Datasheet

INTC-7816-01 02/2008 Page 6 of 18
change request, the change must be clearly identified as an emergency. Following electronic
submission, an authorized security contact must place a follow-up phone call to the SOC and escalate the
change submission to emergency status.
Reporting
The Customer will have access to comprehensive service information, via the Virtual-SOC, to review
service tickets and Security Incidents at any time. Once per month, IBM will produce a summary report
that includes:
a. number of SLAs invoked and met;
b. number and type of service requests;
c. list and summary of service tickets;
d. number of Security Incidents detected, priority and status; and
e. list and summary of Security Incidents.
2.2.2 Device Management
IBM will be the sole provider of software-level device management for the Agent. With
root/super-user/administrator level access to the device, along with an out-of-band system and an Agent installed on
the device, IBM will maintain system status awareness, apply operating system patches and upgrades,
troubleshoot problems on the device, and work with the Customer to help ensure the device remains
available. IBM will monitor for availability of the Agent, notify the Customer when certain utilization
thresholds have been met, and monitor the device 24 hours/day by 7 days/week.
Regular, automatic updates will be provided for the software and firmware.
On-site assistance can be provided by IBM PSS for an additional fee.
Management Connectivity
All security logs, events and management data travel between the SOC and the managed Agent via the
Internet. Data traveling across the Internet is encrypted using industry-standard strong encryption
algorithms whenever possible.
Requests for connectivity through alternate means (e.g., private data circuit and/or VPN) will be
addressed on a case-by-case basis. Additional monthly fees may apply to accommodate connection
requirements outside of the standard in-band connectivity.
Management Platforms
In many cases, IBM will use a management platform on IBM premises to manage the Agent.
For IBM Proventia® products, IBM will typically use the IBM SiteProtector™ management infrastructure to
control Agent policy and configuration, to push updates to the Agent, and to securely receive data from
the Agent using a SiteProtector event collector (called “Event Collector”).
In some cases, the Customer may already use SiteProtector, and may choose to connect the Agent to
the Event Collector on their premises. The Customer’s Event Collector will then connect to the
SiteProtector infrastructure at IBM. This configuration is commonly known as “stacking”. Any Customer
choosing to use a stacked SiteProtector configuration will be subject to additional responsibilities.
Log Storage
The X-Force® Protection System (“XPS”) serves as a data warehouse for event data from a variety of
security devices, applications, and platforms. Following display on the Virtual-SOC, logs are migrated to
physical backup media such as tape or DVD. Backup media is archived in a secure, environmentally
controlled facility. Archived data will be available for a user-defined time period not to exceed seven
years from the date of log creation.
At the Customer’s request, IBM will submit a request for media location and retrieval. Hourly consulting
fees will apply for all time spent restoring and preparing data in the Customer’s requested format.
Health and Availability Monitoring
The health and performance of MSS for UTM is monitored by using a Host-based monitoring Agent
(when possible) or SNMP. The devices are regularly polled by the SOC, keeping IBM security analysts
informed of potential problems as they develop. Key metrics analyzed by the monitoring Agent include:
hard disk capacity (if applicable);