Table of Contents
1.1 Service
    Services Activity
    Subscription and Managed Service Management
    Services Activity
    Annual Subscription and Managed Service Management

I EN Page 1 of 17

Service Description
Managed Security Services
X-Force Red Offensive Security Testing Services

The services described herein are governed by the terms and conditions of the agreement specified in the Order Document for IBM Security Services ("Order Document"). If there is a conflict between the terms in the documents, the terms of the Order Document prevail over those of this document, and the terms of this document prevail over those of the agreement specified in the Order Document ("the Agreement"). Capitalized terms not otherwise defined in this document are defined in the Agreement or any other referenced document, and have the same meaning in this document as ascribed to them therein.

This document describes the Services and incorporates by reference the following contract document(s). The terms and conditions contained in the incorporated document(s) are in addition to the terms and conditions contained herein.

Contract Document(s)                                    Document #
Managed Security Services General Provisions            I

The document(s) identified above are located at the IBM security services contract documents portal. From this portal, Client selects the applicable country to access the above documents. If any documents are not accessible, please request a copy from Client's IBM sales contact.

1.1 Service
X-Force Red Offensive Security Testing Services provide both tool-based and manual security testing across four domains: applications, networks, hardware/embedded devices and people. X-Force Red includes a suite of service levels, which the Client may utilize for the charges specified in the Order Document. The following describes the available X-Force Red Offensive Security Testing Services.

Application security testing involves manual penetration testing, code review and vulnerability assessments of web, mobile, terminal, client-server, mainframe and middleware platforms. Application Security Testing Services include several levels of testing: tool-based unvalidated raw scanning, validated vulnerability assessments, manual penetration testing, tool-based unvalidated raw source code scanning and manual source code review, on internal and external web, mobile, terminal, client-server, mainframe and middleware platforms. This level of Service involves Application Vulnerability Scanning, Application Vulnerability Assessment, Application Penetration Testing and Manual Source Code Review of Application, as described in the service activities below.

Network security testing involves manual penetration tests and vulnerability assessments of internal, external, Wi-Fi and other radio-frequency networks, and of supervisory control and data acquisition (SCADA) systems. Network Security Testing Services assess the security of devices from a network perspective, focusing on exposed services, configuration and infrastructure. This level of Service involves Network Vulnerability Scanning, Network Vulnerability Assessment and Network Penetration Testing Services, as described in the service activities below.

Hardware security testing involves security tests that span the digital and physical realms, including Internet of Things devices, wearable devices, point-of-sale systems, ATMs, automotive systems, video equipment, self-checkout kiosks and other devices. This level of Service involves Hardware/Device Penetration Testing, as described in the service activities below.

Human security testing involves simulated phishing campaigns, social engineering, ransomware and physical security violations to determine the risks arising from human behavior. This level of Service involves Standard Physical Security Testing/Social Engineering (onsite), Advanced Physical Security Testing (onsite), Standard Social Engineering Test (remote), Advanced Social Engineering Test (remote), Standard Phishing Security Testing, Advanced Phishing Security Testing and Targeted/Spear-Phishing Campaign, as described in the service activities below.

MSS X-Force Red Offensive Security Testing Services are available under a subscription model, which allows Clients to commit to a set budget for X-Force Red Offensive Security Testing Services charges over a specific contract period, with an established monthly charge for Services. Under this model, IBM offers security testing and program management for X-Force Red Offensive Security Testing Services, where the level of support can be planned as part of the Client's established budget. During the contract term, Clients may request as many tests, using any number of the supported testing methods, as they would like IBM to execute; however, the charge for each type of test specified in the Order Document will be deducted from the Client's total X-Force Red Offensive Security Testing Services charges.

In addition, Clients have the option to contract for Program Management, for Clients who wish to have their security testing program run by an IBM senior technical resource. This IBM resource will create and run a security testing program on the Client's behalf as part of the Service. If Program Management is included in the Client's order, charges for such services are based on the quantity of hours included in the Client's contract and will be specified in the Order Document separately as a monthly recurring charge. IBM will conduct reviews with the Client every three (3) months, informing the Client of current usage consumption and of when the Client's total funding commitment is near exhaustion. If the Client's annual testing services charges or consumption of Program Management support hours exceed the total monthly recurring charges established within the same calendar year, the Client will be invoiced annually for the difference, which IBM will determine based on the Client's testing usage at the charge rate for each type of test and the usage charge for Program Management as specified in the Order Document. At the end of the contract term, any remaining budget or hours on the contract will expire and do not carry forward.

Services Activity - X-Force Red Portal
The X-Force Red Portal (called "Red Portal") provides access to an environment (and associated tools) designed to centralize the management, collaboration and reporting of security testing services delivered by IBM X-Force Red (called "XFR") in a common, web-based interface.

IBM will:
a. provide Client with a username, password, URL and appropriate permissions to access the Red Portal. The Red Portal provides Client with: (1) interaction with the XFR security team; (2) the ability to submit security test requests; and (3) access to security test findings and reports; and
b. provide Client with access to the Red Portal and Client's data for up to one (1) year after the termination of the contract.

Client agrees to:
a. utilize the Red Portal to perform daily operational Services activities;
b. perform no security testing against the Red Portal without IBM's explicit permission;
c. ensure Client's employees accessing the Red Portal on Client's behalf comply with the terms of use provided therein;
d. appropriately safeguard Client's login credentials to the Red Portal (including not disclosing such credentials to any unauthorized individuals);
e. promptly notify IBM if a compromise of Client's login credentials is suspected;
f. indemnify and hold IBM harmless for any losses incurred by Client or other parties resulting from Client's failure to safeguard Client's login credentials; and
g. comply with all terms of use as documented in the Red Portal, including after the termination of this contract for up to one (1) year or for as long as Client accesses the Red Portal to retrieve Client's data.

Services Activity - Application Vulnerability Scanning
Application Vulnerability Scanning Services include tool-based unvalidated, raw application scanning on internal and external web, mobile, terminal, client-server, mainframe and middleware platforms, either dynamic or static, as selected in the Order Document.

IBM will:
a. if selected or specified in the Order Document, perform dynamic, unvalidated, raw automated vulnerability scanning of Client-identified target application(s) to identify common vulnerabilities (web server configuration flaws, insecure network communication, SQL injection, cross-site scripting, etc.);
b. if selected or specified in the Order Document, perform static, unvalidated, raw automated vulnerability scanning of Client-provided source code to identify common vulnerabilities (injection flaws, insecure memory management, cross-site scripting, improper exception handling, etc.);
c. produce a report (called "Vulnerability Scan Report") that reflects the identified vulnerabilities; and
d. have completed Application Vulnerability Scanning when IBM has delivered the Vulnerability Scan Report to Client's Point of Contact.

Client agrees to:
a. if applicable, provide IBM with network access to any network services required for normal application use during dynamic unvalidated raw automated vulnerability scanning;
b. if applicable, provide IBM with valid user credentials prior to the initiation of dynamic unvalidated raw automated vulnerability scanning, if authenticated testing is desired;
c. if applicable, provide IBM with source code that IBM can compile, including all external dependencies (libraries, frameworks, etc.), prior to the initiation of static unvalidated raw automated vulnerability scanning; and
d. if applicable, install a testing device on Client's network.

Services Activity - Application Vulnerability Assessment
Application Vulnerability Assessment includes tool-based, dynamic, validated vulnerability assessments on internal and external web, mobile, terminal, client-server, mainframe and middleware platforms.

IBM will:
a. perform automated scanning of the targeted application and manually review the scanner output for false positives that can be identified through remote interaction with the application, to identify common vulnerabilities (web server configuration flaws, insecure network communication, SQL injection, cross-site scripting, etc.);
b. produce a report (called "Vulnerability Assessment Report") that reflects the identified common vulnerabilities; and
c. have completed Application Vulnerability Assessment when IBM has delivered the Vulnerability Assessment Report to Client's Point of Contact.

Client agrees to:
a. provide network access to any network services required for normal application use;
b. provide working user credentials if authenticated testing is desired; and
c. if applicable, install a testing device on Client's network.

Services Activity - Application Penetration Testing
The purpose of this service is to use a human tester to manually discover and exploit vulnerabilities in the target application in order to simulate a real-world attack. This service is available in three predefined levels: Entry/Compliance, Standard and Advanced.

IBM will:
a. facilitate a project initiation call of up to one (1) hour to review Client's environment and organization, including application platform, architecture, frameworks, supporting infrastructure, known security problems or concerns associated with the application, preliminary testing schedule and emergency contact plan;
b. if Entry/Compliance Application Penetration Test is selected, provide an IBM resource to perform testing and exploitation of the application, for which the priority focus areas will include: (1) misconfigured web servers; (2) proper network encryption (SSL/TLS); (3) single-step logic flaws; (4) basic injection vulnerabilities (basic SQL injection, cross-site scripting, etc.); (5) simple session management flaws; and (6) authentication/authorization functionality;
c. if Standard Application Penetration Test is selected, provide an IBM resource to perform testing and exploitation of the application, for which the priority focus areas will include: (1) all vulnerabilities from Entry/Compliance Application Penetration Tests; (2) logic flaws in multi-step workflows; (3) insecure file uploads; (4) advanced versions of injection flaws (blind/timing-based SQL injection, OS command injection, XPath injection, etc.); and (5) basic data encryption flaws (reused keys, encryption/decryption oracles, etc.);
d. if Advanced Application Penetration Test is selected, provide an IBM resource to perform testing and exploitation of the application, for which the priority focus areas will include: (1) all vulnerabilities from Standard Application Penetration Tests; (2) serialization/marshaling flaws; and (3) advanced encryption attacks (padding oracle attacks, improper block modes, etc.);
Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
e. produce a report (called "Application Penetration Test Report") that reflects the identified vulnerabilities;
f. conduct a report briefing call of up to one (1) hour to explain the findings and associated risks; and
g. have completed Application Penetration Testing when the Application Penetration Test Report has been delivered to Client's Point of Contact and a report briefing has been provided or declined.

Client agrees to:
a. work with IBM to schedule the project initiation conference call such that all participants have enough notice to attend;
b. provide the required information prior to the project initiation call, including: (1) a definition of the targeted application; (2) a list of supporting infrastructure components that should be considered in-scope; (3) a list of any resources (servers, web pages, etc.) that should not be tested; (4) sufficient user credentials to access all aspects of the application and verify proper authorization enforcement; and (5) any specialized software required to use the application;
c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at Client's premises;

d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at Client's facility;
e. provide a technical support point-of-contact (POC) for use during the engagement;
f. ensure that the in-scope systems and infrastructure remain in a static state throughout the testing period;
Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results.
g. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted, and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow the testers proper access to the target systems; and
h. acknowledge that Client has two (2) weeks after receiving the Application Penetration Test Report to request a report briefing or to decline one; otherwise IBM will consider the Application Penetration Test Report accepted by Client as-is.

Services Activity - Manual Source Code Review of Application
The purpose of this service is to use a human tester to manually review Client-provided source code and identify vulnerabilities and poor programming practices that can impact the security of an application.

IBM will:
a. facilitate a project initiation call of up to one (1) hour to review Client's source code structure, supporting libraries and frameworks, build requirements, known security problems or concerns associated with the application, preliminary testing schedule and emergency contact plan;
b. provide an IBM resource to review source code provided by Client, for which the priority focus areas will include: (1) improper input sanitization (SQL injection, cross-site scripting, etc.); (2) authentication or authorization bypass; (3) insecure serialization/marshaling practices; (4) encryption flaws (weak algorithms, reused keys, oracles, etc.); and (5) insecure data storage;
Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
c. document findings in a report (called "Source Code Review Report");
d. deliver the final Source Code Review Report;
e. if applicable, conduct a report briefing call of up to one (1) hour to explain the findings and associated risks; and
f. have completed Manual Source Code Review of Application when IBM has delivered the Source Code Review Report to Client's Point of Contact and a report briefing has been provided or declined.

Client agrees to:
a. work with IBM to schedule the project initiation conference call such that all participants have enough notice to attend;
b. provide the required information prior to the project initiation call, including: (1) a description of the targeted application; (2) a list of supporting libraries that should be considered in-scope; and (3) a list of any source code that should not be reviewed;

c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at Client's premises;
d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at Client's facility;
e. provide a technical support point-of-contact (POC) for use during the engagement;
f. provide access to the source code and relevant supporting libraries, and directions on how to create a build environment and compile the source code; and
g. acknowledge that Client has two (2) weeks after receiving the Source Code Review Report to request a report briefing or to decline one; otherwise IBM will consider the Source Code Review Report accepted by Client as-is.

Services Activity - Network Vulnerability Scanning
The purpose of this service is to conduct tool-based unvalidated, raw network scanning on internal and external networks with X-Force Red's automated suite of tools to identify potential security vulnerabilities.

IBM will:
a. for up to the total number of internal or external IP addresses specified in the Order Document, scan the targeted addresses for known issues and vulnerabilities that could lead to remote exploitation;
b. produce a report (called "Vulnerability Scanning Report") that reflects the identified vulnerabilities; and
c. have completed Network Vulnerability Scanning when IBM has delivered the Vulnerability Scanning Report to Client's Point of Contact.

Client agrees to:
a. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at Client's facility;
b. provide the details required for testing in a timely manner, including IP addresses, domain names, network diagrams and other relevant data;
c. provide a technical support point-of-contact (POC) for use during the engagement;
d. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period;
Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges.
e. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted, and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow the testers proper access to the target systems.

Services Activity - Network Vulnerability Assessment
If ordered by Client, IBM will provide services to identify active hosts and services, for up to the total number of in-scope active IP addresses specified in the Order Document, and to discover known vulnerabilities on these systems using automated scanning tools.

IBM will:
a. scan up to the total number of IP addresses specified in the Order Document, focusing on the targeted addresses for known issues and vulnerabilities that could lead to remote exploitation;

b. manually review the scanner output for false positives that can be identified through remote server interaction;
c. produce a report (called "Vulnerability Assessment Report") that reflects the identified vulnerabilities; and
d. have completed Network Vulnerability Assessment when IBM has delivered the Vulnerability Assessment Report to Client's Point of Contact.

Client agrees to:
a. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at Client's facility;
b. provide the details required for testing in a timely manner, including IP addresses, domain names, network diagrams and other relevant data;
c. provide a technical support point-of-contact (POC) for use during the engagement;
d. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period;
Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges.
e. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted, and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow the testers proper access to the target systems.

Services Activity - Network Penetration Testing Services
The purpose of this activity is to attempt to exploit identified vulnerabilities and to demonstrate their impact in terms of successful attack scenarios against the devices associated with up to the total number of in-scope active IP addresses for Penetration Test specified in the Order Document.

IBM will:
a. exploit key identified vulnerabilities: (1) on perimeter (remotely accessed) systems; and (2) on internal (locally accessed) systems;
Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
b. target specific systems and attempt to gain direct access to confidential data and to administrator or otherwise elevated privileges on vulnerable systems;
c. demonstrate specific or systematic security weaknesses, if present;
Note: Examples of methods used to demonstrate such weaknesses may include: (1) harvesting of login credentials; (2) brute-force password attacks directly against applications and virtual private networks (VPNs); (3) exploitation of buffer overflow and format string vulnerabilities; and (4) session hijacking, where possible.
d. document the findings from the simulated attack in a report (called "Final Penetration Testing Report"); and
e. have completed Network Penetration Testing when IBM has delivered the Final Penetration Testing Report to Client's Point of Contact.

Client agrees to:
a. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at Client's facility;
b. provide the details required for testing in a timely manner, including IP addresses, domain names, network diagrams and other relevant data;
c. provide a technical support point-of-contact (POC) for use during the engagement;
d. ensure the in-scope systems and infrastructure remain in a static state throughout the testing period; and
e. ensure the IP addresses associated with the technical testers are whitelisted as appropriate on filtering devices (such as firewalls and intrusion prevention systems), according to the negotiated rules of engagement, such that the testers have appropriate access to the target systems.
Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results, and may incur additional charges.

Services Activity - Hardware/Device Penetration Testing
The purpose of this activity is to provide a human tester to manually discover and exploit vulnerabilities in a hardware device or embedded system in order to simulate a real-world attack. Client may choose from Standard Hardware/Device Penetration Test or Advanced Hardware/Device Penetration Test, each of which will be charged at the rate specified in the Order Document.

IBM will:
a. facilitate a project initiation call of up to one (1) hour to review Client's environment and organization, including device platform, architecture, frameworks, supporting infrastructure, known security problems or concerns associated with the device, preliminary testing schedule and emergency contact plan;
b. if Standard Hardware/Device Penetration Test is selected, provide an IBM resource to perform testing and exploitation of a device, for which the priority focus areas will include: (1) weak physical locks; (2) chassis intrusion or modification; (3) insufficient anti-skimming controls; (4) undetected foreign devices; (5) insecure data storage (plaintext data, weak encryption algorithms, key storage, etc.); (6) proper network encryption (SSL/TLS); (7) misconfigured network services; (8) flaws related to user management functions such as login, password recovery or password policy; (9) authentication/authorization bypass; (10) memory corruption vulnerabilities (buffer overflows, format strings, null dereferences, etc.); and (11) logic flaws;
c. if Advanced Hardware/Device Penetration Test is selected, provide an IBM resource to perform testing and exploitation of a device, for which the priority focus areas will include: (1) all vulnerabilities from Standard Hardware/Device Penetration Tests; (2) malicious hardware commands (e.g., dispense cash); (3) application-level vulnerabilities in backend services; (4) backend injection flaws (blind/timing-based SQL injection, OS command injection, XPath injection, etc.);

(5) serialization/marshaling flaws; (6) advanced encryption attacks (padding oracle attacks, improper block modes, etc.); and (7) hidden vulnerabilities only discoverable through executable or source code analysis;
Note: Only vulnerabilities believed to contribute to a viable attack scenario, as determined by IBM, will be targeted.
d. document findings in a report (called "Hardware Penetration Test Report");
e. deliver the final Hardware Penetration Test Report;
f. conduct a report briefing call of up to one (1) hour to explain the findings and associated risks; and
g. have completed Hardware/Device Penetration Testing when the Hardware Penetration Test Report has been delivered to Client's Point of Contact and a report briefing has been provided or declined.

Client agrees to:
a. work with IBM to schedule the project initiation conference call such that all participants have enough notice to attend;
b. provide the required information prior to the project initiation call, including: (1) a description of the targeted device, including its standard deployment scenario; (2) a list of supporting infrastructure components that should be considered in-scope; (3) a list of any resources (servers, web pages, etc.) that should not be tested; (4) sufficient user credentials to access all aspects of supporting applications and verify proper authorization enforcement; and (5) any specialized software required to use the device;
c. invite and confirm attendance of all intended participants of the project initiation conference call, and arrange the meeting room and all logistics at Client's premises;
d. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at Client's facility;
e. provide the tester with physical access to the targeted device;
f. ensure that the in-scope systems and infrastructure remain in a static state throughout the testing period; and
Note: Configuration or infrastructure modifications made during the testing may cause inconsistencies in the results.
g. if applicable, ensure that a virtual or hardware appliance has network access to a user segment from which network testing will be conducted, and that the source IP addresses provided by the testers are added to any filtering devices (such as firewalls and intrusion prevention systems) to allow the testers proper access to the target systems.

Services Activity - On-site Physical Security Testing
On-site Physical Security Testing is conducted when a consultant travels to the designated location(s) and attempts to gain access to physical buildings, critical infrastructure or confidential computing systems. Client may choose from On-site Physical Security Testing - Standard or On-site Physical Security Testing - Advanced, each of which will be charged at the rate specified in the Order Document.

IBM will:
a. if On-site Physical Security Testing - Standard is selected, provide an IBM resource to perform physical security testing, for which the priority focus areas will include: (1) visiting one (1) Client location, as specified in the Order Document, and attempting to gain access to and compromise computing infrastructure;

(2) performing a light level of open-source intelligence ("OSINT") research into publicly available badging procedures, door locations, maintenance or building contracts, etc.;
b. if On-site Physical Security Testing - Advanced is selected, provide an IBM resource to perform physical security testing, for which the priority focus areas will include: (1) visiting four (4) Client locations, as specified in the Order Document, and attempting to gain access to and compromise computing infrastructure; (2) performing a full level of OSINT research into publicly available badging procedures, door locations, maintenance or building contracts, etc.;
c. work with Client to identify attack scenarios, such as posing as a vendor or partner, in an attempt to gain unauthorized access;
d. request information about the location(s) and an on-site POC (if needed), and require sign-off from an appropriate-level executive on the activities and locations;
e. provide basic statistics on the strengths and weaknesses of the locations' security controls (lights, cameras, door locks, etc.);
f. if written consent is provided by Client, and if access is gained to a data center, attempt limited testing of access to non-critical systems;
g. not knowingly destroy or damage Client property when attempting to gain access to buildings or locations;
h. produce a report (called "Social Engineering Physical Report") that reflects IBM's successes and failures in identifying vulnerabilities; and
i. have completed On-site Physical Security Testing when IBM has attempted to compromise the targeted location(s) and delivered the Social Engineering Physical Report to Client's Point of Contact.

Client agrees to:
a. engage with the security consultant for the kick-off call;
b. provide a specific list of the location(s) with full addresses;
c. provide information about badging and access control procedures;
d. obtain sign-off from an appropriate-level executive; and
e. provide the consultant with a letter of intent and a no-harm letter in the event that the consultant is detained by on-site staff or law enforcement.

Services Activity - Off-site Social Engineering
IBM will attempt to gain access to Client's computing environment by means of social or electronic coercion. Client may choose from Off-site Social Engineering - Standard or Off-site Social Engineering - Advanced, each of which will be charged at the rate specified in the Order Document.

IBM will:
a. if Off-site Social Engineering - Standard is selected, provide an IBM resource to perform social engineering testing, for which the priority focus areas will include: (1) calling up to thirty (30) individual users of the company in an attempt to gain access to restricted company information or user credentials; (2) developing up to two (2) storyboards during the kick-off call with Client, so that the social engineering campaign can be as successful as possible; (3) requesting e-mail addresses and physical addresses to which USB drives will be sent; (4) performing a light level of OSINT to complement the information provided by Client, in order to optimize the test results; and (5) attempting to compromise up to five (5) endpoints during the test, and attempting basic lateral movement within the network environment;

b. if Off-site Social Engineering - Advanced is selected, provide an IBM resource to perform social engineering testing for which the priority focus areas will include:
(1) call up to sixty (60) individual users of the company in an attempt to gain access to restricted company information or user credentials;
(2) develop up to three (3) storyboards during the kick-off call with Client, so the social engineering campaign can be as successful as possible;
(3) validate identified addresses and physical locations for USB drives to be sent;
(4) perform custom OSINT to gather as much information as possible about the target and its employees, and understand how the company culture may allow for a security breach; and
(5) attempt to compromise end-points during the test, and attempt basic lateral movement within the network environment;
c. provide statistics including how many employees divulged company information, how many individuals inserted the USB drive, and how many had their computer compromised;
d. create and develop malicious files or payloads for the users as part of the test and, if applicable, send files with custom-tailored macros in order to track opened files and other actions from the users;
e. produce a report (called "Social Engineering Off-site Report") that reflects the identified vulnerabilities for which IBM succeeded or failed to gain access to Client's computing environment; and
f. have completed Off-site Social Engineering when IBM has delivered the Social Engineering Off-site Report to Client's Point of Contact.
Client agrees to:
a. engage with the security consultant to have the kick-off call;
b. provide the list of e-mail addresses and locations that the off-site social engineering will be targeted against;
c. if Off-site Social Engineering - Standard is selected, provide an acceptable level of information, so the testing phone calls and USB devices reach their targets; and
d. if Off-site Social Engineering - Advanced is selected, provide a basic level of information, so the testing phone calls and USB drives reach their targets.

Services Activity - Phishing Test
The purpose of this activity is to provide phishing testing services to identify human vulnerabilities and the user base's knowledge of phishing threats, in order to promote security awareness within Client's organization. Client may choose from Phishing Test - Standard, Phishing Test - Advanced or Phishing Test - Targeted Attack, for which each test will be charged at the rate specified in the Order Document.
IBM will:
a. if Phishing Test - Standard is selected, provide an IBM resource to perform testing for which the priority focus areas will include:
(1) send phishing e-mails to up to one thousand (1,000) mailboxes;
(2) develop one (1) storyboard during the kick-off call with Client, so the phishing campaign can be as successful as possible;
(3) request as much information as possible about the target environment and users, so a broader audience is reached by the phishing campaign and Client will have as much information as possible to boost their security-awareness program;
(4) provide basic statistics on how many people opened those e-mails and how many people acted on them (links that were clicked in what could have been a malicious URL);
(5) perform a minimal level of OSINT, since most of the information will be provided by Client;
(6) not collect any user information (domain credentials) as part of the test, hence no attribution will be provided;

(7) not send any malicious files or payloads to the users as part of the test;
(8) not guarantee compatibility with Client's mobile platforms; and
(9) not compromise any end-points during the test, nor attempt any lateral movement within the network environment;
b. if Phishing Test - Advanced is selected, provide an IBM resource to perform testing for which the priority focus areas will include:
(1) send phishing e-mails to over one thousand (1,000) mailboxes, or create a more sophisticated campaign with more statistics and attribution;
(2) develop up to two (2) storyboards during the kick-off call with Client, so the phishing campaign can be as successful as possible;
(3) request some information about the target environment and users to see how some of Client's defenses are working against phishing attacks;
(4) provide more granular statistics on how many people opened those e-mails, how many people acted on them (opened files or clicked links in what could have been a malicious URL), and how long a user might have spent on the landing page;
(5) perform some level of OSINT to complement the information provided by Client in order to optimize the test results;
(6) define with Client whether any credentials (usernames and/or passwords) will be collected, to also provide attribution as part of the test results;
(7) not send any malicious files or payloads to the users as part of the test but, if applicable, send files with custom-tailored macros in order to track opened files and other actions from the users;
(8) use templates compatible with the commonly used mobile platforms; and
(9) not compromise any end-points during the test, nor attempt any lateral movement within the network environment;
c. if Phishing Test - Targeted Attack is selected, simulate what advanced adversaries would do to compromise an organization through the e-mail attack vector, where the priority focus areas will include:
(1) develop a custom-tailored plan during the kick-off call with Client to define test objectives and target users;
(2) perform OSINT in order to have as much information and context about the targets as possible;
(3) send crafted, targeted e-mails carefully developed to bypass all defense mechanisms and convince the user to take an action that might go against the organization's security policy;
(4) if applicable, use custom internet domains, SSL certificates and a custom server in order to interact with potential victims;
(5) provide detailed statistics;
(6) if available, collect user credentials (usernames and/or passwords) to provide attribution as part of the test results;
(7) if applicable, compromise the target environment as an adversary would;
(8) if applicable, send malicious files or payloads to the users as part of the test;
(9) if applicable, send files with custom-tailored macros to track opened files and other actions from the users; and
(10) use templates compatible with the commonly used mobile platforms;
d. produce a report (called "Final Phishing Security Testing Report") that reflects the documented simulated attacks and identified vulnerabilities; and
e. have completed the Phishing Test when IBM has delivered the Final Phishing Security Testing Report to the Client's Point of Contact.
Client agrees to:

a. engage with the security consultant to have the kick-off call;
b. if Phishing Test - Standard is selected, provide:
(1) the list of e-mail addresses that the phishing e-mails will be sent to (up to one thousand (1,000) mailboxes); and
(2) as much information as possible about the target environment and users, so the phishing e-mails reach as many users as possible and Client gets a good idea of the security posture of their user base;
c. if Phishing Test - Advanced is selected, provide:
(1) the list of e-mail addresses that the phishing e-mails will be sent to; and
(2) the requested information about the target environment and users; and
d. if Phishing Test - Targeted Attack is selected:
(1) define the objectives of the test with the consultant during the kick-off call; and
(2) inform the consultant whether or not they want to be notified when the test will be performed.

Services Activity - Managed Service - Program Management
The purpose of this activity is to provide the Client with a dedicated X-Force Red resource to create and run a security testing program on the Client's behalf. As part of this support, the security testing program is customized for each Client, but the details often include: discovering testing targets (i.e., applications and networks), prioritizing targets, identifying proper testing levels, coordinating testing with Client's internal teams, tracking and prioritizing remediation, and coordinating retesting efforts. IBM will provide Client with Managed Service - Program Management for up to the quantity of hours and charges specified in the Order Document.
IBM will:
a. provide a dedicated senior testing consultant during normal business hours (M-F, 8AM-5PM local time) who will be responsible for:
b. running the Client's security testing program;
c. identifying and prioritizing the Client's testing targets;
d. selecting the proper security testing levels;
e. tracking and coordinating the Client's remediation efforts to address identified vulnerabilities resulting from the security testing methods used; and
f. have completed Managed Service - Program Management when IBM has used all of the contracted hours or when Client has terminated the service for convenience.
Client agrees to:
a. provide the consultant with a list of assets, or provide the consultant with the access required to perform asset discovery;
b. assist in identifying asset owners;
c. ensure that asset owners provide documentation on how assets are deployed, what data they handle, how the asset interacts with users and other systems, and what business role the asset plays;
d. provide documentation about business priorities that define risk, or make staff available for interviews so the consultant can compile the information;
e. provide documentation about change management procedures and appropriate access to tracking systems; and
f. provide documentation about defect tracking software and appropriate access to systems.

Services Activity - Internal Testing Components
As part of this services activity, IBM may use enabling software, hardware (also called "Agents") and/or third party services that are to be used for testing. Title to such Agent(s) will remain with IBM or the third party services vendor, as determined by IBM. At IBM's discretion, IBM will select and provide Client with selected Agent(s); this includes both IBM and non-IBM third party services. Client has the right to use the selected Agent(s) only as directed by IBM. Such Agent(s) provided by IBM are to be managed by IBM as part of the Services and may not be used for any other purpose during the term. If enabling software and/or hardware is accompanied by a separate license agreement, the terms of such license agreement also apply. At IBM's discretion, IBM will provide the following services where applicable.
IBM will:
a. acquire the Agent(s) specified in the Order Document;
b. facilitate system design, and the selection and use of the Agent(s) and features specified under this Services Description and associated contractual documents; and
c. coordinate with the vendor, including for those products provided by IBM or a third party, for the provision of support and maintenance for the security technologies specified in the Order Document.
As part of on-premise testing, Client will need to agree to the following responsibilities. Client agrees:
a. that, other than as specified in this Services Description, use of the Agent(s) supplied hereunder will be subject solely to the manufacturer's terms and conditions, third party or otherwise;
b. to use the Agent(s) and features as specified under this Services Description and associated contractual documents;
c. to be responsible for:
(1) receiving and signing for the security technologies at Client's delivery location specified in the Order Document or a mutually agreed designated Client location. Any visible shipping damage shall be immediately reported to the shipper and IBM;
(2) complying with and performing any applicable tasks called out as Client's responsibilities in this Services Description;
(3) maintaining insurance on the Agent(s) throughout the contract period specified in the Order Document; and
(4) determining that the Agent(s), and the integration of such products, are in compliance with national building and installation codes and other laws and regulations, including product safety regulations;
d. that support and maintenance for the Agent(s) described herein will be coordinated by IBM and will not have to be obtained separately by Client;
e. and acknowledges, that Client is not permitted to physically move Agent(s) without the express consent of IBM;
f. to submit requests for in-country physical moves of Agent(s) or services within 60 days of the requested move date;
g. that physical moves of Agent(s) are subject to additional fees and local tax implications;
h. that, due to regulations, cross-border movement of Agent(s) or services will not be permitted;
i. that any fix IBM makes available as part of support and maintenance is made on behalf of the security technology vendor and is licensed by the security technology vendor to Client under the terms of the applicable EULA. IBM provides any such Fixes AS IS AND WITHOUT WARRANTIES OF ANY KIND from IBM; and
j. and acknowledges that, should Client elect not to return the security technology Agent(s) upon non-renewal, Client also agrees to pay IBM the then-current fair market value of the security technology Agent(s), as determined by IBM.

Disposition of Agents
At the end of the contract period, or upon termination of the contract, or upon completion of the relevant security test, Client agrees:
a. to work with IBM regarding the return of the security technology Agent(s);
b. to return all Agent(s) to a shipping location specified by IBM;
c. to be responsible for all return shipping charges;
d. to ensure the equipment is returned in the same condition (excepting reasonable wear and tear) as delivered to Client;
e. to be responsible for charges incurred as a result of misuse or damage of the Agent(s), and IBM may invoice Client directly for such misuse or damage; and
f. in the event it does not return the equipment, to be responsible for paying the residual value of the equipment as invoiced by IBM.

End User License Agreement(s) for On-premise Testing
On-premise testing may include security technology Agent(s) from vendors other than IBM and, as such, the terms set forth in the applicable End User License Agreement(s) are solely between Client and the applicable security technology vendor. Client agrees to be bound by the terms and conditions set forth in the following End User License Agreement(s) ("EULA") as they pertain to the security technology Agent(s) included as part of the on-premise testing. The applicable Non-IBM Product EULA(s) are available for review at:
From this security services contract documents portal, Client selects the applicable country to access the documents under the Third Party End User License Agreements section.

1.2 Service Activity - Subscription and Managed Service Management
The purpose of this activity is to provide Client with status reviews every three (3) months during the contract term regarding Client's subscription and managed service usage, if mutually agreed by IBM and Client and as applicable.
IBM will:
a. mutually establish a service schedule with Client for status reviews, as applicable;
b. conduct a teleconference for up to two (2) hours every three (3) months during the contract term to review usage of Client's subscription and managed service budget, including service components utilized and remaining, update the service schedule and provide recommendations if appropriate;
c. document the results of each teleconference in a status report; and
d. have completed Subscription and Managed Service Management when IBM has delivered the status report, at the end of each three (3) month review period or according to the service calendar, to the Client's Point of Contact.
Client agrees to make appropriate personnel available during status reviews to answer questions, obtain requested data, perform suggested actions, and similar items.

1.3 Services Activity - Annual Subscription and Managed Service Management
The purpose of this activity is to provide Client with status reviews every twelve (12) months during the contract term regarding Client's subscription and managed service usage, if mutually agreed by IBM and Client and as applicable.

IBM will:
a. mutually establish a service schedule with Client for status reviews, as applicable;
b. conduct a teleconference for up to two (2) hours to review annual usage of Client's subscription and managed service budget, including service components utilized and remaining, update the service schedule and provide recommendations if appropriate;
c. if applicable, inform Client of subscription usage for testing services charges, or consumption of Program Management support hours, that exceeds the total monthly recurring charges established within the same calendar year and, if appropriate, invoice Client at the usage rates specified in the Order Document for usage that exceeds the yearly allowance;
d. document the results of each teleconference in an annual status report; and
e. have completed Annual Subscription Management when IBM has provided the annual status report, at the end of each twelve (12) month review period or according to the service calendar, to the Client's Point of Contact.
Client agrees to:
a. make appropriate personnel available during each twelve (12) month status review to answer questions, obtain requested data, perform suggested actions, and similar items; and
b. be responsible for all usage charges that exceed the Client's total monthly recurring charges established within the same calendar year, at the charge rate for each type of test and the usage charge for Program Management as specified in the Order Document.


Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

1.2 Participant means a third party who interacts with the Services as a result of that party s relationship with or connection to you.

1.2 Participant means a third party who interacts with the Services as a result of that party s relationship with or connection to you. Document Cloud (including Adobe Sign) Additional Terms of Use Last updated June 16, 2016. Replaces the prior version in its entirety. Capitalized terms used in these Document Cloud Additional Terms ( Additional

More information

IBM Hosted Application Security Services - Production Application Scanning

IBM Hosted Application Security Services - Production Application Scanning IBM Hosted Application Security Services - Production Application Scanning AT_INTC-8840-02 2-2012 Page 1 of 20 INTC-8840-02 2-2012 IBM Österreich Internationale Büromaschinen Gesellschaft m.b.h. A-1020

More information

Service Description. IBM Aspera Files. 1. Cloud Service. 1.1 IBM Aspera Files Personal Edition. 1.2 IBM Aspera Files Business Edition

Service Description. IBM Aspera Files. 1. Cloud Service. 1.1 IBM Aspera Files Personal Edition. 1.2 IBM Aspera Files Business Edition Service Description IBM Aspera Files This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients of the Cloud Service.

More information

SERVICES and MICROSOFT HOSTED EXCHANGE

SERVICES and MICROSOFT HOSTED EXCHANGE EMAIL SERVICES and MICROSOFT HOSTED EXCHANGE 1. Description of Service. Web.com may provide you with the capability of sending and receiving electronic mail via the Internet and through mobile phones ("Email

More information

Cisco QuickStart Implementation Service for Tetration Analytics Medium

Cisco QuickStart Implementation Service for Tetration Analytics Medium Page 1 of 9 Service Description: Advanced Services Fixed Price Cisco QuickStart Implementation Service for Tetration Analytics Medium (ASF-DCV1-TA-QS-M) This document describes Advanced Services Fixed

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

BT Compute Protect Schedule to the General Terms

BT Compute Protect Schedule to the General Terms BT Compute Protect Schedule to the General Terms Contents A note on you... 2 Words defined in the General Terms... 2 Part A The BT Compute Protect Service... 2 1 Service Summary... 2 2 Standard Service

More information

IBM Managed Security Services (Cloud Computing) hosted and Web security - express managed security

IBM Managed Security Services (Cloud Computing) hosted  and Web security - express managed  security IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed e-mail security Z125-8581-01 12-2010 Page 1 of 15 Table of Contents 1. Scope of Services... 3 2. Definitions...

More information

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer

More information

Service Description: Software Support

Service Description: Software Support Page 1 of 1 Service Description: Software Support This document describes the service offers under Cisco Software Support. This includes Software Support Service (SWSS), Software Support Basic, Software

More information

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PPS is Private Practice Software as developed and produced by Rushcliff Ltd. Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and

More information

A (sample) computerized system for publishing the daily currency exchange rates

A (sample) computerized system for publishing the daily currency exchange rates A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency

More information

Questions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP

Questions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP Questions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP 1. If we cannot attend the September 27 pre-bid meeting in-person, will there be conference call capability

More information

IBM Resilient Incident Response Platform On Cloud

IBM Resilient Incident Response Platform On Cloud Service Description IBM Resilient Incident Response Platform On Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized

More information

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services.  #truecybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services

More information

Privacy Policy. I. How your information is used. Registration and account information. March 3,

Privacy Policy. I. How your information is used. Registration and account information. March 3, Privacy Policy This Privacy Policy describes how and when we collect, use and share your information across our App. When using our App you consent to the collection, transfer, storage, disclosure, and

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017 DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.

More information

Choosing the Right Security Assessment

Choosing the Right Security Assessment A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding

More information

QNB Bank-ONLINE AGREEMENT

QNB Bank-ONLINE AGREEMENT This is an Agreement between you and QNB Bank ("QNB"). It explains the rules of your electronic access to your accounts through QNB Online. By using QNB-Online, you accept all the terms and conditions

More information

Table of Contents. Stand: * * *

Table of Contents. Stand: * * * IBM Österreich Internationale Büromaschinen Gesellschaft m.b.h. A-1020 Wien, Obere Donaustraße 95 Telefon (01) 211 45-0* Telefax (01) 216 08 86 Sitz: Wien Firmenbuchnummer FN 80000 y Firmenbuchgericht

More information

NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print

NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY. Addendum No. 1 issued September 7, RFI responses are in red bold print DEDICATED TO THE HEALTH OF OUR COMMUNITY www.hcdpbc.org NOTICE TO ALL PROSPECTIVE RESPONDENTS RFP 18-ITSS/CY Addendum No. 1 issued September 7, 2018 RFI responses are in red bold print How many public

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Service Description VMware Workspace ONE

Service Description VMware Workspace ONE VMware Workspace ONE Last Updated: 05 April 2018 The product described in this Service Description is protected by U.S. and international copyright and intellectual property laws. The product described

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

Managed NIDS Care Services

Managed NIDS Care Services Managed NIDS Care Services This Service Guide ( SG ) sets forth a description of CenturyLink Managed NIDS Care Service ( Service ) offerings including technical details and additional requirements or terms,

More information

Service Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE)

Service Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE) Page 1 of 1 Service Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE) This document describes Advanced Services Fixed Price: Cisco UCCE Branch

More information

Security Architecture

Security Architecture Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to

More information

HPE DATA PRIVACY AND SECURITY

HPE DATA PRIVACY AND SECURITY ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection

More information

Mobile Application Privacy Policy

Mobile Application Privacy Policy Mobile Application Privacy Policy Introduction This mobile application is hosted and operated on behalf of your health plan. As such, some information collected through the mobile application may be considered

More information

BCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding)

BCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding) BCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding) CLAUSE 13 ON-LINE BIDDING 13.1 ON-LINE BIDDING.1 Definitions: Owner means the party and/or their agent designated to receive on-line

More information

Monthly Cyber Threat Briefing

Monthly Cyber Threat Briefing Monthly Cyber Threat Briefing January 2016 1 Presenters David Link, PM Risk and Vulnerability Assessments, NCATS Ed Cabrera: VP Cybersecurity Strategy, Trend Micro Jason Trost: VP Threat Research, ThreatStream

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Request for Proposal (RFP)

Request for Proposal (RFP) Request for Proposal (RFP) BOK PENETRATION TESTING Date of Issue Closing Date Place Enquiries Table of Contents 1. Project Introduction... 3 1.1 About The Bank of Khyber... 3 1.2 Critical Success Factors...

More information

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template RFP/RFI Questions for Managed Security Services Sample MSSP RFP Template Table of Contents Request for Proposal Template Overview 1 Introduction... 1 How to Use this Document... 1 Suggested RFP Outline

More information

Tiger Scheme QST/CTM Standard

Tiger Scheme QST/CTM Standard Tiger Scheme QST/CTM Standard Title Tiger Scheme Qualified Security Tester Team Member Standard Version 1.2 Status Public Release Date 21 st June 2011 Author Professor Andrew Blyth (Tiger Technical Panel)

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy This Acceptable Use Policy is in addition to South Central Communication s Terms of Service and together the documents constitute the Agreement between South Central Communications

More information

BT Assure Cloud Identity Annex to the General Service Schedule

BT Assure Cloud Identity Annex to the General Service Schedule 1 Defined Terms The following definitions apply, in addition to those in the General Terms and Conditions and the General Service Schedule of the Agreement. Administrator means a Customer-authorised person

More information

IBM Cloud Service Description: Watson Analytics

IBM Cloud Service Description: Watson Analytics IBM Cloud Services Agreement IBM Cloud Service Description: Watson Analytics The following is the Service Description for your Order: 1. Cloud Service The Cloud Service offering is described below, portions

More information

IBM PureApplication Service

IBM PureApplication Service Service Description IBM PureApplication Service This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients of the Cloud

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

ETSY.COM - PRIVACY POLICY

ETSY.COM - PRIVACY POLICY At Etsy, we value our community. You trust us with your information, and we re serious about that responsibility. We believe in transparency, and we re committed to being upfront about our privacy practices,

More information

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?

More information

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been

More information

AppPulse Point of Presence (POP)

AppPulse Point of Presence (POP) AppPulse Point of Presence Micro Focus AppPulse POP service is a remotely delivered solution that provides a managed environment of Application Performance Management. AppPulse POP service supplies real-time

More information

An ICS Whitepaper Choosing the Right Security Assessment

An ICS Whitepaper Choosing the Right Security Assessment Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information