THIS PAGE NOT FOR RELEASE TO CUSTOMER

Transcription

1 Guidance for Use of This Document THIS PAGE NOT FOR RELEASE TO CUSTOMER Use this Guidance page to determine if this SOW fits your Customer's needs. Discard it prior to presenting the SOW to your Customer. Overview: Specific instructions and suggestions pertaining to each section are contained in NOTE(s) TO CONTRACT PREPARER. These instructions and suggestions are intended to remain in the document when you make it available for use in your country. Please note these documents may have different names in different countries. All NOTE(s) TO CONTRACT PREPARER must be read, followed, and then deleted prior to presenting the document to the Customer. Contract Structure: The attached SOW can be used between IBM and the Customer (Direct Relationship or Complementary (also known as lead pass or closed contract )). When to Use: a. This SOW is intended for use only to support transactions in which a Customer has locations within the same country where the contract originates. b. In the case of an opportunity where a Customer has additional locations outside of the country where the contract originates and globally wants a single set of terms and conditions for services in such global locations within that Customer s Enterprise. A separate Local Transaction Document (LTD) must be created for each country and must be signed by the local Customer company and the local IBM Company listed in the Schedule to this SOW. Change Authorisations may be created to amend the terms of this SOW in a particular country. Like LTDs, Change Authorisations must be signed by the local Customer company and the local IBM Company listed in the Schedule to this SOW. Candidates for this SOW must meet the following criteria: 1. The Customer has an executed IBM International Customer Agreement (IICA) in place and on file. The IICA establishes, with a Customer choosing to do business in more than one country, the ongoing relationship terms under which IBM and the Customer will do business in each of those countries. The IICA contains terms for all machines, programs and services which IBM markets. The Acceptance Transaction Document (ATD), which is part of the IICA, must be signed anytime a new country requiring support will be added to the relationship. Applicable International Contracting Business Processes: The Lead Country Opportunity Owner ( OO )/Global Bid Manager ( GBM ) who has a qualified opportunity for standard services notifies International Customer Fulfillment ( ICF ) and pulls this SOW, along with the Local Transaction Document ( LTD ) template from the Standard Contracts and SOW Templates database. ICF or the OO must communicate with all participating countries. A LTD is prepared for each of the participating countries with contact and applicable country unique terms included. The OO/GBM engages the Global Contract Office ( GCO ) for pricing via ebid submission and sends them the SOW and LTD, along with inventory information. The GCO develops the pricing release letter and copies Legal and QA. Please ensure that both the subscription services charges and term are reflective of the rates and term specified in the Price Release Letter. Participating country Services and QA groups confirm delivery capability if not available in the WW Capabilities database. The OO/GBM manually builds the contract package for the customer's signature. The OO/GBM validates there is a current IICA or equivalent agreement executed, completes the SOW with Customer information, completes a LTD template and obtains service delivery information. (Note: Service delivery information may be specified in a separate document that must be attached to the LTD in order to complete contract package.) The OO/GBM CANNOT USE any local tool-generated LTDs or schedules. The LTD must be built manually, reference the SOW and contain the proper country unique terms and inventory information.) The LTD MUST be SIGNED! Administrative Considerations: The signed SOW must be placed into the ifacts database and signed LTDs into ADIAR, or send to Global ICF. Send to local CSO for manual contract registration and inventory registration in local tools. Additional International Information: For detailed information about international contracting, see International Transactions on the Legal Information Systems site Transactions INTC Page 1 of 14

2 The contract structure supported by this SOW and its applicable Schedule is outlined in the following table. Contract Structure Document Name: Document Type: Between Direct Relationship IBM Customer Agreement ( ICA ) or equivalent Governing IBM and Customer. Form: ICA12-1INT Agreement for Exchange of Confidential Information ( AECI ): Form: INTC-4322 Governing document IBM and Customer Statement of Work ( SOW ) for Cybersecurity Assessment and Response Services - Emergency Response Services Subscription Form: INTC Schedule for Cybersecurity Assessment and Response Services - Emergency Response Services Subscription Form: INTC (Direct) Applicable Business Processes: Standard SOW Incorporated by reference into the applicable Schedule Signature not required Schedule to the standard SOW Incorporates ICA, AECI, and SOW by reference Signature required by both parties IBM and Customer IBM and Customer All existing business processes remain unchanged (WWQA/MD, Quality Assurance, Pricing, etc.). This means all contracts created using this SOW must be Priced and Quality Assured in accordance with the current guidelines. Although the language contained within each module has been previously reviewed by QA, an overall QA review of the specific terms you select for this transaction must be performed. The current versions of the appropriate governing documents are incorporated by reference into each transaction. Such incorporation is stated in the applicable Schedule. In addition, it is critical that IDs and Work Numbers are in place prior to commencement of Services. End of Guidance INTC Page 2 of 14

3 IBM AUSTRALIA LIMITED ABN: Level 13, IBM Centre, 601 Pacific Highway, St Leonards, NSW 2065 Statement of Work for Services IBM Cybersecurity Assessment and Response Services Emergency Response Services Subscription This Statement of Work ( SOW ) is between the Customer (also called you and your ) and the IBM legal entity ( IBM ) specified in the Schedule for IBM Cybersecurity Assessment and Response Services Emergency Response Services Subscription ( Schedule ). 1. Scope of Work The IBM Cybersecurity Assessment and Response Services - Emergency Response Services Subscription (called Services ) are designed to provide resources to assist you with computer security incidents or assist with emergency response preparation. IBM will provide resources to assist you in preparing for, managing, and responding to computer security incidents, including steps for analysis, intelligence gathering, containment, eradication, recovery, and prevention. IBM will use existing, commercially available tools, as well as IBM proprietary tools, to perform the Services. Such tools and their associated documentation remain the property of IBM or third parties. The details of the Services are specified in the Schedule. 2. Definitions 3. Services Purchased Subscription Hours Number of Emergency Incident Support or consulting hours included annually for the contract term. Emergency Incident Declaration (EIR) a request for assistant responding to a computer security incident CSIRP Computer Security Incident Response Plan. CSIRT Computer Security Incident Response Team. Alert Condition ( AlertCon ) a global risk metric developed by IBM, using proprietary methods. AlertCon is based on a variety of factors, including quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. Education Materials include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other training-related property created by IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents and presentation slides provided by IBM. 3.1 Services Coordination IBM Services Coordination Responsibilities IBM will provide an IBM Services specialist who will be IBM s focal point during performance of the Services. The IBM Services specialist will: a. review the SOW, and any associated documents, with your Point of Contact; b. establish and maintain communications through your Point of Contact, as defined in the section entitled Your Point of Contact Responsibilities below; c. review and administer a Project Change Control Procedure with your Point of Contact, as defined in the applicable Schedule; and INTC Page 3 of 14

4 d. coordinate and manage the technical activities of IBM s assigned personnel. Completion Criteria: This is an ongoing activity that will be considered complete at the end of the Services. Deliverable Materials: None Your Point of Contact Responsibilities Prior to the start of the Services, you will designate a person ("your Point of Contact"), to whom all communications relative to the Services will be addressed and who will have the authority to act on your behalf in all matters regarding this SOW. Your Point of Contact will: a. serve as the interface between IBM s project team and all of your departments participating in the Services; b. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services, within two business days of IBM s request; and c. help resolve Services issues, and escalate issues within your organisation, as necessary Your General Responsibilities IBM's performance is dependent upon your management and fulfillment of your responsibilities under this SOW and the Agreement specified in the Schedule ( Agreement ), at no charge to IBM. You agree to: a. make appropriate personnel available to assist IBM in the performance of IBM s responsibilities; b. provide safe access, suitable office space, supplies, furniture, high speed connectivity to the Internet, and other facilities for IBM s personnel while working at Customer s location; c. ensure that current maintenance and license agreements are in place with applicable vendors for those products and services upon which IBM is relying to provide the Services described herein; NOTE TO CONTRACT PREPARER: If the Customer objects to the inclusion of the following item (i.e., being used as a reference), you may delete this item. d. allow IBM to cite your company name and the general nature of the Services IBM performed for you to IBM s other customers and other prospective customers; NOTE TO CONTRACT PREPARER: Delete the following item if the IBM Customer Agreement, or any equivalent agreement, is already in effect with your customer and contains these terms. e. agree that IBM may process the business contact information of your employees and contractors and information about your company as a legal entity (contact information) in connection with IBM Products and Services or in furtherance of IBM s business relationship with you. This contact information can be stored, disclosed internally and processed by International Business Machines Corporation and its subsidiaries, Business Partners and subcontractors wherever they do business, solely for the purpose described above provided that these companies comply with applicable data privacy laws related to this processing. Where required by applicable law, you have notified and obtained the consent of the individuals whose contact information may be stored, disclosed internally and processed and will forward their requests to access, update, correct or delete their contact information to IBM who will then comply with those requests; f. acknowledge and agree that IBM does not provide legal services or represent or warrant that the services or products IBM provides or obtains on your behalf will ensure your compliance with any particular law, including but not limited to any law relating to safety, security or privacy; NOTE TO CONTRACT PREPARER: The following term relates to Data Privacy and Personal Information. The Customer knows its data better than IBM does, therefore Customer is responsible for knowing what laws apply to its data, including any laws or regulations regarding transfer of data outside of the originating country. Data Privacy is concerned with information that relates directly or indirectly to individuals ' but may in some countries include data about legal entities. Examples include information about the Customers, the Customer's employees and the Customers of the Customer. You should also consider information about IBM employees, IBM subcontractors and vendors. IBM is concerned about the collection, use, storage, disclosure, and processing of information about individuals. INTC Page 4 of 14

5 Personal Information is any information that identifies (or can reasonably be used to identify), contact, or locate the individual to whom such information pertains. Typical examples of such information include an individual's name in conjunction with his or her home or business address, telephone number, address, or other data elements that reflect the individual's physical, social or financial characteristics. g. obtain any necessary consents and take any other actions required by applicable laws, including but not limited to data privacy laws, prior to disclosing any of your employee information to IBM. You also agree that with respect to data that is transferred or hosted outside of the country or countries specified in the Schedules, you are responsible for ensuring that all such data transmitted outside of the country or countries specified in the Schedules adheres to the laws and regulations governing such data; h. be responsible as sole Data Controller for complying with all applicable data protection or similar laws regulating the processing of any Personal Data (as such terms are defined in Directive 95/46/EC) provided by or through you to IBM. IBM will only process such Personal Data in a manner which is reasonably necessary to provide the Services and only for that purpose. IBM will follow your reasonable processing instructions with respect to the Personal Data and IBM will use its reasonable endeavors to apply the security measures as set forth in this SOW and the Agreement or as notified to IBM in writing in advance. You are responsible for determining that these measures provide an appropriate level of protection. IBM, in providing the Services, may transfer your data, including Personal Data, across a country border, including outside the European Economic Area ( EEA ), if IBM reasonably considers such transfer appropriate or useful for IBM's performance of the Services and reasonably cooperates with you to meet legal requirements. You are solely responsible for determining that any transfer by you or IBM of your data, including Personal Data, across a country border under the SOW and the Agreement complies with the applicable data protection laws; i. before making available any facilities, software, hardware or other resources, obtain any licenses or approvals related to these resources that may be necessary for IBM and its subcontractors to perform the Services and develop Materials. IBM will be relieved of its obligations that are adversely affected by your failure to promptly obtain such licenses or approvals. You agree to reimburse IBM for any reasonable costs and other amounts, including costs of litigation and settlements, that IBM may incur from your failure to obtain these licenses or approvals; j. be responsible for the content of any database, the selection and implementation of controls on its access and use, backup and recovery, and the security of the stored data. This security will also include any procedures necessary to safeguard the integrity and security of software and data used in the Services from access by unauthorised personnel; be responsible for the identification of interpretation of, and compliance with, any applicable laws, regulations, and statutes that affect your existing systems, applications, programs, or data to which IBM will have access during the Services, including applicable data privacy, export, and import laws and regulations. It is your responsibility to ensure the systems, applications, programs, and data meet the requirements of those laws, regulations and statutes; k. be responsible for providing and paying for Internet access service or telecommunications transport circuits; and l. be responsible for your own network security policy and security violation response procedures Mutual Responsibilities Each of us will comply with applicable export and import laws and regulations, including those of the country or countries specified in the Schedules that prohibit or limit export for certain uses or to certain end users. Each of us will cooperate with the other by providing all necessary information to the other, as needed for compliance. Each of us will provide the other with advance written notice prior to providing the other party with access to data requiring an export license. 3.2 Emergency Response Services IBM Emergency Response Services Responsibilities Activity 1 - Project Initiation The purpose of this activity is to review the processes for making a declaration for a computer security incident that presents a real or a possible threat to your computer system and network environment ( Emergency Incident Declaration ), and to validate the schedule (see Estimated Schedule section). INTC Page 5 of 14

6 Task 1 - Conduct a Project Kickoff Workshop IBM will facilitate an on-site or remote project initiation workshop, for up to one day (eight hours), on a mutually agreed date and time. a. introduce the personnel to be providing the Services; b. confirm your locations to be included in the Services; c. define the process for making an Emergency Incident Declaration, including establishing the designated telephone number(s) and address(es); d. review processes for responding to an Emergency Incident Declaration and for exchanging security incident data in a secure manner; e. discuss preemptive incident preparation tasks, listed in Preemptive Incident Preparation, you can elect to perform using Purchased Subscription Hours; f. mutually agree to preemptive incident preparation tasks listed in Preemptive Incident Preparation, and the allocation of hours to each for the contract term; g. develop a Service Calendar outlining regular checkpoint schedules, and selected preemptive incident preparation tasks; and h. discuss Additional emergency incident hourly support if required to conduct your selected preemptive incident preparation tasks. Completion Criteria: This activity will be considered complete when the project kickoff workshop has been conducted and the Service Calendar delivered. Deliverable Materials: Service Calendar Activity 2 - Preemptive Incident Preparation Utilising Purchased Subscription Hours, IBM will perform preemptive incident preparation tasks as mutually agreed. Exact scope will be determined and mutually agreed upon prior to starting each task. Additional hours may be purchased at the Usage charge rate listed in the Schedule. Task 1 - Active Threat Assessment (1) discuss the current threat and risk level of your enterprise; (2) perform tool-based analysis through active scanning or passive monitoring to attempt to discover any potential malware or botnet activities in the selected environment; (3) identify and document security exposures that may be internally or externally exploitable based on scan; (4) assess the vulnerability of critical external facing assets by conducting network technical testing across Customer-specified Internet-facing IP network addresses; (5) attempt to exploit key identified vulnerabilities and target specific systems and attempt to gain direct access to confidential data and administrator or elevated access privileges on vulnerable systems; (6) attempt to compromise internal networks and systems by leveraging limited external access; (7) demonstrate specific or systematic security weaknesses, if present; and (8) as applicable, analyse and document its findings and recommendations to be included in the Active Threat Assessment Report. Task 2 - Computer Security Incident Response Plan (CSIRP) Gap Assessment (1) discuss the business units and processes in your enterprise with which your current computer security incident response plan interfaces; INTC Page 6 of 14

7 (2) review how the current computer security incident process impacts these business units and processes; (3) review the current computer security incident response team, including its roles, responsibilities, organisation, and reporting hierarchy; (4) review the current computer security incident response plan for your enterprise, if available, and identify potential issues in a CSIRP gap assessment report; (5) conduct interviews, via conference call, with key CSIRP participants such as I/T system administration, I/T network administration, I/T security, corporate security, business continuity, legal, human resources, and public relations; (6) document findings and recommendations in a CSIRP gap assessment report; and (7) discuss findings, for up to two hours, via conference call with your computer security incident response team. Task 3 - Incident Response Training and Incident Simulation (1) conduct a workshop for up to eight hours to provide first responder training, for up to 12 attendees; (2) work remotely with your key members to develop a computer security incident simulation exercise that will test your computer security incident response plan and procedures, with focus on the areas that may need to be updated or improved; (3) conduct and supervise the incident simulation exercise on-site for up to eight hours at your location, paying particular attention to: whether your computer security incident response team is properly notified of the incident, and how long notification takes; how well the members of your computer security incident response team work with each other and members of higher management; how well your computer security incident response team performs in the five phases of incident response (analysis, containment, eradication, recovery, and prevention); how well your computer security incident response team interfaces with external entities (Internet service providers, administrators of other sites, other response teams, law enforcement entities, etc.); and how well your computer security incident response team communicates with customers, external users, employees, and the public media. (4) document findings in Incident Response Training and Simulation Report. Completion Criteria: This activity will be considered complete when IBM has provided the number of hours mutually agreed upon or provides the deliverable material for the task(s) performed, or when the contract end date has passed. Deliverable Materials: Active Threat Assessment Report, as applicable; CSIRP gap assessment report, as applicable; and Incident Response Training and Simulation Report, as applicable. Activity 3 - Emergency Incident Support The purpose of this activity is to provide emergency response for each Emergency Incident Declaration for the term of this SOW. a. provide emergency response 24 hours/day, 7 days/week for Emergency Incident Declarations per the term of this SOW and Schedule. Such response will utilise included subscription hours for onsite and/or remote support for the designated physical locations as specified in the Schedule. If INTC Page 7 of 14

8 additional physical location coverage is required in response to an incident, additional charges may apply; b. within approximately one hour after receiving your call or for an Emergency Incident Declaration, host a conference call with your designated personnel to discuss the symptoms you are observing, actions taken and similar items; c. provide assistance and advice if possible for handling the Emergency Incident Declaration including: (1) analysis of computer security incident data to determine the source of the incident, its cause, and its effects; (2) preventing the effects of the computer security incident from spreading to other computer systems and networks; (3) stopping the computer security incident at its source and/or protecting your computer systems and networks from the effects of the computer security incident; (4) recommendations for restoration of the affected computer systems and networks to normal operation; and (5) suggesting protection methods for your computer systems and networks from future occurrences of the computer security incident; d. prepare and provide an After-Incident Report to your Point of Contact describing the computer security incident, causes and effects, actions taken by IBM, and recommended future actions to mitigate risk; and e. provide additional emergency incident hourly support, in response to your written request. Such support will be provided based on the Usage charge specified as Additional emergency incident hourly support in the Charges section of the Schedule. Note: The tasks outlined in this section, if performed, will consume Purchased Subscription Hours. Additional hours may be purchased at the Usage charge rate listed in the Schedule. Completion Criteria: This activity will be considered complete when the contract end date has passed. Deliverable Materials: After-Incident Report, as applicable. Activity 4 - Quarterly Incident Related Support and Status Update The purpose of this activity is to provide you with ongoing incident related support, up-to-date threat trends, and status updates. a. provide up to 8 hours telephone support each quarter with access to advice and assistance from ERS during normal business hours (currently 8 a.m. to 5 p.m., Eastern Time) on topics in the areas of security incident assessment, preparedness, management, response, and basic triage; b. provide a checkup via remote teleconference for up to 2 hours to review quarterly status, relevant events, service hours utilised and remaining, update service schedule, provide update on threat trends, ensure your incident response readiness, and provide recommendations if appropriate; and c. document result of each telephone support and discussion of the checkup teleconference in a quarterly status report. Completion Criteria: This activity will be considered complete when IBM has provided the following deliverable at the end of each quarter according to the service calendar. Deliverable Materials: Quarterly Status Report Activity 5 - IBM X-Force Hosted Threat Analysis Subscription The IBM X-Force Hosted Threat Analysis Subscription is a security intelligence service that is designed to deliver customised information about a variety of threats that could affect your network security. INTC Page 8 of 14

9 A Portal provides you with access to an environment (and associated tools) designed to monitor and manage your security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface. The Portal may also be used to deliver Education Materials. All such Education Materials are licensed not sold and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED AS IS AND WITHOUT WARRANTY, GUARANTEE OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS Task 1 - Deployment and Activation During deployment and initiation, IBM will enable Customer to access the Portal, and will work with you to activate the Services. a. provide access to the Portal 24 hours/day, 7 days/week; b. request one name and address for each Services subscription purchased; c. enable Services access for each subscription purchased; d. provide access to Education Materials in accordance with the terms provided in the Portal; and e. send each licensed Services user a welcome with a user ID and temporary password to the Portal. Task 2 - Security Intelligence Security intelligence is provided by the IBM X-Force Threat Analysis Center. The X-Force Threat Analysis Center publishes an Internet AlertCon threat level. The AlertCon describes progressive alert postures of current Internet security threat conditions. Utilising the Portal, you can create a vulnerability watch list with customised threat information. In addition, each Portal user can request to receive an Internet assessment each business day. This assessment provides an analysis of the current known Internet threat conditions, real-time Internet port metrics data, and individualised alerts, advisories and security news. a. provide you with access to the X-Force Hosted Threat Analysis Service; b. provide you with a username, password, URL and appropriate permissions to access the Portal; c. display security information on the Portal as it becomes available; d. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the Portal; e. if configured by you, provide an Internet security assessment each business day; f. publish an Internet AlertCon via the Portal; g. provide Portal feature functionality for you to create and maintain a vulnerability watch list; h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and i. provide access to the Threat IQ via the Portal. Completion Criteria: This activity will be considered complete when IBM has provided two X-Force Hosted Threat Analysis Service annual subscription seats. Deliverable Materials: None Your Emergency Response Services Responsibilities You agree: a. and acknowledge: INTC Page 9 of 14

10 (1) that you may not make an Emergency Incident Declaration until after the project kickoff session has been conducted; (2) your additional locations, or locations not specified in the Schedule, must be contracted for separately; (3) one IBM consultant will be assigned for remote and/or on-site Emergency Incident Declaration response to the declared physical location. Additional IBM consultants must be contracted for separately and are subject to availability; and (4) that if IBM discovers what it considers, in its sole discretion, to be inappropriate content during the performance of the Services, IBM has the authority to report such information to law enforcement. Examples of what IBM would consider inappropriate content includes, but is not limited to, content or activity that involves obscene, pornographic or violent material; b. to provide the IBM Services specialist with the names and telephone numbers (including after hours telephone or pager numbers) of your lead investigator, technical and management contact personnel (including backup personnel) who have the authority to make Emergency Incident Declarations and act upon suggestions and recommendations made by IBM; c. to make appropriate personnel available during IBM s response to an Emergency Incident Declaration to answer questions, obtain requested data, perform suggested actions, and similar items; d. to provide copies of all configuration information, log files, intrusion detection events, and other data related to an Emergency Incident Declaration and its analysis; e. to manage the collection and dissemination of information regarding an Emergency Incident Declaration with your technical and managerial personnel, legal and public relations departments, others within your organisation, and other companies as applicable; f. to be responsible for and facilitate all communications between IBM and any third party vendors, including Internet service providers and content-hosting firms used by you to implement your Internet presence; g. to provide supervised access to your computer systems and computer networks during the agreed upon times and days; h. to provide IBM with an editable copy of you computer security incident response plan for review, if available; i. and acknowledge, that during the Computer Security Incident Response Assessment Report review cycle only three opportunities will be allowed to provide input; j. to provide your proposed changes, comments and feedback during the Computer Security Incident Response Assessment Report review cycle within 5 business days of the receipt of the report, at no additional charge to IBM; k. and acknowledge, that during an emergency incident and upon your request to IBM, additional emergency incident support hours will be provided based on Usage charge specified in the Schedule; l. to provide an executive sponsor for the Services to communicate management commitment to the project; and m. to be responsible for all charges associated with any additional Emergency Incident Declarations you make during the term of this SOW Your IBM X-Force Hosted Threat Analysis Subscription Responsibilities You agree to: a. utilise the Portal to perform daily operational Services activities; b. ensure your employees accessing the Portal on your behalf comply with the Terms of Use, provided therein including, but not limited to, the terms associated with Educational Materials; c. appropriately safeguard your login credentials to the Portal (including not disclosing such credentials to any unauthorised individuals); d. promptly notify IBM if a compromise of your login credentials is suspected; and INTC Page 10 of 14

11 e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from your failure to safeguard your login credentials. f. provide IBM with one name and address for each Services subscription purchased; and g. change your temporary password upon first login to the Portal. You agree to use the Portal to: a. subscribe to the daily Internet security assessment , if desired; b. create a vulnerability watch list, if desired; c. access the Threat IQ; and d. agree to adhere to an individual license which entitles a single person in an organisation to login to the IBM Managed Security Services ( IBM MSS ) portal (called Portal ) and customise the delivery of the Services content. This person is entitled to view information in the Portal and to receive notifications configured in the Portal. The individual is not authorised to share or distribute Services information. Although an organisation can transfer an individual license from one person to another if needed, an individual license cannot be shared with other individuals who do not have a proper license. 4. Deliverable Materials Service Calendar The Service Calendar is a Type II Material consisting of the following, as appropriate: (1) Selection and scope of preemptive incident preparation services; (2) Service schedule; and (3) Confirmed locations and contacts information. Active Threat Assessment Report, if applicable The Active Threat Assessment Report is a Type II Material consisting of the following, as appropriate: (1) Executive Summary - a high-level overview of the current risk level and threat posture; (2) Services Overview; (3) Assessment Findings Summary and Detail; and (4) Recommendations specific actions or considerations to address documented issues. CSIRP Gap Assessment Report, if applicable The Incident Response Training and Simulation Report is a Type II Material consisting of the following, as appropriate: (1) Recommended updates to the policy document for incident response plans; (2) Industry best practices for incident response plans as appropriate; (3) Recommended updates to the existing CSIRP that meets the Customer s organisational and business objectives; which will include at a minimum: o o o Incident Handling process defining incident severity and incident response escalation; process including points of contact based on information asset sensitivity and severity of the incident; Accountability matrix that identifies key contacts in the organisation for incident response; and Incident Response Checklist used to determine proper escalation and reporting of the IT security incidents; and (4) Gap analysis describing high level observations discovered while reviewing your current CSIRP. Incident Response Training and Simulation Report, if applicable The Incident Response Training and Simulation Report is a Type II Material consisting of the following, as appropriate: (1) Summary of the training; INTC Page 11 of 14

12 (2) Description of incident scenario; and (3) Any observations and recommendations resulting from the mock incident scenario. Quarterly Status Reports The Quarterly Status Report is a Type II Material consisting of the following, as appropriate: (1) Status of activities and tasks performed or in progress in the reporting quarter; (2) Summary hours used in the reporting quarter and remaining hours in the subscription; (3) Documentation of remote support provided in the reporting quarter; (4) Relevant trends and industry updates on incident management; and (5) Any issues or changes to service calendar and activity schedule. Incident Analysis Report The Incident Analysis Report is a Type II Material consisting of the following, as appropriate: (1) Executive Summary a high level overview of the background and findings related to the incident; (2) Data Collection and Preservation specific actions and steps performed to collect and preserve incident data; (3) Data Analysis detailed results of the incident analysis; and (4) Conclusions and Recommendations summary of the incident and specific actions or considerations to help mitigate the risk of future occurrences. IBM will deliver one copy of the applicable deliverable(s) electronically to your Point of Contact within five business days following the closing of the activity. 5. Estimated Schedule The estimated schedule for the Services is detailed in the Schedule and will be used to establish the contract term. Both parties agree to make reasonable efforts to carry out our respective responsibilities in order to achieve the estimated schedule. 6. Completion Criteria IBM will have fulfilled its obligations for the Services when any one of the following first occurs: a. when the contract end date has passed; or b. the Services are terminated in accordance with the provisions of the Agreement identified in the Schedule. 7. Charges The charges for the Services described in this SOW, exclusive of applicable taxes, are as specified in the Schedule. IBM shall not be responsible for delays or additional requirements imposed by any government agencies, labor disputes, fire, unavoidable casualties, or unforeseen conditions. 8. Other Terms and Conditions 8.1 Limitation of Services You acknowledge and agree that the following are not included as part of the Services described herein: a. services involving incidents of violence, injury to persons, or damage to or theft of tangible personal property; b. services to identify a perpetrator; however, determining the source of network traffic or specific digital activity may be included in the services; c. investigatory interrogation; d. testifying in judicial or administrative proceedings; e. communication on your behalf with any entity, such as law enforcement, the news media, or its customers; INTC Page 12 of 14

13 f. any services requiring professional licensing of the service provider; g. evidentiary chain of custody control or management, but IBM may adhere to your chain of custody procedures in performing its obligations hereunder, provided these are reviewed and agreed to by IBM prior to starting work; h. legal counsel of any kind; i. opinions as to the credibility of any person; or j. any other related services which IBM, at its reasonable discretion, may at any time decline. 8.2 Permission to Perform Testing Certain laws prohibit any unauthorised attempt to penetrate or access computer systems. You authorise IBM to perform the Services as described herein and acknowledge that the Services constitute authorised access to your computer systems. IBM may disclose this grant of authority to a third party if deemed necessary to perform the Services. The Services that IBM performs entail certain risks and you agree to accept all risks associated with such Services; provided, however, that this does not limit IBM s obligation to perform the Services in accordance with the terms of this SOW. You acknowledge and agree to the following: a. excessive amounts of log messages may be generated, resulting in excessive log file disk space consumption; b. the performance and throughput of your systems, as well as the performance and throughput of associated routers and firewalls, may be temporarily degraded; c. some data may be changed temporarily as a result of probing vulnerabilities; d. your computer systems may hang or crash, resulting in system failure or temporary system unavailability; e. any service level agreement rights or remedies will be waived during any testing activity; f. a scan may trigger alarms by intrusion detection systems; g. some aspects of the Services may involve intercepting the traffic of the monitored network for the purpose of looking for events; and h. new security threats are constantly evolving and no service designed to provide protection from security threats will be able to make network resources invulnerable from such security threats or ensure that such service has identified all risks, exposures and vulnerabilities. 8.3 Systems Owned by a Third Party For systems (which for purposes of this provision includes but is not limited to applications and IP addresses) owned by a third party that will be the subject of testing hereunder, you agree: a. that prior to IBM initiating testing on a third party system, you will obtain a signed letter from the owner of each system authorising IBM to provide the Services on that system, and indicating the owner's acceptance of the conditions set forth in the section entitled Permission to Perform Testing and to provide IBM with a copy of such authorisation; b. to be solely responsible for communicating any risks, exposures, and vulnerabilities identified on these systems by IBM s remote testing to the system owner, and c. to arrange for and facilitate the exchange of information between the system owner and IBM as deemed necessary by IBM. You agree: a. to inform IBM immediately whenever there is a change in ownership of any system that is the subject of the testing hereunder; b. not to disclose the deliverable Materials, or the fact that IBM performed the Services, outside your Enterprise without IBM s prior written consent; and c. to indemnify IBM in full for any losses or liability IBM incurs due to third party claims arising out of the your failure to comply with the requirements of this section entitled, "Systems Owned by a Third Party" and for any third party subpoenas or claims brought against IBM or IBM s subcontractors or agents arising out of (a) testing the security risks, exposures or vulnerabilities of the systems that INTC Page 13 of 14

14 8.4 Disclaimer are the subject of testing hereunder, (b) providing the results of such testing to you, or (c) your use or disclosure of such results. You understand and agree: a. that it is solely within your discretion to use or not use any of the information provided pursuant to the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose not to take based on the Services performed and/or deliverables provided hereunder; b. that it is your sole responsibility to provide appropriate and adequate security for the company, its assets, systems and employees; c. that it is your responsibility to add the IP addresses associated with the testers to any filtering devices, thereby permitting unfiltered network access to the target systems; d. not to modify the configurations of any in-scope systems and infrastructure devices during the period of testing; and e. that new technology, configuration changes, software upgrades and routine maintenance, among other items, can create new and unknown security exposures. Moreover, computer hackers and other third parties continue to employ increasingly sophisticated techniques and tools, resulting in ever-growing challenges to individual computer system security. IBM s performance of the Services does not constitute any representation or warranty by IBM about the security of your computer systems including, but not limited to, any representation that your computer systems are safe from intrusions, viruses, or any other security exposures. IBM does not make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information provided as part of the Services. INTC Page 14 of 14