The URL can be used to link to this page

2024/03/20 Keeper Security, Inc. Password Management Software Solution Subscription2905/031858-0001 19584139.7 a03/14/24 CITY OF MENIFEE SOFTWARE SERVICES AGREEMENT PASSWORD MANAGEMENT SOFTWARE SOLUTION SUBSCRIPTION THIS SOFTWARE SERVICES AGREEMENT (“Agreement”) is made and effective this ______day of ____________, 2024 (“Effective Date”) by and between the CITY OF MENIFEE, a California municipal corporation, (“City”) and KEEPER SECURITY, INC., a Delaware corporation (“Provider”). City and Provider may sometimes herein be referred to individually as a “Party” and collectively as the “Parties.” In consultation with the California Public Contract Code, the California Labor Code, and other applicable laws relating to the performance of public work, the Parties agree that the services to be performed hereunder do not involve a “public work” as that term is defined in applicable law. SECTION 1. SERVICES. Subject to the terms and conditions set forth in this Agreement, Provider shall provide to City the services described in the Scope of Services, attached hereto as Exhibit “A” and incorporated herein by this reference (the “Services”). In the event of a conflict in or inconsistency between the terms of this Agreement and Exhibit “A”, this Agreement shall prevail. 1.1 Term of Services. The term of this Agreement shall begin on the date of the last signature of the parties and shall end after one (1) year starting from the Effective Date (the “Term”) unless the term of this Agreement is otherwise terminated or extended as provided for in Section 8. This Agreement may be renewed after the Term, on the same terms and conditions, for subsequent Terms upon the mutual agreement of the Parties. This Section 1.1 shall not affect City’s right to terminate this Agreement, as provided for in Section 8. 1.2 Standard of Performance. Provider represents and warrants that Provider is a provider of first class work and services and Provider is experienced in performing the Services contemplated herein and, in light of such status and experience, Provider shall perform the Services required pursuant to this Agreement in the manner and according to the standards observed by a competent practitioner of the profession in which Provider is engaged in the geographical area in which Provider practices its profession and to the sole satisfaction of the Contract Administrator. 1.3 Assignment of Personnel. a. All Services. Provider shall assign only competent personnel to perform the Services pursuant to Agreement. In the event that City, in its sole discretion, at any time during the term of this Agreement, desires the reassignment of any such persons, Provider shall, immediately upon receiving notice from City of such desire of City, reassign such person or persons. To the fullest extent feasible, Provider shall maintain a consistent staff and shall minimize staff changes or turnover on the Services. Provider shall keep a list of assigned personnel to the Services and shall provide such list to the City upon reasonable request. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 20 March 2905/031858-0001 19584139.7 a03/14/24 -2- b. Law Enforcement Services. If the Services are designed and procured for or on behalf of the Menifee Police Department, Provider shall comply with all applicable California Law Enforcement Telecommunications Services (CLETS) requirements. 1.4 Time. Provider shall devote such time to the performance of the Services pursuant to this Agreement as may be reasonably necessary to satisfy Provider’s obligations hereunder. 1.5 Authorization to Perform Services. Provider is not authorized to perform any of the Services or incur any costs whatsoever under the terms of this Agreement until receipt of authorization from the Contract Administrator. 1.6 Warranty. By executing this Agreement, Provider warrants that Provider (i) has thoroughly investigated and considered the Services, (ii) has carefully considered how the Services should be performed, and (iii) fully understands the facilities, difficulties, and restrictions attending performance of the Services. 1.7 Cyber Security Incident and Data Breach Notification: In the event of a cyber security incident or a data breach (each an "incident"), as such cyber security incident or data breaches are defined by applicable law, which may detrimentally impact City’s information technology network, Provider will report said incident by the fastest means available and also in writing, within forty-eight (48) hours after Provider reasonably believes that there has been a such incident has occurred. The notification shall identify (a) the nature of the incident; (b) the data accessed, used, or disclosed; (c) the persons who accessed, used, disclosed, or received the data; (d) Provider’s approach to quarantine or mitigate the incident; and (e) what corrective action Provider will take or has taken to prevent future incidents. Provider will provide daily, or more frequently as practicable, findings and actions performed by Provider until the cyber security incident has been effectively resolved. Provider will quarantine the incident to ensure secure access to data, and repair the Services as needed to recover from the incident. Provider shall conduct an investigation of the incident and share the report of the investigation with City. After any significant incident determined in City’s reasonable discretion to be catastrophic and material, Provider will at its expense have an independent, industry-recognized, City-approved third party perform an information security audit. The audit results shall be shared with City within seven (7) days of Provider’s receipt of such results. Upon Provider receiving the results of the audit, Provider will provide City with written evidence of planned remediation within thirty (30) days and promptly modify its security measures in order to meet its obligations under this Agreement. Section 5, Indemnification shall specifically apply to Claims (defined below) arising from cyber security incidents or data breaches which impact City’s information systems network through Provider’s network, system, or Services. 1.8 SOC Compliance. Where Provider is required by law to attain and maintain System & Organizational Controls (“SOC”) SOC 2 compliance, or its equivalent, for the Services, Provider shall maintain such compliance for the duration of the Agreement, and shall provide a copy of Provider’s SOC 2 Type 2 compliance reports to City within thirty (30) days of execution of the Agreement and annually thereafter within thirty (30) days of such reports being received by Provider. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -3- 1.9 City Policies. Provider shall comply with the City policy or policies attached hereto as Exhibit “B” and incorporated herein by this reference. 1.10 Change in Control. Provider shall provide written notice to City of major changes in control of Provider’s enterprise including mergers, sales, and any other occurrence resulting in a change of more than fifty percent (50%) of Provider’s ownership or executives. City may, in its sole discretion, elect to terminate this Agreement pursuant to Section 8 hereof as a result of a change in control of Provider’s enterprise. SECTION 2. COMPENSATION. City hereby agrees to pay Consultant a sum not to exceed Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) notwithstanding any contrary indications that may be contained in Consultant’s proposal, for the Services to be performed and reimbursable costs incurred under this Agreement. In the event of a conflict between this Agreement and Exhibit A, regarding the amount of compensation, this Agreement shall prevail. City shall pay Consultant for the Services rendered pursuant to this Agreement at the time and in the manner set forth herein. The payments specified below shall be the only payments from City to Consultant for the Services rendered pursuant to this Agreement. Consultant shall submit all invoices to City in the manner specified herein. Except as specifically authorized in advance by City, Consultant shall not bill City for duplicate services performed by more than one person. In no event shall the compensation paid during the term of this Agreement exceed the following amounts: a. Initial Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) b. First Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) c. Second Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) d. Third Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) e. Fourth Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) 2.1 Invoices. Provider shall submit invoices annually during the term of this Agreement, based on the cost for the Services performed and reimbursable costs incurred prior to the invoice date. Invoices shall contain the following information: a. Serial identifications of progress bills; i.e., Progress Bill No. 1 for the first invoice, etc.; b. The beginning and ending dates of the billing period; c. The total due this period; DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -4- Invoices shall be submitted to: City of Menifee Attn: Accounts Payable 29844 Haun Road Menifee, CA 92586 accountspayable@cityofmenifee.us 2.2 Annual Payment. City shall make payments, based on invoices received, for the software licenses. City shall have thirty (30) days from the receipt of an invoice that complies with all of the requirements above to pay Provider. 2.3 Total Payment. City shall not pay any additional sum for any expense or cost whatsoever incurred by Provider in rendering the Services pursuant to this Agreement. City shall make no payment for any extra, further, or additional service pursuant to this Agreement. 2.4 Hourly Fees. Intentionally Omitted. 2.5 Reimbursable Expenses. Intentionally Omitted. 2.6 Payment of Taxes. Provider is solely responsible for the payment of employment taxes incurred under this Agreement and any federal or state taxes. 2.7 Payment upon Termination. Intentionally Omitted. 2.8 Service Level Commitment. This Section shall only apply to Services which involve the provision or availability of a network, system, platform, or other asset by Provider to City (each an “Online Asset”). The service will be available 99.9% of the time as measured on a monthly basis (“Uptime Availability”) excluding Routine Maintenance (which shall not exceed 12 hours per calendar quarter) and force majeure events. If Provider is not in compliance with this obligation in any 30-day period during the terms of this Agreement, City can receive a credit payment (“Service Credit”) in the amounts set forth below for the applicable month. Service Credits will be applied at the time of the City’s next invoice period. Service Credits shall be the City’s sole remedies for availability or quality of the Software. Uptime Availability Amount Credited to Customer Less than 99.9%-99.5% 5% of the Monthly Fee Less than 99.5% - 99.1% 10% of the Monthly Fee Less than 98.7% - 98.1% 30% of the Monthly Fee 98% or less 50% of the Monthly Fee DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -5- Uptime Availability applies to the internet sync component of the software, noting that Keeper native applications are available offline. Furthermore, Uptime Availability only applies to events isolated to Keeper, and not to events resulting from external factors, such as Customer Single Sign-On solutions. In addition to the foregoing, upon request by the Contract Administrator, Provider may attend a quarterly service level review meeting with the Contract Administrator or designee. The Contract Administrator may consent in writing to cancelling any particular meeting or meetings. SECTION 3. FACILITIES AND EQUIPMENT. City shall make available to Provider only physical facilities such as desks, filing cabinets, and conference space, as may be reasonably necessary for Provider’s use while consulting with City employees and reviewing records and the information in possession of City. The location, quantity, and time of furnishing those facilities shall be in the sole discretion of City. In no event shall City be required to furnish any facility or equipment that may involve incurring any direct expense, including but not limited to computer, internet, long-distance telephone or other communication charges, vehicles, and reproduction facilities. SECTION 4. INSURANCE REQUIREMENTS. Before beginning any work under this Agreement, Provider, at its own cost and expense, shall procure the types and amounts of insurance listed below and provide certificates of insurance, indicating that Provider has obtained or currently maintains insurance that meets the requirements of this Section. Provider shall maintain the insurance policies required by this Section throughout the term of this Agreement. The cost of such insurance shall be included in Provider’s compensation. Provider shall not allow any subcontractor, Provider or other agent to commence work on any subcontract until Provider has obtained all insurance required herein for the subcontractor(s) and provided evidence thereof to City. Verification of the required insurance shall be submitted and made part of this Agreement prior to execution. Provider agrees that the requirement to provide insurance shall not be construed as limiting in any way the extent to which Provider may be held responsible for the payment of damages to any persons or property resulting from Provider activities or the activities of any person or persons for which Provider is otherwise responsible nor shall it limit Provider’s indemnification liabilities as provided in Section 5. 4.1 Workers’ Compensation. Provider shall, at its sole cost and expense, maintain Statutory Workers’ Compensation Insurance and Employer’s Liability Insurance for any and all persons employed directly or indirectly by Provider pursuant to the provisions of the California Labor Code. Statutory Workers’ Compensation Insurance and Employer’s Liability Insurance shall be provided with limits of not less than ONE MILLION DOLLARS ($1,000,000.00) per accident, ONE MILLION DOLLARS ($1,000,000.00) disease per employee, and ONE MILLION DOLLARS ($1,000,000.00) disease per policy. The insurer, if insurance is provided shall waive all rights of subrogation against City and its officers, officials, employees, and authorized volunteers for loss arising from the Services performed under this Agreement. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -6- 4.2 Commercial General and Automobile Liability Insurance. a. General requirements. Provider, at its own cost and expense, shall maintain commercial general and automobile liability insurance for the term of this Agreement in an amount not less than ONE MILLION DOLLARS ($1,000,000.00) per occurrence, combined single limit coverage, for risks associated with the Services contemplated by this Agreement, TWO MILLION DOLLARS ($2,000,000.00) general aggregate, and TWO MILLION DOLLARS ($2,000,000.00) products/completed operations aggregate. Such coverage shall include but shall not be limited to, protection against claims arising from bodily and personal injury, including death resulting therefrom, and damage to property resulting from the Services contemplated under this Agreement, including the use of hired and non-owned automobiles. b. Minimum Scope of Coverage. Commercial general coverage shall be at least as broad as Insurance Services Office Commercial General Liability occurrence form CG 0001. c. Additional Requirements. Each of the following shall be included in the insurance coverage: (i) The insurance shall cover on an occurrence or an accident basis, and not on a claims-made basis. (ii) Any failure of Provider to comply with reporting provisions of the policy shall not affect coverage provided to City and its officers, employees, agents, and volunteers. 4.3 Umbrella Policy. a. General Requirements. Provider, at its own cost and expense, shall maintain for the period covered by this Agreement an umbrella policy in an amount not less than ONE MILLION DOLLARS ($1,000,000. Any deductible or self-insured retention shall be shown on the Certificate. 4.4 Cyber Insurance. Provider, at its own cost and expense, shall maintain for the period covered by this Agreement cyber liability insurance in an amount not less than SIX MILLION DOLLARS ($6,000,000) in the aggregate covering any cyber security incidents which originates in or migrates from Provider’s network, and impacts City’s network, system, or access to the Services. 4.5 All Policies Requirements. a. Acceptability of Insurers. All insurance required by this Section is to be placed with insurers with a Bests’ rating of no less than A:VII and admitted in California. b. Verification of Coverage. Prior to beginning the Services under this Agreement, Provider shall furnish City with certificates of insurance, additional insured or policy DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -7- language granting additional insured status complete certified copies of all policies, including complete certified copies of all endorsements. All copies of policies and certified endorsements shall show the signature of a person authorized by that insurer to bind coverage on its behalf. City must be listed as an additional insured for liability arising out of ongoing and completed operations by or on behalf of Provider. c. Notice of Reduction in or Cancellation of Coverage. Provider shall provide written notice to City within thirty (30) calendar days if: (1) any of the required insurance policies is terminated; or (2) the limits of any of the required polices are reduced. In the event any of said policies of insurance are cancelled, Provider shall, prior to the cancellation date, submit new evidence of insurance in conformance with this Section 4 to the Contract Administrator. d. Additional Insured; Primary Insurance. City and its officers, employees, agents, and authorized volunteers shall be covered as additional insureds general liability policy. The coverage shall contain no special limitations on the scope of protection afforded to City or its officers, employees, agents, or authorized volunteers. The insurance provided to City as an additional insured must apply on a primary and non-contributory basis with respect to any insurance or self-insurance program maintained by City. e. Deductibles and Self-Insured Retentions. Intentionally Omitted. f. Subcontractors. Intentionally Omitted. g. Variation. The Contract Administrator may, but is not required to, approve in writing a variation in the foregoing insurance requirements, upon a determination that the coverage, scope, limits, and forms of such insurance are either not commercially available, or that City’s interests are otherwise fully protected. 4.6 Remedies. In addition to any other remedies at law or equity City may have if Provider fails to provide or maintain any insurance policies or policy endorsements to the extent and within the time herein required, City may, at its sole option, exercise any of the following remedies, which are alternatives to other remedies City may have and are not the exclusive remedy for Provider’s breach: a. Obtain such insurance and deduct and retain the amount of the premiums for such insurance from any sums due under this Agreement; b. Order Provider to stop work under this Agreement or withhold any payment that becomes due to Provider hereunder, or both stop work and withhold any payment, until Provider demonstrates compliance with the requirements hereof; and/or SECTION 5. INDEMNIFICATION. 5.1 Indemnification for Professional Liability. Where the law establishes a professional standard of care for performance of the Services, to the fullest extent permitted by law, Provider shall indemnify, protect, defend , and hold harmless City and any and all of its DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -8- officers, employees, officials, volunteers, and agents from and against any and all third party claims, losses, costs, damages, expenses, liabilities, liens, actions, causes of action (whether in tort, contract, under statute, at law, in equity, or otherwise) charges, awards, assessments, fines, or penalties of any kind (including reasonable Provider and expert fees and expenses of investigation, costs of whatever kind and nature) and any judgment (collectively, “Claims”) to the extent same are caused in whole or in part by any negligent or wrongful act, error, or omission of Provider, its officers, agents, employees, or subcontractors (or any entity or individual that Provider shall bear the legal liability thereof) in the performance of professional services under this Agreement. 5.2 Indemnification for Other than Professional Liability. Other than in the performance of professional services and to the full extent permitted by law, Provider shall indemnify, protect, defend , and hold harmless City, and any and all of its officers, employees, officials, volunteers, and agents from and against any and all third party Claims, where the same arise out of, are a consequence of, or are in any way attributable to, in whole or in part, the performance of this Agreement by Provider or by any individual or entity for which Provider is legally liable, including but not limited to officers, agents, employees or subcontractors of Provider. This requirement encompasses, without limitation, Claims arising from cyber security incidents arising out of Provider’s performance of the Agreement, and copyright, intellectual property, or patent Claims by third parties related to Provider’s provision of the Services. 5.3 Limitation of Indemnification for Design Professionals. Notwithstanding any provision of this Section 5 to the contrary, design professionals, as that term is defined in Civil Code Section 2782.8, are required to defend and indemnify City only to the extent permitted by Civil Code Section 2782.8. The term “design professional” as defined in Section 2782.8, is limited to licensed architects, licensed landscape architects, registered professional engineers, professional land surveyors, and the business entities that offer such services in accordance with the applicable provisions of the California Business and Professions Code. This Subsection 5.3 shall only apply to Provider if Provider is a “design professional” as that term is defined in Civil Code Section 2782.8. 5.4 Limitation of Indemnification. The provisions of this Section 5 do not apply to claims occurring as a result of City’s sole or active negligence. The provisions of this Section 5 shall not release City from liability arising from gross negligence or willful acts or omissions of City or any and all of its officers, officials, employees, and agents acting in an official capacity. 5.5 City’s Indemnification of Provider. City hereby agrees to defend, indemnify and hold harmless Provider, its business partners, third-party suppliers, providers, licensors, officers, directors, employees, distributors and agents against any damages, losses, liabilities, settlements, and expenses (including without limitation costs and reasonable attorneys' fees) in connection with any third party claim or action that (i) arises from any actual breach by The City of this Agreement, (ii) arises solely from the content or effects of any messages City distributes using the Software or (iii) otherwise arises from or relates solely to City misuse of the Software. In addition, City acknowledges and agrees that Provider has the right to seek damages when City uses the Software for unlawful purposes, in an unlawful manner, and/or in a manner inconsistent with the terms of this Agreement. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -9- SECTION 6. INDEPENDENT CONTRACTOR. At all times during the term of this Agreement, Provider shall be an independent contractor and shall not be an employee of City. City shall have the right to control Provider only insofar as the results of the Services rendered pursuant to this Agreement and assignment of personnel pursuant to Subsection 1.3; however, otherwise City shall not have the right to control the means by which Provider accomplishes the Services rendered pursuant to this Agreement. The personnel performing the Services under this Agreement on behalf of Provider shall at all times be under Provider’s exclusive direction and control. Provider shall not at any time or in any manner represent that it is or any of its officers, employees, or agents are in any manner officers, officials, employees, or agents of City. Provider shall not incur or have the power to incur any debt, obligation, or liability whatever against City, or bind City in any manner. Except for the fees paid to Provider as provided in this Agreement, City shall not pay salaries, wages, or other compensation to Provider for performing the Services hereunder for City. City shall not be liable for compensation or indemnification to Provider for injury or sickness arising out of performing the Services hereunder. Notwithstanding any other City, state, or federal policy, rule, regulation, law, or ordinance to the contrary, Provider and any of its employees, agents, and subcontractors providing services under this Agreement shall not qualify for or become entitled to any compensation, benefit, or any incident of employment by City, including but not limited to eligibility to enroll in the California Public Employees Retirement System (“PERS”) as an employee of City and entitlement to any contribution to be paid by City for employer contributions and/or employee contributions for PERS benefits. SECTION 7. LEGAL REQUIREMENTS. 7.1 Governing Law. The laws of the State of California shall govern this Agreement. 7.2 Compliance with Applicable Laws. Provider and any subcontractor shall comply with all applicable local, state, and federal laws and regulations applicable to the performance of the work hereunder. Provider shall not hire or employ any person to perform work within City or allow any person to perform the Services required under this Agreement unless such person is properly documented and legally entitled to be employed within the United States. Provider acknowledges and agrees that it shall be independently responsible for reviewing the applicable laws and regulations and effectuating compliance with such laws. Provider shall require the same of all subcontractors. 7.3 Cybersecurity Compliance. Without limiting Section 7.2 hereof, Provider shall comply with all applicable rules and regulations related to cybersecurity, including but not limited to the National Institute of Standards and Technology (NIST) security standards, Payment Card Industry (PCI) security standards, Personally Identifiable Information (PII) security standards, the Health Insurance Portability and Accountability Act (where applicable), and the California Privacy Rights Act (CPRA.) 7.4 Prevailing Wages. Provider acknowledges and agrees that it shall be independently responsible for reviewing the applicable prevailing wage laws and regulations and effectuating compliance with such laws, including, but not limited to the prevailing wage and related requirements applicable to public works contracts. Provider shall bear all risks of payment or non- DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -10- payment of prevailing wages under California law and/or the implementation of California Labor Code Section 1781, as the same may be amended from time to time, and/or any other similar law. Section 5, Indemnification, specifically encompasses Claims arising from or related to (i) the noncompliance by Provider or any party performing the Services of any applicable local, state, and/or federal law, including, without limitation, any applicable federal and/or state labor laws (including, without limitation, the requirement to pay state prevailing wages and hire apprentices); (ii) the implementation of California Labor Code Sections 1726 and 1781, as the same may be amended from time to time, or any other similar law; and/or (iii) failure by Provider or any party performing the Services to provide any required disclosure or identification as required by California Labor Code Section 1781, as the same may be amended from time to time, and/or any other similar law. 7.5 Licenses and Permits, Fees and Assessments. Provider represents, warrants, and covenants to City that Provider and its employees, agents, and any subcontractors have all licenses, permits, qualifications, and approvals of whatsoever nature that are legally required to practice their respective professions, and perform the Services. Provider represents, warrants, and covenants to City that Provider and its employees, agents, and subcontractors shall, at their sole cost and expense, keep in effect at all times during the term of this Agreement any licenses, permits, and approvals that are legally required to practice their respective professions, and perform the Services. Provider shall have the sole obligation to pay for any fees, assessments, and taxes, plus applicable penalties and interest, which may be imposed by law and arise from or are necessary for Provider’s performance of the Services, and shall indemnify, defend and hold harmless City, its officers, employees or agents of City, against any such fees, assessments, taxes, penalties or interest levied, assessed, or imposed against City hereunder. 7.6 Conflicts of Interest, Political Reform Act. Provider represents, warrants, and covenants that Provider presently has no interest, direct or indirect, which would interfere with or impair in any manner or degree the performance of Provider’s obligations and responsibilities under this Agreement. Provider further agrees that while this Agreement is in effect, Provider shall not acquire or otherwise obtain any interest, direct or indirect, that would interfere with or impair in any manner or degree the performance of Provider’s obligations and responsibilities under this Agreement. 7.7 Annual Appropriation of Funding. In accord with Article 16 Section 18 of the California Constitution, payment of compensation under this Agreement is contingent upon annual appropriation of funds by City for that purpose. Provider acknowledges and agrees that to the extent that the Services extend beyond one (1) fiscal year, payment for such Services is expressly conditioned on City’s annual appropriation of funds for such Services for each year. If no funds are appropriated then this Agreement shall be terminated. City pledges and agrees to process such appropriation requests annually and in good faith. Nothing in this Subsection shall be construed to limit the right of either Party to terminate this Agreement as provided herein. SECTION 8. TERMINATION AND MODIFICATION. 8.1 Consequences of Termination. In the event of termination, Provider shall be entitled to compensation for the Services performed up to the date of termination. Provider shall cooperate with City, and shall not unreasonably delay or impede City’s efforts to transition the DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -11- Services to another provider, where requested by City (a “Transition”). The Transition may include any or all of the following: a. Providing instructions to the City for how their end users can export any City data (if any) from Provider’s service in a computer readable format and providing City with at least ninety (90) days following termination for time to allow City to export City data ; and/or b. Providing to City documentation regarding City users and privileges to the Services; and/or c. Certifying to City that all City data has been deleted from Provider’s service on a date mutually agreed upon by the Parties; and/or d. Any other actions mutually agreeable to the Parties to assist with the Transition. 8.2 Extension. City may, in its sole and exclusive discretion, extend the end date of this Agreement beyond that provided for in Subsection 1.1. Any such extension shall require a written amendment to this Agreement, as provided for herein. 8.3 Amendments. The Parties may amend this Agreement only by a writing signed by all the Parties. 8.4 Assignment and Subcontracting. City and Provider recognize and agree that this Agreement contemplates personal performance by Provider and is based upon a determination of Provider’s unique personal competence, experience, and specialized personal knowledge. Moreover, a substantial inducement to City for entering into this Agreement was and is the professional reputation and competence of Provider. Provider may not assign this Agreement or any interest therein without the prior written approval of the Contract Administrator. 8.5 Survival. All obligations arising prior to the expiration or termination of this Agreement and all provisions of this Agreement allocating liability between City and Provider shall survive the expiration or termination of this Agreement. 8.6 Options upon Breach by Provider. If Provider materially breaches any of the terms of this Agreement, City's remedies shall include, but not be limited to, any or all of the following: a. Immediately terminate this Agreement; b. Retain a different Provider to complete the Services described in Exhibit “A” SECTION 9. KEEPING AND STATUS OF RECORDS. 9.1 Records Created as Part of Provider’s Performance. Where the Services include the preparation or receipt of any documents, including data, in any form, by Provider created exclusively for City, such records shall become property of City. Provider hereby agrees to deliver those documents to City upon the expiration or termination of this Agreement. It is understood DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -12- and agreed that the documents and other materials, including those described above, prepared pursuant to this Agreement are prepared exclusively for City and are not necessarily suitable for any future or other use. Any use of such documents for other projects by City shall be without liability to Provider. City and Provider agree that, until final approval by City, all data, plans, specifications, reports, and other documents created exclusively for City are confidential and will not be released to third parties without prior written consent of both Parties unless required by law. 9.2 Licensing of Intellectual Property. This Agreement creates a non-exclusive and perpetual license for City to use the software and the Intellectual Property it contains (“Documents and Data”) during the term of the Agreement. Provider shall require all subcontractors to agree in writing that City is granted a non-exclusive and perpetual license for any Documents and Data the subcontractor prepares under this Agreement. Provider represents and warrants that Provider has the legal right to license any and all Documents and Data. Provider makes no such representation and warranty in regard to Documents and Data which were prepared by design professionals other than Provider or provided to Provider by the City. City shall not be limited in any way in its use of the Documents and Data at any time, provided that any such use not within the purposes intended by this Agreement shall be at City’s sole risk. 9.3 Provider’s Books and Records. Provider shall maintain any and all ledgers, books of account, invoices, vouchers, canceled checks, and other records or documents evidencing or relating to charges for the Services or expenditures and disbursements charged to City under this Agreement for a minimum of three (3) years, or for any longer period required by law, from the date of final payment to Provider under this Agreement. All such records shall be maintained in accordance with generally accepted accounting principles and shall be clearly identified and readily accessible. 9.4 Inspection and Audit of Records. Any records or documents that Subsection 9.3 of this Agreement requires Provider to maintain shall be made available for inspection, audit, and/or copying at any time during regular business hours, upon oral or written request of City. Under California Government Code Section 8546.7, if the amount of public funds expended under this Agreement exceeds TEN THOUSAND DOLLARS ($10,000.00), this Agreement shall be subject to the examination and audit of the State Auditor, at the request of City or as part of any audit of City, for a period of three (3) years after final payment under this Agreement. SECTION 10. MISCELLANEOUS PROVISIONS. 10.1 Attorneys’ Fees. If either Party to this Agreement brings any action, including an action for declaratory relief, to enforce or interpret the provision of this Agreement, the prevailing Party shall be entitled to reasonable attorneys’ fees and expenses including costs, in addition to any other relief to which that Party may be entitled; provided, however, that the attorneys’ fees awarded pursuant to this Subsection shall not exceed the hourly rate paid by City for legal services multiplied by the reasonable number of hours spent by the prevailing Party in the conduct of the litigation. The court may set such fees in the same action or in a separate action brought for that purpose. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -13- 10.2 Applicable Law, Venue. The laws of the State of California shall govern this Agreement. In the event that either Party brings any action against the other under this Agreement, the Parties agree that trial of such action shall be vested exclusively in Riverside County. 10.3 Severability. If any provision of this Agreement is held invalid, the remainder of this Agreement shall not be affected thereby and all other parts of this Agreement shall nevertheless be in full force and effect. 10.4 Section Headings and Subheadings. The section headings and subheadings contained in this Agreement are included for convenience only and shall not limit or otherwise affect the terms of this Agreement. 10.5 No Implied Waiver of Breach. Waiver by any Party to this Agreement of any term, condition, or covenant of this Agreement shall not constitute a waiver of any other term, condition, or covenant. Waiver by any Party of any breach of the provisions of this Agreement shall not constitute a waiver of any other provision or a waiver of any subsequent breach or violation of any provision of this Agreement. Acceptance by City of any work or services by Provider shall not constitute a waiver of any of the provisions of this Agreement. No delay or omission in the exercise of any right or remedy by a non-defaulting Party on any default shall impair such right or remedy or be construed as a waiver. Any waiver by either Party of any default must be in writing and shall not be a waiver of any other default concerning the same or any other provision of this Agreement. 10.6 Successors and Assigns. The provisions of this Agreement shall inure to the benefit of and shall apply to and bind the successors and assigns of the Parties. 10.7 Provider Representative. All matters under this Agreement shall be handled for Provider by Nikki Jamison (“Provider’s Representative”). The Provider’s Representative shall have full authority to represent and act on behalf of Provider for all purposes under this Agreement. The Provider’s Representative shall supervise and direct the Services, using his best skill and attention, and shall be responsible for all means, methods, techniques, sequences, and procedures and for the satisfactory coordination of all portions of the Services under this Agreement. 10.8 City Contract Administration. This Agreement shall be administered by a City employee, Chief Information Officer or designee (“Contract Administrator”). All correspondence shall be directed to or through the Contract Administrator or his designee. The Contract Administrator shall have the power to act on behalf of City for all purposes under this Agreement. Unless otherwise provided in this Agreement, Provider shall not accept direction or orders from any person other than the Contract Administrator or his designee. 10.9 Notices. Any written notice to Provider shall be sent to: Keeper Security, Inc. Attn: Nikki Jamison, General Counsel 333 North Green Street, Suite 811 Chicago, IL 60607 DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -14- Any written notice to City shall be sent to the Contract Administrator at: City of Menifee 29844 Haun Road Menifee, CA 92586 Attn: Chief Information Officer with a copy to: City Clerk City of Menifee 29844 Haun Road Menifee, CA 92586 10.10 Rights and Remedies. Except with respect to rights and remedies expressly declared to be exclusive in this Agreement, the rights and remedies of the Parties are cumulative and the exercise by either Party of one or more of such rights or remedies shall not preclude the exercise by it, at the same or different times, of any other rights or remedies for the same default or any other default by the other Party. 10.11 Integration. This Agreement, including the exhibits attached hereto and incorporated herein by reference, represents the entire and integrated agreement between City and Provider and supersedes all prior negotiations, representations, or agreements, either written or oral. The terms of this Agreement shall be construed in accordance with the meaning of the language used and shall not be construed for or against either Party by reason of the authorship of this Agreement or any other rule of construction which might otherwise apply. 10.12 Counterparts. This Agreement may be executed in multiple counterparts, each of which shall be an original and all of which together shall constitute one agreement. 10.13 Execution of Contract. The persons executing this Agreement on behalf of each of the Parties hereto represent and warrant that (i) such Party is duly organized and existing, (ii) they are duly authorized to execute and deliver this Agreement on behalf of said Party, (iii) by so executing this Agreement, such Party is formally bound to the provisions of this Agreement, and (iv) that entering into this Agreement does not violate any provision of any other agreement to which said Party is bound. 10.14 Nondiscrimination. Provider covenants that, by and for itself, its heirs, executors, assigns, and all persons claiming under or through them, that in the performance of this Agreement there shall be no discrimination against or segregation of, any person or group of persons on account of any impermissible classification including, but not limited to, race, color, creed, religion, sex, marital status, sexual orientation, national origin, or ancestry. 10.15 No Third Party Beneficiaries. There are no intended third-party beneficiaries under this Agreement and no such other third parties shall have any rights or obligations hereunder. 10.16 Nonliability of City Officers and Employees. No officer, official, employee, agent, representative, or volunteer of City shall be personally liable to Provider, or any successor in DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -15- interest, in the event of any default or breach by City or for any amount which may become due to Provider or to its successor, or for breach of any obligation of the terms of this Agreement. 10.17 No Undue Influence. Provider declares and warrants that no undue influence or pressure is used against or in concert with any officer or employee of City in connection with the award, terms or implementation of this Agreement, including any method of coercion, confidential financial arrangement, or financial inducement. No officer or employee of City shall receive compensation, directly or indirectly, from Provider, or from any officer, employee, or agent of Provider, in connection with the award of this Agreement or any work to be conducted as a result of this Agreement. 10.18 No Benefit to Arise to City Employees. No member, officer, or employee of City, or their designees or agents, and no public official who exercises authority over or has responsibilities with respect to this Agreement during his/her tenure or for one (1) year thereafter, shall have any interest, direct or indirect, in any agreement or sub-agreement, or the proceeds thereof, for the Services to be performed under this Agreement. [Signatures on Following Page] DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 -16- IN WITNESS WHEREOF, the Parties hereto have executed and entered into this Agreement as of the Effective Date. CITY OF MENIFEE Armando G. Villa, City Manager Attest: Stephanie Roseen, Acting City Clerk Approved as to Form: Jeffrey T. Melching, City Attorney PROVIDER Nikki Jamison, General Counsel Mark Cravotta, Chief Revenue Officer [Note: 2 officer’s signatures required if Provider is a corporation, unless provided with a certificate of secretary in-lieu] DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B 2905/031858-0001 19584139.7 a03/14/24 EXHIBIT “A” EXHIBIT “A” SCOPE OF SERVICES Services shall include PASSWORD MANAGEMENT SOFTWARE SOLUTION SUBSCRIPTION services in the amount not to exceed Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) as further detailed in the following page(s). In no event shall the compensation paid during the term of this Agreement exceed the following amounts: Initial Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) First Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) Second Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) Third Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) Fourth Renewal Term: Two Thousand Nine Hundred Dollars and Zero Cents ($2,904.00) DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 1 of 42 EXHIBIT “B” CITY POLICIES CITY OF MENIFEE City Council Policy Policy Number: CC-18 Approving Authority: City Council Subject Electronic Communication Use Policy and Procedures Effective Date: May 1, 2019 Page 1 of 8 1. PURPOSE The objectives of this policy are to: A. provide clear and concise direction regarding use of the City’s electronic communications systems, including electronic mail (email), text messaging and voice mail; B. minimize any disruptions to City services related to electronic communications; C. enhance work productivity through the use of electronic communications; and D. comply with applicable State and Federal laws and City policies related to the use of email and all other forms of electronic communication. Specifically, this policy addresses the California Supreme Court’s 2017 decision in City of San Jose v. Superior Court of Santa Clara County, holding that a city employee’s communications, related to the conduct of public business, are subject to the California Public Records Act, even if they were sent or received using a personal account or personal device. 2. SCOPE / BACKGROUND This policy applies to all persons (including employees, appointed and elected officials, interns, and volunteers) who are permitted to use the City’s computing or network resources, and particularly the email functions of the system (“Authorized Users”). “City” means the City of Menifee. “Email” means any electronic communication to or from any authorized user using the Email System, including all information, data, and attachments to the electronic communication, “Email System” means the system of devices (including hardware, software, and other equipment) owned and controlled by the City or the authorized user, for the purpose of facilitating the electronic transmission. “Electronic Communications” includes any and all electronic transmission, and every DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 2 of 42 other means of recording upon any tangible thing in any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combinations thereof, and any record thereby created, regardless of the manner in which the record has been stored. Without limiting the nature of the foregoing, “electronic communications” include emails, texts, voicemails, and also include communications on or within commercial applications (apps) such as Facebook Messenger, Twitter, etc. 3. POLICY Definition of “Official City Record” Under this Policy, the definition of “Official City Record” is the same as the definition provided in the California Public Records Act (Cal. Gov. Code § 6250 et seq.) for “public records” and “writing”: “…any writing containing information relating to the conduct of the public’s business prepared, owned, used or retained by any state or local agency regardless of physical form or characteristics…” “…’Writing’ means handwriting, typewriting, printing, photostating, photographing, photocopying, transmitting by electronic mail or facsimile, and every other means of recording upon any tangible thing any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combination thereof, and any record thereby created, regardless of the manner in which the record has been stored.” A. Electronic Communication Related to City Business is an Official City Record Email and other forms of electronic communications, such as voice mail, texts, tweets, and social media posts, generate correspondence and other types of records that can be recognized as Official City Records and may be subject to disclosure under the Public Records Act. In addition, any Official City Record created through email and other forms of electronic communications must be protected and retained in accordance with records retention laws. For this reason, employees, appointed and elected officials, interns, and volunteers are prohibited from using their personal devices for City business. Messages transmitted using the City’s Email System or City-owned equipment with capabilities for text messaging and/or voice mail, should be messages which involve City business activities and contain information essential to accomplishment of business-related tasks, or can otherwise be recognized as Official City Records. However, the incidental use of electronic communications (email, or voice) that may contain non-City related (personal) matters is permitted. This incidental use shall be limited, and must not interfere with the conduct of City business or the provision of City services. Any incidental (personal) email, text or voice messages are not DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 3 of 42 considered public records but may still be discoverable. All electronic communications are the property of the City of Menifee. B. City Email System is Not For Storage The City reserves the right to retrieve and make proper and lawful use of any and all electronic communications transmitted through the City’s Email System and any City-owned equipment. Although the use of electronic communications is considered official City business, the City’s communication systems, including email, text messaging and voice mail, are intended as a medium of communication only. Therefore, the Email System and any City-owned equipment such as cell phones should not be used for the electronic storage or maintenance of documentation, including, but not limited to, Official City Records. Regarding email, the system administrator performs regular electronic back-ups of the City’s Email System. However, the back-up is not a copy of all City email activity that occurred on the City email server during the back-up period. 4. GUIDELINES FOR PROPER EMAIL USAGE A. City email access is controlled through individual accounts and passwords. It is the responsibility of each Authorized User to protect the confidentiality of his or her account and password information. B. Authorized Users are responsible for managing their mailboxes, including organizing and cleaning out any non-City related messages that do not constitute Official City Records. Authorized Users are responsible for determining if emails contain substantive information regarding City business, or may later be important or useful for carrying out City business, and thus could be considered as Official City Records. C. An Outlook PST file, also known as an “Outlook Data File” or an “Outlook Personal Folders File,” is a file format used by Outlook to store email and other Outlook items. For reasons of security and network performance, the use of PST files is prohibited. D. All Authorized Users must check and respond to their emails on a regular basis, preferably daily. E. Authorized Users are expected to remember that email sent from City email accounts is a representation of the City. All Authorized Users must use normal standards of professional and personal courtesy and conduct when drafting and sending email messages. Email messages should be drafted and sent with the same care and in DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 4 of 42 the same manner as any communication printed on City letterhead. Like any other City communication, email is a reflection of the City’s business practices. F. Except as otherwise noted in this policy, all messages transmitted over the Email System should be limited to those which involve City business activities or contain information essential to Authorized Users for the accomplishment of City-related tasks. Use of the City’s Email System for personal communication must be kept to a minimum. Spam email can be harmful to the City’s computer system. Spam email is electronic junk mail, usually unsolicited commercial and non-commercial messages transmitted as a mass mailing to a number of recipients. If an email message does not pertain to City business, it should be deleted from your email account and not forwarded. Examples include jokes, thoughts for the day, “chain” type email messages, etc. G. Email messages should be easy to read and understand. Spelling and grammar should be correct. Avoid using abbreviations unless you are certain the recipient will understand the meaning. H. Email messages should be sent to smaller rather than larger audiences where appropriate. Avoid “broadcasting” messages and large documents. Email messages should not be used for broadcast purposes unless they are of interest to all City personnel. I. Avoid long email “chain” messages that include past emails attached to a current message. Deleting long strings of previous email exchanges from your reply messages will enhance readability. J. Limit designating email as “high-priority” or “urgent” – use those designations only when necessary and appropriate. 5. PROHIBITED USES OF THE CITY’S ELECTRONIC COMMUNICATIONS SYSTEMS Email shall not be used for any activity that is a violation of local, state, or federal law. Types of messages prohibited from being transmitted through the City’s Email System include, but are not limited to, the following: A. Messages in support or opposition to campaigns for candidates for an elected office or a ballot measure. B. Messages of a religious nature or promoting or opposing religious beliefs. C. Messages containing language which is insulting, offensive, disrespectful, demeaning, or sexually suggestive. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 5 of 42 D. Messages containing harassment of any form, sexual or ethnic slurs, obscenities, or any representation of obscenities. For more information please refer to the Human Resources Personnel Rules & Regulations Policy. E. Messages used to send or receive copyrighted material, proprietary financial information or similar materials. F. Messages used for gambling or any activity that is a violation of local, state, or federal law. 6. PROHIBITED USE OF CITY ELECTRONIC COMMUNICATION VIA PERSONAL ACCOUNTS A. City accounts shall be used to conduct City business. Authorized Users shall not use personal accounts for the creation, transmission or storage of electronic communications regarding City business. B. All Authorized Users shall, within 60 days following the adoption of this updated policy, search all private, nongovernmental electronic messaging accounts to which they have user access and locate any electronic communications that might constitute a “public record,” because it involved “City business” as set forth above. All such communications shall be forwarded to the Authorized User’s City-provided account. To the extent the Authorized User believes that any part of such communications contain personal matter not related to the conduct of the public’s business, the Authorized User shall provide a declaration, as set forth in Exhibit A. C. If an Authorized User receives an electronic message regarding City business on his/her non-City electronic messaging account, or circumstances require such person to conduct City business on a non-City account, the Authorized User shall either: (a) copy (“cc”) any communication from an Authorized User’s personal electronic messaging account to his/her City electronic messaging account; or (b) forward the associated electronic communication to his/her City account no later than 10 days after the original creation or transmission of the electronic communication. D. Authorized Users shall endeavor to ask persons sending electronic communications regarding City business to a personal account to instead utilize the Authorized User’s account, and likewise shall endeavor to ask a person sending an electronic communication regarding non-City business to use the Authorized User’s personal or non-City electronic messaging account. 7. ELECTRONIC COMMUNICATIONS AND PRIVACY A. No Expectation of Privacy DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 6 of 42 Authorized Users have no right or expectation of privacy or confidentiality in any message created, sent, received, deleted, or stored using the City Email System or any City-owned or subsidized communication devices. All messages and any attachments on the City’s computer network, Email System, or \City-owned system or subsidized communication device are subject to City review and disclosure of electronic communications regarding City business. Electronic communications regarding City business that are created, sent, received, or stored on an electronic messaging account, may be subject to the Public Records Act, even if created, sent received, or stored on a personal account or personal device. Most communications that include Authorized Users are not confidential communications. However, certain communications such as police investigations, personnel records, or attorney-client communications may be confidential or contain confidential information. Questions about whether communications are confidential, and how they are to be preserved, should be discussed with the City Clerk. B. Personal Email Accounts and Official City Records The use of personal email accounts by Authorized Users to transmit messages regarding City business is prohibited. In the event that messages regarding City business are received by Authorized Users through their personal email accounts, Authorized Users are directed to forward copies of such emails to their City email addresses to ensure a copy exists in the City Email System. Personal emails discussing City business are considered Official City Records that are subject to the Public Records Act and records retention laws. Authorized Users are directed to use only their City email accounts for sending/receiving emails regarding City business. C. Access Must Be Private Notwithstanding the City’s right to have Authorized Users access email and other electronic messages, all electronic messages should be treated as confidential by other Authorized Users and accessed only by the intended recipient. Authorized Users are not authorized to retrieve, read or listen to any electronic messages that are not sent to them. Any exceptions must receive prior approval by the City Manager or designee. D. Use Caution with Confidential Information All Authorized Users must exercise a greater degree of caution in sending confidential information on the City’s electronic communications systems than they take with other media because of the risk that such information may be copied and/or retransmitted. When in doubt, do not use email, text messaging, or voice mail as a means of confidential communication. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 7 of 42 8. PUBLIC RECORDS REQUESTS, RETENTION AND DESTRUCTION Electronic communications are a business tool which shall be used in accordance with generally accepted business practices and all Federal and State laws, including the California Public Records Act, to provide an efficient and effective means of intra- agency and interagency communications. Under most circumstances, communications sent electronically are public records, subject to disclosure under the Public Records Act and subject to records retention laws applicable to cities. A. Public Records Act In the event a Public Records Act request is received by the City seeking electronic communications of Authorized Users, the City Clerk’s office shall promptly transmit the request to the applicable Authorized User whose electronic communications are sought. The Clerk shall communicate the scope of the information requested to the applicable Authorized User, and an estimate of the time within which the City Clerk intends to provide any responsive electronic communications to the requesting party. It shall be the duty of each Authorized User receiving such a request from the City Clerk to promptly conduct a good faith and diligent search of his/her personal electronic messaging accounts and devices for responsive electronic communications. The Authorized User shall then promptly transmit any responsive electronic communications to the City Clerk. Such transmission shall be provided in sufficient time to enable the City Clerk to adequately review and provide the disclosable electronic communications to the requesting party. In the event a City official does not possess, or cannot with reasonable diligence recover, responsive electronic communications from the City official’s electronic messaging account, the City official shall so notify the City Clerk by way of a written declaration (Exhibit B). B. Automatic Deletion of Email The City’s email management system automatically deletes City emails, including any text messages that become emails, which are more than 24 months old from all Outlook folders of each City email user. Email in ”Deleted” and “Sent” folders will be automatically removed after ninety days. C. Managing Your City Email Authorized Users are responsible for the management of their mailboxes and associated folders on a daily basis. To ensure maximum efficiency in the operation DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 8 of 42 of the Email System, Authorized Users are directed to delete email messages that are not Official City Records from their inboxes on a weekly basis. Examples of such messages are personal emails, email advertisements/ announcements, or newsletters received via email. If email messages that are not Official City Records are necessary for transitory work, preliminary drafts, preparation of work product or personal notes, Authorized Users should either print the email and maintain the paper copy, or create a PDF version of the email (print to PDF) and store the file in an electronic folder on the City’s network drive to be deleted when no longer needed. It is the responsibility of Authorized Users to determine if an email message is an Official City Record which must be retained in accordance with the City’s Record Retention Policy. Email messages (including any attachments) that are deemed to be Official City Records shall be preserved. Authorized Users shall consider the content of an email message when determining if it is an Official City Record. The City Clerk can assist in making such a determination. In addition, following is a general guideline for determining whether an email message is an Official City Record: Messages That Are Generally Considered As Public Records (Retention Time = 2 years) Messages That Are Generally NOT Considered As Public Records • Email that is created or received in connection with official City business. • Email that shows how a City policy was created or how a decision was made by City staff and/or the City Council. • Email that begins, or authorizes, or completes an item or a transaction of official City business. • Email that documents significant official decisions or commitments reached verbally (person-to- person, by phone or in conference) and not otherwise documented in City files.  Personal messages and announcements not related to official City business.  Duplicate documents (copies or excerpts) distributed for convenience or reference.  Transmittal Messages that merely assist the flow of work.  Emails containing drafts, notes, interagency or intra-agency memos that are NOT retained in the ordinary course of business. (Gov. Code § 6254(a).) D. Email Attachments Attachments to email messages should be retained or disposed of according to the content of the attachment itself, not according to the email transmitting the attachment. Many email attachments are simply duplicates of existing documents, DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 9 of 42 or are draft versions of documents that might not be retained by the City after the final version of the document is complete. If you need help in determining whether an attachment to an email message must be retained, please contact the City Clerk’s Office. E. Preserving Electronic Messages – Public Records Act Requests, Subpoenas, Claims, and Potential Claims Against the City The City periodically receives requests for inspection or production of documents pursuant to the Public Records Act, as well as subpoenas or court orders for documents. In the event such a request or demand includes electronic messages, Authorized Users who have control over or access to any such messages, once they become aware of the request or demand, shall use their best efforts, by reasonable means available, to temporarily preserve any such message until it is determined whether the message is subject to preservation, public inspection or disclosure. Authorized Users shall contact the City Clerk regarding any such messages that are within their control. 9. VIOLATIONS Authorized Users found to have violated this policy may have his or her access to City email, text messaging or other means of electronic communication on City equipment limited or revoked completely. Authorized Users who violate this policy may be subjected to formal disciplinary action up to and including termination from City employment. 10. ROLES AND RESPONSIBILITIES A. The City Manager is responsible for administering this policy and procedure. B. All Authorized Users are responsible for compliance with this policy and procedure. Revision History Revision No. Date Approved Approved By: Comments 0 5/1/2019 City Council Original Policy DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 10 of Bill Zimmerman, Mayor Date DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 11 of CITY OF MENIFEE Administrative Policy Policy Number: AD-04 Approving Authority: City Manager Subject Internet Use and Computer Resource Use Policy Effective Date: 4/10/2016 Last Modified: Page 1 of 7 1. PURPOSE 1.1. The purpose of this administrative policy is to provide guidelines for the appropriate use of all technology resources provided by the City. All City computers, including laptop/notebook computers, and related equipment are formal communication and analytic tools. They should be used for City business-related purposes in a professional and courteous manner. Any use of City computer equipment for personal purposes, including sending and receiving emails and internet access, shall be limited, brief, and infrequent provided that the use does not directly or indirectly interfere with City computer systems or services, burden the City with additional incremental cost, interfere with other city computer users employment or other obligations to the City, or reflect negatively on the city or its employees. 1.2. The City reserves the right to change the policies and procedures set forth in this administrative policy at any time. 1.3. Employees should be aware that all records, whether on paper, voicemail, or computerized, are subject to the mandatory public disclosure requirements of the Public Records Act, subject to the exceptions provided under the Act. In addition, employees who use the City's computer network resources do so with no right or expectation of privacy or confidentiality, and at all times the data, systems, and traffic they create utilizing the City's computer network resources remain the property of the City. 2. SCOPE / BACKGROUND 2.1. This policy applies to all City of Menifee employees, volunteers, and contractors of the City using electronic communications technology and resources owned, sponsored or reimbursed by the City of Menifee. An electronic resource is any software or hardware device capable of receiving, storing, sharing or sending electronic data including but not limited to the internet, email, voicemail, cellular telephones, computers/laptops/tablets, DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 12 of telecommunications devices, video and audio equipment, wireless networks, servers, networks, software, agency hosted social media, and documentation that supports electronic communications services. 3. POLICY 3.1. The City's computer network resources are City property, regardless of physical location or the form in which they are maintained, and are to be used for City business in the course of normal operations. Employees who use the City's computer network resources do so with no right or expectation of privacy or confidentiality. The use of all computer network resources must comply with all requirements set forth in this administrative policy and all other City policies. While passwords are issued to employees in order to protect the City's business interests the conferral of such passwords does not create any individual right of privacy as to the City's computer network resources, including any data, files, or messages sent to, received, or created by such Employee. 3.2. The City has the capability to and may, with or without notice for any lawful purpose, monitor and audit all network activity to ensure compliance with this administrative policy, and activate, access, block, review, copy, disable, delete, and/or disclose any information residing on any computer network resources, including, but not limited to emails sent and received, voice mail messages received, files created or accessed, and all internet/web access, communications, and transactions. 3.3. All City network users are required to use personalized user IDs and passwords. The user ID will be assigned by the Information Technology Department staff and follows the syntax of first name initial and full last name unless otherwise specified. The passwords are chosen by the user and are not known to the Information Technology Department staff. 3.4. Passwords are confidential and shall not be shared. Passwords shall not be revealed in email messages or saved on files in any computer system. All passwords are to be treated as confidential City information. 3.5. Passwords are used for logging into the City network, using applications, or accessing specific resources. Network passwords are set to expire every 90 days. The system will prompt users when a change is necessary. Users should choose a new password when prompted. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 13 of 3.6. All hardware with the potential or capacity to access computer network resources (including but not limited to PCs, laptops, servers, handhelds, and wireless devices) is required to be secured with a password-protected screensaver. 3.7. Electronic snooping or tampering is a violation of this administrative policy and is grounds for disciplinary action, up to and including termination. This includes but is not limited to the unauthorized use or attempt to use another employee's password; the unauthorized entry to or attempted entry to the computer files and communications of another; the unauthorized entry or attempted entry to access encrypted, protected, or restricted computer network resources for which an employee has not been explicitly authorized to access; unauthorized "interception" of data not intended for that person; the utilization of City data for purposes other than those related to legitimate City business within the scope of direct job duties (including the use of public domain data obtained without following appropriate public information request procedures); or any other attempt to circumvent user authentication or security of any computer network resource. 3.8. Users of the City network are responsible for understanding and exercising reasonable security precautions. These precautions include, preserving the secrecy of user IDs and passwords, checking external data files for viruses before using on a computer, and deleting e-mails from unknown sources. 3.9. The City may authorize persons who are not employed by the City to use the City's computer network resources, only after approval from the appropriate department Director or City Manager. Such authorized access may be granted only upon the condition that such person shall use the system according to the rules and procedures established in this administrative policy and all other City policies. 3.10. Because the City network is comprised of connected computers, servers, and other devices, access to other users’ files may be possible. Users are expected to use caution and protect confidential data files when storing such data on network drives that are common areas to other users. 3.11. The use of City technology for personal profit or gain, or any other activity not specific to the mission or duties of the users or City is prohibited. 3.12. The use of City technology for any illegal, harassment, obscene, or other purpose, which could expose the City to liability or cause an adverse public perception, is prohibited. The display of sexually explicit images, documents, or offensive material on any City system is a violation of the City’s harassment policy. This includes sexually explicit or offensive material accessed from or received through the Internet, e-mail, or other electronic methods. In addition, sexually explicit or offensive material may not be archived, stored, distributed, edited, or recorded using any City resource. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 14 of 3.13. Unauthorized access, alteration, deletion, damage, infection, or destruction of any computer resource on the network is prohibited. 3.14. Employees who are terminated or laid off have no rights to the contents of their computer files, voice mail messages, or e-mail messages, and are not allowed access to any city-owned systems. Supervisors or management may access an employee’s computer resources as they deem necessary. 4. HARDWARE / SOFTWARE 4.1. The Information Technology Department staff or their designee will coordinate all computer service, equipment, additions, changes, moves, and repairs. 4.2. The Information Technology Department has established a standard configuration of computer hardware and software issued to users of the City network. Deviation by users from this standard configuration is prohibited. Changes to the system configuration must be requested from the Information Technology Department. 4.3. Unauthorized access, alteration, deletion, damage, infection, or destruction of any computer resource on the network is prohibited. 4.4. Employees are encouraged to power off or place their computers or monitors into sleep-mode before leaving for an extended period of time (meetings, lunch, etc.). Equipment should not be left on overnight and should be completely powered off each evening. Be sure to close all programs before powering off. 4.5. Laptops/ipads are assigned on a permanent or temporary basis to certain staff. All technology use rules apply to laptop/ipad users. 4.6. Laptops/ipads issued to staff to be used for use while at the City should be stored in a locked or secured area. 4.7. Additional laptops/ipads are available in a pool maintained by the Information Technology Department staff for issuance to employees with department head approval. The laptops will be assigned to the requestor on a first-come, first-served basis. Laptop checkouts can be for overnight or weekend business use, and may also be used during out-of-town travel on City business. 4.8. Laptops/ipads will be checked out and administered by Information Technology Division staff who will maintain a log for each laptop. The employee will be required to sign a checkout form. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 15 of 4.9. The user is responsible for properly caring for the equipment while in his or her use. The user shall not mark on any equipment with pencil or pen for any reason or permanently adhere any items to the monitors, keyboards, printers, mouse, or any other form of equipment. All liquids and food shall be kept away from the computer equipment at all times. 4.10. Any problems with the equipment, software, or other computer-related problems shall be reported to the Information Technology staff immediately. The user should not try to resolve any unfamiliar problems, or error messages without their assistance. If a problem does occur, the user shall immediately document what files were being accessed when the problem started and contact Information Technology staff for assistance. 4.11. All software used on the City network must be approved, acquired and licensed by the Information Technology Department and the City of Menifee. Software licenses and the physical media must be maintained in a central location by the Information Technology Department staff. 4.12. Users may not transfer, move or copy City-licensed software or data to another system or media without prior approval of Information Technology Department staff. 4.13. All software installation on any City resource must be installed or coordinated by Information Technology Department staff. Users may not install any software onto any City-issued resource. All software must be evaluated for compatibility by the Information Technology staff. 4.14. Any software, including databases, custom reports, graphics, or other work product developed while using a City resource or developed for use on the City network becomes the property of the City of Menifee. 4.15. Virus protection software resides on each computer. Users shall not disable this software. Users shall immediately notify Information Technology Division Staff of any virus detected on their system. 5. ON_LINE SERVICES 5.1. The Internet is a rapidly evolving resource with a vast amount of available information. Internet resources are made available to City network users to improve communication and information exchange with citizens and others and to provide an informational and research tool. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 16 of 5.2. Users should only download files as they relate to their job function. Downloads can cause significant slowdown in the network response time, introduce viruses, or damage other systems and disrupt work for others. Users should not download any files that require installation without authorization from the Information Technology Department staff. 5.3. Users shall not use any City resource to gain unauthorized access to other resources or entities. For example, a user with network access shall not attempt to gain access to areas on the City network or other outside networks. 5.4. Users should use caution when providing personal or business information over the Internet. Many sites collect this information for use in email Spam or for other fraudulent practices. 5.5. The City of Menifee seal & logo are trademarks of the City. Any use of the materials stored on the City’s website is prohibited without the written permission of the City of Menifee. The City of Menifee retains all intellectual property rights including copyrights on all text, graphic images, and other content. Modification, distribution, mirroring, or use of images or other web content is prohibited. 6. DATA STORAGE 6.1. The Information Technology Department staff maintains a backup of all files located on City servers. Backups are not performed on individual computers. 6.2. Each user is assigned a personal home directory. Other network users cannot access this directory. Files stored in this area should be ones only the creator will use. All data and other forms of electronic information including email that is stored on any type of media provided by the City are the City’s. The City reserves the right to access and disclose all such stored information for any purpose. 6.3. Each division or department is given a common area for their departmental data that other departments cannot access. Files stored in this area shall be ones that will be used by other members in your division or department. 6.4. Each user has access to common directories for all departments. Files stored in this area shall be ones that will be used by users outside of your division or department. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 1 of 42 DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 7. PENALTIES 7.1. Violations of this administrative policy subject employees to discipline up to and including termination. In the event of a violation, the City may pursue all remedies provided under the law, including advising legal and/or law enforcement authorities of any violation of law by an employee. 8. ROLES AND RESPONSIBILITIES 8.1. The City Manager is responsible for administering this policy and procedure 8.2. All employees, appointed or elected officials, volunteers, consultants, interns, are responsible for compliance with this policy and procedure. Revision History Revision No. Date Approved Approved By: Comments 0 04/10/14 R. Johnson, CM Original Policy 1 04/10/16 R. Johnson, CM Revised Policy DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 2 of 42 DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 CITY OF MENIFEE MEMORANDUM Date: January 1, 2022 To: Armando G. Villa, City Manager Rochelle Clayton, Assistant City Manager From: Ron Puccinelli, Chief Information Officer Cc: Robert Cardenas, Deputy HR Director, Risk Manager Sarah Manwaring, City Clerk Subject: Requesting approval of Cybersecurity Policy Administrative Directive AD-28 The City relies on numerous computer systems to deliver services to the public and manage internal business processes. These business systems collect, generate, and store large amounts of information, some of which is sensitive in nature and obligates the City to comply with various cybersecurity standards such as HIPAA, CLETS/CJIS, PCI DSS, and others. Additionally, a component of overall Risk Management includes a Cyber-Insurance policy through the City’s insurance provider. Both the Cyber-Insurance provider and several of the security standards require defining the City’s approach to Cybersecurity and identifying roles and responsibilities by means of a Cybersecurity policy. Currently the City does not have such a policy. The attached Cybersecurity Policy Administrative Directive will serve to establish the City’s policy and approach to Cybersecurity and define the roles and responsibilities of the various stakeholders across the City. The policy meets the requirements of the City’s Cyber-Insurance provider and the applicable security standards. This Cybersecurity Policy has also been provided to all Department Heads and the Risk Manager for review and incorporates all feedback received. I am respectfully requesting your authorization and signature to make the policy effective as of January 1, 2022. Attached please find the Cybersecurity Policy. Reviewed by: • Ron Puccinelli _____ • Rochelle Clayton ______ • Robert Cardenas ______ DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B Policy AD-04, Page 3 of 42 DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 CITY OF MENIFEE Administrative Policy Policy Number: AD-28 Approving Authority: City Manager Subject Cybersecurity Policy Effective Date: January 1, 2022 Last Modified: N/A 1. PURPOSE The City of Menifee (City) is dedicated to building a strong cybersecurity program to support, maintain, and secure critical infrastructure and data. The following policy is intended to maintain and enhance key elements of a citywide cybersecurity program. 2. SCOPE / BACKGROUND The Cybersecurity Policy lays the foundation for the City’s Cybersecurity Program as a whole and articulates executive level support for the effort. The Cybersecurity Policy supports the City’s Cybersecurity Program established to: • Protect City’s critical infrastructure • Protect the sensitive information entrusted to the City • Continuously improve our ability to detect and respond to cybersecurity events • Contain and eradicate compromises, restoring information resources to a secure and operational status • Ensure cyber-risk management is sufficient and in alignment with City operations and mission • Comply with external and regulatory data protection requirements The requirements identified in this policy apply to all information resources operated by or for the City, its departments, and advisory bodies. This includes all software, devices, and services that process, store, or transmit data, or anything that connects to a City device or Network. Elected officials, employees, consultants, and vendors working on behalf of the City of Menifee are required to comply with this policy. 3. POLICY A. The City shall: I. Assign cybersecurity responsibilities to the Chief Information Officer to coordinate citywide cybersecurity efforts II. Adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a methodology to secure information resources III. Use other NIST guidelines as applicable (csrc.nist.gov) DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 2 City of Menifee Policy AD-28 Page 2 of 7 SECTION 11. Cybersecurity Policy IV. Incorporate additional cybersecurity compliance or regulatory controls, such as Payment Card Industry Data Security Standard (PCI DSS), Criminal Justice Information Services (CJIS), Protected Health Information (PHI), and other security and privacy requirements. V. Conduct and update, at least annually, a cybersecurity risk assessment or with major changes to systems VI. Support cyber incident response as needed in accordance with Emergency Support Function 18 (ESF-18). VII. Develop and update, at least annually, a Cyber Incident Response Plan. VIII. Conduct cybersecurity, risk, and compliance assessments across all Departments B. Cybersecurity Framework In order to adequately protect information resources, systems and data must be properly categorized based on information sensitivity and criticality to operations. A risk-based methodology standardizes security architecture, creates a common understanding of shared or transferred risk when systems and infrastructure are connected, and makes securing systems and data more straightforward. The NIST Cybersecurity framework provides five elements to a cybersecurity program: I. Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. II. Protect: Develop and implement appropriate safeguards to ensure delivery of digital services. III. Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. IV. Respond: Develop and implement appropriate activities to respond to a cybersecurity event. V. Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired by a cybersecurity event. C. Cybersecurity Risk Assessment As defined in NIST Special Publication 800-30, “Guide for Conducting Risk Assessments,” risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 3 City of Menifee Policy AD-28 Page 3 of 7 SECTION 12. Cybersecurity Policy the extent to which circumstances or events could adversely impact the City and the likelihood that such circumstances or events will occur. The purpose of risk assessment is to inform decision makers and support risk responses by identifying: I. Relevant cyber threats to the City II. Vulnerabilities both internal and external III. Impact (i.e., harm) to the City that may occur given the potential for threats exploiting vulnerabilities IV. Likelihood that harm will occur The result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring). Risk assessments enable the City to determine current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity program. D. Risk Rating The risk ratings will be based on NIST Federal Information Processing Standards (FIPS) 199 security objectives of confidentiality, integrity, and availability of City systems and data. And the potential impact of low, moderate, and high. Figure 1 on the following page summarizes the potential impact definitions for each security objective—confidentiality, integrity, and availability. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 4 City of Menifee Policy AD-28 Page 4 of 7 SECTION 13. Cybersecurity Policy Figure 1 DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 5 City of Menifee Policy AD-28 Page 5 of 7 Cybersecurity Policy 4. ROLES AND RESPONSIBILITIES A. Chief Information Officer shall: I. Be the designated Information Security Officer, Privacy Officer and Cyber-Risk lead for the City. II. Coordinate with the Risk Manager to evaluate and obtain Cyber Insurance and on matters of Cyber-Risk. III. Coordinate with the Risk Manager to notify and engage with the City’s Cyber Insurance provider in the event of an incident. IV. Lead enterprise governance of information and technology efforts throughout the City. V. Establish and maintain a security team and function with the ability to identify, protect, detect, respond, and recover from attacks against City information resources. VI. Develop and maintain a cyber incident response plan capable of addressing major compromises of City information resources. VII. Review Emergency Support Function 18 Unified Cyber Command annex annually and ensure it is updated as needed. VIII. Organize and coordinate the City’s Cyber-Incident Response Team. IX. Ensure that all Departments employ a risk-based assessment and treatment program, and regularly report the status of the City’s residual cyber risk to the Executive Team. X. Select, design, and monitor cybersecurity controls for all City systems including without limitation any Software-as-a-Service or other hosted or cloud-based systems employed by any City Department. XI. Perform ongoing assessment of security controls. XII. Inform the City Manager and City Attorney when there is an event which compromises the confidentiality, integrity, or availability of a system or data involving Personally Identifiable Information (including payment card information), Regulatory Protected Information (such as but not limited to, CJIS, HIPAA or Social Security Numbers), and/or data that is not considered public, as soon as practical. XIII. Establish necessary procedures to support the cybersecurity program such as but not limited to, cybersecurity awareness, business continuity, incident response, access control, configuration management, change control, etc. XIV. Monitor current cyber threats and trends and recommend any necessary changes. XV. Implement, operate, and maintain cybersecurity controls for all systems acquired, used, or controlled by the City. B. Executive Team shall: I. Promote a culture of cybersecurity awareness and compliance with the City’s cybersecurity policy. Department heads must remind their employees and contractors about the City’s Cybersecurity policies, standards, procedures, guidelines, and best practices. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B DocuSign Envelope ID: 1917B5B9-6CFE-4EB3-B95C-5CBCD497F233 6 City of Menifee Policy AD-28 Page 6 of 7 SECTION 14. Cybersecurity Policy II. To the extent resources allow, ensure that all systems procured, operated, or contracted by their departments and the data contained by them are protected. III. To the extent possible, adequately support and fund cybersecurity operations based upon risk to City operations and mission. IV. With the aid of the City Attorney determine the requirements and execute necessary breach disclosures. C. Emergency Manager shall: I. Activate the city Emergency Operations Center (EOC) to coordinate response to an emergency level cyber event as outlined in Emergency Support Function 18 Unified Cyber Command. II. Support cybersecurity emergency exercise for City leaders in coordination with the Chief Information Officer. D. City Clerk shall: I. Work with the Chief Information Officer to develop and maintain an information classification system and support departments in their data classification efforts E. Public Information Officer shall: I. Work with the Chief Information Officer to develop, maintain, and activate a cyber- event communication plan as part of the incident response plan. F. Risk Manager Shall: I. Work with the Chief Information Officer to incorporate technology and Cyber risk into the City’s risk management plans and acceptable risk profile. II. Coordinate with the Chief Information Officer to evaluate and obtain appropriate Cyber Insurance. III. Assist the Chief Information Officer with notifying and coordinating with the City’s Cyber Insurance provider in the event of an incident. G. City Employees, contractors, and vendors shall: I. Comply with cybersecurity practices, requirements, and acceptable use agreement (Administrative Directive 04 - Internet Use and Computer Resource Use Policy) II. Promptly report any incidents to the IT Service Desk. III. Report suspicious emails. IV. Attend cybersecurity training at least annually. DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B City of Menifee Policy AD-28 Page 7 of 7 Cybersecurity Policy IV. EXCEPTIONS City cybersecurity requirements shall not supersede State or Federal requirements that may apply to certain specific data or systems. No exceptions to this policy will be approved. V. DEFINITIONS For a list of definitions please refer to: https://csrc.nist.gov/glossary VI. REFERENCES • NIST Computer Security Resource Center - https://csrc.nist.gov/ • NIST Cybersecurity Framework Website - http://www.nist.gov/cyberframework • Payment Card Industry - https://www.pcisecuritystandards.org • Criminal Justice Information Services (CJIS) Security Policy (latest version) https://www.fbi.gov/ • California Emergency Support Function 18 Cybersecurity, Annex to the California State Emergency Plan https://www.caloes.ca.gov/ • Health Information Privacy https://www.hhs.gov/hipaa/for- professionals/index.html • Cybersecurity & Infrastructure Security Agency https://www.cisa.gov/ Revision History Revision No. Date Approved Approved By: Comments 0 2/11/2022 City Manager Original Policy 1 2/11/2022 Date City Manager DocuSign Envelope ID: C1DDB438-7E52-4734-924D-81BEFB77B81B