Additional Terms & Conditions

 

These Additional Terms & Conditions (the “ATCs”) to the FCI MSSP Master Service Agreement signed between FCI and CLIENT (the “AGREEMENT”) are available at:

fcicyber.com/additional-terms-conditions


Due to constant changes in cybersecurity regulations and solutions, FCI may, at any time, and at its sole discretion, modify the ATCs and notify CLIENT of such changes via email.


FCI and CLIENT can be designated together as the “PARTIES” or individually as a “PARTY”.

The PARTIES agree as follows:

 

1       Steering Committee

1.1       To facilitate the review of the AGREEMENT and the ATCs, and to further the anticipated cooperation hereunder, the PARTIES have the option to form a steering committee (the “STEERING COMMITTEE”) which will ensure governance, make decisions, and resolve escalated issues.

1.2       The STEERING COMMITTEE members shall be:

·       CLIENT: CEO or Executive, CISO/ISO, and Project/Operation Manager

·       FCI: Executive, Project Manager, Account Manager

1.3       CLIENT agrees that the CLIENT’s Project/Operation Manager role shall be performed by a CLIENT employee and shall not be assigned to an external IT firm representative.

1.4       The STEERING COMMITTEE reporting and calls shall be jointly planned and managed by the CLIENT Project/Operation Manager and FCI Project Manager.

 

2       Best-of-Breed Cybersecurity Software

2.1       To render the SERVICES, FCI selects, integrates, configures and manages commercially available best-of-breed cybersecurity software.

2.2       Such best-of-breed software has been thoroughly tested by the best-of-breed software publishers, the clients of such software publishers, and FCI. In the event of a problem after the software is installed, the problem is usually related to a conflict with existing software or a problem with the computer. On rare occasions, the problem may be related to the software.

2.3       CLIENT agrees that, from time to time, FCI may change one or more of such best-of-breed software without advising CLIENT.

 

3       Client Information

3.1       As a policy, FCI does not access or store CLIENT’s non-public information (“NPI”).

3.2       In some cases, CLIENT’s contact information, device information, support tickets, configuration settings and disaster recovery image backups may be hosted at a third-party vendor cloud location in the United States. FCI confirms that such vendors were selected through the FCI documented vendor selection process and they met the cybersecurity standards expected from best-of-breed vendors.

 

4       Hosting Facility & Security Operation Center

4.1       FCI Hosting Facilities and Security Operation Center (SOC) are located in the United States.

 

5       No Offshoring

5.1       FCI asserts that it is not performing the SERVICES or any portion thereof, nor sending or making available any CLIENT confidential information, outside the United States.

 

6       Employees and Subcontractors

6.1       All individuals working with FCI to render the SERVICES are employees or subcontractors of FCI for whom FCI performs background checks leveraging a system called Good Hire that covers a comprehensive set of information, including: arrest records, birth records, court records, criminal records, criminal wants and arrest warrants, death records, jail and inmate records, police records, and sex offender records.

6.2       Employees and subcontractors are under contract and have signed a non-disclosure agreement with FCI.

 

7       Non-Hire

7.1       The PARTIES shall not, during the term of the AGREEMENT, ensuing relationship and for one year after termination, attempt to solicit, solicit for employment or employ any person who is or has been employed by either PARTY as a full-time or contract employee without prior written consent from the other PARTY.

7.2       Should a PARTY breach this Section, that PARTY agrees to pay the aggrieved PARTY within 10 days of such hire, a sum equal to 30% of the hired person’s annualized ongoing compensation.

 

8       Warranties

8.1       FCI makes no representation or warranty whether express, implied or statutory, regarding the SERVICES, hardware and software provided by FCI, including but not limited to, any implied warranties of merchantability and non-infringement of any third-party rights.

8.2       The limit of liability of FCI for any acts or omissions shall be limited to the value of the SERVICES rendered. The sole remedy for hardware and/or software defects shall lie with the manufacturer of such hardware and/or software.

 

9       Insurance

9.1       FCI shall purchase and maintain insurance protection throughout the term of the AGREEMENT. This shall include, but not necessarily be limited to, (i) a broad form commercial general liability insurance of $1,000,000, (ii) a workers compensation and employers liability insurance of $500,000, (iii) an errors and omissions insurance of $1,000,000, and (iv) a network security insurance of $1,000,000.

10   Cooperation with Regulators, Authorities, Financial Institutions, and Insurance Companies

10.1    In the event of a cybersecurity audit, examination, incident or breach, FCI and CLIENT are committed to working together in good faith to resolve any request by Regulators, Authorities, Financial Institutions, and Insurance Companies.

10.2    CLIENT shall be liable for FCI’s reasonable additional costs that FCI incurs in connection with such effort. Such additional costs shall be estimated by FCI and pre-approved by CLIENT in the form of an email.

 

11   Cyber Services Types

11.1    Standard Services described in the ATCs are included in the SERVICES pricing and are provided at no additional cost.

11.2    Services described in the ATCs as Optional, Advanced Configuration, or charged per project or per hour, are not included in the SERVICES pricing and are provided at additional cost.

 

12   Hourly Rates

12.1    Hourly rates for Advanced or Optional services and for BILLABLE SUPPORT SERVICES are:

·      Level 1 for Technicians: Remote $124, Onsite $138

·      Level 2 for Project and Department Managers: Remote $149, Onsite $165

·      Level 3 for Senior Management & Directors: Remote $199, Onsite $220

·      Level 4 for Compliance Support/Guidance & Cybersecurity Incident Response: Remote $269

 

13   Fees & Payment

13.1    Setup and monthly fees for the SERVICES are payable in advance.

13.2    The first invoice (i) shall include setup fees and fees for the first month, and (ii) is payable before the implementation project starts.

13.3    When the implementation project is completed, the paid first month fees are applied to the current month and the recurring monthly billing starts on the following month.

13.4    Monthly, FCI invoicing to CLIENT shall be based on the actual number of protected Endpoints & Networks for the selected SERVICES.

13.5    The Endpoint Security Services Setup Fees for new end-users added after the completion of the implementation project shall be billed at the Level 1 hourly rate.

13.6    All payments pursuant to the AGREEMENT are non-refundable.

13.7    FCI reserves the right to invoice CLIENT the lesser of twelve percent (12%) annual interest or the highest interest rate allowable under applicable laws for any outstanding, undisputed invoice not paid upon the terms defined in the AGREEMENT.

13.8    CLIENT shall pay for the SERVICES with a credit card or an automated bank transfer (ACH) through the FCI Payment Portal. CLIENT access to such Payment Portal shall be provided by FCI to CLIENT upon signature of the AGREEMENT.

13.9    On January 1st of every calendar year, CLIENT agrees that the price of the SERVICES shall automatically increase by 2.5%.

 

14   Trademark, Copyright & Intellectual Property

14.1    Each PARTY agrees that it shall not knowingly infringe trademark, copyright, licenses or other intellectual property rights of the other PARTY.

14.2    FCI complies with the provisions of all applicable state and federal laws and regulations, the provisions of which are deemed incorporated by reference.

 

15   Restrictions

15.1    CLIENT shall not directly or indirectly (i) sell, lease, redistribute or transfer any of the SERVICES, (ii) decompile, disassemble, reverse engineer, or otherwise attempt to derive, obtain or modify the source code of the software provided with the SERVICES, (iii) reproduce, modify, translate or create derivative works of all or any part of the software provided with the SERVICES, (iv) rent, lease or loan the software provided with the SERVICES in any form to any third party or otherwise allow a third party to use the software provided with the SERVICES, (v) sublicense any of the rights granted to CLIENT in this AGREEMENT, or (vi) remove, alter or obscure any proprietary notice, labels, or marks of the software provided with the SERVICES.

 

16   Use of Company Names & Logos

16.1    CLIENT hereby grants to FCI the right to use CLIENT’s company name and logo in marketing, sales, and public relations materials and other communications solely to identify CLIENT as an FCI client.

16.2    FCI hereby grants to CLIENT the right to use FCI’s logo solely to identify FCI as a provider of cybersecurity services to CLIENT.

 

17   Email Distribution Lists

17.1    CLIENT shall create 2 email distribution lists to which automated and ad-hoc email communications shall be sent:

·       [email protected] shall receive reports

·       [email protected] shall receive cyber alerts

17.2    FCI recommends having the CLIENT’s CISO/ISO on both lists.

17.3  In the event that CLIENT does not want to create these mailing lists, then by default FCI shall only send the email messages to the CLIENT’s CEO.    

 

 

18   Managed Endpoint Security Services

18.1    Managed Endpoint Identification Services

  • Monthly and On-Demand NIST-Based Asset Management Report & Cyber Posture of Devices
  • Device Cyber Lifecycle Management (Onboarding, Ongoing, and Offboarding)
  • FCI NIST-Based Technical Control Standard Enforcement
  • Automated Tools to Set and Capture Proper Configuration/Controls:
    • On Desktops, Laptops, Servers, Virtual Servers, Smartphones & Tablets
    • Enforced Without User Involvement
    • Device Settings: Complex Password, Firewall, Logs, Screen Saver, OS Patches, etc.
    • Cyber Tools: Full-Disk Encryption, Antivirus, Antimalware, MFA
  • Threat & Vulnerability Identification
  • Options:
    • User Credential Management Recommendation and Configuration Support
    • Web Application Gateway to Private Data System
    • Correlation of Users, Devices & Web Applications with Private Data

18.2    Managed Endpoint Protection Services

  • Security Awareness Training for Leadership (CEO, CISO, ISO, Train-the-Trainer, etc.)
  • Data Loss Prevention through Managed Endpoint Protection:
    • Antivirus, Web Protection, Network Protection, Peripheral Protection, etc.
    • Malware Detection & Blocking
    • Full-Disk Encryption with Key Management Services
    • Data Leakage Protection (Advanced Configuration)
    • Application Protection (Advanced Configuration)
  • Email Encryption Guidance & Recommendations
  • For Smartphones and Tablets: Verification of settings configured by End-Users: OS version, status of enabled security features (configured or disabled), full disk encryption, mobile device biometrics (Face ID/Touch ID), screen lock, and tampered (jailbroken) status.
  • Multi-Factor Authentication to Access Endpoints
  • Options:
    • Multi-Factor Authentication to Access Web Applications with Private Data
    • Disaster Recovery Image Backup

18.3    Managed Endpoint Detection Services

  • 24×7 Performance & Availability Monitoring
  • 24×7 Cyber Threat Monitoring
  • 24×7 Cyber Compliance Monitoring
  • Endpoint Intrusion Detection & Prevention
  • Security Incident Event Monitoring & Management
  • Log/Data Aggregation
  • Real-Time Security Alerts & Reporting
  • Insider Threat

18.4    Managed Endpoint Response Services

  • Active Automated Incident Response
  • Cyber Expert Incident Response
  • Mass Vulnerability Response for Imminent Risk (Zero-Day, etc.)
  • Incident Response Support:
    • Documentation
    • Evidence Gathering, Preservation & Presentation
    • Cyber Incident Handling & Forensic Analysis During an Incident
    • Breach Determination

18.5    Managed Endpoint Recovery Services

  • Automated Recovery Services
  • Cyber Expert Recovery Services
  • Options:
    • Full-Disk Encryption assistance for key recovery
    • Image Backup Restoration Recovery Services
    • Endpoint Password recovery

18.6    Endpoint Support Services

  • Embedded Ticketing System for End-User Cyber Support
  • Project Management

 

19   Notes Related to Endpoint Security Services

19.1    The Password Expiration field may show NOT APPLICABLE for Apple computers depending on computer model and MacOS version.

19.2    The Domain/Workgroup field for Apple computers may show a question mark depending on computer model and MacOS version.

19.3    On computers managed by a Server and Active Directory, Microsoft Accounts or Azure Active Directory, the Password fields will show DOMAIN MANAGED, Microsoft Managed or Azure Managed respectively. In this case, it is not possible for FCI to enforce the Password related settings on these computers.

19.4    On servers, FCI can only identify Anti-Virus installed and managed by FCI. If the Anti-Virus is not installed by FCI, it will show as NOT AVAILABLE.

19.5    Most best-of-breed software is recognized by the FCI system, but it may happen that a software product is not recognized and appears as Unknown in a field. In this case, FCI will make its best effort to configure the FCI system to recognize such software and show the appropriate status in the field.

19.6    All computers must have the latest version of Windows 10 Pro or Mac OS Mojave/Catalina that is actively receiving security updates. All smartphones and tablets must have the latest version of their respective operating systems.

19.7    In the event that there were previous cyber tools installed on CLIENT Endpoints prior to the EFFECTIVE DATE, such tools shall be removed by CLIENT. If requested by CLIENT, FCI may remove such cyber tools and bill CLIENT for such work.

19.8    For Windows computers, all Microsoft Accounts must be Local (by default, Microsoft offers to manage the user accounts Online).

 

 

20   Endpoint Security Services Implementation

20.1    Included with the SERVICES

  • Project management
  • CISO/ISO support and training
  • Cyber document templates
  • WISP review and recommendations
  • Cyber technicians for cyber tools installation, configuration, and testing
  • End-user cyber support for FCI cyber tools
  • Implementation with one CLIENT implementation team whose members are also on the STEERING COMMITTEE (additional implementations with detached-office teams are not included and shall be estimated)
  • For additional CLIENT requests regarding implementation that are not included in this Section, FCI shall provide CLIENT with an estimate.

20.2    Timeframe

  • Upon signature of the AGREEMENT, FCI shall have a maximum of 5 business days to send CLIENT (i) the first invoice, (ii) a welcome email, and (iii) instructions to access FCI Payment Portal for CLIENT to enter payment information and pay the first invoice.
  • From the date the first invoice is paid and the name of the Identification System for MFA (or the list of users and their mobile phone number) is provided to FCI, FCI shall have a maximum of 5 business days before the first implementation call.
  • From the date of the first implementation call, FCI shall have a minimum of 2 weeks and a maximum of 2 months to complete the Implementation project.
  • In the event that the implementation project takes more than 2 months due to CLIENT, the situation shall be escalated to the STEERING COMMITTEE and FCI may charge additional setup fees to be estimated.

20.3    First Implementation call: WISP review and planning

  • FCI and CLIENT jointly review the CLIENT WISP:
    • Screen Saver Enabled & Timeout
    • Event logging enabled
    • PC firewall enabled
    • Auto-updates enabled
    • Password Complexity
    • OS & Software Patches
    • Cyber Tools
  • FCI and CLIENT jointly plan the CLIENT Launch Call to be done with all future users (management, staff, and advisors) and review/modify the presentation template to be provided by FCI. The CLIENT Launch Call shall include:
    • The SERVICES selected and not selected by CLIENT
    • The Cyber Support Services that are included and not included
    • The choice of CLIENT regarding approval of work for BILLABLE SUPPORT SERVICES
  • FCI and CLIENT jointly review the email template to be sent to users to ask them to:
    • Click on the link to download the installer
    • Run the installer
    • Access the Support Portal to enter their contact information
  • The installation shall not be initiated until all users are aware of the project and what is expected from them

20.4    Installation

  • FCI configures the Endpoint Security installer and sends the link to CLIENT.
  • CLIENT (with, if requested, an FCI representative) does the launch call with all users.
  • CLIENT sends the email with the installation link to all users.
  • Users install the Endpoint Security software and enter their name in the Support Portal. It is critical that all users enter their name in the Support Portal so FCI knows who to contact in the case of an incident (the computer name is not always enough to identify the user).
  • CLIENT is responsible for ensuring that all users install the Endpoint Security software and enter their name in the Support Portal. The Implementation project cannot continue until this step is finalized.
  • Weekly, and on-demand, FCI shall provide an updated list of installed Endpoints.

20.5    Compliance Automation

When all users have installed the Endpoint Security software and entered their name in the Support Portal:

  • Cyber Monitoring shall be activated.
  • The WISP shall be automatically enforced on all Endpoints.
  • Managed AVM (Antivirus & Anti-Malware)
    • Antivirus shall be automatically installed, configured, updated and managed if no AVM is installed on the workstation.
    • Upon request, current Antivirus uninstall services are available and billed at the Level 1 hourly rate.
    • Option: Data Leak Protection configuration according to CLIENT requirements (USB and External Drives, File Content/Type/Name Filtering, email content, etc.)
  • Managed FDE (Full Disk Encryption)
    • BitLocker on Windows 10 Pro (or more recent) and FileVault on Mac OS High Sierra (or more recent)
    • To encrypt the drive:
      • Automated encryption configuration is included for computers with TPM Chip.
      • For computers without a TPM Chip, simple encryption instructions shall be given by FCI to CLIENT end-users, who are responsible for executing such simple encryption instructions.
    • When the drive is encrypted, FCI shall capture the encryption key and store such encryption key in a secure location within the FCI Cyber platform.
    • Optional support services not included in the SERVICES and charged per hour:
      • Workstation recovery assistance
  • MFA (Multi-Factor Authentication)
    • MFA requires unique usernames
    • Each end-user is required to use the same username on all workstations used by such end-user.
    • MFA is installed and configured to allow access to computers.
    • MFA Advanced Configuration services to allow access for additional Web Applications are available and shall be billed.

20.6    Second Implementation call: NIST-Based Asset Management Report Review

  • An inventory of all the assets and cybersecurity tools is provided with their configuration, version, etc.
  • The report is sent monthly and on-demand.
  • The NIST-Based Asset Inventory Report provides this information:
    • Last Check-in Time
    • Contact Name
    • Last Logged In User
    • Computer Name
    • Operating System Version
    • Antivirus Product
    • Antivirus Definition Status – Current or not
    • Antivirus Real-time Scan Status
    • Antivirus Status Date
    • Whole Disk Encryption Product
    • Whole Disk Status – Encrypted or Not
    • Whole Disk Status Date
    • Firewall Status – Enabled or Disabled
    • Password Complexity
    • Screen Saver Timeout (seconds/minutes)
    • Screen Saver Secure – Yes or No
    • Event Logging – Enabled or Disabled
  • Discovery
    • A Network-Attached Device Discovery Report shall be provided to identify unknown devices such as computers, printers, servers, firewalls, mobile phones, VOIP, etc.
    • CLIENT may identify unknown devices in the NIST-Based Asset Management Report by naming them in the report and sending the report back to [email protected]
    • Report and services for one location are included; additional locations are considered Advanced Configuration.
    • If requested by CLIENT, email alerts shall be sent to the CLIENT CISO when unknown devices connect to the network.
  • Gaps are identified and discussed.
  • FCI gives recommendations regarding Endpoint and Enforcement settings
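
As an added illustration of how the report fields listed in 20.6 can be checked against the WISP controls reviewed in 20.3 (screen saver, event logging, firewall, password complexity, cyber tools), the following Python is example code written for this page, not FCI's own tooling or report format. It assumes a CSV export using a subset of the field names above; the sample rows, the 14-day check-in threshold, the 900-second screen saver limit and the "as of" date are constructed for the example. It also handles the field values described in Section 19 (DOMAIN MANAGED, NOT AVAILABLE, Unknown) as informational rather than as gaps, since FCI cannot enforce or report on those.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the NIST-Based Asset Inventory Report
# fields listed in Section 20.6 (all values are made up for this example).
SAMPLE_REPORT = """\
Computer Name,Contact Name,Last Check-in Time,Operating System Version,Antivirus Product,Antivirus Definition Status,Antivirus Real-time Scan Status,Whole Disk Encryption Product,Whole Disk Status,Firewall Status,Password Complexity,Screen Saver Timeout,Screen Saver Secure,Event Logging
WS-001,Alice Example,2024-03-01 09:12,Windows 10 Pro 22H2,FCI Managed AV,Current,Enabled,BitLocker,Encrypted,Enabled,Enforced,600,Yes,Enabled
WS-002,Bob Example,2024-03-01 08:40,Windows 10 Pro 22H2,FCI Managed AV,Out of date,Disabled,BitLocker,Not Encrypted,Disabled,Enforced,1800,No,Enabled
WS-003,,2024-01-15 17:05,macOS Catalina 10.15,FCI Managed AV,Current,Enabled,FileVault,Encrypted,Enabled,Enforced,300,Yes,Enabled
SRV-001,IT Desk,2024-03-01 07:00,Windows Server 2019,NOT AVAILABLE,,,BitLocker,Encrypted,Enabled,DOMAIN MANAGED,900,Yes,Enabled
WS-004,Dana Example,2024-03-01 10:30,Windows 10 Pro 22H2,Unknown,Unknown,Unknown,BitLocker,Encrypted,Enabled,Enforced,900,Yes,Enabled
"""

REPORT_DATE = datetime(2024, 3, 1, 12, 0)   # assumed "as of" time for the check-in test
MAX_CHECKIN_AGE = timedelta(days=14)         # assumed threshold, not taken from the ATCs
MAX_SCREEN_SAVER_SECONDS = 900               # assumed WISP value, not taken from the ATCs
MANAGED_PASSWORD_VALUES = ("DOMAIN MANAGED", "Microsoft Managed", "Azure Managed")  # note 19.3


def check_endpoint(row, report_date=REPORT_DATE):
    """Return a list of (severity, message) findings for one report row.

    Severity is "GAP" for a control the WISP expects but the endpoint lacks,
    and "INFO" for a field FCI cannot enforce or report on (Section 19 notes).
    """
    findings = []

    # Section 20.4: every user must register a contact name in the Support Portal
    if not row["Contact Name"].strip():
        findings.append(("GAP", "no contact name registered in the Support Portal"))

    # An endpoint that has not checked in cannot be monitored or enforced
    checkin = datetime.strptime(row["Last Check-in Time"], "%Y-%m-%d %H:%M")
    age = report_date - checkin
    if age > MAX_CHECKIN_AGE:
        findings.append(("GAP", f"last check-in {age.days} days ago"))

    # Antivirus: servers may show NOT AVAILABLE (19.4); unrecognized products show Unknown (19.5)
    av = row["Antivirus Product"]
    if av == "NOT AVAILABLE":
        findings.append(("INFO", "antivirus not installed by FCI; status cannot be reported"))
    elif av == "Unknown":
        findings.append(("INFO", "antivirus product not recognized by the reporting system"))
    else:
        if row["Antivirus Definition Status"] != "Current":
            findings.append(("GAP", "antivirus definitions not current"))
        if row["Antivirus Real-time Scan Status"] != "Enabled":
            findings.append(("GAP", "antivirus real-time scan disabled"))

    if row["Whole Disk Status"] != "Encrypted":
        findings.append(("GAP", f"disk not encrypted ({row['Whole Disk Encryption Product']})"))
    if row["Firewall Status"] != "Enabled":
        findings.append(("GAP", "firewall disabled"))

    # Password settings on directory-managed machines are enforced there, not by the endpoint tool
    pw = row["Password Complexity"]
    if pw in MANAGED_PASSWORD_VALUES:
        findings.append(("INFO", f"password settings are {pw}; verify them in the directory"))
    elif pw != "Enforced":
        findings.append(("GAP", "password complexity not enforced"))

    timeout = int(row["Screen Saver Timeout"])  # assumed to be reported in seconds
    if timeout > MAX_SCREEN_SAVER_SECONDS:
        findings.append(("GAP", f"screen saver timeout {timeout}s exceeds {MAX_SCREEN_SAVER_SECONDS}s"))
    if row["Screen Saver Secure"] != "Yes":
        findings.append(("GAP", "screen saver does not require a password"))
    if row["Event Logging"] != "Enabled":
        findings.append(("GAP", "event logging disabled"))
    return findings


def gap_report(report_text):
    """Map each Computer Name to its findings; endpoints with no findings are omitted."""
    result = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        findings = check_endpoint(row)
        if findings:
            result[row["Computer Name"]] = findings
    return result


def count_gaps(report_text):
    """Number of GAP findings across the whole report (INFO entries are not counted)."""
    return sum(1 for findings in gap_report(report_text).values()
               for severity, _ in findings if severity == "GAP")


if __name__ == "__main__":
    for host, findings in gap_report(SAMPLE_REPORT).items():
        for severity, message in findings:
            print(f"{host}\t{severity}\t{message}")
```

Run as a script it prints one line per finding; in the constructed sample, WS-001 is fully compliant and is omitted, WS-002 accounts for most of the gaps, WS-003 is flagged for the missing contact name and stale check-in, and SRV-001 and WS-004 produce only informational entries. The GAP/INFO split is the design point: mixing unenforceable fields into the gap count would inflate it and hide the endpoints that actually need remediation before the STEERING COMMITTEE review.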

20.7    Third Implementation Call: STEERING COMMITTEE (Optional)

  • In the event that CLIENT requests it, a third call shall be scheduled in which the implementation team members from FCI and CLIENT shall present the NIST-Based Asset Inventory Report to the STEERING COMMITTEE and review recommendations and/or gaps.

 

21   Endpoint Onboarding

21.1    In the event that the FCI Endpoint Security software is installed on a computer between the 1st and the 20th of the month, the setup fee and the license fee for the following month will be charged for this Endpoint on the first day of the following month.

Example: if installed on March 15, first billed on April 1st for the month of April.

21.2    In the event that the FCI Endpoint Security software is installed on a computer between the 21st and the last day of the month, the setup fee and the license fee shall be charged on the first day of the second following month, representing one month at no charge.

Example: if installed on March 25, first billed on May 1st for the month of May.

 

22   Endpoint Offboarding

22.1    CLIENT or a CLIENT’s end-user shall make a decommissioning request by opening a Support Ticket (“INITIAL REQUEST”). By doing so, CLIENT or CLIENT’s end-user makes the representation that the CLIENT internal process to decommission a device was properly followed.

22.2    CLIENT’s CISO shall automatically receive a copy of the INITIAL REQUEST and has 15 days to send an email to [email protected] to cancel the INITIAL REQUEST.

22.3    In the event that CLIENT does not want to wait 15 days, the CLIENT CISO shall send an email to [email protected] to request an early decommissioning of the device, which shall be done within the 2 business days following reception by FCI of such early decommissioning request.

22.4    In the event that the CLIENT’s CISO (i) did not cancel the INITIAL REQUEST and (ii) did not request an early decommissioning of the device:

  • 7 days after the INITIAL REQUEST is made, FCI shall release the FCI cyber tools (Antivirus and MFA) to allow users to uninstall them
  • 15 days after the INITIAL REQUEST is made, FCI shall remove the FCI cyber tools, if any left, and the cyber monitoring software. After removal of FCI tools, there may be some folders left on the device but no running applications.

22.5    In order for FCI to perform such decommissioning, the Endpoint to be decommissioned must be online.

22.6    The decommission/offboard process will take a maximum of 30 days and 1 device monthly fee shall be charged after the initial request date.

 

23   FCI Managed Network Services

23.1    FCI Managed Network Identification Services

  • FCI NIST-Based Technical Control Standard Enforcement
  • Automated Tools to Ensure Proper Configuration/Controls:
    • Firewall: No Opened Ports, No Remote Desktop Access, Logging Retention Period
    • Option: WiFi: Visible for Guest WiFi, Hidden for Staff & Advisors, Wired-Only Management
  • Threat Identification

23.2    Managed Network Protection Services

  • Security Awareness Training for Leadership (CEO, CISO, ISO, Train-the-Trainer, etc.)
  • Data Loss Prevention through Managed Network Protection:
    • Firewall Patching & Updates
    • Network Content Filtering
    • Gateway SSL VPN configuration and training to one CLIENT or IT Firm employee. The trained person will add/delete users.
    • Data Leakage Protection

23.3    FCI Managed Network Detection Services

  • 24×7 Cyber Threat Monitoring
  • 24×7 Cyber Compliance Monitoring
  • Network Intrusion Detection & Prevention
  • Security Incident Event Monitoring & Management
  • Log/Data Aggregation
  • User Behavioral Analytics (UBA)
  • Real-Time Security Alerts & Reporting
  • Insider Threat

23.4    FCI Managed Network Response Services

  • Active Automated Incident Response
  • Cyber Expert Incident Response
  • Mass Vulnerability Response for Imminent Risk (Zero-Day, etc.)
  • Incident Response Support:
    • Documentation
    • Evidence Gathering, Preservation & Presentation
    • Cyber Incident Handling & Forensic Analysis During an Incident
    • Breach Determination

23.5    FCI Managed Network Recovery Services

  • Automated Recovery Services
  • Cyber Expert Recovery Services

23.6    FCI Network Support Services

  • Phone & Email Cyber Support
  • Ticketing System
  • Project Management

 

24   Notes Related to Network Security Services

24.1    FCI Endpoint Security SERVICES are mandatory to get Network Security SERVICES.

24.2    FCI only offers Network Security Services with business-grade Sophos XG firewalls that can be purchased by CLIENT from a Third Party or from FCI. When purchased from FCI, Lifetime Security Services are included at the price of 3 years.

 

25   Network Security Services Implementation

25.1    The firewall shall be configured at FCI office and shipped to CLIENT.

25.2    Shipping cost is not included and shall be invoiced to CLIENT.

25.3    FCI shall remotely support CLIENT’s team for installation.

25.4    Allow 4 weeks for implementation.

25.5    Hardware (Firewalls, cables, switch, etc.) shall be quoted and billed separately (not included with the SERVICES).

25.6    Hardware shall be paid in advance.

25.7    Standard configuration includes:

  • Firewall Patching & Updates.
  • 24×7 Security, Performance & Availability Monitoring.
  • Network Content Filtering, Threat Detection, Alerts, Logging & Reporting.
  • Configuration & Implementation Support of WISP.
  • Encrypted Offsite Cloud Logs Retention According to WISP.
  • On-Demand Security & Compliance Reporting.
  • SSL VPN Gateway configuration.
  • Providing CLIENT 1 admin user access to add/remove SSL VPN Gateway users.

25.8    Optional Network Security services (not included with the SERVICES and billed per hour)

  • Training to allow CLIENT 1 Admin User to add/remove SSL VPN Gateway users
  • WiFi configuration, custom network requirements, etc.
  • Advanced Firewall Configuration.

 

26   FCI Cybersecurity Technical Controls Risk Assessment Services

26.1    FCI Cybersecurity Technical Controls Risk Assessment Identification Services

  • Technical Controls
    • Discovery Tasks
    • Issues Summary
    • Automated External & Internal Vulnerability Scan
    • Penetration Testing
    • Unrestricted Web Content
    • Local Security Policy Consistency
    • Identification of Unfollowed Technical Governance Procedures
    • Risk Score
  • Evidence
    • Screenshots & Pictures
    • Summary & Detailed Reports
  • Governance
    • Non-Technical Questionnaire
    • Policies & Procedures Review
    • Regulatory Compliance & Vendor Due Diligence Review
    • Onboarding & Decommission Device Process Review
    • Physical Security

26.2    FCI Cybersecurity Technical Controls Risk Assessment Response Services

  • Remediation Plan of Actions and Milestones

26.3    FCI Cybersecurity Technical Controls Risk Assessment Protection Services

  • Remediate with required Endpoint and/or Network Security Services

26.4    FCI Cybersecurity Technical Controls Risk Re-Assessment Services

  • Re-Assessment Until In-Good-Order
  • Re-Assessment Periodically

 

27   Notes Related to Cybersecurity Technical Controls Risk Assessment Services

27.1    FCI Endpoint Security SERVICES are mandatory to get Cybersecurity Technical Controls Risk Assessment SERVICES.

27.2    Two parties are required to deliver the Security Risk Assessment: FCI for the Technical Controls Assessment and another party for the Cyber Program Assessment (the “CYBER PROGRAM ASSESSOR”). The CYBER PROGRAM ASSESSOR shall lead the Cyber Program Assessment through a series of qualitative, human-driven questions to uncover threats and vulnerabilities associated with policies and procedures (e.g. governance, regulatory compliance, vendor due diligence, computer onboarding and decommissioning processes, physical building and server room access, etc.). The CYBER PROGRAM ASSESSOR also acts as an independent third party to audit the FCI deliverables.

27.3    In the event that CLIENT uses a firewall not managed by FCI, CLIENT shall ensure the administrator of the firewall will (i) participate in the Technical Controls Assessment, (ii) be available to join conference calls, and (iii) provide the required information to FCI.

27.4    One Re-Assessment is included in the price. Additional Re-Assessment shall be billed at the then-current rate.

 

28   Cybersecurity Technical Controls Risk Assessment Services Project Description

28.1   At a minimum, and on every call, the Security Risk Assessment Team must include:

  • From FCI
    • Project Manager
    • Technician
  • From CLIENT
    • CISO
    • IT Representative

28.2   Before the project can start

  • CLIENT shall provide FCI with:
    • External IP addresses
    • IP address ranges, where multiple external addresses are used
    • How many domain controllers (physical and virtual)
    • List of main apps (email, file sharing, backup, etc.)
    • Environment description: Infrastructure, Firewalls, VPN, servers, etc.
    • Confirmation that an IT Representative will be on the first call with domain credentials
  • CLIENT and FCI shall confirm that their respective teams can dedicate time to execute the project in a maximum of 3 weeks.

28.3   If during the Technical Controls Assessment FCI identifies an imminent cyber threat, it is immediately remediated. If additional costs are associated with such remediation, they shall be pre-approved by CLIENT.

28.4    The services will be executed in 5 steps and 3 calls:

  • Step 1 FCI: Initial Network and Security Technical Scans
    • First call
      • Introduction to FCI and the process
      • Connect and evidence corporate firewall settings as per WISP requirements
      • Domain scan, connect into the domain controller
      • Observation about local environment: Infrastructure, servers, email, etc.
      • Screenshots of settings for evidence of compliance
    • FCI performs the Initial Network and Security Technical Scans
  • Step 2 FCI: Initial Gaps and Remediation report
    • Second call
      • FCI presents the initial Network and Security Technical Scans reports
      • FCI presents the initial Gaps and Remediation report
      • If required, FCI shall provide a cost estimate for the remediation of deficiencies related to cybersecurity technical controls
  • Step 3 CLIENT: Remediation Plan
    • To ensure all components are in good order
    • Must be tracked into CLIENT’s Cyber Program
    • Defines the “who will do what by when”
    • Prioritizes the remediation tasks so that action is focused on the highest priority items
    • Separate what shall be remediated in 2 weeks and what shall be remediated later
    • Remediate what can be done in 2 weeks
  • Step 4 FCI: Final Network and Security Technical Scans (maximum 2 weeks after first call)
    • FCI performs the final Network and Security Technical Scans
    • FCI gathers proof of remediation
  • Step 5 In-good-order final report
    • Third call (a maximum of 3 weeks after the first call)
      • FCI presents the final Network and Security Technical Scans reports
      • FCI presents the final Gaps and Remediation report

28.5    CYBER PROGRAM ASSESSOR shall review:

  • The Cyber Program
  • Evidence that the Cyber Program is enforced
  • FCI’s Cybersecurity Technical Controls Risk Assessment Reports


29   Cyber Support Types

  • Included with the SERVICES and non-billable
    • Support related to FCI Cyber Automation Services
    • Support related to the initial standard configuration of the SERVICES during the implementation project
    • Support when FCI initiates the call to CLIENT
  • Not included with the SERVICES and billable at Level 1 hourly rate (the “BILLABLE SUPPORT SERVICES”)
    • Password resets
    • Full-Disk Encryption support on computers without a TPM chip
    • Full-Disk Encryption assistance for workstation recovery
    • Image Backup Restoration Recovery Services
    • Support and configuration when users switch endpoints
    • Support related to Optional or Advanced Configuration of the SERVICES


30   Cyber Support Portal

30.1    CLIENT shall use FCI Cyber Support Portal for all Support Requests. The procedure to open a Support Ticket is defined, and may change from time to time, at the following Web page:

https://fcicyber.com/ticket-creation-instructions/

  • A new Support Ticket shall be created to track a Support Request
  • The Support Ticket remains open until the request is completed or the incident is resolved
  • FCI shall provide regular status updates throughout the Support Ticket life-cycle
  • CLIENT can check a Support Ticket status by accessing the Support Portal or calling FCI

30.2    In the event that CLIENT contacts FCI by phone or email without opening a Support Ticket in the Support Portal, FCI shall request CLIENT to open a Support Ticket, which CLIENT agrees to do in the next hour following such request.


31   Email Support

31.1    At any time, CLIENT may contact FCI support by sending an email to [email protected].

31.2    In the event that a member of the FCI Management or Sales teams receives a message regarding support, the email shall be forwarded to [email protected] and the original sender shall be copied.

31.3    If the issue cannot be resolved via email, the issue shall be escalated to Phone Support.


32   Phone Support

32.1    FCI provides Phone Support for the SERVICES. FCI employees are available to answer technical questions and provide assistance.

32.2    If the issue cannot be resolved via phone, the issue shall be escalated to Attended Remote Access Support.


33   Attended Remote Access Support

33.1    Remote Access Support services are performed using applications that allow FCI personnel remote connectivity to CLIENT’s environment. Remote connectivity shall only be performed in an effort to troubleshoot and resolve cybersecurity-related issues.

33.2    To perform Attended Remote Access Support, FCI does not require credentials (usernames and passwords) from CLIENT. Remote Access Support is done via a screen sharing session in which the FCI technician works while CLIENT’s end-user views exactly what the FCI technician is doing. During a screen sharing session, CLIENT’s end-user may be required to enter their own username and password to access certain applications.

33.3    If the issue cannot be resolved via Remote Access Support, the issue may be escalated to On-Site Support.


34   On-Site Support

34.1    FCI employees or contractors are available on a time-and-material basis to visit CLIENT’s site for issues that cannot be resolved via Phone or Remote Access Support.

34.2    FCI onsite visits, project implementation and maintenance must be scheduled at least two (2) business days in advance. Any unscheduled visits outside this window will be handled within a one-day response time and billed accordingly as EXPEDITED VISITS.


35   Additional Support

35.1    For any Cybersecurity support request for services other than the SERVICES selected by CLIENT, FCI support shall be provided on a best effort and invoiced time-and-material basis, according to the then-current price list.


36   Support Contact Information

  • Phone (973) 227-8878
  • Toll-Free (888) 434-6443
  • Fax (973) 227-8795
  • Email [email protected]


37   Hours of Operation

37.1    FCI business hours are between 8:00 AM and 5:30 PM Eastern Time (the “BUSINESS HOURS”), Monday through Friday, excluding nationally observed holidays (actual dates may vary).

37.2    Overtime & After Hours: Should CLIENT require work to be performed at a time outside BUSINESS HOURS or during a holiday, the service shall be provided at one and a half (1.5) times the then-current hourly rates.


38   Travel for Support

38.1    FCI may charge for travel and transportation expenses as required. These expenses must be pre-approved by CLIENT in the form of an email and may include travel time, food, lodging, airfare, car rental, gas, parking and/or highway tolls.


39   Client Responsibilities Related to Support Issues

39.1    Before contacting FCI with a suspected issue, CLIENT undertakes to (i) analyze the suspected issue to determine if it is the result of CLIENT’s misuse or misunderstanding of the SERVICES, the performance of a third party or cause beyond FCI’s reasonable control, (ii) ascertain, if applicable, that the issue can be replicated and (iii) collect and provide to FCI all relevant information relating to the issue. If a reported issue is directly caused by or related to something that is not part of the SERVICES, then FCI is not obliged to perform support services in respect of such issue.

39.2    CLIENT agrees not to use language considered to be defamatory, offensive, or that could be perceived as a threat, abuse or harassment. In the event that CLIENT or any of its management, staff, advisors, independent advisors and IT staff act in such a way with FCI employees, such employees are advised to (i) mention that in such a situation they have to escalate the issue to the STEERING COMMITTEE, (ii) hang up the call or leave the location, and (iii) immediately advise the FCI Project Manager, who will promptly escalate the issue to the STEERING COMMITTEE. The STEERING COMMITTEE shall then discuss the case on a conference call.


40   Support Billing

40.1    Work performed outside normal working hours or during a holiday shall be invoiced at one and a half (1.5) times the normal FCI hourly rates. Unscheduled visits outside the scheduling window (the “EXPEDITED VISITS”) shall be invoiced at two (2) times the normal FCI hourly rates.

40.2    To cover administration, infrastructure, project management, and technician costs, there is a minimum of one (1) billable hour with each on-site visit and a minimum of thirty (30) billable minutes associated with any phone or remote support.


41   Billable Support Services Approval

41.1    During the online signature process of the AGREEMENT, CLIENT shall indicate (by clicking on the appropriate checkbox) if FCI must request CLIENT approval prior to working on BILLABLE SUPPORT SERVICES requested from CLIENT end-users.

  • With CLIENT approval: FCI shall work on BILLABLE SUPPORT SERVICES requests from CLIENT end-users without getting CLIENT’s approval for each of these requests.
  • Without CLIENT approval: FCI shall not provide BILLABLE SUPPORT SERVICES to CLIENT end-users without CLIENT written approval.
    • When a BILLABLE SUPPORT SERVICES request is made, FCI shall advise the end-user to request CLIENT approval for the specific Support Ticket number.
    • To approve such a request, CLIENT shall send an email to [email protected] to confirm the approval for the Support Ticket number.
    • CLIENT understands that this process will slow down support response time.

41.2    FCI shall not automatically process payment for BILLABLE SUPPORT SERVICES. FCI shall post the support invoice on the Payment Portal and let CLIENT review such invoice before paying it.

41.3    In the event that CLIENT requests that FCI research and justify an invoice related to BILLABLE SUPPORT SERVICES, FCI may invoice CLIENT for such research and justification at the Level 2 hourly rate.


42   Cyber Issue Classification

42.1    When a cyber issue is reported, FCI shall analyze the information provided by CLIENT and classify such issue by assigning it an Incident Severity, an Incident Resolution Level, as well as a Generic or Specific SLA (the “ISSUE CLASSIFICATION”).

42.2    FCI shall share with CLIENT the initial ISSUE CLASSIFICATION and any updated ISSUE CLASSIFICATION in the form of email.

42.3    FCI shall work on an issue until FCI can confirm to CLIENT via email that the Incident Resolution Level is at level 3 (Complete Resolution). CLIENT shall confirm acceptance of such Incident Resolution via email.

42.4    In the event that CLIENT does not confirm acceptance of the complete resolution of the issue in the next three (3) business days following reception of the confirmation from FCI, such issue shall be considered automatically closed.

42.5    Cybersecurity Incident Severities

1 Critical: System functionality is completely unavailable or inaccessible. The situation requires immediate attention. Examples:

  • All services unavailable on a single platform – total loss of service
  • Services unavailable to a multitude of platforms
  • Suspected security breach

2 High: System functionality is severely limited, resulting in the prevention of key operations. With no available workaround, the situation requires urgent attention. Examples:

  • Single service unavailable
  • Loss of platform
  • Backup failure
  • Significant degradation of service / performance

3 Medium: The system is impaired, a single function is impacted but key business processes are not interrupted. Examples:

  • Minor degradation of system performance
  • Single user fault

4 Minor: The problem causes minimal operational or business impact. Examples:

  • Minor issue with no impact on service
  • Technical/Product query


42.6    Cybersecurity Incident Resolution Levels

1 Response: Initialization of the support process, through engagement with the client.

  • Email notification
  • Information gathering
  • Analysis
  • Issue replication
  • etc.

2 Partial Resolution: Provision of a solution to an incident or problem, either by employing a temporary fix, an answer, or a technique that protects the client until a Complete Resolution is delivered.

3 Complete Resolution: Return to the normal or expected status.


43   Service Level Agreements (SLAs)

43.1    Cybersecurity Generic SLA

Severity        1 Response         2 Partial Resolution    3 Complete Resolution
1 Critical      1 Service Hour     2 Service Hours         1 Business Day
2 High          2 Service Hours    4 Service Hours         2 Business Days
3 Medium        1 Business Day     2 Business Days         4 Business Days
4 Minor         4 Business Days    8 Business Days         16 Business Days


43.2    Cybersecurity Specific SLA

  • Email or Phone confirmation of Support Request Reception: 1 Hour
  • WISP Change: 10 Business Days
  • Cyber Tools & Security Operation Center (SOC) Uptime: 99.9%. Maximum Downtime:
    • 8.76 hours / year
    • 43.8 minutes / month
    • 10.1 minutes / week
  • Backup Restore: 4 Service Hours
  • On-Demand Report: 3 Business Days


43.3    Regulators & Client-Specific SLA: As part of the onboarding process, the PARTIES shall jointly work to define SLAs according to (i) CLIENT’s business continuity plan and (ii) the specific regulations that apply to CLIENT. In the event that such SLAs trigger additional costs, FCI shall provide CLIENT with an estimated cost to implement such SLAs. Upon acceptance by CLIENT of the cost estimate, FCI shall implement such SLAs.


44   Cyber Incident Management

44.1    Cyber Incident Detection & Notification: This process includes alert handling, describing what actions and countermeasures are taken when alerts are generated. Alerts are handled initially by automation, and when human action is required, a notification process delivers the information to an analyst.

44.2    Cyber Incident Response: This process includes (i) handoff from intrusion detection, (ii) triage of all detected intrusions and establishment of priorities, and (iii) how the service responds to a detected intrusion including:

  • Internal FCI supervisor/manager notification
  • Notifying CLIENT
  • Containing the damage
  • Returning systems to normal operation
  • Exercising options for automated response
  • Performing forensic analysis
  • Preserving evidence
  • Involving local, national, and international law enforcement
  • Recommending improvement actions to ensure the same intrusion is not successful again

44.3    Incident Response Cost: If the Cyber Incident is related to the Cyber Tools & Services FCI provides, there is no cost for CLIENT. If the Cyber Incident is not related to the Cyber Tools & Services FCI provides, the following FCI efforts shall be billed to CLIENT at the Level 4 hourly rate:

  • Support the Incident Response Team to analyze the incident
  • Participate in calls with Regulators, Authorities and Financial Institutions
  • Remediate, if needed


45   Claims, Process & Remedies

45.1    The process for CLIENT to make claims for any SLAs that are not met and the remedies in connection therewith are set forth below. CLIENT agrees that its sole and exclusive remedy for any SLA that is not met is as set forth below.

45.2    Claim Submission: In order to receive a credit, CLIENT must submit a claim in the form of an email for the credit to [email protected] within seven (7) business days of the date on which the SLA was not met. The claim must contain the following information:

  • “SLA Credit Request” in the email subject line
  • CLIENT’s name, CLIENT’s contact name, and CLIENT’s contact phone number
  • Description of the SLA not met and the date of such failure

45.3    Claim Review and Determination: Within seven (7) business days, FCI will make all credit determinations in its reasonable discretion and will notify the designated contact(s) in the form of an email of its decision. If any request is rejected, the notification from FCI will contain the reasons for such rejection.

45.4    Service Level Credits: For all accepted claim requests, FCI shall provide a service level credit to CLIENT equal to the pro-rated charges for one (1) full day of the affected services (i.e., 1/30 of the monthly fee, assuming a thirty (30) day month) for each day during which one or more of the SLAs was not met. Any service level credits accrued hereunder shall be credited against the fees owed by CLIENT to FCI. In the event that service level credits are still owed as of the termination or expiration of the applicable agreement, FCI shall pay to CLIENT the total amount of outstanding service level credits.

45.5    Service Level Credit Exceptions: Service level credits shall not be available to CLIENT if failure to meet the SLAs set forth above results in any way from (i) CLIENT’s failure to meet its obligations set forth in its agreement, (ii) CLIENT’s material impediment of FCI’s efforts to meet the SLAs, (iii) the negligent acts or omissions of CLIENT, its employees, contractors, agents or end users, (iv) the failure or malfunction of equipment, applications or systems not owned or controlled by FCI, (v) circumstances or causes beyond the control of FCI or (vi) scheduled services maintenance, alteration, or implementation.

45.6    Maximum Credits: In the event that CLIENT is entitled to multiple service level credits arising on the same day, such service level credits shall not be cumulative, and CLIENT shall be entitled to receive only a service level credit equal to no more than the pro-rated service charges for that day. Under no circumstances shall FCI be required to issue service level credits to CLIENT in any one (1) calendar month totaling more than fifteen (15) days of service fees.


46   Cybersecurity Policies, Procedures, & Regulations

46.1    FCI has a comprehensive set of documented, current policies that are periodically reviewed, updated, and enforced. Such security policies specifically address the purpose and scope of the SERVICES.


47   Compliance

47.1    FCI asserts that its security policies and procedures are compliant with the United States government regulations for the financial services industry and with those that CLIENT has provided or may provide to FCI, and that these do not conflict. Where compliance and conflict issues exist, the PARTIES will jointly work to fix such issues.

47.2    FCI asserts that it meets applicable United States legal and regulatory requirements and commits to a timely implementation and demonstration of compliance procedures when such legal and regulatory requirements are created or updated.

47.3    FCI asserts that it is exercising an appropriate standard of due care with respect to securing information assets, primarily accomplished through security policies, procedures, and practices that are documented and enforced.


48   Contingency Planning, Operational & Disaster Recovery

48.1    FCI has implemented business continuity and disaster recovery (BC/DR) plans for critical assets and asserts that they are periodically tested and found effective.

48.2    FCI has deployed operational redundancy (via a dual, high-availability environment) in the event of a primary SOC failure, and a failover site, physically and geographically separated from FCI’s primary site, exists in the event of a natural disaster (earthquake, hurricane) or other circumstances that affect business continuity, such as interruptions in local/regional utility service (communications, gas, electric, sewer, water).

48.3    FCI can support periodic joint testing of both the PARTIES’ BC/DR plans. Such joint tests include impact scenarios that could potentially cause unacceptable interruption of the SERVICES.


49   Physical Security

49.1    FCI controls physical access to information assets, services and resources based on their importance, and monitors and reviews all physical access. This includes (i) identification and authentication of FCI employees who have physical access to assets providing the SERVICES, (ii) the process for requesting and approving physical access, and (iii) CLIENT asset protection from unauthorized physical access.

49.2    FCI asserts the presence of physical security systems such as uninterruptible power supplies, backup generators, redundant climate control systems, and a data-center-grade fire control system for prevention and protection.


50   Authentication & Authorization

50.1    FCI has implemented appropriate levels of user authentication and control of user access. User access can occur through network connections from both inside and outside FCI’s organization. FCI practices take into account levels of restricted access required for specific assets and levels of data classification.

50.2    FCI requires the use of at least two-factor authentication for administrative control of all devices and software relating to the SERVICES. FCI protects critical assets when authenticating and authorizing users and administrators working remotely. This is implemented by using strong encryption and virtual private networks, access controls at the level of networks, systems, files, and applications, and by restricting access to authorized times and tasks as required. These practices apply to wireless network access as well.


51   Software Integrity

51.1    FCI verifies the integrity of installed software by (i) regularly checking for all viruses, worms, Trojan horses, and other malicious software and eradicating them, (ii) keeping up-to-date virus signatures and other relevant signatures such as those for intrusion detection systems, and (iii) regularly comparing all file and directory cryptographic checksums with a trusted baseline.


52   Monitoring & Auditing

52.1    To monitor and audit its own systems and networks, FCI uses appropriate monitoring, auditing, and inspection tools and assigns responsibility for reporting, evaluating, and responding to system and network events and conditions. This includes (i) regularly using system and network monitoring tools and examining the results they produce and (ii) regularly using log filtering and analysis tools and examining the results they produce.


53   Governing Law, Arbitration, Jurisdiction, & Venue

53.1    This AGREEMENT shall be governed by, construed, interpreted and enforced in accordance with the laws of the State of New York, without giving effect to the principles of conflict of laws thereof.

53.2    The PARTIES agree that any dispute between the PARTIES arising out of this AGREEMENT may be required to be submitted by the aggrieved PARTY for binding arbitration under the auspices of the American Arbitration Association. Any demand for arbitration will be filed with the American Arbitration Association’s office in New York, New York, and the arbitration must be held in New York, New York.

53.3    The PARTIES agree the arbitration shall be conducted by a panel of three persons familiar with computer technology and software application matters, at least two of such persons being attorneys. One arbitrator shall be designated by each PARTY and the third neutral arbitrator shall be chosen jointly by the respective PARTY arbitrators.

53.4    Any award rendered by the arbitrator(s) may be entered as a judgment or order and confirmed or enforced by either PARTY in any state or federal court having competent jurisdiction thereof.

53.5    The arbitrators shall have the authority to award costs and attorneys’ fees as they deem proper.

53.6    The PARTIES knowingly and willingly waive any right they have under applicable law to a trial by jury in any dispute arising out of or in any way related to this agreement or the issues raised by that dispute.

53.7    The PARTIES covenant and agree to cooperate in good faith in all actions relating to this AGREEMENT, to communicate openly and honestly, and generally to attempt to avoid disputes in connection with this AGREEMENT.

53.8    If a dispute should arise in connection with this AGREEMENT, the PARTIES agree to act in good faith to resolve such dispute in a fair and equitable manner and without the need for costly and time-consuming litigation.


54   Confidential Information

54.1  Definition: The term “CONFIDENTIAL INFORMATION” shall mean: (i) any and all information which is disclosed by a PARTY (“OWNER”) to the other PARTY (“RECIPIENT”) verbally, electronically, visually, or in a written or other tangible form which is either identified or should be reasonably understood to be confidential or proprietary; and (ii) the terms of this AGREEMENT and any proposals or other documents that preceded this AGREEMENT. CONFIDENTIAL INFORMATION may include, but not be limited to, trade secrets, computer programs, software, documentation, formulas, data, inventions, techniques, marketing plans, strategies, forecasts, lists, employee information, financial information, confidential information concerning OWNER’s business or organization, as OWNER has conducted it or as OWNER may conduct it in the future. In addition, CONFIDENTIAL INFORMATION may include information concerning any of OWNER’s past, current, or possible future products or methods, including information about OWNER’s research, development, engineering, purchasing, manufacturing, accounting, marketing, selling, leasing, and/or software.

54.2  Treatment of CONFIDENTIAL INFORMATION: OWNER’s CONFIDENTIAL INFORMATION shall be treated as strictly confidential by RECIPIENT and shall not be disclosed by RECIPIENT to any third party except to those third parties operating under non-disclosure provisions no less restrictive than in this section 54 and who have a justified business “need to know”. This AGREEMENT imposes no obligation upon RECIPIENT with respect to CONFIDENTIAL INFORMATION which RECIPIENT can establish by legally sufficient evidence: (a) was in the possession of, or was rightfully known by the RECIPIENT without an obligation to maintain its confidentiality prior to receipt from OWNER; (b) is or becomes generally known to the public without violation of this AGREEMENT; (c) is obtained by RECIPIENT in good faith from a third party having the right to disclose it without an obligation of confidentiality; (d) is independently developed by RECIPIENT without the participation of individuals who have had access to the CONFIDENTIAL INFORMATION; or (e) is required to be disclosed by court order or applicable law, provided notice is promptly given to the OWNER and provided further that diligent efforts are undertaken to limit disclosure.

54.3  Survivability: The terms of this Section 54 shall survive termination of this AGREEMENT. If the PARTIES have executed or will execute a separate agreement that contains confidentiality terms, the separate confidentiality agreement shall remain in full force.