managed network security services


IBM Infrastructure Security Services Managed Network Security Services for

Firewall Management

Intrusion Detection and Prevention Management

Unified Threat Management

Secure Web Gateway Management

Service description

Z126-5942-CA-1 01/2013 Page 1 of 39

Table of Contents

IBM Managed Network Security Services
1. Managed Network Security Services
2. Definitions
3. Services
4. Managed Network Security Services – Foundational Features
    4.1 Management Network Security Services Contacts
        4.1.1 Authorized Security Contacts
        4.1.2 Designated Services Contacts
        4.1.3 MSS Portal Users
    4.2 MSS Portal
        4.2.1 IBM MSS Portal Responsibilities
        4.2.2 Your MSS Portal Responsibilities
    4.3 Security Reporting
        4.3.1 IBM Security Reporting Responsibilities
        4.3.2 Your Security Reporting Responsibilities
    4.4 IBM X-Force Threat Analysis
        4.4.1 IBM Security Intelligence Responsibilities
        4.4.2 Your Security Intelligence Responsibilities
    4.5 Deployment and activation
        4.5.1 IBM Deployment and Activation Responsibilities
        4.5.2 Your Deployment and Activation Responsibilities
    4.6 SELM Services for Networks Deployment and Activation
        4.6.2 Your SELM Services for Networks Deployment and Activation Responsibilities
    4.7 Redeployment and Reactivation
    4.8 Security Event and Log Collection (SELM)
        4.8.1 IBM Event and Log Collection and Archival Responsibilities
        4.8.2 Your Collection and Archival Responsibilities
5. Managed Network Security Services – Common Features
    5.1 Automated Analysis
        5.1.1 IBM Automated Analysis Responsibilities
        5.1.2 Your Automated Analysis Responsibilities
    5.2 Threat Analyst Monitoring and Notification
        5.2.1 IBM Threat Analyst Monitoring and Notification Responsibilities
        5.2.2 Your Threat Analyst Monitoring and Notification Responsibilities
    5.3 Policy Management
        5.3.1 IBM Policy Management Responsibilities
        5.3.2 Your Policy Management Responsibilities
    5.4 Virtual Private Network Support
        5.4.2 IBM Virtual Private Network Support Responsibilities
        5.4.3 Your Virtual Private Network Support Responsibilities
    5.5 Managed Agent Health and Availability Monitoring
        5.5.1 IBM Managed Agent Health and Availability Monitoring Responsibilities
        5.5.2 Your Managed Agent Health and Availability Monitoring Responsibilities
    5.6 Agent Management
        5.6.1 IBM Agent Management Responsibilities
        5.6.2 Your Agent Management Responsibilities
    5.7 Content Security
        5.7.1 IBM Internal Content Security Responsibilities
        5.7.2 Your Internal Content Security Responsibilities
6. Managed Network Security Services – Optional Features
    6.1 Security Event and Log Delivery
        6.1.1 IBM Security Event and Log Delivery Responsibilities
        6.1.2 Your Security Event and Log Delivery Responsibilities
    6.2 Cold Standby
        6.2.1 IBM Cold Standby Responsibilities
        6.2.2 Your Cold Standby Responsibilities
    6.3 Warm Standby
        6.3.1 IBM Warm Standby Responsibilities
        6.3.2 Your Warm Standby Responsibilities
    6.4 Virtual Instance Management
        6.4.1 IBM Virtual Instance Responsibilities
        6.4.2 Your Virtual Instance Responsibilities
    6.5 High Availability
        6.5.1 IBM High Availability Responsibilities
        6.5.2 Your High Availability Responsibilities
    6.6 On-site Aggregator
        6.6.1 IBM On-site Aggregator Responsibilities
        6.6.2 Your On-site Aggregator Responsibilities
    6.7 Ticket System Integration
        6.7.1 IBM Ticket System Integration Responsibilities
        6.7.2 Your Ticket System Integration Responsibilities
    6.8 Optional SELM Services for Networks Out-of-Band Access
        6.8.1 IBM SELM Services for Networks Out-of-Band Access Responsibilities
        6.8.2 Your SELM Services for Networks Out-of-Band Access Responsibilities
7. Service Level Agreements
    7.1 SLA Availability
    7.2 SLA Remedies
    7.3 Simulation Mode SLA Modification
    7.4 Intellectual Property Services Components

NOTE TO CONTRACT PREPARER: Edit the link provided below, to take the user directly to the appropriate documents on the MSS landing page for the appropriate country.

IBM Managed Network Security Services

IN ADDITION TO THE TERMS AND CONDITIONS SPECIFIED BELOW, THIS SERVICES DESCRIPTION INCLUDES THE “IBM MANAGED SECURITY SERVICES GENERAL PROVISIONS” (“GENERAL PROVISIONS”) LOCATED AT http://www.ibm.com/services/iss/wwcontracts/us/mssgp AND INCORPORATED HEREIN BY REFERENCE.

1. Managed Network Security Services

IBM Infrastructure Security Services – Managed Network Security Services (called “Managed Network Security”, “MNSS” or “Services”) is designed to provide monitoring, alerting and support of network security technologies (called “Agents”) across a variety of platforms and technologies. Such Agents must not be used for any other purpose while under management by IBM. The services features described herein are dependent upon the availability and supportability of products and product features being utilized. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This includes both IBM-provided and non-IBM-provided hardware, software, and firmware. The Services are delivered from a network of global IBM Security Operations Centers (“SOCs”). IBM will provide access to the SOCs 24 hours/day, 7 days/week.

Firewall Management Services (FW) is designed to provide monitoring and support of network firewalls across a variety of supported platforms and technologies.

Intrusion Detection and Prevention System (IDPS) Management is designed to provide monitoring, alerting and support of network intrusion detection and intrusion prevention systems across a variety of supported platforms and technologies.

Unified Threat Management (UTM) is designed to provide monitoring, alerting and support of UTM Agent across a variety of supported platforms and technologies.

Secure Web Gateway (SWG) is designed to provide alerting and support of SWGs across a variety of supported platforms and technologies.

Security Event and Log Management (SELM) Services for Networks is designed to provide a security-enhanced Web-based solution for the collection, consolidation, analysis, correlation, alerting, trending and archiving of security event and log data from supported devices SELM Agents.

IBM X-Force Hosted Threat Analysis Service (XFTAS) is a security intelligence service that is designed to deliver customized information about a variety of threats that could affect your network security.

Each of the above mentioned services provides features that are categorized as Foundational, Common and Optional features.

2. Definitions

Alert Condition (“AlertCon”) – a global risk metric developed by IBM, using proprietary methods. The AlertCon is based on a variety of factors, including quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. The four levels of AlertCon are described in the IBM Managed Security Services (“IBM MSS”) portal (called “Portal”).

Antispam – is designed to minimize the volume of spam e-mail to user mail boxes.

Antivirus – is designed to scan many kinds of file transfers (such as Web pages, e-mail traffic, and file transfer protocol (“FTP”) exchanges) for worms, viruses, and other forms of malware.

Authorized Security Contact -- a decision-maker on all operational issues pertaining to the MNSS feature(s).

Designated Services Contact -- a decision-maker on a subset of operational issues pertaining to each IBM MNSS feature, the feature’s Agent(s), or a group of Agent(s).

Education Materials -- include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other training-related property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents and presentation slides provided by IBM.

Firewall – a network security device that is designed to block unauthorized access and allow authorized communications based on a configuration of allow, deny, encrypt, decrypt, or proxy rules aligned with the Services Recipient’s security policy.

IBM Managed Security Services (“IBM MSS”) Portal (called “MSS Portal”) -- The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.

IDPS Agent(s) or Agent(s) -- is a new or existing Intrusion Detection or Prevention System device subscribing to IBM MSS. These devices while under management by IBM must not be used for any other purpose.

intrusion detection and prevention system (“IDPS”) -- a network security device or software application that employs detection and prevention techniques to monitor network activities for malicious or unwanted behavior. Such monitoring may identify and, in some cases, block possible security breaches in real-time.

MSS Agent(s) -- is a new or existing device subscribing to IBM MSS services. While under management by IBM, the MSS Agent(s) must not be used for any other purpose.

MSS Portal Users – are users of the MSS Portal with different levels of login access to the MSS Portal. MSS Portal Users can have restricted, regular, or administrative MSS Portal access to all MSS Agent(s), or just a subset of MSS Agent(s). The MSS Portal views and permissions available to the Portal Users are dictated by the Authorized Security Contact.

Onsite Aggregator (“OA”) -- a required device that is deployed at the customer location and managed and monitored by IBM MSS for an additional charge. The OA aggregates, parses and normalizes unknown, text-based system activity log formats, compresses and encrypts security events and log data and transmits the security event and log data to the IBM MSS infrastructure.

SELM Agent(s) or Agent(s) -- is a new or existing device subscribing to IBM MNSS services. These devices are subscribing to the Security Event Log and Management service for Networks. While under management by IBM the SELM Agent(s) must not be used for any other purpose.

Universal Log Agent (“ULA”) -- IBM’s ULA is a light-weight log collection application that runs on eligible SELM Agent(s) and gathers text-based logs locally from the SELM Agent and compresses, encrypts and securely forwards them to the Onsite Aggregator (“OA”).

Unified Threat Management System (“UTM”) – is a new or existing device subscribing to the IBM MNSS. This device includes but is not limited to the following functionality contained in one device: Firewall, IPS, Web Filtering, Antivirus, Antispam, and VPN connectivity.

Virtual Private Network (“VPN”) -- utilizes public telecommunications networks to conduct private data communications, using encryption. Most implementations use the Internet as the public infrastructure, and a variety of specialized protocols to support private communications.

Web filtering -- is designed to block objectionable content, mitigate Web-borne threats, and govern Web viewing behavior of personnel behind the UTM Agent(s).

3. Services

The following table highlights the measurable Services features. The subsequent sections provide narrative descriptions of each Services feature. Please review the Schedule to identify the SLAs associated with your Foundational Services features and to review which optional features and SLAs were selected by your organization.

Foundational Services Feature Summary

| Services Feature | Metric or Qty | Service Level Agreements |
| Services availability | 100% | Services availability SLA |
| IBM MSS Portal availability | 99.9% | IBM MSS Portal availability SLA |
| Authorized Security Contacts | 3 users | N/A |
| Log/event archival: Client defined | 5 GB of compressed data per year for each year of the contract (up to 7 years). Please see Schedule for selected duration. | N/A |

Supporting Common Services Feature Summary

| Services Feature | Metric or Qty | Service Level Agreements |
| Security Incident Identification | 100% | Security Incident Identification SLA |
| Security incident alert notification: Client defined | Available in selectable duration. Please see Schedule for selected duration. | Security incident alert SLA |
| OA health alerting | 15 minutes | System monitoring SLA |
| Policy change request acknowledgement | 2 hours | Policy change request acknowledgement SLA |
| Policy change request implementation: Client Defined | Available in selectable duration. Please see Schedule for selected duration. | Policy change request implementation SLA |
| Content updates: Client Defined | Available in selectable duration. Please see Schedule for selected duration. | Content Update SLA |
| Agent health alerting: Client Defined | Available in selectable duration. Please see Schedule for selected duration. | System monitoring SLA |

4. Managed Network Security Services – Foundational Features

Foundational features are provided with every Agent that is part of the MNSS and are not optional. There may be different levels of the feature that can be provided, however these features are included with all Managed Network Security Services.

4.1 Management Network Security Services Contacts

You may choose from multiple levels of access to the SOC and the MSS Portal to accommodate varying roles within your organization: Authorized Security Contacts, Designated Services Contacts, and MSS Portal Users.

4.1.1 Authorized Security Contacts

IBM will:
a. allow you to create up to three Authorized Security Contacts;
b. provide each Authorized Security Contact with:
    (1) administrative MSS Portal permissions to your MSS Agent(s) as applicable;
    (2) the authorization to create Designated Services Contacts and MSS Portal Users;
    (3) the authorization to delegate responsibility to Designated Services Contacts;
c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the MSS Features; and
d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a pre-shared challenge pass phrase.

You will:
a. provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for:
    (1) authenticating with the SOCs using a pre-shared challenge pass phrase; and
    (2) maintaining notification paths and your contact information, and providing such information to IBM;
    (3) creating Designated Services Contacts and delegating responsibilities and permissions to such contacts, as appropriate;
    (4) creating Portal users;
b. ensure at least one Authorized Security Contact is available 24 hours/day, 7 days/week;
c. update IBM within three calendar days when your contact information changes; and
d. acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM services or MSS Agent(s) subscriptions for which you have contracted.

4.1.2 Designated Services Contacts

IBM will:
a. verify the identity of Designated Services Contacts using an authentication method that utilizes a pre-shared challenge pass phrase;
b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible.

You will:
a. provide IBM with contact information including roles and responsibilities for each Designated Services Contact. Such Designated Services Contacts will be responsible for authenticating with the SOCs using a pass phrase; and
b. acknowledge that a Designated Services Contact may be required to be available 24 hours/day, 7 days/week based on the subset of responsibilities for which it is responsible (e.g., FW Agent(s) outage).

4.1.3 MSS Portal Users

IBM will:
a. provide multiple levels of access to the MSS Portal, as follows:
    (1) administrative user capabilities which will include:
        (a) creating Portal users;
        (b) creating and editing custom Agent groups;
        (c) submitting policy change requests to the SOCs for a managed Agent or a group of Agents;
        (d) submitting Services requests to the SOCs;
        (e) “live chat” communicating with SOC analysts regarding specific incidents or tickets, generated as part of the Services;
        (f) creating internal Services-related tickets and assigning such tickets to Portal users;
        (g) querying, viewing, and updating Services-related tickets;
        (h) viewing and editing Agent details;
        (i) viewing Agent policies;
        (j) creating and editing vulnerability watch lists;
        (k) performing live event monitoring;
        (l) querying security event and log data;
        (m) scheduling downloads of security event and log data;
        (n) scheduling and running reports; and
        (o) when SELM Services for Networks is included as part of your Service contract, administrative user capabilities will also include:
            (i) parsing and normalizing unknown, text-based system activity logs from operating systems and applications;
            (ii) enabling/disabling automated intelligence (“AI”) analysis alert policy rules;
            (iii) creating custom user-defined correlation rules;
    (2) regular user capabilities which will include all of the capabilities of an administrative user, for the Agents to which they have been assigned, with the exception of creating Portal users;
    (3) restricted user capabilities which will include all of the capabilities of a regular user, for the Agents to which they have been assigned, with the exception of:
        (a) creating and submitting policy change requests;
        (b) updating tickets; and
        (c) editing Agent details;
b. provide you with authorization to apply levels of access to an MSS Agent or groups of MSS Agents;
c. authenticate MSS Portal Users using static password;
d. authenticate MSS Portal Users using a public-key encryption technology you provide (for example, RSA SecurID token) based on your requirements.

You agree:
a. that Portal users will use the Portal to perform daily operational Services activities;
b. to be responsible for providing IBM-supported RSA SecurID tokens (as applicable); and
c. and acknowledge the SOCs will only interface with Authorized Security Contacts and Designated Services Contacts.

4.2 MSS Portal

The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage the security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.

The Portal may also be used to deliver Education Materials. All such Education Materials are licensed not sold and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED “AS IS” AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.

4.2.1 IBM MSS Portal Responsibilities

IBM will:
a. provide access to the MSS Portal 24 hours/day, 7 days/week. The MSS Portal will provide:
    (1) multiple levels of access for MSS Portal users which may be applied to an IBM Managed Security Service, an MSS Agent, or a group of Agent(s);
    (2) security intelligence awareness and alerting;
    (3) MSS Agent(s) configuration and policy details where applicable;
    (4) security incident and/or service ticket information;
    (5) ticketing and workflow initiation and updates;
    (6) interaction with SOC analysts;
    (7) a template-driven reporting dashboard;
    (8) access to real-time and archived MSS Agent(s) logs and events where applicable;
    (9) authorization to download log data when applicable; and
    (10) access to Education Materials in accordance with the terms provided in the MSS Portal; and
    (11) when SELM Services for Networks is included as part of your Service contract, the MSS Portal will include:
        (a) the ability to parse and normalize unknown, text-based system activity logs; and
        (b) the ability to create user-defined correlation rules.
b. maintain availability of the MSS Portal in accordance with the metrics provided in the section of this Services Description entitled “Service Level Agreements”, “Portal Availability”.
c. provide a username, password, URL and appropriate permissions to access the MSS Portal;

4.2.2 Your MSS Portal Responsibilities

You agree to:
a. utilize the MSS Portal to perform daily operational Services activities;
b. ensure your employees accessing the MSS Portal on your behalf comply with the Terms of Use provided therein including, but not limited to, the terms associated with Educational Materials;
c. appropriately safeguard your login credentials to the MSS Portal (including not disclosing such credentials to any unauthorized individuals);
d. promptly notify IBM if a compromise of your login credentials is suspected; and
e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from:
    (1) your failure to safeguard your login credentials; and
    (2) when SELM Services for Networks is included as part of your Service contract:
        (a) your incorrect use of regular expressions when parsing and normalizing event and log data;
        (b) your incorrect use of user-defined correlation rules;
        (c) to be responsible for parsing and normalizing unknown log formats in the Portal;
        (d) to be solely responsible for testing and verifying the performance of log parsers and user-defined correlation rules;
        (e) to enable and disable log parsers and user-defined correlation rules utilizing the Portal; and
        (f) and acknowledge that:
            (i) OA performance and the timely delivery of log data can be negatively affected by incorrectly written or inefficient log parsers;
            (ii) IBM is not responsible for the log parsers or user-defined correlation rules that are configured and saved in the Portal; and
            (iii) configuration assistance for parsing unknown log formats is not included in the Services.

4.3 Security Reporting

Utilizing the Portal, you will have access to Services information and reporting with customizable views of activity at the enterprise, work group and Agent levels. The Portal also provides you with the ability to schedule customized reporting.

4.3.1 IBM Security Reporting Responsibilities

IBM will provide you with access to reporting capabilities within the Portal which include relevant information associated with the MNSS agent included as part of the service. Information may include but is not limited to some or all of the following:
a. when IDPS Management, UTM and/or SELM Services for Networks is included as part of your Service contract, the information will include:
(1) number of SLAs invoked and met;
(2) number, types, and summary of Services requests/tickets;
(3) number of security incidents detected, priority and status;
(4) list and summary of security incidents;
(5) MNSS Agent reports that include attack metrics, prevented attacks, vulnerability impact, event counts/trending; and
(6) event correlation and analysis.
b. when SWG is included as part of your Service contract, the information will include:
(1) number of SLAs invoked and met;
(2) number, types, and summary of Services requests/tickets; and
(3) system logs.
c. when UTM is included as part of your Service contract, the information will include:
(1) firewall reports that include summary, traffic analysis, protocol usage, targeted IP and rule utilization; and


d. when SELM Services for Networks is included as part of your Service contract, the information will include:
(1) Payment Card Industry (“PCI”) Audit Readiness Reports that tie system activity events on designated devices to specific PCI requirements;
e. where applicable, Advanced Analytics and Compliance reporting.

4.3.2 Your Security Reporting Responsibilities

You agree to:
a. generate MSS related reports using the MSS Portal;
b. be responsible for scheduling reports (as desired); and
c. when SELM Services for Networks is included as part of your Service contract, acknowledge that assistance from a PCI qualified security assessor (“QSA”) is not provided as part of the Services, but you may contract separately with IBM to address this need.

4.4 IBM X-Force Threat Analysis

Security intelligence is provided by the IBM X-Force Threat Analysis Center. The X-Force Threat Analysis Center publishes an Internet threat-level. The Internet threat-level describes progressive alert postures of current Internet security threat conditions. In the event Internet threat-level conditions are elevated to AlertCon 3, indicating focused attacks that require immediate defensive action, IBM will provide you with real-time access into IBM’s global situation briefing. Utilizing the MSS Portal, you can create a vulnerability watch list with customized threat information. In addition, each MSS Portal User can request to receive an Internet assessment e-mail each business day. This assessment provides an analysis of the current known Internet threat conditions, real-time Internet port metrics data, and individualized alerts, advisories and security news.

NOTE: Your access and use of the security intelligence provided via the Portal (including the daily Internet assessment e-mail) is subject to the Terms of Use provided therein. Where such Terms of Use conflict with the terms of this Agreement, the Portal Terms of Use shall prevail over this Agreement. In addition to the Terms of Use provided in the Portal, your use of any information on any links or non-IBM Web sites and resources is subject to the terms of use posted on such links, non-IBM Web sites, and resources.

4.4.1 IBM Security Intelligence Responsibilities

IBM will:
a. provide access, via the MSS Portal, to the X-Force Hosted Threat Analysis Service;
b. display security information on the MSS Portal as it becomes available;
c. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the MSS Portal;
d. if configured by you, provide an Internet security assessment e-mail based on your subscription, each business day;
e. publish an Internet threat-level via the MSS Portal;
f. declare an Internet emergency if the daily Internet threat-level reaches threat-level 3;
g. provide MSS Portal feature functionality to create and maintain a vulnerability watch list;
h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and
i. provide access to the threat insight quarterly (Threat IQ) reporting via the MSS Portal.

4.4.2 Your Security Intelligence Responsibilities

You will use the MSS Portal to:
a. subscribe to the daily Internet security assessment e-mail, at your option;
b. create a vulnerability watch list, if desired; and
c. access the Threat IQ.
d. agree to adhere to the licensing agreement and not forward Services information to individuals who do not have a proper license.


4.5 Deployment and activation

During deployment and activation, IBM will work with you to deploy a new Agent or begin management of an existing Agent.

Note: Deployment and Activation activities are performed one time during the performance of the services. If you choose to replace, upgrade, or move your Agent during the Services contract, IBM may require that such Agent be redeployed and reactivated (called “Redeployment”). Such Redeployments will be provided at an additional charge as specified in an applicable schedule (called “the Schedule”). Redeployment charges apply only to hardware replacements, upgrades, or moves that you initiate. Such charges do not apply to Agent failures resulting in Agent Return Material Authorization (“RMA”) activities. For Log and Alert services you may contract separately for IBM to provide physical installation and configuration services.

4.5.1 IBM Deployment and Activation Responsibilities

Activity 1 - Project Kickoff
The purpose of this activity is to conduct a project kickoff call. IBM will send you a welcome e-mail and conduct a kickoff call, for up to one hour for up to three of your personnel, to:
a. introduce your Point of Contact to the assigned IBM deployment specialist;
b. review each party’s respective responsibilities;
c. set schedule expectations; and
d. begin to assess your requirements and environment.
Completion Criteria: This activity will be complete when IBM has conducted the project kickoff call.
Deliverable Materials: ● None

Activity 2 - Network Access Requirements
The purpose of this activity is to establish network access requirements. IBM will:
a. provide you with a document called “Network Access Requirements”, detailing:
(1) how IBM will connect remotely to your network;
(2) specific technical requirements to enable such remote connectivity;
Note: IBM may make changes to the “Network Access Requirements” document, as it deems appropriate, throughout the performance of the Services.
b. connect to your network through the Internet, using IBM standard access methods; and
c. if appropriate, utilize a site-to-site virtual private network (“VPN”) to connect to your network. Such VPN may be provided by IBM for an additional charge as specified in the Schedule.
Completion Criteria: This activity will be complete when IBM has provided your Point of Contact with the Network Access Requirements document.
Deliverable Materials: ● Network Access Requirements document

Activity 3 - Assessment
The purpose of this activity is to perform an assessment of your current environment, business and technology goals. In addition, this assessment will be used to help develop the required security strategy for all applicable Managed Network Security Services.

Task 1 - Gather Data
IBM will:
a. provide your Point of Contact with a data gathering form on which you will be asked to document:
(1) team member names, contact information, roles and responsibilities;
(2) unique country and site requirements;
(3) your existing network infrastructure;
(4) critical servers;
(5) number and type of end users; and
(6) key business drivers and/or dependencies that could influence Services delivery or timelines.

Task 2 - Assess Environment
IBM will:
a. use the information provided in the data gathering form to assess your existing environment;
b. determine an optimal Agent configuration; and
c. if applicable, provide:
(1) recommendations to adjust the policy of an Agent; or
(2) layout of the network to enhance security as part of MNSS, except where the SELM Services for Networks component is involved.
d. when SELM Services for Networks is included as part of your Service contract, determine if Agent data collection will be implemented using the Universal Log Agent (“ULA”) or via SYSLOG.

Task 3 - Assess Existing Agent
This task will be performed as part of MNSS, except where the SELM Services for Networks component is involved.
IBM will:
a. remotely assess the Agent to verify it meets IBM specifications;
b. identify application and user accounts to be removed or added, as applicable;
c. for Agents not meeting IBM’s specifications:
(1) identify Agent software requiring upgrading, and/or
(2) identify Agent hardware requiring upgrading to meet applicable vendor compatibility lists.

Completion Criteria: This activity will be complete when IBM has assessed your environment and existing Agent (as applicable).
Deliverable Materials: ● None

Activity 4 - Out-of-Band Access
Out-of-band (called “OOB”) access is a required feature that assists the SOCs if connectivity to an Agent is lost. If such connectivity problems occur, the SOC analysts can dial into the OOB device to verify the Agent is functioning properly and attempt to identify the source of the outage before escalating to you. IBM will:
a. provide live support, via phone and e-mail, to assist you in locating applicable vendor documents which detail physical installation procedures and cabling;
b. configure the OOB device to access the managed Agents; or
c. work in good faith with you to utilize an IBM-approved existing OOB solution.
NOTE: For purpose of clarification, if your internal security policy prohibits the use of an OOB device, IBM may waive this requirement. Such waiver may noticeably impact IBM’s ability to effectively provide the Services.
Completion Criteria: This activity will be complete when one of the following first occurs:
● IBM has configured the OOB device to access the managed Agent; or
● you have requested, and IBM has agreed, to waive the requirement for OOB access.


Deliverable Materials: ● None

Activity 5 - Implementation
The purpose of this activity is to implement the Agent(s) for MNSS, except where the SELM Services for Networks component is involved.

Task 1 - Configure the Agent
IBM will:
a. remotely assess the Agent to verify it meets IBM specifications;
b. identify Agent software, hardware, and/or content that does not meet current IBM-supported levels;
c. as appropriate, identify required hardware upgrades to support applicable vendor hardware compatibility lists;
d. remotely configure the Agent, including setting the policy, hardening the operating system, and registering the Agent with the IBM MSS infrastructure;
e. provide live phone support and location of vendor documents to assist you in configuring the Agent with a public IP address and associated settings. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;
f. tune the Agent policy to reduce the number of erroneous alarms (if applicable); and
g. at your request, exercise the configuration and policy on the existing Agent.

Task 2 - Install the Agent
IBM will:
a. provide live support, via phone and/or e-mail, to assist you in locating applicable vendor documents that detail physical installation procedures and cabling. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;
b. provide recommendations to adjust the layout of the network to enhance security (as applicable);
c. remotely configure the Agent, including registering the Agent with the IBM MSS infrastructure; and
d. tune the Agent policy to reduce the number of erroneous alarms (if applicable).
Note: You may contract separately for IBM to provide physical installation services.

Completion Criteria: This activity will be complete when the Agent is registered with the IBM MSS infrastructure.
Deliverable Materials: ● None

Activity 6 - Testing and Verification
The purpose of this activity is to perform testing and verification of the Services. IBM will:
a. verify connectivity of the Agent or OA to the IBM MSS infrastructure;
b. perform Services acceptance testing;
c. verify delivery of log data from the Agent to the IBM MSS infrastructure;
d. verify availability and functionality of the Agent in the Portal;
e. perform quality assurance testing of the Agent; and
f. remotely demonstrate the primary features of the Portal for up to ten of your personnel, for up to one hour.
Completion Criteria: This activity will be complete when IBM has verified availability and functionality of the Agent in the Portal.
Deliverable Materials: ● None


Activity 7 - Services Activation
The purpose of this activity is to activate the Services. IBM will:
a. assume management and support of the Agent;
b. set the Agent to “active” as part of MNSS, except where the SELM Services for Networks component is involved; and
c. transition the Agent to the SOCs for ongoing management and support.
Completion Criteria: This activity will be complete when the Agent is set to “active”. For Log & Alert services this activity will be complete when the SOC has assumed support of the Services.
Deliverable Materials: ● None

4.5.2 Your Deployment and Activation Responsibilities

Activity 1 - Project Kickoff
You agree to:
a. attend the project kickoff call; and
b. review each party’s respective responsibilities.

Activity 2 - Network Access Requirements
You agree to:
a. review and comply with the IBM “Network Access Requirements” document during deployment and throughout the term of the contract; and
b. be solely responsible for any charges incurred as a result of IBM utilizing a site-to-site VPN to connect to your network.

Activity 3 - Assessment

Task 1 - Gather Data
You agree to:
a. complete and return any questionnaires and/or data gathering forms to IBM within five days of your receipt;
b. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services deployment, within two business days of IBM’s request;
c. work in good faith with IBM to accurately assess your network environment;
d. provide contacts within your organization, and specify a notification path through your organization, in the event IBM must contact you; and
e. update IBM within three calendar days when your contact information changes.

Task 2 - Assess Environment
This task will need to be performed by you for MNSS, except where the SELM Services for Networks component is involved. You agree:
a. to maintain current licensing, and support and maintenance for the Agents;
b. to perform all IBM-requested changes to your network layout to enhance security;
c. and acknowledge that protection provided by Agents deployed in passive mode will be substantially decreased; and
d. and acknowledge that transition to an inline deployment at a later date will require advance notice.

Task 3 - Assess Existing Agent
This task will need to be performed by you for MNSS, except where the SELM Services for Networks component is involved.


You agree:
a. to ensure the existing Agent meets IBM’s specifications;
b. to remove or add IBM-specified applications and user accounts;
c. if requested by IBM:
(1) to upgrade IBM-specified Agent software; and
(2) to upgrade IBM-specified Agent hardware.

Activity 4 - Out-of-Band Access
You agree:
a. for new OOB solutions:
(1) to purchase an IBM-supported OOB device;
(2) to physically install and connect the OOB device to the Agent;
(3) to provide a dedicated analog telephone line for access;
(4) to physically connect the OOB device to the dedicated telephone line and maintain the connection;
(5) to be responsible for all charges associated with the OOB device and telephone line; and
(6) to be responsible for all charges associated with the ongoing management of the OOB solution;
b. for existing OOB solutions:
(1) to ensure the solution does not allow IBM to access non-managed devices;
(2) to ensure the solution does not require installation of specialized software;
(3) to provide IBM with detailed instructions for accessing managed Agents; and
(4) to be responsible for all aspects of managing the OOB solution;
c. and acknowledge that existing OOB solutions must be approved by IBM;
d. to maintain current support and maintenance contracts for the OOB (as required); and
e. and acknowledge that if you choose to deploy the Services without the required OOB access, or if OOB access is not available to IBM for any reason, then:
(1) IBM is relieved of all SLAs which are directly influenced by the availability of such access;
(2) IBM may require additional time to troubleshoot and/or maintain your devices; and
(3) you will be required to provide on-site assistance with configuration, problem solving, device updates, troubleshooting and/or any other situation that would typically be performed using OOB access.

Activity 5 - Implementation
This activity will need to be performed by you for MNSS, except where the SELM Services for Networks component is involved.

Task 1 - Configure the Agent
You agree to:
a. update Agent software or content to the most current IBM-supported version (i.e., physically load media as applicable);
b. update hardware to support applicable vendor hardware compatibility lists (if applicable);
c. adjust the Agent policy as requested by IBM;
d. configure the Agent with a public IP address and associated settings; and
e. assist IBM in exercising the existing Agent configuration and policy (if applicable).

Task 2 - Install the Agent
You agree:


a. to work with IBM in locating vendor documents that detail physical installation procedures and cabling. You will schedule such support in advance to ensure availability of an IBM deployment specialist;

b. to be responsible for the physical cabling and installation of the Agent(s);
c. to perform any IBM-specified adjustments to the layout of the network to enhance security; and
d. and acknowledge that IBM recommends Agents be deployed inline and inside your firewall.

Activity 6 - Testing and Verification
You agree:
a. to be responsible for development of all of your specific acceptance testing plans;
b. to be responsible for performing acceptance testing of your applications and network connectivity; and
c. and acknowledge that additional acceptance testing performed by you, or lack thereof, does not preclude IBM from setting the Agent to “active” in the SOCs for ongoing support and management.

Activity 7 - Services Activation
No additional responsibilities are required by you for this activity.

4.6 SELM Services for Networks Deployment and Activation

During SELM Services for Networks Deployment and Activation, IBM will work with you to deploy a new Agent or begin management of an existing Agent.

Activity 1 - On-Site Aggregator Implementation:
The purpose of this activity is to configure the on-site aggregator (“OA”). The OA is a required device that you provide. Such device is deployed at your location and managed and monitored by IBM MSS for an additional charge, as specified in the Schedule.

The basic functions of the OA are to:
a. compile or otherwise combine the security events and log data;
b. parse and normalize unknown, text-based system activity log formats for submission to the IBM MSS infrastructure;
c. compress and encrypt the security events and log data; and
d. transmit the security events and log data to the IBM MSS infrastructure.

Core features of the OA are to:
a. perform local spooling by queuing the events locally when a connection to the IBM MSS infrastructure is not available;
b. perform unidirectional log transmission. OA communication is performed via outbound SSL/TCP-443 connections;
c. perform message throttling, if configured. This limits the bandwidth from the OA to the IBM MSS infrastructure (in messages per second) to preserve bandwidth;
d. provide transmit windows, if configured. The transmit windows enable/disable event transmission to the IBM MSS infrastructure during the timeframe specified by you in the Portal; and

IBM strongly encourages Out-of-Band (“OOB”) access to the OA, as described in the section of this Services Description entitled “Out-of-Band Access”.

Task 1 - Configure the OA
IBM will:
a. provide live support, via phone and e-mail, and will assist you with the location of applicable vendor documents detailing the installation and configuration procedures for the OA operating system and IBM provided OA software. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;
e. provide you with hardware specifications for the OA platform;
f. provide you with OA software and configuration settings;


g. provide you with telephone and e-mail support to assist with the installation of the IBM-provided OA software on the hardware platform you provide. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;

h. at your request, and for an additional charge specified in the Schedule, provide software installation services;

i. for existing platforms:
(1) assess existing hardware configurations to ensure they meet IBM’s specification; and
(2) identify required hardware upgrades to be provided and installed by you.

Task 2 - Install the OA
IBM will:
a. provide live support, via phone and e-mail, and will assist you with location of applicable vendor documents detailing physical installation procedures and cabling of the OA. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;
b. remotely configure the OA to include registration of the OA with the IBM MSS infrastructure and begin the deployment and management takeover process of the OA; and
c. confirm the IBM MSS infrastructure is receiving communication from the OA.

Completion Criteria: This activity will be complete when the OA is installed and configured and IBM has confirmed the IBM MSS infrastructure is receiving communications from the OA.
Deliverable Materials: ● None

Activity 2 - Universal Log Agent Implementation
The ULA is a light-weight log collection application that runs on an Agent subscribing to the Services. The ULA gathers text-based logs locally from the Agent and securely forwards them to the OA. The OA then securely forwards the logs to the IBM MSS infrastructure for collection, long term storage, and display in the Portal.

The basic functions of the ULA are to:
a. collect events/logs locally from the Agent;
b. compress the events/log data;
c. encrypt the events/log data; and
d. securely transmit the events/logs to the OA.

Core features of the ULA are to:
a. perform generic text file data collection;
b. perform event log collection;
c. perform system information collection, which may include:
(1) operating system (“OS”) version;
(2) memory;
(3) CPU;
(4) local user accounts;
(5) network interface details;
(6) running processes; and
(7) open network sockets;

d. perform unidirectional log transmission. ULA communication is performed via outbound SSL/TCP-443 connections;

e. perform message throttling, if configured. This limits the bandwidth from the ULA to the OA, in messages per second, to preserve bandwidth; and


f. provide transmit windows, if configured. The transmit windows enable/disable event transmission to the IBM MSS infrastructure during the timeframe specified by you in the Portal.

Task 1 - Prepare Your Agent
IBM will provide you with a list of Agents that require ULA installation.

Task 2 - Install the ULA
IBM will:
a. provide the ULA for download via the Portal; and
b. provide you with access to the SELM Services for Networks ULA Installation Guide via the Portal.

Task 3 - Configure the ULA
IBM will provide you with instructions on how to login to the Portal and configure the Agent.

Completion Criteria: This activity will be complete when IBM has provided you with a list of Agents requiring ULA installation.
Deliverable Materials: ● None

Activity 3 - Non-ULA Log Collection Implementation
The purpose of this activity is to facilitate log collection via SYSLOG streams when it is not technically feasible or appropriate to install the ULA on an Agent. IBM will:
a. provide you with a list of Agents that require SYSLOG collection;
b. provide the IP address of the OA to which the SYSLOG stream must be forwarded.
Completion Criteria: This activity will be complete when IBM has provided your Point of Contact with the IP address of the OA to which the SYSLOG stream must be forwarded.
Deliverable Materials: ● None

Activity 4 - SELM Services for Networks Activation
The purpose of this activity is to activate the SELM Services for Networks. IBM will:
a. assume support of the Agent; and
b. transition the Agent to the SOCs for ongoing support.
Completion Criteria: This activity will be complete when the Agent is set to “active”. For Log & Alert services this activity will be complete when the SOC has assumed support of the Services.
Deliverable Materials: ● None

4.6.2 Your SELM Services for Networks Deployment and Activation Responsibilities

Activity 1 - On-site Aggregator Implementation

Task 1 - Configure the OA
You agree:
a. to provide IBM with an external IP address for the OA;
b. to provide the hardware for the OA platform, based on IBM’s recommendations and requirements;
c. to maintain current licensing, and support and maintenance contracts for the hardware the OA is installed upon;
d. to install the IBM-provided OA software on your provided hardware, under the guidance of IBM;


e. to configure an external IP address and associated settings on the OA;
f. to provide IBM with the OA IP address, hostname, machine platform, application version, and Agent time zone; and
g. for existing platforms, to procure and install IBM-requested hardware upgrades.

Task 2 - Install the OA
You agree:
a. to be responsible for physical installation and cabling of the OA; and
b. to schedule live support with an IBM deployment specialist.

Activity 2 - Universal Log Agent Implementation

Task 1 - Prepare Your Agent
You agree:
a. to enable your organization’s desired system, security and application-level auditing of the operating systems, or applications that will be monitored; and
b. to verify connectivity between the Agent and the OA.

Task 2 - Install the ULA
You agree:
a. to download the ULA software from the Portal;
b. to install the ULA on Agent(s) subscribing to the Services; and
c. and acknowledge, to be solely responsible for all ULA installation tasks.

Task 3 - Configure the ULA
You agree:
a. to login to the Portal and confirm the Agent is available and is receiving logs within three business days of ULA installation and configuration;
b. to configure the ULA with appropriate configuration settings (including: service level, site, platform, operating system and time zone);
c. to update the ULA configuration settings (including service level, site, platform, operating system and time zone), within three days of any future device modification;
d. to modify the ULA policy (if desired); and
e. and acknowledge, to be solely responsible for all ULA configuration tasks.

Activity 3 - Non-ULA Log Collection Implementation
You agree:
a. to configure the Agent to point SYSLOG streams to the OA under the guidance of IBM;
b. to login to the Portal and confirm the Agent is available and is receiving logs within three business days; and
c. and acknowledge, to be solely responsible for all SYSLOG installation tasks.

Activity 4 - SELM Services for Networks Testing and Verification
You agree:
a. to be responsible for development of all of your specific acceptance testing plans;
b. to be responsible for performing acceptance testing of your applications and network connectivity;
c. to verify that the logs of each Agent are available in the Portal.
d. to update the ULA configuration settings (including service level, site, platform, operating system and time zone), within three days of any future device modification; and
e. and acknowledge that additional acceptance testing performed by you, or lack thereof, does not preclude IBM from setting the Agent to “active” in the SOCs for ongoing support and management.


Activity 5 - SELM Services for Networks Out-of-Band Access
You agree to be responsible for performing all remote configuration activities for OOB and all OOB troubleshooting, if you elect not to implement an OOB solution or if the OOB solution is unavailable for any reason.

4.7 Redeployment and Reactivation

During Redeployment and Reactivation, IBM will work with you to replace, upgrade, or move an MSS Agent.

Note: Redeployment and Reactivation activities are performed on a one time basis. If you choose to replace, upgrade, or move your MSS Agent during the Services contract, IBM may require that such MSS Agent be redeployed. Such Redeployment and Reactivation will be provided at an additional charge via a Project Change Request. Redeployment and Reactivation charges apply only to hardware replacements, upgrades, or moves initiated by you. Such charges do not apply to MSS Agent failures resulting in Agent Return Material Authorization (“RMA”) activities.

IBM will provide Redeployment and Reactivation activities as per the “Deployment and Activation” sections of this document.

You will assume and acknowledge Redeployment and Reactivation activities as per the “Deployment and Activation” sections of this document.

Note: For Log and Alert services you may contract separately for IBM to provide physical installation and configuration services.

4.8 Security Event and Log Collection (SELM)

IBM utilizes the X-Force Protection System for collecting, organizing, archiving and retrieving security event and log data. The Portal provides you with a 24 hours/day, 7 days/week view into the Services, including online access to raw logs collected and stored within the X-Force Protection System infrastructure. Security event and log data will be viewable online in the Portal for the retention period specified in the Schedule. At the end of the one year period, the data will be transitioned to offline storage (if applicable).

The SELM Services for Networks provides up to five (5) GB of compressed storage space for each year of the retention period contracted. On day one of the contract, IBM will make available the total storage space based on the contracted term (5 GB x n where “n” equals contract term). Additional storage space may be purchased for an additional charge, as specified in a separate transaction.

4.8.1 IBM Event and Log Collection and Archival Responsibilities

IBM will:
a. collect log and event data generated by the MSS Agent(s) as such data reaches the IBM MSS infrastructure;
b. when SELM Services for Networks is included as part of your Service contract, utilize enabled parsers to normalize inbound log traffic for display and archival;
c. throttle (i.e., slow) log and event data streams generated by the MSS Agent(s);
d. uniquely identify collected log and event data;
e. archive collected data in the IBM proprietary infrastructure;
f. when SELM Services for Networks is included as part of your Service contract, provide storage for up to five GB of compressed log and event data for each year of the contract term;
g. provide one year of log and event data storage unless otherwise specified by you and contained within the Schedule. Options for up to 7 years of log retention are available and specified as part of the Schedule.
h. display collected log and event data in the MSS Portal for one year;
i. where supported, normalize the log and event data for enhanced presentation in the MSS Portal;
j. begin purging collected log and event data using a first in, first out (“FIFO”) method:

(1) based on the default (one year) retention period or your defined retention periods (if applicable); or


(2) when SELM Services for Networks is included as part of your Service contract, your storage space has been exceeded (if applicable); or

(3) when the log and event data age has exceeded seven years;
Note: Notwithstanding any retention periods defined by you, IBM will not retain log and event data for more than seven years. If you exceed your seven year retention period at any time during the contract period, IBM will begin purging the collected log and event data using the FIFO method.

k. if it deems it appropriate, recommend a site-to-site VPN be utilized to encrypt traffic that is not natively encrypted by the MSS Agent(s);

l. use the MSS Portal to review and query security event and log data; and
m. use the MSS Portal to maintain available log and event storage space awareness.

Note: Data traveling across the Internet is encrypted using industry-standard encryption algorithms provided natively by the Agent only when the Agent (provided by you) is equipped with the capability to do so.

4.8.2 Your Collection and Archival Responsibilities

You will:
a. provide IBM security event and log retention periods not to exceed seven years, or not to exceed five GB of compressed storage space for each year of the contract term;
b. use the MSS Portal to review and query security event and log data;
c. use the MSS Portal to maintain available log and event storage space awareness;
d. ensure an active Services contract is being maintained for each unique security event and log source; and
Note: If the Services are terminated for any reason whatsoever, IBM will be relieved of its obligation to store your security event and log data.
e. use the MSS Portal to review and query security event and log data;
f. acknowledge that:
(1) unless otherwise specified in writing by you, IBM will maintain the collected log and event data for one year (i.e., the most recent twelve (12) months);
(2) all log and event data will be transmitted to the SOCs via the Internet;
(3) should you choose not to utilize an IBM-recommended site-to-site VPN for MSS Agent(s) that does not provide encryption algorithms natively, log and event data transmitted via the Internet will not be encrypted;
(4) IBM only collects and archives log and event data that successfully reaches the IBM MSS infrastructure;
(5) IBM does not guarantee the legal submission of any security event or log data into any domestic or international legal system. Admissibility of evidence is based on the technologies involved and your ability to prove proper data handling and chain of custody for each set of data presented;
(6) IBM has the right to throttle log and event streams generated by the MSS Agent(s) (if required);
(7) when SELM Services for Networks is included as part of your Service contract, IBM will begin purging data using a FIFO method when collected log and event data exceeds allocated storage space;
(8) your defined retention periods may not exceed seven years, since IBM will not store log and event data for more than seven years; IBM will begin purging data using the FIFO method when collected log and event data exceeds seven years, regardless of your specified retention periods; and
(9) when SELM Services for Networks is included as part of your Service contract, IBM may collect, gather and compile the log parsers and data utilized by the MNSS Services for the purposes of: a) sanitizing and publishing parsers for general use, and b) identifying trends, and real or potential threats. IBM may compile or otherwise combine this information with that of other customers so long as such data is compiled or combined in a manner that will not in any way reveal the data as being attributable to you.

5. Managed Network Security Services – Common Features

Common features allow you to define by device (where applicable) the necessary response, escalation, implementation or update timeframe associated with the service. The timeframe options provide multiple service options established, by device, in your contract. The various levels of service for the feature may have an SLA associated with the feature.

5.1 Automated Analysis

Automated Analysis will be provided as part of MNSS, except where the SWG component is involved. Agents are capable of generating a high volume of alarms in response to the security conditions they are configured to detect. The actual security risk corresponding to a particular condition detected is not always clear, and it is not practical to block all data that may be harmful as the default. IBM has developed and maintains a proprietary automated intelligence (“AI”) analysis engine as part of the X-Force Protection System. Events from Agents are submitted to the AI analysis engine for correlation and identification, as they are collected. The AI analysis engine performs the following basic functions:
● correlates both real-time and historical alarms;
● utilizes statistical and rules-based analysis techniques;
● leverages raw, normalized and consolidated data; and
● operates on application and operating system alarms.

X-Force Protection System AI alerts are made available to you via the Portal. IBM will send you an hourly X-Force Protection System alert notification e-mail, summarizing the AI alerts, if you select this option in the Portal. Automated analysis and the subsequent AI alerts generated by the X-Force Protection System are available only on IBM-specified platforms.

5.1.1 IBM Automated Analysis Responsibilities

IBM will:
a. submit collected event data to the X-Force Protection System AI analysis engine for correlation and identification;
b. when SELM Services for Networks is included as part of your Service contract, utilize user-defined correlation rules that are enabled for analysis and alerting;
c. where applicable, display applicable alerts generated by the X-Force Protection System AI analysis engine in the Portal, as such alerts become available; and
d. if configured by you, deliver X-Force Protection System alert notification within the timeframes established in the section of this Services Description entitled “Service Level Agreements”, “Security incident alert notification”.

5.1.2 Your Automated Analysis Responsibilities

You agree:
a. to be responsible for enabling/disabling applicable AI analysis engine rules, using the Portal;
b. to be responsible for scheduling X-Force Protection System alert notification, using the Portal;
c. and acknowledge:
(1) the Portal can be used to monitor and review alerts generated by the X-Force Protection System AI analysis engine; and
(2) that automated analysis is available only on IBM-specified platforms or the log sources you normalize utilizing the custom log parser except when the SELM Services for Networks component is involved.

5.2 Threat Analyst Monitoring and Notification

Threat Analyst Monitoring and Notification will be provided as part of MNSS, except where the SWG and FW components are involved. IBM MSS security analysts will perform event monitoring and analysis of intrusion event AI alerts generated by the X-Force Protection System which result from automated analysis performed on supported network IDS/IPS events. Whether or not a security event is considered a security incident is determined solely by IBM. Identified events will be classified, prioritized, and escalated as IBM deems appropriate. Alerts that are not eliminated as benign triggers are classified as a security incident (“SI”). Security incidents (“SI”) are classified into one of the three priorities described below:
● SI – Priority 1
Investigations that result in a high priority classification (i.e., Priority 1) require immediate defensive action.
● SI – Priority 2
Investigations that result in a medium priority classification (i.e., Priority 2) require action within 12 - 24 hours of notification.
● SI – Priority 3
Investigations that result in a low priority classification (i.e., Priority 3) require action within 1 – 7 days of notification.

5.2.1 IBM Threat Analyst Monitoring and Notification Responsibilities

IBM will:
a. request modification to the Agent IDS/IPS configuration, to be implemented by you, if the current policy prevents the SOC from processing event data satisfactorily and the device is not under management by the IBM MSS SOC;
b. notify you via email at the start and finish of the event monitoring and notification window notifying you that monitoring has commenced/completed;
c. perform investigation and analysis of AI alerts;
d. when possible, eliminate false positives and benign triggers and classify them as commented security incidents (“CSI”);
e. identify alerts that are not eliminated as benign triggers and classify such alerts as security incidents (“SIs”):
(1) start the SLA timers; and
(2) prioritize the SI as either high, medium or low;
f. using the standard notification path that you provide, escalate SIs to an Authorized Security Contact or Designated Services Contact based on IBM security notification “best practices” within the time frame and using the medium (for example e-mail or telephone) established in the section of this Services Description entitled “Service Level Agreements”, “Security Incident Notification”;
g. provide remediation/countermeasure recommendations, if applicable;
h. document details of CSIs and SIs in the IBM ticketing system; and
i. list CSIs and SIs in the Portal.

5.2.2 Your Threat Analyst Monitoring and Notification Responsibilities

You agree:
a. to utilize the Portal to schedule event monitoring and notification;
b. to implement MSS request policy changes to the Agent prior to the next monitoring period, if the device is not under management by IBM;
c. to utilize the Portal for investigation of audit events or ongoing events that are not considered to be immediate threats;
d. to provide IBM with current in-depth documentation of your environment;
e. to update IBM within three calendar days of changes within your environment;
f. to provide IBM with the following information, and keep such information current via the Portal;
(1) information about critical servers (for example, name, platform, operating system (“OS”), Internet protocol (“IP”) address and network segment type);
(2) information about monitored networks;
(3) information about devices utilizing network address translation (“NAT”) (for example, name, platform, OS, and network segment type);
(4) proxy servers; and
(5) authorized scanners;
g. to provide and keep current a linear contact notification path, including telephone numbers and e-mail addresses;
h. to update IBM, via the Portal, within three calendar days of a change in your contact information;
i. to provide e-mail aliases, as necessary, to facilitate notification;
j. to ensure an Authorized Security Contact or Designated Services Contact listed in the notification path is available 24 hours/day, 7 days/week;
k. to view details of CSIs and SIs via the Portal;
l. to work with IBM to optimize the monitoring service;
m. to provide feedback on CSIs and SIs via the Portal;
n. and acknowledge that:
(1) once IBM has escalated an SI, you are solely responsible for all SI incident responses, and remediation activities; and
(2) not all investigations of suspicious activity will result in the declaration of an SI.
(3) Event Monitoring and Notification applies only to AI alerts resulting from automated analysis performed on network IDS/IPS events; and
(4) lack of feedback can result in a lower prioritization of persistent or recurring activity.
(5) if you do not make the requested policy modifications prior to the next monitoring period, the Security Incident Notification SLA established in the section of this Services Description entitled “Service Level Agreement” will be null and void.

5.3 Policy Management

Policy Management will be provided as part of MNSS, except where the SELM Services for Networks component is involved. IBM defines a single rule-based Agent policy/configuration change as any authorized request for the addition or modification of one rule on one context with five or fewer objects in a single request. A change request requiring the addition of six or more objects or the manipulation of two or more rules will be counted as two or more requests. If the request applies to changes outside of the rule-based Agent policy, each submitted request will be considered a single change.

You may configure the managed Agent with a single global policy that applies to all ports.

5.3.1 IBM Policy Management Responsibilities

IBM will:
a. accept policy change requests up to the designated number of changes selected by you per month from Authorized Security Contacts or Designated Services Contacts, via the Portal;
b. acknowledge policy change requests via the Portal within the timeframes established in the section of this Services Description entitled “Service Level Agreements”, “Policy change request acknowledgement”;
c. review submitted policy change requests to verify you have provided all required information in such requests;
d. if necessary, notify the submitter that additional information is needed. During this time, service level agreement (“SLA”) timers will be placed on hold;
e. prepare and review the policy change configuration as requested by you;
f. implement policy change requests within the time specified in the Schedule as the Time to Implement which is selected by you when initiating your change request through the MSS Portal. Time to Implement options are established in the section of this Services Description entitled “Policy change request implementation”;
g. document details of the policy change request in the IBM MSS ticketing system;
h. display policy change request tickets in the Portal;
i. roll over any unused policy change requests from the current month to the next month; rollover policy change requests will be available for use until the last day of the following month, at which point, if unused, these rollover policy change requests will expire;
j. at your request, and for an additional charge (and subject to availability of IBM resource), provide up to the number of policy changes as specified in the Schedule;
k. perform daily configuration backup of the managed Agent;
l. maintain 14 configuration backups;
m. display the current configuration of the Agent in the Portal; and
n. on a quarterly basis upon your written request:
(1) audit your policy settings to verify accuracy; and
(2) work with you to review Agents under management and provide recommended changes to the network protection strategy.

5.3.2 Your Policy Management Responsibilities

You agree:
a. to ensure all policy change requests are submitted by an Authorized Security Contact or a Designated Services Contact, using the Portal, in accordance with the established procedures identified above;
b. to be responsible for providing sufficient information for each requested policy change to allow IBM to successfully perform such change;
c. to be responsible for notifying IBM if you wish IBM to perform a quarterly policy review;
d. to be solely responsible for your own security strategy, including security incident response procedures; and
e. and acknowledge:
(1) all policy changes will be completed by IBM and not by you;
(2) implementation of policy changes that IBM has deemed as having an adverse impact on the Agents’ ability to protect the network environment will result in the suspension of applicable SLAs;
(3) following closure of a calendar month, unused changes will be used upon request by you for an extended period of 30 days. After this 30 day period, these changes will no longer be available. Unused policy changes that have rolled over to the following month will be used first before using the new month’s policy changes;
(4) to clearly identify a policy change that requires an emergency implementation when submitting such a request in the Portal; and
(5) to contact the SOC via telephone, following submission of an emergency policy change request using the Portal, to escalate such policy change request to an emergency status.

5.4 Virtual Private Network Support

Using one or more of the following methods, IBM will enable your requested VPN features of the FW and (UTM) Agent(s):
a. site-to-site VPNs between two IBM-managed VPN capable Agents, or one IBM-managed Agent and a non-IBM-managed VPN capable device;
b. client-to-site VPNs through a model where IBM establishes the configuration and enables you to administer client-to-site VPN users; or
c. Secure Sockets Layer (“SSL”) VPNs through a model where IBM establishes the configuration and enables you to administer SSL VPN users.
Note: Support for client-to-site and SSL VPNs is available only on IBM-specified platforms.

5.4.2 IBM Virtual Private Network Support Responsibilities

IBM will:
a. configure up to two site-to-site VPNs during the deployment and activation of each FW or UTM Agent(s);
b. provide support for static and dynamic authentication methods of the VPN configuration;
c. set up and test up to five client-to-site VPN users;
d. set up and test up to five SSL VPN users;
e. provide you with appropriate access permissions to administer your client-to-site or SSL VPN users; and
f. provide you with a demonstration of client-to-site or SSL VPN user administration (if applicable).

5.4.3 Your Virtual Private Network Support Responsibilities

You agree:
a. to provide IBM with all required information to enable your requested VPN features;
b. to be solely responsible for creating and administering all client-to-site and SSL VPN users after the initial enablement by IBM; and
c. and acknowledge:
(1) any site-to-site VPNs you request after deployment and activation of the FMS or UTM Agent(s) will be counted against the current month’s policy change allocation;
(2) you are solely responsible for the procurement and all associated charges for any required client-to-site or SSL VPN administration applications from the FW or UTM Agent(s) manufacturer;
(3) you are solely responsible for the deployment, testing, support and maintenance, and all associated charges, for any required client-to-site or SSL VPN administration applications assigned to the FW or UTM Agent(s) manufacturer;
(4) that all client-to-site VPN solutions regarding MNSS must be approved by IBM; and
(5) certificate-based authentication is not currently supported as part of the VPN configuration.

5.5 Managed Agent Health and Availability Monitoring

IBM will monitor the health status and availability of the managed Agents, except where the SELM Services for Networks component is involved. Such monitoring is designed to assist in increasing availability and uptime of the Agents.

5.5.1 IBM Managed Agent Health and Availability Monitoring Responsibilities

Activity 1 - Monitoring

The purpose of this activity is to monitor the health and performance of the Agents. IBM MSS will perform this activity using either Agent-based monitoring or Agentless monitoring.

Agent-Based Monitoring

When technically feasible, IBM will install software on eligible Agents to monitor system health and performance, and report metrics back to the SOCs. IBM will:
a. for eligible platforms, install monitoring software on the Agents;
b. analyze and respond to key metrics, which may include:
(1) hard disk capacity;
(2) CPU utilization;
(3) memory utilization; and
(4) process availability; and
c. respond to alerts generated by the monitoring software.

Agentless Monitoring

When it is not technically feasible to install monitoring software, IBM will monitor the data stream coming from the Agents and/or poll administrative interfaces on the Agents. IBM will:
a. monitor the administrative interfaces of the Agents; and/or
b. monitor the event stream generated by the Agents; and
c. initiate additional time-based checks if contact with a managed Agent is lost.

Activity 2 - Troubleshooting

The purpose of this activity is to perform research and investigation if the Agents do not perform as expected or a potential Agent health issue is identified. IBM will:
a. create a trouble ticket in the event of an Agent performance problem or potential Agent health issue;
b. begin research and investigation of the documented issue;
c. if the Agent is identified as the potential source of a network-related problem, examine the Agent configuration and functionality for potential issues; and
d. display the Agent health and outage ticket in the Portal.

Activity 3 - Notification

The purpose of this activity is to notify you if the Agent becomes unreachable through standard in-band means. IBM will:
a. notify you if the Agent becomes unreachable through standard in-band means. Such notification will be via telephone using a predetermined notification procedure within the timeframe established in the section of this Services Description entitled “Service Level Agreements”, “Proactive system monitoring”;
b. begin investigation of problems related to the configuration or functionality of the Agent, following initiation of telephone notification; and
c. display Agent health and outage tickets in the Portal.

5.5.2 Your Managed Agent Health and Availability Monitoring Responsibilities

Activity 1 - Monitoring

You agree:
a. to allow IBM to install monitoring software on all managed Agents, where such installation is deemed by IBM to be technically feasible; or
b. to allow IBM to monitor the administrative interfaces and event stream of the managed Agents when it is not technically feasible to install monitoring software on such Agents.

Activity 2 - Troubleshooting

You agree:
a. to participate in troubleshooting sessions with IBM (as required);
b. to be responsible for providing all remote configuration and troubleshooting, if you have elected not to implement an OOB solution, or if the OOB solution is unavailable for any reason; and
c. and acknowledge that if the managed Agent is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM.

Activity 3 - Notification

You agree:
a. to provide your notification paths and contact information;
b. to update IBM within three calendar days when your contact information changes; and
c. to ensure an Authorized Security Contact or Agent outage Designated Services Contact is available 24 hours/day, 7 days/week.

5.6 Agent Management

Agent Management will be performed by IBM for MNSS, except where the SELM Services for Networks component is involved. Agent application and security updates are critical components of an enterprise and are available as part of MNSS; however, they are not included as part of SELM Services for Networks. IBM uses a vendor agnostic approach to Agent management.


5.6.1 IBM Agent Management Responsibilities

IBM will:
a. be the sole provider of software-level management for the Agents;
b. maintain system status awareness;
c. install new security content updates on the IDPS and UTM Agents, as they become generally available from the applicable vendor, within the timeframe established in the section of this Services Description entitled “Service Level Agreements”, “Proactive security content update”;
d. install patches and software updates in order to improve performance, enable additional functionality, or resolve an application problem. IBM assumes no responsibility for, and makes no warranties concerning, vendor-provided patches, updates or security content;
e. declare a maintenance window in advance of Agent updates that may require platform downtime or your assistance to complete; and
f. clearly state, within the maintenance window notification, the expected impacts of a scheduled maintenance and your specific requirements.

5.6.2 Your Agent Management Responsibilities

You agree:
a. to perform IBM-specified hardware upgrades to support the current software and firmware;
b. to work with IBM to perform Agent updates (as required);
c. to be responsible for all charges associated with hardware upgrades;
d. to maintain current licensing, and support and maintenance contracts;
e. to ensure appropriate consents are in place with your vendors to allow IBM to leverage existing support and maintenance contracts on your behalf. If such agreements are not in place, IBM will not be able to contact the vendor directly to resolve support issues; and
f. and acknowledge:
(1) all updates are transmitted and applied via the Internet;
(2) if vendor consents are not obtained or are revoked at any point during the contract period, Services and/or SLAs may be suspended by IBM;
(3) noncompliance with IBM-required software upgrades may result in suspension of Services delivery and/or SLAs; and
(4) noncompliance with IBM-required hardware upgrades may result in suspension of Services delivery and/or SLAs.

5.7 Content Security

IBM-specified Agent(s) can be configured to enable an internal content security solution (such as Web filtering, IPS, antispam or antivirus) on certain IBM-specified platforms upon your request. The Agent can be configured to enable an external content security solution (such as Web filtering or antivirus) on certain IBM-specified platforms.

5.7.1 IBM Internal Content Security Responsibilities

IBM will:
a. configure the Agent to support an internal content security solution on an IBM-specified platform;
b. configure your specific Web filtering content security policy during deployment and activation of the Agent that includes:
(1) category lists – a selection of content categories to block;
(2) destination white lists – specific sites that should be allowed even if they exist within a denied content category;
(3) destination black lists – specific sites that should be blocked even if they exist within an allowed content category; and
(4) source white list – specific IP addresses that should be excluded from content filtering;
c. configure your specific antispam policy during deployment and activation of the Agent that includes:
(1) white lists – specific e-mail addresses and/or domains to always pass; and
(2) black lists – specific e-mail addresses and/or domains that should be blocked.
d. enable antivirus support during deployment and activation of the Agent;
e. apply content security updates as described in the section of this Services Description entitled “Agent Management”; and
f. accept and apply content security policy changes as described in the section of this Services Description entitled “Policy Management”.

5.7.2 Your Internal Content Security Responsibilities

You agree:
a. to be responsible for providing sufficient information for each requested policy change to allow IBM to successfully perform such change; and
b. and acknowledge:
(1) you are responsible for the procurement, support, licensing, maintenance, and other associated charges for the content security solution; and
(2) all changes to the content security policy requested after deployment and activation of the Agent will be counted against the current month’s policy change allocation.

6. Managed Network Security Services – Optional Features

Optional services selected by you, and any additional charges for such services, will be specified in the Schedule.

6.1 Security Event and Log Delivery

At your request, IBM will retrieve log and event data from the IBM MSS Infrastructure and make it available for download from a secured IBM server. In cases where the amount of log and event data is warranted by IBM as too excessive to make available via download, IBM will store the data on encrypted media and ship it to a specified location of your choice. The feasibility of delivery via download will be assessed on a case-by-case basis.

6.1.1 IBM Security Event and Log Delivery Responsibilities

At your request, and for an additional charge specified in the Schedule, IBM will:
a. upon your request (via the Portal), retrieve specified data from the IBM MSS infrastructure and make it available to you for download on a secured IBM server; and
b. advise you of additional charges for all time and materials utilized to retrieve and prepare the data.

6.1.2 Your Security Event and Log Delivery Responsibilities

You will:
a. request security event log delivery via the Portal;
b. download requested data from a secured IBM server;
c. acknowledge that requests for retrieval of excessively large amounts of data may require data be stored on encrypted media and shipped to a specified location of your choice; and
d. be responsible for all time and material charges, and shipping charges (as applicable) associated with log delivery.

6.2 Cold Standby

Cold standby is an optional service component for MNSS, except where the SELM Services for Networks component is involved. Cold standby is a method of disaster recovery whereby a spare Agent is available as a substitute in the event the primary Agent has a hardware and/or software failure. Cold standby Agents are not powered or ready for use, and do not contain active configuration, policy, or content updates.

6.2.1 IBM Cold Standby Responsibilities

At your request, for no additional charge, IBM will:
a. work with you to transition the cold standby Agent to production and set such Agent to “active” in the event the primary Agent fails;
b. apply required content updates to the cold standby Agent in the event the primary Agent fails; and
c. apply the active current configuration to the Agent in the event the primary Agent fails.

6.2.2 Your Cold Standby Responsibilities

You agree:
a. to provide a secondary Agent to act as a cold standby Agent;
b. to maintain current licensing, and support and maintenance contracts, for the cold standby Agent;
c. to work with IBM to transition the cold standby Agent to production and set such Agent to “active” in the event the primary Agent fails; and
d. and acknowledge that:
(1) cold standby Agents are not managed and maintained by IBM unless they are transitioned to “active”;
(2) cold standby Agents require configuration changes in order to transition to “active”; and
(3) cold standby Agents may not generate traffic for the SOCs unless the primary Agent has failed and the cold standby Agent has been placed into production and transitioned to “active”.

6.3 Warm Standby

Warm standby is an optional service component for MNSS, except where the SELM Services for Networks component is involved. Warm standby is a method of redundancy that can reduce downtime due to Agent hardware and/or software failures. Warm standby management is designed to provide you with the option of having IBM manage and keep up to date a single spare Agent. In the event your primary Agent fails, the spare or “warm” Agent will be on-hand to restore Services more quickly. A standby Agent may not generate any traffic for the SOCs unless it is placed into production and set to “active”. IBM strongly encourages OOB access to the warm standby Agent as described in the section of this Services Description entitled “Out-of-Band Access”.

6.3.1 IBM Warm Standby Responsibilities

At your request, and for an additional charge specified in the Schedule, IBM will:
a. maintain health and availability status of the warm standby Agent as described in the section of this Services Description entitled “Managed Agent Health and Availability Monitoring”;
b. apply content updates to the warm standby Agents as described in the section of this Services Description entitled “Agent Management”; and
c. transition the warm standby Agent to “active” in the event the primary Agent fails.

6.3.2 Your Warm Standby Responsibilities

You agree:
a. to maintain current licensing, and support and maintenance contracts, for all warm standby platforms;
b. to be responsible for all charges associated with ongoing management of the warm standby Agent;
c. to provide secondary IP addressing;
d. to comply with and perform Your Managed Agent Health and Availability Monitoring Responsibilities as described in the section of this Services Description entitled “Managed Agent Health and Availability Monitoring”;
e. to comply with and perform Your Agent Management Responsibilities as defined in the section of this Services Description entitled “Agent Management”;
f. and acknowledge that:
(1) policy changes made to the primary Agent will not be reflected on the warm standby Agent;
(2) standby Agents may not generate traffic for the SOCs unless they have been placed into production and set to “active”; and
g. to be responsible for providing all remote configuration and troubleshooting, if you elect not to implement an OOB solution or if the OOB solution is unavailable for any reason.


6.4 Virtual Instance Management

Virtual instance management provides for managing virtual instances of network security devices. Virtual firewall technology is a specialized firewall feature which provides for multiple logical firewall “contexts” for multiple networks on a single system. Virtual firewall contexts running as part of a virtualized platform will be limited to firewall and VPN functionality enabled by the respective platform. All other features will not be supported unless explicitly stated within this document. The initial platform and virtual firewall instance are supported through management services specified for a firewall device; however, additional firewall virtual instances are subject to the specific activities provided in the following Virtual Instance sections. For virtual firewalls running in transport mode, IBM requires that each layer 2 virtual context have a layer 3 IP address assigned in order for IBM to effectively manage and monitor the individual contexts.

6.4.1 IBM Virtual Instance Responsibilities

IBM will:

a. work with you to help determine an optimal firewall configuration based on your network and firewall configuration and the most active worldwide threats (as determined by the IBM Global Threat Operations Center);

b. apply configuration changes as specified in the Schedule within the implementation time specified; and

c. provide event and log collection and archival as specified in this service description and as appropriate for the logs and events received from the virtual instance.

6.4.2 Your Virtual Instance Responsibilities

You agree:

a. to indicate which virtual context(s) are affected when making a Policy Change Request;

b. to deploy an IBM-supported OOB device and provide a dedicated analog telephone line for access; and

c. to acquire and pay for the device and telephone line and pay for the ongoing management of same.

6.5 High Availability

High Availability is an optional service component for MNSS, except where the SELM Services for Networks component is involved. To help protect against hardware and/or software failure and provide high availability (“HA”), two managed protection Agents may be configured and deployed; one fully operational and the other waiting as a backup to take over should the first Agent fail. Some Agents can also be deployed as clusters, such that multiple Agents operate and share network load.

Active/Passive Implementations

In this configuration, a second Agent is configured, ready to begin serving the network if the primary Agent experiences a critical hardware or software failure. In such a scenario, failover is automatic and expected to be immediate.

Active/Active Implementations

Active/active clusters use two or more Agents to handle the network traffic simultaneously. In this configuration, each Agent handles a share of the network packets, determined by a load-balancing algorithm. If one Agent fails, the other Agent(s) is/are designed to automatically handle all of the traffic until the failed Agent has been restored.

IBM strongly encourages OOB access to all Agents in the high availability configuration, as described in the section of this Services Description entitled “Out-of-Band Access”.

6.5.1 IBM High Availability Responsibilities

At your request, and for an additional charge specified in the Schedule, IBM will:

a. configure a secondary Agent in either an active/passive or active/active configuration, as specified by you;

b. when either FW, UTM, SWG or IDPS Management are included as part of your Service contract, IBM will configure active/active configurations utilizing three or more Agents (“cluster”) in unicast mode (i.e., communication between a single sender and a single receiver over a network);


Note: IBM does not support active/active configurations in multicast mode.

c. manage and monitor the HA solution;

d. maintain health and availability status of the secondary Agent as described in the section of this Services Description entitled “Managed Agent Health and Availability Monitoring”;

e. apply content updates to the secondary Agent(s) as described in the section of this Services Description entitled “Agent Management”; and

f. update the policy of the secondary Agent as described in the section of this Services Description entitled “Policy Management”.

6.5.2 Your High Availability Responsibilities

You agree:

a. to provide a secondary Agent;

b. to make any required changes to software licensing;

c. to provide secondary IP addressing;

d. to be responsible for all charges associated with ongoing management for the secondary Agent;

e. to comply with and perform:

(1) Your Managed Agent Health and Availability Monitoring Responsibilities as defined in the section of this Services Description entitled “Managed Agent Health and Availability Monitoring”;

(2) Your Agent Management Responsibilities as defined in the section of this Services Description entitled “Agent Management”;

(3) Your Policy Management Responsibilities as defined in the section of this Services Description entitled “Policy Management”;

f. to be responsible for providing all remote configuration and troubleshooting, if you elect not to implement an OOB solution on both the primary and secondary Agents or if the OOB solution is unavailable for any reason; and

g. and acknowledge that:

(1) the Services do not support non-integrated HA solutions;

(2) IBM supports active/active configurations utilizing three or more Agents in unicast mode only.

6.6 On-site Aggregator

On-site Aggregator is an optional service component for MNSS, except where the SELM Services for Networks service components are involved. The On-site Aggregator (“OA”) is a device you provide that is deployed at your location. The purpose of the OA is to centralize the collection of log and security event data when you have multiple Agents subscribing to IBM MSS, and securely transmit this data to IBM MSS for further processing and long-term storage.

The basic functions of the OA are to:

a. compile or otherwise combine the security events and log data;

b. compress the security events and log data;

c. encrypt the security events and log data; and

d. transmit the security events and log data to the IBM MSS infrastructure.

Core features of the OA are:

a. perform local spooling by queuing the events locally when a connection to the IBM MSS infrastructure is not available;

b. perform unidirectional log transmission. OA communication is performed via outbound SSL/TCP-443 connections;

c. perform message throttling, if configured. This limits the bandwidth from the OA to the IBM MSS infrastructure (in messages per second) to preserve bandwidth; and

d. provide transmit windows, if configured. The transmit windows enable/disable event transmission to the IBM MSS infrastructure during the timeframe specified by you in the Portal.

IBM strongly encourages OOB access to the OA, as described in the section of this Services Description entitled “Out-of-Band Access”.

6.6.1 IBM On-site Aggregator Responsibilities

At your request, and for an additional charge specified in the Schedule, IBM will provide the following services.

Activity 1 - Configuration

The purpose of this activity is to configure the OA. IBM will:

a. provide live support, via phone and e-mail, and will assist you with the location of applicable vendor documents detailing the installation and configuration procedures for the OA operating system and IBM provided OA software. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;

b. provide you with hardware specifications for the OA platform;

c. provide you with OA software and configuration settings;

d. provide you with telephone and e-mail support to assist with the installation of the IBM-provided OA software on the hardware platform you provide. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;

e. at your request, and for an additional charge specified in the Schedule, provide software installation services;

f. for existing platforms:

(1) assess existing hardware configurations to ensure they meet IBM’s specification; and

(2) identify required hardware upgrades to be provided and installed by you.

g. if the OA is installed on a virtual platform, IBM is solely responsible for the OA Virtual Machine management and has no responsibility on the Virtualization infrastructure management; and

h. when having an OA running on a Virtual Machine, the “Proactive System Monitoring” SLA will become a Service Level Objective (SLO) and the penalty specified on the “SLA Remedies” section of this Service Description will be void.

Activity 2 - Installation

The purpose of this activity is to install the OA. IBM will:

a. provide live support, via phone and e-mail, and will assist you with location of applicable vendor documents detailing physical installation procedures and cabling of the OA. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist;

Note: You may contract separately for IBM to provide physical cabling and installation services.

b. remotely configure the OA to include registration of the OA with the IBM MSS infrastructure and begin the deployment and management takeover process of the OA; and

c. confirm the IBM MSS infrastructure is receiving communication from the OA.

Activity 3 - Ongoing Management and Support

The purpose of this activity is to provide ongoing management and support of the OA. IBM will:

a. set the OA to “active” in the SOCs for ongoing support and management;

b. maintain health and availability status of the OA as described in the section of this Services Description entitled “Managed Agent Health and Availability Monitoring”;

c. apply software updates to the OA as described in the section of this Services Description entitled “Agent Management”; and

d. be responsible for the management and monitoring of the OA for the term of the contract and during any renewal period.


6.6.2 Your On-site Aggregator Responsibilities

Activity 1 - Configuration

You agree:

a. to provide IBM with an external IP address for the OA;

b. to provide the hardware for the OA platform, based on IBM’s recommendations and requirements;

c. to install the IBM-provided OA software on your provided hardware, under the guidance of IBM;

d. to configure an external IP address and associated setting on OA;

e. to provide IBM with the OA IP address, hostname, machine platform, application version, and Agent time zone; and

f. for existing platforms, to procure and install IBM-requested hardware upgrades.

Activity 2 - Installation

You agree to:

a. be responsible for physical installation and cabling of the OA; and

b. schedule live support with an IBM deployment specialist.

Activity 3 - Ongoing Management and Support

You agree to:

a. be responsible for procuring and installing required hardware upgrades to the OA platform for the term of the contract;

b. comply with and perform Your Managed Agent Health and Availability Monitoring Responsibilities as described in the section of this Services Description entitled “Managed Agent Health and Availability Monitoring”;

c. comply with and perform Your Agent Management Responsibilities as described in the section of this Services Description entitled “Agent Management”;

d. when using virtual instances as a part of this Service, to be solely responsible for the management of the Virtualization Infrastructure, if the OA is running on a Virtual Machine;

e. when using virtual instances as a part of this Service, that if any maintenance is being performed on the Virtualized Server which could potentially impact the operation of the OA Virtual Machine image slice, a ticket must be created to notify IBM and schedule a configuration window in the event that the OA needs to be safely shut down; and

f. when using virtual instances as a part of this Service, to provide enough dedicated resources to the OA Virtual Machine in order to meet the minimum requirements specified by IBM.

6.7 Ticket System Integration

If you wish to leverage existing trouble ticketing and case management investments, IBM will provide an application program interface (“API”) which allows for customized integration with external ticketing systems.

6.7.1 IBM Ticket System Integration Responsibilities

At your request, and for an additional charge specified in the Schedule, IBM will provide an API to allow for customized integration with external ticketing systems.

6.7.2 Your Ticket System Integration Responsibilities

You agree:

a. to be responsible for all additional charges associated with API ticket integration;

b. to utilize the Portal API package to facilitate ticket integration;

c. to be responsible for all engineering and development issues associated with ticket integration; and

d. and acknowledge that IBM will not provide assistance or consulting for your ticketing system integration.


6.8 Optional SELM Services for Networks Out-of-Band Access

SELM Services for Networks Out-of-Band Access is an optional service component for MNSS when the SELM Service for Networks component is involved. SELM Services for Networks OOB assists the SOCs if connectivity to an Agent is lost. If such connectivity problems occur, the SOC analysts can dial into the OOB device to verify the Agent is functioning properly and attempt to identify the source of the outage before escalating to you.

6.8.1 IBM SELM Services for Networks Out-of-Band Access Responsibilities

At your request, and for an additional charge specified in the Schedule, IBM will:

g. provide live support, via phone and e-mail, to assist you in locating applicable vendor documents which detail physical installation procedures and cabling;

h. configure the OOB device to access the managed Agents; or

i. work in good faith with you to utilize an IBM-approved existing OOB solution.

NOTE: For purpose of clarification, if your internal security policy prohibits the use of an OOB device, IBM may waive this requirement. Such waiver may noticeably impact IBM’s ability to effectively provide the Services.

Completion Criteria: This activity will be complete when one of the following first occurs:

● IBM has configured the OOB device to access the managed Agent; or

● you have requested, and IBM has agreed, to waive the requirement for OOB access.

Deliverable Materials:

● None

6.8.2 Your SELM Services for Networks Out-of-Band Access Responsibilities

No additional responsibilities are required by you for this activity.

7. Service Level Agreements

IBM SLAs establish response time objectives and countermeasures for specific events resulting from the Services. The SLAs become effective when the deployment process has been completed, the Agent has been set to “active”, and support and management of the Agent have been successfully transitioned to “active” in the SOCs. The SLA remedies are available provided you meet your obligations as defined in this Services Description and all associated contract documents.

7.1 SLA Availability

The SLA defaults described below comprise the measured metrics for delivery of the Services. Unless explicitly stated below, no warranties of any kind shall apply to Services delivered under this Services Description. The sole remedies for failure to meet the SLA defaults are specified in the section of this Services Description entitled “SLA Remedies”.

a. Log Management and archival – IBM will provide for the archival of log and event data generated by MNSS devices for the duration as specified in the Schedule.

b. Security incident alert notification – If X-Force Protection System alert notification has been configured by you in the Portal and an alert has been generated, IBM will send an hourly e-mail notification to the Designated Services Contact, summarizing the X-Force Protection System AI alerts. This SLA only applies to the initial sending of the X-Force Protection System alert notification; not the confirmed delivery to the end recipient(s). For purpose of clarification, an e-mail notification will be sent only if an alert has been generated during the preceding hour.

c. Security incident identification, except where the FW or SWG service components are involved – IBM will identify all events it deems to be Priority 1, 2, and 3 level security incidents based on Agent IDS/IPS event data received by the SOCs.

(1) Priority 1 incidents: high-risk events that have the potential to cause severe damage to your systems or environments and require immediate defensive action. Priority 1 incident examples include system or data compromises, worm infections/propagation, and massive denial of service (“DOS”) attacks.


(2) Priority 2 incidents: lower-risk events that have the potential to impact your systems or environments and require action within 12-24 hours of notification. Priority 2 incident examples include unauthorized local scanning activity and attacks targeted at specific servers or workstations.

(3) Priority 3 incidents: low-risk or low confidence events that have the potential to impact your systems or environments. This category of investigation encompasses activity on a network or server that should be further investigated within 1-7 days but may not be directly actionable. Discovery scanning, information gathering scripts, and other reconnaissance probes are grouped into this category.

Note: Whether or not a security event is considered a security incident is determined solely by IBM.

d. Security incident notification, except where the FW or SWG service components are involved - IBM will initiate notification for all identified security incidents within the selected Incident Response SLA. Your Authorized Security Contact or Designated Services Contact will be notified by telephone for Priority 1 security incidents and via e-mail for Priority 2 and 3 security incidents. During a Priority 1 security incident notification, IBM will continue attempting to contact the Authorized Security Contact or Designated Services Contact until such contact is reached or all notification contacts have been exhausted.

Operational activities related to security incidents and responses will be documented and time-stamped within the IBM trouble ticketing system. Such documentation and time-stamp shall be used as the sole authoritative information source for purposes of this SLA.

The incident response SLA that applies is based on the following options and is specified in the Schedule.

e. Policy change request acknowledgement, except where the SELM Services for Networks component is involved – IBM will acknowledge receipt of your policy change request by IBM within the Policy change request acknowledgement response time specified in the Schedule. This SLA is only available for policy change requests submitted by an Authorized Security Contact or a Designated Services Contact in accordance with the established procedures documented in the Portal.

f. Policy change request implementation, except where the SELM Service for Networks component is involved – IBM will implement your policy change requests within the selected Time to Implement number of hours. The Time to Implement hours will be met by IBM unless the request has been placed in a “hold” status due to insufficient information required to implement the submitted policy change request. This SLA is only available for policy change requests submitted by an Authorized Security Contact or a Designated Services Contact in accordance with the established procedures documented in the Portal.

The policy change request implementation SLA that applies is based on the following Time to Implement options and is specified in the Schedule.

g. Proactive system monitoring – IBM will notify you within the Response Time designated after IBM determines your Agent is unreachable via standard in-band connectivity. The Response Time SLA that applies is based on the following Response Time options and is specified in the Schedule.

h. Proactive security content update, except where the FW or SELM Services for Networks components are involved – IBM will begin application of new security content or device updates within the Agent Update Time specified in the Schedule after the following sequential events occur:

(1) the update is published as generally available by the applicable vendor;

(2) IBM has successfully completed an evaluation period with positive results; and

(3) a confirmation (if required) has been received from you to apply the update within the Agent Update time as specified in the Schedule unless we mutually agreed to apply the update time at a later time. The approved update will be applied consistent with specific change window requirements indicated by you and may require confirmation prior to application. The Agent Update Time SLA that applies is based on the Agent Update Time options as specified in the Schedule.

i. Services availability – IBM will provide 100% service availability for the SOCs.

j. Portal availability – IBM will provide 99.9% accessibility for the Portal outside of the times specified in the section of this Services Description entitled “Scheduled and Emergency Portal Maintenance”.

7.2 SLA Remedies

a. Security incident identification remedy – If IBM fails to meet this SLA in a given calendar month, a credit will be issued as specified below;

(1) Priority 1 incidents: Failure to identify the security event(s) as a security incident will result in a one month credit for the initial Agent that reported the event(s).

(2) Priority 2 incidents: Failure to identify the security event(s) as a security incident will result in a one week credit for the initial Agent that reported the event(s).

(3) Priority 3 incidents: Failure to identify the security event(s) as a security incident will result in a one day credit for the initial Agent that reported the event(s).

b. Security incident alert notification, policy change request acknowledgement, policy change request implementation, proactive system monitoring, proactive security content update, services availability and Portal availability credits – If IBM fails to meet any of these SLAs, a credit will be issued for the applicable charges for one day of the monthly monitoring charge for the affected Agent and, if applicable, the specific managed security platform for which the respective SLA was not met.

SLAs and Remedies Summary

Service Level Agreements Availability Remedies

Security incident identification Credit for 1 month, 1 week, or 1 day for the initial Agent that reported the event, as indicated above

Policy change request implementation Credit based on the monthly fee for the policy change implementation that was not met.

Policy change request acknowledgement

Credit of 1 day of the monthly charge for the affected Agent

Security Incident Alert Notification

Security incident notification

Proactive system monitoring

Proactive security content update

Services availability

Portal availability

7.3 Simulation Mode SLA Modification

The IBM Security Network Intrusion Prevention System appliance provides you with the opportunity to run in simulation mode allowing you to view virtual blocking and prevent attacks. When a device is in simulation mode, you may view a complete list of simulated prevented attacks specific to its network, via the Portal. You may enable and disable simulation mode at any time by one of the following methods:

a. pre-deployment - you must provide a written or e-mail policy change request to the assigned IBM deployment specialist.

b. post-deployment – you must submit requests to begin or end simulation mode via a service ticket or policy change request within the Portal.

During simulation mode, all active blocking functionality will be disabled, thereby preventing active blocking by the device, and IBM will cease to provide you with the security incident prevention SLA as described in the section of this Services Description entitled “SLA Availability”. All other SLAs and remedies shall remain in effect, with the following as the sole remedies which will be available for failure to meet the applicable SLA, provided that as stated above no remedy shall be available for the security incident prevention SLA.


Simulation Mode SLAs and Remedies Summary

Service Level Agreements Availability Remedies

Intrusion event countermeasure Credit of 1 month of the monitoring charge for the affected Agent

Security incident identification Credit for 1 month, 1 week, or 1 day for the initial Agent that reported the event, as indicated above

Security incident alert notification Credit of 1 day of the monthly monitoring charge for the affected Agent

Security incident notification

7.4 Intellectual Property Services Components

IPSC Definition

Intellectual Property Services Components ("IPSCs") are pre-existing IBM or third party proprietary literary works or other works of authorship (such as programs, program listings, programming tools, documentation, reports, drawings and similar works) that IBM may license to you or that IBM may use when providing Services. IPSCs are not Products or Materials, as such terms are defined in the IBM Customer Agreement (called “ICA”). The terms of the ICA shall otherwise apply to IPSCs, except that the section entitled "Limitation of Liability," shall apply to IPSCs as if an IPSC was a "Product" for purposes of that section without reference to any other section. IBM or third parties have all right, title, and interest (including ownership of copyright) in IPSCs and IPSCs are licensed, not sold. Except as provided by mandatory law, without the possibility of contractual waiver or limitation, IBM provides IPSCs WITHOUT INDEMNITIES OR WARRANTIES OF ANY KIND.

IPSC License Grant

Subject to the IPSC Special Terms below, IBM grants you a revocable, nonexclusive, paid-up license to use, within your Enterprise only, the following IPSC:

● Universal Log Agent

IPSC Special Terms

a. IBM may terminate this license if you do not comply with any of the terms of this SOW.

b. Upon termination of this license, you agree to destroy all copies of, and make no further use of, Universal Log Agent, and certify such destruction to IBM.

By accepting receipt of the Universal Log Agent, you agree to the following Terms of Use: During the term of your IBM Managed Security Services, IBM grants you a limited nonexclusive, nontransferable license solely to internally use the Universal Log Agent. Except as otherwise provided herein, the terms of your agreement for the Managed Security Services with IBM shall apply to IBM's provision, and your use, of any Universal Log Agent. No title to or ownership in the Universal Log Agent is transferred to you. Your rights will at all times be subject to IBM's copyrights and other intellectual property rights, and IBM will retain all right, title and interest in the Universal Log Agent and any derivative works thereof. UNIVERSAL LOG AGENT IS PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS. Universal Log Agent may not be: 1) used, copied, modified, or distributed except as expressly provided herein; 2) reverse assembled, reverse compiled, or otherwise translated, except as specifically permitted by law without the possibility of contractual waiver; 3) sublicensed, rented, or leased; or 4) used for commercial purposes, including commercial research, consulting or running a business. You may not create derivative works based on the Universal Log Agent and shall not remove any notices included in the Universal Log Agent. You may not use the Universal Log Agent to design, develop or test software applications for any commercial purposes. You may not allow others to use your passwords to gain access to IBM's restricted Web sites or use the Universal Log Agent for any purposes.
The Universal Log Agent is considered confidential to IBM and you shall hold such confidential information ("Information") in trust and confidence for IBM. You will use the same care and discretion to avoid disclosure of the Information as you use with your own similar information which you do not wish to disclose. During such period, you may only disclose the Information to (1) your employees who have a need to know, and (2) any other party with IBM's prior written consent. Prior to any such disclosure, you must have a written and appropriate agreement with your employees and any other party authorized to receive such Information sufficient to require the party to treat the Information in accordance with these Terms of Use. You may use such Information only for the purpose for which it was disclosed or otherwise for the benefit of IBM. These Terms of Use impose no obligation upon you regarding the Universal Log Agent or any information contained in it where such items: (1) are or become publicly available through no fault of yours; or (2) are developed independently by you.
