ACCENTURE EMERGENCY INCIDENT RESPONSE SERVICES

Revision Date: April, 2022

This Service Description, together with any documents incorporated by reference ("Service Description") describes the service features and terms for Accenture's Emergency Incident Response Services (the "Services"). In order to purchase Services, Client must enter into a separate order confirmation, statement of work, or similar document to confirm the details and pricing for the Service ("Order Confirmation").

1. SERVICE SCOPE

1.1. Incident Response Agreement

This Agreement (as defined below) describes the service features and terms for the Services. The Order Confirmation details the countries in scope for support, the fees for the Services (including the prepaid amount and the applicable time and materials rates), the term of the agreement ("Term"), and any other Service specific parameters not otherwise addressed below.

1.2. Scope of Incident Response Services

Accenture will use different strategies and methodologies to complete the Services depending on the nature of the incident. Accenture will consult with Client at the outset of the investigation to identify initial objectives and regularly thereafter throughout the engagement to discuss updates to those objectives and other investigation decisions. Client will make any material decisions on investigation strategy. Accenture's Services may include Accenture conducting the activities below, however Client acknowledges and agrees that in providing the Services, Accenture may modify its approach as appropriate to assist Client in investigating a potential security incident:

• Analysis of pertinent data, logs, snapshots, or forensics images

• Operation of tools to collect network or log data

• Malware / binary analysis

• Client security team discussions

• Incident timeline analysis

• Post-incident briefing for executives and stakeholders

To the extent that an incident involves or impacts Client's OT Environment (as defined below) and/or the systems (including Industrial Control Systems, or "ICS") that reside within that environment, Accenture's Services may also include remote or on-site observation, investigation and/or analysis of, or interaction with, OT Environments or assets as part of the investigation and response. All activities with respect to OT Environment and/or ICS will be conducted in accordance with, and subject to, the terms attached as Exhibit 2 to this Service Description.

1.3. Written Reports and Presentations

In connection with an incident investigation, if and as requested by Client or Client's legal counsel, Accenture will deliver one or more of the following documents:

• Periodic Status Report summarizing work done during the period.

• Remediation Plan documenting recommended actions for remediating findings uncovered during the incident investigation.

• Incident Response Report documenting pertinent data uncovered during the incident investigation, identifying systems compromised, and characterizing data breach-related activity and root causes if known.

• Management Briefings summarizing pertinent information for use in briefing senior executive staff or Client board of directors.

Accenture will discuss with Client or Client's legal counsel the proposed content of any documented reports in advance of production or sharing. Such reports typically require up to ten business days for production and review. The reports will be provided to the Client and/or Client's legal counsel, as applicable, and Accenture will not be required to provide reports or documentation (or copies of them) to any other party or individual.

ACCENTURE CONFIDENTIAL AND PROPRIETARY


During the Term, Accenture may provide threat intelligence information and research that has been collected, obtained, and/or analyzed by Accenture ("Threat Intelligence"), either during the course of Services or outside of the Services. All such Threat Intelligence constitutes Accenture intellectual property and Confidential Information.

1.4. Out of Scope

Accenture will perform the Services in a good and workmanlike manner; however, nothing in the Agreement serves as a guarantee that the Services will detect or identify all security or network threats, vulnerabilities or intrusions, decrypt or recover data, restore operations or return control of Client Property (as defined below) where unauthorized access or control has occurred. Applicable law or regulation(s) of the country in which Services will be performed may limit or alter the scope of the Services that can be provided in that country, in which case the parties will work collaboratively to determine the best course of action.

The following are not in scope for the Services:

• Expert testimony or litigation assistance or support services.

• Provision of any regulated service or activities. Accenture is not licensed or certified in any country, state, or province as a private investigator, legal advisor, auditor or licensed or certified engineer and is not being retained to provide investigatory services, legal advice, audit or internal control advisory services or engineering services that would require a license or certification.

• Implementation of any remediation plan and post implementation monitoring of systems and networks is out of scope of these Services; however, Client can contract for such support separately.

2. HARDWARE AND SOFTWARE

2.1. Hardware; Software.

If the Parties jointly determine that the installation of hardware and/or software will be necessary to gain additional visibility into Client's systems, networks, facilities, or equipment, Accenture will work with Client to install servers on Client's network and/or will set up capacity in Accenture or its vendor's cloud-based environment and connect to Client's network to collect endpoint, network, and log data, and will provide Client with the hardware and software components required to be installed on Client's network and endpoint devices. Any hardware or software provided by Accenture for installation on Client's Property ("Accenture Tools") remains the property of Accenture or its licensors and is subject to the additional terms set forth in Exhibit 1.

Client will:

• Obtain any certificates (or modify any certificates) required to enable installation of the devices or software on any network, device or endpoint.

• Perform testing on each of Client's classes of devices to determine and/or confirm that the software agents do not affect safety, reliability, or availability of the devices.

• Install the software agents on the agreed upon number of Client's endpoint devices and network in accordance with Accenture's instructions.

• Ensure that Client or Client's personnel and contractors do not interfere with or damage any hardware or software installed on Client's network or endpoint devices for purposes of the Services, or otherwise attempt to compromise such hardware or software.

Client shall cooperate with Accenture to remove, or upon request of Accenture, Client will promptly return, any of Accenture's physical devices installed on Client's premises, systems or networks and confirm removal of any Accenture software from Client's devices. This includes removal from devices not connected to Client's network at the conclusion of the Services and therefore not subject to a bulk removal activity by Accenture.

3. CLIENT RESPONSIBILITIES

3.1. Client Property, Systems, Materials

a) Client will ensure the availability of Client resources as necessary for Accenture's performance of the Services, including the timely provision of information, access to systems, delivery of systems and logs, "out of band" communications systems, forensic imaging, data restoration, and backup of Client's systems (unless Accenture has agreed to perform or provide any of these resources). If Accenture is required to use Client's tools during an engagement, Client will provide Accenture with appropriate access to such tools, including any necessary licenses.

b) Client will procure any applicable consents and authorizations that may be necessary under law or Client's agreements with third parties for Accenture to perform the Services (onsite or remotely, as applicable). In particular, unauthorized access to computer systems or data, or intrusion into hosts and network access points, may be prohibited by applicable law if not properly authorized by the system or data owners. Such consents and authorizations must allow Accenture to take all actions necessary to access and process any and all Client Property related to the Services, including without limitation, if applicable, consent to connect to Client's computer network, install software and/or hardware, collect and analyze host and network based data such as memory, disk, logs, data, and historic or real time network traffic as well as any malware ("Forensics Data"), and archive, analyze, and retain all Forensics Data captured or obtained as part of Services. Client is solely responsible for providing instructions or obtaining any necessary consents for Accenture to provide the Services in compliance with laws, including without limitation, any laws relating to network integrity or security or to data privacy or data protection. If Client fails to obtain any such consents, Client agrees to be solely and fully responsible for any related claims or liabilities (notwithstanding any contrary terms in the Agreement).

c) Client will work with Accenture to help reduce the risk of damage to Client Property or impact to Client's operations resulting from incident investigation activities. There is inherent risk in incident response activities, which may lead to operational degradation, performance impact, incidents of non-compliance with internal policies or industry standards, or other impairment to Client Property, or downstream effects. As long as Accenture is using reasonable care in the performance of Services, Accenture will not be liable for any such damage or impacts arising out of the Services.

d) Client will notify Accenture of any applicable export control requirements related to Client Property and obtain any required licenses with respect to the export of any such Client Property in connection with the Services.

e) Client will make any decisions required of Client promptly and without delay and Accenture shall be entitled to rely on all decisions and approvals from Client's Authorized Personnel.

f) Where applicable, Client will provide support for Accenture to obtain any required visas and/or travel authorizations.

4. SERVICE SPECIFIC TERMS

4.1. Legal Privilege. If requested by Client, Accenture will provide the Services described herein solely under the direction of and control of Client's legal counsel. In such case, all information requested or obtained by Accenture from Client or prepared for Client under this Agreement will be deemed to be requested or obtained by Client's legal counsel for the purpose of it providing legal advice to Client. Accenture will use its best efforts to adhere to Client's legal counsel instructions regarding (a) Marking documents selected and identified by Client's legal counsel as "Attorney Client Privileged" and (b) Communicating information Client's legal counsel deems Attorney Client Privileged, including limiting recipients and utilizing requested markings. Accenture will provide results of such Services and any related findings or reports to Client's legal counsel, or its designee, as instructed by Client's legal counsel.

4.2. Conflict of Interest. Client acknowledges that Accenture may be providing separate services to Client that may in some way relate to an incident investigation performed under this Agreement. Provided that Accenture implements reasonable procedures to mitigate any potential conflict of interest, Client will not make claims against Accenture on the basis of conflict of interest.

4.3. Reporting. While delivering the Services, Accenture may become aware of issues such as data breaches, network intrusions, or the presence of malware, and that such issues may give rise to regulatory reporting obligations which Client may be subject to in one or more territories in which Client operates. Client will remain solely responsible for all such reporting requirements and Accenture shall not have an obligation to report unless applicable legal or regulatory obligations require Accenture to do so. If Accenture is required to report any Client information to law enforcement or regulatory authorities, Accenture will use reasonable endeavors to notify Client in advance of responding to any such requirements and, if possible, will allow Client the opportunity to raise an objection with such authorities. Subject to the foregoing, notwithstanding anything to the contrary in the Agreement, Client hereby gives Accenture explicit permission to comply with requirements of law enforcement authorities or regulatory authorities in connection with the Services.


4.4. Metadata. Accenture may retain and use for its business purposes any indicators of compromise, malware, anomalies, or other metadata found as part of, or related to, the performance of the Services ("Metadata"). Accenture may analyze, copy, store, and use such Metadata in a de-identified manner to improve its offerings and services, including for purposes of developing threat intelligence resources aimed at improving security.

4.5. Third Party Claims. The Services are provided for Client (and, if applicable, its legal counsel), and not for the benefit of any third parties. If a third party includes Accenture on any lawsuit or similar claim related to a Client security incident for which Accenture provided Services hereunder, Client will defend and hold harmless Accenture against such claims, including any related costs and liabilities.

4.6. Termination of an Incident Investigation. Either party can terminate the incident investigation by providing five (5) days' notice to the other party hereunder.

5. CLIENT PERSONAL DATA

In the course of the Services, Accenture may have access to (or obtain incidentally) Client Personal Data. The types of Client Personal Data that may be processed by Accenture may include (depending on the incident): personal contact information such as name, business address, business phone number, home address, home telephone or mobile number, fax number, email address, and passwords, user ids, information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, social security details; financial details including bank account data, credit or debit card data, payment or purchase history, device identifiers (such as serial numbers, mobile phone UDIDs), Internet Web Universal Resource Locators (URLS) and Internet Protocol (IP) addresses, or any other Client Personal Data contained within the systems with respect to which the Services are provided. The Client Personal Data transferred may concern the following special categories of data: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; genetic data; and biometric data where processed to uniquely identify a person. The categories of data subjects involved may include any of Client's representatives, such as employees, job applicants, contractors, collaborators, partners, and clients of the Client. Accenture will process Client Personal Data only for purposes described herein and in accordance with the terms of the Agreement.

If Accenture obtains access to Client Personal Data during the course of the Services, Accenture will process the Client Personal Data in accordance with the applicable data protection terms of the Agreement. Accenture will also take appropriate technical and organizational measures to protect personal information against accidental loss or destruction of, or damage to, that Client Personal Data, as set forth in Accenture's Data Safeguards, available at , subject to the following modifications specific to the nature of the incident response Services provided under this Service Description:

• Network and Application Design and Management: The parties acknowledge and agree that the use of network based web-filtering, email based DLP, and/or security tools which actively block or prevent the transportation and investigation of potentially malicious software may not be implemented on all infrastructure dedicated to the delivery of incident response Services.

• Workstations: The parties acknowledge and agree that the use of host based web-filtering and/or security tools which actively block or prevent the transportation and investigation of potentially malicious software may not be implemented on specific workstations dedicated to the delivery of incident response Services.

6. DEFINITIONS

Capitalized terms used in this Service Description, and not otherwise defined in the Agreement, have the meaning given below:

"Accenture" means the Accenture entity named in the Order Confirmation and/or its affiliates.

"Agreement" means collectively the Order Confirmation, this Service Description, and the Terms and Conditions (as defined below) in that order of precedence.

"Client" shall mean the Client identified in the Order Confirmation.


"Client Personal Data" means Client-owned or controlled personal data provided by or on behalf of Client to Accenture or an Accenture Affiliate or subcontractor for processing in connection with the Services.

"Client Property" means computer systems; servers; technology infrastructures; telecommunications or electronic communications systems and associated communications; confidential information; data (including Client Personal Data, employee identification, authentication or credential data user details and other sensitive information); assets; devices; intellectual property; and/or physical premises, that are used by the Client, its employees, clients, or suppliers, whether owned or otherwise controlled by the Client or owned by a third party.

"Industrial Control Systems" or "ICS" means the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or assisted or automated control of physical assets or devices, such as motors, valves, pumps and other electronic actuators.

"OT Environments" include, without limitation, the hardware and software for the mechanical systems, physical processes and networked electronic systems with automation or control capabilities involved in the operation, production or delivery of goods and services.

"Terms and Conditions" means the terms and conditions published by Accenture at (or successor URL), unless otherwise specified in the Order Confirmation.

