IBM Infrastructure Security Services - Managed Security Information and Event Management (Managed SIEM)

IBM Infrastructure Security Services - Managed Security Information and Event Management (Managed SIEM) DK_INTC-8838-00 11-2011 Page 1 of 17

Table of Contents 1.Scope of Services...3 2.Definitions...3 3.Services...4 3.1Global Delivery Center...4 3.2Services Contacts...4 3.2.1IBM Services Contacts Responsibilities...4 3.2.2Your Services Contacts Responsibilities...4 3.3Single Point of Contact...5 3.3.1Single Point of Contact Responsibilities...5 3.3.2Your Single Point of Contact Responsibilities...5 3.4Phase One...6 3.4.1IBM Phase One Responsibilities...6 3.4.2Your Phase One Responsibilities...7 3.5Phase Two Implementation Services...8 3.5.1IBM Phase Two Responsibilities...8 3.5.2Your Phase Two Responsibilities...10 3.6Phase Three Transition Services...11 3.6.1IBM Phase Three Responsibilities...11 3.6.2Your Phase Three Responsibilities...12 3.7Phase Four Ongoing Operational Support...12 3.7.1IBM Phase Four Responsibilities...12 3.7.2Your Phase Four Responsibilities...15 4.Service Level Objectives...17 4.1SLO Availability...17 DK_INTC-8838-00 11-2011 Page 2 of 17

Service Description IBM Infrastructure Security Services - Managed SIEM IN ADDITION TO THE TERMS AND CONDITIONS SPECIFIED BELOW, THIS SERVICES DESCRIPTION INCLUDES THE IBM MANAGED SECURITY SERVICES GENERAL PROVISIONS ( GENERAL PROVISIONS ) LOCATED AT http://www-935.ibm.com/services/multimedia/dk_intc-8484-02.pdf AND INCORPORATED HEREIN BY REFERENCE. 1. Scope of Services IBM Security Services Managed Security Information and Event Management ( SIEM ) (called Managed SIEM or Services ) is designed to help you plan, implement and manage a SIEM solution, based on your identified business requirements. The SIEM solution makes use of SIEM Agents and such Agents must not be used for any other purpose while under management by IBM. The Services will typically be performed in four phases: Phase One - Planning Workshop During this phase, IBM will provide consulting services to assist you in defining the overall requirements and assess your readiness and develop roadmap to implement the Services; Phase Two - Implementation Services During this phase, IBM will design, plan and implement the Services; Phase Three Transition Services During this phase, IBM will develop and execute transition plan to transfer security operations ownership to ongoing operational support team; and Phase Four - Ongoing Operational Support During this phase, IBM will provide ongoing operational services for Managed SIEM. The Services features described herein are dependent upon the availability and supportability of products and product features being utilized. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This includes both IBM-provided and non-ibm-provided hardware, software, and firmware. 2. Definitions Console -- User Interface consists of a series of tabs and/or links allowing the user to navigate and focus on specific SIEM information of the collected, analyzed and displayed data. Dedicated Service Model -- IBM resources assigned to a dedicated service model will provide exclusive support to a single customer who has contracted for the dedicated service model as specified in the Schedule. Deployment Specialist The Deployment Specialist coordinates and performs agent solution deployment activities. Education Materials -- include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other trainingrelated property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents and presentation slides provided by IBM. Event Source also known as Log and Data Source - The heterogeneous data sources supported by SIEM Agent, including network devices, security devices, security programs and servers. Project Leader The Project Leader also serves as your Information Security Advisor (ISA), takes direction from your designated point of contact, and provides project management, oversight, and strategic direction to the IBM team. Security Specialist The Security Specialists comprise the operational support team that provides 24x7x365 eyes on-screen monitoring, alert management, incident classification, escalation, and resolution. Shared Service Model IBM resources assigned to a shared service model will provide shared support to two or more customers who have contracted for shared service model as specified in the Schedule. SIEM Agent The SIEM technology that implements a mix of log management, reporting and real-time event management capabilities. DK_INTC-8838-00 11-2011 Page 3 of 17

Transition Architect The Transition Architect is involved in project initiation and transition phases to develop the detailed migration planning, governance model, and communication plan. 3. Services 3.1 Global Delivery Center The Services are delivered from a IBM Global Deliver Centers ( GDC ). IBM will provide access to the GDC 24 hours/day, 7 days/week; however, access to the IBM Project Leader for Managed SIEM is provided from 8:30 AM to 5:15 PM, Eastern Time zone, Monday through Friday, except holidays. 3.2 Services Contacts You may choose from multiple levels of access to the GDC to accommodate varying roles within your organization. Authorized Security Contacts An Authorized Security Contact is defined as a decision-maker on all operational issues pertaining to IBM Managed Security Services. These contacts will have access to all objects within the Scanning Platform and optionally have the ability to create and execute scans. Designated Services Contacts A Designated Services Contact is defined as a decision-maker on a subset of operational issues pertaining to IBM Managed Security Services, an Agent, or a group of Agents. IBM will only interface with a Designated Services Contact regarding operational activities that fall within the subset for which such contact is responsible (for example, designated Agent outage contact). 3.2.1 IBM Services Contacts Responsibilities Authorized Security Contacts a. allow you to create up to three Authorized Security Contacts who are authorized to interact with the Project Leader; b. provide each Authorized Security Contact with the authorization to create Designated Services Contacts for Managed SIEM up to a mutually agreed upon number determined during transition; c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the Services; and d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a preshared challenge pass phrase. Designated Services Contacts a. verify the identity of Designated Services Contacts using an authentication method that utilizes a pre-shared challenge pass phrase; and b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible. 3.2.2 Your Services Contacts Responsibilities Authorized Security Contacts a. to provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for: (1) creating Designated Services Contacts and delegating responsibilities and permissions to such contacts, as appropriate; (2) authenticating with the GDCs using a pre-shared challenge pass phrase; and (3) maintaining notification paths and your contact information, and providing such information to IBM; b. to ensure at least one Authorized Security Contact is available 24 hours/day, 7 days/week; DK_INTC-8838-00 11-2011 Page 4 of 17

c. to update IBM within three calendar days when your Authorized Security Contact information changes; and d. and acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM services or SIEM Agent subscriptions for which you have contracted. Designated Services Contacts e. to provide IBM with contact information and role responsibility for each Designated Services Contact. Such Designated Services Contacts will be responsible for authenticating with the GDCs using a pass phrase; and f. and acknowledge that a Designated Services Contact may be required to be available 24 hours/day, 7 days/week based on the subset of responsibilities for which it is responsible (i.e., SIEM Agent outage). 3.3 Single Point of Contact 3.3.1 Single Point of Contact Responsibilities During the Services engagement, a. provide an IBM client focal called ( Project Leader ) whose responsibilities may include, but are not limited to; (1) provide a single point of contact to the account management and delivery teams for operational security-related activities for the customer account; (2) maintain and oversee relationships for delivery organizations providing security support; (3) establish and maintain communications through your Point of Contact (4) oversee the management of operational security activities, processes, and policies as required; (5) coordinate and manage the technical activities of IBM s assigned personnel; (6) track and assist in the management of the resolution of reported operational security issues, recommend actions, review plans, and monitor progress of remediation activities; (7) manage to resolution security risks identified as a result of reviews and audits, changes in IBM or customer environment, changes in operating practices or processes, changes in technology; (8) work jointly with customer to manage the priority of new Event Source deployment and participate in technology roadmap discussions; (9) on a regular basis (recommended at least monthly), meet with the account team to review security status, review any risks, issues, incidents, outstanding activities, and current and planned changes; (10) work with the security team on the account to produce the monthly status reports and deliver them within the scheduled timeframe; and (11) review and administer the change requests with your Point of Contact, as defined in the Schedule; b. manage project change requests and balance workload (change requests, new Event Sources enablement, and tracking SLO s). This activity will be complete when IBM has assigned a Project Leader to work with Your Point of Contact. 3.3.2 Your Single Point of Contact Responsibilities a. to provide Authorized Security Contacts or Designated Services Contacts to the Project Leader, with the ability to make business decisions; DK_INTC-8838-00 11-2011 Page 5 of 17

b. to provide resources to represent each appropriate area relating to the services delivered during monthly service delivery meetings where applicable; and 3.4 Phase One c. to provide required access to systems and applications During Phase One, the project plan will be created, validated and modified as required. At the completion of this phase and prior to proceeding with further activities under this Services Description, your Point of Contact and the IBM Delivery Project Leader will assess the results of the workshop and either: 1) continue with the implementation of the Services as described in this Services Description, or 2) upon request, review the possibility of modifying your contract using the Schedule. 3.4.1 IBM Phase One Responsibilities IBM will perform the following activities in order to enable your Service. Activity 1 - Planning Workshop During Planning Workshop (called Phase One ), IBM will provide consulting services to assist you in establishing your readiness to begin the Services. Task 1 - Project Kickoff The purpose of this activity is to conduct a project kickoff call. a. provide your Point of Contact with a data gathering form on which you will be asked to document: (1) team member names, contact information, roles and responsibilities; (2) unique country and site requirements; (3) your existing network infrastructure; (4) number and type of Services Recipients; (5) key business drivers and/or dependencies that could influence Services delivery or timelines; and b. update the data gathering form, as applicable, throughout the performance of the Services. This activity will be complete when IBM Project Leader has provided the data gathering form and scope validation to your Point of Contact. Task 2 - On-Site Planning Session The purpose of this activity is to review the project objectives, roles, and responsibilities, and assess your readiness to implement the Services. IBM will facilitate a planning session, at your site, for up to two business days on a mutually agreed date and time, to: a. introduce the project participants; b. discuss project team roles and responsibilities; c. review the project objectives; d. provide an overview of the project methodology; e. review and approve customer trouble ticketing system; f. work with you to confirm the requirements to support your stated business needs, such as: (1) redundancy requirements; (2) capacity issues; (3) bandwidth sizing; and (4) staffing expectations. DK_INTC-8838-00 11-2011 Page 6 of 17

This activity will be complete when IBM has conducted the planning session. Task 3 - Architecture and Implementation Design The purpose of this activity is to develop a high-level architecture and implementation design for the Managed SIEM Services. a. review existing documentation provided by you during the On-Site Planning Session; b. review the findings from the On-Site Planning Session activity; c. develop and document an architecture and implementation plan in a draft Service Implementation Plan. This activity will be complete when IBM has completed the Architecture and Implementation Design. Task 4 - Policy and Reporting Design SIEM solutions collect data from any sources (called Event Sources or Log and Data Sources ).The purpose of this activity is to develop a high-level event feed grouping, policy and reporting design for the Services. a. review existing documentation provided by you during the On-Site Planning Session; b. perform data analysis and review the findings from the On-Site Planning Session activity; c. develop solution planning and document a Event Feed grouping, policy and reporting design plan in the draft Service Implementation Plan. This activity will be complete when IBM has completed the Policy and Reporting review requirements and finalized solution planning. Task 5 - Plan Review and Workshop Completion The purpose of this activity is to review and finalize the Service Implementation Plan report. a. review the draft finalized solution and Service Implementation Plan; with your Point of Contact by telephone or other electronic means; b. perform one revision of the report, if required and deliver the final Service Implementation Plan to your Point of Contact; and c. if requested, conduct a review of the final report with your management team, by telephone or other electronic means. This activity will be complete when IBM Project Leader has delivered the final Service Implementation Plan report to your Point of Contact. Service Implementation Plan report 3.4.2 Your Phase One Responsibilities In order to provide for successful planning workshop of your service, participation in the following will be necessary. DK_INTC-8838-00 11-2011 Page 7 of 17

Activity 1 - Planning Workshop Task 1 - Project Kickoff a. attend the project kickoff call; b. review each party s respective responsibilities: and c. complete and return the data gathering form(s) within five days of receipt of such form. Task 2 - On-Site Planning Session a. schedule the planning session identified in the On-Site Planning Session activity such that all participants have enough notice to attend; b. invite and confirm attendance of all intended participants of the planning session, and arrange the meeting room and all logistics at your premises; and c. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility. Task 3 - Architecture and Implementation Design a. participate as required such that all required information is provided to IBM is accurate and complete. Task 4 - Policy and Reporting Design a. participate as required such that all required information is provided to IBM and is accurate and complete. Task 5 - Plan Review and Workshop Completion a. schedule a review of the Service Implementation Plan such that all participants have enough notice to attend; b. invite and confirm attendance of all intended participants; and c. review and comment on the draft Service Implementation Plan to ensure IBM can finalize such report within five business days after submitting the draft to your Point of Contact. 3.5 Phase Two Implementation Services Completion of Phase One or making available information equivalent to that resulting from Phase One is a prerequisite to commencing the Services and the Ongoing Services described herein. 3.5.1 IBM Phase Two Responsibilities IBM will perform the following activities in order to enable your Service. Activity 1 - Implementation Services During Implementation Services (called Phase Two ), IBM will implement the Services, as documented during Phase One in the Service Implementation Plan, in your environment. Any required changes to the Services Implementation Plan Report will be handled by the IBM Delivery Project Leader who will either: 1 ) continue with the implementation of the Services as described in this Services Description and Order, or 2) use the Project Change Control Procedure to modify this Services Description and Order. Task 1 - Primary Component Installation The purpose of this activity is to install software and hardware components (called Primary Components ) set forth below and provided by you, and configure the base functionality and policies, prior to testing of such components. a. configure network parameters including: (1) Hostname DK_INTC-8838-00 11-2011 Page 8 of 17

(2) IP Address (3) Default Gateway (4) DNS Servers (5) E-mail Server (6) Passwords (7) Enable License Key b. setup, configure and validate flow & event collection for the Log and Data Source; (1) Management of internal collector interfaces (2) Database retention periods and filtering options (3) Enable automatic updates (4) Create user accounts and roles (up to 10 users) (5) Console, report and DNS settings (6) Enable/disable views, as required c. deployment of high availability system and test of failure/recovery scenarios; and d. facilitate install collection mechanism on the specified Log and Data Sources. This activity will be complete when the software components set forth above have been installed and are ready for testing.. Task 2 - Primary Component Testing The purpose of this activity is to test the technology components installed during the Primary Component Installation activity to verify correct functional operation and behavior as specified in the product documentation. a. test management server(s) and collection agent connectivity; and b. perform system health checks to confirm they are functioning as designed. This activity will be complete when IBM has successfully tested the installation of the SIEM Components.. Task 3 - Product Deployment The purpose of this activity is to deploy the SIEM Agent in a production environment. a. review the Project Plan with up to 15 of your participants for up to two hours, by telephone or other electronic means; b. assist you with configuring your audit (log) settings on specified and in scope Event Sources; c. facilitate install and configure console and collector to the specified Event Sources; (1) Configure settings on internal collector (2) Configure internal/external flow sources (3) Verify flows are being received and stored (4) Add Log and Data Sources to internal Event Collector in the Event View (up to 5 from supported DSM list) (5) Verify events are being received and stored (6) Verify flows are being received and stored in Console d. provide your users with appropriate application access and control; DK_INTC-8838-00 11-2011 Page 9 of 17

(1) within the application: (2) implement groups; (3) implement policies; e. configure collection schedules and refine the groups and policies, correlation rules; and (1) Analyze and identify appropriate views/layers where sentry can be applied (2) Add one of each type of sentry to any view (3) Verify sentry works as desired (4) deployed rules and building blocks (5) Create and test custom rule f. verify reports are being generated. This activity will be complete when IBM has successfully deployed console and collectors into your production environment 3.5.2 Your Phase Two Responsibilities In order to provide for successful implementation services of your service, participation in the following will be necessary. Activity 1 - Implementation Services Task 1 - Primary Component Installation a. be responsible for the procurement and provision of all hardware and software before deployment to production environment begins; b. provide change management control for your infrastructure changes; c. ensure that hardware and software prerequisites are implemented and ready for the IBM implementation team prior to the team arriving onsite or performing any activities described in this section. This includes: (1) physical installation and cabling of all hardware devices; (2) installation of operating systems software, current patches, and any required applications; d. be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment; e. be responsible for configuring audit settings in support of certain report features; f. be responsible for validating and approving outputs from each activity as requested by IBM; g. make available the latest copy of your information security policy and provide assistance for clarification and interpretation, if requested by IBM; h. be responsible for hardware and software testing and validation in your test environment before deployment to production equipment begins; i. ensure backups of system and user data are performed before the SIEM Agent is implemented; and j. be responsible for system and data restore in the event of a production system malfunction after the SIEM Agent is deployed. Task 2 - Primary Component Testing a. be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment; b. be responsible for configuring audit settings in support of certain report features; c. be responsible for validating and approving outputs from each activity as requested by IBM; DK_INTC-8838-00 11-2011 Page 10 of 17

d. be responsible for hardware and software testing and validation in your test environment before deployment to production equipment begins; e. ensure backups of system and user data are performed before the SIEM Agent is implemented; and f. be responsible for system and data restore in the event of a production system malfunction after the SIEM Agent is deployed. Task 3 - Product Deployment You agree: a. ensure backups of system and user data are performed before the SIEM Agent is implemented; and b. be responsible for system and data restore in the event of a production system malfunction after the SIEM Agent is deployed. 3.6 Phase Three Transition Services Completion of Phase Two or making available information equivalent to that resulting from Phase Two is a prerequisite to commencing the Transition Services described herein. 3.6.1 IBM Phase Three Responsibilities IBM will perform the following activities in order to enable your Service. Activity 1 - Transition Services During Transition Services (called Phase Three ), IBM will transition the Services, as documented during Phase One in the Service Implementation Plan, in your environment. Any required changes to the Services Implementation Plan Report will be handled by the IBM Delivery Project Leader who will either: 1 ) continue with the implementation of the Services as described in this Services Description and Order, or 2) use the Project Change Control Procedure to modify this Services Description and Order. Task 1 - Staged Transition to Ongoing Services The purpose of this activity is to deliver Ongoing Services as defined herein at a rate determined during Phase One and as documented in the Service Implementation Plan. a. develop and review Governance and Communication model; b. develop and review Change Management Process; c. determine, develop and review reporting requirements for in scope and agree Event Sources; d. deliver Ongoing Services to a portion of the as defined scope as determined and agreed upon in the Service Implementation Plan; e. review transition procedures and processes; f. document agreed change management processes; g. review connectivity needs and access establishment for ongoing services readiness; and h. review the draft Transition Summary Presentation with your Point of Contact by telephone or other electronic means. This activity will be complete when IBM has executed the staged transition to Ongoing Services per the Service Implementation Plan and the IBM Project Leader has reviewed the Governance and Communication Model and the Change Management Process documents. Governance and Communication model document Change Management Process document Task 2 - Transition Completion The purpose of this activity is to document the as-built state of the environment in an Implementation and Transition Summary Presentation and perform a final end-of-phase review with your project sponsor. a. prepare a Transition Summary Presentation that provides a summary project history and exit of Phase Two status; DK_INTC-8838-00 11-2011 Page 11 of 17

b. review the draft Transition Summary Presentation ; with your Point of Contact by telephone or other electronic means; c. perform one revision of the presentation, if required and deliver the final Transition Summary Presentation to your Point of Contact; and d. if requested, conduct a review of the final presentation with your management team, by telephone or other electronic means. This activity will be complete when IBM Project Leader has delivered the Transition Summary Presentation to your Point of Contact. Transition Summary Presentation 3.6.2 Your Phase Three Responsibilities In order to provide for successful transition services of your service, participation in the following will be necessary. Activity 1 - Transition Services Task 1 - Staged Transition to Ongoing Services a. work with IBM to meet the schedule defined in the Service Implementation Plan; b. provide IBM with access and administrative permission to your Console; c. provide IBM with access and appropriate permissions to support trouble ticket creation and modification; d. identify reporting requirements for in scope Event Sources; and e. provide IBM with workflow for ticket routing to appropriate workgroup pertaining to technologies in scope. Task 2 - Implementation and Transition Completion a. schedule a review of the Transition Summary Presentation such that all participants have enough notice to attend; b. invite and confirm attendance of all intended participants; and c. review and comment on the draft Transition Summary Presentation to ensure IBM can finalize such report within five business days after submitting the draft to your Point of Contact. This activity will be complete when IBM Project Leader has completed the review of Transition Summary Presentation to your Point of Contact. Transition Summary Presentation 3.7 Phase Four Ongoing Operational Support During Phase Four - Ongoing Operational Support ( Ongoing Support ), IBM will provide remote operational services for the SIEM Agent. 3.7.1 IBM Phase Four Responsibilities In order to provide for successful ongoing operational support services of your service, participation in the following will be necessary. Activity 1 - Ongoing Operational Support IBM will perform the following activities in order to activate your Service. Task 1 - Change Management DK_INTC-8838-00 11-2011 Page 12 of 17

a. define a change as any authorized request for the addition or modification of the SIEM environment to include collection agent groupings, correlation rule or policy exception alerts, and any other application configuration; Note: Changes must be submitted by your Authorized Security Contacts to the IBM Project Leader via the Change Management Process. b. accept changes from Authorized Security Contacts via the Change Management Process; c. review submitted change requests to verify you have provided all required information in such requests; d. if necessary, notify the submitter that additional information is needed; e. review submitted change requests to verify the change does not exceed service scope; f. if necessary, notify the submitter that the requested change exceeds service scope; g. consider ongoing grouping, configuration and rule improvements and notify customer of IBM recommended policy changes; h. create new groupings, configurations and rules in accordance with the Change Management Process; i. perform updates to existing groupings, configurations and rules; j. create new grouping, configurations and rules in accordance with the Change Management Process; k. creating and optimizing policies based on the justification provided; l. creating new policy for baseline, if there is no policy exists.; and m. fine tuning policies based on the compliance and regulations; n. manage user and group access requests in accordance with the Change Management Process; o. at your request, provide a monthly review of policy exceptions and refine policies and rules; p. implement change requests within the timeframes established by the IBM Project Leader is accordance with the Change Management Process; and q. document details of the policy change request in the client ticketing system; and r. at your request, and for an additional charge (and subject to availability of IBM resource), provide additional service scope and capacity to support the change. This is an on-going activity. Task 2 - Event Monitoring and Notification a. monitor alerts and policy exceptions (security events) that result from automated real-time analysis as generated by the SIEM Agent.). After analysis by an IBM MSS security analyst, security events may be classified as a security incident. Whether or not a security event is considered a security incident is determined solely by IBM. Identified security events will be classified, prioritized, and escalated as IBM deems appropriate. Security events that are not eliminated as benign triggers are classified as a security incident. b. classify security incidents into one of the three priorities described below: (1) security incident Priority 1 when investigations that result in a high priority classification (i.e., Priority 1) require immediate defensive action. (2) security incident Priority 2 when investigations that result in a medium priority classification (i.e., Priority 2) require action within 12-24 hours of notification. (3) security incident Priority 3 when investigations that result in a low priority classification (i.e., Priority 3) require action within 1 7 days of notification. c. perform investigation and analysis of security events; DK_INTC-8838-00 11-2011 Page 13 of 17

d. when possible, eliminate false positives and benign triggers; a. identify security events that are not eliminated as benign triggers and classify such alerts as security incidents: (1) start the SLO timers; and (2) prioritize the security incident as either high, medium or low; b. using the standard notification path that you provide, escalate security incidents to an Authorized Security Contact or Designated Services Contact based on IBM security notification within the time frame and using the medium (for example e-mail or telephone) established in the Governance and Communication Plan documented during the Transition Phase (Phase Three); c. provide remediation/countermeasure recommendations, if applicable; d. document details of security incidents in the client ticket system; and e. assist client security teams to perform root cause and do impact analysis. This is an on-going activity. Task 3 - Managed SIEM Agent Health and Availability Monitoring Monitoring a. monitor the ability for IBM to access the SIEM Agent. Notification a. notify you if the SIEM Agent and Event Source becomes unreachable through standard in-band means: (1) notify you (using a method chosen by IBM) if the SIEM Agent becomes unreachable through standard in-band means. Such notification process will be established in the Governance and Communication Plan documented during the Transition Phase (Phase Three); (2) assist you with troubleshooting steps to be performed by you in order to re-establish connectivity between the SIEM Agent and IBM; and (3) identify and report Event Source logging and connectivity issues. Troubleshooting a. perform research and investigation if the SIEM Agent does not perform as expected or a potential SIEM Agent health issue is identified; and b. upon your notification that the troubleshooting steps did not resolve the SIEM Agent performance problem or potential SIEM Agent health issue, (1) create a trouble ticket in the client trouble ticketing system; (2) begin investigation of problems related to the configuration or functionality of the SIEM Agent; and (3) if the SIEM Agent is identified as the potential source of a network-related problem, examine the SIEM Agent configuration and functionality for potential issues. This is an on-going activity. Task 4 - SIEM Management DK_INTC-8838-00 11-2011 Page 14 of 17

a. be the sole provider of software-level management for the SIEM Agents; f. maintain system status awareness; g. install patches and software updates in order to improve performance, or enable additional functionality. IBM assumes no responsibility for, and makes no warranties concerning, vendorprovided patches, updates or security content; h. declare a maintenance window in advance of SIEM Agent updates that may require platform downtime or your assistance to complete; i. clearly state, within the maintenance window notification, the expected impacts of a scheduled maintenance and your specific requirements; and j. review on a quarterly basis new security correlation rules supplied by the vendor and apply to your SIEM Agent if applicable, in accordance with the documented Change Management Process established in the Transition Phase (Phase Three). This is an on-going activity. Task 5 - Security Reporting a. provide you with access to reporting, which include: (1) number of SLO s invoked and met; (2) number of security incidents detected, priority and status; (3) list and summary of security incidents; (4) trend analysis; (a) (b) provide a weekly/monthly trend analysis report including trends in policy exceptions and user behavior; and alert prioritization options per criticality; (5) provide recommendations on what events should be categorized as special attentions ; (a) perform a weekly & monthly review (via telephone) for up to one hour to analyze report findings, groups, users, false positives, and progress reporting. b. provided weekly Services information and reporting to Your Point of Contact. This is an on-going activity. 3.7.2 Your Phase Four Responsibilities In order to provide for successful ongoing operational services of your service, participation in the following will be necessary. Activity 1 - Ongoing Operational Support Task 1 - Change Management You agree: a. create formal requests for group, configuration and rule changes following the Change Management process; b. to ensure all policy change requests are submitted by an Authorized Security Contact or a Designated Services Contact, in accordance with the documented Change Management Process; c. to be responsible for providing sufficient information for each requested policy change to allow IBM to successfully perform such change; d. to be responsible for notifying IBM if you wish IBM to perform a quarterly policy review; DK_INTC-8838-00 11-2011 Page 15 of 17

e. to be solely responsible for your own security strategy, including security incident response procedures; and f. and acknowledge: (1) all changes will be completed by IBM and not by you; (2) implementation of changes that IBM has deemed as having an adverse impact on the SIEM Agents ability to protect the network environment will result in the suspension of applicable SLOs; and (3) following closure of a calendar month, unused changes are considered void and may not be rolled over to the following month. Task 2 - Event Monitoring and Notification a. provide IBM with current documentation of your environment; g. update IBM of changes within your environment; h. update IBM within three calendar days of a change in your contact information; i. provide e-mail aliases, as necessary, to facilitate notification; j. ensure that network infrastructure devices, systems, servers and applications sending security events and logs to the SIEM Agent meet the most current minimum application system requirements as defined by the vendor; k. ensure an Authorized Security Contact or Designated Services Contact listed in the notification path is available 24 hours /day, 7 days / week; l. view details of security incidents reports; m. work with IBM to optimize the monitoring service; n. provide feedback on security incidents reports; o. and acknowledge that: (1) once IBM has escalated an security incident, you are solely responsible for all security incident responses, and remediation activities; and (2) not all investigations of suspicious activity will result in the declaration of an security incident. a. and acknowledge that, lack of feedback can result in a lower prioritization of persistent or recurring activity. Task 3 - Managed SIEM Agent Health and Availability Monitoring Monitoring a. allow IBM to monitor the administrative interfaces and/or event stream of the managed SIEM Agents. Notification b. provide your notification paths and contact information; c. update IBM within three calendar days when your contact information changes; and d. ensure an Authorized Security Contact or SIEM Agent outage Designated Services Contact is available 24 hours/day, 7 days/week. Troubleshooting You agree: a. to participate in troubleshooting sessions with IBM (as required); b. to contact IBM in the event that the troubleshooting steps do not resolve the SIEM Agent performance problem or SIEM Agent health issue; c. to be responsible for providing all remote configuration and troubleshooting; d. and acknowledge that: DK_INTC-8838-00 11-2011 Page 16 of 17

(1) health monitoring is limited to the SIEM Agent application and does not apply to the underlying hardware upon which the SIEM Agent applications are configured; (2) IBM will not initiate troubleshooting until after notification from you that the troubleshooting steps did not resolve SIEM Agent performance problems or SIEM Agent health issues; and (3) if the managed SIEM Agent is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM. Task 4 - SIEM Management You agree: a. to perform IBM-specified hardware upgrades to support the current SIEM Agent software and firmware; p. to work with IBM to perform SIEM Agent updates (as required); q. to be responsible for all charges associated with hardware upgrades; r. to maintain current licensing, and support and maintenance contracts; s. and acknowledge: (1) SIEM Agent management updates are limited to the software SIEM Agent and do not apply to the underlying hardware upon which the SIEM Agent is configured; (2) all updates are transmitted and applied via the Internet; (3) data traveling across the Internet is encrypted using industry-standard strong encryption algorithms whenever possible; (4) noncompliance with IBM-required software upgrades may result in suspension of Services delivery; and (5) noncompliance with IBM-required hardware upgrades may result in suspension of Services delivery. Task 5 - Security Reporting You agree: a. that Console User will use the Console to review reports or generate reports. 4. Service Level Objectives IBM SLOs establish response time objectives and countermeasures for specific events resulting from the Services. The SLOs become effective when the Ongoing Services commence. 4.1 SLO Availability The SLO defaults described below comprise the measured metrics for the delivery of the Services. Unless explicitly stated below, no warranties of any kind shall apply to Services delivered under this Services Description. There are no remedies provided for failure to meet SLO defaults. b. Change request acknowledgement IBM will acknowledge receipt of your change request within two hours of receipt by IBM. This SLO is only measured for change requests submitted by Authorized Security Contacts in accordance with the established Change Management Process. c. Security incident identification IBM will identify all events it deems to be Priority 1, 2, and 3 level security incidents based on SIEM Agent data monitored by IBM. Note: Whether or not a security event is considered a security incident is determined solely by IBM. d. Security incident notification During the Ongoing Services, IBM will initiate notification for all identified security incidents for Dedicated Service Model within 30 minutes of such identification and for Shared Service Model within 2 hours of such identification. Your Authorized Security Contact or Designated Services Contact will be notified by telephone for Priority 1 security incidents and via email for Priority 2 and 3 security incidents. During a Priority 1 security incident notification, IBM will continue attempting to contact the Authorized Security Contact or Designated Services Contact until such contact is reach or all notification contacts have been exhausted. Operational activities related to security incidents and responses will be documented and time stamped within the customer trouble ticketing system. Such documentation and time-stamp shall be used as the sole authoritative information source for purposes of this SLO. e. Services availability IBM will provide 100% service availability for the Service. DK_INTC-8838-00 11-2011 Page 17 of 17