CITY OF MADISON

INFORMATION TECHNOLOGY

NETWORK CONNECTION POLICY

1. PURPOSE.

The purpose of this Policy is to ensure that a secure method of network connectivity is provided between the City of Madison (“City”) and ____________________, an external organization, entity or individual that provides software support, software maintenance, network services, and/or system development services to the City (“Contractor”), and to provide guidelines for the use of network and computing resources associated with Contractor’s Network Connection as defined below.

2. DEFINITIONS.

"Confidential information" means protected health information subject to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended from time to time (“HIPAA”), any records related to juveniles, information gathered by police in ongoing investigations, network security information, the collection of any of the following in connection with a person or business’s name: dates of birth, social security number, driver’s license or state identification number, financial or credit/debit card account numbers, payroll information, tax forms, trade secrets, security/access codes, PINs or passwords, or any other sensitive information/records that could be used for identity theft or any other form of fraud, and any other information where the City’s record custodian declares the private reputational interest outweighs the public interest in release.

“City Network” means the collection of computers and other hardware and software interconnected by communication devices that allows for the sharing of resources and information by City of Madison employees.

"Network Connection" means a connection between the City Network and the network of the Contractor. Under these policies, only the connectivity methods listed below shall be used to establish a Network Connection, unless another method is approved by the City as described below:

A. Leased line (e.g. T1 or DSL) – Leased lines for Contractors will be terminated on the Contractor’s network.

B. Virtual Private Network (VPN) – Must use a City-approved VPN client and authentication method as specified in Section 9.

C. WebEx or Go-To-Assist service – The City approves WebEx or Go-To-Assist services. Any other similar service requires specific approval from the City as described below. All such connections must be initiated and terminated by the City. All connections must be terminated by the initiating City employee at the conclusion of the business transaction.

The City’s three connectivity options listed above are the standard methods of providing a connection to the City’s Network to an outside entity. Anything that deviates from these standard methods must be approved in writing by the City’s Technical Services Manager or CIO.

3. RIGHT TO USE NETWORK CONNECTION.

Contractor may only use the Network Connection in compliance with this Policy and only to:

A. perform services described in the contract to which this Policy is attached, or

B. if not attached to any contract, establish a connection only at the request of the City and only for the reasons that the connection was requested by the City. The City will only request such a connection for its legitimate business purposes.

4. NETWORK SECURITY.

A. Contractor will allow only Contractor’s employees listed in Attachment A and approved by the City in advance (“Authorized Employees”) to access the Network Connection. Contractor shall inform all Authorized Employees listed on Attachment A of the requirements of this Policy. Contractor shall be solely responsible for ensuring that Authorized Employees are not security risks, and upon the City’s request, Contractor will provide the City with any information reasonably necessary for the City to evaluate security issues relating to any Authorized Employee.

B. Contractor will promptly notify the City whenever any Authorized Employee leaves Contractor’s employ or no longer requires access to the Network Connection and that person’s name shall be removed from Attachment A.

C. Each party will be solely responsible for the selection, implementation, and maintenance of security procedures and policies that are sufficient to ensure that (a) such party’s use of the Network Connection is secure and is used only for authorized purposes, and (b) such party’s business records and data are protected against improper access, use, loss, alteration or destruction.

5. NOTIFICATIONS.

Contractor shall notify the City in writing promptly upon a change in the user base for the work performed over the Network Connection or whenever in Contractor’s opinion a change in the connection and/or functional requirements of the Network Connection is necessary.

Notices from either party to the other shall be sent by first-class, postage prepaid or hand delivered to the following:

FOR THE CITY:
City of Madison Technical Services Manager, Information Technology
210 Martin Luther King, Jr. Blvd., Room 500
Madison, WI 53703
Fax: (608) 261-9289

With a copy to:
City of Madison Chief Information Officer, Information Technology
210 Martin Luther King, Jr. Blvd., Room 500
Madison, WI 53703

FOR THE CONTRACTOR:

Contractor shall notify City within five (5) days of the change in name, address, phone, fax, or email of the individual listed above. It is Contractor’s responsibility to ensure that Contractor has provided all of the necessary contact information and that such information is correct.

6. RESERVATION OF RIGHT.

If at any time, Contractor’s Network Connection does not meet the requirements of this policy, the City reserves the right to have Contractor re-engineer those connections as needed at the Contractor’s expense, or terminate the connection.

7. CONNECTION REQUESTS AND APPROVALS.

All requests for Contractor Network Connections must be made via the City’s contact person set forth in Section 5.

8. SERVICES PROVIDED.

In general, services provided over Network Connections should be limited only to those services needed, and only to those devices (hosts, routers, etc.) needed, in the sole opinion of the City. The City will not provide blanket access. The City’s default policy position is to deny all access and then only allow a Network Connection to perform those specific services that are needed and approved by the City.

In no case shall the Contractor use the City’s Network as an Internet connection for the Contractor.

9. AUTHENTICATION FOR NETWORK CONNECTIONS.

All Network Connections will be authenticated using the City’s authentication database and Token Access System or other authentication methods approved by the City.

10. CONFIDENTIALITY.

A. Applicability. If Contractor’s connection to the City’s network is pursuant to a contract between the City and Contractor (“Contract”), the parties intend all provisions of such Contract including any confidentiality provision to be read together with this Network Access Policy and harmonized to the extent possible. In the event of a conflict between such Contract and this Policy, the provision that more strictly protects the City’s Confidential Information shall apply.

B. Contractor acknowledges that it may receive and have access to City’s Confidential Information. Confidential Information shall not include any information which:

was in the public domain prior to the date of receipt by Contractor;

was in Contractor's lawful possession prior to the date of communication by the City;

becomes part of the public domain by publication or otherwise not due to any unauthorized act or omission of Contractor;

was supplied to Contractor by a third party having the lawful right to do so;

was independently developed by Contractor without use of the Confidential Information; or

Contractor is required by law to disclose, provided that Contractor first notifies the City that it is required to disclose such Confidential Information and it allows the City a reasonable period of time to contest the disclosure of such Confidential Information.

C. All right, title and interest in and to the Confidential Information shall remain the exclusive property of the City and the Confidential Information shall be maintained in confidence and held in trust by Contractor for the benefit of the City. Contractor shall not, directly or indirectly, use or exploit the Confidential Information for any operational, commercial or other purpose whatsoever or in any manner detrimental to the City or disclose, disseminate, impart or grant access to the Confidential Information to any person for any purpose.

D. Contractor shall not copy, reproduce in any form or store in any retrieval system or database the Confidential Information without the prior written consent of the City, except for such copies, reproductions and storage as may be reasonably required internally by Contractor for the purpose for which Contractor receives the Confidential Information.

E. Contractor agrees that at no time shall Contractor, its employees or agents, authorize a third party to have access to the City’s network.

F. Security of connections will be achieved by implementing access control lists (ACL) on the Partner Gateway routers to which the Contractor sites are connected. The ACL will restrict access to pre-defined hosts within the internal City network. The ACL will be determined by the appropriate City support organization. A set of default ACL may be established as a baseline.

G. The City shall not have any responsibility for ensuring the protection of Contractor’s information unless explicitly agreed in writing. Contractor shall be entirely responsible for providing the appropriate security measures to ensure protection of its private internal network and information.

11. CITY PROPERTY.

All materials relating to the business and affairs of the City, including, without limitation, all manuals, documents, reports, equipment, working materials, content, messages, materials, data, datasets, data structures, spreadsheets, entries, information, text, music, sound, photos, video, graphics, code or other items or materials, prepared by the City or by Contractor for the City, whether or not such materials are also considered Confidential Information as defined herein, are for the benefit of the City and are and shall remain the property of the City. If Contractor’s access to the City’s network is pursuant to a contract between the City and Contractor (“Contract”), the parties intend all provisions of such Contract including any provision regarding ownership of contract product and intellectual property to be read together with this Network Access Policy and harmonized to the extent possible. In the event of a conflict between such Contract and this Policy, the provision that more strictly protects the City’s property shall apply; however this Policy should not be interpreted to transfer or otherwise modify the ownership of Contractor’s intellectual property licensed to the City by Contractor pursuant to a written license agreement executed by the City and Contractor.

12. SIGNATURE.

A. Contract for Purchase of Services. If this Policy is referenced and incorporated into a Contract for Purchase of Services or other contract between the Contractor and the City, then the Policy applies to Contractor by virtue of Contractor’s signature on the underlying contract and no further signature is required for Contractor to be bound to this Policy.

B. Stand-Alone Document. If this Policy is presented to Contractor without an underlying contract, Contractor makes the following acknowledgement: By signing below, I acknowledge that I have read and received a copy of this Network Connection Policy and agree to be bound by the terms herein.

CONTRACTOR
Authorized Signature (only if required by paragraph 12.B.)
Name
Title
Date

Attachment A: Authorized Employees

Name / Telephone Number / Address / Email Address

Rev. 01/20/2016