V(F) Approval and Authorization for the Mayor and City Clerk to Execute Remote Network Connection Agreement with the Orange County Sheriff's Office Agenda 05-18-2004
Mayor: S. Scott Vandergrift
Acting City Manager: V. Gene Williford
Danny Howell, District 1
Scott Anderson, District 2
Rusty Johnson, District 3
Nancy J. Parker, District 4
STAFF REPORT
TO: The Honorable Mayor and City Commissioners
FROM: Steven J. Goclon, Chief of Police
DATE: May 11, 2004
RE: Remote Network Connection Agreement
ISSUE
Should the Honorable Mayor and Board of City Commissioners authorize the City of Ocoee to
enter into a Remote Network Connection Agreement with the Orange County Sheriff's Office?
BACKGROUND/DISCUSSION
The connection agreement would allow the Ocoee Police Department to tie into the
existing network and data at the Orange County Sheriff's Office (OCSO) and Orange County
Government.
The agreement includes:
• Policy for use of OCSO owned equipment
• Network security
• Connection (method of request, approval, and tracking)
• Method of access
• Contact information
• Protection of information
Without the agreement, useful and necessary information is either inaccessible or is being
received via regular mail. This information includes active warrants, contacts, booking photos, and
Orange County government data. The agreement would help improve the safety of the citizens of
Ocoee through the sharing of intelligence information. There is no fee attached to the agreement. The
agreement would remain in effect until either party wishes to terminate the agreement. The City
of Ocoee has not previously entered into a connection agreement with the OCSO.
RECOMMENDATION
It is respectfully recommended that the Honorable Mayor and Board of City Commissioners
approve the Remote Network Connection Agreement between the CITY OF OCOEE and the
ORANGE COUNTY SHERIFF'S OFFICE.
Orange County Sheriff's Office
REMOTE NETWORK CONNECTION AGREEMENT
This Remote Network Connection Agreement (the "Agreement") by and between Orange County
Sheriff's Office, and The Ocoee Police Department, with principal offices at 150 N. Lakeshore Drive,
Ocoee, Florida ("Agency"), is entered into as of the date last written below ("the Effective Date").
This Agreement consists of this signature page and the following attachments that are incorporated in
this Agreement by this reference:
1. Attachment 1: Remote Network Connection Agreement Terms and Conditions
2. Attachment 2: Network Connection Policy
3. Attachment 3: Remote Connection Request - Information Requirements Document
4. Attachment 4: Virtual Private Network (VPN) Agreement
5. Attachment 5: Remote Access Agreement
This Agreement is the complete agreement between the parties hereto concerning the subject matter of
this Agreement and replaces any prior oral or written communications between the parties. There are
no conditions, understandings, agreements, representations, or warranties, expressed or implied, which
are not specified herein. This Agreement may only be modified by a written document executed by the
parties hereto. Any disputes arising out of or in connection with this Agreement shall be governed by
Florida law without regard to choice of law provisions.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be duly executed. Each
party warrants and represents that its respective signatories whose signatures appear below have been
and are on the date of signature duly authorized to execute this Agreement.
City of Ocoee Orange County Sheriffs Office
Authorized Signature Authorized Signature
Captain Rob Harper
Name Name
Date Date
Remote Connection Agreement 4.30.99
Attachment 1
REMOTE NETWORK CONNECTION AGREEMENT
TERMS AND CONDITIONS
Object: To ensure that a secure method of connectivity is provided between Orange County Sheriff's Office and
Agency and to provide guidelines for the use of network and computing resources associated with the Network
Connection as defined below.
Definition: "Network Connection" means one of the Orange County Sheriff's Office connectivity options listed
in Section B of the Network Connection Policy.
1. Right to Use Network Connection. Agency may only use the Remote Network Connection for business
purposes as outlined by the Remote Network Connection Request - Information Requirements
Document.
2. Orange County Sheriff's Office-Owned Equipment.
2.1 Orange County Sheriff's Office may, in Orange County Sheriff's Office sole discretion, loan to
Agency certain equipment and/or software for use on Agency premises (the Orange County
Sheriff's Office-Owned Equipment) under the terms of the Orange County Sheriff's Office
Equipment Loan Agreement set forth in Attachment 5. Orange County Sheriff's Office-Owned
Equipment will only be configured for TCP/IP, and will be used solely by Agency on Agency's
premises and for the purposes set forth in this Agreement.
2.2 Agency may modify the configuration of the Orange County Sheriff's Office-Owned Equipment
only after notification and approval in writing by the Director of the Orange County Sheriff's
Office Information Management Section or designee.
2.3 Agency will not change or delete any passwords set on Orange County Sheriff's Office-Owned
Equipment without prior approval by the Director of the Orange County Sheriff's Office
Information Management Section or designee. Promptly upon any such change, Agency shall
provide Orange County Sheriff's Office with such changed password.
3. Network Security.
3.1 Agency will allow only Agency employees approved in advance by Orange County Sheriff's
Office ("Authorized Agency Employees") to access the Network Connection or any Orange
County Sheriff's Office-Owned Equipment. Agency shall be solely responsible for ensuring that
Authorized Agency Employees are not security risks, and upon Orange County Sheriff's Office's
request, Agency will provide Orange County Sheriff's Office with any information reasonably
necessary for Orange County Sheriff's Office to evaluate security issues relating to any
Authorized Agency Employee. Access to the Network Connection or any Orange County
Sheriff's Office-Owned Equipment
3.2 Agency will promptly notify the Director of the Orange County Sheriff's Office Information
Management Section or designee whenever any Authorized Agency Employee leaves Agency's
employ or no longer requires access to the Network Connection or Orange County Sheriff's
Office-Owned Equipment.
3.3 Each party will be solely responsible for the selection, implementation, and maintenance of
security procedures and policies that are sufficient to ensure that (a) such party's use of the
Network Connection (and Agency's use of Orange County Sheriff's Office-Owned Equipment)
is secure and is used only for authorized purposes, and (b) such party's business records and data
are protected against improper access, use, loss, alteration or destruction.
4. Notifications. Agency shall notify Orange County Sheriff's Office in writing promptly upon a change in
the user base for the work performed over the Network Connection or whenever in Agency's opinion a
change in the connection and/or functional requirements of the Network Connection is necessary.
5. Payment of Costs. Each party will be responsible for all costs incurred by that party under this
Agreement, including, without limitation, costs for phone charges, telecommunications
equipment and personnel for maintaining the Network Connection.
6. DISCLAIMER OF WARRANTIES. NEITHER PARTY MAKES ANY WARRANTIES,
EXPRESSED OR IMPLIED, CONCERNING ANY SUBJECT MATTER OF THIS
AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
7. LIMITATION OF LIABILITY. EXCEPT WITH RESPECT TO A PARTY'S
CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT, IN NO EVENT WILL
EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INDIRECT,
INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF
USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH
THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY DAMAGES
RESULTING FROM ANY DELAY, OMISSION OR ERROR IN THE ELECTRONIC
TRANSMISSION OR RECEIPT OF DATA PURSUANT TO THIS AGREEMENT,
WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT,
WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR
OTHERWISE, AND WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
8. Term, Termination and Survival. This Agreement will remain in effect until terminated by either party.
Either party may terminate this agreement for convenience by providing not less than thirty (30) days
prior written notice, to the Director of the Orange County Sheriff's Office Information Management
Section or designee or Agency designee, which notice will specify the effective date of termination.
Either party may also terminate this Agreement immediately upon the other party's breach of this
Agreement. Sections 5, 6, 7, 8, 10.1 and 10.2 shall survive any termination of this Agreement. If the
Orange County Sheriff's Office has a reasonable belief that this connection threatens the security of the Orange
County Sheriff's Office secure data, the connection can be terminated immediately.
9. MISCELLANEOUS.
10.1 Severability. If for any reason a court of competent jurisdiction finds any provision or portion of
this Agreement to be unenforceable, that provision of the Agreement will be enforced to the
maximum extent permissible so as to effect the intent of the parties, and the remainder of this
Agreement will continue in full force and effect.
10.2 Waiver. The failure of any party to enforce any of the provisions of this Agreement will not be
construed to be a waiver of the right of such party thereafter to enforce such provisions.
10.3 Assignment. Neither party may assign this Agreement, in whole or in part, without the other
party's prior written consent. Any attempt to assign this Agreement, without such consent, will
be null and of no effect. Subject to the foregoing, this Agreement is for the benefit of and will be
binding upon the parties' respective successors and permitted assigns.
10.4 Force Majeure. Neither party will be liable for any failure to perform its obligations in
connection with any Transaction or any Document if such failure results from any act of God or
other cause beyond such party's reasonable control (including, without limitation, any
mechanical, electronic or communications failure) which prevents such party from transmitting
or receiving any Documents.
Attachment 2
NETWORK CONNECTION AGREEMENT
Purpose: To ensure a secure method of network connectivity between Orange County Sheriff's Office and
the Agency and to provide a formalized method for the request, approval and tracking of such connections.
Scope: External Agency data network connections to Orange County Sheriff's Office can create potential
security exposures if not administered and managed correctly and consistently. These exposures may include
non-approved methods of connection to the Orange County Sheriff's Office network, the inability to shut down
access in the event of a security breach, an exposure to hacking attempts or virus infection. When existing
Remote Network Connections do not meet all of the guidelines and requirements outlined in this document,
they will be re-engineered as needed.
Definitions: A "Network Connection" is defined as one of the connectivity options listed in Section B. below.
"Third Parties" is defined as Orange County Sheriff's Office Partners, Vendors, Suppliers and the like.
A. Connection Requests and Approvals
All requests for Remote connections must be made using the appropriate method based on the support
organization. All requests must be approved by the Director of Information Management.
The required information is outlined in the Remote Connection Request - Information Requirements
Document (See Attachment 3 of this document). All information requested on this form must be completed
prior to approval and sign off. It is Agency's responsibility to ensure that Agency has provided all of the
necessary information and that such information is correct.
All Remote connection requests must be approved by the Director of the Information Management Section or
designee.
As a part of the request and approval process, the technical and administrative contact within Agency's
organization or someone at a higher level within Agency will be required to read and sign the "Remote
Connection Agreement" and any additional documents.
B. Connectivity Options
The following five connectivity options are the standard methods of providing a Network Connection.
Anything that deviates from these standard methods must have a waiver sign-off by the Director of the
Information Management Section.
1) Leased line (e.g. T1) - Leased lines will be terminated on the Partners network.
2) ISDN/FR - Dial leased lines will terminate on a Partners router located on the ECS or IT
Partners network. Authentication for these connections must be as stated in Section E. below.
3) Encrypted Tunnel - Encrypted tunnels must be terminated on the Partners Network whenever possible.
In certain circumstances, it may be required to terminate an encrypted tunnel on the dirty subnet, in
which case the normal Orange County Sheriff's Office perimeter security measures will control access
to Internal devices.
4) Telnet access from Internet - Telnet access from the Internet will not be provided.
5) Remote Dial-up via PPP/SLIP - Remote dial-up via PPP/SLIP will be provided by the Orange County
Sheriff's Office or designee. The connection will be authenticated per Section E. below.
C. Partner Access Points
When possible, Remote (Partner) Access Points (PAPs) should be established in locations such that the cost of
the access is minimized. Each PAP should consist of at least one router with leased line with Frame Relay
and/or ISDN capability.
D. Services Provided
In general, services provided over Remote Network Connections should be limited only to those services
needed, and only to those devices (hosts, routers, etc.) needed. Blanket access will not be provided for
anyone. The default policy position is to deny all access and then only allow those specific services that are
needed and approved by Orange County Sheriff's Office pursuant to the established procedure.
In no case shall a Remote Network Connection to Orange County Sheriff's Office be used as the Internet
connection.
The standard set of allowable services are listed below:
VPN Access - VPN access will be allowed via the method approved by the Orange County
Sheriff's Office Information Management Section Director or designee.
File Exchange via ftp—Where possible, file exchange via ftp should take place on the existing
Orange County Sheriff's Office ftp servers OCSO.com.
Web Resource Access—Access to internal web resources will be provided on an as-needed
basis. Access will be provided via the VPN connection. Access to Orange County Sheriff's
Office's public web resources will be accomplished via the normal Internet access.
Access to Source Code Repositories - This access will be decided on case by case basis.
Print Services—This access will be decided on case by case basis.
SQL*Net Access—This will be decided on a case by case basis.
NT File Exchange—File exchange will be provided by NT file servers located on the Orange
County Sheriff's Office Partners Network. Each User needing NT File exchange will be
provided with a separate folder that is only accessible to that Party and the necessary people at
Orange County Sheriff's Office.
E. Authentication for Remote Network Connections
Remote Network Connections made via remote dial-up using PPP/SLIP or standard telnet over the Internet will
be authenticated using the Partners Authentication database and Token Access System.
F. Orange County Sheriff's Office Equipment at Remote Sites
In many cases it may be necessary to have Orange County Sheriff's Office-owned and maintained equipment at
a Remote site. All such equipment will be documented on the Remote Access Connection Request—
Information Requirements Document. Access to network devices such as routers and switches will only be
provided to Orange County Sheriff's Office support personnel. All Orange County Sheriff's Office-Owned
Equipment located at Remote sites must be used only for business purposes. Any misuse of access or tampering
with Orange County Sheriff's Office-provided hardware or software, except as authorized in writing by the
Director of the Orange County Sheriff's Office Information Management Section or designee, may, in Orange
County Sheriff's Office's sole discretion, result in termination of the connection agreement. If Orange County
Sheriff's Office equipment is loaned to a partner, the partner will be required to sign an appropriate Orange
County Sheriff's Office Equipment Loan Agreement, if one is required.
G. Protection of Agency Private Information and Resources
The Orange County Sheriff's Office network support group responsible for the installation and configuration
of a specific Remote Connection must ensure that all possible measures have been taken to protect the integrity
and privacy of Orange County Sheriff's Office confidential information. At no time should Orange County
Sheriff's Office rely on access/authorization control mechanisms at the Remote site to protect or prohibit access
to Orange County Sheriff's Office confidential information.
Security of Remote Connections will be achieved by implementing "Access Control Lists" on the Partner
Gateway routers to which the Remote sites are connected. The ACLs will restrict access to pre-defined hosts
within the internal Orange County Sheriff's Office network. The ACLs will be determined by the appropriate
support organization. A set of default ACLs may be established as a baseline.
Enable-level access to Orange County Sheriff's Office-owned/maintained routers on Remote premises will only
be provided to the appropriate support organization. All other business personnel (i.e. Partner Site local
technical support personnel) will have restricted access/read-only access to the routers at their site and will not
be allowed to make configuration changes.
Orange County Sheriff's Office shall not have any responsibility for ensuring the protection of the Agency's
information. The Agency shall be entirely responsible for providing the appropriate security measures to ensure
protection of their private internal network and information.
H. Audit and Review of Remote Network Connections
All aspects of Remote Network Connections, up to but not including Agency's firewall, will be monitored by
the appropriate Orange County Sheriff's Office network support group. Where possible, automated tools will
be used to accomplish the auditing tasks.
Audits will be performed, on a schedule determined by the Orange County Sheriff's Office, on all Orange
County Sheriff's Office-owned/maintained router/network device configurations and the output will be mailed
to the appropriate Orange County Sheriff's Office network support group. Any unauthorized changes will be
investigated immediately.
All Remote Connections will be reviewed on a quarterly basis and information regarding specific Remote
Network Connection will be updated as necessary. Obsolete Remote Network Connections will be terminated.
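Sections D, G and H above describe a default-deny posture enforced by ACLs that limit Remote sites to pre-defined hosts, with audits that surface unauthorized changes. The following Python script is an added example of such an audit, not part of the agreement or of any Orange County Sheriff's Office tooling. It assumes rule lines in a simplified subset of Cisco IOS extended-ACL syntax (the agreement names no router vendor), and every address, port and approved entry in it is constructed sample data.

```python
"""Added example: audit a partner-gateway ACL against an approved service list."""
import re

# Constructed sample data. Addresses come from documentation ranges; the
# approved set stands in for what the request/approval process would record.
APPROVED = {                       # (protocol, destination host, destination port)
    ("tcp", "192.0.2.10", 443),    # hypothetical internal web resource
    ("tcp", "192.0.2.20", 21),     # hypothetical ftp server
}

BASELINE = """\
permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 443
permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.20 eq 21
deny ip any any
"""

# Same ACL after two changes nobody approved: a SQL*Net listener port and a
# blanket permit to every internal destination.
RUNNING = """\
permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 443
permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.20 eq 21
permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.30 eq 1521
permit ip 198.51.100.0 0.0.0.255 any
deny ip any any
"""

# Assumed subset: action, protocol, source, destination, optional "eq <port>".
ADDR = r"(any|host \S+|\S+ \S+)"
RULE = re.compile(rf"^(permit|deny) (\S+) {ADDR} {ADDR}(?: eq (\d+))?$")


def parse(acl_text):
    """Return rule dicts in ACL order; raise on lines outside the subset."""
    rules = []
    for line in acl_text.splitlines():
        line = " ".join(line.split())          # normalise whitespace
        if not line or line.startswith("!"):   # skip blanks and comments
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.append({"text": line, "action": action, "proto": proto,
                      "src": src, "dst": dst,
                      "port": int(port) if port else None})
    return rules


def audit(acl_text, approved):
    """Default-deny review: each permit must name one approved host and port."""
    findings = []
    for r in parse(acl_text):
        if r["action"] != "permit":
            continue
        # A permit without a single destination host and port is blanket access.
        if not r["dst"].startswith("host ") or r["port"] is None:
            findings.append(("blanket-access", r["text"]))
            continue
        key = (r["proto"], r["dst"].split()[1], r["port"])
        if key not in approved:
            findings.append(("unapproved-service", r["text"]))
    return findings


def drift(baseline_text, running_text):
    """Rule lines added to or removed from the approved baseline.

    Rule order is not compared here; a reordered ACL needs a separate check.
    """
    base = [r["text"] for r in parse(baseline_text)]
    run = [r["text"] for r in parse(running_text)]
    added = [t for t in run if t not in base]
    removed = [t for t in base if t not in run]
    return added, removed


if __name__ == "__main__":
    for kind, text in audit(RUNNING, APPROVED):
        print(f"{kind}: {text}")
    added, removed = drift(BASELINE, RUNNING)
    print("added:", added)
    print("removed:", removed)
```
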
Attachment 3
REMOTE CONNECTION REQUEST - INFORMATION
REQUIREMENTS DOCUMENT
In accordance with the Network Connection Policy, all requests for Remote Network Connections must be
accompanied by this completed Information Requirements Document. This document should be completed by
the Orange County Sheriff's Office person or group requesting the Network Connection.
A. Contact Information
Requester Information
Name:
Department Number:
Manager's Name:
Director's Name:
Phone Number:
Email Address:
Technical Contact Information
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Pager Number:
Email Address:
Back-up Point of Contact:
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Pager Number:
Email Address:
B. Problem Statement/Purpose of Connection: The Orange County Sheriff's Office is eliminating the DEC
system and the applications that were used by the agency to obtain information for the Orange County Sheriff's
Office.
C. Scope of Needs: Access to law enforcement data
What services are needed? (See Section D. of Network Connection Policy)
E. What type of work will be done over the Network Connection? Law enforcement related research
What applications will be used? RMS and Portal
What type of data transfers will be done? No data will be transferred
F. Are there any known issues such as special services that are required? Are there any unknown issues at this
point, such as what internal Orange County Sheriff's Office services are needed? None
G. Is a backup connection needed? (e.g., are there any critical business needs associated with this connection?)
No backup connection is provided
H. What is the requested installation date? (Minimum lead-time is 60 days) Immediately
I. What is the approximate duration of the Remote Network Connection? Perpetual
J. Are there any existing Network Connections at Orange County Sheriff's Office with this Agency? Yes
L. Other useful information
Attachment 4
Virtual Private Network (VPN) Agreement
Purpose
To provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the
Orange County Sheriff's Office network.
Scope
This agreement applies to all Orange County Sheriff's Office contractors, consultants, temporaries, and other workers
including all personnel affiliated with third parties utilizing VPNs to access the Orange County Sheriff's Office
network. This agreement applies to implementations of VPN that are directed through an Orange County
Sheriff's Office Firewall.
3.0 Policy
Approved Orange County Sheriff's Office employees, vendors, etc. may utilize the benefits of VPNs, which are a
"user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP),
coordinating installation, installing any required software, and paying associated fees. Further details may be
found in the Remote Access Agreement.
Additionally,
1. It is the responsibility of users with VPN privileges to ensure that unauthorized users are not allowed
access to Orange County Sheriff's Office internal networks.
2. VPN use is to be controlled using either a one-time password authentication such as a token device or a
public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over
the VPN tunnel: all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by Orange County Sheriff's Office Information Management
Section.
6. All computers connected to Orange County Sheriff's Office internal networks via VPN or any other
technology must use the most up-to-date anti-virus software approved by the Director of the Orange
County Sheriff's Office Information Management Section or designee.
7. VPN users will be automatically disconnected from Orange County Sheriff's Office's network after
thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other
artificial network processes are not to be used to keep the connection open.
8. By using VPN technology with personal equipment, users must understand that their machines are a de
facto extension of Orange County Sheriff's Office's network, and as such are subject to the same rules
and regulations that apply to Orange County Sheriff's Office-owned equipment, i.e., their machines must
be configured to comply with industry best practice Security Policies.
Attachment 5
Remote Access Agreement
Purpose
The purpose of this agreement is to define standards for connecting to Orange County Sheriff's Office's network
from any host. These standards are designed to minimize the potential exposure to Orange County Sheriff's
Office from damages which may result from unauthorized use of Orange County Sheriff's Office resources.
Damages include the loss of sensitive or agency confidential data, intellectual property, damage to public image,
damage to critical Orange County Sheriff's Office internal systems, etc.
Scope
This policy applies to all Orange County Sheriff's Office employees, contractors, vendors and agents with an
Orange County Sheriff's Office-owned or personally-owned computer or workstation used to connect to the
Orange County Sheriff's Office network. This policy applies to remote access connections used to do work on
behalf of Orange County Sheriff's Office, including reading or sending email and viewing intranet web resources.
Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems,
frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
Policy
1. It is the responsibility of Orange County Sheriff's Office employees, contractors, vendors and agents
with remote access privileges to Orange County Sheriff's Office's corporate network to ensure that their
remote access connection is given the same consideration as the user's on-site connection to Orange
County Sheriff's Office.
Requirements
1. Secure remote access must be strictly controlled. Control will be enforced via one-time password
authentication or public/private keys with strong pass-phrases. For information on creating a strong
pass-phrase see the Password Policy.
2. At no time should any Orange County Sheriff's Office employee, contractor, vendor or agent provide
their login password to anyone.
3. Orange County Sheriff's Office employees and contractors with remote access privileges must ensure
that their Orange County Sheriff's Office-owned or personal computer or workstation, which is remotely
connected to Orange County Sheriff's Office's corporate network, is not connected to any other network
at the same time, with the exception of personal networks that are under the complete control of the user.
4. Routers for dedicated ISDN lines configured for access to the Orange County Sheriff's Office network
must meet minimum authentication requirements of CHAP.
5. Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not
permitted at any time.
6. Frame Relay must meet minimum authentication requirements of DLCI standards.
7. Non-standard hardware configurations must be approved by Orange County Sheriff's Office Information
Management Section.
8. All hosts that are connected to Orange County Sheriff's Office internal networks via remote access
technologies must use the most up-to-date anti-virus software approved by the Information Management
Section; this includes personal computers.
9. Personal equipment that is used to connect to Orange County Sheriff's Office's networks must meet the
requirements of Orange County Sheriff's Office-owned equipment for remote access.
10. Organizations or individuals who wish to implement non-standard Remote Access solutions to the
Orange County Sheriff's Office production network must obtain prior approval from the Information
Management Section.
OCOEE SIGNATURE BLOCK FOR
REMOTE NETWORK CONNECTION AGREEMENT
ATTEST:
Jean Grafton, City Clerk
(SEAL)
CITY OF OCOEE, FLORIDA
By:
S. Scott Vandergrift, Mayor
FOR USE AND RELIANCE ONLY BY THE CITY OF OCOEE, FLORIDA; APPROVED AS TO FORM AND
LEGALITY this ___ day of ________, 200_.
FOLEY & LARDNER
By:
City Attorney
APPROVED BY THE OCOEE CITY COMMISSION AT A MEETING HELD ON ________, 200_
UNDER AGENDA ITEM NO. ____.
006.335346.1