GLOBAL DATABASE ACTIVITY MONITORING SERVICE DEFINITION

Transcription

1 GLOBAL DATABASE ACTIVITY MONITORING SERVICE DEFINITION AUTHOR: VENKAT LUCKYREDDY VERSION MARCH 2012 COPYRIGHT 2011 COMPUTER SCIENCES CORPORATION. ALL RIGHTS RESERVED

2 Amendment History Issue Date Amended By Amendment Details February 2010 Troy Miller Initial Draft February 2010 Troy Miller CTO comments April 2010 Troy Miller Finalized March 2012 Venkat Luckyreddy Updated for GLS Distribution CSC Approvals Name Role Date Graham Logsdon Bob Besharat Deputy Director, Global Product Solutions Acting CTO - GSS Page 2 of 21 Printed copies of this document DAM are Service for reference only.

3 Abstract This document describes the high-level services associated with the Database Activity Monitoring service. Page 3 of 21 Printed copies of this document DAM are Service for reference only.

4 Table of Contents TABLE OF CONTENTS INTRODUCTION BUSINESS DRIVERS Market Considerations SCOPE In-Scope Out-of-Scope SERVICE PRE-REQUISITES GSS Consulting Services Setting Expectations DEFINITION OF SERVICES Service Levels Service Tiers Modules Monitoring Protection Vulnerability Management Data Leak Prevention Enterprise System Integration Management Policy Creation Service Baselining Build initial policies Tuning Policies Add Enforcement/Blocking Reporting Infrastructure Elements Infrastructure Integration SERVICE OPERATION Phased Deployment Event Management Incident Management Trouble Tickets and Fault Resolution Request Fulfillment Problem Management Service Desk Change Control Change Management Access Management Service Operation Roles and Responsibilities Security Operations Center (SOC) REPORTING Baseline Documentation Set Audit Reports Daily and Weekly Reporting Monthly Reporting Page 4 of 21 Printed copies of this document DAM are Service for reference only.

5 8. CONTINUAL SERVICE IMPROVEMENT Service Measurement Periodic Service Assessment Service Reporting Performance Indicators / SLAs Service Life Cycle Backup Business Continuity Planning Disaster Recovery Disengagement Activities Technology Refresh and Service Extensibility APPENDIX A GLOSSARY TABLE OF ACRONYMS Page 5 of 21 Printed copies of this document DAM are Service for reference only.

6 1. Introduction This document describes the Database Activity Monitoring Service (DAM), and its various components, as delivered by Global Security Solutions (GSS) Security Operations Centers (SOC) maintained by CSC. DAM provides enterprises with specialized event collection and analysis capabilities for compliance reporting and security management, which are increasingly important due to increased focus in security legislation (SOX, HIPAA, PCI, etc.) on the identification and protection of personally identifiable information, personal health information and other regulated data types. This technology, which generally doesn't depend on native database audit functions, provides embedded knowledge about database structures, and access that can be used to provide context for analytics and reporting. DAM tools use several data collection mechanisms (such as server based agent software and outof-band network collectors), aggregate the data in a central location for analysis, and report based on behaviours that violate signatures or indicate behavioural anomalies. DAM demand is driven primarily by the need for privileged user monitoring to address compliance-related audit findings, and by threat-management requirements to monitor database access. Enterprise DAM requirements are beginning to broaden, extending beyond basic functions, such as the capability to detect malicious activity or inappropriate or unapproved database administrator (DBA) access. CSC s powered by IBM s Guardium suite of products allows CSC to deliver and provide robust database protection including the ability to discover data and databases, harden the database, audit and report access, and protect against inappropriate access. Page 6 of 21 Printed copies of this document DAM are Service for reference only.

7 2. Business Drivers The Database Activity Monitoring Service helps organizations monitor privileged user access, improve visibility into application traffic and provides the ability to block or prevent malicious activity Market Considerations 3. Scope The primary market considerations include: Active discovery of at-risk data Integration with SIEM technologies Improved auditing capabilities Improved proactive at-risk data protection Discovery of sensitive data and who is accessing it Compliance auditing SQL Injection attacks 3.1. In-Scope GSS will work with Client to determine the scope and potential impact of the Database Activity Monitoring Service. The primary GSS support language will be English Out-of-Scope The following items are considered as out-of-scope for the Database Activity Monitoring Service baseline offering, although support is available to deploy the necessary prerequisites it should be noted that this would be on a project basis. Please contact the respective Security Operations Manager for additional information regarding the following items: Creation and management of hardened security baseline for database configuration. The ability to require change control approval for database changes. The ability to locate and protect at-risk data beyond the capabilities provided in the baseline offering. The ability to systematically interact with a trouble ticket/help desk tracking system. The ability to protect data that is not stored in the supported RDMSs listed in the supported RDMS table included in the appendix. Report generation that is not included in baseline offering. 4. Service Pre-Requisites The GSS SOC will support the Database Activity Monitoring Service when the following service pre-requisites have been satisfied: The satisfactory completion of the Service Initiation Worksheet. Page 7 of 21 Printed copies of this document DAM are Service for reference only.

8 Risk assessment and customer approvals are made. Identification of primary and secondary level points of contact (based on service level). Documented agreement on the scope and associated cost of SOC service provision. Setup and monitoring of full and incremental backups. Regulatory or compliance requirements must be met between the CSC account team and the customer via the Master Service Agreement ( the outsourcing contract ). All Guardium devices and in-scope servers hosting databases must synchronize with a common time source, for both the customer and the SOC. Guardium GS 2000 Appliance has been deployed into the customer s environment. Guardium S-Taps have been installed on the monitored database servers. Guardium Appliance in customer s environment has been configured to alert and report to the Guardium Central Aggregator Application. Guardium Appliance in customer s environment has been configured to be managed by Guardium Central Manager Application. A template has been created for executive and detailed reporting GSS Consulting Services The customer may request a pre-service consulting engagement with GSS to determine what sensitive database objects need to be protected and where these objects reside Setting Expectations The single most important factor for any successful DAM deployment is properly setting expectations at the initiation of the service. The DAM service solution is powerful, but does not make all data completely secure. CSC will meet with all key stakeholders to define what is achievable with the DAM service solution, as well as the following: What types of content can be protected based on the capabilities of the solution. Expected accuracy rates for the various types of monitoring/enforcement policies. For example, there is a higher false positive rate with statistical/conceptual techniques than partial document or database matching. Protection options - monitoring, logging, alerting, blocking. Performance based on the level of scanning. Reporting and workflow capabilities. 5. Definition of Services This Service Definition provides a guide to the Database Activity Monitoring suite of service offerings supported by GSS. Page 8 of 21 Printed copies of this document DAM are Service for reference only.

9 5.1. Service Levels While working closely with the client, CSC will define the level of protection that is needed. CSC will also determine the data, databases, servers, and types of access that is to be monitored. Additionally, the type of protection necessary (audit only, blocking, etc.) will be established. Level Bronze Silver Gold Capabilities Description Includes 10 to 100 database server cpus being monitored. Includes 101 to 250 database server cpus being monitored. Includes 251 to 500 database server cpus being monitored. There is an additional onetime fee for each additional 500 database servers monitored Service Tiers Tier Modules Description Sensitive Object Monitoring CSC Enhance CSC Extend CSC Elevate Sensitive Object Protection Vulnerability Management Database Content Classifier Change Audit System Provides monitoring of all access to predetermined sensitive database objects on all protected servers. Provides the ability to block unauthorized access to the same sensitive objects. Provides the capability for systematically hardening protected databases. Provides the ability to locate sensitive data within protected databases and provide specific protections to that data. Provides the ability to integrate DAM into the change management workflow For more detailed information pertaining to each individual service level technical operation, not specifically defined in this document, please refer to the Conceptual and Logical Technical Models Modules Monitoring Guardium s real-time monitoring technology uses both policy-based controls and anomaly detection to prevent unauthorized activities by potential hackers, privileged insiders, and endusers. The DAM solution consolidates and normalizes audit information from disparate systems into a centralized audit repository. This is accomplished by a local agent running in the operating system of the database server with ties into the database software. This data is then exported to a central data collector. This audit data warehouse can then be used for enterprise-wide compliance auditing and reporting, correlation, and forensics. DAM continuously tracks all DBMS traffic at the network level and on database servers themselves. By doing so, it provides a full set of detective controls with 100 percent visibility into all database activities, without impacting the performance of business-critical applications and databases. There are three levels of auditing that can be deployed: privileged access, sensitive object access and comprehensive auditing. Privileged access provides auditing for Page 9 of 21 Printed copies of this document DAM are Service for reference only.

10 access to all databases on a protected server, but only for users or services with privileged access to the database. Sensitive object access provides auditing of all access, but only access to predefined database objects. Comprehensive audit logs all traffic to the protected databases Protection DAM provides a rich set of preventive policy-based actions for implementing granular access controls to sensitive data. These controls range from real-time alerts to blocking unauthorized local-access connections to customizable policy actions such as automated lock-outs and VPN port shut-downs. As such rules can be created on the management appliances to allow only wanted traffic to the protected databases while blocking all other traffic Vulnerability Management DAM can locate database vulnerabilities including missing patches, misconfigured privileges, default accounts, and weak passwords. Guardium utilizes assessment tests to identify static vulnerabilities and dynamic or behavioral vulnerabilities, such as sharing of administration accounts and excessive administrator logins, by monitoring actual user activity over time. Finally, it includes embedded knowledge about enterprise applications such as Oracle EBS and SAP, to protect critical tables reserved for these applications (an essential control for SOX). Additionally, DAM can protect unpatched systems with real-time controls. Vulnerable systems can take 3-6 months to patch. Guardium s solution protects databases before and after they re patched, through database activity monitoring and signature-based policies, along with preventive controls such as real-time alerts, automated account lockouts and blocking. Policies and activity baselining can also protect against application vulnerabilities such as SQL injection and buffer overflow Data Leak Prevention DAM is able to utilize Guardium s Data Content Classifier to auto-discover and classify sensitive data. Guardium s Classifier uses a database crawler to look for patterns such as 16- digit credit card numbers and 9-digit Social Security numbers in corporate databases. The system generates alerts when it locates sensitive data for the first time. The data can then be tagged with meta-data classifications. DAM can then use these classifications to define access policies and audit processes that like other DAM monitoring/blocking rules can the protect the data from improper modification in the database or export from the system Enterprise System Integration DAM provides connecters for integration with enterprise support applications such as: LDAP, Kerberos, Microsoft Active Directory, RSA SecurID for authentication; SMTP, SNMP, Syslog and API integration with SIEM tools such as ArcSight, envision, McAfee epo, Symantec; Remedy and other helpdesk ticketing systems; and data export standards for reporting in PDF, CSV, XML formats Management All DAM capabilities will be managed through the same server, maintaining consistent policies, workflow and incident handling. Page 10 of 21

11 Policy Creation DAM policies will be completely integrated with all customer policies. This enables CSC to define the protection once and then apply appropriate alerting, logging and blocking rules as a single policy. CSC will work with the customer to define their business processes dealing with DAM policy creation and violation before the service is activated. Listed below are process recommendations for defining new policies. 1. Business unit requests a policy from the DAM team to protect the identified database objects. 2. DAM team meets with business unit to determine goals and protection requirements. 3. DAM team engages with legal and compliance groups to determine any legal or contractual requirements or limitations. 4. DAM team defines draft policy. 5. Draft policy tested in monitoring mode without full workflow. Policy is tuned to acceptable level of accuracy. 6. DAM team defines workflow for selected policy. 7. DAM team reviews final policy and workflow with business unit to confirm needs have been met. 8. Appropriate business units are notified of new policy and of any newly required changes in business processes. 9. The policy is deployed into the production environment in monitoring mode, but with full workflow enabled. 10. The policy is certified as stable. 11. Any blocking actions are enabled. Listed below are the process recommendations for defining policy violations: 1. Violation is detected and appears in incident handling queue. 2. Incident handler confirms incident and severity. 3. If action is required, the incident handler escalates and opens an investigation. 4. LIRM for client affected by the triggered policy is notified. 5. The incident is evaluated. 6. Protective actions are taken. 7. If data is access improperly, notify LIRM and flag data with appropriate contact information. 8. LIRM will notify application owner, data owner, and DBA if corrective action is required. 9. Perform post mortem. 10. Close incident. NOTE: Both the DAM team and incident handler are members of CSC and the customer Service Baselining The initial DAM policies will be deployed on a limited number of database servers (or endpoints). Once CSC can verify the effectiveness of the policies, performance, and enterprise integration, then CSC will expand into a wider deployment, covering more of the customer s enterprise. Page 11 of 21

12 Build initial policies For the initial deployment, CSC will start with a small subset of policies, or even a single policy, in monitoring mode Tuning Policies Even stable policies may require tuning over time. In some cases it will be to improve effectiveness and reduce false positives, and in other cases to adapt to evolving business needs. While the policies are initially tuned during baselining, CSC will continue to tune them as the deployment expands, in order to keep the customer policies current with the enterprise requirements Add Enforcement/Blocking CSC will meet with the customer stakeholders to report on the effectiveness of the DAM policies and the education of the users where policy violations were found. An agreement then will be made to start switching to blocking unapproved or improper access to database objects. When a DAM policy is violated the appropriate incident response procedure will be followed as defined in the DAM Concept of Operations and the customer service agreement. If there is ever a major change to an established business process, the CSC DAM Administrator will scale down enforcement options on the respective business unit(s) Reporting Reporting will include content-specific reports, especially audit reports to help with compliance efforts. Also the DAM service will provide the ability to generate reports for business unit managers, database administrators, audit/legal/compliance, and other non-technical personnel. Since scans are run periodically, the DAM service will allow the customer to automatically schedule and distribute reports, rather than requiring them to be run manually every time Infrastructure Elements The customer establishes the infrastructure in-scope requirements of supported devices. Based on the selected service level and options, the DAM Logical Technical Model (LTM) will completely define and explain what the infrastructure elements will be comprise of, for each individual customer. Please refer the DAM Conceptual Technical Model (CTM) as well Infrastructure Integration The DAM service requires an application to be installed locally into the database server s operating system. CSC will work with the customer to define the initial database servers to monitor and with install the agents or provide the DAM team credentials to do so. 6. Service Operation The purpose of Service Operation is to deliver agreed levels of service to customers, and to manage the applications, technology and infrastructure that support delivery of the DAM services. It is only during this stage of the lifecycle that services actually deliver value to the Page 12 of 21

13 customer, and it is the responsibility of the CSC Service Operation staff to ensure that this value is delivered Phased Deployment CSC will implement a controlled, staged rollout that slowly expands breadth of infrastructure coverage and types of content to protect, for both the Monitor and Protect tiered service offerings. CSC will begin with a monitoring and alerting deployment, which will generate incidents in the DAM management console and are then followed up on by incident handlers. These deployments will be for sensitive databases where the customer does not need immediate Protection, but does want to prompt corrective actions. After a specified period of time, CSC will initiate deployment to add data protective actions, is the customer so desires Event Management An event may indicate that something is not functioning correctly, leading to an incident being logged. Events may also indicate normal activity, or a need for routine intervention such as changing a tape. Event management depends on monitoring, but it is different. Event management generates and detects notifications, whilst monitoring checks the status of components even when no events are occurring Incident Management The purpose of Incident Management is to restore normal service as quickly as possible, and to minimize the adverse impact on business operations. Incidents are often detected by event management, or by users contacting the service desk. Incidents are categorized to identify who should work on them and for trend analysis, and they are prioritized according to urgency and CSC customer impact. If an incident cannot be resolved quickly, it may be escalated. Functional escalation passes the incident to a technical support team with appropriate skills; hierarchical escalation engages appropriate levels of management. After the incident has been investigated and diagnosed, and the resolution has been tested, the CSC Service Desk will ensure that the customer is satisfied before the incident is closed. Incidents considered to be of a severe nature will result in the customer invoking their Incident Management Procedure and may result in a Service Restoration Team (SRT) being formed and ultimately the Root Cause Analysis (RCA) process being initiated. Visibility of any associated incident information will be limited on a 'need-to-know' basis Trouble Tickets and Fault Resolution Depending on the level of service selected, a problem ticket will be raised within an agreed customer application (USD or Remedy). This will apply both to the SOC and the CSC service delivery personnel supporting the customer. The SOC will maintain a record of all problems or incidents. Each problem ticket update will be made by named individuals for audit purposes. Each problem ticket may only be closed upon authorization of nominated customer personnel. Page 13 of 21

14 Audit trail for problem tickets in weekly and monthly reports (based on selected service). Problem ticket data will be made available to the customer when requested in a suitable format (based on selected service) Request Fulfillment The purpose of Request Fulfillment is to enable customers to request and receive standard services; to source and deliver these services; to provide information to customers about services and procedures for obtaining them; and to assist with general information, complaints and comments. All requests will be logged and tracked. The process will include the appropriate approval before fulfilling the request Problem Management The key objectives of Problem Management are to prevent problems and resulting incidents from happening, to eliminate recurring incidents and to minimize the impact of incidents that cannot be prevented. Problem Management includes diagnosing causes of incidents, determining the resolution, and ensuring that the resolution is implemented. Problem Management also maintains information about problems and the appropriate workarounds and resolutions Service Desk The CSC Service Desk will be the primary point of contact in the event an end user s action is blocked. An example of this action is the failure application due to an inability of the application to be able to access the database. The CSC Service Desk will assign a ticket to the region s Operations Center which will then contact the account LIRM Change Control The SOC and the customer will record configuration changes on the in-scope devices or applications via an agreed change control process and reflected within an electronic change ticket (i.e. GCARS). The customer will approve each change ticket prior to implementing the proposed change. Change events include: SOC outage (network), SOC service infrastructure modification (relating to the customer), customer network topology changes, monitored device update etc Change Management The CSC service delivery team is responsible for ensuring that the GSS SOC is made aware of all network infrastructure, or changes to the in-scope devices, that could impact the DAM service offering or which might otherwise cause an outage.. It is the responsibility of the SOC team to understand and comply with the customer s change management requirements Access Management The purpose of the Access Management process is to provide the rights for customers to be able to access the DAM services, while preventing access to non-authorized users. Access Management helps to manage confidentiality, availability and integrity of the data and intellectual property. Page 14 of 21

15 6.7. Service Operation Roles and Responsibilities Based on the selected service, the SOC will ensure that the appropriate CSC service delivery personnel are contacted so preliminary and follow-up activities can be implemented. The CSC LIRM for the customer will provide a single point of contact to act as the coordinator for any customer communications. Position Role Description of Responsibilities CSC LIRM Primary SOC interface To identify key contacts for incident escalation and change management activities SOC Operations Manager SOC Analyst SOC Administrator and/or Engineer Oversees the SOC operations as specified in the terms and conditions of the Service Definition Executes the daily operation of the SOC Supports SOC Operations Manager and SOC Analyst Ensure that the SOC is notified of any changes that may impact service Meet with SOC representatives to verify CSC account and customer satisfaction Address any SOC issues that arise Escalate to the CSC GIS Product Lines and the SOC, as necessary Overall responsibility for delivery of the services defined in this document Point of contact for problem escalation and reporting Manages customer satisfaction of deliverables Manages adherence to performance requirements Organizing regular service reviews Addresses and resolve customer specific concerns Source of assistance for customer billing questions or concerns Collection and management of service improvement requests Measuring and tracking customer satisfaction feedback Escalation point for SOC service issues Support service enhancement activities Report security incident to nominated points-of-escalation within the customer organization Where appropriate, creation of an initial incident reports Provide further investigation support using reasonable endeavors if possible Update and issue final incident report Subject Matter Expert (SME) Assist customer projects in standing up Page 15 of 21

16 Roles and Responsibilities Table DAM solutions within customer account (this is viewed as a project-funded activity) DAM user account provisioning 6.8. Security Operations Center (SOC) The SOC will take every effort not to destroy or corrupt evidence and will perform forensicallysound evidence gathering so preserving legal admissibility of any incident. 7. Reporting 7.1. Baseline Documentation Set Prior to formal DAM service commencement (i.e. Go-Live), the SOC will submit a baseline documentation set describing the key support processes Audit Reports Audit reports will be generated showing exactly which systems were scanned, what was found, and how it was removed or protected. The customer s auditor will very likely accept the report, which will reduce audit time and costs materially (more than the total cost of the DAM service). The DAM Discovery service can be used to scan the entire enterprise at least once a quarter, with critical systems scanned on either a daily or weekly basis. The customer will improve security and reduced risk by reducing the potential number of targets, and reduced compliance costs by being able to provide auditors with acceptable reports demonstrating compliance Daily and Weekly Reporting Optional daily and weekly reporting via secure or customer account or shared network drive. No reporting to be sent 'in-clear' across the Internet. Report should consider: Open and Closed trouble tickets/change/investigation Overall event and alert summaries 7.4. Monthly Reporting In addition to the daily and weekly reports, the following reports will be sent on a monthly basis. Reports should consider: Service performance and adherence to SLA's Event/attack trends across the monitored customer environment Capacity management issues (statistics and performance) Change control issues Scheduled and unscheduled service outages An event breakdown across all security devices by numbers of attacks by level Page 16 of 21

17 Ticket statistics 8. Continual Service Improvement Continual Service Improvement (CSI) is concerned with maintaining value for customers through the continual evaluation and improvement of the quality of services and the overall maturity of the IT Service Management (ITSM) service lifecycle and underlying processes. CSI combines principles, practices and methods from quality management, Change Management and capability improvement, working to improve each stage in the service lifecycle, as well as the current services, processes, and related activities and technology Service Measurement Service measurement will provide a view of the true customer experience of services being delivered. There are three types of metrics that CSC will collect to support CSI activities as well as other process activities. Technology metrics: often associated with component and application based metrics such as performance, availability. Process metrics: captured in the form of Critical Success Factors (CSFs), Key Performance Indicators (KPIs) and activity metrics. Service metrics: the results of the end-to-end service. Component/technology metrics are used to compute the service metrics Periodic Service Assessment The DAM service will be subject to review. This will be performed regularly against a set of evolving criteria based upon initial criteria employed to assess the SOC service offering. This ensures the customer receives 'value-for-money'. A comparison against review reports generated from previous assessments will be performed to determine whether the SOC service is improving or worsening. The results will be discussed between the customer and the SOC and appropriate corrective actions will be taken to resolve any problems. Corrective actions will be monitored between service reviews (i.e. monthly rather than every four months). The SOC recommends a 6 monthly review with the customer Service Reporting A significant amount of data is collated and monitored by CSC in the daily delivery of the DAM service, but only a small subset is of real interest and importance to the customer. A historical representation of the past period s service performance will be generated Performance Indicators / SLAs The Performance Indicators identified in the following table reflects those associated with the standard DAM service offerings for all Tiers. In the event of conflict between this document and/or any other GSS documentation, including marketing literature, the Performance Indicators outlined below will prevail. Service Area Performance Indicator Page 17 of 21

18 Incident Handling An will be sent to the approved Incident handler within 15 minutes after an incident occurs. Reporting Services Daily reports will be delivered by 9AM containing the previous day s data Weekly reports will be delivered on Mondays by 9AM containing the previous week s data Monthly reports will be delivered within 5 days of the 1 st of the Month containing the previous Month s data Real time Data Real time Data will be held for 6 months Archived Data Archived Data will be help up to 7 years or in accordance to the customer s requirements DAM Application Updates DAM Application updates will be applied within 5 business days of the Vendors release DAM Policy Creation or change Policy creation or change will be initiated within 24 hours of the request. Performance Indicators Table CSC is not responsible for ensuring the customer network is operational. As such, CSC is not liable for failure to meet Performance Indicators resulting from network issues outside the control of CSC Service Life Cycle Along with the service assessments describe in section 9.2, it is recommended that the processes and service descriptions defined in this document be reviewed on an annual basis Backup The standard CSC backup solution will be using the following backup regime: All appliances backed up Full once a week, Incremental backup performed daily. Tape storage 8.6. Business Continuity Planning The SOC facility has an established and regularly tested Business Continuity Plan (BCP) including documented and tested procedures for the SOC operation. The SOC has: Relevant support process documentation to support BCP Strong physical security of primary SOC location Redundant power supplies and building UPS The customer and the SOC will ensure each is aware of each other s BCP's Disaster Recovery All customer data (stored on magnetic media) is to be destroyed in accordance with its sensitivity, or returned back to the customer. Page 18 of 21

19 All open problem tickets need to be concluded to the satisfaction of the customer to ensure proper closure. Removal of any equipment needs to be through change control and with minimal impact to the overall operation of the customer network. Where an investigation into a possible security incident is ongoing, the data will need to be returned back to the customer in a form which maintains its legal admissibility Disengagement Activities All customer data (stored on magnetic media) is to be destroyed in accordance with its sensitivity, or returned back to the customer. All open problem tickets need to be concluded to the satisfaction of the customer to ensure proper closure. Removal of any equipment needs to be through change control and with minimal impact to the overall operation of the customer network. Where an investigation into a possible security incident is ongoing, the data will need to be returned back to the customer in a form which maintains its legal admissibility Technology Refresh and Service Extensibility The SOC will make all commercially reasonable efforts to offer and accommodate new and improved security concepts within the service provision to continually improve standards. 9. Appendix A Glossary Term Client Definition The organization requesting Managed Encryption Services from CSC. This could be a CSC account or a request for services directly from a CSC client. CSC Desktop Operations The onsite support team that will provide hands on support for device installation and deployment. Page 19 of 21

20 GSS SOC The organization within Global Security Solutions performing the service delivery for Managed Security Services. Page 20 of 21

21 Table of Acronyms CSC GSS SLA PI SOC DAM RDMS CSC (CSC) Global Security Solutions Service Level Agreement Performance Indicators Security Operations Center Database Activity Monitoring Relational Database Management System Supported Operating Systems OS Type Version 32-bit, 64-bit AIX 5.1, 5.2, 5.3, 6.1 Both HP-UP 11.00, 11.11, 11.31, 11.23PA, Both 11.23IA64 Red Hat Enterprise 2, 3, 4, 5 Both SUSE Linux 9, 10 Both Solaris Sparc 6, 8, 9, 10 Both Solaris Intel/AMD 10 Both Tru64 5.1A, 5.1B 64-Bit Windows NT, 2000, 2003, 2008 Both Supported RDMSs RDMS Version Oracle 8i, 9i, 10g (r1, r2), 11g Microsoft SQL Server 2000, 2005, 2008 IBM DB2 UDB 9.1, 9.5 IBM DB2 for z/os 8.1, 9.1 IBM DB2 UDB for iseries V5R2, V5R3, V5R4, V6R1 IBM Informix 7, 8, 9, 10,11 Sun MySQL 4.1, 5, 5.1 Sybase ASE 12, 15 Sybase IQ 12.6 Teradata 6.01, 6.02 Page 21 of 21