due and payable within thirty (30) days of the date of the invoice. If Client fails to pay an invoice within the thirty (30) days, Client shall pay interest on such invoices at the rate of 1.5% per month. All fees are quoted and payable in EURO and exclusive of taxes. Trustwave reserves the right to disable Client's services for non-payment.
• Proposals are valid for up to thirty (30) days from the date on the cover page.
• Annualized services must be used each year during the term and cannot be used and/or credited in subsequent years.
• Time and materials services must be used during the term and cannot be used and/or credited in subsequent terms. Trustwave shall invoice Client on a monthly basis for actual hours consumed within the prior month. Trustwave will invoice Client for any unused hours at the end of the term and Client shall pay such invoice within thirty (30) days of the date of the invoice. If applicable, Client shall pay all shipping, handling, and related charges, including and without limitation taxes and customs charges.

5 Dependencies and Assumptions

This agreement was developed based on the following dependencies and assumptions, which if not accurate or adhered to, may require a change in the scope of services. Any change in services and fees will be mutually agreed to in writing by both parties. The dependencies and assumptions include:

Trustwave shall not begin to provide the Services as described herein until Client has returned this signed agreement and a Purchase Order (PO) for the total amount of the services selected (full contract amount). All terms and conditions included in a PO or submitted with a PO shall be null and void for all purposes.

Client's primary point-of-contact (POC) as identified above, or a designee, must be available to Trustwave during the entire engagement. The representative must have sufficient authority to schedule testing and address any issues that may arise.

Client shall obtain all consents and authorizations from any third parties necessary for Trustwave to perform the Services, including without limitation, third party datacenters, co-locations and hosts. For the avoidance of doubt, Trustwave will not be required to execute agreements with any such third parties.

{SIGNATURE PAGE FOLLOWS}
6 Contact Information

Client's Primary Contact
Name:
Title:
Address:
T:
M:
E:

Client's Billing Contact
Name:
Title:
Address:
T:
M:
E:

Client's Legal Contact
Name:
Title:
Address:
T:
M:
E:

7 Signatures

IN WITNESS WHEREOF, the parties below have executed this Agreement as of the date indicated below.

Trustwave: As a duly elected officer authorized to enter into agreements and contracts on behalf of Trustwave, I hereby provide and accept this Agreement.
Signature:
Print Name:
Title:
Effective Date:

CLIENT: As a duly authorized representative with the authority to enter into agreements and contracts on behalf of Client, I hereby accept this Agreement for the designated services.
Signature:
Print Name:
Title:
Date: