
IBM Infrastructure Security Services

Managed Security Information and Event Management


Service Description

Z126-6526-AT-1 04-2014

Page 1 of 34

Z126-6526-WW-1 04-2014

IBM Österreich Internationale Büromaschinen Gesellschaft m.b.H.

IBM Managed Security Information and Event Management

A-1020 Wien, Obere Donaustraße 95
Telephone (01) 211 45-0*
Fax (01) 216 08 86
Registered office: Vienna
Commercial register number: FN 80000 y
Commercial register court: Handelsgericht Wien (Commercial Court of Vienna)
DVR: 0003824

Status: April 2014

Table of Contents
1.0 Scope of Services ...................................................................................................................................................... 5
2.0 Definitions ................................................................................................................................................................... 5
2.1 General Terms ................................................................................................................................................... 5
2.2 QRadar Technology Terms ................................................................................................................................ 6
2.3 Service Roles ..................................................................................................................................................... 7
3.0 Managed SIEM Services Contacts ............................................................................................................................ 7
3.1 Security Operations Center ................................................................................................................................ 7
3.2 Points of Contact ................................................................................................................................................ 7
3.2.1 IBM Point of Contact Responsibilities .................................................................................................... 7
3.2.2 Your Point of Contact Responsibilities .................................................................................................. 8
3.2.3 IBM Authorized Services Contacts Responsibilities .............................................................................. 8
3.2.4 IBM Designated Services Contacts Responsibilities ............................................................................. 9
3.2.5 Your Authorized Security Contacts Responsibilities .............................................................................. 9
3.2.6 Your Designated Services Contacts Responsibilities ............................................................................ 9
4.0 Managed SIEM Foundational Features ..................................................................................................................... 9
4.1 MSS Portal ......................................................................................................................................................... 9
4.1.1 IBM MSS Portal Responsibilities ......................................................................................................... 10
4.1.2 Your MSS Portal Responsibilities ........................................................................................................ 10
4.1.3 IBM MSS Portal Users Responsibilities ............................................................................................... 10
4.1.4 Your MSS Portal Users Responsibilities ............................................................................................. 10
4.2 Security Reporting ............................................................................................................................................ 11
4.2.1 IBM Security Reporting Responsibilities .............................................................................................. 11
4.2.2 Your Security Reporting Responsibilities ............................................................................................ 11
4.3 IBM X-Force Threat Analysis ........................................................................................................................... 11
4.3.1 IBM Security Intelligence Responsibilities ........................................................................................... 11
4.3.2 Your Security Intelligence Responsibilities .......................................................................................... 12
5.0 Managed SIEM Service Phases ............................................................................................................................... 12
5.1 Phase One - Project Initiation and Planning .................................................................................................. 12
5.1.1 IBM Project Initiation and Planning Responsibilities ............................................................................ 12
Activity 1 - Kickoff ......................................................................................................................................... 12
Activity 2 - Requirements Definition and Planning Session .......................................................................... 13
5.1.2 Your Project Initiation and Planning Responsibilities........................................................................... 13
5.2 Phase Two - SIEM System Design................................................................................................................ 14

5.2.1 IBM SIEM System Design Responsibilities ......................................................................................... 14


Activity 1 - Process and Data Gathering....................................................................................................... 14
Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation .............. 14
Activity 3 - Architecture Design .................................................................................................................... 15
Activity 4 - System Design ............................................................................................................................ 15
Activity 5 - Design Review ............................................................................................................................ 16
5.2.2 Your SIEM System Design Responsibilities ........................................................................................ 16
5.3 Phase Three - Implementation ...................................................................................................................... 16
5.3.1 IBM SIEM System Implementation Responsibilities ............................................................................ 16
Activity 1 - Install Console Appliance............................................................................................................ 17
Activity 2 - Customize Console Appliance .................................................................................................... 17
Activity 3 - Deploy Log Collection for Production Environment ..................................................................... 18
Activity 4 - Deploy Flow Collection for Production Environment ................................................................... 18
Activity 5 - Initial Tuning for Production Environment ................................................................................... 18
5.3.2 Your SIEM System Implementation Responsibilities .......................................................................... 18
5.4 Phase Four - Integration and Transition ........................................................................................................ 20
5.4.1 IBM Integration and Transition Responsibilities................................................................................... 20
Activity 1 - Staged Transition to Ongoing Operational Support .................................................................... 20
Activity 2 - Reports Definition and Validation................................................................................................ 21
Activity 3 - Readiness Assessment .............................................................................................................. 22
Activity 4 - Initiate Steady State Operations ................................................................................................. 22
5.4.2 Your Integration and Transition Responsibilities ................................................................................. 22
5.5 Phase Five - Ongoing Operational Support ................................................................................................... 23
5.5.1 IBM Ongoing Operational Support Responsibilities............................................................................. 23
Activity 1 - Threat Analyst Event Monitoring and Notification ....................................................................... 23
Activity 2 - SIEM System Infrastructure Management .................................................................................. 24
Activity 3 - SIEM System Change Requests ................................................................................................ 25
5.5.2 Your Ongoing Operational Support Responsibilities ........................................................................... 25
6.0 Managed SIEM Optional Features........................................................................................................................... 26
6.1 Custom Parser Creation ................................................................................................................................... 26
6.1.1 IBM Custom Parser Creation Responsibilities ..................................................................................... 26
Activity 1 - Custom Parser Creation ............................................................................................................. 26
6.2 Reports Generation, Review, and Analysis ...................................................................................................... 26
6.2.1 IBM Reports Generation, Review, and Analysis Responsibilities ........................................................ 26
Activity 1 - Reports Generation, Review, and Analysis................................................................................. 26
6.3 General SIEM Consulting ................................................................................................................................. 27
6.3.1 IBM General SIEM Consulting Responsibilities ................................................................................... 27
Activity 1 - General SIEM Consulting ........................................................................................................... 27
6.3.2 Your General SIEM Consulting Responsibilities.................................................................................. 27
6.4 Ticket System Integration ................................................................................................................................. 27
6.4.1 IBM Ticket System Integration Responsibilities ................................................................................... 27
Activity 1 - Ticket System Integration ........................................................................................................... 27
6.4.2 Your Ticket System Integration Responsibilities.................................................................................. 27
6.5 Vulnerability Scanner Integration...................................................................................................................... 28
6.5.1 IBM Vulnerability Scanner Integration Responsibilities ....................................................................... 28
Activity 1 - Vulnerability Scanner Integration ................................................................................................ 28
6.6 QRadar Vulnerability Manager Integration and Management .......................................................................... 28

6.6.1 IBM QRadar Vulnerability Manager Integration and Management Responsibilities .............................. 28
Activity 1 - QRadar Vulnerability Manager Integration and Management ...................................................... 28
6.6.2 Your QVM Responsibilities .................................................................................................................. 28
7.0 Service Level Agreements ....................................................................................................................................... 29
7.1 SLA Overview .................................................................................................................................................. 29
7.2 SLA Definitions ................................................................................................................................................. 29
7.2.1 Service Availability .............................................................................................................................. 29
7.2.2 Portal Availability ................................................................................................................................. 29
7.2.3 Security Incident Identification and Notification ................................................................................... 29
7.2.4 SIEM Agent Health Alerting ................................................................................................................. 30
7.3 SLA Root Cause Analysis ................................................................................................................................ 30
7.4 SLA Remedies ................................................................................................................................................. 31
8.0 Deliverable Materials ................................................................................................................................................ 31
9.0 Other Terms and Conditions ................................................................................................................................... 31
9.1 Intellectual Property Services Components ...................................................................................................... 31
9.2 Permission to Perform Testing ......................................................................................................................... 32
9.3 Disclaimer ........................................................................................................................................................ 33
9.4 Employment of Assigned Personnel................................................................................................................. 33


IN ADDITION TO THE TERMS AND CONDITIONS SPECIFIED BELOW, THIS SERVICES DESCRIPTION INCLUDES THE IBM MANAGED SECURITY SERVICES GENERAL PROVISIONS (GENERAL PROVISIONS) LOCATED AT http://www-935.ibm.com/services/at/gts/html/contracts_landing.html AND INCORPORATED HEREIN BY REFERENCE.

1.0 Scope of Services
IBM Managed Security Information and Event Management (Managed SIEM, MSIEM, or Services) is designed to help you plan, implement, manage, and monitor a SIEM System based on your identified business requirements. The Services features described herein are dependent upon the availability and supportability of the products and product features being utilized, including both IBM-provided and non-IBM-provided hardware, software, and firmware. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This Services Description is between the Customer referenced herein (also called "you" and "your") and International Business Machines Corporation (IBM, or Service Provider). The MSIEM Service is performed in phases.
Phase One - Project Initiation and Planning: During this phase, IBM assists you with defining and compiling requirements and develops a Project Plan.
Phase Two - System Design: During this phase, IBM creates an architectural and system design for your environment. If the SIEM System is already deployed, IBM performs a design review instead.
Phase Three - Implementation: During this phase, if the SIEM System is not already deployed, IBM installs and configures the SIEM System components and verifies that data is being transmitted and reported.
Phase Four - Integration and Transition: During this phase, IBM develops processes and corresponding documentation and begins transitioning management and monitoring to the operational support team.
Phase Five - Ongoing Operational Support: During this phase, IBM provides steady state management and monitoring of the SIEM infrastructure.

2.0 Definitions

2.1 General Terms
Alert Condition (AlertCon) - a global risk metric developed by IBM using proprietary methods. The AlertCon is based on a variety of factors, including the quantity and severity of known vulnerabilities, exploits for such vulnerabilities, the availability of such exploits to the public, mass-propagating worm activity, and global threat activity. The four levels of AlertCon are described in the MSS Portal.
Authorized Security Contacts - your decision-maker on all operational issues pertaining to IBM Managed Security Services.
Change Request (CR) - a specific modification to the SIEM System configuration after the initiation of steady state operations, including Event Source and SIEM System component moves, adds, and deletes; SIEM Agent reorganization; network hierarchy modifications; correlation Rule and policy exception alert creation or revision; and report creation beyond the original set.
Designated Services Contacts - your decision-maker on a subset of operational issues pertaining to IBM Managed Security Services.
Education Materials - include, but are not limited to, lab manuals, instructor notes, literature, methodologies, electronic course and case study images, policies and procedures, and all other training-related property created by or on behalf of IBM. Where applicable, Education Materials may include participant manuals, exercise documents, lab documents, and presentation slides provided by IBM.
End Date - the last date of Services, based on the Project Start Date and Contract Period as specified in the Schedule.
Event Source - any operating system, application, agent, daemon, appliance, or device that will be transmitting security event logs or data to the SIEM System.
IBM Managed Security Services (IBM MSS) Portal (called MSS Portal) - provides access to an environment (and associated tools) designed to monitor and manage security posture by merging


technology and service data from multiple vendors and geographies into a common, Web-based interface.
Incident - a security event that requires analysis, investigation, containment, eradication, remediation, or prevention.
Information Request - an email that IBM sends to an Authorized Security Contact or Designated Services Contact to assist IBM with Incident investigation, Offense Rules refinement, and the proactive integration of outputs from the Incident management lifecycle into the overall SIEM System configuration.
Issue - a non-security event that requires analysis, investigation, or resolution.
MSS Portal Users - users of the MSS Portal with different levels of authorization to the MSS Portal. MSS Portal Users can have restricted, regular, or administrative MSS Portal access to all MSS Agent(s) or to just a subset of MSS Agent(s). The MSS Portal views and permissions available to the MSS Portal Users are dictated by the Authorized Security Contact.
Service Feature - a line item in the Schedule that describes a specific component of the Service and is associated with a one-time charge or a monthly charge.
Service Questionnaire - a pre-defined list of data collection questions presented by IBM to you for completion prior to deployment or transition.
Services Recipient - any entity or individual receiving or using the Services or the results of the Services, or acting on behalf of the end user in receiving or using the Services or the results of the Services.
SIEM Agent - the term used to collectively describe any distributed SIEM component.
SIEM System - the hardware and software components and modules that collectively make up the Security Information and Event Management infrastructure.
Ticket - a record created in the problem reporting system that requires action to be taken by you or by IBM, as appropriate.

2.2 QRadar Technology Terms


Dashboard - the default view displayed when logging into QRadar; it provides a customizable workspace environment that supports multiple assortments of items which can be used to view network security, activity, or data that QRadar collects.
Device Support Module (DSM) - the software component that parses incoming events into the QRadar standardized format.
Flow - a collection of packets constituting communication between hosts that share some common properties.
Log Source - maps an incoming Event Source format to a DSM for parsing enhancement or parsing override.
Magnitude - specifies the relative importance of an Offense; it is a weighted value calculated from relevance, severity, and credibility.
Offense (also referred to as an Incident if declared as such) - a message sent or event generated in response to a monitored condition. For example, an Offense informs you if a policy has been breached or the network is under attack. It is an event that has been processed through QRadar using multiple inputs: individual events, and events combined with analyzed behavior and vulnerabilities. Magistrate prioritizes the Offenses and assigns a Magnitude value based on several factors, including number of events, severity, relevance, and credibility.
Offense Manager - the interface used to configure Offenses.
QRadar Vulnerability Manager (QVM) - an add-on module, activated via a license key, that provides an integrated Dashboard consolidating results from multiple vulnerability scanners, risk management solutions, and external threat intelligence; includes a high-speed internal scanner which supports discovery, non-authenticated, authenticated, and Open Vulnerability Assessment Language (OVAL) scans, together with external scanning capabilities to see the network from an attacker's viewpoint; allows suppression of acceptable, false-positive, or otherwise non-mitigated vulnerabilities from ongoing reporting; and presents data within the overall context of security and threat posture. It can be set up to run both dynamic and periodic scans.


Rules - a series of tests that monitors events and flows for a pattern or matching condition in order to generate a response, typically an Offense.
Sentry - monitors collections of Views (flow filters) to generate events and alerts.
uDSM - a universal Device Support Module that is customized by IBM to parse incoming events from the native format of a customer-specific Event Source into the QRadar standardized format.
View - an on-screen display of data that is organized in a specific way; it normalizes flow data and defines how flow data is filtered.

2.3 Service Roles
Unless otherwise stated within the Communication Plan, the support resources assigned as Deployment Engineer, Security Services Manager, Senior Consultant, and Transition Architect will have limited hours of coverage, and support will be provided 9:00 a.m. to 5:00 p.m. Monday through Friday in the time zone selected by you (also referred to as "Business Hours"), except on national holidays and your designated holidays.
Deployment Engineer - The Deployment Engineer (DE) assists with the installation of the SIEM System components. This role participates in Phases One through Three as needed.
Security Services Manager - The Security Services Manager (SSM) serves as an advisor and liaison to broader IBM resources, takes direction from your Point of Contact, and provides project management, contract management, oversight, service delivery expertise, and operational leadership to the IBM team. This role participates in all Phases throughout the contract term.
Senior Consultant - The Senior Consultant participates in Phases One through Four to collect and map functional and non-functional requirements, offer strategic advice to stakeholders as it pertains to in-scope Services, and provide a macro and micro design, or a design review, of the SIEM System. This role also participates in the Readiness Assessment to ensure that the SIEM configuration is primed for a smooth transition to the operational support team.
SIEM System Administrator - The SIEM System Administrator (Admin) participates in Phases Three through Five to manage the SIEM System infrastructure and perform system administration, configuration, tuning, reports generation, and various customization activities for the environment.
SIEM Analyst - The SIEM Analysts (also referred to as Threat Analysts or SOC Analysts) participate in Phases Four and Five, comprising the operational support team that provides Rule customization recommendations, eyes-on-screen monitoring for alert and Incident workflow management, and, when this optional Service Feature is purchased, daily manual reports review and analysis.
Transition Architect - The Transition Architect (TA) participates in Phases One through Four to coordinate and execute the transition activities that transfer management and monitoring of the SIEM System to the operational support team.

3.0 Managed SIEM Services Contacts

3.1 Security Operations Center
The Services are delivered from IBM Security Operations Centers (SOCs). IBM will provide access to the SOCs 24 hours per day, seven days per week during Steady State Operations.

3.2 Points of Contact
To facilitate communications with the IBM team, you will be asked to provide contacts and their access levels so that IBM staff can validate the identity and authority of a contact prior to making system changes. The Services Recipient may choose from multiple levels of access in order to accommodate varying roles within your organization: Transition Focal, Authorized Security Contacts, Designated Services Contacts, and MSS Portal Users.

3.2.1 IBM Point of Contact Responsibilities
IBM will provide a Security Services Manager (SSM) who will be IBM's focal point during performance of the Services. The IBM SSM will:
a. review the Services Description and associated documents with your Point of Contact;


b. serve as a single point of contact to the account management and delivery teams for operational security-related activities during Transition, and as the contract focal during Steady State Operations;
c. maintain and oversee relationships with the delivery organizations providing security support;
d. establish and maintain communications through your Point of Contact, as defined in the section titled "Your Point of Contact Responsibilities";
e. oversee the management of operational security activities, processes, and policies as required;
f. coordinate and manage the technical activities of IBM's assigned personnel;
g. track and assist in the management of the resolution of reported operational security issues, recommend actions, review plans, and monitor progress of remediation activities;
h. develop and maintain a Report List for the Monthly Status Report;
i. work with the security team on the account to produce the Monthly Status Report and deliver it to your Point of Contact within the scheduled timeframe;
j. work jointly with you to manage the priority of new Event Source deployment and participate in technology roadmap discussions;
k. manage Change Requests via the Contract Change Control Procedure specified in the Schedule;
l. conduct weekly briefings via teleconference with your Point of Contact and your Key Stakeholders; and
m. conduct monthly operational review teleconferences or on-site meetings with your Point of Contact and your Key Stakeholders to review security status, risks, Issues, Incidents, outstanding activities, and trends.

3.2.2 Your Point of Contact Responsibilities


Prior to the start of the Services, you will designate a person ("your Point of Contact") to whom all communications relative to the Service will be addressed and who will have the authority to act on your behalf in all matters regarding this Services Description until Authorized Security Contacts and Designated Services Contacts are defined and included in the Communications Plan and/or the MSS Portal. Your Point of Contact will:
a. serve as the interface between IBM's project team and your key stakeholders as it pertains to the Service;
b. provide an executive sponsor for the Service to communicate management commitment to the project;
c. facilitate IBM access to your existing applications and technical infrastructure;
d. ensure all tasks that impact resource utilization are authorized in a timely manner;
e. obtain and provide applicable information, data, consents, decisions, and approvals as required by IBM to perform the Services, within two business days of IBM's request;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, security group, information technology, audit and risk departments, and operations management at your facility;
g. provide specific documentation with regard to information security policy, standards, and audit controls that could assist with the discovery and requirements definition process;
h. define Authorized Security Contacts;
i. delegate authority for these responsibilities to at least one Authorized Security Contact, if different from your Point of Contact; and
j. help resolve Services Issues and escalate Issues within your organization, as necessary.

3.2.3 IBM Authorized Services Contacts Responsibilities


IBM will:
a. allow you to create up to three Authorized Security Contacts;
b. provide each Authorized Security Contact with:


(1) administrative MSS Portal permissions to your MSS Agent(s), as applicable;
(2) the authorization to create unlimited Designated Services Contacts and MSS Portal Users; and
(3) the authorization to delegate responsibility to Designated Services Contacts;
c. interface with Authorized Security Contacts regarding support and notification issues pertaining to the MSS Features; and
d. verify the identity of Authorized Security Contacts using an authentication method that utilizes a pre-shared challenge pass phrase.

3.2.4 IBM Designated Services Contacts Responsibilities


IBM will:
a. verify the identity of Designated Services Contacts using an authentication method that utilizes a pre-shared challenge pass phrase; and
b. interface only with Designated Services Contacts regarding the subset of operational issues for which such contact is responsible.

3.2.5 Your Authorized Security Contacts Responsibilities


You agree to:
a.

3.2.6

provide IBM with contact information for each Authorized Security Contact. Such Authorized Security Contacts will be responsible for:
(1)

creating Designated Services Contacts and delegating responsibilities and permissions to


such contacts, as appropriate;

(2)

authenticating with the SOCs using a pre-shared challenge pass phrase; and

(3)

maintaining notification paths and your contact information, and providing such information to
IBM;

b.

ensure at least one Authorized Security Contact is available 24 hours per day, seven days per
week;

c.

update IBM within three calendar days when your Authorized Security Contact information changes;
and

d.

acknowledge that you are permitted to have no more than three Authorized Security Contacts regardless of the number of IBM Managed Security Services for which you have contracted.

3.2.7 Your Designated Services Contacts Responsibilities

You agree to:
a. provide IBM with contact information and role responsibility for each Designated Services Contact (such Designated Services Contacts will be responsible for authenticating with the SOCs using a passphrase); and
b. acknowledge that a Designated Services Contact may be required to be available 24 hours per day, seven days per week, based on the subset of responsibilities for which he/she is responsible.

4.0 Managed SIEM Foundational Features

Foundational features are included with all variations of the Managed SIEM service regardless of size, complexity, geography, or underlying SIEM technology, and are not optional during the initial Contract Period. Different levels of a feature may be provided, but the features themselves are included with all Managed SIEM services. IBM will provide MSIEM Transition based on the complexity level and for the one-time charge specified in the Schedule.

4.1 MSS Portal

The MSS Portal provides access to an environment (and associated tools) designed to monitor and manage the security posture by merging technology and service data from multiple vendors and geographies into a common, Web-based interface.

The Portal may also be used to deliver Education Materials. All such Education Materials are licensed, not sold, and remain the exclusive property of IBM. IBM grants you a license in accordance with the terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED AS IS AND WITHOUT WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.
4.1.1 IBM MSS Portal Responsibilities

IBM will:
a. provide access to the MSS Portal 24 hours per day, seven days per week, except during maintenance windows and emergency maintenance if required. The MSS Portal will provide:
   (1) multiple levels of access for MSS Portal Users;
   (2) security intelligence awareness and alerting;
   (3) security Incident and/or service Ticket information;
   (4) ticketing and workflow initiation and updates;
   (5) interaction with SOC analysts; and
   (6) access to Education Materials in accordance with the terms provided in the MSS Portal; and
b. provide a username, password, URL, and appropriate permissions to access the MSS Portal.

4.1.2 Your MSS Portal Responsibilities

You agree to:
a. utilize the MSS Portal to perform daily operational Services activities;
b. ensure your employees accessing the MSS Portal on your behalf comply with the Terms of Use provided therein including, but not limited to, the terms associated with Education Materials;
c. appropriately safeguard your login credentials to the MSS Portal (including not disclosing such credentials to any unauthorized individuals);
d. promptly notify IBM if a compromise of your login credentials is suspected; and
e. indemnify and hold IBM harmless for any losses incurred by you or other parties resulting from your failure to safeguard your login credentials.

4.1.3 IBM MSS Portal Users Responsibilities

IBM will:
a. provide multiple levels of access to the MSS Portal, as follows:
   (1) administrative user capabilities, which will include:
       (a) creating Portal users;
       (b) submitting Services requests to the SOCs;
       (c) live chat communications with SOC analysts regarding specific Incidents or tickets generated as part of the Services;
       (d) creating internal Services-related tickets and assigning such Tickets to Portal users; and
       (e) querying, viewing, and updating Services-related tickets;
   (2) regular user capabilities, which will include all of the capabilities of an administrative user, for the SIEM Agents to which they have been assigned, with the exception of creating Portal users; and
   (3) restricted user capabilities, which will include all of the capabilities of a regular user, for the SIEM Agents to which they have been assigned, with the exception of:
       (a) creating and submitting Services requests; and
       (b) updating tickets;
b. authenticate MSS Portal Users using a static password; and
c. authenticate MSS Portal Users using two-factor authentication tokens you provide (RSA SecureID).

4.1.4 Your MSS Portal Users Responsibilities

You agree:
a. that Portal users will use the Portal to perform daily operational Services activities;
b. to be responsible for providing IBM-supported RSA SecureID tokens (as applicable); and
c. to acknowledge that the SOCs will only interface with Authorized Security Contacts and Designated Services Contacts.

4.2 Security Reporting

Security reporting is provided using a combination of the MSS Portal and the native SIEM System console.

4.2.1 IBM Security Reporting Responsibilities

IBM will provide you with access to reporting capabilities within the MSS Portal which include relevant information associated with the Service. Information may include, but is not limited to, some or all of the following (where applicable):
a. number of SLAs invoked and met;
b. number, types, and summary of Services requests / Tickets;
c. number of security Incidents detected and their priority and status; and
d. list and summary of security Incidents.

4.2.2 Your Security Reporting Responsibilities

You agree to:
a. generate MSS operational reports using the MSS Portal;
b. be responsible for scheduling MSS operational reports as desired within the MSS Portal; and
c. retrieve SIEM-generated reports from the SIEM System console.

4.3 IBM X-Force Threat Analysis

Security intelligence is provided by the IBM X-Force Threat Analysis Center. The X-Force Threat Analysis Center publishes an Internet threat-level. The Internet threat-level describes progressive alert postures of current Internet security threat conditions. In the event Internet threat-level conditions are elevated to AlertCon 3, indicating focused attacks that require immediate defensive action, IBM will provide you with real-time access into IBM's global situation briefing. Utilizing the MSS Portal, you can create a vulnerability watch list with customized threat information. In addition, each MSS Portal User can request to receive an Internet assessment email each business day. This assessment provides an analysis of the current known Internet threat conditions, real-time Internet port metrics data, and individualized alerts, advisories and security news.

NOTE: Your access and use of the security intelligence provided via the Portal (including the daily Internet assessment email) is subject to the Terms of Use provided therein. Where such Terms of Use conflict with the terms of this Agreement, the Portal Terms of Use shall prevail over this Agreement. In addition to the Terms of Use provided in the Portal, your use of any information on any links or non-IBM Web sites and resources is subject to the terms of use posted on such links, non-IBM Web sites, and resources.

4.3.1 IBM Security Intelligence Responsibilities

IBM will:
a. provide access, via the MSS Portal, to the X-Force Hosted Threat Analysis Service for all MSS Portal Users;
b. display security information on the MSS Portal as it becomes available;
c. if configured by you, provide security intelligence specific to your defined vulnerability watch list, via the MSS Portal;
d. if configured by you, provide an Internet security assessment email based on your subscription, each business day;
e. publish an Internet threat-level via the MSS Portal;
f. declare an Internet emergency if the daily Internet threat-level reaches threat-level 3;
g. provide MSS Portal feature functionality to create and maintain a vulnerability watch list;
h. provide additional information about an alert, advisory, or other significant security issue as IBM deems necessary; and
i. provide access to the regularly produced IBM X-Force Threat Analysis Service Reports, via the MSS Portal.

4.3.2 Your Security Intelligence Responsibilities

You will use the MSS Portal to:
a. subscribe to the daily Internet security assessment email, at your option;
b. create a vulnerability watch list, if desired;
c. access the IBM X-Force Threat Analysis Service Reports; and
d. adhere to the licensing agreement and not forward Services information to individuals who do not have a proper license.

5.0 Managed SIEM Service Phases

5.1 Phase One - Project Initiation and Planning

During Phase One, the Project Plan will be created, validated, and modified as required. At the completion of this phase and prior to proceeding with further activities in this Services Description, your Point of Contact and the IBM Security Services Manager will assess the results of the Planning Session and either: 1) continue with the Services as described in this Services Description, or 2) upon request, review the possibility of modifying your contract using the Contract Change Procedure. Upon Services renewal, Project Initiation and Planning activities are not included as part of your ongoing renewable services contract.

5.1.1 IBM Project Initiation and Planning Responsibilities

Activity 1 - Kickoff
The purpose of this activity is to finalize the project team members, develop a common understanding of the Service objectives, roles, and responsibilities, and assess your readiness to implement the Service by confirming that the appropriate information is documented. IBM will:
a. facilitate a project initiation teleconference, for up to four hours, on a mutually agreed date and time to:
   (1) initiate the project;
   (2) introduce the project participants;
   (3) discuss project team roles and responsibilities;
   (4) review the project objectives;
   (5) provide an overview of the project methodology; and
   (6) review your environment and organization, including:
       (a) location(s) to be included in the Services; and
       (b) emergency contact plan, including event triggers and establishment of designated telephone number(s) and email address(es);
b. provide the Service Questionnaire to you for completion, which includes, but is not limited to, data gathering questions such as:
   (1) team member names, contact information, roles and responsibilities;
   (2) unique country and site requirements;
   (3) network infrastructure, addressing, and environmental data;
   (4) Event Source inventory; and
   (5) key business drivers and/or dependencies that could influence Service delivery or timelines;
c. develop a preliminary schedule of activities; and
d. agree on a date and time for the Planning Session.

Completion Criteria: This activity will be complete when the project initiation teleconference has been conducted.
Deliverable Materials: None

Activity 2 - Requirements Definition and Planning Session
The purpose of this activity is to compile your requirements and create a Project Plan with timeline and milestones. IBM will conduct a Planning Session of up to eight hours in duration on your premises to assess the environment and define SIEM System requirements. During and subsequent to the Planning Session, IBM will:
a. review the completed Service Questionnaire;
b. review and confirm your business objectives;
c. review existing security policy;
d. review existing IT security environment;
e. perform an architecture review and analysis to identify network infrastructure and communication requirements;
f. discuss industry regulations and standards that drive your data protection requirements for security auditing and event management;
g. provide you with a network access requirements document which details:
   (1) how IBM will connect remotely to your network; and
   (2) specific technical requirements to enable such remote connectivity;
h. connect to your network through the Internet, using your standard access methods;
i. if appropriate, utilize a site-to-site virtual private network (VPN) to connect to your network;
j. create a Project Plan that includes:
   (1) activities and tasks for this Services Description;
   (2) target start dates for the activities in this Services Description;
   (3) target completion dates for the deliverables in each activity as applicable;
   (4) identified milestones; and
   (5) responsible persons and organizations; and
k. review the Project Plan with your Point of Contact.
Completion Criteria: This activity will be complete when IBM has delivered the initial Project Plan to your Point of Contact.
Deliverable Materials: Project Plan, consisting of the following:
   (1) activities and tasks for this Services Description;
   (2) target start dates for the activities in this Services Description;
   (3) target completion dates for the deliverables in each activity as applicable;
   (4) identified milestones; and
   (5) responsible persons and organizations.

5.1.2 Your Project Initiation and Planning Responsibilities

You agree to:
a. work with IBM to schedule the project initiation teleconference such that all participants have enough notice to attend;
b. ensure, to the extent possible, that all your key stakeholders participate in the project initiation teleconference and/or the Planning Session;
c. work with IBM to schedule the Planning Session such that all participants have enough notice to attend;
d. invite and confirm attendance of all intended participants of the Planning Session, and arrange the meeting room and all logistics on your premises;
e. complete and deliver the Service Questionnaire to the SSM five days prior to the Planning Session;
f. review each party's respective responsibilities;
g. schedule a review of the Project Plan such that all participants have enough notice to attend;
h. review and comment on the draft Project Plan to ensure IBM can finalize the plan within five business days after submitting the draft to your Point of Contact; and
i. provide subject matter experts for each of the in-scope Event Sources.

5.2 Phase Two - SIEM System Design

5.2.1 IBM SIEM System Design Responsibilities

During this phase, IBM will work with you to design the elements of the SIEM System based on whether the Services include full implementation and transition, or just transition if already deployed. Upon Services renewal, SIEM System Design activities are not included as part of your ongoing renewable services contract.

Activity 1 - Process and Data Gathering
The purpose of this activity is to gather and review process documentation and data elements that will be needed to develop or review the SIEM strategy for your environment, objectives, and constraints. IBM will:
a. conduct interview(s) and review documentation to establish the business goals, security objectives, and high-level requirements relevant to the SIEM implementation;
b. collect and review IT process documentation, which may include:
   (1) Incident management;
   (2) change management;
   (3) problem management;
   (4) configuration management (including asset management);
   (5) security management (including vulnerability management and risk assessments);
   (6) availability management; and
   (7) SOC operations;
c. collect and review the following data elements:
   (1) data and Log Sources;
   (2) Flow sources;
   (3) QFlow sources;
   (4) network structure;
   (5) vulnerability tools;
   (6) asset data; and
   (7) application listing; and
d. compile collected process documentation and data elements within a central repository for use by IBM delivery personnel and your Authorized Security and Designated Services Contacts.
Completion Criteria: This activity will be complete when the aforementioned process documentation and data elements have been collected, or when that collection is waived by you if non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.
Deliverable Materials: None

Activity 2 - Detailed Functional and Non-Functional Requirements Definition and Documentation
The purpose of this activity is to define, document, and map (or review if already deployed) functional and non-functional requirements for the SIEM System. IBM will:

a. collaborate with you to define, document, and map the following functional requirements as they pertain to the SIEM System:
   (1) logging;
   (2) Event collection;
   (3) normalization;
   (4) correlation;
   (5) storage;
   (6) system access;
   (7) reporting; and
   (8) customization requirements; and
b. collaborate with you to define, document, and map the following non-functional requirements as they pertain to the SIEM System:
   (1) monitoring;
   (2) retention;
   (3) reporting;
   (4) regulatory and contractual considerations;
   (5) high availability; and
   (6) disaster recovery.
Completion Criteria: This activity will be complete when the aforementioned functional and non-functional requirements have been documented, or are waived by you if non-existent, outdated, or otherwise deemed by you or IBM not adequate for inclusion in the design strategy or deliverable. If waived by you or IBM, IBM reserves the right to make assumptions in the design which may require a scope change via the Contract Change Procedure.
Deliverable Materials: None

Activity 3 - Architecture Design
The purpose of this activity is to develop, modify, or, if already deployed, review the high-level architectural design for the Service. IBM will:
a. design and document or review the architecture for installing the SIEM System hardware and software components (if not already deployed); and
b. review the SIEM System architecture and make recommendations based on findings identified in the Process and Data Gathering and Detailed Functional and Non-Functional Requirements Definition and Documentation Activities.
Completion Criteria: This activity will be complete when IBM has reviewed the SIEM System architecture.
Deliverable Materials: None

Activity 4 - System Design
The purpose of this activity is to develop both macro and micro system design elements to be implemented in order to reach an initial steady state of operations. IBM will:
a. define at the macro system design level:
   (1) data/event source collection protocols and methods;
   (2) asset risk weighting criteria;
   (3) asset classification profiles;
   (4) compliance groupings for assets;
   (5) vulnerability scanner usage, configuration, and frequency;
   (6) final reporting requirements (functional and non-functional);
   (7) custom data source requirements (or validate if already defined);
   (8) use case frameworks;
   (9) customization requirements;
   (10) Dashboard requirements for the SIEM console; and
   (11) user accounts and roles;
b. define at the micro system design level:
   (1) data/event source phased integration plan;
   (2) use cases;
   (3) alert classification criteria;
   (4) vulnerability management systems and process integration plan; and
   (5) your network hierarchy (including risk weighting) and associated objects; and
c. prepare the SIEM Macro and Micro Design deliverable, which will include:
   (1) strategy considerations including but not limited to SIEM business drivers and goals, SIEM security objectives, and functional and non-functional requirements; and
   (2) architectural, macro, and micro design elements as defined in this Activity.
Completion Criteria: This activity will be complete when IBM has completed the system design.
Deliverable Materials: None

Activity 5 - Design Review
The purpose of this activity is to review the design and finalize the Project Plan. IBM will:
a. review the architecture and system design;
b. perform one revision of the Project Plan as appropriate;
c. deliver the final Project Plan to your Point of Contact;
d. deliver the SIEM Macro and Micro Design to your Point of Contact; and
e. if requested, review the design and Project Plan with your Point of Contact and your key stakeholders via teleconference or electronically.
Completion Criteria: This activity will be complete when the SSM has delivered the SIEM Macro and Micro Design and the final Project Plan report to your Point of Contact.
Deliverable Materials: SIEM System Macro and Micro Design and updated Project Plan
The SIEM System Macro and Micro Design will comprise strategy considerations including SIEM business drivers, SIEM security objectives, and functional and non-functional requirements. Additionally, at the macro and micro architectural level, it will include SIEM use cases, SIEM and vulnerability management system and process integration plan, SIEM alert classification criteria, SIEM data/log source phased integration plan, SIEM reporting requirements, SIEM user accounts and roles, SIEM Dashboards, SIEM uDSM integration, preliminary SIEM network hierarchy weighted by risk, and preliminary asset groups weighted by risk.

5.2.2 Your SIEM System Design Responsibilities

In order to develop a successful system design for the Service, your participation is necessary. You agree to:
a. provide current network topology diagrams and/or textual descriptions of data and communications paths, protocols, media types, and bandwidth capacity to IBM; and
b. participate in the design process as needed.

5.3 Phase Three - Implementation

5.3.1 IBM SIEM System Implementation Responsibilities

During this phase, if this optional Service Feature is purchased as specified in the Schedule, IBM will install and configure the SIEM System in the production environment and assist with transition to managed operations as documented in the Project Plan. Any required changes to the Project Plan will be handled by the IBM SSM, who will either: 1) continue with the Services as described in this Services Description, or 2) use the Contract Change Procedure to modify the Services scope and corresponding Schedule. Completion of Phase Two activities, or making available information equivalent to that resulting from Phase Two activities, is a prerequisite for the commencement of the Implementation services described herein. Upon Services renewal, Implementation activities are not included as part of your ongoing renewable services contract.

Activity 1 - Install Console Appliance
The purpose of this activity is to install and configure the console appliance. IBM will:
a. configure the following settings:
   (1) hostname;
   (2) IP address;
   (3) default gateway;
   (4) domain name servers (DNS);
   (5) email server;
   (6) passwords; and
   (7) license key;
b. test connectivity through HTTPS and SSH and ensure that the system is functioning correctly; and
c. log in to the administrative interface to perform the following:
   (1) user and role creation and management;
   (2) system configuration (thresholds, authentication);
   (3) Log Source configuration;
   (4) Flow Source configuration, if included in the SIEM Macro and Micro Design;
   (5) vulnerability assessment configuration, if included in the SIEM Macro and Micro Design;
   (6) Offense resolution configuration;
   (7) Sentry and View configuration;
   (8) license management;
   (9) backup and restore functions;
   (10) local firewall;
   (11) management of internal collector interfaces;
   (12) system date and time;
   (13) database retention periods and filtering options, if applicable;
   (14) SNMP settings; and
   (15) automatic updates.
Completion Criteria: This activity will be complete when the console appliance is installed and functioning as documented in the Project Plan.
Deliverable Materials: None
Activity 2 - Customize Console Appliance
The purpose of this activity is to customize and tune the console appliance for your environment. IBM will:
a. customize Views;
b. build basic network hierarchy;
c. back up the configuration file;
d. analyze and review traffic;
e. determine if equations for detecting threats in traffic are appropriate for your requirements;
f. adjust equations in accordance with your needs;
g. create a threat exception group if necessary;
h. create Sentries for alerts;
i. analyze and identify appropriate Views/layers where Sentry can be applied;
j. add one of each type of Sentry to a View;
k. verify that Sentry works as desired;
l. configure Offense Manager;
m. create and test one custom Rule;
n. configure custom Dashboard for up to 10 users;
o. demonstrate capabilities of Dashboard to your staff; and
p. configure additional SIEM Agents per the SIEM Macro and Micro Design.
Completion Criteria: This activity will be complete when the console appliance has been customized for your environment.
Deliverable Materials: None

Activity 3 - Deploy Log Collection for Production Environment
The purpose of this activity is to deploy log collection in the production environment. IBM will collect
events from up to three instances of the Log Source types as defined in the design phase. Only Log
Sources natively supported by standard Device Support Modules (DSMs) will be collected. No custom
parsers or uDSMs will be created in this activity. Log Source collection is limited to standard configuration
guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to
you upon request.
Completion Criteria: This activity will be complete when IBM has collected events from up to three
instances of the Log Source types for the production environment.
Deliverable Materials: None
Activity 4 - Deploy Flow Collection for Production Environment
The purpose of this activity is to deploy Flow collection in the production environment if Flow
Collectors/Processors are included in the SIEM Macro and Micro Design. IBM will collect network activity
from up to three instances of Flow sources. Flow Source collection is limited to standard configuration
guidelines as documented in the latest version of the Configuring DSMs Guide which will be provided to
you upon request.
Completion Criteria: This activity will be complete when IBM has deployed flow collection, if applicable,
in the production environment.
Deliverable Materials: None
Activity 5 - Initial Tuning for Production Environment
The purpose of this activity is to perform initial tuning which is focused on enabling out-of-the-box content
as well as reducing white noise and false positives. IBM will:
a. refer to the system design to perform initial tuning to include:
   (1) identifying and removing sources of noise;
   (2) activating Rules, saved searches, and accumulated time series graphs;
   (3) scheduling reports and modifying reports to meet your requirements; and
   (4) customizing Dashboards per the SIEM Macro and Micro Design;
b. lead your technical personnel through the tuning process to reduce the number of Offenses to a practical level for the environment; and
c. collaborate with you and other IBM delivery personnel to determine which standard alerting and reporting elements to enable.

Completion Criteria: This activity will be complete when IBM has performed initial tuning in the
production environment.
Deliverable Materials: None
5.3.2 Your SIEM System Implementation Responsibilities

You agree to:
a. be responsible for the procurement and provision of all hardware and software;
b. be responsible for the physical installation, rack mounting, powering, and network addressing of all SIEM System components and any other necessary equipment;
c. ensure and validate that backups of system and user data have been performed before the SIEM System components are deployed;
d. provide change management control for your infrastructure changes;
e. meet the following prerequisites prior to the commencement of Phase Three:
   (1) make final selection of solution and technical architectures;
   (2) request support access;
   (3) request license keys from IBM Support;
   (4) record installation key(s) located on appliance(s) (sticker placed on top of appliance or located with shipping documentation);
   (5) rack, power, and cable the appliances;
   (6) attach monitor and keyboard (or provide KVM/DRAC equivalent) to all appliances or provide equivalent access, if requested;
   (7) provide hot network connectivity to all appliances;
   (8) identify appliance network settings: Hostname, IP Address, Subnet mask, Default gateway, NTP/DNS/Mail servers;
   (9) if requested, provide a workstation to IBM delivery personnel for connecting to the QRadar console that has the following attributes:
       (a) can access the QRadar console on TCP ports 22, 10000, 80 and 443;
       (b) has operational secure shell (SSH) and secure copy (SCP/SFTP) programs installed;
       (c) has a recent version of Mozilla Firefox (preferred), or Internet Explorer 8.0 or 9.0 with Compatibility View enabled;
       (d) has Java Runtime Environment version 1.6 or above installed; and
       (e) has Adobe Flash 10.x installed;
   (10) if requested, configure firewalls between the workstation and the QRadar console to allow the specified connections as instructed by QRadar technical product documentation;
   (11) configure span/mirror ports and/or taps, if necessary and defined in the SIEM Macro and Micro Design;
   (12) identify Event Sources, type, and numbers for log collection;
   (13) identify vulnerability scanner systems desired for integration into QRadar if included in the SIEM Macro and Micro Design;
   (14) identify Network Hierarchy: Subnet Name, Description, IP/CIDR values, Risk weight (see Install Guide and/or Admin Guide for additional information); and
   (15) identify Critical Assets: Hostname, IP address(es), type (domain controller, mail, web, DNS, scanners, firewalls, etc.);
scanners, firewalls, etc.);
f.

enable appropriate audit (log) settings and communications channels on the Event Sources and direct the Event Sources to the SIEM System;

g.

configure Event Sources per the Configuring DSMs Guide;

h.

be responsible for configuring audit settings in support of certain report features;

i.

be responsible for validating and approving outputs from each activity as requested by IBM;

j.

be responsible for system and data restore in the event of a production system malfunction after the
SIEM Agent is deployed;

k.

be responsible for defining your data security and protection requirements and ensuring IBM has all
relevant inputs to proceed with documenting and prioritizing the policies and deployment;

l. grant access up to and including full administrative rights as appropriate to IBM personnel for SIEM System components as required for on-site and remote service delivery within one week of Contract Start Date;
m. provide a general description of Event Sources, including applicable Log Sources, Flow Sources, and Assets as identified by vulnerability scans to IBM;
n. provide Log Source samples to IBM for the creation of uDSMs/custom agents if requested;
o. provide direct access by IBM to subject matter experts who are responsible for the management of the core purpose of each Event Source platform;
p. ensure that your staff is available to provide such assistance as IBM reasonably requires and that IBM is given reasonable access to your senior management, as well as any members of your staff, to enable IBM to provide the Services, and ensure that your staff has the appropriate skills and experience;
q. provide all information and materials reasonably required to enable IBM to provide the Services and ensure that all information disclosed or to be disclosed to IBM is and will be true, accurate, and not misleading in any material respect;
r. provide configuration information as requested by IBM to deliver the Services;
s. attend project meetings as requested by IBM to deliver the Services;
t. make available appropriate staff to shadow deployment activities for knowledge transfer purposes; and
u. acknowledge that IBM will not be liable for any loss, damage, or deficiencies in the Services, if any, arising from inaccurate, incomplete, or otherwise defective information and materials supplied by you.

5.4 Phase Four - Integration and Transition

During this phase, IBM will transition the Service to the IBM operational support team, as documented in
the Project Plan. Any required changes to the Project Plan will be handled by the IBM SSM who will
either: 1) continue with the Services as described in this Services Description, or 2) use the Contract
Change Procedure to modify the Services scope and corresponding Schedule. Completion of Phase
Three activities, or making available information equivalent to that resulting from Phase Three activities, is
a prerequisite for the commencement of the Integration and Transition activities described herein. Upon
Services renewal, Integration and Transition activities are not included as part of your ongoing renewable
services contract.

5.4.1 IBM Integration and Transition Responsibilities

Activity 1 - Staged Transition to Ongoing Operational Support
The purpose of this activity is to document essential operational elements of the Service and begin the
transition of SIEM System management and monitoring to IBM. IBM will:
a. review existing security operations processes and documentation;
b. create a Communications Plan;
c. create a Runbook;
d. work jointly with you to define and document how changes are considered, initiated, processed, recorded, and administered into a mutually agreed upon change management process;
e. determine, develop, and review detailed reporting requirements for in scope Event Sources;
f. review transition procedures and processes;
g. demonstrate MSS Portal features to MSS Portal Users;
h. review connectivity needs and access establishment for ongoing service readiness;
i. review the draft documents with your Point of Contact;
j. recommend modifications, upgrades, or policies based on findings; and
k. perform one revision of the documents, if required.

Completion Criteria: This activity will be complete when IBM has delivered the Runbook and
Communications Plan electronically to your Point of Contact.
Deliverable Materials: Runbook and Communications Plan
The Communications Plan will comprise:
(1) information and knowledge sharing process and vehicle among workgroups, business units, and third party entities as it pertains to the Service;
(2) Your Point of Contact and Backup Point of Contact;
(3) Authorized Security Contacts;
(4) Designated Services Contacts;
(5) report recipient list;
(6) your key stakeholder list;
(7) communications criteria including rules of engagement;
(8) security Incident escalation paths;
(9) your satisfaction escalation paths;
(10) IBM sales points of contact; and
(11) your feedback mechanism for enhancements and continuous quality improvement.
The Runbook will comprise:
(1) your relevant organizational structure;
(2) IBM delivery team organizational structure;
(3) contact list with name, title, vendor, email address, phone number, location, role description, and asset ownership (if applicable) for IBM and your personnel associated with the project;
(4) security Incident severity definitions including severity level, classification criteria, and severity description;
(5) Incident management process as it pertains to the Services;
(6) change management process as it pertains to Project Change Requests;
(7) your applications that will be used by IBM in the delivery of services, such as the SIEM System and one other application, if requested;
(8) your contact for each application that will be used by IBM in the delivery of services;
(9) the business purpose of each application that will be used by IBM in the delivery of services;
(10) software release management procedures for in-scope Event Sources; and
(11) the agreed-to interconnectivity and network access solution to be used by IBM in the delivery of services.
Activity 2 - Reports Definition and Validation
The purpose of this activity is to define regular reports for review and analysis by you and/or by IBM if the
Reports Generation, Review, and Analysis optional feature is included in the Services as specified in the
Schedule. If the optional Reports Generation, Review, and Analysis feature is not included, reports
defined in this activity may not be manually reviewed or analyzed by IBM prior to being provided to you,
with the exception of the Monthly Status Report, which is a formal deliverable. IBM will:
a. work with you to define substance, criteria, filters, format, distribution vehicle, recipients, and frequency of SIEM-generated reports;
b. work with you to define substance, format, distribution vehicle, recipients, and frequency of operational status reports;
c. configure Event Source communication disruption alerting to be sent via email daily to one or more Authorized Security Contacts or Designated Services Contacts as defined in the Communications Plan, if requested and you allow IBM to configure communication settings for your mail server in the SIEM System;
d. review the reports with your Point of Contact;
e. perform one revision of the reports, if requested; and
f. deliver the reports to your Point of Contact.

Once accepted by you, the identified reports will remain the same for the duration of the contract unless
modified via the change management process as documented in the Runbook.
Completion Criteria: This activity will be complete when the agreed upon report set and Monthly Status
Report sample have been delivered to Your Point of Contact.
Deliverable Materials: Monthly Status Report
The Monthly Status Report will be prefaced by the Report List. The Report List will comprise a summary
of the reports being provided, including the long form report title, the data source, the format, the report
recipient, and the distribution mechanism. The Report List will be developed prior to steady state
operations and will be mutually agreed upon. Each report will consist of the following as appropriate:
a. SIEM-generated reports, which may include but are not limited to:
(1) compliance-oriented reports for daily review;
(2) security Incident summary and details;
(3) trend analyses that reveal trends in policy exceptions and user behavior;
(4) average Events per second (EPS);
(5) average actionable alerts per day; and
(6) Event Source inventory and summary; and
b. status information including, but not limited to, the following content as appropriate:
(1) activities performed during the reporting period;
(2) activities planned for the next reporting period;
(3) Change Request summary;
(4) Project Change Control summary;
(5) SLA adherence summary;
(6) trends, Issues, concerns, and recommendations; and
(7) monthly operational review data.

Regular monthly reports will be consolidated into one Word document or PowerPoint presentation and
delivered to your Point of Contact electronically. The Monthly Status Report will be made available by the
15th of the next calendar month or at a later date if mutually agreed.
Activity 3 - Readiness Assessment
The purpose of this activity is to document the as-built state of the environment in a presentation and
assess readiness for transitioning to steady state operations. IBM will:
a. verify that in-scope Event Sources are functional with regard to the Services to be delivered;
b. re-baseline Service Features to determine whether any project changes need to be executed;
c. verify that the completion criteria have been met for each activity in this phase;
d. verify that the Deliverable Materials have been provided for each activity in this phase;
e. obtain Your Point of Contact acceptance of the applicable deliverable materials;
f. prepare a transition summary presentation that describes the fulfillment of the Project Plan; and
g. conduct a readiness assessment teleconference for up to two hours to review the transition summary presentation with Your Point of Contact or your key stakeholders, if requested.

Completion Criteria: This activity will be complete when IBM has completed the readiness assessment
teleconference.
Deliverable Materials: None
Activity 4 - Initiate Steady State Operations
The purpose of this activity is to initiate steady state operations. IBM will conduct a Steady State Initiation
teleconference for up to two hours, to:
a. introduce your contacts to the IBM service delivery team;
b. set expectations for IBM and you regarding roles and responsibilities; and
c. formally close out the Integration and Transition phase.

Completion Criteria: This activity will be complete when IBM has conducted the Steady State Initiation
teleconference.
Deliverable Materials: None

5.4.2 Your Integration and Transition Responsibilities

a. work with IBM to meet the schedule defined in the Project Plan;
b. provide IBM with access and appropriate permissions to the SIEM System components and in scope Event Sources;
c. identify reporting requirements for in scope Event Sources;
d. provide IBM with workflow for Ticket routing to the appropriate workgroup pertaining to technologies in scope;
e. acknowledge that the Communications Plan may be superseded by MSS Portal contact information during the Contract Period;
f. ensure, to the extent possible, participation by various management levels with representative skills and data protection ownership and mandates within the business units, including security teams, information technology groups, audit and risk departments, and operations management at your facility;
g. enable appropriate audit (log) settings and communications channels on the Event Sources;
h. provide specific documentation with regard to information security policy, operations, networks, systems, standards, and audit controls that could assist the discovery and requirements definition process, and provide assistance for clarification and interpretation, if requested;
i. other than as set forth in this Services Description, be responsible for defining your data security and protection requirements and ensuring IBM has all relevant inputs to proceed with documenting and prioritizing the policies and deployment;
j. schedule meetings and/or teleconferences such that all participants have enough notice to attend; and
k. review and comment on the draft Deliverable Materials to ensure IBM can finalize them within 10 business days after submitting the draft to Your Point of Contact.

5.5 Phase Five - Ongoing Operational Support

During Phase Five - Ongoing Operational Support (Steady State Operations), IBM will provide remote
operational support, management, and monitoring services for the SIEM System.

5.5.1 IBM Ongoing Operational Support Responsibilities

Activity 1 - Threat Analyst Event Monitoring and Notification
The purpose of this activity is to provide you with ongoing event monitoring and Incident management for
the SIEM System. When this Service Feature is included in the Services as specified in the Schedule,
IBM will:
a. monitor alerts and policy exceptions (security events) generated by the SIEM System. After analysis by a SIEM Analyst, security events may be classified as security Incidents. Whether or not a security event is considered a security Incident is determined solely by IBM. Identified security events will be classified, prioritized, and escalated as IBM deems appropriate. Security events that are not eliminated as benign triggers are classified as a security Incident.
b. classify security Incidents into one of the three priorities described below:
(1) Priority 1 - a high priority security Incident in which IBM recommends immediate defensive action be taken;
(2) Priority 2 - a medium priority security Incident in which IBM recommends action be taken within 12 - 24 hours of notification; and

(3) Priority 3 - a low priority security Incident in which IBM recommends action be taken within one to seven days of notification;
c. when possible, eliminate false positives and benign triggers;
d. escalate security Incidents to an Authorized Security Contact or Designated Services Contact in accordance with processes as defined during the Integration and Transition Phase;
e. provide remediation/countermeasure recommendations, if applicable;
f. assist your security teams with performing root cause and impact analysis;
g. adjust alert prioritization options based on criticality;
h. consider ongoing policy improvements and notify you of IBM recommended policy changes;
i. perform analysis of potentially harmful security alerts;
j. perform updates to existing policy Rules;
k. provide Incident handling support, consisting of:
(1) creating Incident tickets as required;
(2) tracking progress of open tickets;
(3) managing the tickets to resolution / closure, in accordance with the processes as defined in the Integration and Transition Phase;
(4) providing escalation and exception handling for Tickets, consistent with defined processes; and
(5) closing Tickets upon resolution.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: Monthly Status Report (Ongoing)
Activity 2 - SIEM System Infrastructure Management
The purpose of this activity is to provide ongoing management and monitoring of the SIEM System
infrastructure, including hardware and software components. When this Service Feature is included in the
Services as specified in the Schedule, IBM will:
a. monitor IBM's ability to access the SIEM System;
b. assist you with troubleshooting steps to be performed by you in order to re-establish connectivity between the SIEM System and IBM;
c. provide software-level management for the SIEM System components;
d. verify data collection and log continuity;
e. manage user access, including user and group permissions updates;
f. review application performance, capacity, and availability, and make recommendations as appropriate;
g. review SIEM System disk space usage;
h. verify time synchronization among SIEM System components;
i. perform archival management and retrieval per the change management process;
j. provide problem determination / problem source identification for the SIEM System, consisting of:
(1) creating tickets as required;
(2) tracking progress of open tickets;
(3) managing tickets to resolution / closure, in accordance with the processes as defined in the Integration and Transition Phase;
(4) providing escalation and exception handling for tickets in accordance with defined processes; and
(5) closing tickets upon resolution;
l. review SIEM vendor announcements;
m. manage SIEM System update alerts;
n. schedule and test application upgrades with you;
o. install application patches and software updates in order to improve performance or enable additional functionality (IBM assumes no responsibility for, and makes no warranties concerning, third party vendor-provided patches, updates, or security content);
p. declare a maintenance window in advance of SIEM Agent updates that may require platform downtime or your assistance to complete;
q. perform research and investigation if the SIEM Agent does not perform as expected or a potential SIEM Agent health issue is identified;
r. review on a quarterly basis new security correlation Rules supplied by the vendor and apply them to SIEM Agents if applicable, in accordance with the change management process; and
s. review and modify, if necessary, each uDSM on an annual basis when the optional Service Feature for Custom Parser Creation is included with the Services for the quantity specified in the Schedule.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: Monthly Status Report (Ongoing)
Activity 3 - SIEM System Change Requests
The purpose of this activity is to process Change Requests to add, update, delete, or modify SIEM
System functions, components, or outputs. When SIEM System Infrastructure Management is included in
the Services as specified in the Schedule, IBM will:
a. review submitted Change Requests to verify justification, feasibility, and completeness; Change Requests may include but are not limited to the following adjustments:
(1) moving, adding, or deleting Event Sources;
(2) assisting you with directing Event Sources to the SIEM System;
(3) creating, modifying, or implementing SIEM System policies or rules; and
(4) responding to complex audit requests;
b. notify the requester if additional information is needed;
c. implement approved Change Requests in accordance with your change management process as documented in the Runbook;
d. if necessary, notify the requester that the change exceeds service scope and assist the requester with the Contract Change Procedure; and
e. summarize changes in the Monthly Status Report.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: Monthly Status Report (Ongoing)
5.5.2 Your Ongoing Operational Support Responsibilities

In order to provide successful ongoing operational support, your participation is necessary. When one or
more Service Features in Phase Five are included in the Services as specified in the Schedule, you agree
to:
a. provide IBM with current documentation of your environment;
b. inform IBM of changes within your environment that are relevant to the Service;
c. enable appropriate audit (log) settings and communications channels on the Event Sources;
d. inform IBM within three calendar days of a change in Your Point of Contact information;
e. provide email aliases, as necessary, to facilitate notification;
f. ensure that network infrastructure devices, systems, servers, and applications sending security events and logs to the SIEM System meet the most current minimum application system requirements as defined by IBM;
g. be responsible for your own security governance and strategy, including security Incident response procedures;
h. work with IBM to optimize the Service;
i. participate in troubleshooting sessions with IBM, as required; and
j. maintain current licensing, support, and maintenance contracts.

In addition, if Threat Analyst Event Monitoring and Notification is included in the Services as specified in
the Schedule, You agree to:
(1) view details of security Incident reports; and
(2) provide feedback on security Incident reports.

In addition, when SIEM System Infrastructure Management is included in the Services as specified in the
Schedule, You agree to:
(1) create and submit a Change Request for all changes as defined in the change management process and documented in the Runbook;
(2) ensure all Change Requests are submitted by an Authorized Security Contact or a Designated Services Contact, in accordance with the change management process;
(3) be responsible for providing sufficient information for each Change Request to allow IBM to successfully perform such change;
(4) contact IBM in the event that the troubleshooting steps do not resolve a SIEM Agent performance or health issue;
(5) assist IBM with remote configuration and troubleshooting of SIEM System components and Event Source transmission issues and be responsible for their ultimate resolution;
(6) allow IBM to monitor the administrative interfaces and/or event stream of the managed SIEM Agents;
(7) acknowledge that:
(a) all updates are transmitted and applied via the Internet;
(b) data traveling across the Internet is encrypted using industry-standard strong encryption algorithms whenever possible;
(c) IBM will not initiate additional troubleshooting steps until after notification from you that initial troubleshooting steps did not resolve SIEM Agent performance or health issues;
(d) if the managed SIEM Agent is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM; and
(e) all changes will be completed by IBM and not by you;

6.0 Managed SIEM Optional Features

Managed SIEM Optional features are dependent on the complexity level and quantity of the selected optional features specified in the Schedule. IBM will provide MSIEM Optional features based on selection and the additional charges specified in the Schedule.

6.1 Custom Parser Creation

6.1.1 IBM Custom Parser Creation Responsibilities

Activity 1 - Custom Parser Creation
The purpose of this activity is to configure uDSMs to parse the logs for Log Sources for which there is no
native DSM and map the individual log messages into QRadar's ID map (QIDMAP). At your request, and
for an additional charge as specified in the Schedule for this optional Service Feature, IBM will configure
uDSMs, up to the quantity specified in the Schedule for this optional Service Feature, using up to 15
event messages per uDSM.
IBM will provide Custom Parser Creation during your Contract Period at a usage rate specified in the
Schedule.
Once delivered, the maintenance of these uDSMs will be performed by IBM as described in Phase Five of
this Services Description.

Completion Criteria: This activity will be complete when the uDSMs have been configured and are
transmitting data to the SIEM System.
Deliverable Materials: None

6.2 Reports Generation, Review, and Analysis

6.2.1 IBM Reports Generation, Review, and Analysis Responsibilities

Activity 1 - Reports Generation, Review, and Analysis
The purpose of this activity is to provide daily manual review and analysis by SIEM Analysts of certain
report data as defined in the Integration and Transition Phase when this optional Service Feature is
included in the Services as specified in the Schedule. At your request, and for an additional charge as
specified in the Schedule for this optional Service Feature, IBM will:
a. generate daily reports up to the quantity specified in the Schedule;
b. manually review and analyze reports;
c. investigate anomalous data;
d. perform analysis of potentially harmful security alerts based on report data;
e. create Incident tickets as required based on report data;
f. escalate security Incidents to an Authorized Security Contact or Designated Services Contact in accordance with processes as defined during the Integration and Transition Phase;
g. upload log files and reports electronically and in their native formats to a central repository provided by Customer for audit purposes;
h. manage report distribution; and
i. incorporate findings into weekly briefings and monthly operational reviews.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: None

6.3 General SIEM Consulting

6.3.1 IBM General SIEM Consulting Responsibilities

Activity 1 - General SIEM Consulting
The purpose of this activity is to accommodate potential changes or additional requirements that may
arise during the Contract Period in order to prime the environment for a smooth transition to managed
operations or provide a higher level of advisory services during steady state. Such support may include
Incident response guidance, SIEM reconfiguration, expansion assistance, and security operations and
optimization.
IBM will provide General SIEM Consulting during your Contract Period at a usage rate specified in the
Schedule. General SIEM Consulting units (days/weeks) specified in the Schedule must be utilized during
the initial contract term. These optional Service Features may be purchased in advance based on presales solution design recommendations or via the Contract Change Procedure at any time during the
Contract Period. General SIEM Consulting will be provided 9:00 a.m. to 5:00 p.m. Monday through Friday
in the time zone selected by you (also referred to as Business Hours), except national and your
designated holidays.
Completion Criteria: This activity will be considered complete when one of the following first occurs: 1)
the number of units (days/weeks) specified in the Schedule has been provided for the corresponding
Service Features; or 2) the initial Contract Period term has passed.
Deliverable Materials: None

6.3.2 Your General SIEM Consulting Responsibilities

You agree to:
a. acknowledge that, under this Services Description, General SIEM Consulting will be provided based on the usage charge specified in the Schedule; and
b. be responsible for all usage charges associated with General SIEM Consulting you request during the term of the Contract Period specified in the Schedule.

6.4 Ticket System Integration

6.4.1 IBM Ticket System Integration Responsibilities

Activity 1 - Ticket System Integration
The purpose of this activity is to provide a mechanism to you for leveraging existing trouble ticketing and
case management investments. At your request, and for an additional charge as specified in the
Schedule for this optional Service Feature, IBM will provide an application programming interface (API) to
allow for customized integration with external ticketing systems.

6.4.2 Your Ticket System Integration Responsibilities

You agree to:
a. be responsible for all additional charges associated with API Ticket integration;
b. utilize the API package to facilitate Ticket integration;
c. be responsible for all engineering and development issues associated with Ticket integration; and
d. acknowledge that IBM will not provide assistance or consulting for your ticketing system integration.

Completion Criteria: This activity will be complete when IBM has provided the API to you.
Deliverable Materials: None

6.5 Vulnerability Scanner Integration

6.5.1 IBM Vulnerability Scanner Integration Responsibilities

Activity 1 - Vulnerability Scanner Integration
The purpose of this activity is to configure third party vulnerability assessment scanners as data sources
for the SIEM System when this optional Service Feature is included in the Services as specified in the
Schedule. At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will:
a. include vulnerability scanner integration into the solution design;
b. configure the vulnerability scanner instances per the SIEM Macro and Micro Design; and
c. validate that vulnerability assessment data populates asset records in the SIEM System.

Completion Criteria: This activity will be complete when IBM has integrated third party vulnerability scan
data into the SIEM System.
Deliverable Materials: None

6.6 QRadar Vulnerability Manager Integration and Management

6.6.1 IBM QRadar Vulnerability Manager Integration and Management Responsibilities

Activity 1 - QRadar Vulnerability Manager Integration and Management
The purpose of this activity is to provide support for the QVM module, if licensed and included in the SIEM Macro and Micro Design, including setup, configuration, maintenance, and periodic report generation.
At your request, and for an additional charge as specified in the Schedule for this optional Service Feature, IBM will:
a. work with your technical contacts to configure QVM scan policies for the quantity of IP addresses as specified in the Schedule;
b. work with your technical contacts to configure dynamic and near-real-time scanning options as applicable;
c. work with your technical contacts to define QVM reports for monthly generation;
d. provide you with read-only QRadar console access so you may view QVM reports and related information (no administrator access will be granted);
e. ensure QVM data is integrated logically in the overall SIEM solution;
f. incorporate QVM findings into weekly briefings and monthly operational reviews; and
g. implement QVM-related Change Requests in accordance with the defined change management process as documented in the Runbook.

Completion Criteria: This is an ongoing activity that will be considered complete at the end of the
Services.
Deliverable Materials: None

6.6.2 Your QVM Responsibilities

You agree to:
a. convey scan policy and scheduling requirements to IBM delivery personnel;
b. work with IBM delivery personnel to ensure QVM-related reports map to your requirements;
c. access the QRadar console to retrieve QVM-related reports and data;
d. notify IBM of any network or system changes that would prevent the QVM module from successfully completing the scans;
e. be responsible for the remediation of vulnerabilities discovered by the QVM module or made available to you in the reports; and
f. submit Change Requests for any QVM-related changes using the change management process as defined in the Runbook.

7.0 Service Level Agreements

7.1 SLA Overview
IBM Service Level Agreements (SLAs) establish response time goals (Service Level Targets) for
specific activities. The SLAs become effective at the commencement of Phase Five, Ongoing Operational
Support (Steady State Operations). The SLA defaults described below comprise the measured metrics
for the delivery of the Service. Unless explicitly stated below or as set forth in the Agreement, no
warranties of any kind shall apply to Services delivered under this Services Description. Upon the
initiation of Steady State as mutually agreed upon by you and IBM, the Service Level Agreements
become effective. Service Level Agreements (also referred to as SLA Availability, in the Schedule) are
as follows:

Service Feature                             SLA Target          SLA Remedy
Service Availability                        100%                Service Credit equal to one day of the monthly fee for Steady State Operations
Portal Availability                         99.9%               Service Credit equal to one day of the monthly fee for Steady State Operations
Priority 1 Security Incident Notification   15/30/60 Minutes    Service Credit equal to one day of the monthly fee for Steady State Operations
Priority 2 Security Incident Notification   12 Hours            Service Credit equal to one day of the monthly fee for Steady State Operations
Priority 3 Security Incident Notification   24 Hours            Service Credit equal to one day of the monthly fee for Steady State Operations
SIEM Agent Health Alerting                  30 Minutes          Service Credit equal to one day of the monthly fee for Steady State Operations

7.2 SLA Definitions

7.2.1 Service Availability
IBM will provide 100% Service availability for the SOCs during Steady State Operations.

7.2.2 Portal Availability
IBM will provide 99.9% accessibility for the Portal except as specified in Scheduled and Emergency
Maintenance.


7.2.3 Security Incident Identification and Notification

When Threat Analyst Event Monitoring and Notification is included in the Services as specified in the
Schedule, IBM will analyze SIEM System output to identify Priority 1, 2, and 3 Security Incidents.
Whether or not a security event is considered an Incident is determined solely by IBM. The Security
Incident Notification timer begins once IBM has identified, classified, and prioritized an Offense and has
created an Incident Ticket.
Your Authorized Security Contact or Designated Services Contact will be notified by telephone and email
for the first instance of a Priority 1 Incident and via email for the first instance of a Priority 2 or 3 Incident.
During a Priority 1 Incident notification, IBM will continue attempting to contact the Authorized Security
Contact or Designated Services Contact until such contact is reached for that instance or all notification
contacts have been exhausted. Operational activities related to Incidents and responses will be
documented and time-stamped within the IBM ticketing system. Such documentation and time-stamps
shall be used as the sole authoritative information source for the purposes of this SLA. IBM will initiate
notification for Priority 2 and 3 Incidents within the timeframe specified in the Service Level Agreements
above, and for Priority 1 Incidents within the timeframe specified in the Schedule. Incident priorities are
defined as follows:
Priority 1 Incident: This prioritization includes actionable, high-risk events / policy violations that have
the potential to cause severe damage to client environments. Examples include system or data
compromises; privacy breaches; worm infections/propagation; massive Denial of Service (DoS) or
Distributed Denial of Service (DDoS) attacks; zero day threats; creation of IDs with elevated privileges or
adding elevated privileges to existing IDs outside of change control processes; tampering with critical
system files, application files, or databases that will impact system integrity; enterprise-wide malware
outbreak; unauthorized policy changes; and deletion of audit log files. For investigations that result in a
Priority 1 classification, IBM recommends that customers take immediate defensive actions.
Priority 2 Incident: This prioritization includes unauthorized user activities that do not have the ability to
impact system performance or harm data. Examples include unauthorized local scanning activity;
attacks targeted at specific servers or workstations; unauthorized creation of IDs on critical systems;
user-caused consecutive failed/successful login attempts; failed attempts at tampering with critical
systems, applications, audit log files, and databases; accessing critical systems or application files; and
malware outbreaks impacting a business unit or a territory. For a Priority 2 Incident, IBM recommends
that customers take action within 12-24 hours of notification.
Priority 3 Incident: This prioritization encompasses activities such as user errors, misconfigurations,
non-compliance, and scanning. Examples include discovery scanning; information gathering scripts;
other reconnaissance probes; unauthorized system reboots; use of accounts (service, administrator,
system accounts); activity with account names that do not follow approved naming standards; suspect
file names; any unauthorized change or activity conducted during non-business hours; and certain types
of malware outbreaks. For a Priority 3 Incident, IBM recommends that customers take action within one
to seven days of notification.
You acknowledge that:
a. additional instances of the same Priority 1, 2, or 3 Incident may be suppressed and/or rolled into the
   primary ticket of the first instance of the Incident, but contact will not be attempted for each new
   instance of the same Incident other than through the regular reports mutually agreed upon during
   Phase Four, Activity 2, Reports Definition and Validation;
b. lack of feedback or timely response from an Authorized Security Contact or Designated Services
   Contact after IBM has attempted to make contact three times over a seven day period can result in
   a lower prioritization of persistent or recurring activity as it pertains to Priority 1, 2, and 3 Incidents;
c. IBM will stop contacting an Authorized Security Contact or Designated Services Contact if, after four
   Information Requests, an adequate response has not been provided by you within seven days of
   the fourth Information Request for the same Incident or aggregated, related Incidents;
d. if a response is needed from an Authorized Security Contact or Designated Services Contact in
   order to investigate and close a Ticket, tune Rules, or otherwise enhance the delivery of the
   Services, possible response options will be listed for you in the Information Request, such that
   selecting any one of the possible response options will be deemed an adequate response for the
   purposes of the Information Request; and


e. if IBM does not receive an adequate response to an Information Request after four attempts, IBM
   reserves the right to make environmental assumptions and take one or more of the following actions:
   (1) add, modify, or delete Rules;
   (2) suppress Offenses; and
   (3) make any other configuration change to the SIEM System.

7.2.4 SIEM Agent Health Alerting

When SIEM System Infrastructure Management is included in the Services as specified in the Schedule,
IBM will notify you within the timeframe specified in the Service Level Agreements for SIEM Agent Health
Alerting after IBM determines that the SIEM Agent is unreachable via standard in-band connectivity.

7.3 SLA Root Cause Analysis

IBM will maintain a root cause analysis (RCA) process and perform, at IBM's discretion, the activities
required to diagnose, analyze, resolve, and report on Incidents or problems prior to an SLA Remedy
being enforced. IBM will:
a. identify, record, track, and manage the Incident and/or problem identified as potentially having IBM
   SLA implications from identification through service restoration by:
   (1) determining the ownership of the issue as assignable to IBM;
   (2) determining the scope of the Incident and/or problem; and
   (3) utilizing the ticketing system described herein to manage workflow and reporting;
b. identify the root cause of problems or failures, where possible;
c. identify and remedy the failure, and report on any consequences of the failure;
d. provide you with a written, electronic report detailing the cause of and procedure for correcting such
   failure; and
e. if the RCA points to MSS or the SIEM System, substantiate to you that all reasonable actions have
   been taken to prevent recurrence of such failure and notify you that the service has been restored.

7.4 SLA Remedies
You will be entitled to a Service Credit if a Service Feature does not meet the corresponding Service
Level Target. The amount of any such Service Credit shall be determined using then-current
Schedule(s). You may obtain no more than one Service Credit for each SLA per day, and aggregate
Service Credits in a calendar month shall not exceed a total of the Steady State Operations monthly fee.
Each Service Credit will be applied as a one-time credit on the invoice for the month following the month
in which IBM failed to meet an SLA. The IBM MSS Remedy system will be used as the system of record
for managing and tracking Service Level Agreement metrics and adherence. Such Service Credit is the
sole remedy for failure to meet any of the SLAs described in this Services Description.

8.0 Deliverable Materials
The Deliverable Materials, identified as Type II Materials, are summarized below and subject to the
Deliverable Materials Acceptance Procedure:
a. Initial Project Plan
b. SIEM System Macro and Micro Design
c. Communications Plan
d. Runbook
e. Monthly Status Report

Each of the above Deliverable Materials will be reviewed and accepted in accordance with the following
procedure; however, subsequent submissions of the Monthly Status Report are not subject to this
procedure and are considered accepted upon delivery:
(1) One copy of the Deliverable Material will be submitted to your Point of Contact, Authorized
    Security Contact, or Designated Services Contact as defined in the Communications Plan for
    each Deliverable Material. It is the responsibility of your contact to make and distribute
    additional copies to any other reviewers.
(2) Within five business days of receipt, your contact will either accept the Deliverable Material or
    provide IBM with a written list of requested revisions. If IBM receives no response from your
    contact within five business days, then the Deliverable Material will be deemed accepted.
(3) IBM will consider your contact's timely request for revisions, if any, within the context of IBM's
    obligations as stated in the Deliverable Materials descriptions.
(4) The revisions recommended by your contact and agreed to by IBM will be made and the
    Deliverable Material will be resubmitted to your contact, at which time the Deliverable Material
    will be deemed accepted.
(5) The revisions recommended by your contact not agreed to by IBM will be managed in
    accordance with the Contract Change Procedure specified in the Schedule.
(6) In the event of any conflict arising from the acceptance of Deliverable Materials, you agree that
    your Point of Contact will help resolve Services Issues and escalate Issues within your
    organization, as necessary.

9.0 Other Terms and Conditions

9.1 Intellectual Property Services Components

IPSC Definition
Intellectual Property Services Components ("IPSCs") are pre-existing IBM or third party proprietary
literary works or other works of authorship (such as programs, program listings, programming tools,
documentation, reports, drawings and similar works) that IBM may license to you or that IBM may use
when providing Services. IPSCs are not Products or Materials, as such terms are defined in the IBM
Customer Agreement (called ICA). The terms of the ICA shall otherwise apply to IPSCs, except that the
section entitled "Limitation of Liability" shall apply to IPSCs as if an IPSC was a "Product" for purposes of
that section without reference to any other section. IBM or third parties have all right, title, and interest
(including ownership of copyright) in IPSCs and IPSCs are licensed, not sold. Except as provided by
mandatory law, without the possibility of contractual waiver or limitation, IBM provides IPSCs WITHOUT
INDEMNITIES OR WARRANTIES OF ANY KIND.
IPSC License Grant
Subject to the IPSC Special Terms below, IBM grants you a revocable, nonexclusive, paid-up license to
use, within your Enterprise only, the following IPSC:
Universal Log Agent
IPSC Special Terms
a. IBM may terminate this license if you do not comply with any of the terms of this SOW.
b. Upon termination of this license, you agree to destroy all copies of, and make no further use of,
   Universal Log Agent, and certify such destruction to IBM.

By accepting receipt of the Universal Log Agent, you agree to the following Terms of Use: During the
term of your IBM Managed Security Services, IBM grants you a limited nonexclusive, nontransferable
license solely to internally use the Universal Log Agent. Except as otherwise provided herein, the terms of
your agreement for the Managed Security Services with IBM shall apply to IBM's provision, and your use,
of any Universal Log Agent. No title to or ownership in the Universal Log Agent is transferred to you.
Your rights will at all times be subject to IBM's copyrights and other intellectual property rights, and IBM
will retain all right, title and interest in the Universal Log Agent and any derivative works thereof.
UNIVERSAL LOG AGENT IS PROVIDED "AS IS" AND WITHOUT WARRANTY OR INDEMNITY OF ANY
KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF
PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS. Universal Log Agent may not be: 1) used,
copied, modified, or distributed except as expressly provided herein; 2) reverse assembled, reverse
compiled, or otherwise translated, except as specifically permitted by law without the possibility of
contractual waiver; 3) sublicensed, rented, or leased; or 4) used for commercial purposes, including
commercial research, consulting or running a business. You may not create derivative works based on
the Universal Log Agent and shall not remove any notices included in the Universal Log Agent. You may
not use the Universal Log Agent to design, develop or test software applications for any commercial
purposes. You may not allow others to use your passwords to gain access to IBM's restricted Web sites
or to use the Universal Log Agent for any purposes. The Universal Log Agent is considered confidential
to IBM and you shall hold such confidential information ("Information") in trust and confidence for IBM.
You will use the same care and discretion to avoid disclosure of the Information as you use with your
own similar information which you do not wish to disclose. During such period, you may only disclose the
Information to (1) your employees who have a need to know, and (2) any other party with IBM's prior
written consent. Prior to any such disclosure, you must have a written and appropriate agreement with
your employees and any other party authorized to receive such Information sufficient to require the party
to treat the Information in accordance with these Terms of Use. You may use such Information only for
the purpose for which it was disclosed or otherwise for the benefit of IBM. These Terms of Use impose no
obligation upon you regarding the Universal Log Agent or any information contained in it where such
items: (1) are or become publicly available through no fault of yours; or (2) are developed independently
by you.

9.2 Permission to Perform Testing

Certain laws prohibit any unauthorized attempt to penetrate or access computer systems. You authorize
IBM to perform the Services as described herein and acknowledge that the Services constitute authorized
access to your computer systems. IBM may disclose this grant of authority to a third party if deemed
necessary to perform the Services. The Services that IBM performs entail certain risks and you agree to
accept all risks associated with such Services; provided, however, that this does not limit IBM's obligation
to perform the Services in accordance with the terms of this Services Description. You acknowledge and
agree to the following:
a. excessive amounts of log messages may be generated, resulting in excessive log file disk space
   consumption;
b. the performance and throughput of your systems, as well as the performance and throughput of
   associated routers and firewalls, may be temporarily degraded;
c. some data may be changed temporarily as a result of probing vulnerabilities;
d. your computer systems may hang or crash, resulting in system failure or temporary system
   unavailability;
e. any service level agreement rights or remedies will be waived during any testing activity;
f. a scan may trigger alarms by intrusion detection systems;
g. some aspects of the Services may involve intercepting the traffic of the monitored network for the
   purpose of looking for events; and
h. new security threats are constantly evolving and no service designed to provide protection from
   security threats will be able to make network resources invulnerable from such security threats or
   ensure that such service has identified all risks, exposures and vulnerabilities.

9.3 Disclaimer
You understand and agree:
a. that it is solely within your discretion to use or not use any of the information provided pursuant to
   the Services hereunder. Accordingly, IBM will not be liable for any actions that you take or choose
   not to take based on the Services performed and/or deliverables provided hereunder;
b. that it is your sole responsibility to provide appropriate and adequate security for the company, its
   assets, systems and employees;
c. that IBM's performance of the Services does not constitute any representation or warranty by IBM
   about the security of your computer systems including, but not limited to, any representation that
   your computer systems are safe from intrusions, viruses, or any other security exposures; and
d. that Linux and any other Open Source Software (OSS), including patches, fixes, and updates,
   which IBM installs, configures, updates, operates, or otherwise assists in procuring on your behalf
   as a result of providing services under this Services Description are licensed and distributed to you
   by Linux and OSS distributors and/or respective copyright and other right holders, including Red
   Hat, Inc. and/or Novell, Inc. ("Right Holders") under such Right Holders' terms and conditions. IBM
   is not a party to the Right Holders' terms and conditions, and installs any OSS "AS IS". You and
   IBM agree that any modification or creation of derivative works of OSS is outside the scope of this
   Services Description. IBM is not a distributor of OSS and does the work described in this Services
   Description for you upon your specification. You receive no express or implied patent or other
   license from IBM with respect to any OSS. IBM makes no representations and disclaims all
   warranties with respect to any OSS, express or implied, including the implied warranties of
   merchantability and fitness for a particular purpose. IBM does not indemnify against any claim that
   OSS infringes a third party's intellectual property rights. UNDER NO CIRCUMSTANCES SHALL
   IBM BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OSS.

9.4 Employment of Assigned Personnel

This Services Description shall not affect the employment relationship that exists between IBM's assigned
personnel and IBM during the applicable Contract Period. No IBM assigned personnel shall be deemed
for any purpose to be your agent, servant, employee, or representative in the performance of his or
her services hereunder.
a. IBM staffs Services on a national basis with either local or non-local resources based upon resource
   availability at Services enablement. At the start of Services and on an ongoing basis, our points of
   contact will work together to mutually determine any on-site requirements of non-local resources.
   For on-site engagements spanning multiple weeks, the typical 40 hour work week of full time
   non-local resources normally consists of the resource traveling to your site(s) on Monday,
   returning to their home city at the end of the work day on Thursday and performing Services-related
   activities remotely on Friday, as applicable. During weeks with a national holiday or during periods
   when a resource is not required to be on-site full time, both parties will work together to define an
   alternate full time work schedule. Such alternate work schedule may include the resource
   performing applicable Services-related activities remotely.
b. You acknowledge that: (a) IBM is not required to perform any work outside the scope described in
   this Services Description, (b) to the extent IBM does perform any work outside of scope, IBM may
   cease to perform such work at any time and (c) any changes to the scope must be agreed to in
   accordance with the Contract Change Procedure specified in the Schedule.
