Exhibit 2 - Proposal
IBM Security Services
IBM Security Transformation Services Agreement for
CITY OF DENTON DOU Rev Split 4-1-2024
Prepared for
CITY OF DENTON
ACCOUNTS PAYABLE
215 E MCKINNEY ST
Denton, TX 76201
US
02/21/24
Z126-6955-US-05 (Direct) Page 1 of 27
Table of Contents
1. Scope of Work ................................................................................................................... 3
1.1 Services Coordination ........................................................................................................ 3
1.2 Client Point of Contact Responsibilities ............................................................................ 3
1.3 Client General Responsibilities ......................................................................................... 3
2. Services .............................................................................................................................. 5
2.1 List of Services .................................................................................................................. 5
3. Estimated Schedule ............................................................................................................ 5
4. Facilities and Hours of Coverage ...................................................................................... 5
5. Deliverables ....................................................................................................................... 5
6. Completion Criteria ........................................................................................................... 5
7. Charges .............................................................................................................................. 5
8. Other Terms and Conditions .............................................................................................. 5
8.1 Termination ........................................................................................................................ 5
8.2 Limitation of Services ........................................................................................................ 6
8.3 Open-Source Software Disclaimer .................................................................................... 6
8.4 Employment of Assigned Personnel .................................................................................. 6
Appendix A: Project Procedures ................................................................................................................. 7
Appendix B: Service Descriptions .............................................................................................................. 8
9. IBM Security X-Force Incident Response Retainer .......................................................... 9
9.1 Service Activity – X-Force IR Retainer Project Initiation ................................................ 9
9.2 Other Terms and Conditions – Limitation of IBM X-Force Incident Response Retainer ........... 12
Appendix C: Deliverable Guidelines ........................................................................................................ 22
1. Consulting and System Integration Services ................................................................... 24
1.1 C&SI Estimated Schedule ............................................................................................... 24
1.2 C&SI Payment Terms ...................................................................................................... 24
1.3 C&SI Summary of Charges ............................................................................................. 24
1.4 Ongoing Support Services Transition .............................................................................. 24
2. Security Service Summary of Charges ............................................................................ 25
3. Additional Terms and Conditions .................................................................................... 25
3.1 Regulatory Services ......................................................................................................... 25
3.2 Disclaimer ........................................................................................................................ 25
3.3 Permission to Perform Testing ........................................................................................ 25
3.4 Systems owned by a Third Party ..................................................................................... 26
3.5 Security Data ................................................................................................................... 26
4. Travel and Living Expenses ............................................................................................ 26
5. Taxes and Payment .......................................................................................................... 27
6. Billing for Online Orders ................................................................................................. 27
Statement of Work for Services
Security Services
This Statement of Work (“SOW”) is governed by the terms and conditions of the agreement specified in
the Order Document for IBM Security Services (“Order Document”). If there is a conflict between the
terms in the documents, the terms of the Order Document prevail over those of the SOW, and the terms
of the SOW prevail over those of the agreement specified in the Order Document ("the Agreement").
Client means and includes the company, its authorized users, or recipients of the IBM Security Services
("Services").
Capitalized terms not otherwise defined in this SOW are defined in the Agreement and have the same
meaning in this SOW as ascribed to them therein.
1. Scope of Work
The IBM Security Services are comprised of a dynamic portfolio of offerings designed to provide tools,
technology, and expertise to help optimize Client’s existing security programs.
Services consist of the IBM X-Force Incident Response Retainer (IRIS). IRIS helps clients intelligently
prepare for, detect, and respond to attacks, reducing the timeline for potential impact. Clients have 24x7x365
phone access to IBM's team of IR consultants, with boots-on-the-ground emergency incident support within
24-48 hours if needed.
1.1 Services Coordination
IBM Responsibilities
IBM will designate an IBM Services specialist who will be IBM’s focal point during performance of the
Services who, with Client Point of Contact, will:
a. review the SOW and any associated documents;
b. establish and maintain communications;
c. administer the Project Change Control Procedure described in the Project Procedures appendix;
d. coordinate the technical activities of IBM’s assigned personnel; and
e. have completed Services Coordination when the remaining IBM activities specified in this Statement
of Work are complete.
1.2 Client Point of Contact Responsibilities
Prior to the start of the Services, Client will designate a Client Point of Contact to whom all
communications relative to the Services will be addressed, and who will have the authority to act on
Client's behalf in all matters regarding this SOW, applicable Service Description(s), and Order Document.
Client's Point of Contact will:
a. complete and return any questionnaires or checklists within business days of receipt, if applicable;
b. serve as the interface between IBM’s project team and all Client departments participating in the
Services;
c. attend status meetings, as required;
d. obtain and provide applicable information, data, consents, decisions, and approvals as required by
IBM to perform the Services, within business days of IBM’s request, unless Client and IBM agree in
writing to a different response time. As applicable, review deliverables submitted by IBM in
accordance with the Deliverable Acceptance Procedure described in the Project Procedures
appendix;
e. help resolve and escalate Services issues within Client's organization, as needed; and
f. administer the Project Change Control Procedure with IBM.
1.3 Client General Responsibilities
IBM's performance is dependent upon Client's fulfillment of its responsibilities at no charge to IBM. Any
delay in performance of Client's responsibilities may result in additional charges and/or delay of the
completion of the Services and will be handled in accordance with the Project Change Control Procedure.
Client will:
a. make appropriate personnel available to assist IBM in the performance of IBM’s responsibilities;
b. provide safe access, suitable office space, supplies, high speed connectivity to the Internet, and
other facilities needed by IBM personnel while working at the location specified in the Order
Document;
c. provide information and materials IBM requires to provide the Services. IBM will not be responsible
for any loss, damage, delay, or deficiencies in the Services arising from inaccurate, incomplete, or
otherwise deficient information or materials supplied by or on behalf of Client;
d. provide IBM with relevant information regarding Client’s current business environment;
e. provide IBM with information regarding Client’s current IT environment. Such information is to include:
(1) current and planned IT projects and priorities;
(2) general IT strategies, policies, and procedures;
(3) IT and security (physical and logical) policies, procedures, and standards; and
(4) service level agreements;
f. if making available to IBM any facilities, software, hardware, or other resources in connection with
IBM’s performance of Services, obtain at no cost to IBM any licenses or approvals related to these
resources that may be necessary for IBM to perform the Services. IBM will be relieved of its
obligations that are adversely affected by Client’s failure to promptly obtain such licenses or
approvals. Client agrees to reimburse IBM for any reasonable costs and other amounts, including
costs of litigation and settlements, that IBM may incur from Client’s failure to obtain these licenses
or approvals;
g. obtain all necessary permissions for IBM to use, provide, store and process data to which Client
gives IBM access to perform the Services. Client is responsible for the security and privacy of such
data. Client will not give IBM access to data subject to governmental regulation or requiring security
measures beyond those specified in this SOW unless IBM has first agreed in writing to implement
additional required security measures;
h. be responsible for implementing or not implementing IBM’s recommendations and for the results
achieved;
i. allow IBM to cite Client’s company name and the general nature of the Services IBM performed for
Client to IBM’s other clients and other prospective clients;
j. consent and will obtain any necessary consents for IBM and its subcontractors to process the
business contact information of Client, its employees, and contractors worldwide for our business
relationship. IBM will comply with requests to access, update, or delete such contact information;
k. acknowledge and agree that IBM does not provide legal services or represent or warrant that the
services or products IBM provides or obtains on Client's behalf will ensure Client's compliance with
any particular law, including but not limited to any law relating to safety, security, or privacy;
l. obtain any necessary consents and take any other actions required by applicable laws, including but
not limited to data privacy laws, prior to disclosing any of Client's employee information to IBM.
Client also agrees that with respect to data that is transferred or hosted outside of the country or
countries specified in the Order Document(s), Client is responsible for ensuring that all such data
transmitted outside of the country or countries specified in the Order Document(s) adheres to the
laws and regulations governing such data;
m. be responsible for the content of any database, the selection and implementation of controls on its
access and use, backup and recovery, and the security of the stored data. This security will also
include any procedures necessary to safeguard the integrity and security of software and data used
in the Services from access by unauthorized personnel; be responsible for the identification of,
interpretation of, and compliance with, any applicable laws, regulations, and statutes that affect
Client's existing systems, applications, programs, or data to which IBM will have access during the
Services, including applicable data privacy, export, and import laws and regulations. It is Client's
responsibility to ensure the systems, applications, programs, and data meet the requirements of
those laws, regulations, and statutes; and
n. be responsible, at its expense, for establishing, maintaining, and operating Client’s connection to
the Internet (the speed of which may have a significant impact on the responsiveness of the
Services) including all computer hardware and software, web browsers configured in accordance
with industry standards, modems, and access lines.
2. Services
2.1 List of Services
As part of this SOW, IBM will perform the services activities outlined in the following Service Description(s), which
can be found in the Service Descriptions appendix (Appendix B):
3. Estimated Schedule
Services will be performed based on the estimated schedule detailed in the Order Document and will be
used to establish the contract term.
Both parties agree to make reasonable efforts to carry out their respective responsibilities in order to
achieve the estimated schedule.
4. Facilities and Hours of Coverage
a. Services will be performed off-site or on-site at Client's physical location(s) specified in Order
Document and may be performed at IBM location(s).
b. IBM may use personnel and resources in locations worldwide and third-party suppliers to support
the delivery of products and services.
c. IBM will provide Services during normal business hours specified in Order Document. Client may
be required to provide access to its locations outside normal business hours, as mutually agreed
between Client and IBM. Client may incur additional charges for Services provided outside of normal
business hours, as mutually agreed between Client and IBM.
5. Deliverables
The deliverable Materials, resulting from completion of the Services, are detailed within the “Deliverable
Materials Table”, which can be found in the Deliverable Guidelines appendix (Appendix C).
6. Completion Criteria
IBM will have fulfilled its obligations for the Services when any one of the following first occurs:
a. the contract end date has passed; or
b. IBM completes the IBM responsibilities described in this SOW and the IBM responsibilities
described within the selected Services Description(s) specified in the Order Document, including
provision of the deliverables, if any; or
c. IBM has provided the number of hours specified in the Order Document, or in any subsequent
change authorization; or
d. this SOW expires; or
e. the Services are terminated in accordance with the provisions of this SOW, or the Agreement
identified in the Order Document.
7. Charges
The charges, if applicable for the Services are detailed in the Order Document.
IBM shall not be responsible for delays or additional requirements imposed by any government agencies,
labor disputes, fire, unavoidable casualties, or unforeseen conditions.
8. Other Terms and Conditions
8.1 Termination
Refer to the Order Document for any associated termination charges.
8.1.1 Termination for Cause
Either party may terminate this SOW for cause by giving the other party at least 30 days written notice.
8.1.2 Termination of an SOW for Convenience
Either party may terminate this SOW by giving the other party at least written notice.
8.2 Limitation of Services
Client acknowledges and agrees:
a. IBM is not required to perform any work outside the scope described in the SOW;
b. to the extent IBM does perform any work outside of scope, IBM may cease to perform such work at
any time; and
c. any changes to the scope must be agreed to in accordance with the Project Change Control
Procedure specified in this SOW.
8.3 Open-Source Software Disclaimer
Client understands and agrees that Linux and any other Open Source Software (“OSS”), including
patches, fixes, and updates, which IBM installs, configures, updates, operates, or otherwise assists in
procuring on Client's behalf as a result of providing services under this SOW are licensed and distributed
to Client by Linux and OSS distributors and/or respective copyright and other right holders, including Red
Hat, Inc. and/or Novell, Inc. (“Right Holders”) under such Right Holders’ terms and conditions. IBM is not
a party to the Right Holders’ terms and conditions and installs any OSS ‘AS IS’. Client and IBM agree
that any modification or creation of derivative works of OSS is outside the scope of this SOW. IBM is not
a distributor of OSS and does the work described in this SOW for Client upon Client's specification. Client
receives no express or implied patent or other license from IBM with respect to any OSS. IBM makes no
representations and disclaims all warranties with respect to any OSS, express or implied, including the
implied warranties of merchantability and fitness for a particular purpose. IBM does not indemnify against
any claim that OSS infringes a third party's intellectual property rights. UNDER NO CIRCUMSTANCES
SHALL IBM BE LIABLE FOR ANY DAMAGES ARISING OUT OF THE USE OF OSS.
8.4 Employment of Assigned Personnel
Client understands and agrees:
a. This SOW will not affect the employment relationship that exists between IBM’s assigned personnel
and IBM during the applicable contract period. No IBM assigned personnel will be deemed for any
purpose to be the agent, servant, employee, or Client's representative in the performance of his or
her services hereunder.
b. IBM staffs Services on a national basis with either local or non-local resources based upon resource
availability at Services enablement. At the start of Services and on an ongoing basis, the parties' points
of contact will work together to mutually determine any on-site requirements of non-local
resources. For on-site engagements spanning multiple weeks, the typical 40-hour work week of full
time non-local resources normally consists of the resource traveling to Client's site(s) on Monday,
returning to their home city at the end of the workday on Thursday and performing Services related
activities remotely on Friday, as applicable. During weeks with a national holiday or during periods
when a resource is not required to be on-site full time, both parties will work together to define an
alternate full-time work schedule. Such alternate work schedule may include the resource
performing applicable Services-related activities remotely.
Appendix A: Project Procedures
Project Change Control Procedure
A Project Change Request (“PCR”) is used to document a change and the effect the change will have on
the Services. Both parties will review the PCR and agree, in writing, to implement it, recommend it for
further investigation, or reject it.
IBM will specify any charges for such investigation.
The requesting party will submit the PCR to the other party and Client agrees to notify its IBM Business
Partner of any proposed changes. Client's IBM Business Partner will inform Client of any revised charges
for proposed changes.
Escalation Procedure
Client and IBM will meet to resolve issues relating to the Services.
a. If an issue is not resolved within three (3) business days, Client’s executive sponsor will meet with
IBM’s Services Specialist to resolve the issue.
b. If the conflict is resolved, the resolution will be addressed through the Project Change Control
Procedure.
c. While a conflict is being resolved, IBM will provide Services relating to items not in dispute, to the
extent practicable pending resolution of the conflict; Client agrees to pay invoices per this SOW.
Appendix B: Service Descriptions
IBM Security X-Force Incident Response Retainer
The services described herein are governed by the terms and conditions of the agreement specified in the Order
Document for IBM Security Services (“Order Document”). If there is a conflict between the terms in the documents,
the terms of the Order Document prevail over those of this document, and the terms of this document prevail over
those of the agreement specified in the Order Document ("the Agreement").
Capitalized terms not otherwise defined in this document are defined in the Agreement, or any other referenced
document, and have the same meaning in this document as ascribed to them therein.
9. IBM Security X-Force Incident Response Retainer
IBM X-Force Incident Response (IR) Retainer (called “Services”) are designed to provide resources to assist Client
with computer security incidents or assist with emergency response preparation. IBM will provide resources to
assist Client in preparing for, managing, and responding to computer security incidents, including steps for analysis,
intelligence gathering, containment, eradication, recovery, and prevention. IBM will use existing, commercially
available tools, as well as IBM proprietary tools, to perform Services.
IBM X-Force IR Retainer is sold in tiers, where each tier involves different levels of services commitments. Each
tier includes a certain number of support hours (called “Purchased Retainer Hours”) available to the Client
annually for the contract term for emergency incident support or consulting and, depending on the tier level
selected by Client, will also include additional services activities described herein. Services selected by the Client
will be specified in the Order Document.
Also, certain tiers contain additional services and service commitments, in the form of Proactive Units. Clients can
choose IBM to perform any of the following X-Force IR Retainer Proactive Services from the menu table below,
however, each service will utilize a specific number of Proactive Units as reflected in the table below. In order to use
X-Force IR Retainer Proactive Services, Clients must have contracted for the applicable number of Proactive Units
where the available number of Proactive Units will be specified in the Order Document. Additional terms supporting
X-Force IR Retainer Proactive Services will be presented as separate Services Descriptions.
Note: Purchased Retainer Hours and Proactive Units that are not used within each contract year will expire.

X-Force IR Retainer Proactive Services Menu                | Proactive Units | Document #
Incident Response Program Assessment                       | 1               | I126-8513
Cyber Threat Intelligence Program Assessment               | 1               | I126-8514
Strategic Threat Assessment                                | 1               | I126-8025
Incident Response Playbook Customization                   | 1               | I126-8516
Tabletop Exercise                                          | 1               | I126-8517
Cybersecurity Incident Response Plan – High Level Review   | 1               | I126-8518
Dark Web Search Services                                   | 1               | I126-8519
Security Incident First Responder Training                 | 1               | I126-8520
Cybersecurity Incident Response Plan – Full Development    | 4               | I126-8521
Active Threat Assessment (up to 5000 endpoints)            | 4               | I126-7516
Responsibilities matrix legend
The following responsibilities matrix describes the Services Activities to be provided and the responsibilities
of IBM and Client. The below responsibilities are necessary for successful delivery of the Services and are
assigned to the contracting parties, as follows:
O = Owner (Solely Responsible For)
P = Primary (Is Responsible, with assistance from Secondary)
S = Secondary (Participates or Assists, but is not responsible for)
9.1 Service Activity – X-Force IR Retainer Project Initiation
The purpose of this services activity is to review the processes for making a declaration for a cybersecurity
incident that presents a real or a possible threat to Client’s computer system and network environment
(“Cybersecurity Incident Declaration”), review the menu of proactive services and to validate the Service
schedule.
Responsibilities (IBM / Client)
a. Facilitate a remote project initiation workshop, for up to two (2) hours, on a mutually agreed date and
time; (IBM: P, Client: S)
b. Introduce the X-Force IR personnel that will provide Services; (IBM: O)
c. Confirm Client contacts authorized to utilize retainer hours (authorized incident declarers); (IBM: S,
Client: P)
d. Define the process for making a Cybersecurity Incident Declaration and for exchanging security incident
data in a secure manner; (IBM: O)
e. Review processes for responding to a Cybersecurity Incident Declaration and for exchanging security
incident data in a secure manner; (IBM: O)
f. Review the menu of proactive services and process for scheduling services; (IBM: O)
g. Ensure and mandate appropriate Client personnel participation during Services and as required by IBM,
with responsibility ownership for the following areas: (IBM: S, Client: P)
(1) various management levels with representative skills; and
(2) identity and access ownership;
h. Document the Service schedule in a document entitled “Service Calendar”. (IBM: O)
Completion Criteria: This service activity has been completed when IBM has conducted the project
initiation workshop and delivered the Service Calendar to Client's Point of Contact.
9.1.2 Service Activity – Cybersecurity Incident Support
The purpose of this services activity is to provide cybersecurity response for each Cybersecurity Incident
Declaration, based on the level of support (Tier 1, Tier 2 or Tier 3) contracted by Client, with the
corresponding response time and as specified in the Order Document. The following responsibilities are
provided upon Client’s request and for the charges specified in the Order Document.
Responsibilities (IBM / Client)
a. Provide cybersecurity incident response 24 hours/day, 7 days/week for Cybersecurity Incident
Declarations per the term of the Client’s contract; (IBM: O)
b. Agree and acknowledge that if additional physical location coverage is required outside of the country
where the contract originates, a separate contract may be required; (Client: O)
c. Provide the IBM Services specialist with the names and telephone numbers (including after-hours
contact information) of Client’s lead investigator, technical and management contact personnel
(including backup personnel) who have authority to make Cybersecurity Incident Declarations and act
upon suggestions and recommendations made by IBM; (Client: O)
d. Respond after receiving Client’s call or e-mail for a Cybersecurity Incident Declaration, by: (IBM: O)
(1) schedule and host a triage conference call with Client’s designated personnel to discuss the
symptoms; (IBM: O)
(2) if it is determined during the triage conference call that Client requires IBM to engage in on-site
support of the incident, provide an estimate of the Purchased Retainer Hours and travel costs, if
applicable, needed for response; (IBM: O)
(3) provide help and advice for handling the Cybersecurity Incident Declaration, including: (IBM: O)
(a) analysis of computer security incident data to determine the source of the incident, its cause,
and effects; and
(b) analysis of volatile and non-volatile electronic evidence including, but not limited to, computer
disk images, memory images, log data, malware, or other system artifacts;
(4) provide advice and short-term recommendations to contain an incident and eradicate the threat
actor from the impacted environment(s), including: (IBM: O)
(a) short-term containment and eradication measures tailored to the incident and Client’s
environment based on findings gathered from analysis;
(b) guidance regarding benefits and operational risks associated with the recommended measures;
and
(c) guidance on incident remediation planning and execution;
(5) provide advice and long-term recommendations for establishing broader security controls aimed at
increasing cyber resiliency, incident response program efficiency, and preventing or mitigating the
risk of similar attacks in the future; and (IBM: O)
(6) prepare and provide an incident analysis report (“Incident Analysis Report”) to Client’s Point of
Contact describing the cybersecurity incident, causes and effects, actions taken by IBM, and
recommended future actions to mitigate risk; (IBM: O)
e. Make appropriate personnel available during IBM’s response to a Cybersecurity Incident Declaration to
answer questions, obtain requested data, perform suggested actions, and similar items; (Client: O)
f. Be responsible for executing and enforcing containment and remediation controls recommended by
IBM; (Client: O)
g. Provide copies of all configuration information, log files, intrusion detection events, and other data
related to a Cybersecurity Incident Declaration and its analysis; (Client: O)
h. Manage the collection and dissemination of information regarding a Cybersecurity Incident Declaration
with Client’s technical and managerial personnel, legal and public relations departments, others within
Client’s organization, and other companies, as applicable; (Client: O)
i. Be responsible for, and facilitate, all communications between IBM and any third-party vendors,
including internet service providers and content-hosting firms used by Client to implement Client’s
internet presence; (Client: O)
j. Provide supervised access to Client’s computer systems and computer networks during the agreed upon
times and days; and (Client: O)
k. Provide an executive sponsor for Services to communicate management commitment to the project.
(Client: O)
Completion Criteria: This service activity is considered complete when IBM has delivered the applicable
Incident Analysis Reports to the Client Point of Contact.
9.1.3 Service Activity – Quarterly Incident Response (IR) Related Support and Status Update
The purpose of this services activity is to provide Client with ongoing IR related support, up-to-date threat
trends, and status updates.
Responsibilities (IBM / Client)
a. Provide a quarterly email to Client’s Point of Contact to review quarterly status, relevant events, service
hours used and remaining, update the service schedule, provide an update on threat trends, and provide
recommendations, if applicable; and (IBM: O)
b. Designate a Point of Contact, to whom all communications relative to the Quarterly Incident Related
Support and Status Update will be addressed and who will have the authority to act on Client’s behalf in
all matters regarding this activity. (Client: O)
Completion Criteria: This service activity is considered complete when IBM has delivered the quarterly
email to Client’s Point of Contact.
9.1.4 Service Activity – Additional Retainer Hourly Support
The purpose of this services activity is to provide Client the ability to request additional hourly support as
needed.
Responsibilities (IBM / Client)
a. Submit a written request to IBM for Additional Retainer Hourly Support during a cybersecurity incident
and/or as required for a proactive service; (Client: O)
b. In response to Client’s written request, provide a recommendation as to how many additional retainer
hours may be required to fulfill Client’s written request; (IBM: O)
c. Provide additional cybersecurity incident and/or proactive services support beyond Client’s contracted
annual subscription hours limitation at the usage charge specified in the Order Document; and (IBM: O)
d. Be responsible for all charges associated with any additional cybersecurity incident and/or proactive
services hourly support beyond the number of Purchased Retainer Hours specified in the Order
Document. (Client: O)
9.2 Other Terms and Conditions – Limitation of IBM X-Force Incident Response Retainer
Client acknowledges and agrees that the following are not included as part of Services described herein:
a. services involving incidents of violence, injury to persons, or damage to or theft of tangible personal
property;
b. services to identify a perpetrator; however, determining the source of network traffic or specific digital
activity may be included in the Services;
c. investigatory interrogation;
d. communication on Client’s behalf with any entity, such as law enforcement, the news media, or its
customers;
e. any services requiring professional licensing of the service provider;
f. evidentiary chain of custody control or management, but IBM may adhere to Client's chain of custody
procedures in performing its obligations hereunder, provided these are reviewed and agreed to by
IBM prior to starting work;
g. legal counsel of any kind;
h. opinions as to the credibility of any person; or
i. any other related services which IBM, at its reasonable discretion, may at any time decline.
Consulting & System Integration – X-Force Incident Response and
Intelligence Services – Vision Retainer
This Service Description describes the Service IBM provides to Client.
10 Service
IBM X-Force Incident Response and Intelligence Services (IRIS) Vision Retainer (called “Services”) are
designed to provide resources to assist Client with computer security incidents or assist with emergency
response preparation. IBM will provide resources to assist Client in preparing for, managing, and
responding to computer security incidents, including steps for analysis, intelligence gathering,
containment, eradication, recovery, and prevention. IBM will use existing, commercially available tools,
as well as IBM proprietary tools, to perform Services.
IBM X-Force IRIS Vision Retainer is sold in tiers, where each tier involves different levels of services
commitments. Each tier includes a certain number of support hours (called “Purchased Retainer Hours”)
available to the Client annually for the contract term, for emergency incident support or consulting.
Depending on the tier level selected by Client, a tier will also include the additional services activities
described herein. Services selected by the Client will be specified in the Order Document.
Note: Purchased Retainer Hours that are not used during the Estimated Start and End dates specified in
the Order Document will expire.
10.1 Service Activities – X-Force IRIS Project Initiation
The purpose of this activity is to review the processes for making a declaration for a computer security
incident that presents a real or a possible threat to Client's computer system and network environment
(“Emergency Incident Declaration”), and to validate the schedule.
IBM Responsibilities
IBM will:
a. facilitate an on-site or remote project initiation workshop, for up to one day (eight business hours),
on a mutually agreed date and time;
b. introduce the X-Force IRIS management personnel that will be providing Services;
c. confirm Client's locations to be included for Services;
d. define the process for making an Emergency Incident Declaration, including establishing the
designated telephone number(s) and e-mail address(es);
e. review processes for responding to an Emergency Incident Declaration and for exchanging security
incident data in a secure manner;
f. document the Service schedule in a document entitled "Service Calendar"; and
g. have completed X-Force IRIS Project Initiation when IBM has conducted the project kickoff
workshop and delivered the Service Calendar to Client's Point of Contact.
Client Responsibilities
Client will:
a. assign internal resources with appropriate level of skill and responsibility to act on Client’s behalf
and to represent Client’s business interest as it pertains to security group, information technology,
audit, risk, and operations management at Client’s facility during Services; and
b. ensure and mandate appropriate Client personnel participation during Services and as required by
IBM with responsibility ownership for the following areas:
(1) various management levels with representative skills; and
(2) identity and access ownership.
10.2 Service Activities – Incident Program Assessment
Incident Program Assessment services are provided, if selected by the Client and specified in the Order
Document.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. conduct a review of existing Incident Response program documentation;
b. identify five critical stakeholders to conduct a one-hour telephonic interview to provide greater depth
on the existing IR program documentation;
c. collate the interview and written documentation and map into a written deliverable (called the
"Incident Program Assessment final presentation") containing a one-year roadmap mapped to
maturing the program by identifying milestones to serve as future goals; and
d. have completed Incident Program Assessment when IBM has delivered the Incident Program
Assessment final presentation to Client's Point of Contact.
Client Responsibilities
Client will:
a. provide IBM the documentation requested for review within five (5) business days from the initial
request;
b. work with IBM to identify stakeholders needed for interview requests;
c. ensure stakeholders respond within a timely manner to schedule interviews at earliest possible
request; and
d. ensure executive stakeholders are available to participate in the final briefing for IR Program
Assessment deliverable.
10.3 Service Activities – Incident Response (IR) Playbook Customization
IR Playbook Customization services are provided, if selected by the Client and specified in the Order
Document.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with the number of IR Playbook Customizations identified in the Order Document for the
contract term;
b. conduct a review of existing documented Incident Response playbooks;
c. upon review, work closely with Client to determine whether the existing playbooks represent the five
highest priority incidents to potentially occur within the environment;
d. edit the existing playbooks and/or create new playbooks targeted towards the top five highest
priority incidents to potentially occur within the environment; and
e. have completed IR Playbook Customization when IBM has delivered the number of IR Playbooks as
specified in the Order Document to Client's Point of Contact.
Client Responsibilities
Client will:
a. provide IBM the documentation requested within five business days of the initial request; and
b. for subsequent requests, provide IBM the documentation requested within a twenty-four (24) hour
timeframe.
10.4 Service Activities – Incident Response Tabletop Exercise
Incident Response Tabletop Exercise services are provided, if selected by the Client and specified in the
Order Document.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with the number of Incident Response Tabletop Exercises identified in the Order
Document for the contract term;
b. conduct a targeted attack simulation for up to six (6) hours to provide first responder and executive
training, for up to twenty (20) attendees;
c. work remotely and/or onsite with Client's key members to develop a computer security incident
simulation exercise that will test Client's computer security incident response plan and procedures,
with focus on the areas that may need to be updated or improved;
d. conduct and supervise the incident simulation exercise on-site for up to six (6) hours at Client's
location, paying particular attention to:
(1) how properly Client's team triages the incident;
(2) how well the members of Client's computer security incident response team work with each
other;
(3) how well Client's computer security incident response team performs in the five phases of
incident response (analysis, containment, eradication, recovery, and prevention);
(4) how well Client's team interfaces with external entities (Internet service providers,
administrators of other sites, other response teams, law enforcement entities, etc.); and
(5) how well Client's team communicates with customers, external users, employees, and the
public media;
e. document findings and recommendations in a written deliverable (called "Incident Response
Tabletop Exercise Report");
f. discuss findings, for up to two (2) hours, via conference call with Client's computer security incident
response team; and
g. have completed Incident Response Tabletop Exercise when IBM has conducted the conference call
and delivered the Incident Response Tabletop Exercise Report to Client's Point of Contact.
Client Responsibilities
Client will:
a. provide IBM the documentation requested for review within five (5) business days from the initial
request;
b. work with IBM to identify stakeholders needed for interview requests and workshop attendance;
c. ensure stakeholders respond within a timely manner to schedule interviews at earliest possible
request; and
d. ensure executive stakeholders and security incident response team are available to participate in
the final briefing.
10.5 Service Activities - Emergency Incident Support
The purpose of this activity is to provide emergency response for each Emergency Incident Declaration.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide emergency response 24 hours/day, 7 days/week for Emergency Incident Declarations per
the term of Client's contract. Such response will utilize included subscription hours for on-site
and/or remote support for the designated physical locations as specified in the Order Document. If
additional physical location coverage is required in response to an incident, additional charges may
apply;
b. host a conference call with Client's designated personnel to discuss the symptoms Client is
observing, actions taken and similar items within approximately 4 hours after receiving Client's call
or e-mail for an Emergency Incident Declaration;
c. provide an estimate of hours and costs with ‘best efforts’ availability for response, if it is determined
from the call that Client requires IBM to engage in support of the incident;
d. provide help and advice, if possible, for handling the Emergency Incident Declaration including:
(1) analysis of computer security incident data to determine the source of the incident, its cause,
and its effects;
(2) preventing the effects of the computer security incident from spreading to other computer
systems and networks;
(3) stopping the computer security incident at its source and/or protecting Client's computer
systems and networks from the effects of the computer security incident;
(4) recommendations for restoration of the affected computer systems and networks to normal
operation; and
(5) suggesting protection methods for Client's computer systems and networks from future
occurrences of the computer security incident;
e. prepare and provide an incident analysis report (“Incident Analysis Report”) to Client's Point of
Contact describing the computer security incident, causes and effects, actions taken by IBM, and
recommended future actions to mitigate risk; and
f. have completed Emergency Incident Support when IBM has delivered any Incident Analysis
Reports, as applicable, and provided the Purchased Subscription Hours or the contract end date has
been reached.
Client Responsibilities
Client will:
a. agree and acknowledge:
(1) that Client may not make an Emergency Incident Declaration until after the project kickoff
session has been conducted;
(2) that Client's additional locations, or locations not specified in the Order Document, must be
contracted for separately;
(3) that one IBM consultant will be assigned for remote and/or on-site Emergency Incident
Declaration response to the declared physical location. Additional IBM consultants must be
contracted for separately and are subject to availability; and
(4) that if IBM discovers what it considers, in its sole discretion, to be inappropriate content during
the performance of Services, IBM has the authority to report such information to law
enforcement. Examples of what IBM would consider inappropriate content include, but are not
limited to, content or activity that involves obscene, pornographic, or violent material;
b. provide the IBM Services specialist with the names and telephone numbers (including after-hours
telephone or pager numbers) of Client's lead investigator, technical and management contact
personnel (including backup personnel) who have the authority to make Emergency Incident
Declarations and act upon suggestions and recommendations made by IBM;
c. make appropriate personnel available during IBM’s response to an Emergency Incident Declaration
to answer questions, obtain requested data, perform suggested actions, and similar items;
d. provide copies of all configuration information, log files, intrusion detection events, and other data
related to an Emergency Incident Declaration and its analysis;
e. manage the collection and dissemination of information regarding an Emergency Incident
Declaration with Client's technical and managerial personnel, legal and public relations
departments, others within Client's organization, and other companies as applicable;
f. be responsible for and facilitate all communications between IBM and any third-party vendors,
including Internet service providers and content-hosting firms used by Client to implement Client's
Internet presence;
g. provide supervised access to Client's computer systems and computer networks during the agreed
upon times and days;
h. provide an executive sponsor for Services to communicate management commitment to the project;
and
i. be responsible for all charges associated with any additional Emergency Incident Declarations
Client makes during the term of Client's contract.
10.6 Service Activities - Quarterly Incident Response (IR) Related Support and Status Update
The purpose of this activity is to provide Client with ongoing IR related support, up-to-date threat trends,
and status updates.
IBM Responsibilities
IBM will:
a. provide a checkup via remote teleconference for up to two (2) hours to review quarterly status,
relevant events, service hours utilized and remaining, update service schedule, provide update on
threat trends, ensure Client's incident response readiness, and provide recommendations if
appropriate;
b. document result of each telephone support and discussion of the checkup teleconference in a
quarterly status report (“Quarterly Status Report”); and
c. have completed Quarterly Incident Response Related Support and Status Update when IBM has,
per the service calendar, delivered the Quarterly Status Report to Client's Point of Contact and
provided the Purchased Subscription Hours or the contract end date has been reached.
Client Responsibilities
Client will designate a Point of Contact, to whom all communications relative to the Quarterly Incident
Related Support and Status Update will be addressed and who will have the authority to act on Client's
behalf in all matters regarding this activity.
10.7 Service Activities - IBM X-Force® Hosted Threat Analysis Service
IBM X-Force® Hosted Threat Analysis Services are provided, if selected by the Client and specified in the
Order Document.
The IBM X-Force® Hosted Threat Analysis Service is a security intelligence service that is designed to
deliver customized information about a variety of threats that could affect Client's network security.
The managed security services portal (called “Portal”) provides Client with access to an environment (and
associated tools) designed to monitor and manage Client's security posture by merging technology and
service data from multiple vendors and geographies into a common, Web-based interface.
The Portal may also be used to deliver Education Materials. All such Education Materials are licensed,
not sold, and remain the exclusive property of IBM. IBM grants Client a license in accordance with the
terms provided in the Portal. EDUCATION MATERIALS ARE PROVIDED “AS IS” AND WITHOUT
WARRANTY OR INDEMNITY OF ANY KIND BY IBM, EXPRESS OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT OF PROPRIETARY AND INTELLECTUAL PROPERTY RIGHTS.
IBM Responsibilities
At Client's request, and for the charges specified in the Order Document, IBM will:
a. provide Client with the number of X-Force Hosted Threat Analysis Service seats identified in the Order
Document for the contract term;
b. enable Client to access the Portal, and will work with Client to activate Services during deployment
and initiation;
c. provide access to the Portal 24 hours/day, 7 days/week;
d. request one name and e-mail address for each seat purchased;
e. enable Services access for each seat purchased;
f. provide access to Education Materials in accordance with the terms provided in the Portal;
g. send each licensed Services user a welcome e-mail with a user ID and temporary password to the
Portal;
h. provide Client with access to the X-Force® Hosted Threat Analysis Service;
i. provide Client with a username, password, URL, and appropriate permissions to access the Portal;
j. display security information on the Portal as it becomes available;
k. if configured by Client, provide security intelligence specific to Client's defined vulnerability watch
list, via the Portal;
l. if configured by Client, provide an Internet security assessment e-mail each business day;
m. publish an Internet AlertCon via the Portal;
n. provide Portal feature functionality for Client to create and maintain a vulnerability watch list;
o. provide additional information about an alert, advisory, or other significant security issue as IBM
deems necessary;
p. provide access to the Threat IQ via the Portal; and
q. have completed IBM X-Force® Hosted Threat Analysis Service when IBM has provided Client with
the number of X-Force Hosted Threat Analysis Service seats specified and provided the Purchased
Subscription Hours or the contract end date has been reached.
Client Responsibilities
Client will:
a. utilize the Portal to perform daily operational Services activities;
b. ensure Client's employees accessing the Portal on Client's behalf comply with the terms of use
provided therein, including, but not limited to, the terms associated with educational materials;
c. appropriately safeguard Client's login credentials to the Portal (including not disclosing such
credentials to any unauthorized individuals);
d. promptly notify IBM if a compromise of Client's login credentials is suspected;
e. indemnify and hold IBM harmless for any losses incurred by Client or other parties resulting from
Client's failure to safeguard Client's login credentials;
f. provide IBM with one name and e-mail address for each subscription purchased;
g. change Client's temporary password upon first login to the Portal;
h. agree to adhere to an individual license which entitles a single person in an organization to log in to
the IBM Managed Security Services (“IBM MSS”) portal (called “Portal”) and customize the delivery
of Services content. This person is entitled to view information in the Portal and to receive e-mail
notifications configured in the Portal. The individual is not authorized to share or distribute Services
information. Although an organization can transfer an individual license from one person to another
if needed, an individual license cannot be shared with other individuals who do not have a proper
license; and
i. use the Portal to:
(1) subscribe to the daily Internet security assessment e-mail, if desired;
(2) create a vulnerability watch list, if desired; and
(3) access the Threat IQ.
10.8 Other Terms and Conditions – Limitation of IBM X-Force IRIS Vision Retainer
Client acknowledges and agrees that the following are not included as part of Services described herein:
a. Services involving incidents of violence, injury to persons, or damage to or theft of tangible personal
property;
b. Services to identify a perpetrator; however, determining the source of network traffic or specific
digital activity may be included in Services;
c. investigatory interrogation;
d. testifying in judicial or administrative proceedings;
e. communication on Client's behalf with any entity, such as law enforcement, the news media, or its
customers;
f. any services requiring professional licensing of the service provider;
g. evidentiary chain of custody control or management, but IBM may adhere to Client's chain of
custody procedures in performing its obligations hereunder, provided these are reviewed and
agreed to by IBM prior to starting work;
h. legal counsel of any kind;
i. opinions as to the credibility of any person; or
j. any other related services which IBM, at its reasonable discretion, may at any time decline.
Supported Locations (US)
Supported Location for Incident Response (US State or Country): Comments
Massachusetts: Services performed on systems located in Massachusetts will be performed by IBM personnel. Per the Certification Unit, Massachusetts State Police, applicable state law may be interpreted to require computer forensics identifying a specific party to be performed by a licensed party. Additional rates for IBM managed Subcontractor may apply.
Maryland: Services performed on systems located in Maryland will be performed by IBM personnel. Please note that as of the date of this SOW, applicable state law may be interpreted to require computer forensics identifying a specific party to be performed by a licensed party. Additional rates for IBM managed Subcontractor may apply.
Texas: As of the date of this SOW, the Texas Private Security Bureau interprets applicable state law, and state law explicitly requires, computer forensics to be performed by a licensed investigator. Services performed on systems located in Texas will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.
Michigan: As of the date of this SOW, applicable state law explicitly requires computer forensics to be performed by a licensed investigator, where such forensics are to be used as evidence before a court, board, officer, or investigating committee. Services performed on systems located in Michigan will be performed by licensed IBM personnel, as required.
South Carolina: As of the date of this SOW, the Office of the Attorney General and the South Carolina Law Enforcement Division interpret applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in South Carolina will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.
Nevada: As of the date of this SOW, applicable state law explicitly requires computer forensics to be performed by a licensed investigator. Services performed on systems located in Nevada will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.
Kentucky: As of the date of this SOW, the Kentucky Board of Licensure for Private Investigators interprets applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in Kentucky will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.
Georgia: As of the date of this SOW, the Office of the Secretary of State and the Georgia Board of Private Detective and Security Agencies interpret applicable state law to require computer forensics to be performed by a licensed investigator. Services performed on systems located in Georgia will be performed by a licensed subcontractor. Additional rates for IBM managed Subcontractor may apply.
All other US States: Onsite Incident Response
Appendix C: Deliverable Guidelines
C – 1: Terms
a. Any deliverables marked with an asterisk (*) are exempt from the Deliverable Acceptance
Procedure and will be considered accepted by Client upon delivery to the Client Point of Contact.
b. In the event a deliverable is inadvertently omitted from the list above, IBM will notify Client of the
identity and the appropriate designation of the deliverable through the Project Change Control
Procedure.
C – 2: Definitions
Project Materials - works of authorship IBM develops for Client under this document and Client will own
the copyright in Project Materials. IBM retains an irrevocable, nonexclusive, worldwide, paid-up license to
use, execute, reproduce, display, perform, sublicense, distribute, and prepare derivative works of Project
Materials.
Existing Works - works of authorship delivered to Client, but not created under this document, and any
modifications or enhancements of such works. IBM grants Client an irrevocable (subject to Client’s
payment obligations), nonexclusive, worldwide license to use, execute, reproduce, display, perform and
prepare derivatives of Existing Works.
Order Document
Security Services
This Statement of Work (“SOW”) is governed by the terms and conditions of the Texas Department of Information
Resources Contract Number DIR-CPO-4942 (“Agreement”), effective through January 04, 2026 (the “Contract
Expiration Date”), between the State of Texas, on behalf of itself and its Affiliates, and International Business
Machines Corporation a New York corporation, with offices at 1 New Orchard Road, Armonk, New York 10504
(“Vendor”).
By signing this Order Document, Client is ordering the Services as specified in this Order Document, the
applicable Service Description(s) and Agreement between the Client and IBM.
Capitalized terms not otherwise defined in this document are defined in the Agreement or any other referenced
document and have the same meaning in this document as ascribed to them therein.
Client Information:
Company Name: CITY OF DENTON
Company Address: ACCOUNTS PAYABLE
215 E MCKINNEY ST
Denton, TX 76201
US
IBM Information:
Address: IBM Corporation
6303 Barfield Road
Atlanta, GA 30328
Client's Point of Contact:
Contact Name: Leisha Meine
Telephone: 940-349-7823
E-mail: leisha.meine@cityofdenton.com
IBM Contact:
Contact Name: Rob Koehler
Telephone: (505) 417-7689
E-mail: rob.koehler@ibm.com
Client's delivery location (if different from above):
Company Name: City of Denton
Company Address: 601 E Hickory Street, Suite A
Denton, TX 76205-4303
Telephone: 940-349-7823
Contact E-mail: leisha.meine@cityofdenton.com
Invoicing Information (if different from Client):
Company Name:
Invoicing Address: ACCOUNTS PAYABLE
215 E MCKINNEY ST
Denton, TX 76201
US
Invoice Contact Person: Leisha Meine
Invoice Contact E-mail: leisha.meine@cityofdenton.com
Client identification number: DC3Y4QBP
Contract Number: CFTK0LS
Agreement: IBM Client Relationship Agreement
Document number: Z126-6548-US-XX
Confidentiality Agreement: Agreement for Exchange of Confidential Information (“AECI”)
Document number: Z125-4322-XX
The above agreement document(s) can be found at: IBM Terms
Select region and the applicable country to access documents. If any documents are not accessible, please request a copy
from Client's IBM sales contact.
Offer Expiration Date: 05/31/24
Order Document Effective Date: 04/01/24 (the date on this Order Document when signed by the last party)
Revised Order Document: (Yes or No): ____
Order Document Transaction number: (if applicable)
Offer Expiration Date is defined as the date after which the terms and conditions offered in this Order
Document are no longer valid.
Services will be provided to Client in accordance with the terms and conditions of this Order Document
and its incorporated documents, including the Services Descriptions.
Unless otherwise expressly stated in this Order Document or in a document incorporated by reference,
Services do not include hardware or software content, or maintenance subscriptions.
Client understands and acknowledges that IBM is permitted to use global resources (non-permanent
residents used locally and personnel in locations worldwide) for delivery of Services.
1. Consulting and System Integration Services
Consulting and System Integration Services (“C&SI”) are comprised of two parts: 1) the terms and
conditions detailed in the selected Services Descriptions, and 2) the Security Services Statement of Work
for Services (“SOW”) document number: I126-6954. The SOW is an integral part of each Services
Description.
The terms of the SOW prevail over those of the Agreement; the terms of the applicable Services
Description(s) prevail over those of the SOW; and the terms of this Order Document prevail over all
documents.
Normal business hours are defined as 8:00 a.m. to 5:00 p.m. through in Client's time zone, except
national holidays, unless otherwise specified.
1.1 C&SI Estimated Schedule
C&SI Services will begin on the start date of the first service activity and continue through the end date of
the last service activity specified in the Consulting & System Integration - Selectable Feature Summary
table, above (“the Estimated Schedule”).
If the Order Document signature date is beyond Estimated Start Date(s), Estimated Start Date(s) will
automatically be extended to the date of the last signature on this Order Document and Estimated End
Date(s) will automatically be extended by the same number of days.
1.2 C&SI Payment Terms
1.2.1 Fixed Price
The charges for the C&SI Services, exclusive of applicable taxes and travel expenses, are detailed
above. Unless otherwise stated herein, Services charges are based upon a contiguous work schedule.
Delays in the work schedule are subject to the Project Change Control Procedure detailed in the SOW
and may result in an increase in charges.
1.3 C&SI Summary of Charges
1.3.1 SKU Based C&SI Table
SKU #: XF-RETAINER-T2-S
Product Description: X-Force Incident Response Retainer - Tier 2
Quantity: 1.00
Selling Frequency: Monthly
Selling Term: 12.00
Total Charge: 90,000.00
Client will be invoiced monthly in advance for C&SI Charges.
1.4 Ongoing Support Services Transition
Ongoing support (called “Steady State”) is initiated once is complete and IBM has the necessary
environment details, tools, access, processes, and procedures to provide Managed Security Services
(“MSS”). MSS will begin on the day following completion of the “Transition to Managed Security Services”
event listed on the C&SI Payment Schedule, above (“the Contract Period Start Date”).
2. Security Service Summary of Charges
Total Security Services Charges
C&SI Total Services Charges 90,000.00
Security Services Grand Total 90,000.00
3. Additional Terms and Conditions
3.1 Regulatory Services
IBM does not operate as a provider of services regulated by the Federal Communications Commission
(“FCC”) or state regulatory authorities (“State Regulators”) and does not intend to provide any services
which are regulated by the FCC or State Regulators. If the FCC or any State Regulator imposes
regulatory requirements or obligations on any services provided by IBM hereunder, IBM may: (a) modify,
replace, or substitute products at Customer’s expense, and/or (b) change the way in which such services
are provided to Client to avoid the application of such requirements or obligations to IBM (for example, by
acting as Client's agent for acquiring such services from a third party common carrier).
3.2 Disclaimer
Client understands and agrees:
a. that Products and Services are not warranted to operate uninterrupted or error free;
b. that Products and Services are not fault tolerant and are not designed or intended for use in
hazardous environments requiring fail-safe operation, including without limitation aircraft navigation,
air traffic control systems, weapon systems, life support systems, nuclear facilities, or any other
applications in which Product or Services failure could lead to death, personal injury, or property
damage;
c. that it is solely within Client's discretion to use or not use any of the information provided pursuant to
the Services hereunder. Accordingly, IBM will not be liable for any actions that Client takes or
chooses not to take based on the Services performed and/or deliverables provided hereunder;
d. that it is Client's sole responsibility to provide appropriate and adequate security for the company, its
assets, systems, and employees;
e. that it is Client's responsibility to add the IP addresses associated with the testers to any filtering
devices, thereby permitting unfiltered network access to the target systems;
f. not to modify the configurations of any in-scope systems and infrastructure devices during the
period of testing; and
g. that new technology, configuration changes, software upgrades and routine maintenance, among
other items, can create new and unknown security exposures. Moreover, computer “hackers” and
other third parties continue to employ increasingly sophisticated techniques and tools, resulting in
ever-growing challenges to individual computer system security. IBM’s performance of the Services
does not constitute any representation or warranty by IBM about the security of Client's computer
systems including, but not limited to, any representation that Client's computer systems are safe
from intrusions, viruses, or any other security exposures. IBM does not make any warranty,
express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information provided as part of the Services.
3.3 Permission to Perform Testing
Certain laws prohibit any unauthorized attempt to penetrate or access computer systems. Client
authorizes IBM to perform the Services as described herein and acknowledges that the Services constitute
authorized access to Client's computer systems. IBM may disclose this grant of authority to a third party
if deemed necessary to perform the Services.
The Services that IBM performs entail certain risks and Client agrees to accept all risks associated with
such Services; provided, however, that this does not limit IBM’s obligation to perform the Services. Client
acknowledges and agrees to the following:
a. excessive amounts of log messages may be generated, resulting in excessive log file disk space
consumption;
b. the performance and throughput of Client's systems, as well as the performance and throughput of
associated routers and firewalls, may be temporarily degraded;
c. some data may be changed temporarily as a result of probing vulnerabilities;
d. Client's computer systems may hang or crash, resulting in system failure or temporary system
unavailability;
e. any service level agreement rights or remedies will be waived during any testing activity;
f. a scan may trigger alarms by intrusion detection systems;
g. some aspects of the Services may involve intercepting the traffic of the monitored network for the
purpose of looking for events; and
h. new security threats are constantly evolving, and no service designed to provide protection from
security threats will be able to make network resources invulnerable from such security threats or
ensure that such service has identified all risks, exposures, and vulnerabilities.
3.4 Systems owned by a Third Party
For systems (which for purposes of this provision includes but is not limited to applications and IP
addresses) owned by a third party that will be the subject of testing hereunder, Client agrees:
a. that prior to IBM initiating testing on a third-party system, Client will obtain a signed letter from the
owner of each system authorizing IBM to provide the Services on that system, and indicating the
owner's acceptance of the conditions set forth in the section entitled “Permission to Perform
Testing” and to provide IBM with a copy of such authorization;
b. to be solely responsible for communicating any risks, exposures, and vulnerabilities identified on
these systems by IBM’s remote testing to the system owner; and
c. to arrange for and facilitate the exchange of information between the system owner and IBM as
deemed necessary by IBM.
Client agrees:
d. to inform IBM immediately whenever there is a change in ownership of any system that is the
subject of the testing hereunder;
e. not to disclose the deliverables, or the fact that IBM performed the Services, outside Client's
Enterprise without IBM’s prior written consent; and
f. to indemnify IBM in full for any losses or liability IBM incurs due to third party claims arising out of
Client's failure to comply with the requirements of this section entitled, "Systems Owned by a Third
Party" and for any third party subpoenas or claims brought against IBM or IBM’s subcontractors or
agents arising out of (a) testing the security risks, exposures or vulnerabilities of the systems that
are the subject of testing hereunder, (b) providing the results of such testing to Client, or (c) Client's
use or disclosure of such results.
3.5 Security Data
As part of Services that include reporting activities, IBM will prepare and maintain de-identified and/or
aggregate information collected from Services (called "Security Data"). The Security Data will not identify
the Client, or an individual except as provided in (d) below. Client herein additionally agrees that IBM may
use and/or copy the Security Data only for the following purposes:
a. publishing and/or distributing the Security Data (e.g., in compilations and/or analyses related to
cybersecurity);
b. developing or enhancing products or services;
c. conducting research internally or with third parties; and
d. lawful sharing of confirmed third party perpetrator information.
4. Travel and Living Expenses
If travel is required, Client is responsible for all reasonable travel and living expenses, which would
include actual transportation and lodging, per diem meal expenses and other reasonable and necessary
charges associated with such travel and living expenses (e.g., luggage charges) incurred by IBM’s
personnel during the performance of the Services. Travel and living expenses are in addition to the
above charges and are currently estimated at 20-25% of the total Services charge. Travel and living
expenses will be invoiced monthly after they are incurred.
5. Taxes and Payment
Client agrees to adhere to the taxes and payment terms of the Agreement.
Amounts are due upon receipt of the invoice and payable within 30.00 days of the invoice date to an
account specified by IBM.
Late payment fees may apply.
6. Billing for Online Orders
Based upon Client's selected payment method, IBM will bill such charges each month by sending Client
an invoice or, where available, bill Client's credit card on file. IBM will add any custom, duty, tax (including
withholding tax), levy or fee imposed by any authority resulting from Client's purchase or use of this
Service.
Where applicable, taxes are based upon the location(s) Client identifies as receiving benefit of the
Services. IBM will apply taxes based upon the business address listed for the account as the primary
benefit location unless Client provides additional information to IBM. Client is responsible for keeping
such information current and providing any changes to IBM.