Agenda 10/24/2017 Item #16E4
EXECUTIVE SUMMARY
Recommendation to approve and authorize the Chair to execute an Information Security Report
Confidential Disclosure Agreement with ImageTrend, Inc., the County’s EMS Patient Care
Reporting System software vendor.
OBJECTIVE: To assure security and confidentiality of information released to the County by
ImageTrend, Inc.
CONSIDERATIONS: Emergency Medical Services is in the process of upgrading the Patient Care
Reporting system with ImageTrend, Inc. As part of this process, Collier County’s Information
Technology Division is requesting that ImageTrend complete a Technical Architectural, Compatibility
and Supportability Requirements Document (copy attached). As a condition precedent to completing the
County’s required IT document, ImageTrend is requiring the County to execute an Information Security
Report Confidential Disclosure Agreement.
The agreement prevents the disclosure of confidential information while authorizing the
release of information that is already in the public domain, has become known through other
legally obtained sources, is approved for release by ImageTrend, is directed to be released by a
judicial or governmental order, or is required to be released by a law such as the Florida Public
Records law, F.S. Chapter 119.
FISCAL IMPACT: There is no fiscal impact associated with this action.
LEGAL CONSIDERATIONS: This item is approved as to form and legality, and requires majority vote
for Board approval. -SRT
GROWTH MANAGEMENT IMPACT: There is no Growth Management Impact resulting from this
action.
RECOMMENDATION: To approve the Information Security Report Confidential Disclosure
Agreement with ImageTrend, Inc. and authorize the Chair to execute same.
Prepared by: Artie Bay, Supervisor, Emergency Medical Services Admin.
ATTACHMENT(S)
1. Info Security Report (PDF)
2. TACS _V12 2-14-2017 (PDF)
COLLIER COUNTY
Board of County Commissioners
Item Number: 16.E.4
Doc ID: 3925
Item Summary: Recommendation to approve and authorize the Chair to execute an Information
Security Report Confidential Disclosure Agreement with ImageTrend, Inc., the County's EMS Patient
Care Reporting System software vendor.
Meeting Date: 10/24/2017
Prepared by:
Title: Supervisor - Accounting – Emergency Medical Services
Name: Artie Bay
10/11/2017 1:51 PM
Submitted by:
Title: Division Director - EMS Operations – Emergency Medical Services
Name: Tabatha Butcher
10/11/2017 1:51 PM
Approved By:
Review:
Emergency Medical Services Tabatha Butcher Additional Reviewer Completed 10/11/2017 2:00 PM
Administrative Services Department Paula Brethauer Level 1 Division Reviewer Completed 10/11/2017 2:13 PM
Administrative Services Department Len Price Level 2 Division Administrator Review Completed 10/11/2017 3:55 PM
County Attorney's Office Scott Teach Level 2 Attorney Review Completed 10/11/2017 3:59 PM
County Attorney's Office Jeffrey A. Klatzkow Level 3 County Attorney's Office Review Completed 10/12/2017 7:55 AM
Office of Management and Budget Valerie Fleming Level 3 OMB Gatekeeper Review Completed 10/12/2017 8:37 AM
Office of Management and Budget Laura Wells Additional Reviewer Completed 10/12/2017 9:08 AM
County Manager's Office Nick Casalanguida Level 4 County Manager Review Completed 10/16/2017 8:02 AM
Board of County Commissioners MaryJo Brock Meeting Pending 10/24/2017 9:00 AM
Attachment: Info Security Report (3925 : Information Security Report Confidential Disclosure Agreement with ImageTrend, Inc.)
Collier County Information Technology Department
Version: 12
Revision Date: 2/14/2017
Revised by: Richard J. Badge
Vendor signature:
Date:
Key for C16:C44
C = If internal required, If hosted N/A
R = Required
O = Optional, but may include additional costs to support
Key for C46:C49
Place an X in the YES or NO column, add any comments required in
column G
Technical Requirement | R/O | Weighted for optional business requirement for depts. fielding RFPs | Vendor's response | Vendor's comments | Notes | Team responsible
Web-based candidate software shall utilize Microsoft Internet Explorer. No
other browser is supported. Current Collier Production Version is IE11 or
Edge.
R1 R
The department purchasing the software benefits
from increased security, efficiency, and lower
support costs over the life of the software.
Service Desk
Please list any other supported browsers in column G, they may or may not be
considered as acceptable. Any non-Microsoft browser considered as
acceptable will incur dedicated support costs.
R2 O Applications
The vendor must submit any applicable license agreements for any proposed
elements including a description of the licensing model, and list prices for all
license types and whether or not custom licensing arrangements are available.
R3 R
Allows the department that is purchasing the
software to determine the limitations of the
licensing and the short and long-term costs.
Applications
The vendor must submit any applicable maintenance agreements for any
proposed elements including a description of the maintenance plan, software
upgrade policies and exclusions, and list prices for all maintenance agreement
types and whether or not custom maintenance agreements are available.
R4 R
For the department purchasing the software this
information will help them plan when and how
often these events will take place and to manage their
costs more efficiently.
Applications
SAP is Collier's financial application and as such:
• Applications cannot directly interface with SAP
• Applications that have a point of sales component must be able to produce a
batch file daily containing all financial transactions for that day
• The batch file will use the format supplied by the Collier County Clerk of
Courts
R5 R Applications
Vendor name:
Application name:
Technical Architectural, Compatibility and Supportability Requirements Document (TACS)
Requesting Div/Dept.:
All desktop software applications must utilize Microsoft Operating System,
current Collier Production Version release with current patches and service
packs, Windows 10 (64-bit). Windows 7 will be phased out by 10/1/2017.
R6 R Operations
Applications may not use Exchange Event Sinks or Exchange Public Folders.
R7 R Operations
If US-CERT posts vulnerabilities associated with an application then the
application must be mitigated within a 30 day timeframe by the software
vendor.
R8 R Operations
Software must comply with all Federal, State and Local regulations, especially
the Florida Information Protection Act (FIPA, Fla. Stat. 501.171). Vendors and
consultants must be able to show that their applications either a) do not store
the type of sensitive data mentioned in FIPA in their application's database or
b) be prepared to demonstrate how they secure the type of sensitive data
mentioned in FIPA in their application's database.
R9 R Administrative
HIPAA compliance is required for any applications that contain an individual’s
electronic personal information if it is created, received, used, or maintained in
the software.
R10 R
All applications that include point of sales systems or accept any type of
payments using credit cards must be PCI (Payment Card Industry Data
Security Standard) compliant and recertify every year. All credit card
processing must be done outside of the BCC network.
R11 R
Vendors are required to meet the banking industry's
PCI compliance requirements.
All vendors requiring access to Collier County facilities and the computer
network must comply with current published County ordinances and policies.
Those ordinances and policies are the same requirements that all county
employees must agree to, which include fingerprinting, a background check,
and signing any user agreements required to access the BCC computer network.
R12 R
Any software which stores personally identifying information, including but not
limited to passwords, SSN, driver’s license numbers, etc., or any financial
information, such as credit card numbers, bank routing information, etc., must
fully protect the information and disclose the methods of protection used,
access protection methods, and life cycle handling of this data. Industry
standard encryption methods utilizing at least 256-bit encryption techniques are
required.
R13 R All IT teams
Software vendors will acknowledge in writing prior to selection, that Collier
County Government will own any and all data and the databases.
R14 R Applications
The candidate software application proposal must include a complete hardware
topology diagram and recommended hardware configurations.
Vendor Deliverables:
- Topology Diagram
- Recommended hardware requirements (workstation and server)
- Network bandwidth requirements
C1 R
Technical specifications, hardware requirements,
and visual representations of the candidate’s
recommended software solution will enable the
selection committee to understand the complexity
of the application and costs to support it.
Applications
Web-based software must utilize IIS 7.5 or newer with current patches and
service packs.
C2 R
The department purchasing the software benefits
from increased security, efficiency, and lower
support costs over the life of the software.
Operations
Applications that utilize a web browser for internal or external access will
utilize TLS 1.2 instead of SSL.
C3 R Operations
Software applications should support and run on the current shipping release of
virtual servers, including:
- VMware ESX (most current version)
C4 R Operations
All software upgrades or changes required by the selected vendor must be fully
tested before being moved into the production environment. Therefore
vendors must include in their proposal the costs for licensing, professional
services, and annual maintenance to set up and maintain test and
development environments.
C5 R Applications
System must support the current use of NetBackup in the Collier
Production environment, with the most current version of NetBackup.
C6 R Operations
All server software applications must utilize Microsoft Operating System,
current Collier Production Version release with current patches and service
packs, current version is Server 2012 R2.
C7 R
Standardizing the desktop operating system to a
few specific versions decreases the management
overhead for support and lowers the cost to the
agency.
Operations
Solutions requiring a back-end database must utilize Microsoft SQL Server
Standard or Enterprise edition. The solution must use Microsoft SQL Server
2012 (64-bit) or newer. Compatibility mode must match the version of
Microsoft SQL Server.
C8 R Development
For SQL Server based solutions, the use of the default SQL SA account is
prohibited. The use of the SA role for daily functions is also prohibited. The
solution will adhere to the least privilege principle.
C9 R Development
Hard coding account access shall not be permitted.
C10 R
Provides enhanced application security by
removing the issue of being unable to change
user account names and passwords if that
information is compromised
Operations/Development
If a geographic information system (GIS) is included in the solution, the
solution must leverage the County's ESRI GIS infrastructure, which includes
ArcGIS for Server Enterprise Advanced version. A loosely coupled architecture
using the REST endpoints is the preferred architecture solution. The County
strives to keep its ESRI GIS current with the latest released version.
C11 R Development
All optional items listed below may incur additional costs for support and
maintenance for the application that is proposed. All additional costs for
implementation and ongoing maintenance would be borne by the
department purchasing the application.
Incident Support providing 24x7/365 coverage shall be offered. Incident
response service levels shall be specified.
O1 O - 10
This service is appropriate when a department’s
critical business is run outside of the normal 8 to
5 Monday to Friday work week (example:
evenings, weekends, holidays) and the software
systems are proprietary or complex enough that
the BCC IT department cannot always resolve the
issue without assistance from the vendor. There is,
however, a premium associated with the cost of
this type of vendor support, which the department
purchasing the software would bear.
Applications
Client software applications should support, and the vendor should provide,
package definition files for silent install without user interaction, using
the current version of Microsoft SCCM. Supported installation packages include:
- MSI, Microsoft Windows installer MSI compatible
O2 O - 10
Results in lower support and maintenance costs
for the department that owns the software.
Applications
All software application vendors are required to notify Collier County when new
releases become available and when current releases and related systems are
no longer supported.
O3 O - 10
Allows the department that owns the software to
get the latest functionality that the vendor is
offering along with patches that keep software
security and compatibility current.
Applications
Preferred solutions should take advantage of the County's Active Directory
environment and utilize Windows Authentication at the application, database
and server tier, run fully in the user context, and not require elevated
permissions or administrative permissions. Elevated permissions require
adherence to all relevant policies, such as the Elevated Privileges and
Elevated Database Permissions policies.
O4 O - 10
Provides enhanced security by eliminating the
possibility of a disgruntled former employee or
vendor getting access to a department's
application since their network account will be
disabled.
All IT teams
Vendor Required Software for their applications to run Yes No Vendor's
comments
Software listed in this section will require
additional dedicated costs for support.
Does the application require Flash?
Applications
Does the application require Java?
Applications
Does the application require Silverlight?
Applications
Does the application require any type of PDF software?
Applications