Z DK-1 01/2013 Page 1 of 38

Transcription

1 IBM Infrastructure Security Services Managed Network Security Services for Firewall Management Intrusion Detection and Prevention Management Unified Threat Management Secure Web Gateway Management Service description Z DK-1 01/2013 Page 1 of 38

2 Table of Contents 1. Managed Network Security Services Definitions Services Managed Network Security Services Foundational Features Management Network Security Services Contacts MSS Portal Security Reporting IBM X-Force Threat Analysis Deployment and activation SELM Services for Networks Deployment and Activation Redeployment and Reactivation Security Event and Log Collection (SELM) Managed Network Security Services Common Features Automated Analysis Threat Analyst Monitoring and Notification Policy Management Virtual Private Network Support Managed Agent Health and Availability Monitoring Agent Management Content Security Managed Network Security Services Optional Features Security Event and Log Delivery Cold Standby Warm Standby Virtual Instance Management High Availability On-site Aggregator Ticket System Integration Optional SELM Services for Networks Out-of-Band Access Service Level Agreements SLA Availability SLA Remedies Simulation Mode SLA Modification Intellectual Property Services Components...37 Z DK-1 01/2013 Page 2 of 38

3 IBM Managed Network Security Services IN ADDITION TO THE TERMS AND CONDITIONS SPECIFIED BELOW, THIS SERVICES DESCRIPTION INCLUDES THE IBM MANAGED SECURITY SERVICES GENERAL PROVISIONS ( GENERAL PROVISIONS ) LOCATED AT AND INCORPORATED HEREIN BY REFERENCE. 1. Managed Network Security Services IBM Infrastructure Security Services Managed Network Security Services (called Managed Network Security, MNSS or Services ) is designed to provide monitoring, alerting and support of network security technologies (called Agents ) across a variety of platforms and technologies. Such Agents must not be used for any other purpose while under management by IBM. The services features described herein are dependent upon the availability and supportability of products and product features being utilized. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This includes both IBM-provided and non-ibm-provided hardware, software, and firmware. The Services are delivered from a network of global IBM Security Operations Centers ( SOCs ). IBM will provide access to the SOCs 24 hours/day, 7 days/week. Firewall Management Services (FW) is designed to provide monitoring and support of network firewalls across a variety of supported platforms and technologies. Intrusion Detection and Prevention System (IDPS) Management is designed to provide monitoring, alerting and support of network intrusion detection and intrusion prevention systems across a variety of supported platforms and technologies. Unified Threat Management (UTM) is designed to provide monitoring, alerting and support of UTM Agent across a variety of supported platforms and technologies. Secure Web Gateway (SWG) is designed to provide alerting and support of SWG s across a variety of supported platforms and technologies. Security Event and Log Management (SELM) Services for Networks is designed to provide a securityenhanced Web-based solution for the collection, consolidation, analysis, correlation, alerting, trending and archiving of security event and log data from supported devices SELM Agents. IBM X-Force Hosted Threat Analysis Service (XFTAS) is a security intelligence service that is designed to deliver customized information about a variety of threats that could affect your network security. Each of the above mentioned services provide features that are categorized as Foundational, Common and Optional features. 2. Definitions Alert Condition ( AlertCon ) a global risk metric developed by IBM, using proprietary methods. The AlertCon is based on a variety of factors, including quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. The four levels of AlertCon are described in the IBM Managed Security Services ( IBM MSS ) portal (called Portal ). Antispam is designed to minimize the volume of spam to user mail boxes. Antivirus is designed to scan many kinds of file transfers (such as Web pages, traffic, and file transfer protocol ( FTP ) exchanges) for worms, viruses, and other forms of malware. Authorized Security Contact -- a decision-maker on all operational issues pertaining to the MNSS feature(s). Designated Services Contact -- a decision-maker on a subset of operational issues pertaining to each IBM MNSS feature, the feature s Agent(s), or a group of Agent(s). Education Materials -- include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other trainingrelated property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents and presentation slides provided by IBM. Z DK-1 01/2013 Page 3 of 38

4 Firewall a network security device that is designed to block unauthorized access and allow authorized communications based on a configuration of allow, deny, encrypt, decrypt, or proxy rules aligned with the Services Recipient s security policy. IBM Managed Security Services ( IBM MSS ) Portal (called MSS Portal ) -- The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface. IDPS Agent (s) or Agent (s) -- is a new or existing Intrusion Detection of Prevention System device subscribing to IBM MSS. These devices while under management by IBM must not be used for any other purpose. intrusion detection and prevention system ( IDPS ) -- a network security device or software application that employs detection and prevention techniques to monitor network activities for malicious or unwanted behavior. Such monitoring may identify and, in some cases, block possible security breaches in real-time. MSS Agent(s) -- is a new or existing device subscribing to IBM MSS services. While under management by IBM, the MSS Agent(s) must not be used for any other purpose. MSS Portal Users are users of the MSS Portal with different levels of login access to the MSS Portal. MSS Portal Users can have restricted, regular, or administrative MSS Portal access to all MSS Agent(s), or just a subset of MSS Agent(s). The MSS Portal views and permissions available to the Portal Users are dictated by the Authorized Security Contact. Onsite Aggregator ( OA ) -- a required device that is deployed at the customer location and managed and monitored by IBM MSS for an additional charge. The OA aggregates, parses and normalizes unknown, text-based system activity log formats, compresses and encrypts security events and log data and transmits the security event and log data to the IBM MSS infrastructure. SELM Agent (s) or Agent (s) -- is a new or existing device subscribing to IBM MNSS services. These devices are subscribing to the Security Event Log and Management service for Networks. While under management by IBM the SELM Agent(s) must not be used for any other purpose. Universal Log Agent ( ULA ) -- IBM s ULA is a light-weight log collection application that runs on eligible SELM Agent(s) and gathers text-based logs locally from the SELM Agent and compresses, encrypts and securely forwards them to the Onsite Aggregator ( OA ). Unified Threat Management System ( UTM ) is a new or existing device subscribing to the IBM MNSS. This device includes but is not limited to the following functionality contained in one device: Firewall, IPS, Web Filtering, Antivirus, Antispam, and VPN connectivity. Virtual Private Network ( VPN ) -- utilizes public telecommunications networks to conduct private data communications, using encryption. Most implementations use the Internet as the public infrastructure, and a variety of specialized protocols to support private communications. Web filtering -- is designed to block objectionable content, mitigate Web-borne threats, and govern Web viewing behavior of personnel behind the UTM Agent(s). 3. Services The following table highlights the measurable Services features. The subsequent sections provide narrative descriptions of each Services feature. Please review the Schedule to identify the SLAs associated with your Foundational Services features and to review which optional features and SLAs were selected by your organization. Foundational Services Feature Summary Services Feature Metric or Qty Service Level Agreements Services availability 100% Services availability SLA IBM MSS Portal availability 99.9% IBM MSS Portal availability SLA Authorized Security Contacts 3 users N/A Log/event archival: Client defined 5 GB of compressed data per year for Z DK-1 01/2013 Page 4 of 38 N/A

5 each year of the contract (up to 7 years) Please see Schedule for selected duration. Supporting Common Services Feature Summary Services Feature Metric or Qty Service Level Agreements Security Incident Identification 100% Security Incident Identification SLA Security incident alert notification: Client defined Available in selectable duration. Please see Schedule for selected duration. Security incident alert SLA OA health alerting 15 minutes System monitoring SLA Policy change request acknowledgement 2 hours Policy change request acknowledgement SLA Policy change request implementation: Client Defined Content updates: Client Defined Agent health alerting: Client Defined Available in selectable duration. Please see Schedule for selected duration. Available in selectable duration. Please see Schedule for selected duration. Available in selectable duration. Please see Schedule for selected duration. Policy change request implementation SLA Content Update SLA System monitoring SLA 4. Managed Network Security Services Foundational Features Foundational features are provided with every Agent that is part of the MNSS and are not optional. There may be different levels of the feature that can be provided, however these features are included with all Managed Network Security Services. 4.1 Management Network Security Services Contacts You may choose from multiple levels of access to the SOC and the MSS Portal to accommodate varying roles within your organization: Authorized Security Contacts, Designated Services Contacts, and MSS Portal Users Authorized Security Contacts a. allow you to create up to three Authorized Security Contacts; b. provide each Authorized Security Contact with: (1) administrative MSS Portal permissions to your MSS Agent(s) as applicable; (2) the authorization to create Designated Services Contacts and MSS Portal Users; (3) the authorization to delegate responsibility to Designated Services Contacts; c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the MSS Features; and d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a preshared challenge pass phrase. You will: Z DK-1 01/2013 Page 5 of 38

6 a. provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for: (1) authenticating with the SOCs using a pre-shared challenge pass phrase; and (2) maintaining notification paths and your contact information, and providing such information to IBM; (3) creating Designated Services Contacts and delegating responsibilities and permissions to such contacts, as appropriate (4) creating Portal users b. ensure at least one Authorized Security Contact is available 24 hours/day, 7 days/week; c. update IBM within three calendar days when you contact information changes; and d. acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM services or MSS Agent(s) subscriptions for which you have contracted Designated Services Contacts a. verify the identity of Designated Services Contacts using a authentication method that utilizes a preshared challenge pass phrase; b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible. You will: a. provide IBM with contact information including roles and responsibilities for each Designated Services Contact. Such Designated Services Contacts will be responsible for authenticating with the SOCs using a pass phrase; and b. acknowledge that a Designated Services Contact may be required to be available 24 hours/day, 7 days/week based on the subset of responsibilities for which it is responsible (e.g., FW Agent(s) outage) MSS Portal Users a. provide multiple levels of access to the MSS Portal, as follows: (1) administrative user capabilities which will include: (a) (b) (c) (d) (e) (f) (g) (h) (i) (j) (k) (l) creating Portal users; creating and editing custom Agent groups; submitting policy change requests to the SOCs for a managed Agent or a group of Agents; submitting Services requests to the SOCs; live chat communicating with SOC analysts regarding specific incidents or tickets, generated as part of the Services; creating internal Services-related tickets and assigning such tickets to Portal users; querying, viewing, and updating Services-related tickets; viewing and editing Agent details; viewing Agent policies; creating and editing vulnerability watch lists; performing live event monitoring; querying security event and log data; (m) scheduling downloads of security event and log data; (n) scheduling and running reports; and Z DK-1 01/2013 Page 6 of 38

7 (o) when SELM Services for Networks is included as part of your Service contract, administrative user capabilities will also include: (i) (ii) (iii) parsing and normalizing unknown, text-based system activity logs from operating systems and applications; enabling/disabling automated intelligence ( AI ) analysis alert policy rules; creating custom user-defined correlation rules; (2) regular user capabilities which will include all of the capabilities of an administrative user, for the Agents to which they have been assigned, with the exception of creating Portal users; (3) restricted user capabilities which will include all of the capabilities of a regular user, for the Agents to which they have been assigned, with the exception of: (a) (b) (c) creating and submitting policy change requests; updating tickets; and editing Agent details; b. provide you with authorization to apply levels of access to an MSS Agent or groups of MSS Agents; c. authenticate MSS Portal Users using static password; d. authenticate MSS Portal Users using a public-key encryption technology you provide (for example, RSA SecureID token) based on your requirements. a. that Portal users will use the Portal to perform daily operational Services activities; b. to be responsible for providing IBM-supported RSA SecureID tokens (as applicable); and c. and acknowledge the SOCs will only interface with Authorized Security Contacts and Designated Services Contacts. 4.2 MSS Portal The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage the security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface. The Portal may also be used to deliver Education Materials. All such Education Materials are licensed not sold and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED AS IS AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS IBM MSS Portal Responsibilities a. provide access to the MSS Portal 24 hours/day, 7 days/week. The MSS Portal will provide: (1) multiple levels of access for MSS Portal users which may be applied to an IBM Managed Security Service, an MSS Agent, or a group of Agent(s); (2) security intelligence awareness and alerting; (3) MSS Agent(s) configuration and policy details where applicable; (4) security incident and/or service ticket information; (5) ticketing and workflow initiation and updates; (6) interaction with SOC analysts; (7) a template-driven reporting dashboard; (8) access to real-time and archived MSS Agent(s) logs and events where applicable; (9) authorization to download log data when applicable; and (10) access to Education Materials in accordance with the terms provided in the MSS Portal; and (11) when SELM Services for Networks is included as part of your Service contract, the MSS Portal will include: Z DK-1 01/2013 Page 7 of 38

8 (a) (b) the ability to parse and normalize unknown, text-based system activity logs; and the ability to create user-defined correlation rules. b. maintain availability of the MSS Portal in accordance with the metrics provided in the section of this Services Description entitled Service Level Agreements, Portal Availability. c. provide a username, password, URL and appropriate permissions to access the MSS Portal; Your MSS Portal Responsibilities You agree to: a. utilize the MSS Portal to perform daily operational Services activities; b. ensure your employees accessing the MSS Portal on your behalf comply with the Terms of Use provided therein including, but not limited to, the terms associated with Educational Materials; c. appropriately safeguard your login credentials to the MSS Portal (including not disclosing such credentials to any unauthorized individuals); d. promptly notify IBM if a compromise of your login credentials is suspected; and e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from: (1) your failure to safeguard your login credentials; and. (2) when SELM Services for Networks is included as part of your Service contract: (a) (b) (c) (d) (e) (f) your incorrect use of regular expressions when parsing and normalizing event and log data; your incorrect use of user-defined correlation rules; to be responsible for parsing and normalizing unknown log formats in the Portal; to be solely responsible for testing and verifying the performance of log parsers and user-defined correlation rules; to enable and disable log parsers and user-defined correlation rules utilizing the Portal; and and acknowledge that: (i) (ii) (iii) 4.3 Security Reporting OA performance and the timely delivery of log data can be negatively affected by incorrectly written or inefficient log parsers; IBM is not responsible for the log parsers or user-defined correlation rules that are configured and saved in the Portal; and configuration assistance for parsing unknown log formats is not included in the Services. Utilizing the Portal, you will have access to Services information and reporting with customizable views of activity at the enterprise, work group and Agent levels. The Portal also provides you with the ability to schedule customized reporting IBM Security Reporting Responsibilities IBM will provide you with access to reporting capabilities within the Portal which includes relative information associated with the MNSS agent included as part of the service. Information may include but is not limited to some or all of the following: a. when IDPS Management, UTM and/or SELM Services for Networks is included as part of your Service contract, the information will include: (1) number of SLAs invoked and met; (2) number, types, and summary of Services requests/tickets; (3) number of security incidents detected, priority and status; (4) list and summary of security incidents; (5) MNSS Agent reports that include attack metrics, prevented attacks, vulnerability impact, event counts/trending; and (6) event correlation and analysis. Z DK-1 01/2013 Page 8 of 38

9 b. when SWG is included as part of your Service contract, the information will include: (1) number of SLAs invoked and met; (2) number, types, and summary of Services requests/tickets; and (3) system logs. c. when UTM is included as part of your Service contract, the information will include: (1) firewall reports that include summary, traffic analysis, protocol usage, targeted IP and rule utilization; and d. when SELM Services for Networks is included as part of your Service contract, the information will include: (1) Payment Card Industry ( PCI ) Audit Readiness Reports that tie system activity events on designated devices to specific PCI requirements e. where applicable, Advanced Analytics and Compliance reporting Your Security Reporting Responsibilities You agree to: a. generate MSS related reports using the MSS Portal; b. be responsible for scheduling reports (as desired); and c. when SELM Services for Networks is included as part of your Service contract, acknowledge that assistance from a PCI qualified security assessor ( QSA ) is not provided as part of the Services, but you may contract separately with IBM to address this need. 4.4 IBM X-Force Threat Analysis Security intelligence is provided by the IBM X-Force Threat Analysis Center. The X-Force Threat Analysis Center publishes an Internet threat-level. The Internet threat-level describes progressive alert postures of current Internet security threat conditions. In the event Internet threat-level conditions are elevated to AlertCon 3, indicating focused attacks that require immediate defensive action, IBM will provide you with real-time access into IBM s global situation briefing. Utilizing the MSS Portal, you can create a vulnerability watch list with customized threat information. In addition, each MSS Portal User can request to receive an Internet assessment each business day. This assessment provides an analysis of the current known Internet threat conditions, real-time Internet port metrics data, and individualized alerts, advisories and security news. NOTE: Your access and use of the security intelligence provided via the Portal (including the daily Internet assessment ) is subject to the Terms of Use provided therein. Where such Terms of Use conflict with the terms of this Agreement, the Portal Terms of Use shall prevail over this Agreement. In addition to the Terms of Use provided in the Portal, your use of any information on any links or non-ibm Web sites and resources are subject to the terms of use posted on such links, non-ibm Web sites, and resources IBM Security Intelligence Responsibilities a. provide access, via the MSS Portal, to the X-Force Hosted Threat Analysis Service; b. display security information on the MSS Portal as it becomes available; c. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the MSS Portal; d. if configured by you, provide an Internet security assessment based on your subscription, each business day; e. publish an Internet threat-level via the MSS Portal; f. declare an Internet emergency if the daily Internet threat-level level reaches threat-level 3; g. provide MSS Portal feature functionality to create and maintain a vulnerability watch list; h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and i. provide access to the threat insight quarterly (Threat IQ) reporting via the MSS Portal. Z DK-1 01/2013 Page 9 of 38

10 4.4.2 Your Security Intelligence Responsibilities You will use the MSS Portal to: a. subscribe to the daily Internet security assessment , at your option; b. create a vulnerability watch list, if desired; and c. access the Threat IQ. d. agree to adhere to the licensing agreement and not forward Services information to individuals who do not have a proper license. 4.5 Deployment and activation During deployment and activation, IBM will work with you to deploy a new Agent or begin management of an existing Agent. Note: Deployment and Activation activities are performed one time during the performance of the services. If you choose to replace, upgrade, or move your Agent during the Services contract, IBM may require that such Agent be redeployed and reactivated (called Redeployment ). Such Redeployments will be provided at an additional charge as specified in an applicable schedule (called the Schedule ). Redeployment charges apply only to hardware replacements, upgrades, or moves that you initiate. Such charges do not apply to Agent failures resulting in Agent Return Material Authorization ( RMA ) activities. For Log and Alert services you may contract separately for IBM to provide physical installation and configuration services IBM Deployment and Activation Responsibilities Activity 1 - Project Kickoff The purpose of this activity is to conduct a project kickoff call. IBM will send you a welcome and conduct a kickoff call, for up to one hour for up to three of your personnel, to: a. introduce your Point of Contact to the assigned IBM deployment specialist; b. review each party s respective responsibilities; c. set schedule expectations; and d. begin to assess your requirements and environment. Completion Criteria: This activity will be complete when IBM has conducted the project kickoff call. Deliverable Materials: None Activity 2 - Network Access Requirements The purpose of this activity is to establish network access requirements. a. provide you with a document called Network Access Requirements, detailing: (1) how IBM will connect remotely to your network; (2) specific technical requirements to enable such remote connectivity; Note: IBM may make changes to the Network Access Requirements document, as it deems appropriate, throughout the performance of the Services. b. connect to your network through the Internet, using IBM standard access methods; and c. if appropriate, utilize a site-to-site virtual private network ( VPN ) to connect to your network. Such VPN may be provided by IBM for an additional charge as specified in the Schedule. Completion Criteria: This activity will be complete when IBM has provided your Point of Contact with the Network Access Requirements document. Deliverable Materials: Network Access Requirements document Z DK-1 01/2013 Page 10 of 38

11 Activity 3 - Assessment The purpose of this activity is to perform an assessment of your current environment, business and technology goals. In addition, this assessment will be used to help develop the required security strategy for all applicable Managed Network Security Services. Task 1 - Gather Data a. provide your Point of Contact with a data gathering form on which you will be asked to document: (1) team member names, contact information, roles and responsibilities; (2) unique country and site requirements; (3) your existing network infrastructure; (4) critical servers; (5) number and type of end users; and (6) key business drivers and/or dependencies that could influence Services delivery or timelines. Task 2 - Assess Environment a. use the information provided in the data gathering form to assess your existing environment; b. determine an optimal Agent configuration; and c. if applicable, provide: (1) recommendations to adjust the policy of an Agent; or (2) layout of the network to enhance security as part of MNSS, except where the SELM Services for Networks component is involved. d. when SELM Services for Networks is included as part of your Service contract, determine if Agent data collection will be implemented using the Universal Log Agent ( ULA ) or via SYSLOG. Task 3 - Assess Existing Agent This task will be performed as part of MNSS, except where the SELM Services for Networks component is involved. a. remotely assess the Agent to verify it meets IBM specifications; b. identify application and user accounts to be removed or added, as applicable; c. for Agents not meeting IBM s specifications: (1) identify Agent software requiring upgrading, and/or (2) identify Agent hardware requiring upgrading to meet applicable vendor compatibility lists. Completion Criteria: This activity will be complete when IBM has assessed your environment and existing Agent (as applicable). Deliverable Materials: None Activity 4 - Out-of-Band Access Out-of-band (called OOB ) access is a required feature that assists the SOCs if connectivity to an Agent is lost. If such connectivity problems occur, the SOC analysts can dial into the OOB device to verify the Agent is functioning properly and attempt to identify the source of the outage before escalating to you. a. provide live support, via phone and , to assist you in locating applicable vendor documents which detail physical installation procedures and cabling; b. configure the OOB device to access the managed Agents; or c. work in good faith with you to utilize an IBM-approved existing OOB solution. Z DK-1 01/2013 Page 11 of 38

12 NOTE: For purpose of clarification, if your internal security policy prohibits the use of an OOB device, IBM may waive this requirement. Such waiver may noticeably impact IBM s ability to effectively provide the Services. Completion Criteria: This activity will be complete when one of the following first occurs: IBM has configured the OOB device to access the managed Agent; or you have requested, and IBM has agreed, to waive the requirement for OOB access. Deliverable Materials: None Activity 5 - Implementation The purpose of this activity is to implement the Agent(s) for MNSS, except where the SELM Services for Networks component is involved. Task 1 - Configure the Agent a. remotely assess the Agent to verify it meets IBM specifications; b. identify Agent software, hardware, and/or content that does not meet current IBM-supported levels; c. as appropriate, identify required hardware upgrades to support applicable vendor hardware compatibility lists; d. remotely configure the Agent, including setting the policy, hardening the operating system, and registering the Agent with the IBM MSS infrastructure; e. provide live phone support and location of vendor documents to assist you in configuring the Agent with a public IP address and associated settings. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist; f. tune the Agent policy to reduce the number of erroneous alarms (if applicable); and g. at your request, exercise the configuration and policy on the existing Agent. Task 2 - Install the Agent a. provide live support, via phone and/or , to assist you in locating applicable vendor documents that detail physical installation procedures and cabling. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist; b. provide recommendations to adjust the layout of the network to enhance security (as applicable); c. remotely configure the Agent, including registering the Agent with the IBM MSS infrastructure; and d. tune the Agent policy to reduce the number of erroneous alarms (if applicable). Note: You may contract separately for IBM to provide physical installation services. Completion Criteria: This activity will be complete when the Agent is registered with the IBM MSS infrastructure. Deliverable Materials: None Activity 6 - Testing and Verification The purpose of this activity is to perform testing and verification of the Services. a. verify connectivity of the Agent or OA to the IBM MSS infrastructure; b. perform Services acceptance testing; c. verify delivery of log data from the Agent to the IBM MSS infrastructure; d. verify availability and functionality of the Agent in the Portal; e. perform quality assurance testing of the Agent; and Z DK-1 01/2013 Page 12 of 38

13 f. remotely demonstrate the primary features of the Portal for up to ten of your personnel, for up to one hour. Completion Criteria: This activity will be complete when IBM has verified availability and functionality of the Agent in the Portal. Deliverable Materials: None Activity 7 - Services Activation The purpose of this activity is to activate the Services. a. assume management and support of the Agent; b. set the Agent to active as part of MNSS, except where the SELM Services for Networks component is involved; and c. transition the Agent to the SOCs for ongoing management and support. Completion Criteria: This activity will be complete when the Agent is set to active. For Log & Alert services this activity will be complete when the SOC has assumed support of the Services. Deliverable Materials: None Your Deployment and Activation Responsibilities Activity 1 - Project Kickoff You agree to: a. attend the project kickoff call; and b. review each party s respective responsibilities. Activity 2 - Network Access Requirements You agree to: a. review and comply with the IBM Network Access Requirements document during deployment and throughout the term of the contract; and b. be solely responsible for any charges incurred as a result of IBM utilizing a site-to-site VPN to connect to your network. Activity 3 - Assessment Task 1 - Gather Data You agree to: a. complete and return any questionnaires and/or data gathering forms to IBM within five days of your receipt; b. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services deployment, within two business days of IBM s request; c. work in good faith with IBM to accurately assess your network environment; d. provide contacts within your organization, and specify a notification path through your organization, in the event IBM must contact you; and e. update IBM within three calendar days when your contact information changes. Task 2 - Assess Environment This task will need to be performed by you for MNSS, except where the SELM Services for Networks component is involved. a. to maintain current licensing, and support and maintenance for the Agents; Z DK-1 01/2013 Page 13 of 38

14 b. to perform all IBM-requested changes to your network layout to enhance security; c. and acknowledge that protection provided by Agents deployed in passive mode will be substantially decreased; and d. and acknowledge that transition to an inline deployment at a later date will require advance notice. Task 3 - Assess Existing Agent This task will need to be performed by you for MNSS, except where the SELM Services for Networks component is involved. a. to ensure the existing Agent meets IBM s specifications; b. to remove or add IBM-specified applications and user accounts; c. if requested by IBM: (1) to upgrade IBM-specified Agent software; and (2) to upgrade IBM-specified Agent hardware. Activity 4 - Out-of-Band Access a. for new OOB solutions: (1) to purchase an IBM-supported OOB device; (2) to physically install and connect the OOB device to the Agent; (3) to provide a dedicated analog telephone line for access; (4) to physically connect the OOB device to the dedicated telephone line and maintain the connection; (5) to be responsible for all charges associated with the OOB device and telephone line; and (6) to be responsible for all charges associated with the ongoing management of the OOB solution; b. for existing OOB solutions: (1) to ensure the solution does not allow IBM to access non-managed devices; (2) to ensure the solution does not require installation of specialized software; (3) to provide IBM with detailed instructions for accessing managed Agents; and (4) to be responsible for all aspects of managing the OOB solution; c. and acknowledge that existing OOB solutions must be approved by IBM; d. to maintain current support and maintenance contracts for the OOB (as required); and e. and acknowledge that if you choose to deploy the Services without the required OOB access, or if OOB access is not available to IBM for any reason, then: (1) IBM is relieved of all SLAs which are directly influenced by the availability of such access; (2) IBM may require additional time to troubleshoot and/or maintain your devices; and (3) you will be required to provide on-site assistance with configuration, problem solving, device updates, troubleshooting and/or any other situation that would typically be performed using OOB access. Activity 5 - Implementation This activity will need to be performed by you for MNSS, except where the SELM Services for Networks component is involved. Task 1 - Configure the Agent You agree to: a. update Agent software or content to the most current IBM-supported version (i.e., physically load media as applicable); b. update hardware to support applicable vendor hardware compatibility lists (if applicable); Z DK-1 01/2013 Page 14 of 38

15 c. adjust the Agent policy as requested by IBM; d. configure the Agent with a public IP address and associated settings; and e. assist IBM in exercising the existing Agent configuration and policy (if applicable). Task 2 - Install the Agent a. to work with IBM in locating vendor documents that detail physical installation procedures and cabling. You will schedule such support in advance to ensure availability of an IBM deployment specialist; b. to be responsible for the physical cabling and installation of the Agent(s); c. to perform any IBM-specified adjustments to the layout of the network to enhance security; and d. and acknowledge that IBM recommends Agents be deployed inline and inside your firewall. Activity 6 - Testing and Verification a. to be responsible for development of all of your specific acceptance testing plans; b. to be responsible for performing acceptance testing of your applications and network connectivity; and c. and acknowledge that additional acceptance testing performed by you, or lack thereof, does not preclude IBM from setting the Agent to active in the SOCs for ongoing support and management. Activity 7 - Services Activation No additional responsibilities are required by you for this activity. 4.6 SELM Services for Networks Deployment and Activation During SELM Services for Networks Deployment and Activation, IBM will work with you to deploy a new Agent or begin management of an existing Agent. Activity 1 - On-Site Aggregator Implementation: The purpose of this activity is to configure the on-site aggregator ( OA ). The OA is a required device that you provide. Such device is deployed at your location and managed and monitored by IBM MSS for an additional charge, as specified in the Schedule. The basic functions of the OA are to: a. compile or otherwise combine the security events and log data; b. parse and normalize unknown, text-based system activity log formats for submission to the IBM MSS infrastructure; c. compress and encrypt the security events and log data; and d. transmit the security events and log data to the IBM MSS infrastructure. Core features of the OA are to: a. perform local spooling by queuing the events locally when a connection to the IBM MSS infrastructure is not available; b. perform unidirectional log transmission. OA communication is performed via outbound SSL/TCP- 443 connections; c. perform message throttling, if configured. This limits the bandwidth from the OA to the IBM MSS infrastructure (in messages per second) to preserve bandwidth; d. provide transmit windows, if configured. The transmit windows enable/disable event transmission to the IBM MSS infrastructure during the timeframe specified by you in the Portal; and IBM strongly encourages Out-of-Band ( OOB ) access to the OA, as described in the section of this Services Description entitled Out-of-Band Access. Task 1 - Configure the OA Z DK-1 01/2013 Page 15 of 38

16 a. provide live support, via phone and , and will assist you with the location of applicable vendor documents detailing the installation and configuration procedures for the OA operating system and IBM provided OA software. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist; b. provide you with hardware specifications for the OA platform; c. provide you with OA software and configuration settings; d. provide you with telephone and support to assist with the installation of the IBM-provided OA software on the hardware platform you provide. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist; e. at your request, and for an additional charge specified in the Schedule, provide software installation services; f. for existing platforms: (1) assess existing hardware configurations to ensure they meet IBM s specification; and (2) identify required hardware upgrades to be provided and installed by you. Task 2 - Install the OA a. provide live support, via phone and , and will assist you with location of applicable vendor documents detailing physical installation procedures and cabling of the OA. Such support must be scheduled in advance to ensure availability of an IBM deployment specialist; b. remotely configure the OA to include registration of the OA with the IBM MSS infrastructure and begin the deployment and management takeover process of the OA; and c. confirm the IBM MSS infrastructure is receiving communication from the OA. Completion Criteria: This activity will be complete when the OA is installed and configured and IBM has confirmed the IBM MSS infrastructure is receiving communications from the OA. Deliverable Materials: None Activity 2 - Universal Log Agent Implementation The ULA is a light-weight log collection application that runs on an Agent subscribing to the Services. The ULA gathers text-based logs locally from the Agent and securely forwards them to the OA. The OA then securely forwards the logs to the IBM MSS infrastructure for collection, long term storage, and display in the Portal. The basic functions of the ULA are to: a. collect events/logs locally from the Agent; b. compress the events/log data; c. encrypt the events/log data; and d. securely transmit the events/logs to the OA. Core features of the ULA are to: a. perform generic text file data collection; b. perform event log collection; c. perform system information collection, which may include: (1) operating system ( OS ) version; (2) memory; (3) CPU; (4) local user accounts; (5) network interface details; (6) running processes; and Z DK-1 01/2013 Page 16 of 38

17 (7) open network sockets; d. perform unidirectional log transmission. ULA communication is performed via outbound SSL/TCP- 443 connections; e. perform message throttling, if configured. This limits the bandwidth from the ULA to the OA, in messages per second, to preserve bandwidth; and f. provide transmit windows, if configured. The transmit windows enable/disable event transmission to the IBM MSS infrastructure during the timeframe specified by you in the Portal. Task 1 - Prepare Your Agent IBM will provide you with a list of Agents that require ULA installation. Task 2 - Install the ULA a. provide the ULA for download via the Portal; and b. provide you with access to the SELM Services for Networks ULA Installation Guide via the Portal. Task 3 - Configure the ULA IBM will provide you with instructions on how to login to the Portal and configure the Agent. Completion Criteria: This activity will be complete when IBM has provided you with a list of Agents requiring ULA installation. Deliverable Materials: None Activity 3 - Non-ULA Log Collection Implementation The purpose of this activity is to facilitate log collection via SYSLOG streams when it is not technically feasible or appropriate to install the ULA on an Agent. a. provide you with a list of Agents that require SYSLOG collection; b. provide the IP address of the OA to which the SYSLOG stream must be forwarded. Completion Criteria: This activity will be complete when IBM has provided your Point of Contact with the IP address of the OA to which the SYSLOG stream must be forwarded. Deliverable Materials: None Activity 4 - SELM Services for Networks Activation The purpose of this activity is to activate the SELM Services for Networks. a. assume support of the Agent; and b. transition the Agent to the SOCs for ongoing support. Completion Criteria: This activity will be complete when the Agent is set to active. For Log & Alert services this activity will be complete when the SOC has assumed support of the Services. Deliverable Materials: None Your SELM Services for Networks Deployment and Activation Responsibilities Activity 1 - On-site Aggregator Implementation Task 1 - Configure the OA Z DK-1 01/2013 Page 17 of 38

18 a. to provide IBM with an external IP address for the OA; b. to provide the hardware for the OA platform, based on IBM s recommendations and requirements; c. to maintain current licensing, and support and maintenance contracts for the hardware the OA is installed upon; d. to install the IBM-provided OA software on your provided hardware, under the guidance of IBM; e. to configure an external IP address and associated settings on the OA; f. to provide IBM with the OA IP address, hostname, machine platform, application version, and Agent time zone; and g. for existing platforms, to procure and install IBM-requested hardware upgrades. Task 2 - Install the OA a. to be responsible for physical installation and cabling of the OA; and b. to schedule live support with an IBM deployment specialist. Activity 2 - Universal Log Agent Implementation Task 1 - Prepare Your Agent a. to enable your organizations desired system, security and application-level auditing of the operating systems, or applications that will be monitored; and b. to verify connectivity between the Agent and the OA. Task 2 - Install the ULA a. to download the ULA software from the Portal; b. to install the ULA on Agent(s) subscribing to the Services; and c. and acknowledge, to be solely responsible for all ULA installation tasks. Task 3 - Configure the ULA a. to login to the Portal and confirm the Agent is available and is receiving logs within three business days of ULA installation and configuration; b. to configure the ULA with appropriate configuration settings (including: service level, site, platform, operating system and time zone; c. to update the ULA configuration settings (including service level, site, platform, operating system and time zone), within three days of any future device modification; d. to modify the ULA policy (if desired); and e. and acknowledge, to be solely responsible for all ULA configuration tasks. Activity 3 - Non-ULA Log Collection Implementation a. to configure the Agent to point SYSLOG streams to the OA under the guidance of IBM; b. to login to the Portal and confirm the Agent is available and is receiving logs within three business days; and c. and acknowledge, to be solely responsible for all SYSLOG installation tasks. Activity 4 - SELM Services for Networks Testing and Verification a. to be responsible for development of all of your specific acceptance testing plans; b. to be responsible for performing acceptance testing of your applications and network connectivity; c. to verify that the logs of each Agent are available in the Portal. Z DK-1 01/2013 Page 18 of 38

19 d. to update the ULA configuration settings (including service level, site, platform, operating system and time zone), within three days of any future device modification; and e. and acknowledge that additional acceptance testing performed by you, or lack thereof, does not preclude IBM from setting the Agent to active in the SOCs for ongoing support and management. Activity 5 - SELM Services for Networks Out-of-Band Access You agree to be responsible for performing all remote configuration activities for OOB and all OOB troubleshooting, if you elect not to implement an OOB solution or if the OOB solution is unavailable for any reason. 4.7 Redeployment and Reactivation During Redeployment and Reactivation, IBM will work with you to replace, upgrade, or move an MSS Agent. Note: Redeployment and Reactivation activities are performed on a one time basis. If you choose to replace, upgrade, or move its MSS Agent during the Services contract, IBM may require that such MSS Agent be redeployed. Such Redeployment and Reactivation will be provided at an additional charge via a Project Change Request. Redeployment and Reactivation charges apply only to hardware replacements, upgrades, or moves initiated by you. Such charges do not apply to MSS Agent failures resulting in Agent Return Material Authorization ( RMA ) activities. IBM will provide Redeployment and Reactivation activities as per the Deployment and Activation sections of this document. You will assume and acknowledge Redeployment and Reactivation activities as per the Deployment and Activation sections of this document. Note: For Log and Alert services you may contract separately for IBM to provide physical installation and configuration services. 4.8 Security Event and Log Collection (SELM) IBM utilizes the X-Force Protection System for collecting, organizing, archiving and retrieving security event and log data. The Portal provides you with a 24 hours/day, 7 days/week view into the Services, including online access to raw logs collected and stored within the X-Force Protection System infrastructure. Security event and log data will be viewable online in the Portal for the retention period specified in the Schedule. At the end of the one year period, the data will be transitioned to offline storage (if applicable). The SELM Services for Networks provides up to five (5) GB of compressed storage space for each year of the retention period contracted. On day one of the contract, IBM will make available the total storage space based on the contracted term (5 GB x n where n equals contract term). Additional storage space may be purchased for an additional charge, as specified in separate transaction IBM Event and Log Collection and Archival Responsibilities a. collect log and event data generated by the MSS Agent(s) as such data reaches the IBM MSS infrastructure; b. when SELM Services for Networks is included as part of your Service contract, utilize enabled parsers to normalize inbound log traffic for display and archival; c. throttle (i.e., slow) log and event data streams generated by the MSS Agent(s); d. uniquely identify collected log and event data; e. archive collected data in the IBM proprietary infrastructure; f. when SELM Services for Networks is included as part of your Service contract, provide storage for up to five GB of compressed log and event data for each year of the contract term; g. provide one year of log and event data storage unless otherwise specified by you and contained within the Schedule. Options for up to 7 years of log retention are available and specified as part of the Schedule. h. display collected log and event data in the MSS Portal for one year; i. where supported, normalize the log and event data for enhanced presentation in the MSS Portal; Z DK-1 01/2013 Page 19 of 38