1. | Background, Goals and Objectives | 1 | ||||||
1.1 | Background, Goals and Objectives | 1 | ||||||
1.2 | Construction | 2 | ||||||
2. | Definitions | 2 | ||||||
2.1 | Certain Definitions | 2 | ||||||
2.2 | Inclusion of Affiliates in Definition of ACI and Vendor | 2 | ||||||
2.3 | Other Defined Terms | 2 | ||||||
3. | Services | 3 | ||||||
3.1 | General | 3 | ||||||
3.2 | Implied Services | 3 | ||||||
3.3 | Services Evolution | 4 | ||||||
3.4 | Services Variable in Scope and Volume | 5 | ||||||
3.5 | Work Prioritization | 5 | ||||||
3.6 | Services Performed by ACI or Third Parties | 5 | ||||||
3.7 | Existing Equipment and Vendor Supported Software | 6 | ||||||
3.8 | Transition | 6 | ||||||
3.9 | ACI IT Standards | 6 | ||||||
3.10 | End Users of the Services | 7 | ||||||
3.11 | Projects | 7 | ||||||
3.12 | Protection of ACI Information | 8 | ||||||
3.13 | Relocation of the Services | 8 | ||||||
3.14 | Acquisitions and Divestitures | 8 | ||||||
3.15 | ACI Retained Systems and Processes | 9 | ||||||
3.16 | Knowledge Sharing | 9 | ||||||
4. | Term of Agreement | 10 | ||||||
4.1 | Term | 10 | ||||||
4.2 | Extension of Term | 10 | ||||||
5. | Personnel | 10 | ||||||
Master Services Agreement
Page i
5.1 | Key Vendor Positions | 10 | ||||||
5.2 | Transitioned Personnel | 12 | ||||||
5.3 | Qualifications, Retention and Removal of Vendor Personnel | 13 | ||||||
6. | Responsibility for resources | 14 | ||||||
6.1 | Generally | 14 | ||||||
6.2 | Intentionally left blank | 14 | ||||||
6.3 | Financial Responsibility for Equipment | 14 | ||||||
6.4 | Equipment Access and Operational and Administrative Responsibility | 14 | ||||||
6.5 | Financial Responsibility for Software | 15 | ||||||
6.6 | Third Party Contracts | 16 | ||||||
6.7 | Required Consents | 16 | ||||||
6.8 | Straddle Agreements | 16 | ||||||
7. | Software and Proprietary Rights | 16 | ||||||
7.1 | ACI Software | 16 | ||||||
7.2 | Vendor Software | 17 | ||||||
7.3 | ISV Software | 18 | ||||||
7.4 | Rights in Newly Developed Software and Other Materials | 19 | ||||||
7.5 | Export | 21 | ||||||
8. | Office Space | 21 | ||||||
8.1 | ACI Obligations | 21 | ||||||
8.2 | Vendor Obligations within ACI Office Space | 21 | ||||||
8.3 | Use of Vendor Facilities by ACI | 22 | ||||||
9. | Service Levels | 22 | ||||||
9.1 | General | 22 | ||||||
9.2 | Failure to Perform | 22 | ||||||
9.3 | Critical Service Levels and Service Level Credits | 23 | ||||||
9.4 | Priority of Recovery Following Interruption of Services | 23 | ||||||
9.5 | User Satisfaction | 23 | ||||||
9.6 | Periodic Reviews and Adjustments to Service Levels | 24 | ||||||
9.7 | Measurement and Reporting | 24 | ||||||
10. | Project and Contract Management | 25 | ||||||
10.1 | Governance Guidelines and Principles | 25 | ||||||
10.2 | Executive Steering Committee | 25 | ||||||
10.3 | Reports | 25 | ||||||
10.4 | Meetings | 26 | ||||||
10.5 | Procedures Manuals | 26 | ||||||
10.6 | Change Control | 27 | ||||||
10.7 | Subcontracting | 29 | ||||||
10.8 | Technology Planning and Budgeting | 31 | ||||||
10.9 | Quality Assurance and Improvement Programs | 32 | ||||||
10.10 | Management of Issues | 32 | ||||||
11. | Audits, Record Retention | 33 | ||||||
11.1 | Intentionally left blank | 33 | ||||||
11.2 | Audit Rights | 33 | ||||||
11.3 | Vendor Internal Controls | 35 | ||||||
11.4 | Audit Follow-up | 35 | ||||||
11.5 | Records Retention | 36 | ||||||
11.6 | Discovery of Overcharge of ACI | 36 | ||||||
12. | ACI Responsibilities | 36 | ||||||
13. | Charges | 37 | ||||||
13.1 | General | 37 | ||||||
13.2 | Pass-Through Expenses | 37 | ||||||
13.3 | Incidental Expenses | 37 | ||||||
13.4 | Taxes | 37 | ||||||
13.5 | Extraordinary Events | 39 | ||||||
13.6 | New Services | 39 | ||||||
13.7 | Benchmarks for Cost of Services | 40 | ||||||
14. | Invoicing and Payment | 42 | ||||||
14.1 | Invoicing. | 42 | ||||||
14.2 | Payment Due | 42 | ||||||
14.3 | Accountability | 43 | ||||||
14.4 | Pro-ration | 43 | ||||||
14.5 | Prepaid Amounts | 43 | ||||||
14.6 | Refunds and Credits | 43 | ||||||
14.7 | Deduction | 43 | ||||||
14.8 | Disputed Charges | 43 | ||||||
15. | Safeguarding of Data; Confidentiality | 44 | ||||||
15.1 | General | 44 | ||||||
15.2 | Safeguarding ACI Data | 44 | ||||||
15.3 | Confidential Information | 45 | ||||||
15.4 | Corporate Information Risk Controls | 48 | ||||||
15.5 | Step-In Rights | 49 | ||||||
16. | Warranty | 49 | ||||||
16.1 | General | 49 | ||||||
16.2 | Work Standards | 50 | ||||||
16.3 | Maintenance | 50 | ||||||
16.4 | Efficiency and Cost Effectiveness | 50 | ||||||
16.5 | Technology | 50 | ||||||
16.6 | Non-Infringement; Licenses | 50 | ||||||
16.7 | Authorization and Other Consents | 51 | ||||||
16.8 | Inducements | 51 | ||||||
16.9 | Viruses | 51 | ||||||
16.10 | Disabling Code | 52 | ||||||
16.11 | Deliverables | 52 | ||||||
16.12 | Software Ownership or Use | 52 | ||||||
16.13 | Other | 52 | ||||||
16.14 | Application | 53 | ||||||
16.15 | Disclaimer | 53 | ||||||
17. | Insurance | 53 | ||||||
17.1 | Insurance | 53 | ||||||
17.2 | Insurance Provisions | 54 | ||||||
18. | Indemnities | 55 | ||||||
18.1 | Vendor Indemnities | 55 | ||||||
18.2 | ACI Indemnities | 56 | ||||||
18.3 | Infringement | 58 | ||||||
18.4 | Indemnification Procedures | 59 | ||||||
19. | Liability | 59 | ||||||
19.1 | General Intent | 59 | ||||||
19.2 | Liability Restrictions | 59 | ||||||
19.3 | Direct Damages | 61 | ||||||
19.4 | Duty to Mitigate | 61 | ||||||
19.5 | Disaster Recovery Plan | 61 | ||||||
19.6 | Force Majeure | 62 | ||||||
20. | Dispute Resolution | 63 | ||||||
20.1 | Informal Dispute Resolution Process | 63 | ||||||
20.2 | Litigation | 64 | ||||||
20.3 | Continued Performance | 64 | ||||||
20.4 | Governing Law | 64 | ||||||
21. | Termination | 65 | ||||||
21.1 | Termination For Cause By ACI | 65 | ||||||
21.2 | Termination by Vendor | 65 | ||||||
21.3 | Termination for Convenience by ACI | 66 | ||||||
21.4 | Termination by ACI for Change of Control | 66 | ||||||
21.5 | Failure to Transition and Other Termination Rights | 66 | ||||||
21.6 | Termination Due To A Party’s Insolvency and Related Events | 66 | ||||||
21.7 | Intentionally left blank | 67 | ||||||
21.8 | Cumulative Termination Rights | 67 | ||||||
21.9 | Termination/Expiration Assistance | 67 | ||||||
21.10 | Bid Assistance | 69 | ||||||
21.11 | Equitable Remedies | 69 | ||||||
21.12 | Charge Adjustment | 69 | ||||||
22. | Compliance With Laws | 69 | ||||||
22.1 | Compliance with Laws and Regulations Generally | 69 | ||||||
22.2 | Liens | 70 | ||||||
22.3 | Sarbanes-Oxley | 70 | ||||||
22.4 | International Considerations | 71 | ||||||
22.5 | Privacy Laws | 71 | ||||||
23. | General | 72 | ||||||
23.1 | Binding Nature and Assignment | 72 | ||||||
23.2 | Mutually Negotiated | 72 | ||||||
23.3 | Joint Verification | 73 | ||||||
23.4 | Notices | 73 | ||||||
23.5 | Counterparts | 74 | ||||||
23.6 | Headings | 74 | ||||||
23.7 | Relationship of Parties | 74 | ||||||
23.8 | Severability | 74 | ||||||
23.9 | Consents and Approvals | 74 | ||||||
23.10 | Waiver of Default | 74 | ||||||
23.11 | Cumulative Remedies | 74 | ||||||
23.12 | Survival | 75 | ||||||
23.13 | Public Disclosures | 75 | ||||||
23.14 | Use of Name | 75 | ||||||
23.15 | 365(n) | 75 | ||||||
23.16 | Third Party Beneficiaries | 75 | ||||||
23.17 | Covenant of Good Faith | 75 | ||||||
23.18 | Non-Solicitation | 75 | ||||||
23.19 | Order of Precedent | 76 | ||||||
23.20 | Entire Agreement; Amendment | 76 |
Schedule A | Statement of Work | |
Exhibit A-1 | Delivery Management Services (Cross Functional) | |
Exhibit A-2 | Asset Services | |
Exhibit A-3 | Service Desk Services | |
Exhibit A-4 | End User Services | |
Exhibit A-5 | Server Systems Management Services (including mainframe) | |
Exhibit A-6 | Storage Management Services | |
Exhibit A-7 | Data Network Services | |
Exhibit A-8 | Enterprise Security Management Services | |
Exhibit A-9 | Disaster Recovery and Business Continuity Services | |
Schedule B | Service Levels | |
Exhibit B-1 | SLA Matrix | |
Exhibit B-2 | Critical Service Levels and Key Measurements | |
Exhibit B-3 | Critical Deliverables | |
Exhibit B-4 | Severity Levels | |
Schedule C | Charges | |
Exhibit C-1 | Base Charges, Baselines, ARC/RRC Rates and Termination Charges | |
Exhibit C-2 | Financial Responsibility and Ownership Matrix | |
Exhibit C-3 | Form of Invoice | |
Exhibit C-4 | Base Case | |
Schedule D | Definitions | |
Schedule E | Intentionally left blank | |
Schedule F | Intentionally left blank | |
Schedule G | Third Party Contracts | |
Schedule H | Existing Equipment | |
Exhibit H-1 | ACI US Midrange Inventory | |
Exhibit H-2 | ACI Toronto Server Room Inventory | |
Exhibit H-3 | EMEA Server Equipment | |
Exhibit H-4 | ACI AP Midrange Inventory | |
Exhibit H-5 | Network Inventory | |
Exhibit H-6 | People Counts by Location | |
Schedule I | Vendor Supported Software | |
Exhibit I-1 | Framingham Workstations | |
Exhibit I-2 | Newton Workstations | |
Exhibit I-3 | Omaha Workstations |
Schedule J | ACI Policies and Standards | |
Schedule K | User Satisfaction Survey Guidelines | |
Schedule L | Transition and Transformation | |
Schedule M | Vendor Confidentiality Agreement | |
Schedule N | Approved Subcontractors | |
Schedule O | Approved Benchmarkers | |
Schedule P | Locations | |
Schedule R | Reports | |
Schedule S | Governance | |
Schedule T | Human Resources | |
Schedule U | Change Control Procedure | |
Exhibit U-1 | Form of Change Management Document | |
Schedule V | In-Flight Projects |
3.11 | Projects. |
3.16 | Knowledge Sharing. |
9.2 | Failure to Perform. |
9.7 | Measurement and Reporting. |
10.10 | Management of Issues. |
16.1 | General. |
18.2 | ACI Indemnities. |
22.3 | Sarbanes-Oxley. |
In the case of ACI: | with copies to: | |
ACI Worldwide, Inc. | ACI Worldwide, Inc. | |
Attention: Chief Administrative Officer | Attention: General Counsel | |
120 Broadway, Suite 3350 | 6060 Coventry Drive | |
New York, NY 10271 | Omaha, NE 68022 | |
In the case of Vendor to: | with copies to: | |
International Business Machines Corporation | International Business Machines Corporation | |
Attention: Vendor Project Executive | Office of Associate General Counsel | |
3613 Ruth Street | MD4202, Route 100 | |
Indian Trail, NC 28079 | Somers, NY 10589 |
23.17 | Covenant of Good Faith. |
INTERNATIONAL BUSINESS MACHINES CORPORATION | ACI WORLDWIDE, INC. | |||||
By: | /s/ Arthur G. Gopfert | By: | /s/ David N. Morem | |||
Name: | Arthur G. Gopfert | Name: | David N. Morem | |||
Title: | Director of Services- GTS | Title: | SVP, Global Business Operations | |||
Date: | March 17, 2008 | Date: | March 17, 2008 | |||
1.0 | INTRODUCTION | |
The following documents comprise the entire Statement of Work (SOW) in the Agreement: |
1. | Exhibit A-1 — Delivery Management Services (Cross Functional) |
1.1. | Attachment A-1 — Services Definitions |
2. | Exhibit A-2 — Asset Services | ||
3. | Exhibit A-3 — Service Desk Services | ||
4. | Exhibit A-4 — End User Services | ||
5. | Exhibit A-5 — Server Systems Management Services (including Mainframe) | ||
6. | Exhibit A-6 — Storage Management Services | ||
7. | Exhibit A-7 — Data Network Services | ||
8. | Exhibit A-8 — Enterprise Security Management Services | ||
9. | Exhibit A-9 — Disaster Recovery and Business Continuity Services |
Schedule A — Statement of Work
Page 1 of 1
1. | INTRODUCTION |
2. | SERVICES MANAGEMENT |
a. | Deploy a set of service support processes (ITIL V3.0-based) to enable consistent management of process-driven IT services seamlessly across a variable number of vendors. |
(1) | Design processes to enable the effective monitoring and reporting of the IT services in a multi-vendor environment through the appropriate deployment of the relevant tools and procedures globally. |
(a) | The deployment of tools across Vendor and third-party vendor(s) will go through the change management process. |
b. | Coordinate the execution of all the processes across Vendor and all third-party vendor(s) in order that all the individual components that make up the IT services are managed in an end-to-end manner. |
c. | Integrate any systems supporting these processes to provide a seamless view of Service delivery to ACI. |
2.1 | Process Interface Manual |
a. | The Process Interface Manual will: |
(1) | Document detailed processes requiring interface between the Vendor and ACI (for example, change management process, Problem Management/Incident Management, Asset Management). |
Exhibit A-1 — Delivery Management Services (Cross Functional)
Page 1 of 41
(2) | Be used by Vendor to provide the Services. | ||
(3) | Identify the process interfaces. | ||
(4) | Describe how ACI and Vendor will interact during the Term. |
(5) | Document all operations procedures, Services, Equipment, and Software for which Vendor is responsible. |
(6) | Document, using ACI-provided information, Application requirements that affect Operations, along with procedural information and contact information for each Application. |
(7) | Document procedures to be utilized by End Users for the correct use of the Services, Equipment, Software, connectivity, security, and Service Desk. |
b. | Vendor Responsibilities |
(1) | Assign an individual to be the single point of contact to ACI for the Process Interface Manual development and maintenance. |
(2) | Provide ACI the proposed table of contents and format for the Process Interface Manual for ACI’s review and approval. |
(3) | Develop and provide ACI the draft Process Interface Manual, which will be customized by Vendor to reflect the process interfaces between ACI and Vendor. |
(4) | Review ACI feedback and revise the draft Process Interface Manual to incorporate mutually agreed changes. |
(5) | Provide the final version of the Process Interface Manual to ACI. |
(6) | Conduct joint annual process maturity assessments, identify process inhibitors, and propose process improvements to ACI. |
(7) | Jointly review the Process Interface Manual on an annual basis or more frequently, as required, and update and maintain the Process Interface Manual accordingly. |
(8) | Provide appropriate Vendor employees with access to the Process Interface Manual, as required, with electronic copies provided to ACI. |
c. | ACI Responsibilities |
(1) | Assign an individual to be the single point of contact to Vendor for the Process Interface Manual development and maintenance. |
(2) | Review and approve the proposed table of contents and format for the Process Interface Manual. |
(3) | Review and provide to Vendor, in writing, ACI’s comments, questions and proposed changes to the draft Process Interface Manual. |
(4) | Acknowledge ACI’s receipt of the final version of the Process Interface Manual. |
(5) | Identify process inhibitors and propose process improvements to Vendor, as appropriate. |
(6) | Jointly review the Process Interface Manual on an annual basis or more frequently, as required. |
(7) | Provide appropriate ACI employees with access to the Process Interface Manual, as required. |
2.2 | Processes |
2.2.1 | CHANGE MANAGEMENT |
a. | The Vendor responsibilities include the following: |
(1) | Provide development, implementation, and ongoing management of the necessary ACI approved processes, procedures, and management discipline necessary to fulfill the Agreement’s change management process requirements. |
(2) | Communicate the change management process within Vendor’s own organization and to each third-party vendor(s). |
(3) | Verify that the effective execution of the change management process, as well as an appropriate review of planned changes, takes place with due consideration of the business and technology risk of planned changes, taking into consideration all defined criteria (such as complexity of change, the skill level of the individual(s) executing the change, the planned change execution timeframe, the change slot timeframe, the back-out timeframe, and the relevant business processing criticality). |
(4) | With proper authorization, stop any planned changes that, in the professional view of the person(s) performing the Services, would compromise the continuation of Services to ACI, and act as the gatekeeper to production, unless expressly overridden by ACI’s Operations Manager in accordance with the approved Change Advisory Board escalation process. |
(a) | Assume responsibility for escalating any issues arising from the decision to stop a planned change. |
(5) | Manage and conduct the review of any change failures, and provide a strong interlock between change and Incident Management and Problem Management processes so that post-change issues can be linked to the change activity where relevant. |
(6) | Manage to resolution any deviation from effective change management process, ensuring the purposeful review and closure of failed changes. |
(7) | Facilitate and lead information exchange between and among Vendor and the third-party vendors in order to drive an effective end-to-end change management process. |
(8) | Do not make changes that (i) may adversely affect the function or performance of, or decrease the resource efficiency of the Services, (ii) increase ACI’s costs or fees, (iii) impact its customers or (iv) impact the way in which ACI conducts its business or operations, without obtaining prior ACI approval following ACI procedures. |
b. | ACI will provide Vendor with contact information related to change management process procedures. |
a. | The Vendor responsibilities include the following: |
(1) | Receive and record changes. | ||
(2) | Assess the impact and risk of the proposed changes. |
(3) | Provide and maintain compliance with ACI policies. |
(4) | Perform all changes in ACI’s IT environment pertaining to the Services, including changes to individual components and coordination of changes across all components. |
(5) | Make all changes in accordance with change management process procedures approved by ACI. | ||
(6) | Monitor and report on the change implementation. | ||
(7) | Review and close all changes. |
(8) | Integrate the Vendor change management process with ACI’s change management process and systems, as well as with the third-party vendor(s)’ change management processes, where the processes interact. Cooperate with the Service Desk and third-party vendor(s) for changes across all applications, system components, and parties. |
(9) | Integrate the change management process with other Service Management processes, especially Incident Management, Problem Management, Configuration Management, and IT Service Continuity Management. |
(10) | Deploy workflow-based tools to automate the process of scheduling, describing, authorizing, tracking, and reporting on changes. | ||
(11) | Collect data on every change attempted, including: |
(a) | The reason for change. | ||
(b) | Detailed description of change. |
(c) | Whether the change was successful from the perspective of the authorized users of the system. |
(12) | Summarize the changes made each week, and report the information to ACI on a weekly basis. |
(13) | Capture all ACI change data centrally, and make it available to ACI. |
(14) | Provide an audit trail of any and all changes to the production environment in order to determine the change made and the authorization to make the change. |
(15) | Conduct post implementation reviews (PIR) on failed changes as requested by ACI. |
(16) | Confirm that all changes are performed to ACI’s specifications provided to Vendor as ACI determines necessary to conform to regulations (i.e., Sarbanes/Oxley Act) or requirements. |
(17) | Work diligently to ensure that the change management process achieves: |
(a) | Efficient implementation of changes. | ||
(b) | Clear accountability. | ||
(c) | Minimization of risk. | ||
(d) | Minimization of business disruption. | ||
(e) | Effective coordination and communication. |
b. | ACI will: |
(1) | Record changes in the change management process tool for Applications changes. |
(2) | Provide to Vendor the ACI specifications for conformance to regulations as set forth in the Sarbanes/Oxley Act. |
(3) | Conduct Post Implementation Reviews (PIR) on failed changes as requested by ACI for Applications changes. |
(4) | Provide lead personnel to lead, drive and respond to Application Incidents and Problems. |
a. | The Vendor responsibilities include the following: |
(1) | Develop and implement a standardized method and procedure for the efficient and effective handling of all changes (an overall change management process), including the Change Advisory Boards (CAB) to manage changes to the Services, subject to approval from ACI, in a way that minimizes risk exposure and maximizes availability of the Services. |
(2) | Coordinate change management process activities across all functions, ACI Locations, regions, and third-party vendor(s) that provide services to ACI. |
(3) | Perform the function of promoting code to production (sometimes called, “move to production”), as requested. |
(4) | Deploy tools to automate the process of scheduling, describing, tracking, and reporting on changes to the environment. |
(5) | Integrate change management processes with Tivoli Configuration Manager. |
(6) | Make any changes necessary to provide the Services and to meet all required Service Levels, based on ACI-approved change management process procedures. |
(7) | In an emergency, gain approvals from ACI according to change management process procedures. |
(8) | Designate and maintain clear ownership for individual changes throughout the process. |
b. | ACI will manage the control of the Application production libraries. |
a. | The Vendor responsibilities include the following: |
(1) | Document the change management process and procedures in accordance with the requirements in the Process Interface Manual and as stated in the Exhibit. |
(2) | On a weekly basis, participate in change management process meetings with ACI’s change manager or designee. |
(3) | Submit proposed changes, based on the impact and risk associated with a change, with non-emergency changes submitted, on average, 2 weeks in advance to ACI. At a minimum, each submitted proposed change will include: |
(a) | A description of the change. |
(b) | The purpose and justification for the change, including any corresponding service request, or Incident, or Problem identifiers. |
(c) | A list of Service(s), internal or external customer(s), and third-party vendor(s) potentially affected by the change. |
(d) | The proposed schedule, including implementation date(s) and approximate time(s) for determination of any existing conflict with business events. | ||
(e) | The proposed implementation procedures. | ||
(f) | A rating of the potential risk, business impact, and/or complexity of the change. |
(g) | Where a proposed change represents a potentially high risk or high impact to ACI’s operations or business, or at the request of ACI, Vendor will also: |
(i) | Include a comprehensive end-to-end test plan (including clear change acceptance criteria), notification and escalation lists, and work-around plans. |
(ii) | Include a comprehensive contingency plan, including a back-out plan and procedures (with specific criteria to initiate the execution of the back-out plan). |
(4) | Verify, with ACI’s change manager, compliance with ACI policies. |
(5) | Review proposed changes and schedules with ACI, and obtain all necessary approvals for proposed changes. |
(6) | Coordinate with ACI all affected third parties and designated representatives at Locations potentially affected by a change in order to minimize disruption of normal business processes. |
(7) | Manage system changes and activities required by moves, upgrades, replacements, and migrations for those changes originating from a responsibility of Vendor. |
(8) | Include rollout, testing, and roll-back plans for every request for change. |
(9) | Provide information to ACI in accordance with ACI’s change management process on the outcome of any Request for change and the updated status after each change is implemented. |
(10) | Update all operational and other documentation affected by the change. |
(11) | Report the status of scheduled changes, including maintaining a comprehensive list of projects and dates. |
(12) | Collect data on every change attempted, which includes the following: |
(a) | Include the cause of any Incidents, measures taken to prevent recurrence, and whether the change was successful from the perspective of the End User or Third Party affected by the change. |
(b) | Summarize and report this data to ACI on a weekly basis. |
(13) | Provide an audit trail of any and all changes to all environments, which should include a record of the change made and the authorization to make the change. |
(14) | Conduct Post Implementation Reviews (PIR) on failed changes, if requested by ACI. |
(15) | Provide ACI with the ability to pre-approve certain types of routine operational changes (Standard Changes). Such approvals shall be documented in the Process Interface Manual. |
(16) | Assist ACI in developing test plans and contingency plans for Application changes. |
b. | For Application changes, ACI will: |
(1) | Include a comprehensive end-to-end test plan (including clear change acceptance criteria), notification and escalation lists, and work-around plans. |
(2) | Include a comprehensive contingency plan, including a back-out plan and procedures (with specific criteria to initiate the execution of the back-out plan). |
a. | The Vendor responsibilities include the following: |
(1) | Perform routine maintenance during regular periods scheduled in advance and approved by ACI. |
(2) | Validate that systems will be unavailable during maintenance windows only to the extent necessary for systems maintenance purposes. |
(3) | Provide at least thirty (30) days prior notice to ACI of the maintenance to be performed during scheduled maintenance windows. |
(a) | Change scheduled maintenance windows at ACI’s request and upon reasonable notice. |
(4) | Schedule Outages for maintenance, expansions, and modifications during hours that meet ACI’s business needs and external contractual obligations. |
(a) | Allow ACI, at any time at its discretion, to specify “freeze” periods during which Vendor will not make any changes. |
(5) | If there is a need for emergency systems maintenance, provide ACI with as much notice as reasonably practicable (ACI has the final change authorization), and perform such maintenance so as to minimize interference with the business and operational needs of ACI. |
(6) | Fully test changes to the IT environment and resolve faults, if possible, prior to production startup, including inter-operability testing. |
b. | The Vendor responsibilities include the following: |
(1) | Create and maintain a Forward Schedule of Change (FSC) of upcoming releases and changes as part of ACI’s change management process. | ||
(2) | Provide monthly reports in a format agreed with ACI. |
(3) | Provide a weekly report in a format agreed with ACI that, at a minimum, includes: |
(a) | The status of all changes active at the beginning of the week and all changes raised during the week. | ||
(b) | The changes to be implemented the following week. | ||
(c) | The changes submitted for approval. |
(4) | Participate in or lead regularly scheduled change meetings with ACI and third-party vendor(s). |
(5) | Review proposed changes and schedules through a formal walk-through process with ACI and third-party vendor(s), and obtain all necessary approvals for proposed changes. |
2.2.2 | Escalation Management |
a. | Vendor responsibilities include: |
(1) | Escalate unresolved Incidents, problems and requests according to procedures approved by ACI, and automatically prioritize high-impact Applications, Software and Equipment so that, when outages occur, they are treated with the highest priority. |
(2) | Define, with ACI, and obtain ACI approval on Escalation procedures that reflect and describe: |
(a) | The Severity Level of the Incident. |
(b) | The Location of the Incident and the name and/or number of affected End User. |
(c) | The elapsed time before an Incident is escalated to the next higher Severity Level. |
(d) | The levels of involvement (and notification) of Vendor management and ACI management at each Severity Level. |
b. | ACI will provide Vendor with definition of high-impact Applications, Software and Equipment. |
c. | Vendor will provide a process for escalating to ACI, or the Vendor management, Incidents not resolved in the time frames appropriate to the severity of the Incident and the priority of the user. |
(1) | Escalate unresolved Incidents according to procedures approved by ACI, and automatically prioritize high-impact Applications, Software, and Equipment, such that they are treated with the highest priority. |
(2) | Implement escalation procedures that reflect and describe the following items: |
(a) | Severity Level of the Incident. |
(b) | Location of the Incident and the name and/or number of affected internal or external customers. |
(c) | Elapsed time before an Incident is escalated to the next higher Severity Level. |
(d) | The levels of involvement (and notification) of Vendor management and ACI management at each Severity Level. |
(e) | Investigative and diagnostic activities to identify workarounds for each Incident. |
(f) | Incident resolution activities to restore normal service in compliance with the Service Levels. |
(g) | Ability to resolve Incidents by matching Incidents to known errors that are stored in a known error database. |
(h) | Ability to resolve Incidents by implementing workarounds that are stored in a knowledge base. |
(i) | Escalation process used to escalate Incidents to appropriate support teams when necessary. |
(j) | Escalation process used to escalate Incidents to Vendor and/or ACI’s management team. |
(k) | Ability to generate change requests where necessary for the implementation of workarounds. |
(l) | Ability to record all information on the details of the Incident and the corrective action for later statistical analysis. |
(3) | Create an audit trail of all activity that creates, changes, or deletes data and user access to systems that contain ACI data. |
2.2.3 | Incident Management | |
Incident Management is the process for minimizing the impact of Incidents affecting the availability of the Services and the timely recovery of service delivery, which is accomplished through analysis, tracking, and prevention of Incidents. | ||
General |
a. | The Vendor responsibilities include the following: |
(1) | Provide an Incident Management process that will restore service operation as quickly as possible with minimum disruption to the business, thus enabling the best achievable levels of availability and service quality to be maintained to promote internal or external customer satisfaction. |
(2) | Manage the effective execution of Incident Management to achieve its primary purpose to restore service as quickly as possible with minimal business impact. |
(3) | Implement an Incident Management process that is flexible and facilitates effective communication and coordination across functions, ACI Locations, regions and third-party vendor(s). |
(4) | Integrate the Vendor Incident Management process with the other Service Management processes, especially Problem Management, Configuration Management, and change management process. |
(5) | Validate that the Incident Management process provides an audit trail. |
(a) | It is essential that detailed audit information be recorded of all activity that creates, changes, or deletes data and user access to systems that contain ACI data. |
(b) | Audit information should be comprehensive spanning multiple applications, systems components, or parties, if applicable. |
(6) | Vendor will communicate the Incident Management process to the Vendor organization, ACI, and each third-party vendor(s) involved in the delivery of IT services. |
(7) | Facilitate and lead information exchange between and among Vendor, ACI, and/or third-party vendor(s) to improve end-to-end Incident Management. |
(8) | Develop and document processes regarding interfaces, interaction, and responsibilities between Level 1 support personnel, Level 2 support personnel, and any other internal or external persons or entities that may either raise an Incident, or receive an Incident. |
(9) | Wherever possible, designate end-to-end responsibility and ownership for each Incident to a single Vendor Service Desk staff member, thus minimizing redundant contacts with End Users. |
(10) | Provide a mechanism for expedited handling of Incidents that are of high business priority to ACI and third-party vendor(s), based on the assigned Severity Level, as per escalation processes described in the Incident and Problem Management Procedures. |
(11) | Develop and maintain a process to promote Incidents into the Incident Management process based on the Severity Level of the Incident. |
b. | ACI will validate that the Incident Management process provides an audit trail that meets the mandatory legislative and policy requirements to which ACI must comply. |
(1) | Receive and log all Incidents (including submissions received by telephone or electronically) and open an Incident Record. |
(2) | Provide Incident detection, reporting, recording, and initial support. |
(3) | For Incidents other than Application Incidents, provide Incident investigation, diagnosis, impact analysis, and reclassification (as agreed to by ACI) as reasonably required. For Application Incidents, provide tracking, logging, reporting, Escalation Management, analysis and determination to escalate to ACI, and overall tracking until the Incident is closed. |
(4) | Utilize and update the Incident Management System with all relevant information relating to an Incident. | ||
(5) | Make an initial determination of the potential resolution. |
(6) | Link multiple contacts pertaining to the same Incident to the associated Incident Record. |
(7) | Resolve as many Incidents as possible during the End User’s contact with the Service Desk, without transferring the call or using any escalation. |
(8) | Resolve Incidents requiring Level 1 support and close the Incident after receiving confirmation from the affected End User that the Incident has been resolved. |
(9) | Resolve Incidents arising from or related to the Services, including break/fix Equipment and Software support. |
(10) | Act proactively, and coordinate with all other internal and external third parties to resolve Incidents. |
(11) | Transfer Incidents within specified time limits to the appropriate party without compromising Service Levels or security requirements. | ||
(12) | Provide or coordinate the final resolution. |
(13) | Escalate issues to the appropriate levels for resolution in accordance with escalation procedures approved by ACI. |
(14) | Escalate an Incident where the Incident cannot be resolved within the relevant Service Levels or agreed timeframe. |
(15) | Close an Incident either after receiving confirmation from the affected End User that the Incident has been resolved, or after 3 unsuccessful attempts to contact the End User. |
(16) | Restore normal service operations as quickly as possible following an Incident, with minimum disruption to ACI’s business operations, and in compliance with Service Levels. |
(17) | Retain overall responsibility and ownership of all Incidents (including monitoring and escalation) until the Incident is closed subject to ACI approval. |
(18) | Track and report the progress of resolution efforts and the status of all Incidents, including: |
(a) | Review the proposed resolution time for each Incident with the appropriate party and update the status accordingly. |
(b) | Coordinate Incident tracking efforts, and provide and maintain regular communications between all parties and internal or external customers until Incident resolution. |
(c) | Keep ACI informed of changes in Incident status throughout the Incident life cycle in accordance with agreed Service Levels. |
(d) | Keep ACI informed of anticipated resolution times for active Incidents. |
(19) | Leverage a knowledge base to assist with the resolution of Incidents, including: |
(a) | Make the knowledge base available online to End Users for user self help. |
(b) | Track the use of the knowledge base and report usage statistics to ACI on a monthly basis, or as requested by ACI (i.e., the number of Incidents resolved using the knowledge base). |
b. | The Vendor responsibilities include the following: |
(1) | Provide regular progress notifications to ACI on current Severity Level 1 Incidents. The frequency of such notification is determined by the severity of the Incident as defined in the Process Interface Manual (every hour for Severity Level 1). |
(2) | Provide prompt notification via methods to be agreed upon by the Parties of system outages on critical systems; and otherwise provide affected internal or external customers with regular and timely progress updates that clearly indicate the following: |
(a) | Nature of the Incident. | ||
(b) | Estimated time to completion. | ||
(c) | Potential short-term alternatives. |
(3) | Maintain communications and provide reports to ACI, Service Desk and, as necessary, third-party vendor(s) from the time an Incident is identified through resolution, and, as necessary, through any follow-up communication and work required post-resolution. |
(4) | Provide the monthly report in electronic copy in a format agreed to with ACI, which at a minimum includes: |
(a) | Key issues relating to Incident Management. |
(b) | Number of Incidents during the month, grouped by severity, service, region, and classification. |
(c) | List of Incidents, short description, reference number, and a shortcut to detailed description. | ||
(d) | Detailed description, including timing of activities. |
(e) | Trend analysis of the Incidents reported for the past 13 months in accordance with Schedule R (Reports), for reporting as needed. |
(f) | Calculate statistics and provide monthly and annual reports and electronic data to ACI, which include: |
(i) | The number of Incidents. | ||
(ii) | Sources of the Incidents. |
(iii) | Frequency regarding the types or categories of Incidents. |
(iv) | The duration of open Incidents (average and quantities by age). |
(v) | Number of Incidents resolved upon first contact. | ||
(vi) | The Service Desk call-abandoned rate. |
(vii) | Other pertinent information regarding Incident resolution, including Service Level measurement reporting. |
(5) | Track and report any backlog of unresolved Incidents on at least a daily basis, or more frequently as requested by ACI. |
(6) | If Vendor believes an Incident cannot be resolved, communicate the nature of the Incident to the appropriate level within ACI as directed by ACI, which includes: |
(a) | Communicate the reasons why Vendor believes the Incident cannot be resolved, and supply ACI with suggested alternatives. | ||
(b) | Obtain ACI approval before closing the Incident. |
(7) | In the event there is a recurrent Incident, at ACI’s request, conduct meetings to address the Vendor Incident Management activities. |
c. | The Measurements and Reporting process provides measurements to management and other service delivery processes to satisfy measurement requirements and comply with strategies, business needs, and key directions (in terms of quality, cost, performance, and resource control). This process is used to deliver contractually required service delivery, contractually required reports and support measurements associated with the Service Levels and includes management and control of the computation, storage, and delivery of formatted data, indicators and reports to the users of such measurements. |
2.2.4 | Service Requests |
(1) | Perform the same functions and assume the same responsibilities for Service Requests as required for Incident Management, including: |
(a) | Enter all Service Requests. | ||
(b) | Track and manage all Service Requests from End Users. |
(c) | Resolve Service Requests by working with service management teams, business owners, and third-party vendor(s). |
(d) | Provide liaison with change management process to confirm that Service Requests follow the change management process as appropriate. |
2.2.5 | Recovery Management |
a. | Recovery Management is the process for planning, establishing and testing the recovery procedures required to re-establish the functionality of systems included in the Services in the event of a system failure. This process also addresses the monitoring, assessing, and reporting of the test results to management. The intent of this process is to anticipate and minimize the impact of systems resource failure through the development of predefined, documented procedures and software/Equipment recovery capabilities. ACI and Vendor will agree on the procedures for recovery. Disaster Recovery Management is described more fully in Disaster Recovery SOW. |
2.2.6 | Availability Management |
a. | Availability Management is the process for coordinating the appropriate skills, information, tools and procedures required to manage the Services, including the availability of interactive networks and their supporting Equipment and software components. | ||
Availability Management will optimize the capability of ACI’s IT infrastructure and the supporting organization to deliver a cost-effective and sustained level of Service. |
b. | The Vendor responsibilities include the following: |
(1) | Optimize availability by collecting, monitoring, analyzing, and reporting on all key elements of availability. |
(2) | Predict and design for expected levels of availability based on ACI’s requirements. | ||
(3) | Continuously review and improve availability. |
(4) | Operate and maintain an Availability Management process to plan, implement, measure, and manage the availability and reliability of the Services to confirm that the levels of availability and reliability consistently meet the Service Levels. |
(5) | Integrate the Vendor Availability Management process with ACI’s and Third Party vendor(s)’ Availability Management processes, where the processes interact. |
(6) | Integrate the Availability Management process with other Service Management processes, especially Incident Management, change management process, Capacity Management, and Disaster Recovery. |
c. | The Vendor responsibilities include the following: |
(1) | Provide the levels of availability and reliability of the Services in compliance with the Service Levels. |
(2) | Produce availability plans using requirements, as specified by ACI, that address ACI’s business forecasts for availability and reliability, and capitalize on any technology changes that may cost-effectively improve levels of availability and reliability. | ||
(3) | Implement the availability plans after their approval by ACI. |
(4) | Produce availability and reliability impact assessments with respect to Requests for change and Service Requests in accordance with Service Levels. | ||
(5) | Produce Availability and reliability trend analyses. |
(6) | Manage the monthly number of availability-related Incidents in accordance with the Service Levels. |
(7) | Cooperate with ACI and its third-party vendor(s) to provide end-to-end availability and reliability of the Services. |
(8) | Retain the availability and reliability source data to enable trend analysis and to make such data available to ACI. |
(9) | Provide early warning or advice to ACI of potential or actual availability and reliability issues. Vendor will provide additional advice as the potential increases and as the threat becomes more imminent. |
d. | Reports are defined in Schedule R (Reports). The Vendor responsibilities include the following: |
(1) | Provide regular reporting of service Outages related to the Services that affect End Users irrespective of where the Outage occurred. |
(2) | Provide a monthly report in a format agreed upon with ACI that, at a minimum, includes the following: |
(a) | Compare performance and Availability statistics for each Application with planned performance and Availability. |
(b) | Provide a list of all outages, linked to an Incident, including the date and time the outage commenced, its duration, and the affected infrastructure and Applications. |
(c) | Provide trend analysis of the performance for each Application and Environment for the past 13 months in accordance with Schedule R (Reports), in order to provide data reporting as needed. |
(d) | Report on proposed preventative maintenance activities. |
(3) | Provide ad hoc reports as occasionally requested by ACI and provide ACI with recommendations of preventative maintenance options. |
(4) | Provide a written report containing the findings and recommendations of each outage analysis. |
2.2.7 | Backup and Recovery Management |
a. | Backup and Recovery Management is the process for backing up data files and recovering such data to its original location in the event of data loss and includes planning, testing, and implementing procedures and standards required to provide the Services in the event of a failure. |
2.2.8 | Batch Management |
a. | Batch Management is the process for controlling production batch applications, including the scheduling of resources and the processing set up for data and transactions. |
2.2.9 | Capacity Management |
a. | Capacity Planning is the process for planning for adequate IT resources required to fulfill current and future resource requirements and includes planning for the efficient use of existing IT resources and identifying any change in the type and quantity of IT resources necessary to perform the Services. |
b. | Capacity Management, as described in this Exhibit, is the primary responsibility of Vendor. |
c. | Vendor responsibilities include the following: |
(1) | Formally review capacity requirements as part of ACI’s normal business planning cycle. |
(2) | Verify that there is adequate IT capacity to meet the required levels of service. | ||
(3) | Manage IT capacity to demand for the Services. |
(4) | Work with ACI governance to achieve optimal utilization of IT capacity. |
(5) | Provide additional capacity or advise ACI regarding the need for additional capacity, as appropriate. |
(6) | Monitor resources and system performance, system utilization, capacity limits, and expected capacity needs, and record appropriately to meet ACI’s reporting requirements in accordance with Schedule R (Reports). |
(7) | Produce regular management reports, including current usage of resources, trends and forecasts, and exceptions. |
(8) | Determine capacity requirements of all new systems to determine the necessary computer and network resources required, and then size such new systems taking into account Equipment utilization, performance Service Levels, and cost (minimizing cost to ACI). |
(9) | Utilize new Equipment and software products in Capacity Management in order to improve the efficiency and effectiveness of the process, as part of the continuous improvement and evolution of the Services. |
(10) | Carry out performance testing of new systems to confirm that such systems meet planned performance and utilization expectations and requirements. |
(11) | As requested by ACI, or as needed to deliver the Services, propose Service Levels that are maintainable and cost-justified. |
(12) | Tune systems to achieve optimum use of all Equipment and system software resources. |
(13) | Resolve non-Application performance-related Incidents and Problems. |
(14) | Perform capacity studies as reasonably requested by ACI or as needed to deliver the Services. |
(15) | In support of Application Development and Maintenance (ADM) activities, estimate applicable resource requirements, including impact on the capacity of the server environment, network environment, end-user computing environment, etc., as reasonably requested by ACI. |
(16) | Deploy proactive Capacity Management processes wherever practicable to do the following: |
(a) | Minimize Incidents and Problems related to resource utilization. | ||
(b) | Trend current system and resource utilization. |
(c) | Validate and verify that planned changes affect only the expected resource impact. |
(17) | Utilize reactive Capacity Management whenever necessary to facilitate successful performance of the Services. |
(18) | Investigate new technology applicable to the Services and with ACI approval, incorporate technological development, advances, and evolution into the Services. |
(19) | Align Capacity Management and the Vendor IT business plan with ACI’s Long-Range IT Plan. |
(20) | Apply Capacity Management’s tools, data, reports, and disciplines to Incidents and Problems relating to poor performance as an active member of teams working to resolve such Incidents and Problems. |
(21) | Align Capacity Management outputs with the Service Levels and other performance requirements documented in the Agreement. |
(22) | Actively include Capacity Management in the change management process to assess all changes for their impact on the capacity of the systems and provide appropriate feedback to those submitting changes. |
(23) | Incorporate work schedules and dependencies between elements of the Services into Capacity Management planning. |
(24) | Perform short-term demand management as required to maintain delivery of the Services during failures, spikes in demand, or other spontaneous events. |
d. | ACI will, in support of Application Development and Maintenance (ADM) activities, estimate applicable resource requirements, including impact on the capacity of the server environment, network environment, end-user computing environment, etc., as required. |
a. | Vendor responsibilities include the following: |
(1) | Assist ACI in forecasting ACI’s capacity requirements and in monitoring and validating the capacity forecast against ACI’s actual utilization. |
(2) | Proactively develop and deliver to ACI forecasts of growth and other changes in response to the projected ACI business and operational needs disclosed by ACI to Vendor on an annual basis, or more frequently as ACI may reasonably require. |
(3) | Work with ACI to maintain knowledge base of future demand for the Services, and predict the effects of demand on Service Levels. |
(4) | Review ACI’s requirements, based upon ACI’s review of their business strategies, business plans, and financial plans and validate that Capacity Management requirements align with those plans. |
(5) | On an agreed schedule, or as requested by ACI, revise the capacity planning model based on actual performance. |
(6) | Using Commercially Reasonable Efforts, work with ACI to use Vendor’s modeling capabilities to assist ACI in long range planning. |
b. | The Capacity Plan will document the current levels of resource utilization and Service performance, and forecast future requirements accounting for ACI business strategies and plans. The plan must clearly document assumptions and include recommendations quantified in terms of resources required, costs, benefits, impact, etc. |
(1) | Produce or update the Capacity Plan in conjunction with ACI’s business planning cycle. |
(2) | Include the Capacity Plan in the Vendor annual publication of the IT business plan. |
(3) | Incorporate ACI’s capacity planning recommendations into the Capacity Plan. |
(4) | Be forward-looking by eighteen (18) months unless otherwise specified by ACI. |
c. | ACI employs business Capacity Management to facilitate alignment between its future IT requirements and future business requirements. |
d. | Vendor is responsible for service Capacity Management (the management of the capacity of the Services). Vendor responsibilities include the following: |
(1) | Investigate and research threshold breaches and near misses to determine what remedial action should be taken; then plan and perform such remedial actions through the change management process. |
(2) | Employ regular monitoring, identification of exceptions, and manual review of reports and trends. |
e. | Vendor is responsible for resource Capacity Management (the management of the capacity of the components comprising the Services). The Vendor responsibilities include the following: |
(1) | Maintain an understanding of the capacity and utilization of each of the IT components that Vendor manages, including Equipment, Software, and data circuits. |
(2) | As necessary to provide optimum resource usage (Equipment, circuits, etc.) in the delivery of the Services, install Equipment monitors, properly configure those monitors, and collect the resultant data. |
(3) | Upon request, estimate the resource and utilization effects of planned changes. |
(4) | Reactively respond to Incidents that are caused by a lack of resource or an inefficient use of a resource. |
(5) | Proactively identify components that are susceptible to failure, and recommend cost-effective solutions for ACI’s consideration and possible approval. |
(6) | Publish regular Capacity Management reports to ACI. Such reports will include current/recent utilization (and trends) compared to normal utilization, Service Levels, and previously identified baselines. |
2.2.10 | Configuration Management |
a. | Configuration Management is the process for designing, planning, and maintaining the physical and logical configuration of mainframe, midrange, server and desktop Equipment and software as well as network components and the way these resources are interrelated in ACI’s environment. |
a. | The Vendor responsibilities include the following: |
(1) | Use a Configuration Management process to: |
(a) | Maintain accurate configuration data for the configuration items including operations documents, Equipment, Software and applications used to provide the Services. |
(b) | Verify that only authorized and identifiable configuration items including operations documents, Equipment, Software and applications are accepted and recorded from receipt to disposal. |
(c) | Reproduce the configuration status of the configuration items — including operations documents, Equipment, Software and applications at any point in time throughout its life cycle. |
(d) | Conduct reviews and audits to verify the physical existence of Configuration Items including operations documents, Equipment, Software, and applications and to check that they are correctly recorded in the configuration management Tool. |
(e) | Produce and maintain current Equipment and Software configuration documentation for issue to ACI upon request. |
(2) | Integrate the Vendor Configuration Management process with ACI’s and third-party vendor(s)’ Configuration Management processes, where the processes interact. |
(3) | Integrate the Configuration Management process with its other Service Management processes, especially Incident Management, Problem Management, change management process, and Asset Management. |
(4) | Use the Configuration management process to identify, control, maintain, and verify the configuration items approved by ACI as comprising the Equipment and Software to provide the Services. |
(5) | Verify that all CIs approved by ACI for the Equipment, Software, are incorporated into the configuration management tool. Vendor must complete this incorporation on a continuous basis. |
(6) | For each ACI-approved CI, use at least the attributes specified by ACI. |
(7) | Validate that any change to any CI record in the configuration management tool is the result of an approved Request for change. |
(a) | Validate the integrity and currency of the configuration management tool by continually validating the content of the configuration management tool against the CIs that provide the Services. |
(b) | If a discrepancy is found, take corrective action. |
(8) | Maintain the configuration management tool to meet performance standards, to maximize efficiency, and to minimize outages, as necessary. |
(9) | Maintain, update, and implement the configuration management tool archive processes and procedures needed to recover from an outage or corruption in a timely manner in order to meet the Service Levels. |
(10) | Provide configuration management tool physical database management support, including providing backups and restores of data in a timely manner. |
(11) | Install, maintain, and support configuration management tool-related database Software products. |
(12) | Test and implement configuration management tool database environment changes, as approved by ACI. |
(13) | Proactively provide capacity planning for the configuration management tool to prevent situations caused by lack of capacity (i.e., dataset or table space capacity events, full log files, etc.). |
(14) | In the event of unusual activity, correct situations caused by lack of configuration management tool capacity in a timely manner (i.e., dataset or table space capacity events, full log files, etc.). |
(15) | Perform physical audits of all Equipment and Software configurations used to provide the Services in order to: |
(a) | Verify the existence of CIs recorded in the configuration management tool. |
(b) | Check the accuracy and completeness of the records in the configuration management tool. |
(c) | Identify any CIs not recorded in the configuration management tool. |
(16) | Take corrective action if a physical audit identifies any deficiency in the accuracy or completeness of the records in the configuration management tool. |
(17) | Control master copies of digital CIs in secure electronic libraries. |
(18) | Establish a baseline of CIs before a release into a development, test, or production environment. |
(19) | Verify release and configuration documentation before changes are made to the live environment. |
(20) | Maintain a secure audit trail of all configuration management tool transactions. |
(21) | With assistance from ACI, manage the process that gathers and compiles CIs and their attributes during the transition process. |
b. | ACI will: |
(1) | Provide, with assistance from Vendor, configuration items. |
(2) | Provide, with assistance from Vendor, configuration attributes. |
c. | The Vendor responsibilities include the following: |
(1) | Provide a monthly report on configuration changes made to the infrastructure, Equipment, and Software. |
(2) | Provide the following monthly report in a format agreed by ACI as described in Schedule R (Reports). This report includes: |
(a) | Number and classification of configuration changes made. |
(b) | Trend analysis of the configuration changes made for the past 13 months, for reporting in accordance with Schedule R (Reports). |
(3) | Provide a report containing the results of the biannual audit of the configuration management tool to ACI within ten (10) Business Days of each audit covering, at a minimum: |
(a) | Number of differences between the records and audit findings. |
(b) | Number of occasions on which a configuration was found to be unauthorized. |
(c) | Recommended corrective actions to resolve any process deficiencies or failures identified. |
(d) | Number of occasions on which a recorded CI could not be located. |
(e) | Statistical information about the structure and composition of the Equipment and Software. |
2.2.11 | Database Management |
a. | Physical Database Management is the process for the design, development, deployment, maintenance, and administration of ACI production databases used to support Vendor’s delivery of the Services. |
2.2.12 | Data Center Infrastructure Facilities Planning |
a. | Data Center Infrastructure Facilities planning is the process that defines the activities associated with the planning for and administration of dedicated Equipment facilities, including raised floor rooms, server rooms, labs and network closets. |
(1) | Establish and maintain proper and adequate facilities commensurate with a Tier 3 data center; Equipment (including Equipment supplied by ACI); and supplies at Vendor-owned locations, as well as a properly trained and appropriately sized management and support staff. |
(2) | Properly manage, coordinate, and oversee (and inform ACI of the results of) all maintenance, testing, and monitoring of facilities systems, air handlers and uninterruptible power supply systems at Vendor-owned facilities and ACI facilities operated by Vendor. |
(3) | Provide guidance, coordination and required installations for all activities during Equipment installations, routine maintenance, Incident and crisis management including interfacing with facilities and technology groups, third-party vendor(s) and other relevant groups. |
(4) | Provide physical security for the Vendor-owned facilities as described in the physical security requirements of the Security SOW. | ||
(5) | Comply with ACI security policies. |
(6) | Provide any and all data communication connectivity and capability that is required at Vendor-owned facilities (or between Vendor-owned Locations and ACI Locations) in order to provide the Services. |
(7) | Create, update, and maintain complete documentation of the Equipment that is located in Vendor-operated Data Center(s) (for example inventories, cabling, and installed Equipment diagrams) using computer-aided drafting (CAD) Software tools for changes to existing documentation and newly created documentation. |
(8) | Provide physical access procedures and standards for the Data Centers. |
(9) | At Vendor-operated Data Centers, initiate and track requests for space, power, and other Data Center modifications in support of Equipment installations. |
(10) | Provide requests to ACI sixty (60) days in advance for space and power modifications in support of Equipment at an ACI Data Center(s), computer room(s) and LAN closet(s) operated by Vendor. |
(11) | Allow physical access and facilitate inspections by government authorities with statutory authority for auditing the conduct of government business. |
(12) | Integrate its Facilities Management process with ACI’s and other vendors’ Facilities Management processes, where the processes interact. |
(13) | Integrate its Facilities Management process with Service Management processes, especially IT Service Continuity Management and Availability Management. |
2.2.13 | Deskside Support |
a. | Deskside Support is the process for providing technical assistance for End User requests that require a Vendor technician to provide on-site services at the End User’s Location. |
2.2.14 | Email and Collaboration Services |
a. | E-mail and Collaboration Services is the process that supports both actual product support, for Lotus Notes e-mail, Domino Web Access and Active Directory, and servers for Lotus Notes e-mail, Active Directory, BlackBerry, Sametime, FAX and SMTP (“E-mail and Collaboration Services”). |
(1) | Administer and maintain e-mail and Collaborative Applications services and systems. |
(2) | Deploy and support the e-mail and Collaborative Applications environment within ACI, including the underlying infrastructure and Equipment necessary for use of the Collaborative Applications. |
(3) | Proactively seek opportunities to deploy collaborative technology in ACI, including developing proposals for ACI businesses and functions. |
(4) | Provide consulting on the effective use of collaborative technologies. |
(5) | Monitor and manage logical security and access related to e-mail and Collaborative Applications. |
(6) | Immediately report potential security issues related to e-mail and Collaborative Applications to ACI and take necessary steps to eliminate security breaches. |
(7) | Administer and maintain user IDs and passwords to enable the use of e-mail and Collaborative Applications. |
(8) | Assist End Users with problems, questions, or requests related to e-mail and Collaborative Services. |
b. | The Vendor responsibilities include the following: |
(1) | Assist ACI in architecting, designing and implementing Active Directory, Lotus Notes e-mail, Domino Web Access and related Software. |
(2) | Implement policies and standards, developed by ACI, for the following Messaging Services: Active Directory, Lotus Notes e-mail, Domino Web Access, Sametime and Fax, via Internet and Intranet (collectively “Messaging Services”). |
(3) | Assist ACI on an as-requested basis in designing architecture for integrating business applications with Messaging Services and assist ACI in developing and implementing internal ACI e-mail usage policies. |
(4) | Document and coordinate ACI’s approval for any exceptions to messaging standards. |
(5) | Develop or assist in developing directory access methodology for multiple platforms (e.g., MS Windows, MacOS, Unix, etc.). |
(6) | Develop or assist in developing and implement a directory integration strategy. |
c. | The Vendor responsibilities include the following: |
(1) | Implement procedures, developed by Vendor in response to ACI requirements, for managing Messaging Services and e-mail usage. |
(2) | Provide End User training documentation to ACI for training or updating End Users on functionality changes related to Messaging Services. |
(3) | Implement messaging account administration process and systems, designed by ACI. |
(4) | Obtain ACI approval for any new or updated procedures that impact End Users. |
d. | The Vendor responsibilities include the following: |
(1) | Provide evaluation and testing support, including: |
(a) | Procure and maintain a test environment for messaging testing, rebuilding, as required. |
(b) | Recommend and deploy messaging service Software. |
(c) | Evaluate and test compatibility and integration of new products or standards, architecture, and design with existing infrastructure and applications. |
(d) | Test, certify, and coordinate installation of service packs, hot fixes, Anti-Virus Software, and definition upgrades for all systems supporting all Messaging Services. |
(2) | Provide technical administration support, including: |
(a) | Create regional administrative and service messaging accounts and assign roles to these accounts. |
(b) | Create and manage the top-level Public Folder and assign rights as requested by ACI. |
(c) | Create, maintain and assign rights to the distribution lists and global distribution list management. |
(d) | Provide support and implementation of certificates on Messaging Services systems, based on the ACI requirement, provided to Vendor. |
(e) | Initiate and audit DNS records by working with the ACI telecom and architecture teams. |
(3) | Provide Messaging Server support, including: |
(a) | Support and maintain all server replication functionality. |
(b) | Administer and manage all database agents running on Lotus Notes e-mail server, Domino Web Access server, Sametime server and Blackberry server. |
(c) | Maintain virus protection Software on messaging servers. |
(d) | Provide support of servers used for web-based email services from the Internet. |
(4) | Provide Active Directory (“AD”) Services, which include the following: |
(a) | Provide LDAP directory resources (Lightweight Directory Access Protocol). | ||
(b) | Connect to enterprise directory. |
(c) | Authenticate service requests using enterprise directory structure. |
(d) | Provide authentication for all AD-provided services (file and print, mail, desktop, etc.). |
(e) | Provide and manage trust relationships to existing business-unit domains. |
(f) | Provide direction for group policy creation and management. | ||
(g) | Remove objects from AD as requested by ACI. |
(5) | Optimize disaster recovery procedures for Messaging Services and recommend enhancements if appropriate. | ||
(6) | Provide support to Messaging Operations, including: |
(a) | Develop, implement, and maintain Messaging Services monitoring and alerting strategy. |
(b) | Perform Lotus Notes E-mail server mailbox load balancing. | ||
(c) | Maintain and troubleshoot internal mail routing. |
(d) | Assist End-User Computing support group(s) with installation, configuration, and troubleshooting of Lotus Notes e-mail, Sametime, Domino Web Access, Blackberry (as it relates to server support only), and Active Directory. |
(e) | Work with third-party and other companies on Lotus Notes e-mail delivery issues. |
(f) | Escalate messaging issues to third-party service providers as required. | ||
(g) | Perform virus and hoax assessments. |
e. | The Vendor responsibilities include the following: |
(1) | Manage Active Directory, Lotus Notes e-mail, Domino Web Access and Sametime. |
(2) | Monitor gateways and connectors and troubleshoot both Intranet and Internet Lotus Notes e-mail delivery issues. |
f. | The Vendor responsibilities include the following: |
(1) | Perform mailbox, mail item restores as requested by ACI. | ||
(2) | Support workflow applications using Active Directory. |
(3) | Move mailboxes between regions, sectors, divisions, and groups. |
(4) | Provide technical support for Lotus Notes e-mail, Domino Web Access and Sametime. | ||
(5) | Assist with creation of Lotus Notes E-mail forms. | ||
(6) | Correct errors found in the global address book. |
(7) | Assist with creation/maintenance of, and troubleshoot/resolve issues with conference rooms, public folders, calendars, mail lists, mailboxes, and other accounts required to support the business requirements. |
(8) | Provide search and data restore as requested by ACI departments such as Legal, Security, Audit, HR, and intellectual property discovery requests. |
(9) | Assist in coordination, building, formatting, sending, and processing of corporate-wide messages. |
2.2.15 | File and Directory Services (Active Directory) |
a. | File and Directory Services is the process used to support requirements for Microsoft Active Directory (AD), profiles and shares. |
2.2.16 | IMAC Coordination |
a. | IMAC Coordination is the process used for installation, move, add, change, and removal of End User Equipment and Software, including the coordination of various activities required to facilitate an upgrade or relocation. |
2.2.17 | IT Security Management |
a. | IT Security Management is the process for providing security protection for logical and physical inventory and assets that are associated with delivery of the Services. |
2.2.18 | Network Management |
a. | Network Management is the process used for the installation, administration, maintenance, monitoring, troubleshooting, restoration, and documentation of in-scope network devices within the Vendor-managed network. |
2.2.19 | Performance Management |
a. | Vendor will: |
(1) | Monitor, measure, analyze and tune system performance to meet agreed upon Service Levels. |
(2) | Recommend changes (i.e., Equipment and/or Software upgrades, configuration changes) to ACI to meet or exceed ACI’s expected performance levels and/or provide a reduction in costs. |
(3) | Provide recommendations for consolidations or other conversions to improve the efficiency/effectiveness of the environment. |
(4) | Define performance indicators and monitor systems performance against such indicators, providing trend analysis of the data for the past 13 months in accordance with Schedule R (Reports), for reporting as needed. |
(5) | Install management agents approved by ACI. |
(6) | Review configuration data and usage patterns monthly, or at ACI’s request. |
(7) | Establish performance thresholds and exception reporting procedures, reviewing with ACI quarterly with recommendations for resolution. |
(8) | With ACI’s assistance, establish a schedule for performing system maintenance (for example, virus detection, backup, and disk space cleanup) and modifications and enhancements so as to maintain agreed upon Service Levels. |
(9) | Perform required system configurations and modifications necessary to enable Vendor to meet the Service Levels. |
(10) | Advise ACI of any recommended system configurations and modifications necessary to enable Vendor to meet the Service Levels. |
(11) | Provide system and subsystem performance reports, detailing key performance parameters and metrics, highlighting measurements that exceed thresholds, and trend analysis of the data for the past 13 months in accordance with Schedule R (Reports), for reporting as needed. |
b. | ACI will: |
(1) | Evaluate, approve recommendations (i.e., hardware and/or software upgrades), as appropriate, to enable system performance improvement. | ||
(2) | Provide requirements and approval for performance thresholds. |
2.2.20 | Print Management |
a. | Print Management is the process of maintaining the midrange server print queues for local printers. |
2.2.21 | Project Management |
a. | Project Management is the process used to initiate, execute and complete a project in accordance with the defined project scope, budget, timeline and completion criteria. |
2.2.22 | Technology Strategy and Refresh Management |
a. | Technology Strategy and Refresh Management is the process used to provide research, planning, and administrative support for periodically refreshing ACI’s IT environment with minimal disruption to ACI’s business objectives and business cycles. | ||
Refresh is described in Schedule H (Existing Equipment). | |||
Regardless of Equipment ownership, all Equipment, including storage and network devices, shall be covered by a maintenance agreement that is recognized by the manufacturer as a legitimate maintenance. |
b. | The Vendor responsibilities include the following: |
(1) | Upgrade and replace Equipment and Software (“Refresh”) as required throughout the Term, in accordance with the refresh table in Schedule H (Existing Equipment). |
(2) | Deploy Equipment and Software associated with any Refresh in accordance with the standards of ACI’s technical architecture and Long-Range IT Plan. |
(3) | Provide Refresh within the timeframes and other requirements associated with Refresh, as well as the financial responsibility for the underlying assets, as described in Exhibit C-2 (Financial Responsibility and Ownership Matrix) to Schedule C (Charges), including: |
(a) | Perform Refresh throughout the Term in accordance with the timeframes and other requirements. |
(b) | ACI reserves the right to modify the Refresh timeframes and requirements during the Term based on its business requirements, subject to the Contractual Change Control Procedures. |
c. | Vendor responsibilities include the following: |
(1) | Where Vendor is financially responsible for Equipment and Software used in conjunction with the Services, as listed in Exhibit C-2 (Financial Responsibility and Ownership Matrix) to Schedule C (Charges), the Vendor responsibilities include the following: |
(a) | Refresh the assets during the Term, including responsibility for the assets, the implementation, and ongoing support. |
(2) | Where ACI is financially responsible for Equipment and Software used in conjunction with the Services, Vendor will implement and support the new assets provided by ACI. |
(3) | Regardless of the ownership of underlying assets, the Vendor responsibilities include the following: |
(a) | Provide personnel who are adequately trained in the use of the Equipment or Software to be deployed as part of the Refresh, and provide such training prior to the Refresh. |
(b) | Provide minimal disruption to ACI’s business operations associated with technology Refresh. |
(c) | Use best practices and effective automation tools during Refresh deployment. |
(d) | Perform all changes to Equipment and Software in accordance with change management process procedures. |
(e) | Dispose of assets no longer required in accordance with the regional regulations and provide certification that disks have been cleansed prior to disposal. |
d. | The Vendor responsibilities include the following: |
(1) | Unless otherwise directed by ACI, provide and support Software under the Vendor operational responsibility at the N Release Level. |
(2) | As directed by ACI, also support release N-1 Release Level, the N-2 Release Level, and earlier versions of the Software for the longer of the following: |
(a) | The thirty-six (36) month period following version N Release Level’s general public availability. |
(b) | The time the third-party vendor ceases to support such version. |
(3) | Use Commercially Reasonable Efforts to support Software that is no longer supported by the third-party vendor. |
(4) | Provide support for all Software versions and release levels that exist as of the Effective Date until otherwise directed by ACI. |
(5) | Version upgrades for Systems Software (i.e., XP to Vista) may be done as a Project as agreed by the Parties. Maintain a standard current level of Software on ACI computing platforms, including: |
(a) | Following each new N Release Level issued by a vendor: | ||
Within an agreed upon period after the release of a new N Release Level by a Third-Party vendor, test and evaluate the new release in preparation for upgrading the global End User environment to the new standard level. | |||
Engage with ACI Application teams to understand the End User workload required to migrate the production environments to the new Software revision. | |||
Within an agreed upon period build a deployment strategy and plan, obtain ACI approval of that strategy and plan, and begin deployment in compliance with the ACI-approved deployment strategy and plan. |
(b) | In partnership with the Software manufacturer(s), build and maintain a schedule of anticipated releases of major and minor releases of Systems Software; and communicate these schedules to the ACI Application Teams to build awareness and preparedness to perform the necessary testing and porting of Applications into the new standard environments. |
e. | The Vendor responsibilities include the following: |
(1) | Develop an annual plan for Refresh, including: |
(a) | Within ninety (90) days after the Effective Date and then within sixty (60) days prior to ACI’s annual planning process meetings, review the asset inventory and produce a report that lists the assets that are due to be refreshed in the upcoming plan year, and provide such report to ACI’s annual planning process. |
(b) | Vendor and ACI will consider the usability of the assets and review alternatives to replace, re-lease, consolidate, or retain the assets. Based on the results of this review, Vendor will deliver the initial recommendations regarding such assets to ACI within thirty (30) days after the review. |
(c) | For Vendor-owned assets, Vendor and ACI will mutually determine whether Vendor will replace an asset and the appropriate replacement date. |
(d) | If Software changes are required due to replacement of assets, Vendor, in consultation with ACI, will review alternatives for making changes to such Software. |
(e) | In accordance with Exhibit C-2 (Financial Responsibility and Ownership Matrix) and Schedule B (Service Levels), such replacement of the assets and Software will be at Vendor expense if the replacement is required to facilitate achievement of the agreed upon Service Levels or because the asset is obsolete (i.e., replacement parts cannot be acquired or the asset has become unserviceable). |
(f) | For ACI-owned and leased assets, based on the planning process outcome and direction established by ACI, Vendor will provide a proposal for refresh of those assets (replacement at ACI’s expense) to ACI. |
(2) | Adhere to ACI’s approved plan, and execute that plan utilizing established procurement processes, to initiate refresh and retirement activities. |
(a) | Provide monthly reports 180 days prior to lease expiration date showing assets to be refreshed with latest data. |
(b) | Notify ACI monthly of all open agreements related to assets that are retired or will retire within 180 days of the report date. |
(3) | Track and report on the completion progress of asset Refresh by lease-end date. | ||
(4) | Update and archive asset records after retirement. |
f. | For ACI-owned or leased assets, ACI will provide Vendor with Equipment purchase dates and/or Equipment lease expiration information for inclusion in the Refresh Plan. |
2.2.23 | Long-Range Planning |
a. | The Vendor responsibilities include the following: |
(1) | Assist in developing and updating the long-range, comprehensive plan for ACI’s information technology (IT) systems, processes, technical architecture and standards (“Long-Range IT Plan”). While ACI will be primarily responsible for this plan, Vendor will serve as a key collaborator. The Long-Range IT Plan will be developed on an annual basis, and will include a rolling three (3) year projection of anticipated changes (subject to ACI business and planning requirements). |
(2) | With ACI’s input regarding future business requirements, Vendor will assist in developing IT requirements. |
(3) | Assist in projecting future volume, technology, and geographic changes that could impact ACI’s systems and technical architecture. |
(4) | Identify candidates and requirements for the deployment of new technology or the automation of tasks associated with the Services and/or ACI’s business processes. |
(5) | Proactively submit proposals regarding new technology, tools and automation to ACI for its review and approval. |
(6) | Proactively seek to automate manual tasks associated with the Services and advise ACI of such opportunities. |
(7) | Support ACI in the discussion and presentation of potential new technology product and service offerings. |
(8) | Facilitate and encourage active cross-functional, cross-group, and cross-location coordination and communication related to new technology and automation. |
(9) | Proactively identify strategies and approaches for future IT service delivery that Vendor believes will provide ACI with competitive advantages and that may result in increased efficiency, performance, or cost savings. |
(10) | As part of each annual planning cycle, provide specific, short-term steps and schedules for projects or changes expected to occur within the first twelve (12) months of each plan. |
(11) | Help to identify the projects to be performed, define associated high-level schedules, and perform cost benefit analyses. |
(12) | Help to specify the Equipment and Software architecture and standards, and participate in continuously keeping ACI’s technical architecture current. |
(13) | Provide access to specialists within the Vendor organization, as needed, to assist ACI in developing and updating the Long-Range IT Plan. |
(14) | Identify industry and technological trends that may impact ACI’s plan. |
(15) | Gather and incorporate the data and lessons learned from the operating environment that may impact ACI’s plan. |
(16) | Perform trend analysis from the resource consumption data to project future demand that may impact ACI’s plan. |
(17) | Cooperate with ACI in researching and implementing automated tools to improve Service Levels and/or performance of the distributed computing environment (including end-to-end performance associated with the server, networks, and End-User Computing (EUC) environments). Tool selection will be in accordance with ACI standards and technical architecture. |
2.2.24 | Evaluation and Testing |
a. | The Vendor responsibilities include the following: |
(1) | With direction and final approval from ACI, assume primary responsibility for evaluating and testing Equipment, Software, and related products or Services prior to their use or deployment in ACI’s environment. |
(2) | Participate in evaluations involving new third-party products and services. |
(3) | Upon request, provide corporate reports, summaries, or results of its evaluation and testing of Third-Party products and services. |
(4) | Benchmark new types of Equipment and Software (including testing of various configurations and combinations of Equipment and Software) that may be considered for deployment within ACI. |
(5) | Determine interoperability and performance measures for specific configurations of Equipment and/or Software, including unit testing, systems integration testing, connectivity testing, load testing. |
(6) | Identify, support, and coordinate as necessary with other ACI IT functions and third-party vendors, any specific Equipment, Software, and/or telecommunications required for interoperability and performance testing. |
(7) | Provide a complete test plan, for Vendor proposed changes, for ACI’s approval prior to testing. | ||
(8) | Report test findings and recommendations to ACI. |
(9) | Establish criteria that will be used to support the evaluation, technology selection, and testing for ACI’s review and approval. |
b. | ACI will: |
(1) | Assist Vendor in evaluating and testing Equipment, Software, and related products or services prior to their use or deployment in ACI’s environment. |
(2) | Determine interoperability and performance measures for specific configurations of Equipment and/or Software, including applications integration testing. |
2.2.25 | User ID Administration |
a. | User ID Administration is the process for administering and handling ACI and Vendor User ID requests, including granting, changing, or deleting a user’s access rights, password resets or user group creation, deletion, or modification. |
3. | SERVICE HOURS |
Services | Service Hours | Notes | ||
ASSET SERVICES | ||||
• Initial Asset Inventory | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | Location Based | ||
• Asset Tracking | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday excluding Holidays | Local time zone in Argentina | ||
• Asset Inventory Capture | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | Location Based | ||
SERVICE DESK SERVICES | ||||
• Service Desk | 7 / 24 | |||
• Self Help | 7 / 24 | |||
END USER SERVICES |
• Deskside Support | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | Location Based | ||
• IMAC | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | Location Based, at dedicated support sites only | ||
• Refresh | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | Location Based, at dedicated support sites only | ||
• Electronic Software Distribution | 7 / 24 | |||
SERVER SYSTEMS MANAGEMENT SERVICES | ||||
• Mainframe Services – Monitoring (Vendor System z) | 7 / 24 | |||
8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | ||||
• Linux (Intel | 7 / 24 | |||
• Intel and UNIX Server Services (includes HP Non-stop) – Monitoring | 7/24, except as otherwise stated in the Exhibit C-1 (Base Charges, Baselines, ARC/RRC Rates and Termination Charges) | |||
• Stratus | ||||
STORAGE MANAGEMENT SERVICES | ||||
• Managed Storage | 7/24 | |||
• Media Management | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | |||
DATA NETWORK SERVICES | ||||
• LAN management | 7 / 24 | |||
• WAN management | 7 / 24 | |||
• Firewall management | 7 / 24 | |||
ENTERPRISE SECURITY MANAGEMENT SERVICES | ||||
• Security Compliance and Regulatory | 8:00 a.m. to 5:00 p.m., Local Time Zone, Monday through Friday, excluding Holidays | Local Time Zone is Boulder | ||
• Infrastructure Protection | 7 / 24 | |||
• Authorized and Access | 7 / 24 | Via Service Desk |
DISASTER RECOVERY SERVICES — Declaration | 7 / 24 | |||
DISASTER RECOVERY SERVICES — Testing | Yearly | As scheduled | ||
Business Continuity Testing | Yearly |
4. | TOOLS |
a. | Vendor will provide, install, configure, test, if applicable, and maintain the Tools listed in Schedule I (Vendor Supported Software) to enable Vendor to provide the Services. | ||
b. | ACI will: |
(1) | Allow Vendor to install the Tools that may be required by Vendor to provide the Services. |
(2) | Provide the system and network capacity and connectivity required to support the Tools. |
(3) | Sign the appropriate vendor license agreement (including Vendor’s), if required, for Vendor to install Tools on ACI’s equipment and/or premises. |
(4) | On expiration or termination of the Agreement, unless otherwise mutually agreed and stated in the Agreement, return all Tools in working order to Vendor. |
5. | OPERATIONS DOCUMENTATION |
a. | The Vendor responsibilities include the following: |
(1) | Develop and maintain documentation on all operations procedures, Services, Equipment, and Software for which Vendor is responsible. |
(2) | Incorporate Application requirements that affect Operations, along with procedural information and contact information for each Application into Process Interface Manual. |
(3) | Document procedures to be utilized by internal IT for the correct use of the Services, Equipment, Software, connectivity, security, and Service Desk. |
(4) | Make all documentation available in paper copies and electronically, and, wherever possible, using documentation that is Web-enabled for access by ACI. |
(5) | Audit documentation regularly for completeness and accuracy, and verify that all documentation is present, organized, readable, and updated. |
(6) | Report the resultant audit findings to ACI on a regular basis, and where it is determined that documentation is inaccurate (for example, erroneous or out of date), correct and replace such documentation. |
b. | ACI will document and provide to Vendor, Application requirements that affect operations, along with procedural information and contact information for each Application. |
6. | BUSINESS DIVESTITURES, ACQUISITIONS, CONSOLIDATIONS, AND RELOCATIONS |
1. | INTRODUCTION |
2. | INITIAL ASSET INVENTORY |
a. | During the Transition Period, Vendor will: |
(1) | conduct a planning session with ACI (or location-specific planning sessions for Locations with a sizable inventory) to review the plan for performing the inventory (the “Inventory Plan”). ACI will approve and sign-off on the plan. The Inventory Plan will document the following: |
(a) | the assets Vendor will inventory, types of data Vendor will collect, and the level at which assets are to be tracked, including all IT assets, whether such assets are owned or leased by ACI or the Vendor; | ||
(b) | any Location-specific requirements and hours of access; |
(c) | required Location data (for example, floor plans, storage areas, equipment and software access requirements, safety and security requirements); |
(d) | Locations and End Users that Vendor will inventory using, for example, mail-in data collection kits as well as the respective return deadline date for each Location (to be returned before completion of the inventory at the applicable Location) (see table attached which will specify those Locations for which Vendor will perform a physical wall-to-wall inventory; all other ACI Locations will receive mail-in kits); |
Exhibit A-2 — Asset Services
Page 1 of 7
(e) | any inventory prerequisites as well as any procedures that Vendor and ACI will follow during the inventory and that ACI needs to communicate or that ACI’s business units and End Users need to perform; |
(f) | a tentative inventory schedule (by Location); |
(g) | a virus escalation process, including the name and telephone and pager numbers of the ACI Focal Point for use by Vendor in the event Vendor incidentally discovers viruses during an electronic inventory process; |
(h) | the user demographic information Vendor will collect (subject to the capabilities of the inventory tools, if applicable); and |
(i) | the electronic inventory tools and the asset (hardware and software) recognition capabilities of the electronic inventory tools as well as the alternative inventory techniques Vendor will use, if any, in the event Vendor cannot electronically inventory the assets; |
(2) | notify the ACI Focal Point per the virus escalation process if Vendor incidentally discovers viruses during the inventory process; |
(3) | coordinate and perform the asset inventory (using a combination of electronic and physical inventory techniques as determined by Vendor and agreed to by ACI) to verify or establish the asset database; |
(4) | conduct a physical inventory of stand-alone machines (collected information should consist of a numeric or alphanumeric asset type, and may also include: manufacturer (for example, Vendor, HP, Apple); product description (for example, desktop, server); serial number or asset tag number, as applicable; asset location (for example, building address, room number, city and state); and demographic information); |
(5) | notify the ACI Focal Point of any obstacle that prevents Vendor from performing an initial electronic inventory of an asset, including: |
(a) | unavailability of, or failure to disable, a power-on or screen saver password; |
(b) | refusal by an End User to permit Vendor to perform the electronic asset inventory; |
(c) | untimely admittance to Locations or other areas; |
(d) | an operating failure of the desktop; or |
(e) | desktop executing software at the time of the scheduled inventory and the End User is unavailable to save open data; |
(6) | if the initial electronic inventory attempt is unsuccessful due to an obstacle, perform a second attempt while in the same area to electronically audit the asset. If the second attempt is also unsuccessful due to an obstacle, perform a physical inventory of the asset; |
(7) | collect serial numbers of inventoried equipment, as required; |
(8) | prepare mail-in data collection kits and forward the kits to the ACI Focal Point for distribution to the Locations and End Users identified in the Inventory Plan; |
(9) | if applicable, provide and install the required software agent(s) to enable electronic scanning of assets to capture future asset database information; |
(10) | on completion of the inventory, reconcile the collected asset data including identifying and correcting (to the extent within Vendor’s control) the following, as applicable: |
(a) | missing and duplicate serial numbers; |
(b) | missing, duplicate and incorrect length of asset tag numbers; |
(c) | missing demographic information; and |
(d) | discrepancies resulting from IMAC activity performed during the inventory process; |
(11) | utilize ACI’s process to track and capture any IMACs performed during an asset inventory; |
(12) | obtain ACI’s approval for the asset inventory results; and |
(13) | establish the asset database within IMPACT to which ACI will have browser and ad hoc reporting privileges (i.e., load the asset information obtained during the initial asset inventory) or validate the asset information provided by ACI using the information obtained during the asset inventory. |
b. | During the Transition Period, ACI will: |
(1) | Review with Vendor the Inventory Plan and provide final approval (or rejection) of such plan no later than ten days before the first Location inventory; |
(2) | at least ten days before each scheduled Location inventory: |
(a) | provide a listing of the contacts who will perform administrative responsibilities, including the ACI Focal Point, and ensure their availability, as required, for status meetings during the inventory; |
(b) | provide an estimate of the number of assets to be inventoried at each Location; |
(c) | provide current floor plans for each floor of each Location to be inventoried; |
(d) | provide a soft copy listing (i.e., mail merge capable file) including the names of and mailing addresses for those End Users at each Location using mail-in collection kits; |
(e) | distribute mail-in data collection kits to the Locations and End Users identified in the Inventory Plan; and |
(f) | distribute the Vendor-supplied inventory worksheets to End Users with instructions to complete the demographic information sections of the worksheet before the scheduled date of the inventory. |
(3) | during the initial asset inventory: |
(a) | ensure the ACI Focal Point is available: |
(i) | to accompany Vendor on a walk-through of the Location; |
(ii) | in the event Vendor incidentally discovers viruses during the electronic inventory process; |
(iii) | to review and accept collected data on a daily basis; and |
(iv) | upon inventory completion at each Location, provide sign-off that the inventory process has been completed; |
(b) | provide a temporary work room that is large enough to accommodate the inventory team and provides access to a collection server, a printer on which to generate reports, a telephone with outside capability, and an analog phone line for modem dial out; |
(c) | provide reasonable and timely access to equipment to be inventoried; |
(d) | prohibit (or restrict) IMAC activity; and |
(e) | track and collect all mail-in data collection kits and forward all completed kits to Vendor before the completion of the inventory at the applicable Location; and |
(4) | provide the initial End User related data (i.e., name, phone number, location address, department number, network connection) in an electronic format required to establish End User records; and |
(5) | approve the asset inventory results for loading to the assets database. |
3. | ASSET TRACKING |
a. | Vendor will: |
(1) | define and implement the asset tracking process; |
(2) | maintain the asset database capturing changes Vendor or ACI made as a result of: |
(a) | receipt of new assets; |
(b) | data scrubbing and validation (i.e., checking for nomenclature and data entry discrepancies such as validating that the asset type is numeric or alphanumeric); |
(c) | IMAC, hardware maintenance, and deskside support Services activity; |
(d) | asset storage, retirement, and disposal; and |
(e) | changes to End User-related data (for example, name, phone number, location address, department number, network connection). |
(3) | perform electronic inventory and/or bar code scans on hardware in conjunction with performing on-site Services (for example, deskside support, IMAC, hardware maintenance) and update the asset database; |
(4) | add assets for which no record is found to the asset database as such assets are located during an inventory or are otherwise discovered, for example, during a Service Desk support call, and notify the ACI Focal Point of such additions; |
(5) | coordinate and perform periodic physical or electronic asset validations and report the results to ACI; |
(6) | forward information on all asset discrepancies and/or issues to the ACI Focal Point for resolution; |
(7) | provide reasonable assistance to ACI in resolving asset database discrepancies or issues; |
(8) | provide a monthly standard report and annual rollup report to ACI, as well as provide “as needed” reports in a mutually agreed upon timeframe; and |
(9) | Electronically link asset management tools, processes, and the Asset Inventory and Management System to the Incident Management System, Change Management procedures, and other Service Desk tools and processes in order to effectively leverage the information contained therein. |
b. | ACI will: |
(1) | assist Vendor in the definition of the asset tracking process; |
(2) | provide Vendor changes ACI made to the assets as a result of: |
(a) | Asset disposal in sites where there is no on-site Vendor support; |
(b) | changes to End User-related data (for example, name, phone number, Location address, department number, network connection); |
(3) | ensure End Users perform their responsibilities in accordance with the established process during an asset validation or inventory; |
(4) | maintain responsibility for software license management (for example, auditing for compliance to vendor terms and conditions) for all software owned by or licensed to ACI; |
(5) | resolve all ACI asset policy discrepancies and issues and notify Vendor of the resolution; and |
(6) | Provide Vendor with information regarding what to maintain with respect to the asset records ACI deems necessary to meet ACI’s audit requirements and financial obligations. |
4. | LEASE TRACKING |
a. | The Vendor’s responsibilities include the following: |
(1) | Include within the asset tracking processes the capture of ACI-provided lease data as it relates to assets tracked. |
(2) | Prepare and provide lease management reporting as required by ACI. |
5. | REDEPLOYMENT AND DISPOSAL OF EQUIPMENT |
a. | Vendor’s responsibilities include the following for ACI Locations where there is on-site Vendor support: |
(1) | Perform de-installation and/or re-deployment of Equipment in accordance with change management procedures, including: |
(a) | Comply with backup requirements. |
(b) | Provide permanent removal of any ACI Software or data that may exist on storage media (fixed, removable, or shared). |
(2) | Upon redeployment or disposal of Equipment, make the necessary changes in the asset inventory and management system. |
(3) | Work with ACI to establish a financial approval process to remove PCs; |
(4) | Package the equipment for shipment and coordinate pick-up; |
THE PORTIONS OF THIS DOCUMENT DENOTED BY
BOXES AND ASTERISKS BE ACCORDED
CONFIDENTIAL TREATMENT PURSUANT TO RULE
24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
(5) | To the extent the Equipment is owned or leased by ACI, the Vendor’s responsibilities include the following: |
(a) | Return the Equipment to a central location at the ACI Location or immediately re-deploy Equipment as requested by ACI. |
(b) | If the Equipment is to be disposed of and is in usable condition, dispose of the Equipment as directed by ACI. |
(c) | Dispose of unusable Equipment in an appropriate, environmentally responsible manner. Erase, overwrite or destroy all data and configuration information resident in the computer system, storage components, and/or devices in such a manner that makes the data irretrievable prior to disposing of equipment. If the Equipment is sold for salvage, provide any salvage value to ACI. |
b. | ACI’s responsibilities include the following: |
For ACI Locations where there is on-site Vendor support: |
(1) | Pay for the transportation and disposal costs via locally approved disposal or salvage process; |
(a) | In countries where Asset Services are supported, Vendor will offer transportation and disposal Services either as separate Pass-Through Expenses or via direct ACI contracts with third parties. |
c. | For ACI Locations where there is no on-site Vendor support, Vendor will, at ACI’s request, dispatch support for asset disposal assistance. Travel for such assistance will be a Pass-Through Expense. |
[ * ] |
* Represents two pages of redacted text |
1. | INTRODUCTION |
a. | As of the Service Tower Commencement Date, Vendor will provide Service Desk Services in accordance with this Exhibit. |
b. | Vendor shall be the single point of contact for End Users regarding Incidents and requests, which include events that cause or may cause an interruption or reduction of service for internal or external users of ACI’s IT Services along with any requests for service originating from End Users. |
c. | Vendor will staff an organization to act as a single point of contact for End Users who require assistance in the resolution of IT-related problems, concerns, and questions and to request Services (the “Service Desk”). |
d. | Vendor will provide Service Desk support in English only. |
2. | SERVICE DESK SERVICES |
2.1 | General |
a. | Vendor will: |
(1) | provide the Service Desk service on a 24 x 7 x 365 basis; |
(2) | provide the capability for End Users to submit Incidents via telephone, electronic mail and secure web site; |
(3) | provide a Service Desk with processes for Service Delivery and Service Management that are [ * ]; |
(4) | deliver Service Desk services that meet ACI’s established business continuity and disaster recovery requirements; |
(5) | provide Service Desk personnel who have the appropriate competencies to provide Service Desk services and have been provided with an orientation to ACI’s business to understand ACI processes and standard infrastructure and are appropriately trained to provide one call support of problem resolution, where feasible; |
(6) | provide Service Desk support using terms that are clearly understood by the End Users and consistent with those used by ACI; |
Exhibit A-3 — Service Desk Services
Page 1 of 5
(7) | provide a Service Desk that is in a location off-site from and approved by ACI; |
(8) | where more than one site is proposed by Vendor for the delivery of Service Desk services, including for the support of ACI’s business continuity and disaster recovery requirements, execute any switching between the sites in a manner transparent to customers of the Service Desk service; |
(9) | provide a toll free telephone number for calls to the Service Desk originating in the United States and Canada. For calls originating outside the US and Canada, the ACI voice network will be used to connect to the US toll free telephone number, for End Users calling from outside the US or Canada who require Service Desk assistance; |
(10) | handle via the escalation management process agreed upon by Vendor and ACI any problem that cannot be resolved by telephone, and on a specified basis provide reports to ACI on these escalated problems; |
(11) | provide, program and maintain the automatic call distribution equipment Vendor requires to provide the Services; |
(12) | receive, log and dispatch or transfer calls, as appropriate; |
(13) | open an Incident record to document all Incidents. This record will include End User information, Incident record number, date and time opened, service requested, problem description or symptoms, assignment (for example, level 2, level 3), status, and Incident resolution and closure information; |
(14) | prioritize calls in accordance with the Severity Levels established by ACI and Vendor under this Agreement; |
(15) | perform problem analysis, including identification of the source of the problem; |
(16) | provide call status as the End User requests; |
(17) | perform password resets, except for password resets on Application IDs which ACI has retained, on a basis approved by ACI when requested by End Users; |
(18) | dispatch or arrange for on-site support or depot service, if required, for problem determination and/or resolution; |
(19) | notify the ACI Focal Point of systems or equipment failures, or of an emergency, according to the Process Interface Manual; |
(20) | provide a systems status recording and provide system status broadcast messages on the web portal and via e-mail for in-scope systems with status information such as known major Incidents and estimated recovery times; |
(21) | interface with and coordinate problem determination and resolution with the ACI Focal Point and/or Third Party service providers, as appropriate; |
(22) | monitor problem status to facilitate problem closure within defined Service Level criteria and/or escalate in accordance with the escalation management process; |
(23) | provide input to ACI on End User training requirements based on problem Call tracking and analysis; |
(24) | with ACI’s assistance, establish and maintain Call prioritization guidelines and escalation procedures; |
(25) | develop Service Desk operational processes and procedures and provide to ACI for distribution; |
(26) | maintain a contact list of Vendor Focal Points, including names and telephone, pager and fax numbers, and provide to ACI for distribution; |
(27) | communicate to the ACI Focal Point on available Services and the procedures for accessing such Services; |
(28) | provide Level 1, and manage Level 2 and Level 3 support for the Equipment and Software; |
(29) | provide a standard monthly report to ACI summarizing the Incidents (by status code) received and handled by the Service Desk for the prior month; |
(30) | provide monthly reports to ACI, as further described in Schedule R (Reports); |
(31) | Conduct random surveys of End Users in accordance with Schedule K (User Satisfaction Survey Guidelines); and |
(32) | Provide information to ACI on Call trends and make recommendations (for example, additional End User training requirements), where appropriate. |
b. | ACI will: |
(1) | be responsible for all End User training in use of ACI hardware and software; |
(2) | for ACI-retained systems, provide systems status information to the Service Desk and updates as they occur. Vendor will maintain such information for up to five Business Days or until ACI is notified by Vendor within the five Business Days, after which time Vendor will delete it unless ACI requests otherwise; |
(3) | maintain and distribute an ACI contact list, including names and telephone, pager and fax numbers, for use by Service Desk staff to contact appropriate ACI personnel for problem determination assistance and escalation and ensure such personnel are available as required; |
(4) | assist Vendor in establishing Call prioritization guidelines and escalation procedures; |
(5) | ensure End Users have a basic level of understanding of the Service Delivery Processes and adhere to such processes for accessing the Services; |
(6) | communicate support responsibilities and procedures to the ACI Focal Point and Third Party service providers (for example, providing Call status and resolution to the Service Desk) and ensure adherence to such procedures; |
(7) | assist Vendor, as requested and in a time frame commensurate with the assigned problem Severity Levels and associated Service Level commitment, in the resolution of recurring problems which are the result of End User error; |
(8) | resolve any ACI Third Party services provider performance problems affecting Vendor’s provision of the Services for any service provider arrangements that have not been assigned to Vendor; |
(9) | be responsible for all ACI Third Party support costs (for example, help lines); |
(10) | be responsible for the resolution or closure of all Incidents related to products and services that are not within the Services; |
(11) | authorize all system access; |
(12) | reset passwords and perform logon ID administration for application IDs; and |
(13) | allow Vendor to utilize remote access capability to remotely diagnose End User problems. |
2.2 | Performance Standards and Reporting for Service Desk |
2.3 | Self Help |
a. | Vendor will provide tools and a web services portal to enable the End Users to: |
(1) | perform self help knowledge searches; |
(2) | submit problem and service request tickets; |
(3) | view online problem and service request ticket status; and |
(4) | view current system outages. |
b. | ACI will: |
(1) | provide and maintain an authentication methodology as part of ACI’s security guidelines; |
(2) | provide ACI’s existing processes and content to assist Vendor in providing self help Services; and |
(3) | promote and ensure the use of the self help Tools and processes to End Users. |
1. | INTRODUCTION |
2. | DESKTOP SUPPORT SERVICES |
2.1 | Deskside Support Services |
a. | Vendor will: |
(1) | provide problem source identification, problem impact validation, and problem determination; |
(2) | with ACI’s approval, implement the deskside support Services operational procedures including the criteria for deployment of deskside support Services personnel; |
(3) | be responsible for all End User data migration, backup and restore, conversion, and erasure, as required, before and following the provision of deskside support Services; |
Exhibit A-4 — End User Services
Page 1 of 12
(4) | provide deskside support Services for Supported Desktop Standard Products at the End User’s work location within an End User Location in accordance with the established procedures; |
(5) | provide support Services for Supported Desktop Products at remote End User’s work location via network assist; |
(6) | manage the problem to resolution or closure, as appropriate, including: |
(a) | applying emergency software fixes in support of problem resolution; or |
(b) | performing virus eradication on the desktop device; or |
(c) | completely rebuilding the system back to its original standard. |
(7) | update the status of the deskside support Services call to the Service Desk through to completion; |
(8) | When a new employee is hired, Vendor will receive from ACI an IMAC request with the End User requirements for a new Employee. |
(9) | on completion of the deskside support Services: |
(a) | close the ticket; and |
(b) | update the asset database; |
(10) | at ACI’s request, provide deskside support Services for Nonstandard Products on a Commercially Reasonable Efforts basis and based upon available resources. (See definition of “Nonstandard Product” in Attachment A-1 (Services Definitions)); and |
(11) | provide a monthly standard report using available problem management data to ACI summarizing the deskside support Services Vendor provided during the prior month. |
b. | ACI will: |
(1) | assist Vendor in implementing the deskside support Services operational procedures including the criteria for deployment of deskside support Services personnel; |
(2) | provide adequate and secure space for depot assets; and |
(3) | provide authorization and be responsible for all charges for deskside support Services Vendor provides at ACI’s request for Nonstandard Products and out-of-scope services (for example, ad hoc End User training, how to assistance). |
2.2 | Hardware Maintenance Services |
a. | Vendor will: |
(1) | coordinate hardware support for Maintained Equipment including the repair or exchange of such Maintained Equipment, as appropriate; |
(2) | at ACI’s request, coordinate hardware support for Equipment not on warranty and without a maintenance agreement, including the repair or exchange of such Equipment as appropriate, on a Commercially Reasonable Efforts basis and based upon available resources; |
(3) | with ACI’s approval, implement the hardware maintenance Services operational procedures including the criteria for deployment of hardware maintenance Services personnel; |
(4) | coordinate and schedule maintenance activities with the ACI Focal Point or the requesting End User; |
(5) | dispatch hardware maintenance service personnel in accordance with the established procedures; |
(6) | document and provide recovery procedures to maintenance personnel necessary to recover the Equipment to its original state including foreign operating systems and individual country dictionaries; |
(7) | using ACI-provided warranty documentation, maintain the records necessary to support warranty service of Equipment on warranty installed as of the Effective Date (for example, serial number, program number, install date, location) within the asset database; |
(8) | coordinate warranty repair service with the appropriate equipment manufacturer; |
(9) | track and report observed failure trends for Critical Functions; |
(10) | on notice from ACI, perform service or provide instructions pertaining to OEM recall programs for ACI-owned Maintained Equipment consistent with the terms and conditions and instructions the manufacturer specifies; |
(11) | provide the procedures Mobile End Users and Remote End Users are to follow to obtain depot hardware maintenance Services for Supported Desktops to the ACI Focal Point for distribution to such End Users; |
(12) | update the status of the hardware maintenance Services calls to the Service Desk through to completion; |
(13) | on completion of hardware maintenance Services: |
(a) | close the ticket; and |
(b) | update the asset database; |
(14) | perform any required pre- and post-maintenance activities before permitting and following hardware maintenance Services on equipment (for example, backup, remove, protect, and restore programs, data and removable storage media, remove and reload funds); |
(15) | on Vendor’s discovery of hardware Standard Products not included in the asset database, notify the ACI Focal Point of the same, so that ACI can place such hardware on maintenance, and update the asset database; |
(16) | at ACI’s request, provide hardware maintenance Services for Nonstandard Products on a Commercially Reasonable Efforts basis and based upon available resources; |
(17) | at ACI’s request, provide hardware maintenance Services on an hourly basis to repair or restore Maintained Equipment damaged as a result of: |
(a) | ACI’s misuse, accident, ACI’s modification, unsuitable physical environment in an End User Location, or a Force Majeure Event, or |
(b) | the provision of hardware maintenance services by other vendor, or |
(c) | the inappropriate use of, inadequate use of, or failure to use, appropriate supplies by ACI, or |
(d) | other actions by ACI not covered under a maintenance agreement or warranty services; and |
(18) | provide a monthly standard report to ACI, using available problem management data that summarizes the hardware maintenance Services Vendor provided during the prior month; |
(19) | notify ACI of any warranty issues; |
(20) | implement the hardware maintenance Services operational procedures including the criteria for deployment of hardware maintenance Services personnel. |
b. | ACI will: |
(1) | Provide warranty or maintenance agreements on all Supported Desktops and Nonstandard Products; |
(2) | Be financially responsible for equipment not covered under warranty; |
(3) | approve the hardware maintenance Services operational procedures including the criteria for deployment of hardware maintenance Services personnel; |
(4) | provide a suitable environment for the equipment to be maintained, as the equipment’s manufacturer specifies; |
(5) | provide Service Desk representatives with the information required for hardware maintenance Services (for example, machine type, serial number), and such other information, as requested, including location address, building and office number and contact name and phone number; |
(6) | coordinate and schedule maintenance activities with ACI’s internal support functions, as required; |
(7) | provide Vendor with manufacturers’ warranty documentation (for example, warranty certificate, type of warranty, duration, applicable terms and conditions) for Maintained Equipment installed as of the Effective Date and for equipment Vendor will maintain that ACI procures directly after such date; |
(8) | ensure all hardware that is procured by or for ACI after the Effective Date has the maximum warranty available or on schedule with the refresh cycle on all parts and labor (i.e., three-year on-site service, parts and labor warranty or equivalent) and warranty services are consistent with the Service Hours and applicable Service Levels; |
(9) | provide all hardware upgrades, maintenance parts, or replacement equipment not provided under a warranty or maintenance agreement; |
(10) | provide and maintain the inventory of all End User consumable supplies, such as paper, toner, printer cartridges, diskettes, compact disks, tapes, batteries, and other such items that comply with original equipment manufacturer’s specifications, and distribute or install such supplies as End Users require; |
(11) | provide the guidelines relative to and the spare parts inventory for Critical Functions, and the appropriate and secured storage area for such inventory; |
(12) | provide authorization and be responsible for all charges for hardware maintenance Services Vendor provides at ACI’s request to repair or restore Maintained Equipment damaged as a result of ACI action under Section 2.2(a)(17) of this Exhibit A-4; |
(13) | provide authorization and be responsible for all charges for hardware maintenance Services Vendor provides at ACI’s request for Nonstandard Products. |
3. | INSTALL, MOVE, ADD, CHANGE SERVICES |
a. | Vendor will: |
(1) | coordinate and perform IMACs for the Standard Products; |
(2) | with ACI’s approval, implement the IMAC Services operational procedures including the development of an IMAC checklist that defines the completion criteria for each IMAC Service; |
(3) | receive requests for IMAC Services via the established procedures and create the required documentation (for example, work order, call record update); |
(4) | schedule the IMAC perform date with the ACI Focal Point and the requesting End User; |
(5) | before the scheduled IMAC date, communicate to the ACI Focal Point any IMAC prerequisites and any procedures that need to be followed after the IMAC is completed; |
(6) | notify the ACI Focal Point of the required IMAC components that need to be available and site preparations (facilities and telecommunications modifications) that need to be completed before the scheduled IMAC date; |
(7) | perform the required pre-delivery preparation for any new systems to be installed, including: |
(a) | build and configure the system in accordance with ACI-provided configuration specifications; |
(b) | run diagnostics on all configuration components; |
(c) | load and configure specified software Standard Products and replicate loading for site-licensed software Standard Products using the ACI-provided master diskette or compact disk; |
(d) | perform configuration testing, including operating system testing functions; |
(e) | perform hardware burn-in for the designated period of time for such hardware; and |
(f) | repackage the fully assembled and tested system, including configuration documentation and any vendor-provided operations manuals or other applicable documentation, in one container or as a banded unit, apply shipping labels, generate appropriate shipping documentation, and ship to the designated End User Location; |
(8) | before the scheduled IMAC date, verify with the End User that he or she has complied with all IMAC prerequisites, all site modifications are complete, and that the necessary IMAC components have been received and will be available at the End User’s work location on the scheduled IMAC date. The ACI Focal Point will be contacted in the event that there is an issue related to the IMAC; |
(9) | perform the IMAC Services for desktop Standard Products according to the criteria specified in the IMAC checklist; |
(10) | obtain concurrence from the End User or the ACI Focal Point that the IMAC was completed in accordance with the IMAC checklist; |
(11) | assist ACI in resolving on a timely basis any issues impacting IMAC activity; |
(12) | prepare displaced hardware (i.e., wrap cords) and software and, if applicable, move to a designated staging area within the End User Location for removal by ACI; |
(13) | update the status of the IMAC Services call to the Service Desk through to completion; |
(14) | on completion of an IMAC: |
(a) | close the call; and |
(b) | collect the appropriate configuration data and update the asset database; |
(15) | implement a mutually agreed process for consolidating IMACs, when possible, into Projects; |
(16) | be responsible for all End User data migration, backup and restore, conversion, or erasure, as required, before and after the IMAC Service; |
(17) | provide a monthly standard report to ACI summarizing the IMAC Services Vendor performed during the prior month, including the current status of any IMAC Services requests that are in progress or pending; |
(18) | implement the IMAC Services operational procedures including the development of an IMAC checklist that defines the completion criteria for each IMAC Service; |
(19) | after the completion of the IMAC, return all services to operational status; and |
(20) | ensure all required IMAC components are at the designated staging area within the facility or at the End User’s work location, as applicable, on the scheduled IMAC date; escalate to ACI Focal Point if required. |
b. | ACI will: |
(1) | approve the IMAC Services operational procedures including the IMAC checklist that defines the completion criteria for each IMAC Service; |
(2) | provide to Vendor, via the established procedures, an authorized IMAC Services request that clearly defines all IMAC requirements and includes all information Vendor requests; |
(3) | provide all Equipment and Software components (for example, hardware, software and any associated components) necessary to perform an IMAC; |
(4) | through the ACI Focal Point: |
(a) | coordinate the activities related to and the completion of all required facilities and data telecommunications modifications before the scheduled IMAC date; |
(b) | at Vendor’s request, provide the status on ACI-retained activities (for example, anticipated completion date of site modifications) related to or impacting an IMAC; |
(c) | ensure End User compliance with all IMAC Services prerequisites, as set forth in the IMAC checklist or as Vendor or ACI otherwise communicates, before the scheduled IMAC date; |
(d) | at Vendor’s request, verify the completion of all End User IMAC prerequisites, site readiness, and the availability of all IMAC components; and |
(5) | define and provide Vendor the escalation procedures for situations where End Users have not completed the communicated IMAC prerequisites or where site preparations have not been completed within the defined time frames or in accordance with specifications; |
(6) | for IMAC activity not directly requested by the End User, notify the affected End User(s) of such planned IMAC activity; |
(7) | track End User software licenses and be responsible for End User compliance with all software vendor license terms and conditions; |
(8) | for new systems for which Vendor is providing pre-delivery preparation Services: |
(a) | define the configuration specifications; |
(b) | provide copies (via diskettes, compact disks, tapes or other approved media) of any site licensed software Standard Products, including the master to be loaded as part of a Standard Configuration; |
(c) | communicate to Vendor any applicable software vendor license terms and conditions; |
(d) | adhere to all software vendor license terms and conditions for any site licensed software Standard Products; and |
(e) | provide the ship-to location address for each system unit and the name and phone number of a designated contact person at such location; |
(9) | provide necessary End User orientation and education; |
(10) | provide all transportation of IMAC components to, between, and within Facilities and all transportation associated with the disposal or relocation of displaced hardware and software; |
(11) | be responsible for all costs and compliance with regulatory requirements for the disposal or relocation of packing materials and displaced or discontinued hardware and software and related materials (for example, batteries, manuals, supplies, cathode ray tubes); |
(12) | provide the packing materials and prepare all displaced hardware and software for shipping; |
(13) | provide a secure staging or storage area within the End User Location to store IMAC components to be used for a scheduled IMAC and the hardware and software (and associated documentation) displaced by an IMAC; |
(14) | assist Vendor to resolve on a timely basis any issues impacting an IMAC; and |
(15) | provide authorization and be responsible for all charges for IMAC Services Vendor provides at ACI’s request for Nonstandard Products. |
4. | REFRESH SERVICES |
a. | Vendor will: |
(1) | schedule the Refresh perform date with the ACI Focal Point and the requesting End User, and communicate any End User prerequisites prior to the scheduled Refresh date (according to the agreed Refresh plan); |
(2) | de-install and remove the End User’s existing Supported Desktop and configure, install and test the new system at the mutually agreed location (for example, desk or office); |
(3) | perform data backup from the End User’s existing Supported Desktop; |
(4) | perform electronic data migration up to two gigabytes from End User’s existing Supported Desktop to the new system; and |
(5) | update the image(s), as required. |
b. | ACI will: |
(1) | ensure the End User is available to Vendor during the Refresh process to provide any necessary information (for example, passwords); and |
(2) | define the content of the updated image(s) to deploy to all systems taking into consideration the needs of the various combinations of operating systems, hardware, and business unit applications. |
5. | ELECTRONIC SOFTWARE DISTRIBUTION (ESD) |
a. | Vendor will: |
(1) | with ACI’s assistance, define the ESD processes and procedures; |
(2) | provide the ESD processes and procedures including any ACI support requirements to the ACI Focal Point for distribution to ACI-designated personnel (for example, operators, systems engineers, problem support personnel); |
(3) | with ACI’s assistance, establish a distribution plan before each ESD including: |
(a) | the mutually agreed software Standard Products (consistent with the Supported Desktop Software standards) to be distributed; |
(b) | the schedule for distribution; |
(c) | any ESD prerequisites and post install procedures that need to be completed by End Users and ACI’s business units; and |
(d) | any End User training requirements related to the changes that will result from an ESD; |
(4) | communicate to the ACI Focal Point any ESD prerequisites and post install procedures that need to be completed by End Users and ACI’s business units; |
(5) | schedule and coordinate ESD activities with the ACI Focal Point; |
(6) | develop the how-to procedures End Users will follow to download the distributed software Standard Products from a Supported Server to the Supported Desktop and provide an electronic change notice to all End Users regarding upcoming distributions prior to the distribution itself; |
(7) | before an ESD, configure and test the software standard image included in the ESD to verify compatibility with existing Supported Server and Supported Desktop hardware and software configurations and directory structures and compliance with ACI policy; |
(8) | manage and administer the ESD, including: |
(a) | monitoring the ESD to verify the successful completion of the process; and |
(b) | taking corrective action, as appropriate, for problems resulting from the ESD to correct error conditions and facilitate application stability; |
(9) | communicate to the ACI Focal Point any problems that occurred during the distribution and a list of unsuccessful distributions; |
(10) | resolve unsuccessful distributions to the Supported Servers attributable to Vendor’s error; |
(11) | provide verification of each completed ESD to the ACI Focal Point; |
(12) | on completion of the ESD, update the asset database, as appropriate; and |
(13) | ensure Supported Servers are equipped with the required hardware and software and that sufficient network capacity and connectivity (i.e., end-to-end connectivity and telecommunications link with minimum capacity of 256 kb) exist to allow for centralized electronic software distribution; |
(14) | before an ESD, resolve configuration conflicts between software products existing on the Supported Servers and Supported Desktops and the software Standard Products included in the scheduled ESD; |
(15) | install software Standard Products that cannot be electronically distributed on a Project basis; and |
(16) | apply patches on a periodic basis according to the ACI policies and procedures. |
b. | ACI will: |
(1) | provide all software Standard Products (new and upgrades) included in an ESD or distributed on a Project basis; |
(2) | document and provide to Vendor ACI’s standard configuration and policy requirements; |
(3) | assist Vendor in establishing a distribution plan before each ESD; |
(4) | assist Vendor in testing the ESD process; |
(5) | ensure required End User training occurs before the scheduled ESD date; |
(6) | perform file conversion for application files, ACI proprietary application files, and End User data files; |
(7) | provide the necessary system support (for example, scheduling system downtime, if required) during an ESD; |
(8) | ensure compliance by End Users and ACI’s business units with the communicated ESD prerequisites and post install procedures; |
(9) | resolve unsuccessful distributions to the Supported Servers or Supported Desktops not attributable to Vendor’s error; |
(10) | provide to Vendor any software vendor license terms and conditions and maintenance requirements for newly distributed software Standard Products that could affect the ESD Services; |
(11) | notify Vendor of any distribution time frames specified by any regulatory agency that need to be met to accomplish compliance with ACI Regulatory Requirements; |
(12) | notify Vendor of any software to be deinstalled by Vendor (through the IMAC process or on a Project basis) in conjunction with an ESD; and |
(13) | dispose of all deinstalled software and discontinue the license and maintenance, if applicable, for such software. |
Exhibit A-4 — End User Services
Page 12 of 12
1. | GENERAL SERVICES |
1.1 | Introduction |
1.2 | Platform Support |
a. | Vendor will: |
(1) | provide server operation Services including the management of the Supported Server environment using the appropriate processes set forth in the Process Interface Manual; |
(2) | engineer, order, provision and deliver server services eliminating single points of failure and including redundant data paths, hot-swappable components, mirrored disk, and/or high availability services to provide a level of service that meets or exceeds the Service Levels; |
(3) | create, maintain and delete volumes and directory structures; |
(4) | define, implement and execute required backup and recovery procedures, specific to the individual server or as part of a logical group of servers utilizing common storage; |
(5) | test and validate data restoration and backout procedures, at least annually, or as required by customer contracts; |
(6) | ensure server services required for system monitoring are configured and available throughout the systems runtime; |
(7) | provide connectivity as defined by ACI to enable ACI to access their customer sites for problem resolution; |
(8) | modify file system sizes and permissions; |
(9) | verify mount point availability; |
(10) | repair defective file systems; |
Exhibit A-5 — Server Systems Management Services
Page 1 of 13
(11) | assign account, work group and print managers; |
(12) | administer directory distribution and replication; and |
(13) | define and manage resources and domains. |
b. | ACI will: |
(1) | provide the information, as requested by Vendor, required for Vendor’s initial evaluation of ACI’s operating system environment, such as an updated inventory of devices and their configuration; and |
(2) | support trusted Third Party security servers (for example, authentication). |
1.3 | Software |
1.3.1 | Installation, Upgrades and Changes |
a. | Vendor responsibilities include the following: |
(1) | Install, upgrade, and change all Software as required and in accordance with ACI technical architecture standards, and with ACI’s approval; |
(2) | Interface with retained ACI staff and other Third Parties to promote the compatibility of Software products; |
(3) | Unless otherwise directed by ACI, install, upgrade, and change Software to prescribed release levels; |
(4) | Provide installation of department or internal IT-specific Software as requested by ACI; |
(5) | Install vendor-supplied corrections for vendor Software problems, which include installation of vendor-supplied Software patches as required, and with ACI’s approval; |
(6) | Prior to the start of each calendar quarter, give written notice to ACI of all upgrades and Software changes that are proposed to occur in the following quarter. The Parties will mutually agree in writing on the timing for the implementation of upgrades; |
(7) | Coordinate testing, installation, customization, and support of Software with Application Development and Maintenance (ADM) personnel, and other Third Parties as required; |
(8) | Observe Change Management procedures while implementing changes, upgrades, or enhancements; |
(9) | For any changes, upgrades, or enhancements, advise ACI of any additional Equipment, network, environmental, or other requirements needed during integration testing and/or otherwise known to be necessary for the implementation; |
(10) | Proactively provide ADM staff, ACI, and other Third Parties with support for Equipment and System Software used to support ADM activities; |
(11) | Prior to implementation or changes to Application Software, proactively provide ADM staff, ACI staff, and other Third Parties with information and constraints related to Equipment, System Software, and network requirements; and |
(12) | Assist ACI with production testing and implementation activities for Application Software with the ADM staff, ACI staff, and other Third Parties as required in order to successfully promote Application Software into the production environment. |
b. | ACI will: |
(1) | Provide Vendor with the ACI technical architecture standards; and |
(2) | Perform production testing and implementation activities for Application Software with the ADM staff, ACI staff, and other Third Parties as required in order to successfully promote Application Software into the production environment (except in certain cases where Vendor may be responsible for production moves). |
1.3.2 | Software Support |
a. | Vendor responsibilities include the following: |
(1) | Support all Software, excluding Applications supported by ACI’s retained staff or other Third Parties, as required and in accordance with ACI’s technical architecture standards, and with ACI’s approval; |
(2) | Support Software at prescribed release levels or as directed by ACI; |
(3) | Apply patches to Software as required, with ACI’s approval; |
(4) | For Systems Software, provide Level 1, Level 2, and Level 3 Support; |
(5) | Provide ACI internal with Software support, advice, and assistance; |
(6) | Maintain a library of Vendor-supplied and Vendor-developed documentation that identifies the Software supported by Vendor and the operational support procedures associated with the Software; and |
(7) | Maintain master copies of the ACI standard Software in a secure, central location. |
1.3.3 | Virus Protection |
a. | Vendor responsibilities include the following: |
(1) | Install, update, operate, and maintain virus protection Software including but not limited to malware, Trojans, and spyware on all Equipment used to deliver or support the Services; |
(2) | Maintain subscription to the anti-virus Software support in order to proactively receive virus engine and pattern updates; |
(3) | Install thoroughly tested and change-controlled updates to virus-protection Software as needed or as directed by ACI, according to the Service Levels required by ACI, as defined in Schedule B (Service Levels) and its Exhibits, no later than twenty-four (24) hours after such updates are made available to Vendor (or qualified Third Parties selected by Vendor) and have been approved by ACI; |
(4) | Perform virus scans on all e-mails; |
(5) | Upon detection of a virus, take immediate steps to notify the Service Desk, including: |
(a) | Assess the scope of damage; |
(b) | Arrest the spread and progressive damage from the virus; |
(c) | Eradicate the virus; and |
(d) | Restore all data and Software to its original state (to the greatest extent possible); |
(6) | Develop any plans necessary to provide virus protection; |
(7) | Provide consulting services for virus protection; |
(8) | Respond to virus Incidents; |
(9) | Provide proactive alerts to End Users relative to current virus threats either specific to ACI’s environment, encountered in the Vendor environment, or based on industry information; |
(10) | Provide additional temporary resources in the event of a major computer virus outbreak so ACI’s performance does not degrade because of an unavailability of Vendor resources; and |
(11) | Provide daily and monthly reports that contain a summary of the number of viruses detected and cleaned, as well as a list of viruses caught. |
1.4 | Server Operations |
a. | System Operations |
(1) | Vendor will: |
(a) | manage server (including mainframe servers) resource availability for server and peripheral hardware and software; |
(b) | execute recovery procedures, as required, for server resources; |
THE PORTIONS OF THIS DOCUMENT DENOTED BY BOXES AND ASTERISKS BE ACCORDED CONFIDENTIAL TREATMENT PURSUANT TO RULE 24b-2 PROMULGATED UNDER THE SECURITIES EXCHANGE ACT OF 1934.
(c) | provide support for servers supporting both production operations and application development in routine and emergency situations, including, but not limited to, problem diagnosis assistance, level 2 server and mainframe support data access, program testing, and promotion of data/programs from test into production; and |
(d) | provide server operating status, as requested. This includes but is not limited to version(s), patch level(s), logs, uptime statistics, performance data, utilization statistics, and historical data. |
(2) | ACI will: |
(a) | provide requirements and approval for incident escalation and change processes, expected incident response times, resolution times, and ACI contacts where appropriate; and |
(b) | notify Vendor of any planned or emergency changes to ACI’s environment affecting Vendor’s provision of the Services. |
1.5 | Operations Support |
a. | Vendor will perform the following console activities, utilizing automation where appropriate, during the Service Hours: |
(1) | console monitoring and message filtration; |
(2) | system and application restart and recovery; and |
(3) | automated problem reporting and paging. |
b. | ACI will: |
(1) | be consulted when any restore procedure needs to be performed; |
(2) | in those Locations where there is no Vendor staff on-site, assist Vendor, using ACI personnel, with server restarts, as reasonably requested (e.g., [ * ]). At no time will Vendor restart an application, service or device without a procedure defined or assistance or approval from ACI to perform such restart; and |
(3) | provide requirements and approval for application restart and recovery procedures. |
1.6 | Server Planning Support |
a. | Vendor will: |
(1) | collect and analyze planned server requirements and workloads for development and production (includes, but is not limited to, server hardware, system software, server configuration, storage requirements and configuration, network requirements and middleware requirements); |
(2) | identify potential single points of failure and either a) provide a plan that remediates all SPOFs or b) document acceptance of the SPOF and the specific exposures and predicted frequency of failure; |
(3) | schedule, order, install, configure, and deliver hardware and software based on ACI’s requirements; and |
(4) | use Commercially Reasonable Efforts in responding to requests for accelerated provisioning of server resources, based on customer support requirements, unplanned demand, or unanticipated workloads. |
b. | ACI will approve planned requirements for server resources based on planned development and production activities. |
1.6.1 | Hardware and Facilities Planning |
a. | Vendor will: |
(1) | coordinate with site facilities management to provide specified power to equipment, raised floor space, rack placement, and other physical environmental requirements for the Vendor Data Centers; |
(2) | coordinate hardware availability for scheduled maintenance (i.e., microcode updates, engineering changes); and |
(3) | maintain physical configuration plan. |
b. | ACI will assist Vendor in conducting system space planning and in assessing hardware and facility requirements for equipment located in ACI Locations. |
1.6.2 | Installation and Maintenance Services |
a. | Vendor will: |
(1) | install, configure, and perform cumulative maintenance to Supported Server Standard Products, including the base operating system, operating system utilities, functions, features, program products, and other supported products, BIOS, firmware (storage, and peripheral devices), and hardware with ACI’s final approval of the implementation; |
(2) | establish a test and implementation plan, including backout contingencies, before each system upgrade Project; |
(3) | schedule and coordinate system testing and implementation with the ACI Focal Point; and |
(4) | communicate to the ACI Focal Point, via the change management process set forth in the Process Interface Manual, any installation prerequisites and any post install procedures that need to be followed after the installation is completed. |
b. | ACI will: |
(1) | provide Vendor with system requirements for each supported platform with specific customization, maintenance levels, and/or additional products required; |
(2) | assist Vendor in establishing a test and implementation plan before each system version upgrade; the final approval of any hardware/software upgrade rests with ACI; |
(3) | ensure compliance by End Users and ACI’s business units, via the change management process set forth in the Process Interface Manual, with any communicated change prerequisites and post change procedures; and |
(4) | before the system maintenance or upgrade scheduled date, or upon Vendor’s request, verify to Vendor via the ACI Focal Point that all communicated prerequisites have been completed. |
1.7 | Database Subsystem Support |
1.7.1 | Database Software Support and Operations |
a. | Vendor will: |
(1) | install, upgrade and maintain the Database Systems Software and associated utilities on all managed servers per ACI’s requirements; |
(2) | manage database subsystem resource availability; |
(3) | execute backup and recovery procedures, as required, for database subsystem resources; |
(4) | provide database subsystem status, as requested; and |
(5) | provide reports on database availability, utilization and performance, including trending, on a monthly basis, with trend analysis of the data for the past 13 months in accordance with Schedule R (Reports), to support ACI reporting as needed. |
b. | ACI will: |
(1) | provide requirements and approval for handling all planned and unplanned outages affecting the database environment including review, approval, communication and proper documentation; and |
(2) | notify Vendor of any planned or emergency changes to ACI’s environment affecting Vendor’s provision of the Services. |
1.7.2 | Physical Database Administration |
a. | Vendor will: |
(1) | provide physical support of Oracle, SQL Server, C-tree, Informix and DB2 application databases which includes: |
(a) | creation of physical database objects (i.e., DDL, DBD, ACB, files); |
(b) | management and performance of physical database maintenance, modifications and enhancements in accordance with the mutually agreed schedule; |
(c) | maintaining mutually agreed database backup procedures, provided by ACI, to recover from database destruction or corruption or outage in accordance with the mutually agreed schedule; |
(d) | maintaining and implementing mutually agreed database archive processes and procedures; |
(e) | testing data recovery/backout procedures at least annually; |
(f) | monitoring and reporting of database performance and space utilization, with database reorganization and/or expansion as required, and trend analysis of the data for the past 13 months in accordance with Schedule R (Reports), to support ACI reporting as needed; |
(g) | recommending modifications for improved performance and implementing as approved by ACI; and |
(h) | interacting and interfacing with logical DBAs providing support for their design and implementation(s). |
(2) | set up and retain exclusive use of DBMS system administration IDs and privileges; |
(3) | provide physical database maintenance for development and test environments; |
(4) | assist ACI in planning for database modifications as a result of changes in ACI’s business environment (i.e., growth, application development projects) and review ACI’s plans on a regular basis; |
(5) | promote ACI-approved database changes into the production environment; |
(6) | develop, implement and maintain appropriate backout processes for changes where required; and |
(7) | perform access grants to database objects as requested by ACI. |
b. | ACI will: |
(1) | provide requirements and approval for performing production database maintenance, modifications, enhancements and backups; |
(2) | develop plan(s) for database modifications as a result of changes in ACI’s business environment (i.e., growth, application development projects) and review such plans with Vendor on a regular basis; |
(3) | provide Vendor the approved database changes; |
(4) | define database backup and recovery requirements; |
(5) | perform logical database design and data modeling and cooperate with Vendor during physical database design and review; and |
(6) | provide ACI’s access requirements (for example, name and authorization level) for database objects. |
1.8 | Data Communication Software Support and Operations |
a. | Vendor will: |
(1) | install, upgrade and maintain the Systems Software; |
(2) | manage the data communication subsystem resource availability; |
(3) | execute recovery procedures, as required, for data communication subsystem resources; |
(4) | install, test and implement software/microcode/hardware maintenance per vendor-specified schedules and approved by ACI; and |
(5) | provide data communication subsystem status, utilization, and availability data as requested. |
b. | ACI will: |
(1) | assist Vendor in developing procedures for handling all planned and unplanned outages affecting the data communication environment including review, approval, communication and proper documentation by providing requirements and approval; and |
(2) | notify Vendor of any planned or emergency changes to ACI’s environment affecting Vendor’s provision of the Services. |
1.9 | Middleware Software Support and Operations |
a. | Vendor will: |
(1) | install, upgrade and maintain the Systems Software; |
(2) | manage the middleware subsystem resource availability; |
(3) | execute recovery procedures, as required, for middleware subsystem resources; |
(4) | provide middleware subsystem status, utilization, and availability data as requested; |
(5) | administer security resource definitions (for example, specific User IDs and group IDs); and |
(6) | monitor and manage messages remaining in the system dead letter queue after deadline scheduling queue (i.e., DLQ Handler) processing. |
b. | ACI will: |
(1) | assist Vendor in developing procedures for handling all planned and unplanned outages affecting the middleware environment including review, approval, communication and proper documentation by providing requirements and approval; and |
(2) | notify Vendor of any planned or emergency changes to ACI’s environment affecting Vendor’s provision of the Services. |
1.10 | Production Batch Operations |
1.10.1 | Production Batch Job Scheduling |
a. | Vendor will: |
(1) | perform production batch job set-up and scheduling tasks, such as: |
(a) | identification of critical paths based on statistics of execution; |
(b) | identification of jobs eligible for parallel processing (on same CPU or multiple CPUs) and reorganization of normal batch schedules; |
(c) | support of special batch schedules (e.g., for known peak periods); and |
(d) | recommend scheduling improvements and implement, as approved by ACI; |
(2) | resolve batch scheduling conflicts; |
(3) | based on ACI’s requirements and with ACI’s approval, develop and maintain standards for job acceptance and implementation; |
(4) | schedule batch jobs, as requested by ACI, which require expedited execution, subject to applicable Service Levels attainment relief; and |
(5) | develop and maintain any operational scripts required for the delivery of operational services by Vendor (e.g., backup/restore scripts). |
b. | ACI will: |
(1) | provide ACI’s production batch scheduling requirements and procedures and any updates as they occur; |
(2) | assist Vendor in developing standards for job acceptance and implementation; |
(3) | provide required information (for example, requested time frames and priority sequence) for expedited batch job requests; and |
(4) | evaluate and approve scheduling improvement recommendations. |
1.10.2 | Production Batch Monitoring and Restart |
a. | Vendor will: |
(1) | monitor scheduled production batch jobs; |
(2) | resolve batch scheduling conflicts; |
(3) | monitor scheduler related incidents and develop and recommend changes to the scheduler database; |
(4) | schedule batch jobs, as requested by ACI, that require expedited execution; and |
(5) | perform job restarts, as necessary, in accordance with resolution and restart procedures. |
b. | ACI will: |
(1) | provide ACI’s resolution and restart procedures; and |
(2) | provide required information for expedited batch job requests. |
1.10.3 | Application Library Management |
a. | Vendor will: |
(1) | assist ACI in defining and documenting application code (i.e., JCL and application program elements) promotion standards and acceptance criteria for moving application code from test libraries into production libraries; and |
(2) | promote application code from development and/or test environments to production, including QA and UAT where required. |
b. | ACI will: |
(1) | promote application code from development and/or test environments to production, including QA and UAT where required; |
(2) | assist Vendor in defining application code (i.e., JCL and application program elements) promotion standards and acceptance criteria for moving application code from test libraries into production libraries; and |
(3) | provide ACI’s application code promotion requirements and procedures. |
2. | MAINFRAME SERVICES |
2.1 | Introduction |
2.2 | Platform Support |
a. | Vendor will: |
(1) | provide technical support and advice for ACI’s application development and database administration personnel according to the following standards: |
(a) | Vendor will provide and support Systems Software products as listed in Schedule I (Vendor Supported Software), to support the development of Applications Software. Vendor will not discontinue use of such software products without ACI’s approval; provided, that ACI will assume support expenses for Systems Software products that ACI requires Vendor to retain after the manufacturer withdraws its support; |
(b) | in the event that Vendor desires to discontinue use of such products, Vendor may offer to migrate ACI onto another product having similar functions at Vendor’s expense, and ACI will not unreasonably withhold its approval of such migration; and |
(c) | if ACI requests additional application development support products, such request may be considered a New Service, unless it is replacing an existing service; |
(2) | provision, order, install, configure, upgrade and maintain the Systems Software with ACI’s direction and approval; |
(3) | perform preventive maintenance (patching) within specifications from the vendor and with agreement with ACI as to frequency and scheduling; |
(4) | install corrective maintenance as required to resolve defects, and/or to address issues discovered in the development or customer environments; and |
(5) | operate the Applications Software ACI selects, provided such Applications Software conforms to the operating environment standards specified in Schedule J (ACI Policies and Standards). |
b. | ACI will: |
(1) | for Applications Software: |
(a) | select or define the requirements for all Applications Software; |
(b) | provide user exits existing as of the Country Effective Date. If ACI requests additional user exits, such requests may be considered a New Service; |
(c) | retain responsibility for maintenance, support and all license and related charges for Applications Software; |
(d) | retain responsibility for all license and related charges, including maintenance fees, and for prioritizing the AD/M workload necessary to maintain and support Applications Software; and |
(e) | have the right to audit, control and approve new Applications Software before its promotion into production; and |
(2) | for Application verification: |
(a) | with Vendor’s assistance, verify the results of Applications Software on-line and batch system support processing; |
(b) | provide Applications Software program problem determination and resolution, including providing support for application Abends and job recovery; |
(c) | attempt to minimize outages caused by application program failures; |
(d) | verify and evaluate any operating Systems Software and hardware changes recommended by Vendor; |
(e) | follow the existing change management process for all application changes, before submission or installation into the system; |
(f) | follow the problem management process, according to published problem resolution criteria set forth in the Process Interface Manual, and document problem resolution and closure; |
(g) | certify, in cooperation with Vendor, that existing applications function correctly when Vendor installs new Systems Software or upgrades to or new releases of current Systems Software; |
(h) | enhance applications as indicated by performance evaluations by ACI at the request of Vendor; and |
(i) | review, in conjunction with Vendor, that new applications or functions adhere to the standards specified in Schedule J (ACI Policies and Standards). |
THE PORTIONS OF THIS DOCUMENT DENOTED BY
BOXES AND ASTERISKS BE ACCORDED
CONFIDENTIAL TREATMENT PURSUANT TO RULE
24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
1. | GENERAL SERVICES |
1.1 | Operations Support |
a. | Vendor will perform the following activities: |
(1) | monitoring; |
(2) | storage recovery; and |
(3) | problem reporting and paging. |
1.2 | Storage Planning Support |
1.2.1 | Hardware and Facilities Planning |
a. | Vendor will: |
(1) | collect and analyze planned storage requirements and workloads for development and production; |
(2) | [ * ]; and |
(3) | schedule, order, install, configure, and deliver Equipment and Software based on the defined requirements. |
b. | ACI will: |
(1) | provide planned requirements for storage resources based on planned development and production activities. |
1.2.2 | Installation and Maintenance Services |
a. | Vendor will: |
(1) | install, configure, maintain and perform cumulative hardware, software and microcode maintenance to supported storage environments, in accordance with the Change Control Procedure; |
(2) | schedule and coordinate storage testing and implementation with the ACI Focal Point; and |
Exhibit A-6 — Storage Management Services
(3) | communicate to the ACI Focal Point, via the change management process set forth in the Process Interface Manual, any installation prerequisites and any post install procedures that need to be followed after the installation is completed. |
b. | ACI will: |
(1) | provide Vendor with storage installation and customization requirements; |
(2) | assist Vendor in establishing a test and implementation plan before each storage upgrade; the final approval of any hardware/software upgrade rests with ACI; |
(3) | ensure compliance by End Users and ACI’s business units, via the change management process set forth in the Process Interface Manual, with any communicated change prerequisites and post change procedures; and |
(4) | before the storage maintenance or upgrade scheduled date, or upon Vendor’s request, verify to Vendor via the ACI Focal Point that all communicated prerequisites have been completed. |
1.3 | Data Replication Software Support and Operations for the [ * ] |
a. | Vendor will: |
(1) | install, upgrade and maintain the data replication Software; |
(2) | manage the data replication subsystem resource availability; |
(3) | provide replication services as specified by ACI; |
(4) | execute recovery procedures, as required, for data replication subsystem resources; |
(5) | install, test and implement software/microcode/hardware maintenance per vendor-specified schedules and approved by ACI; and |
(6) | provide data replication subsystem status, utilization, and availability data as requested. |
b. | ACI will: |
(1) | define replication specifications; |
(2) | assist Vendor in developing procedures for handling all planned and unplanned outages affecting the data replication environment including review, approval, communication and proper documentation; and |
(3) | notify Vendor of any planned or emergency changes to ACI’s environment affecting Vendor’s provision of the Services. |
2. | MANAGED STORAGE |
2.1 | Vendor will: |
a. | manage storage on all of ACI’s server platforms including, but not limited to, [ * ]; and |
b. | manage storage in the ACI Locations listed in Schedule P (Locations). |
2.2 | File Management |
a. | Vendor will: |
(1) | manage files on the Equipment, including: |
(a) | managing non-root application file systems; |
(b) | modifying file system sizes; |
(c) | verifying mount point availability; |
(d) | repairing defective file systems; and |
(e) | modifying file system permissions; |
(2) | keep files under Vendor’s control, current and available during scheduled access times; |
(3) | initiate and complete required data processing activities concerning data integrity (for example, handling line transmission errors) of all processed files; |
(4) | verify the receipt of incoming files and the processing and transmission of outgoing files; |
(5) | conduct routine monitoring and corrective action according to procedures Vendor prepares and ACI approves for intermediate files used for on-line and batch processing; |
(6) | verify availability of adequate file space for processing; and |
(7) | report to ACI on ACI’s disk space utilization and requirements for ACI’s capacity planning purposes. |
b. | ACI will define requirements for job recovery management. |
2.3 | Raw Storage Management |
a. | Vendor will: |
(1) | manage raw storage on the Equipment, including verifying raw storage availability; |
(2) | keep raw storage under Vendor’s control, current and available during scheduled access times; |
(3) | initiate and complete required data processing activities concerning data integrity (for example, handling line transmission errors) of all processed raw storage; |
(4) | verify availability of adequate raw storage space for processing; and |
(5) | report to ACI on ACI’s disk space utilization and requirements for ACI’s capacity planning purposes. |
2.4 | Storage Environment Management |
a. | Vendor will: |
(1) | perform storage device preparation and initialization; |
(2) | manage storage space through the implementation and customization of storage management software; |
(3) | manage space and utilization rate of storage hardware; |
(4) | verify availability and sufficient capacity of Vendor controlled file systems and raw devices during scheduled service times; and |
(5) | provide ACI reports of space utilization at a logical disk or DASD level on a monthly basis and as reasonably requested by ACI. |
b. | ACI will provide requirements for the storage environments (e.g., application or database file size or file layout). |
2.5 | Backup and Restore |
a. | Vendor will: |
(1) | based on ACI’s requirements and ACI’s approval, define the frequency, security, and types of required data backup as well as the retention periods for the data; |
(2) | document, maintain and, as appropriate, update and execute mutually approved backup and recovery procedures; |
(3) | provide the required on-site secure tape storage facilities at IBM Locations and off-site secure tape storage facilities for all Locations; |
(4) | perform data backup and recovery for all managed devices, including interfacing with on-site or off-site tape storage facilities, if any; |
(5) | provide secure transport for any media transported outside the secure data center environments; |
(6) | perform daily review of backup logs, resolving all backup failures the day of occurrence; |
(7) | track the success or failure of backup and recovery processes; |
(8) | provide standard backup reports to ACI monthly including, but not limited to, a list of backup jobs with the details of data sets and schedules, success and failure rates of backup processes, failures and their resolutions; |
(9) | provide a recovery procedure for restoring the data image to a previous level within a mutually agreed time frame; |
(10) | conduct regularly scheduled backup and recovery processes as specified in the Process Interface Manual and as prioritized by ACI (for example, data set restore), so as to avoid impacting scheduled operations; |
(11) | perform test restores of selected data sets as required to demonstrate data integrity with input from ACI and review of the output by ACI; test results to be provided by Vendor to ACI; |
(12) | provide to ACI a full inventory report of backup tapes, their contents and locations, on a monthly basis and as reasonably requested; |
(13) | provide media destruction services for media that becomes defective or is retired from service and provide monthly reporting and certification of such media destruction; and |
(14) | provide recommendations to ACI regarding backup and recovery considerations such as improved levels of protection, efficiencies and cost reductions. |
b. | ACI will: |
(1) | with Vendor’s assistance, define the frequency, security, encryption level, and types of required data backup as well as the retention periods for the data; |
(2) | provide the required on-site secure tape storage facilities for ACI Locations; and |
(3) | specify which data sets to test restore and review the results. |
3. | MEDIA MANAGEMENT |
a. | Vendor will: |
(1) | retain tapes for a mutually agreed retention period for auditing purposes; |
(2) | provide to ACI a full inventory report of backup tapes, their contents and locations on a monthly basis and as reasonably requested by ACI; |
(3) | provide media destruction services for media that becomes defective or is retired from service; |
(4) | rotate tapes, as required, for off-site storage; |
(5) | log and track physical tapes that are checked in and out of the Data Center by ACI or a Third Party; |
(6) | notify the Vendor or Third Party tape storage provider when it is time to scratch or return a tape; |
(7) | complete tape mounts in sufficient time to meet production processing requirements in accordance with the Service Levels; |
(8) | provide tape specifications to ACI; |
(9) | maintain adequate supplies for the tape environment and provide a sufficient scratch tape pool to service required processing needs, and notify ACI when additional tapes and other supplies are required; |
(10) | retrieve archived tapes and restore required files and data sets within mutually agreed time frames; and |
(11) | report tape utilization to ACI. |
b. | ACI will provide tapes as Vendor requests that meet the Vendor-provided tape specifications. |
3.2 | Portable Media Handling |
a. | Vendor will: |
(1) | develop and implement processes and procedures to control and manage ACI portable media inventory, secure handling and movement of such media, and destroy residual information; |
(2) | perform an initial inventory of ACI portable media and annually reconcile, as appropriate; and |
(3) | provide environmental protection for ACI portable media in accordance with the established procedures. |
b. | ACI will approve initial inventory of ACI portable media and provide any updates as they occur. |
3.3 | Offsite Storage |
a. | Vendor will: |
(1) | provide the required on-site tape storage facilities for Vendor Locations and provide off-site secure tape storage facilities for Vendor Locations and ACI Locations; |
(2) | interface with on-site or off-site tape storage facilities, if any; |
(3) | store tapes and paper documentation, as appropriate, at the off-site storage facility; |
(4) | manage off-site storage of tape media for vital records, back-up and recovery; |
(5) | pack, label, scan and track all tape output and distribute to the mutually agreed drop point; and |
(6) | securely transport tapes from a non-Disaster Recovery off-site storage location to a designated facility. |
b. | ACI will: |
(1) | define requirements for off-site tape storage and archiving; and |
(2) | provide the required on-site tape storage facilities for ACI Locations. |
1.0 | INTRODUCTION |
2.0 | COMMON DATA NETWORK SERVICES |
2.1 | Physical Scope |
2.1.1 | Locations |
2.1.2 | Demarcation Boundaries of the Services |
2.2 | General Services |
2.2.1 | General Management Services |
a. | Vendor will: |
1. | Act as a single point of contact for the management of the Data Network; |
2. | Develop and implement approved Data Network strategies in accordance with Change Management procedures; |
Exhibit A-7—Data Network Services
3. | Provide End Users with technical support and advice regarding the proper use and functionality of Data Network Services; |
4. | Analyze and propose cost-effective Data Network Service alternatives; and |
5. | Support all telecommunication protocols that are approved for use by ACI. |
b. | ACI will provide requirements and approve Data Network strategies. |
2.2.2 | General Administration Services |
a. | The Vendor’s responsibilities include the following: |
1. | Administer all Data Network requirements and activities, including processing change requests and resolving Incident tickets; |
2. | Document all aspects of the Data Network Services for ACI, including: |
2.1. | Escalation procedures for all Data Network-related teams (including but not limited to data center vendor support teams, VAR/reseller team, network equipment vendor, and ACI teams that support services that interact with the network); |
2.2. | Service acceptance procedures; |
2.3. | Topology documentation; |
2.4. | Contact information for all Data Network-related teams (including but not limited to data center vendor support teams, VAR/reseller team, network equipment vendor, and ACI teams that support services that interact with the network); and |
2.5. | Inventory of network devices; |
3. | Document operations procedures and services; and |
4. | Update site logs. |
b. | ACI will: |
1. | provide Vendor with design criteria and standards for Data Network Services; and |
2. | assist Vendor in developing escalation procedures for all Data Network-related teams. |
2.2.3 | Third-Party Vendor Management and Coordination |
a. | The Vendor’s responsibilities include the following: |
1. | Manage and coordinate the activities of all third-party vendors where: |
1.1. | The third-party vendor provides services to ACI in direct support of the in-scope Data Network components; and |
1.2. | The activities of the third-party vendor directly impact the performance or availability of the Data Network; |
2. | Maintain technical support relationships with third-party vendors to resolve Incidents and problems with the Data Network and to provide answers to technical questions and requirements related to the use of its products or services; and |
3. | Monitor third-party vendor service delivery and performance in regard to the Data Network, including: |
3.1. | Monitor the third-party vendor’s compliance with any service levels contained in any agreement between ACI and the third-party vendor; |
3.2. | Provide integrated compliance reporting for the monitoring and management of service levels contained in any agreement between ACI and the third-party vendor when the third-party vendor is contractually required to provide compliance reporting data in a mechanized format; |
3.3. | Integrate reporting from any and all subcontractors supporting network Equipment so that ACI receives consistent and comprehensive reports identified in Schedule R (Reports); |
3.4. | Notify ACI and the third-party vendor of each third-party vendor failure to perform in accordance with the provisions of its agreement; and |
3.5. | Evaluate and recommend retention, modification, or termination of a third-party vendor based on the performance or cost benefits to ACI as tracked by the Vendor. |
b. | ACI will: |
1. | Provide Vendor with all Data Network third-party vendor contracts; and |
2. | Provide Vendor with contact information for all Data Network third-party vendors. |
2.3 | Planning and Design Services |
a. | The Vendor’s responsibilities include the following: |
1. | Develop and propose new or enhanced Data Network plans and designs in conjunction with the ACI communicated strategic plans. This process would be initiated by ACI, will have requirements specified by ACI, and will be reviewed and approved by ACI. Vendor will be responsible for the design aspects of any such effort. |
2. | Conduct regular capacity planning reviews, identifying both the current state of the Data Network and long-term projected needs; |
3. | Provide plans and design for the following components: |
3.1. | Overall Data Network Topology, including the physical and logical layout of the Data Network (included in this Exhibit); |
3.2. | Addressing schemes; |
3.3. | Optimal telecommunications protocols within the Data Network as necessary to satisfy ACI’s Service Levels, in accordance with this Exhibit and as follows: |
3.3.1. | Develop documented recommendations and plans for optimized network performance & measurements environment; |
3.3.2. | Assess and analyze ACI’s current network architecture and strategy to enable the design of business requirements into a network solution; |
3.3.3. | Define, document and acquire the hardware and software for dedicated and/or shared network performance and measurements environment; |
3.3.4. | Provide network utilization and performance exception reports to ACI on a monthly basis (standard reports provided); |
3.3.5. | Define and document performance indicators; |
3.3.6. | Implement and maintain network performance measurement procedures; and |
3.3.7. | Where feasible and as approved by ACI, standardized (nonproprietary) protocols should be used; |
3.4. | Data Network Equipment; |
3.5. | Data Network Software; |
3.6. | Data transport systems; and |
3.7. | Cabling and wiring, which will be jointly coordinated between Vendor and ACI — in general the work will be contracted to a Third Party on an as-needed basis and, if coordinated by Vendor, Third Party Expenses would appear as a pass through; |
4. | Document the criteria and assumptions used to develop plans and designs, including: |
4.1. | Interoperability considerations and assumptions for all Equipment and Software potentially affected by the Data Network plans and design, including Equipment and Software in other Towers; |
4.2. | Data Network bandwidth and/or volume assumptions and projections; |
4.3. | Expected Data Network performance and quality of service based on designs and plans, and minimum performance and quality of service expectations; and |
4.4. | Expected Data Network availability, based on designs and plans for redundancy, and minimum availability expectations; |
5. | Utilize Data Network design techniques to appropriately prevent broadcast congestion and outages, including: |
5.1. | Design segmentation of Equipment, Data Network traffic, and design features to sufficiently control and contain Data Network traffic levels; and |
5.2. | Design sufficient redundancy and alternative routing to meet the Service Levels and ACI’s security and IT service continuity management requirements; |
6. | Work cooperatively with third-party vendors and ACI staff to facilitate effective planning and design of the Data Network Services; and |
7. | Provide reasonably requested analysis related to the potential operational and financial impact of ACI business plans on network capacity and performance. |
b. | The agreed upon network architecture is delineated in the attached Data Network Diagram. ACI will: |
1. | Provide Vendor with future business requirements for the purpose of Data Network plans and designs; and |
2. | Provide Vendor with Data Network strategy and architecture. |
2.4 | Performance Monitoring and Management Services |
2.4.1 | General Monitoring and Management |
a. | The Vendor’s responsibilities include the following: |
1. | Monitor and manage continuous end-to-end (router-to-router) performance of the Data Network, including: |
1.1. | Monitor the Data Network through to the End User Computing Equipment or other non-Data Network Equipment (e.g., mainframe or server Equipment) to measure and monitor end-to-end performance of the Data Network. From the data center perspective, specifically for bank/FI (Financial Institution) private network lines, monitor from the ACI network to the bank/FI side router and/or bank/FI side server(s). The service would be based upon the total number of end points on the network; |
1.2. | Monitor the level and quality of service of the Data Network, including monitoring compliance with Service Levels; |
1.3. | Monitor and manage the Data Network for service degradation, including detection, isolation, diagnosis, and correction of Incidents during the Service Hours; |
1.4. | Monitor physical and logical connections to the Data Network; |
1.5. | Provide all necessary monitoring, diagnostic, and maintenance systems and Software to meet Data Network monitoring and management requirements; |
1.6. | Support Data Network remote operations and monitoring, including remote diagnostics; remote administration; and remote Incident resolution and, if necessary, travel to remote sites; |
1.7. | Identify actual and potential Data Network bottlenecks; |
1.8. | Provide troubleshooting support for Data Network issues (including general issues where the Data Network issues need to be eliminated as a contributing factor); |
1.9. | Employ element management system tools to monitor events that exceed Data Network design thresholds, as well as: |
1.9.1. | Use the tools to provide automated alarms and indication of Data Network Incidents when thresholds are exceeded; and |
1.9.2. | Integrate the tools to automatically generate an Incident within the Incident management system; |
1.10. | Detect other Data Network-exceeded thresholds or component faults; |
1.11. | Define reporting and corrective action procedures approved by ACI in the event design thresholds are exceeded; |
1.12. | On at least a monthly basis, proactively report to ACI on Data Network performance, resource shortages, utilization statistics, and trends; and |
1.13. | Provide a Web-based service, through the Service Desk Web portal or email or voice, if appropriate, and notices of current system outages to include the Data Network. |
2.4.2 | Capacity and Configuration Management |
a. | The Vendor’s responsibilities include the following: |
1. | Manage Data Network capacity based on current usage and forecasted demand, including: |
1.1. | Monitor Data Network capacity utilization as it relates to established capacity thresholds; |
1.2. | Identify future loads that could impact performance on the Data Network as requested by ACI with a minimum forward view of six (6) months, based on forecasts driven by the work authorization system, demand surveys, and analytical forecasting; |
1.3. | Propose to ACI for its approval, changes to improve performance in anticipation of such future loads, including performance improvement expectations; |
1.4. | Appropriately size inter-location and intra-location Data Network Equipment, Software, and data transport systems; and |
1.5. | Upgrade, remove, or add capacity as otherwise necessary to meet ACI’s requirements, or proactively recommend capacity changes where Vendor is not financially responsible for a specific Data Network component; |
2. | Develop, maintain, and adhere to configuration standards as approved by ACI; and |
3. | Participate in joint quarterly capacity planning reviews with ACI and any third-party vendor designated by ACI. |
b. | ACI will: |
1. | Provide Vendor with requirements for new demands of Data Network resources; and |
2. | Notify Vendor of any future project or change requests that may have a Data Network impact. |
2.4.3 | Performance Optimization |
a. | The Vendor’s responsibilities include the following: |
1. | Optimize and improve the performance and design of the Data Network using data gathered from performance monitoring and forecasting activities; |
2. | Perform regular optimization analyses on at least a quarterly basis, and prior to and following any major transitions or changes; |
3. | Optimize cost-effectiveness and cost-efficiency, without sacrificing performance or the ability to meet the Service Levels; |
4. | Use modeling and other analysis tools where applicable to determine methods of improving the performance; |
5. | Assess and implement alternate methods and procedures to reduce Data Network errors and Data Network downtime; and |
6. | Review optimization activities and plans with ACI on at least a quarterly basis. |
2.5 | Data Transport Support Services |
2.5.1 | Data Transport Services |
a. | The Vendor’s responsibilities include the following: |
1. | Where the Vendor is financially responsible for data transport Services, as indicated in Exhibit C-2 (Financial Responsibility and Ownership Matrix) to Schedule C (Charges): |
1.1. | The Vendor is entirely responsible for the procurement and delivery of data transport Services to ACI; and |
1.2. | The Vendor is entirely responsible for managing the existing data transport Services that are in place for office and data center networks, including managing the relationship and managing any direct or pass-through costs for any data transport Services owned/managed by external vendors. |
2.5.2 | Data Transport Systems |
a. | The Vendor’s responsibilities include the following: |
1. | Schedule, coordinate, and perform support activities for data transport systems in accordance with schedules approved by ACI, including: |
1.1. | Coordinate and manage the installation, testing, and support activities of transport vendors and vendors who contract with data transport vendors; |
1.2. | Perform additions and upgrades to data transport systems; |
1.3. | Perform changes to data transport systems; and |
1.4. | Perform deletions to data transport systems; |
2. | Check that data transport vendors acknowledge orders on a timely basis; |
3. | Provide Level 1 and 2 technical support for the data transport systems; |
4. | Review and report monthly on the load and latency of data transport systems; |
5. | Provide a monthly acceptance report, including quality assurance information, prior to accepting billing for newly installed data transport Services; |
6. | Track and update relevant data transport system information in the Data Network management systems and asset inventory and management system; |
7. | Promptly disconnect the data transport systems upon the termination or reduction of data transport Services at a Location; |
8. | Ensure billing has promptly ceased upon the termination or reduction of data transport Services at a Location; |
9. | Remove all applicable Equipment upon the termination or reduction of data transport Services at a Location, or arrange for return of any ACI (bank/FI) owned Equipment; and |
10. | Verify that ACI will not be responsible for data transport Services payments associated after applicable data transport Services have been terminated or reduced. |
2.6 | Data Network Connectivity and Operations Services |
2.6.1 | Data Network Control and Connectivity Services |
a. | The Vendor’s responsibilities include the following: |
1. | Obtain approval from ACI prior to establishing Connectivity from the ACI Data Network to Vendor facilities or external networks; |
2. | Manage and control Connectivity to and between all Locations and external networks, including dedicated and all remote access connectivity; and |
3. | Manage and operate all Data Network Equipment and Software necessary to enable Connectivity, (or manage vendor actions for any vendor-managed Data Network Equipment and Software), including: |
3.1. | Configure Data Network Equipment, Software, data transport systems, and cabling; |
3.2. | Install Data Network Equipment, Software, data transport systems, and cabling; |
3.3. | Test Data Network Equipment, Software, data transport systems, and cabling; |
3.4. | Implement Data Network Equipment, Software, data transport systems, and cabling; |
3.5. | Support and monitor Data Network Equipment, Software, data transport systems, and cabling; |
3.6. | De-install and remove Data Network Equipment, Software, data transport systems, and cabling as required; |
3.7. | Verify Connectivity of the Infrastructure and all other directly connected devices; and |
3.8. | For production data centers, ensure that all Data Network Equipment and Software is supported under a vendor maintenance agreement and replacement parts are available on-site in time for Vendor to meet the Service Levels. |
2.6.2 | Other Data Network Operations Services |
a. | The Vendor’s responsibilities include the following: |
1. | Develop acceptance test procedures for installation and changes to the Data Network, and for verifying restoration of availability following problems with the Data Network; |
2. | Manage media, including off-site storage; |
3. | Manage the naming and addressing of all Data Network devices based on schemes approved by ACI, including: |
3.1. | Document the current addressing scheme; and |
3.2. | Implement, coordinate, and update new addressing schemes, including developing associated migration plans; |
4. | Compose, edit, and download configuration files to Equipment using administration platforms designed to provide a single point of control, dissemination, and rollback capability; and |
5. | When installing or conducting changes to Data Network Equipment and Software at Locations, implement protection against lightning strikes (in accordance with industry practices), electric noise, power surges, and unauthorized access in accordance with the Change Management procedures and ACI’s security requirements. |
b. | ACI will provide requirements and approval to Vendor for naming and addressing schemes. |
2.7 | Installs, Moves, Adds and Changes (IMACs) Services |
a. | The Vendor’s responsibilities include the following: |
1. | Plan, schedule, manage, and/or perform IMACs as requested and approved by ACI at the Locations and Vendor-managed Locations on all hardware and software supported by the Vendor, including: |
1.1. | “Hard IMACs” (Hard IMACs are for Equipment); and |
1.2. | “Soft IMACs” (Soft IMACs are for Software, firmware or microcode and are done remotely); |
2. | Receive, validate, and track all IMAC orders from End Users; |
3. | Install, maintain, and upgrade connections; |
4. | Use an automated system accessible to End Users by means of an online browser to track IMAC activity and produce reports on these activities on a monthly basis; |
5. | Monitor client satisfaction and closely monitor Service Levels throughout the IMAC activity; |
6. | With respect to authorized IMAC requests, execute the IMAC including: |
6.1. | Coordinate Vendor, ACI, and any third-party vendors to achieve high-quality execution of all IMACs; |
6.2. | Obtain or procure all required components and services necessary to perform IMAC Services; |
6.3. | Coordinate space requirements and logistics; |
6.4. | Coordinate, with the ACI Focal Point, pre-installation Location surveys to confirm that the Locations are properly surveyed and prepared to prevent delays in IMAC activities; |
6.5. | Coordinate and install changes to the cabling and other Infrastructure or Equipment for which the Vendor is responsible; |
6.6. | Schedule and dispatch technicians; |
6.7. | Perform related Software installs and upgrades; |
6.8. | Perform backups and reloads of data and Software; |
6.9. | Perform configuration functions; |
6.10. | For Hard IMACs, perform on-site operational testing, and provide appropriate back-out procedures as required; |
6.11. | Coordinate with the ACI Focal Point, for the End Users to test and verify the operation of all applications that utilize or depend on the Data Network resources being modified; |
6.12. | Provide on-site support as required to resolve Incidents associated with large-scale installations or moves (whether BAU or Project to be determined by the project scope and/or by mutual agreement based on the nature of the Incident); |
6.13. | Update the asset inventory and management system in a timely manner when any Data Network Equipment or Software changes are made by the Vendor or reported by ACI, along with all other related documentation (network topology maps in particular); and |
6.14. | Set up security, file access, and other administrative procedures associated with IMACs. |
b. | ACI will provide an ACI Focal Point for pre-installation Location surveys for IMAC activity. |
2.8 | Physical Network Environment Services |
2.8.1 | Site Information and Documentation Services |
a. | The Vendor’s responsibilities include creating and maintaining the following: |
1. | Based upon the asset inventory and other site information provided to Vendor by ACI, document the current physical environment at the Locations, including: |
1.1. | Data transport systems; |
1.2. | Data Network Equipment; |
1.3. | Data Network connections (virtual and physical); |
1.4. | Demarcation of responsibilities and physical environment comprising the WAN and LAN; |
1.5. | Power, UPS, and overall space requirements; |
1.6. | Cabling and wiring; |
1.7. | Data transport vendor point of entry; and |
1.8. | Other relevant environmental requirements and/or attributes that are unique to a Location; |
2. | Document Location survey information and asset information in the asset inventory and management system; and |
3. | Maintain Locations lists, Data Network diagrams, and other Data Network documentation and information. |
b. | ACI will provide Vendor with Location survey and physical environment information. |
2.8.2 | Power Supply |
a. | The Vendor’s responsibilities include the following: |
1. | Connect and maintain Equipment at ACI’s facilities to uninterruptible power supplies (UPS), as required by ACI; |
2. | When required, install UPS which may be on a Project basis; and |
3. | For production data centers: |
3.1. | Monitor and ensure continual uptime of all power supplies, including both primary and secondary power supplies on Data Network Equipment. |
2.8.3 | Cabling and Wiring Services |
1. | Plan, procure, install, operate, administer, maintain, and manage the cabling and intra-floor and inter-floor wiring, within the Vendor physical demarcation boundaries as depicted in the Data Network Diagrams in this Exhibit; |
2. | Operate and maintain systems, including the physical cable plant, cable plant switching devices, encryption/security devices, intelligent/non-intelligent wiring hubs, and the various monitoring devices; |
3. | Provide for demarcation extensions from telco demark point to the ACI network; |
4. | Manage cable installations, repairs, and removal using a Software-based cable plant management system where applicable (i.e., in large installations with five (5) or more demarcations); |
5. | Interact with ACI real estate, landlord management, and other End Users so that cabling and wiring requirements are properly communicated and managed; |
6. | Coordinate with data transport vendor representatives for the planning, delivery, and maintenance of circuits; demarcation points; termination equipment; power and air conditioning (A/C) (if original building specification is at capacity and subject to agreed-upon funding by ACI); rack space; wall space; and plywood or other backboard materials needed for mounting distribution frames; |
7. | For each new installation, communicate accurate cabling and wiring specifications and costs to ACI real estate representatives no less than four (4) weeks in advance of installation; |
8. | Document changes to the cabling and wiring plan in the Location survey records, and all changes thereto in the asset inventory and management system; |
9. | Comply with ACI cabling and wiring standards; |
9.1. | In the absence of an ACI standard, use industry standards that meet or exceed local code or other requirements of applicable authorities; |
10. | Document, label, and map cable runs in the appropriate Location survey records; |
11. | Use ACI-approved and certified cable and wire installers to perform cabling and wiring Services; |
12. | Maintain up-to-date cable records in communications closets, wiring distribution rooms, and other areas where a high concentration of cabling exists; and |
13. | Maintain a secure, clean, well-lit, clutter-free cabling environment in all telecommunications closets and cable plant areas. |
PORTIONS OF THIS DOCUMENT DENOTED BY BOXES
AND ASTERISKS BE ACCORDED CONFIDENTIAL
TREATMENT PURSUANT TO RULE 24b-2
PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
2.9 | Software Currency and Support Services |
a. | The Vendor’s responsibilities include the following: |
1. | Interface with other ACI third-party vendors to promote compatibility of Data Network systems, and manage the subcontractors that provide Software support to Data Network products for which the Vendor is responsible; |
2. | Fully test all code revisions, which also should have been used in the commercial marketplace, before their installation on the Data Network (e.g., version 1.xx); |
3. | Proactively notify ACI of availability of new versions of Software, including analysis of impact and/or value of the new version of Software (e.g., fixes and new features applicable to ACI technical and business environments); and |
4. | Coordinate that production levels are fully supported by third-party vendors; maintain a record (for each product in production) of version history and associated availability, as well as of any announced end-of-support or end-of-availability dates. |
2.10 | Network Security Services |
a. | A [ * ] MPLS closed network used for internal purposes will satisfy current requirements. In addition, the non-MPLS network (solution includes provisioning and support of both MPLS and non-MPLS circuits) which includes encryption in the firewall (a supported piece of Equipment) also satisfies current requirements. The Vendor’s responsibilities include the following: |
1. | Implement and maintain security tools, procedures, and systems required to protect the integrity, confidentiality, and availability of the ACI Data Network and data on the Data Network; |
1.1. | ACI will approve the selection of the security tools; |
2. | Comply with ACI’s Data Network security policies (described in Schedule J (ACI Policies and Standards)), whereby the Vendor will follow the best practices of either ACI or Vendor, whichever requires greater security based on reasonable and prudent standard practices, with approval by ACI; |
3. | Perform quarterly assessments of risk exposure including: |
3.1. | Gap analyses to indicate exposure to security threats; |
3.2. | Action plans to address gaps; and |
3.3. | Ratings to gauge progress against closure of gaps; |
4. | Provide access to and/or assist ACI’s designated third-party vendors in performing vulnerability assessments (of the Vendor support network infrastructure) [ * ] from ACI; |
5. | Perform reactive security assessments and Incident and problem determination in accordance with ACI network security policies; |
6. | Activate appropriate security monitoring tools, and back up and analyze the logs from these tools, in accordance with ACI security requirements; |
7. | Provide recommendations to remediate the gaps identified by analyzing the logs; |
8. | Utilize Access Control Lists (ACLs) on all networking devices in accordance with ACI network security policies; |
9. | Ensure proper isolation and separation of LAN and WAN traffic originating from and destined for ACI’s and remote sites (i.e., ensure and prevent individual bank/FI traffic from being able to be routed to other bank/FI locations or ACI Locations); |
10. | Take reasonable and appropriate action designed to prevent unauthorized access to the Data Network, in accordance with ACI’s requirements. This will include the following, where appropriate: |
10.1. | Use IPSEC security protocols for access for external networks that use IPSEC. The release and version of the selected software should stay [ * ] as agreed to by ACI; and |
10.2. | Shut down the Services to prevent further unauthorized access based upon joint agreement with the ACI Security group; and |
11. | Monitor usage patterns and investigate and report significant discrepancies in those patterns no later than [ * ] after their detection. |
3.0 | WIDE AREA NETWORK (WAN) SERVICES |
3.1 | WAN Services — Technical Requirements |
a. | The Vendor’s responsibilities include the following: |
1. | Comply with or improve (subject to ACI’s approval) the WAN technical specifications as supplied by ACI, and as modified during the Term; |
2. | Install and maintain WAN Connectivity for approved End Users at all applicable Locations, as listed in Schedule P (Locations); |
3. | Manage a multi-protocol WAN, to include: |
3.1. | Manage the currently supported ACI protocols [ * ] and |
3.2. | Manage application-specific network addressing schemes [ * ] and |
4. | Provide a data transport Services profile that complies with applicable open system standards and specifications [ * ]. |
b. | The following items are part of new client addition activities that will be handled as a Project or BAU as agreed by the Parties on a case-by-case basis: |
1. | Provide WAN options to ACI’s bank/FI customers including (but not limited to) Frame Relay, MPLS, T1, and site-to-site (B-to-B) VPN; |
2. | On-site assistance or dispatch for on-site assistance for customer-owned equipment; |
3. | Rack and cabling new equipment; |
4. | All activities related to planning and conducting network equipment replacements and upgrades; |
5. | Escalations to network equipment vendors and all activities for information gathering and troubleshooting failures and issues; |
6. | Configuration and troubleshooting of equipment; |
7. | Sniffer/packet capture and analysis; |
8. | Deploy, manage, and support ACI-managed bank/FI customer routers; |
9. | Follow ticket and escalation process and work with [ * ] to deploy, manage, and support [ * ] routers; |
10. | Bank/FI customer routers and dispatches for on-site assistance; and |
11. | Follow ticket and escalation process and work with [ * ] for dispatches for on-site assistance. |
3.2 | WAN Services – Internet Access Services |
a. | The Vendor’s responsibilities include the following: |
1. | Configure, install, test, support, monitor and maintain the Data Network and Data Network Equipment used to access the Internet; |
1.1. | This will include Connectivity support of high-speed servers to the Internet, and Connectivity with firewall protection in accordance with ACI’s information security standards; and |
1.2. | For production data center environments, ensure that all Data Network Equipment and Software is supported under a vendor maintenance agreement and replacement parts are available on-site in time for Vendor to meet the Service Level; |
2. | Manage Internet access and redundant data transport facilities; |
3. | Manage routes and filtering as necessary, working in conjunction with the ACI Security group to determine specific filtering levels. The ACI Security group should be provided management access to all logs involved; and |
4. | Deliver DNS services for domains required by the Vendor to manage the Equipment. |
3.3 | WAN Services – Extranet Access |
a. | The Vendor’s responsibilities include the following: |
1. | Support and maintain the Extranet and WAN DMZ environments between ACI and its partners, Third Party vendors, and customers; |
2. | Support and maintain high-speed circuits in a shared DMZ environment, and provide Connectivity with firewall protection in accordance with ACI’s information security standards; |
3. | Assist ACI with defining any security policies, permission, etc. that may be applicable specifically to the shared DMZ between ACI and other parties; |
4. | Configure, install, test, operate, and maintain ACI’s Extranet for all applicable End User computing devices or servers; |
5. | Use connection-based, session-based, or message-based services as appropriate, depending on the specific requirements of each End User, and support minimal and optional features as follows: |
5.1. | Employ appropriate encryption measures, such as Triple DES, IPSEC, AES, etc.; |
5.2. | Provide for and maintain confidentiality of transmitted data; |
5.3. | Provide authentication of parties exchanging data; and |
5.4. | Ensure no user account sharing is allowed; |
6. | Manage Extranet access and transport, inclusive of related Internet access and transport; |
7. | Configure, install, test, operate, monitor and maintain high-speed transport facilities to Internet servers for Extranet data access and file transfers; and |
8. | Manage routes and filtering as necessary to operate the Extranet Access Service, working in conjunction with the ACI Security group to determine specific filtering levels. The ACI Security group should be provided management access to all logs involved. |
4.0 | LOCAL AREA NETWORK (LAN) SERVICES |
4.1 | LAN Services – Technical Requirements |
a. | The Vendor’s responsibilities include the following: |
1. | Install and maintain LAN Connectivity for approved End Users at all applicable Locations, as listed in Schedule P (Locations); |
2. | Provide ACI with a TCP/IP LAN network; |
3. | Manage the currently supported ACI protocols [ * ] |
4. | Manage ACI’s application-specific network addressing schemes [ * ] |
5. | Provide Vendor transmission Services profile that complies with applicable open system standards and specifications [ * ] |
6. | Use intelligent Data Network devices and systems to monitor LANs remotely; and |
7. | For production data centers, ensure that all Data Network Equipment and Software is supported under a vendor maintenance agreement and replacement parts are available on-site in time for Vendor to meet the Service Levels. |
4.2 | LAN Services – Installation and Removal Services |
a. | The Vendor’s responsibilities include the following: |
1. | Deploy new LAN Equipment and related Software to meet the Service Levels and in accordance with the IMAC process definitions; |
2. | Implement LAN connection(s) for new End Users as specified in the IMAC process; |
3. | Implement a dual LAN connection for production servers and network equipment, such as to provide connectivity to two physically separate network switches; |
4. | Configure and activate the appropriate LAN Equipment monitoring agent; and |
5. | Test LAN Equipment after implementation to include remote monitoring through agents and monitoring systems. |
5.0 | VIDEO CONFERENCING SERVICES |
1. | SSL via multiple network appliance devices [ * ] scattered geographically throughout the network; |
2. | Secure Broadband connectivity via Third Party vendor services [ * ]; and |
3. | Dial-up connectivity globally via Third Party vendor services [ * ] in which calls are placed through local numbers and routed via [ * ] services into the ACI corporate network. |
1. | OS level and service patch; |
2. | A running copy of Antivirus Software; and |
3. | Antivirus definition files that are within [ * ] of the current date. |
1. | SSL via a standard set of AT&T supported VPN devices which include [ * ] These devices will be centralized; |
2. | Secure Broadband connectivity using [ * ] and |
3. | Dial-up connectivity globally via [ * ] in which calls are placed through local numbers and routed via AT&T services into the ACI corporate network. |
THE PORTIONS OF THIS DOCUMENT DENOTED BY
BOXES AND ASTERISKS BE ACCORDED
CONFIDENTIAL TREATMENT PURSUANT TO RULE
24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
1. | INTRODUCTION |
2. | SECURITY COMPLIANCE AND REGULATORY |
2.1 | Security Policy Management |
a. | Vendor will: |
(1) | with ACI’s assistance, gather information to document the security controls ACI has in place as of the Effective Date to establish ACI’s IT security baseline and to define the technical specifications for the systems managed by Vendor; |
(2) | perform a gap analysis between the security controls ACI has in place as of the Effective Date and the Information Security Controls Document; |
(3) | provide an initial threat identification summary based on the gap analysis and update the threat identification summary every 18 months thereafter; such summary will contain: |
(a) | identified threats organized by the [ * ] clauses, and |
(b) | suggested remediation actions for each identified threat; |
(4) | with ACI’s assistance, develop and implement the security document that is used to capture the security policies and technical controls that Vendor will implement, as requested by ACI, on Vendor managed systems, servers and networks (“Information Security Controls (ISeC) Document”); this is a critical deliverable and is to be included in the Process Interface Manual; |
Exhibit A-8 — Enterprise Security Management Services
Page 1 of 15
(5) | define and document the privileged User IDs in the platform-specific technical specifications set forth in the Information Security Controls Document; and |
(6) | on a periodic basis, review the Information Security Controls Document with ACI and update, as appropriate. Interim changes can be accepted but a formal review and update will be performed only [ * ]. |
b. | ACI will: |
(1) | assist Vendor in documenting the security controls ACI has in place as of the Effective Date; |
(2) | provide contact, security policies and IT infrastructure information and any updates as they occur; |
(3) | assist Vendor in developing the Information Security Controls Document; |
(4) | review the threat identification summary and take action, as appropriate; and |
(5) | on a periodic basis, review the Information Security Controls Document with Vendor and provide recommended updates, as appropriate. Interim changes can be accepted but a formal review and update will be performed only every 18 months. |
2.2 | Security Compliance Support |
a. | Vendor will: |
(1) | perform periodic security reviews to validate compliance (for example, validating access authorization per ACI’s instruction, the correct use of logical control features) based on ACI’s security framework; and |
(2) | identify and manage security risks and exposures within Vendor’s control as part of the Services based on ACI’s security framework; |
(3) | in the course of their day-to-day support of the ACI security services, advise ACI in the event that a process appears to be non-compliant with Vendor’s understanding of industry-wide conventions; and |
(4) | as a part of its annual technology review and its 18 month security review, provide industry perspective on security compliance trends and regulatory changes and provide an industry update on security and regulatory changes. |
b. | ACI will identify and interpret legal, regulatory or other security requirements applicable to ACI’s business and provide those requirements to Vendor for implementation. |
2.3 | Security Audit Management |
a. | Vendor will: |
(1) | provide a Vendor Focal Point with responsibility for account security audits; |
(2) | notwithstanding anything in the Agreement to the contrary, [ * ]; |
(3) | communicate with and respond to auditor’s requests; |
(4) | provide relevant data for security audits and reviews such as SAS70 Type II Audits described in the MSA and [ * ] as necessary; |
(5) | perform non-compliance support audit activities for Vendor internal audits, external client reviews and Third Party reviews; and |
(6) | coordinate issues resolution identified during the security audit process and provide recommendations for resolution, and provide resolution as it pertains to the scope of Vendor’s responsibility. |
b. | ACI will: |
(1) | provide an ACI Focal Point with responsibility for account security audits; |
(2) | during the Transition Period, perform a review of each Rebadged Employee’s system access authorizations to confirm the need for the same access requirements following the Effective Date and advise Vendor of any required changes which are congruent with applicable global privacy laws and regulations; and |
(3) | provide Vendor with ACI’s security audit history (both internal and external) and security policies, standards and practices in effect as of the Effective Date and any updates as they occur. |
2.4 | Regulatory Program Management |
a. | Vendor will: |
(1) | assist ACI in the development of testing criteria for ACI-identified regulatory controls and implement them, as appropriate in accordance with Vendor’s and ACI’s security framework; |
(2) | utilize Vendor processes, tools, and infrastructure, as appropriate, and maintain supporting documentation in support of ACI-identified regulatory controls; |
(3) | in accordance with the ACI-identified regulatory controls, manage regulatory training for Vendor and maintain supporting documentation; and |
(4) | notwithstanding anything in the Agreement to the contrary, provide [ * ]. For purposes of clarity, [ * ]. |
b. | ACI will: |
(1) | provide ACI-identified regulatory controls; and |
(2) | develop, with Vendor’s assistance, testing criteria for ACI-identified regulatory controls. |
3. | SECURITY MANAGEMENT |
a. | Vendor will: |
(1) | provide a Vendor Focal Point with responsibility for day-to-day security management; |
(2) | review changes made or requested by ACI to its security policies and standards and advise ACI whether or not such changes: |
(a) | can be implemented; and |
(b) | if implemented, will be considered a New Service; |
(3) | perform risk and issue management, including: |
(a) | establishing procedures for logging, alarming and reporting of security violations and issues; |
(b) | managing to resolution security risks identified as a result of reviews and audits; changes in Vendor or ACI environment; and changes in operating practices, processes or technology; |
(c) | notify relevant parties of the risks, their potential impact and actions to mitigate the impact; and |
(d) | provide security procedures and knowledge transfer for ACI Focal Point on Vendor security management methodology and tools; and |
(4) | provide monthly security reports as required under this Agreement. |
b. | ACI will: |
(1) | provide an ACI Focal Point with responsibility for day-to-day security management; |
(2) | communicate the security procedures to End Users (for example, login procedures, password requirements, use of Antivirus programs, data and Equipment security procedures); |
(3) | notify Vendor of changes ACI plans to make to its security policies and standards before implementation; and |
(4) | provide any additional or unique resources (for example, hardware, software or other components, personnel) and perform any site modifications required to enable Vendor to implement ACI’s security requirements per ACI’s access policies and standards. |
4. | INFRASTRUCTURE PROTECTION |
4.1 | Emergency Response Services |
a. | Vendor will: |
(1) | provide telephone support for remote security Incident response; |
(2) | perform initial security Incident consultation (scope and roles to be defined separately in Process Interface Manual); |
(3) | with ACI’s assistance, develop customized emergency response plans to help minimize the effect of future attacks; and |
(4) | provide advice and guidance on such topics as Internet security Incident assessment, preparedness, management, and response. |
b. | ACI will: |
(1) | assist in the development of customized emergency response plans; |
(2) | declare a security Incident; |
(3) | determine if a security Incident is a commercial privacy breach and implement emergency response plan, as appropriate; |
(4) | escalate declared security Incidents in the ACI organization, as appropriate; and |
(5) | provide contact and IT infrastructure information and any updates as they occur. |
4.2 | X-Force Threat Analysis Services |
a. | Vendor will: |
(1) | manage daily security threats through comprehensive evaluation of global online threat conditions and detailed analyses tailored for ACI; |
(2) | provide daily summaries of current, and forecast assessments for, active vulnerabilities, viruses, worms and threats, including links to recommended fixes and security advice; |
(3) | provide customized and configurable notifications and current alert status; and |
(4) | provide alert trending and attack metrics. |
b. | ACI will: |
(1) | provide a list of End User e-mail addresses to be monitored and any updates as they occur; and |
(2) | maintain a list of End User notification preferences. |
4.3 | Managed Intrusion Detection |
a. | Vendor will: |
(1) | monitor, manage, configure and support network intrusion detection sensors; |
(2) | actively and passively monitor network traffic and block known malicious activity in accordance with the security policy configuration; |
(3) | escalate security events and Incidents via e-mail or the web portal, as appropriate; |
(4) | report findings following each escalation; |
(5) | provide high-level and in-depth reporting via the web portal on the security of ACI’s networks; |
(6) | assist ACI with resolving and remediating security events; and |
(7) | perform security policy configuration changes needed to resolve network connectivity issues and critical attacks. |
b. | ACI will: |
(1) | have access to IDS information; |
(2) | be responsible for resolving and remediating security events; |
(3) | provide information regarding ACI’s IT infrastructure and notify Vendor of changes made to such infrastructure that could impact the Services; and |
(4) | request policy configuration changes needed to resolve network connectivity issues. |
4.4 | Managed Protection Services |
4.4.1 | Server |
a. | Vendor will: |
(1) | monitor, manage and configure Vendor Internet Security Systems (“ISS”) protection agents; |
(2) | provide server-based protection securing the underlying operating system by preventing attackers from exploiting the operating system and application level vulnerabilities; |
(3) | monitor all traffic to and from the servers: |
(a) | in compliance with ACI’s security framework, provided to Vendor (specifically PCI); |
(b) | to detect and prevent inbound and outbound attacks; and |
(c) | block new and unknown attacks such as Trojans, brute force attacks, unauthorized access and worms; |
(4) | escalate security events via e-mail or the web portal, as appropriate; |
(5) | implement virtual patches which provide active blocking capabilities so ACI is secure until patching of servers; |
(6) | provide Incident report following each escalation; |
(7) | assist ACI with resolving and remediating security events; and |
(8) | provide high-level and in-depth reporting via the web portal on the security of ACI’s servers. |
b. | ACI will: |
(1) | be responsible for resolving and remediating security events (ACI and Vendor roles to be defined separately); |
(2) | provide information regarding ACI’s IT infrastructure and notify Vendor of changes made to such infrastructure that could impact the Services. |
TREATMENT FOR THE PORTIONS OF THIS AGREEMENT
DENOTED BY BOXES AND ASTERISKS PURSUANT TO
RULE 24b-2 PROMULGATED UNDER THE SECURITIES
EXCHANGE ACT OF 1934 PURSUANT TO AN ORDER
FROM THE SECURITIES AND EXCHANGE COMMISSION
ISSUED ON MAY 6 2008.
4.5 | Security Event and Log Management Services |
a. | Vendor will: |
(1) | collect security or log data in a text-based format; |
(2) | archive, analyze, correlate and trend events and logs, while managing response and remediation workflow; |
(3) | provide security events and log data online for one year; and |
(4) | analyze security events from select intrusion detection and intrusion prevention devices and provide alerts via the web portal. |
b. | ACI will: |
(1) | provide a list of devices and other required information (i.e., platform, software revision and version, IP addresses, log retention period per device) for which events and logs will be collected; |
(2) | update access control lists (ACLs) and firewall rules required for identified devices to communicate with Vendor; and |
(3) | install universal log agent on data sources, as applicable. |
4.6 | URL Filtering |
a. | Vendor will: |
(1) | with ACI’s assistance, develop, implement and maintain the URL filtering policy, including violation reporting procedures; |
(2) | install, test, configure and maintain the URL filtering environment; |
(3) | in accordance with the URL filtering policy, control End User access to web sites (i.e., allow or block access based on person(s), groups, time of day, IP addresses, bandwidth or time allotment); |
(4) | notify ACI, in accordance with the established procedures, of URL filtering violations; and |
(5) | provide monthly URL monitoring reports. |
b. | ACI will: |
(1) | provide ACI’s business guidelines for End User Internet access and any updates as they occur; |
(2) | assist Vendor in developing and implementing the URL filtering policy, including violation reporting procedures; and |
(3) | provide contact and IT infrastructure information and any updates as they occur. |
4.7 | E-mail Security |
a. | Vendor will: |
(1) | for anti-spam: |
(a) | with ACI’s assistance, develop, implement and maintain the e-mail security policy, including violation reporting procedures; |
(b) | scan ACI’s inbound e-mail for spam; |
(c) | provide ACI with the capability to create filters to prevent spam and allow e-mail (i.e., black list, white list); |
(d) | using ACI provided black list and white list, identify spam and take action in accordance with the e-mail security policy (i.e., tag, redirect, delete); |
(e) | provide secure password access to a proprietary Internet-based reporting and management tool which allows ACI to view data and statistics and offers a number of configuration and management facilities; and |
(f) | provide weekly and monthly security reports via e-mail. |
(2) | for porn filtering: |
(a) | with ACI’s assistance, develop, implement and maintain the e-mail security policy, including violation reporting procedures; |
(b) | scan ACI’s inbound and outbound e-mail to detect potentially suspected pornographic images; |
(c) | implement sensitivity settings and routing options in accordance with the e-mail security policy (for example, e-mail containing suspect images can be logged only, tagged, sent or copied to a designated system administrator or deleted); |
(d) | provide secure password access to a proprietary Internet-based reporting and management tool which allows ACI to view data and statistics and offers a number of configuration and management facilities; and |
(e) | provide weekly and monthly security reports via e-mail. |
(3) | for e-mail Antivirus: |
(a) | with ACI’s assistance, develop, implement and maintain the e-mail security policy, including violation reporting procedures; |
(b) | scan ACI’s Internet level e-mail to detect viruses (i.e., known and unknown); |
(c) | notify appropriate contact (for example, e-mail sender, intended recipient, e-mail administrator), in accordance with the established procedures, if an e-mail or attachment contains a virus; |
(d) | handle infected e-mail in accordance with the established procedures; |
(e) | notify ACI of any virus infected e-mail that Vendor was unable to intercept; |
(f) | provide secure password access to a proprietary Internet-based reporting and management tool which allows ACI to view data and statistics as well as offers a number of configuration and management facilities; and |
(g) | provide weekly and monthly security reports via e-mail. |
b. | ACI will: |
(1) | configure an anti-spam black list and white list; |
(2) | provide ACI’s business guidelines for End User e-mail security and any updates as they occur; |
(3) | assist Vendor in developing and implementing the e-mail security policy, including violation reporting procedures; |
(4) | address any virus infected e-mail that Vendor was unable to intercept; and |
(5) | provide contact and IT infrastructure information and any updates as they occur. |
5. | SYSTEM CURRENCY |
5.1 | System Security Checking |
a. | Vendor will: |
(1) | install, test and maintain security policy verification software; |
(2) | perform system security checks of managed mainframes, mid-range servers, network devices, and system tools to validate compliance with the technical specifications documented in the [ * ]. System security checks will be performed on a sample of systems. Checks will verify that: |
(a) | Antivirus software is functional and operating on Supported Servers; |
(b) | technical controls to enforce operating system password policy are in place; and |
(c) | logs of privileged access and log-on/log-off activities are being captured as defined in the Information Security Controls Document technical specifications; and |
(3) | document identified issues and take corrective action on the findings, as appropriate. |
b. | ACI will permit Vendor to access systems as necessary to perform system security checks per ACI’s access policy, processes and standards. |
5.2 | Security Advisory and Integrity |
a. | Vendor will for operating systems, software tools, and network infrastructure systems and devices (including desktop Equipment) managed by Vendor: |
(1) | monitor security patches; |
(2) | notify ACI within 3 Business Days of Vendor-rated high severity security patches or earlier depending on the criticality identified by the Vendor CERT team; |
(3) | install ACI-approved security patches within the following security change window parameters: |
(a) | minimum [ * ] security change window; |
(b) | [ * ] servers thereafter; and |
(c) | In the case of a high CERT criticality, implement the patch as per the CERT guidelines. |
b. | ACI will: |
(1) | evaluate advisory notifications from Vendor and approve security patches for installation at least one Business Day before scheduled implementation date; and |
(2) | provide an environment for testing security patches and perform such tests, as appropriate. |
5.3 | Malware Defense Management |
a. | Vendor will: |
(1) | install, test and maintain anti-malware software on Supported Servers and Windows Supported Desktops; |
(2) | push anti-malware definitions, vendor product updates, and policy and configuration updates to Supported Servers and Supported Desktops, as appropriate; |
(3) | if malware is detected, take corrective action in accordance with the Information Security Controls Document (i.e., prevent, detect and remove malware infections and respond to malware security incidents); |
(4) | notify ACI, in accordance with the established procedures, if malware is detected on a Supported Server or Supported Desktop; |
(5) | perform virus definition, pattern file updates and policy configuration; and |
(6) | provide monthly malware defense management reports. |
b. | ACI will provide ACI’s security policy and any updates as they occur. |
5.4 | Vulnerability Management Services |
a. | Vendor will: |
(1) | maintain a list of ACI IP addresses to scan; |
(2) | identify vulnerabilities within the network perimeter using Vendor policies; |
(3) | perform historical trending of vulnerability data; |
(4) | provide vulnerability scanning reports which include: |
(a) | scan results reflecting identified vulnerabilities for corrective action to be taken, as appropriate; and |
(b) | summary reports and trend analysis provided via the web portal; |
(5) | with ACI’s assistance, schedule and perform scans; |
(6) | develop and maintain the scanning profile containing the following: |
(a) | system and network devices to be scanned; |
(b) | frequency of scanning; |
(c) | type of scan; |
(d) | vulnerabilities that are not security policy violations; and |
(e) | time frames when scans will be executed. |
b. | ACI will: |
(1) | assist Vendor in developing the scanning profile containing the following: |
(a) | system and network devices to be scanned; |
(b) | frequency of scanning; |
(c) | type of scan; |
(d) | vulnerabilities that are not security policy violations; and |
(e) | time frames when scans will be executed; and |
(2) | be responsible for resolving application-related issues discovered during a vulnerability scan. |
6. | IDENTITY AND ACCESS |
6.1 | Management of Privileged User IDs and Vendor User IDs |
a. | For the operating systems, software tools and network infrastructure systems and devices under Vendor management, Vendor will: |
(1) | with ACI’s assistance, perform a baseline inventory of access IDs; |
(2) | perform the following provisioning and compliance activities: |
(a) | provision and manage User IDs for Vendor personnel to include special access and emergency access needs; |
(b) | perform employment verification upon hire and termination for Vendor personnel and remove Vendor User IDs, as appropriate; |
(c) | administer passwords for Vendor User IDs and privileged User IDs; |
(d) | provision and manage the Vendor and ACI privileged User IDs as defined in the platform-specific technical specifications set forth in the Information Security Controls Document; |
(e) | revalidate privileged authorizations annually and remove privileged User IDs, as appropriate; and |
(f) | provide ACI a list of ACI privileged User IDs for revalidation on request; |
(3) | maintain audit records for privileged User ID approvals, verifications and revalidations and retain such records for two years; |
(4) | provide for ACI’s review and approval, as appropriate, non-expiring passwords and policy exception requests; and |
(5) | capture system security logs of privileged access and log-on/log-off activities as defined in the Information Security Controls [ * ]. |
b. | ACI will: |
(1) | assist Vendor in performing a baseline inventory of access IDs for the systems for which Vendor has security responsibility; |
(2) | authorize and manage non-privileged User IDs and passwords for ACI personnel for the operating systems, software tools and network infrastructure systems and devices under Vendor management; |
(3) | revalidate ACI privileged User IDs; and |
(4) | approve non-expiring passwords and policy exception requests, as appropriate. |
6.2 | Password Management for ACI User IDs |
a. | Vendor will: |
(1) | perform password resets for User IDs using ACI-provided and maintained employee authentication data; and |
(2) | investigate ACI User ID password issues, as identified by ACI. |
b. | ACI will: |
(1) | provide and maintain employee authentication data for ACI User IDs; and |
(2) | establish the criteria for resetting passwords and disclosing such passwords to authorized personnel. |
6.3 | ACI User ID Lifecycle Administration |
a. | For the operating systems, software tools and network infrastructure systems and devices under Vendor management, Vendor will: |
(1) | provision and manage ACI-identified User IDs for ACI personnel; and |
(2) | investigate ACI User ID security issues, as identified by ACI. |
b. | ACI will: |
(1) | identify ACI User IDs; and |
(2) | provide approved provisioning requests for User IDs for ACI personnel. |
6.4 | ACI User ID Administration Compliance Support |
a. | For ACI User IDs in-scope for ACI User ID Lifecycle Administration Services, Vendor will: |
(1) | perform annual employment verification and User ID revalidation for ACI personnel and remove User IDs, as appropriate; |
(2) | perform annual revalidation of privileges and access to shared User IDs and remove such privileges and access, as appropriate; |
(3) | maintain audit records for User ID and privileged User ID approvals, verifications and revalidations and retain such records for two years; and |
(4) | provide for ACI’s review and approval, as appropriate, non-expiring passwords and policy exception requests. |
b. | ACI will: |
(1) | revalidate ACI User IDs, privileges and access to shared User IDs; and |
(2) | approve non-expiring passwords and policy exception requests, as appropriate. |
6.5 | Physical Security and Access Management |
a. | Vendor will: |
(1) | provide the following physical security controls at Vendor facilities: |
(a) | define controlled areas, perform a physical security assessment and document any identified control and audit issues; |
(b) | identify ownership of control and audit issues and manage closure of Vendor-owned issues; |
(c) | perform initial access baseline review and execute formal revalidation for new protected and restricted areas; |
(d) | develop and implement the access authorization processes; |
(e) | manage the implementation of the physical security environment for the controlled areas; |
(f) | perform maintenance, testing and daily operations of the physical security environment; and |
(g) | manage permanent and temporary access authorization devices. |
b. | ACI will: |
(1) | provide and manage physical security controls at the ACI Facilities; |
(2) | manage closure of ACI-owned control and audit issues; and |
(3) | protect LAN servers and infrastructure devices on ACI premises from unauthorized access. |
7. | ADDITIONAL SECURITY TERMS |
7.1 | General |
1. | INTRODUCTION |
* Represents one page of redacted tabular data |
2. | DISASTER RECOVERY PLAN |
a. | Vendor Responsibilities |
(1) | during Transition, develop the Disaster Recovery Plan, which will be ready at the end of each phase of Transition and will include the following: |
(a) | a brief description of the critical services and functions, including a prioritized listing of the Critical Functions; |
(b) | the agreed recovery times (RTO/RPO) for each Critical Function; |
(c) | the hardware and Software composing the Configuration; |
Exhibit A-9 — Disaster Recovery and Business Continuity Services
Page 1 of 13
(d) | the Equipment and Software, including some existing ACI Equipment, necessary for connection to the ACI Data Network; |
(e) | Vendor’s and ACI’s recovery roles and responsibilities; |
(f) | contact listings of ACI and Vendor key employees; |
(g) | identification of recovery teams; |
(h) | recovery scenarios; |
(i) | criteria for Disaster declaration, recovery and testing; |
(j) | names of those individuals who are authorized by ACI and Vendor to declare a Disaster; |
(k) | backup process and components; |
(l) | the location and schedule for the periodic tape backup of Critical Functions; |
(m) | the location and schedule for off-site storage of the tape backups; |
(n) | notification procedures; |
(o) | recovery information, procedures, and schedules; |
(p) | testing results and any required corrective action plans; |
(q) | procedures for maintaining the Disaster Recovery Plan; and |
(r) | procedures for restoration back to original location or another permanent location; |
(2) | provide a representative who is knowledgeable in Disaster Recovery planning and the Disaster Recovery Plan to serve as a single point of contact for ACI’s Disaster Recovery-related communications and activities. The Vendor representative will be responsible for the development and maintenance of the Disaster Recovery Plan and will provide safe storage and distribution of copies as follows: |
(a) | off-site vital records storage; |
(b) | ACI’s Disaster Recovery coordinator; and |
(c) | Vendor’s Disaster Recovery coordinator; |
(3) | in cooperation with ACI, review and update, if necessary, the Disaster Recovery Plan on an annual basis or as warranted by business and/or technical changes to validate compatibility with ACI’s and Vendor’s overall Disaster Recovery strategies and related plans; |
(4) | in cooperation with ACI, test the Disaster Recovery Plan initially within 180 days after the Disaster Recovery Plan is completed, or the earliest time after 180 days that the Recovery Center is available, and annually thereafter to validate that the Disaster Recovery Plan and ACI-specific tests remain practicable and current; |
(5) | conduct a Disaster Recovery test for EB On Demand by the start of the third quarter of 2008 using the Disaster Recovery Plan that is in place at that time; |
(6) | [ * ], unless more time is required to complete a successful test at the Vendor Recovery Center, for testing ACI’s Mainframe Test/Dev Disaster Recovery Plan; |
(7) | [ * ] unless more time is required to complete a successful test (ACI financially responsible for any additional [ * ] fees in the event more time is required), at the [ * ]; |
(8) | [ * ], unless more time is required to complete a successful test (ACI financially responsible for any additional [ * ] fees in the event more time is required), for testing the [ * ]; |
(9) | provide ACI with a report of the test results following each Disaster Recovery Plan test; |
(10) | remediate any issues uncovered during the test and retest if requested by ACI; and |
(11) | develop and maintain the Disaster Recovery Plan for network connectivity and recovery in the event of a Disaster. |
b. | ACI Responsibilities |
(1) | act as the primary interface to Vendor’s Disaster Recovery representative; |
(2) | be available on a continuous basis in the event a Disaster is declared; |
(3) | assist Vendor in the development of the Disaster Recovery Plan; |
(4) | in cooperation with Vendor, test the Disaster Recovery Plan; and |
(5) | provide the Vendor Disaster Recovery representative with ACI’s updates to the Disaster Recovery Plan to ensure the Disaster Recovery Plan remains current. |
3. | DISASTER RECOVERY |
a. | Vendor Responsibilities |
(1) | deliver the data and Software archived in off-site storage to the Recovery Center designated in the Disaster Recovery Plan or at such other location as may be established by Vendor thereafter; |
(2) | reroute the affected data communications circuits from the Data Center to the Recovery Center; |
(3) | operate the Critical Functions on the Configuration at the Recovery Center; and |
(4) | pay all travel and living expenses Vendor incurs in the performance of Vendor’s Disaster Recovery responsibilities. |
b. | ACI Responsibilities |
(1) | perform its Disaster Recovery responsibilities as set forth in this Exhibit and the Disaster Recovery Plan; |
(2) | comply with recovery procedures, including those for safety and security; |
(3) | pay all costs associated with the storage of data and Software at locations other than the Data Centers, including all storage facility charges and charges for transporting such data and Software to, from and between the storage facility, the Data Centers and/or the Recovery Center; and |
(4) | pay all travel and living expenses ACI incurs in the performance of ACI’s Disaster Recovery responsibilities. |
4. | NETWORK RECOVERY |
5. | DISASTER RECOVERY FOR ACI-HOSTED SERVERS |
a. | ACI will be responsible for the provision of disaster recovery services for the ACI-hosted server environment, excluding the specific list of Equipment Vendor is providing Disaster Recovery Services for identified in this Exhibit, including any costs associated with backup, connectivity and support of Supported Desktops, Supported Servers and affected networks. |
b. | In the event a declared Disaster interrupts the Services Vendor provides to ACI, Vendor will make [ * ] to provide the Services during such Disaster. |
c. | Vendor will cooperate with ACI in the development of ACI’s distributed environment disaster recovery plan as it pertains to the Services Vendor provides under the Agreement. If ACI requests Vendor to provide distributed environment disaster recovery services, Vendor will provide such services as a New Service in accordance with Schedule C (Charges). |
6. | END USER RECOVERY |
7. | RESOURCES AND GROWTH |
8. | NEW SERVICE |
9. | CONFIGURATION |
Note: | The software Configuration will be the Systems Software specified in Schedule I (Vendor Supported Software). |
1.0 | GENERAL |
2.0 | EXHIBITS |
3.0 | MEASUREMENT |
Schedule B — Service Levels
4.0 | REPORTING |
5.0 | SERVICE LEVEL CREDITS |
1. | Subject to Item 5 of this Section 5 and Sections 6 and 7, Vendor will provide ACI a Service Level Credit if a Service Level Default has occurred. |
2. | [ * ] However, if the Vendor fails to meet the applicable Minimum Service Level for a Key Measurement, [ * ]. |
3. | Service Levels Descriptions to this Exhibit sets forth the information required to calculate the Service Level Credit in the event of a Service Level Default. For each Service Level Default, the Vendor shall pay to ACI, subject to Item 5 of this Section 5 below, a Service Level Credit that will be computed in accordance with the following formula: | ||
[ * ] | |||
* Represents one page of redacted text |
4. | [ * ] |
5. | [ * ] |
6. | [ * ] |
7. | [ * ] |
8. | [ * ] |
6.0 | EXCEPTIONS |
1. | If any events or periods that are measured as part of a Service Level are not successfully achieved in accordance with the relevant performance standard specified in the Service Level and the Vendor demonstrates that such failure would not have occurred but for any of the following, then such events or periods shall be disregarded for the purpose of calculating the relevant Service Level (and shall be excluded from both the numerator and the denominator for the purposes of calculating whether the Service Level has been achieved): | ||
1.1 | [ * ] | ||
1.2 | [ * ] | ||
1.3 | [ * ] | ||
1.4 | [ * ] | ||
1.5 | [ * ] | ||
1.6 | [ * ] | ||
1.7 | [ * ] | ||
1.8 | [ * ] |
2. | For purposes of calculating actual uptime and availability, all planned downtime shall be excluded (for example, preventive maintenance, circuit upgrades, etc.). The Vendor shall maintain Availability during such periods to the extent reasonably practicable as agreed to by the Parties. |
7.0 | [ * ] |
8.0 | CHANGES TO SERVICE LEVELS | |
8.1 | [ * ] | |
* | Represents one page of redacted text | |
8.2 | Additions, Deletions, and Modifications |
1. | Subject to the remainder of this Section 8.2 and Section 8.3, ACI may, by sending written notice to the Vendor at least 90 calendar days prior to the effective date of the change: | ||
1.1. | Add or delete Performance Categories. | ||
1.2. | Add, modify, or delete Critical Service Level allocations between Performance Categories. | ||
1.3. | Add or delete Service Levels. | ||
1.4. | Change Service Levels from Critical Service Levels to Key Measurements or from Key Measurements to Critical Service Levels. | ||
1.5. | Modify the Service Level Credit Allocation Percentages for any Critical Service Levels. | ||
2. | [ * ] | ||
3. | [ * ] | ||
4. | [ * ] | ||
5. | [ * ] |
8.3 | Performance Standards for Additional Service Levels |
1. | [ * ] | ||
2. | [ * ] | ||
3. | [ * ] | ||
4. | [ * ] |
9.0 | CRITICAL DELIVERABLES |
1. | Certain of the Vendor’s obligations under the Agreement are one-time or periodic obligations to deliver Critical Deliverables. Exhibit B-1 (Service Level Matrix) to this Schedule sets forth the Deliverable Credits that shall be payable by the Vendor to ACI in the event the Vendor fails to deliver any of the Critical Deliverables by the due date, specified in Exhibit B-1 (Service Level Matrix) to this Schedule. In this regard: |
1.1 | [ * ] | ||
1.2 | [ * ] | ||
1.3 | [ * ] | ||
1.4 | [ * ] | ||
1.5 | [ * ] |
* | Represents one page of redacted text |
* | Represents one page of redacted text |
* | Represents one page of redacted text |
CRITICAL DELIVERABLES
1.0 | CRITICAL SERVICE LEVELS — INTRODUCTION |
1.1 | Performance Category — Server Availability |
1.1.1 | Server Availability — High Category |
1. | “Available for Use” with respect to all High Category Servers shall mean that the System—including the processor and associated storage devices, cabling, peripherals, and other equipment—is running properly so as to enable the proper execution of transactions on those Applications scheduled to run on such System and access to updated current data that is intended to be used in conjunction with such Applications. |
2. | “System Scheduled Uptime” shall mean the amount of minutes within the applicable Measurement Window for the System as set forth in Exhibit B-1 (Service Level Matrix). The hours of scheduled uptime are designated in the Service Delivery Statement of Work. |
3. | “System Downtime” shall mean the total time per calendar month out of the System Scheduled Uptime, as measured in minutes, that the System for which availability is being computed is not Available for Use. |
4. | “Scheduled System Downtime” shall mean the total time per month that this classification of server is allowed to be unavailable for use to ACI and/or its clients so that the Vendor may perform routine maintenance. For High Category servers [ * ] is acceptable ([ * ] is acceptable for those servers not having the ability to do maintenance while the application remains available to the client) but by [ * ], no Scheduled System Downtime will be the requirement to the extent all HA Servers have the ability to do maintenance while the application remains available to the client. |
Exhibit B-2 — Critical Service Levels and Key Measurements
Page 1 of 15
1.1.2 | Server Availability — Medium Category |
1. | “Available for Use” with respect to all Medium Category Servers shall mean that the System—including the processor and associated storage devices, cabling, peripherals, and other equipment—is running properly so as to enable the proper execution of transactions on those Applications scheduled to run on such System and access to updated current data that is intended to be used in conjunction with such Applications. |
2. | “System Scheduled Uptime” shall mean the amount of minutes within the applicable Measurement Window for the System as set forth in Exhibit B-1 (Service Level Matrix). |
3. | “System Downtime” shall mean the total time per calendar month out of the System Scheduled Uptime, as measured in minutes, that the System for which availability is being computed is not Available for Use. |
4. | “Scheduled System Downtime” shall mean the total time per month that this classification of server is allowed to be unavailable for use to ACI and/or its clients so that the Vendor may perform routine maintenance. For Medium Category servers this is to be [ * ] per month. |
1.1.3 | Server Availability — Low Category |
1. | “Available for Use” with respect to all Low Category Servers shall mean that the System—including the processor and associated storage devices, cabling, peripherals, and other equipment—is running properly so as to enable the proper execution of transactions on those Applications scheduled to run on such System and access to updated current data that is intended to be used in conjunction with such Applications. |
2. | “System Scheduled Uptime” shall mean the amount of minutes within the applicable Measurement Window for the System as set forth in Exhibit B-1 (Service Level Matrix). |
3. | “System Downtime” shall mean the total time per calendar month out of the System Scheduled Uptime, as measured in minutes, that the System for which availability is being computed is not Available for Use. |
4. | “Scheduled System Downtime” shall mean the total time per month that this classification of server is allowed to be unavailable for use to ACI and/or its clients so that the Vendor may perform routine maintenance. For Low Availability servers this is to be [ * ] per month. |
1.1.4 | Percent of Processing Delivered On-Time |
/ (10 job steps x 30 times)
= 99.67%
1.1.5 | System Backups Completed |
1.2 | Performance Category — Incident Management |
1.2.1 | Time to Respond — Severity 1 & 2 |
1.2.2 | Restoration of Service — Severity 1 Incidents |
1.2.3 | Restoration of Service — Severity 2 Incidents |
1.2.4 | Root Cause Problem Analysis |
1.2.5 | Severity 1 and 2 Problem Resolution |
1.3 | Performance Category — End User / Service Desk |
1.3.1 | Service Desk Speed to Answer |
1.3.2 | Service Desk Call Non-Abandon Rate |
1.3.3 | Service Desk First-Call Incident Resolution |
1.3.4 | Hard IMAC Completion Time |
a. | There will be a separate MAC for each item to be installed. |
b. | These MACs will be excluded from the performance calculation. |
1.3.5 | Service Desk/Deskside Support Request Completion Time |
Desktop Support Measurement Description | Measurement Value | Measurement Frequency |
Exception Requests | [ * ] | [ * ] | ||||||
Centralized Supported Desktop support — All locations (Campus, Metro and Remote) | [ * ] | [ * ] | ||||||
Deskside Support / Software Break/Fix — Campus | [ * ] | [ * ] | ||||||
Deskside Support / Software Break/Fix — Metro | [ * ] | [ * ] | ||||||
Deskside Support / Software Break/Fix — Remote | [ * ] | [ * ] |
1.3.6 | Anti-Virus/Security Critical Updates |
1.4 | Performance Category — Network Management |
1.4.1 | Site Availability — Client to Prod Data Center |
1.4.2 | Site Availability — Dev Center |
1.4.3 | End to End Transaction Response Time — Retail |
1.4.4 | Network Response Time — Client to Prod Data Center |
1.4.5 | Network Response Time — Dev Centers |
2.0 | KEY MEASUREMENTS — INTRODUCTION |
2.1 | Performance Category — Incident Management |
2.1.1 | Time to Respond — Severity 3 & 4 |
2.1.2 | Restoration of Service — Severity 3 & 4 Incidents |
2.1.3 | Severity 3 and 4 Problem Resolution |
2.2 | Performance Category — Change Management |
2.2.1 | Change Management Effectiveness |
2.2.2 | Timely Patch Application |
2.3 | Performance Category — Reporting |
2.3.1 | Report Delivery |
2.4 | Performance Category — Project Management |
2.4.1 | Milestones Delivered On-Time |
2.4.2 | Proposals Delivered On-Time |
2.5 | Performance Category — Asset Management |
2.5.1 | Hardware and Software Asset Management |
2.6 | Performance Category — User Satisfaction |
2.6.1 | User Satisfaction Rating |
2.7 | Performance Category — Network Management |
2.7.1 | Internet Connectivity |
2.7.2 | WAN Outages |
2.7.3 | Site Availability — Corporate Offices |
2.7.4 | Network Response Time — Corporate Offices |
2.7.5 | Internal VPN Access Response Time |
1.0 | INTRODUCTION | |
This Exhibit B-3 sets forth certain obligations of the Vendor regarding Critical Deliverables. If the Vendor fails to deliver to ACI any Critical Deliverables as described below in format and content specified in this Exhibit B-3, and such failure is solely as a result of Vendor’s failure to perform its obligations, the associated Deliverable Credit set forth in Exhibit B-1 (Service Level Matrix) will be paid to ACI. | ||
Unless otherwise specified below, the Vendor shall provide each Critical Deliverable set forth in Exhibit B-1 (Service Level Matrix) to Schedule B (Service Levels) on or before the date specified in Exhibit B-1 or this Exhibit B-3, as applicable. | ||
2.0 | COMPLETE ANNUAL DR TEST — RE-TEST IF TEST FAILS | |
The Vendor will complete a successful annual Disaster Recovery (DR) Test as described in the Disaster Recovery Plan. If the DR Test fails and such failure was the result of Vendor’s actions or inactions, the Vendor will at its expense re-test until the DR Test is successful. The first annual test will be conducted on the anniversary of the Server Systems Management Services Service Tower Commencement Date. | ||
3.0 | DELIVER ANNUAL SAS 70 TYPE II REPORT | |
The Vendor will deliver an annual SAS 70 Type II audit report as specified in Section 11.3 of the Master Services Agreement. | ||
4.0 | PROVIDE PROCESS INTERFACE MANUAL/KNOWLEDGE BASE | |
4.1 | Provide Process Interface Manual | |
Vendor shall deliver to ACI, on or before the required date indicated in Exhibit B-1 (Service Level Matrix), the completed and approved final Process Interface Manual which will describe the following: |
• | Organizational overview; | ||
• | Performance management procedures; | ||
• | Financial management procedures; | ||
• | Contract management procedures; | ||
• | Relationship management procedures; and | ||
• | Vendor operational procedures. |
Exhibit B-3 — Critical Deliverables
4.2 | Knowledge Base |
5.0 | PROVIDE INITIAL DISASTER RECOVERY PLAN |
6.0 | COMPLETE INITIAL WALL TO WALL HARDWARE INVENTORY & INITIAL ELECTRONIC SOFTWARE INVENTORY |
7.0 | CONDUCT ANNUAL INVENTORY AND PROVIDE REPORT | |
The Vendor will conduct on an annual basis the electronic Equipment and software inventory as described in Exhibit A-2 Asset Management, and will provide the report to ACI. | ||
8.0 | PROVIDE ANNUAL PLANNING REPORTS | |
The Vendor will provide on an annual basis the annual planning reports as described in the Statements of Work and Schedule S (Governance). | ||
9.0 | DELIVER INITIAL MONTHLY REPORTS | |
Vendor will deliver the first set of monthly reports including the Service Level reports in accordance with the Service Level Methodology and Schedule R (Reports). The Service Level report(s) will indicate Service Levels (Critical Service Levels, Critical Deliverables, and Key Measurements) for which Vendor is responsible, the actual attainment of the associated Expected Service Levels and Minimum Service Levels as well as attainment of the Critical Deliverables and any Service Level Credit(s) that may apply. | ||
Vendor will provide standard report(s) after the completion of the second full calendar month of providing Service after Service implementation has been completed. | ||
10.0 | CONDUCT THREAT IDENTIFICATION SUMMARY ASSESSMENT | |
The Vendor shall complete a vulnerability assessment at the level and frequency described in Exhibit A-8 (Enterprise Security Management Services) and provide a report to ACI that identifies any serious vulnerabilities along with a mitigation plan. | ||
11.0 | DELIVERY OF A DETAILED TRANSITION PLAN | |
Within 60 days after the Effective Date, Vendor is to provide a detailed Transition Plan. | ||
12.0 | TRANSITION COMPLETION | |
The Vendor will complete all stages of Transition by the applicable “Go-Live” date specified in the Transition Plan in accordance with the completion criteria to be developed during Transition. |
1.1 | Severity Level 1 |
1.2 | Severity Level 2 |
1.3 | Severity Level 3 |
Exhibit B-4 — Severity Levels
1.4 | Severity Level 4 |
• | [ * ] |
1.0 | GENERAL |
• | Exhibit C-1 (Base Charges, Baselines, ARC/RRC Rates and Termination Charges) - Specifies the details of the Charges: the Monthly Base Charges for each Service, the monthly resource baseline volume levels included in the Monthly Base Charges (“Resource Volume Baselines”), the Charges related to performance of the Transition (“Transition Fees”), the incremental Charges to ACI in the event that the number of Resource Units utilized exceeds the Resource Volume Baselines (“ARC”), the incremental credits due to ACI in the event that the number of Resource Units actually utilized are below the Resource Volume Baselines (“RRC”), and defines the fees to be charged by the Vendor in the event of termination for convenience by ACI (“Termination Charges”). |
• | Exhibit C-2 (Financial Responsibility and Ownership Matrix) — This exhibit describes the financial responsibility of ACI and the Vendor for functions and assets associated with the Services. |
• | Exhibit C-3 (Form of Invoice) — Sample of the invoice to be provided on a monthly basis by Vendor. |
• | Exhibit C-4 (Base Case) — Defines the financial scope of what is assumed by Vendor and retained by ACI. This exhibit contains ACI’s projection of its expenses associated with the Services if ACI were not to enter into this Agreement with the Vendor. |
2.0 | SERVICES CHARGES |
2.1 | General |
Schedule C — Charges
2.1.1 | This Schedule C defines the Resource Units, Charges, pricing provisions, Resource Volume Baselines and the ARCs and RRCs should the actual volume of Resource Units utilized by ACI vary from the Resource Volume Baselines. |
2.1.2 | [ * ] |
2.3 | Base Service Charges |
2.3.1 | General. The Monthly Base Charge for each contract month is set forth in Exhibit C-1, and is the firm fixed Charge to ACI for Vendor’s provision of the Services for the applicable Resource Volume Baselines after the applicable Service Tower Commencement Date, subject to the provisions of this Schedule C. [ * ] |
2.3.2 | Monthly Invoice. In accordance with the Agreement, Vendor shall invoice ACI on a monthly basis for the Monthly Base Charges. |
[ * ] | ||
2.4 | Resource Units |
2.4.1 | Mainframe Services |
2.4.3 | Messaging Services |
1. | The Messaging Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1. |
2. | The messaging billable Resource Units are defined as follows: |
2.1 | [ * ] |
2.4.4 | Network Management Services |
1. | The Network Management Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1. | ||
2. | The Network Management billable Resource Units are defined as follows: | ||
2.1 | WAN Management | ||
2.1.1. | The WAN Management pricing is based on the Resource Volume Baselines contained in Exhibit C-1. | ||
2.1.2. | Vendor Managed | ||
2.1.2.1. | Complex Device | ||
i.) [ * ] | |||
2.1.2.2. | Standard Device | ||
i.) [ * ] | |||
2.1.2.3. | Simple Device | ||
i.) [ * ] | |||
2.1.3. | Vendor Owned and Managed | ||
2.1.3.1. | Complex Device | ||
i.) [ * ] | |||
2.1.3.2. | Standard Device | ||
i.) [ * ] | |||
2.1.3.3. | Simple Device | ||
i.) [ * ] | |||
2.2 | LAN Management | ||
2.2.1 | The LAN Management pricing is based on the Resource Volume Baselines contained in Exhibit C-1. | ||
2.2.2 | Vendor Managed | ||
2.2.2.1 | Complex Device | ||
i.) [ * ] | |||
2.2.2.2 | Standard Device | ||
i.) [ * ] | |||
2.2.2.3 | Simple Device | ||
i.) [ * ] | |||
2.2.3 | Vendor Owned and Managed | ||
2.2.3.1 | Complex Device | ||
i.) [ * ] | |||
2.2.3.2 | Standard Device | ||
i.) [ * ] |
2.2.3.3 | Simple Device | ||
i.) [ * ] | |||
2.3 | Firewall Management | ||
2.3.1 | The Firewall Management pricing is based on the Resource Volume Baselines contained in Exhibit C-1. | ||
2.3.2 | Vendor Managed | ||
2.3.2.1 | Complex Device | ||
i.) [ * ] | |||
2.3.2.2 | Standard Device | ||
i.) [ * ] | |||
2.3.2.3 | Simple Device | ||
i.) [ * ] | |||
2.3.3 | Vendor Owned and Managed | ||
2.3.3.1 | Complex Device | ||
i.) [ * ] | |||
2.3.3.2 | Standard Device | ||
i.) [ * ] | |||
2.3.3.3 | Simple Device | ||
i.) [ * ] |
2.4 | Network Management IMAC | ||
2.4.1 | [ * ] | ||
2.4.2 | [ * ] |
2.4.5 | Network Transport Services |
1. | The Network Transport Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1 | ||
2. | The Network Transport billable Resource Units are defined as follows: | ||
2.1. | MPLS Transport | ||
2.1.1. | [ * ] | ||
2.1.2. | The speeds for the above are as documented in Exhibit C-1. | ||
2.2. | Other Connectivity | ||
[ * ] | |||
2.2.1 | [ * ] | ||
2.2.2 | The speeds for the above are as documented in Exhibit C-1. |
2.3. | Internet Connectivity | ||
2.3.1 | [ * ] | ||
2.3.2 | The speeds for the above are as documented in Exhibit C-1. |
2.4.6 | Security Services |
1. | The Security Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1. | ||
2. | The Security billable Resource Units are defined as follows: | ||
2.1 | [ * ] | ||
2.2 | [ * ] | ||
2.3 | [ * ] | ||
2.4 | [ * ] | ||
2.5 | [ * ] | ||
2.6 | [ * ] | ||
2.7 | [ * ] |
2.4.7 | Disaster Recovery Services |
1. | The Disaster Recovery Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1 | ||
2. | The Disaster Recovery billable Resource Units are defined as follows: | ||
2.1 | [ * ] | ||
2.2 | [ * ] |
2.4.8 | End-User Computing Services |
1. | The End-User Computing Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1 | ||
2. | [ * ] | ||
3. | [ * ] | ||
4. | [ * ] | ||
5. | [ * ] |
2.4.9 | Help Desk Services |
1. | The Help Desk Services pricing is based on the Resource Volume Baselines contained in Exhibit C-1. | ||
2. | The Help Desk billable Resource Units are defined as follows: | ||
2.1. | Help Desk Services | ||
2.2 | [ * ] | ||
3. | [ * ] |
2.4.10 | Projects |
1. | Project Pool |
• | IT work efforts that relate to Vendor’s support or maintenance (e.g., patches, memory upgrades, or database re-indexing) of Equipment, Software or other elements of the ACI IT environment used by Vendor to deliver the Services (including as necessary to meet Service Levels); or |
• | IT work efforts that relate to Vendor’s support, maintenance, enhancement or refresh of Equipment, Software or other elements of the Vendor Service infrastructure used by Vendor to deliver the Services (including as necessary to meet Service Levels) |
• | IT work efforts that result in an increase in or new Resource Units consumed as provided for in Schedule C |
2. | As part of the Services, [ * ]. The Resource Volume Baseline for Projects can be adjusted on an annual basis, based on a request by ACI, as a part of the annual technology planning process. Any adjustment to the Resource Volume Baseline of Project hours will result in a corresponding adjustment in the monthly service Charge for Projects with the calculation to be based on the Base unit rates for Projects as defined in Exhibit C-1. In addition, in Contract Year One, Vendor will provide an ARC rate for any hours requested by ACI in excess of the Resource Volume Baseline. |
3. | It is envisioned that the Vendor will perform most new infrastructure Projects using hours from the Project Pool until such time that the hours are exhausted or that ACI requests an alternative proposal. If and to the extent ACI authorizes Vendor to exceed the applicable Baseline Project Hours in any Contract Year, ACI shall pay Vendor for such |
4. | [ * ] These Projects will be viewed as separate events requiring separate pricing. Nothing in this provision should be interpreted as limiting ACI’s right to perform itself or have third parties perform Projects regardless of their size. |
5. | All Projects, regardless of whether the hours are to come from the Project Pool or from the rate card, will be estimated and a cost estimate provided to ACI for approval prior to work commencing. Where practical, the Vendor will provide fixed cost (or fixed hours) pricing for a given Project. [ * ] |
6. | For Projects that cannot be easily quantified at the outset, Vendor pricing may be established, based on ACI written approval, on a time and materials basis utilizing the Rate Card. | ||
7. | [ * ] |
8. | Vendor shall report monthly on Projects in accordance with Schedule R. Such reports shall specify, among other things, the Vendor Charges, hours, resources and expenses for each Project for the applicable month and Contract Year and any other pertinent information reasonably requested by ACI. | ||
9. | Items Not Separately Billable |
[ * ] * Represents one page of redacted text |
3.0 | ADDITIONAL AND REDUCED RESOURCE CHARGES (ARCS AND RRCS) |
3.1 | The Vendor shall track the number of Resource Units actually utilized by ACI during [ * ] |
3.2 | ARC — Additional Resource Charge: [ * ] |
3.3 | [ * ] |
4.0 | RETAINED EXPENSES |
5.0 | INCENTIVES TO REDUCE COSTS |
6.0 | ECONOMIC CHANGE ADJUSTMENT |
6.1 | [ * ] |
6.2 | [ * ] |
6.3 | The following indices are applicable to the Services provided by Vendor to ACI under the Agreement. | |
[ * ] | ||
6.4 | [ * ] | |
6.5 | [ * ] | |
6.6 | [ * ] | |
6.7 | [ * ] * Represents one page of redacted text |
7.0 | OTHER CHARGES, CREDITS, AND SERVICES | |
7.1 | Telecommunication Transport Charges | |
Vendor will assume responsibility for the Charges for ACI to ACI [ * ] | ||
7.2 | Third Party Charges | |
Vendor will assume responsibility for all Charges for the [ * ] as of the Service Tower Commencement Date. | ||
7.3 | Termination Charges | |
Exhibit C-1 sets forth the amounts payable by ACI in the event that ACI terminates the Agreement under the circumstances specified in the Agreement. |
8.0 | OTHER ITEMS |
8.1 | Resource Unit Classification for New Technologies | |
ACI and Vendor will review, on a quarterly basis, the impact of new technologies on the existing Resource Units. Specifically, this is necessary for Resource Units that are categorized into Complex, Standard, and Simple Devices. | ||
8.2 | Vendor Travel | |
[ * ] as specified in Schedule A (Statement of Work) and the Exhibit C-2 (Financial Responsibility and Ownership Matrix). To the extent that ACI requires the Vendor to travel for approved billable Projects, the Vendor will bill these travel related expenses as Pass-Through Expenses. | ||
8.3 | Rebadged Employee Equipment | |
Rebadged Employees will continue to use their existing personal computer equipment and software (subject to software license restrictions) until such point that Equipment or Software is due for refresh. [ * ] The Vendor shall perform [ * ] (Statement of Work). [ * ] |
BASE CHARGES, BASELINES, ARC/RRC RATES AND TERMINATION CHARGES
[ * ] |
FINANCIAL RESPONSIBILITY AND OWNERSHIP MATRIX
MEANING OF HEADINGS
ACI Worldwide Confidential | Meaning of Headings |
ACI Worldwide Confidential | Personnel |
ACI Worldwide Confidential | Equipment |
ACI Worldwide Confidential | Software |
ACI Worldwide Confidential | Facilities |
ACI Worldwide Confidential | Other |
BASE CASE
1. | [ * ] | |
2. | “ACI” is defined in the preamble to the Agreement, subject to Section 2.2. | |
3. | [ * ] | |
4. | “ACI Confidential Information” is defined in Section 15.3. | |
5. | “ACI Contract Executive” is defined in Section 12. | |
6. | “ACI Contractor Agreements” is defined in Section 5.2. | |
7. | “ACI Contractor Personnel” is defined in Section 5.2. | |
8. | “ACI Data” means all data regarding ACI’s personnel, subcontractors or other aspects of ACI’s business made available to Vendor or entered in any Software or Equipment, together with any data derived from such data, including Personally Identifiable Information. | |
9. | “ACI Equipment” means machines that are: (i) owned, leased or rented by ACI on or after the Effective Date; (ii) [ * ] | |
10. | “ACI Focal Point” means the individual designated by ACI to act as the single point of contact within a specified Services area or Location to whom Vendor may direct all communications related to such Services area. | |
11. | “ACI Indemnitees” is defined in Section 18.1. | |
12. | “ACI Information Security Requirements” is defined in Section 15.2. | |
13. | “ACI IT Standards” is defined in Section 3.9. | |
14. | “ACI Laws” is defined in Section 22.1. | |
15. | “ACI Office Space” is defined in Section 8.1. | |
16. | “ACI-Provided Product” means any equipment, system, program, product, or business process provided to Vendor by ACI under the Agreement [ * ]. | |
17. | “ACI Provided Technology” is defined in Section 18.2. | |
18. | “ACI Risk Control Requirements” is defined in Section 15.4. |
19. | “ACI Software” means Software owned by ACI or its Affiliates. | |||
20. | [ * ] | |||
21. | “Adjustment” is defined in Section 11.2. | |||
22. | [ * ] | |||
23. | [ * ] | |||
24. | “Agreement” means the Master Services Agreement to which this Schedule D is attached, including its Schedules, Exhibits and Attachments, as the same may be amended by the Parties from time to time. | |||
25. | [ * ] | |||
26. | “Applicable Law” means any United States and non-United States federal, state or local law (including common law), statute, ordinance, rule, regulation (including NASD rules, regulations and notices as well as any and all rules, pronouncements and interpretations issued by self regulatory authorities), order, decree, writ, injunction, judgment, permit, governmental agreement, member advisory bulletins or decree of a government entity applicable to the Party or other entity indicated by the context, including, as applicable, to such Party’s or entity’s Affiliates, assets, directors, employees and agents in such capacities. | |||
27. | [ * ] | |||
28. | [ * ] | |||
29. | [ * ] | |||
30. | [ * ] | |||
31. | “Auditors” is defined in Section 11.3. | |||
32. | “Benchmarker” is defined in Section 13.7. | |||
33. | “Business Day” means every Monday through Friday, [ * ] In the Agreement references to days that do not specifically refer to Business Days are references to calendar days and, unless otherwise provided, any specified number of days that expires on a day other than a Business Day will be automatically extended to the next following Business Day. | |||
34. | “Business Hours” means the normal business hours for the facility being audited. | |||
35. | [ * ] | |||
36. | “Change Control Procedure” is defined in Section 3.10(b). | |||
37. | “Changed Service Level” is defined in Section 9.6. |
38. | “Charges” is defined in Section 13.1. | |||
39. | “Code” is defined in Section 23.15. | |||
40. | “Commencement Date” means the Effective Date or [ * ]. | |||
41. | [ * ] | |||
42. | [ * ] | |||
43. | “Confidential Information” is defined in Section 15.3. | |||
44. | [ * ] | |||
45. | [ * ] | |||
46. | “Contractual Change Control Procedure” is defined in Section 10.6. | |||
47. | [ * ] | |||
48. | “CPU” means central processing unit. | |||
49. | [ * ] | |||
50. | [ * ] | |||
51. | [ * ] | |||
52. | “Critical Service Levels” is defined in Section 9.3. | |||
53. | “DASD” means direct access storage device. | |||
54. | [ * ] | |||
55. | [ * ] | |||
56. | [ * ] | |||
57. | “Data Owner” is defined in Section 22.5. | |||
58. | [ * ] | |||
59. | [ * ] | |||
60. | “Developed ACI Software” is defined in Section 7.4. | |||
61. | “Developed Vendor Software” is defined in Section 7.4. | |||
62. | [ * ] |
63. | [ * ] | |||
64. | [ * ] | |||
65. | [ * ] | |||
66. | “Dispute Date” is defined in Section 20.1. | |||
67. | “DM” is defined in Section 20.1. | |||
68. | “DR/BC Plans” is defined in Section 19.5. | |||
69. | [ * ] | |||
70. | “Effective Date” is defined in the preamble to the Agreement. | |||
71. | [ * ] | |||
72. | “End User Equipment” means all workstations, terminals, printers and associated peripheral equipment located at Locations. | |||
73. | “End User Locations” means locations at which the Services are received or used by the End Users. | |||
74. | “End User Services” means the Services set forth in Exhibit A-4 (End User Services) of Schedule A (Statement of Work) of the Agreement. | |||
75. | “End Users” is defined in Section 3.10(a). | |||
76. | “Enhancement Activities” is defined in Section 10.8. | |||
77. | [ * ] | |||
78. | “Equipment” means the [ * ]. Equipment includes the following: (i) computer equipment, including associated attachments, features, accessories, peripheral devices, front end devices, and other computer equipment, and (ii) telecommunications equipment, including private branch exchanges, multiplexors, modems, hubs, bridges, routers, switches and other telecommunications equipment. | |||
79. | “Executive Steering Committee” is defined in Section 10.2. | |||
80. | “Existing Third Party Systems Software” means Third Party Systems Software that exists on the Effective Date and was being utilized by ACI or its Affiliates immediately prior to the Effective Date [ * ]. | |||
81. | [ * ] | |||
82. | “Extraordinary Event” is defined in Section 13.5. |
83. | [ * ] | |||
84. | “Force Majeure Event” is defined in Section 19.6. | |||
85. | “Go Live Date” means the last Service Tower Commencement Date. | |||
86. | “Holidays” means the days specified in the Process Interface Manual. | |||
87. | “I-9” is defined in Section 16.13. | |||
88. | [ * ] | |||
89. | “Including” and its derivatives (such as “include” and “includes”) means “including, without limitation.” This term is as defined, whether or not capitalized in the Agreement. | |||
90. | [ * ] | |||
91. | “Install, Move, Add, Change or IMAC” means Install, Move, Add, Change events. | |||
92. | [ * ] | |||
93. | “Intellectual Property Rights” means all rights, title, and interest arising under U.S. common and statutory law and the laws of other countries to all (i) patents and all filed, pending or potential applications for patents, including any reissue, reexamination, division, continuation, or continuation-in-part applications throughout the world now or hereafter filed; (ii) trade secret rights and equivalent rights (including know-how); (iii) copyrights, moral rights, other literary property or authors’ rights; (iv) proprietary indicia, trademarks, trade names, symbols, logos, or brand names; and (v) mask works and mask work rights. | |||
94. | “Internet” means a worldwide network of TCP/IP-based networks. | |||
95. | [ * ] | |||
96. | [ * ] | |||
97. | “IT” means information technology. | |||
98. | “Joint Verification Period” is defined in Section 23.3. | |||
99. | “Key Measurements” is defined in Section 9.7. | |||
100. | “Key Rebadged Employees” is defined in Section 5.2. | |||
101. | “Key Vendor Positions” is defined in Section 5.1. | |||
102. | [ * ] | |||
103. | [ * ] |
104. | [ * ] | |||
105. | [ * ] | |||
106. | [ * ] | |||
107. | [ * ] | |||
108. | [ * ] | |||
109. | “Location” means any location: [ * ]; and (ii) that is listed in Schedule P (Locations) of the Agreement. | |||
110. | “Losses” means all losses, fines, punitive awards, monetary sanctions, restitution, liabilities, damages and claims, payable to unaffiliated third parties and/or governmental or regulatory agencies, and all related third-party costs and expenses. | |||
111. | [ * ] | |||
112. | [ * ] | |||
113. | [ * ] | |||
114. | “Mandatory Employment Period” is defined in Section 5.2. | |||
115. | “Minimum Revenue Commitment” or “MRC” is defined in Section 3.6(a). | |||
116. | [ * ] | |||
117. | [ * ] | |||
118. | [ * ] | |||
119. | [ * ] | |||
120. | “Monthly Performance Report” is defined in Section 10.3. | |||
121. | [ * ] | |||
122. | “New Entity” is defined in Section 3.14. | |||
123. | “New Services” is defined in Section 13.6. | |||
124. | [ * ] | |||
125. | [ * ] | |||
126. | “Notice of Election” is defined in Section 18.4. |
127. | “OEM” means original equipment manufacturer. | |||
128. | [ * ] | |||
129. | [ * ] | |||
130. | “Party” means either ACI or Vendor and “Parties” means both ACI and Vendor. | |||
131. | “Pass-Through Expenses” is defined in Section 13.2. | |||
132. | “PDP” means pre delivery preparation. | |||
133. | [ * ] | |||
134. | “Performance Information” is defined in Section 9.7. | |||
135. | “Personally Identifiable Information” means any nonpublic personal information, as defined under any Applicable Law. | |||
136. | [ * ] | |||
137. | “Potentially Rebadged Employees” is defined in Section 5.2. | |||
138. | “Privacy Laws” means all Applicable Laws set forth in Section 22.5. | |||
139. | “Procedures Manual” is defined in Section 10.5. [ * ] | |||
140. | [ * ] | |||
141. | [ * ] | |||
142. | “Rebadged Employees” is defined in Section 5.2. | |||
143. | [ * ] | |||
144. | [ * ] | |||
145. | [ * ] | |||
146. | “Relocation Notice” is defined in Section 3.13. | |||
147. | “Remote End User” means an End User who has only dial-up access to a LAN. | |||
148. | “Required Consents” means such consents as may be required or desirable for the assignment to Vendor, or the grant to Vendor of rights of use, of resources provided for in the Agreement. | |||
149. | [ * ] | |||
150. | [ * ] |
151. | [ * ] | |||
152. | [ * ] | |||
153. | “Retained Processes” is defined in Section 3.15. | |||
154. | “Retained Systems” is defined in Section 3.15. | |||
155. | “RMON” means remote network monitoring. | |||
156. | “SAS 70 Type II Report” is defined in Section 11.3. | |||
157. | “Schedule” means any of the schedules attached to the Agreement as the same may be amended by the Parties from time to time in accordance with the Agreement. | |||
158. | [ * ] | |||
159. | “Section 404” means Section 404 of SOX and the rules and regulations promulgated thereunder. | |||
160. | “Security Plan” is defined in Section 15.2. | |||
161. | [ * ] | |||
162. | [ * ] | |||
163. | [ * ] | |||
164. | [ * ] | |||
165. | [ * ] | |||
166. | [ * ] | |||
167. | “Service Level Credits” is defined in Section 9.3. | |||
168. | [ * ] | |||
169. | [ * ] | |||
170. | [ * ] | |||
171. | [ * ] | |||
172. | “Service Levels” is defined in Section 9.1. | |||
173. | “Service Locations” means locations at which Services are performed by any Vendor Personnel. |
174. | [ * ] | |||
175. | “Service Provider” is defined in Section 22.5. | |||
176. | [ * ] | |||
177. | [ * ] | |||
178. | “Services” is defined in Section 3.1. | |||
179. | [ * ] | |||
180. | [ * ] | |||
181. | [ * ] | |||
182. | [ * ] | |||
183. | [ * ] | |||
184. | [ * ] | |||
185. | [ * ] | |||
186. | “Software Capital Costs” is defined in Section 6.5. | |||
187. | “Software Operational Support Costs” is defined in Section 6.5. | |||
188. | “SOX” means the Sarbanes Oxley Act of 2002, as amended, and the rules and regulations promulgated thereunder. | |||
189. | [ * ] | |||
190. | [ * ] | |||
191. | [ * ] | |||
192. | [ * ] | |||
193. | [ * ] | |||
194. | [ * ] | |||
195. | [ * ] | |||
196. | [ * ] | |||
197. | [ * ] |
198. | [ * ] | |||
199. | [ * ] | |||
200. | “Technology Plan” is defined in Section 10.8. | |||
201. | “Term” is defined in Section 4.1. | |||
202. | [ * ] | |||
203. | “Termination/Expiration Assistance” is defined in Section 21.9. | |||
204. | “Termination/Expiration Assistance Period” is defined in Section 21.9. | |||
205. | “Third Party or Third Parties” means any entity or person other than Vendor and ACI and their respective Affiliates, directors, officers, and employees. | |||
206. | [ * ] | |||
207. | “Third Party Contracts” means agreements pursuant to which any third party agrees with Vendor, ACI or any of their Affiliates to provide products or services constituting or used in providing the Services, including contracts for the services of non-employee personnel to provide Services. [ * ] | |||
208. | [ * ] | |||
209. | [ * ] | |||
210. | “Transformation” means the portion of the Transition Services detailed in the Transformation Plan. | |||
211. | “Transformation Period” means the portion of the Transition Period during which the Transformation occurs. | |||
212. | “Transformation Plan” means the section of the Transition Plan that describes the transformation activities. | |||
213. | “Transition” is defined in Section 3.8. | |||
214. | [ * ] | |||
215. | “Transition Period” means the period, defined in the Transition Plan, [ * ] | |||
216. | “Transition Plan” is defined in Section 3.8. | |||
217. | “Use” means to use, copy, maintain, modify, enhance or create derivative works. | |||
218. | “User ID” means a string of characters (i.e., a user name or a password) that uniquely identifies a user to a system and enables access to a system or specific data residing on a system. |
219. | [ * ] | |||
220. | [ * ] | |||
221. | “Vendor Developed IP” is defined in Section 7.4. | |||
222. | “Vendor Focal Point” means the individual designated by Vendor to act as the single point of contact within a specified Services area or Location to whom ACI may direct all communications related to such Services area or Location. | |||
223. | “Vendor” is defined in the preamble to the Agreement, subject to Section 2.2. | |||
224. | “Vendor Indemnitees” is defined in Section 18.2. | |||
225. | “Vendor Laws” is defined in Section 22.1. | |||
226. | [ * ] | |||
227. | “Vendor Preexisting IP” is defined in Section 7.4. | |||
228. | “Vendor Delivery Project Executive” is defined in Section 5.1. | |||
229. | [ * ] | |||
230. | [ * ] | |||
231. | [ * ] | |||
232. | [ * ] | |||
233. | “Vendor Transition Manager” is defined in Section 5.1. | |||
234. | [ * ] | |||
235. | [ * ] | |||
236. | [ * ] | |||
237. | [ * ] | |||
238. | “Work Product” is defined in Section 7.4. | |||
239. | [ * ] |
Schedule G — Third Party Contracts
• | Exhibit H-1 (ACI US Midrange Inventory) |
• | Exhibit H-2 (ACI Toronto Server Room Inventory) |
• | Exhibit H-3 (EMEA Server Equipment) |
• | Exhibit H-4 (ACI AP Midrange Inventory) |
[ * ]
Schedule H — Existing Equipment
ACI US MIDRANGE INVENTORY
ACI TORONTO SERVER ROOM INVENTORY
EMEA SERVER EQUIPMENT
ACI AP MIDRANGE INVENTORY
NETWORK INVENTORY
PEOPLE COUNTS BY LOCATION
Schedule I — Vendor Supported Software
• | Exhibit I-1 — Framingham Workstations |
• | Exhibit I-2 — Newton Workstations |
• | Exhibit I-3 — Omaha Workstations |
FRAMINGHAM WORKSTATIONS
NEWTON WORKSTATIONS
OMAHA WORKSTATIONS
1. | [ * ] | ||||||
2. | Business Ethics Policy | ||||||
3. | [ * ] | ||||||
4. | [ * ] | ||||||
5. | [ * ] | ||||||
6. | [ * ] | ||||||
7. | [ * ] | ||||||
8. | [ * ] | ||||||
9. | [ * ] | ||||||
10. | [ * ] | ||||||
11. | [ * ] | ||||||
12. | [ * ] | ||||||
13. | [ * ] | ||||||
14. | [ * ] | ||||||
15. | [ * ] | ||||||
16. | [ * ] | ||||||
17. | [ * ] | ||||||
18. | [ * ] | ||||||
19. | [ * ] | ||||||
20. | [ * ] | ||||||
21. | [ * ] | ||||||
22. | [ * ] | ||||||
23. | [ * ] | ||||||
24. | [ * ] | ||||||
25. | [ * ] | ||||||
26. | [ * ] | ||||||
27. | [ * ] | ||||||
28. | [ * ] | ||||||
29. | [ * ] | ||||||
Confidential | ||||
Schedule J – ACI Policies and Procedures | Page 1 of 144 |
Policy Contact Information: | This Policy Applies To: | |||
Dennis Byrnes | Group | Except | ||
mailto:byrnesd@ACIinc.com | ☑ All Contractors | |||
(402) 390-8993 | ☐ USA-based Contractors | |||
☐ Omaha-based Contractors | ||||
☐ IT Support Staff — Omaha-based | ||||
☐ IT Support Staff — All Locations | ||||
☑ Other: Authorized Non-contractors | ||||
A. | In writing to either: |
(i) | The Company’s General Counsel, at 224 S. 108th Avenue, Omaha, NE 68154-26841325; or | ||
(ii) | The Chairman of the Company’s Audit Committee, at 224 S. 108th Avenue, Omaha, NE 68154-26841325. |
B. | By anonymously contacting the third-party service provider identified in the Company’s Whistleblower Protection Policy. That service provider will notify the Company’s senior officers of any report but will not disclose the identity of the reporting person if that person requests anonymity. |
A. | Initially address your concern with either your supervisor or a member of the Human Resources department. |
B. | If at any time you are not satisfied that your concern is being adequately addressed, you should bring the matter to the attention of the Company’s General Counsel. | ||
C. | If you are still unsatisfied with the resolution of, or attention to, the matter, you should contact the Chairman of the Audit Committee. |
website and will be made available upon request sent to the Company’s Secretary. The Company’s
annual report to stockholders will state that this Code is available on the Company’s website and
will be made available upon request sent to the Company’s Secretary.
Signature | Date | |||
Print Name |
1. | INTRODUCTION |
2. | GENERAL REQUIREMENTS |
a. | Vendor’s responsibilities include the following: |
(1) | During Transition, develop and submit for ACI’s approval a complete and comprehensive customer satisfaction survey process, including the content and format of each customer satisfaction survey (each, a “Survey”). Such process shall be deemed to be the “Survey Process” for purposes of this Agreement. | ||
(2) | Conduct Surveys for the following categories of End Users: |
[ * ] |
(3) | At ACI’s request, work with the Executive Steering Committee and/or the Management Committee to determine the list of ACI personnel and other End Users to be included in each Survey; provided that the individuals to be included in any Survey (the “Participants” for such Survey) shall be subject to ACI’s written approval. | ||
(4) | Conduct each Survey for its Participants in accordance with the Survey Process and any ACI-approved materials and methodologies specific to such Survey, using tools agreed upon by the Parties. | ||
(5) | [ * ] | ||
(6) | Measure customer satisfaction in all Surveys for a selection of the following general attributes: | ||
(a) | [ *] | ||
(b) | [ *] | ||
(c) | [ *] | ||
(d) | [ *] | ||
(e) | [ *] | ||
(f) | [ *] | ||
(g) | [ *] | ||
(h) | [ *] |
(7) | At ACI’s direction and in cooperation with ACI, use the Survey results to plan and implement measurable improvements to those portions of the Services requiring attention (provided that any such improvements to the Services shall be subject to ACI’s written approval). | ||
(8) | In response to a pattern of issues raised by each Survey, promptly prepare and provide to ACI a set of recommendations for Vendor to further improve its provision of the Services. | ||
(9) | Work in good faith with ACI to remedy issues or concerns raised in each Survey. |
Schedule K — User Satisfaction Survey Guidelines
3. | EXECUTIVE CUSTOMER SATISFACTION SURVEYS |
a. | The Vendor’s responsibilities include the following: |
(1) | [ * ] | ||
(2) | [ * ] | ||
(3) | [ * ] | ||
(4) | [ * ] | ||
(5) | Report the results of the Survey in writing (in a format acceptable to ACI) to the ACI Contract Executive within thirty (30) Business Days after the completion of the Survey. | ||
(6) | Along with ACI, conduct follow-on reviews as requested by the ACI Contract Executive, including reviewing the results of Executive Customer Satisfaction Surveys in the next Executive Steering Committee meeting. |
4. | NON-EXECUTIVE CUSTOMER SATISFACTION SURVEYS |
a. | The Vendor’s responsibilities include the following: |
(1) | [ * ] | ||
(2) | [ * ] | ||
(3) | [ * ] | ||
(4) | [ * ] | ||
(5) | Report the results of the Survey in writing (in a format acceptable to ACI) to the ACI Contract Executive within thirty (30) Business Days after the completion of the Survey. | ||
(6) | Along with ACI, conduct follow-on reviews as requested by the ACI Contract Executive, including reviewing the results of non-Executive Customer Satisfaction Surveys in the next Executive Steering Committee meeting. |
5. | POINT-OF-SERVICE CUSTOMER SATISFACTION SURVEYS |
1. | INTRODUCTION | |
This portion of the Schedule describes the Transition scope and approach used to manage the Transition, including the subprojects that will be further defined in the detailed Transition Plan. The terms and conditions of this Agreement will apply to the Transition, except to the extent expressly amended by the applicable Transition Plan. | ||
Vendor will begin Transition activities on the Agreement Effective Date and complete the subprojects needed for Vendor to provide service as of the Service Tower Commencement Date. Each subproject produces deliverables (including installed tools and documented processes and procedures amended by knowledge transfer from appropriate ACI employees) for the Vendor service delivery team. Each subproject generally represents a specific Service Tower competency such as Service Desk, Data Network Services, Enterprise Security Management Services, etc. In addition, there are two data center moves occurring during the Transition: [ * ] | ||
The general workflow and timelines for key subprojects are described below. The complete listing of subprojects will be described in the detailed Transition Plan. The actual dates are subject to change after the joint planning session with ACI that will be scheduled after the Agreement Effective Date. These dates will be reflected in the detailed Transition Plan to be delivered 60 days after the Agreement Effective Date. | ||
The initial 30 to 45 days after the Agreement Effective Date includes the acquisition of internal Vendor resources, a joint planning session with ACI that will produce the detailed Transition Plan, as well as joint verification of baselines. The governance structure will be described to ACI and established as the Vendor Program Management Office is implemented. The signed Agreement will be registered and a complete deliverables list will be created and provided to the Vendor service delivery team and ACI. These activities and others to be described in the detailed Transition Plan are represented in the Planning and Startup arrow as well as the PE Project Office arrow in Exhibit L-1. | ||
The [ * ] data center move will be addressed as a Transition project with a Vendor project manager, working with an ACI project manager, coordinating all of the Vendor and ACI resources needed to remove Equipment and associated Software from the [ * ] data center and relocate to the [ * ] Location. The planning stage will include coordination with existing ACI move plans and preparation. Work activities will include obtaining sufficient raised floor, outfitting with any new Equipment needed, installing local shared Internet access Equipment, preparation for [ * ], packing and shipping Equipment from [ * ], installing Equipment and re-installing existing Software, performing testing of installation and turning over to steady state operations. The actual move will occur over a three-day weekend period with advance notice to End Users. This activity is scheduled for completion on August 1, 2008. These activities and overall start and stop dates are represented by the [ * ]. |
Schedule L — Transition and Transformation
Exhibit L-1 [ * ] |
* Represents one page of tabular data |
2. | TRANSITION MANAGEMENT | |
2.1 | Transition Personnel | |
Vendor’s Transition management approach provides that: |
a. | the Vendor project executive has overall responsibility and accountability to meet agreed upon quality, cost, schedule and technical objectives of the Transition; | ||
b. | ACI and Vendor will each assign the appropriate employees and subcontractors to comprise the Transition Team. Such Transition Team members will be assigned specific tasks to be accomplished within the time frames set forth in the Transition Plan; | ||
c. | ACI and Vendor will each assign an individual (each a “Transition Manager” and collectively the “Transition Managers”) who will serve as the single point of contact and be responsible for overseeing the completion of its Transition Plan responsibilities and coordinating activities with the other; and | ||
d. | the Transition Managers will orient the Transition Team members regarding the Transition management approach and the Transition Plan, including individual responsibilities, deliverables, and schedules. Each Transition Manager will provide operational guidance to, manage and be accountable for the performance of its employees and subcontractors assigned to the Transition. |
2.2 | Roles and Responsibilities |
a. | Vendor will: |
1) | with ACI’s assistance, develop and maintain the detailed Transition Plan and any associated documentation; | ||
2) | establish and implement a project management system and control structure, including processes for managing Transition activities, milestones, support resources and deliverables status, issues, risks, changes and quality; | ||
3) | manage the Transition including planning, directing and monitoring Transition activities and assigned resources, according to the agreed schedule and processes; | ||
4) | implement all changes consistent with the change control process set forth in Section 5 (Change Control Process); | ||
5) | identify, address and resolve deviations from the Transition Plan and any business and/or technical issues that may impact the Transition; | ||
6) | develop the Transition meetings (i.e., planning, review, status) schedule with ACI, including the frequency and location for such meetings; |
7) | coordinate and conduct Transition meetings in accordance with the established schedule; and | ||
8) | provide to ACI periodic written status report(s) which include information such as schedule status, Transition progress, issue identification and related action plans. |
b. | ACI will: |
1) | serve as the interface between the Transition Team and ACI’s business functions, units, or Affiliates participating in the Transition to define ACI’s business and technical requirements for Transition and to validate that the Transition Plan meets such requirements; | ||
2) | assist Vendor in the development and maintenance of the detailed Transition Plan and any associated documentation; | ||
3) | review and approve the Transition Critical Deliverables; | ||
4) | provide Vendor’s employees and subcontractors with access (i.e., physical and logical) to the ACI Service Locations and systems affected as a result of the Transition or required by Vendor to provide the Services; | ||
5) | assign ACI’s resources and manage the completion of the ACI-owned Transition activities according to the agreed schedule and processes; | ||
6) | implement all changes consistent with the change control process set forth in Section 5 (Change Control Process); | ||
7) | obtain and provide current information, data and documentation related to the Transition (for example, Third Party supplier and vendor information, Service Location data, inventory data, existing operational processes and procedures, systems documentation, configuration documentation), decisions and approvals, within the agreed time period, which will be within five Business Days of Vendor’s request, unless otherwise mutually agreed; | ||
8) | assist Vendor in identifying, addressing and resolving deviations from the Transition Plan and any business and/or technical issues that may impact the Transition; and | ||
9) | develop the Transition meetings (i.e., planning, review and status) schedule with Vendor, including the frequency and location, and attend such meetings in accordance with the established schedule. |
3. | TRANSITION PLAN | |
3.1 | Overview | |
The detailed Transition Plan will contain the following information: |
a. | Management Summary | ||
This section will provide a management summary of the overall Transition strategy and approach. | |||
b. | Background and Business Objectives | ||
This section will provide an overview of the Agreement and ACI’s business objectives. |
c. | Transition Objectives and Scope of Work | ||
This section will provide a summary of the overall Transition and define the scope of work to be performed. | |||
d. | Transition Organization and Responsibilities | ||
This section will identify ACI’s and Vendor’s respective Transition Managers, Transition Team and key responsibilities that ACI and Vendor are required to perform in order to complete the Transition. | |||
e. | Assumptions and Dependencies | ||
This section will describe any key assumptions or dependencies upon which the Transition was based and/or is dependent upon for completion. | |||
f. | Milestones and Deliverables | ||
This section will provide a schedule of key Transition milestones and a description of items to be delivered by Vendor to ACI under the Transition. | |||
g. | Completion Criteria | ||
This section will describe the completion criteria that Vendor must meet in order to satisfy its obligations under the Transition. |
3.2 | Transition Subprojects | |
The detailed Transition Plan will further define each Transition subproject set forth below, including a set of objectives, assumptions, dependencies, milestones, deliverables, and completion criteria. | ||
3.2.1 | Human Resources | |
The Human Resources subproject will describe the tasks necessary to facilitate Vendor’s hiring of the ACI employees and address the incorporation of these new employees into the Vendor culture. Vendor will: |
a. | assist in communicating to the Affected Employees regarding employment status and Vendor’s employment process; | ||
b. | provide the Rebadged Employees with orientation to Vendor; | ||
c. | provide the Rebadged Employees with Vendor cultural training; and | ||
d. | provide the Rebadged Employees with initial training in the use of Vendor internal tools. |
3.2.2 | Workplace Services | |
The Workplace Services subproject will address the establishment of a productive working environment at the Service Locations for Vendor (i.e., Rebadged Employees, Vendor account team, Transition Team) to provide the Services to ACI. Vendor will: |
a. | obtain access, as authorized and provided by ACI, to the Service Locations and systems affected by Transition or required by Vendor to provide the Services; |
THIS DOCUMENT DENOTED BY BOXES AND ASTERISKS BE
ACCORDED CONFIDENTIAL TREATMENT PURSUANT TO RULE 24b-2
PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
b. | coordinate the resources (for example, Service Locations, office consumables, pagers, cellular phones, home connectivity, access to internal support) required by Vendor to provide the Services; and | ||
c. | coordinate the deployment of workstation tools (for example, laptops, desktops, desktop software applications, system IDs and training, Network connectivity) required by Vendor to provide the Services. |
3.2.3 | [ * ] |
3.2.4 | [ * ] |
3.2.5 | [ * ] |
a. | [ * ] |
b. | ACI will: |
1) | perform a review of each Rebadged Employee’s system access authorizations to confirm the need for the same access requirements following the Effective Date and advise Vendor of any required changes; and | ||
2) | perform other activities as described in Exhibit A-8 (Enterprise Security Management Services) of Schedule A (Statement of Work). |
3.2.6 | [ * ] |
3.2.7 | [ * ] |
a. | develop and execute the process to transfer assets from ACI to Vendor, including using the appropriate forms, obtaining the authorized signatures and maintaining the required documentation; and | ||
b. | with ACI’s assistance, develop a list of ACI assets to be transferred to Vendor, including all computer assets (e.g., PCs) used by Rebadged Employees prior to the Effective Date. |
3.2.8 | [ * ] |
3.2.9 | [ * ] |
3.2.10 | [ * ] | ||
* | represents two pages of redacted text |
3.2.11 | [ * ] | ||
* | represents one page of redacted text |
3.2.12 | [ * ] |
3.2.13 | [ * ] |
3.2.14 | [ * ] |
3.2.15 | [ * ] | ||
* | represents one page of redacted text |
4. | COMPLETION |
a. | Vendor will notify ACI in writing when the completion criteria for a Transition deliverable have been met. | ||
b. | ACI must inform Vendor, in writing, within ten Business Days following receipt of Vendor’s notification if ACI believes Vendor has not met the completion criteria, together with reasonable detail as to the reasons for such belief. | ||
c. | The Vendor Transition Manager will consider ACI’s timely request for revisions, if any, within the context of Vendor’s obligations. | ||
d. | ACI revisions, agreed to by Vendor, will be made and the deliverable will be resubmitted to the ACI Transition Manager, at which time such deliverable will be deemed accepted. | ||
e. | If Vendor does not receive written notice from ACI within the time frame specified above, then the Transition deliverable(s) will be deemed accepted by ACI. |
5. | CHANGE CONTROL PROCESS | |
The change control process is part of the overall project management system which will be implemented by Vendor to control changes to the Services. Either ACI or Vendor may request a change to Transition subject to the following change control process: |
a. | The Transition, as described in this Agreement and the Transition Plan, may be changed only by a writing signed by authorized representatives of ACI and Vendor. | ||
b. | All Project Change Requests (“PCRs”) to Transition will be submitted in writing by the requesting Vendor or ACI Transition Manager. The PCR will reference the Transition, describe at a reasonable level of detail the change, the rationale for the change and the impact the change may have on the Transition if it is accepted and if it is rejected. | ||
c. | The Transition Managers will review the PCR and either: |
1) | recommend approval of the change by authorized representatives of ACI and Vendor signing the PCR. Upon such approval, the change will be implemented; or | ||
2) | agree in writing to submit the PCR for further investigation and to pay Vendor for its reasonable charges, if any, for Vendor’s investigation. Such investigation will determine the technical merits and the effect on price, schedule, and other terms and conditions that may result from the implementation of the PCR. ACI and Vendor will then agree to mutually approve or reject the PCR. If ACI and Vendor do not agree, either Vendor or ACI may submit such PCR to the project executives for resolution; or | ||
3) | reject the PCR. If rejected, the PCR will be returned to the requesting Transition Manager along with the reason for rejection. |
6. | PERFORMANCE |
a. | Vendor will perform the Transition and implement the Transition Plan in accordance with the timetable and milestones set forth in the Transition Plan, and ACI will reasonably cooperate with Vendor to assist Vendor in implementing the Transition Plan. Vendor will provide all cooperation and assistance reasonably required or requested by ACI in connection with ACI’s evaluation or testing of the deliverables resulting from implementation of the Transition Plan. Vendor will implement the Transition Plan in a manner that will not: |
1) | materially disrupt or have a material adverse impact on the business or operations of ACI or the End Users; | ||
2) | degrade the Services then being received by ACI and the End Users; or | ||
3) | interfere with ACI’s or the End Users’ ability to obtain the full benefit of the Services, except as may be otherwise provided in the Transition Plan. |
b. | Prior to undertaking any Transition activity, Vendor will discuss with ACI all known ACI-specific material risks and will not proceed with such activity until ACI is reasonably satisfied with the plans with regard to such risks (provided that, neither Vendor’s disclosure of any such risks to ACI nor ACI’s acquiescence in Vendor’s plans will operate or be construed as limiting Vendor’s responsibilities under this Agreement). Vendor will identify and resolve, with ACI’s reasonable assistance, any problems that may impede or delay the timely completion of any phase of the Transition Plan. |
1. | INTRODUCTION |
a. | This portion of the Schedule sets forth an outline of the Transformation activities that ACI and Vendor will perform during the Transformation Period. During the Transition phase, a team of the appropriate Vendor employees and ACI employees (the “Transformation Team”) will draft a detailed Transformation Plan. The Transformation Plan will describe: |
• | the specific objectives of each portion of the Transformation; | ||
• | the equipment, software and resources ACI and Vendor require to complete the Transformation during the Transformation Period; | ||
• | the technical assumptions and dependencies inherent in the Transformation Plan; | ||
• | any unique Transformation requirements related to the Service Locations; and | ||
• | the required time frames, activity dates and people responsible for individual tasks throughout the Transformation Period. |
b. | The Transformation Plan will specify ACI’s and Vendor’s respective Transformation responsibilities. It will contain descriptions and schedules for the required tasks. | ||
c. | Upon completion of the Transformation Plan, the Transformation Team will meet regularly as mutually agreed, and will review and update the Transformation Plan to reflect mutually agreed upon changes such as revisions to schedules, resource requirements, dependencies, and priorities. |
2. | [ * ] | ||
* | represents one page of redacted text |
3. | GENERAL ROLES AND RESPONSIBILITIES |
a. | Vendor Responsibilities | ||
Vendor will take the leadership role in the development and implementation of the Transformation Plan. Vendor will provide the resources necessary to perform its responsibilities set forth in the Transformation Plan. In addition, Vendor will establish a Transformation project office, manage at a minimum monthly Transformation status meetings, and track and report on the status of all tasks. Vendor will provide regular updates to ACI management describing the following: |
1) | activities scheduled during the current reporting period; | ||
2) | activities planned for the next reporting period; and | ||
3) | change control activity: | ||
• | cumulative; | ||
• | approved; |
• | rejected; | ||
• | in progress, concerns; and | ||
• | recommendations. |
b. | ACI Responsibilities | |
ACI will assign the appropriate employees to the Transformation Team to assist Vendor in the development and implementation of the Transformation Plan. ACI will provide the resources necessary to perform its responsibilities set forth in the Transformation Plan, including: |
1) | assigning the appropriate employees and subcontractors to develop, jointly with Vendor, individual Transformation Plan sections and identify the tasks required to complete each major Services area Transformation; | ||
2) | providing representation and input from the End User organizations that will be required to assist in defining the criteria for the Transformation of operations; | ||
3) | providing Vendor’s employees with access to the Service Locations and systems affected as a result of the Transformation or required by Vendor to provide the Services; | ||
4) | providing, to the extent available, current documentation related to the Transformation (for example, Third Party supplier and vendor information, facility data, existing operational processes and procedures, systems documentation, configuration documentation, and inventory data); and | ||
5) | identifying all current and future known activities that Schedule V (In-Flight Projects) does not address and that may impact upon Vendor’s provision of the Services. |
4. | [ * ] | ||
* | represents three pages of redacted text |
COMPANY: | [ ] | |
ADDRESS: | [ ] | |
CITY: | [_____] | |
STATE: | [___] | |
ZIP: | [_____] |
1. CONFIDENTIALITY |
Schedule M — Vendor Confidentiality Agreement
2. EXCLUSIONS. |
3. RETURN OF CONFIDENTIAL INFORMATION. |
4. REMEDIES. |
5. NO WARRANTIES OR FURTHER RIGHTS. |
6. EXPORT RESTRICTION. |
7. SECURITY POLICIES. |
8. MISCELLANEOUS. |
COMPANY: | ||||
Signature: | ||||
Name: | ||||
Title: | ||||
Date: | ||||
THIS DOCUMENT DENOTED BY BOXES AND ASTERISKS BE
ACCORDED CONFIDENTIAL TREATMENT PURSUANT TO RULE 24b-2
PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
1. | INTRODUCTION | |
This Schedule identifies the Approved Subcontractors as of the Effective Date. |
[ * ] |
Schedule N — Approved Subcontractors
PORTIONS OF THIS DOCUMENT DENOTED BY BOXES AND
ASTERISKS BE ACCORDED CONFIDENTIAL TREATMENT
PURSUANT TO RULE 24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
Schedule O — Approved Benchmarkers
THE PORTIONS OF THIS DOCUMENT DENOTED
BY BOXES AND ASTERISKS BE ACCORDED
CONFIDENTIAL TREATMENT PURSUANT TO
RULE 24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
Location | Address | City | State | Zip Code | Country | [ * ] | Comments | |||||||||||
1 | New York City (Corp) | 120 Broadway, Suite 3350 | NYC | NY | 10271 | USA | [ * ] | [ * ] | ||||||||||
2 | New York City (Sales) | 150 Broadway, Suite 1910 | NYC | NY | 10271 | USA | [ * ] | [ * ] | ||||||||||
3 | New Brunswick | 113 North Center Drive North Brunswick, NJ 02460 | North Brunswick | NJ | 02460 | USA | [ * ] | [ * ] | ||||||||||
4 | Naples, ITALY | Via Scarlatti, 88 80127 Napoli, Italy | Napoli | Italy | [ * ] | [ * ] | ||||||||||||
5 | Moscow | Riverside Towers Building 1A 11th Floor 52/1 Kosmodamianskaya Nab Moscow 113054 | Moscow | Russia | [ * ] | [ * ] | ||||||||||||
6 | Mexico City | Insurgentes Sur 1605, Piso 14, Modulo 1 Torre Mural San José Insurgentes Méx D.F. 03900 | Mexico City | Mexico | [ * ] | |||||||||||||
7 | Melbourne | Level 2, 789 Toorak Road Hawthorn East Vic 3123 Australia | Melbourne | Australia | [ * ] | [ * ] |
Schedule P — Locations
8 | Manama | PO Box 15134, Diplomatic Area Al-Salam Tower, 9th Floor Manama Bahrain | Manama | Bahrain | [ * ] | [ * ] | ||||||||||||
9 | Madrid | No 93 Alle Calendula Suite 462 28109 Aconbendas Madrid, Spain | Madrid | Spain | [ * ] | [ * ] | ||||||||||||
10 | Leeds, UK | 23-37 Cookridge Street Suite 4, 2nd Floor Leeds, Yorkshire, UK | Leeds | UK | [ * ] | [ * ] | ||||||||||||
11 | Kuala Lumpur | No 17-2, Jalan PJU 5/13, PJU 5, Dataran sunway, Kota Damansara 47810 Petaling Jaya, Selangor Darul Ehsan, Malaysia | Kuala Lumpur | Malaysia | [ * ] | [ * ] | ||||||||||||
12 | Johannesburg | P.O. Box 55553 Northlands 2116 Johannesburg South Africa | Johannesburg | South Africa | [ * ] | [ * ] | ||||||||||||
13 | Gouda, NETH | Antwerpseweg 1 P.O. Box 867 2800 AW Gouda, The Netherlands | Gouda | The Netherlands | [ * ] | [ * ] | ||||||||||||
14 | Frankfurt | Am Limespark 2 D-65843 Sulzbach, GERMANY | Frankfurt | Germany | [ * ] | [ * ] | ||||||||||||
15 | Framingham | 492 Old Connecticut Path, Suite 600 Framingham, MA 01701-4584 | Framingham | MA | 01701-4584 | USA | [ * ] | [ * ] |
16 | Newton | 320 Nevada Street Newton, MA 02460 | Newton | MA | 2460 | USA | [ * ] | |||||||||||
17 | Dubai | Building 2, Suite 2 Dubai Internet City United Arab Emirates | Dubai | UAE | [ * ] | [ * ] | ||||||||||||
18 | Clearwater | 15500 Roosevelt Boulevard Clearwater, FL 33760 | Clearwater | FL | 33760 | USA | [ * ] | [ * ] | ||||||||||
19 | Bangalore | #104, First Floor Prestige Omega, EPIP Zone, Whitefield, Bangalore- 560 066 | Bangalore | India | [ * ] | [ * ] | ||||||||||||
20 | Buenos Aires | Sarmiento 552, Piso 15 Ciudad Autónoma de Buenos Aires 1041 | Buenos Aires | Argentina | [ * ] | [ * ] | ||||||||||||
21 | Athens | Athens Tower, Building B 2-4 Mesogeion Ave Athens, Greece | Athens | Greece | [ * ] | [ * ] | ||||||||||||
22 | Watford | 55 Clarendon Road, Watford, Herts, WD17 1FQ, UK | Watford | UK | [ * ] | |||||||||||||
23 | Victoria | 1501 E. Mockingbird Lane, Suite 401 Victoria, TX 77904 | Victoria | TX | 77904 | USA | [ * ] | [ * ] | ||||||||||
24 | Toronto | 200 Wellington Street, Toronto, Ontario M5V 3C7 | Toronto | Ontario | Canada | [ * ] | [ * ] | |||||||||||
25 | Tokyo | BUREX Kyobashi 711, 2-7-14 Kyobashi Chuo-ku Tokyo 104-0031, JAPAN | Tokyo | Japan | [ * ] | [ * ] | ||||||||||||
26 | Timisoara, ROMANIA | Str. Pestalozzi nr. 22 Timisoara 300115, Romania | Timisoara | ROMANIA | [ * ] | [ * ] |
27 | Sydney | Level 2, 50 Margaret Street Sydney, NSW Australia 2000 | Sydney | Australia | [ * ] | [ * ] | ||||||||||||
28 | Singapore | 3 Tampines Grande AIA Tampines, #08-01 Singapore 528799 | Singapore | Singapore | [ * ] | [ * ] | ||||||||||||
29 | Sao Paulo | Rua Luigi Galvani, 200-10 Andar Sao Paulo-SP CEP 04575-020 BRAZIL | Sao Paulo | Brazil | [ * ] | [ * ] | ||||||||||||
30 | Shannon, IRELAND | National Technology Park Roselawn House Limerick Republic of Ireland | Limerick | IRELAND | [ * ] | [ * ] | ||||||||||||
31 | Providence | 100 Amaral Street East Providence, RI 02915 | Providence | RI | 02915 | USA | [ * ] | [ * ] | ||||||||||
32 | Plano | 4965 Preston Park Blvd. Suite 90 Plano, Texas 75093 | Plano | TX | 75093 | USA | [ * ] | [ * ] | ||||||||||
33 | Paris | 30 bis rue du Vieil Abreuvoir 78100 St. Germain en Laye France | Paris | France | [ * ] | [ * ] | ||||||||||||
34 | Omaha (current location) | 330 South 108th Ave, Omaha NE 68154 | Omaha | NE | 68154 | USA | [ * ] | |||||||||||
35 | Omaha (new location) | 6060 Coventry Drive, Omaha, NE 68022 | Omaha | NE | 68022 | USA | [ * ] | |||||||||||
36 | Makati City, Philippines | 1100 88 Corporate Center Valero cor Sedeno Sts. Salcedo Village, Makati City, Manila 1227 | Makati City | Philippines | [ * ] |
37 | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||||
38 | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||||
39 | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||||
40 | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] |
Location | Address | City | State | Zip Code | Country | Comments | ||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] | ||||||||
[ * ] | [ * ] | [ * ] | [ * ] | [ * ] |
1.1 | Schedule R is the Vendor reporting requirements and lists all reports to be provided by Vendor in accordance with the Statements of Work. ACI acknowledges that reports are required following the Service Tower Commencement Date. | |
1.2 | All report descriptions set out in the Vendor Reporting Requirements Chart are for reference only and are intended to provide a general list of items which the Vendor shall include in the applicable report. |
2.1 | Subject to the Change Control Procedure, ACI may require the Vendor to submit additional reports and may change or request new Reports from time to time. |
3.1 | The Vendor shall submit reports on time as set out in this Schedule R, unless otherwise mutually agreed to by both Parties. | |
3.2 | The Vendor shall submit all reports to the ACI Contract Manager via the Vendor portal. |
Schedule R — Reports
PORTIONS OF THIS DOCUMENT DENOTED BY BOXES AND
ASTERISKS BE ACCORDED CONFIDENTIAL TREATMENT
PURSUANT TO RULE 24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
1.0 | INTRODUCTION |
1.1 | Purpose |
• | Governance organization and staffing. | ||
• | Governance joint committee structures. |
2.0 | KEY GOVERNANCE RESPONSIBILITIES |
2.1 | ACI |
2.1.1 | ACI Engagement Executive |
1. | Manage the overall relationship with the Vendor. |
2. | Provide leadership and guidance to the ACI Governance organization. |
3. | Work with the Vendor Project Executive and the Vendor Delivery Project Executive to progress the goals and objectives of the arrangement. |
4. | Resolve escalated issues in accordance with the Governance escalation procedures. |
5. | Provide liaison activities and guidance with the Vendor’s corporate executive leadership in regard to the strategic needs of ACI. |
2.1.2 | ACI Engagement Manager |
1. | Monitor Vendor and ACI compliance with the obligations of the Agreement. |
2. | Monitor Vendor contract-level deliverable commitments. |
3. | Track fulfillment of Vendor deliverables. |
4. | Ensure audit-ability of Vendor processes. |
5. | Manage Benchmarking activities. |
6. | Staff and manage the ACI Governance organization. |
7. | Resolve escalated issues according to the Governance escalation procedures. |
8. | Approve (or decline) all work requests that are in excess of pre-established expenditure amounts or circumstances. |
9. | Evaluate Performance Credits and approve any action plans resulting from critical service performance failures. |
10. | Approve, authorize, and oversee all contract-related policies and procedures. |
2.1.3 | ACI Engagement Administrator |
1. | Ensure receipt and review of all Vendor reports required per the Agreement. |
2. | Develop standard reporting and communication requirements between the Vendor and various staff and organizations within ACI. |
3. | Develop and assist with negotiations related to all addendums and updates to the Agreement that are required during the Term. |
4. | Assist with interpretation and intent of the Parties in regard to the terms and conditions of the Agreement. |
2.1.4 | ACI Engagement Transition Manager |
1. | Approve the Transition Plan. |
2. | Manage ACI’s obligations under the Transition Plan. |
2.1.5 | ACI Business-Unit Coordinator |
1. | Provide advice and counsel to ACI business units regarding the terms and conditions of the Agreement. |
2. | Provide support to ACI business units in regard to questions and issues arising from the delivery of Services. |
3. | Act as the primary interface between the Vendor’s organization and the ACI business units. |
2.1.6 | ACI’s Finance Manager |
1. | Establish and manage the overall budget in connection with the Agreement. |
2. | Monitor to ensure that savings objectives for the Agreement are being met. |
3. | Review financial analysis for all Vendor-sponsored initiatives to ensure financial viability. |
4. | Assist in and support, as needed, the review of monthly charges to assure the accuracy of Vendor charges, ACI retained costs, and pass-through expenses. |
5. | Ensure that anticipated and agreed-upon Vendor financial responsibilities are not converted to ACI retained or pass-through expenses. |
6. | Investigate variances in forecasted expenses or usage. |
7. | Establish and maintain the ACI charge-back process and systems. |
8. | Ensure that ACI and Vendor have the necessary internal financial controls in place to comply with the Sarbanes-Oxley Act of 2002. |
2.1.7 | ACI Service Manager(s) |
1. | Review all Service Levels and contractual commitments for the respective Service Tower. |
2. | Assist both ACI and the Vendor with forecasting resource requirements. |
3. | Provide support to ACI and Authorized Users in accordance with the Problem Management process, as described in Exhibit A-1 (Delivery Management Services (Cross Functional)) of Schedule A (Statement of Work). |
4. | Review and approve specific project plans and Change Management activities for a Service Tower. |
2.2 | Vendor |
2.2.1 | Vendor Project Executive |
1. | Manage the overall relationship regarding Vendor and ACI. |
2. | Assure the successful Transition of the Agreement to operational status. |
3. | Oversee the fulfillment of Vendor’s obligations under the Agreement. |
4. | Work with the ACI Governance Team to establish, manage, and meet commitments, requirements, and expectations. |
5. | Work with ACI executives and business-unit managers to align the delivery of Services with the strategic needs of ACI. Such activities will be performed with the approval and in conjunction with the ACI Service Delivery Managers. |
6. | Inform ACI about new corporate capabilities and developments within Vendor’s organization, and propose ideas and solutions that will provide ongoing benefit to ACI. |
7. | Act as the primary Vendor focus for new service establishment for ACI. |
8. | Implement a client satisfaction survey for the account in accordance with Schedule K (User Satisfaction Survey Guidelines). |
2.2.2 | Vendor Transition Manager |
1. | Establish the account infrastructure necessary to operate the account, including financial, human resources, security, facilities, and communication. |
2. | Develop and implement the Service delivery plan. |
3. | Install all Service delivery processes and confirm that the Service Level reporting mechanisms are established and operational. |
4. | Transition all of ACI’s applicable personnel and subcontractors seamlessly to Vendor. |
2.2.3 | Vendor Delivery Project Executive |
1. | Meet all Service Levels and contractual commitments for the respective Service Tower. |
2. | Provide support to ACI and End Users in accordance with the Problem Management process, as described in the Exhibit A-1 (Delivery Management Services (Cross Functional)) of Schedule A (Statement of Work). |
3. | Provide all Service Level reporting to the service control function. |
4. | Verify that Vendor’s performance requirements as they relate to ACI business requirements and business objectives are satisfied. |
5. | Assure operational compliance with the Agreement and confirm that Vendor fulfills its obligations under the Agreement, including all obligations relating to deliverables. |
6. | Establish and execute the account management disciplines, business management processes, and associated reporting. |
7. | Confirm prompt identification and resolution of Service delivery issues. |
8. | Confirm that Vendor’s performance requirements as they relate to the ACI strategic business planning (business and architecture, strategic options, business assessment, business operating plans) requirements are met. |
9. | Manage any selection of subcontractors. |
10. | Manage shared resource centers within the ACI account. |
11. | Interface as needed with ACI. |
12. | Establish Vendor metrics program. |
13. | Construct the performance reports and manage the monthly reporting. |
14. | Establish Vendor Benchmarking methodology in accordance with the Agreement. |
15. | Introduce Vendor’s processes and delivery models to the account. |
16. | Establish training programs as required by the Agreement. |
17. | Provide process ownership for Service delivery processes. |
18. | Provide Vendor quality assurance function. |
19. | Manage other administrative functions including security as required by the Agreement. |
20. | Provide for the receipt and review of Vendor reports required per the Agreement. |
21. | Develop standard reporting and communication requirements between Vendor and various staff and organizations within ACI. |
2.2.4 | Vendor Service Delivery Managers |
1. | Meet all Service Levels and contractual commitments. |
2. | Provide all Service Level reporting to the service control function. |
3. | Verify that Vendor’s performance requirements as they relate to ACI business requirements and business objectives are satisfied. |
4. | Establish and execute the account management disciplines, business management processes, and associated reporting. |
5. | Confirm prompt identification and resolution of Service delivery issues. |
6. | Manage shared resource centers within the ACI account. |
7. | Interface as needed with ACI. |
8. | Establish Vendor metrics program. |
9. | Construct the performance reports and manage the monthly reporting. |
10. | Establish training programs as required by the Agreement. |
11. | Provide Vendor quality assurance function. |
12. | Manage other administrative functions including security as required by the Agreement. |
13. | Provide for the receipt and review of Vendor reports required per the Agreement. |
14. | Develop standard reporting and communication requirements between Vendor and various staff and organizations within ACI. |
2.2.5 | Vendor Financial Analyst |
1. | Provide the monthly invoice and all account billing and reporting functions. |
2. | Provide all financial reporting, including exception reporting, to ACI, in accordance with Schedule C (Charges). |
2.2.6 | Vendor Human Resource Manager |
1. | Establish personnel administration policies for the account. |
2. | Provide the Human Resources management function for the account. |
3. | Provide the recruitment and placement function for the account. |
4. | Provide the communication forms for the account. |
3.0 | Committees and Teams |
1. | An Executive Steering Committee will be formed, consisting of an equal number of both ACI and Vendor executives, to provide business oversight and ensure that the Service delivery objectives are achieved. This committee will also direct the ACI / Vendor relationship and assist the ACI Engagement Executive and Vendor Project Executive in decisions that directly affect this Agreement. |
2. | An ACI Engagement Manager and a Vendor Delivery Executive will be appointed by the Parties to liaise with the Executive Steering Committee and to monitor and resolve, where possible, any issues raised by the ACI Service Manager(s) and Vendor Service Delivery Manager. |
3. | The appropriate ACI Service Manager(s) and Vendor Service Delivery Manager(s) will carry out the day-to-day coordination of Service delivery, and will include other ACI representatives as required. |
4. | ACI and Vendor will jointly develop and implement agreed performance management and business assurance processes. |
5. | The performance management and business assurance processes and procedures will be deployed at the designated ACI Locations, which will confirm the stable start-up and efficient delivery of the Services. |
3.1 | Executive Steering Committee |
• | Discussing the evolving business agenda of both companies. | ||
• | Reviewing and refreshing the strategic goals for the partnership. | ||
• | Identifying change on the horizon that will need to be managed. | ||
• | Reviewing performance against the strategic goals, both business and relationship, and assessing client satisfaction. | ||
• | Exploring ways to extend the relationship to solve new business challenges. | ||
• | Reviewing and discussing how the parties can leverage new skills, techniques, and knowledge gained by Vendor through research and development initiatives and experiences with other clients. |
3.1.1 | Members |
1. | ACI Global CIO. |
2. | Vendor Vice President, Global Technology Services, Banking Industry. |
3. | Vendor Delivery Director Global Technology Services, Financial Services Sector. |
4. | ACI Business Unit Coordinators. |
5. | Vendor Client Executive. |
6. | Other ACI and Vendor personnel as required. |
3.1.2 | Key Responsibilities |
1. | Ensure business alignment between the Parties, analysis of ACI and Vendor business plans, and oversight of new or modified Services during the Term. |
2. | Develop strategic requirements and plans associated with the Services or New Services during the Term. |
3. | Resolve issues escalated by the Management Committee. |
3.1.3 | Reports (to be provided by Vendor) |
3.1.4 | Meetings |
3.2 | Management Committee |
• | Developing strategies to meet the goals that are set by the Executive Steering Committee. |
• | Addressing any systemic contractual or management issues. |
• | Periodically assessing the quality of the working relationship and planning the appropriate actions to strengthen the relationship. |
• | Identifying and resolving conflict. |
• | Identifying and managing impending change. |
• | Reviewing business volumes and service performance. |
• | Investigating new opportunities to deliver business value. |
• | Making recommendations to the Executive Steering Committee on significant changes to objectives, strategies, or the contract. |
• | Defining the procedures and practices to be followed by the Service Delivery Committee. |
3.2.1 | Members |
1. | ACI Engagement Executive. |
2. | Vendor Project Executive. |
3. | Other ACI and Vendor personnel as required. |
3.2.2 | Authority |
1. | Proposing changes to the Agreement. |
2. | Adding, modifying, and/or removing Services covered by the Agreement. |
3. | Operational, technical, financial, and general management oversight of the Agreement. |
4. | Resolving issues escalated by the Service Delivery Committee. |
3.2.3 | Key Responsibilities |
1. | Manage the performance of the Parties’ respective roles and responsibilities under the Agreement. |
2. | Implement/execute the Agreement. |
3. | Manage risks and opportunities for improvement. |
4. | Monitor Service delivery and Transition activities based on reporting and coordination with the Service Delivery Committee. |
5. | Consider and approve, where possible, operational and technical changes in accordance with the Change Management requirements set out in Exhibit A-1 (Delivery Management Services (Cross Functional)) of Schedule A (Statement of Work). |
6. | Consider and approve, where possible, changes to the Agreement and to the Services in accordance with the Change Control procedures to be approved by ACI. |
7. | Seek to resolve any issues escalated by the Service Delivery Committee in accordance with Section 4.0 (Issue Escalation Procedures) in this Schedule. |
8. | Produce any Management Committee summary reports as set out in Schedule R (Reports) and submit them for Executive Steering Committee review. |
9. | Approve the following and report, as required, to the Executive Steering Committee with respect to: |
9.1. | Service Levels, Service Level Credits, and Earnback, as described in Schedule B (Service Levels). |
9.2. | Continuous improvement and quality assurance measures. |
9.3. | Proposals for reset of Service Levels. |
9.4. | Review of financial performance. |
9.5. | Pricing. |
9.6. | Customer satisfaction surveys. |
9.7. | Audit results. |
9.8. | Benchmarking results. |
10. | Monitor and review the ongoing status of Third Party Contracts as appropriate. |
11. | Initiate, as appropriate, the recommendations and suggestions made by the Executive Steering Committee relating to the Services and/or this Agreement. |
12. | Ensure the implementation of process/infrastructure, financial and resource plans. |
13. | Review business proposals as submitted by ACI business sponsors and/or Vendor personnel. |
14. | Recommend new proposals to the Executive Steering Committee. |
15. | Provide advice and direction to the Service Delivery Committee for performance improvement. |
16. | Delegate any powers it considers appropriate to the Service Delivery Committee. |
3.2.4 | Reports (to be prepared by Vendor) |
3.2.5 | Meetings |
1. | Contract Management and Change Control. |
2. | Service delivery. |
3. | Transition management (as required). |
4. | Transformation management (as required). |
5. | Change Management. |
6. | Technical planning. |
3.3 | Service Delivery Committee |
• | Identifying and addressing day-to-day service and change management issues. |
• | Preparing reports for the Management Committee, to highlight service issues. |
• | Identifying upcoming events that may result in changes in service demand. |
• | Reviewing and discussing client satisfaction and service quality improvements. |
• | Reviewing monthly reports and Service Level attainment. |
• | Continually reviewing support processes, tools, and methodologies. |
3.3.1 | Members |
1. | ACI Service Manager(s). |
2. | ACI Business-Unit Coordinator. |
3. | ACI Site Managers (as required). |
4. | Vendor Delivery Project Executive. |
5. | Vendor Service Delivery Manager. |
6. | Other ACI and Vendor personnel as required. |
3.3.2 | Authority |
1. | Review and approval, where possible, of the short-term and long-term plans and activities in regard to the delivery of the Services. |
2. | Resolution of Service delivery problems. |
3. | Upward notification of all opportunities or issues that might result in the addition, deletion, or modification of the Services, or the terms of the Agreement, irrespective of the initiating Party. |
4. | Agreement of local Service delivery initiatives, where approved by appropriate level. |
3.3.3 | Key Responsibilities |
1. | Monitor Critical Deliverables and Service Levels. |
2. | Coordinate and communicate day-to-day Service delivery issues; address, coordinate, and prioritize the issues affecting the provision of the Services to ACI. |
3. | Review and escalate operational problems and issues in accordance with the Procedures Manual. |
4. | Review and schedule change requests in accordance with the Change Management requirements described in Schedule A (Statement of Work). |
5. | Ensure efficient flow of documentation as required by the Agreement. |
6. | Handle disputes within the authority of the ACI and Vendor representatives, and refer others to the Management Committee in accordance with Section 4.0 (Issue Escalation Procedures) of this Schedule. |
7. | Submit issues concerning the relationship between the Parties to the Management Committee for its guidance and recommendations. |
8. | Submit reports as required and as defined in Schedule R (Reports) to the Management Committee. |
9. | Advise the Management Committee of new opportunities and proposals. |
10. | Identify and refer matters outside the authority of ACI and Vendor representatives to the Management Committee. |
11. | Review and present recommendations and suggestions made by ACI representatives and Vendor representatives relating to the Services, and initiate appropriate actions. |
12. | Identify issues that may have an impact outside the relevant Locations and refer these to the Management Committee and, as appropriate, to other Locations as required. |
13. | Review and adjust the following, as directed by the Management Committee: |
13.1. | Service Levels. |
13.2. | Continuous improvement and quality assurance measures. |
13.3. | Customer satisfaction surveys. |
13.4. | Audits. |
13.5. | Benchmarking results. |
3.3.4 | Reports (to be prepared by Vendor) |
1. | Regional/Management Reports. |
2. | Service Levels and Service delivery results (as required). |
3. | Minutes. |
3.3.5 | Meetings |
1. | Contract issues. |
2. | Service delivery. |
3. | Transition management (as required). |
4. | Transition/projects (as required). |
4.0 | Issue Escalation Procedures |
1. | Notification: Either Party may decide that escalation is desirable when resolution of an issue appears unachievable at the current management level. In this case, the Party desiring escalation provides written notice of its intention to the member(s) of the other Party currently involved in the dispute. At either Party’s request, the Parties currently engaged in attempting to resolve the issue shall meet again to attempt resolution of the issue prior to escalation to the next level. When and if the issue cannot be resolved at the current management level, the issue will then be escalated after good faith attempts by both Parties to resolve the issue at the current level. |
2. | Documentation: Both Parties will jointly develop a short briefing document called Statement of Issue for Escalation that describes the issue, relevant impact, and positions of both Parties. |
3. | Request for Assistance: A meeting will be scheduled with appropriate individuals as described below (phone or videoconference in most cases). The Statement of Issue for Escalation will be sent in advance to the participants. |
4. | It is the intention of ACI and Vendor that issues are escalated for review and resolution to the next level of management. |
PORTIONS OF THIS DOCUMENT DENOTED BY BOXES AND
ASTERISKS BE ACCORDED CONFIDENTIAL TREATMENT
PURSUANT TO RULE 24b-2 PROMULGATED UNDER THE
SECURITIES EXCHANGE ACT OF 1934.
1. | INTRODUCTION |
2. | DEFINITION OF CHANGE |
3. | CHANGE CONTROL PROCEDURES |
3.1 | If ACI desires a Change, ACI will deliver a written notice to the Vendor Delivery Executive, which generally describes the proposal (a “Change Request”). |
3.2 | If Vendor wishes on its own initiative to propose a Change, Vendor will deliver a draft Change Management Document (as defined below) for ACI’s review. |
3.3 | Vendor will conduct an impact assessment of any Changes initiated under Section 3.1 or 3.2 above, at no incremental charge, to determine what Service modifications implementing the Change would require, including whether there would be resulting changes in Charges, and to document the impact of the Change (the “Change Management Document”). Each Change Management Document provided by Vendor will be in substantially the form attached hereto as Exhibit U-1, including: |
(A) | [ * ] |
(B) | [ * ] |
(C) | [ * ] |
(D) | [ * ] |
(E) | [ * ] |
(F) | [ * ] |
(G) | for the implementation of a New Service, when and to the extent appropriate: |
(1) | a transition plan, including milestones, Deliverables and Deliverable Credits; |
(2) | a transformation plan, including milestones and a schedule for completing the transformation; |
(3) | a draft plan for the provision of Termination/Expiration Assistance for the New Service; and |
(4) | a draft update or supplement to Vendor’s then-current disaster recovery plan documents and the Procedures Manual to incorporate the New Service. |
3.4 | First drafts of the Change Management Document for Change Requests by ACI will be delivered based on the following classification: |
3.5 | If Vendor, in proposing a Change or responding to a Change Request, proposes new Charges, or an increase in existing Charges, the Change Management Document will include the underlying financial assumptions and a reasonably detailed demonstration of the increased resources required to accommodate the Change. |
3.6 | Vendor acknowledges that not every Change will necessarily result in new Charges or an increase in existing Charges. Notwithstanding any term of this Schedule U to the contrary, no additional Charges will be payable for a Change (a) that can be handled with the resources then currently utilized by Vendor to deliver the Services without materially impacting Vendor’s ability to meet Service Levels or other obligations under this Agreement (such as Changes to operating procedures, schedules and equipment configurations), (b) that is required to cure a defective Deliverable or other Service default, or (c) that does not cause a net increase in Vendor’s cost of providing the Services, taking into account any cost savings arising from the Change. |
3.7 | All Changes will be reviewed and prioritized by the Relationship Management Team. |
3.8 | If ACI elects to accept the Change Management Document (as modified from the original version proposed by Vendor by agreement of the Parties), as evidenced by the written approval of the ACI Contract Executive, the Parties will execute the Change Management Document. |
(A) | Except as expressly provided to the contrary herein with respect to emergency Changes, no Change will become effective without the written approval of the ACI Contract Executive and the Vendor Delivery Executive. |
(B) | Until such time as a Change has such written approval, Vendor shall, unless otherwise agreed in writing, continue to provide the Services as if the Change Request had not been made. |
(C) | Any discussions which may take place between the Parties in connection with a Change Request before the authorization of a resultant Change Management Document shall be without prejudice to the rights of either Party. |
(D) | Each Change Management Document will, until signed, serve as an administrative instrument to guide and organize the Parties’ deliberations regarding the proposed Change. However, the final Change Management Document that is signed will be limited to defining the Change itself (including all impacts to compensation). Accordingly, before being signed and becoming effective, each Change Management Document will be reviewed and revised to delete Section A (of Exhibit U-1) and any other terms other than the agreed terms of the Change. |
3.9 | All Change Management Documents will be logged and documented by Vendor and designated, as specified by ACI, within one of the following priority categories: |
4. | MANDATORY CHANGES |
4.1 | [ * ] |
4.2 | Notwithstanding any term or condition of this Schedule U to the contrary, if ACI exercises its right to require a Mandatory Change, it will deliver a Change Notice to Vendor that describes the nature of the required Mandatory Change in sufficient detail to allow for Vendor to commence implementation thereof, expressly designates the Change as a Mandatory Change and authorizes Vendor to commence such implementation (the “Mandatory Change Notice”). Unless otherwise instructed by ACI in the Mandatory Change Notice, Vendor will begin implementing the Mandatory Change immediately after receipt of the Mandatory Change Notice. |
4.3 | Vendor’s preparation and the Parties’ finalization of the Change Management Document for a Mandatory Change will take place concurrently with Vendor’s implementation of the Mandatory Change. Vendor shall also prepare and deliver to ACI a good faith estimate of the impact on the Charges as a result of implementation of the Mandatory Change. |
4.4 | If the Parties are unable to agree on the impact on the Charges within thirty (30) days after the Mandatory Change Notice, then (i) Vendor will charge ACI for the work performed at the rates listed in Schedule C (Charges) for the level of resource that is reasonably required to complete the Mandatory Change, plus reasonable out-of-pocket expenses, pre-approved by ACI in writing, directly attributable to the Mandatory Change until such time as the Parties agree, as documented under this Contractual Change Control Procedure, to the actual costs of the Mandatory Change and (ii) either Party may consider such failure to agree to be a dispute, and may escalate such dispute for resolution in accordance with Article 20 of the Agreement. Promptly following the resolution of such dispute, the Parties shall conduct a true-up process to reconcile the Charges paid by ACI for such Mandatory Change with the ultimate resolution of the dispute. |
5. | IMPACT ON ENVIRONMENT |
5.1 | Notwithstanding anything to the contrary in the Agreement, the Procedures Manual, or ACI’s existing procedures, Vendor will not make any Change that has a material adverse effect on the functions or performance, or materially decreases the operational efficiency, of the Services, including the implementation of technological Changes, without first obtaining ACI’s written approval, except as described in Section 5.2 below. |
5.2 | Emergency Changes may be needed in exceptional circumstances. In such a circumstance, Vendor must make commercially reasonable efforts to obtain approval prior to making the Change from the ACI Contract Executive or another ACI Relationship Management Team member. If none are available, and in the opinion of the Vendor, a delay in implementing the Change is reasonably likely to result in some material failure of a Service obligation, breach of ACI information security, violation of Applicable Law or other material adverse impact to ACI or its business, Vendor may make the Change, and then report the incident to ACI at the first opportunity, and prepare a Change Management Document form in accordance with this Schedule U. |
6. | CHANGE TRACKING |
(A) | Prepare a monthly report listing any open Change Requests or Change Management Documents; |
(B) | Inform ACI, in writing, of the completion of approved Changes; and |
(C) | Provide testing and demonstration of the completed implementation as agreed by the Parties. |
FORM OF CHANGE MANAGEMENT DOCUMENT
[ * ] |
SECTION C. APPROVALS | ||||||
ACI WORLDWIDE, INC. | INTERNATIONAL BUSINESS MACHINES CORPORATION | |||||
By: | By: | |||||
Name: | Name: | |||||
Title: | Title: | |||||
1. | INTRODUCTION |
2. | IN-SCOPE PROJECTS |
a. | Vendor will: |
(1) | assess project schedules and budgets for completeness and viability; |
(2) | for those projects that do not meet the project schedule and budget criteria, provide an action plan for ACI’s approval; and |
(3) | perform project activities set forth in the plan based upon ACI’s project prioritization. |
b. | ACI will: |
(1) | review and approve the action plan provided by Vendor for those In-scope Projects which do not meet the project schedule and budget criteria; and |
(2) | review and reprioritize In-scope Projects, as appropriate, and notify Vendor. |
3. | PROJECT MANAGEMENT PROCESS |
a. | Vendor’s Project management process is based upon the premise that the Vendor Delivery Project Executive has overall responsibility and accountability to meet the agreed upon quality, cost, schedule and technical objectives of the Project. |
b. | ACI and Vendor will each assign an individual to a Project (each a “Project Manager” and collectively the “Project Managers”) who has the authority to represent and bind ACI and Vendor, respectively, for that Project and who will have specific operational roles as described below and further delineated in the Project Plan. A Project Manager may be assigned to oversee more than one Project at a time. ACI and Vendor will each provide the other reasonable advance written notice of a change to their respective Project Manager and will discuss any objections the other has to such change. |
c. | ACI and Vendor will develop a Project Plan as specified in Section 5 (Project Plan) below, as applicable. Upon ACI’s and Vendor’s signature of such Project Plan, the Project Plan will be assigned a sequential number and will be attached to, and become a part of, this Schedule, for example, Project Plan V-1 (Title), Project Plan V-2 (Title). The terms and conditions of this Agreement will apply to all Projects, except to the extent expressly amended by the applicable Project Plan. |
4. | PROJECT MANAGERS |
a. | Vendor Responsibilities |
(1) | be the single point of contact to ACI for establishing and maintaining communications through the ACI Project Manager regarding the Project; |
(2) | develop the detailed Project Plan in conjunction with the ACI Project Manager; |
(3) | measure, track and evaluate progress against the Project Plan; |
(4) | maintain files of the Project Plan and any associated documentation; |
(5) | manage the Project for Vendor including planning, directing, and monitoring all Project activities; |
(6) | establish the Vendor Project team and, in conjunction with the ACI Project Manager, orient team members regarding the Project management process and the Project Plan, including individual responsibilities, deliverables and schedules; |
(7) | provide operational guidance to, manage and be accountable for the performance of Vendor’s employees and Approved Subcontractors assigned to the Project; |
(8) | define and monitor the support resources required for the Project; |
(9) | implement all changes consistent with the Project change control process set forth in Section 6 (Change Control Process) below; |
(10) | resolve deviations from the Project Plan with the ACI Project Manager; |
(11) | identify and address Project issues with the ACI Project Manager; |
(12) | plan, schedule, conduct and participate in periodic Project planning, review, and status meetings, as applicable, including review of the Work Products being produced; |
(13) | coordinate and schedule the attendance of Vendor’s employees and Approved Subcontractors, as appropriate, at such periodic planning, review, and status meetings; and |
(14) | provide periodic written status reports to ACI that provide information such as schedule status, technical progress, issue identification and related action plans. |
b. | ACI Responsibilities |
(1) | be the single point of contact for the management of ACI’s obligations under the Project; |
(2) | serve as the interface between the Project team members and ACI’s business functions, units, or Affiliates participating in the Project; |
(3) | define ACI’s business and technical requirements for each Project; |
(4) | assist Vendor in Vendor’s development of the detailed Project Plan and validate that the Project Plan meets ACI’s business and technical requirements; |
(5) | establish the ACI Project team and, in conjunction with the Vendor Project Manager, orient team members regarding the Project management process and the Project Plan, including individual responsibilities, deliverables, and schedules; |
(6) | provide operational guidance to, manage and be accountable for the performance of ACI’s employees and Approved Subcontractors assigned to the Project; |
(7) | implement all changes consistent with the Project change control process set forth in Section 6 (Change Control Process) below; |
(8) | participate in and provide necessary support during periodic Project planning, review, and status meetings, as scheduled by Vendor; |
(9) | obtain and provide information, data, decisions and approvals, within the agreed time period, which, for existing Projects, will be within five Business Days of Vendor’s request, unless otherwise mutually agreed; |
(10) | coordinate and schedule the attendance of ACI employees and Approved Subcontractors, as appropriate, at planning, review, and status meetings scheduled by Vendor; |
(11) | identify and address Project issues with the Vendor Project Manager; |
(12) | escalate Project issues within ACI’s management as needed; |
(13) | assist Vendor in resolution of deviations from the Project Plan; |
(14) | participate in periodic Project reviews, as requested by Vendor; and |
(15) | review the deliverables to determine if they meet the Completion Criteria set forth in the applicable Project Plan and, within the specified time frame, inform the Vendor Project Manager in writing of the results of such review. |
5. | PROJECT PLAN |
a. | Project Managers |
b. | Purpose and Scope of Work |
c. | Assumptions and Dependencies |
d. | Definitions |
e. | Vendor Responsibilities |
f. | ACI Responsibilities |
g. | Required Equipment and Materials |
h. | Deliverables |
i. | Estimated Schedule |
j. | Completion Criteria |
k. | Charges |
l. | Additional or Unique Terms and Conditions |
6. | CHANGE CONTROL PROCESS |
a. | A Project may be changed only by a writing signed by authorized representatives of ACI and Vendor. |
b. | All Project Change Requests (“PCRs”) to a Project will be submitted in writing by the requesting Vendor or ACI Project Manager. The PCR will reference the Project, describe at a reasonable level of detail the change, the rationale for the change and the impact the change may have on the Project both if it is accepted and if it is rejected. |
c. | The Project Managers will review the PCR and either: |
(1) | recommend approval of the change by authorized representatives of ACI and Vendor signing the PCR. Upon such approval, the change will be implemented; or |
(2) | agree in writing to submit the PCR for further investigation and to pay Vendor for its reasonable charges, if any, for Vendor’s investigation. Such investigation will determine the technical merits and the effect on price, schedule, and other terms and conditions that may result from the implementation of the PCR. ACI and Vendor will then agree to mutually approve or reject the PCR. If ACI and Vendor do not agree, either Vendor or ACI may submit such PCR to the Project Executives for resolution; or |
(3) | reject the PCR. If rejected, the PCR will be returned to the requesting Project Manager along with the reason for rejection. |
7. | COMPLETION |
a. | Vendor will notify ACI in writing when the Completion Criteria for a deliverable has been met. |
b. | ACI must inform Vendor, in writing, within ten Business Days following receipt of Vendor’s notification if ACI believes Vendor has not met the Completion Criteria, together with reasonable detail as to the reasons for such belief. |
c. | The Vendor Project Manager will consider ACI’s timely request for revisions, if any, within the context of Vendor’s obligations. |
d. | ACI revisions, agreed to by Vendor, will be made and the Project deliverable will be resubmitted to the ACI Project Manager, at which time such deliverable will be deemed accepted. |
e. | If Vendor does not receive written notice from ACI within the time frame specified above, then the Project deliverable will be deemed accepted by ACI. |