DELL SECUREWORKS CONSULTING SERVICES AGREEMENT
STATEMENT OF WORK NUMBER #____

This STATEMENT OF WORK (“SOW”), effective as of Insert Date, is made pursuant to the [Master Services Agreement] [Consulting Services Agreement] [Consulting Services Addendum] dated Insert Date by and between Dell Corporation Limited trading as Dell SecureWorks, with its registered office address at Dell House, Cain Road, Bracknell, Berkshire RG12 1LF (“Dell SecureWorks”), and Insert Company Name, with its principal place of business located at Insert Company Location (“Client”).

1.0 Scope

Geographic Locations

Some work for this engagement may be performed remotely, as necessary and appropriate. The scope of this engagement includes travel to the following areas:

● Corporate Headquarters: XYZ City, State, Zip Code
● Data Centre: XYZ City, State, Zip Code

Information Security Assessment

The scope of the engagement includes the following:

● Up to XX servers
● Up to XX workstations
● Up to XX systems that handle Personally Identifiable Information (PII)
● Up to XX interview/elicitation sessions, to be completed onsite
● The assessment will be performed from one of the facilities listed in the Geographic Locations section above

Testing timelines and schedules

All onsite manual testing and assessment work will occur Monday-Friday, 8 a.m. – 6 p.m. local time. Work required outside of these normal business hours will incur an upcharge, to be approved by the Client in advance. Automated testing may be performed outside of this window if it can be scheduled in advance.

All remote manual testing and assessment work will occur Monday-Friday, 8 a.m. – 8 p.m. local time. Work required outside of these normal business hours will incur an upcharge, to be approved by the Client in advance. Automated testing may be performed outside of this window if it can be scheduled in advance.

Out of Scope

Locations, devices or personnel not specifically listed as in scope are out of scope.
Note: If any IP addresses, hosts, facilities or web applications within scope are owned by or hosted with a service provider or other third party, you must obtain that party's permission, in writing or by email, before Dell SecureWorks will perform testing. Alternatively, you may provide a suitable alternate testing environment.

1 of 7

2.0 Statement of Work

2.1 Information Security Assessment

Dell SecureWorks will review your Information Security Program to assess its compliance with regulatory requirements and best practices. This includes reviewing policies, standards, guidance, procedures and other documents. Where appropriate, spot checks will be performed of the controls in place.

Risk Assessment and Treatment

IT controls result from an effective risk assessment process; the ability to mitigate IT risks therefore depends on risk assessment and risk analysis. We will assess whether operations and senior management have identified, measured, controlled and monitored technology to avoid risks that threaten the safety and soundness of your institution. We will assess that you have planned for the use of technology, assessed the risk associated with it, decided how to implement it, and established a formal process to measure and monitor the risk that is taken on.
We will assess that you have:

● An effective planning process that aligns IT and business objectives
● An ongoing risk assessment process that evaluates the environment and potential changes
● Technology implementation procedures that include appropriate controls
● Measurement and monitoring efforts that effectively identify ways to manage risk exposure

Security Policy

We will assess whether management has set clear policy direction in line with business objectives, and whether it demonstrates support for and commitment to information security through:

● Information security policy documentation
● Review of the information security policy

Information Security Organisation

We will assess the organisational aspects of your security program through a review of:

● Management commitment
● Information security coordination
● Assignment of roles and responsibilities
● Authorisation processes
● Communication strategies

Service Provider Oversight

We will evaluate your controls over service provider arrangements and determine whether such arrangements provide an effective means to support the institution's technology needs while retaining your responsibility for managing risk. We will evaluate the following areas:

● SSAE 16 (formerly SAS 70) reviews
● Due diligence
● Control and security service level agreements

Asset Management

We will assess the controls surrounding the protection of your assets. We will review documentation regarding:

● Responsibility for assets
● Information categorisation

Personnel Security

We will evaluate controls over legitimate users and their access and credentialing for the system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorised users pose a potential threat to systems and data.
We will evaluate the following areas:

● Background checks and screening
● Confidentiality, non-disclosure and authorised use agreements
● Job descriptions
● Training

Physical Security

We will assess your ability to maintain the confidentiality, integrity and availability of information, and evaluate the assurances provided by physical access controls. We will review:

● Data centre security
● Cabinet and vault security
● Physical security

Communications and Operations Management

We will assess the controls surrounding:

● Operational procedures
● Service delivery management
● System planning and acceptance
● Protection against malicious and mobile code
● Back-up and restore
● Network security management
● Media handling
● Exchange of information
● E-commerce service delivery
● Monitoring

Logical and Administrative Access Control

We will assess the logical and administrative access controls and evaluate their ability to restrict access to system resources. We will review the following areas:

● Business requirements for access control
● User access management
● User responsibilities
● Network access controls
● Operating system access controls
● Application and information access controls
● Mobile computing and communications

Systems Development, Acquisition and Maintenance

We will evaluate your system development, acquisition and maintenance functions and assess whether security controls are established for software prior to development, acquisition and implementation. We will review controls in the following areas:

● Security requirements of information systems
● Correct processing in applications
● Cryptography
● Security of system files
● Security in development and support processes
● Technical vulnerability management

Incident Management

We will assess your capability to detect and react to an intrusion into your information systems. Security systems must restrict access and protect against the failure of those access restrictions, but detection and response capabilities must detect and react to intrusions when those systems fail. This control area is critical for an effective response program. We will evaluate the following areas:

● Intrusion detection capabilities
● Intrusion response capabilities
● Incident handling procedures (including risk escalation and notification)

Business Continuity

We will evaluate your business continuity plans, including whether the plan contains significant security and availability considerations. Business continuity plans will be reviewed as an integral part of the security process.

Compliance

We will determine whether controls are in place to protect against breaches of legal, regulatory, contractual or security requirements. Controls we will review include:

● Compliance with legal requirements
● Compliance with security policies and standards, and technical compliance
● Information systems audit

3.0 Deliverables

3.1 Draft and Final Report

Dell SecureWorks will provide preliminary draft findings to the technical point of contact for review and clarification. The final report will be issued after review and discussion are complete. Presentation of the findings and the exact deliverables are tailored to the type of work performed and to the Client's needs. Final reporting and deliverables, as well as any interim or ad-hoc reporting, will be defined during the project.

Dell SecureWorks deliverables typically follow a standard format with two sections.

The first section is targeted toward a non-technical audience (Senior Management, Auditors, Board of Directors and other concerned parties):

● Executive summary: A jargon-free, buzzword-free, true executive-level summary.
● Summary of findings and recommendations: Describes the environment, high-level findings and root causes. Recommendations are based on risk to your organisation.
● Risk analysis matrix: Details high-risk findings with recommendations for curative actions.
● Remediation priority matrix: Prioritises remediation of high-risk findings based on the severity of risk to business processes, not just technology.
● Remediation work effort matrix: Provides “level of effort” estimates to remediate high-risk findings. A detailed project plan is included if appropriate.
● Controls in place matrix: Acknowledges existing controls for your most critical risks.

The second section is targeted at technical staff and provides more granular detail:

● Summary of methods: Contains details specific to the engagement methodology.
● Detailed findings and recommendations: Documents the details of any findings, as well as recommendations for remediation. Evidence of controls and information sufficient to replicate the findings is included. Recommendations are based on the identified root causes and prioritised for risk-based remediation, with an estimate of relative work effort. Any strong controls that have been identified are described, along with their impact on the security of the organisation.

3.2 Attachments

Provides details and specific examples, including screenshots, technical details, code excerpts and other relevant observations. This section also contains documents or data that are relevant but do not fit in other categories.

Report Timing

Within three weeks of concluding the work described above, we will issue a draft formal report to your point of contact. The three weeks following delivery of the draft report are your opportunity to provide comments concerning the nature and scope of the engagement, to be included in the report. If there are no comments within the three-week comment period, we will finalise the report for distribution. If no changes are required, we encourage you to accept the formal report before the three-week waiting period ends, to expedite final delivery.

4.0 Timing and Fees

4.1 Fees

The work shall be delivered as a fixed price engagement and limited to a maximum of <insert> days.
The cost of this engagement excluding expenses is £ZZZ. Including expenses, the Client's total payments under this SOW shall be limited to a maximum of £ZZZZ excluding VAT. Terms for this engagement: X% billed at point Y.

The work is estimated as requiring <insert> days. This SOW is a Time & Materials engagement with an estimated cost of £ZZZZ excluding VAT, based on a daily billing rate of £XXXXX. The final amount shall be determined on the basis of the actual time spent on the work. The Parties shall agree any increase of the cost limit in advance, in writing. The Client will be invoiced monthly for work conducted against this SOW.

The price for the engagement is based on the target environment as discussed with Dell SecureWorks. If the assumptions, Client responsibilities and parameters within the scope of work used to develop this proposal are found to be incorrect, or to have changed, the parties agree to pursue resolution through change management. If any of the assumptions used in developing this proposal (including time on tasks, locations and service consumption) and relied upon by Dell SecureWorks vary by plus or minus five percent (5%), Dell SecureWorks reserves the right to adjust the pricing to reflect such changes. Any additional work required beyond the current estimate will be added to invoices at the daily billing rate given above.

4.2 The following conditions apply to this SOW:

● The fees outlined in our scope of services include all incidental out-of-pocket expenses, including report preparation and reproduction, faxes, copying, etc.
● The fees outlined in our scope of services do NOT include out-of-pocket travel expenses, including reasonable transportation, meals and lodging expenses incurred to perform any of the services outlined hereunder. Such reasonable out-of-pocket expenses will be added at cost to the Client's invoice.
● Terms for payment are net 30.
● VAT, at the prevailing rate, will be added to all applicable charges.
Timing

Dell SecureWorks will make commercially reasonable efforts to meet the Client's requests for dates and times for the contracted work to be performed. The fees do not include weekend or after-hours work. Such work can only be scheduled by mutual agreement, in advance. After-hours and weekend work will be conducted at 1.5 times the quoted rate. Email confirmation of an agreed schedule, sent by Dell SecureWorks and confirmed by email by the Client, shall constitute formal acceptance of that schedule. Once scheduling of any work has been mutually agreed and formally accepted by the Client, changes by the Client within two weeks of project initiation will incur a one-day-rate re-scheduling fee for each instance.

4.3 Dell SecureWorks has made the following assumptions in creating this SOW:

● Client resources are scheduled and available to Dell SecureWorks;
● Client has provided suitable workspace for Dell SecureWorks' staff and equipment;
● Client's computer systems and network for testing, building access, etc. are made available to Dell SecureWorks; and
● Client replies to all document requests and other information requests in a timely manner.

Term

The term of this SOW and the Services hereunder shall commence on the date this SOW is executed by both parties and terminate on the date which is one (1) year thereafter.

5.0 Disclaimers

Applicable to Security Services: Should a Statement of Work include security scanning, testing, assessment, forensics, or remediation Services (“Security Services”), Client understands that Dell SecureWorks may use various methods and software tools to probe network resources for security-related information and to detect actual or potential security flaws and vulnerabilities.
Client authorises Dell SecureWorks to perform such Security Services (and all such tasks and tests reasonably contemplated by or reasonably necessary to perform the Security Services, or otherwise approved by Client from time to time) on network resources with the IP addresses identified by Client. Client represents that, if Client does not own such network resources, it will have obtained consent and authorisation from the applicable third party, in form and substance satisfactory to Dell SecureWorks, to permit Dell SecureWorks to provide the Security Services. Dell SecureWorks shall perform Security Services during a timeframe mutually agreed upon with Client. The Security Services, such as penetration testing or vulnerability assessments, may also entail buffer overflows, fat pings, operating system specific exploits, and attacks specific to custom coded applications, but will exclude intentional and deliberate Denial of Service attacks. Furthermore, Client acknowledges that the Security Services described herein could result in service interruptions or degradation of Client's systems, and accepts those risks and consequences. Client hereby consents to and authorises Dell SecureWorks to provide any or all of the Security Services with respect to Client's systems. Client further acknowledges that it is Client's responsibility to restore network and computer systems to a secure configuration after Dell SecureWorks' testing.
Applicable to Compliance Services: Should a Statement of Work include compliance testing or assessment or other similar compliance advisory Services (“Compliance Services”), Client understands that, although Dell SecureWorks' Compliance Services may discuss or relate to legal issues, Dell SecureWorks does not provide legal advice or services, none of such Services shall be deemed, construed as or constitute legal advice, and Client is ultimately responsible for retaining its own legal counsel to provide legal advice. Furthermore, any written summaries or reports provided by Dell SecureWorks in connection with any Compliance Services shall not be deemed to be legal opinions and may not and should not be relied upon as proof, evidence or any guarantee or assurance as to Client's legal or regulatory compliance.

Applicable to PCI Compliance Services: Should a Statement of Work include PCI compliance auditing, testing or assessment or other similar PCI compliance advisory Consulting Services (“PCI Compliance Services”), Client understands that Dell SecureWorks' PCI Compliance Services do not constitute any guarantee or assurance that the security of Client's systems, networks and assets cannot be breached or is not at risk. These Services are an assessment, as of a particular date, of whether Client's systems, networks and assets, and any compensating controls, meet the applicable PCI standards. Mere compliance with PCI standards may not be sufficient to eliminate all risk of a security breach of Client's systems, networks and assets. Furthermore, Dell SecureWorks is not responsible for updating its reports and assessments, or for enquiring as to the occurrence or absence of such, in light of changes to Client's systems, networks and assets after the date of Dell SecureWorks' final report, absent a signed Statement of Work expressly requiring the same.

Purchase Orders: This Statement of Work is agreed to by the parties.
Any terms and conditions attached to, or described within, any purchase order issued by Client in connection with this Statement of Work, and not contained in this Statement of Work, are null and void.

Applicable to Onsite Services: Notwithstanding employees' placement at the Client location, Dell SecureWorks retains the right to control the work of the employee. For international travel, Onsite Services may require additional documentation, such as visas, visitor invitations, etc., which may affect timing and out-of-pocket costs.

DELL CORPORATION LIMITED                        Insert Company Name

By: _________________________                   By: _____________________________

Title: _______________________                  Title: ___________________________

Date: _____________________________             Date: ____________________________