Legislation Details

File #: 23-0228   
On agenda: 7/18/2023 Final action: 7/18/2023
Enactment date: Enactment #: Agreement No. 23-364
Recommended Action(s)
Approve and authorize the Chairman to execute the Second Amendment to Agreement with Troncore, LLC, for additional information technology (IT) security auditing and testing, effective upon execution, with no change to the term of October 6, 2020 through October 5, 2025 and increasing the maximum compensation amount by $132,000 to a total of $747,000.
Attachments: 1. Agenda Item, 2. Agreement A-23-364 Amendment No. 2

DATE:                     July 18, 2023

 

TO:                     Board of Supervisors

 

SUBMITTED BY:                     Robert W. Bash, Director, Internal Services/Chief Information Officer

 

SUBJECT:                     Amendment No. 2 to Agreement with Troncore, LLC.

 

RECOMMENDED ACTION(S):

TITLE

Approve and authorize the Chairman to execute the Second Amendment to Agreement with Troncore, LLC, for additional information technology (IT) security auditing and testing, effective upon execution, with no change to the term of October 6, 2020 through October 5, 2025 and increasing the maximum compensation amount by $132,000 to a total of $747,000.

REPORT

There is no additional Net County Cost associated with approval of the recommended action, which will increase the maximum agreement compensation to account for costs associated with necessary additional internal and external penetration testing of the County’s IT network and infrastructure to comply with current IT security standards and with the increasingly stringent security testing required for Health Insurance Portability and Accountability Act (HIPAA) compliance. This item is countywide.

 

ALTERNATIVE ACTION(S):

 

Should your Board not approve the recommended action, the Internal Services Department - Information Technology (ISD - IT) division would be unable to meet HIPAA compliance requirements for information technology security, and may not be able to identify and minimize potential network vulnerabilities.

 

FISCAL IMPACT:

 

There is no increase in Net County Cost associated with the recommended action. The recommended agreement increases the maximum compensation by $132,000 to a total of $747,000 and will be funded with portions of the rates charged to user departments. Sufficient appropriations and estimated revenues have been included in the ISD-IT Org 8905 FY 2023-24 Recommended Budget and will be requested in future years.

 

DISCUSSION:

 

On October 6, 2020, your Board approved Agreement No. 20-394 with Troncore, LLC (“Troncore”) for IT security auditing and testing services for the County’s IT systems (Agreement). After commencing services, ISD - IT identified a need to amplify these services for continued compliance with increasingly stringent HIPAA regulations, as well as a greater need to increase the security of the County’s IT systems from possible outside intrusions. In order to minimize areas of vulnerability, ISD - IT anticipates greater usage of Troncore’s services. Should an intrusion attempt be successful, considerable amounts of sensitive health information in the possession of the County could become compromised.

 

On February 22, 2022, your Board approved Amendment No. 1 to the Agreement to increase the maximum total by $300,000 to a total of $615,000 in order to meet the increased need for HIPAA compliance.

 

Troncore provides internal and external penetration testing of technology networks, data analysis services, and findings and recommendations to County departments.

 

At this time, ISD - IT maintains extensive sensitive information associated with covered entities, County employees, and County vendors. The County is committed to the protection of this information; therefore, ISD - IT has identified a need to expand the scope of the current internal and external penetration testing of the County’s IT network and infrastructure by Troncore in order to identify network vulnerabilities. As such, there is a need to increase the maximum compensation by $132,000.

 

Approval of the recommended action will increase the maximum compensation amount by $132,000 to a total amount of $747,000, and will allow ISD - IT to maximize its use of internal and external penetration testing in order to improve the security of the County’s IT systems, minimize network vulnerabilities, and maintain compliance with HIPAA regulations.

 

REFERENCE MATERIAL:

 

BAI #44, February 22, 2022

BAI #33, October 6, 2020

 

ATTACHMENTS INCLUDED AND/OR ON FILE:

 

On file with Clerk - Amendment No. 2

 

CAO ANALYST:

 

Ahla Yang