IBM Infrastructure Security Services Managed Security Information and Event Management Service Description




IBM Infrastructure Security Services Managed Security Information and Event Management Service Description Z126-6526-SSA-1 04-2014 Page 1 of 34

Table of Contents

1.0 Scope of Services
2.0 Definitions
  2.1 General Terms
  2.2 QRadar Technology Terms
  2.3 Service Roles
3.0 Managed SIEM Services Contacts
  3.1 Security Operations Center
  3.2 Points of Contact
    3.2.1 IBM Point of Contact Responsibilities
    3.2.2 Your Point of Contact Responsibilities
    3.2.3 IBM Authorized Services Contacts Responsibilities
    3.2.4 IBM Designated Services Contacts Responsibilities
    3.2.5 Your Authorized Security Contacts Responsibilities
    3.2.6 Your Designated Services Contacts Responsibilities
4.0 Managed SIEM Foundational Features
  4.1 MSS Portal
    4.1.1 IBM MSS Portal Responsibilities
    4.1.2 Your MSS Portal Responsibilities
    4.1.3 IBM MSS Portal Users Responsibilities
    4.1.4 Your MSS Portal Users Responsibilities
  4.2 Security Reporting
    4.2.1 IBM Security Reporting Responsibilities
    4.2.2 Your Security Reporting Responsibilities
  4.3 IBM X-Force Threat Analysis
    4.3.1 IBM Security Intelligence Responsibilities
    4.3.2 Your Security Intelligence Responsibilities
5.0 Managed SIEM Service Phases
  5.1 Phase One - Project Initiation and Planning
    5.1.1 IBM Project Initiation and Planning Responsibilities
      Activity 1 - Kickoff
      Activity 2 - Requirements Definition and Planning Session
    5.1.2 Your Project Initiation and Planning Responsibilities
  5.2 Phase Two - SIEM System Design
    5.2.1 IBM SIEM System Design Responsibilities
      Activity 1 - Process and Data Gathering
      Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation
      Activity 3 - Architecture Design
      Activity 4 - System Design
      Activity 5 - Design Review
    5.2.2 Your SIEM System Design Responsibilities
  5.3 Phase Three - Implementation
    5.3.1 IBM SIEM System Implementation Responsibilities
      Activity 1 - Install Console Appliance
      Activity 2 - Customize Console Appliance
      Activity 3 - Deploy Log Collection for Production Environment
      Activity 4 - Deploy Flow Collection for Production Environment
      Activity 5 - Initial Tuning for Production Environment
    5.3.2 Your SIEM System Implementation Responsibilities
  5.4 Phase Four - Integration and Transition
    5.4.1 IBM Integration and Transition Responsibilities
      Activity 1 - Staged Transition to Ongoing Operational Support
      Activity 2 - Reports Definition and Validation
      Activity 3 - Readiness Assessment
      Activity 4 - Initiate Steady State Operations
    5.4.2 Your Integration and Transition Responsibilities
  5.5 Phase Five - Ongoing Operational Support
    5.5.1 IBM Ongoing Operational Support Responsibilities
      Activity 1 - Threat Analyst Event Monitoring and Notification
      Activity 2 - SIEM System Infrastructure Management
      Activity 3 - SIEM System Change Requests
    5.5.2 Your Ongoing Operational Support Responsibilities
6.0 Managed SIEM Optional Features
  6.1 Custom Parser Creation
    6.1.1 IBM Custom Parser Creation Responsibilities
      Activity 1 - Custom Parser Creation
  6.2 Reports Generation, Review, and Analysis
    6.2.1 IBM Reports Generation, Review, and Analysis Responsibilities
      Activity 1 - Reports Generation, Review, and Analysis
  6.3 General SIEM Consulting
    6.3.1 IBM General SIEM Consulting Responsibilities
      Activity 1 - General SIEM Consulting
    6.3.2 Your General SIEM Consulting Responsibilities
  6.4 Ticket System Integration
    6.4.1 IBM Ticket System Integration Responsibilities
      Activity 1 - Ticket System Integration
    6.4.2 Your Ticket System Integration Responsibilities
  6.5 Vulnerability Scanner Integration
    6.5.1 IBM Vulnerability Scanner Integration Responsibilities
      Activity 1 - Vulnerability Scanner Integration
  6.6 QRadar Vulnerability Manager Integration and Management
    6.6.1 IBM QRadar Vulnerability Manager Integration and Management Responsibilities
      Activity 1 - QRadar Vulnerability Manager Integration and Management
    6.6.2 Your QVM Responsibilities
7.0 Service Level Agreements
  7.1 SLA Overview
  7.2 SLA Definitions
    7.2.1 Service Availability
    7.2.2 Portal Availability
    7.2.3 Security Incident Identification and Notification
    7.2.4 SIEM Agent Health Alerting
  7.3 SLA Root Cause Analysis
  7.4 SLA Remedies
8.0 Deliverable Materials
9.0 Other Terms and Conditions
  9.1 Intellectual Property Services Components
  9.2 Permission to Perform Testing
  9.3 Disclaimer
  9.4 Employment of Assigned Personnel

IBM Managed Security Information and Event Management

IN ADDITION TO THE TERMS AND CONDITIONS SPECIFIED BELOW, THIS SERVICES DESCRIPTION INCLUDES THE IBM MANAGED SECURITY SERVICES GENERAL PROVISIONS ("GENERAL PROVISIONS") LOCATED AT http://www-935.ibm.com/services/us/iss/html/contracts_worldwide_landing.html AND INCORPORATED HEREIN BY REFERENCE.

1.0 Scope of Services

IBM Managed Security Information and Event Management ("Managed SIEM", "MSIEM" or "Services") is designed to help you plan, implement, manage, and monitor a SIEM System based on your identified business requirements. The Services features described herein are dependent upon the availability and supportability of products and product features being utilized. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This includes both IBM-provided and non-IBM-provided hardware, software, and firmware.

This Services Description is between the Customer referenced herein (also called "you" and "your") and International Business Machines Corporation ("IBM" or "Service Provider").

The MSIEM Service is performed in phases.

Phase One - Project Initiation and Planning: During this phase, IBM assists you with defining and compiling requirements and develops a Project Plan.

Phase Two - System Design: During this phase, IBM creates an architectural and system design for your environment. If the SIEM System is already deployed, IBM performs a design review.

Phase Three - Implementation: During this phase, if not already deployed, IBM installs and configures the SIEM System components and verifies that data is being transmitted and reported.

Phase Four - Integration and Transition: During this phase, IBM develops processes and corresponding documentation and begins transitioning management and monitoring to the operational support team.

Phase Five - Ongoing Operational Support: During this phase, IBM provides steady state management and monitoring of the SIEM infrastructure.

2.0 Definitions

2.1 General Terms

Alert Condition ("AlertCon") - a global risk metric developed by IBM, using proprietary methods. The AlertCon is based on a variety of factors, including quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. The four levels of AlertCon are described in the MSS Portal.

Authorized Security Contacts - your decision-maker on all operational issues pertaining to IBM Managed Security Services.

Change Request (CR) - a specific modification to the SIEM System configuration after the initiation of steady state operations including Event Source and SIEM System component moves, adds, and deletes, SIEM Agent reorganization, network hierarchy modifications, correlation Rule and policy exception alert creation or revision, and report creation beyond the original set.

Designated Services Contacts - your decision-maker on a subset of operational issues pertaining to IBM Managed Security Services.

Education Materials - include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other training-related property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents, and presentation slides provided by IBM.

End Date - the last date of Services based on the Project Start Date and Contract Period as specified in the Schedule.

Event Source - any operating system, application, agent, daemon, appliance, or device that will be transmitting security event logs or data to the SIEM System.

IBM Managed Security Services ("IBM MSS") Portal (called "MSS Portal") - provides access to an environment (and associated tools) designed to monitor and manage security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.

Incident - a security event that requires analysis, investigation, containment, eradication, remediation, or prevention.

Information Request - an email that IBM sends to an Authorized Security Contact or Designated Services Contact to assist IBM with Incident investigation, Offense Rules refinement, and the proactive integration of outputs from the Incident management lifecycle into the overall SIEM System configuration.

Issue - a non-security event that requires analysis, investigation, or resolution.

MSS Portal Users - users of the MSS Portal with different levels of authorization to the MSS Portal. MSS Portal Users can have restricted, regular, or administrative MSS Portal access to all MSS Agent(s) or just a subset of MSS Agent(s). The MSS Portal views and permissions available to the Portal Users are dictated by the Authorized Security Contact.

Service Feature - a line item in the Schedule that describes a specific component of the Service and is associated with a one-time charge or monthly charge.

Service Questionnaire - a pre-defined list of data collection questions presented by IBM to you for completion prior to deployment or transition.

Services Recipient - any entity or individual receiving or using the Services, the results of the Services, or acting on behalf of the end user in receiving or using the Services, or the results of the Services.

SIEM Agent - the term used to collectively describe any distributed SIEM component.

SIEM System - the hardware and software components and modules that collectively make up the Security Information and Event Management infrastructure.

Ticket - a record created in the problem reporting system that requires action to be taken by you or by IBM as appropriate.

2.2 QRadar Technology Terms

Dashboard - the default view that is displayed when logging into QRadar; it provides a customizable workspace environment that supports multiple assortments which can be used to view network security, activity, or data that QRadar collects.

Device Support Module (DSM) - the software component that parses incoming events into the QRadar standardized format.

Flow - a collection of packets constituting communication between hosts that share some common properties.

Log Source - maps incoming Event Source format to a DSM for parsing enhancement or parsing override.

Magnitude - specifies the relative importance of the Offense and is a weighted value that is calculated based on relevance, severity, and credibility.

Offense (also referred to as "Incident" if declared as such) - a message sent or event generated in response to a monitored condition. For example, an Offense informs you if a policy has been breached or the network is under attack. It is an event that has been processed through QRadar using multiple inputs, individual events, and events combined with analyzed behavior and vulnerabilities. Magistrate prioritizes the Offenses and assigns a Magnitude value based on several factors including number of events, severity, relevance, and credibility.

Offense Manager - the interface used to configure Offenses.

QRadar Vulnerability Manager (QVM) - this add-on module activated via a license key provides an integrated Dashboard which consolidates results from multiple vulnerability scanners, risk management solutions, and external threat intelligence; includes a high-speed internal scanner which supports discovery, non-authenticated, authenticated, and Open Vulnerability Assessment Language (OVAL) scans and external scanning capabilities to see the network from an attacker's viewpoint; allows suppression of acceptable, false positive, or otherwise non-mitigated vulnerabilities from ongoing reporting and presents data within the overall context of security and threat posture. Can be set up to run both dynamic and periodic scans.

Rules - a series of tests that monitors events and flows for a pattern or matching condition to generate a response, typically an Offense.

Sentry - monitors collections of Views (flow filters) to generate events and alerts.

uDSM - a universal Device Support Module that is customized by IBM to parse incoming events from the native format of a customer-specific Event Source into the QRadar standardized format.

View - an on-screen display of data that is organized in a specific way that normalizes flow data and defines how flow data is filtered.

2.3 Service Roles

Unless otherwise stated within the Communication Plan, the support resources assigned as Deployment Engineer, Security Services Manager, Senior Consultant, and Transition Architect will have limited hours of coverage and support will be provided 9:00 a.m. to 5:00 p.m. Monday through Friday in the time zone selected by you (also referred to as "Business Hours"), except national and your designated holidays.

Deployment Engineer
The Deployment Engineer (DE) assists with the installation of the SIEM System components. This role participates in Phases One through Three as needed.

Security Services Manager
The Security Services Manager (SSM) also serves as an advisor and liaison to broader IBM resources, takes direction from your point of contact, and provides project management, contract management, oversight, service delivery expertise, and operational leadership to the IBM team. This role participates in all Phases throughout the contract term.

Senior Consultant
The Consultant participates in Phases One through Four to collect and map functional and non-functional requirements, offer strategic advice to stakeholders as it pertains to in scope Services, and provide a macro and micro design or design review of the SIEM System. This role also participates in the Readiness Assessment to ensure that the SIEM configuration is primed for a smooth transition to the operational support team.

SIEM System Administrator
The SIEM System Administrator (Admin) participates in Phases Three through Five to manage the SIEM System infrastructure and perform system administration, configuration, tuning, reports generation, and various customization activities for the environment.

SIEM Analyst
The SIEM Analysts (also referred to as "Threat Analysts" and "SOC Analysts") participate in Phases Four and Five, comprising the operational support team that provides Rule customization recommendations and eyes-on-screen monitoring for alert and Incident workflow management and daily manual reports review and analysis when this optional Service Feature is purchased.

Transition Architect
The Transition Architect (TA) participates in Phases One through Four to coordinate and execute the transition activities to transfer management and monitoring of the SIEM System to the operational support team.

3.0 Managed SIEM Services Contacts

3.1 Security Operations Center

The Services are delivered from IBM Security Operations Centers ("SOCs"). IBM will provide access to the SOCs 24 hours per day, seven days per week during Steady State Operations.

3.2 Points of Contact

To facilitate communications with the IBM team you will be asked to provide contacts and their access levels so that the IBM staff can validate the identity and authority of the contact prior to making system changes. Services Recipient may choose from multiple levels of access in order to accommodate varying roles within your organization: Transition Focal, Authorized Security Contacts, Designated Services Contacts, and MSS Portal Users.

3.2.1 IBM Point of Contact Responsibilities

IBM will provide a Security Services Manager (SSM) who will be IBM's focal point during performance of the Services. The IBM SSM will:
a. review the Services Description and associated documents with your Point of Contact;
b. serve as a single point of contact to the account management and delivery teams for operational security-related activities during Transition and as the contract focal during Steady State Operations;

c. maintain and oversee relationships for delivery organizations providing security support;
d. establish and maintain communications through your Point of Contact, as defined in the section titled "Your Point of Contact Responsibilities";
e. oversee the management of operational security activities, processes, and policies as required;
f. coordinate and manage the technical activities of IBM's assigned personnel;
g. track and assist in the management of the resolution of reported operational security issues, recommend actions, review plans, and monitor progress of remediation activities;
h. develop and maintain a Report List for the Monthly Status Report;
i. work with the security team on the account to produce the Monthly Status Report and deliver to your Point of Contact within the scheduled timeframe;
j. work jointly with you to manage the priority of new Event Source deployment and participate in technology roadmap discussions;
k. manage Change Requests via the Contract Change Control Procedure specified in the Schedule;
l. conduct weekly briefings via teleconference with your Point of Contact and your Key Stakeholders; and
m. conduct monthly operational review teleconferences or on-site meetings with your Point of Contact and your Key Stakeholders to review security status, risks, Issues, Incidents, outstanding activities, and trends.

3.2.2 Your Point of Contact Responsibilities

Prior to the start of the Services, you will designate a person ("your Point of Contact"), to whom all communications relative to the Service will be addressed and who will have the authority to act on your behalf in all matters regarding this Services Description until Authorized Security Contacts and Designated Services Contacts are defined and included in the Communications Plan and/or the MSS Portal. Your Point of Contact will:
a. serve as the interface between IBM's project team and your key stakeholders as it pertains to the Service;
b. provide an executive sponsor for the Service to communicate management commitment to the project;
c. facilitate IBM access to your existing applications and technical infrastructure;
d. ensure all tasks that impact resource utilization are authorized in a timely manner;
e. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services, within two business days of IBM's request;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
g. provide specific documentation with regard to information security policy, standards, and audit controls that could assist with the discovery and requirements definition process;
h. define Authorized Security Contacts;
i. delegate authority for these responsibilities to at least one Authorized Security Contact if different from your Point of Contact; and
j. help resolve Services Issues and escalate Issues within your organization, as necessary.

3.2.3 IBM Authorized Services Contacts Responsibilities

IBM will:
a. allow you to create up to three Authorized Security Contacts;
b. provide each Authorized Security Contact with:
   (1) administrative MSS Portal permissions to your MSS Agent(s) as applicable;
   (2) the authorization to create unlimited Designated Services Contacts and MSS Portal Users;
   (3) the authorization to delegate responsibility to Designated Services Contacts;

c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the MSS Features; and
d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a pre-shared challenge pass phrase.

3.2.4 IBM Designated Services Contacts Responsibilities

IBM will:
a. verify the identity of Designated Services Contacts using an authentication method that utilizes a pre-shared challenge pass phrase; and
b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible.

3.2.5 Your Authorized Security Contacts Responsibilities

You agree to:
a. provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for:
   (1) creating Designated Services Contacts and delegating responsibilities and permissions to such contacts, as appropriate;
   (2) authenticating with the SOCs using a pre-shared challenge pass phrase; and
   (3) maintaining notification paths and your contact information, and providing such information to IBM;
b. ensure at least one Authorized Security Contact is available 24 hours per day, seven days per week;
c. update IBM within three calendar days when your Authorized Security Contact information changes; and
d. acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM Managed Security Services for which you have contracted.

3.2.6 Your Designated Services Contacts Responsibilities

You agree to:
a. provide IBM with contact information and role responsibility for each Designated Services Contact (such Designated Services Contacts will be responsible for authenticating with the SOCs using a passphrase); and
b. acknowledge that a Designated Services Contact may be required to be available 24 hours per day, seven days per week based on the subset of responsibilities for which he/she is responsible.

4.0 Managed SIEM Foundational Features

Foundational features are included with all variations of the Managed SIEM service regardless of size, complexity, geography, or underlying SIEM technology and are not optional during the initial Contract Period. There may be different levels of a feature that are provided, however these features are included with all Managed SIEM services. IBM will provide MSIEM Transition based on the complexity level and for the one-time charge specified in the Schedule.

4.1 MSS Portal

The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage the security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.

The Portal may also be used to deliver Education Materials. All such Education Materials are licensed not sold and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.

4.1.1 IBM MSS Portal Responsibilities

IBM will:

a. provide access to the MSS Portal 24 hours per day, seven days per week, except during maintenance windows and emergency maintenance if required. The MSS Portal will provide:
   (1) multiple levels of access for MSS Portal Users;
   (2) security intelligence awareness and alerting;
   (3) security Incident and/or service Ticket information;
   (4) ticketing and workflow initiation and updates;
   (5) interaction with SOC analysts;
   (6) access to Education Materials in accordance with the terms provided in the MSS Portal; and
b. provide a username, password, URL, and appropriate permissions to access the MSS Portal.

4.1.2 Your MSS Portal Responsibilities

You agree to:
a. utilize the MSS Portal to perform daily operational Services activities;
b. ensure your employees accessing the MSS Portal on your behalf comply with the Terms of Use provided therein including, but not limited to, the terms associated with Educational Materials;
c. appropriately safeguard your login credentials to the MSS Portal (including not disclosing such credentials to any unauthorized individuals);
d. promptly notify IBM if a compromise of your login credentials is suspected; and
e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from your failure to safeguard your login credentials.

4.1.3 IBM MSS Portal Users Responsibilities

IBM will:
a. provide multiple levels of access to the MSS Portal, as follows:
   (1) administrative user capabilities which will include:
       (a) creating Portal users;
       (b) submitting Services requests to the SOCs;
       (c) live chat communications with SOC analysts regarding specific Incidents or tickets, generated as part of the Services;
       (d) creating internal Services-related tickets and assigning such Tickets to Portal users;
       (e) querying, viewing, and updating Services-related tickets; and
   (2) regular user capabilities which will include all of the capabilities of an administrative user, for the SIEM Agents to which they have been assigned, with the exception of creating Portal users;
   (3) restricted user capabilities which will include all of the capabilities of a regular user, for the SIEM Agents to which they have been assigned, with the exception of:
       (a) creating and submitting Services requests; and
       (b) updating tickets; and
b. authenticate MSS Portal Users using a static password; and
c. authenticate MSS Portal Users using two-factor authentication tokens you provide (RSA SecurID).

4.1.4 Your MSS Portal Users Responsibilities

You agree:
a. that Portal users will use the Portal to perform daily operational Services activities;
b. to be responsible for providing IBM-supported RSA SecurID tokens (as applicable); and
c. to acknowledge the SOCs will only interface with Authorized Security Contacts and Designated Services Contacts.

4.2 Security Reporting

Security reporting is provided using a combination of the MSS Portal and the native SIEM System console.

4.2.1 IBM Security Reporting Responsibilities

IBM will provide you with access to reporting capabilities within the MSS Portal which includes relevant information associated with the Service. Information may include, but is not limited to, some or all of the following (where applicable):
a. number of SLAs invoked and met;
b. number, types, and summary of Services requests / Tickets;
c. number of security Incidents detected and their priority and status; and
d. list and summary of security Incidents.

4.2.2 Your Security Reporting Responsibilities

You agree to:
a. generate MSS operational reports using the MSS Portal;
b. be responsible for scheduling MSS operational reports as desired within the MSS Portal; and
c. retrieve SIEM-generated reports from the SIEM System console.

4.3 IBM X-Force Threat Analysis

Security intelligence is provided by the IBM X-Force Threat Analysis Center. The X-Force Threat Analysis Center publishes an Internet threat-level. The Internet threat-level describes progressive alert postures of current Internet security threat conditions. In the event Internet threat-level conditions are elevated to AlertCon 3, indicating focused attacks that require immediate defensive action, IBM will provide you with real-time access into IBM's global situation briefing.

Utilizing the MSS Portal, you can create a vulnerability watch list with customized threat information. In addition, each MSS Portal User can request to receive an Internet assessment email each business day. This assessment provides an analysis of the current known Internet threat conditions, real-time Internet port metrics data, and individualized alerts, advisories and security news.

NOTE: Your access and use of the security intelligence provided via the Portal (including the daily Internet assessment email) is subject to the Terms of Use provided therein. Where such Terms of Use conflict with the terms of this Agreement, the Portal Terms of Use shall prevail over this Agreement. In addition to the Terms of Use provided in the Portal, your use of any information on any links or non-IBM Web sites and resources is subject to the terms of use posted on such links, non-IBM Web sites, and resources.

4.3.1 IBM Security Intelligence Responsibilities

IBM will:
a. provide access, via the MSS Portal, to the X-Force Hosted Threat Analysis Service for all MSS Portal Users;
b. display security information on the MSS Portal as it becomes available;
c. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the MSS Portal;
d. if configured by you, provide an Internet security assessment email based on your subscription, each business day;
e. publish an Internet threat-level via the MSS Portal;
f. declare an Internet emergency if the daily Internet threat-level reaches threat-level 3;
g. provide MSS Portal feature functionality to create and maintain a vulnerability watch list;
h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and
i. provide access to the regularly produced IBM X-Force Threat Analysis Service Reports, via the MSS Portal.

4.3.2 Your Security Intelligence Responsibilities

You will use the MSS Portal to:
a. subscribe to the daily Internet security assessment email, at your option;
b. create a vulnerability watch list, if desired;
c. access the IBM X-Force Threat Analysis Service Reports; and
d. adhere to the licensing agreement and not forward Services information to individuals who do not have a proper license.

5.0 Managed SIEM Service Phases

5.1 Phase One - Project Initiation and Planning

During Phase One, the Project Plan will be created, validated, and modified as required. At the completion of this phase and prior to proceeding with further activities in this Services Description, your Point of Contact and the IBM Security Services Manager will assess the results of the Planning Session and either: 1) continue with the Services as described in this Services Description, or 2) upon request, review the possibility of modifying your contract using the Contract Change Procedure.

Upon Services renewal, Project Initiation and Planning activities are not included as part of your ongoing renewable services contract.

5.1.1 IBM Project Initiation and Planning Responsibilities

Activity 1 - Kickoff

The purpose of this activity is to finalize the project team members, develop a common understanding of the Service objectives, roles, and responsibilities, and assess your readiness to implement the Service by confirming that the appropriate information is documented.

IBM will:
a. facilitate a project initiation teleconference, for up to four hours, on a mutually agreed date and time to:
   (1) initiate the project;
   (2) introduce the project participants;
   (3) discuss project team roles and responsibilities;
   (4) review the project objectives;
   (5) provide an overview of the project methodology;
   (6) review your environment and organization, including:
      (a) location(s) to be included in the Services; and
      (b) emergency contact plan, including event triggers and establishment of designated telephone number(s) and email address(es);
b. provide the Service Questionnaire to you for completion which includes, but is not limited to, data gathering questions such as:
   (1) team member names, contact information, roles and responsibilities;
   (2) unique country and site requirements;
   (3) network infrastructure, addressing, and environmental data;
   (4) Event Source inventory; and
   (5) key business drivers and/or dependencies that could influence Service delivery or timelines;
c. develop a preliminary schedule of activities; and
d. agree on a date and time for the Planning Session.

Completion Criteria: This activity will be complete when the project initiation teleconference has been conducted.

Activity 2 - Requirements Definition and Planning Session

The purpose of this activity is to compile your requirements and create a Project Plan with timeline and milestones. IBM will conduct a Planning Session for up to eight hours in duration on your premises to assess the environment and define SIEM System requirements.

During and subsequent to the Planning Session, IBM will:
a. review the completed Service Questionnaire;
b. review and confirm your business objectives;
c. review existing security policy;
d. review existing IT security environment;
e. perform an architecture review and analysis to identify network infrastructure and communication requirements;
f. discuss industry regulations and standards that drive your data protection requirements for security auditing and event management;
g. provide you with a network access requirements document which details:
   (1) how IBM will connect remotely to your network; and
   (2) specific technical requirements to enable such remote connectivity;
h. connect to your network through the Internet, using your standard access methods;
i. if appropriate, utilize a site-to-site virtual private network ("VPN") to connect to your network;
j. create a Project Plan that includes:
   (1) activities and tasks for this Services Description;
   (2) target start dates for the activities in this Services Description;
   (3) target completion dates for the deliverables in each activity as applicable;
   (4) identified milestones; and
   (5) responsible persons and organizations; and
k. review the Project Plan with your Point of Contact.

Completion Criteria: This activity will be complete when IBM has delivered the initial Project Plan to your Point of Contact.

Deliverable Materials: Project Plan, consisting of the following:
   (1) activities and tasks for this Services Description;
   (2) target start dates for the activities in this Services Description;
   (3) target completion dates for the deliverables in each activity as applicable;
   (4) identified milestones; and
   (5) responsible persons and organizations.

5.1.2 Your Project Initiation and Planning Responsibilities

You agree to:
a. work with IBM to schedule the project initiation teleconference such that all participants have enough notice to attend;
b. ensure, to the extent possible, that all your key stakeholders participate in the project initiation teleconference and/or the Planning Session;
c. work with IBM to schedule the Planning Session such that all participants have enough notice to attend;
d. invite and confirm attendance of all intended participants of the Planning Session, and arrange the meeting room and all logistics on your premises;
e. complete and deliver to the SSM, the Service Questionnaire five days prior to the Planning Session;
f. review each party's respective responsibilities;
g. schedule a review of the Project Plan such that all participants have enough notice to attend;
h. review and comment on the draft Project Plan to ensure IBM can finalize the plan within five business days after submitting the draft to your Point of Contact; and
i. provide subject matter experts for each of the in-scope Event Sources.

5.2 Phase Two - SIEM System Design

5.2.1 IBM SIEM System Design Responsibilities

During this phase, IBM will work with you to design the elements of the SIEM System based on whether the Services include full implementation and transition or just transition if already deployed.

Upon Services renewal, SIEM System Design activities are not included as part of your ongoing renewable services contract.

Activity 1 - Process and Data Gathering

The purpose of this activity is to gather and review process documentation and data elements that will be needed to develop or review the SIEM strategy for your environment, objectives, and constraints.

IBM will:
a. conduct interview(s) and review documentation to establish the business goals, security objectives, and high-level requirements relevant to the SIEM implementation;
b. collect and review IT process documentation which may include:
   (1) Incident management;
   (2) change management;
   (3) problem management;
   (4) configuration management (including asset management);
   (5) security management (including vulnerability management and risk assessments);
   (6) availability management; and
   (7) SOC operations;
c. collect and review the following data elements:
   (1) data and Log Sources;
   (2) Flow sources;
   (3) QFlow sources;
   (4) network structure;
   (5) vulnerability tools;
   (6) asset data; and
   (7) application listing; and
d. compile collected process documentation and data elements within a central repository for use by IBM delivery personnel and your Authorized Security and Designated Services Contacts.

Completion Criteria: This activity will be complete when the aforementioned process documentation and data elements have been collected or that collection is waived by you if non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.

Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation

The purpose of this activity is to define, document, and map (or review if already deployed) functional and non-functional requirements for the SIEM System.

IBM will:
a. collaborate with you to define, document, and map the following functional requirements as they pertain to the SIEM System:
   (1) logging;
   (2) Event collection;
   (3) normalization;
   (4) correlation;
   (5) storage;
   (6) system access;
   (7) reporting; and
   (8) customization requirements;
b. collaborate with you to define, document, and map the following non-functional requirements as they pertain to the SIEM System:
   (1) monitoring;
   (2) retention;
   (3) reporting;
   (4) regulatory and contractual considerations;
   (5) high availability; and
   (6) disaster recovery.

Completion Criteria: This activity will be complete when the aforementioned functional and non-functional requirements have been documented, or are waived by you if non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.

Activity 3 - Architecture Design

The purpose of this activity is to develop, modify, or, if already deployed, review the high-level architectural design for the Service.

IBM will:
a. design and document or review architecture for installing the SIEM System hardware and software components (if not already deployed); and
b. review SIEM System architecture and make recommendations based on findings identified in the Process and Data Gathering and Detailed Functional and Non-Functional Requirements Definition and Documentation Activities.

Completion Criteria: This activity will be complete when IBM has reviewed the SIEM System architecture.

Activity 4 - System Design

The purpose of this activity is to develop both macro and micro system design elements to be implemented in order to reach an initial steady state of operations.

IBM will:
a. define at the macro system design level:
   (1) data/event source collection protocols and methods;
   (2) asset risk weighting criteria;
   (3) asset classification profiles;
   (4) compliance groupings for assets;
   (5) vulnerability scanner usage, configuration, and frequency;
   (6) final reporting requirements (functional and non-functional);
   (7) custom data source requirements (or validate if already defined);
   (8) use case frameworks;
   (9) customization requirements;
   (10) Dashboard requirements for the SIEM console; and
   (11) user accounts and roles;
b. define at the micro system design level:
   (1) data/event source phased integration plan;
   (2) use cases;
   (3) alert classification criteria;
   (4) vulnerability management systems and process integration plan; and
   (5) your network hierarchy (including risk weighting) and associated objects;
c. prepare the SIEM Macro and Micro Design deliverable which will include:
   (1) strategy considerations including but not limited to SIEM business drivers and goals, SIEM security objectives, and functional and non-functional requirements; and
   (2) architectural, macro, and micro design elements as defined in this Activity.

Completion Criteria: This activity will be complete when IBM has completed the system design.

Activity 5 - Design Review

The purpose of this activity is to review the design and finalize the Project Plan.

IBM will:
a. review the architecture and system design;
b. perform one revision of the Project Plan as appropriate;
c. deliver the final Project Plan to your Point of Contact;
d. deliver the SIEM Macro and Micro Design to your Point of Contact; and
e. if requested, review the design and Project Plan with your Point of Contact and your key stakeholders via teleconference or electronically.

Completion Criteria: This activity will be complete when the SSM has delivered the SIEM Macro and Micro Design and the final Project Plan report to your Point of Contact.

Deliverable Materials: SIEM System Macro and Micro Design and updated Project Plan

The SIEM System Macro and Micro Design will comprise strategy considerations including SIEM business drivers, SIEM security objectives, and functional and non-functional requirements. Additionally, at the macro and micro architectural level, it will include SIEM use cases, SIEM and vulnerability management system and process integration plan, SIEM alert classification criteria, SIEM data/log source phased integration plan, SIEM reporting requirements, SIEM user accounts and roles, SIEM Dashboards, SIEM uDSM integration, preliminary SIEM network hierarchy weighted by risk, and preliminary asset groups weighted by risk.

5.2.2 Your SIEM System Design Responsibilities

In order to develop a successful system design for the Service, your participation is necessary. You agree to:
a. provide current network topology diagrams and/or textual descriptions of data and communications paths, protocols, media types, and bandwidth capacity to IBM; and
b. participate in the design process as needed.

5.3 Phase Three - Implementation

5.3.1 IBM SIEM System Implementation Responsibilities

During this phase, if this optional Service Feature is purchased as specified in the Schedule, IBM will install and configure the SIEM System in the production environment and assist with transition to managed operations as documented in the Project Plan. Any required changes to the Project Plan will be handled by the IBM SSM who will either: 1) continue with the Services as described in this Services Description, or 2) use the Contract Change Procedure to modify the Services scope and corresponding Schedule.

Completion of Phase Two activities, or making available information equivalent to that resulting from Phase Two activities, is a prerequisite for the commencement of the Implementation services described herein.

Upon Services renewal, Implementation activities are not included as part of your ongoing renewable services contract.

Activity 1 - Install Console Appliance

The purpose of this activity is to install and configure the console appliance.

IBM will:
a. configure the following settings:
   (1) hostname;
   (2) IP address;
   (3) default gateway;
   (4) domain name servers (DNS);
   (5) email server;
   (6) passwords; and
   (7) license key;
b. test connectivity through HTTPS and SSH and ensure that the system is functioning correctly;
c. log in to the administrative interface to perform the following:
   (1) user and role creation and management;
   (2) system configuration (thresholds, authentication);
   (3) Log Source configuration;
   (4) Flow Source configuration, if included in the SIEM Macro and Micro Design;
   (5) vulnerability assessment configuration, if included in the SIEM Macro and Micro Design;
   (6) Offense resolution configuration;
   (7) Sentry and View configuration;
   (8) license management;
   (9) backup and restore functions;
   (10) local firewall;
   (11) management of internal collector interfaces;
   (12) system date and time;
   (13) database retention periods and filtering options, if applicable;
   (14) SNMP settings; and
   (15) automatic updates.

Completion Criteria: This activity will be complete when the console appliance is installed and functioning as documented in the Project Plan.

Activity 2 - Customize Console Appliance

The purpose of this activity is to customize and tune the console appliance for your environment.

IBM will:
a. customize Views;
b. build basic network hierarchy;
c. back up the configuration file;
d. analyze and review traffic;
e. determine if equations for detecting threats in traffic are appropriate for your requirements;
f. adjust equations in accordance with your needs;
g. create a threat exception group if necessary;
h. create Sentries for alerts;
i. analyze and identify appropriate Views/layers where Sentry can be applied;
j. add one of each type of Sentry to a View;
k. verify that Sentry works as desired;
l. configure Offense Manager;
m. create and test one custom Rule;
n. configure custom Dashboard for up to 10 users;
o. demonstrate capabilities of Dashboard to your staff; and
p. configure additional SIEM Agents per the SIEM Macro and Micro Design.

Completion Criteria: This activity will be complete when the console appliance has been customized for your environment.

Activity 3 - Deploy Log Collection for Production Environment

The purpose of this activity is to deploy log collection in the production environment. IBM will collect events from up to three instances of the Log Source types as defined in the design phase. Only Log Sources natively supported by standard Device Support Modules (DSMs) will be collected. No custom parsers or uDSMs will be created in this activity. Log Source collection is limited to standard configuration guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to you upon request.

Completion Criteria: This activity will be complete when IBM has collected events from up to three instances of the Log Source types for the production environment.

Activity 4 - Deploy Flow Collection for Production Environment

The purpose of this activity is to deploy Flow collection in the production environment if Flow Collectors/Processors are included in the SIEM Macro and Micro Design. IBM will collect network activity from up to three instances of Flow sources. Flow Source collection is limited to standard configuration guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to you upon request.

Completion Criteria: This activity will be complete when IBM has deployed flow collection, if applicable, in the production environment.

Activity 5 - Initial Tuning for Production Environment

The purpose of this activity is to perform initial tuning which is focused on enabling out-of-the-box content as well as reducing white noise and false positives.

IBM will:
a. refer to the system design to perform initial tuning to include:
   (1) identifying and removing sources of noise;
   (2) activating Rules, saved searches, and accumulated time series graphs;
   (3) scheduling reports and modifying reports to meet your requirements; and
   (4) customizing Dashboards per the SIEM Macro and Micro Design;
b. lead your technical personnel through the tuning process to reduce the number of Offenses to a practical level for the environment; and
c. collaborate with you and other IBM delivery personnel to determine which standard alerting and reporting elements to enable.

Completion Criteria: This activity will be complete when IBM has performed initial tuning in the production environment.

5.3.2 Your SIEM System Implementation Responsibilities

You agree to:
a. be responsible for the procurement and provision of all hardware and software;
b. be responsible for the physical installation, rack mounting, powering, and network addressing of all SIEM System components and any other necessary equipment;
c. ensure and validate that backups of system and user data have been performed before the SIEM System components are deployed;
d. provide change management control for your infrastructure changes;
e. meet the following pre-requisites prior to the commencement of Phase Three:
   (1) make final selection of solution and technical architectures;
   (2) request support access;
   (3) request license keys from IBM Support;
   (4) record installation key(s) located on appliance(s) (sticker placed on top of appliance or located with shipping documentation);
   (5) rack, power, and cable the appliances;
   (6) attach monitor & keyboard (or provide KVM/DRAC equivalent) to all appliances or provide equivalent access, if requested;
   (7) provide hot network connectivity to all appliances;
   (8) identify appliance network settings: Hostname, IP Address, Subnet mask, Default gateway, NTP/DNS/Mail servers;
   (9) if requested, provide a workstation to IBM delivery personnel for connecting to the QRadar console that has the following attributes:
      (a) can access the QRadar console on TCP ports 22, 10000, 80 and 443;
      (b) has operational secure shell (SSH) and secure copy (SCP/SFTP) programs installed;
      (c) has a recent version of Mozilla Firefox (preferred), or Internet Explorer 8.0 or 9.0 with Compatibility View enabled;
      (d) has Java Runtime Environment version 1.6 or above installed; and
      (e) has Adobe Flash 10.x installed;
   (10) if requested, configure firewalls between the workstation and the QRadar console to allow the specified connections as instructed by QRadar technical product documentation;
   (11) configure span/mirror ports and/or taps, if necessary and defined in the SIEM Macro and Micro Design;
   (12) identify Event Sources, type, and numbers for log collection;
   (13) identify vulnerability scanner systems desired for integration into QRadar if included in the SIEM Macro and Micro Design;
   (14) identify Network Hierarchy: Subnet Name, Description, IP/CIDR values, Risk weight (see Install Guide and/or Admin Guide for additional information);
   (15) identify Critical Assets: Hostname, IP address(es), type (domain controller, mail, web, DNS, scanners, firewalls, etc.);
f. enable appropriate audit (log) settings and communications channels on the Event Sources and direct the Event Sources to the SIEM System;
g. configure Event Sources per the Configuring DSMs Guide;
h. be responsible for configuring audit settings in support of certain report features;
i. be responsible for validating and approving outputs from each activity as requested by IBM;
j. be responsible for system and data restore in the event of a production system malfunction after the SIEM Agent is deployed;
k. be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment;
l. grant access up to and including full administrative rights as appropriate to IBM personnel for SIEM System components as required for on-site and remote service delivery within one week of Contract Start Date;
m. provide a general description of Event Sources, including applicable Log Sources, Flow Sources, and Assets as identified by vulnerability scans to IBM;
n. provide Log Source samples to IBM for the creation of uDSMs/custom agents if requested;
o. provide direct access by IBM to subject matter experts who are responsible for the management of the core purpose of each Event Source platform;
p. ensure that your staff is available to provide such assistance as IBM reasonably requires and that IBM is given reasonable access to your senior management, as well as any members of your staff to enable IBM to provide the Services and ensure that your staff has the appropriate skills and experience;
q. provide all information and materials reasonably required to enable IBM to provide the Services and that all information disclosed or to be disclosed to IBM is and will be true, accurate, and not misleading in any material respect;
r. provide configuration information as requested by IBM to deliver the Services;
s. attend project meetings as requested by IBM to deliver the Services;
t. make available appropriate staff to shadow deployment activities for knowledge transfer purposes; and
u. acknowledge that IBM will not be liable for any loss, damage, or deficiencies in the Services, if any, arising from inaccurate, incomplete, or otherwise defective information and materials supplied by you.

5.4 Phase Four - Integration and Transition

During this phase, IBM will transition the Service to the IBM operational support team, as documented in the Project Plan. Any required changes to the Project Plan will be handled by the IBM SSM who will either: 1) continue with the Services as described in this Services Description, or 2) use the Contract Change Procedure to modify the Services scope and corresponding Schedule.

Completion of Phase Three activities, or making available information equivalent to that resulting from Phase Three activities, is a prerequisite for the commencement of the Integration and Transition activities described herein.

Upon Services renewal, Integration and Transition activities are not included as part of your ongoing renewable services contract.

5.4.1 IBM Integration and Transition Responsibilities

Activity 1 - Staged Transition to Ongoing Operational Support

The purpose of this activity is to document essential operational elements of the Service and begin the transition of SIEM System management and monitoring to IBM.

IBM will:
a. review existing security operations processes and documentation;
b. create a Communications Plan;
c. create a Runbook;
d. work jointly with you to define and document how changes are considered, initiated, processed, recorded, and administered into a mutually agreed upon change management process;
e. determine, develop, and review detailed reporting requirements for in scope Event Sources;
f. review transition procedures and processes;
g. demonstrate MSS Portal features to MSS Portal Users;
h. review connectivity needs and access establishment for ongoing service readiness;
i. review the draft documents with your Point of Contact;
j. recommend modifications, upgrades, or policies based on findings; and
k. perform one revision of the documents, if required.

Completion Criteria: This activity will be complete when IBM has delivered the Runbook and Communications Plan electronically to your Point of Contact.

Deliverable Materials: Runbook and Communications Plan

The Communications Plan will comprise:
   (1) information and knowledge sharing process and vehicle among workgroups, business units, and third party entities as it pertains to the Service;
   (2) Your Point of Contact and Backup Point of Contact;
   (3) Authorized Security Contacts;
   (4) Designated Services Contacts;
   (5) report recipient list;
   (6) your key stakeholder list;
   (7) communications criteria including rules of engagement;
   (8) security Incident escalation paths;