|
New Hanover County Information Technology Department |
Issued: 03/19/02 |
|
|
Policy Number: 6-03 |
||
|
Subject: THIRD PARTY CONNECTION AGREEMENT |
||
This Third Party Network Connection Agreement (the “Agreement”) by and between New Hanover County Government located at 230 Government Center Drive, Wilmington, NC, (“NHC") and ______________________, with principal offices at _____________________________ (“Company”), is entered into as of the date last written below (“the Effective Date”).
This Agreement consists of this signature page and the following attachments that are incorporated in this Agreement by this reference:
1. Attachment 1: Third Party Network Connection Agreement Terms and Conditions
2. Attachment 2: Network Connection Policy
3. Attachment 3: Third Party Connection Request - Information Requirements Document
This Agreement is the complete agreement between the parties hereto concerning the subject matter of this Agreement and replaces any prior oral or written communications between the parties. There are no conditions, understandings, agreements, representations, or warranties, expressed or implied, which are not specified herein. This Agreement may only be modified by a written document executed by the parties hereto. North Carolina State law without regard to choice of law provisions shall govern any disputes arising out of or in connection with this Agreement.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be duly executed. Each party warrants and represents that its respective signatories whose signatures appear below have been and are on the date of signature duly authorized to execute this Agreement.
___________________ (“Company”) New Hanover County Government (“NHC”)
___________________ _____________________________
Authorized Signature County Manager
___________________ _____________________________
Name Name
___________________ _____________________________
Date Date
Attachment 1
THIRD PARTY CONNECTION AGREEMENT
TERMS AND CONDITIONS
Object: To ensure that a secure method of connectivity is provided between New Hanover County Government and Company and to provide guidelines for the use of network and computing resources associated with the Network Connection as defined below.
Definition: "Network Connection" means one of the New Hanover County Government connectivity options listed in Section B of the Network Connection Policy.
1. Right to Use Network Connection. Company may only use the Network Connection for business purposes as outlined by the Third Party Connection Request - Information Requirements Document.
2. New Hanover County Government-Owned Equipment.
2.1 The New Hanover County Government may loan to Company certain equipment and/or software for use on Company premises (the New Hanover County Government-Owned Equipment). New Hanover County Government-Owned Equipment will only be configured for TCP/IP, and will be used solely by Company on Company’s premises and for the purposes set forth in this Agreement.
2.2 Company may modify the configuration of the New Hanover County Government-Owned Equipment only after notification and approval in writing by authorized New Hanover County Government personnel.
2.3 Company will not change or delete any passwords set on New Hanover County Government-Owned Equipment without prior approval by authorized New Hanover County Government personnel. Promptly upon any such change, Company shall provide New Hanover County Government with such changed password.
3. Network Security.
3.1 Company will allow only Company employees approved in advance by New Hanover County Government (“Authorized Company Employees”) to access the Network Connection or any New Hanover County Government-Owned Equipment. Company shall be solely responsible for ensuring that Authorized Company Employees are not security risks, and upon New Hanover County Government’s request, Company will provide New Hanover County Government with any information reasonably necessary for New Hanover County Government to evaluate security issues relating to any Authorized Company Employee's access to the Network Connection or any New Hanover County Government-Owned Equipment
3.2 Company will promptly notify New Hanover County Government whenever any Authorized Company Employee leaves Company’s employ or no longer requires access to the Network Connection or New Hanover County Government-Owned Equipment.
3.3 Each party will be solely responsible for the selection, implementation, and maintenance of security procedures and policies that are sufficient to ensure that (a) such party’s use of the Network Connection (and Company’s use of New Hanover County Government-Owned Equipment) is secure and is used only for authorized purposes, and (b) such party’s business records and data are protected against improper access, use, loss alteration or destruction.
4. Notifications. Company shall notify New Hanover County Government in writing promptly upon a change in the user base for the work performed over the Network Connection or whenever in Company’s opinion a change in the connection and/or functional requirements of the Network Connection is necessary.
5. Payment of Costs. Each party will be responsible for all costs incurred by that party under this Agreement, including, without limitation, costs for phone charges, telecommunications equipment and personnel for maintaining the Network Connection.
6. DISCLAIMER OF WARRANTIES. NEITHER PARTY MAKES ANY WARRANTIES, EXPRESSED OR IMPLIED, CONCERNING ANY SUBJECT MATTER OF THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
7. LIMITATION OF LIABILITY. EXCEPT WITH RESPECT TO A PARTY’S CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, ANY DAMAGES RESULTING FROM ANY DELAY, OMISSION OR ERROR IN THE ELECTRONIC TRANSMISSION OR RECEIPT OF DATA PURSUANT TO THIS AGREEMENT, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, AND WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
8. Confidentiality. The parties acknowledge that by reason of their relationship to each other hereunder, each will have access to certain information and materials concerning the others technology and products that is confidential and of substantial value to that party, which value would be impaired if such information were disclosed to third parties (“Confidential Information”). Should such Confidential Information be orally or visually disclosed, the disclosing party shall summarize the information in writing as confidential within thirty (30) days of disclosure. Each party agrees that it will not use in any way for its own account, except as provided herein, nor disclose to any third party, any such Confidential Information revealed to it by the other party. Each party will take every reasonable precaution to protect the confidentiality of such Confidential Information. Upon request by the receiving party, the disclosing party shall advise whether or not it considers any particular information or materials to be Confidential Information. The receiving party acknowledges that unauthorized use or disclosure thereof could cause the disclosing party irreparable harm that could not be compensated by monetary damages. Accordingly each party agrees that the other will be entitled to seek injunctive and preliminary relief to remedy any actual or threatened unauthorized use or disclosure of such other party’s Confidential Information. The receiving party’s obligation of confidentiality shall not apply to information that: (a) is already known to the receiving party or is publicly available at the time of disclosure; (b) is disclosed to the receiving party by a third party who is not in breach of an obligation of confidentiality to the party to this agreement which is claiming a proprietary right in such information; or (c) becomes publicly available after disclosure through no fault of the receiving party.
9. Terms, Termination and Survival. This Agreement will remain in effect until terminated by either party. Either party may terminate this agreement for convenience by providing not less than thirty (30) days prior written notice, which notice will specify the effective date of termination. Either party may also terminate this Agreement immediately upon the other party’s breach of this Agreement. Sections 5, 6, 7, 8, 10.1 and 10.2 shall survive any termination of this Agreement.
10.
MISCELLANEOUS.
10.1
Severability. If for any reason a court of competent jurisdiction finds
any provision or portion of this Agreement to be unenforceable, that provision
of the Agreement will be enforced to the maximum extent permissible so as to
effect the intent of the parties, and the remainder of this Agreement will
continue in full force and effect.
10.2
Waiver. The failure of any party to enforce any of the provisions of this
Agreement will not be construed to be a waiver of the right of such party
thereafter to enforce such provisions.
10.3
Assignment. Neither party may assign this Agreement, in whole or in part,
without the other party’s prior written consent. Any attempt to assign
this Agreement, without such consent, will be null and of no effect.
Subject to the foregoing, this Agreement is for the benefit of and will be
binding upon the parties' respective successors and permitted assigns.
10.4
Force Majeure. Neither party will be liable for any failure to perform
its obligations in connection with any Transaction or any Document if such
failure results from any act of God or other cause beyond such party's
reasonable control (including, without limitation, any mechanical, electronic
or communications failure) which prevents such party from transmitting or
receiving any Documents.
Attachment 2
NETWORK CONNECTION POLICY
Purpose: To ensure that a secure method of network connectivity between New Hanover County Government and all third parties and to provide a formalized method for the request, approval and tracking of such connections.
Scope: External company data network connections to New Hanover County Government can create potential security exposures if not administered and managed correctly and consistently. These exposures may include non-approved methods of connection to the New Hanover County Government network, the inability to shut down access in the event of a security breach, and exposure to hacking attempts. Therefore, all external data network connections will be via connections approved by the IT Department. This policy applies to all new Third Party Network Connection requests and any existing Third Party Network Connections. When existing Third Party Network Connections do not meet all of the guidelines and requirements outlined in this document, they will be re-engineered as needed
Definitions: A "Network Connection" is defined as one of the connectivity options listed in Section B. below. “Third Parties” is defined as New Hanover County Government Partners, Vendors, Suppliers and the like.
A. Third-Party Connection Requests and Approvals
The required information is outlined in the Third Party Connection Request - Information Requirements Document (See Attachment 3 of this document). All information requested on this form must be completed prior to approval and sign off. It is Company’s responsibility to ensure that Company has provided all of the necessary information and that such information is correct.
All Third Party connection requests must have a New Hanover County Government IT Department Head signature for approval. In some cases approval may be given at a lower level with pre-authorization from the appropriate New Hanover County Government IT Department Head.
As a part of the request and approval process, the technical and administrative contact within Company’s organization or someone at a higher level within Company will be required to read and sign the "Third Party Connection Agreement ".
B. Connectivity Options
The following five connectivity options are the standard methods of providing a Third Party Network Connection. Anything that deviates from these standard methods must have a waiver sign-off at the New Hanover County Government IT Department Head level.
1) Leased line (e.g. T1) - Leased lines for Third Parties will be terminated on the New Hanover County Government network.
2) ISDN/FR - Dial leased lines will terminate on a Third Party only router located on the New Hanover County Government network. Authentication for these connections must be as stated in Section E. below.
3) Encrypted Tunnel - Encrypted tunnels must be terminated on the New Hanover County Government network whenever possible. In certain circumstances, it may be required to terminate an encrypted tunnel on the dirty subnet, in which case the normal New Hanover County Government perimeter security measures will control access to Internal devices.
4) Telnet access from Internet - Telnet access from the Internet will be provided by first telneting to the Third Party gateway machine, where the connection will be authenticated per Section E. below. Once the connection is authenticated, telnet sessions to internal hosts will be limited to those services needed by using the authorization capabilities of New Hanover County Government.
5) Remote Dial-up via PPP/SLIP - Remote dial-up via PPP/SLIP will be provided by a separate Third Party modem pool. The connection will be authenticated per Section E. below
C. Third Party (Partner) Access Points
When possible, Third Party (Partner) Access Points (PAPs) should be established in locations such that the cost of the access is minimized. Each PAP should consist of at least one router with leased line with Frame Relay and/or ISDN capability.
D. Services Provided
In general, services provided over Third Party Network Connections should be limited only to those services needed, and only to those devices (hosts, routers, etc.) needed. Blanket access will not be provided for anyone. The default policy position is to deny all access and then only allow those specific services that are needed and approved by New Hanover County Government pursuant to the established procedure.
In no case shall a Third Party Network Connection to New Hanover County Government be used as the Internet connection for the Third Party.
The standard set of allowable services are listed below:
File Exchange via ftp – Where possible, file exchange via ftp should take place on the existing New Hanover County Government ftp servers (ftp.co.new-hanover.nc.us).
Electronic Mail Exchange – Business-related email exchange between New Hanover County Government and Third Parties may be conducted over the Network Connection as needed. Mail from Third Party sites to non-New Hanover County Government addresses will not be allowed over the Network Connection.
Telnet Access – Telnet access will be provided to specific New Hanover County Government hosts, as needed. Employees from Third Parties will only be given accounts on the specific New Hanover County Government hosts that are needed. Where possible, router access control lists (ACLs) and static routes will be used to limit the paths of access to other internal New Hanover County Government hosts and devices. NOTE: NIS accounts and Directory Services are not to be established for employees of Third Parties who have accounts on New Hanover County Government hosts.
Web Resource Access – Access to internal web resources will be provided on an as-needed basis. Mirroring the appropriate web resources to a web server that resides on the Partners Network will provide access. Access to New Hanover County Government’s public web resources will be accomplished via the normal Internet access for the Third Party.
Access to Source Code Repositories This access will be decided on case-by-case basis.
Print Services – Print services can be provided to New Hanover County Government IT-supported Third Party connections by via two print spoolers on the New Hanover County Government Partners Network. New Hanover County Government-owned printers, that boot off the print spoolers will be located on the New Hanover County Government –extended network at the Third Party sites.
SQL*Net Access – This will be decided on a case-by-case basis.
ERP Access – This will be decided on a case-by-case basis.
NT File Exchange – NT file servers located on the New Hanover County Government Partners Network will provide File exchange. Each Third Party needing NT File exchange will be provided with a separate folder that is only accessible to that Party and the necessary people at New Hanover County Government.
E.
Authentication for Third Party Network Connections
Third Party Network Connections will be authenticated on a case-by-case basis. Access control lists, virtual private networks and remote dial-up applications are some examples of authentication methods that can be utilized.
In many cases it may be necessary to have New Hanover County Government-owned and maintained equipment at a Third Party site. All such equipment will be documented on the Third Party Connection Request – Information Requirements Document. Access to network devices such as routers and switches will only be provided to New Hanover County Government support personnel. All New Hanover County Government-Owned Equipment located at Third Party sites must be used only for business purposes. Any misuse of access or tampering with New Hanover County Government-provided hardware or software, except as authorized in writing by New Hanover County Government, may, in New Hanover County Government’s sole discretion, result in termination of the connection agreement with the Third Party.
G. Protection of Company Private
Information and Resources
The New Hanover County Government network support group responsible for the installation and configuration of a specific Third Party Connection must ensure that all possible measures have been taken to protect the integrity and privacy of New Hanover County Government confidential information. At no time should New Hanover County Government rely on access/authorization control mechanisms at the Third Party’s site to protect or prohibit access to New Hanover County Government confidential information.
Security of Third Party Connections will be achieved by implementing “Access Control Lists” on the Partner Gateway routers to which the Third Party sites are connected. The ACLs will restrict access to pre-defined hosts within the internal New Hanover County Government network. The ACLs will be determined by the appropriate support organization. A set of default ACLs may be established as a baseline.
Enable-level access to New Hanover County Government-owned/maintained routers on Third Party premise will only be provided to the appropriate support organization. All other business personnel (i.e. Partner Site local technical support personnel) will have restricted access/read-only access to the routers at their site and will not be allowed to make configuration changes.
New
Hanover County Government shall not have any responsibility for ensuring the
protection of Third Party information. The Third Party shall be entirely
responsible for providing the appropriate security measures to ensure
protection of their private internal network and information.
H.
Audit and Review of Third Party Network Connections
The appropriate New Hanover County Government network support group will monitor all aspects of Third Party Network Connections - up to, but not including Company’s firewall. Where possible, automated tools will be used to accomplish the auditing tasks.
Quarterly audits will be performed on all New Hanover County Government-owned/maintained Third Party router/network device configurations and the appropriate New Hanover County Government network support group will review the output. Any unauthorized changes will be investigated immediately.
All Third Party Network Connections will be reviewed on a quarterly basis and information regarding specific Third Party Network Connection will be updated as necessary. Obsolete Third Party Network Connections will be terminated.
I. New Hanover County Government Corporate IT Information Security Organization
New Hanover County Government Corporate IT Computer Services Division has the responsibility for maintaining related policies and standards. Computer Services Division will also provide advice and assistance regarding judgment calls, and will facilitate information gathering in order to make a correct decision. Global coordination of confidentiality and non-disclosure agreements with all third parties is also the responsibility of New Hanover County Government Computer Services Division.
J. New Hanover County Government Network Services
The Computer Services Division is responsible for all global firewall design, configuration and engineering required for support of the New Hanover County Government Network.
Attachment 3
THIRD PARTY CONNECTION REQUEST - INFORMATION
REQUIREMENTS DOCUMENT
In accordance with the Network Connection Policy, this completed Information Requirements Document must accompany all requests for Third Party Network Connections. The New Hanover County Government person or group requesting the Network Connection should complete this document.
A.
Contact Information
Requester Information
Name:
Department Number:
Manager's Name:
Director's Name:
Phone Number:
Email Address:
Technical Contact Information
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Pager Number:
Email Address
Back-up Point of Contact:
Name:
Department:
Manager's Name:
Director's Name:
Phone Number:
Pager Number:
Email Address
B.
Problem Statement/Purpose of Connection
What is the desired end result? Company must include a statement about the business needs of the proposed connection.
C.
Scope of Needs (In some cases, the scope of needs may be jointly
determined by the supporting organization and the Third Party.)
What services are needed? (See Section D. of Network Connection Policy)
What are the privacy requirements (i.e. do you need encryption)?
What are the bandwidth needs?
How long is the connection needed?
Future requirements, if any.
D.
Third Party Information
Third Party Name
Management contact (Name, Phone number, Email address)
Location (address) of termination point of the Network Connection (including building number, floor and room number)
Main phone number
Local Technical Support Hours (7X24, etc).
Escalation List
Host/domain names of the Third Party
Names (Email addresses, phone numbers) of all employees of the Third Party who will use this access. If not appropriate to list the names of all employees, then provide a count of the number of employees who will be using the connection.
E.
What type of work will be done over the Network Connection?
What applications will be used?
What type of data transfers will be done?
How many files are involved?
What are the estimated hours of use each week? What are peek hours?
F.
Are there any known issues such as special services that are required? Are
there any unknown issues at this point, such as what internal New Hanover
County Government services are needed?
G.
Is a backup connection needed? (e.g., are there any critical business needs
associated with this connection?)
H.
What is the requested installation date? (Minimum lead-time is 60 days)
I.
What is the approximate duration of the Third Party Network Connection?
J.
Has a Non-Disclosure Agreement been sign with the Third Party or the
appropriate employees of the Third Party?
K.
Are there any exiting Network Connections at New Hanover County Government with
this company?
L. Other useful information
CHANGE HISTORY:
|
Version |
Date |
Author |
Comments |
|
A |
03/19/02 |
SCT |
Original Document |
|
B |
07/22/02 |
SCT |
Revised references to Computer Services Division |
|
C |
07/08/04 |
SCT |
Editing Changes only |
|
|
|
|
|