08 C47120 - Plante Moran - Computer Security Consulting

CONTRACT NO. C41720

STAFF REPORT
CITY OF PALM DESERT
INFORMATION SYSTEMS DEPARTMENT

MEETING DATE: June 24, 2021
PREPARED BY: Clayton von Helf, Information Systems Manager
REQUEST: Authorize the City Manager to execute a contract with Plante & Moran, PLLC, for computer security consulting and development of an IT strategic plan in the amount of $90,500.

Recommendation

By Minute Motion, that the City Council Authorize the City Manager to execute a contract with Plante & Moran, PLLC, for computer security consulting and development of an IT strategic plan in the amount of $90,500. Funds are available in Account No. 5304190-4404000.

Strategic Plan

Although the City’s internal I.T. infrastructure is not addressed in the strategic plan, its upgrade underlies, and is essential to, all projects and services performed by the City.

Information Technology Master Plan

This action will update our Information Technology Master Plan, adopted in 2017, to address the new technology challenges facing the City.

Background Analysis

Our IT Master Plan, the current framework for IT investment and strategy, was adopted in February of 2017. The threats and opportunities for municipal IT structures have significantly changed since then. Plante Moran, LLC, is a leader in IT consulting work, with a vast array of expertise. They have recently completed a SWOT analysis of the current IT environment at the City. This contract will take a deeper look into our IT organization and prepare the City for the future. Specifically, Plante Moran will address the following four key areas in the IT department.

• IT Governance – Develop a working IT Steering Committee for City staff, to govern the IT priorities and decisions.
• Business Continuity – Develop a robust disaster recovery plan, using the latest cloud technologies and industry standards.
June 24, 2021 - Staff Report IT Strategic Plan - Plante Moran Page 2 of 2
• Cybersecurity – Develop a complete Cybersecurity framework and Incident response plan, that will ensure protection of the City's infrastructure and data.
• Future Strategic IT Planning – Develop an IT Strategic Plan as a guide for our future investments and direction.

Plante Moran's recent completion of a SWOT analysis at the City gives them a solid foundation to work from to develop the new plans and policies. This will save valuable time with interviews and information gathering. Using Plante Moran for this work is in the best interest of the City; staff is requesting an exception to competitive bidding under PDMC 3.30.160.1.

Fiscal Analysis

Approval of staff's request would result in an expense of $90,500. Funds are available in IT Master Plan budget, Account No. 5304190-4404000.

LEGAL REVIEW: NA (Robert W. Hargreaves, City Attorney)
DEPT. REVIEW: Andy Firestine, Assistant City Manager
FINANCIAL REVIEW: Janet Moore, Director of Finance
CITY MANAGER: L. Todd Hileman, City Manager

ATTACHMENTS: Plante & Moran, PLLC Proposals

CITY COUNCIL ACTION
APPROVED: [marked]  DENIED:  RECEIVED:  OTHER:
MEETING DATE: [illegible]
AYES: [illegible]
NOES: [illegible]
ABSENT: [illegible]
ABSTAIN: None
VERIFIED BY: [illegible]
Original on File with City Clerk's Office

May 21, 2021

Mr. Todd Hileman
City Manager
City of Palm Desert
73510 Fred Waring Drive
Palm Desert, CA 92260

Dear Todd,

Thank you for the opportunity provided to Plante & Moran, PLLC to present a proposal to assist you with advisory services in support of the City’s development of a disaster recovery plan.
This letter and the accompanying Professional Services Agreement, which is hereby incorporated as part of this engagement letter, confirms our understanding of the nature, limitations, and terms of the services Plante & Moran, PLLC (“PM”) can provide to the City of Palm Desert (“CPD”).

Statement of Understanding and Scope of Services

It is our understanding that the City is seeking assistance from a qualified and reputable firm, with prior experience working with the City and knowledge of its IT environment and operations, to assist with the development of a disaster recovery plan to recover the City’s IT and communications infrastructure, applications and processes in the event of a disaster.

To accomplish the stated objectives, Plante Moran proposes its proven methodology, which is based on a collaborative effort between Plante Moran and the City of Palm Desert. It will involve review of existing documentation and remote meetings with IT staff and key stakeholders, following a predefined sequence of activities, as detailed in the work plan below.

Workplan

1. Conduct project kick-off meeting

A project kick-off meeting will be scheduled shortly after project approval. This meeting will be conducted over an audio/video conference call and with use of data collaboration tools.

Mr. Todd Hileman May 21, 2021 City of Palm Desert Page 2 of 13

2. Collect and review documentation

Plante Moran will request and review existing documentation related to recent changes to the City’s IT environment. We do not expect the City to create any documentation that does not already exist. For any of the areas where documentation is either lacking or does not exist, we will gather the pertinent information during the environment discovery meetings with IT staff.

3. IT environment discovery

We will conduct an audio/video conference interview call with the IT staff of the City to clarify, complement and expand the information gathered in the recently conducted IT assessment of the City.
There will be no deliverable for this phase. The information gathered and the analysis will serve to inform subsequent work steps and the development of the disaster recovery plan and IT assessment deliverables.

4. Threats and risks assessment (TRA)

A high-level assessment of the threats that may impact availability will be conducted with key representatives of the City. The TRA will be based on the City’s existing Local Hazards Mitigation Plan and Community Emergency Response Training program. This will be based on consideration of the following categories of hazards:

• Natural hazards, which result from acts of nature, such as extreme cold, extreme heat, hurricanes, earthquakes, tornadoes, animal disease outbreak, pandemics, or epidemics.
• Technological hazards, which result from accidents or the failures of systems and structures, such as electrical failures, urban floods, fires, hazardous materials spills or dam failures.
• Human-caused incidents, which result from the intentional actions of an adversary, such as a threatened or actual chemical attack, acts of violence or terrorism, or cyber incidents (resulting from internal or external threats).

We will facilitate a single working session with the key project participants including those responsible for assessing risk for the City. The participants are not expected to obtain and use detailed statistical data regarding past event occurrences in order to conduct this assessment. The participants will apply readily available qualitative information, such as the nature of local hazards, hazardous materials, geographical features, and past event occurrences to provide a generalized qualitative scaling of estimated likelihood of event occurrence (high, medium, low) and severity of impact (high, medium, low).

The results of the risk-rating completed in this work step will be reviewed and approved by the City before proceeding to the next work step.

5.
Business impact analysis (BIA)

To construct a viable systems recovery plan, a business impact analysis based on feedback from the City’s key stakeholders is essential. The BIA will be used to document critical business applications and determine recovery priorities.

We will conduct an online survey of key representatives from the City to identify the various applications, and understand usage patterns, availability of workarounds, and tolerance for interruption and data loss. We will document the dependencies and criticalities of these applications and services.

The outcome of the business impact analysis will determine the impacts of outages to critical applications and services, and highlight the relationships to underlying infrastructure, internal processes, and services provided to constituents. The BIA will help determine the maximum interruption time and the maximum data loss period that the City’s business units can endure without the functionality of key systems before incurring material operational or financial losses.

We will then conduct a meeting with the City’s project team to seek approval and consensus on the expected recovery time objectives (RTO) and recovery point objectives (RPO) that will inform the disaster recovery plan.

The deliverable for this phase will be a report summarizing the critical recovery timeframes and interdependencies between applications, services, and IT infrastructure.

6. Develop recovery strategies

Based upon the needs and priorities identified in the BIA, several recovery strategies will be identified to efficiently and effectively address disaster conditions and restore services for key applications or systems. And based on the results of the TRA, several probable and impactful scenarios will be identified and accounted for in the IT disaster recovery plan. For each scenario, the description, declaration process, approach, recovery strategy and escalation factors will be provided.
We will also identify the requisite recovery team composition and high-level recovery procedures for each scenario. The various recovery steps and considerations will inform the sequencing of recovery activities and the allocation of resources.

As part of this work step we will also evaluate the ability of the current infrastructure to support the recovery strategies. We will gather information about the ability of the existing backup and recovery systems to support the newly identified recovery goals. The outcome of this evaluation will be identification of the systems, which meet, exceed, or fall short of recovery goals. Where possible, Plante Moran will look for ways to improve efficiency and recoverability by modifying existing processes. We will use this analysis to make cost-effective recommendations concerning existing or additional technologies needed to best achieve the outcomes of the disaster recovery plan.

There will be no deliverable for this phase. The information gathered and the analysis will serve to inform subsequent work steps and the development of the disaster recovery plan and IT assessment deliverables.

7. Develop IT disaster recovery plan

Through discussions with the City’s project team, we will use the newly identified recovery strategies to develop an initial draft IT disaster recovery plan. The plan will include a governance strategy to address ongoing updates to the plan.
This disaster recovery plan will adhere to recommended best practices provided by standards bodies such as NIST and ISO and likely cover the following topics:

• Executive summary of the plan
• IT disaster declaration criteria
• Responsibilities and decision-making authorities for designated teams and/or staff members
• Identification and ranking of applications by their criticality and recovery priority
• Recovery time objectives (RTO), and recovery point objectives (RPO)
• Alternative strategies for short-term, intermediate, and long-term outages
• Sequence of recovery activities
• Return to normal operating mode
• Contact information: key suppliers and recovery vendors, employee calling tree, emergency contact information
• DRP change control policies, update procedures, and testing/validation schedules
• Other supporting documentation as applicable

The deliverable for this work step will be an IT disaster recovery plan summarizing the critical recovery time frame, the interdependencies between applications, services and IT infrastructure, and the items identified above.

The developed plan is intended to address the information technology needs of the City only and is not intended to serve as a broader non-IT plan. The IT DRP should be incorporated as a component of the City’s overall business continuity plan.

We will review the draft deliverable with you and your team and incorporate any revisions necessary as a result of those discussions into the final report.

8. Finalize gaps analysis

We will develop and deliver a draft gaps analysis memorandum that will incorporate our findings and recommendations for the implementation of the disaster recovery plan. The memorandum will include high level recommendations to address critical gaps identified in the IT environment, from the standpoint of people, process and technology, to transition from the current state to the desired future state.
This information will be a complement to the recently conducted IT assessment, with focus on optimizing current technologies and implementing additional technologies needed to support the disaster recovery plan.

We will review the draft deliverable with you and your team and incorporate any revisions necessary as a result of those discussions into the final document.

PROJECT TEAM

The key to any project’s success lies in the collective abilities of the individuals assigned to the project. The Plante Moran project team members proposed for this engagement have been selected for their experience in similar projects and are identified below.

Engagement Partner

Judy Wright | Engagement Partner

Judy has over 25 years of experience in the computer industry involving information technology. Her experience includes project management, strategic initiatives including IT assessments and project facilitation, process improvement, technology planning, ERP solution selections and implementations, and data network design and implementation. Prior to joining Plante Moran, Judy was the Director of Computing Services at Wayne State University School of Business Administration and adjunct faculty in the Management Information Systems program. She holds a BA degree in Computer Science from Wayne State University and an MBA from The University of Michigan.

Technical Lead

Jacinto Cordero | Senior Consulting Manager

Jacinto has over 20 years of experience in information and communication technologies.
His areas of expertise include IT assessment and strategic planning, voice, data, video and wireless/mobile network design and optimization, managed network services, network security, cybersecurity policies and controls, physical security (including video surveillance, access control, public addressing and radio communications), high-availability compute/storage, disaster recovery/business continuity, data lifecycle management, data center design, cloud migration, Internet of Things (IoT), ERP readiness, and digital transformation for global/multinational service providers and organizations. Prior to joining Plante Moran, Jacinto worked in consultancy, solutions and business development roles at Huawei Technologies, China Telecom and Telex/Claro/América Móvil. He holds Cisco CCNA Routing and Switching and CompTIA Security+ certifications, a BS in Electronic Engineering from ESPOL in Ecuador and an MBA from Texas A&M University.

Additional Resources

Technical Advisor

Sally Nagy | Senior Manager | Technical Advisor

Sally has an extensive background in both public and private sector executive management with a proven record of results applying business insight to the application of information technology to achieve the organization’s goals. As Chief Information Officer/IT Director of both public and private sector organizations (City of Sacramento, Santa Barbara County, City of Tucson), she has directed all aspects of information technology including application development, project management, communications, operations, system architecture, GIS, and technical support. Sally’s consulting engagements have included IT governance, organizational change management, business and technology strategic planning, IT tactical planning, procurement and contract negotiations, project management, workforce development, organizational and program reviews, quality assurance, and enterprise technical architecture.
Technical Specialist

Shae Sultes | Senior Consultant

Shae has over 5 years' experience in infrastructure design, implementation, and support in enterprise environments including education, financial, manufacturing, non-profit, and service providers. Extensive IT infrastructure systems experience with a proven track record in system design, security, and project execution. Working knowledge of LAN and WAN protocols and network technologies related to all major project lines and system manufacturers. Expertise in developing technical solutions and support with considerations for emerging business and technology trends along with industry best practices. Prior to Plante Moran, industry experience gained providing high level hardware and application support across various industries.

PROPOSED SCHEDULE

We are prepared to start the project within two weeks of a signed engagement letter and anticipate that the project will take ten weeks to complete. Our timeline is predicated upon the availability and responsiveness of the City’s staff, as well as the timely conveyance of requested information. During the project kick-off step we expect to outline the project schedule that best meets your needs.

FEES AND PAYMENT TERMS

Our fee for this engagement, subject to the terms and conditions of the accompanying Professional Services Agreement, will be $18,000.

As you probably realize, our primary cost is salaries that are paid currently. Accordingly, our invoices will be rendered monthly and are due when received. In the event an invoice is not paid timely, a late charge in the amount of 1.25 percent per month will be added, beginning 30 days after the date of the invoice.
If you are in agreement with our understanding of this engagement, as set forth in this engagement letter and the accompanying Professional Services Agreement, please sign the enclosed copy of this letter and return it to us with the accompanying Professional Services Agreement.

Thank you for the opportunity to serve you.

Very truly yours,

PLANTE & MORAN, PLLC
Judy Wright, Partner

Agreed and Accepted

We accept this engagement letter and the accompanying Professional Services Agreement, which set forth the entire agreement between the City of Palm Desert and Plante & Moran, PLLC with respect to the services specified in the “Scope of Services” section of this engagement letter. This agreement may be amended by written agreement between Plante & Moran, PLLC and the City of Palm Desert.

City of Palm Desert
L. Todd Hileman
Date

City of Palm Desert

CONTRACT NO. C41720 Professional Services Agreement – Consulting Services Page 1 of 5

Professional Services Agreement – Consulting Services
Addendum to Plante & Moran, PLLC Engagement Letter

This Professional Services Agreement is part of the engagement letter for our consulting services dated May 21, 2021 between Plante & Moran, PLLC (referred to herein as “PM”) and City of Palm Desert (referred to herein as “Client”).

1. Management Responsibilities – The consulting services PM will provide are inherently advisory in nature. PM has no responsibility for any management decisions or management functions in connection with its engagement to provide these services. Further, Client acknowledges that Client is responsible for all such management decisions and management functions; for evaluating the adequacy and results of the services PM will provide and accepting responsibility for the results of those services; and for establishing and maintaining internal controls, including monitoring ongoing activities, in connection with PM’s engagement.
Client has designated Todd Hileman, City Manager, to oversee the services PM will provide.

Client represents and warrants that any and all information that it transmits to Plante Moran will be done so in full compliance with all applicable federal, state, local, and foreign privacy and data protection laws, as well as all other applicable regulations and directives, as may be amended from time to time (collectively, “Data Privacy Laws”). Client shall not disclose personal data of data subjects (“Personal Data”) who are entitled to certain rights and protections afforded by Data Privacy Laws to PM without prior notification to PM. Client shall make reasonable efforts to limit the disclosure of Personal Data to PM to the minimum necessary to accomplish the intended purpose of the disclosure to PM.

2. Nature of Services – PM’s project activities will be based on information and records provided to PM by Client. PM will rely on such underlying information and records and the project activities will not include audit or verification of the information and records provided to PM in connection with the project activities.

The project activities PM will perform will not constitute an examination or audit of any Client financial statements or any other items, including Client’s internal controls. Additionally, this engagement will not include preparation or review of any tax returns or consulting regarding tax matters. If Client requires financial statements or other financial information for third-party use, or if Client requires tax preparation or consulting services, a separate engagement letter will be required. Accordingly, Client agrees not to associate or make reference to PM in connection with any financial statements or other financial information of Client. In addition, PM’s engagement is not designed and cannot be relied upon to disclose errors, fraud, or illegal acts that may exist. However, PM will inform you of any such matters that come to PM’s attention.

3.
Use of Report – At the conclusion of PM’s project activities, PM will provide Client with a written report as described in the accompanying engagement letter. PM’s report will be restricted solely to use by management of Client and Client agrees that PM’s report will not be distributed to any outside parties for any purpose other than to carry out legal responsibilities of Client. PM will have no responsibility to update PM’s report for any events or circumstances that occur or become known subsequent to the date of that report.

4. Interactive Analyses and Visualizations – In instances where PM expressly agrees in the accompanying engagement letter to provide interactive analyses or visualization tools (collectively, “Electronic Documents”) to Client, such Electronic Documents will be provided in a format determined to be acceptable to both parties. Client acknowledges and agrees that Client’s ability to access such Electronic Documents may require software programs that PM does not develop, license, or support, and Client shall be solely responsible for the costs to obtain, use, or support any such required software. PM makes no representation or warranty with respect to such software or the continuing functionality of such software relative to the Electronic Documents and disclaims any and all express or implied warranties if any, associated with such software, its merchantability, and/or its fitness for any particular use by Client.

If and to the extent provided by PM, Electronic Documents are provided solely for the purpose of supporting the written report and are to be used only as expressly described in and authorized by the written report. PM disclaims any responsibility for any use of the Electronic Documents that is not expressly provided for in and authorized by the written report. Further, Client acknowledges that Client is solely responsible for evaluating the adequacy and accuracy of any results generated through the use of Electronic Documents. PM will have no
responsibility to support or update the Electronic Documents for any events or circumstances that occur or become known subsequent to the date of their corresponding written report.

Client acknowledges that PM may utilize proprietary works of authorship that have not been created specifically for Client and were conceived, created, or developed prior to, or independent of, this engagement including, without limitation, computer programs, methodologies, algorithms, models, templates, software configurations, flowcharts, architecture designs, tools, specifications, drawings, sketches, models, samples, records, and documentation (collectively, “PM Intellectual Property”). Client agrees and acknowledges that PM Intellectual Property is and shall remain solely and exclusively the property of PM. Upon payment for the engaged services, to the extent that PM incorporates PM Intellectual Property into the Electronic Documents (which PM shall do only as expressly provided for in the accompanying engagement letter), PM grants to Client a limited royalty-free, nonexclusive, right and license to use such incorporated PM Intellectual Property for internal purposes only and in the original format. Client agrees not to copy, publish, modify, disclose, distribute, decompile, reverse engineer, or create derivative works based on PM Intellectual Property. Notwithstanding the foregoing, in no event will PM be precluded from developing for itself or for others, works of authorship which are similar to those included in the written report.
If and to the extent PM shares information obtained from third-party data sources with Client, Client agrees not to (i) disclose or redistribute any such third-party data to third parties without the express written consent of PM; or (ii) attempt to extract, manipulate, or copy any embedded or aggregated third-party data from the Electronic Documents for any purpose.

5. Confidentiality, Ownership, and Retention of Workpapers – During the course of this engagement, PM and PM staff may have access to proprietary information of Client, including, but not limited to, information regarding general ledger balances, financial transactions, trade secrets, business methods, plans, or projects. PM acknowledges that such information, regardless of its form, is confidential and proprietary to Client. PM will comply with all applicable ethical standards, laws, and regulations as to the retention, protection, use, and distribution of such confidential client information. Except to the extent set forth herein, PM will not disclose such information to any third party without the prior written consent of Client.

In the interest of facilitating PM’s services to Client, PM may communicate or exchange data by internet, email, facsimile transmission or other electronic methods. While PM will use its best efforts to keep such communications and transmissions secure in accordance with PM’s obligations under applicable laws and professional standards, Client recognizes and accepts that PM has no control over the unauthorized interception of these communications or transmissions once they have been sent, and consents to PM’s use of these electronic devices during this engagement.

Professional standards require that PM create and retain certain workpapers for engagements of this nature. All workpapers created in the course of this engagement are and shall remain the property of PM. PM will maintain the confidentiality of all such workpapers as long as they remain in PM’s possession.
Both Client and PM acknowledge, however, that PM may be required to make its workpapers available to regulatory authorities or by court order or subpoena in a legal, administrative, arbitration, or similar proceeding in which PM is not a party. Disclosure of confidential information in accordance with requirements of regulatory authorities or pursuant to court order or subpoena shall not constitute a breach of the provisions of this Agreement. In the event that a request for any confidential information or workpapers covered by this Agreement is made by regulatory authorities or pursuant to a court order or subpoena, PM agrees to inform Client in a timely manner of such request and to cooperate with Client should Client attempt, at Client’s cost, to limit such access. This provision will survive the termination of this Agreement. PM’s efforts in complying with such requests will be deemed billable to Client as a separate engagement. PM shall be entitled to compensation for its time and reasonable reimbursement of its expenses (including legal fees) in complying with the request.

PM reserves the right to destroy, and it is understood that PM will destroy, workpapers created in the course of this engagement in accordance with PM’s record retention and destruction policies, which are designed to meet all relevant regulatory requirements for retention of workpapers. PM has no obligation to maintain workpapers other than for its own purposes or to meet those regulatory requirements.

Upon Client’s written request, PM may, at its sole discretion, allow others to view any workpapers remaining in its possession if there is a specific business purpose for such a review. PM will evaluate each written request independently.
Client acknowledges and agrees that PM will have no obligation to provide such access or to provide copies of PM’s workpapers, without regard to whether access had been granted with respect to any prior requests.

6. Consent to Disclosures to Service Providers – In some circumstances, PM may use third-party service providers to assist PM with its services, including affiliates of PM within or outside the United States. In those circumstances, PM will be solely responsible for the provision of any services by any such third-party service providers and for the protection of any information provided to such third-party service providers. PM will require any such third-party service provider to: (i) maintain the confidentiality of any information furnished; and (ii) not use any information for any purpose unrelated to assisting with PM’s services for Client. In order to enable these third-party service providers to assist PM in this capacity, Client, by its duly authorized signature on the accompanying engagement letter, consents to PM’s disclosure of all or any portion of Client’s information, including tax return information, to such third-party service providers, including affiliates of PM outside of the United States, if and to the extent such information is relevant to the services such third-party service providers may provide and agrees that PM’s disclosure of such information for such purposes shall not constitute a breach of the provisions of this Agreement. Client’s consent shall be continuing until the services provided for this engagement Agreement are completed.

7. Third-Party Data – PM may reference third-party data sources in performing the services described in the accompanying engagement letter. Third-party data may include publicly available data, commercially available data licensed to PM, or information obtained from other sources.
PM will use its judgment, discretion, best efforts, and good faith in evaluating the use of third-party data sources, but does not warrant or guarantee the accuracy, completeness, or timeliness of any data obtained from third-party data sources and disclaims any liability arising out of or relating to the use of data from third-party data sources. Client acknowledges that any commercially available third-party data sources referenced by PM are licensed to PM and PM’s ability to share information obtained from commercially available third-party data sources is often restricted by the terms of use granted to PM by the licensor and, unless expressly set forth in the accompanying engagement letter, PM makes no representation or warranty that Client will have access to data obtained from third-party data sources. If and to the extent PM shares information obtained from third-party data sources with Client, Client agrees not to disclose or redistribute any such third-party data to third parties without the express written consent of PM. This Agreement does not convey to Client a sublicense to any third-party data source unless expressly agreed to in writing and signed by a duly authorized representative of PM. However, nothing herein shall prevent Client from directly contracting with or obtaining a license from any third-party data source if Client determines, in its sole discretion, that any such direct contract or license to be in its best interest.

8. Fee Quotes – In any circumstance where PM has provided estimated fees, fixed fees or not-to-exceed fees (“Fee Quotes”), these Fee Quotes are based on Client personnel providing PM staff the assistance necessary to satisfy Client responsibilities under the scope of services. This assistance includes availability and cooperation of those Client personnel relevant to PM’s project activities and providing needed information to PM in a timely and orderly manner.
In the event that undisclosed or unforeseeable facts regarding these matters causes the actual work required for this engagement to vary from PM’s Fee Quotes, those Fee Quotes will be adjusted for the additional time PM incurs as a result. In any circumstance where PM’s work is rescheduled, PM offers no guarantee, express or implied, that PM will be able to meet any previously established deadline related to the completion of PM’s work. Because rescheduling its work imposes additional costs on PM, in any circumstance where PM has provided Fee Quotes, those Fee Quotes may be adjusted for additional time PM incurs as a result of rescheduling its work. PM will advise Client in the event these circumstances occur; however, it is acknowledged that the exact impact on the Fee Quote may not be determinable until the conclusion of the engagement. Such fee adjustments will be determined in accordance with the Fee Adjustments provision of this Agreement.

9. Payment Terms – PM’s invoices for professional services are due upon receipt unless otherwise specified in the accompanying engagement letter. In the event any of PM’s invoices are not paid in accordance with the terms of this Agreement, PM may elect, at PM’s sole discretion, to suspend work until PM receives payment in full for all amounts due or terminate this engagement. In the event that work is suspended, for nonpayment or other reasons, and subsequently resumed, PM offers no guarantee, express or implied, that PM will be able to meet any previously established deadlines related to the completion of PM’s consulting work or issuance of PM’s consulting report upon resumption of PM’s work. Client agrees that in the event that work is suspended, for non-payment or other reasons, PM shall not be liable for any damages that occur as a result of PM ceasing to render services.

10.
Fee Adjustments – Any fee adjustments for reasons described in this Agreement will be determined based on the actual time expended by PM staff at PM’s currently hourly rates, plus all reasonable and necessary travel and related costs PM incurs, and included as an adjustment to PM’s invoices related to this engagement. Client acknowledges and agrees that payment for all such fee adjustments will be made in accordance with the payment terms provided in this Agreement. 11. Force Majeure – Neither party shall be deemed to be in breach of this Agreement as a result of any delays or non-performance directly or indirectly resulting from circumstances or causes beyond its reasonable control, including, without limitation, fire or other casualty, acts of God, war, other violence, epidemic, pandemic, or other public health emergency or government mandated shut down (each individually a “Force Majeure Event”). A Force Majeure Event shall not excuse any payment obligation relating to fees or costs incurred prior to any such Force Majeure Event. 12. Exclusion of Certain Damages – Except to the extent finally determined to have resulted from PM’s gross negligence or willful misconduct, the liability of PM and any of PM’s officers, directors, partners, members, managers, employees; its affiliated, parent or subsidiary entities; and approved allied third-party service providers (collectively, “PM Persons”) for any and all claims, losses, costs, and damages of any nature whatsoever is limited so that the total aggregate liability of the PM and/or the PM Persons with respect to and arising out of the services provided hereunder shall not exceed the total fees paid to PM for the services provided in connection with this Agreement. It is agreed that these limitations on PM’s and the PM Persons’ maximum liability are reasonable in view of, among other things, the nature, scope, and limitations of the services PM is to provide, and the fees PM is to receive under this engagement. 
In no event shall the PM or the PM Persons be liable, whether a claim be in tort, contract, or otherwise, for any consequential, indirect, lost profit, punitive, exemplary, or other special damages. The exclusion of certain damages as set forth in this Section apply to any and all liabilities or causes of action against PM and/or the PM Persons, however alleged or arising, unless and to the extent otherwise prohibited by law. This provision shall survive the termination of this engagement. In the event this Agreement expressly identified multiple phases of services, the total aggregate liability of PM shall be limited to no more than the total amount of fees received by PM for the particular phase of services alleged to have given rise to any such liability. 13. Defense, Indemnification, and Hold Harmless – As a condition of PM’s willingness to perform the services provided for in the accompanying engagement letter, Client agrees to defend, indemnify, and hold PM and the PM Persons harmless against any claims by third parties for losses, claims, damages, or liabilities, to which PM or the PM Persons may become subject in connection with or related to the services performed in the engagement, unless a court having jurisdiction shall have determined in a final judgment that such loss, claim, damage, or liability resulted primarily from the willful misconduct or gross negligence of PM, or one of the PM Persons. This defense, indemnity, and hold harmless obligation includes the obligation to reimburse PM and/or the PM Persons for any legal or other expenses incurred by PM or the PM Persons, as incurred, in connection with investigating or defending any such losses, claims, damages, or liabilities. 14. Conditions of PM Visit to Client Facilities – Client agrees that PM’s services will be provided remotely to the maximum extent possible. 
In order to facilitate the provision of services remotely, Client agrees to provide documentation and other information reasonably required by PM for PM’s performance of the engaged services electronically to the extent possible throughout the course of the engagement. In the event in-person visits to Client’s facility(ies) are determined by PM in its sole discretion to be necessary for the performance of the engaged services, Client agrees, as a pre-condition to any such in-person visit, to provide to PM for PM’s evaluation Client’s policies and procedures that Client has implemented and will adhere to relating to workplace safety and the prevention of the transmission of disease at its facility(ies). In addition, Client affirms that it is in compliance with applicable Centers for Disease Control and Prevention and OSHA guidance pertaining to the prevention of the transmission of disease (collectively, “Applicable Preventative Guidance”) and agrees that it shall continue to comply with Applicable Preventative Guidance throughout any in-person visits by PM to Client’s facility(ies). Client further affirms that it is in compliance and shall continue to comply with all other applicable laws, regulations, or executive orders relating to COVID-19 and the prevention of the spread thereof (collectively, “COVID-19 Laws”) and agrees that it shall continue to comply with COVID-19 Laws throughout any in-person visits by PM to Client’s facility(ies). Notwithstanding the foregoing, PM reserves the right to suspend or refrain from any in-person visit by PM to Client’s facility(ies) or impose further conditions on any such in-person visit if and as PM deems necessary at its sole discretion.
Client agrees and acknowledges that any determination by PM to visit Client’s facility(ies) is not and shall not be construed to be or relied on by Client as a determination by PM of Client’s compliance with Applicable Preventative Guidance or any COVID-19 Laws.

15. Receipt of Legal Process – In the event PM is required to respond to a subpoena, court order, or other legal process (in a matter involving Client but not PM) for the production of documents and/or testimony relative to information PM obtained and/or prepared during the course of this engagement, Client agrees to compensate PM for the affected PM staff’s time at such staff’s current hourly rates, and to reimburse PM for all of PM’s out-of-pocket costs incurred associated with PM’s response unless otherwise reimbursed by a third party.

16. Termination of Engagement – This Agreement may be terminated by either party upon written notice. Upon notification of termination, PM’s services will cease and PM’s engagement will be deemed to have been completed. Client will be obligated to compensate PM for all time expended and to reimburse PM for related costs PM incurs through the date of termination of this engagement.

17. Time Limits – Except for actions to enforce payment of PM’s invoices and without limiting any claims for indemnification hereunder, any claim or cause of action arising under or otherwise relating to this engagement must be filed within two years from the completion of the engagement without regard to any statutory provision to the contrary.

18. Entire Agreement – This Agreement is contractual in nature and includes all of the relevant terms that will govern the engagement for which it has been prepared. The terms of this Agreement supersede any prior oral or written representations or commitments by or between the parties regarding the subject matter hereof.
Any material changes or additions to the terms set forth in this Agreement will only become effective if evidenced by a written amendment to this Agreement, signed by all of the parties. 19. Severability – If any provision of this Agreement (in whole or part) is held to be invalid or otherwise unenforceable, the other provisions shall remain in full force and effect. 20. Conflicts of Interest – PM’s engagement acceptance procedures include a check as to whether any conflicts of interest exist that would prevent PM’s acceptance of this engagement. No such conflicts have been identified. Client understands and acknowledges that PM may be engaged to provide professional services, now or in the future, unrelated to this engagement to parties whose interests may not be consistent with interests of Client. 21. Agreement Not to Influence – Client and PM each agree that each respective organization and its employees will not endeavor to influence the other’s employees to seek any employment or other contractual arrangement with it, during this engagement or for a period of one year after termination of the engagement. Client agrees that PM employees are not “contract for hire.” PM may release Client from these restrictions if Client agrees to reimburse PM for its recruiting, training, and administrative investment in the applicable employee. In such event, the reimbursement amount shall be equal to two hundred hours of billings at the currently hourly rate for the PM employee. 22. Signatures – Any electronic signature transmitted through DocuSign or manual signature on the accompanying engagement letter transmitted by facsimile or by electronic mail in portable document format may be considered an original signature. 23. 
Governing Law – This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, and jurisdiction over any action to enforce this Agreement, or any dispute arising from or relating to this Agreement shall reside exclusively within the State of Michigan.

End of Professional Services Agreement – Consulting Services

City of Palm Desert | June 1, 2021
Proposal to Provide IT Assessment Follow-on Services

June 1, 2021

Mr. Clay von Helf
Information Services Manager
City of Palm Desert
73510 Fred Waring Drive
Palm Desert, CA 92260

Dear Clay:

We appreciated the opportunity to speak with you to discuss next steps following the recent IT Assessment. It is our understanding that you would like a proposal related to four recommendations in the IT Assessment Report:
• Assistance with setting up and navigating through the early days of an IT Steering Committee
• Developing an IT Strategic Plan
• Developing a Disaster Recovery plan
• Developing a cyber management framework (CMF) and incident response plan (IRP)

The good news is we can build upon the work performed during the IT Assessment to move these initiatives along quickly. Following are three statements of work for the above referenced initiatives. The fourth is attached separately.

Plante Moran is committed to delivering the highest quality of service. We appreciate the opportunity to continue working with you on your IT initiatives.

Sincerely,
PLANTE & MORAN, PLLC
Adam Rujan, Partner

Agreed and Accepted
We accept this engagement letter and the accompanying Professional Services Agreement (collectively, “Agreement”), which set forth the entire agreement between the City of Palm Desert and Plante & Moran, PLLC with respect to the services specified in the “Scope of Services” section of this engagement letter. This Agreement may be amended by written agreement between Plante & Moran, PLLC and City of Palm Desert.
City of Palm Desert
L. Todd Hileman, City Manager
Date

IT Assessment Follow-on Services – PLANTE MORAN 2 | Page

Table of Contents
IT Steering Committee Assistance
IT Strategic Plan
Cybersecurity Management Framework Development
Engagement Agreement

IT Steering Committee Assistance

Scope of services
Plante Moran would be happy to assist the City as it deploys an IT Steering Committee to guide the implementation of information technology initiatives to meet the City’s business needs. Typical assistance would include:
• Developing draft Steering Committee Charter and Guiding Principles for the Committee’s review
• Facilitating Committee meetings to adopt the Charter and Guiding Principles
• Assisting with meeting agenda development
• Facilitating initial meetings (possibly the first 4-6, depending on frequency)
• Providing as-needed guidance as the Committee begins operating on its own
• Performing an annual assessment of how well the Committee is performing and providing recommendations for improvement

Project team
The key to any project’s success lies in the collective abilities of the individuals assigned to the project. The Plante Moran project team members proposed for this engagement have been selected for their experience in similar projects and are identified below.

Adam Rujan | Partner
Adam has nearly thirty-two years’ experience consulting to government and public sector organizations.
His experience includes assisting governmental units with organizational and operational analyses, IT Assessment, and system selection reviews. He has developed specific expertise in assisting organizations understand and implement new technology, including issues of IT governance and change management. Adam’s clients have included a wide range of local municipalities, counties, agencies and authorities and state government. He is a frequent presenter and has authored numerous articles on improving operational efficiency and effectiveness. He recently authored a chapter on IT Governance for the book CIO Leadership for Cities and Counties, published by the Public Technology Institute.

Sally Nagy | Senior Manager
Sally has an extensive background in both public and private sector executive management with a proven record of results applying business insight to the application of information technology to achieve the organization’s goals. As Chief Information Officer/IT Director of both public and private sector organizations (City of Sacramento, Santa Barbara County, City of Tucson), she has directed all aspects of information technology including application development, project management, communications, operations, system architecture, GIS, and technical support. As a consultant, Sally’s engagements have included information technology governance, organizational change management, business and technology strategic planning, information technology tactical planning, procurement and contract negotiations, project management, workforce development, organizational and program reviews, quality assurance, and enterprise technical architecture.

Pricing and assumptions
Our hourly rate for these services is $275.

Notes
• It is our practice to bill monthly for fees incurred in the prior month.
• If any issue arises during the course of the project that will impact the timing or the budget, we will discuss the issue with the City prior to proceeding.

Assumptions
Our proposal and associated fees are based upon the assumptions listed below.
• The City will appoint an internal project lead who will be the main point of contact between the City and Plante Moran and will assist with logistics and coordination of activities.
• There will be a single draft-to-final process for each deliverable (assumed to be 10 days).
• Onsite work activity, if any, will be confirmed at least two weeks prior to the agreed upon travel date; any travel change fees incurred after such date will be expensed to the City.

IT Strategic Plan

Scope of services
Plante Moran has continually refined its approach for IT Strategic Planning to deliver technical, schedule, and cost advantages that provide the utmost value to our clients. We believe that using this approach will provide results that exceed the City’s expectations and are in alignment with your objectives.

The IT strategic plan is informed by the results of the IT assessment, as it relates to the organizational execution capabilities, current plans and initiatives, and overall performance and stakeholder satisfaction. Additional inputs are driven from industry best practices and benchmarking against industry metrics, comparable peers, and the overarching organizational goals and priorities. The organizational core competencies, as well as available resources and budget constraints are also accounted for. By means of visioning sessions that will follow a collaborative approach between the City and Plante Moran, the overall strategy will be agreed upon and synthesized into an IT strategic plan that will guide the City’s investments, decisions and activities.
The IT strategic plan will include a prioritized list of key initiatives to drive transformation and/or growth and an actionable roadmap of projects, alongside a framework and metrics developed to monitor progress and assess performance results.

[Figure: diagram with the labels IT Assessment (People, Process, Technology); PM Data Repository (Technology best practices, Technology marketplace); Visioning (Goals & objectives, Strategies & priorities); Plan Synthesis; Strategic Roadmap (Project portfolio, Implementation plan, Performance measures).]

Project workplan
For the successful implementation of this phased approach, project monitoring will be a work step running in parallel throughout the project. The purpose is to conduct activities that are relevant to managing all phases of the project and enhancing its success. During Discovery we will review any changes to the City’s IT organization, technology environment, products, services, processes and systems, etc., since completion of the IT assessment. The Strategic Plan phase will focus on the development of a strategy to connect the current state to the envisioned future state. The IT strategic plan will guide the organization’s investments, decisions and activities. The major activities (work steps) to be performed are detailed below.

Ongoing project management / monitoring
The purpose of this work step is to conduct activities that are relevant to managing the project and enhancing its success for the City. Project initiation activities will be conducted to introduce the project team, confirm objectives, project scope, deliverables and timetables. The project objectives will be accomplished through the development of a project organizational structure, detailed project plans, and regularly scheduled progress meetings. The project initiation activity will occur during a project initiation meeting with the City’s project team.
We anticipate that this project initiation meeting will be conducted over an audio/video conference call and with use of data collaboration tools.

Discovery
Measurable objectives: Review of any changes to the City’s current IT environment since completion of the IT assessment in May 2021.
Deliverables: Preliminary findings and gaps

Objectives: The purpose of this set of activities is to review any changes to the City’s current systems, processes and organizational structure since completion of the IT Assessment in May 2021. This phase will include the following activities:

Conduct project kick-off meeting
A project kick-off meeting will be scheduled shortly after project approval. This meeting will be conducted over an audio/video conference call and with use of data collaboration tools.

Collect and review documentation
Plante Moran will request and review existing documentation related to recent changes to the City’s IT environment. We do not expect the City to create any documentation that does not already exist. For any of the areas where documentation is either lacking or does not exist, the pertinent information during the discovery meetings with IT staff.

IT Strategic Plan development
Measurable objectives: Development and presentation of the City’s IT strategic plan
Deliverables: IT strategic plan, including:
• Strategic roadmap
• Actionable plans

Plan development will focus on the application of strategic findings from the IT Assessment conducted earlier and development of the IT Strategic Plan for presentation and discussion with leadership and key stakeholders. The activities included in the phase are detailed below.
Conduct visioning workshop
We will conduct a half-day retreat with the key City leaders to facilitate the development of:
• Technology vision and mission
• Technology goals and strategies
• Technology principles

Our discussions will consider:
• IT alignment with organizational goals and current business environment
• Alignment with industry standards for IT operations, project management and asset management
• Expected technology needs
• Emerging technologies and trends
• Productivity enhancement through technology
• Opportunities to achieve cost savings
• Support requirements to achieve productivity goals
• Potential implementation projects
• Internal projects and requirements, including resource capacity, data governance, security, etc.
• Funding requirements
• Risks and mitigation strategies
• Metrics for evaluation

Also, during this retreat, we will work closely with City leaders to develop project prioritization criteria to objectively evaluate and prioritize technology projects. It is expected that these prioritization criteria will clearly reflect the linkage between the City’s goals and objectives and IT initiatives. We also consider the urgency (e.g., requirement to reduce the current risk of an aging technology) and impact of the projects.

Establish strategic plan objectives
The overall goal for implementing technology is not for the technology itself but rather to enhance existing business processes performed by IT and support for processes that are performed across the City.
Technology is intended to enhance business processes by: • Making access easier and more efficient • Making processes more effective • Improving decision-making (data driven decisions) • Providing enhanced service to internal and external customers • Improving access to information • Reducing costs As such, the goal in developing an IT Strategic Plan is to provide a coordinated, planned approach towards the deployment of technology with the intention of supporting the goals of the organization and improving the effectiveness of business processes. An IT Strategic Plan encompasses the areas covered within the IT assessment but expands the scope of recommendations to be more broad-based. The IT Strategic Plan will encompass the following items: • The establishment of a vision that will set the direction and tone for the City’s approach to information service and technology provision. • The preparation and presentation of a set of well defined, easily managed, prioritized, departmental, line of business, and organization-wide projects to satisfy the identified needs of customers and staff, (i.e., critical technology investments). • Documentation of the rationale and benefits (business case) of undertaking such projects, including the development of a set of criteria that can be used to prioritize identified projects. • An assessment of the implementation, support resources and technical skills required of IT staff and outside technical assistance. • An assessment of the training and future support requirements for new and enhanced technologies. • The establishment and documentation of an adaptive governance process that can provide continuous improvement for the IT division to follow to keep the plan up to date. • The development of selection, implementation, and support strategies to guide the purchase and deployment of information technology resources (financial, human, technological) across the duration of the strategic plan. 
Review/define project prioritization criteria
Project prioritization criteria will be developed in conjunction with the City’s project staff that will be used to objectively evaluate and prioritize projects that are identified as a result of previous interviews with IT staff, leadership and stakeholders. It is expected that these prioritization criteria will clearly reflect the linkage between organizational goals and objectives and IT initiatives. For example, Plante Moran has used the following prioritization criteria in connection with past IT Strategic Plans:
• Constituent services enhancement
• Value enhancement (reduce costs and/or increase revenue)
• Organizational development (e.g., increases staff learning)
• Mandate/government directive compliance
• Alignment with budget planning

Throughout this phase, we will interact with the IT representatives for follow-ups to and clarifications of information gleaned during IT assessment activities.

Define information technology projects
We will identify and document discrete “projects” that should be undertaken by the organization that will be departmental, line of business, organization-wide or IT operational related. The projects will be designed to enhance the synergy within and between operations, result in the implementation of required new technologies in a timely manner, make use of existing technologies whenever possible, control expenditures, realize efficiencies, and, above all, enhance the ability for departments to provide service to their stakeholders. Specifically, completion of the projects should:
• Assist in meeting organization-wide goals and objectives.
• Enhance service levels.
• Satisfy the technology and business requirements of key entities, internal users, and departments.
• Build the necessary support infrastructure to administer the technology.
• Result in the upgrade of current systems as necessary.
• Result in the implementation of new hardware, software, and communications equipment.
• Enhance processes to reduce inefficiencies, improve cost effectiveness, minimize paper intensive tasks, and eliminate redundant data entry.
• Account for inter-technology compatibility and data sharing.
• Reduce dependency on outdated equipment and software.
• Maintain data integrity, confidentiality and redundancy.
• Aid in the standardization of hardware and office automation systems.
• Enhance data and network security.

Throughout this phase, we will interact with the IT representatives for follow-ups to and clarifications of information gleaned during IT assessment activities.

Develop and present the IT strategic plan
We will develop a draft Information Technology Strategic Plan that will provide a plan for the deployment of technology over the next five years. In addition, the IT Strategic Plan will include a short-term tactical plan to include the identified and prioritized schedule of IT initiatives developed earlier.
We anticipate the IT Strategic Plan will include:
• Executive summary
• Summary of planning methodology and approach
• IT vision and goals
• Specific IT strategies, aligned with City business needs and goals
• Desired target IT environment
• Implementation projects, prioritized by the identified City goals and objectives, along with their dependencies
• Implementation timeline
• Estimated cost
• Recommended IT organizational structure, staffing, and training recommendations
• Industry benchmarks against which the City can measure
• Recommended metrics against which to measure implementation progress
• Regional partnership opportunities, if available
• Implementation Plan maintenance process, including governance and implementation guidelines

Prepare and deliver strategic plan deliverables
We will review the draft strategic plan document with the City’s project team and make any modifications necessary as a result of this meeting. Once feedback is received from the project team, we will incorporate any changes and finalize the strategic plan.

Project team
The key to any project’s success lies in the collective abilities of the individuals assigned to the project. The Plante Moran project team members proposed for this engagement have been selected for their experience in similar projects and are identified below.

Adam Rujan | Partner
Adam has nearly thirty-two years’ experience consulting to government and public sector organizations. His experience includes assisting governmental units with organizational and operational analyses, IT Assessment, and system selection reviews. He has developed specific expertise in assisting organizations understand and implement new technology, including issues of IT governance and change management. Adam’s clients have included a wide range of local municipalities, counties, agencies and authorities and state government.
He is a frequent presenter and has authored numerous articles on improving operational efficiency and effectiveness. He recently authored a chapter on IT Governance for the book CIO Leadership for Cities and Counties, published by the Public Technology Institute.

Sally Nagy | Senior Manager
Sally has an extensive background in both public and private sector executive management with a proven record of results applying business insight to the application of information technology to achieve the organization’s goals. As Chief Information Officer/IT Director of both public and private sector organizations (City of Sacramento, Santa Barbara County, City of Tucson), she has directed all aspects of information technology including application development, project management, communications, operations, system architecture, GIS, and technical support. As a consultant, Sally’s engagements have included information technology governance, organizational change management, business and technology strategic planning, information technology tactical planning, procurement and contract negotiations, project management, workforce development, organizational and program reviews, quality assurance, and enterprise technical architecture.

Project timeline
We are prepared to start the project within two weeks of a negotiated contract. We anticipate that this work will take an estimated 45 days to complete, predicated upon the availability and responsiveness of the City’s staff, and the timely provisioning of requested information. During the project initiation step, we will meet with your project team to validate our information gathering approach, and to confirm a schedule that best meets your needs, City resources, and accounts for the City’s calendar.

Pricing and assumptions
Our fixed fee for this project is $27,000.
We would like to emphasize that our cost and work plan are flexible. We would welcome the opportunity to work with the City to finalize a work plan and associated costs to best meet the needs of the City. Pricing outlined is based upon the project fee assumptions provided within this cost proposal.

Notes
• It is our practice to bill monthly for fees incurred in the prior month.
• If any issue arises during the course of the project that will impact the timing or the budget, we will discuss the issue with the City prior to proceeding.

Assumptions
Our proposal and associated fees are based upon the assumptions listed below.
• The IT Strategic Plan development project will start by September 1, 2021. A project start beyond this would result in increased fees as additional discovery activities would be required to identify changes in the technology environment and/or business needs since completion of the IT Assessment.
• The City will appoint an internal project lead who will be the main point of contact between the City and Plante Moran and will assist with logistics and coordination of activities.
• There will be a single draft-to-final process for each deliverable (assumed to be 10 days).
• Onsite work activity, if any, will be confirmed at least two weeks prior to the agreed upon travel date; any travel change fees incurred after such date will be expensed to the City.

Cybersecurity Management Framework Development

Scope of services

Phase 1: Engagement planning and preparation

Project planning and kickoff
Project initiation activities will be conducted to introduce the project team, finalize the project scope, deliverables and timetables. This step will be completed during a kick-off meeting with the City’s project team.
During this meeting, we also anticipate conducting management interviews in order to gain a broad understanding of the City’s information technology operation.

Project plan and schedule
We will work with the City during this activity to finalize a project plan. In addition, Plante Moran will submit formats for all deliverables to the City for review and approval. We will conduct conference calls to discuss the City’s expectations regarding deliverable formats and ensure these requirements are included in each deliverable format.

Regular status updates
Strong communication is the key to successful engagement execution. We will have periodic meetings with the City to discuss the results of our work for the week. During these discussions, we will:
• Report on the status of the project work plan and timeline
• Re-schedule tasks as necessary
• Discuss major open issues/risks and develop strategies to address them
• Review next steps

Phase 2: Cyber risk assessment

Establish cybersecurity framework
We leverage the NIST cybersecurity framework as a baseline for assessing security controls, policies, and procedures implemented. The NIST Cybersecurity Framework (NIST CSF) utilizes a risk-based approach to map controls over the confidentiality, integrity, and availability of systems and data, as well as to meet various security and privacy regulations. Further, the NIST CSF provides flexibility to evaluate size and scale of municipal entities, resulting in a better “Apples to Apples” comparison of security controls.

Discovery
We will conduct meetings with management and staff, review documentation and assess technology areas and locations housing technology systems and hardware to gain an understanding of the City’s use of technology.
We will leverage documentation and information obtained during Plante Moran’s IT Assessment engagement in order to identify IT processes in place and reduce any redundancies and overlaps during the discovery process.

Assess cybersecurity controls
We will analyze security controls, procedures, and policies, including potential vulnerabilities associated with the design, structure, and resourcing of current security measures. We will compare identified security controls and policies implemented with security program objectives defined within the NIST CSF. We will evaluate associated risks in order to determine the overall impact to the organization and build an overall picture of the security management of IT resources and systems. Recommendations from the risk assessment will all include risk/effort/priority ratings to assist management with decision-making on cost-benefit of implementing each.

Phase 3: Final Report Delivery

Compile Findings and Prepare Draft Report
Based on interviews completed, reviews of documentation, and our evaluations performed, we will compile our recommendations to be considered for remediation. Throughout the course of our assessment, we will also communicate these findings to ensure there are no surprises at the end of the engagement and that we have not misunderstood any discussions or documentation. Our deliverable will also include a prioritized list of risk items for management’s consideration of risk administration (i.e. risk transfer, avoidance, acceptance, or remediation). We will develop a Draft Cybersecurity Controls Report that summarizes all of the findings and recommendations.
The findings and recommendations discussed previously will be translated into a report that will include the following:
• Executive Summary
• Recommendations and opportunities for improvement
• Details on Cybersecurity Controls Testing completed

Project team
The key to any project’s success lies in the collective abilities of the individuals assigned to the project. The Plante Moran project team members proposed for this engagement have been selected for their experience in similar projects and are identified below.

Project Team
Adam Rujan | Partner
Adam has nearly thirty-two years’ experience consulting to government and public sector organizations. His experience includes assisting governmental units with organizational and operational analyses, IT Assessment, and system selection reviews. He has developed specific expertise in assisting organizations understand and implement new technology, including issues of IT governance and change management. Adam’s clients have included a wide range of local municipalities, counties, agencies and authorities and state government. He is a frequent presenter and has authored numerous articles on improving operational efficiency and effectiveness. He recently authored a chapter on IT Governance for the book CIO Leadership for Cities and Counties, published by the Public Technology Institute.

Sally Nagy | Senior Manager
Sally has an extensive background in both public and private sector executive management with a proven record of results applying business insight to the application of information technology to achieve the organization’s goals.
As Chief Information Officer/IT Director of both public and private sector organizations (City of Sacramento, Santa Barbara County, City of Tucson), she has directed all aspects of information technology including application development, project management, communications, operations, system architecture, GIS, and technical support. Sally’s consulting engagements have included IT governance, organizational change management, business and technology strategic planning, IT tactical planning, procurement and contract negotiations, project management, workforce development, organizational and program reviews, quality assurance, and enterprise technical architecture.

F. Alex Brown, CPA, CHP, CISSP | Principal
Alex has over eighteen years of information technology audit, technology regulatory control compliance, and system integration project experience. Alex has extensive experience in the assessment of technology risk and evaluation of IT controls in support of IT security regulatory compliance engagements including HIPAA/HITECH and Sarbanes-Oxley. In addition, Alex has extensive experience in working with various IT security control frameworks (e.g. NIST 800, ISO 27001/27002, COBIT, HIPAA, FERPA). Alex has extensive industry experience including Healthcare, Government, Higher Education and Manufacturing. Alex’s experience includes planning and performing engagements to evaluate and assess IT risk, evaluate the effectiveness of control measures implemented, identify IT control deficiencies, and develop remediation recommendations. Alex is a Certified HIPAA Security Professional (CHP), Certified Public Accountant and is a member of the American Institute of Certified Public Accountants (AICPA). Alex holds a BS degree in Accounting from North Carolina A&T State University.

Timeline

Pricing and assumptions
Our fixed fee for this project is $18,000.
We would like to emphasize that our cost and work plan are flexible. We would welcome the opportunity to work with the City to finalize a work plan and associated costs to best meet the needs of the City. Pricing outlined is based upon the project fee assumptions provided within this cost proposal.

Notes
• It is our practice to bill monthly for fees incurred in the prior month.
• If any issue arises during the course of the project that will impact the timing or the budget, we will discuss the issue with the City prior to proceeding.

Assumptions
Our proposal and associated fees are based upon the assumptions listed below.
• Our findings and observations are derived from the documents reviewed and interviews conducted.
• The City will appoint an internal project lead who will be the main point of contact between the City and Plante Moran and will assist with logistics and coordination of activities.
• There will be a single draft-to-final process for each deliverable (assumed to be 10 days).
• Onsite work activity, if any, will be confirmed at least two weeks prior to the agreed upon travel date; any travel change fees incurred after such date will be expensed to the City.

Engagement Agreement

Professional Services Agreement – Consulting Services
Addendum to Plante & Moran, PLLC Engagement Letter

This Professional Services Agreement is part of the engagement letter for our consulting services dated March 3, 2021 between Plante & Moran, PLLC (referred to herein as “PM”) and City of Palm Desert (referred to herein as “Client”). These terms and conditions mirror those of the predecessor IT Assessment.

1. Management Responsibilities – The consulting services PM will provide are inherently advisory in nature. PM has no responsibility for any management decisions or management functions in connection with its engagement to provide these services.
Further, Client acknowledges that Client is responsible for all such management decisions and management functions; for evaluating the adequacy and results of the services PM will provide and accepting responsibility for the results of those services; and for establishing and maintaining internal controls, including monitoring ongoing activities, in connection with PM’s engagement. Client has designated Clay von Helf, IT Manager, to act as its representative in all matters pertaining to the administration and performance of this Agreement.

Client represents and warrants that any and all information that it transmits to PM will be done so in full compliance with all applicable federal, state, local, and foreign privacy and data protection laws, as well as all other applicable regulations and directives, as may be amended from time to time (collectively, “Data Privacy Laws”). Client shall not disclose personal data of data subjects (“Personal Data”) who are entitled to certain rights and protections afforded by Data Privacy Laws to PM without prior notification to PM. Client shall make reasonable efforts to limit the disclosure of Personal Data to PM to the minimum necessary to accomplish the intended purpose of the disclosure to PM.

2. Nature of Services – PM’s project activities will be based on information and records provided to PM by Client. PM will rely on such underlying information and records and the project activities will not include audit or verification of the information and records provided to PM in connection with the project activities. The project activities PM will perform will not constitute an examination or audit of any Client financial statements or any other items, including Client’s internal controls. Additionally, this engagement will not include preparation or review of any tax returns or consulting regarding tax matters.
If Client requires financial statements or other financial information for third-party use, or if Client requires tax preparation or consulting services, a separate engagement letter will be required. Accordingly, Client agrees not to associate or make reference to PM in connection with any financial statements of Client. In addition, PM’s engagement is not designed and cannot be relied upon to disclose errors, fraud, or illegal acts that may exist. However, PM will inform you of any such matters that come to PM’s attention.

The services shall be performed by PM or under its supervision. PM will determine the means, methods and details of performing the services subject to the requirements of this Agreement. Client retains PM on an independent contractor basis and not as an employee. Any personnel performing the services shall not be employees of Client and shall at all times be under PM's exclusive direction and control. PM shall be responsible for all reports and obligations respecting such personnel, including, but not limited to: wages, salaries, social security taxes, income tax withholding, unemployment insurance, disability insurance, and workers' compensation insurance.

PM shall comply with all applicable laws and regulations of the federal, state and local government. PM shall perform all services under this Agreement in a skillful and competent manner, consistent with the standards generally recognized as being employed by professionals in the same discipline in the State of California. PM warrants that all employees shall have sufficient skill and experience to perform the services assigned to them. PM represents that it and its employees have all licenses, permits, qualifications and approvals of whatever nature that are legally required to perform the services, and that such licenses and approvals shall be maintained throughout the term of this Agreement.

3.
Use of Report – At the conclusion of PM’s project activities, PM will provide Client with a written report as described in the accompanying engagement letter. To the extent permitted by law, PM’s report will be restricted solely to use by management of Client and Client agrees that PM’s report will not be distributed to any outside parties for any purpose other than to carry out legal responsibilities of Client. PM will have no responsibility to update PM’s report for any events or circumstances that occur or become known subsequent to the date of that report.

4. Interactive Analyses and Visualizations – In instances where PM expressly agrees in the accompanying engagement letter to provide interactive analyses or visualization tools (collectively, “Electronic Documents”) to Client, such Electronic Documents will be provided in a format determined to be acceptable to both parties. Client acknowledges and agrees that Client’s ability to access such Electronic Documents may require software programs that PM does not develop, license, or support, and Client shall be solely responsible for the costs to obtain, use, or support any such required software. PM makes no representation or warranty with respect to such software or the continuing functionality of such software relative to the Electronic Documents and disclaims any and all express or implied warranties if any, associated with such software, its merchantability, and/or its fitness for any particular use by Client.

If and to the extent provided by PM, Electronic Documents are provided solely for the purpose of supporting the written report and are to be used only as expressly described in and authorized by the written report. PM disclaims any responsibility for any use of the Electronic Documents that is not expressly provided for in and authorized by the written report.
Further, Client acknowledges that Client is solely responsible for evaluating the adequacy and accuracy of any results generated through the use of Electronic Documents. PM will have no responsibility to support or update the Electronic Documents for any events or circumstances that occur or become known subsequent to the date of their corresponding written report.

Client acknowledges that PM may utilize proprietary works of authorship that have not been created specifically for Client and were conceived, created, or developed prior to, or independent of, this engagement including, without limitation, computer programs, methodologies, algorithms, models, templates, software configurations, flowcharts, architecture designs, tools, specifications, drawings, sketches, models, samples, records, and documentation (collectively, “PM Intellectual Property”). Client agrees and acknowledges that PM Intellectual Property is and shall remain solely and exclusively the property of PM.

Upon payment for the engaged services, to the extent that PM incorporates PM Intellectual Property into the Electronic Documents (which PM shall do only as expressly provided for in the accompanying engagement letter), PM grants to Client a limited royalty-free, nonexclusive, right and license to use such incorporated PM Intellectual Property for internal purposes only and in the original format. Client agrees not to copy, publish, modify, disclose, distribute, decompile, reverse engineer, or create derivative works based on PM Intellectual Property. Notwithstanding the foregoing, in no event will PM be precluded from developing for itself or for others, works of authorship which are similar to those included in the written report.
If and to the extent PM shares information obtained from third-party data sources with Client, Client agrees, to the extent permitted by law, not to (i) disclose or redistribute any such third-party data to third parties without the express written consent of PM; or (ii) attempt to extract, manipulate, or copy any embedded or aggregated third-party data from the Electronic Documents for any purpose.

PM shall defend, indemnify and hold the Client, its directors, officials, officers, employees, volunteers, agents and representatives free and harmless for any alleged infringement of any patent, copyright, trade secret, trade name, trademark, or any other proprietary right of any person or entity in consequence of the use on the project by Client of the PM Intellectual Property, including any method, process, product, or concept specified or depicted.

5. Confidentiality, Ownership, and Retention of Workpapers – During the course of this engagement, PM and PM staff may have access to proprietary information of Client, including, but not limited to, information regarding general ledger balances, financial transactions, trade secrets, business methods, plans, or projects. PM acknowledges that such information, regardless of its form, is confidential and proprietary to Client. PM will comply with all applicable ethical standards, laws, and regulations as to the retention, protection, use, and distribution of such confidential client information. Except to the extent set forth herein, PM will not disclose such information to any third party without the prior written consent of Client.

In the interest of facilitating PM’s services to Client, PM may communicate or exchange data by internet, email, facsimile transmission or other electronic methods.
While PM will use its best efforts to keep such communications and transmissions secure in accordance with PM’s obligations under applicable laws and professional standards, Client recognizes and accepts that PM has no control over the unauthorized interception of these communications or transmissions once they have been sent, and consents to PM’s use of these electronic devices during this engagement.

Professional standards require that PM create and retain certain workpapers for engagements of this nature. All workpapers created in the course of this engagement are and shall remain the property of PM. PM will maintain the confidentiality of all such workpapers as long as they remain in PM’s possession.

Both Client and PM acknowledge, however, that PM may be required to make its workpapers available to regulatory authorities, by court order or subpoena in a legal, administrative, arbitration, or similar proceeding in which PM is not a party, or pursuant to the California Public Records Act. Disclosure of confidential information in accordance with requirements of regulatory authorities, pursuant to court order or subpoena, or pursuant to the California Public Records Act shall not constitute a breach of the provisions of this Agreement. In the event that a request for any confidential information or workpapers covered by this Agreement is made by regulatory authorities, pursuant to a court order or subpoena, or pursuant to the California Public Records Act, the party receiving the request agrees to inform the other party in a timely manner of such request and to cooperate with the other party should the other party attempt, at the other party’s cost, to limit such access. This provision will survive the termination of this Agreement.
In accordance with Government Code section 8546.7, records of both PM and the Client shall be subject to examination and audit by the State Auditor General for a period of three (3) years after final payment. PM shall make available to the Client any of the PM’s other documents related to the project immediately upon request of the Client.

Except as required by Government Code section 8546.7, upon Client’s written request, PM may, at its sole discretion, allow others to view any workpapers remaining in its possession if there is a specific business purpose for such a review. PM will evaluate each written request independently. Client acknowledges and agrees that PM will have no obligation to provide such access or to provide copies of PM’s workpapers, without regard to whether access had been granted with respect to any prior requests.

6. Consent to Disclosures to Service Providers – In some circumstances, PM may use third-party service providers to assist PM with its services, including affiliates of PM within or outside the United States. In those circumstances, PM will be solely responsible for the provision of any services by any such third-party service providers and for the protection of any information provided to such third-party service providers. PM will require any such third-party service provider to: (i) maintain the confidentiality of any information furnished; and (ii) not use any information for any purpose unrelated to assisting with PM’s services for Client.
In order to enable these third-party service providers to assist PM in this capacity, Client, by its duly authorized signature on the accompanying engagement letter, consents to PM’s disclosure of all or any portion of Client’s information, including tax return information, to such third-party service providers, including affiliates of PM outside of the United States, if and to the extent such information is relevant to the services such third-party service providers may provide and agrees that PM’s disclosure of such information for such purposes shall not constitute a breach of the provisions of this Agreement. Client’s consent shall be continuing until the services provided for this engagement Agreement are completed.

7. Third-Party Data – PM may reference third-party data sources in performing the services described in the accompanying engagement letter. Third-party data may include publicly available data, commercially available data licensed to PM, or information obtained from other sources. PM will use its judgment, discretion, best efforts, and good faith in evaluating the use of third-party data sources, but does not warrant or guarantee the accuracy, completeness, or timeliness of any data obtained from third-party data sources and disclaims any liability arising out of or relating to the use of data from third-party data sources.

Client acknowledges that any commercially available third-party data sources referenced by PM are licensed to PM and PM’s ability to share information obtained from commercially available third-party data sources is often restricted by the terms of use granted to PM by the licensor and, unless expressly set forth in the accompanying engagement letter, PM makes no representation or warranty that Client will have access to data obtained from third-party data sources.
If and to the extent PM shares information obtained from third-party data sources with Client, Client agrees, to the extent allowed by law, not to disclose or redistribute any such third-party data to third parties without the express written consent of PM. This Agreement does not convey to Client a sublicense to any third-party data source unless expressly agreed to in writing and signed by a duly authorized representative of PM. However, nothing herein shall prevent Client from directly contracting with or obtaining a license from any third-party data source if Client determines, in its sole discretion, that any such direct contract or license to be in its best interest.

8. Fee Quotes – In any circumstance where PM has provided estimated fees, fixed fees or not-to-exceed fees (“Fee Quotes”), these Fee Quotes are based on Client personnel providing PM staff the assistance necessary to satisfy Client responsibilities under the scope of services. This assistance includes availability and cooperation of those Client personnel relevant to PM’s project activities and providing needed information to PM in a timely and orderly manner. In the event that undisclosed or unforeseeable facts regarding these matters cause the actual work required for this engagement to vary from PM’s Fee Quotes, those Fee Quotes will be adjusted, with the written consent of the Client, for the additional time PM incurs as a result.

In any circumstance where PM’s work is rescheduled by Client, PM offers no guarantee, express or implied, that PM will be able to meet any previously established deadline related to the completion of PM’s work. Because rescheduling its work imposes additional costs on PM, in any circumstance where PM has provided Fee Quotes, those Fee Quotes may be adjusted for additional time PM incurs as a result of rescheduling its work, with the written consent of the Client.
PM will advise Client in the event these circumstances occur; however, it is acknowledged that the exact impact on the Fee Quote may not be determinable until the conclusion of the engagement. Such fee adjustments will be determined in accordance with the Fee Adjustments provision of this Agreement.

9. Payment Terms – Payment of PM’s invoices for professional services is due within thirty (30) days after receipt for all non-disputed charges (if disputed, Client shall notify PM of such dispute within 30 days of receipt of such invoice) unless otherwise specified in the accompanying engagement letter. In the event any of PM’s invoices are not paid in accordance with the terms of this Agreement, PM may elect, at PM’s sole discretion, to suspend work until PM receives payment in full for all amounts due or terminate this engagement. In the event that work is suspended, for nonpayment or other reasons, and subsequently resumed, PM offers no guarantee, express or implied, that PM will be able to meet any previously established deadlines related to the completion of PM’s consulting work or issuance of PM’s consulting report upon resumption of PM’s work. Client agrees that in the event that work is suspended, for non-payment or other reasons, PM shall not be liable for any damages that occur as a result of PM ceasing to render services.

10. Fee Adjustments – Any fee adjustments for reasons described in this Agreement will be determined based on the actual time expended by PM staff at PM’s current hourly rates, plus all reasonable and necessary travel and related costs PM incurs, and included as an adjustment to PM’s invoices related to this engagement, with the written consent of the Client. Client acknowledges and agrees that payment for all such fee adjustments will be made in accordance with the payment terms provided in this Agreement.

11.
Force Majeure – Neither party shall be deemed to be in breach of this Agreement as a result of any delays or non-performance directly or indirectly resulting from circumstances or causes beyond its reasonable control, including, without limitation, fire or other casualty, acts of God, war, other violence, epidemic, pandemic, or other public health emergency or government mandated shut down (each individually a “Force Majeure Event”). A Force Majeure Event shall not excuse any payment obligation relating to fees or costs incurred prior to any such Force Majeure Event.

12. Exclusion of Certain Damages – In no event shall the PM or Client or the PM Persons be liable, whether a claim be in tort, contract, or otherwise, for any consequential, indirect, lost profit, punitive, exemplary, or other special damages. The exclusion of certain damages as set forth in this Section applies to any and all liabilities or causes of action against PM and/or the PM Persons, however alleged or arising, unless and to the extent otherwise prohibited by law. This provision shall survive the termination of this engagement.

13.
Defense, Indemnification, and Hold Harmless – To the fullest extent permitted by law, PM shall defend (with counsel of Client’s choosing), indemnify and hold the Client, its officials, officers, employees, volunteers, agents, and representatives free and harmless from any and all claims, demands, causes of action, costs, expenses, liability, loss, damage or injury of any kind, in law or equity, to property or persons, including wrongful death, to the extent arising out of, pertaining to, or incident to any negligence or willful misconduct of PM, its officials, officers, employees, subconsultants or agents in connection with the performance of PM’s services or this Agreement, including without limitation the payment of all expert witness fees, attorney’s fees and other related costs and expenses except such loss or damage caused by the sole negligence or willful misconduct of the Client. PM's obligation to indemnify shall survive expiration or termination of this Agreement and shall not be restricted to insurance proceeds, if any, received by PM, the Client, its officials, officers, employees, agents, volunteers or representatives.

14. Conditions of PM Visit to Client Facilities – Client agrees that PM’s services will be provided remotely to the maximum extent possible. In order to facilitate the provision of services remotely, Client agrees to provide documentation and other information reasonably required by PM for PM’s performance of the engaged services electronically to the extent possible throughout the course of the engagement. In the event in-person visits to Client’s facility are determined by PM in its sole discretion to be necessary for the performance of the engaged services, Client agrees, as a pre-condition to any such in-person visit, to provide to PM for PM’s evaluation Client’s policies and procedures that Client has implemented and will adhere to relating to workplace safety and the prevention of the transmission of disease at its facility.
In addition, Client affirms that it is in compliance with applicable Centers for Disease Control and Prevention and OSHA guidance pertaining to the prevention of the transmission of disease (collectively, “Applicable Preventative Guidance”) and agrees that it shall continue to comply with Applicable Preventative Guidance throughout any in-person visits by PM to Client’s facility. Client further affirms that it is in compliance and shall continue to comply with all other applicable laws, regulations, or executive orders relating to COVID-19 and the prevention of the spread thereof (collectively, “COVID-19 Laws”) and agrees that it shall continue to comply with COVID-19 Laws throughout any in-person visits by PM to Client’s facility. Notwithstanding the foregoing, PM reserves the right to suspend or refrain from any in-person visit by PM to Client’s facility or impose further conditions on any such in-person visit if and as PM deems necessary at its sole discretion. Client agrees and acknowledges that any determination by PM to visit Client’s facility is not and shall not be construed to be or relied on by Client as a determination by PM of Client’s compliance with Applicable Preventative Guidance or any COVID-19 Laws.

15. Receipt of Legal Process – In the event PM is required to respond to a subpoena, court order, or other legal process (in a matter involving Client but not PM) for the production of documents and/or testimony relative to information PM obtained and/or prepared during the course of this engagement, Client agrees to compensate PM for the affected PM staff’s time at such staff’s current hourly rates, and to reimburse PM for all of PM’s out-of-pocket costs incurred associated with PM’s response unless otherwise reimbursed by a third party.

16. Termination of Engagement – This Agreement may be terminated by either party upon written notice.
Upon notification of termination, PM’s services will cease, and PM’s engagement will be deemed to have been completed. Client will be obligated to compensate PM for all time expended and to reimburse PM for related costs PM incurs through the date of termination of this engagement. If this Agreement is terminated as provided herein, Client may, to the extent paid for by Client, require PM to provide all finished or unfinished documents, data and other information of any kind prepared by PM in connection with the performance of services under this agreement.

17. Entire Agreement – This Agreement is contractual in nature and includes all of the relevant terms that will govern the engagement for which it has been prepared. The terms of this Agreement supersede any prior oral or written representations or commitments by or between the parties regarding the subject matter hereof. Any changes or additions to the terms set forth in this Agreement will only become effective if evidenced by a written amendment to this Agreement, signed by all of the parties.

18. Severability – If any provision of this Agreement (in whole or part) is held to be invalid or otherwise unenforceable, the other provisions shall remain in full force and effect.

19. Conflicts of Interest – PM’s engagement acceptance procedures include a check as to whether any conflicts of interest exist that would prevent PM’s acceptance of this engagement. No such conflicts have been identified. Client understands and acknowledges that PM may be engaged to provide professional services, now or in the future, unrelated to this engagement to parties whose interests may not be consistent with interests of Client.

20. Agreement Not to Influence – Client and PM each agree that each respective organization and its employees will not endeavor to influence the other’s employees to seek any employment or other contractual arrangement with it, during this engagement or for a period of one year after termination of the engagement. Client agrees that PM employees are not “contract for hire.” PM may release Client from these restrictions if Client agrees to reimburse PM for its recruiting, training, and administrative investment in the applicable employee. In such event, the reimbursement amount shall be equal to two hundred hours of billings at the current hourly rate for the PM employee.

21. Signatures – Any electronic signature transmitted through DocuSign or manual signature on the accompanying engagement letter transmitted by facsimile or by electronic mail in portable document format may be considered an original signature.

22. Governing Law – This Agreement shall be governed by and construed in accordance with the laws of the State of California, and jurisdiction over any action to enforce this Agreement, or any dispute arising from or relating to this Agreement shall reside exclusively within Riverside County, California.

23. Assignment; Subcontracting. PM shall not assign, sublet, or transfer this Agreement or any rights under or interest in this Agreement without the written consent of the Client, which may be withheld for any reason. Any attempt to so assign or so transfer without such consent shall be void and without legal effect and shall constitute grounds for termination. PM shall not subcontract any portion of the services required by this Agreement, except as expressly stated herein, without prior written approval of the Client. Subcontracts, if any, shall contain a provision making them subject to all provisions stipulated in this Agreement.

24. Insurance.
PM shall, at its expense, procure and maintain for the duration of the Agreement such insurance policies as checked below and provide proof of such insurance policies in a form satisfactory to the Client.

Commercial General Liability Insurance: $1,000,000 per occurrence/$2,000,000 aggregate. $2,000,000 per occurrence/$4,000,000 aggregate.

Automobile Liability: $1,000,000 combined single limit for bodily injury and property damage.

Workers’ Compensation: Statutory Limits / Employer’s Liability $1,000,000 per accident or disease and a waiver of subrogation in favor of the City and their respective officers, agents, employees, volunteers and representatives.

Professional Liability (Errors and Omissions): Errors & Omissions liability insurance with a limit of not less than $1,000,000 per claim and in the aggregate.

Vendor shall take out and maintain during this Agreement:

A. Commercial General Liability Insurance for bodily injury, personal injury and property damage, at least as broad as Insurance Services Office Commercial General Liability coverage (Occurrence Form CG 0001). The policy must include contractual liability (subject to ordinary and customary conditions and exclusions) that has not been amended. Any endorsement restricting standard ISO “insured contract” language will not be accepted;

B. Workers’ Compensation Insurance (Statutory Limits) and Employer’s Liability Insurance; and

D. Professional Liability (Errors and Omissions) that covers the services to be performed in connection with this Agreement. Any policy inception date, continuity date, or retroactive date must be before the effective date of this agreement and PM agrees to maintain continuous coverage through a period no less than three years after completion of the services required by this Agreement.
All insurance coverage maintained or procured pursuant to this agreement shall be endorsed to waive subrogation against the City of Palm Desert, and their elected or appointed officers, agents, officials, employees, volunteers, and representatives or shall specifically allow PM or others providing insurance evidence in compliance with these specifications to waive their right of recovery prior to a loss. For covered claims, PM hereby waives its own right of recovery against the City of Palm Desert or their elected or appointed officers, agents, officials, employees, volunteers and representatives and shall require similar written express waivers and insurance clauses from each of its subcontractors. Workers compensation coverage shall have a waiver of subrogation endorsement in favor of the City of Palm Desert, and their respective officers, agents, employees, volunteers and representatives. Insurance carriers shall be licensed and authorized to do business in California except that insurance markets including based in London, and/or the domestic surplus lines markets that operate on a non-admitted basis are exempt from this requirement, provided that the contractor's broker can provide financial data to establish that a market is equal to or exceeds the financial strengths associated with the A.M. Best's rating of A:VI or better. Such insurance carrier shall have not less than an "A-:VII" rating according to the latest Best Key Rating unless otherwise approved by City’s Risk Manager. PM shall add the City, and their respective officers, officials, employees, agents, volunteers and representatives as additional insureds on PM’s Commercial General Liability, Automobile Liability, and if applicable, Pollution Liability and Cyber Liability policies. Coverage provided by PM shall be primary and any insurance or self-insurance procured or maintained by the City shall not be required to contribute with it.
The City or its Risk Manager reserves the right at any time during the term of the Agreement to change the amounts and types of insurance (i.e. pollution, cyber, and fidelity coverages) required by giving the PM advance written notice of such change. If such change results in substantial additional cost to the PM, the City and PM may renegotiate PM’s compensation. If the City reduces the insurance requirements, the change shall go into effect immediately and require no advanced written notice.

End of Professional Services Agreement – Consulting Services

We look forward to working with you. Please contact us with any questions.

Adam Rujan
Partner
248-223-3328
adam.rujan@plantemoran.com