Z126-6526-AT-1 04-2014
Z126-6526-WW-1 04-2014
A-1020 Wien, Obere Donaustraße 95
Telephone (01) 211 45-0*
Fax (01) 216 08 86
Registered office: Wien
Commercial register number: FN 80000 y
Commercial register court: HG Wien
DVR: 0003824
Table of Contents
1.0 Scope of Services ...................................................................................................................................................... 5
2.0 Definitions ................................................................................................................................................................... 5
2.1 General Terms ................................................................................................................................................... 5
2.2 QRadar Technology Terms ................................................................................................................................ 6
2.3 Service Roles ..................................................................................................................................................... 7
3.0 Managed SIEM Services Contacts ............................................................................................................................ 7
3.1 Security Operations Center ................................................................................................................................ 7
3.2 Points of Contact ................................................................................................................................................ 7
3.2.1 IBM Point of Contact Responsibilities .................................................................................................... 7
3.2.2 Your Point of Contact Responsibilities .................................................................................................. 8
3.2.3 IBM Authorized Services Contacts Responsibilities .............................................................................. 8
3.2.4 IBM Designated Services Contacts Responsibilities ............................................................................. 9
3.2.5 Your Authorized Security Contacts Responsibilities .............................................................................. 9
3.2.6 Your Designated Services Contacts Responsibilities ............................................................................ 9
4.0 Managed SIEM Foundational Features ..................................................................................................................... 9
4.1 MSS Portal ......................................................................................................................................................... 9
4.1.1 IBM MSS Portal Responsibilities ......................................................................................................... 10
4.1.2 Your MSS Portal Responsibilities ........................................................................................................ 10
4.1.3 IBM MSS Portal Users Responsibilities ............................................................................................... 10
4.1.4 Your MSS Portal Users Responsibilities ............................................................................................. 10
4.2 Security Reporting ............................................................................................................................................ 11
4.2.1 IBM Security Reporting Responsibilities .............................................................................................. 11
4.2.2 Your Security Reporting Responsibilities ............................................................................................ 11
4.3 IBM X-Force Threat Analysis ........................................................................................................................... 11
4.3.1 IBM Security Intelligence Responsibilities ........................................................................................... 11
4.3.2 Your Security Intelligence Responsibilities .......................................................................................... 12
5.0 Managed SIEM Service Phases ............................................................................................................................... 12
5.1 Phase One - Project Initiation and Planning .................................................................................................... 12
5.1.1 IBM Project Initiation and Planning Responsibilities ............................................................................ 12
Activity 1 - Kickoff ......................................................................................................................................... 12
Activity 2 - Requirements Definition and Planning Session .......................................................................... 13
5.1.2 Your Project Initiation and Planning Responsibilities........................................................................... 13
5.2 Phase Two - SIEM System Design.................................................................................................................. 14
6.6.1 IBM QRadar Vulnerability Manager Integration and Management Responsibilities .............................. 28
Activity 1 - QRadar Vulnerability Manager Integration and Management ...................................................... 28
6.6.2 Your QVM Responsibilities .................................................................................................................. 28
7.0 Service Level Agreements ....................................................................................................................................... 29
7.1 SLA Overview .................................................................................................................................................. 29
7.2 SLA Definitions ................................................................................................................................................. 29
7.2.1 Service Availability .............................................................................................................................. 29
7.2.2 Portal Availability ................................................................................................................................. 29
7.2.3 Security Incident Identification and Notification ................................................................................... 29
7.2.4 SIEM Agent Health Alerting ................................................................................................................. 30
7.3 SLA Root Cause Analysis ................................................................................................................................ 30
7.4 SLA Remedies ................................................................................................................................................. 31
8.0 Deliverable Materials ................................................................................................................................................ 31
9.0 Other Terms and Conditions ................................................................................................................................... 31
9.1 Intellectual Property Services Components ...................................................................................................... 31
9.2 Permission to Perform Testing ......................................................................................................................... 32
9.3 Disclaimer ........................................................................................................................................................ 33
9.4 Employment of Assigned Personnel................................................................................................................. 33
1.0 Scope of Services
IBM Managed Security Information and Event Management (Managed SIEM, MSIEM or Services) is designed to help you plan, implement, manage, and monitor a SIEM System based on your identified business requirements. The Services features described herein are dependent upon the availability and supportability of the products and product features being utilized, including both IBM-provided and non-IBM-provided hardware, software, and firmware. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This Services Description is between the Customer referenced herein (also called "you" and "your") and International Business Machines Corporation (IBM, or Service Provider). The MSIEM Service is performed in phases.
Phase One - Project Initiation and Planning: During this phase, IBM assists you with defining and compiling requirements and develops a Project Plan.
Phase Two - System Design: During this phase, IBM creates an architectural and system design for your environment. If the SIEM System is already deployed, IBM performs a design review.
Phase Three - Implementation: During this phase, if not already deployed, IBM installs and configures the SIEM System components and verifies that data is being transmitted and reported.
Phase Four - Integration and Transition: During this phase, IBM develops processes and corresponding documentation and begins transitioning management and monitoring to the operational support team.
Phase Five - Ongoing Operational Support: During this phase, IBM provides steady state management and monitoring of the SIEM infrastructure.
2.0 Definitions
2.1 General Terms
Alert Condition (AlertCon) - a global risk metric developed by IBM, using proprietary methods. The AlertCon is based on a variety of factors, including the quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. The four levels of AlertCon are described in the MSS Portal.
Authorized Security Contacts - your decision-maker on all operational issues pertaining to IBM Managed Security Services.
Change Request (CR) - a specific modification to the SIEM System configuration after the initiation of steady state operations, including Event Source and SIEM System component moves, adds, and deletes, SIEM Agent reorganization, network hierarchy modifications, correlation Rule and policy exception alert creation or revision, and report creation beyond the original set.
Designated Services Contacts - your decision-maker on a subset of operational issues pertaining to IBM Managed Security Services.
Education Materials - include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other training-related property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents, and presentation slides provided by IBM.
End Date - the last date of Services based on the Project Start Date and Contract Period as specified in the Schedule.
Event Source - any operating system, application, agent, daemon, appliance, or device that will be transmitting security event logs or data to the SIEM System.
IBM Managed Security Services (IBM MSS) Portal (called MSS Portal) - provides access to an environment (and associated tools) designed to monitor and manage security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.
Incident - a security event that requires analysis, investigation, containment, eradication, remediation, or prevention.
Information Request - an email that IBM sends to an Authorized Security Contact or Designated Services Contact to assist IBM with Incident investigation, Offense Rules refinement, and the proactive integration of outputs from the Incident management lifecycle into the overall SIEM System configuration.
Issue - a non-security event that requires analysis, investigation, or resolution.
MSS Portal Users - users of the MSS Portal with different levels of authorization to the MSS Portal. MSS Portal Users can have restricted, regular, or administrative MSS Portal access to all MSS Agent(s) or just a subset of MSS Agent(s). The MSS Portal views and permissions available to the Portal Users are dictated by the Authorized Security Contact.
Service Feature - a line item in the Schedule that describes a specific component of the Service and is associated with a one-time charge or monthly charge.
Service Questionnaire - a pre-defined list of data collection questions presented by IBM to you for completion prior to deployment or transition.
Services Recipient - any entity or individual receiving or using the Services or the results of the Services, or acting on behalf of the end user in receiving or using the Services or the results of the Services.
SIEM Agent - the term used to collectively describe any distributed SIEM component.
SIEM System - the hardware and software components and modules that collectively make up the Security Information and Event Management infrastructure.
Ticket - a record created in the problem reporting system that requires action to be taken by you or by IBM as appropriate.
2.2 QRadar Technology Terms
Rules - a series of tests that monitors events and flows for a pattern or matching condition to generate a response, typically an Offense.
Sentry - monitors collections of Views (flow filters) to generate events and alerts.
uDSM - a universal Device Support Module that is customized by IBM to parse incoming events from the native format of a customer-specific Event Source into the QRadar standardized format.
View - an on-screen display of data that is organized in a specific way that normalizes flow data and defines how flow data is filtered.
2.3 Service Roles
Unless otherwise stated within the Communication Plan, the support resources assigned as Deployment Engineer, Security Services Manager, Senior Consultant, and Transition Architect will have limited hours of coverage, and support will be provided 9:00 a.m. to 5:00 p.m. Monday through Friday in the time zone selected by you (also referred to as Business Hours), except national and your designated holidays.
Deployment Engineer - The Deployment Engineer (DE) assists with the installation of the SIEM System components. This role participates in Phases One through Three as needed.
Security Services Manager - The Security Services Manager (SSM) also serves as an advisor and liaison to broader IBM resources, takes direction from your Point of Contact, and provides project management, contract management, oversight, service delivery expertise, and operational leadership to the IBM team. This role participates in all Phases throughout the contract term.
Senior Consultant - The Senior Consultant participates in Phases One through Four to collect and map functional and non-functional requirements, offer strategic advice to stakeholders as it pertains to in-scope Services, and provide a macro and micro design or design review of the SIEM System. This role also participates in the Readiness Assessment to ensure that the SIEM configuration is primed for a smooth transition to the operational support team.
SIEM System Administrator - The SIEM System Administrator (Admin) participates in Phases Three through Five to manage the SIEM System infrastructure and perform system administration, configuration, tuning, reports generation, and various customization activities for the environment.
SIEM Analyst - The SIEM Analysts (also referred to as Threat Analysts or SOC Analysts) participate in Phases Four and Five, comprising the operational support team that provides Rule customization recommendations and eyes-on-screen monitoring for alert and Incident workflow management and daily manual reports review and analysis when this optional Service Feature is purchased.
Transition Architect - The Transition Architect (TA) participates in Phases One through Four to coordinate and execute the transition activities to transfer management and monitoring of the SIEM System to the operational support team.
3.0 Managed SIEM Services Contacts
3.1 Security Operations Center
3.2 Points of Contact
To facilitate communications with the IBM team, you will be asked to provide contacts and their access levels so that the IBM staff can validate the identity and authority of the contact prior to making system changes. Services Recipient may choose from multiple levels of access in order to accommodate varying roles within your organization: Transition Focal, Authorized Security Contacts, Designated Services Contacts, and MSS Portal Users.
3.2.1 IBM Point of Contact Responsibilities
a. review the Services Description and associated documents with your Point of Contact;
b. serve as a single point of contact to the account management and delivery teams for operational security-related activities during Transition and as the contract focal during Steady State Operations;
c. maintain and oversee relationships for delivery organizations providing security support;
d. establish and maintain communications through your Point of Contact, as defined in the section titled Your Point of Contact Responsibilities;
e. oversee the management of operational security activities, processes, and policies as required;
f.
g. track and assist in the management of the resolution of reported operational security issues, recommend actions, review plans, and monitor progress of remediation activities;
h. develop and maintain a Report List for the Monthly Status Report;
i. work with the security team on the account to produce the Monthly Status Report and deliver it to your Point of Contact within the scheduled timeframe;
j. work jointly with you to manage the priority of new Event Source deployment and participate in technology roadmap discussions;
k. manage Change Requests via the Contract Change Control Procedure specified in the Schedule;
l. conduct weekly briefings via teleconference with your Point of Contact and your Key Stakeholders; and
m. conduct monthly operational review teleconferences or on-site meetings with your Point of Contact and your Key Stakeholders to review security status, risks, Issues, Incidents, outstanding activities, and trends.
3.2.2 Your Point of Contact Responsibilities
a. serve as the interface between IBM's project team and your key stakeholders as it pertains to the Service;
b. provide an executive sponsor for the Service to communicate management commitment to the project;
c.
d. ensure all tasks that impact resource utilization are authorized in a timely manner;
e. obtain and provide applicable information, data, consents, decisions and approvals as required by IBM to perform the Services, within two business days of IBM's request;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
g. provide specific documentation with regard to information security policy, standards, and audit controls that could assist with the discovery and requirements definition process;
h.
i. delegate authority for these responsibilities to at least one Authorized Security Contact if different from your Point of Contact; and
j. help resolve Services Issues and escalate Issues within your organization, as necessary.
3.2.3 IBM Authorized Services Contacts Responsibilities
b.
(1)
(2) the authorization to create unlimited Designated Services Contacts and MSS Portal Users;
(3)
c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the MSS Features; and
d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a pre-shared challenge pass phrase.
3.2.4 IBM Designated Services Contacts Responsibilities
a. verify the identity of Designated Services Contacts using an authentication method that utilizes a pre-shared challenge pass phrase; and
b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible.
3.2.5 Your Authorized Security Contacts Responsibilities
a. provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for:
(1)
(2) authenticating with the SOCs using a pre-shared challenge pass phrase; and
(3) maintaining notification paths and your contact information, and providing such information to IBM;
b. ensure at least one Authorized Security Contact is available 24 hours per day, seven days per week;
c. update IBM within three calendar days when your Authorized Security Contact information changes; and
d. acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM Managed Security Services for which you have contracted.
3.2.6 Your Designated Services Contacts Responsibilities
a. provide IBM with contact information and role responsibility for each Designated Services Contact (such Designated Services Contacts will be responsible for authenticating with the SOCs using a passphrase); and
b. acknowledge that a Designated Services Contact may be required to be available 24 hours per day, seven days per week, based on the subset of responsibilities for which he/she is responsible.
4.0 Managed SIEM Foundational Features
4.1 MSS Portal
The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage the security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.
The Portal may also be used to deliver Education Materials. All such Education Materials are licensed, not sold, and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.
4.1.1 IBM MSS Portal Responsibilities
a. provide access to the MSS Portal 24 hours per day, seven days per week, except during maintenance windows and emergency maintenance if required. The MSS Portal will provide:
(1)
(2)
(3)
(4)
(5)
(6) access to Education Materials in accordance with the terms provided in the MSS Portal; and
b. provide a username, password, URL, and appropriate permissions to access the MSS Portal.
4.1.2 Your MSS Portal Responsibilities
a.
b. ensure your employees accessing the MSS Portal on your behalf comply with the Terms of Use provided therein including, but not limited to, the terms associated with Education Materials;
c. appropriately safeguard your login credentials to the MSS Portal (including not disclosing such credentials to any unauthorized individuals);
d.
e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from your failure to safeguard your login credentials.
4.1.3 IBM MSS Portal Users Responsibilities
(b)
(c) live chat communications with SOC analysts regarding specific Incidents or Tickets generated as part of the Services;
(d) creating internal Services-related Tickets and assigning such Tickets to Portal users;
(e)
(2) regular user capabilities, which will include all of the capabilities of an administrative user, for the SIEM Agents to which they have been assigned, with the exception of creating Portal users;
(3) restricted user capabilities, which will include all of the capabilities of a regular user, for the SIEM Agents to which they have been assigned, with the exception of:
(a)
(b)
b.
c. authenticate MSS Portal Users using two-factor authentication tokens you provide (RSA SecurID).
4.1.4 Your MSS Portal Users Responsibilities
a. that Portal users will use the Portal to perform daily operational Services activities;
b. to be responsible for providing IBM-supported RSA SecurID tokens (as applicable); and
c. acknowledge the SOCs will only interface with Authorized Security Contacts and Designated Services Contacts.
4.2 Security Reporting
Security reporting is provided using a combination of the MSS Portal and the native SIEM System console.
4.2.1 IBM Security Reporting Responsibilities
a.
b.
c. number of security Incidents detected and their priority and status; and
d.
4.2.2 Your Security Reporting Responsibilities
a.
b. be responsible for scheduling MSS operational reports as desired within the MSS Portal; and
c.
4.3 IBM X-Force Threat Analysis
4.3.1 IBM Security Intelligence Responsibilities
a. provide access, via the MSS Portal, to the X-Force Hosted Threat Analysis Service for all MSS Portal Users;
b.
c. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the MSS Portal;
d. if configured by you, provide an Internet security assessment email based on your subscription, each business day;
e.
f. declare an Internet emergency if the daily Internet threat level reaches threat level 3;
g. provide MSS Portal feature functionality to create and maintain a vulnerability watch list;
h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and
i. provide access to the regularly produced IBM X-Force Threat Analysis Service Reports, via the MSS Portal.
4.3.2 Your Security Intelligence Responsibilities
b.
c.
d. adhere to the licensing agreement and not forward Services information to individuals who do not have a proper license.
5.0 Managed SIEM Service Phases
5.1 Phase One - Project Initiation and Planning
5.1.1 IBM Project Initiation and Planning Responsibilities
Activity 1 - Kickoff
a. facilitate a project initiation teleconference, for up to four hours, on a mutually agreed date and time to:
(1)
(2)
(3)
(4)
(5)
(6)
(b)
b. provide the Service Questionnaire to you for completion, which includes, but is not limited to, data gathering questions such as:
(1)
(2)
(3)
(4)
(5) key business drivers and/or dependencies that could influence Service delivery or timelines;
c.
d.
Completion Criteria: This activity will be complete when the project initiation teleconference has been conducted.
Deliverable Materials: None
Activity 2 - Requirements Definition and Planning Session
The purpose of this activity is to compile your requirements and create a Project Plan with timeline and milestones. IBM will conduct a Planning Session of up to eight hours in duration on your premises to assess the environment and define SIEM System requirements. During and subsequent to the Planning Session, IBM will:
a.
b.
c.
d.
e. perform an architecture review and analysis to identify network infrastructure and communication requirements;
f. discuss industry regulations and standards that drive your data protection requirements for security auditing and event management;
g.
(2)
h. connect to your network through the Internet, using your standard access methods;
i. if appropriate, utilize a site-to-site virtual private network (VPN) to connect to your network;
j.
k.
(1)
(2)
(3)
(4)
(5)
Completion Criteria: This activity will be complete when IBM has delivered the initial Project Plan to your Point of Contact.
Deliverable Materials: Project Plan, consisting of the following:
(1)
(2)
(3)
(4)
(5)
5.1.2 Your Project Initiation and Planning Responsibilities
a. work with IBM to schedule the project initiation teleconference such that all participants have enough notice to attend;
b. ensure, to the extent possible, that all your key stakeholders participate in the project initiation teleconference and/or the Planning Session;
c. work with IBM to schedule the Planning Session such that all participants have enough notice to attend;
d. invite and confirm attendance of all intended participants of the Planning Session, and arrange the meeting room and all logistics on your premises;
e. complete the Service Questionnaire and deliver it to the SSM five days prior to the Planning Session;
f.
g. schedule a review of the Project Plan such that all participants have enough notice to attend;
h. review and comment on the draft Project Plan to ensure IBM can finalize the plan within five business days after submitting the draft to your Point of Contact; and
i. provide subject matter experts for each of the in-scope Event Sources.
5.2 Phase Two - SIEM System Design
5.2.1 IBM SIEM System Design Responsibilities
Activity 1 - Process and Data Gathering
a. conduct interview(s) and review documentation to establish the business goals, security objectives, and high-level requirements relevant to the SIEM implementation;
b.
c.
(1) Incident management;
(2) change management;
(3) problem management;
(4)
(5)
(6)
(7) SOC operations;
(2) Flow sources;
(3) QFlow sources;
(4) network structure;
(5) vulnerability tools;
(6)
(7)
d. compile collected process documentation and data elements within a central repository for use by IBM delivery personnel and your Authorized Security and Designated Services Contacts.
Completion Criteria: This activity will be complete when the aforementioned process documentation and data elements have been collected, or when that collection is waived by you because the material is non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.
Deliverable Materials: None
Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation
The purpose of this activity is to define, document, and map (or review, if already deployed) functional and non-functional requirements for the SIEM System. IBM will:
a. collaborate with you to define, document, and map the following functional requirements as they pertain to the SIEM System:
(1) logging;
(2) Event collection;
(3) normalization;
(4) correlation;
(5) storage;
(6) system access;
(7) reporting; and
(8) customization requirements;
b. collaborate with you to define, document, and map the following non-functional requirements as they pertain to the SIEM System:
(1) monitoring;
(2) retention;
(3) reporting;
(4)
(5)
(6) disaster recovery.
Completion Criteria: This activity will be complete when the aforementioned functional and non-functional requirements have been documented, or are waived by you because they are non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.
Deliverable Materials: None
Activity 3 - Architecture Design
The purpose of this activity is to develop, modify, or, if already deployed, review the high-level
architectural design for the Service. IBM will:
a.
design and document or review architecture for installing the SIEM System hardware and software
components (if not already deployed); and
b.
review SIEM System architecture and make recommendations based on findings identified in the
Process and Data Gathering and Detailed Functional and Non-Functional Requirements Definition
and Documentation Activities.
Completion Criteria: This activity will be complete when IBM has reviewed the SIEM System
architecture.
Deliverable Materials: None
Activity 4 - System Design
The purpose of this activity is to develop both macro and micro system design elements to be
implemented in order to reach an initial steady state of operations. IBM will:
a.
(2)
(3)
(4)
(5)
(6)
(7)
Z126-6526-AT-1 04-2014
Page 15 of 34
Z126-6526-WW-1 04-2014
(8)
(9)
customization requirements;
c.
(2)
use cases;
(3)
(4)
(5)
prepare the SIEM Macro and Micro Design deliverable which will include:
(1) strategy considerations including but not limited to SIEM business drivers and goals, SIEM security objectives, and functional and non-functional requirements; and
(2)
Completion Criteria: This activity will be complete when IBM has completed the system design.
Deliverable Materials: None
Activity 5 - Design Review
The purpose of this activity is to review the design and finalize the Project Plan. IBM will:
a.
b.
c.
d. deliver the SIEM Macro and Micro Design to your Point of Contact; and
e. if requested, review the design and Project Plan with your Point of Contact and your key stakeholders via teleconference or electronically.
Completion Criteria: This activity will be complete when the SSM has delivered the SIEM Macro and
Micro Design and the final Project Plan report to your Point of Contact.
Deliverable Materials: SIEM System Macro and Micro Design and updated Project Plan
The SIEM System Macro and Micro Design will comprise strategy considerations including SIEM
business drivers, SIEM security objectives, and functional and non-functional requirements. Additionally
at the macro and micro architectural level, it will include SIEM use cases, SIEM and vulnerability
management system and process integration plan, SIEM alert classification criteria, SIEM data/log source
phased integration plan, SIEM reporting requirements, SIEM user accounts and roles, SIEM Dashboards,
SIEM uDSM integration, preliminary SIEM network hierarchy weighted by risk, and preliminary asset
groups weighted by risk.
5.2.2
provide current network topology diagrams and/or textual descriptions of data and communications
paths, protocols, media types, and bandwidth capacity to IBM; and
b.
5.3
5.3.1
Schedule. Completion of Phase Two activities, or making available information equivalent to that
resulting from Phase Two activities, is a prerequisite for the commencement of the Implementation
services described herein. Upon Services renewal, Implementation activities are not included as part of
your ongoing renewable services contract.
Activity 1 - Install Console Appliance
The purpose of this activity is to install and configure the console appliance. IBM will:
a.
(1) hostname;
(2) IP address;
(3) default gateway;
(4)
(5) email server;
(6) passwords; and
(7) license key;
b. test connectivity through HTTPS and SSH and ensure that the system is functioning correctly;
c.
(2)
(3)
(4) Flow Source configuration, if included in the SIEM Macro and Micro Design;
(5) vulnerability assessment configuration, if included in the SIEM Macro and Micro Design;
(6)
(7)
(8) license management;
(9) customize Views;
b.
c.
d.
e. determine if equations for detecting threats in traffic are appropriate for your requirements;
f.
g.
h.
i.
j.
k.
l.
m.
n.
o.
p. configure additional SIEM Agents per the SIEM Macro and Micro Design.
Completion Criteria: This activity will be complete when the console appliance has been customized for
your environment.
Deliverable Materials: None
Activity 3 - Deploy Log Collection for Production Environment
The purpose of this activity is to deploy log collection in the production environment. IBM will collect
events from up to three instances of the Log Source types as defined in the design phase. Only Log
Sources natively supported by standard Device Support Modules (DSMs) will be collected. No custom
parsers or uDSMs will be created in this activity. Log Source collection is limited to standard configuration
guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to
you upon request.
Completion Criteria: This activity will be complete when IBM has collected events from up to three
instances of the Log Source types for the production environment.
Deliverable Materials: None
Activity 4 - Deploy Flow Collection for Production Environment
The purpose of this activity is to deploy Flow collection in the production environment if Flow
Collectors/Processors are included in the SIEM Macro and Micro Design. IBM will collect network activity
from up to three instances of Flow sources. Flow Source collection is limited to standard configuration
guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to
you upon request.
Completion Criteria: This activity will be complete when IBM has deployed flow collection, if applicable,
in the production environment.
Deliverable Materials: None
Activity 5 - Initial Tuning for Production Environment
The purpose of this activity is to perform initial tuning which is focused on enabling out-of-the-box content
as well as reducing white noise and false positives. IBM will:
a.
(2)
(3)
(4)
b. lead your technical personnel through the tuning process to reduce the number of Offenses to a practical level for the environment; and
c. collaborate with you and other IBM delivery personnel to determine which standard alerting and reporting elements to enable.
Completion Criteria: This activity will be complete when IBM has performed initial tuning in the
production environment.
Deliverable Materials: None
5.3.2
a. be responsible for the procurement and provision of all hardware and software;
b. be responsible for the physical installation, rack mounting, powering, and network addressing of all SIEM System components and any other necessary equipment;
c. ensure and validate that backups of system and user data have been performed before the SIEM System components are deployed;
d.
e.
(2)
(3)
(4) record installation key(s) located on appliance(s) (sticker placed on top of appliance or located with shipping documentation);
(5)
(6) attach monitor & keyboard (or provide KVM/DRAC equivalent) to all appliances or provide equivalent access, if requested;
(7)
(8) identify appliance network settings: Hostname, IP Address, Subnet mask, Default gateway, NTP/DNS/Mail servers;
(9) if requested, provide a workstation to IBM delivery personnel for connecting to the QRadar console that has the following attributes:
(a) can access the QRadar console on TCP ports 22, 10000, 80 and 443;
(b) has operational secure shell (SSH) and secure copy (SCP/SFTP) programs installed;
(c) has a recent version of Mozilla Firefox (preferred), or Internet Explorer 8.0 or 9.0 with Compatibility View enabled;
(d)
(e)
(10) if requested, configure firewalls between the workstation and the QRadar console to allow the specified connections as instructed by QRadar technical product documentation;
(11) configure span/mirror ports and/or taps, if necessary and defined in the SIEM Macro and Micro Design;
(12) identify Event Sources, type, and numbers for log collection;
(13) identify vulnerability scanner systems desired for integration into QRadar if included in the SIEM Macro and Micro Design;
(14) identify Network Hierarchy: Subnet Name, Description, IP/CIDR values, Risk weight (see Install Guide and/or Admin Guide for additional information);
(15) identify Critical Assets: Hostname, IP address(s), type (domain controller, mail, web, DNS, scanners, firewalls, etc.);
f. enable appropriate audit (log) settings and communications channels on the Event Sources and direct the Event Sources to the SIEM System;
g.
h.
i. be responsible for validating and approving outputs from each activity as requested by IBM;
j. be responsible for system and data restore in the event of a production system malfunction after the SIEM Agent is deployed;
k. be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment;
5.4
l. grant access up to and including full administrative rights as appropriate to IBM personnel for SIEM System components as required for on-site and remote service delivery within one week of Contract Start Date;
m. provide a general description of Event Sources, including applicable Log Sources, Flow Sources, and Assets as identified by vulnerability scans to IBM;
n. provide Log Source samples to IBM for the creation of uDSMs/custom agents if requested;
o. provide direct access by IBM to subject matter experts who are responsible for the management of the core purpose of each Event Source platform;
p. ensure that your staff is available to provide such assistance as IBM reasonably requires and that IBM is given reasonable access to your senior management, as well as any members of your staff to enable IBM to provide the Services and ensure that your staff has the appropriate skills and experience;
q. provide all information and materials reasonably required to enable IBM to provide the Services and ensure that all information disclosed or to be disclosed to IBM is and will be true, accurate, and not misleading in any material respect;
r.
s.
t. make available appropriate staff to shadow deployment activities for knowledge transfer purposes; and
u. acknowledge that IBM will not be liable for any loss, damage, or deficiencies in the Services, if any, arising from inaccurate, incomplete, or otherwise defective information and materials supplied by you.
5.4.1
b.
c. create a Runbook;
d. work jointly with you to define and document how changes are considered, initiated, processed, recorded, and administered into a mutually agreed upon change management process;
e. determine, develop, and review detailed reporting requirements for in scope Event Sources;
f.
g.
h. review connectivity needs and access establishment for ongoing service readiness;
i.
j.
k.
Completion Criteria: This activity will be complete when IBM has delivered the Runbook and
Communications Plan electronically to your Point of Contact.
Deliverable Materials: Runbook and Communications Plan
The Communications Plan will comprise:
(1) information and knowledge sharing process and vehicle among workgroups, business units, and third party entities as it pertains to the Service;
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(2)
(3) contact list with name, title, vendor, email address, phone number, location, role description, and asset ownership (if applicable) for IBM and your personnel associated with the project;
(4) security Incident severity definitions including severity level, classification criteria, and severity description;
(5)
(6)
(7) your applications that will be used by IBM in the delivery of services, such as the SIEM System and one other application, if requested;
(8) your contact for each application that will be used by IBM in the delivery of services;
(9) the business purpose of each application that will be used by IBM in the delivery of services;
(10) software release management procedures for in-scope Event Sources; and
(11) the agreed-to interconnectivity and network access solution to be used by IBM in the delivery of services.
Activity 2 - Reports Definition and Validation
The purpose of this activity is to define regular reports for review and analysis by you and/or by IBM if the
Reports Generation, Review, and Analysis optional feature is included in the Services as specified in the
Schedule. If the optional Reports Generation, Review, and Analysis feature is not included, reports
defined in this activity may not be manually reviewed or analyzed by IBM prior to being provided to you,
with the exception of the Monthly Status Report which is a formal deliverable. IBM will:
a. work with you to define substance, criteria, filters, format, distribution vehicle, recipients, and frequency of SIEM-generated reports;
b. work with you to define substance, format, distribution vehicle, recipients, and frequency of operational status reports;
c. configure Event Source communication disruption alerting to be sent via email daily to one or more Authorized Security Contacts or Designated Services Contacts as defined in the Communications Plan, if requested, and allows IBM to configure communication settings for your mail server in the SIEM System;
d.
e.
f.
Once accepted by you, the identified reports will remain the same for the duration of the contract unless
modified via the change management process as documented in the Runbook.
Completion Criteria: This activity will be complete when the agreed upon report set and Monthly Status
Report sample have been delivered to Your Point of Contact.
Deliverable Materials: Monthly Status Report
The Monthly Status Report will be prefaced by the Report List. The Report List will comprise a summary
of the reports being provided, including the long form report title, the data source, the format, the report
recipient, and the distribution mechanism. The Report List will be developed prior to steady state
operations and will be mutually agreed upon. Each report will consist of the following as appropriate:
a.
b. SIEM-generated reports which may include but are not limited to:
(1)
(2)
(3) trend analyses that reveal trends in policy exceptions and user behavior;
(4)
(5)
(6)
status information including, but not limited to, the following content as appropriate:
(1)
(2)
(3)
(4)
(5)
(6)
(7)
Regular monthly reports will be consolidated into one Word document or PowerPoint presentation and
delivered to your Point of Contact electronically. The Monthly Status Report will be made available by the
15th of the next calendar month or at a later date if mutually agreed.
Activity 3 - Readiness Assessment
The purpose of this activity is to document the as-built state of the environment in a presentation and
assess readiness for transitioning to steady state operations. IBM will:
a. verify that in-scope Event Sources are functional with regard to the Services to be delivered;
b. re-baseline Service Features to determine whether any project changes need to be executed;
c. verify that the completion criteria have been met for each activity in this phase;
d. verify that the Deliverable Materials have been provided for each activity in this phase;
e.
f. prepare a transition summary presentation that describes the fulfillment of the Project Plan; and
g. conduct a readiness assessment teleconference for up to two hours to review the transition summary presentation with Your Point of Contact or your key stakeholders, if requested.
Completion Criteria: This activity will be complete when IBM has completed the readiness assessment
teleconference.
Deliverable Materials: None
Activity 4 - Initiate Steady State Operations
The purpose of this activity is to initiate steady state operations. IBM will conduct a Steady State Initiation
teleconference for up to two hours, to:
a.
b. set expectations for IBM and you regarding roles and responsibilities; and
c.
Completion Criteria: This activity will be complete when IBM has conducted the Steady State Initiation
teleconference.
Deliverable Materials: None
5.4.2
5.5
work with IBM to meet the schedule defined in the Project Plan;
b. provide IBM with access and appropriate permissions to the SIEM System components and in scope Event Sources;
c.
d. provide IBM with workflow for Ticket routing to appropriate workgroup pertaining to technologies in scope;
e. acknowledge that the Communications Plan may be superseded by MSS Portal contact information during the Contract Period;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units including security teams, information technology groups, audit and risk departments, and operations management at your facility;
g. enable appropriate audit (log) settings and communications channels on the Event Sources;
h. provide specific documentation with regard to information security policy, operations, networks, systems, standards and audit controls that could assist the discovery and requirements definition process and provide assistance for clarification and interpretation, if requested;
i. other than as set forth in this Services Description, be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment;
j. schedule meetings and/or teleconferences such that all participants have enough notice to attend; and
k. review and comment on the draft Deliverable Materials to ensure IBM can finalize them within 10 business days after submitting the draft to Your Point of Contact.
5.5.1
monitor alerts and policy exceptions (security events) generated by the SIEM System. After analysis by a SIEM Analyst, security events may be classified as security Incidents. Whether or not a
security event is considered a security Incident is determined solely by IBM. Identified security
events will be classified, prioritized, and escalated as IBM deems appropriate. Security events that
are not eliminated as benign triggers are classified as a security Incident.
b. classify security Incidents into one of the three priorities described below:
(1) Priority 1 - a high priority security Incident in which IBM recommends immediate defensive action be taken;
(2) Priority 2 - a medium priority security Incident in which IBM recommends action be taken within 12 - 24 hours of notification; and
(3) Priority 3 - a low priority security Incident in which IBM recommends action be taken within one to seven days of notification;
c.
d. escalate security Incidents to an Authorized Security Contact or Designated Services Contact in accordance with processes as defined during the Integration and Transition Phase;
e.
f. assist your security teams with performing root cause and impact analysis;
g.
h. consider ongoing policy improvements and notify you of IBM recommended policy changes;
i.
j.
k.
(2)
(3) managing the tickets to resolution / closure, in accordance with the processes as defined in the Integration and Transition Phase;
(4) providing escalation and exception handling for Tickets, consistent with defined processes; and
(5)
Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: Monthly Status Report (Ongoing)
Activity 2 - SIEM System Infrastructure Management
The purpose of this activity is to provide ongoing management and monitoring of the SIEM System
infrastructure, including hardware and software components. When this Service Feature is included in the
Services as specified in the Schedule, IBM will:
a.
b. assist you with troubleshooting steps to be performed by you in order to re-establish connectivity between the SIEM System and IBM;
c.
d.
e.
f.
g.
h.
i.
j. provide problem determination / problem source identification for the SIEM System, consisting of:
l.
(1)
(2)
(3) managing tickets to resolution / closure, in accordance with the processes as defined in the Integration and Transition Phase;
(4) providing escalation and exception handling for tickets in accordance with defined processes; and
(5)
m.
n.
o. install application patches and software updates in order to improve performance, or enable additional functionality (IBM assumes no responsibility for, and makes no warranties concerning, third party vendor-provided patches, updates, or security content);
p. declare a maintenance window in advance of SIEM Agent updates that may require platform downtime or your assistance to complete;
q. perform research and investigation if the SIEM Agent does not perform as expected or a potential SIEM Agent health issue is identified;
r. review on a quarterly basis new security correlation Rules supplied by the vendor and apply to SIEM Agents if applicable, in accordance with the change management process; and
s. review and modify, if necessary, each uDSM on an annual basis when the optional Service Feature for Custom Parser Creation is included with the Services for the quantity specified in the Schedule.
Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: Monthly Status Report (Ongoing)
Activity 3 - SIEM System Change Requests
The purpose of this activity is to process Change Requests to add, update, delete, or modify SIEM
System functions, components, or outputs. When SIEM System Infrastructure Management is included in
the Services as specified in the Schedule, IBM will:
a. review submitted Change Requests to verify justification, feasibility, and completeness; Change Requests may include but are not limited to the following adjustments:
(1)
(2)
(3)
(4)
b.
c. implement approved Change Requests in accordance with your change management process as documented in the Runbook;
d. if necessary, notify the requester that the change exceeds service scope and assist requester with the Contract Change Procedure; and
e.
Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: Monthly Status Report (Ongoing)
5.5.2
b. inform IBM of changes within your environment that are relevant to the Service;
c. enable appropriate audit (log) settings and communications channels on the Event Sources;
d. inform IBM within three calendar days of a change in Your Point of Contact information;
e.
f. ensure that network infrastructure devices, systems, servers, and applications sending security events and logs to the SIEM System meet the most current minimum application system requirements as defined by IBM;
g. be responsible for your own security governance and strategy, including security Incident response procedures;
h.
i.
j.
In addition, if Threat Analyst Event Monitoring and Notification is included in the Services as specified in
the Schedule, You agree to:
(1)
(2)
In addition, when SIEM System Infrastructure Management is included in the Services as specified in the
Schedule, You agree to:
6.0
(1) create and submit a Change Request for all changes as defined in the change management process and documented in the Runbook;
(2) ensure all Change Requests are submitted by an Authorized Security Contact or a Designated Services Contact, in accordance with the change management process;
(3) be responsible for providing sufficient information for each Change Request to allow IBM to successfully perform such change;
(4) contact IBM in the event that the troubleshooting steps do not resolve a SIEM Agent performance or health issue;
(5) assist IBM with remote configuration and troubleshooting of SIEM System components and Event Source transmission issues and be responsible for their ultimate resolution;
(6) allow IBM to monitor the administrative interfaces and/or event stream of the managed SIEM Agents;
(7) acknowledge that:
(a)
(b) data traveling across the Internet is encrypted using industry-standard strong encryption algorithms whenever possible; and
(c) IBM will not initiate additional troubleshooting steps until after notification from you that initial troubleshooting steps did not resolve SIEM Agent performance or health issues;
(d) if the managed SIEM Agent is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM;
(e)
Managed SIEM Optional features are dependent on the complexity level and quantity of the selected optional features specified in the Schedule. IBM will provide MSIEM Optional features based on selection and the additional
charges specified in the Schedule.
6.1
6.1.1
Completion Criteria: This activity will be complete when the uDSMs have been configured and are
transmitting data to the SIEM System.
Deliverable Materials: None
6.2
6.2.1
b.
c.
d.
e.
f. escalate security Incidents to an Authorized Security Contact or Designated Services Contact in accordance with processes as defined during the Integration and Transition Phase;
g. upload log files and reports electronically and in their native formats to a central repository provided by Customer for audit purposes;
h.
i.
Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: None
6.3
6.3.1
6.3.2
acknowledge that, under this Services Description, General SIEM Consulting will be provided based on the usage charge specified in the Schedule; and
b. be responsible for all usage charges associated with General SIEM Consulting you request during the term of the Contract Period specified in the Schedule.
6.4
6.4.1
6.4.2
be responsible for all additional charges associated with API Ticket integration;
b.
c. be responsible for all engineering and development issues associated with Ticket integration; and
d. acknowledge that IBM will not provide assistance or consulting for your ticketing system integration.
Completion Criteria: This activity will be complete when IBM has provided the API to you.
Deliverable Materials: None
6.5
6.5.1
b. configure the vulnerability scanner instances per the SIEM Macro and Micro Design; and
c. validate that vulnerability assessment data populates asset records in the SIEM System.
Completion Criteria: This activity will be complete when IBM has integrated third party vulnerability scan
data into the SIEM System.
Deliverable Materials: None
6.6
6.6.1
work with your technical contacts to configure QVM scan policies for the quantity of IP addresses as
specified in the Schedule;
b. work with your technical contacts to configure dynamic and near-real-time scanning options as applicable;
c. work with your technical contacts to define QVM reports for monthly generation;
d. provide you with read-only QRadar console access so you may view QVM reports and related information (no administrator access will be granted);
e.
f. incorporate QVM findings into weekly briefings and monthly operational reviews; and
g. implement QVM-related Change Requests in accordance with the defined change management process as documented in the Runbook.
Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: None
6.6.2
b. work with IBM delivery personnel to ensure QVM related reports map to your requirements;
c.
d. notify IBM of any network or system changes that would prevent the QVM module from successfully completing the scans;
e. be responsible for the remediation of vulnerabilities discovered by the QVM module or made available to you in the reports; and
f. submit Change Requests for any QVM-related changes using the change management process as defined in the Runbook.
7.0
7.1
SLA Overview
IBM Service Level Agreements (SLAs) establish response time goals (Service Level Targets) for
specific activities. The SLAs become effective at the commencement of Phase Five, Ongoing Operational
Support (Steady State Operations). The SLA defaults described below comprise the measured metrics
for the delivery of the Service. Unless explicitly stated below or as set forth in the Agreement, no
warranties of any kind shall apply to Services delivered under this Services Description. Upon the
initiation of Steady State as mutually agreed upon by you and IBM, the Service Level Agreements
become effective. Service Level Agreements (also referred to as SLA Availability, in the Schedule) are
as follows:
Service Feature                               SLA Target           SLA Remedy
Service Availability                          100%
Portal Availability                           99.9%
Priority 1 Security Incident Notification     15/30/60 Minutes
Priority 2 Security Incident Notification     12 Hours
Priority 3 Security Incident Notification     24 Hours
30 Minutes
7.2
SLA Definitions
7.2.1
Service Availability
IBM will provide 100% Service availability for the SOCs during Steady State Operations.
7.2.2
Portal Availability
IBM will provide 99.9% accessibility for the Portal except as specified in Scheduled and Emergency
Maintenance.
7.2.3
additional instances of the same Priority 1, 2, or 3 Incident may be suppressed and/or rolled into the
primary ticket of the first instance of the Incident but contact will not be attempted for each new instance of the same Incident other than regular reports as mutually agreed upon during Phase Four,
Activity 2, Reports Definition and Validation;
b. lack of feedback or timely response from an Authorized Security Contact or Designated Services Contact after IBM has attempted to make contact three times over a seven day period can result in a lower prioritization of persistent or recurring activity as it pertains to Priority 1, 2, and 3 Incidents;
c. IBM will stop contacting an Authorized Security Contact or Designated Services Contact if, after four Information Requests, an adequate response has not been provided by you within seven days of the fourth Information Request for the same Incident or aggregated, related Incidents;
d. if a response is needed from an Authorized Security Contact or Designated Services Contact in order to investigate and close a Ticket, tune Rules, or otherwise enhance the delivery of the Services, possible response options will be listed for you in the Information Request, such that selecting any one of the possible response options will be deemed an adequate response for the purposes of the Information Request; and
e.
7.2.4
if IBM does not receive an adequate response to an Information Request after four attempts, IBM
reserves the right to make environmental assumptions and take one or more of the following actions:
(1)
(2)
(3)
7.3
7.4
identify, record, track, and manage the Incident and/or problem identified as potentially having IBM
SLA implications from identification through service restoration by:
(1)
(2)
(3) utilizing the ticketing system described herein to manage workflow and reporting;
c.
d. identify and remedy the failure, and report on any consequences of the failure;
e. provide you with a written, electronic report detailing the cause of and procedure for correcting such failure; and
f. if the RCA points to MSS or the SIEM System, substantiate to you that all reasonable actions have been taken to prevent recurrence of such failure and notify you that the service has been restored.
SLA Remedies
You will be entitled to a Service Credit if a Service Feature does not meet the corresponding Service
Level Target. The amount of any such Service Credit shall be determined using then-current
Schedule(s). You may obtain no more than one Service Credit for each SLA per day, and aggregate
Service Credits in a calendar month shall not exceed a total of the Steady State Operations monthly fee.
Each Service Credit will be applied as a one-time credit on the invoice for the month following the month
in which IBM failed to meet an SLA. The IBM MSS Remedy system will be used as the system of record
for managing and tracking Service Level Agreement metrics and adherence. Such Service Credit is the
sole remedy for failure to meet any of the SLAs described in this Services Description.
8.0
Deliverable Materials
The Deliverable Materials, identified as Type II Materials, are summarized below and subject to the
Deliverable Materials Acceptance Procedure:
a.
b.
c. Communications Plan
d. Runbook
e.
Each of the above Deliverable Materials will be reviewed and accepted in accordance with the following procedure; however, subsequent submissions of Monthly Status Reports are not subject to the following procedure and are considered accepted upon delivery:
(1)
One copy of the Deliverable Material will be submitted to your Point of Contact, Authorized
Security Contact, or Designated Services Contact as defined in the Communications Plan for
each Deliverable Material. It is the responsibility of your contact to make and distribute
additional copies to any other reviewers.
(2)
Within five business days of receipt, your contact will either accept the Deliverable Material or
provide IBM with a written list of requested revisions. If IBM receives no response from your
contact within five business days, then the Deliverable Material will be deemed accepted.
(3)
IBM will consider your contact's timely request for revisions, if any, within the context of IBM's
obligations as stated in the Deliverable Materials descriptions.
(4)
The revisions recommended by your contact and agreed to by IBM will be made and the
Deliverable Material will be resubmitted to your contact, at which time the Deliverable Material
will be deemed accepted.
(5)
The revisions recommended by your contact not agreed to by IBM will be managed in
accordance with the Contract Change Procedure specified in the Schedule.
(6)
In the event of any conflict arising from the acceptance of Deliverable Materials, you agree that your
Point of Contact will help resolve Services Issues and escalate Issues within your organization, as
necessary.
9.0
9.1
IBM may terminate this license if you do not comply with any of the terms of this SOW.
b.
Upon termination of this license, you agree to destroy all copies of, and make no further use of,
Universal Log Agent, and certify such destruction to IBM.
By accepting receipt of the Universal Log Agent, you agree to the following Terms of Use: During the
term of your IBM Managed Security Services, IBM grants you a limited nonexclusive, nontransferable
license solely to internally use the Universal Log Agent. Except as otherwise provided herein, the terms of
your agreement for the Managed Security Services with IBM shall apply to IBM's provision, and your use,
of any Universal Log Agent. No title to or ownership in the Universal Log Agent is transferred to you.
Your rights will at all times be subject to IBM's copyrights and other intellectual property rights, and IBM
will retain all right, title and interest in the Universal Log Agent and any derivative works thereof.
UNIVERSAL LOG AGENT IS PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY
KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF
PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS. Universal Log Agent may not be: 1) used,
copied, modified, or distributed except as expressly provided herein; 2) reverse assembled, reverse
compiled, or otherwise translated, except as specifically permitted by law without the possibility of
contractual waiver; 3) sublicensed, rented, or leased; or 4) used for commercial purposes, including
commercial research, consulting or running a business. You may not create derivative works based on
the Universal Log Agent and shall not remove any notices included in the Universal Log Agent. You may
not use the Universal Log Agent to design, develop or test software applications for any commercial
purposes. You may not allow others to use your passwords to gain access to IBM's restricted Web sites
or use the Universal Log Agent for any purposes. The Universal Log Agent is considered confidential to
IBM and you shall hold such confidential information ("Information") in trust and confidence for IBM. You
will use the same care and discretion to avoid disclosure of the Information as you use with your own
similar information which you do not wish to disclose. During such period, you may only disclose the
Information to (1) your employees who have a need to know, and (2) any other party with IBM's prior
written consent. Prior to any such disclosure, you must have a written and appropriate agreement with
your employees and any other party authorized to receive such Information sufficient to require the party
to treat the Information in accordance with these Terms of Use. You may use such Information only for
the purpose for which it was disclosed or otherwise for the benefit of IBM. These Terms of Use impose
no obligation upon you regarding the Universal Log Agent or any information contained in it where such
items: (1) are or become publicly available through no fault of yours; or (2) are developed independently
by you.
9.2
9.3
a.
excessive amounts of log messages may be generated, resulting in excessive log file disk space
consumption;
b.
the performance and throughput of your systems, as well as the performance and throughput of
associated routers and firewalls, may be temporarily degraded;
c.
d.
your computer systems may hang or crash, resulting in system failure or temporary system
unavailability;
e.
any service level agreement rights or remedies will be waived during any testing activity;
f.
g.
some aspects of the Services may involve intercepting the traffic of the monitored network for the
purpose of looking for events; and
h.
new security threats are constantly evolving and no service designed to provide protection from
security threats will be able to make network resources invulnerable from such security threats or
ensure that such service has identified all risks, exposures and vulnerabilities.
Disclaimer
You understand and agree:
a.
that it is solely within your discretion to use or not use any of the information provided pursuant to
the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose
not to take based on the Services performed and/or deliverables provided hereunder;
b.
that it is your sole responsibility to provide appropriate and adequate security for the company, its
assets, systems and employees;
c.
that IBM's performance of the Services does not constitute any representation or warranty by IBM
about the security of your computer systems including, but not limited to, any representation that
your computer systems are safe from intrusions, viruses, or any other security exposures;
d.
that Linux and any other Open Source Software (OSS), including patches, fixes, and updates,
which IBM installs, configures, updates, operates, or otherwise assists in procuring on your behalf
as a result of providing services under this Services Description are licensed and distributed to you
by Linux and OSS distributors and/or respective copyright and other right holders, including Red
Hat, Inc. and/or Novell, Inc. (Right Holders) under such Right Holders' terms and conditions. IBM
is not a party to the Right Holders' terms and conditions, and installs any OSS AS IS. You and
IBM agree that any modification or creation of derivative works of OSS is outside the scope of this
Services Description. IBM is not a distributor of OSS and does the work described in this Services
Description for you upon your specification. You receive no express or implied patent or other
license from IBM with respect to any OSS. IBM makes no representations and disclaims all
warranties with respect to any OSS, express or implied, including the implied warranties of
merchantability and fitness for a particular purpose. IBM does not indemnify against any claim that
OSS infringes a third party's intellectual property rights. UNDER NO CIRCUMSTANCES SHALL
IBM BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OSS.
9.4
IBM staffs Services on a national basis with either local or non-local resources based upon resource
availability at Services enablement. At the start of Services and on an ongoing basis, our point of
contacts will work together to mutually determine any on-site requirements of non-local perform
resources. For on-site engagements spanning multiple weeks, the typical 40 hour work week of full
time non-local resources normally consists of the resource traveling to your site(s) on Monday,
returning to their home city at the end of the work day on Thursday and performing Services related
activities remotely on Friday, as applicable. During weeks with a national holiday or during periods
when a resource is not required to be on-site full time, both parties will work together to define an
alternate full time work schedule. Such alternate work schedule may include the resource
performing applicable Services-related activities remotely.
b.
You acknowledge that: (a) IBM is not required to perform any work outside the scope described in
this Services Description, (b) to the extent IBM does perform any work outside of scope, IBM may
cease to perform such work at any time and (c) any changes to the scope must be agreed to in
accordance with the Contract Change Procedure specified in the Schedule.