PURCHASE AGREEMENT FOR CYBER SECURITY SERVICES

This PURCHASE AGREEMENT (Agreement) by and between the Center for Internet Security, Inc. ("CIS"), located at 31 Tech Valley Drive, East Greenbush, NY 12061-4134, and Eagle County, CO ("Customer") with its principal place of business at: P.O. Box 850, 500 Broadway, Eagle, CO 81631-0850 for Cyber Security Services, as defined herein below (CIS and Customer collectively referred to as the "Parties").

WITNESSETH:

WHEREAS, CIS, through its Multi-State Information Sharing and Analysis Center (MS-ISAC) has been recognized by the United States Department of Homeland Security as the governmental ISAC and as a key Cyber Security resource for all fifty states, local governments, tribal nations and United States territories ("SLTTs"); and

WHEREAS, CIS operates a twenty-four hours a day, seven days per week (24/7) Security Operations Center (SOC), as further described herein; and

WHEREAS, CIS offers certain fee-based Cyber Security Services (as defined herein) to SLTTs and Customer desires to procure such Cyber Security Services, subject to the terms and conditions set forth herein.

NOW, THEREFORE, in consideration of the mutual covenants contained herein, the Parties do hereby agree as follows:

I. Definitions

A. Security Operation Center (SOC) - 24 X 7 X 365 watch and warning center that provides network monitoring, dissemination of cyber threat warnings and vulnerability identification and mitigation recommendations.

B. Cyber Security Services. Cyber Security Services consist of the following services, plus any additional services as CIS may add in the future:

1. Device Monitoring Services: Device Monitoring Services comprises the following, each of which may be selected separately:
a. Managed Security Services (MSS): monitoring and/or management of security devices, with security event analysis and notification.
b. Netflow/IDS Monitoring and Analysis: combined Netflow and intrusion detection system monitoring, with analysis of related data; event notification and delivery; and management of associated devices, including software necessary for service delivery. Also referred to as Albert monitoring services.
2. Vulnerability Assessment Services: services to identify, prioritize and report critical vulnerabilities with network and web application assessments.
3. Cyber Security Consulting Services: customized cyber security services, including without limitation, penetration testing, phishing exercises and review and development of cyber security policies.

II. Selection of Cyber Security Services

A. Subject to the terms and conditions contained herein, CIS hereby agrees to supply Customer with the Cyber Security Services as requested during the term of this Agreement. Initially, CIS shall provide Customer with the Cyber Security Services specified in Appendix A ("Initial Cyber Security Services"). Additional Cyber Security Services may be ordered by Customer during the Term of this Agreement by submitting a Letter Order to CIS in the form attached to Appendix A; such purchases are also subject to the terms and conditions contained in Appendices B and C, described below, to extent applicable. The start date of subsequent orders for Cyber Security Services will be dependent upon CIS receiving sufficient information to begin services. Letter Order should be sent to:

Center for Internet Security, Inc.
31 Tech Valley Drive
East Greenbush, NY 12061-4134
Attn: Partner Services
or email to: mark.perry@cisecurity.org

B. At any time during the Term of this Agreement, CIS may offer new Cyber Security Services or cancel a Cyber Security Services offering; cancellations will be subject to the notice requirements set forth in Section V herein.

C. CIS also offers Cyber Security Consulting Services. Because these services are customized to meet Customer's particular needs, such services may be subject to specific terms and conditions, which can be done through a Letter Order and accompanying Statement of Work.

III. Consideration, Payment Terms

A. Consideration. As consideration for the Initial Cyber Security Services requested by Customer, Customer hereby agrees to pay to CIS the costs for such cyber security services as specified in Appendix A.

B. Pricing for Additional Cyber Security Services. Pricing for any additional Cyber Security Services will be provided by CIS to Customer at the time of the request.

C. Pricing for Subsequent Terms. At least ninety (90) days prior to the end of any Term of this Agreement, CIS shall provide Customer with updated pricing for Cyber Security Services to apply for the subsequent Term. Unless Customer terminates the Agreement in accordance with the provision of Section V(A) of this Agreement, the parties agree that Appendix A will be amended to incorporate the updated pricing for the subsequent Term.

D. Payment Terms. CIS shall invoice Customer monthly for Cyber Security Services, unless Customer has selected a service that is provided less frequently than monthly, in which case, CIS will invoice Customer based on the frequency of the service provided. Unless otherwise agreed to by the Parties in writing, Customer shall pay CIS within 30 days of receipt of invoice.

IV. Additional Terms and Conditions

A. Device Monitoring Services. Appendix B, which is attached hereto and incorporated herein, contains additional terms and conditions applicable to the purchase and implementation of Device Monitoring Services. In the event that Customer purchases Device Monitoring Services at any time during the Term of this Agreement, Customer acknowledges that purchase and acceptance of Device Monitoring Services is subject to the terms and conditions of Appendix B.

B. Vulnerability Assessment Services. Appendix C, which is attached hereto and incorporated herein, contains additional terms and conditions applicable to the purchase and implementation of Vulnerability Assessment Services. In the event that Customer purchases Vulnerability Assessment Services at any time during the Term of this Agreement, Customer acknowledges that purchase and acceptance of Vulnerability Assessment Services is subject to the terms and conditions of Appendix C.

V. Term of this Agreement; Termination

A. Term; Renewal. This Agreement will commence on the date it is signed by both Parties (the "Effective Date"), and shall continue in full force and effect for a period of twelve (12) months from the Effective Date (the "Term"), unless otherwise earlier terminated pursuant to the terms of this Section V. The Agreement will automatically renew for an additional term(s) of one year unless either party provides the other party with written notice of its intent not to renew at least sixty (60) days prior to the end of the Term.

B. Termination. Either party may terminate this Agreement during the Term by providing written notice to the party ninety (90) days prior to termination. Unless otherwise specified in the additional terms and conditions related to the particular Cyber Security Service, either party may terminate a particular Cyber Security Service being provided under this Agreement by providing written notice to the other party sixty (60) days prior to termination of the service.

VI. Title, Limitation of Warranties and Liability

A. Title. CIS will at all times retain title to hardware and/or software provided to Customer during the Term of this Agreement. Upon termination or expiration (including non-renewal) of this Agreement, Customer will return all hardware and/or software provided under this Agreement within thirty (30) days of such expiration or termination. The Customer shall own all right, title and interest in its data that is provided to CIS pursuant to this Agreement. Customer hereby grants CIS a non-exclusive, non-transferable license to access and use such data to the extent necessary to provide Cyber Security Services under this Agreement.

B. LIMITATION OF LIABILITY. CIS DOES NOT ASSUME ANY RESPONSIBILITY OR LIABILITY FOR ANY ACT OR OMISSION OR OTHER PERFORMANCE RELATED TO THE PROVISION OF CYBER SECURITY SERVICES, INCLUDING ANY ACT OR OMISSION BY CONTRACTORS OR SUBCONTRACTORS OF CIS, OR FOR THE ACCURACY OF THE INFORMATION PROVIDED AS PART OF THE SERVICES. THE SERVICES ARE PROVIDED ON AN "AS-IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED.

VII. Confidentiality Obligation

CIS acknowledges that certain confidential or proprietary information may either be provided by Customer to CIS or generated in the performance of the Cyber Security Services, including without limitation: information regarding the infrastructure and security of Customer information systems; assessments and plans that relate specifically and uniquely to the vulnerability of Customer information systems; the results of tests of the security of Customer information systems insofar as those results may reveal specific vulnerabilities; or information otherwise marked as confidential by Customer ("Confidential Information"). The Customer acknowledges that it may receive from CIS trade secrets and confidential and proprietary information ("Confidential Information"). Both Parties agree to hold each other's Confidential Information in confidence to the same extent and the same manner as each party protects its own confidential information, but in no event will less than reasonable care be provided and a party's information will not be released in any identifiable form without the express written permission of such party or as required pursuant to lawfully authorized subpoena or similar compulsive directive or is required to be disclosed by law, provided that the Customer shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. CIS shall, however, be permitted to disclose relevant aspects of such Confidential Information to its officers, employees, CIS's third party Cyber Security Services partners including federal partners provided that they agree to protect the Confidential Information to the same extent as required under this Agreement. The Parties agree to use all reasonable steps to ensure that Confidential Information received under this Agreement is not disclosed in violation of this Section VII. The obligations of the Parties pursuant to this paragraph shall survive the termination of this Agreement. Nothing in this Agreement shall prohibit CIS from using aggregated data of its customers in any format for any purpose, provided that such data cannot be identified to or associated with Customer.

VIII. Force Majeure

Neither Party shall be liable for performance delays or for non-performance due to causes beyond its reasonable control.

IX. No Third Party Rights

Except as otherwise expressly stated herein, nothing in this Agreement shall create or give to third parties any claim or right of action of any nature against Customer or CIS.

X. Assignment

Neither Party may assign their rights and obligations under this Agreement without the prior written approval of the other party, which approval shall not be unreasonably withheld, conditioned or delayed. This Agreement shall be binding upon and inure to the benefits of each Party and their respective successors and assigns.

XI. Notices

A. All notices permitted or required hereunder shall be in writing and shall be transmitted either: via certified or registered United States mail, return receipt requested; by facsimile transmission; by personal delivery; by expedited delivery service; or by email with acknowledgement of receipt of the notice. Such notices shall be addressed as follows or to such different addresses as the Parties may from time-to-time designate:

B.
CIS
Name: Mark Perry
Title: Program Executive
Address: Center for Internet Security, Inc., 31 Tech Valley Drive, East Greenbush, NY 12061-4134
Phone: (518) 266-3476
E-Mail: mark.perry@cisecurity.org

Customer
Name: Jake Klearman
Title: IT Operations Manager
Address: P.O. Box 850, 500 Broadway, Eagle, CO 81631-0850
Phone: (970) 328-35e5
E-Mail: jake.klearman@eaglecounty.us

C. Any such notice shall be deemed to have been given either at the time of personal delivery or, in the case of expedited delivery service or certified or registered United States mail, as of the date of first attempted delivery at the address and in the manner provided herein, or in the case of facsimile transmission or email, upon receipt. The Parties may, from time to time, specify any new or different contact information as their address for purpose of receiving notice under this Agreement by giving fifteen (15) days written notice to the other Party sent in accordance herewith. The Parties agree to mutually designate individuals as their respective representatives for the purposes of receiving notices under this Agreement. Additional individuals may be designated in writing by the Parties for purposes of implementation and administration, resolving issues and problems and/or for dispute resolution.

XII. Governing Law and Jurisdiction

Unless otherwise specifically prohibited by the laws of Customer's jurisdiction, any disputes arising in connection with this Agreement shall be governed and interpreted by the laws of the State of Colorado without regard to its conflict of law provisions. In the event that the laws of Customer's jurisdiction require that the laws of that jurisdiction apply to all contracts entered into by Customer, then the laws of that jurisdiction shall apply.

XIII. Non-Waiver

None of the provisions of this Agreement shall be considered waived by either Party unless such waiver is given in writing by the other party. No such waiver shall be a waiver of any past or future default, breach or modification of any of the terms, provision, conditions or covenants of the Agreement unless expressly set forth in such waiver.

XIV. Entire Agreement; Amendments

This Agreement and the appendices attached hereto constitute the entire understanding and agreement between the Parties with respect to the subject matter hereof and replace and supersede all prior understandings, communications, agreements or arrangements between the parties with respect to this subject matter, whether oral or written. This Agreement may only be amended as agreed to in writing by both Parties.

XV. Partial Invalidity

If any provision of this Agreement be adjudged by a court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.

XVI. TABOR

Notwithstanding anything to the contrary contained in this Agreement, Eagle County shall have no obligations under this Agreement after, nor shall any payments be made to Contractor in respect of any period after December 31 of any year, without an appropriation therefor by Eagle County in accordance with a budget adopted by the Board of County Commissioners in compliance with Article 25, Title 30 of the Colorado Revised Statutes, the Local Government Budget Law (C.R.S. 29-1-101 et seq.) and the TABOR Amendment (Colorado Constitution, Article X, Sec. 20).

The foregoing has been agreed to and accepted by the authorized representatives of each party whose signatures appear below:

CENTER FOR INTERNET SECURITY, INC.
Federal Identification No.
Name:
Title:
Date:

EAGLE COUNTY, CO
Federal Identification No.
Name: Brent McFall
Title: County Manager
Date:

LIST OF APPENDICES

APPENDIX A - Initial Cyber Security Services Order and Form of Letter Order
APPENDIX B - Additional Terms and Conditions for Device Monitoring Services
APPENDIX C - Additional Terms and Conditions for Vulnerability Assessment Services

APPENDIX A
INITIAL CYBER SECURITY SERVICES ORDER

Description of Service | Qty | Monthly Per Device | One Time | 1st Year Total
CIS - Netflow/IDS Monitoring & Analysis Service - Internet Provisioned Connection Size > 10MB - 100MB | 1 | $940 | | $11,280
CIS Netflow/IDS Monitoring & Analysis Service - Sensor Initiation Service One Time Fee | 1 | | $900 | $900
Total | | | | $12,180

FORM OF LETTER ORDER

<YOUR LETTERHEAD>

<Date>

Partner Services
Center for Internet Security, Inc.
31 Tech Valley Drive
East Greenbush, NY 12061-4134

<Insert: Name of Entity> wishes to purchase Cyber Security Services as defined in our Purchase Agreement with the Center for Internet Security, Inc. (CIS). We request that the following services be ordered on our behalf and agree to pay CIS per the payment terms set forth in the Purchase Agreement. The following services are requested:

(Please use the proper template below for the service ordered and remove this note)

For Device Monitoring Services:
SKU | Description of Service | Qty | One Time | Monthly Price | Number of Months | Total
Grand Total

For Vulnerability Assessment Services:
SKU | Description of Service | Qty | Annual Amount | Total
Grand Total

For Cyber Security Consulting Services:
[Please Describe Services Requested]
We request that CIS prepare a statement of work for the above Cyber Security Consulting Services; if additional information is required, please contact me.

Sincerely,
<Entity Procurement Officer>

APPENDIX B
ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO DEVICE MONITORING SERVICES

The following terms and conditions apply to Device Monitoring Services provided by CIS to Customer, as specified in the Initial Cyber Security Services set forth in Appendix A of the Agreement, or as set forth in a subsequent Letter Order provided to CIS by Customer.

I. CIS Responsibilities

CIS will provide the following as part of the Cyber Security Services ("CSS"), as specified below:

A. For all Device Monitoring Services, CIS will provide the following:
1. 24/7 telephone (1-866-787-4722) availability for assistance with events detected by the CSS.
2. Analysis of logs from monitored security devices for attacks and malicious traffic.
3. Analysis of security events.
4. Correlation of security data/logs/events with information from other sources.
5. Notification of security events per the Escalation Procedures provided by Customer.

B. For Netflow/IDS Monitoring and Analysis Services, CIS will provide the following:
1. Batch Queries: CIS will process batch queries of Netflow data upon Customer request, with a limit of 10 queries per month. CIS maintains flow records for a period of six (6) months.

C. For Managed Security Services, CIS will provide Customer with:
1. Secure access to security events.
2. Monthly reports that include a summary of device availability, events and trouble tickets for the previous month and a summary of security incidents and log counts for Customer.

D. For Managed Security Services involving management of security devices:
1. CIS will be responsible for ensuring that all upgrades, patches, configuration changes and signature upgrades are applied to managed devices.
2. CIS will provide the appropriate license and support agreements for the upgrade for devices provided by CIS. The Customer is responsible for maintaining the appropriate license and support agreements for devices owned by the Customer.
3. CIS will be responsible for the correct functioning of managed devices.

II. Customer Responsibilities

A. Customer acknowledges and agrees that CIS's ability to perform the Device Monitoring Services purchased or provided by CIS for the benefit of Customer is subject to Customer fulfilling certain responsibilities listed below. Customer acknowledges and agrees that neither CIS nor any third party provider shall have any responsibility whatsoever to perform or to continue to perform Device Monitoring Services in the event Customer fails to meet its responsibilities described below.

B. For purposes of this Agreement, Customer acknowledges and agrees that only those security devices supported by CIS fall within the scope of this Agreement. Customer will ensure the correct functioning of devices except where Customer selects Managed Security Services in which CIS manages the device(s).

C. Customer shall provide logistic support in the form of rack space, electricity, Internet connectivity, and any other infrastructure necessary to support communications at Customer's expense.

D. Customer shall provide the following to CIS prior to the commencement of Device Monitoring Services and at any time during the Term of the Agreement if the information changes:
1. Current network diagrams to facilitate analysis of security events on the portion(s) of Customer's network being monitored. Network diagrams will need to be revised whenever there is a substantial network change;
2. Reasonable assistance to CIS, including, but not limited to, providing all technical and license information related to the Service(s) reasonably requested by CIS, to enable CIS to perform the Service(s) for the benefit of Customer;
3. Supply onsite hardware, virtual machines or software that is necessary in providing Device Monitoring Services. Customer also agrees onsite hardware, virtual machines and software will meet specifications set forth by CIS and/or its third party providers.
4. Maintenance of all required hardware, virtual machines, or software necessary for the log collection platform located at Customer's site, and enabling access to such hardware, virtual machines, or software as necessary for CIS to provide services;
5. Public and Private IP address ranges including a list of servers being monitored including the type, operating system and configuration information;
6. Completed Pre-Installation Questionnaires (PIQ). The PIQ will need to be revised whenever there is a change that would affect CIS's ability to provide the Cyber Device Monitoring Services;
7. A completed Escalation Procedure Form including the name, e-mail address and 24/7 contact information for all designated Points of Contact (POC).
8. The name, email address, and landline, mobile, and pager numbers for all shipping, installation and security points of contact.

E. During the Term of this Agreement, Customer shall provide the following with respect to any Device Monitoring Services:
1. Written notification to CIS SOC (soc@cisecurity.org) at least thirty (30) days in advance of changes in hardware or network configuration affecting CIS's ability to provide Cyber Device Monitoring Services;
2. Written notification to CIS SOC (soc@cisecurity.org) at least twelve (12) hours in advance of any scheduled downtime or other network and system administration scheduled tasks that would affect CIS's ability to provide the service;
3. A revised Escalation Procedure Form must be submitted when there is a change in status for any POC;
4. Sole responsibility for maintaining current maintenance and technical support contracts with Customer's software and hardware vendors for any device subject to Device Monitoring Services that has not been supplied by CIS;
5. Active involvement with CIS SOC to resolve any tickets requiring Customer input or action; and
6. Reasonable assistance in remotely installing and troubleshooting devices including hardware and communications.

F. For all Managed Security Services, Customer shall ensure that any replacement devices to receive MSS during the Term of the Agreement will conform to the requirements stated in the Supported Product List ("SPL"), available on the portal. The SPL describes the supported devices that may receive services.

G. For Managed Security Services in which CIS is managing Customer's device(s), Customer shall provide to CIS:
1. In-band access via a secure Internet channel to manage the device(s).
2. Outbound access via a secure Internet channel for log transmission.
3. A permanent, dedicated analog telephone line and space to support the Out-of-Band (OOB) Management Solution, if CIS provides an OOB Management Solution to the Customer. Customer is responsible for the expense and for maintaining the functionality of this dedicated line. The OOB device is supplied by CIS.

H. For Managed Security Services in which CIS is monitoring Customer's device(s), Customer shall:
1. Install all patches, updates and upgrades to security device(s) and operating system(s), as applicable, but prior to the upgrade, Customer will ensure that the security device version/release levels are supported by CIS.
2. Provide outbound access to CIS via a secure Internet channel to transmit device logs to CIS.

III. Additional Terms and Conditions from Third Party Provider Applicable to Managed Security Services

A. Customer acknowledges and agrees that as part of providing Managed Security Services, CIS has contracted with the third party provider, Symantec. Customer further acknowledges and agrees that in return for receipt of Managed Security Services, it agrees to the following terms and conditions as an end user of Symantec services under this Agreement ("End User"):

1. Information about End Users. When providing to End User through this Agreement, Symantec may become aware of information such as business contact names, business telephone numbers, and business e-mail addresses. End User acknowledges that Symantec is a global organization, and such information may be accessible on a global basis by Symantec affiliates, by Symantec partners and subcontractors.

2. Confidentiality. As an End User of Symantec services, the Entity may receive or obtain knowledge of Symantec trade secrets and confidential and proprietary information ("Confidential Information"), which shall include, but not be limited to information related to the Authorized Services, software (both object and source code), Symantec software or hardware products ("Product"), documentation, customer information, business data, techniques, intellectual property, technology, ideas, documentation, know-how, methodologies and processes and any materials or documentation related thereto, including any financial data or pricing. All Confidential Information shall remain the sole property of Symantec and the Entity, its employees and agents shall have no interest in or right to such Confidential Information. Entity agrees that all Confidential Information of Symantec will be held in confidence and protected from unauthorized use, access, or disclosure in the same manner as Entity protects its own Confidential Information, and with no less than reasonable care. Entity will not use any Confidential Information for any purpose other than in connection with the services provided by CIS and/or Symantec under this Agreement without the express written consent of Symantec, and will disclose the Confidential Information of Symantec only to those employees who have a need to know such Confidential Information, and who are under a duty of confidentiality no less restrictive than the Entity's duty hereunder. The provisions of this section shall not apply to any information or materials: (i) which are in or enter the public domain at the time of disclosure to the Entity; (ii) which was legally in the possession of, or known by, the Entity prior to obtaining it in connection with services provided under this Agreement; (iii) which are rightfully disclosed to the Entity by another person not in violation of the proprietary or other rights of Symantec or any other person or entity; (iv) which are independently developed by the Entity, or (v) is required to be disclosed by law, provided that the Entity shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. The terms and conditions of this section shall survive the expiration and any termination of this Agreement.

3. Intellectual Property Rights. Symantec and its licensors and vendors retain all title, copyright, and other proprietary rights in the Authorized Services, and any improvements, enhancements, modifications, and derivative works thereof, including without limitation all patent, copyright, trade secret and trademark rights. Entity's rights to use the Authorized Services shall be limited to those expressly granted in the Agreement with CIS.

4. Warranties. Symantec's sole warranties related to the services provided in connection with this Agreement as a third party provider to CIS are as follows. The services will be performed in a good and workmanlike manner and in accordance with generally accepted industry standards. To the maximum extent permitted by applicable law Symantec expressly disclaims all other warranties, including any implied warranties of satisfactory quality, merchantability, fitness for a particular purpose, and statutory or other warranties of non-infringement of intellectual property rights with respect to the activities contemplated in Entity's agreement with CIS. Symantec does not warrant that the services shall meet Entity's requirements or that use of the services shall be uninterrupted or error free.

5. Limitation of Liability. To the maximum extent permitted by applicable law and regardless of whether any remedy set forth herein fails its essential purpose, in no event shall Symantec or its suppliers or vendors be liable to CIS, end user (Entity), or any other third party, whether in contract, tort or otherwise for: (i) costs of procurement of substitute or replacement goods or services, lost business profits or revenue or lost or corrupted data, loss of production, loss of contracts, loss of goodwill, or anticipated savings or wasted management and staff time; or (ii) any incidental, indirect, special or consequential damages, losses, expenses or costs of any kind; even if advised of the possibility and whether arising directly or indirectly out of the Agreement or use of the authorized services or the performance, defective performance, non-performance or delayed performance by Symantec of any of its obligations under or in connection with the Agreement.

APPENDIX C
ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO VULNERABILITY ASSESSMENT SERVICES

The following terms and conditions apply to vulnerability assessment services (the "Vulnerability Services") provided by CIS to Customer, as specified in the Initial Cyber Security Services set forth in Appendix A of the Agreement, or as set forth in a subsequent Letter Order provided to CIS by Customer.

I. CIS Responsibilities.

A. CIS will provide the Vulnerability Assessment Services specified in the Agreement or subsequent Letter Order.

B. CIS will schedule scans of Customer's systems in the portal operated by a third party provider in accordance with the number and frequency of assessments specified in the Letter Order.

C. CIS will provide Customer with reports following each vulnerability scan as specified in the Letter Order that includes the number and type of vulnerabilities ranked in order of severity, and will provide recommendations for mitigation of vulnerabilities.

D. For web application scans, due to likelihood of false positives being included in the initial third party assessment, CIS conducts a manual analysis of identified vulnerabilities and provides a subsequent report on its analysis and recommendations for mitigation. For the most serious vulnerabilities, CIS will open a ticket on the matter and will review subsequent scans to determine whether the vulnerability is still present and will work with Customer to effect mitigation measures.

II. Customer Obligations.

A. Network IPs and Domain Information
1. In order to perform the Services, Customer will provide CIS with either a list of live IPs used by Customer, if known, or the entire network range of public IPs used by Customer in assessment(s). Customer will also provide CIS with a list of what domains it owns or uses and if known, its subdomains.
2. If Customer is using a third party provider to host its domain(s), Customer shall obtain the approval of that third party provider for CIS to conduct scans as part of the Vulnerability Services prior to CIS commencing the Vulnerability Services.
3. If the Vulnerability Services are being provided in response to a particular incident, Customer shall supply CIS with the particular IP or domain affected.

B. Customer acknowledges that CIS utilizes a third party provider to assist with the network and web application assessments and consents to use of such third party by CIS in performing the Vulnerability Services.

C. In addition to the scheduled scans analyzed by CIS as part of the Vulnerability Services, Customer will be given access to the third party's portal and may run unlimited additional scans on its own during the term of the Services. The third party provider will provide a limited scan report, which does not include the level of analysis and prioritization of vulnerabilities provided by CIS in its reports to Customer, and CIS makes no representation as to the accuracy and suitability of such third party reports.

III. Payment Terms

Unless otherwise specified in the Agreement or Letter Order, CIS shall bill Customer for the Services on a per scan basis, in arrears, at the frequency and amount specified in the Agreement or subsequent Letter Order.

IV. Additional Terms and Conditions From Third Party Provider

A. Customer acknowledges that part of the Vulnerability Services includes provision of a web-based security assessment and policy compliance suite of services provided by Qualys, Inc. ("Qualys"), designed to identify and analyze the security level and vulnerabilities of Internet connections and computer networks (the "Qualys Service"), along with related hardware products offered for use with the Qualys Service, including the Qualys Intranet scanner appliance (the "Hardware").

B. Ownership
1. Qualys will at all times retain title to the Hardware. Upon termination or expiration of this Agreement, Customer will return all Hardware to CIS within thirty (30) days of such expiration or termination, in substantially the same condition in which it was delivered.
2. Qualys retains all ownership and intellectual property rights to the design and function of the Hardware, the Qualys Service and the reports generated pursuant to the Qualys Service (the "Reports"), other than the specific factual data gathered from Customer's network IP addresses.
3. Customer acknowledges that the Hardware, Qualys Service, the software that provides the Qualys Service and its structure, organization, and source code constitute valuable trade secrets of Qualys and Customer agrees not to: transfer possession of the Hardware to any third party other than CIS; reverse engineer, decompile, disassemble or otherwise attempt to derive the source code of the software that is embedded in the Hardware or that provides the Qualys Service; or use the Hardware or Qualys Service, or any data or information contained therein, except for the purpose of vulnerability management with regard to Customer's IP addresses.

C. Customer acknowledges and agrees that Qualys is an intended third party beneficiary to this Agreement and as such may assert any applicable rights set forth herein as may be necessary to protect its intellectual property or other confidential or proprietary material.

D. Customer shall keep confidential its username and password for access to the QualysGuard Enterprise Suite.

E. If requested as part of the Vulnerability Services, Qualys will provide customized reports designed to evaluate Customer's compliance with the criteria of the PCI Security Standards Council (the "Card Program"). Customer acknowledges and agrees that third party payment card organizations, and not Qualys, establish the security criteria and other terms and conditions of the Card Program.

F. Confidentiality. During the term of this Agreement, either Customer or Qualys (the "Disclosing Party") may disclose to the other party (the "Receiving Party") certain information, which the Disclosing Party considers proprietary or confidential.
"ConIidential Information" means analytical information provided in reports and any other confidential information or either party, including software, source code, software tools, trade secrets, 1-tl know-how, inventions, processes, schematics, software source documents, query fields, testing criteria, user names, passwords and financial information and any other confidential information of the parties. Confidential Information shall not include information that is already in the public domain through no fault of the Receiving part5r, or was already known to the Receiving Party through no breach of a confidentiality obligation to the Disclosing Party. Without limitation of the foregoing: (1) all data and information contained within the Qualys Service or the Reports (other than the individual factual data gathered from Customer's network IP addresses), and all information concerning or materially relating to the Hardware, are Confidential Information of Qualys; anil(2) all data regarding Customer's IP addresses or network characteristics (including data that Qualysobtains as a result of its provision of the Service hereunder), is Conlidential Information of Customer. The Receiving Party will not use any Confidential Information of the Disclosing Part5r for any purpose not exirressly permitted by the Agreement, and will disclosure the Confidential Information of the Disclosing Party only to those employees under a duty of confidentiality no less restrictive than the Receiving Party's duty hereunder or is required to be disclosed by law, provided that the Receiving Party shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. 
The Receiving party will protect the Disclosing Part5r's Confidential Information from unauthorized tlse, access, or disclosure in the same inanner as the Receiving party protects its own confidential information of a similar nature, and with no less than reasonable care. Each party will return all Confidential Information to the other part5r after the other party requests that it be returned, or after this Agreement expires or is terminated. Nothing in this Appendix C or the Agreement shall prohibit Qualys from using aggregated data of its customers in any format for any purpose, provided that such data cannot be identified to or associated with Customer. G. LIMITATION OF LIABILITY. IN NO EVENT WILL QUALYS BE LIABLE TO CUSTOMER FOR ANY LOST PROFITS, LOSS OR CORRUPTION OF DATA, EQUIPMENT OR NETWORK DOWNTIME, OR FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, EXEMPLARY, OR INCIDENTAL DAMAGES, WHETHER IN CONTRACT, TORT, OR OTHtrRWISE, ARISING FROM OR RELATING TO THIS AGREEMENT OR THE USE OF THE HARDWARE, QUALYS SERVICE OR REPORTS, EVEN IF QUALYS HAS BEEN ADVISED OF THE POSSIBILITY OR SUCH DAMAGES. l8