
Security Vulnerability Scanning (SVS)
Service Schedule to the General Terms

Contents
A note on ‘you’
Words defined in the General Terms
Part A – The BT Security Vulnerability Scanning Service
1 Service Summary
2 Standard Service Components
3 Service Options
4 Service Restrictions
5 Data Sovereignty
6 Delivery Model
7 Service Management Boundary
8 Associated Services and Third Parties
9 Specific Terms
Part B – SVS Service Delivery
10 BT’s Obligations
11 Your Obligations
13 Notification of Incidents
14 Invoicing
15 Charges at the End of the Contract
16 SVS Service Amendment
Part C – Service Levels
17 Service Care Levels
18 On-Time Delivery
19 Service Availability
20 Requests for Service Credits
Part D – Defined Terms
Appendix 1 – Software and Suppliers
Appendix 2 – Supplier (Qualys) Data Storage Locations

British Telecommunication plc. 2021
SVSServiceSchedule v2 Published April 2021.docx

BT Security Vulnerability Scanning (SVS) Service Schedule

A note on ‘you’
‘You’ and ‘your’ mean the Customer.

Words defined in the General Terms
Words that are capitalised but have not been defined in this Schedule have the meanings given to them in the General Terms.

Part A – The BT Security Vulnerability Scanning Service

1 Service Summary
BT will work with our Supplier (Qualys) to provide you with a cloud-based Security Vulnerability Scanning (“SVS”) Service that will scan the network, security devices and other server applications across your network comprising:
1.1 The Standard Service Components; and
The Service Options, if any, as set out in any applicable Order, up to the point of the Service Management Boundary as set out in paragraph 7 below (the “BT Security Vulnerability Scanning (SVS) Service”).

2 Standard Service Components
BT will provide you with the following standard service components (“Standard Service Components”) in accordance with the details as set out in any applicable Order:
2.1 Qualys licence pack: This is Supplier Software for the licence period as set out in the Order for you to download to enable you to use the BT Security Vulnerability Scanning (SVS) Service. If you purchase any additional licence packs during the Minimum Period of Service, such licences will terminate at the end of the Minimum Period of Service.
2.2 Qualys Portal: This is a portal that provides you with a right to access and use:
(a) vulnerability scan data;
(b) current and historic vulnerability scan reports; and
(c) dashboards that analyse vulnerability on various assets in your organization and provide input to take mitigation and remediation steps.
2.3 First Line Support – Service Desk
The first line support (Service Desk) will triage any queries. BT will generate a Ticket which will then be sent to the second line support if not resolved at First line.
2.4 Second Line Support – SOM
The second line support will assist on initial set-up and the use of the Service and Qualys Portal; provide automated reports; receive queries from you and can accommodate ad hoc requests (scans, service changes). The SOM will also respond to any Tickets generated by first line support or escalate to Third Line Support if incapable of resolution at this stage.
2.5 Third Line Support – SOM/Qualys
Third line support will deal with escalations from second line support (provided by BT) and will be provided by the SOM or Qualys depending on the nature of the issue.

3 Service Options
BT will provide you with any of the following options (“Service Options”) as set out in any applicable Order and in accordance with the details as set out in that Order. Note that Delivery Model Options are subject to an eligibility requirement:
3.1 Delivery Model Options
The standard BT delivery model for the Service is described at paragraph 6.1 below, however if preferred you may request the following variations to the standard delivery model.
3.1.1 Customer Provided Software Licenses and Virtual or Hardware Scanner

You may own and purchase the vulnerability scanning Software license, virtual scanner or hardware scanner to be installed on the hardware or virtual appliances. Note that this option is available at BT’s sole discretion and is subject to an assessment by BT that the hardware and software you are proposing will be suitably specified and fully compatible with the Scanner Appliances. If BT agrees to such a request, this will be set out in the Order together with any conditions set by BT.
3.1.2 BT Takeover Delivery Model
You may request to use fully installed, configured and operational Customer Equipment for the Security Vulnerability Scanning Service. Note that this option is available at BT’s sole discretion and is subject to an assessment by BT that the Customer Equipment is suitable for use with the SVS Service. This assessment will be carried out once you have provided the required information as set out in, and in accordance with paragraph 9.3. If BT agrees to such a request, this will be set out in the Order together with any conditions set by BT.
3.2 Vulnerability Scanning
BT will provide you with any of the following vulnerability scanning options as set out in the applicable Order:
3.2.1 Internal Vulnerability Scanning
BT will provide you with a virtual or hardware Scanner Appliance(s) to be hosted in your DC or network that will perform the scan of your internal IP Addresses in accordance with the agreed schedule; and
3.2.2 External Vulnerability Scanning
BT will provide you with external vulnerability scanning performed through a Supplier (Qualys) scanner hosted in the Supplier’s cloud. BT will implement scanning of your external IP Addresses in accordance with the agreed schedule.
3.3 Ad Hoc Professional Consultancy Service:
BT will provide ad hoc professional consultancy services on an individual case basis, which will be delivered remotely unless otherwise set out in any applicable Order.
3.4 All Service Options may not be available in all countries and Service Levels may vary depending on Site location.
3.5 Some Service Options may not be available on all Scanner Appliances.

4 Service Restrictions
4.1 BT does not warrant that the SVS Service will be error-free, free from interruption or failure, or secure from unauthorized access, or that it will detect every vulnerability in your network, or that the results generated by the SVS Service will be error-free, accurate, or complete.
4.2 The SVS Service may become unavailable due to any number of factors including scheduled or unscheduled maintenance, technical failure of the software, telecommunications infrastructure, or the Internet.

5 Data Sovereignty
5.1 BT’s provision of the BT Security Vulnerability Scanning (SVS) Service uses our ‘follow the sun’ model to ensure 24x7x365 coverage. Any specific data handling requests will be considered at BT’s sole discretion and priced at the time of the Order.
5.2 The Supplier (Qualys) will select the most appropriate location for storage of your vulnerability data, but you may choose another location from the list set out at Appendix 2 – Supplier’s (Qualys) Data Storage Locations, if you prefer.

6 Delivery Model
6.1 BT Delivery Model
BT will provide you with the complete SVS Service which will include:
6.1.1 A vulnerability scan on internal IP Addresses and external IP Addresses, performed through our Supplier’s (Qualys) vulnerability license tool. For internal vulnerability scans, a virtual scanner or hardware scanner is required which needs to be hosted in your DC or network to perform the scan on the IP assets. For external vulnerability scanning, the scanning is performed through a Supplier (Qualys) scanner hosted in their cloud. If you select a hardware scanner to sit on your premises, then you will install, set up and configure the Scanner Appliance. If you select a virtual scanner, then BT will send you the configuration guide to download and configure the scanner.
6.2 Change Management
You may submit change requests to BT to make changes to your SVS tool, including change of location, the introduction of new functionality, frequency and adjusting baseline scanning policies (“Change Management Request”).
6.2.1 In response to a Change Management Request, BT will confirm the competency of the Change Management Request and:
(a) Triage the Change Management Request according to BT’s other obligations under the SVS Service and in accordance with your direction;
(b) Provide you with an estimated implementation time for the Change Management Request to be completed;
(c) Implement and document the Change Management Request; and
(d) Confirm to you that the Change Management Request has been implemented as requested.
6.2.2 If BT is unable to confirm the competency of the Change Management Request, BT will advise you accordingly and will work with you to find an alternative solution.
6.2.3 BT may charge you additional Charges for such Change Management Request, except for a Change Management Request in respect of adjusting baseline scanning policies.
6.2.4 If a change needs to be made to the SVS Service in the event of an Incident and BT has contacted your Customer Contact, where required, BT will request your authorisation for BT to make any necessary changes. You will provide BT with the authorisation for the change within the duration that BT advises you. On receipt of your authorisation, BT will follow the process set out in paragraph 6.2.1 above.

7 Service Management Boundary
7.1 BT will provide and manage the SVS Service as set out in Parts A, B and C of this Schedule and as set out in any applicable Order from either the virtual scanner or the hardware scanner up to a cloud platform gateway (“Service Management Boundary”).
7.2 BT will have no responsibility for the SVS Service outside the Service Management Boundary.
7.3 BT does not make any representations, whether express or implied, about whether the SVS Service will operate in combination with any of your equipment or software.
7.4 BT will not be responsible if BT is unable to deliver the SVS Service or any part of the SVS Service because of lack of capacity or any other relevant limitations on Customer Equipment.
7.5 BT does not guarantee that the SVS Service will detect or scan all vulnerabilities on the machine.
7.6 Certain Service Options may require you to have specific Customer Equipment and Enabling Services that meet any minimum specifications, communicated to you by BT. BT will not be responsible for any inability to provide the SVS Service if you do not have and maintain the required Customer Equipment or Enabling Services.

8 Associated Services and Third Parties
8.1 You will have the following services in place that will connect to the SVS Service and are necessary for the SVS Service to function and will ensure that these services meet the minimum technical requirements that BT specifies:
8.1.1 Internet connectivity;

8.1.2 wide area network (WAN) connectivity;
8.1.3 local area network (LAN) connectivity and associated infrastructure;
8.1.4 any additional switches that may be required for the SVS Service that are not provided by BT as set out in any applicable Order;
8.1.5 any server platforms that may be required for the SVS Service; and
8.1.6 Vulnerability Scanner Appliances, if you have selected the BT Takeover Delivery Model option,
(Each an “Enabling Service”).
8.2 If BT provides you with any services other than the SVS Service including, but not limited to any Enabling Service, this Schedule will not apply to those services and those services will be governed by their respective separate terms.

9 Specific Terms
9.1 Minimum Period of Service and Renewal Period
9.1.1 Unless one of us gives notice to the other of an intention to terminate the SVS Service at least 60 days before the end of the Minimum Period of Service or a Renewal Period (“Notice of Non-Renewal”), at the end of the Minimum Period of Service or any subsequent Renewal Period, the SVS Service will automatically extend for the Renewal Period, and both of us will continue to perform each of our obligations in accordance with the Contract.
9.1.2 If one of us gives a Notice of Non-Renewal, BT will cease delivering the SVS Service at the time of 23:59 on the last day of the Minimum Period of Service or subsequent Renewal Period.
9.1.3 BT may propose changes to this Schedule or the Charges (or both) by giving you notice at least 90 days before the end of the Minimum Period of Service and each Renewal Period (“Notice to Amend”).
9.1.4 Within 30 days of any Notice to Amend, you will provide BT Notice:
(a) Agreeing to the changes BT proposed, in which case those changes will apply from the beginning of the following Renewal Period;
(b) requesting revisions to the changes BT proposed, in which case both of us will enter into good faith negotiations for the remainder of that Minimum Period of Service or Renewal Period, as applicable, and, if agreement is reached, the agreed changes will apply from the beginning of the following Renewal Period; or
(c) terminating the Contract at the end of the Minimum Period of Service or Renewal Period, as applicable.
9.1.5 If we have not reached an agreement in accordance with paragraph 9.1.4(b) by the end of the Minimum Period of Service or the Renewal Period, as applicable, the existing terms of this Schedule will apply from the beginning of the following Renewal Period unless you elect to give Notice in accordance with paragraph 9.1.4(c) or BT may give Notice of termination, in which case BT will cease delivering the SVS Service at the time of 23:59 on the last day of the Minimum Period of Service or subsequent Renewal Period.
9.1.6 Regardless of the termination and Notice to Amend provisions set out in this section 9.1, if you have agreed to a Minimum Period of Service of more than 12 months, then BT may have applied a discount to the Charges. That discount will only apply to the Minimum Period of Service and BT may remove the discount in any subsequent Renewal Period that is shorter than the initial Minimum Period of Service.
9.2 Customer Committed Date
9.2.1 If you request a change to the SVS Service or any part of the SVS Service, including any Purchased Equipment or any IP Address location, then BT may revise the Customer Committed Date to accommodate that change.
9.2.2 BT may expedite delivery of the SVS Service for operational reasons or in response to a request from you, but this will not revise the Customer Committed Date.
9.3 Service Transition

9.3.1 If you are transitioning your existing SVS Service or any Scanner Appliances to BT, you will provide any information or access BT reasonably requests at least 30 days before the SVS Service Start Date, including:
(a) make and model of the Scanner Appliance;
location of the Scanner Appliance;
Software licence information;
network diagrams;
Scanner Appliance name and IP addresses on which scanning is to be performed;
details of any third-party contracts, service level agreements and equipment;
9.3.2 BT may require the Scanner Appliance to pass a transition test before the commencement of the SVS Service.
9.4 Supplier (Qualys) Master Cloud Services Agreement (EULA)
