Skelly_IT Strategic Plan Refresh Update_20220505_GTG-Proposal

209.678.3077 ♦ Projects@govtechgroup.net Copyright© Government Technology Group (GTG) 2022. All rights reserved.

Proposal for Information Technology Strategic Plan Refresh

to
South Tahoe Public Utility District
1275 Meadow Crest Dr.
South Lake Tahoe, CA 96150

From
2930 Geer Rd Suite 273
Turlock, CA 95382
(209) 678-3077
projects@GovTechGroup.net

Contents

Executive Summary
Firm Qualifications
Project Team Qualifications
Project Approach
Project Time Schedule
Proof of Insurance
Exhibit A – Scope of Work
Exhibit B – Project Costs and Standard Fee Schedule
Exhibit C – Security Assessment Scope
Exhibit D - Additions and Exceptions
Exhibit E - Project References
Exhibit F - Resumes
Exhibit G - Backup, Restore, Disaster Recovery (BRDR)

Letter of Transmittal

March 23, 2022

Chris Skelly, Information Technology Manager
South Tahoe Public Utility District
1275 Meadow Crest Dr.
South Lake Tahoe, CA 96150

Subject: Information Technology Strategic Plan Proposal by Government Technology Group, LLC

Dear Mr. Skelly,

Government Technology Group, LLC (GTG) respectfully submits this proposal of work to South Tahoe Public Utility District to complete an Information Technology Strategic Plan Refresh that will guide district technology for the next 5 years.

GTG is a technology consulting firm comprised of public service information technology leaders. We have extensive experience in local government with practical, hands-on, real-life expertise delivering traditional business applications and network infrastructure technologies. We have developed and implemented technology plans for Dublin San Ramon Services District; the cities of Victorville, Concord, Danville, Hayward, Sunnyvale, Ventura, Chico, Vacaville, Santa Barbara; the housing authorities of Alameda and San Mateo; and Riverside County. We will deliver the same for the South Tahoe Public Utility District.

In addition, GTG has partnered with Spirent for their security expertise in technology-based penetration and vulnerability testing/reporting.
Spirent’s experience includes substantial work for agencies world-wide, including the following government agencies: City of San Jose, City of Mission Viejo and City of Rockville, MD. Spirent will provide support for security testing as outlined in Exhibit C.

We are confident that, based on the Request for Proposal (RFP), Government Technology Group meets or exceeds the conditions asked for in the selection criteria. In this Covid-19 era, most of the consulting and engineering work will be primarily performed virtually using Zoom. If, as is being projected, the pandemic recedes by mid-year then on-site work can be reevaluated.

Thank you for your consideration and we look forward to discussing the proposed projects further with you.

Sincerely,

Jeff Lewis, PMP, CGEIT
Principal Consultant
Jeff@GovTechGroup.net

Executive Summary

Technology plays a vital role in helping the South Tahoe Public Utility District (STUPD) improve service delivery and streamline district operations to achieve cost efficiencies and increased productivity. Technology enables innovation in business and operational processes and users are demanding new technology to simplify or speed their work.

The extensive integration of technology into the District’s operations and services and its great potential to deliver benefit requires the District to make careful decisions about when, where, and how to use it. Business and operational strategies and the resource management of personnel, assets, and services drive informational requirements and strategies. Only then can the organization move from data, to insight, to action, to outcome using technology to deliver actionable information to power business and operational decisions.
Government Technology Group LLC (GTG), a consulting group of former local government CIOs and IT leaders, with the support of our sub-contractor Spirent, a security expert with extensive penetration and vulnerability testing, will provide STUPD an Information Technology Strategic Plan that will ensure STUPD’s ability to effectively use technology to support, optimize, enhance, and extend its operations and business processes while protecting it from security threats.

We do this through a structured, phased approach that builds on the earlier stages and findings to discover and resolve foundational gaps in technology and organization, recommend road maps and prioritizations, and enlighten and energize workforce support for a coherent and integrated district-wide technology portfolio. Each subject discipline is addressed through technical research that becomes part of the greater Information Technology Strategic Plan as outlined in our Statement of Work.

The information reviewed in our analysis is a collaborative effort with District staff through conversations, surveys, meetings, workshops, and reviews, supplemented by subject matter expertise and awareness of industry best practices and evolving trends. Extensive communication is key, and our project initiation process ensures that joint expectations are fully understood and met throughout the project with regular meetings and reporting.

Our schedule, a work plan of twenty to twenty-two weeks (Strategic plan and Disaster recovery at same time vs contiguous), is exemplary of how each project phase is memorialized in a milestone and it is flexible to meet District staffing and operational requirements. Background preparatory activities for each milestone will be continuous throughout the project to meet the stated objectives and deliverables.
As technology leaders in our recent organizations and now in consulting, GTG provides significant, hands-on project experience delivering technology advancement in cities, agencies, and districts, working with public funds while answering to City Councils and District Boards of Directors. Like you, we have continually held the responsibility to design, plan and implement complex network and software projects. We get it done! Recent projects include network upgrades, cybersecurity, telephony, ERP implementations, enterprise content document management systems, websites, SCADA networks and security, CMMS asset management systems, cloud office systems, among others. We have been successful through partnering with the user communities to accomplish these upgrades, conversions, and replacements without interruption to the critical work of the organizations.

Spirent has a long history of successful security analysis, design, development, and resolution for high level corporations.

The combined strength of these two firms meets all the required qualifications with a history of accomplishment delivering technology-based strategic plans and security assessments for local government agencies to take advantage and protect itself with new technologies. Our two firms are prepared to assist with the District’s Technology Plan that will position the agency to embrace these advancements.

STUPD’s Information Technology Strategic Plan will become a framework for the next 5 years that will facilitate the alignment of technology to the strategic intent of the District operations and allow the District to target investments and develop capabilities that contribute to achieving strategic and organizational objectives while protecting its assets and reputation.
The resulting governance structure will provide a process discipline to ensure that new projects and opportunities are thoroughly vetted. The Plan will guide and enable decisions on how technologies support operational and business processes and help staff collaborate within and across divisional boundaries. A portfolio of systems perspective on systems integration will guarantee that enterprise business rules are consistently applied, that the integrity of data is not compromised, interfaces and information flows are standardized, and that connectivity, security and interoperability requirements are managed. It will lay out steps towards technology convergence, striving towards a standard, supportable technology portfolio for the District.

If STUPD proceeds with the Disaster Recovery Plan refresh, the Government Technology Group will complete the project in conjunction with the Strategic Plan refresh or serially as desired by the agency and staff resource availability.

Firm Qualifications

Government Technology Group LLC (GTG), formed in 2019 (combining Priest Consulting with the Government Technology Group representing 10 years of Consulting Services), represents over 100 years of professional technology experience by its principals. After 20 plus years of joint inter-agency cooperation, consulting and personal collaboration with each other and their respective agencies’ technologies, a group of former Bay Area CIOs expanded a technology consulting firm that specializes in government technology challenges.
We have assisted a number of clients with IT assessments, strategic planning, and master plans which includes Victorville, Santa Barbara, Hayward, Vacaville, DSRSD, Housing Authority of Santa Clara County, Housing Authority of Alameda, and the Greater Vallejo Recreation District to name a few. This includes Water/Wastewater/Recycled Water Special District and municipalities with water/wastewater facilities.

Our expertise includes planning and implementation of complex, major software installations and operations in the following areas, where we have provided problems that impact organizations such as STUPD:

Network Infrastructure Enterprise Network Architecture Network Operations & Engineering SCADA WAN & IP Network Engineering Availability & Capacity Management Contingency Planning/ Business Resumption Security Administration – Zero Trust Firewall/VPN/IDP/AntiVirus/ AntiSpyware/AntiMalware/Web Filtering Internet Service Provision Telephony - Voice - Telephones - Cell Phones - Call Center - Presence – Messaging System Administration Windows System Administration File and Print Services Microsoft Office 365 Local & Cloud Directory Services Administration Server Configuration Management Storage Area Network Administration ECMS (Enterprise Content Management) System Administration Application & Storage Virtualization Exchange Messaging Operations Backup Operations Desktop and Mobile Hardware & Software Software Licensing Application Administration Application Support and Administration Application Change/Release Management Application Integration Application Configuration Reporting Programming eO&M Automated Meter Infrastructure Secure Utility Billing and Permitting Customer Internet Portals Help Desk Management Management Information Systems Data Warehousing Business Intelligence Management Dashboard Cloud Technical Workforce Management Enterprise Resource Planning (ERP) SQL Database Operations & Administration Software Training Internet Websites SharePoint CMMS Asset Management

Spirent Security Labs has more than 1,700 customers across Africa, Asia, Europe, Latin America, and North America. Spirent’s team of experts are dedicated to providing penetration testing, managed vulnerability scanning services, and security best practices training. Our team has experience working with numerous global institutions providing scanning and penetration services

Project Team Qualifications

Government Technology Group

GTG will assign Mr. Jeff Lewis as the primary consultant, and Mr. Guenther and Mr. Priest as subject matter experts (SME)/Senior consultants to the project. GTG will also be partnering with Spirent Security Labs for this project to enhance our expertise in penetration testing, managed vulnerability scanning services, and security best practices.

Jeff Lewis, MPA, PMP, CGEIT – Project Manager

Jeff Lewis is a veteran in the field of Information Technology and has a career that spans over thirty-eight years in public, private, and non-profit sectors including positions in local government, medical, and technology consulting. He has served as Chief Information Officer for multiple local government and non-profit agencies, is a founding member of the Government Technology Group (www.GovTechGroup.net) and has served as the Director of Smart Region Initiative at Joint Venture Silicon Valley. As a CIO Jeff has led Smart City, broadband, technology strategic and GIS planning, enterprise architecture, policy, and research initiatives for local government.

Mr. Mark Guenther, CGCIO - Systems and Programming Expert

Mr. Guenther is a retired municipal Chief Information Officer with a wide range of hands-on technical expertise. In both the CIO and consulting roles, he has overseen the successful implementation of citywide enterprise resource planning (ERP) systems, permitting systems and utility billing functions, including secure online customer access to permit and utility accounts.

Mr. Clancy Priest, IEEE – Network and Systems Expert

Mr. Priest is a retired 30+ year municipal Chief Information Officer who has been part of several organizations. Mr. Priest is currently an independent technology consultant offering a wide range of technical expertise. His education is in the technical field with a BS in engineering. Mr. Priest has a wide range of technical abilities with an emphasis on project and program management, with extensive experience in various forms of information technology and executive management.

Spirent Team Credentials and Certifications

• OSCP (Offensive Security Certified Professional)
• OSCE (Offensive Security Certified Expert)
• OSWE (Offensive Security Web Expert)
• GXPN (GIAC Certified exploit researcher and advanced penetration tester)
• GPEN (GIAC Penetration Tester)
• GICSP (Global Industrial Cyber Security Professional)
• NSA ISAM (NSA InfoSec Assessment Methodology Certification)
• CISSP (Certified Information Systems Security Professional)
• CREST CCT APP (Crest Certified Tester – Applications)
• CREST CPSA (CREST Practitioner Security Analyst)
• CREST CRT (CREST Registered Penetration Tester)
• UCP (Unix Certified Programmer)
• M.S Computer Science
• M.S Electrical Engineering
• B.S Computer Science
• B.S Mechanical Engineering
Project Approach

GTG’s assessment and strategic technology planning methodology is built on the combined experience of our group in delivering services to public agencies. GTG will perform an assessment of STUPD’s current technology use and the strengths and weaknesses of the current technology. The technology assessment activities will provide the foundation upon which the Information Technology Strategic Plan will be built.

The principal consultants that will be involved with this project have completed a number of projects similar to the one proposed. Below is a list of IT Master/Strategic plans or IT Assessments that were completed by our team:

City of Victorville – IT Strategic Plan – 2021
City of Hayward – IT Strategic Plan – 2009
City of Santa Barbara – IT Strategic Plan – 2012
Hayward Unified School District – Fiber Optic Plan – 2013
Alameda County Office of Education – IT Assessment – 2013
City of Benicia – IT Assessment – 2013
City of Alameda Housing Authority – IT Master Plan – 2013
City of San Leandro – Wireless Master Plan – 2013
City of Vacaville – IT Master Plan – 2014
City of Cupertino – IT Assessment – 2015
City of San Rafael – Document Management Plan – 2015
Dublin Unified School District – IT Assessment – 2015
Greater Vallejo Recreation District – IT Assessment – 2018
Town of Danville – IT Master Plan – 2016
Dublin San Ramon Service District – IT Master Plan – 2017

GTG’s methodology will be focused on the involvement and interaction with the department users of technology and those setting the business and operations direction for STUPD. GTG’s Information Technology Strategic Planning methodology creates processes that yield positive results.
GTG’s proposed work plan includes several phases that build upon one another through actions and technical reports that ultimately become part of the South Tahoe Public Utility District Information Technology Strategic Plan:

The first phase establishes the foundation for effective communication and the successful completion of the project. The second phase focuses the assessment on STUPD’s current environment and how technology resources support operations, gaps, opportunities and of STUPD’s technology service delivery and management. The next phase builds the tools and vision for the future of STUPD Portfolio of Technology. Here workshops and road maps contribute to the understanding of how that future can be achieved. The final step follows a structured methodology to develop a Master Plan that is supported by the information gathered in the “Assessment” and “Vision” phases to develop recommendations and projections for future technological improvements and business and operational process changes.

PROJECT INITIATION

Planning Meeting

The purpose of this phase is to share our proposed work plan and schedule. This stage includes confirming GTG’s understanding, as well as the understanding of the stakeholders, regarding the scope of work and the process for accomplishing the overall objectives of the project. GTG will meet with STUPD’s Project Manager and other key staff to refine and confirm the detailed scope of work, project timeline, deliverables, project status reporting methods, project participants (i.e., sponsor, subject matter experts, technical resources, etc.), and other items to ensure a well-planned project. During this step, we will tentatively build with STUPD workshop attendance lists as needed.
Based on GTG’s experience on similar projects, Project Timeline, the project schedule shall be refined with the project manager from STUPD. The success of achieving this schedule largely depends on the availability, participation, and knowledge of STUPD assigned staff. GTG will submit monthly progress reports to STUPD showing completion progress for each task and associated subtasks. GTG will also provide an earned value report to compare completion progress versus budget spent.

Deliverables: Draft and Final Project Plan.

Project Initiation Meeting

Since the project will have an organization-wide impact, it is important to proactively communicate with all impacted staff to ensure a clear understanding of project goals and objectives, roles and responsibilities, approach, tasks, and timeline. This meeting also provides the opportunity to introduce the GTG personnel to STUPD staff and should involve senior level management and project sponsors. It is important that all STUPD staff that will be involved in the project, regardless of their role, participate in the Project Initiation Meeting.

Deliverable: Project Initiation Meeting

ASSESSMENT PHASE

In this step, GTG will work closely with the organization’s technology stakeholders to perform a comprehensive assessment of existing technologies and staffing, including technology and skill gaps that will identify current strengths and weaknesses, including high level documentation of existing District information systems.

To reduce cost and add value, GTG plans to use STUPD’s existing survey conducted in 2020 to assess and determine overall satisfaction in terms of technology service delivery, support and projects desired. STUPD’s existing survey will be the mechanism that provides all technology users input into future technology needs. GTG will document STUPD’s future vision for the use of technology and the gap analysis between that vision and the current technological realities.
In those areas where the assessment provides an inventory of opportunities, GTG will provide one or more recommended actions, an assessment as to the relative priority of each recommendation, and an action plan that considers the relative importance of each recommendation and a recommended timeframe for implementation.

VISION PHASE

Using the assessment of the current environment, the next phase focuses on planning the future. GTG’s Technology Assessment evaluates whether STUPD’s technology infrastructure and support organization is prepared to support the current and future needs of STUPD by reviewing key operational “assessment dimensions,” which are described briefly below. This will assist GTG to collaboratively develop plans for STUPD’s systems.

♦ Governance – Evaluation of the current technology organization and assessment of its skills, staffing levels, and capability to maintain and support operation of current and future systems.
♦ Service Delivery – Evaluation of the daily operation of the technology environment including budget, service metrics, maintenance, help desk, configuration management, change management and capacity management.
♦ Application Support – Evaluation of the processes and methods to support business and operational applications.
♦ Security – Evaluation of STUPD’s technology security and data protection practices.
♦ Infrastructure – High level review of the network, servers, desktops, telephony, storage configurations, remote access, data storage, server management, telephony, enterprise systems, plant technology, enterprise asset management, document management, mobile technology, security, database architecture analysis, software applications, and operational procedures.
♦ Administration – Examination of the technology documentation relative to processes, policies, and procedures, standards, file retention, operating manuals, and training.

These evaluative considerations will become a part of a framework to ensure current and future technology projects meet STUPD needs and can be supported long term.

Using the above criteria and findings to date, GTG will facilitate a series of workshops with STUPD system users to assess and collaboratively develop plans for the current technology environment, articulate barriers to full utilization of those technologies, industry best practices, “Best of Breed” research, and planned uses and expansion of the technology in the future. The workshops will be held for the aggregated identified systems in the RFP and attended by department managers, super users and key support staff as directed by STUPD.

GTG will work with STUPD to review and use the findings of previous stages. During this phase, GTG will facilitate workshops that use a multi-step process to arrive at a STUPD-wide prioritization of identified projects that will provide the basis for roadmaps for the Information Technology Strategic Plan. The scope of work outlines the many documents that will make up the milestones to support the Plan.

STRATEGIC PLAN

GTG will incorporate work products and technical research from previous tasks as the foundation for the development of STUPD’s Strategic Plan. GTG will use this information, as well as other information provided by staff and independent research, to create a draft of the Strategic Plan and review it with STUPD. Upon completion and acceptance of the final Technology Master Plan, GTG will give a professional presentation summary to multiple audiences, including the Executive Team and the Board if desired.

Deliverable: Draft and Final Master Plan and Master Plan
PENETRATION TESTING

GTG will be using SecurityLabs (sub-contractor) to perform the security testing segment of our tasks. The SecurityLabs team of experts is dedicated to providing penetration testing, managed vulnerability scanning services, and security best practices training. Our team has experience working with numerous global institutions providing scanning and penetration services on networks, applications, and IoT devices as well as source code analysis. Following is a summary of the work they will perform as outlined in Exhibit C.

Proposed Scope of Testing

Spirent will perform security testing services for the client including Internal Network Vulnerability Scan and External Network Penetration Testing.

Internal Network Vulnerability Scan

Spirent SecurityLabs Internal Network Vulnerability Scan will perform a thorough assessment of the in-scope target environment and output detailed recommendations to improve the security posture of the client’s internal infrastructure.

Project Planning:
• Spirent SecurityLabs and representatives of the client will formalize the scheduling, logistics and identifying client contacts.

Assessment and analysis:
• Spirent SecurityLabs will conduct an interactive port scan of the client’s internal infrastructure to identify active IP addresses and open ports.
• All open ports on active IP addresses are analyzed to determine software, services and configurations. This information is then cross-referenced with a comprehensive commercial knowledge base of vulnerabilities to identify potential threats to the client's internal infrastructure.
External Network Penetration Testing

Spirent SecurityLabs External Network penetration test represents an effort to discover network infrastructure and services configuration weaknesses and to uncover exploitable vulnerabilities regarding insecure server configuration, default system passwords, unpatched servers with known vulnerabilities, insecure firewall configuration, insecure communications, information leakage and improper error handling. This test will be focused on pen testing network infrastructure such as firewalls, external routers, e-mail servers, web servers and virtual hosts, etc. through both automated and manual pen testing techniques, and then create a list of actionable weaknesses.

The penetration testing project proceeds in the following phases:

Project Planning:
• Spirent SecurityLabs and representatives of the client will formalize the scheduling, logistics and identifying client contacts.

Assessment and analysis:
• Spirent SecurityLabs will perform Open-Source Intelligence (OSINT) to gather as much information as possible about the client’s Internet footprint.
• Spirent SecurityLabs will conduct an interactive port scan of the client’s external infrastructure to identify active IP addresses and open ports.
• All open ports on active IP addresses will then be analyzed to determine software, services, version and configuration for hosts.
• While the exact activities within a penetration test will vary depending upon the technology used in the environment, engagements will generally adhere to the following approach:
  • Reconnaissance – Passive information gathering about the target organization and the associated network.
  • Network Mapping
  • Automated Vulnerability Scanning
  • Service Enumeration
  • Service Banner and Version Enumeration
  • Testing for Published Vulnerabilities and Misconfigurations:
    o Insufficient and/or lack of authentication
    o Protocol weaknesses
    o Configuration issues
    o Unpatched Services, Applications as well as Operating Systems
    o Information Leakage
  • Exploitation
  • Identifying Administrative Interfaces:
    o Username Enumeration
    o Check for default and/or common passwords
    o Check for authentication/authorization issues
    o Logical errors
  • Post Exploitation
  • Data Exfiltration
  • Clean-up

Deliverables

Spirent SecurityLabs will deliver a comprehensive report detailing any discovered security vulnerabilities, impact, suggested remediation, and ample evidence needed to support the finding, as well as information needed to reproduce the finding.

Assumptions

• Services will be provided remotely from Spirent Security Labs.
• Client will provide access to specified target(s) to be assessed.
• Client to identify the process to communicate any critical findings during assessment engagement.

Remote assessment using a jump-box

Testing will be conducted by SecurityLabs consultants remotely via a jump-box. The jump-box is a physical or virtual device (a virtual machine) that will be provided to the client prior to the commencement of the engagement and to be connected to their internal infrastructure in scope. We were provided with the information that the internal network is split into segments (three VLANs) so the client should work together with Spirent SecurityLabs on the assignment and help with switching the jump-box from one VLAN to another on-demand.

Roles and Responsibilities

• Client - Complete an Assessment Questionnaire.
• Client and Spirent SecurityLabs Consultant - Conduct a kick-off call prior to testing.
• Spirent SecurityLabs Consultant to establish connectivity to the target(s).
• Spirent SecurityLabs Consultant to Test the target(s).
• Spirent SecurityLabs Consultant to Deliver reports and review findings

Length of Testing

The testing will be done in blocks, some done sequentially, some done concurrently by several individuals, in close coordination. The length of testing for the work currently proposed is 1-2 weeks. The time period includes testing, creation of the draft report, review of draft report with the client, and issuance of the final report.

Testing Locations

Assessment Type: Testing Location
Internal Network Vulnerability Scan: Remote with Spirent provided Jumpbox with the client’s onsite support
External Network Penetration Test: Remote

Quality Assurance/Quality Control Program

GTG follows the Project Management Book of Knowledge waterfall process to monitor and manage quality control. This includes creating approval criteria and setting quality standards during the initiating phase, deciding on what to focus on and building quality into the project during the planning phase, tracking status reporting and change control during the Executing, Monitoring and Controlling phase and documenting lessons learned and importing documents during the closing phase as outlined in the following image.

The following five steps will be used during the four phases of the project management process to develop a quality control process:

Phase I – Initiating
Step 1. Set your quality standards.

Phase II - Planning
Step 2. Decide which quality standards to focus on.
This allows your agency and GTG to ensure quality in all aspects of the project by focusing on the most important measures — those that have the biggest effect on your agency and your customer experience. This will improve the ability to get results quickly and also keep the project team focused so that it avoids becoming overwhelmed.

3. Create processes to build quality into the project.
Well-designed processes lead to high-quality products and services. This step will include working closely with STUPD’s project manager in creating requirements to measure against and documenting team responsibilities for accountability. In addition to this, the two project managers will work closely together and with their teams to build a communication plan including Technical Memorandums, weekly status reports, the project schedule, budget, change and quality plans to monitor and control.

Phase III – Executing, Monitoring and Controlling
4. Review your results to ensure quality standards are being met.
During this step status reporting will be reviewed regularly to see how well the Technology Plan process is meeting its quality standard including change control and contract management.

5. Make improvements to ensure quality in future projects.
There is always room for improvement. This phase includes a project evaluation and review of deliverables, lessons learned and archiving of documents for future projects to improve upon.

GTG recommends creating a SharePoint or Cloud storage area hosted by STUPD for sharing documents during the project to assist with project collaboration, tracking and quality control.
Outputs of Perform Quality Control
• Measurements
• Validated changes
• Updates to project management plan and project documents
• Change requests
• Lessons learned
• Validated deliverables

Project Time Schedule

Schedule

The vulnerability assessment and Information Technology Strategic Plan Refresh will be done in conjunction with each other. The Disaster Recovery Plan refresh can be done in conjunction as well or start at the end of the assessment and plan completion. If on its own, we anticipate sixty days for completion.

We anticipate the Disaster Recovery Plan update would be best done during the Strategic Plan Refresh to reduce cost. The time estimate stays the same, 60 days, either during or after the Strategic Plan process. If during, the cost to complete the DR refresh is $10,000. If after, we estimate $18,000 due to duplicating meetings and effort required if it is a standalone project.

Proof of Insurance

Prior to commencement of work, Government Technology Group (GTG) will provide the South Tahoe Public Utility District with evidence of appropriate insurance, including general liability, professional liability, and automobile. GTG has no employees and is exempt from workers' compensation insurance coverage per state law.

Exhibit A – Scope of Work

Scope of Work to be Performed by GTG

A: Expected Actions
1. Conduct an analysis of the District’s current technology environment.
2. Conduct an assessment of the District’s IT Governance.
3. Identify practical and relevant public sector industry standards related to IT management, internal and external factors and perform a SWOT Analysis.
4. Identify any existing and available outsourcing relationships and opportunities.
5. Conduct an internal and external penetration test per Exhibit C.
6. Evaluate and identify means to accommodate current and emerging technology requirements and trends facing the district.
7. Assess organizational IT needs by meeting with representatives from the operational areas that IT supports either by producing a stakeholder survey results document or using the existing one performed by the agency to reduce strategic planning costs.
8. Identify workflow processes to ensure efficient service management and delivery to business units and the public.
9. Evaluate and identify IT processes or staffing deficiencies based on a global view of the projects identified both in the updated IT Strategic plan and the district’s ten-year plan.
10. Identify and assess any deficiencies or gaps in infrastructure, equipment, software, security, networks, email services, or business continuity.
11. As requested, perform a Disaster Recovery Plan Update per Exhibit F. Disaster Recovery (DR) is a strategic security planning model that seeks to protect an enterprise from the effects of natural or human-induced disaster. A DR plan maintains critical functions before, during, and after a disaster event, thereby causing minimal disruption to business continuity. Disaster recovery and data backups go hand in hand to support Business Continuity (BC).

B: Deliverables
A final strategic plan will comprise:
1. An executive summary that effectively communicates the information reviewed
2. A summary of findings and prioritized recommendations
3. A comprehensive document of findings and prioritized recommendations
4. A project plan outlining projects by priority that includes timelines and cost estimates
5. Technology Stakeholder findings based off the Q4 2020 survey.
6. IT focused Disaster Recovery Plan
7. Executive summary and detailed findings documents from the penetration test

C: ANTICIPATED WORK PRODUCTS
GTG will draft a 5-year IT Master Plan consisting of an executive summary, findings, recommendations, prioritized recommendations, and proposed implementation plan consistent with the Request for Proposal. The plan shall compare current operations with industry standards and use such comparison as the basis for recommended actions. After review and consultation of the draft IT Master Plan with District staff, a final IT Master Plan, which will be created from the draft IT Master Plan and incorporate recommendations and strategies from District staff, will be submitted to the District for approval as necessary. Both the draft and final IT Master Plan shall include order of magnitude cost estimates associated with proposed work and resource procurement. As a final deliverable, GTG will provide a presentation to District if desired of the IT Master Plan, including methodologies utilized in its development.

Exhibit B – Project Costs

Standard Fee Schedule:

The total fixed cost to the South Tahoe Public Utility District for an Information Technology Strategic Plan Refresh and Security test is $78,340 and includes all work to be completed by GTG as stated in this proposal including the Security Assessment and Disaster Recovery plan update.
Both the Security Assessment and Disaster Recovery cost can be removed as desired by STUPD. If the Disaster Recovery Plan piece is removed, we estimate an additional $8,000 to complete the project on its own. GTG will invoice STUPD per the schedule below. Invoices are payable on net 30 terms from the date of invoice. This is an estimate per the documented scope of work (SoW) and is subject to change if the SoW changes.

Description: Cost

Project Management: $8,970.00
  Project Initiation
  Project Kickoff Meeting
  Meetings and Plan Management
Discovery: $10,725.00
  Asset Inventory
  Technology Trends and Review
  Needs and Goals Assessment
  Gap Analysis
Vision: $9,945.00
  Develop Technology Recommendations
  Create Confidential Security Report
  Phased Implementation Plan
Strategic Master Plan Final: $13,650.00
  Master Plan Draft
  STUPD Review of Master Plan Draft and Security Findings
  Report Out to Board, Management, Divisions
Incidentals & Travel: $1,950.00
Security Assessment and Vulnerability Testing: $23,100.00
Disaster Recovery Refresh: $10,000.00
Not to Exceed: $78,340.00

Proposed Fee Schedule
$23,502 upon contract signature
$23,502 upon start of Vision Phase
$23,502 upon start of Technology Master Plan
$7,834 upon completion of Technology Master Plan

The following is GTG standard hourly fee schedule for prime and subconsultant’s project team members and administrative staff. All rates do include base wages, fringes, insurance, taxes, expendables, overhead, and profit. Hourly charge justification will be described in our issued invoices for work outside the scope. Descriptions for work outside the scope will include date performed, description of work performed and number of hours to complete the work.
Prime/Senior Consultants - $195.00 per hour
Subconsultants – Spirent’s standard rate outside the scope of this project is $250 per hour
o Hourly travel rate for key personnel and any per-diem rates are not applicable for this project.
o There are no anticipated rate increases for the duration of this project.

Exhibit C – Security Assessment Scope: Spirent SecurityLabs Proposal for South Tahoe Public Utility District (STUPD)

CREST Certified International Member Company

Spirent SecurityLabs © Spirent Communications. All Rights Reserved. Spirent.com/products/securitylabs-cybersecurity-services

1. INTRODUCTION
1.1 About Spirent
1.2 About Spirent SecurityLabs
1.3 Proposed Scope of Testing
1.3.1 Internal Network Penetration Testing
1.3.2 External Network Penetration Testing
1.3.3 Wireless Penetration Test
1.4 Deliverables
1.5 Assumptions
1.6 Roles and Responsibilities
1.7 Pricing
1.8 Length of Testing
1.9 Testing Locations
1.10 Team Credentials and Certifications
1.11 Media and Publications

1. INTRODUCTION

1.1 About Spirent

Spirent Communications enables innovations in communications technologies that help connect people. Whether it is service providers, data centers, enterprise IT networks, mobile communications, connected vehicles, or the Internet of Things, Spirent solutions are working behind the scenes to help the world communicate and collaborate faster, better, and more securely. The world’s leading innovators rely on Spirent's expertise to help them design, develop and deliver best-in-class solutions to their customers. Our broad portfolio of innovative products and services is organized into three operating segments that address a wide range of our customers’ needs.
Spirent’s Networks and Applications, Wireless and Service Experience, and Service Assurance solutions support customers’ needs across the entire technology lifecycle from proof of concept to subscriber experience. With more than 1,700 customers across Africa, Asia, Europe, Latin America, and North America our cutting-edge verification, assessments, and analytics solutions help to deliver unsurpassed service experience while meeting business objectives of reducing churn, increasing revenue, and strengthening market share.

Spirent specializes in helping enterprises and government agencies effectively create custom testing strategies to test and monitor critical infrastructures such as networks, wireless, web and mobile applications, embedded devices, IoT devices, and industrial control systems. Our customers depend on us to help them take proactive measures to protect against cybercrime and data breaches from internal and external threats.

1.2 About Spirent SecurityLabs

The SecurityLabs team of experts is dedicated to providing penetration testing, managed vulnerability scanning services, and security best practices training. Our team has experience working with numerous global institutions providing scanning and penetration services on networks, applications, and IoT devices as well as source code analysis with extensive experience with local government clients such as:
• City of San Jose, CA
• City of Mission Viejo, CA
• City of Rockville, MD

1.3 Proposed Scope of Testing

Spirent will perform security testing services for the client including Internal Network Penetration Testing, External Network Penetration Testing, and Wireless Penetration Testing.
1.3.1 Internal Network Penetration Testing

Spirent SecurityLabs Internal Network penetration test performs a thorough assessment of the in-scope target environment and outputs a detailed deliverable with both tactical & strategic recommendations to improve the security posture of the customer’s infrastructure. Although the entire process comprises both automated and manual testing, the main emphasis is placed on manual penetration testing to avoid generic output.

The internal network penetration test report outlines the customer’s current state of security through an executive summary, implemented protection mechanisms, discovered vulnerabilities, their exploitation, and impact, evidence of exploitation, risk rating, as well as strategic recommendations.

While the exact activities within a penetration test will vary depending upon the technology used in the target environment, the following list illustrates some of the attack vectors covered by Spirent SecurityLabs:

• Unauthenticated
  o Host discovery
  o Vulnerability Scan
  o Port Scan 1-65535 (TCP and UDP) with ping disabled
  o Enumerate Domain Users
  o Service enumeration and banner grabbing
  o Identify admin interfaces
  o OS Fingerprint
  o Default and Common passwords check
  o SNMP Test - Read and Write using common strings
  o SMB Check
  o ARP cache poisoning
  o LLMNR / NBT-NS spoofing
• Authenticated
  o Enumeration of local users through NetBIOS NULL session.
  o Check user permissions
  o Check user groups
  o Check the last logged on date
  o Enumerate other users on the system
  o Check running services
  o Enumerate other network interfaces
  o Perform traffic capture
  o Identify established sessions/connections
  o Enumerate connected users
  o Authenticated Scan (key-based for Linux)
  o Check running services
  o Check services that run on startup
  o Perform scanning and analysis on network peers
• Windows
  o Unauthenticated
    • Enumerate open ports
    • Establish null session
    • Enumerate Shares
    • Audit NetBIOS
    • SMB Scanning
    • Bruteforce Shares
    • Enumerate Users
    • Enumerate Active Sessions
  o Authenticated
    • Dump SAM File for offline cracking
    • Enumerate Shares
    • Enumerate Active Processes
    • System Information
    • Missing Patches and Known Vulnerabilities
• Linux
  o Unauthenticated
    • Authentication Options
    • Identify default or weak SSH Keys
    • Root logins
    • Inetd services
    • Session prediction
    • Unauthenticated services (anonymous FTP, NFS, etc.)
    • Unencrypted services
  o Authenticated
    • View files in other user's directories
    • Check SUID on binaries
    • Check shells available to users
    • Check for locations logs are written to
    • Check for trusted systems
    • Examine .history, .bash_history, etc.
    • Check for cron jobs for anything writing to a remote system
    • Check for credentials in scripts
    • Check for SSH keys to other systems
    • Copy shadow password file for offline cracking

1.3.2 External Network Penetration Testing

Spirent SecurityLabs External Network penetration test represents an effort to discover network infrastructure and services configuration weaknesses and to uncover exploitable vulnerabilities regarding insecure server configuration, default system passwords, unpatched servers with known vulnerabilities, insecure firewall configuration, insecure communications, information leakage, and improper error handling. This test will be focused on pen testing network infrastructure such as firewalls, external routers, e-mail servers, web servers, virtual hosts, etc. through both automated and manual pen testing techniques, and then create a list of actionable weaknesses.

The penetration testing project proceeds in the following phases:

1. Project Planning:
• Spirent SecurityLabs and representatives of the client will formalize the scheduling, logistics, and identifying client contacts.

2. Assessment and analysis:
• Spirent SecurityLabs will perform Open Source Intelligence (OSINT) to gather as much information as possible about the client’s Internet footprint.
• Spirent SecurityLabs will conduct an interactive port scan of the client’s external infrastructure to identify active IP addresses and open ports.
• All open ports on active IP addresses will then be analyzed to determine software, services, version, and configuration for hosts.
• While the exact activities within a penetration test will vary depending upon the technology used in the environment, engagements will generally adhere to the following approach:

Reconnaissance – Passive information gathering about the target organization and the associated network.
  i. Network Mapping
  ii. Automated Vulnerability Scanning
  iii. Service Enumeration
  iv. Service Banner and Version Enumeration
  v. Testing for Published Vulnerabilities and Misconfigurations:
     1. Insufficient and/or lack of authentication
     2. Protocol weaknesses
     3. Configuration issues
     4. Unpatched Services, Applications as well as Operating Systems
     5. Information Leakage
  vi. Exploitation
  vii. Identifying Administrative Interfaces:
     1. Username Enumeration
     2. Check for default and/or common passwords
     3. Check for authentication/authorization issues
     4. Logical errors
  viii. Post Exploitation
  ix. Data Exfiltration
  x. Clean-up

1.3.3 Wireless Penetration Test

The Spirent SecurityLabs Wireless Penetration test aims to gauge the resilience of our customer’s wireless infrastructure against various attack vectors.

1. Project planning:
• Spirent consultants identify key characteristics of the customer’s asset and construct guidelines for an assessment.

2. Assessment and analysis:
The wireless security assessment ensures a thorough coverage through various phases starting with a site survey to map the wireless network and identify rogue access points. Although not exhaustive, below is a list of tests performed during the wireless Pen test:
• Site Survey and Enumerate wireless networks
• 802.11 Network Reconnaissance
• Enumeration of Authentication Protocols
• Testing Access Control
• Testing segregation between guest and corporate network
• Identify weakly encrypted networks
• Capture and analyze wireless network traffic to gain information about internal systems and wireless network peers
• Attack captive-portal authentication gateways
• Gain unauthorized access to the administrative interfaces
• Perform Evil-Twin attacks, spoofing, or wireless Man-in-the-Middle as allowed by the Rules of Engagement.
• Access point de-authentication to test resiliency against Denial-of-Service attacks
• Access point configuration review, including:
  o Network design & architecture
  o Policies
  o RADIUS server configuration review (if any)
  o Rules review for Access control, filtering, authentication/authorization, logging, and segmentation

1.4 Deliverables

Report

Spirent SecurityLabs will deliver a comprehensive report detailing any discovered security vulnerabilities, impact, suggested remediation, and ample evidence needed to support the finding, as well as information needed to reproduce the finding.

1.5 Assumptions
o Services will be provided remotely from Spirent Security Labs.
o The client will provide access to specified target(s) to be assessed.
o Client to identify the process to communicate any critical findings during assessment engagement.

1.5.1.1 Remote assessment using a jump-box

Testing will be conducted by SecurityLabs consultants remotely via a jump-box. The jump-box is a physical or virtual device (a virtual machine) that will be provided to the client prior to the commencement of the engagement and to be connected to their internal infrastructure in scope.

We were provided with the information that the internal network is split into segments (three VLANs) so the client should work together with Spirent SecurityLabs on the assignment and help with switching the jump-box from one VLAN to another on-demand.

1.6 Roles and Responsibilities
• Client - Complete an Assessment Questionnaire.
• Client and Spirent SecurityLabs Consultant - Conduct a kick-off call prior to testing.
• Spirent SecurityLabs Consultant to establish connectivity to the target(s).
• Spirent SecurityLabs Consultant to Test the target(s).
• Spirent SecurityLabs Consultant to Deliver reports and review findings

1.7 Length of Testing

The testing will be done in blocks, some done sequentially, some done concurrently by several individuals, in close coordination. The length of testing for the work currently proposed is 2-3 weeks. The time period includes testing, creation of the draft report, review of the draft report with the client, and issuance of the final report.

1.8 Testing Locations

Assessment Type: Testing Location
Internal Network Penetration Test: Remote with Spirent provided Jumpbox with the client’s onsite support
External Network Penetration Test: Remote
Wireless Penetration Test: Remote with Spirent provided Jumpbox with the client’s onsite support

1.9 Media and Publications

Spirent SecurityLabs Website: https://www.spirent.com/products/securitylabs-cybersecurity-services
Blog: http://www.spirent.com/Blogs/Security
Twitter: @SpirentSecurity
Spirent Security Channel: https://www.youtube.com/channel/UCj4pLd3dUdl4p5w1Gcv-hmQ

Exhibit D – Additions and Exceptions:

1. Contract Article III Section F.1: GTG does not have employees; Workers Compensation is not needed.
2. Contract Article III Section F.2: The agency does not own any company cars. Its principals maintain $500,000 personal auto coverage.
3. The City included options for a Strategic Plan Refresh, Vulnerability Assessment and Disaster Recovery plan option. These projects can work in conjunction or independently including inclusion or exclusion of cost to complete them as outlined in the Standard Fee Schedule section of Exhibit B.

Exhibit E – Project References

Project References

Three Project References that best support the proposed teams’ stated qualifications:

Janine Burrier
Assistant Director of Housing: Policy, Training and Outreach
Janine.Burrier@scchousingauthority.org
Office - (408)993-3067
Santa Clara County Housing Authority
Project Manager for Interest List, Tenant Application Portal Business Systems
June 2019 – November 2021

Savita Chaudhary
Director of Information Technology/CIO, City of Berkeley
SChaudhary@ci.berkeley.ca.us
Office – (510) 981-6426
City of Berkeley (formerly with the City of Vacaville)
Vacaville IT Strategic Planning, Technology Assessment, Gap Analysis, Business Process Review
2016

City of Lancaster (formerly with the City of Victorville)
Joe Haggard
Senior IT Manager
jhaggard@cityoflancasterca.org
(661) 723-6060
Victorville IT Master Plan, 2021

Exhibit F - Resumes

JEFF LEWIS, PMP, CGEIT – Principal Consultant for Overall Project Management

Jeff Lewis is a veteran in the field of Information Technology and has a career that spans over thirty-eight years in public, private, and non-profit sectors including positions in local government, medical, and IT consulting. He has served as Chief Information Officer for multiple local government and non-profit agencies, is a founding member of the Government Technology Group (www.GovTechGroup.net) and has served as the Director of Smart Region Initiative at Joint Venture Silicon Valley. As a CIO Jeff has led Smart City, broadband, IT strategic and GIS planning, enterprise architecture, policy, and research initiatives for local government. Specific areas of responsibility included developing and advancing Smart City initiatives, digital government, security policy, innovation, and emerging technologies.
During this tenure, he served as the lead executive for numerous enterprise IT initiatives, projects, and efforts to improve business processes. Jeff is a lifetime member of the Municipal Information Systems Association of California (MISAC) and has won the MISAC Excellence award 10 years in a row for implementing best practices in local government. Jeff has served as President of MISAC, and currently serves on the Education and Smart City committees.

EDUCATION:
• Masters Public Administration (MPA)
  Stanislaus State, Turlock CA
• Bachelor of Science
  Stanislaus State, Turlock, CA
  Emphasis: Computer Science
• Minor
  Stanislaus State, Turlock, CA
  Emphasis: Business Administration
• Certified in the Governance of Enterprise IT (CGEIT)
  Information Systems Audit and Control Association (ISACA)
• Project Management Professional (PMP)
  Project Management Institute (PMI)

QUALIFICATIONS:
• Technology Strategic Planning
• Project management and oversight services.
• Broadband Solutions: Creation of Broadband plans, networks and best practices.
• Smart City: Develop and implement Smart City Solutions including support for the Internet of Things (IoT).
• Cloud Strategy and Implementation
• Security: IT Security audits and implementations protecting intellectual property.
• Business Process Improvement
• Contract Negotiation
• Mobility: e-commerce, e-business strategies and wireless infrastructure for field operations and community access.
• Network Planning: Architect enterprise wide network infrastructure.
• Project Management: Created project management program and materials.
• Governance: Develop governance programs
• Training Program Development
• Systems Migration Planning
• Policies and Procedures Development
• MISAC Award Application Assistance
• Business Continuity and Disaster Recovery expertise.
• Geographical Information Systems (GIS).
• Cable Franchise Agreements (PEG).
• Change Management expertise.
• eBusiness/eGovernment and World Wide Web presence.
• Enterprise Resource Planning (ERP) implementation.

MARK GUENTHER, CGCIO – Principal Consultant for Systems Review and Evaluation

Mr. Guenther is also a recently retired municipal Chief Information Officer who has been part of several organizations as detailed in his résumé. Mr. Guenther is currently an independent technology consultant offering a wide range of technical expertise. In both the CIO and consulting roles, he has overseen the successful implementation of city wide enterprise systems including finance (AP, GL, PR, Budget), community development (Permits) and utility billing functions including online access to permit and utility accounts for customers (Tyler Munis) for Hayward, California and Danville, California. Prior to focusing on IT management, he implemented numerous systems, both those which were developed in-house and others that were configured commercial packages which created automated systems for financial and community development functions.

EDUCATION:
• Certified Government Chief Information Officer (CGCIO™)
  Rutgers University/Public Technology Institute, Newark, New Jersey
• Bachelor of Science
  University of San Francisco
  Major: Applied Economics
• Associate of Arts
  Diablo Valley College, Pleasant Hill, California
  Emphasis: Computer Science

QUALIFICATIONS:
• 30+ years’ experience in the information technology field
• Staff development and mentoring
• Project management and oversight
• Change Management expertise.
• Enterprise Resource Planning (ERP) implementation
• Permit and Inspection System implementation
• Public Safety System implementation, including Police and Fire
• Document and Enterprise Content Management
• Business Analysis and Business Process Review
• eBusiness/eGovernment and Web presence.
• Internal Service Fund (ISF) budget preparation and oversight.

EXPERIENCE:
Government Technology Group
Principal, Information Technology Consultant, June 2019 to Present

City of Hayward, California
Director of Information Technology/CIO, September 2012 to May 2015 (Retired)
Information Technology Manager, September 2002 to September 2012 (Retired)
Programmer/Analyst, January 1990 to September 2002

Western Exhibitors, Inc, San Francisco, California
Data Processing Manager, April 1982 to January 1990

CLANCY PRIEST, IEEE – Principal Consultant for Network(s) Review and Evaluation

Mr. Priest is a retired 30+ year municipal Chief Information Officer who has been part of several organizations as detailed in his résumé. Mr. Priest is currently an independent technology consultant offering a wide range of technical expertise. His education is in the technical field with a baccalaureate in engineering. Mr. Priest has a wide range of technical abilities with an emphasis on project and program management, with extensive experience in various forms of information technology and executive management. Mr. Priest has a vast knowledge base of the various forms of automation and of the continual technological evolutions that prevail in the technology profession.

EDUCATION:
• Energy Systems Engineer, Oberstufenzentrum für Elektro-und Energietechnik, Berlin, Germany. Major: Electro-Mechanical Engineering. (Baccalaureate)
• Energy Systems Practical Internship, Ausbildungszentrum für Siemens Aktiengesellschaft, Berlin, Germany. Practical Internship in Engineering Program. (Professional License)
• Commercial & Industrial Development Management, University of California, Irvine. 2-year program for Project Management. (Certificate)

QUALIFICATIONS:
• Technology Strategic Planning
• Project management and oversight services.
• Change Management expertise.
• Independent Validation & Verification (IV&V) of projects.
• Telecommunications and Interoperability planning, including RoIP, P25 compliance.
• Public Safety technologies, including Police, Fire and Military
• Business Process Review and engineering.
• Business Continuity and Disaster Recovery expertise.
• Network Systems (LAN, WAN, MAN), including infrastructure planning.
• Dataflow planning (routing, switching, etc.).
• Geographical Information Systems (GIS).
• Telephony telecommunications including Cellular, PBX and VoIP.
• Cable Franchise Agreements (PEG).
• eBusiness/eGovernment and World Wide Web presence.
• Inter- Intra- and Extranet planning and implementation.
• Enterprise Resource Planning (ERP) implementation.
• Document and Enterprise Content Management.
• Disaster Recovery, Database Management and System Security.
• Training and needs assessment, Technology Strategic Planning.
• Total Cost of Ownership (TCO) and Return on Investment (ROI) studies.
• Internal Service Fund (ISF) budget preparation and oversight.
• Inter-Departmental technology planning.

EXPERIENCE:
Government Technology Group
Principal, Information Technology Consultant, June 2019 to Present

City of Hayward, California
Director of Information Technology/CIO, February 2002 to September 2012 (Retired)

C. R. Priest, Consulting
Sole Proprietor, Independent Information Technology Consultant, March 2001 to February 2002 and September 2012 to June 2019

City of San Buenaventura, (Ventura) California
CIO, April 1999 to March 2001

City of Chico, California
Director of Information Systems, January 1996 to April 1999

County of Riverside - GSA Purchasing and Material Services Department
Departmental Information Systems Coordinator, September 1992 to January 1996

RELATED PROFESSIONAL QUALIFICATIONS:
• State License; Energy Systems Engineer issued by the Department of Industry and Commerce, Federal Republic of Germany
• State License; Energy Systems Technician issued by the Department of Industry and Commerce, Federal Republic of Germany
• City of Chico Management Academy Graduate (with curriculum from CSU Chico)

VOLUNTEER WORK:
• Advisory Committee Member/Speaker, Bay Area Technology Forum, 2008 - present.
• Technical advisor to the Bay Area UASI BayRICS Communication System

Exhibit G – Backup, Restore, and Disaster Recovery (BRDR)

Backup, Restore, and Disaster Recovery

Backup and Restore (BR): The copying of data into a secondary form (i.e., archive file), which can be used to restore the original file in the event of a disaster.

Disaster Recovery (DR): A strategic security planning model that seeks to protect an enterprise from the effects of natural or human-induced disaster, such as a tornado or cyber-attack. A DR plan aims to maintain critical functions before, during, and after a disaster event, thereby causing minimal disruption to business continuity.

Disaster recovery and data backups go hand in hand to support Business Continuity (BC).

The Differences

Backups are the copies of essential files that enable a full restore.
Most organizations utilize multiple backup solutions at the same time. Listed below are some of the different types of backup solutions:
• Full Backup
• Incremental Backup
• Differential Backup
• Mirror Backup
• Local Backup
• Offsite Backup
• Online Backup

Remote backups refer to the actual copies or copying of files and data. Disaster recovery (DR), on the other hand, encompasses the full strategy for responding to a disaster event and putting the backups into action. DR is the umbrella under which backups reside. You may have a specific data backup strategy, but responding to a disaster means preparing for a worst-case scenario. Who oversees getting applications back online? How will you manage customer relations if there is a data breach? The difference between disaster recovery and backups is about answering these types of questions, which go to the core of a BRDR plan.

Creating A Disaster Recovery Plan

The difference between disaster recovery and backups is about strategy versus solution. A DR plan is strategic and encompasses a whole philosophy of thinking. Creating a disaster recovery plan depends on completing a risk assessment, business impact analysis and infrastructure assessment that will help you identify critical applications, IT services and the infrastructure to support them. Then an organization can create Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) based on its unique environment. Only after completing these initial steps can an organization begin the process of developing a disaster recovery plan that includes both prevention and response protocols.

GTG approach to BRDR

The difference between disaster recovery and backups may be clear, but a comprehensive BRDR plan will leverage those differences to develop a comprehensive DR strategy that includes an effective backup policy, disaster prevention strategies, and response protocols. Almost 90% of businesses without a DR plan fail after a disaster.
The best way to prevent this type of failure is to be prepared by creating a disaster recovery strategy before disaster strikes.