Common use of Logical Security Administration Clause in Contracts

Logical Security Administration. (a) Supplier’s logical security administration responsibilities include: (b) Compliance with Gap Policies and Procedures, as they may be revised or updated from time to time during the Term of the Agreement. (c) Working in conjunction with Gap security to support, establish and maintain safeguards against the unauthorized access, destruction, loss or alteration of Gap assets, data, and information under the control of Supplier. (d) Comply with all Gap documented information security procedures pertaining to Supplier-operated systems and developing, maintaining, updating and implementing security procedures for Supplier-operated systems with Gap’s Approval, including physical access strategies, procedures and standards. Supplier shall follow the requirements of the Gap security hardening standards. Exhibit A.4 Gap Confidential and Proprietary Information Second Amended Master Services Agreement (e) Utilize Gap provided action plan and escalation procedures for any potential or detected electronic or physical security breaches and reporting any detected security breaches to Gap per the action plan. (f) In conjunction with Gap security, respond to security incidents by assisting with the following: (1) Collect local device and system logs, where available, deliver to security as needed. (2) Assisting with periodic reviews, as appropriate and in accordance with the Gap process to validate that access to programs and data maintained on Supplier-operated systems is appropriate and that the use thereof is consistent with the scope of such employee’s access authority. (3) Upon identification, immediately notify Gap (including appropriate Gap security personnel) in the event of a security violation or unauthorized attempt to access or alter Gap’s assets, systems, information, or data. (4) Assist in reviews as required by the Gap process to validate that access and levels to programs and data is authorized. (5) Support with security audits, providing Incident investigation support where possible, and implementing corrective actions to minimize and prevent security breaches as directed and Approved by Gap. Where applicable, Supplier will report observed security violations to Gap. (g) Supplier shall be responsible for ensuring all remote access connections are authorized by Gap Security, and follow requirements identified in the hardening standards. (h) Supplier shall be responsible for ensuring all Supplier user access requests are approved by an authorized approver prior to provisioning in accordance with the established Gap process. (i) Accepting and complying with instructions from Gap on the security configuration of Equipment and Software. (j) Responding to all security audit or security compliance review requests from Gap and/or regulatory authorities. (k) Cooperating and assisting with efforts by Gap and/or representatives of Gap for security tests, security compliance reviews, and investigations (e.g., assistance with capturing emails and other electronic files as may be requested by Gap to comply with litigation discovery rules and regulations).

Logical Security Administration. (a) Supplier’s logical security administration responsibilities include: (ba) Compliance with Gap Policies and Procedures, as they may be revised or updated from time to time during the Term of the Agreement. (cb) Working in conjunction with Gap security Security to support, establish and maintain safeguards against the unauthorized access, destruction, loss or alteration of Gap assets, data, and information under the control of Supplier. (dc) Comply with all Gap documented information security procedures pertaining to Supplier-operated systems and developing, maintaining, updating and __________________________ *Certain information on this page has been omitted and filed separately with the Commission. Confidential treatment has been requested with respect to the omitted portions. Exhibit A.8 Gap / IBM Proprietary and Confidential Information Second Amended and Restated Master Services Agreement implementing security procedures for Supplier-operated systems with Gap’s Approval, including physical access strategies, procedures and standards. Supplier shall follow the requirements of the Gap security hardening standards. Exhibit A.4 Gap Confidential and Proprietary Information Second Amended Master Services Agreement*. (ed) Utilize Gap provided action plan and escalation procedures for any potential or detected electronic or physical security breaches and reporting any detected security breaches to Gap per the action plan. (fe) In conjunction with Gap securitySecurity, respond to security incidents by assisting with monitoring the followingsystems and Services for authorized access, including: (1) Collect local device reviewing and system logs, where available, deliver responding in a timely and appropriate manner to security violations of internal and external physical or electronic access as neededrequested by Gap. (2) Assisting with periodic reviews, as appropriate and in accordance with the Gap process to validate that access to programs and data maintained on Supplier-operated systems is appropriate and that the use thereof is consistent with the scope of such employee’s access authority. (3) Upon identification, immediately notify Gap (including appropriate Gap security personnel) in the event of a security violation or unauthorized attempt to access or alter Gap’s assets, systems, information, or data*. (4) Assist in reviews as required by the Gap process to validate that access and levels to programs and data is authorized*. (5f) Support with security audits, providing Incident investigation support where possiblesupport, and implementing initiating corrective actions to minimize and prevent security breaches as directed and Approved by Gap. Where applicable, Supplier will report observed security violations *Certain information on this page has been omitted and filed separately with the Commission. Confidential treatment has been requested with respect to Gapthe omitted portions. (g) Supplier shall be responsible for ensuring all remote access connections are authorized by Gap Security, and follow requirements identified in the hardening standardsGap’s *. (h) Supplier shall be responsible for ensuring all Supplier user access requests are approved by an authorized approver prior to provisioning in accordance with the established Gap process. (i) Accepting and complying with instructions from Gap on the security configuration of Equipment and Software. (j) Responding to all security audit or security compliance review requests from Gap and/or regulatory authorities. (k) Cooperating and assisting with efforts by Gap and/or representatives of Gap for security tests, security compliance reviews, and investigations (e.g., assistance with capturing emails and other electronic files as may be requested by Gap to comply with litigation discovery rules and regulations).

Logical Security Administration. (a) Supplier’s logical security administration responsibilities include: (ba) Compliance with Gap Policies and Procedures, as they may be revised or updated from time to time during the Term of the Agreement. (cb) Working in conjunction with Gap security to supportsecurity, establish and maintain safeguards against the unauthorized access, destruction, loss or alteration of Gap assets, data, and information under the control of Supplier. Supplier shall implement safeguards in compliance with the Procedures Manual and the Service Levels set forth in Exhibit B (Service Level Agreement) of the Agreement. (dc) Comply Reviewing with Gap all Gap documented information security procedures pertaining to Supplier-operated systems and developing, maintaining, updating and implementing security procedures for Supplier-operated systems with Gap’s Approval, including physical access strategies, procedures and standards. Supplier Such approval shall follow the requirements of the Gap security hardening standards. Exhibit A.4 Gap Confidential and Proprietary Information Second Amended Master Services Agreementnot be unreasonably withheld. (ed) Utilize Gap provided Assisting in the development, Documentation and utilization of an action plan and escalation procedures for any potential or detected electronic or physical security breaches and reporting any detected security breaches to Gap per the action plan. (fe) In conjunction with Gap security, respond to security incidents by assisting with monitoring the followingsystems and Services for authorized access, including: (1) Collect local device Using *, monitoring, reviewing and system logs, where available, deliver responding in a timely and appropriate manner to security violations of internal and external physical or electronic access as neededidentified in the Procedures Manual. (2) Assisting with periodic reviews, as appropriate and in accordance with the Gap process Procedures Manual to validate that access to programs and data maintained on Supplier-operated systems is appropriate and that the use thereof is consistent with the scope of such employee’s access authority. (3) Upon identification, immediately notify Gap (including appropriate Gap security personnel) in the event of a security violation or unauthorized attempt to access or alter Gap’s assets, systems, information, or data. * Certain information on this page has been omitted and filed separately with the Commission. Confidential treatment has been requested with respect to the omitted portions. (4) Assist in reviews as required by the Gap process Procedures Manual to validate that access and levels to programs and data is authorized. (5) Support Capturing data regarding routine and non-routine access exceptions for audit trail purposes, archiving such data according to Gap data retention policies, and making such data available to Gap upon Gap’s request. (6) Assisting with security audits, providing Incident investigation support where possiblesupport, and implementing initiating corrective actions to minimize and prevent security breaches as directed and Approved by Gap. Where applicableSupplier shall conduct for the Gap IT Environment, Supplier will * of * and * and shall report observed security violations the result of * to Gap. (7) Provide to Gap reports on violation and access attempts, and retaining Documentation of the investigation. (f) With prior Gap Approval, installing, updating and maintaining Software as listed in Exhibit D.8 (Existing Agreements) that provides security monitoring, alarming, and access tracking functionality for Supplier-operated systems and Software. (g) Supplier shall be responsible Providing security access control tools for ensuring all remote access connections are authorized by Gap SecurityGap’s performance of user id administration for systems, data, Software, and follow requirements identified Networks for which Supplier is responsible in compliance with the hardening standardsProcedures Manual and maintaining such security and access control devices in proper working order. (h) Supplier shall be responsible for ensuring all Supplier user access requests are approved by an authorized approver prior to provisioning in accordance with the established Gap process. (i) Accepting and complying with instructions from Gap on the security configuration of Equipment and Software. (ji) Responding to all security audit or security compliance review requests from Gap and/or regulatory authorities. (kj) Cooperating and assisting with efforts by Gap and/or representatives of Gap for security tests, security compliance reviews, and investigations (e.g., assistance with capturing emails and other electronic files as may be requested by Gap to comply with litigation discovery rules and regulations)investigations.

Logical Security Administration. (a) Supplier’s logical security administration responsibilities include: (ba) Compliance with Gap Policies and Procedures, as they may be revised or updated from time to time during the Term of the Agreement. (cb) Working in conjunction with Gap security to supportsecurity, establish and maintain safeguards against the unauthorized access, destruction, loss or alteration of Gap assets, data, and information under the control of Supplier. Supplier shall implement safeguards in compliance with the Procedures Manual and the Service Levels set forth in Exhibit B (Service Level Agreement) of the Agreement. (dc) Comply Reviewing with Gap all Gap documented information security procedures pertaining to Supplier-operated systems and developing, maintaining, updating and implementing security procedures for Supplier-operated systems with Gap’s Approval, including physical access strategies, procedures and standards. Such approval shall not be unreasonably withheld. Supplier shall follow the requirements of the GSD331 version 2.0 dated March 2, 2009 (Attachment A.2.1 to Exhibit A.2). * from the Effective Date, Gap security hardening standardswill have * to review the GSD to confirm that all needed controls are identified in the GSD and that all such controls are effective. Exhibit A.4 Gap Confidential will base its review on the Gap IT Security Policies in place as of March 2, 2009, as reflected in the GSD331 version 2.0. Should Gap determine that the GSD does not contain needed controls or that the controls as designed are ineffective, Gap will notify Supplier identifying the impacted controls or areas needing additional controls. Upon receipt of such notification from Gap, Gap and Proprietary Information Second Amended Master Services Supplier will have * to agree on the changes needed to meet Gap’s Security Policies. Should the parties fail to agree within this * period, this matter will be resolved through the process specified in Section 31 (“Internal Dispute Resolution”) of the Agreement. (ed) Utilize Gap provided Assisting in the development, Documentation and utilization of an action plan and escalation procedures for any potential or detected electronic or physical security breaches and reporting any detected security breaches to Gap per the action plan. (fe) In conjunction with Gap security, respond to security incidents by assisting with monitoring the followingsystems and Services for authorized access, including: (1) Collect local device Using *, monitoring, reviewing and system logs, where available, deliver responding in a timely and appropriate manner to security violations of internal and external physical or electronic access as neededidentified in the Procedures Manual. * Certain information on this page has been omitted and filed separately with the Commission. Confidential treatment has been requested with respect to the omitted portions. (2) Assisting with periodic reviews, as appropriate and in accordance with the Gap process Procedures Manual to validate that access to programs and data maintained on Supplier-operated systems is appropriate and that the use thereof is consistent with the scope of such employee’s access authority. (3) Upon identification, immediately notify Gap (including appropriate Gap security personnel) in the event of a security violation or unauthorized attempt to access or alter Gap’s assets, systems, information, or data. (4) Assist in reviews as required by the Gap process Procedures Manual to validate that access and levels to programs and data is authorized. (5) Support Capturing data regarding routine and non-routine access exceptions for audit trail purposes, archiving such data according to Gap data retention policies, and making such data available to Gap upon Gap’s request. (6) Assisting with security audits, providing Incident investigation support where possiblesupport, and implementing initiating corrective actions to minimize and prevent security breaches as directed and Approved by Gap. Where applicableSupplier shall conduct for the Gap IT Environment, Supplier will * of * and * and shall report observed security violations the result of * to Gap. (7) Provide to Gap reports on violation and access attempts, and retaining Documentation of the investigation. (f) With prior Gap Approval, installing, updating and maintaining Software as listed in Exhibit D.8 (Existing Agreements) that provides security monitoring, alarming, and access tracking functionality for Supplier-operated systems and Software. (g) Supplier shall be responsible Providing security access control tools for ensuring all remote access connections are authorized by Gap SecurityGap’s performance of user id administration for systems, data, Software, and follow requirements identified Networks for which Supplier is responsible in compliance with the hardening standardsProcedures Manual and maintaining such security and access control devices in proper working order. (h) Supplier shall be responsible for ensuring all Supplier user access requests are approved by an authorized approver prior to provisioning in accordance with the established Gap process. (i) Accepting and complying with instructions from Gap on the security configuration of Equipment and Software. * Certain information on this page has been omitted and filed separately with the Commission. Confidential treatment has been requested with respect to the omitted portions. (ji) Responding to all security audit or security compliance review requests from Gap and/or regulatory authorities. (kj) Cooperating and assisting with efforts by Gap and/or representatives of Gap for security tests, security compliance reviews, and investigations (e.g., assistance with capturing emails and other electronic files as may be requested by Gap to comply with litigation discovery rules and regulations).