CIS Managed Security Services Terms and Conditions

Upon acceptance by Customer, these Terms and Conditions shall constitute an Agreement and shall govern the purchase of Managed Security Services, as defined herein below, between Center for Internet Security, Inc. (“CIS”) located at 31 Tech Valley Drive, East Greenbush, NY 12061-4134, and Customer (CIS and Customer each a “Party” and collectively referred to as the “Parties”).

I. Definitions

A. Security Operation Center (SOC) – 24 X 7 X 365 watch and warning center that provides network monitoring, dissemination of cyber threat warnings and vulnerability identification and mitigation recommendations.

B. Managed Security Services (MSS): monitoring and/or management of security devices, with security event analysis and notification.

C. Effective Date: The last date on which these Terms and Conditions shall have been executed by both Parties.

II. Term of this Agreement; Termination

A.  Term. This Agreement will commence on the date it is accepted by Customer (the “Effective Date”), and Managed Security Services will start as of the date that all pre-service requirements as set forth in Section V are met and Managed Security Services are available (the “Service Start Date”). This Agreement shall continue in full force and effect from the Service Start Date for the time period set forth in an Order (the “Term”).

B. Termination. Unless otherwise agreed to between the Parties, either Party may terminate this Agreement and any Managed Security Services being provided under this Agreement by providing written notice to the other Party ninety (90) days prior to such termination.

III. Payment Terms

A. As consideration for the Managed Security Services requested by Customer, Customer hereby agrees to pay to CIS the costs for the period set forth in an Order submitted to Customer. Unless otherwise agreed to by the Parties in writing, Customer shall pay CIS within 30 days of receipt of Invoice. For renewals, Customer agrees to remit payment in full prior to the Subscription Renewal Date, which is the date on which the subscription shall renew.

B. If a device is terminated by Customer during the one-year term, Customer will remain responsible for the payment for that device for the remainder of the Term. HOWEVER, an existing device may be removed and replaced with a new device upon the following conditions:

  1. Customer shall pay a one-time onboarding fee for the new device; and
  2. If the pricing for the new device is the same as the device being removed, Customer shall continue to pay the same amount for that device for the remainder of the Term; or
  3. If the pricing for the new device is greater than the device removed (i.e. an IDS/IPS device is removed and a firewall is added), then Customer shall be required to pay the amount for the higher-priced device for the remainder of the Term; or
  4. If the pricing for the new device is less than the device being removed (i.e. a firewall is removed and an IDS/IPS device is added), then Customer shall pay the lower amount for the remainder of the Term or, if Customer has prepaid in advance, Customer shall receive the difference in cost as a credit for the next renewal Term. If Customer does not renew for another Term, Customer shall not be entitled to a refund or credit pursuant to this subsection.

C. Upon completion of the Term, the Service shall not automatically renew and may renew only upon mutual agreement of both Parties. CIS shall provide Customer with the costs for any renewal terms no less than sixty (60) days prior to the renewal date. Any pricing increases upon renewal shall not exceed 3% of the costs being paid by Customer for the then-current Term. Payment for a renewal term shall be due on or before the Subscription Renewal Date, which shall be the anniversary date from the date on which services commenced.

IV. CIS Responsibilities

CIS will provide the following as part of the Managed Security Services, as specified below:

A.    CIS will provide the following:

    1. 24/7 telephone (1-866-787-4722) availability for assistance with events detected by the MSS.
    2. Analysis of logs from monitored security devices for attacks and malicious traffic.
    3. Analysis of security events, including correlation of security data/logs/events with information from other sources.
    4. Notification of security events per the Escalation Procedures provided by Customer.
    5. Secure access to security events via secure portal.
    6. Monthly reports that include a summary of device availability, events and trouble tickets for the previous month and a summary of security incidents and log counts for Customer.
    7. Monitoring and Management of Intrusion Detection / Protection System (IDPS) sensors. CIS will be responsible for ensuring that all upgrades, patches, configuration changes and signature updates are applied to managed devices and will be responsible for the correct functioning of managed devices. The Customer is responsible for maintaining the appropriate license and support agreements for any managed devices owned by Customer.

V. Customer Responsibilities

A.  Customer acknowledges and agrees that CIS’s ability to perform the Managed Security Services provided by CIS for the benefit of Customer is subject to Customer fulfilling certain responsibilities listed below.  Customer acknowledges and agrees that neither CIS nor any third-party provider shall have any responsibility whatsoever to perform or to continue to perform Managed Security Services in the event Customer fails to meet its responsibilities described below.

B.  Customer acknowledges and agrees that only those security devices supported by CIS fall within the scope of this Agreement.

C.  Customer shall provide logistic support in the form of rack space, electricity, Internet connectivity, and any other infrastructure necessary to support communications at Customer’s expense.

D.  Subject to any confidentiality terms between CIS and Customer, Customer shall provide the following to CIS prior to the commencement of Managed Security Services and at any time during the term of the engagement with CIS if the information changes:

    1. Current network diagrams to facilitate analysis of security events on the portion(s) of Customer’s network being monitored. Network diagrams will need to be revised whenever there is a substantial network change;
    2. Reasonable assistance to CIS, including, but not limited to, providing all technical and license information related to the Service(s) reasonably requested by CIS, to enable CIS to perform the Service(s) for the benefit of Customer;
    3. Supply onsite hardware, virtual machines or software that is necessary in providing Managed Security Services. Customer also agrees onsite hardware, virtual machines and software will meet specifications set forth by CIS and/or its third-party providers.
    4. Maintenance of all required hardware, virtual machines, or software necessary for the log collection platform located at Customer’s site, and enabling access to such hardware, virtual machines, or software as necessary for CIS to provide services;
    5. Public and Private IP address ranges including a list of servers being monitored including the type, operating system and configuration information;
    6. Completed Pre-Installation Questionnaires (PIQ). The PIQ will need to be revised whenever there is a change that would affect CIS’s ability to provide the Managed Security Services;
    7. A completed Escalation Procedure Form including the name, e-mail address and 24/7 contact information for all designated Points of Contact (POCs).
    8. The name, email address, and landline, mobile, and pager numbers for all shipping, installation and security POCs.

E.  During the term of the Services, Customer shall provide the following:

    1. Written notification to CIS SOC (SOC@cisecurity.org) at least thirty (30) days in advance of changes in hardware or network configuration affecting CIS’s ability to provide Managed Security Services;
    2. Written notification to CIS SOC (SOC@cisecurity.org) at least twelve (12) hours in advance of any scheduled downtime or other network and system administration scheduled tasks that would affect CIS’s ability to provide Managed Security Services;
    3. A revised Escalation Procedure Form must be submitted when there is a change in status for any POC.
    4. Sole responsibility for maintaining current maintenance and technical support contracts with Customer’s software and hardware vendors for any device subject to Managed Security Services that has not been supplied by CIS;
    5. Active involvement with CIS SOC to resolve any tickets requiring Customer input or action; and
    6. Reasonable assistance in remotely installing and troubleshooting devices including hardware and communications.
    7. Customer shall ensure that any replacement devices to receive Managed Security Services during the term will conform to the requirements set forth in this Agreement.
    8. Customer shall provide to CIS:
      • In-band access via a secure Internet channel to manage the device(s).
      • Outbound access via a secure Internet channel for log transmission.
      • A permanent, dedicated analog telephone line and space to support the Out-of-Band (OOB) Management Solution, if CIS provides an OOB Management Solution to the Customer. Customer is responsible for the expense and for maintaining the functionality of this dedicated line. The OOB device is supplied by CIS.

VI. Additional Terms and Conditions from Third Party Provider Applicable to Managed Security Services

A. Customer acknowledges and agrees that as part of part of providing Managed Security Services, CIS has contracted with the third-party provider, Accenture. Customer further acknowledges and agrees that in return for receipt of Managed Security Services, it agrees to the following terms and conditions as an end user of Accenture services as part of the CIS Managed Security Services (“End User”):

    1. Use of End User Data. When providing services to End User through the Statement of Work with CIS, Accenture may use End User data to the extent necessary for the purposes of detecting, blocking, analyzing and reporting cyber-threats in the delivery of its products and services and in the development and enhancement of any Accenture products and services. End User is responsible for its data and accepts full responsibility for backing up and protecting its data against loss, damage or destruction.
    2. Configurations. End User shall be responsible for selecting its configurations and assuring that its selection conforms to its policies and procedures, and complies with all applicable laws and regulations in which it is accessing the Services. Accenture’s delivery of the Services does not include End User’s configurations, nor policies and procedures implemented and set by End User that are available during the Term.
    3. End User Obligations. End User is responsible for obtaining all approvals and consents required by any third parties to use the Service. Accenture is not in default of its obligations if it cannot provide the Service when approvals or consents have not been obtained or any third party otherwise validly prevents Accenture from providing the Service. End User is responsible for such third party’s account information, passwords and other login credentials and must notify Accenture immediately of any known unauthorized possession or use of its credentials.
    4. Indemnification
      • Accenture will defend, indemnify and hold End User harmless against any claims asserting that the services infringe any patent, copyright, trademark, or trade secret of a third party, and will pay any and all damages finally awarded by a court and actually paid by End User, or agreed to in a final settlement by Accenture and attributable to such claim. Accenture’s obligations under this provision are subject to End User not having compromised or settled such claim and doing the following: (i) notifying Accenture of the claim in writing, as soon as End User learns of it; (ii) providing Accenture with all reasonable assistance and information to enable Accenture to perform Accenture’s duties under this Section; and (iii) allowing Accenture and its Affiliates sole control of the defense and all related settlement negotiations. Notwithstanding the foregoing, End User may participate at its expense in the defense of any such claim with its own counsel, provided that Accenture and its Affiliates retain sole control of the claim. End User has the right to approve any settlement that affirmatively places on End User an obligation that has a material adverse effect on it other than the obligations to cease using the affected Online Service or to pay sums indemnified under this Section. Such approval will not be unreasonably withheld.
      • If the services are found to infringe, or if Accenture determines in Accenture’s sole opinion that the services are likely to be found to infringe, then Accenture will either: (i) obtain for End User the right to continue to use the service(s); or (ii) modify the service(s) (including, if applicable, any Service Component(s)) so as to make it non-infringing, or replace it with a non-infringing equivalent substantially comparable in functionality, and in the case of infringing Service Component(s), End User will stop using any infringing version of such Service Component(s)); or, if Accenture determines in its sole opinion that “(i)” and/or “(ii)” are not reasonable, Accenture may (iii) terminate End User’s rights and Accenture’s obligations under this Agreement with respect to such services, and in such case shall refund any pre-paid fees for the relevant services. Notwithstanding the above, Accenture will not be liable for any infringement claim to the extent that it is based upon: (1) modification of the services other than by Accenture; (2) combination, use, or operation of the service(s) with products not specifically authorized by Accenture to be combined with the service(s); (3) use of the service(s) other than in accordance with this Agreement; or (4) End User’s continued use of infringing service(s) after Accenture, for no additional charge, supplies or offers to supply modified or replacement non-infringing service(s).
      • This section states End User’s sole and exclusive remedy and Accenture’s sole and exclusive liability with respect to claims of infringement or misappropriation of any intellectual property.

5. Confidentiality.

      •  “Confidential Information” means, for purposes of this Agreement, the non-public information provided by a party (“Discloser”) to the other party (“Recipient”) related to the business opportunities between the parties, provided that such information is: (1) identified as confidential at the time of disclosure by the Discloser, or (2) if the initial disclosure is not in written or other tangible form, the Confidential Information will be so identified at the time of disclosure and reduced to written or other tangible form, appropriately marked and submitted by the Discloser to the Recipient as soon as reasonably practicable thereafter, but no later than thirty (30) days after disclosure. Confidential Information of Accenture shall include product architecture, product research and development plans, non-public financial data and roadmaps, whether marked as confidential or not. A Recipient may use the Confidential Information that it receives from the Discloser solely for the purpose of performing activities contemplated under this Agreement. For a period of five (5) years following the applicable date of disclosure of any Confidential Information, a Recipient will not disclose the Confidential Information to any third party. A Recipient will protect it by using the same degree of care, but no less than a reasonable degree of care, to prevent the unauthorized use, dissemination or publication as the Recipient uses to protect its own confidential information of a like nature. The Recipient may disclose the Confidential Information to its affiliates, agents and subcontractors with a need to know in order to fulfill the purpose of this Agreement, under a nondisclosure agreement at least as protective of the Discloser’s rights as this Agreement.
      • (b) This Section imposes no obligation upon a Recipient with respect to Confidential Information which: (i) is or becomes public knowledge other than by breach of this Agreement; (ii) was in the Recipient’s possession before receipt from the Discloser and was not subject to a duty of confidentiality; (iii) is rightfully received by the Recipient without any duty of confidentiality; (iv) is disclosed generally to a third party by the Discloser without a duty of confidentiality on the third party; or (v) is independently developed by the Recipient without use of the Confidential Information.
      • (c) The Recipient may disclose the Discloser’s Confidential Information as required by law or court order provided: (1) the Recipient promptly notifies the Discloser in writing of the requirement for disclosure, if legally permissible; and (2) discloses only as much of the Confidential Information as is required.
      • (d) Each party will retain all right, title and interest to such party’s Confidential Information. The parties acknowledge that a violation of the Recipient’s obligations with respect to Confidential Information may cause irreparable harm to the Discloser for which a remedy at law would be inadequate. Therefore, in addition to any and all remedies available at law, Discloser will be entitled to seek an injunction or other equitable remedies in all legal proceedings in the event of any threatened or actual violation of any or all of the provisions. Subject to the terms of this Agreement: (i) Discloser may request the return of Confidential Information; (ii) or upon termination or completion of the Agreement or any Online Services, Recipient will either return (if technically feasible to do so) or destroy the Confidential Information and upon request of Discloser, will certify such destruction. Notwithstanding the foregoing and provided that such information is protected in accordance with the terms of this Agreement, the Recipient may continue to maintain copies of Confidential Information: (i) that is included in its data backup, which will be destroyed in accordance with the Recipient’s data retention policies; or (ii) as required to comply with applicable law, which will be destroyed when such obligation is met.
  1.  6. Intellectual Property Rights. The services and related processes, instructions, methods, and techniques are owned by or have been developed by Accenture and/or its licensors, and shall remain the sole and exclusive property of Accenture and/or its licensors. End User may not reverse engineer the services. End User may not assert any rights in Accenture’s intellectual property or data, including limitations provided in FAR 12.212 and DFAR section 227-7202. Accenture will not assert any ownership rights in End User’s data.
  2. 7. Warranties. Accenture’s sole warranties related to the services provided in connection with the Managed Security Services as a third-party provider to CIS are as follows. The services will be performed using reasonable care and skill in accordance with Accenture’s Managed Security Services Service Description. Accenture’s warranty ends when the Term ends. Accenture does not warrant uninterrupted or error-free service or that Accenture will identify all threats or vulnerabilities, correct all defects or prevent third-party disruptions or unauthorized third-party access.  These warranties are the exclusive warranties from Accenture and replace all other warranties, including the implied warranties or conditions of satisfactory quality, merchantability, non-infringement, and fitness for a particular purpose. Accenture’s warranties will not apply if there has been misuse, modification, damage not caused by Accenture, failure to comply with instructions provided by Accenture.
  3. 8. Limitation of Liability. Nothing in these terms shall exclude or limit: (i) Accenture’s liability for death or personal bodily injury to the extent caused by its negligence; (ii) Accenture’s indemnification obligations outlined herein; or (iii) any other liability which cannot be excluded by law.To the maximum extent permitted by applicable law and regardless of whether any remedy set forth herein fails of its essential purpose, in no event shall Accenture or its licensors be liable to CIS or End User (Entity), whether in contract, tort or otherwise for: 1) any costs of procurement of substitute or replacement goods and services, loss of profits, diminution in stock price or reputational harm, loss of or corruption to data, business interruption, loss of production, loss of revenues, loss of contracts, loss of goodwill, anticipated savings, wasted management and staff time; whether (in any such case) arising directly or indirectly out of these terms or use of the services, and whether or not Accenture or its licensors have been advised such damages or losses might occur; or  any other special, consequential or incidental or indirect damages. To the extent permitted by applicable law, Accenture and its licensors’ total aggregate liability for all claims arising under or in connection with these terms, whether in contract, tort (including negligence), statute or otherwise, regardless of the theory of liability, is limited to the greater of the fees actually paid by End User for the services giving rise to the claim during the twelve (12) months before the cause of action arose.

VII. Force Majeure

Neither Party shall be liable for performance delays or for non-performance due to causes beyond its reasonable control.

VIII. No Third-Party Rights

Except as otherwise expressly stated herein, nothing in this Agreement shall create or give to third parties any claim or right of action of any nature against Customer or CIS.

IX. Assignment

Neither Party may assign their rights and obligations under this Agreement without the prior written approval of the other Party, which approval shall not be unreasonably withheld, conditioned or delayed. This Agreement shall be binding upon and inure to the benefits of each Party and their respective successors and assigns.

X. Notices

A. All notices permitted or required hereunder shall be in writing and shall be transmitted either: via certified or registered United States mail, return receipt requested; by facsimile transmission; by personal delivery; by expedited delivery service; or by e-mail with acknowledgement of receipt of the notice.

Such notices shall be addressed as follows or to such different addresses as the Parties may from time-to-time designate:

CIS

Name:             CIS Services

Address: Center for Internet Security, Inc.
31 Tech Valley Drive
East Greenbush, NY 12061-4134      

Phone:            (518) 880-0766              

E-Mail:           [email protected]

                        With a copy to [email protected]

Customer shall provide appropriate notice information to CIS.

B. Any such notice shall be deemed to have been given either at the time of personal delivery or, in the case of expedited delivery service or certified or registered United States mail, as of the date of first attempted delivery at the address and in the manner provided herein, or in the case of facsimile transmission or email, upon receipt.

C. The Parties may, from time to time, specify any new or different contact information as their address for purpose of receiving notice under this Agreement by giving fifteen (15) days written notice to the other Party sent in accordance herewith. The Parties agree to mutually designate individuals as their respective representatives for the purposes of receiving notices under this Agreement.  Additional individuals may be designated in writing by the Parties for purposes of implementation and administration, resolving issues and problems and/or for dispute resolution.

XI. Governing Law and Jurisdiction

Unless otherwise specifically prohibited by the laws of Customer’s jurisdiction, any disputes arising in connection with this Agreement shall be governed and interpreted by the laws of the State of New York without regard to its conflict of law provisions. In the event that the laws of Customer’s jurisdiction require that the laws of that jurisdiction apply to all contracts entered into by     Customer, then the laws of that jurisdiction shall apply.

XII. Non-Waiver

None of the provisions of this Agreement shall be considered waived by either Party unless such waiver is given in writing by the other Party.  No such waiver shall be a waiver or any past or future default, breach or modification of any of the terms, provision, conditions or covenants of the Agreement unless expressly set forth in such waiver.

XIII. Entire Agreement; Amendments

This Agreement and the appendices attached hereto constitute the entire understanding and agreement between the Parties with respect to the subject matter hereof and replace and supersede all prior understandings, communications, agreements or arrangements between the parties with respect to this subject matter, whether oral or written. This Agreement may only be amended as agreed to in writing by both Parties.

XIV. Partial Invalidity

If any provision of this Agreement be adjudged by a court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.