Managed Security Services - Endpoint Managed Security on Cloud

Transcription

1 Services Description Managed Security Services - Endpoint Managed Security on Cloud The services described herein are governed by the terms and conditions of the agreement specified in the Order Document for IBM Security Services ( Order Document ). If there is a conflict between the terms in the documents, the terms of the Order Document prevail over those of this document, and the terms of this document prevail over those of the agreement specified in the Order Document ("the Agreement"). Capitalized terms not otherwise defined in this document are defined in the Agreement or any other referenced document, and have the same meaning in this document as ascribed to them therein. This document describes the Services and incorporates by reference the following contract document(s). The terms and conditions contained in the incorporated document(s) are in addition to the terms and conditions contained herein. Contract Document(s) Document # Managed Security Services General Provisions I Standard Services Deployment and Activation I The document(s) identified above are located at: From this security services contract documents portal, Client selects the applicable country to access the above documents. If any documents are not accessible, please request a copy from Client's IBM sales contact. 1.1 Services IBM will provide Endpoint Managed Security on Cloud ( Services ) which include advanced malware protection, detection and environment monitoring. Services will provide support for a variety of endpoint/host platforms such as laptops, desktops, and servers and are available under three (3) service tier levels: Essential, Standard, and Enterprise. Services may include the following core service features as selected in the Order Document. Additionally, the Client may purchase add-on(s) to the core offering as described in this document. This Service provides the following capabilities: a. Essential service tier provides support of server endpoints only via a centralized, multi-tenant management console where monitoring and reporting are provided in support of regulatory compliance; b. configuration of the management infrastructure; c. connection to a security event and incident management tool for threat intelligence and analytics (optional); d. automated threat monitoring and threat detection; e. advanced correlation and threat prioritization; f. Enterprise service tier provides advice on remediation actions; however, this level of support is optional for other service tiers; g. quarterly checkpoints; and h. ongoing configuration and endpoint telemetry (policy) tuning. Optional Services Optional services are available to provide a more comprehensive level of support, increasing IBMs ability to support remediation and reporting activities. If any of the following optional services are selected or specified in the Order Document, IBM will provide support for these services upon Client request. Vendor Liaison Support including 24x7 Severity 1 response including level 3 support. Specialized Policy Configuration requests provide for the Client to request changes to the policy s managing the Client s servers. I EN Page 1 of 7

2 Additional Meeting Attendance can be provided to allow attendance at an additional weekly meeting in support of Client needs. Customized Report Design and Daily Execution based upon the Client requirement. Consulting Services which allow for the Client to request IBM assistance to investigate and resolve specific issues Services Activities Implementation IBM will provide implementation based on service tier level selected in the Order Document. IBM Responsibilities IBM will: (1) complete initial environmental assessment as part of implementation; (2) provide security product technical support information for implementation provided by the vendor to delivery team; (3) provide high level transition plan for Client execution; (4) onboard tenant onto vendor management console and test connectivity; and (5) configure vendor management console and policies based on standard vendor s best practices. b. if Standard or Enterprise service tier is selected, perform the activities above related to Essential service tier and provide a remote (usually via conference call) 2-hour workshop including: (1) introduction of personnel providing service(s), confirmation of location(s); (2) review of IBM incident management and workflow procedures and processes; (3) discussion of pre-emptive incident preparation best practices; and (4) discussion of current threat and risk levels, and telemetry policy tuning. Client Responsibilities Client will: (1) provide a single point of contact to work with the IBM on issues pertaining to implementation; (2) support the environmental assessment; (3) execute transition plan provided by IBM (task tracking, change management, communication, status reporting, etc.); (4) endpoint support teams are required to provide software installation, troubleshooting of managed endpoints (system administration team for servers) including installing security product/upgrades on servers; (5) provide the necessary network access and remote access to allow server endpoints to access the vendor management console or cloud instance and support testing the access; (6) be responsible for verification and resolution for any compliance issues including maintaining documentation for audit readiness; (7) be responsible for purchase of any hardware and/or software required for Services as well as updates as required by IBM; (8) open any ticket required via the problem management system used by the Client to support the server s security software implementation for endpoints; and (9) be responsible for ensuring vendor support contract for agent s license support is in place and maintained at the level the Client determines is required and I EN Page 2 of 7

3 (10) provide client relationship management and assume all Client interfacing responsibilities during onboarding. b. if Standard or Enterprise service tier is selected, perform the activities above related to Essential service tier and the following: (1) agree to identify relevant subject matter experts and/or Client contact(s) to participate in the workshop and provide required information as required by the environmental assessment; (2) within one month of any expiration or termination of Services, unless agreed in writing by IBM at the time, return all products or assets (including without limitation all whole or partial copies thereof) and destroy and certify as such in writing to IBM all documentation and all IBM Confidential Information; (3) provide Agent instance and support subscription at recommended level (purchasing assistance may be provided by IBM; (4) provide the necessary network connectivity for endpoints to access the Agent cloud instance; (5) be responsible for ensuring vendor support contract for agent s license support is in place and maintained at the level the Client determines is required; and (6) be responsible for verification and resolution for any compliance issues including maintaining documentation for audit readiness Services Activities Steady State As steady state begins there will be an initial tuning phase for telemetry tuning, learning, and contextual awareness. During this phase, IBM will provide steady state activities listed below for a specific set of endpoints and/or for a duration (not to exceed eight (8) weeks) mutually agreed upon by Client and IBM during the Service kickoff. Following the completion of the tuning phase, the Service is considered to be in Steady State. IBM will provide Steady State support during 08:00 AM 05:00 PM, Monday Friday in delivery center s local time zone and based on service tier level selected in the Order Document. IBM Responsibilities IBM will: (1) maintain and monitor health and availability of vendor management console applications to ensure proper function, including downloading new definition, pattern files, vendor product updates, and policy and configuration updates; (2) perform daily status checks of the console once daily; (3) inform Client s Point of Contact when endpoint security software upgrade should be executed, as required; (4) respond to any health and availability issues pertaining to the vendor console management application; (5) notify Client when endpoint security software upgrade should be executed (e.g., endpoints reporting out of date components), as required; (6) attend up to one hour-long meeting per quarter to review anti-virus status; (7) notify Client or appropriate agents via standard monthly report of any anomalous events e.g., malware detected, but not cleaned, endpoints reporting out of date components; (8) notify Client s Point of Contact, if malware is detected on a Client supported endpoint; (9) provide one (1) monthly malware defense management report; and (10) modify console alerts for notification of compliance issues per vendor recommendation only. b. if Standard service tier is selected, perform the activities above related to Essential service tier and the following: I EN Page 3 of 7

4 (1) provide automated detection and threat monitoring based on the intelligence feed, and other telemetry obtained from a security information and event management system, if applicable); (2) categorize security events/incidents priority based on the National Institute of Standards and Technology s security incident categorization, modified as follows: (a) (b) (c) (d) critical event: critical business impact, unauthorized access, brand damage, data theft, compromised asset; high event: significant business impact, potential loss of data, denial of service; medium event: malware or malicious code, potential loss of service, data, business impact; and low event: reconnaissance or scans or probes, policy violations or improper usage, others and uncategorized event. (3) provide correlation and prioritization of threat events using knowledge of Client s environment, current threat landscape and global threat intelligence; (4) notify Client contact(s) regarding security events using one or more of the following means: electronically or via telephone; (5) make recommendations to Client as to any remediation actions to be performed on endpoints in response to an identified threat, if applicable; (6) take additional action in the case malware detected warrants further remediation, which may include but not limited to: (a) (b) banning process hashes (ban a process hash so that the process cannot be run again on hosts reporting to this management server and any running version of it is terminated); and endpoint isolation (isolate a computer from the rest of the network, leaving only connections needed for access to its sensor by the management server. (7) provide a digital threat/incident summary report and remediation recommendations/actions taken, if applicable; (8) make up to five (5) policy changes per month, as appropriate and required; (9) provide quarterly briefing checkpoints (up to two (2) hours via conference call) to review incident reports, any changes to incident reporting procedures, telemetry, processes, workflows, and technologies; (10) host operational cadence call one (1) hour per month; (11) provide one (1) weekly standard report for threat and incident; (12) monitor the Services infrastructure and remediate issues as necessary; (13) perform patches and upgrades of the management system; (14) notify Client if sensors require updating; and (15) notify Client if parts of the IBM solution become unreachable. c. If Enterprise service tier is selected, perform the activities above related to Essential and Standard service tiers and the following: (1) provide 24x7 on-call support for Severity 1 related Client situations; (2) act as primary vendor interface for any issues or communication requiring the vendor s assistance; (3) deliver intelligence and remediation instructions as applicable; (4) respond to Client s requests for investigations; (5) make up to five (5) additional policy changes for a total of ten (10) per month, as appropriate and required; (6) host operational cadence call one (1) hour per week; I EN Page 4 of 7

5 (7) provide one (1) daily standard reports for threat and incident; (8) provide up to five (5) customized designed reports for execution; (9) meet with Client to identify specific requirement; (10) develop the custom report and adjust the steady state processes to include delivery of the report; and (11) execute the custom report daily and delivery to Client s Point of Contact. Client Responsibilities Client will: (1) provide a single point of contact to work with the IBM on issues pertaining to Steady State support; (2) maintain all software licenses for software products used as part of the service; (3) notify the IBM focal point, through an agreed upon process, when there are standardized software image upgrades and/or change schedules; (4) coordinate incident management responsibilities and respond to all health and availability issues not directly related to the security management console; (5) be responsible for verification and resolution for any compliance issues including maintaining documentation for audit readiness; (6) open any ticket required via the problem management system used by the Client to support the server s security software for endpoints including but not limited to security product remediation, repair, a product patch or minor upgrade, as applicable; and (7) endpoint support teams are required to provide support for software installation, troubleshooting and maintenance of managed endpoints and relays (e.g., System Administrator or Server Support teams for servers). b. if Standard or Enterprise service tier is selected, perform the activities above related to Essential service tier and the following: (1) maintain Agent instance (assistance may be provided by IBM); (2) identify endpoint support teams required for support related to software installation, troubleshooting and maintenance of managed endpoints (system administration team for servers); (3) identify endpoint support teams required for support related to software installation, troubleshooting and maintenance of managed endpoints (system administration team for servers); (4) maintain all software licenses for software products used as part of the Services; (5) review incident tickets, alerts, reports, and events provided to the Client via other electronic and/or telephone means; (6) implement recommended remediation techniques, if available and applicable; (7) request threat hunting / additional analysis for up to any remaining number of investigations specified in the Order Document, if applicable; (8) provide written approval for any and all remediation and recommended actions as required by IBM; (9) give IBM prior written notice of any software or hardware alterations or attachments which may affect Services; (10) ensure appropriate Client entities are available for quarterly briefings; (11) install sensors as recommended by IBM; and I EN Page 5 of 7

6 (12) be responsible for verification and resolution for any compliance issues including maintaining documentation for audit readiness Optional Services Activities IBM will provide support for the following optional services based on the selection specified in the Order Document and upon Client request. IBM Responsibilities a. If Essential or Standard service tier and if Vendor Liaison is selected in the Order Document, IBM will: (1) act as primary vendor interface for any issues or communication requiring the vendor s assistance; (2) provide 24x7 on-call support for Severity 1 related Client situations; (3) deliver Intelligence and remediation instructions as applicable; and (4) respond to Client s requests for investigations. b. If Specialized Policy Configuration is selected in the Order Document, IBM will implement policy changes to the infrastructure for specific servers at the Client s request. c. If Customized Report Design and Daily Execution is selected in the Order Document, IBM will: (1) meet with Client to identify specific requirement; (2) develop the custom report and adjust the steady state processes to include delivery of the report; and (3) execute the custom report daily and delivery to Client s Point of Contact; d. If Additional Meeting Requirement is selected in the Order Document, IBM will participate in a weekly one (1) hour meeting as an additional meeting requirement during the contract period. e. If Consulting Service Requirement is selected in the Order Document, IBM will provide up to eight (8) hours of consulting services. Client Responsibilities a. If Essential or Standard service tier and if Vendor Liaison is selected in the Order Document, Client will: (1) ensure that requests for level 3 support are submitted by the assigned focal point; (2) be responsible for ensuring vendor support contract(s) is established and maintained at the tier level as identified by the vendor through the life of the contracts; (3) acknowledge that IBM recommends that Client s support contracts include 24x7 access to a named technical account manager assigned to the Client account by the software vendor; and (4) acknowledge that if the appropriate vendor level of support is not maintained by the Client, the Client is responsible for any impact the level of vendor support may have on Services. b. If Specialized Policy Configuration is selected in the Order Document, Client will: (1) provide IBM with details of requested report; and (2) accept delivery of customized reports daily for distribution to tenant. c. If Customized Report Design and Daily Execution is selected in the Order Document, Client will: (1) provide IBM with details of requested report; and (2) accept delivery of customized reports daily for distribution to tenant. d. If Additional Meeting Requirement is selected in the Order Document, Client will: (1) provide invitation to additional one (1) hour weekly meeting; and (2) outline agenda to be considered. I EN Page 6 of 7

7 e. If Consulting Service Requirement is selected in the Order Document, Client will provide direction regarding requested activity. I EN Page 7 of 7