IBM Infrastructure Security Services
Managed Security Information and Event Management
Service Description
Z126-6526-AT-1 04-2014 Page 1 of 34 Z126-6526-WW-1 04-2014



IBM Managed Security Information and Event Management
As of: April 2014

Table of Contents

1.0 Scope of Services ........ 5
2.0 Definitions ........ 5
    2.1 General Terms ........ 5
    2.2 QRadar Technology Terms ........ 6
    2.3 Service Roles ........ 7
3.0 Managed SIEM Services Contacts ........ 7
    3.1 Security Operations Center ........ 7
    3.2 Points of Contact ........ 7
        3.2.1 IBM Point of Contact Responsibilities ........ 7
        3.2.2 Your Point of Contact Responsibilities ........ 8
        3.2.3 IBM Authorized Services Contacts Responsibilities ........ 8
        3.2.4 IBM Designated Services Contacts Responsibilities ........ 9
        3.2.5 Your Authorized Security Contacts Responsibilities ........ 9
        3.2.6 Your Designated Services Contacts Responsibilities ........ 9
4.0 Managed SIEM Foundational Features ........ 9
    4.1 MSS Portal ........ 9
        4.1.1 IBM MSS Portal Responsibilities ........ 10
        4.1.2 Your MSS Portal Responsibilities ........ 10
        4.1.3 IBM MSS Portal Users Responsibilities ........ 10
        4.1.4 Your MSS Portal Users Responsibilities ........ 10
    4.2 Security Reporting ........ 11
        4.2.1 IBM Security Reporting Responsibilities ........ 11
        4.2.2 Your Security Reporting Responsibilities ........ 11
    4.3 IBM X-Force Threat Analysis ........ 11
        4.3.1 IBM Security Intelligence Responsibilities ........ 11
        4.3.2 Your Security Intelligence Responsibilities ........ 12
5.0 Managed SIEM Service Phases ........ 12
    5.1 Phase One – Project Initiation and Planning ........ 12
        5.1.1 IBM Project Initiation and Planning Responsibilities ........ 12
            Activity 1 - Kickoff ........ 12
            Activity 2 - Requirements Definition and Planning Session ........ 13
        5.1.2 Your Project Initiation and Planning Responsibilities ........ 13
    5.2 Phase Two – SIEM System Design ........ 14

IBM Österreich Internationale Büromaschinen Gesellschaft m.b.H.
A-1020 Wien, Obere Donaustraße 95
Telephone (01) 211 45-0*
Fax (01) 216 08 86
Registered office: Wien. Commercial register number FN 80000 y, commercial register court HG Wien. DVR: 0003824


        5.2.1 IBM SIEM System Design Responsibilities ........ 14
            Activity 1 - Process and Data Gathering ........ 14
            Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation ........ 14
            Activity 3 - Architecture Design ........ 15
            Activity 4 - System Design ........ 15
            Activity 5 - Design Review ........ 16
        5.2.2 Your SIEM System Design Responsibilities ........ 16
    5.3 Phase Three – Implementation ........ 16
        5.3.1 IBM SIEM System Implementation Responsibilities ........ 16
            Activity 1 - Install Console Appliance ........ 17
            Activity 2 - Customize Console Appliance ........ 17
            Activity 3 - Deploy Log Collection for Production Environment ........ 18
            Activity 4 - Deploy Flow Collection for Production Environment ........ 18
            Activity 5 - Initial Tuning for Production Environment ........ 18
        5.3.2 Your SIEM System Implementation Responsibilities ........ 18
    5.4 Phase Four – Integration and Transition ........ 20
        5.4.1 IBM Integration and Transition Responsibilities ........ 20
            Activity 1 - Staged Transition to Ongoing Operational Support ........ 20
            Activity 2 - Reports Definition and Validation ........ 21
            Activity 3 - Readiness Assessment ........ 22
            Activity 4 - Initiate Steady State Operations ........ 22
        5.4.2 Your Integration and Transition Responsibilities ........ 22
    5.5 Phase Five – Ongoing Operational Support ........ 23
        5.5.1 IBM Ongoing Operational Support Responsibilities ........ 23
            Activity 1 - Threat Analyst Event Monitoring and Notification ........ 23
            Activity 2 - SIEM System Infrastructure Management ........ 24
            Activity 3 - SIEM System Change Requests ........ 25
        5.5.2 Your Ongoing Operational Support Responsibilities ........ 25
6.0 Managed SIEM Optional Features ........ 26
    6.1 Custom Parser Creation ........ 26
        6.1.1 IBM Custom Parser Creation Responsibilities ........ 26
            Activity 1 - Custom Parser Creation ........ 26
    6.2 Reports Generation, Review, and Analysis ........ 26
        6.2.1 IBM Reports Generation, Review, and Analysis Responsibilities ........ 26
            Activity 1 - Reports Generation, Review, and Analysis ........ 26
    6.3 General SIEM Consulting ........ 27
        6.3.1 IBM General SIEM Consulting Responsibilities ........ 27
            Activity 1 - General SIEM Consulting ........ 27
        6.3.2 Your General SIEM Consulting Responsibilities ........ 27
    6.4 Ticket System Integration ........ 27
        6.4.1 IBM Ticket System Integration Responsibilities ........ 27
            Activity 1 - Ticket System Integration ........ 27
        6.4.2 Your Ticket System Integration Responsibilities ........ 27
    6.5 Vulnerability Scanner Integration ........ 28
        6.5.1 IBM Vulnerability Scanner Integration Responsibilities ........ 28
            Activity 1 - Vulnerability Scanner Integration ........ 28

    6.6 QRadar Vulnerability Manager Integration and Management ........ 28


        6.6.1 IBM QRadar Vulnerability Manager Integration and Management Responsibilities ........ 28
            Activity 1 - QRadar Vulnerability Manager Integration and Management ........ 28
        6.6.2 Your QVM Responsibilities ........ 28
7.0 Service Level Agreements ........ 29
    7.1 SLA Overview ........ 29
    7.2 SLA Definitions ........ 29
        7.2.1 Service Availability ........ 29
        7.2.2 Portal Availability ........ 29
        7.2.3 Security Incident Identification and Notification ........ 29
        7.2.4 SIEM Agent Health Alerting ........ 30
    7.3 SLA Root Cause Analysis ........ 30
    7.4 SLA Remedies ........ 31
8.0 Deliverable Materials ........ 31
9.0 Other Terms and Conditions ........ 31
    9.1 Intellectual Property Services Components ........ 31
    9.2 Permission to Perform Testing ........ 32
    9.3 Disclaimer ........ 33
    9.4 Employment of Assigned Personnel ........ 33


IN ADDITION TO THE TERMS AND CONDITIONS SPECIFIED BELOW, THIS SERVICES DESCRIPTION INCLUDES THE “IBM MANAGED SECURITY SERVICES GENERAL PROVISIONS” (“GENERAL PROVISIONS”) LOCATED AT http://www-935.ibm.com/services/at/gts/html/contracts_landing.html AND INCORPORATED HEREIN BY REFERENCE.

1.0 Scope of Services

IBM Managed Security Information and Event Management (“Managed SIEM”, “MSIEM” or “Services”) is designed to help you plan, implement, manage, and monitor a SIEM System based on your identified business requirements. The Services features described herein are dependent upon the availability and supportability of the products and product features being utilized; this includes both IBM-provided and non-IBM-provided hardware, software, and firmware. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request.

This Services Description is between the Customer referenced herein (also called “you” and “your”) and International Business Machines Corporation (“IBM”, or “Service Provider”).

The MSIEM Service is performed in phases:

Phase One – Project Initiation and Planning: During this phase, IBM assists you with defining and compiling requirements and develops a Project Plan.

Phase Two – System Design: During this phase, IBM creates an architectural and system design for your environment. If the SIEM System is already deployed, IBM performs a design review.

Phase Three – Implementation: During this phase, if not already deployed, IBM installs and configures the SIEM System components and verifies that data is being transmitted and reported.

Phase Four – Integration and Transition: During this phase, IBM develops processes and corresponding documentation and begins transitioning management and monitoring to the operational support team.

Phase Five – Ongoing Operational Support: During this phase, IBM provides steady state management and monitoring of the SIEM infrastructure.

2.0 Definitions

2.1 General Terms

Alert Condition (“AlertCon”) – a global risk metric developed by IBM, using proprietary methods. The AlertCon is based on a variety of factors, including quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. The four levels of AlertCon are described in the MSS Portal.

Authorized Security Contacts – your decision-maker on all operational issues pertaining to IBM Managed Security Services.

Change Request (CR) – a specific modification to the SIEM System configuration after the initiation of steady state operations, including Event Source and SIEM System component moves, adds, and deletes, SIEM Agent reorganization, network hierarchy modifications, correlation Rule and policy exception alert creation or revision, and report creation beyond the original set.

Designated Services Contacts – your decision-maker on a subset of operational issues pertaining to IBM Managed Security Services.

Education Materials – include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other training-related property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents, and presentation slides provided by IBM.

End Date – the last date of Services based on the Project Start Date and Contract Period as specified in the Schedule.

Event Source – any operating system, application, agent, daemon, appliance, or device that will be transmitting security event logs or data to the SIEM System.

IBM Managed Security Services (“IBM MSS”) Portal (called “MSS Portal”) – provides access to an environment (and associated tools) designed to monitor and manage security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.

Incident – a security event that requires analysis, investigation, containment, eradication, remediation, or prevention.

Information Request – an email that IBM sends to an Authorized Security Contact or Designated Services Contact to assist IBM with Incident investigation, Offense Rules refinement, and the proactive integration of outputs from the Incident management lifecycle into the overall SIEM System configuration.

Issue – a non-security event that requires analysis, investigation, or resolution.

MSS Portal Users – users of the MSS Portal with different levels of authorization to the MSS Portal. MSS Portal Users can have restricted, regular, or administrative MSS Portal access to all MSS Agent(s) or just a subset of MSS Agent(s). The MSS Portal views and permissions available to the Portal Users are dictated by the Authorized Security Contact.

Service Feature – a line item in the Schedule that describes a specific component of the Service and is associated with a one-time charge or monthly charge.

Service Questionnaire – a pre-defined list of data collection questions presented by IBM to you for completion prior to deployment or transition.

Services Recipient – any entity or individual receiving or using the Services, the results of the Services, or acting on behalf of the end user in receiving or using the Services, or the results of the Services.

SIEM Agent – the term used to collectively describe any distributed SIEM component.

SIEM System – the hardware and software components and modules that collectively make up the Security Information and Event Management infrastructure.

Ticket – a record created in the problem reporting system that requires action to be taken by you or by IBM as appropriate.

2.2 QRadar Technology Terms

Dashboard – the default view that is displayed when logging into QRadar; it provides a customizable workspace environment that supports multiple assortments which can be used to view network security, activity, or data that QRadar collects.

Device Support Module (DSM) – the software component that parses incoming events into the QRadar standardized format.

Flow – a collection of packets constituting communication between hosts that share some common properties.

Log Source – maps incoming Event Source format to a DSM for parsing enhancement or parsing override.

Magnitude – specifies the relative importance of the Offense and is a weighted value that is calculated based on relevance, severity, and credibility.

Offense – (also referred to as Incident if declared as such), a message sent or event generated in response to a monitored condition. For example, an Offense informs you if a policy has been breached or the network is under attack. It is an event that has been processed through QRadar using multiple inputs, individual events, and events combined with analyzed behavior and vulnerabilities. Magistrate prioritizes the Offenses and assigns a Magnitude value based on several factors including number of events, severity, relevance, and credibility.

Offense Manager – the interface used to configure Offenses.

QRadar Vulnerability Manager (QVM) – this add-on module, activated via a license key, provides an integrated Dashboard which consolidates results from multiple vulnerability scanners, risk management solutions, and external threat intelligence; includes a high-speed internal scanner which supports discovery, non-authenticated, authenticated, and Open Vulnerability Assessment Language (OVAL) scans and external scanning capabilities to see the network from an attacker’s viewpoint; allows suppression of acceptable, false positive, or otherwise non-mitigated vulnerabilities from ongoing reporting and presents data within the overall context of security and threat posture. Can be set up to run both dynamic and periodic scans.


Rules – a series of tests that monitors events and flows for a pattern or matching condition to generate a response, typically an Offense.

Sentry – monitors collections of Views (flow filters) to generate events and alerts.

uDSM – a “universal” Device Support Module that is customized by IBM to parse incoming events from the native format of a customer-specific Event Source into the QRadar standardized format.

View – an on-screen display of data that is organized in a specific way that normalizes flow data and defines how flow data is filtered.
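The QRadar terms defined above (Event Source, DSM and uDSM, Log Source, Rule, Offense, Magnitude) fit together as one pipeline: a parser normalizes each native event into the standardized format, Rules test the normalized stream, and a matching Rule raises an Offense whose Magnitude weighs relevance, severity and credibility. The Python model below is an added example and is not QRadar code or IBM's implementation. The native log format, the normalized field names, the rule threshold and the magnitude weights are all constructed for illustration, since this Service Description names the inputs to Magnitude but not the formula.

```python
"""
Illustrative model of the QRadar concepts defined in section 2.2.
Added example code, not QRadar's implementation: the native format,
field names, rule tests and magnitude weights are constructed.
"""
from dataclasses import dataclass
import re
from typing import List, Optional

# --- Normalized event: the "standardized format" a DSM parses into ------------
@dataclass
class Event:
    source: str          # Log Source name (constructed)
    category: str        # normalized category, e.g. "auth.failure"
    src_ip: str
    user: Optional[str]
    severity: int        # 1..10, derived from the native "level" field
    raw: str             # original line, kept for analyst review

# --- A uDSM-style parser for a customer-specific native format ----------------
# Constructed native format: "<app>|<result>|user=<u>|ip=<a.b.c.d>|level=<n>"
LINE_RE = re.compile(
    r"^(?P<app>[\w-]+)\|(?P<result>\w+)\|user=(?P<user>\S*)"
    r"\|ip=(?P<ip>[\d.]+)\|level=(?P<level>\d+)$"
)

def parse_native(line: str, log_source: str = "custom-app") -> Optional[Event]:
    """Map one native line into the normalized Event.
    Returns None when the line does not match the format (a real DSM would
    keep such events as unparsed/stored rather than silently drop them)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    result = m.group("result").lower()
    category = {"fail": "auth.failure", "ok": "auth.success"}.get(result, "unknown")
    level = int(m.group("level"))
    return Event(log_source, category, m.group("ip"), m.group("user") or None,
                 severity=max(1, min(10, level)), raw=line)

# --- Offense with a weighted Magnitude ----------------------------------------
@dataclass
class Offense:
    rule: str
    src_ip: str
    events: List[Event]
    relevance: int       # 1..10
    credibility: int     # 1..10

    @property
    def severity(self) -> int:
        # Offense severity: the highest severity among its contributing events
        return max(e.severity for e in self.events)

    def magnitude(self, w_rel: float = 0.3, w_sev: float = 0.5,
                  w_cred: float = 0.2) -> float:
        """Weighted value over relevance, severity and credibility.
        The weights are constructed; the Service Description names the
        three inputs but does not state QRadar's actual formula."""
        return round(w_rel * self.relevance + w_sev * self.severity
                     + w_cred * self.credibility, 2)

# --- A Rule: a series of tests over the normalized event stream ---------------
def brute_force_rule(events: List[Event], threshold: int = 5) -> List[Offense]:
    """Test: at least `threshold` auth failures from one source IP
    raises one Offense for that IP (threshold is constructed)."""
    by_ip = {}
    for e in events:
        if e.category == "auth.failure":
            by_ip.setdefault(e.src_ip, []).append(e)
    offenses = []
    for ip, evs in by_ip.items():
        if len(evs) >= threshold:
            relevance = min(10, len(evs))        # rises with event volume
            offenses.append(Offense("Excessive auth failures", ip, evs,
                                    relevance, credibility=7))  # constructed
    return offenses

# --- Constructed sample input: six parseable lines plus one junk line ---------
SAMPLE_LINES = [
    "vpn-gw|fail|user=alice|ip=203.0.113.5|level=4",
    "vpn-gw|fail|user=alice|ip=203.0.113.5|level=4",
    "vpn-gw|fail|user=bob|ip=203.0.113.5|level=5",
    "vpn-gw|fail|user=carol|ip=203.0.113.5|level=5",
    "vpn-gw|fail|user=dave|ip=203.0.113.5|level=6",
    "vpn-gw|ok|user=erin|ip=198.51.100.9|level=1",
    "garbage line that the uDSM cannot parse",
]

def run(lines=SAMPLE_LINES):
    """Parse, then apply the rule; returns (events, offenses)."""
    events = [e for e in (parse_native(l) for l in lines) if e is not None]
    return events, brute_force_rule(events)

if __name__ == "__main__":
    evs, offs = run()
    print(f"parsed {len(evs)} of {len(SAMPLE_LINES)} lines; {len(offs)} offense(s)")
    for o in offs:
        print(o.rule, o.src_ip, "severity", o.severity, "magnitude", o.magnitude())
```

On the constructed sample the rule fires once, for 203.0.113.5: five failures give relevance 5, the highest event severity is 6, and with credibility 7 the weighted Magnitude comes to 5.9. The unparseable seventh line is the case a Custom Parser Creation engagement (section 6.1) exists to close: until a uDSM covers the format, those events never reach the Rules.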

2.3 Service Roles

Unless otherwise stated within the Communication Plan, the support resources assigned as Deployment Engineer, Security Services Manager, Senior Consultant, and Transition Architect will have limited hours of coverage, and support will be provided 9:00 a.m. to 5:00 p.m. Monday through Friday in the time zone selected by you (also referred to as “Business Hours”), except national and your designated holidays.

Deployment Engineer – The Deployment Engineer (DE) assists with the installation of the SIEM System components. This role participates in Phases One through Three as needed.

Security Services Manager – The Security Services Manager (SSM) also serves as an advisor and liaison to broader IBM resources, takes direction from your point of contact, and provides project management, contract management, oversight, service delivery expertise, and operational leadership to the IBM team. This role participates in all Phases throughout the contract term.

Senior Consultant – The Consultant participates in Phases One through Four to collect and map functional and non-functional requirements, offer strategic advice to stakeholders as it pertains to in-scope Services, and provide a macro and micro design or design review of the SIEM System. This role also participates in the Readiness Assessment to ensure that the SIEM configuration is primed for a smooth transition to the operational support team.

SIEM System Administrator – The SIEM System Administrator (Admin) participates in Phases Three through Five to manage the SIEM System infrastructure and perform system administration, configuration, tuning, reports generation, and various customization activities for the environment.

SIEM Analyst – The SIEM Analysts (also referred to as “Threat Analysts” and “SOC Analysts”) participate in Phases Four and Five, comprising the operational support team that provides Rule customization recommendations, eyes-on-screen monitoring for alert and Incident workflow management, and daily manual reports review and analysis when this optional Service Feature is purchased.

Transition Architect – The Transition Architect (TA) participates in Phases One through Four to coordinate and execute the transition activities to transfer management and monitoring of the SIEM System to the operational support team.

3.0 Managed SIEM Services Contacts

3.1 Security Operations Center

The Services are delivered from IBM Security Operations Centers (“SOCs”). IBM will provide access to the SOCs 24 hours per day, seven days per week during Steady State Operations.

3.2 Points of Contact

To facilitate communications with the IBM team, you will be asked to provide contacts and their access levels so that the IBM staff can validate the identity and authority of the contact prior to making system changes. Services Recipient may choose from multiple levels of access in order to accommodate varying roles within your organization: Transition Focal, Authorized Security Contacts, Designated Services Contacts, and MSS Portal Users.

3.2.1 IBM Point of Contact Responsibilities

IBM will provide a Security Services Manager (SSM) who will be IBM’s focal point during performance of the Services. The IBM SSM will:

a. review the Services Description and associated documents with your Point of Contact;
b. serve as a single point of contact to the account management and delivery teams for operational security-related activities during Transition and as the contract focal during Steady State Operations;
c. maintain and oversee relationships for delivery organizations providing security support;
d. establish and maintain communications through your Point of Contact, as defined in the section titled “Your Point of Contact Responsibilities”;
e. oversee the management of operational security activities, processes, and policies as required;
f. coordinate and manage the technical activities of IBM’s assigned personnel;
g. track and assist in the management of the resolution of reported operational security issues, recommend actions, review plans, and monitor progress of remediation activities;
h. develop and maintain a Report List for the Monthly Status Report;
i. work with the security team on the account to produce the Monthly Status Report and deliver to your Point of Contact within the scheduled timeframe;
j. work jointly with you to manage the priority of new Event Source deployment and participate in technology roadmap discussions;
k. manage Change Requests via the Contract Change Control Procedure specified in the Schedule;
l. conduct weekly briefings via teleconference with your Point of Contact and your Key Stakeholders; and
m. conduct monthly operational review teleconferences or on-site meetings with your Point of Contact and your Key Stakeholders to review security status, risks, Issues, Incidents, outstanding activities, and trends.

3.2.2 Your Point of Contact Responsibilities

Prior to the start of the Services, you will designate a person (“your Point of Contact”), to whom all communications relative to the Service will be addressed and who will have the authority to act on your behalf in all matters regarding this Services Description until Authorized Security Contacts and Designated Services Contacts are defined and included in the Communications Plan and/or the MSS Portal. Your Point of Contact will:

a. serve as the interface between IBM’s project team and your key stakeholders as it pertains to the Service;
b. provide an executive sponsor for the Service to communicate management commitment to the project;
c. facilitate IBM access to your existing applications and technical infrastructure;
d. ensure all tasks that impact resource utilization are authorized in a timely manner;
e. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services, within two business days of IBM’s request;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
g. provide specific documentation with regard to information security policy, standards, and audit controls that could assist with the discovery and requirements definition process;
h. define Authorized Security Contacts;
i. delegate authority for these responsibilities to at least one Authorized Security Contact if different from your Point of Contact; and
j. help resolve Services Issues and escalate Issues within your organization, as necessary.

3.2.3 IBM Authorized Services Contacts Responsibilities

IBM will:
a. allow you to create up to three Authorized Security Contacts;
b. provide each Authorized Security Contact with:


   (1) administrative MSS Portal permissions to your MSS Agent(s) as applicable;
   (2) the authorization to create unlimited Designated Services Contacts and MSS Portal Users;
   (3) the authorization to delegate responsibility to Designated Services Contacts;
c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the MSS Features; and
d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a pre-shared challenge pass phrase.

3.2.4 IBM Designated Services Contacts Responsibilities

IBM will:
a. verify the identity of Designated Services Contacts using an authentication method that utilizes a pre-shared challenge pass phrase; and
b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible.

3.2.5 Your Authorized Security Contacts Responsibilities

You agree to:
a. provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for:
   (1) creating Designated Services Contacts and delegating responsibilities and permissions to such contacts, as appropriate;
   (2) authenticating with the SOCs using a pre-shared challenge pass phrase; and
   (3) maintaining notification paths and your contact information, and providing such information to IBM;
b. ensure at least one Authorized Security Contact is available 24 hours per day, seven days per week;
c. update IBM within three calendar days when your Authorized Security Contact information changes; and
d. acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM Managed Security Services for which you have contracted.

3.2.6 Your Designated Services Contacts Responsibilities

You agree to:
a. provide IBM with contact information and role responsibility for each Designated Services Contact (such Designated Services Contacts will be responsible for authenticating with the SOCs using a passphrase); and
b. acknowledge that a Designated Services Contact may be required to be available 24 hours per day, seven days per week based on the subset of responsibilities for which he/she is responsible.

4.0 Managed SIEM Foundational Features

Foundational features are included with all variations of the Managed SIEM service regardless of size, complexity, geography, or underlying SIEM technology, and are not optional during the initial Contract Period. Different levels of a feature may be provided; however, these features are included with all Managed SIEM services. IBM will provide MSIEM Transition based on the complexity level and for the one-time charge specified in the Schedule.

4.1 MSS Portal

The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage the security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface. The Portal may also be used to deliver Education Materials. All such Education Materials are licensed, not sold, and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED “AS IS” AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION,


THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.

4.1.1 IBM MSS Portal Responsibilities

IBM will:
a. provide access to the MSS Portal 24 hours per day, seven days per week, except during maintenance windows and emergency maintenance if required. The MSS Portal will provide:
   (1) multiple levels of access for MSS Portal Users;
   (2) security intelligence awareness and alerting;
   (3) security Incident and/or service Ticket information;
   (4) ticketing and workflow initiation and updates;
   (5) interaction with SOC analysts;
   (6) access to Education Materials in accordance with the terms provided in the MSS Portal; and
b. provide a username, password, URL, and appropriate permissions to access the MSS Portal.

4.1.2 Your MSS Portal Responsibilities

You agree to:
a. utilize the MSS Portal to perform daily operational Services activities;
b. ensure your employees accessing the MSS Portal on your behalf comply with the Terms of Use provided therein including, but not limited to, the terms associated with Educational Materials;
c. appropriately safeguard your login credentials to the MSS Portal (including not disclosing such credentials to any unauthorized individuals);
d. promptly notify IBM if a compromise of your login credentials is suspected; and
e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from your failure to safeguard your login credentials.

4.1.3 IBM MSS Portal Users Responsibilities

IBM will:
a. provide multiple levels of access to the MSS Portal, as follows:
   (1) administrative user capabilities which will include:
      (a) creating Portal users;
      (b) submitting Services requests to the SOCs;
      (c) “live chat” communications with SOC analysts regarding specific Incidents or tickets, generated as part of the Services;
      (d) creating internal Services-related tickets and assigning such Tickets to Portal users;
      (e) querying, viewing, and updating Services-related tickets; and
   (2) regular user capabilities which will include all of the capabilities of an administrative user, for the SIEM Agents to which they have been assigned, with the exception of creating Portal users;
   (3) restricted user capabilities which will include all of the capabilities of a regular user, for the SIEM Agents to which they have been assigned, with the exception of:
      (a) creating and submitting Services requests; and
      (b) updating tickets; and
b. authenticate MSS Portal Users using a static password; and
c. authenticate MSS Portal Users using two-factor authentication tokens you provide (RSA SecurID).

4.1.4 Your MSS Portal Users Responsibilities

You agree:
a. that Portal users will use the Portal to perform daily operational Services activities;


b. to be responsible for providing IBM-supported RSA SecurID tokens (as applicable); and
c. acknowledge the SOCs will only interface with Authorized Security Contacts and Designated Services Contacts.

4.2 Security Reporting

Security reporting is provided using a combination of the MSS Portal and the native SIEM System console.

4.2.1 IBM Security Reporting Responsibilities

IBM will provide you with access to reporting capabilities within the MSS Portal which include relevant information associated with the Service. Information may include, but is not limited to, some or all of the following (where applicable):
a. number of SLAs invoked and met;
b. number, types, and summary of Services requests / Tickets;
c. number of security Incidents detected and their priority and status; and
d. list and summary of security Incidents.

4.2.2 Your Security Reporting Responsibilities

You agree to:
a. generate MSS operational reports using the MSS Portal;
b. be responsible for scheduling MSS operational reports as desired within the MSS Portal; and
c. retrieve SIEM-generated reports from the SIEM System console.

4.3 IBM X-Force Threat Analysis

Security intelligence is provided by the IBM X-Force Threat Analysis Center. The X-Force Threat Analysis Center publishes an Internet threat-level. The Internet threat-level describes progressive alert postures of current Internet security threat conditions. In the event Internet threat-level conditions are elevated to AlertCon 3, indicating focused attacks that require immediate defensive action, IBM will provide you with real-time access into IBM’s global situation briefing. Utilizing the MSS Portal, you can create a vulnerability watch list with customized threat information. In addition, each MSS Portal User can request to receive an Internet assessment email each business day. This assessment provides an analysis of the current known Internet threat conditions, real-time Internet port metrics data, and individualized alerts, advisories and security news.

NOTE: Your access and use of the security intelligence provided via the Portal (including the daily Internet assessment email) is subject to the Terms of Use provided therein. Where such Terms of Use conflict with the terms of this Agreement, the Portal Terms of Use shall prevail over this Agreement. In addition to the Terms of Use provided in the Portal, your use of any information on any links or non-IBM Web sites and resources is subject to the terms of use posted on such links, non-IBM Web sites, and resources.

4.3.1 IBM Security Intelligence Responsibilities

IBM will:
a. provide access, via the MSS Portal, to the X-Force Hosted Threat Analysis Service for all MSS Portal Users;
b. display security information on the MSS Portal as it becomes available;
c. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the MSS Portal;
d. if configured by you, provide an Internet security assessment email based on your subscription, each business day;
e. publish an Internet threat-level via the MSS Portal;
f. declare an Internet emergency if the daily Internet threat-level reaches threat-level 3;
g. provide MSS Portal feature functionality to create and maintain a vulnerability watch list;


h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and

i. provide access to the regularly produced IBM X-Force Threat Analysis Service Reports, via the MSS Portal.

4.3.2 Your Security Intelligence Responsibilities

You will use the MSS Portal to:
a. subscribe to the daily Internet security assessment email, at your option;
b. create a vulnerability watch list, if desired;
c. access the IBM X-Force Threat Analysis Service Reports; and
d. adhere to the licensing agreement and not forward Services information to individuals who do not have a proper license.

5.0 Managed SIEM Service Phases

5.1 Phase One – Project Initiation and Planning

During Phase One, the Project Plan will be created, validated, and modified as required. At the completion of this phase and prior to proceeding with further activities in this Services Description, your Point of Contact and the IBM Security Services Manager will assess the results of the Planning Session and either: 1) continue with the Services as described in this Services Description, or 2) upon request, review the possibility of modifying your contract using the Contract Change Procedure. Upon Services renewal, Project Initiation and Planning activities are not included as part of your ongoing renewable services contract.

5.1.1 IBM Project Initiation and Planning Responsibilities

Activity 1 - Kickoff

The purpose of this activity is to finalize the project team members, develop a common understanding of the Service objectives, roles, and responsibilities, and assess your readiness to implement the Service by confirming that the appropriate information is documented. IBM will:
a. facilitate a project initiation teleconference, for up to four hours, on a mutually agreed date and time to:
   (1) initiate the project;
   (2) introduce the project participants;
   (3) discuss project team roles and responsibilities;
   (4) review the project objectives;
   (5) provide an overview of the project methodology;
   (6) review your environment and organization, including:
      (a) location(s) to be included in the Services; and
      (b) emergency contact plan, including event triggers and establishment of designated telephone number(s) and email address(es);
b. provide the Service Questionnaire to you for completion which includes, but is not limited to, data gathering questions such as:
   (1) team member names, contact information, roles and responsibilities;
   (2) unique country and site requirements;
   (3) network infrastructure, addressing, and environmental data;
   (4) Event Source inventory; and
   (5) key business drivers and/or dependencies that could influence Service delivery or timelines;
c. develop a preliminary schedule of activities; and
d. agree on a date and time for the Planning Session.


Completion Criteria: This activity will be complete when the project initiation teleconference has been conducted.

Deliverable Materials: None

Activity 2 - Requirements Definition and Planning Session

The purpose of this activity is to compile your requirements and create a Project Plan with timeline and milestones. IBM will conduct a Planning Session for up to eight hours in duration on your premises to assess the environment and define SIEM System requirements. During and subsequent to the Planning Session, IBM will:
a. review the completed Service Questionnaire;
b. review and confirm your business objectives;
c. review existing security policy;
d. review existing IT security environment;
e. perform an architecture review and analysis to identify network infrastructure and communication requirements;
f. discuss industry regulations and standards that drive your data protection requirements for security auditing and event management;
g. provide you with a network access requirements document which details:
   (1) how IBM will connect remotely to your network; and
   (2) specific technical requirements to enable such remote connectivity;
h. connect to your network through the Internet, using your standard access methods;
i. if appropriate, utilize a site-to-site virtual private network (“VPN”) to connect to your network;
j. create a Project Plan that includes:
   (1) activities and tasks for this Services Description;
   (2) target start dates for the activities in this Services Description;
   (3) target completion dates for the deliverables in each activity as applicable;
   (4) identified milestones; and
   (5) responsible persons and organizations; and
k. review the Project Plan with your Point of Contact.

Completion Criteria: This activity will be complete when IBM has delivered the initial Project Plan to your Point of Contact.

Deliverable Materials: Project Plan, consisting of the following:
   (1) activities and tasks for this Services Description;
   (2) target start dates for the activities in this Services Description;
   (3) target completion dates for the deliverables in each activity as applicable;
   (4) identified milestones; and
   (5) responsible persons and organizations.

5.1.2 Your Project Initiation and Planning Responsibilities

You agree to:
a. work with IBM to schedule the project initiation teleconference such that all participants have enough notice to attend;
b. ensure, to the extent possible, that all your key stakeholders participate in the project initiation teleconference and/or the Planning Session;
c. work with IBM to schedule the Planning Session such that all participants have enough notice to attend;
d. invite and confirm attendance of all intended participants of the Planning Session, and arrange the meeting room and all logistics on your premises;


e. complete the Service Questionnaire and deliver it to the SSM five days prior to the Planning Session;
f. review each party’s respective responsibilities;
g. schedule a review of the Project Plan such that all participants have enough notice to attend;
h. review and comment on the draft Project Plan to ensure IBM can finalize the plan within five business days after submitting the draft to your Point of Contact; and
i. provide subject matter experts for each of the in-scope Event Sources.

5.2 Phase Two – SIEM System Design

5.2.1 IBM SIEM System Design Responsibilities

During this phase, IBM will work with you to design the elements of the SIEM System based on whether the Services include full implementation and transition or just transition if already deployed. Upon Services renewal, SIEM System Design activities are not included as part of your ongoing renewable services contract.

Activity 1 - Process and Data Gathering

The purpose of this activity is to gather and review process documentation and data elements that will be needed to develop or review the SIEM strategy for your environment, objectives, and constraints. IBM will:
a. conduct interview(s) and review documentation to establish the business goals, security objectives, and high-level requirements relevant to the SIEM implementation;
b. collect and review IT process documentation which may include:
   (1) Incident management;
   (2) change management;
   (3) problem management;
   (4) configuration management (including asset management);
   (5) security management (including vulnerability management and risk assessments);
   (6) availability management; and
   (7) SOC operations;
c. collect and review the following data elements:
   (1) data and Log Sources;
   (2) Flow sources;
   (3) QFlow sources;
   (4) network structure;
   (5) vulnerability tools;
   (6) asset data; and
   (7) application listing; and
d. compile collected process documentation and data elements within a central repository for use by IBM delivery personnel and your Authorized Security and Designated Services Contacts.

Completion Criteria: This activity will be complete when the aforementioned process documentation and data elements have been collected, or when their collection is waived by you because they are non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.

Deliverable Materials: None

Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation

The purpose of this activity is to define, document, and map (or review if already deployed) functional and non-functional requirements for the SIEM System. IBM will:


a. collaborate with you to define, document, and map the following functional requirements as they pertain to the SIEM System:
   (1) logging;
   (2) Event collection;
   (3) normalization;
   (4) correlation;
   (5) storage;
   (6) system access;
   (7) reporting; and
   (8) customization requirements;
b. collaborate with you to define, document, and map the following non-functional requirements as they pertain to the SIEM System:
   (1) monitoring;
   (2) retention;
   (3) reporting;
   (4) regulatory and contractual considerations;
   (5) high availability; and
   (6) disaster recovery.

Completion Criteria: This activity will be complete when the aforementioned functional and non-functional requirements have been documented, or are waived by you if non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.

Deliverable Materials: None

Activity 3 - Architecture Design

The purpose of this activity is to develop, modify, or, if already deployed, review the high-level architectural design for the Service. IBM will:
a. design and document or review architecture for installing the SIEM System hardware and software components (if not already deployed); and
b. review SIEM System architecture and make recommendations based on findings identified in the Process and Data Gathering and Detailed Functional and Non-Functional Requirements Definition and Documentation Activities.

Completion Criteria: This activity will be complete when IBM has reviewed the SIEM System architecture.

Deliverable Materials: None

Activity 4 - System Design

The purpose of this activity is to develop both macro and micro system design elements to be implemented in order to reach an initial steady state of operations. IBM will:
a. define at the macro system design level:
   (1) data/event source collection protocols and methods;
   (2) asset risk weighting criteria;
   (3) asset classification profiles;
   (4) compliance groupings for assets;
   (5) vulnerability scanner usage, configuration, and frequency;
   (6) final reporting requirements (functional and non-functional);
   (7) custom data source requirements (or validate if already defined);


   (8) use case frameworks;
   (9) customization requirements;
   (10) Dashboard requirements for the SIEM console; and
   (11) user accounts and roles;
b. define at the micro system design level:
   (1) data/event source phased integration plan;
   (2) use cases;
   (3) alert classification criteria;
   (4) vulnerability management systems and process integration plan; and
   (5) your network hierarchy (including risk weighting) and associated objects;
c. prepare the SIEM Macro and Micro Design deliverable which will include:
   (1) strategy considerations including but not limited to SIEM business drivers and goals, SIEM security objectives, and functional and non-functional requirements; and
   (2) architectural, macro, and micro design elements as defined in this Activity.

Completion Criteria: This activity will be complete when IBM has completed the system design.

Deliverable Materials: None

Activity 5 - Design Review

The purpose of this activity is to review the design and finalize the Project Plan. IBM will:
a. review the architecture and system design;
b. perform one revision of the Project Plan as appropriate;
c. deliver the final Project Plan to your Point of Contact;
d. deliver the SIEM Macro and Micro Design to your Point of Contact; and
e. if requested, review the design and Project Plan with your Point of Contact and your key stakeholders via teleconference or electronically.

Completion Criteria: This activity will be complete when the SSM has delivered the SIEM Macro and Micro Design and the final Project Plan report to your Point of Contact.

Deliverable Materials: SIEM System Macro and Micro Design and updated Project Plan

The SIEM System Macro and Micro Design will comprise strategy considerations including SIEM business drivers, SIEM security objectives, and functional and non-functional requirements. Additionally, at the macro and micro architectural level, it will include SIEM use cases, SIEM and vulnerability management system and process integration plan, SIEM alert classification criteria, SIEM data/log source phased integration plan, SIEM reporting requirements, SIEM user accounts and roles, SIEM Dashboards, SIEM uDSM integration, preliminary SIEM network hierarchy weighted by risk, and preliminary asset groups weighted by risk.

5.2.2 Your SIEM System Design Responsibilities

In order to develop a successful system design for the Service, your participation is necessary. You agree to:
a. provide current network topology diagrams and/or textual descriptions of data and communications paths, protocols, media types, and bandwidth capacity to IBM; and
b. participate in the design process as needed.

5.3 Phase Three – Implementation

5.3.1 IBM SIEM System Implementation Responsibilities

During this phase, if this optional Service Feature is purchased as specified in the Schedule, IBM will install and configure the SIEM System in the production environment and assist with transition to managed operations as documented in the Project Plan. Any required changes to the Project Plan will be handled by the IBM SSM who will either: 1) continue with the Services as described in this Services Description, or 2) use the Contract Change Procedure to modify the Services scope and corresponding


Schedule. Completion of Phase Two activities, or making available information equivalent to that resulting from Phase Two activities, is a prerequisite for the commencement of the Implementation services described herein. Upon Services renewal, Implementation activities are not included as part of your ongoing renewable services contract.

Activity 1 - Install Console Appliance

The purpose of this activity is to install and configure the console appliance. IBM will:
a. configure the following settings:
   (1) hostname;
   (2) IP address;
   (3) default gateway;
   (4) domain name servers (DNS);
   (5) email server;
   (6) passwords; and
   (7) license key;
b. test connectivity through HTTPS and SSH and ensure that the system is functioning correctly;
c. log in to the administrative interface to perform the following:
   (1) user and role creation and management;
   (2) system configuration (thresholds, authentication);
   (3) Log Source configuration;
   (4) Flow Source configuration, if included in the SIEM Macro and Micro Design;
   (5) vulnerability assessment configuration, if included in the SIEM Macro and Micro Design;
   (6) Offense resolution configuration;
   (7) Sentry and View configuration;
   (8) license management;
   (9) backup and restore functions;
   (10) local firewall;
   (11) management of internal collector interfaces;
   (12) system date and time;
   (13) database retention periods and filtering options, if applicable;
   (14) SNMP settings; and
   (15) automatic updates.

Completion Criteria: This activity will be complete when the console appliance is installed and functioning as documented in the Project Plan.

Deliverable Materials: None

Activity 2 - Customize Console Appliance

The purpose of this activity is to customize and tune the console appliance for your environment. IBM will:
a. customize Views;
b. build basic network hierarchy;
c. back up the configuration file;
d. analyze and review traffic;
e. determine if equations for detecting threats in traffic are appropriate for your requirements;
f. adjust equations in accordance with your needs;
g. create a threat exception group if necessary;
h. create Sentries for alerts;


i. analyze and identify appropriate Views/layers where Sentry can be applied;
j. add one of each type of Sentry to a View;
k. verify that Sentry works as desired;
l. configure Offense Manager;
m. create and test one custom Rule;
n. configure custom Dashboard for up to 10 users;
o. demonstrate capabilities of Dashboard to your staff; and
p. configure additional SIEM Agents per the SIEM Macro and Micro Design.

Completion Criteria: This activity will be complete when the console appliance has been customized for your environment.

Deliverable Materials: None

Activity 3 - Deploy Log Collection for Production Environment

The purpose of this activity is to deploy log collection in the production environment. IBM will collect events from up to three instances of the Log Source types as defined in the design phase. Only Log Sources natively supported by standard Device Support Modules (DSMs) will be collected. No custom parsers or uDSMs will be created in this activity. Log Source collection is limited to standard configuration guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to you upon request.

Completion Criteria: This activity will be complete when IBM has collected events from up to three instances of the Log Source types for the production environment.

Deliverable Materials: None

Activity 4 - Deploy Flow Collection for Production Environment

The purpose of this activity is to deploy Flow collection in the production environment if Flow Collectors/Processors are included in the SIEM Macro and Micro Design. IBM will collect network activity from up to three instances of Flow sources. Flow Source collection is limited to standard configuration guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to you upon request.

Completion Criteria: This activity will be complete when IBM has deployed flow collection, if applicable, in the production environment.

Deliverable Materials: None

Activity 5 - Initial Tuning for Production Environment

The purpose of this activity is to perform initial tuning which is focused on enabling out-of-the-box content as well as reducing white noise and false positives. IBM will:
a. refer to the system design to perform initial tuning to include:
   (1) identifying and removing sources of noise;
   (2) activating Rules, saved searches, and accumulated time series graphs;
   (3) scheduling reports and modifying reports to meet your requirements; and
   (4) customizing Dashboards per the SIEM Macro and Micro Design;

b. lead your technical personnel through the tuning process to reduce the number of Offenses to a practical level for the environment; and

c. collaborate with you and other IBM delivery personnel to determine which standard alerting and reporting elements to enable.

Completion Criteria: This activity will be complete when IBM has performed initial tuning in the production environment.

Deliverable Materials: None

5.3.2 Your SIEM System Implementation Responsibilities

You agree to:


a. be responsible for the procurement and provision of all hardware and software; b. be responsible for the physical installation, rack mounting, powering, and network addressing of all

SIEM System components and any other necessary equipment; c. ensure and validate that backups of system and user data have been performed before the SIEM

System components are deployed; d. provide change management control for your infrastructure changes; e. meet the following pre-requisites prior to the commencement of Phase Three:

(1) make final selection of solution and technical architectures; (2) request support access; (3) request license keys from IBM Support; (4) record installation key(s) located on appliance(s) (sticker placed on top of appliance or located

with shipping documentation); (5) rack, power, and cable the appliances; (6) attach monitor & keyboard (or provide KVM/DRAC equivalent) to all appliances or provide

equivalent access, if requested; (7) provide hot network connectivity to all appliances; (8) identify appliance network settings: Hostname, IP Address, Subnet mask, Default gateway,

NTP/DNS/Mail servers; (9) if requested, provide a workstation to IBM delivery personnel for connecting to the QRadar

console that has the following attributes: (a) can access the QRadar console on TCP ports 22, 10000, 80 and 443; (b) has operational secure shell (SSH) and secure copy (SCP/SFTP) programs installed; (c) has a recent version of Mozilla Firefox (preferred), or Internet Explorer 8.0 or 9.0 with

Compatibility View enabled; (d) has Java Runtime Environment version 1.6 or above installed; and (e) has Adobe Flash 10.x installed;

(10) if requested, configure firewalls between the workstation and the QRadar console to allow the specified connections as instructed by QRadar technical product documentation;

(11) configure span/mirror ports and/or taps, if necessary and defined in the SIEM Macro and Micro Design;

(12) identify Event Sources, type, and numbers for log collection; (13) identify vulnerability scanner systems desired for integration into QRadar if included in the

SIEM Macro and Micro Design; (14) identify Network Hierarchy: Subnet Name, Description, IP/CIDR values, Risk weight (see

Install Guide and/or Admin Guide for additional information); (15) identify Critical Assets: Hostname, IP address(s), type (domain controller, mail, web, DNS,

scanners, firewalls, etc.); f. enable appropriate audit (log) settings and communications channels on the Event Sources and di-

rect the Event Sources to the SIEM System; g. configure Event Sources per the Configuring DSMs Guide; h. be responsible for configuring audit settings in support of certain report features; i. be responsible for validating and approving outputs from each activity as requested by IBM; j. be responsible for system and data restore in the event of a production system malfunction after the

SIEM Agent is deployed; k. be responsible for defining your data security and protection requirements and ensuring IBM has all

relevant inputs to proceed with documenting and prioritizing the policies and deployment;

Z126-6526-AT-1 04-2014 Page 19 of 34 Z126-6526-WW-1 04-2014

Page 20: IBM Managed Security Information and Event Management · Managed Security Information and Event ... IBM Managed Security Information and Event Management ... Services Contact to assist

l. grant access up to and including full administrative rights as appropriate to IBM personnel for SIEM System components as required for on-site and remote service delivery within one week of Contract Start Date;

m. provide a general description of Event Sources, including applicable Log Sources, Flow Sources, and Assets as identified by vulnerability scans to IBM;

n. provide Log Source samples to IBM for the creation of uDSMs/custom agents if requested; o. provide direct access by IBM to subject matter experts who are responsible for the management of

the core purpose of each Event Source platform; p. ensure that your staff is available to provide such assistance as IBM reasonably requires and that

IBM is given reasonable access to your senior management, as well as any members of your staff to enable IBM to provide the Services and ensure that your staff has the appropriate skills and ex-perience;

q. provide all information and materials reasonably required to enable IBM to provide the Services and that all information disclosed or to be disclosed to IBM is and will be true, accurate, and not mislead-ing in any material respect;

r. provide configuration information as requested by IBM to deliver the Services; s. attend project meetings as requested by IBM to deliver the Services; t. make available appropriate staff to shadow deployment activities for knowledge transfer purposes;

and u. acknowledge that IBM will not be liable for any loss, damage, or deficiencies in the Services, if any,

arising from inaccurate, incomplete, or otherwise defective information and materials supplied by you.
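Added example (not part of this Services Description, and not IBM's or QRadar's code): it shows how the Network Hierarchy fields that item e(14) asks you to identify (Subnet Name, Description, IP/CIDR, Risk weight) are used in practice, by matching an event IP against the most specific defined network and treating anything outside the hierarchy as remote, and it checks that every Critical Asset from item e(15) falls inside a defined network, since an asset left outside the hierarchy makes its internal traffic look remote. The network entries, the asset list and the test IPs are constructed sample data; the 0 to 10 risk scale is an assumption of this example.

```python
"""Network Hierarchy and Critical Asset checks (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class NetworkObject:
    name: str          # Subnet Name
    description: str   # Description
    cidr: str          # IP/CIDR
    risk_weight: int   # Risk weight; 0 (lowest) to 10 (highest) is this example's assumed scale


# Constructed hierarchy. Narrower networks may sit inside broader ones.
NETWORK_HIERARCHY: List[NetworkObject] = [
    NetworkObject("Corp", "Campus user networks", "10.0.0.0/8", 3),
    NetworkObject("Corp.Servers", "Data centre server VLANs", "10.10.0.0/16", 6),
    NetworkObject("Corp.Servers.DC", "Domain controllers", "10.10.5.0/24", 9),
    NetworkObject("DMZ", "Internet-facing services", "192.0.2.0/24", 8),
]

# Constructed Critical Assets: hostname -> (IP address, type).
CRITICAL_ASSETS: Dict[str, Tuple[str, str]] = {
    "dc01": ("10.10.5.10", "domain controller"),
    "mail01": ("10.10.20.5", "mail"),
    "www01": ("192.0.2.80", "web"),
    "vpn01": ("198.51.100.2", "firewall"),   # deliberately outside every defined network
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ParsedHierarchy = List[Tuple[Network, NetworkObject]]


def build_hierarchy(entries: List[NetworkObject]) -> ParsedHierarchy:
    """Parse every CIDR once and order longest prefix first, so the first hit in
    classify() is the most specific network. strict=True rejects host bits set."""
    parsed = [(ipaddress.ip_network(e.cidr, strict=True), e) for e in entries]
    parsed.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return parsed


def classify(ip: str, hierarchy: ParsedHierarchy) -> Optional[NetworkObject]:
    """Most specific network object containing ip, or None when the address lies
    outside the hierarchy (i.e. the SIEM would treat it as remote)."""
    addr = ipaddress.ip_address(ip)
    for network, obj in hierarchy:
        if addr.version == network.version and addr in network:
            return obj
    return None


def is_local(ip: str, hierarchy: ParsedHierarchy) -> bool:
    return classify(ip, hierarchy) is not None


def uncovered_critical_assets(assets: Dict[str, Tuple[str, str]],
                              hierarchy: ParsedHierarchy) -> List[str]:
    """Hostnames of Critical Assets whose IP is inside no defined network."""
    return sorted(host for host, (ip, _kind) in assets.items()
                  if not is_local(ip, hierarchy))


def hierarchy_problems(entries: List[NetworkObject]) -> List[str]:
    """Definition errors to fix before loading the hierarchy: unparsable CIDRs,
    duplicate networks, and risk weights outside the assumed 0..10 scale."""
    problems: List[str] = []
    seen = set()
    for e in entries:
        try:
            network = ipaddress.ip_network(e.cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{e.name}: bad CIDR {e.cidr!r} ({exc})")
            continue
        if network in seen:
            problems.append(f"{e.name}: duplicate network {network}")
        seen.add(network)
        if not 0 <= e.risk_weight <= 10:
            problems.append(f"{e.name}: risk weight {e.risk_weight} outside 0..10")
    return problems


if __name__ == "__main__":
    hierarchy = build_hierarchy(NETWORK_HIERARCHY)
    for ip in ("10.10.5.10", "10.200.1.1", "192.0.2.80", "203.0.113.7"):
        obj = classify(ip, hierarchy)
        print(ip, "->", f"{obj.name} (risk {obj.risk_weight})" if obj else "remote")
    print("Critical Assets outside hierarchy:",
          uncovered_critical_assets(CRITICAL_ASSETS, hierarchy))
    print("Hierarchy problems:", hierarchy_problems(NETWORK_HIERARCHY))
```

Running the script flags vpn01 as the one Critical Asset not covered by any network object; that is the kind of gap worth closing before Phase Three, because rules that key on local versus remote traffic will otherwise misclassify that asset.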

5.4 Phase Four – Integration and Transition

During this phase, IBM will transition the Service to the IBM operational support team, as documented in the Project Plan. Any required changes to the Project Plan will be handled by the IBM SSM, who will either: 1) continue with the Services as described in this Services Description, or 2) use the Contract Change Procedure to modify the Services scope and corresponding Schedule. Completion of Phase Three activities, or making available information equivalent to that resulting from Phase Three activities, is a prerequisite for the commencement of the Integration and Transition activities described herein. Upon Services renewal, Integration and Transition activities are not included as part of your ongoing renewable services contract.

5.4.1 IBM Integration and Transition Responsibilities

Activity 1 - Staged Transition to Ongoing Operational Support

The purpose of this activity is to document essential operational elements of the Service and begin the transition of SIEM System management and monitoring to IBM. IBM will:

a. review existing security operations processes and documentation;
b. create a Communications Plan;
c. create a Runbook;
d. work jointly with you to define and document how changes are considered, initiated, processed, recorded, and administered, in a mutually agreed upon change management process;
e. determine, develop, and review detailed reporting requirements for in-scope Event Sources;
f. review transition procedures and processes;
g. demonstrate MSS Portal features to MSS Portal Users;
h. review connectivity needs and access establishment for ongoing service readiness;
i. review the draft documents with your Point of Contact;
j. recommend modifications, upgrades, or policies based on findings; and
k. perform one revision of the documents, if required.


Completion Criteria: This activity will be complete when IBM has delivered the Runbook and Communications Plan electronically to your Point of Contact.

Deliverable Materials: Runbook and Communications Plan

The Communications Plan will comprise:
(1) information and knowledge sharing process and vehicle among workgroups, business units, and third party entities as it pertains to the Service;
(2) Your Point of Contact and Backup Point of Contact;
(3) Authorized Security Contacts;
(4) Designated Services Contacts;
(5) report recipient list;
(6) your key stakeholder list;
(7) communications criteria, including rules of engagement;
(8) security Incident escalation paths;
(9) your satisfaction escalation paths;
(10) IBM sales points of contact; and
(11) your feedback mechanism for enhancements and continuous quality improvement.

The Runbook will comprise:
(1) your relevant organizational structure;
(2) IBM delivery team organizational structure;
(3) contact list with name, title, vendor, email address, phone number, location, role description, and asset ownership (if applicable) for IBM and your personnel associated with the project;
(4) security Incident severity definitions, including severity level, classification criteria, and severity description;
(5) Incident management process as it pertains to the Services;
(6) change management process as it pertains to Project Change Requests;
(7) your applications that will be used by IBM in the delivery of services, such as the SIEM System and one other application, if requested;
(8) your contact for each application that will be used by IBM in the delivery of services;
(9) the business purpose of each application that will be used by IBM in the delivery of services;
(10) software release management procedures for in-scope Event Sources; and
(11) the agreed-to interconnectivity and network access solution to be used by IBM in the delivery of services.

Activity 2 - Reports Definition and Validation

The purpose of this activity is to define regular reports for review and analysis by you and/or by IBM if the Reports Generation, Review, and Analysis optional feature is included in the Services as specified in the Schedule. If the optional Reports Generation, Review, and Analysis feature is not included, reports defined in this activity may not be manually reviewed or analyzed by IBM prior to being provided to you, with the exception of the Monthly Status Report, which is a formal deliverable. IBM will:

a. work with you to define substance, criteria, filters, format, distribution vehicle, recipients, and frequency of SIEM-generated reports;
b. work with you to define substance, format, distribution vehicle, recipients, and frequency of operational status reports;
c. configure Event Source communication disruption alerting to be sent via email daily to one or more Authorized Security Contacts or Designated Services Contacts as defined in the Communications Plan, if requested and if you allow IBM to configure communication settings for your mail server in the SIEM System;
d. review the reports with your Point of Contact;
e. perform one revision of the reports, if requested; and
f. deliver the reports to your Point of Contact.

Once accepted by you, the identified reports will remain the same for the duration of the contract unless modified via the change management process as documented in the Runbook.

Completion Criteria: This activity will be complete when the agreed upon report set and Monthly Status Report sample have been delivered to Your Point of Contact.

Deliverable Materials: Monthly Status Report

The Monthly Status Report will be prefaced by the Report List. The Report List will comprise a summary of the reports being provided, including the long form report title, the data source, the format, the report recipient, and the distribution mechanism. The Report List will be developed prior to steady state operations and will be mutually agreed upon. Each report will consist of the following, as appropriate:

a. SIEM-generated reports, which may include but are not limited to:
   (1) compliance-oriented reports for daily review;
   (2) security Incident summary and details;
   (3) trend analyses that reveal trends in policy exceptions and user behavior;
   (4) average Events per second (EPS);
   (5) average actionable alerts per day; and
   (6) Event Source inventory and summary; and
b. status information including, but not limited to, the following content as appropriate:
   (1) activities performed during the reporting period;
   (2) activities planned for the next reporting period;
   (3) Change Request summary;
   (4) Project Change Control summary;
   (5) SLA adherence summary;
   (6) trends, Issues, concerns, and recommendations; and
   (7) monthly operational review data.

Regular monthly reports will be consolidated into one Word document or PowerPoint presentation and delivered to your Point of Contact electronically. The Monthly Status Report will be made available by the 15th of the next calendar month or at a later date if mutually agreed.
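Added example (not part of this Services Description, and not IBM's or QRadar's code) of the logic behind the Event Source communication disruption alerting in item c of this activity, and behind the "log continuity" verification in Phase Five: the last event time per Log Source is compared with a per-source maximum tolerated gap, inventoried sources that have never delivered an event are reported as well, and senders that are missing from the inventory are listed separately so an unexpected source gets looked at. The source names, thresholds and event timestamps are constructed sample data; the per-source thresholds are an assumption of this example, since the page does not define how silence is measured.

```python
"""Event Source communication disruption check (added example; constructed data)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed inventory: log source -> longest silence that is still normal for it.
SOURCE_INVENTORY: Dict[str, timedelta] = {
    "fw-edge-01": timedelta(minutes=5),    # busy perimeter firewall
    "dc01": timedelta(minutes=30),         # domain controller
    "vpn-01": timedelta(hours=2),          # VPN concentrator, quiet at night
    "scanner-01": timedelta(days=8),       # weekly vulnerability scan
    "ids-01": timedelta(minutes=15),       # inventoried but never delivered an event
}

# Constructed event records (source, UTC timestamp), as a collector would summarise them.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("fw-edge-01", "2014-04-01T11:58:40Z"),
    ("fw-edge-01", "2014-04-01T11:59:55Z"),
    ("dc01", "2014-04-01T11:20:00Z"),
    ("vpn-01", "2014-04-01T08:10:00Z"),
    ("scanner-01", "2014-03-29T02:00:00Z"),
    ("unknown-host", "2014-04-01T11:30:00Z"),   # sender not in the inventory
]

CHECK_TIME = datetime(2014, 4, 1, 12, 0, tzinfo=timezone.utc)

Finding = Tuple[str, str, Optional[timedelta]]   # (source, reason, gap or None)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events: Iterable[Tuple[str, str]]) -> Dict[str, datetime]:
    """Most recent event time per source."""
    seen: Dict[str, datetime] = {}
    for source, ts in events:
        when = parse_ts(ts)
        if source not in seen or when > seen[source]:
            seen[source] = when
    return seen


def find_disruptions(seen: Dict[str, datetime], inventory: Dict[str, timedelta],
                     now: datetime) -> List[Finding]:
    """Inventoried sources silent longer than their threshold, or never seen at all."""
    findings: List[Finding] = []
    for source, max_gap in inventory.items():
        if source not in seen:
            findings.append((source, "no events received at all", None))
            continue
        gap = now - seen[source]
        if gap > max_gap:
            findings.append((source, f"silent for {gap} (threshold {max_gap})", gap))
    return findings


def unexpected_sources(seen: Dict[str, datetime],
                       inventory: Dict[str, timedelta]) -> List[str]:
    """Senders absent from the inventory: a new system, or something to verify."""
    return sorted(source for source in seen if source not in inventory)


def daily_digest(findings: List[Finding], unexpected: List[str], now: datetime) -> str:
    """Plain-text body for the daily e-mail to the Authorized Security Contacts."""
    lines = [f"Event Source communication check at {now.isoformat()}"]
    if not findings and not unexpected:
        lines.append("All inventoried Event Sources are reporting within threshold.")
    lines += [f"DISRUPTED {source}: {reason}" for source, reason, _gap in findings]
    lines += [f"UNLISTED  {source}: sending events but not in the Event Source inventory"
              for source in unexpected]
    return "\n".join(lines)


if __name__ == "__main__":
    seen = last_seen(SAMPLE_EVENTS)
    print(daily_digest(find_disruptions(seen, SOURCE_INVENTORY, CHECK_TIME),
                       unexpected_sources(seen, SOURCE_INVENTORY), CHECK_TIME))
```

With the constructed data the digest reports dc01, vpn-01 and ids-01 as disrupted and unknown-host as unlisted, while the firewall and the weekly scanner stay quiet; a single global silence threshold would either page on the scanner every day or miss the firewall for hours, which is why the tolerated gap is kept per source.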

Activity 3 - Readiness Assessment

The purpose of this activity is to document the as-built state of the environment in a presentation and assess readiness for transitioning to steady state operations. IBM will:

a. verify that in-scope Event Sources are functional with regard to the Services to be delivered;
b. re-baseline Service Features to determine whether any project changes need to be executed;
c. verify that the completion criteria have been met for each activity in this phase;
d. verify that the Deliverable Materials have been provided for each activity in this phase;
e. obtain Your Point of Contact acceptance of the applicable deliverable materials;
f. prepare a transition summary presentation that describes the fulfillment of the Project Plan; and
g. conduct a readiness assessment teleconference for up to two hours to review the transition summary presentation with Your Point of Contact or your key stakeholders, if requested.

Completion Criteria: This activity will be complete when IBM has completed the readiness assessment teleconference.

Deliverable Materials: None

Activity 4 - Initiate Steady State Operations

The purpose of this activity is to initiate steady state operations. IBM will conduct a Steady State Initiation teleconference for up to two hours, to:

a. introduce your contacts to the IBM service delivery team;
b. set expectations for IBM and you regarding roles and responsibilities; and
c. formally close out the Integration and Transition phase.

Completion Criteria: This activity will be complete when IBM has conducted the Steady State Initiation teleconference.

Deliverable Materials: None

5.4.2 Your Integration and Transition Responsibilities

a. work with IBM to meet the schedule defined in the Project Plan;
b. provide IBM with access and appropriate permissions to the SIEM System components and in-scope Event Sources;
c. identify reporting requirements for in-scope Event Sources;
d. provide IBM with workflow for Ticket routing to the appropriate workgroup pertaining to technologies in scope;
e. acknowledge that the Communications Plan may be superseded by MSS Portal contact information during the Contract Period;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, including security teams, information technology groups, audit and risk departments, and operations management at your facility;
g. enable appropriate audit (log) settings and communications channels on the Event Sources;
h. provide specific documentation with regard to information security policy, operations, networks, systems, standards and audit controls that could assist the discovery and requirements definition process, and provide assistance for clarification and interpretation, if requested;
i. other than as set forth in this Services Description, be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment;
j. schedule meetings and/or teleconferences such that all participants have enough notice to attend; and
k. review and comment on the draft Deliverable Materials to ensure IBM can finalize them within 10 business days after submitting the draft to Your Point of Contact.

5.5 Phase Five – Ongoing Operational Support

During Phase Five - Ongoing Operational Support (Steady State Operations), IBM will provide remote operational support, management, and monitoring services for the SIEM System.

5.5.1 IBM Ongoing Operational Support Responsibilities

Activity 1 - Threat Analyst Event Monitoring and Notification

The purpose of this activity is to provide you with ongoing event monitoring and Incident management for the SIEM System. When this Service Feature is included in the Services as specified in the Schedule, IBM will:

a. monitor alerts and policy exceptions (security events) generated by the SIEM System. After analysis by a SIEM Analyst, security events may be classified as security Incidents. Whether or not a security event is considered a security Incident is determined solely by IBM. Identified security events will be classified, prioritized, and escalated as IBM deems appropriate. Security events that are not eliminated as benign triggers are classified as a security Incident;
b. classify security Incidents into one of the three priorities described below:
   (1) Priority 1 - a high priority security Incident in which IBM recommends immediate defensive action be taken;
   (2) Priority 2 - a medium priority security Incident in which IBM recommends action be taken within 12 - 24 hours of notification; and
   (3) Priority 3 - a low priority security Incident in which IBM recommends action be taken within one to seven days of notification;
c. when possible, eliminate false positives and benign triggers;
d. escalate security Incidents to an Authorized Security Contact or Designated Services Contact in accordance with processes as defined during the Integration and Transition Phase;
e. provide remediation/countermeasure recommendations, if applicable;
f. assist your security teams with performing root cause and impact analysis;
g. adjust alert prioritization options based on criticality;
h. consider ongoing policy improvements and notify you of IBM recommended policy changes;
i. perform analysis of potentially harmful security alerts;
j. perform updates to existing policy Rules;
k. provide Incident handling support, consisting of:
   (1) creating Incident tickets as required;
   (2) tracking progress of open tickets;
   (3) managing the tickets to resolution / closure, in accordance with the processes as defined in the Integration and Transition Phase;
   (4) providing escalation and exception handling for Tickets, consistent with defined processes; and
   (5) closing Tickets upon resolution.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the Services.

Deliverable Materials: Monthly Status Report (Ongoing)

Activity 2 - SIEM System Infrastructure Management

The purpose of this activity is to provide ongoing management and monitoring of the SIEM System infrastructure, including hardware and software components. When this Service Feature is included in the Services as specified in the Schedule, IBM will:

a. monitor IBM’s ability to access the SIEM System;
b. assist you with troubleshooting steps to be performed by you in order to re-establish connectivity between the SIEM System and IBM;
c. provide software-level management for the SIEM System components;
d. verify data collection and log continuity;
e. manage user access, including user and group permissions updates;
f. review application performance, capacity, and availability, and make recommendations as appropriate;
g. review SIEM System disk space usage;
h. verify time synchronization among SIEM System components;
i. perform archival management and retrieval per change management process;
j. provide problem determination / problem source identification for the SIEM System, consisting of:
   (1) creating tickets as required;
   (2) tracking progress of open tickets;
   (3) managing tickets to resolution / closure, in accordance with the processes as defined in the Integration and Transition Phase;
   (4) providing escalation and exception handling for tickets in accordance with defined processes; and
   (5) closing tickets upon resolution;
l. review SIEM vendor announcements;
m. manage SIEM System update alerts;
n. schedule and test application upgrades with you;
o. install application patches and software updates in order to improve performance or enable additional functionality (IBM assumes no responsibility for, and makes no warranties concerning, third party vendor-provided patches, updates, or security content);
p. declare a maintenance window in advance of SIEM Agent updates that may require platform downtime or your assistance to complete;
q. perform research and investigation if the SIEM Agent does not perform as expected or a potential SIEM Agent health issue is identified;
r. review on a quarterly basis new security correlation Rules supplied by the vendor and apply them to SIEM Agents if applicable, in accordance with the change management process; and
s. review and modify, if necessary, each uDSM on an annual basis when the optional Service Feature for Custom Parser Creation is included with the Services for the quantity specified in the Schedule.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the Services.

Deliverable Materials: Monthly Status Report (Ongoing)

Activity 3 - SIEM System Change Requests

The purpose of this activity is to process Change Requests to add, update, delete, or modify SIEM System functions, components, or outputs. When SIEM System Infrastructure Management is included in the Services as specified in the Schedule, IBM will:

a. review submitted Change Requests to verify justification, feasibility, and completeness; Change Requests may include but are not limited to the following adjustments:
   (1) moving, adding, or deleting Event Sources;
   (2) assisting you with directing Event Sources to the SIEM System;
   (3) creating, modifying, or implementing SIEM System policies or rules; and
   (4) responding to complex audit requests;
b. notify the requester if additional information is needed;
c. implement approved Change Requests in accordance with your change management process as documented in the Runbook;
d. if necessary, notify the requester that the change exceeds service scope and assist the requester with the Contract Change Procedure; and
e. summarize changes in the Monthly Status Report.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the Services.

Deliverable Materials: Monthly Status Report (Ongoing)

5.5.2 Your Ongoing Operational Support Responsibilities

In order to provide successful ongoing operational support, your participation is necessary. When one or more Service Features in Phase Five are included in the Services as specified in the Schedule, you agree to:

a. provide IBM with current documentation of your environment;
b. inform IBM of changes within your environment that are relevant to the Service;
c. enable appropriate audit (log) settings and communications channels on the Event Sources;
d. inform IBM within three calendar days of a change in Your Point of Contact information;
e. provide email aliases, as necessary, to facilitate notification;
f. ensure that network infrastructure devices, systems, servers, and applications sending security events and logs to the SIEM System meet the most current minimum application system requirements as defined by IBM;
g. be responsible for your own security governance and strategy, including security Incident response procedures;
h. work with IBM to optimize the Service;
i. participate in troubleshooting sessions with IBM, as required; and
j. maintain current licensing, support, and maintenance contracts.

In addition, if Threat Analyst Event Monitoring and Notification is included in the Services as specified in the Schedule, You agree to:
(1) view details of security Incident reports; and
(2) provide feedback on security Incident reports.

In addition, when SIEM System Infrastructure Management is included in the Services as specified in the Schedule, You agree to:
(1) create and submit a Change Request for all changes as defined in the change management process and documented in the Runbook;
(2) ensure all Change Requests are submitted by an Authorized Security Contact or a Designated Services Contact, in accordance with the change management process;
(3) be responsible for providing sufficient information for each Change Request to allow IBM to successfully perform such change;
(4) contact IBM in the event that the troubleshooting steps do not resolve a SIEM Agent performance or health issue;
(5) assist IBM with remote configuration and troubleshooting of SIEM System components and Event Source transmission issues and be responsible for their ultimate resolution;
(6) allow IBM to monitor the administrative interfaces and/or event stream of the managed SIEM Agents; and
(7) acknowledge that:
    (a) all updates are transmitted and applied via the Internet;
    (b) data traveling across the Internet is encrypted using industry-standard strong encryption algorithms whenever possible;
    (c) IBM will not initiate additional troubleshooting steps until after notification from you that initial troubleshooting steps did not resolve SIEM Agent performance or health issues;
    (d) if the managed SIEM Agent is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM; and
    (e) all changes will be completed by IBM and not by you.

6.0 Managed SIEM Optional Features

Managed SIEM Optional Features are dependent on the complexity level and quantity of the selected optional features specified in the Schedule. IBM will provide MSIEM Optional Features based on selection and the additional charges specified in the Schedule.

6.1 Custom Parser Creation

6.1.1 IBM Custom Parser Creation Responsibilities

Activity 1 - Custom Parser Creation

The purpose of this activity is to configure uDSMs to parse the logs of Log Sources for which there is no native DSM and to map the individual log messages into QRadar’s ID map (QIDMAP). At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will configure uDSMs, up to the quantity specified in the Schedule for this optional Service Feature, using up to 15 event messages per uDSM. IBM will provide Custom Parser Creation during your Contract Period at a usage rate specified in the Schedule. Once delivered, the maintenance of these uDSMs will be performed by IBM as described in Phase Five of this Services Description.

Completion Criteria: This activity will be complete when the uDSMs have been configured and are transmitting data to the SIEM System.

Deliverable Materials: None
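Added example (not part of this Services Description; not IBM's code and not QRadar's uDSM mechanism, which has its own configuration format) of the two steps this activity describes for a Log Source with no native DSM: parsing each raw message of an unsupported format into fields, then mapping the device's own event name to a normalized category and severity, which stands in here for the QIDMAP lookup. Lines that do not parse and event names the map does not know are counted rather than silently dropped, because those counts show whether the sample messages supplied for the uDSM were representative. The appliance log format, the event map and the sample lines are all constructed.

```python
"""Custom parser for an unsupported log format (added example; constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed syslog-style format of a fictitious appliance:
#   <PRI>Mon dd hh:mm:ss host app[pid]: key=value key=value ...
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<app>\w+)\[(?P<pid>\d+)\]:\s(?P<kv>.+)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed stand-in for the event ID map: device event name -> (category, severity 1..10).
# The page allows up to 15 event messages per uDSM; this map covers four of them.
EVENT_MAP: Dict[str, Tuple[str, int]] = {
    "login_ok": ("Authentication.Success", 1),
    "login_fail": ("Authentication.Failure", 5),
    "policy_deny": ("Firewall.Deny", 3),
    "config_change": ("Audit.ConfigChange", 7),
}
UNKNOWN = ("Unknown", 0)   # events that parse but are not yet mapped


@dataclass
class ParsedEvent:
    host: str
    event_name: str
    category: str
    severity: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[ParsedEvent]:
    """Parse one raw message; None when the line does not match the format at all."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    name = fields.get("event", "")
    category, severity = EVENT_MAP.get(name, UNKNOWN)
    return ParsedEvent(m.group("host"), name, category, severity, fields)


def parse_batch(lines: List[str]) -> Tuple[List[ParsedEvent], List[str], Counter]:
    """Parse many lines. Returns (events, unparsed lines, counter of unmapped event names);
    the last two are the tuning feedback for the parser and the event map."""
    events: List[ParsedEvent] = []
    unparsed: List[str] = []
    unmapped: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        events.append(ev)
        if ev.category == UNKNOWN[0]:
            unmapped[ev.event_name or "<missing event field>"] += 1
    return events, unparsed, unmapped


SAMPLE_LINES: List[str] = [   # constructed
    "<134>Apr  1 12:00:01 fw-edge-01 acmefw[4242]: event=login_fail user=alice src=203.0.113.7 rc=401",
    "<134>Apr  1 12:00:03 fw-edge-01 acmefw[4242]: event=login_ok user=alice src=203.0.113.7",
    "<134>Apr  1 12:00:09 fw-edge-01 acmefw[4242]: event=policy_deny src=203.0.113.9 dst=10.10.5.10 dport=445",
    "<134>Apr  1 12:00:15 fw-edge-01 acmefw[4242]: event=fan_speed rpm=3200",
    "this line is not in the appliance format at all",
]

if __name__ == "__main__":
    events, unparsed, unmapped = parse_batch(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.host} {ev.category:24s} sev={ev.severity} {ev.fields}")
    print("unparsed lines:", len(unparsed))
    print("unmapped event names:", dict(unmapped))
```

The unmapped counter is what an annual uDSM review (Phase Five, item s) would look at first: a device firmware update that introduces new event names shows up there as a growing "Unknown" bucket rather than as silently lost detail.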

6.2 Reports Generation, Review, and Analysis

6.2.1 IBM Reports Generation, Review, and Analysis Responsibilities

Activity 1 - Reports Generation, Review, and Analysis

The purpose of this activity is to provide daily manual review and analysis by SIEM Analysts of certain report data, as defined in the Integration and Transition Phase, when this optional Service Feature is included in the Services as specified in the Schedule. At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will:

a. generate daily reports up to the quantity specified in the Schedule;
b. manually review and analyze reports;
c. investigate anomalous data;
d. perform analysis of potentially harmful security alerts based on report data;
e. create Incident tickets as required based on report data;
f. escalate security Incidents to an Authorized Security Contact or Designated Services Contact in accordance with processes as defined during the Integration and Transition Phase;
g. upload log files and reports electronically and in their native formats to a central repository provided by you for audit purposes;
h. manage report distribution; and
i. incorporate findings into weekly briefings and monthly operational reviews.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the Services.

Deliverable Materials: None

6.3 General SIEM Consulting

6.3.1 IBM General SIEM Consulting Responsibilities

Activity 1 - General SIEM Consulting

The purpose of this activity is to accommodate potential changes or additional requirements that may arise during the Contract Period, in order to prime the environment for a smooth transition to managed operations or to provide a higher level of advisory services during steady state. Such support may include Incident response guidance, SIEM reconfiguration, expansion assistance, and security operations and optimization. IBM will provide General SIEM Consulting during your Contract Period at a usage rate specified in the Schedule. General SIEM Consulting units (days/weeks) specified in the Schedule must be utilized during the initial contract term. These optional Service Features may be purchased in advance based on pre-sales solution design recommendations or via the Contract Change Procedure at any time during the Contract Period. General SIEM Consulting will be provided 9:00 a.m. to 5:00 p.m. Monday through Friday in the time zone selected by you (also referred to as “Business Hours”), except national and your designated holidays.

Completion Criteria: This activity will be considered complete when one of the following first occurs: 1) the number of units (days/weeks) specified in the Schedule has been provided for the corresponding Service Features; or 2) the initial Contract Period term has passed.

Deliverable Materials: None

6.3.2 Your General SIEM Consulting Responsibilities

You agree to:

a. acknowledge that, under this Services Description, General SIEM Consulting will be provided based on the usage charge specified in the Schedule; and
b. be responsible for all usage charges associated with General SIEM Consulting you request during the term of the Contract Period specified in the Schedule.

6.4 Ticket System Integration

6.4.1 IBM Ticket System Integration Responsibilities

Activity 1 - Ticket System Integration

The purpose of this activity is to provide a mechanism to you for leveraging existing trouble ticketing and case management investments. At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will provide an application programming interface (API) to allow for customized integration with external ticketing systems.

6.4.2 Your Ticket System Integration Responsibilities

You agree to:

a. be responsible for all additional charges associated with API Ticket integration;
b. utilize the API package to facilitate Ticket integration;
c. be responsible for all engineering and development issues associated with Ticket integration; and
d. acknowledge that IBM will not provide assistance or consulting for your ticketing system integration.

Completion Criteria: This activity will be complete when IBM has provided the API to you.

Deliverable Materials: None

6.5 Vulnerability Scanner Integration
6.5.1 IBM Vulnerability Scanner Integration Responsibilities

Activity 1 - Vulnerability Scanner Integration
The purpose of this activity is to configure third party vulnerability assessment scanners as data sources for the SIEM System when this optional Service Element is included in the Services as specified in the Schedule. At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will:
a. include vulnerability scanner integration into the solution design;
b. configure the vulnerability scanner instances per the SIEM Macro and Micro Design; and
c. validate that vulnerability assessment data populates asset records in the SIEM System.
Completion Criteria: This activity will be complete when IBM has integrated third party vulnerability scan data into the SIEM System.
Deliverable Materials: None

6.6 QRadar Vulnerability Manager Integration and Management
6.6.1 IBM QRadar Vulnerability Manager Integration and Management Responsibilities

Activity 1 - QRadar Vulnerability Manager Integration and Management
The purpose of this activity is to provide support for the QVM module, if licensed and included in the SIEM Macro and Micro Design, including setup, configuration, maintenance, and periodic report generation. At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will:
a. work with your technical contacts to configure QVM scan policies for the quantity of IP addresses as specified in the Schedule;
b. work with your technical contacts to configure dynamic and near-real-time scanning options as applicable;
c. work with your technical contacts to define QVM reports for monthly generation;
d. provide you with read-only QRadar console access so you may view QVM reports and related information (no administrator access will be granted);
e. ensure QVM data is integrated logically in the overall SIEM solution;
f. incorporate QVM findings into weekly briefings and monthly operational reviews; and
g. implement QVM-related Change Requests in accordance with the defined change management process as documented in the Runbook.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the Services.
Deliverable Materials: None

6.6.2 Your QVM Responsibilities
You agree to:
a. convey scan policy and scheduling requirements to IBM delivery personnel;
b. work with IBM delivery personnel to ensure QVM related reports map to your requirements;
c. access the QRadar console to retrieve QVM-related reports and data;
d. notify IBM of any network or system changes that would prevent the QVM module from successfully completing the scans;
e. be responsible for the remediation of vulnerabilities discovered by the QVM module or made available to you in the reports; and
f. submit Change Requests for any QVM-related changes using the change management process as defined in the Runbook.

7.0 Service Level Agreements
7.1 SLA Overview

IBM Service Level Agreements (SLAs) establish response time goals (“Service Level Targets”) for specific activities. The SLAs become effective at the commencement of Phase Five, Ongoing Operational Support (“Steady State Operations”). The SLA defaults described below comprise the measured metrics for the delivery of the Service. Unless explicitly stated below or as set forth in the Agreement, no warranties of any kind shall apply to Services delivered under this Services Description. Upon the initiation of Steady State as mutually agreed upon by you and IBM, the Service Level Agreements become effective. The Service Level Agreements (also referred to as “SLA Availability” in the Schedule) are as follows:

Service Level Agreements

Service Feature                             SLA Target         SLA Remedy
Service Availability                        100%               Service Credit equal to one day of the monthly fee for Steady State Operations
Portal Availability                         99.9%              Service Credit equal to one day of the monthly fee for Steady State Operations
Priority 1 Security Incident Notification   15/30/60 Minutes   Service Credit equal to one day of the monthly fee for Steady State Operations
Priority 2 Security Incident Notification   12 Hours           Service Credit equal to one day of the monthly fee for Steady State Operations
Priority 3 Security Incident Notification   24 Hours           Service Credit equal to one day of the monthly fee for Steady State Operations
SIEM Agent Health Alerting                  30 Minutes         Service Credit equal to one day of the monthly fee for Steady State Operations

7.2 SLA Definitions
7.2.1 Service Availability
IBM will provide 100% Service availability for the SOCs during Steady State Operations.
7.2.2 Portal Availability
IBM will provide 99.9% accessibility for the Portal except as specified in Scheduled and Emergency Maintenance.


7.2.3 Security Incident Identification and Notification
When Threat Analyst Event Monitoring and Notification is included in the Services as specified in the Schedule, IBM will analyze SIEM System output to identify Priority 1, 2, and 3 Security Incidents. Whether or not a security event is considered an Incident is determined solely by IBM. The Security Incident Notification timer begins once IBM has identified, classified, and prioritized an Offense and has created an Incident Ticket. Your Authorized Security Contact or Designated Services Contact will be notified by telephone and email for the first instance of a Priority 1 Incident and via email for the first instance of a Priority 2 or 3 Incident. During a Priority 1 Incident notification, IBM will continue attempting to contact the Authorized Security Contact or Designated Services Contact until such contact is reached for that instance or all notification contacts have been exhausted. Operational activities related to Incidents and responses will be documented and time-stamped within the IBM ticketing system. Such documentation and time-stamp shall be used as the sole authoritative information source for the purposes of this SLA. IBM will initiate notification for Incidents within the timeframe specified in the Service Level Agreements for Priority 2 and 3 Incidents, and as specified in the Schedule for Priority 1 Incidents.

Incident priorities are defined as follows:

Priority 1 Incident: This prioritization includes actionable, high-risk events / policy violations that have the potential to cause severe damage to client environments. Examples include system or data compromises; privacy breaches; worm infections/propagation; massive Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks; zero day threats; creation of IDs with elevated privileges or adding elevated privileges to existing IDs outside of change control processes; tampering of critical system files, application files, or databases that will impact system integrity; enterprise wide malware outbreak; authorized policy changes; and deletion of audit log files. For investigations that result in a Priority 1 classification, IBM recommends that customers take immediate defensive actions.

Priority 2 Incident: This prioritization includes unauthorized user activities that do not have the ability to impact system performance or harm data. Examples include unauthorized local scanning activity; attacks targeted at specific servers or workstations; unauthorized creation of IDs on critical systems; user-caused contiguous failed/successful login attempts; failed attempts of tampering with critical systems, applications, audit log files, and databases; accessing critical systems or application files; and malware outbreaks impacting a business unit or a territory. For a Priority 2 Incident, IBM recommends that customers take action within 12-24 hours of notification.

Priority 3 Incident: This prioritization encompasses activities such as user errors, misconfigurations, non-compliance, and scanning. Examples include discovery scanning; information gathering scripts; other reconnaissance probes; unauthorized system reboots; use of accounts (service, administrator, system accounts); activity with account names that do not follow approved naming standards; suspect file names; any unauthorized change or activity conducted during non-business hours; and certain types of malware outbreaks. For a Priority 3 Incident, IBM recommends that customers take action within one to seven days of notification.

You acknowledge that:
a. additional instances of the same Priority 1, 2, or 3 Incident may be suppressed and/or rolled into the primary ticket of the first instance of the Incident, but contact will not be attempted for each new instance of the same Incident other than regular reports as mutually agreed upon during Phase Four, Activity 2, Reports Definition and Validation;
b. lack of feedback or timely response from an Authorized Security Contact or Designated Services Contact after IBM has attempted to make contact three times over a seven day period can result in a lower prioritization of persistent or recurring activity as it pertains to Priority 1, 2, and 3 Incidents;
c. IBM will stop contacting an Authorized Security Contact or Designated Services Contact if, after four Information Requests, an adequate response has not been provided by you within seven days of the fourth Information Request for the same Incident or aggregated, related Incidents;
d. if a response is needed from an Authorized Security Contact or Designated Services Contact in order to investigate and close a Ticket, tune Rules, or otherwise enhance the delivery of the Services, possible response options will be listed for you in the Information Request, such that selecting any one of the possible response options will be deemed an adequate response for the purposes of the Information Request; and
e. if IBM does not receive an adequate response to an Information Request after four attempts, IBM reserves the right to make environmental assumptions and take one or more of the following actions: (1) add, modify, or delete Rules; (2) suppress Offenses; and (3) make any other configuration change to the SIEM System.

7.2.4 SIEM Agent Health Alerting
When SIEM System Infrastructure Management is included in the Services as specified in the Schedule, IBM will notify you within the timeframe specified in the Service Level Agreements for SIEM Agent Health Alerting after IBM determines that the SIEM Agent is unreachable via standard in-band connectivity.

7.3 SLA Root Cause Analysis
IBM will maintain a root cause analysis (“RCA”) process and perform, at IBM’s discretion, the activities required to diagnose, analyze, resolve, and report on Incidents or problems prior to an SLA Remedy being enforced. IBM will:
a. identify, record, track, and manage the Incident and/or problem identified as potentially having IBM SLA implications from identification through service restoration by: (1) determining the ownership of the issue as assignable to IBM; (2) determining the scope of the Incident and/or problem; and (3) utilizing the ticketing system described herein to manage workflow and reporting;
c. identify the root cause of problems or failures, where possible;
d. identify and remedy the failure, and report on any consequences of the failure;
e. provide you with a written, electronic report detailing the cause of and procedure for correcting such failure; and
f. if the RCA points to MSS or the SIEM System, substantiate to you that all reasonable actions have been taken to prevent recurrence of such failure and notify you that the service has been restored.

7.4 SLA Remedies

You will be entitled to a Service Credit if a Service Feature does not meet the corresponding Service Level Target. The amount of any such Service Credit shall be determined using then-current Schedule(s). You may obtain no more than one Service Credit for each SLA per day, and aggregate Service Credits in a calendar month shall not exceed a total of the Steady State Operations monthly fee. Each Service Credit will be applied as a one-time credit on the invoice for the month following the month in which IBM failed to meet an SLA. The IBM MSS Remedy system will be used as the system of record for managing and tracking Service Level Agreement metrics and adherence. Such Service Credit is the sole remedy for failure to meet any of the SLAs described in this Services Description.

8.0 Deliverable Materials
The Deliverable Materials, identified as Type II Materials, are summarized below and subject to the Deliverable Materials Acceptance Procedure:
a. Initial Project Plan
b. SIEM System Macro and Micro Design
c. Communications Plan
d. Runbook
e. Monthly Status Report
Each of the above Deliverable Materials will be reviewed and accepted in accordance with the following procedure; however, subsequent submissions of Monthly Status Reports are not subject to the following and are considered accepted upon delivery:

(1) One copy of the Deliverable Material will be submitted to your Point of Contact, Authorized Security Contact, or Designated Services Contact as defined in the Communications Plan for each Deliverable Material. It is the responsibility of your contact to make and distribute additional copies to any other reviewers.

(2) Within five business days of receipt, your contact will either accept the Deliverable Material or provide IBM with a written list of requested revisions. If IBM receives no response from your contact within five business days, then the Deliverable Material will be deemed accepted.

(3) IBM will consider your contact’s timely request for revisions, if any, within the context of IBM’s obligations as stated in the Deliverable Materials descriptions.

(4) The revisions recommended by your contact and agreed to by IBM will be made and the Deliverable Material will be resubmitted to your contact, at which time the Deliverable Material will be deemed accepted.

(5) The revisions recommended by your contact not agreed to by IBM will be managed in accordance with the Contract Change Procedure specified in the Schedule.

(6) In any conflict arising from the acceptance of Deliverable Materials, you agree that your Point of Contact will help resolve Services Issues and escalate Issues within your organization, as necessary.

9.0 Other Terms and Conditions
9.1 Intellectual Property Services Components

IPSC Definition
Intellectual Property Services Components ("IPSCs") are pre-existing IBM or third party proprietary literary works or other works of authorship (such as programs, program listings, programming tools, documentation, reports, drawings and similar works) that IBM may license to you or that IBM may use when providing Services. IPSCs are not Products or Materials, as such terms are defined in the IBM Customer Agreement (called “ICA”). The terms of the ICA shall otherwise apply to IPSCs, except that the section entitled "Limitation of Liability" shall apply to IPSCs as if an IPSC was a "Product" for purposes of that section without reference to any other section. IBM or third parties have all right, title, and interest (including ownership of copyright) in IPSCs and IPSCs are licensed, not sold. Except as provided by mandatory law, without the possibility of contractual waiver or limitation, IBM provides IPSCs WITHOUT INDEMNITIES OR WARRANTIES OF ANY KIND.

IPSC License Grant
Subject to the IPSC Special Terms below, IBM grants you a revocable, nonexclusive, paid-up license to use, within your Enterprise only, the following IPSC: Universal Log Agent

IPSC Special Terms
a. IBM may terminate this license if you do not comply with any of the terms of this SOW.
b. Upon termination of this license, you agree to destroy all copies of, and make no further use of, Universal Log Agent, and certify such destruction to IBM.

By accepting receipt of the Universal Log Agent, you agree to the following Terms of Use: During the term of your IBM Managed Security Services, IBM grants you a limited nonexclusive, nontransferable license solely to internally use the Universal Log Agent. Except as otherwise provided herein, the terms of your agreement for the Managed Security Services with IBM shall apply to IBM's provision, and your use, of any Universal Log Agent. No title to or ownership in the Universal Log Agent is transferred to you. Your rights will at all times be subject to IBM's copyrights and other intellectual property rights, and IBM will retain all right, title and interest in the Universal Log Agent and any derivative works thereof. UNIVERSAL LOG AGENT IS PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS. Universal Log Agent may not be: 1) used, copied, modified, or distributed except as expressly provided herein; 2) reverse assembled, reverse compiled, or otherwise translated, except as specifically permitted by law without the possibility of contractual waiver; 3) sublicensed, rented, or leased; or 4) used for commercial purposes, including commercial research, consulting or running a business. You may not create derivative works based on the Universal Log Agent and shall not remove any notices included in the Universal Log Agent. You may not use the Universal Log Agent to design, develop or test software applications for any commercial purposes. You may not allow others to use your passwords to gain access to IBM's restricted Web sites or use the Universal Log Agent for any purposes. The Universal Log Agent is considered confidential to IBM and you shall hold such confidential information ("Information") in trust and confidence for IBM. You will use the same care and discretion to avoid disclosure of the Information as you use with your own similar information which you do not wish to disclose. During such period, you may only disclose the Information to (1) your employees who have a need to know, and (2) any other party with IBM's prior written consent. Prior to any such disclosure, you must have a written and appropriate agreement with your employees and any other party authorized to receive such Information sufficient to require the party to treat the Information in accordance with these Terms of Use. You may use such Information only for the purpose for which it was disclosed or otherwise for the benefit of IBM. These Terms of Use impose no obligation upon you regarding the Universal Log Agent or any information contained in it where such items: (1) are or become publicly available through no fault of yours; or (2) are developed independently by you.

9.2 Permission to Perform Testing
Certain laws prohibit any unauthorized attempt to penetrate or access computer systems. You authorize IBM to perform the Services as described herein and acknowledge that the Services constitute authorized access to your computer systems. IBM may disclose this grant of authority to a third party if deemed necessary to perform the Services. The Services that IBM performs entail certain risks and you agree to accept all risks associated with such Services; provided, however, that this does not limit IBM’s obligation to perform the Services in accordance with the terms of this Services Description. You acknowledge and agree to the following:
a. excessive amounts of log messages may be generated, resulting in excessive log file disk space consumption;
b. the performance and throughput of your systems, as well as the performance and throughput of associated routers and firewalls, may be temporarily degraded;
c. some data may be changed temporarily as a result of probing vulnerabilities;
d. your computer systems may hang or crash, resulting in system failure or temporary system unavailability;
e. any service level agreement rights or remedies will be waived during any testing activity;
f. a scan may trigger alarms by intrusion detection systems;
g. some aspects of the Services may involve intercepting the traffic of the monitored network for the purpose of looking for events; and
h. new security threats are constantly evolving and no service designed to provide protection from security threats will be able to make network resources invulnerable from such security threats or ensure that such service has identified all risks, exposures and vulnerabilities.

9.3 Disclaimer
You understand and agree:
a. that it is solely within your discretion to use or not use any of the information provided pursuant to the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose not to take based on the Services performed and/or deliverables provided hereunder;
b. that it is your sole responsibility to provide appropriate and adequate security for the company, its assets, systems and employees;
c. that IBM’s performance of the Services does not constitute any representation or warranty by IBM about the security of your computer systems including, but not limited to, any representation that your computer systems are safe from intrusions, viruses, or any other security exposures; and
d. that Linux and any other Open Source Software (“OSS”), including patches, fixes, and updates, which IBM installs, configures, updates, operates, or otherwise assists in procuring on your behalf as a result of providing services under this Services Description are licensed and distributed to you by Linux and OSS distributors and/or respective copyright and other right holders, including Red Hat, Inc. and/or Novell, Inc. (“Right Holders”) under such Right Holders’ terms and conditions. IBM is not a party to the Right Holders’ terms and conditions, and installs any OSS ‘AS IS’. You and IBM agree that any modification or creation of derivative works of OSS is outside the scope of this Services Description. IBM is not a distributor of OSS and does the work described in this Services Description for you upon your specification. You receive no express or implied patent or other license from IBM with respect to any OSS. IBM makes no representations and disclaims all warranties with respect to any OSS, express or implied, including the implied warranties of merchantability and fitness for a particular purpose. IBM does not indemnify against any claim that OSS infringes a third party's intellectual property rights. UNDER NO CIRCUMSTANCES SHALL IBM BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OSS.

9.4 Employment of Assigned Personnel
This Services Description shall not affect the employment relationship that exists between IBM’s assigned personnel and IBM during the applicable Contract Period. No IBM assigned personnel shall be deemed for any purpose to be the agent, servant, employee, or your representative in the performance of his or her services hereunder.
a. IBM staffs Services on a national basis with either local or non-local resources based upon resource availability at Services enablement. At the start of Services and on an ongoing basis, our points of contact will work together to mutually determine any on-site requirements of non-local resources. For on-site engagements spanning multiple weeks, the typical 40 hour work week of full time non-local resources normally consists of the resource traveling to your site(s) on Monday, returning to their home city at the end of the work day on Thursday and performing Services related activities remotely on Friday, as applicable. During weeks with a national holiday or during periods when a resource is not required to be on-site full time, both parties will work together to define an alternate full time work schedule. Such alternate work schedule may include the resource performing applicable Services-related activities remotely.
b. You acknowledge that: (a) IBM is not required to perform any work outside the scope described in this Services Description, (b) to the extent IBM does perform any work outside of scope, IBM may cease to perform such work at any time and (c) any changes to the scope must be agreed to in accordance with the Contract Change Procedure specified in the Schedule.