Managed Tools Services (MTS) Requirements

        
  MANAGED TOOLS SERVICE – Service Level Objectives 
      cochran 20240828 
  CATEGORY | SERVICE | GLOBAL PAYMENTS | PROVIDER | MEASUREMENT
  Availability | Availability Management | Provide “hours of operation” windows for each tool’s management platform and essential components | Maintain availability of application during “hours of operation” window. | 99.95% availability of management platforms and essential components. Measurement is based on tool being available to SOC for monitoring.
  Availability | Remote Access | Grant Provider with SSL VPN, two factor remote access capabilities.

Maintain high degree of confidence that remote access capability to each/all tools is available at all times.

Report accessibility at Monthly Service Reviews.

Remote access to all tools is always available.

Report of remote access unavailability to take place within 2 hours of identification.

 
  Currency | Application Version Currency | Review and approve all tool version updates. Provide feedback to provider within 7 calendar days of upgrade request. | Perform application/tool updates in approved update/maintenance windows.

Subscription updates are applied within 2 hours of release.

Application currency for approved security components is (i) within 2 weeks for interim – dot rev – releases, and (ii) installed within 3 months for major releases.

 
  Currency | Infrastructure Currency | IS to review and approve all infrastructure update recommendations from provider. Provide feedback to provider within 7 calendar days of upgrade request. | Maintain infrastructure version currency as appropriate for the application being managed. Infrastructure components can be operating system, database, COTS software, middleware, network stack.

Infrastructure components installed are to be compatible for optimum operation and performance of the managed application.

100% of applications are to be running on appropriate versions of infrastructure components unless an exception has been approved by VP, Information Security.

 
  Currency | Bug Tracking & Reporting

Provide the list of tools for which bug tracking is to be performed.

Report all application bugs to Provider using an established submission form.

Drive application vendor to resolve bugs.

Maintain the list of application bugs with status (open, closed, reviewed, etc…).

Report bugs to application vendor.

Application bug tracker is maintained current within 72 hours of submission.

Bug status currency is maintained weekly.

 
  Currency | Security Policy Push

Supply security policy updates to Provider using a standard submission form for each tool.

Assure policy updates are approved by the appropriate Leadership.

Perform security policy updates within agreed time windows.

Standard policy updates are to be performed within 24 hours of submission to provider.

Emergency policy pushes are to be applied within 15 minutes of submission.

 
  Currency | Subscription Updates

Maintain contract agreement for the receipt of subscription updates.

Periodically test tool(s) for subscription currency.

Perform subscription updates (or cause updates to occur) for all tools with subscription updates (e.g. A/V, IDS/IPS, Content Filtering, Malware)

Subscription updates to enterprise platforms and all endpoints within 24 hours.

98% of all endpoints have subscriptions updated within 24 hours of availability by vendor.

 
  Currency | Platform Security Updates | Provide list of security components that are to be maintained on each tool. | Maintain security components on each tool (subscription updates, version currency, patching). Examples can be A/V, IDS/IPS, Malware, Forensics.

Subscription updates are applied within 2 hours of release.

Application currency for security components is within 2 weeks for interim (dot revs) and 3 months for major releases.

 
  Exposure | Vulnerability Assessments

Notify Provider of vulnerability assessment schedule.

Perform vulnerability assessments.

Schedule time for vulnerability assessments.

Monitor tool(s) during vulnerability assessments to ensure availability.

If vulnerability assessment renders the tool unusable, provide an alternative for monitoring environment.

Completion of monthly vulnerability assessments on agreed time schedule.

Review of vulnerability assessments findings with plan of action from Provider to Global Payments within 72 hours of report availability.

 
  Exposure | Patching

Maintain a continuous patching function and schedule for each tool.

Provide a maintenance window to Provider for the purpose of tool(s) patching.

Approve / reject patch implementations.

Perform software patch and configuration change updates.

Report success/fail for patch activities within 24 hours of performance.

Maintain patch implementation status report for each tool.

Maintain communications with all tools vendors to receive patches immediately upon release.

Communicate patch requests to vendors.

Implementation performed within 24 hours for High and Critical risk patches.

Implementation performed within 30 days for Low and Medium risk patches.

 
  Exposure | Security Hardening

Furnish Provider with Common Security Criteria and Minimum Security Baselines.

Perform vulnerability assessments.

Perform penetration tests.

Furnish Provider with weakness reports.

Harden tools using Global Payments Common Security Criteria, Minimum Security Baselines, and security recommendations from tool vendor(s).

Test for currency of hardening specifications.

Tools to be configured according to CSCs and MSBs or to have a Risk Acceptance waiver on file with VP, Information Security.

Vulnerability assessments to account for CSCs and MSBs.

Changes to CSC or MSB structures to be immediately escalated to VP, Information Security.

 
  Logs | Logging Currency

Make available to Provider all logs from systems, network components, security devices, host operating systems, applications, databases, environmentals/SCADA, workstations, infrastructure critical support systems (e.g. DNS, DHCP, Domain Controllers, etc…)

Configure logging to Provider’s specifications (intensity, frequency, interface type)

Accept or acquire logs on a predefined frequency.

Continuously monitor logs to ensure delivery.

Notify and escalate log lapses as a Sev 3 event. Document all log lapses in Problem Management System.

Provide metrics on logging availability and throughput.

Forecast logging requirements (upcoming upgrades, capacity and performance management)

Tune all applications/tools to provide effective and efficient logging so as to enable security monitoring.

Notification of server log lapses within 15 minutes of occurrence.

Notification of workstation log lapses within 120 minutes of occurrence.

Ensure all logging and log parsing is taking place within SIEM. Notification and escalation to follow Problem Management process thresholds and requirements.

 
  Logs | Log Review

Accept Log Review summaries from Provider.

Assist with log review research; perform the Global Payments “single point of contact” function for Provider.

Perform log reviews on a predefined frequency.

Open problem tickets for all anomalies or logging errors.

Notify and escalate using predefined criteria.

  
  Measurement | Reporting

Provide the eGRC tool for centralized reporting.

Approve reporting content, format and frequency for each tool.

Develop, deliver, refine, and continuously update reporting functions for Global Payments.

Update eGRC tool.

Provide daily, weekly, monthly reports from each tool.

eGRC updates performed within 24 hours of event.

Provide reports on predefined schedule.

 
  Measurement | Monthly Service Review

Attendance by Information Security Leadership (SVP, VP, Director, Manager).

Agenda updates furnished to Provider one week prior to meeting.

Deliver monthly service review inclusive of:
> tool/application performance
> state of the environment
> problem management report
> change management report
> SLA performance
> maintenance report
> issue tracking report
> bug tracking report
Monthly Service Review held by Provider and Global Payments’ Leadership teams; reporting content and format predefined 
  Measurement | Quarterly Leadership Reviews

Attendance by Business Technology Service Leadership (CIO, SVPs)

Agenda updates furnished to Provider two weeks prior to meeting.

Deliver quarterly service review inclusive of:
> tool/application performance
> state of the environment
> SLA performance
> financial outlook
Quarterly Leadership Review hosted by Global Payments’ Information Security Leadership; Provider to furnish report 48 hours prior to review. Reporting content and format predefined 
  Measurement | eGRC (Archer) Support

Make eGRC (Archer Tool) available.

Provide eGRC administration leadership

Provide eGRC training

Perform eGRC (Archer) tool updates as appropriate.

Schedule employees for eGRC (Archer tool) training.

Co-develop eGRC tool with Global Payments to make reporting available online.

eGRC functions are performed in agreement with predefined processes and requirements. 
  Measurement | Measurements & Metrics

Furnish Provider with input to measurement and metric reports.

Furnish Provider with set of baseline reports for daily, weekly, monthly, and quarterly production.

Furnish Provider with requested changes to reports.

Generate Standard reports each tool is capable of producing.

Deliver customized device / application specific reports that reflect:
> Effectiveness (ability to Secure Global Payments)
> Efficiency – throughput rates of events, alerts, changes
> Environmental – capacity and performance reporting
> “delta reporting” – show changes to effectiveness and efficiency week over week, month over month.

Deliver Management Reports
> Change Management
> Problem Management
> Issues Tracking
> Bug Tracking
> SLA Performance

Reports available to Global Payments on a predefined schedule. 
  Monitor | Monitoring | Provide access to tools and applications.

Provide 24×7 monitoring of all managed tools.

Real-time troubleshooting to identify root cause and to effect resolution through repair or work-around.

Security tool and application availability at 99.95%

Notification and escalation performed in agreement with predefined process, thresholds, and durations.

 
  Monitoring | Event Correlation

Make available 6-24 months of log data.

Make available real-time alerting.

Develop and deliver event correlation across multiple tools, hosts, and network components. | Automation deliverables performed/implemented by Provider within agreed date/time frames.
  Operation | Housekeeping

Review Housekeeping task and performance reports.

Notify Provider of changes to Housekeeping functions (additions, retirement, modifications, thresholds)

Temporary File and Debris Removal.

Routine jobs performed to keep capacity and performance within appropriate ranges.

Archival of historical information that exceeds required time to maintain.

Daily, weekly, monthly, and quarterly Housekeeping tasks performed on predefined times/dates.

Report(s) available at Monthly Service Reviews.

 
  Operation | Healthchecks

Furnish Provider with Healthcheck requests.

Receive Healthcheck reports and respond with feedback.

Perform Healthchecks on predefined, predetermined frequency.

Analyze results of Healthchecks and respond appropriately to ensure security and availability.

Develop new Healthchecks and retire outmoded Healthchecks when necessary.

100% of Healthchecks are performed in accordance with predefined schedule.

Daily reporting of Healthchecks.

Immediate notification of sub-optimum Healthcheck findings.

Healthcheck status report provided during Monthly Service Review.

 
  Operation | Documentation

Furnish Provider with documentation requirements.

Furnish Provider with documentation format.

Incorporate Provider’s documentation into SOC procedures. Reference using versioning nomenclature.

Review and approve documentation.

Establish an online library with Operations procedures and systems engineering specifications.

Make documentation available to Global Payments.

Keep documentation current.

Update Global Payments’ documentation systems/applications/databases.

Procedures available online to both parties.

Documentation updates take place within 24 hours of systems changes.

Documentation provided as part of Change Record(s).

 
  Operation | Error Handling / Review

Furnish Provider with Trouble Ticket system access.

Review of all High and Critical events.

Notify Provider of any event underway at Global Payments that could affect security or availability.

Trouble Ticket opened for every event (platform, endpoint, observed activity).

Classification of event in accordance with Global Payments categories.

On-Call support for SOC escalation

Trouble Ticket for every event.

Performance of research, containment, and resolution performed in accordance with event classification.
> Critical = within 2 hours
> High = within 24 hours
> Medium = within 72 hours
> Low = within 2 weeks

Reporting and after-action tasks to be completed within 72 hours of problem resolution.

Error Handling reporting to be provided in Monthly Service Review.

 
  Operation | CMDB Updates | Furnish Provider with CMDB tools access for updates (e.g. uCMDB/DDMa, RedSeal, SecurityCenter)

Perform CMDB updates when changes to environment take place.

Accept updates from multiple sources (i.e. Architecture, Engineering, Change Management)

CMDB updates are performed by Provider within 24 hours of notification.

Quarterly testing of CMDB components performed by Global Payments has no significant failures or missing items. 99% complete.

 
  Operation | Automation | Prioritize for Provider the sequence of automation deliverables. | Automate fault isolation, root cause analysis, anomaly detection/response, notification/escalation, fault resolution, measurement/metrics delivery, and device/endpoint health reporting. | Automation deliverables performed/implemented by Provider within agreed date/time frames.
  Operation | Shift Turnover

Attend Shift Turnover Meetings

Provide Change and Problem Management updates during Shift Turnover.

Provide status report during Shift Turnover.

Conduct Shift Turnovers in accordance with agreed schedule.

Update Shift Turnover report with all news for outgoing shift and all scheduled work for incoming shift.

Shift Turnovers performed by Provider.

Global Payments actively participates in Shift Turnovers.

Trouble Tickets included in Turnover Report for all events.

 
  Process | Change Management

Furnish Provider with access to Change Management application.

Conduct weekly Change Management reviews.

Incorporate Provider operations functions into Change Management process.

Participate in Global Payments’ Change Management Process.

Accept changes through Change Management process.

Provide updates to change records.

100% of all standard changes to the environment are scheduled through the Change Management process.

Emergency change records are created during or immediately following the event.

Active participation in all Change Management meetings/reviews.

Monthly Service Review includes report on success/fail ratio of changes through Change Process.

 
  Process | Issue Tracking

Report issues to Provider. Assign a severity.

Assist Provider with resolution of issues.

Track issues and negotiated severity categorization.

For each tool maintain an Issues Tracking Database complete with a knowledge base, resolution to problems, component owners’ listing.

Information Security to report issues to Provider within 24 hours of identification.

Issues to be resolved according to severity:
> Critical = within 2 hours
> High = within 24 hours
> Medium = within 72 hours
> Low = within 2 weeks

Issues Tracking Report reviewed at Monthly Service Meeting

 
  Process | Incident Response Process

Publish updates to the Global Payments Incident Response Process and furnish approved version(s) to Provider.

Educate Provider employees on the Incident Response process.

Notify Provider of any Sev 1 and Sev 2 Incidents that could affect operations and/or require Provider to assist with containment and resolution.

Accept Incident Response updates from Global Payments.

Educate all employees on their Global Payments Incident Response process.

Upon notification of a Sev 1 or Sev 2 incident, perform functions of Provider as included in the Incident Response Process.

All Provider employees educated when they join Provider in support of Global Payments.

All Provider employees educated annually and when updates are furnished.

Provider furnishes support immediately upon being notified of a Sev 1 or Sev 2 condition.

 
  Process | Access Management | Perform tools access administration functions:
> create, disable, maintain user accounts
> change or reset user account passwords
> manage security rights and security group membership
> create or manage directory shares

Ensure all Provider employees have the appropriate (assigned) access rights for the tools they are supporting.

Notify Global Payments Information Security of any employee status changes that affect access rights (new hire, termination, function change)

Provider performs monthly access rights review and reports status in Monthly Service Review.

Provider notifies Global Payments immediately on all access rights modifications for employees supporting tools.

Access review (activity review for each tool) performed weekly by Provider.

Immediate reporting of inappropriate access or unusual behavior to Global Payments.

 
  Process | Problem Management

Global Payments furnishes Provider with Real-Time Problem Management methodology.

Provider follows problem management methodology as agreed with Global Payments.

Escalation and notification requirements are met.

When available, utilize Archer Incident Management tool.

Methodology and procedures are followed according to agreed requirements.

Monthly Service Review includes review of all problems including root cause, difficulties encountered with resolution, duration, person leading the event, after-action items and resolution.

 
  Process | Threat Management Process

Subscribe to threat monitoring services and make findings available to Provider.

Customize/tune threat management service to reflect Global Payments deployed environment(s).

Update tools to reflect input from threat management services.

Perform vulnerability assessment scans on predefined frequency.

Update eGRC tool with threat input.

 
  Provisioning | Server Configuration | Notify Provider through Change Management of new server(s) coming to environment.

Validate that servers are configured securely and monitoring is in place before “go live” in production is achieved.

Confirm logging and monitoring is in place.

100% of all servers are certified as secure prior to production “go live” date 
  Provisioning | Endpoint Configuration | Notify Provider through Change Management of new endpoint(s) coming to environment.

Validate that endpoints are configured securely and monitoring is in place before “go live” in production is achieved

Confirm logging and monitoring is in place.

100% of all endpoints are certified as secure prior to production “go live” date 
  Provisioning | Network Configuration | Notify Provider through Change Management of network changes coming to environment. | Validate that visibility is achieved through Gigamon, NetWitness, and Snort. | Network visibility is achieved before production approval is granted to Infrastructure & Operations.
  Resiliency | Failover | Make available failover technology so as to enable continuous operation of tool. | Ensure failover operation is available. | Exercise failover every 2 weeks.
  Resiliency | Backups & Recovery

Make available Backup and Recovery resources.

Perform daily backup function.

Validate backup contents and frequency is correct.

Validate backups occur.

Test recovery process.

Backup verification performed daily.

Restoration process tested every 6 months.

 
  Resiliency | DR Testing

Furnish Provider with Disaster Recovery testing schedule.

Perform Disaster Recovery Testing.

Designate a person who is qualified to enact/enable Disaster Recovery operation.

Develop Disaster Recovery process for each tool.

Develop procedures for each tool.

Test Disaster Recovery process.

Disaster Recovery procedures are reviewed and approved by both parties.

Disaster Recovery testing performed every 6 months for each tool.

 
  Test | Test Environment | Provide Test environment for critical tools.

Maintain test environment availability.

Maintain test environment schedule of events.

Restore test environment to baseline state.

Test environment with future state configuration available at 90% on 24x7x365 basis. 
  Vendor | Vendor Interface | Maintain “primary” relationship with tool / application vendor.

Maintain “secondary” relationship with tool / application vendor.

Drive vendor to resolution on bug repair and feature releases.

Monthly vendor reviews.

Monthly vendor reports

 
  Visibility | Endpoint Connectivity

Validate Managed Tool inventory as maintained by Provider.

Drive changes to Global Payments’ uCMDB environment to reflect verified Provider configurations.

Perform enumeration of environment and match to tools coverage.

Ensure endpoints have latest tool versions

Ensure endpoints are configured according to approved baseline/config standard

Ensure endpoint is continuously logging

Ensure endpoint has latest security policy and/or subscription update.

Monthly verification of tools’ inventories performed by Provider. 
  Visibility | Server Connectivity

Validate Managed Tool inventory as maintained by Provider.

Drive changes to Global Payments’ uCMDB environment to reflect verified Provider configurations.

Perform enumeration of environment and match to tools coverage.

Ensure servers have latest tool versions

Ensure servers are configured according to approved baseline/config standard

Ensure server is continuously logging

Ensure server has latest security policy and/or subscription update.

Monthly verification of tools’ inventories performed by Provider.