Appendix J to DIR-TSO-3996 Statement of Work for

Appendix J Statement of Work Template Page 1 of 16

Appendix J to DIR-TSO-3996

Statement of Work

for

{Project Name}

Prepared for

{Customer Name}

{Address 1}

{Address 2}

{SOW Date}

[If applicable to the transaction, this template is to be used by the parties to draft SOW's. The sections

included below are suggestions of subjects to be discussed between the parties if applicable to the scope

of work.]

Appendix J Statement of Work Template  Page 2 of 16 
Table of Contents 
 
 Statement of Work.................................................................................................................................................. 3 
 Scope of Work ........................................................................................................................................................ 3 
 Resources and Hours of Coverage....................................................................................................................... 3 
 Definitions ............................................................................................................................................................... 3 
 Assumptions .......................................................................................................................................................... 3 
 IBM Responsibilities .............................................................................................................................................. 3 
1  Project Management ...................................................................................................................................... 3 
2  Information Security Management.................................................................................................................. 4 
Phase One - {Phase Name} ....................................................................................................................................................... 4 
3  Project Kickoff ................................................................................................................................................ 4 
4  {Activity Name} ............................................................................................................................................... 4 
5  {Activity Name} ............................................................................................................................................... 4 
Phase Two - {Phase Name} ....................................................................................................................................................... 5 
6  Assist Customer with {__________}............................................................................................................... 5 
 Customer Responsibilities .................................................................................................................................... 5 
1  Customer Project Manager ............................................................................................................................ 5 
2  Other Customer Responsibilities .................................................................................................................... 5 
3  {Phase Name} Phase Customer Responsibilities ........................................................................................... 6 
 Deliverables ............................................................................................................................................................ 6 
 Completion Criteria ................................................................................................................................................ 7 
 Estimated Schedule ............................................................................................................................................... 7 
 Charges ................................................................................................................................................................... 8 
 Additional Terms and Conditions ......................................................................................................................... 9 
 Acceptance ........................................................................................................................................................... 10 
 Confidentiality ...................................................................................................................................................... 10 
Exhibit A: Deliverable Guidelines ........................................................................................................................................... 12 
Exhibit B: Project Procedures ................................................................................................................................................. 13 
Exhibit C: Information Security Table of Roles and Responsibilities .................................................................................. 14 
   

Appendix J Statement of Work Template Page 3 of 16

1. Statement of Work

This Statement of Work (“SOW”) is between the Customer (also called “Customer”) and the IBM legal entity

referenced below (“IBM”) and adopts and incorporates by reference DIR Contract Number DIR-TSO-3996

identified in the Acceptance section. Customer means and includes the Customer company, its authorized

users or recipients of the Services.

Described within this SOW is the project, which consists of the deliverables to be provided by IBM, and the

IBM responsibilities and related Customer responsibilities to be provided in accordance with the terms of

this SOW.

Changes to this SOW will be processed in accordance with the procedure described in Project Change

Control Procedure in the Project Procedures appendix. The investigation and the implementation of

changes may result in modifications to the Estimated Schedule, Charges, and other terms of this SOW and

DIR Contract Number DIR-TSO-3996.

2. Scope of Work

In this project IBM will:

a. {x}

b. {y}

3. Resources and Hours of Coverage

a. Work under this SOW will be performed at the Customer facility in {Customer Location}, except for

any activities which IBM determines would be best performed on IBM’s or its subcontractor’s

premises. Such activities will be billable to Customer.

b. IBM will provide the Services under this SOW during normal business hours, {8:00 AM to 6:00 PM

Eastern Time, Monday through Friday}, except national holidays. If necessary, Customer will provide

after-hours access to Customer facilities to IBM personnel. Customer may incur a charge for Services

provided outside of normal business hours. Out-of-town personnel may work hours other than those

defined as normal business hours to accommodate their travel schedules.

4. Definitions

{xxxxx} –

5. Assumptions

{The parties should explain any requirements related to the environment necessary for performing or

receiving the services.}

6. IBM Responsibilities

6.1 Project Management

An IBM Project Manager will establish a framework for project planning, communications, reporting,

procedural and contractual activity, and other activities associated with the Services, and will:

a. Review the SOW and the contractual responsibilities of both parties with the Customer Project

Manager

b. Maintain project communications through the Customer Project Manager

c. Coordinate the establishment of the project environment

d. Establish documentation and procedural standards for deliverables

e. Prepare and maintain the IBM Project Plan which lists the activities, tasks, assignments, milestones

and estimates for performance of this SOW

f. Review project tasks, schedules, and resources and make changes or additions, as appropriate.

Measure and evaluate progress against the IBM Project Plan with the Customer Project Manager

Appendix J Statement of Work Template Page 4 of 16

g. Review the IBM standard invoice format and billing procedure to be used on the project, with the

Customer Project Manager

h. Work with the Customer Project Manager to address and resolve deviations from the IBM Project

Plan

i. Conduct regularly scheduled project status meetings

j. Prepare and submit {Periodic} Status Reports to the Customer Project Manager

k. Administer the Project Change Control Procedure with the Customer Project Manager

l. Coordinate and manage the technical activities of IBM project personnel

6.2 Information Security Management

IBM will provide ongoing Information Security Management for the activities defined in this SOW. The

purpose of this activity is to provide mutually agreed upon understanding of security measures to protect

information under this SOW.

IBM will:

a. Perform the IBM roles and responsibilities as indicated in the Information Security Table of Roles and

Responsibilities appendix

Completion Criteria: This activity will be complete when {IBM has documented the completion of the IBM

roles and responsibilities as indicated in the Information Security Table of Roles and Responsibilities

appendix - OR – IBM has documented the completion of the IBM roles and responsibilities listed in this

activity –OR- IBM has provided {xx} hours of Information Security Management activities}.

Phase One - {Phase Name}

6.3 Project Kickoff

IBM will facilitate a project kickoff meeting for up to ____(X) hours and with up to ___(X) Customer

participants, on a mutually agreed date and time.

IBM will:

a. discuss project team roles and responsibilities;

b. xxxx xxxxxxxxxxxxxxxxxxx;

c. review the completed data collection questionnaire and identify any missing information; and

d. develop a schedule of data collection activities.

Completion Criteria:

IBM has conducted the kickoff meeting.

6.4 {Activity Name}

IBM will {__________}.

This activity is composed of the following tasks:

a. {x}

b. {y}

c. Create the {__________} and {__________} Reports

Completion Criteria:

IBM has delivered {__________} and {__________} to the Customer Project Manager.

Deliverables:

● {__________} Report

6.5 {Activity Name}

IBM will {__________}.

This activity is composed of the following tasks:

a. {x}

Appendix J Statement of Work Template Page 5 of 16

b. {y}

c. {z}

Completion Criteria:

IBM has {insert objective, achievable results, e.g., "...IBM has documented the results of x, y, z"; OR

"...IBM has determined that x, y, z have been configured/developed/etc.

Phase Two - {Phase Name}

6.6 Assist Customer with {__________}.

IBM will provide up to {nn} hours of assistance to Customer as follows:

a. {x}

b. {y}

c. {z}

Completion Criteria:

IBM has provided up to {nn} hours of assistance for this activity.

7. Customer Responsibilities

IBM's performance is dependent upon Customer’s fulfillment of its responsibilities at no charge to IBM.

Any delay in performance of Customer’s responsibilities may result in additional charges and/or delay of

the completion of the Services and will be handled in accordance with the Project Change Control

Procedure.

7.1 Customer Project Manager

Prior to the start of this project, Customer will designate a person called the Customer Project Manager

who will be the focal point for IBM communications relative to this project and will have the authority to act

on behalf of Customer in all matters regarding this project. The Customer Project Manager's responsibilities

include the following:

a. Manage Customer personnel and responsibilities for this project;

b. Serve as the interface between IBM and all Customer departments participating in the project;

c. Administer the Project Change Control Procedure with the IBM Project Manager;

d. Participate in project status meetings;

e. Obtain and provide information, data, and decisions within {X} working days of IBM's request unless

Customer and IBM agree in writing to a different response time. Review deliverables submitted by

IBM in accordance with the Deliverable Acceptance Procedure;

f. Help resolve project issues and Customer’s deviations from the estimated schedule, and escalate

issues within Customer’s organization, as necessary; and

g. Review with the IBM Project Manager any Customer invoice or billing requirements. Such

requirements that deviate from IBM's standard invoice format or billing procedures may have an effect

on price and will be managed through the Project Change Control Procedure. IBM agrees that

standard or common invoice formats and billing procedures of the State of Texas will not affect price

and will not require management through the Project Change Control Procedure.

7.2 Other Customer Responsibilities

Customer will:

a. provide safe access, suitable office space, supplies, high speed connectivity to the Internet, and other

facilities needed by IBM personnel while working at Customer’s location. The IBM project team will

be located in an area reasonably near Customer’s project personnel, and all necessary security

badges and clearance will be provided for access to this area;

b. ensure that Customer staff is available to provide such assistance as IBM reasonably requires and

that IBM is given reasonable access to Customer senior management, as well as any members of its

staff to enable IBM to provide the Services. Customer will ensure that its staff has the appropriate

Appendix J Statement of Work Template Page 6 of 16

skills and experience. If any Customer staff fails to perform as required, Customer will make suitable

additional or alternative staff available;

c. provide all information and materials reasonably required to enable IBM to provide the Services. IBM

will not be responsible for any loss, damage, delay, or deficiencies in the Services arising from

inaccurate, incomplete, or otherwise deficient information or materials supplied by or on behalf of

Customer;

d. ensure Customer has appropriate agreements in place with third parties whose work may affect IBM’s

ability to provide the Services. Unless specifically agreed to otherwise in writing, Customer is

responsible for the management and performance of the third parties, and for any third party

hardware, software or communications equipment used in connection with the Services;

e. allow IBM to cite Customer’s company name and the general nature of the Services IBM performed

for Customer to IBM’s other Customers and other prospective Customers;

f. consent and will obtain any necessary consents for IBM and its subcontractors to process the

business contact information of Customer, its employees and contractors worldwide for our business

relationship. IBM will comply with requests to access, update, or delete such contact information.

g. if making available to IBM any facilities, software, hardware or other resources in connection with

IBM’s performance of Services, obtain at no cost to IBM, obtain any licenses or approvals related to

these resources that may be necessary for IBM to perform the Services. IBM will be relieved of its

obligations that are adversely affected by Customer’s failure to promptly obtain such licenses or

approvals. Customer agrees to reimburse IBM for any reasonable expenses that IBM may incur from

Customer’s failure to obtain these licenses or approvals;

h. be responsible for determining that any non-IBM products and their integration are in compliance with

national building and installation codes and other laws and regulations, including product safety

regulations.

i. perform Customer roles and responsibilities as indicated in the Information Security Table of Roles

and Responsibilities appendix.

OSS PROVIDED BY CUSTOMER

If the Customer is responsible for providing OSS that is required by a deliverable, include the following term:

j. Customer will provide the following Open Source Software (OSS) required by {Name of deliverable}.

At Customer’s request and acting on their behalf, IBM may obtain such OSS for Customer:

● {OSS NAME – VERSION #, RELEASE #}

Customer shall be the licensee of the {OSS NAME} and may obtain a copy of such license to {OSS

NAME} at: {HTTP://OSS NAME.ORG/DOWNLOAD.HTML}

7.3 {Phase Name} Phase Customer Responsibilities

Customer will:

a. {x}

b. {y}

8. Deliverables

The following deliverables are provided to Customer as part of the Services:

Project Materials

a. Solution Requirements Report

The Solution Requirements Report will consist of the following, as applicable:

(1) Xxxxxxxxxxxxxxxxxx

(2) Xxxxxxxxxxxxxxxxxxxx

Appendix J Statement of Work Template Page 7 of 16

IBM will deliver one (1) copy of the Solution Requirements Report to the Customer Point of Contact

as part of the AAA activity.

Existing Works

a. User Guide

The User Guide will consist of the following, as applicable:

(1) Xxxxxxxxxxxxxxxxxx

(2) Xxxxxxxxxxxxxxxxxxxx

IBM will deliver one (1) copy of the User Guide to the Customer Point of Contact as part of the AAA

activity.

Supplemental Notes - Deliverables

See the Deliverable Guidelines for a description of each deliverable.

Deliverables marked with an asterisk (*) are exempt from the Deliverable Acceptance Procedure and will

be considered accepted by Customer upon delivery to the Customer Project Manager.

In the event a deliverable is inadvertently omitted from the list above, IBM will notify Customer of the identity

and the appropriate designation of the deliverable.

9. Completion Criteria

IBM will have fulfilled its obligations under this SOW when any one of the following first occurs:

a. IBM completes the IBM Responsibilities including the provision of the deliverables, if any; or

b. IBM provides the number of hours of Services specified in the Charges section or in any approved

Project Change Request or change authorization; or

c. the Services are terminated in accordance with the provisions of this SOW and DIR Contract Number

DIR-TSO-3996.

10. Estimated Schedule

The Services in this SOW are estimated to be performed in a period of up to {nn} months from the

agreed upon estimated start date {as shown in the Acceptance section}.

IBM Activities

Mth 1

Mth 2

Mth 3

Mth 4

Mth 5

Mth 6

Mth 7

Mth 8

Mth 9

Mth 10

1. Ongoing Project Mgmt

2. {Phase/Activity A}

3. {Phase/Activity B}

4. {etc.}

Appendix J Statement of Work Template Page 8 of 16

11. Charges

TIME AND MATERIALS CONTRACTS

➔ STARTS HERE:

The Services will be conducted on a time and materials basis.

IBM will provide an estimated {Number of hours} hours for the Services at an hourly rate of {Hourly

rate}.

Services Description

Estimated

Hours

Hourly

Rate

Estimated Charges

{Enter Service Classification here}

{hours}

{rate}

{charges}

{Enter Service Classification here}

{hours}

{rate}

{charges}

{Estimated Total Hours and Charges

(excluding any applicable taxes. e.g.,

VAT, etc.)}

{hours total}

{fee total}

Travel Expenses

Estimated

Quantity and Cost

{Description}

The estimated Services charges are {Fee total}. Any estimate given by IBM of any charge whether for

planning or any other purpose is only an estimate. As these are estimated amounts, actual fees may differ.

If the customer WILL NOT require purchase orders for payment UNDER THIS SOW (whether they are a

PO driven OR non-PO driven customer), you must insert the following provision at this point in your SOW,

and delete all other guidance/provisions in this PO guidance block:

● “Notwithstanding the terms of DIR Contract Number DIR-TSO-3996, this SOW, or our prior

practice, payment is not contingent upon issuance of a Purchase Order”

If the customer WILL require purchase orders for payment UNDER THIS SOW (whether they are a PO

driven OR non-PO driven customer), you must insert the following provision at this point in your SOW, and

delete all other guidance/provisions in this PO block:

● “Purchase orders will be provided to IBM for charges as described in this Charges Section {2.8},

and are due prior to the performance of the Services. In the event that purchase orders are not received

in a timely manner, IBM may 1) suspend the provision of Services, and 2) terminate this SOW for

convenience. In the event of such termination, Customer agrees to pay IBM the amounts specified in

Section {2.9.1} Termination”

Appendix J Statement of Work Template Page 9 of 16

IBM will invoice Customer monthly for actual Services hours worked (whether above or below the

estimated hours), applicable taxes, travel and living expenses, and other reasonable expenses incurred in

connection with the Services.

For Customers outside the state of Texas, Customer shall reimburse IBM for any increased tax and

compliance costs incurred by IBM personnel or by IBM on account of IBM personnel performing services

in a country or state other than the one in which they are based.

FIXED PRICE CONTRACTS

The Services will be conducted on a fixed price basis. The fixed price for performing the Services defined

in the SOW will be {Fee total}. This fixed price is exclusive of any travel and living expenses, other

reasonable expenses incurred in connection with the Services, and any applicable taxes.

Customer will be billed actual travel and living costs subject to and in accordance with the State of Texas

Comptroller Travel Guide.

● “Notwithstanding the terms of DIR Contract Number DIR-TSO-3996, this SOW, or our prior practice,

payment is not contingent upon issuance of a Purchase Order”

If the customer WILL require purchase orders for payment UNDER THIS SOW (whether they are a PO

driven OR non-PO driven customer), you must insert the following provision at this point in your SOW, and

delete all other guidance/language in this PO block:

● “Purchase orders will be provided to IBM for charges as described in this Charges Section {2.8}, and are

due prior to the performance of the Services. In the event that purchase orders are not received in a timely

manner, IBM may 1) suspend the provision of Services, and 2) terminate this SOW for convenience. In the

event of such termination, Customer agrees to pay IBM the amounts specified in Section {2.9.1}

Termination”

IBM will invoice Customer for the Services performed {‘in equal monthly amounts over the period of

performance specified in the Estimated Schedule’; OR ‘on a milestone basis as set forth in the Payment

Schedule in the Charges section’; etc.}, plus applicable taxes. IBM will invoice monthly for travel and living

expenses, and other reasonable expenses incurred in connection with the Services.

Customer shall reimburse IBM for any increased tax and compliance costs incurred by IBM personnel or

by IBM on account of IBM personnel performing services in a country or state other than the one in which

they are based.

12. Additional Terms and Conditions

Termination

Customer may terminate this Statement of Work by giving IBM not less than {30} days written notice. IBM

and Customer will mutually agree to the work to be performed within the 30-day notice period. Upon

termination, subject to such agreement, Customer will pay the following amounts to IBM 1) the charges for

Services IBM provides and Products IBM delivers through termination, and all completed deliverables IBM

has prepared and delivered through termination, {2) any holdbacks retained by Customer for completed

and delivered deliverables and {3)} all costs and expenses IBM incurs through, but only to the extent that

such costs and expenses have been (a) itemized, as agreed by IBM and Customer in the 30-day notice,

and (b) duly documented by IBM to Customer as having been actually incurred.

Appendix J Statement of Work Template Page 10 of 16

If the IBM workforce (IBM employees and contractors) will use, access, process and/or transfer

Customer data (e.g., Personal Information (PI), Sensitive Personal Information (SPI), and/or

Business Sensitive Information (BSI)) as part of the Services, the SOW MUST INCLUDE the

following:

Information Security

{Parties to discuss applicable security requirements.}

Customer-Directed Suppliers

If Customer explicitly requests that IBM use {Supplier Name} as a subcontractor for or supplier of {Names

of Products or Services being provided}, as further described in this SOW, IBM will use such subcontractor

or supplier contingent upon successful negotiations and execution of an acceptable procurement

agreement, including pricing, with such subcontractor or supplier. Additionally, the use of such

subcontractor or supplier will be subject to the Project Change Control Procedure, if such use could impact

the project scope, schedule, cost, resources, or other terms of this SOW. IBM will have no obligation to

perform an independent assessment, nor makes any representation as to the qualifications or charging

practices of such subcontractor or supplier.

IBM Intellectual Capital

IBM will be using preexisting IBM proprietary tools, {tool a, tool b}, (“IBM Tool(s)”) during the Services to

perform the IBM responsibilities. These IBM Tools and associated documentation: 1) are not provided to

Customer under the terms of this SOW, 2) are not needed for Customer to receive the benefit of the

Services described in this SOW, and 3) remain the property of IBM.

IBM Third Party Resources

IBM will be using preexisting third party resources, {resource a, resource b}, (“Third Party Resource(s)”)

during the Services to perform the IBM responsibilities. These Third Party Resources and associated

documentation: 1) are not provided to Customer under the terms of this SOW, 2) are not needed for

Customer to receive the benefit of the Services described in this SOW, and 3) remain the property of the

third party.

Customer Obligations to Back Up Data

Customer will be responsible for data backups as described below.

Location of Customer Data

All Customer data will remain always and only within the continental United States, except as expressly

stated herein.

The data set(s) or type(s) listed below may be sent to the countrie(s) named or described below, limited to

only such countrie(s) as are expressly associated with the specific data set(s) or type(s).

13. Acceptance

{Parties should discuss the process and criteria for acceptance of the deliverables.}

14. Confidentiality

{Parties should discuss (1) return or destruction of confidential information; (2) time period of confidentiality;

(3) identification of confidential information disclosed.}

Appendix J Statement of Work Template Page 11 of 16

DIR Contract number DIR-TSO-3996, its Appendices and this SOW are the complete agreement regarding

Services, and supersede any course of dealing, discussions, or representations between Customer and IBM.

Each party accepts the terms of this SOW by signing this SOW by hand or, where recognized by law, electronically.

Any reproduction of this SOW made by reliable means is considered an original. If there is a conflict between the

terms of this SOW and DIR Contract number DIR-TSO-3996, DIR Contract number DIR-TSO-3996 will govern.

IBM agrees to provide the Services provided Customer accepts this SOW, without modification, by signing in the

space provided below on or before {insert date}.

Agreed to:

{Customer Legal Name}

Agreed to:

International Business Machines Corporation

By______________________________________

Authorized signature

By______________________________________

Authorized signature

Title:

Name (type or print):

Date:

Customer number:

Referenced Agreement name:

Agreement number:

Project Name: {Project Name}

SOW number:

Estimated Start Date: {mm/dd/yyyy}

Estimated End Date: {mm/dd/yyyy}

Confidentiality Agreement name:

Confidentiality Agreement number:

Customer address:

IBM address:

Once signed, please return a copy of this document to the IBM address shown above.

Appendix J Statement of Work Template Page 12 of 16

Exhibit A: Deliverable Guidelines

A - 1: {Acceptance Test Plan}

Purpose:

{The purpose of the Acceptance Test Plan is to establish and gain commitment on the objectives, criteria,

and scope of acceptance testing}

Content:

{This document, estimated to be up to {nn} pages in length, will consist of the following, as appropriate:}

a. {Test objectives}

b. {Functions/Features to be tested}

c. {Work items}

d. {Acceptance Test entry and exit criteria}

e. {Testing tools and techniques}

f. {Estimated testing schedule}

g. {Test environment requirements}

h. {Testing risks and contingencies}

i. {Test specifications, test scenarios, test matrices, test conditions, test cases, test data, test scripts}

Delivery:

{IBM will deliver one copy of this document in {hardcopy} format.}

A - 2: {Deliverable Name}

Purpose:

{This report will __________}

Content:

{The report, estimated to be up to {nn} pages in length, will generally consist of the following, as

appropriate:}

a. {x}

b. {y}

c. {z}

Delivery:

{IBM will deliver one copy of this document in {hardcopy} format}

Appendix J Statement of Work Template Page 13 of 16

Exhibit B: Project Procedures

A - 3: Project Change Control Procedure

A Project Change Request (“PCR”) is used to document a change and the effect the change will have on

the Services. Both Project Managers will review the PCR, agree, in writing, to implement it, recommend it

for further investigation, or reject it. IBM will specify any charges for such investigation.

A - 4: Deliverable Acceptance Procedure

a. Within five (5) business days of receipt, the Customer Project Manager will either accept the

deliverable or provide IBM with a written list of requested revisions; otherwise the deliverable will be

deemed accepted.

b. The revisions recommended by Customer and agreed to by IBM will be made and the deliverable will

be resubmitted and deemed accepted.

c. The Customer recommended by and not agreed to by IBM will be managed through the Project

Change Control Procedure.

A - 5: Escalation Procedure

Customer and IBM will meet to resolve issues relating to the Services:

a. If an issue is not resolved within three (3) business days, Customer’s executive sponsor will meet with

IBM management to resolve the issue.

b. If the issue is resolved, the resolution will be addressed through the Project Change Control

Procedure.

c. While an issue is being resolved, IBM will provide Services relating to items not in dispute, to the

extent practicable pending resolution. Customer agrees to pay invoices per this SOW.

Appendix J Statement of Work Template Page 14 of 16

Exhibit C: Information Security Table of Roles and Responsibilities

If the IBM workforce (IBM employees and contractors) will use, access, process and/or transfer Customer

data (e.g., Personal Information (PI), Sensitive Personal Information (SPI), and/or Business Sensitive

Information (BSI)) as part of the Services, the SOW MUST INCLUDE this appendix.

IBM and Customer will perform the responsibilities shown below in the Information Security Table of Roles and

Responsibilities.

Control

Area

INFORMATION SECURITY ROLES & RESPONSIBILITIES

IBM

Custo

mer

Security Policy

Determine appropriate information security policy requirements based on business objectives,

assessment of risk, and interpretation of legal, regulatory and contractual obligations

● Validate that the workstation and application security controls meet Customer requirements driven by

security policy and risk acceptance

● Identify security requirements for new applications

● Request exceptions to the base Roles and Responsibilities as defined in this GBS Information Security

Table of Roles and Responsibilities, as needed

Notify IBM if Customer information security requirements change through Project Change Control

Procedure, as defined by the Statement of Work so that parties may assess if and how to implement,

including impact to cost, scope or schedule

Review the Roles and Responsibilities as defined by this GBS Information Security Table of Roles and

Responsibilities periodically but at least every {18} months

Review the Roles and Responsibilities as defined by this GBS Information Security Table of Roles and

Responsibilities with Customer, periodically but at least every {18} months for projects longer than 18

mos.

Provide Customer with this GBS Information Security Table of Roles and Responsibilities which

communicates Customer and IBM responsibilities for Customer’s application development and

maintenance services and the handling of Customer’s data.

Respond to exception or Project Change Requests from Customer and determine if such requests result

in additional or modified Services or changes to information security Roles and Responsibilities, all of

which will be managed through the Project Change Control Procedure as defined by the Statement of

Work

Organization of Information Security

Designate a knowledgeable Customer focal point for information security related activities

Provide contact information for the primary contact and for an authorized secondary contact

Coordinate all information security activities with third parties other than those contracted by IBM

Designate a knowledgeable IBM focal point for information security related activities including:

● Interfacing with the Customer focal point on security requirements

● Implementation of security requirements for which IBM is responsible in accordance with the negotiated

and agreed to Roles and Responsibilities (as defined by this GBS Information Security Table of Roles

and Responsibilities)

Provide contact information for the primary contact and for an authorized secondary contact

Coordinate security activities with third parties contracted by IBM (as defined by this GBS Information

Security Table of Roles and Responsibilities)

Asset Management

Be responsible for its information assets, including software, physical assets, and services

Communicate to IBM any Customer European Economic Area (EEA) origin personal data and provide

IBM with data processing and data security instructions for such data

Identify and communicate to IBM any Customer data designated as confidential, business sensitive

information (BSI), personal information (PI), and sensitive personal information (SPI) that IBM will have

access to.

Provide data for testing that does not contain PI/SPI/BSI

Be responsible for identifying, providing and funding the appropriate information security controls and

communicating relevant requirements to IBM for:

● Data transmitted via public telecommunications facilities or services.

● Transport of confidential information, personal information, sensitive personal information and business

sensitive information (e.g., encryption, transport over secure lines); and

● Storing of confidential information, personal information, sensitive personal information and business

sensitive information (e.g., encryption of data on portable media or other special handling or treatment)

● Printing of Customer information

● Data discard or destruction requirements

Follow approved Project Change Control Procedure (defined in the GBS Statement of Work) for security

related changes

Appendix J Statement of Work Template Page 15 of 16

Handle information identified by the Customer as confidential, business sensitive, personal and sensitive

personal in accordance with the following controls:

● On applications, protect Customer data by access controls as specified under IBM Responsibilities, in

Area 6, ‘Access Control’

● Store portable storage media containing Customer data as defined in this GBS Information Security

Roles and Responsibilities Table or some other specifically named document.

● When information is printed at IBM locations, keep printed information identified by Customer as

confidential, business sensitive, personal and sensitive personal in a locked container or physically

controlled area

Human Resources Security

Address information security in the hiring, termination and personnel management processes for

Customer personnel

Provide security awareness training to Customer personnel and other network or system users authorized

by Customer

Identify and provide to IBM any Customer-specific personnel requirements such as background checks or

others applicable by law

Identify and provide to IBM any Customer-specific security training required for IBM personnel

Take appropriate management action if there is a misuse of authority by any Customer personnel

Address Customer security requirements in joining and leaving the project, and in personnel management

processes for IBM personnel

Provide the current IBM security education package to IBM personnel joining the project

Address agreed-to personnel requirements as described in this SOW

Take appropriate management action if there is a misuse of an IBM employee’s granted authorizations.

Physical and Environmental Security

Secure work areas and restrict access from general public at Customer sites where IBM personnel will

work

Identify and provide to IBM any Customer-specific information security requirements for printing, storing

and transmitting Customer information

Define where IBM personnel will work:

● IBM locations or Customer sites

● Define remote or work at home options

Supply and manage secure workstation image(s) including anti-virus software, firewall protection, and

whole-disk encryption for workstations provided by Customer to IBM personnel

Respond to virus attacks and initiate corrective action on workstations provided by Customer to IBM

personnel

Define requirements for return of assets and removal of access rights to Customer physical assets upon

IBM personnel termination or change of employment

Provide and manage physical security of IBM owned workstations

Perform workplace security inspections of IBM personnel at IBM sites and Customer sites (related to

execution of this SOW) where IBM personnel will work from

Provide security for work areas and restrict access from general public at IBM sites

Supply and install IBM anti-virus software and upgrades for IBM supplied workstations

Respond to virus attacks and initiate corrective action on IBM supplied workstations

Install whole-disk encryption on IBM-supplied workstations

Access Control

Authorize, administer and manage user IDs and passwords for Customer managed applications, systems

and subsystems

Provide unique login IDs and passwords to IBM personnel for Customer managed applications, systems

and subsystems

Define access control requirements and process and administer logical access for network infrastructure

systems and devices under Customer management

Define access control requirements for Customer applications, databases and other Customer software

on systems across all environments (development, test, production)

Define what constitutes privileged access and access control requirements for users with privileged

access to Customer applications, databases and other Customer software on systems across all

environments (development, test, production)

Administer revocation of access for Customer managed applications, systems and subsystems as

appropriate, based on validation activities and when requested by IBM

Define revocation requirements for Customer applications, databases and other Customer software on

systems across all environments (development, test, production)

Be responsible for revalidating the employment status and business need for access to Customer

applications and systems for Customer personnel

Be responsible for revalidating the business need for IBM personnel access to Customer managed

applications, systems and subsystems, periodically but at least every {12} months

Appendix J Statement of Work Template Page 16 of 16

Be responsible for implementing access changes to Customer managed applications, systems and

subsystems based on input from IBM employment validation activities for IBM personnel

Revalidate the list of privileges associated with User ID’s assigned to IBM personnel with access to

Customer managed applications, systems and subsystems, periodically but at least every {12} months,

Revalidate shared ID’s assigned to IBM with access to Customer applications, databases and other

Customer software on systems across all environments (development, test, production), periodically but at

least every {12} months

Validate User ID baseline inventory and share results of updates made to User IDs used by IBM staff

● Retain evidence of completion for two revalidation cycles

Define data protection technique requirements to be used to access Customer applications, databases

and other Customer software on systems across all environments (development, test, production), such

as data masking and encryption, and supply tools to meet requirements

Define requirements for secure disposal of Customer information from workstations or storage media

Define criteria for IBM personnel termination of access rights to Customer’s logical assets upon conclusion

of assignment or change of employment

Log and monitor activities of IBM privileged users with access to Customer managed applications and

systems; provide the monitoring results to IBM

Provide initial (one time) acknowledgement for shared ID’s that will be used by IBM personnel

Submit request to revoke access to Customer systems, applications, databases and other Customer

software when IBM personnel no longer require access

Respond to revalidation of employment status, business need and access privileges to Customer

systems, applications, databases, other Customer software assigned to IBM personnel

● Retain evidence of completion for two revalidation cycles

● Submit or notify Customer of access changes needed as a result of revalidation activities

Respond to revalidation of shared ID’s to Customer systems, applications, databases, other Customer

software assigned to IBM personnel Retain evidence of completion for two revalidation cycles

Submit or notify of access changes needed as a result of revalidation activities

Where IBM has the ability to establish password configuration settings on Customer applications, verify

that passwords for IBM personnel working on Customer applications conform to the IBM standards unless

Customer requirements are more stringent, at the discretion of IBM

Perform a baseline inventory of User ID’s to Customer systems, applications, databases, other Customer

software assigned to IBM personnel and communicate User ID baseline inventory to Customer for

validation

Adhere to Customer data protection technique requirements using tools provided by Customer

Provide follow-up for issues identified via monitoring of IBM privileged User IDs when alerted by Customer

Dispose Customer data in all forms within IBM's control based on Customer's classification and direction.

If Customer has not provided any data disposal direction, then data will be disposed of in a manner

consistent with IBM internal practices for IBM confidential information

Information Security Incident Management

Provide a 24/7 contact plan for reporting security incidents

● Inform IBM of any application and information security incidents involving IBM personnel

● Provide a Customer security incident coordinator

● Make decisions on actions to resolve security incidents involving Customer network, systems,

personnel or data, including, if appropriate, collection of evidence

● Interface, as needed, with external entities such as law enforcement, legal or regulatory agencies

Assist Customer in initial security incident evaluation for security incidents involving IBM personnel that

are reported by Customer as part of security incident management

Compliance

Identify and interpret legal, regulatory or contractual security requirements that are applicable to its

business and inform IBM of any additional or changed requirements (for example data export or transfer

restrictions and privacy laws)

Review periodic security reporting provided by IBM

Provide support for application assessments including Customer audit activities, issue management

services and closure of issues after audit (Closure of issues impacting cost, schedule, quality may require

that the Project Change Control Procedure be followed)

Provide periodic, basic security reporting as defined by IBM

Separation of Duties

Perform application separation of duties analysis and conflict resolution

Implement change management on separation of duties analysis

Perform annual review of separation of duties analysis

Authorize code promotions, data changes and database changes to production

Inform Customer of any role, responsibility, or access changes of IBM personnel