TRANSITION SERVICES AGREEMENT
EXHIBIT 10.3
THIS TRANSITION SERVICES AGREEMENT (this “Agreement”) is made as of August 31, 2007, by and between ARCELOR S.A., a Luxembourg corporation with an address at 00, xxxxxx xx xx Xxxxxxx, X-0000 Xxxxxxxxxx (“Arcelor”) and NOBLE EUROPEAN HOLDINGS B.V., a private limited liability company (besloten vennootschap) organized under the laws of the Netherlands with an address at 00000 Xxx Xxxx Xxxxxx, Xxxxxx, Xxxxxxxx 00000 XXX (“Noble BV”).
Recitals
X. Xxxxx International, Ltd. (“Noble”) and Arcelor have entered into a Share Purchase Agreement, dated March 15, 2007 (the “Purchase Agreement”), providing, among other things, for the acquisition by Noble of the laser-welding assets and certain related liabilities of Arcelor (the “TBA Business”) in exchange for cash, a subordinated promissory note and 9,375,000 shares of common stock of Noble (the “Acquisition”). Execution and delivery of this Agreement is a condition to the effectiveness of the Acquisition. Capitalized terms used herein and not otherwise defined herein have the meanings specified in the Purchase Agreement.
B. At the request of certain commercial lenders, Noble, Noble BV, Noble TSA, LLC, a Delaware limited liability company (“Noble, LLC”) and Arcelor have entered into an Assignment and Assumption Agreement on the date hereof whereby Noble assigned its contractual rights under the Purchase Agreement with regard to purchasing TB Holding, BV, a private limited liability company (besloten vennootschap) organized under the laws of the Netherlands to Noble BV and Noble assigned its contractual rights in the Purchase Agreement with regard to purchasing Tailor Steel America, LLC, a Delaware limited liability company to Noble, LLC.
C. In order to provide a smooth transition of the TBA Business from Arcelor to Noble BV, the parties desire to enter into an interim arrangement for the provision of certain transition services on the terms and conditions set forth herein.
Terms of Agreement
Accordingly, the parties hereby agree as follows:
1. General Cooperation. During the term of this Agreement, the parties shall use their reasonable efforts to cooperate with each other with a view to achieving a smooth transition following the Acquisition, including (a) permitting Noble BV to manage the TBA Business efficiently while integrating the TBA Business into Noble BV’s business, and (b) permitting Arcelor to fulfill any contractual or other obligations not transferred to Noble BV that would, but for the Acquisition, have been fulfilled by Arcelor through the TBA Business.
2. Services to be Provided. Subject to the terms and conditions of this Agreement, (a) Arcelor, directly or through one or more of its Affiliates, shall provide to Noble BV the corporate, financial, legal, human resources, accounting, controlling, administrative, on-site support, payroll management, training, SAP software and maintenance support, software and hardware supply, support and maintenance, network access and other services and support described on Schedule A to this Agreement (collectively, the “Arcelor Services”), in each case, on the same terms and conditions as such services were provided to the Group Members effective as of January 1, 2007; and (b) Noble BV, directly or through one or more of its Affiliates, shall provide to Arcelor all such reasonable transition services as Arcelor and its Affiliates need or that are desirable in order to fulfill any contractual or other obligations not transferred to Noble BV that would, but for the Acquisition, be fulfilled by Arcelor or its Affiliates with use of the personnel and assets of the TBA Business and the other services and support (if any) described on Schedule B to this Agreement (collectively, the “Noble BV Services”, and together with the Arcelor Services, the “Services”). The Arcelor Services are services which Arcelor, directly or through one or more of its Affiliates, provided to the TBA Business during the 24 months prior to the date of this Agreement. Each of Noble BV (with respect to the Arcelor Services listed on Schedule A) and Arcelor (with respect to the Noble BV Services listed on Schedule B) acknowledges and agrees that the services listed are, to the best of its knowledge and belief, all of the services it will require the other party to perform under this Agreement.
3. Transition. During the term of this Agreement, each party shall use commercially reasonable efforts to obtain the Arcelor Services or the Noble BV Services, as applicable, independently of the other party as soon as reasonably practicable. Arcelor shall provide such assistance as may be reasonably requested by Noble BV to transition the Arcelor Services to Noble BV or a third party provider. Noble BV shall provide such assistance as may be reasonably requested by Arcelor to transition the Noble BV Services to Arcelor or a third party provider. Arcelor shall terminate, at no cost to Noble BV, all agreements between any Group Member, on one hand, and Arcelor or any of its non-Group Member Affiliates, on the other hand, under which the Arcelor Services were provided prior to the date hereof.
4. Compensation for Arcelor Services. In consideration for the Arcelor Services, Noble BV shall pay to Arcelor the prices invoiced by Arcelor from time to time, which prices shall equal the prices paid by the Group Members for such services as of January 1, 2007; provided, that the aggregate amount charged to Noble BV for the Arcelor Services for each of the first two years of the Term shall not exceed €3,300,000 (the “Maximum Annual Fee”). During the first six months of the Term, Arcelor shall pay any and all one-time fees payable to third-party providers in connection with the transition of the Arcelor Services to Noble BV, and such costs shall be included in the Maximum Annual Fee. Thereafter, Arcelor may charge to Noble BV, and Noble BV shall reimburse Arcelor for, any such one-time fees payable to third-party providers without regard to the Maximum Annual Fee. Arcelor shall invoice Noble BV at least quarterly for the Arcelor Services. Except as otherwise expressly set forth in Schedule A to this Agreement, all amounts due under this Section 4 shall be paid by Noble BV within 30 days after the end of the month in which the Arcelor invoice is issued.
5. Compensation for Noble BV Services. In consideration for the Noble BV Services, Arcelor shall pay to Noble BV the prices invoiced by Noble BV from time to time, which prices shall not exceed the direct internal cost (excluding overhead) actually incurred by Noble BV to provide such Noble BV Services, without xxxx-up. Xxxxx BV shall invoice Arcelor at least quarterly for the Noble BV Services. Except as otherwise expressly set forth in Schedule B to this Agreement, all amounts due under this Section 5 shall be paid by Arcelor within 30 days after the end of the month in which the Noble BV invoice is issued.
6. Performance Standard. Each party shall provide, or cause its Affiliates to provide, the Arcelor Services or Noble BV Services in accordance with all applicable laws and otherwise in the same general manner as the same or similar services were provided in connection with the TBA Business immediately prior to the date of this Agreement.
7. Employee Obligations. Except as expressly set forth in the Purchase Agreement or the Schedules hereto, each party and its Affiliates (a) shall be solely responsible for payment of compensation to their employees for the provision of services hereunder; (b) shall be solely responsible for maintenance of and payment for such party’s employee benefits including retirement plans, health insurance and life insurance; (c) shall be solely responsible for any injury to such employees suffered in the course of providing services hereunder other than injuries arising from the gross negligence or willful misconduct of employees or agents of the other party, compensation for which shall be the sole responsibility of such other party; and (d) shall have full responsibility for payment of all federal, state and local taxes or contributions imposed or required under unemployment insurance, social security and income tax laws with respect to such party’s or its Affiliates’ employees.
8. Audit of Books and Records.
(a) During the Term and for a period of 9 months thereafter, each party (the “Audited Party”) and its Affiliates shall permit the other party (the “Auditing Party”) and its Affiliates and the Auditing Party’s employees, auditors and other representatives to have reasonable access, during normal business hours and upon reasonable advance notice, to the books and records of the Audited Party and its Affiliates, to the extent such access is reasonably required to verify the accuracy of the amounts charged by the Audited Party or its Affiliates pursuant to Section 4 or Section 5 of this Agreement. Audits pursuant to this Section 8(a) may be requested no more frequently than once per calendar year.
(b) If an audit pursuant to Section 8(a) reveals an overcharge, and the Audited Party or its Affiliates do not successfully justify any charge questioned by such audit, the Audited Party or its Affiliates shall promptly pay to the Auditing Party or its Affiliates the amount of such overcharge, together with interest from the date of receipt of such overcharge to the date of payment at a rate per annum equal to LIBOR, plus 100 basis points. (For purposes of this Agreement, “LIBOR” means, at the time in question, the rate per annum appearing on Xxxxxx’x Online Money Rates (xxxx://xxxxxx.xxxxxxx.xxx/xxxxxx/xxxx/xxxx_xxxxx_xxxxx.xxxx) (or any successor Internet site) as the latest LIBOR Interbank Rate in U.S. dollars for a six-month term.) In addition, if any such audit reveals an overcharge of more than 10% of the audited invoices in the aggregate for the audited period, the Audited Party or its Affiliates shall promptly reimburse the Auditing Party or its Affiliates for the actual out-of-pocket cost of such audit (including auditor’s fees).
(c) Upon request by either party, the parties shall meet promptly upon the completion of any audit or the issuance of an interim or final report to the parties following such audit (but in no event more than 15 days after the later thereof). The parties shall develop and agree upon an action plan to address and resolve any issues discovered through such audit within 30 days, unless a shorter resolution time is mutually agreed to by the parties in writing, and shall implement any remedial action required to avoid the making of overcharges in the future.
(d) During the Term and for a period of 9 months thereafter, the Audited Party and its Affiliates shall permit the Auditing Party and its employees, auditors and other representatives to have reasonable access, during normal business hours and upon reasonable advance notice, to books and records and appropriate personnel of the Audited Party and its Affiliates with respect to the TBA Business, to the extent such access is reasonably requested by the Auditing Party in order to permit the evaluation of, and any required reporting, certifications and attestations with respect to, internal controls, processes and systems in connection with the provision of the Services for purposes of compliance with the Xxxxxxxx-Xxxxx Act of 2002, as it may be amended from time to time. Nothing in this Section 8(d) shall require an Audited Party to maintain its books and records relating to the Services in a manner inconsistent with the manner that it maintains its books and records with respect to its other businesses. If the Auditing Party requests a change to the Audited Party’s internal controls, processes or systems, the Auditing Party shall bear the cost of any change that is agreed to by the Audited Party.
9. Coordination Meetings. The parties agree to meet not less frequently than quarterly to discuss the Services as well as problems that arise in connection with the Services. Each party agrees to provide the other party reasonable advance notice of any issues to be addressed at such coordination meetings. Each party shall be represented at these meetings by an executive authorized to resolve disputes that may arise under this Agreement or in connection with the Services. These meetings may overlap with coordination meetings required under other Ancillary Agreements.
10. Confidentiality Obligations.
(a) During the Term and thereafter, each party and its Affiliates shall maintain the confidentiality of all confidential and proprietary information of the other party and its Affiliates (collectively, “Confidential Information”) and shall not disclose such Confidential Information without the prior written consent of the other party, except for (i) disclosures that are required by applicable law, (ii) disclosures that are required to enforce the rights of such party under this Agreement, and (iii) disclosures to any of such party’s Affiliates or other representatives and agents that such party reasonably believes needs to know such Confidential Information to perform its obligations hereunder; provided, that, before any disclosure is made pursuant to applicable law, the disclosing party shall, if permitted by applicable law, give advance written notice of such disclosure to the other party so that such other party may seek a protective order against such disclosure. In the absence or unavailability of any such protective order, the disclosing party shall take all reasonable and lawful actions to seek confidential treatment for such disclosure and, to the extent practicable, to minimize the extent of such disclosure. Without limiting the foregoing, the parties and their Affiliates shall utilize the same methods and practices in the protection of the other’s Confidential Information as each utilizes in protecting its own Confidential Information.
(b) Upon the earlier of the expiration of this Agreement or the written request of the owner of the Confidential Information, (i) all Confidential Information received by a party and its Affiliates shall be returned to the owner thereof; (ii) no copies of Confidential Information shall be retained by any receiving party or any of its Affiliates; and (iii) no receiving party nor any of its Affiliates shall thereafter utilize the Confidential Information of the other party in any respect whatsoever.
(c) The parties shall be responsible for any breach of this Section 10 by their respective Affiliates, representatives and agents. The parties’ obligations under this Section 10 shall survive the expiration or termination of this Agreement.
11. Termination.
(a) Unless the parties mutually agree to extend the term of this Agreement, the term of this Agreement (the “Term”) shall commence on the date hereof and shall continue for a period of three years for all Arcelor Services and Noble BV Services other than Arcelor Services that are information technology-related services which shall continue for a period of four years.
(b) Noble BV may terminate any Arcelor Service, in whole or in part, prior to the expiration of the Term, by providing to Arcelor written notice of termination not less than 90 calendar days (or any shorter period to which Arcelor has consented in writing) before the effective date of such termination, in which case the provision of such Arcelor Service hereunder shall terminate at the end of the period specified in such notice; provided, that termination of any or all Arcelor Services shall not operate as a termination of this Agreement.
(c) Arcelor may terminate any Noble BV Service, in whole or in part, prior to the expiration of the Term, by providing Noble BV written notice of termination not less than 90 calendar days (or any shorter period to which Noble BV has consented in writing) before the effective date of such termination, in which case the provision of such Noble BV Service hereunder shall terminate at the end of the period specified in such notice; provided, that termination of any or all Noble BV Services shall not operate as a termination of this Agreement.
(d) Subject to the provisions of Section 12 of this Agreement, this Agreement may be terminated by either party if:
(i) the other party is in material breach of any provision of this Agreement; provided that the party seeking to terminate this Agreement for breach shall notify the other party in writing of such breach and provide such other party with 30 calendar days to cure such breach; or
(ii) (A) the other party files a petition for bankruptcy or is otherwise declared or adjudicated to be bankrupt or insolvent, (B) a petition for bankruptcy is filed against the other party and such petition is not dismissed within 90 calendar days, or (C) either party discontinues its business or voluntarily submits to, or is ordered by a bankruptcy court to undergo liquidation pursuant to Chapter 7 of the U.S. Bankruptcy Code, as amended, or any successor thereto.
(e) Termination of this Agreement shall not release any party from any obligation accrued prior to the date of such termination.
(f) The agreements set forth in Section 4 (Compensation for Arcelor Services), Section 5 (Compensation for Noble BV Services), Section 8 (Audit of Books and Records), Section 10 (Confidentiality), Section 12 (Indemnification) and Section 13 (Miscellaneous) hereof shall survive termination of this Agreement for any reason.
12. Indemnification. Each party shall indemnify, defend and hold harmless the other party and the other party’s shareholders, Affiliates, and its and their respective directors, officers, employees, controlling persons and agents (each an “Indemnified Party”), from and against all claims asserted against, resulting to, imposed upon or incurred by such Indemnified Party, directly or indirectly, by reason of, arising out of or resulting from (a) the breach of any representation, warranty or covenant made by such party in this Agreement or (b) the gross negligence or willful misconduct on the part of such party or any of its Affiliates, employees, agents, representatives or licensees in connection with the performance of such party’s obligations under this Agreement. Any such indemnification shall be subject to the procedures set forth in Section 14.6 (Procedure for Indemnification Claims) of the Purchase Agreement.
13. Relationship of Parties. The parties understand and agree that this Agreement does not make either of them an agent or legal representative of the other for any purpose whatsoever. No party is granted by this Agreement any right or authority to assume or create any obligation or responsibilities, express or implied, on behalf of or in the name of any other party, or to bind any other party in any manner whatsoever. The parties expressly acknowledge that (a) the parties and their respective Affiliates are independent contractors in all respects, including with respect to the provision of the Arcelor Services and the Noble BV Services; and (b) the parties are not partners, joint venturers, employees or agents of or with each other.
14. No Third Party Beneficiaries. This Agreement is for the sole benefit of the parties hereto, and nothing herein expressed or implied shall give or be construed to give any other person any legal or equitable rights.
15. Miscellaneous.
(a) Notices. All notices, requests, claims, demands or other communications that are required or may be given to Noble BV or Arcelor pursuant to the terms of this Agreement shall be given in accordance with Section 17.3 (Notices) of the Purchase Agreement.
(b) Entire Agreement. This Agreement (including the Schedules attached hereto) contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, written or oral, with respect thereto.
(c) Waivers and Amendments. This Agreement may be amended, superseded, canceled, renewed or extended only by a written instrument signed by all of the parties. The provisions hereof may be waived only in writing signed by the party or parties waiving compliance. No delay on the part of any party in exercising any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any waiver on the part of any party of any such right, power or privilege, nor any single or partial exercise of any such right, power or privilege, preclude any further exercise thereof or the exercise of any other such right, power or privilege.
(d) Severability. If any provision of this Agreement for any reason shall be held to be illegal, invalid or unenforceable, such illegality shall not affect any other provision of this Agreement, but this Agreement shall be construed as if such illegal, invalid or unenforceable provision had never been included herein.
(e) Assignment; Binding Effect; Benefit. No assignment by any party of its rights nor delegation by any party of its obligations under this Agreement shall be permitted unless the other party consents in writing thereto, except that Noble BV may, in its sole discretion and without the consent of Arcelor, assign any or all of Noble BV’s rights, interests and obligations under this Agreement to any assignee of Noble BV’s rights under the Purchase Agreement, provided that no such assignment shall relieve Noble BV of any obligation hereunder. This Agreement shall be binding upon and shall inure to the benefit of the parties and their respective successors and permitted assigns.
(f) Governing Law; Submission to Jurisdiction. This Agreement shall be governed by, and construed and enforced in accordance with, the laws of France other than conflict of laws principles thereof directing the application of any law other than that of France. The provisions of Section 17.7, subsections (b), (c), (d) and (e) (Venue; Waiver of Jury Trial), of the Purchase Agreement are hereby incorporated in this Agreement, mutatis mutandis, as if fully set forth herein.
(g) Interpretation. The parties have participated jointly in the negotiation and drafting of this Agreement. In the event an ambiguity or question of intent or interpretation arises, this Agreement shall be construed as if drafted jointly by the parties, and no presumption or burden of proof shall arise favoring or disfavoring any party by virtue of the authorship of any provisions of this Agreement.
(h) Rules of Construction. All definitions shall apply equally to both the singular and plural forms of the terms defined. Whenever the context may require, any pronoun shall include the corresponding masculine, feminine and neuter forms. The words “include,” “includes” and “including” shall be deemed to be followed by the phrase “but not limited to.” “Or” shall be disjunctive but not necessarily exclusive. All references herein to Sections and Schedules shall be deemed references to Sections of and Schedules to this Agreement unless the context otherwise requires. Words such as “herein,” “hereof,” “hereto,” “hereby” and “hereunder” refer to this Agreement and to the Schedules, taken as a whole. Except as otherwise expressly provided herein, any reference in this Agreement to any agreement shall mean such agreement as amended, restated, supplemented or otherwise modified from time to time. The captions to Sections and subdivisions thereof shall not be deemed to be a part of this Agreement.
(i) Counterparts. This Agreement may be executed and delivered (including by facsimile transmission) in one or more counterparts, and by the different parties in separate counterparts, each of which when executed and delivered shall be deemed to be an original but all of which taken together shall constitute one and the same agreement.
[Signature Page Follows]
Execution
IN WITNESS WHEREOF, the undersigned have duly executed and delivered this Transition Services Agreement as of the date first written above.
ARCELOR S.A.
By:
Name:
Title:
By:
Name:
Title:
NOBLE EUROPEAN HOLDINGS B.V.
By:
Name:
Title:
SCHEDULE A
TO TRANSITION SERVICES AGREEMENT
Arcelor Services
Attached.
SCHEDULE B
TO TRANSITION SERVICES AGREEMENT
Noble BV Services
Attached.
SCHEDULE A
TO TRANSITION SERVICES AGREEMENT
Arcelor Services
This Schedule A sets forth a summary description of the Arcelor Services to be provided under the terms of this Agreement and is comprised of the following parts:
a. Part I which is a non-exclusive and illustrative description of the Arcelor Services; and
b. Part II which contains more detailed descriptions of those services described on Part I and written descriptions of certain oral arrangements for services not described on Part I.
Confidential
List of Contracts* with Arcelor entities

| # | Service | ATB party | Arcelor party | Written | Document collected | Signature date | End date | 2007 Cost |
|---|---|---|---|---|---|---|---|---|
| 1 | | TB Lorraine | Arcelor SA | Yes | No | Perpetual | Perpetual | |
| | 8 Corporate Service Contracts | Sidmar | Arcelor SA | Yes | No | Perpetual | Perpetual | |
| | including services in: Financial, Legal, Human Resources | TB Genk | Arcelor SA | Yes | No | Perpetual | Perpetual | |
| | + | TB Xxxxxxxx | Xxxxxxx SA | Yes | No | Perpetual | Perpetual | €500K |
| | 8 Sector fee contracts (support | TB Bremen | Arcelor SA | Yes | No | Perpetual | Perpetual | |
| | on accounting, controlling and | TB Xxxxxx | Xxxxxxx SA | Yes | No | Perpetual | Perpetual | |
| | other sector level issues) | TSA | Arcelor SA | Yes | No | Perpetual | Perpetual | |
| 16 | | LWB | Arcelor SA | Yes | No | Perpetual | Perpetual | |
| 17 | | TB Gent | Sidmar | Yes | Yes | Renewed yearly | Renewed yearly | €1012K |
| 18 | 4 administrative and on-site | TB Genk | Sikel | Yes | Yes | Renewed yearly | Renewed yearly | €665K |
| 19 | support contracts | TB Bremen | Arcelor Bremen | Yes | Yes | Renewed yearly | Renewed yearly | €305K |
| 20 | | TB Xxxxxxxx | Xxxxxxx Spain | Yes | Yes | Renewed yearly | Renewed yearly | ~€40K |
| 21 | 1 Payroll Management contract | TB Xxxxxxxx | USP | Yes | Xxxx | No info | No info | €36K |
| 22 | 1 Training contract | TB Xxxxxxxx | Xxxxxxx Univ | Yes | No | No info | No info | 0 |
| 23 | | TB Lorraine | Arcelor Systems | Yes | Yes | End 2006 | End 2007 | |
| 24 | 5 SAP software support and | Sidmar | Arcelor Systems | Yes | Yes | End 2006 | End 2007 | |
| 25 | maintenance contracts | TB Genk | Arcelor Systems | Yes | Yes | End 2006 | End 2007 | ~€200K |
| 26 | | TB Xxxxxxxx | Xxxxxxx Systems | Yes | Yes | End 2006 | End 2007 | |
| 27 | | TB Xxxxxx | Xxxxxxx Systems | Yes | Yes | End 2006 | End 2007 | |
| 28 | 4 Office soft & hardware supply, | TB Lorraine | Arcelor Techno. | Yes | Yes | No info | No info | |
| 29 | support and maintenance | Sidmar | Arcelor Techno. | Yes | Yes | No info | No info | |
| 30 | contracts | TB Genk | Arcelor Techno. | Yes | Yes | No info | No info | |
| 31 | | TB Xxxxxx | Xxxxxxx Techno. | Yes | Yes | No info | No info | |
| 32 | | TB Lorraine | Arcelor Techno. | Yes | | | | ~€550K |
| 33 | 7 Network access | Sidmar | Arcelor Techno. | Yes | | | | |
| 34 | Agreements (no written | TB Genk | Arcelor Techno. | Yes | N.A | N.A | N.A | |
| 35 | contract) | TB Xxxxxx | Xxxxxxx Techno. | Yes | | | | |
| 36 | | TB Xxxxxxxx | Xxxxxxx Techno. | Yes | | | | |
| 37 | | TB Bremen | Arcelor Techno. | Yes | | | | |
| | => 37 contracts and agreements | | | | | | TOTAL | €3.3M |
Note: (*) These contracts do not include services covered by the steel supply & service agreement, nor the supply of energy, transport to customers and insurance
SCHEDULE A
TO THE TRANSITION SERVICES AGREEMENT
Part II
ARCELOR SERVICES
A. Services Provided by Arcelor Steel Belgium N.V. (Genk Site) to Arcelor Tailored Blank Genk N.V.
B. Services Provided by Arcelor Bremen GmbH to Arcelor Tailored Blank Bremen
C. Services Provided by Steel Service Center of ArcelorMittal to Arcelor Tailored Blank Xxxxxx in connection with lease for industrial premises
D. Legal Services Provided by ArcelorMittal Legal Affairs to TBA Companies
E. Human Resources Services and Various Support to TBA Companies
F. Services Provided by Arcelor Atlantique et Xxxxxxxx et al. to ATB Xxxxxxxx
X. Services Provided by Arcelor Spain Holding SL to Arcelor Tailored Blank Xxxxxxxx
H. IT Services
Appendix 1 – ATB Corporate
Appendix 2 – ATB Gent
Appendix 3 – ATB Bremen
Appendix 4 – ATB Xxxxxx
Appendix 5 – ATB Xxxxxxxx
Appendix 6 – List of People to be Contacted
Appendix 7 – ArcelorMittal Information Security Policies
A. SERVICES PROVIDED BY ARCELOR STEEL BELGIUM N.V. (GENK SITE) TO ARCELOR TAILORED BLANK GENK N.V.
1: Delivery of externally purchased natural gas
- Terms and conditions: same as those of the Arcelor Steel Belgium (Genk Site) contract with Distrigas.
- Measurement:
• The meter reading at the purchase point of Arcelor Steel Belgium (Genk Site) is used as reference for the monthly billing for the consumption of gas by Arcelor Tailored Blank Genk.
• The warehouse clerks of Arcelor Steel Belgium (Genk Site) record this meter reading every first work day of the month and send it on to the bookkeeping office at Arcelor Steel Belgium (Genk Site).
• They then transmit these data to Arcelor Tailored Blank Genk.
- Fee: Costs in proportion to Arcelor Tailored Blank Genk’s consumption with respect to Arcelor Steel Belgium (Genk Site)’s total consumption, increased by 10% as compensation for the fixed costs sustained by Arcelor Steel Belgium (Genk Site). The cost of natural gas is not included in the annual cap under Section 4 of the Transition Services Agreement.
2: OWB processing, as follows:¹
- Arcelor Tailored Blank Genk may give an order to Arcelor Steel Belgium (Genk Site) for the processing of steel coils (SP-quality) on the rewinding inspection line at Arcelor Steel Belgium (Genk Site). This processing may consist of:
• Rewinding of steel coils
• Inspecting of steel coils
• Oiling of steel coils
• Edge cutting of steel coils
• Client coil shaping (slitting, welding) of steel coils
- Planning:
• Orders must be communicated with 14 days notice to the planning department at Arcelor Steel Belgium (Genk Site)
• These coils are planned for the end of an Arcelor Steel Belgium (Genk Site) SP campaign
- Price:
• Processing of the coils on the rewinding line: unit price per processed ton 40 €/ton; including oil applied
• Packing costs: calculated per coil in accordance with the desired packing code and the applicable price list of the packing company
With respect to the foregoing, any services provided under the Steel Supply and Arcelor Auto Services Agreement are excluded from the Transition Services Agreement.
3: Delivery of Demineralized water
Delivery of demineralized water, as follows:
- Purchase point:
Outside at the storage tank demiwater N001R
- Collecting:
• Arcelor Tailored Blank Genk notifies the production team leaders in advance.
• The quantities of water taken are transmitted to Arcelor Steel Belgium (Genk Site)’s guest team leader.
• The Arcelor Steel Belgium (Genk Site) installations are left in proper order, care is taken that water does not flow away needlessly.
- Price: free of charge to the extent that collection remains restricted to a maximum of 1 m³/week; collections exceeding 1 m³/week to be paid at 10 €/m³. Any cost of demineralized water is not included in the annual cap under Section 4 of the Transition Services Agreement.
4: Delivery of fuel oil
Delivery of fuel, as follows:
- Purchase point:
Pump at the height of gate 231 of the coil warehouse
- Inventory/use measurement:
• Inventory/use measurement is to be done on weekdays between 08:00 and 16:00 hours. Arcelor Tailored Blank Genk must be accompanied by an Arcelor Steel Belgium (Genk Site) warehouse clerk who must be advised in advance.
• The tanked quantities each time are recorded by the warehouse clerk, signed for receipt by Arcelor Tailored Blank Genk and transmitted to Arcelor Steel Belgium (Genk Site)’s bookkeeping service.
- Price: spot price on the day of delivery. The cost of fuel oil is not included in the annual cap under Section 4 of the Transition Services Agreement.
5: Delivery of Externally Provided Electricity2
Delivery of electricity as follows:
- Counter positions:
• The meter readings of active and reactive energy in the rooms at Arcelor Steel Belgium (Genk Site) to be used as reference for calculating the invoice for electricity use by Arcelor Tailored Blank Genk.
• The electricity office at Arcelor Steel Belgium (Genk Site) to record these meter readings every first working day of the month and send them on to the bookkeeping office at Arcelor Steel Belgium (Genk Site).
• This office to then transmit these data to Arcelor Tailored Blank Genk.
- Price: 75.5 €/MWh. The cost of electricity is not included in the annual cap under Section 4 of the Transition Services Agreement.
6: Use of physics lab
- Limited use, as follows, of the physics lab at Arcelor Steel Belgium (Genk Site) for the following applications:
• Performing Xxxxxxx tests
• Performing tensile tests
• Making a metallographical cross-section
Permission to use the lab and accessory apparatus must be separately requested for each occasion from the responsible executives at Arcelor Steel Belgium (Genk Site) (X. Xxxxxx and X. Xxxxxxxx), who provide a written permit specifying the stipulations (validity period, type of application, hours allowed, supervision or guidance on the part of Arcelor Steel Belgium (Genk Site) personnel required or not, permitted consumption of Arcelor Steel Belgium (Genk Site) goods, etc.). In case of urgent or unexpected need for use of the physics lab, the consent of the aforementioned executives must still be requested in advance. If this should happen outside of the normal office working hours, the consent may only be given by the engineer on duty.
Each time that Arcelor Tailored Blank Genk effectively wants to make use of this, the production team leaders present must be advised and the written consent must be submitted. The names of the Arcelor Tailored Blank Genk persons present are recorded, together with the nature and duration of the activities performed.
Arcelor Tailored Blank Genk sends trained and competent operators. The Arcelor Steel Belgium (Genk Site) premises are left neat and clean. All refuse is placed in the locations designated for that purpose. Any consumption of goods is communicated to Arcelor Steel Belgium (Genk Site).
- Price:
• per intervention: fixed cost of 50 €/hour of use (hours to be rounded up to the higher unit)
• assistance by Arcelor Steel Belgium (Genk Site) personnel: 30 €/hour
7: Spare parts warehouse
Limited use of the spare parts warehouse at Arcelor Steel Belgium (Genk Site), as follows:
- Arcelor Tailored Blank Genk follows Arcelor Steel Belgium (Genk Site)’s internal procedure.
- Access to the warehouse must be restricted to week days from 08:00 to 16:00. Outside of these hours access may only be granted for urgent reasons by Arcelor Steel Belgium (Genk Site)’s engineer on duty via the production team leaders.
- Price: actual purchase price of the spare parts taken + 15%. The cost of spare parts is not included in the annual cap under Section 4 of the Transition Services Agreement.
8: Stocking pallets with blanks
Use of the Arcelor Steel Belgium (Genk Site) coil warehouse in order to temporarily store pallets with blanks, as follows:
- Terms and Conditions:
• Arcelor Tailored Blank Genk each time contacts Arcelor Steel Belgium (Genk Site) (shipping office) in advance in order to ascertain whether there is storage capacity available at Arcelor Steel Belgium (Genk Site).
• The quantities and the time periods are fixed in advance (a maximum of 2 months).
- Transportation:
• Transportation of these pallets between Arcelor Tailored Blank Genk and Arcelor Steel Belgium (Genk Site), both bringing them in and picking them up, is handled by Arcelor Tailored Blank Genk with lift fork devices belonging to Arcelor Tailored Blank Genk.
• The normal routine at Arcelor Steel Belgium (Genk Site) may not be compromised during this process.
• This transportation preferably takes place between 08:00 and 16:00 hours, at times when no rail cars are present in Arcelor Steel Belgium (Genk Site)’s storage hall.
- Location:
• A limited number of zones between the columns of column row C may be made available if needed.
• The normal passageways must at all times be kept free for both personnel, rail cars and trucks.
- Protection:
• Arcelor Tailored Blank Genk ensures that the stored goods are safely left in place.
• There may be no risk with regard to the safety of personnel.
• Any protective devices against moisture and dust are installed by Arcelor Tailored Blank Genk.
- Price: 300 €/month per zone between 2 columns that is used.
9: Road Salt
- Inclusion of the roads and the parking lot at Arcelor Tailored Blank Genk in Arcelor Steel Belgium (Genk Site) road salt rounds.
Contact person:
All practical appointments regarding spreading of the salt to be made via the Arcelor Steel Belgium (Genk Site) coordinator, Mr. L. Van Reusel
- Price: 20% of the total spreading cost (purchase of road salt and hours of spreading service). The cost of road salt is not included in the annual cap under Section 4 of the Transition Services Agreement.
10: Use of the First Aid station
Availability of First Aid services to Arcelor Tailored Blank Genk, as follows:
- The use of the Arcelor Steel Belgium (Genk Site) First Aid station to be allowed in exceptional cases of urgent basic assistance where no direct intervention of a physician is required. The station may also be used for consultations with the company doctor.
- Arcelor Steel Belgium (Genk Site)’s production team leaders who are present must be advised in advance.
- Arcelor Tailored Blank Genk to always have the injured person assisted by a trained and competent industrial consultant. This does not relieve Arcelor Tailored Blank Genk from its obligation to prepare a First Aid station of its own.
- Price: 30 €/treatment or consultation
11: On-Site Transportation
On-site transportation services, as follows:
- The moving of Arcelor Tailored Blank Genk’s rail cars from place to place on the company grounds of Arcelor Steel Belgium (Genk Site) and Arcelor Tailored Blank Genk is handled by personnel members and equipment of Arcelor Steel Belgium (Genk Site). The central dispatching of all rail cars is handled by the clerks of the shipping service at Arcelor Steel Belgium (Genk Site). All contact with the N.M.B.S. for the bringing in and picking up of rail cars is done by the clerks of the shipping service at Arcelor Steel Belgium (Genk Site). This manner of operating is necessary because Arcelor Tailored Blank Genk does not have a direct connection to the railroad network of the N.M.B.S. and is therefore not considered a client by the N.M.B.S.
- Price:
• 50% of all direct costs of Arcelor Steel Belgium (Genk Site)
• any demurrage charged by the NMBS to Arcelor Steel Belgium (Genk Site) and caused by rail cars intended for Arcelor Tailored Blank Genk: to be invoiced to Arcelor Tailored Blank Genk. The cost of demurrage is not included in the annual cap under Section 4 of the Transition Services Agreement.
12: Security
Security services, as follows:
- Security service for the company grounds is handled by security guards of an external firm (presently GROEP 4 Securitas). These guards perform the following tasks, among others, for Arcelor Tailored Blank Genk:
• Reception of visitors;
• Inspection of vehicles and persons;
• Management of incoming and outgoing freight transport;
• Central dispatching
- Price: 1/3 of the costs of the security firm + 15% as coverage for costs associated with the security station.
13: Infrastructure
Use of infrastructure, as follows:
- The road infrastructure, property of Arcelor Steel Belgium (Genk Site), is made available to Arcelor Tailored Blank Genk.
- Price:
• 25% of the total direct costs that Arcelor Steel Belgium (Genk Site) spends on track work, work on lighting, …
• 10% of the total direct costs that Arcelor Steel Belgium (Genk Site) spends on maintenance work on public gardens and canals.
14: Delivery of municipal (external) water
Delivery of municipal water as follows:
- Terms and Conditions: the same as those of the Arcelor Steel Belgium (Genk Site) contract with VMM.
- Measurement:
• The meter reading on the meter at the purchase point of Arcelor Steel Belgium (Genk Site) is used as reference for the monthly billing for the consumption of water by Arcelor Tailored Blank Genk
• The warehouse clerks of Arcelor Steel Belgium (Genk Site) record this meter reading each first work day of the month and send it on to the bookkeeping office at Arcelor Steel Belgium (Genk Site).
• They shall then transmit these data to Arcelor Tailored Blank Genk.
- Price: in proportion to Arcelor Tailored Blank Genk’s consumption with respect to Arcelor Steel Belgium (Genk Site)’s total consumption. The cost of municipal water is not included in the annual cap under Section 4 of the Transition Services Agreement.
15: Copying
Services regarding copying of plans, as follows:
- Rates:
• A0: 5 €
• A1: 4 €
• A2: 3 €
• A3/A4: 2 €
C. SERVICES PROVIDED BY ARCELOR BREMEN GmbH (“ABG”) TO ARCELOR TAILORED BLANK BREMEN (“ATBB”)
NOTE: Prices for the services described in Items C.1 through C.12 appear after Item C.12.
1: Supply of Outside Resources/Applicable Terms of Delivery
ABG permits ATBB to use the facilities of ABG listed below:
a) internal plant road network and access to the rail network
b) weighing facilities at the entries to the plant
c) electric power network
d) pipes
e) sewer lines and canals
f) telecommunications
In connection with its existing third-party supply agreements, ABG supplies ATBB with the amounts of electricity, natural gas and drinking water required by ATBB. To that extent, the terms of delivery agreed between ABG and the suppliers of these media and the normal delivery restrictions also apply to ATBB. ATBB may inspect the specific terms of delivery and the delivery restrictions.
If ATBB no longer wants to be supplied by ABG with electricity, natural gas or drinking water, or if ABG is not, or will in the future no longer be, authorized to supply electricity, natural gas and drinking water to ATBB, ABG allows ATBB to procure its own supply of the respective media. ATBB indemnifies ABG against all costs incurred as a result of the construction and operation of corresponding supply facilities.
2: Delivery of Resources Produced by the Plant
ABG delivers the purified water that ATBB requires for its operations from ABG’s own internal network.
The purified water to be delivered under paragraph 1 shall be delivered over the existing pipes of the plant network and shall be measured using new meters still to be installed by ATBB.
3: Scope of Delivery/Delivery Restrictions
The resources described in sections 1 and 2 are delivered using existing production facilities, pipe networks, transformer substations and cable networks in accordance with the capability and capacity of ABG. A prerequisite, in particular, is that ABG continues to be supplied under its existing contractual relationships with its providers.
In the event of damage to the production facilities/transformer substations used for the media purchased by ABG or to the pipe networks/cable networks on the plant site, ABG is released from its obligation to supply ATBB with the aforementioned media for the interruption period. To that extent, ATBB has claims for damages or compensation against ABG only if ABG has failed to exercise the care that it applies in its own affairs.
ABG informs ATBB of any damage sustained by its production facilities/transformer substations or pipe network/cable network. Furthermore, ABG does everything necessary to restore operability of the affected facilities. Any maintenance work required is coordinated in advance with ATBB and is performed expeditiously.
ATBB informs ABG in a timely manner if its requirements are expected to increase significantly. ABG delivers the additional amounts required, unless operational concerns prevent it from doing so. Any costs that may accrue in connection with the delivery of additional amounts are borne by ATBB.
ATBB is familiar with the meaning of the 1/4-hour billing maximum in connection with the electricity supply agreement between the electric utility and ABG and the effect this has on the price of electricity. It is also familiar with the standard operational control measures taken by ABG, such as disconnecting individual power consumers. At this time, ATBB is not participating in the automatic disconnection procedure. ABG reserves the right to include ATBB in the automatic disconnection procedure if necessary and to charge it for all the consequences of exceeding the 1/4-hour billing maximum that are attributable to the electricity consumption of ATBB.
4: Other Resources
At the request of ATBB, ABG may supply ATBB with other resources to the extent possible and after prior coordination. ATBB is responsible for installing the required line networks.
5: Waste Disposal
ATBB conducts its domestic sewage through a line directly into the public sewage system.
The terms and conditions for waste disposal are as follows:
- Trash
ATBB shall purchase a suitable container at its own expense. Trash is collected by a third-party company selected by ABG (currently Nehlsen) up to 3 times per week if necessary. ATBB coordinates collection frequency with the environmental department of ABG. An allocation key defined based on the number of containers and collections is used for billing purposes.
- Recyclable materials (cardboard, oil, cardboard packaging)
ATBB purchases two suitable containers at its own expense. Recyclables are collected every two weeks on Thursdays by a third-party company selected by ABG (currently Nehlsen). ABG may change the collection day if necessary for organizational reasons. An allocation key defined based on the number of containers and collections is used for billing purposes.
- Batteries (including button batteries, starter batteries, etc.)
ABG supplies ATBB with a suitable container at no charge. Batteries are collected as needed at ATBB’s request by the environmental department of ABG. Collection and disposal are free of charge for ATBB as long as the battery vendors are required by law to accept the used batteries at no charge.
- Oil-containing supplies (e.g. cleaning rags)
ATBB has two containers within the plant (referred to as ASP800s), which are emptied as needed. Collection is at ATBB’s request, or regularly if necessary, by ABG’s service department [Einsatzbetrieb]. Disposal costs are billed based on the average weight of a completely filled bin. The average weight is determined by ABG during the first two months after signature of the Transition Services Agreement.
- (Old) lumber
Old lumber is collected by the transportation service of ABG. At the request of ATBB the transportation service provides a suitable container (dumpster with a capacity of 4.4 m3) for transport, which ATBB is to fill with the (old) lumber within a reasonably short period. If the time normally required to fill the container is significantly exceeded, ATBB shall pay rent for the container to ABG. ABG is entitled to use recyclable (old) lumber free of charge for its own purposes after collection. At the time of collection, the weight of the (old) lumber is determined and recorded on a weight card. The disposal costs are billed based on the weights determined.
- Toner (e.g. toner cartridges, ink ribbons)
ATBB purchases a suitable bin at its own expense and shall label it accordingly. Toner is collected by ABG only as needed at ATBB’s request. Collection and disposal are free of charge to ATBB as long as the toner materials are accepted by a recycling company free of charge.
- Other types of waste (e.g. fluorescent tubes)
The disposal of other types of waste by ABG may be agreed from time to time on a case-by-case basis. ATBB ensures disposal as required by law.
6: Transportation
ABG provides the transportation services by rail or truck that are necessary for the operations of ATBB at the request of ATBB and performs the transshipment in the [Hüttenhafen] requested by ATBB within a scope that is operationally reasonable.
7: Weighing
Incoming and outgoing deliveries for and from ATBB may be weighed on the plant-owned scales, which are certified by the Board of Weights and Measures. The weight cards are provided to ATBB and are valid for internal as well as external transportation between ATBB and third parties.
If ATBB uses its own scales for weighing, ATBB provides the weight information to ABG.
8: Other Services
ABG provides ATBB with the following services of its technical service departments:
• Energy maintenance
• Service Center electrical
• Service Center mechanical
• Crane maintenance
• Construction
• Quality Assurance services (TQ)
ATBB has the right to procure material from ABG’s warehouses and spare parts stockrooms within a scope that is operationally reasonable for ABG.
If ATBB desires additional services, ABG shall meet its requests to the extent possible.
9: Flat Cost Fee
ABG provides the following services to ATBB within the scope of its existing capacities:
• services of the fire department for regular fire fighting, including ambulance service (preventive fire protection measures, e.g., inspection of fire extinguishers, are not included in this flat fee and are billed when these services are provided)
• inclusion of ATBB in the emergency management of the site
• plant security
• use of general plant facilities (plant road network, including snow clearance, etc.) weighing facilities
• upon request advice and support by ABG personnel regarding waterways, waste disposal, emissions, noise, hazardous materials and work safety
• the plant’s internal telephone network
• messenger/mail service
• use of the cafeteria
• use of Lotus Notes server and IT services, such as VPN and fixed lines, etc.
Other services (e.g., health services, landscaping, work safety) are billed when these services are provided.
10: Spheres of Responsibilities
The boundaries of the spheres of responsibility between the facilities of ABG and those of ATBB as well as the delivery points for the delivery of resources are determined based on the criteria of ownership and use and as identified in planning documents.
11: Compliance with Statutory Provisions and Other Regulations
In connection with its activities on the plant site, ATBB complies with the relevant federal and state laws, regulations and government ordinances and directives. ATBB also complies with accident prevention regulations, accepted engineering standards and the accident prevention and other relevant environmental and safety regulations applicable in this connection.
12: Plant Inspections
ATBB complies with the plant regulations of ABG and submits to the standard inspections by plant security. This also applies to incoming and outgoing shipments of material.
ATBB complies with the instructions of the environmental department of ABG to the extent that ATBB’s activities affect the interests of ABG.
PRICES AS OF JANUARY 2007
Price for drinking water: 2.35 €/m3
This is the actual purchase price paid by ABG, including costs of internal conduction as determined by ABG’s cost center accounting. The price does not include the sewage charge, which is to be billed separately. The price is adjusted monthly. The cost of drinking water is not included in the annual cap under Section 4 of the Transition Services Agreement.
Price for domestic sewage: 2.79 €/m3
This is the actual sewage charge paid by ABG as determined by ABG’s cost center accounting. The price is adjusted monthly. The amount of sewage is determined based on the amount of drinking water delivered.
Price for electricity: 36.96 €/MWh
The electricity price is based on the purchase price paid by ABG, including costs of internal conduction as determined by ABG’s cost center accounting. The price is adjusted monthly. The electricity price is based on a power consumption of 400 kW (1/4-hour maximum). This is based on an annual consumption of 3.0 million kWh/a. If there is an appreciable change in the annual consumption (deviation of ±10%), the 1/4-hour maximum to be redefined by common agreement. The cost of electricity is not included in the annual cap under Section 4 of the Transition Services Agreement.
For purposes of monthly billing, a preliminary electricity price shall be estimated at the beginning of each calendar year. The final electricity price to be determined and settled at the beginning of the following calendar year.
Price of electricity tax (environmental tax): 12.30 €/MWh
The then applicable electricity tax (environmental tax)—the currently reduced rate is 12.30 €/MWh— is billed in addition to the electricity price. The cost of the electricity tax is not included in the annual cap under Section 4 of the Transition Services Agreement.
Price of EEG charge (charge under the Renewable Energy Act): 8.90 €/MWh
The EEG charge to be billed in addition to the electricity price. The EEG charge is not included in the annual cap under Section 4 of the Transition Services Agreement.
Price for natural gas: 23.38 €/MWh
This is the actual purchase price paid by ABG, including internal conduction costs as determined by ABG’s cost center accounting. The price is adjusted monthly. The cost of natural gas is not included in the annual cap under Section 4 of the Transition Services Agreement.
Price of energy tax on natural gas: 3.66 €/MWh
The energy tax on natural gas to be billed in addition to the natural gas price. The energy tax is not included in the annual cap under Section 4 of the Transition Services Agreement.
Price for purified water: 7.89 €/1000 m3
These are the actual full costs incurred by ABG, including internal conduction costs as determined by ABG’s cost center accounting. The price is adjusted monthly. This price does not include the sewage charge, which is to be billed separately only if the purified water is discharged through ABG’s own sewage system.
Price for sewage: 7.95 €/1000 m3
This is the actual sewage charge paid by ABG, including internal costs for conducting the sewage into the Weser as determined by ABG’s cost center accounting. The price is adjusted monthly. The amount of sewage is based on the amount of purified water delivered.
Prices for the disposal of trash and recyclables
Trash and recyclables are removed by a third-party company selected by ABG. The invoice issued by that company is charged to ATBB.
Prices for the disposal of oil-containing supplies
Oil containing supplies are disposed of by the service department of ABG at the request of ATBB or regularly if required. Disposal costs are billed based on the average weight of a completely filled bin. The average weight is determined by ABG during the first two months after the date of the Transition Services Agreement. Transportation costs are billed separately.
Price for the disposal of old lumber
Old lumber is disposed of by the transportation department of ABG. The disposal costs are billed based on the determined weights. Transportation costs are billed separately.
Prices for transportation services
These prices are applicable for calendar year 2007 and are reviewed annually and adjusted to reflect the actual full costs as determined by ABG’s cost center accounting.
Plant railroad: 0.24 €/tkm
Transport operations, including driver:
• Wheel loader: €81.68/h
• Dump truck: €62.44/h
• Tractor: €43.22/h
• Trailer: €4.00/h
• Other vehicles: per agreement
Prices for technical services
Based on use. Technical services are billed based on the “full costs of actual rates” as determined by ABG’s cost center accounting. Any machine hours are billed based on actual use.
Flat cost fee in accordance with section 9: €4,400/month
Against payment of a monthly flat cost fee ATBB may use the services listed in section 9. The monthly flat fee is based on 53 employees. If the number of employees changes by ±20%, the flat fee shall be adjusted accordingly. In addition, the monthly flat fee shall be reviewed annually and adjusted based on the following escalator clause:
• 80% through personnel costs. Escalation is based on the development of the union wage rate, wage group 7 of the collective bargaining agreement applicable to ABG, basis €11.53/h (January 2007).
• 20% through cost of materials. Escalation is based on the Consumer Price Index for Germany published on the web site of the German Federal Statistical Office xxx.xxxxxxxx.xx (January 2007: 110.9).
Prices for materials in stock
Moving average of the book value plus 10% administrative costs.
Prices of other services
Based on use. The price is coordinated with the respective department of ABG.
13: Occupational Health Services
ABG makes occupational health services available to ATBB employees, particularly under § 3 of the German Occupational Health and Safety Act (ASiG), to include the following services:
• Occupational safety committee meetings
• Plant inspections
• Workstation inspections
• Counseling if a job change is necessary for health reasons and integration and re-integration of the handicapped in the work process
• Comments on all occupational health questions
• First aid organization within the plant
• Preventive screenings, particularly pursuant to § 3(1) No. 2 of the German Occupational Health and Safety Act and § 15 and 16 of the German Hazardous Substances Regulation (GefStoffV) and BGV A 2 and BGI 504 (selection criteria for special occupational health screenings).
Occupational health services are provided by the plant physician working for ABG and/or by his deputy, who has corresponding qualifications. The plant physician is authorized to perform preventive screenings.
ATB retains the plant physician in accordance with § 2 of the German Occupational Health and Safety Act and BGV A 2 “Plant Physicians” (version of 01 July 2005) for the minimum number of hours defined therein. Accordingly, the required service hours of the plant physicians are as follows:
Group A (including metal workers): 0.6 hrs. per year and employee
Group B (all sectors except those listed in Group A or C): 0.5 hrs. per year and employee
Group C (business and administrative sector): 0.2 hrs. per year and employee
The non-specific preventive occupational health screenings are included in these service hours. These screenings currently include, for example:
G 23 Obstructive respiratory disease
G 24 Skin disorders (except skin cancer)
G 25 Driving, controlling and monitoring jobs
G 37 Jobs using display terminals
G 41 Work involving the risk of falling
The specific occupational health screenings (e.g. screenings for G 7 “carbon monoxide,” G 15 “chromium,” G 20 “noise,” G 26 “respiratory protection,” G 30 “heat,” G 39 “welding smoke,” or G 42 “infection hazards”) are not included in the service hours (in accordance with the Federal Minister of Labor and Social Affairs). For these services, the following additional service hours are estimated:
0.38 hrs. per year and employee for Group B (2007)
0.0 hrs. per year and employee for Group C (2007)
At 01 July 2007 there were 53 employees, 42 in Group B and 11 in Group C. Accordingly, for calendar year 2007, the service hours total 23.20 (per year).
The required service hours are reviewed once a year (in January) and adjusted if necessary. For this purpose, ATBB notifies ABG of the number of its employees as of 31 December of each year on its own initiative by 15 January at the latest (even if there has been no change).
For the following year, ATBB retains the plant physician for the defined minimum number of hours in accordance with BGV A 2 no later than by 31 December of the previous year.
14: Other Medical Services
The services of ABG further include other medical services, including the following:
• Primary care office hours, including physical therapy with infrared light therapy, inhalation therapy and drug therapy for minor infections, sprains, etc. provided that the medications are available in stock
• Vaccinations
• Pre-employment medical examinations, including medical examinations of minors as provided for under the German Youth Protection Act
• Training of first aid personnel of ATB
D. SERVICES PROVIDED BY STEEL SERVICE CENTER OF ARCELORMITTAL (“A3S”) TO ARCELOR TAILORED BLANK SENICA (“ATB Senica”) IN CONNECTION WITH LEASE FOR INDUSTRIAL PREMISES
A3S is the owner of Industrial premises situated in Senica, province of Trnava, Slovakia (“Industrial Leasehold Premises”).
ATB Senica rents and leases a part (with the following dimensions: 30 meters of width, 60 meters of length and 9 meters of height) of this Industrial Leasehold Premises, at a rate of 60 €/m2/year.
ATB Xxxxxx uses and occupies the Industrial Leasehold Premises for Industrial Manufacturing purposes only and for no other purpose.
A3S provides the following services:
PHONE: installation and maintenance of telephone service at least for 4 lines, and furnishing of the phone numbers.
IT: installation and maintenance of IT cable service and furnishing of the available network channels. Service fees required for the installation of these utilities are covered by A3S.
GAS, ELECTRIC AND WATER: A3S provides the gas, electrical and water installation and the monthly costs during the period of Industrial lease contract. A3S provides a separate electrical meter for the electrical consumption of production line. The cost of gas, electricity and water is not included in the annual cap under Section 4 of the Transition Services Agreement.
SAFETY and SECURITY: A3S provides safety and security of Industrial premises. Fire extinguishers and smoke detectors are provided by A3S and installed in these industrial premises. A3S maintains its appliances, including periodic testing and replacement of all safety equipment and batteries as recommended by the manufacturer and applicable law. In the event the detector is missing or inoperative, ATB Xxxxxx has an affirmative duty to notify A3S immediately.
CLEANING: A3S keeps and maintains the cleaning and the Leasehold Premises, parking, toilets, offices, and locker room area in a clean and sanitary condition at all times. Any related service cost is covered by A3S. ATB Xxxxxx keeps and maintains the manufacturing area.
1. ATB Xxxxxx pays for the electrical consumption of production equipment (welding line, shear centre etc.) and monthly phone and internet charges.
2. A3S provides a locker room for workers of ATB Xxxxxx. Any service fees required for the installation of these utilities and maintenance to be covered by A3S.
3. A3S provides parking spaces for 10 motor vehicles in the parking lot at a space to be designated by A3S. Any rules or regulations established by A3S relating to parking are strictly observed by XX Xxxxxx and may be subject to change at A3S’s discretion.
4. A3S provides for the necessary repairs and maintenance of the Industrial Leasehold Premises. ATB Xxxxxx does not provide nor arrange for any repair or maintenance of the Leasehold Premises, and A3S is not responsible or liable to ATB Xxxxxx, or to any other person, for the costs of any repair or maintenance provided or arranged by ATB Xxxxxx.
5. A3S provides garbage containers. A recycling container is also provided to ATB Xxxxxx for paper, glass, and plastic and aluminum cans.
E. LEGAL SERVICES PROVIDED BY ARCELORMITTAL LEGAL AFFAIRS (“AMLAF”) TO TBA COMPANIES
1. Day-to-day and general assistance
AMLAF carries out and deals with legal matters on behalf of and for the TBA Companies, including commercial law, company law, merger & acquisitions, real estate law, labour law, environmental law, etc.
2. Litigation
AMLAF deals with litigation, i.e., litigation with customers, suppliers, public authorities, resulting from accidents, occupational illness, injury, transport, debt collection, insolvency, etc.
A litigation report which describes outstanding cases (company involved, status, type and summary, coverage by insurance policy, provisions set up) is available upon request. AMLAF gives its opinion about the reserves which have to be set up in the TBA Company’s accounts.
F. HR SERVICES AND VARIOUS SUPPORT TO TBA COMPANIES
1. Payroll, etc.
Services of Xxxxxxx Xxxxx, Guido Van Assche and Xxxxxxxx Meulemann to the HR manager of TBA, Xxxxxxxx Xxxxx, for the starting implementation of the payroll of the company Noble Metal Processing Belgium and the starting implementation of the payroll of the establishment of the company ATB Xxxxxxxx in Saint-Denis.
Carrying out of the payroll of ATB Xxxxxxxx by USP Montataire and the establishment of Saint-Denis
Payroll–related management and labor law counseling provided to Arcelor Tailored Blank Xxxxxxxx by Xxxxxxx España SA
2. Training
Access to the vocational training of ArcelorMittal University
Client Team School
3. International Mobility Platform
Management of Expatriates
4. Other Services
Offices at Saint-Denis + Dalkia services (mail service, management of grounds, photocopying, electrical maintenance, …)
Employment-related medical and infirmary services at Saint-Denis
Corporate dining services at Saint-Denis
Car rental management
G. SERVICES PROVIDED BY ARCELOR ATLANTIQUE ET XXXXXXXX ET AL. TO ATB XXXXXXXX
1. Industrial Safety Services.
Arcelor Atlantique et Xxxxxxxx Florange offers its industrial safety services (annual extinguisher verification, anti-intrusion rounds, periodic safety/evacuation exercises) and makes available firefighting services for all planned interventions and in case of casualty. (38,000 euros per year in 12 equal monthly payments.)
2. Medical Service.
Arcelor Atlantique et Xxxxxxxx Florange offers its work-related medical services and accident management (infirmary, ambulance, examinations, certain vaccinations, etc.). (145 euros per person, in equal quarterly installments.)
3. Travel Services.
ATB Xxxxxxxx benefits from car rental reservation services, airplane and train ticketing services and hotel reservation services linked to the contract between Arcelor and the travel agency retained by Arcelor.
4. Arcelor Human Resources Services.
ATB Xxxxxxxx benefits from payroll and monthly reporting to social institutions and mutual insurance companies, annual reporting to the institutions TDS-DAS, DADS et CRC, planning, handicapped declarations, IRR, IPP, profit sharing, FCP and [bonus] CET placement.
5. Services by the Unité de Service Partagée Mobilité et Recruitment (USMR) of Florange in the framework of PSE started in May 2007 (there remain some personnel to reclassify).
6. Tax accounting services by the Unité de Service Partagée Comptabilité (USPC) are offered for 2008 only, with regard to fixed assets (depreciation, dispositions, audit), deferred tax, tax consolidation for 2007.
7. Industrial food services by Services Généraux de Florange (SGE).
H. SERVICES PROVIDED BY ARCELOR SPAIN HOLDING SL TO ARCELOR TAILORED BLANK XXXXXXXX
1. Legal Services
Legal advice, other than labor law
2. Tax Services
Tax affairs counseling
I. IT SERVICES
IT Services
TABLE OF CONTENTS
1. SERVICES DELIVERED BY ARCELOR TECHNOLOGIES
1.1. LIST OF SERVICES
1.1.1. Service catalogue
1.1.2. Application Infrastructure Services
1.1.3. Network Services
1.1.4. Technologies Enabler Services
1.2. SLA
1.3. Price – Compensation rules
2. Services Delivered By Arcelor Systems
2.1. List of Services
2.1.1. Applications in scope
2.1.2. Recurrent maintenance
2.1.3. Evolutive maintenance
2.2. SLA
2.3. Price
3. Additional Services Delivered by Arcelor Systems to ATB Gent
3.1. List of Services
3.1.1. Applications in scope
3.1.2. Services
3.2. SLA
3.3. Price
4. Services Delivered by Arcelor Steel Belgium N.V. (Genk Site)
4.1. List of services
4.2. Price
APPENDICES TO THE IT SECTION OF SCHEDULE A
APPENDIX 7 TO THE IT SECTION OF SCHEDULE A:
ARCELORMITTAL INFORMATION SECURITY POLICIES
1. INFORMATION SECURITY POLICIES FRAMEWORK
1.1 Background
1.2 Scope
1.3 Key actors
Corporate information Security Officer
Local Information Security Officer
Security Workgroups
IT Steering Committee
Internal audit
Three operational responsibilities: Owner, Custodian and User
1.4 The baseline policies and their target
1.5 Legal Affairs link
1.6 Critical systems
1.7 Non-compliance
1.8 Definitions
Policy
Standard
Guideline
2. PROTECTION AGAINST MALICIOUS CODE POLICIES
2.1 Abstract
2.2 Definitions
System Assets
Malicious code
Virus
Worm
Trojan horses
Macro Viruses
Anti-Virus Software
Signatures
Red Alert State
Hoax
2.3 Protection Against Malicious Code policies
2.4 Protection Against Malicious Code Standards
2.5 Protection Against Malicious Code Guidelines
3. VULNERABILITIES AND SECURED CONFIGURATION MANAGEMENT POLICIES
3.1 Abstract
3.2 Definitions
Vulnerability
Threat analysis
Secured configuration
3.3 Vulnerabilities and Secured Configuration Management policies
3.4 Vulnerabilities and Secured Configuration Management Standards
3.5 Vulnerabilities and Secured Configuration Management Guidelines
4. LOGICAL ACCESS CONTROL POLICIES
4.1 Abstract
4.2 Definitions
Identification and User ID
Authentication
Authorization
4.3 Policies
4.3.1. IDENTIFICATION
4.3.1.1 User registration
4.3.1.2 Automatic terminal Identification
4.3.1.3 Log-on procedures
4.3.1.4 Log-on procedure guidelines
4.3.2. AUTHENTICATION
4.3.2.1 User Password Management
4.3.2.2 User Password Management guideline
4.3.2.3 Password management systems
4.3.2.4 Password management guidelines
4.3.3. AUTHORIZATION
4.3.3.1 Privilege management
4.3.3.2 Privilege management guideline
4.3.3.3 User access rights
4.3.4. MONITORING
5. NETWORK SECURITY POLICIES
5.1 Abstract
5.2 Policies
5.2.1 General principles
5.2.2 Internet connections
5.2.3 Remote accesses
5.2.4 Wireless LAN
5.2.5 Physical and Logical Access to Network devices
5.2.6 Application system design
5.2.7. Network monitoring
5.2.8 Critical networks and servers
6. DATA BACK-UP POLICIES
7. BCP/DRP SECURITY POLICIES
7.1 Abstract
7.2 BCP/DRP Security Policies
7.3 BCP/DRP Security Guideline
8. BEHAVIOR ADVICE TO USERS TO IMPROVE THE SECURITY LEVEL
8.1 Password management
8.2 Locking an unattended workstation
8.3 Social engineering
8.4 Data back-ups
8.5 Virus protection
8.6 Security incident reporting
8.7 Confidential information protection at printing time (as well in communicating and storing the information)
1. SERVICES DELIVERED BY ARCELOR TECHNOLOGIES
To:
ATB Genk
ATB Gent (to be added)
ATB Xxxxxxxx
ATB Xxxxxxxx
ATB Xxxxxx
ATB Bremen
ATB Belgium & France (to be added)
1.1. LIST OF SERVICES
1.1.1. Service catalogue
Services delivered from the service catalogue contain end-user access product services, such as:
• | Workstations, printers, peripheral devices described in the document ‘Arcelor Technologies North—Catalogue Site Ghent’. For the French perimeter (Xxxxxxxx and Paris), the catalogue is accessible through the services portal xxxx://xxx-xxxxxxxxxxx.xxxxx.xxx/xxxxxx/xxxxxx/ |
• | On demand, Arcelor Technologies supplies a detailed list of all current, active workstations and setup (what software). Also the cost is detailed per user and service. |
1.1.2. Application Infrastructure Services
1.1.2.1. Application Hosting Services
Arcelor Technologies provides application hosting services on several platforms: Mainframe (z/OS), SAP on AIX servers, Windows Servers, OpenVMS Servers, Lotus Notes Domino Servers, …. As such Arcelor Technologies performs the operational, planning, design, build and test, monitoring and reporting processes.
• | Operational processes |
Assure the operations to keep the solutions running
• | Incident management: |
Solve incidents that have been detected either by the customer, by the provider or that have been submitted automatically.
Arcelor Technologies subscribes to underpinning contracts with Vendors to solve incidents with hardware configurations and to solve incidents with malfunctioning software.
• | Problem management |
Evaluate incidents and propose proactive measures.
• | Performance management and tuning |
Evaluate response times and propose corrective measures.
• | Release management |
ARCELOR Technologies carries out all the operations to install the updates needed to keep the systems running.
This includes applying relevant upgrades, releases, service packs, patches, hotfixes, …
This includes state of the art software to secure the infrastructure against malicious code.
Arcelor Technologies subscribes—with regard to the software that is managed directly by Arcelor Technologies—to contracts with Vendors to obtain the media and the non-exclusive right to use new versions, releases, service packs, patches, hotfixes, …
Arcelor Technologies foresees the necessary tools so that the customer is able to install third party/customer’s software on the servers managed by Arcelor Technologies. In case the existing deployment tool (for the moment only present on MES-servers in Genk, Xxxxxxxx and Xxxxxx) cannot be used to install the software, Arcelor Technologies installs the software. It is important that all the software on the servers is known by Arcelor Technologies to be able to give the necessary support.
• | Planning processes |
• | Availability |
Planned interventions are possible on request.
These interventions occur:
• | As needed to deploy a new functional release |
• | Once per month to apply security patches (duration < 1 hour) |
• | Twice per year to maintain the RDBMS (duration depends on the size of the database). |
• | They need to be validated by the Noble service coordinator, A&M development team and I&O delivery manager. A warning is published also on the IS/IT supply intranet. |
Urgent interventions are possible on request (with at least 2 hour advance warning)
These interventions can occur to prevent a pending incident. The frequency depends on the nature of the risk involved. They need to be validated by the local Noble service coordinator, A&M development team and I&O delivery manager. A warning is published also on the IS/IT supply intranet.
Unavailability impact:
When the system is unavailable during service hours, A&M development team and I&O delivery manager warn the local Noble service coordinator by e-mail.
• | Capacity management |
Arcelor Technologies plans and proposes configurations to provide to the customer the needed capacity.
Arcelor Technologies defines programs to adapt (replacements and evolution) the infrastructure.
• | IT Service Continuity management |
Backup services
Restore services
Disaster Recovery Services
Storage management
• | Design, Build and Test |
Arcelor Technologies designs the server environments needed to host the applications in close cooperation with customer representatives.
• | Arcelor Technologies performs the impact analysis to cope with planned changes, and proposes optimal solutions. |
• | Arcelor Technologies builds and tests the ordered solutions, based on the proposals that are the result of a previous impact analysis. |
• | Arcelor Technologies implements the requests that have been ordered through request management applications such as |
• | For the Ghent perimeter: “PC Bestellingen”, “Autorisatie Aanvragen”, “IBO aanvragen” |
• | For the French perimeter: “Cyberforms”, “Le panier commercial” |
• | As such Arcelor Technologies performs the system administration, the user administration, the storage administration processes |
• | Monitoring processes |
Server and storage infrastructure is supervised and controlled continuously (24h/24 and 7 days/week), using appropriate tools.
• | Mainframe: the supervision is operated by a central and a local team. Xxxxx, Xxxxxxxx, Paris |
• | Unix/SAP, Open VMS, Windows, Domino Servers, SAN Storage, Tape Libraries,…: the supervision is operated by several dedicated and specialized teams in Ghent and Dunkerque. |
1.1.2.2. Application Support Services
Application Support Services are delivered on several platforms: Mainframe, SAP on AIX servers, Windows Server, OpenVMS Servers, Domino Servers, …
Related services are delivered to the customer in cooperation with the developer community:
• | Development environment: |
• | Development on z/OS (Assembler, PL/I, Cobol, Rexx,…) |
• | Development on SAP (ABAP,…) |
• | Development on OpenVMS (Fortran, C, C++, DECForms, FMS,…) |
• | Development on Windows (VB6, Visual Studio .net, …) |
• | Development using CASE tools (AllFusion:Gen,…) |
• | Fault & Debug management tools |
• | Source configuration and release management: on z/OS, SAP and Windows |
• | Database administration and performance tuning: |
• | DB2 on z/OS, |
• | SQLServer and Oracle Server on Windows Server, |
• | Oracle RDB, Oracle CDD,… on OpenVMS, |
• | Oracle Server on AIX |
• | General accounting, application performance management & application tuning: z/OS SAP and Windows |
• | Capacity planning & Trend Analysis. |
1.1.2.3. Commodity Application Services
Several commodity applications are delivered and operated:
• | Document Management |
• | Mainframe End User Computing |
• | Support end user with the conception of some special operations |
• | QMF-DB2 query and Reporting support |
• | Interfacing with OFFICE and other reporting Products, |
• | Data Base administration |
• | PROMA (Ghent perimeter) |
• | The PROMA application is used to support the incident and the problem management processes. |
• | The Service Desk uses PROMA to register manually the incidents that end users submit by phone. |
• | The end users of the customer can use a PROMA interface to register and handle incidents they detected. |
• | All other incidents (detected automatically) can be (and are) registered automatically in PROMA. |
• | CSD (French perimeter) |
• | Consolidated Service Desk by Ps Soft; this module replaces the actual incident handling module of Qualiparc. |
1.1.2.4. Development and Customization Services
Development services and Customization services are delivered to bridge the gap between the operating system software and the layered software products as they are acquired, and the operational conditions needed for the hosted applications.
Development services occur to develop middleware components on all platforms. Examples are SIVAX on OpenVMS, UCM tools on Windows,…
Customization services occur to shape the conditions to operate third party products. Examples are customizations of Axways’ Inter.Pel on all platforms, Development lifecycle support tools to operate AllFusion.Gen on z/OS and OpenVMS,…
1.1.3. Network Services
All the services described hereafter are parts of the categories LAN, WAN, Internet +RAS and Div. Infrastructure + cabling services.
• | Supervision |
• | Hardware supervision |
• | Availability of the functionalities |
• | Network Services management |
• | LAN and WAN study and implementation |
• | LAN and WAN management |
• | Remote Access Services |
• | Internet services |
• | Firewall and Proxy management |
• | Security management and rules |
• | User administration |
• | Other hardware supported by Network service |
• | VT terminals |
• | Thermal Transfer printers |
• | Badge readers (access control systems, time registration systems) |
• | IP Cameras, Barcode Scanners, Hand-held terminals |
• | Other services provided by Network team |
• | Infrastructure computer room management (power, climatization, …) |
• | Server infrastructure (racks, cabling, power distribution, …) |
• | Coordination of the cabling projects and management of the external suppliers |
1.1.4. Technologies Enabler Services
• | Service Desk |
• | For Ghent perimeter: |
• | The service desk in Ghent can be reached 24hours/day 7days/week at a central telephone number: x00 (0) 000 0000 or by e-mail: xxxxxxxx@xxxxxx.xxxxxxx.xxx |
• | The service desk uses a tool (PROMA) to register all the calls of the end users and all the events that need a problem management. |
• | The PROMA-tool is used for manual and automatic registration of incidents. |
• | Whenever a registered incident needs immediate intervention, the Service Desk to call the relevant specialist to solve the problem. Therefore Arcelor Technologies organizes duty guards. |
• | For French perimeter |
• | The Service Desk in Dunkerque can be reached 24hours/day 7days/week at a central telephone number: x00 (0) 0 00 00 00 59 |
• | The service desk uses a tool CSD (Consolidated Service Desk) to register all the calls of the end-users and all the events that need a problem management. |
• | For any other country |
• | access to the service desks can be found on the site xxxx://xxx-xx.xxxxxxx.xx/ in the tab “End-user support/Help Desk” |
• | Incident management |
• | Incident declaration procedure |
• | Incident handling and solving can be invoked through the AT Service Desks |
• | Incidents can be declared as well by automated monitoring services. Events causing alert situations are detected automatically and forwarded to the incident management system, where they are treated according to their criticality. |
• | Incident handling |
• | Incident handling starts within 4 working hours. |
• | When a fatal hardware incident occurs, AT diagnoses the problem and calls the hardware provider within 2 working hours. |
• | The hardware service provider then starts intervention within 4 working hours following AT’s request. As a consequence, remedial action starts within 6 working hours. |
• | Escalation |
• | When a critical incident cannot be solved timely, it is escalated. |
• | Warning and subsequent concertation of these incidents is assigned to: |
• | The corporate Noble service coordinator |
• | Engagement manager |
• | Application and Maintenance Delivery |
• | Infrastructure and Operations Delivery |
They jointly decide on an appropriate action plan, setting actions and priorities and reporting on incident solution status.
• | Provide Technology, know-how and competence |
• | All platforms |
• | Deliver consulting services in the context of their know-how and competence. |
• | Contacts with the suppliers and designers |
• | SAP Team |
• | Netweaver, X/0, Xxxxxx, XX, XXX, Xxxxxxxxxx Portal, … |
• | Active role in the customer SAP competence center |
• | Assets Management, Configuration Management, Change Management |
• | All the assets are registered in a local tool (Configuration Management) used by the Service Desk and the “Work Place Infrastructure” services. |
• | Proposals for cost-reductions and optimizations on a yearly basis |
• | ATB employees whose mailboxes are hosted on the consolidated ArcelorMittal messaging infrastructure, are able to use the ArcelorMittal contact database. For other users, a solution can be designed to deliver the same contact database in a form that can be loaded by Noble. This service is not included in the current agreement. |
1.2. SLA
• | SLAs are defined as follows: |
• | Operational requirements |
For products in the catalogue counting from receipt of the approved request up to signature for the installation report by the user.
| Standard user requests | Reference Level of Service (working days) |
|---|---|
| New workstation | 10 |
| Network printer | 20 |
| Moving an existing user within the same infrastructure environment | 5 |
| Moving an existing user outside the infrastructure environment | 10 |
| Creation of a new user | 10 |
| Teledistribution of software (*) | 2 |
| Urgent teledistribution of software (*) | 1 |
| Extension of drive | 2 |
| Extension of Mailbox | 2 |
| Authorization to shared folder | 2 |

(*) On condition that there is no need for compatibility investigation, thus not for new or complex program groups
• | Incident reactions |
The maximum period agreed for resolving an incident is defined in relation to the type of hardware and the level of maintenance required by the customer.
| Incident | Reference Level of Service (working days) |
|---|---|
| Workstation | Next business day |
| Network printer | Next business day |
| PDA (Blackberry, Qtek) | Next business week, but phone functionality within next business day |
| Infrastructure servers | Next business day |
| Software | Next business day |
| LAN | Next business day |
| WAN | Next business day |
• | An official request for quotation or related demands sent to Arcelor Technologies should be replied to within 5 working days, in order to define a time frame for final delivery of the proposal. |
• | Arcelor Technologies to foresee a SLA follow-up report. |
Arcelor Technologies to assure that all measures to ensure the security of data and communications are in force on the date of the starting up, and that the general principle of confidentiality and Arcelor Technologies safety policy are applied and respected. Noble must respect ArcelorMittal security policies and assure that all users of information systems delivered by Arcelor Technologies respect the “ArcelorMittal Security Charter” (see attached Appendix 7).
1.3. Price – Compensation rules
General
Each month the compensation is split in two parts.
Part 1 to compensate the services that correspond with the consumption of services as defined in the current service catalogue.
Part 2 to compensate services based on a budget charge-back mechanism. The repartition of the services that are subject to both parts and the corresponding reference budget is specified in appendices 1 through 6 to this Schedule A to the Transition Services Agreement.
Specific services with respect to certain ATB entities appear in Appendices 1 through 6
Adaptations to appendices 1 through 6 (adding service, adding site, changing from part, etc.) can be realized on month boundaries, upon mutual, written agreement of both parties to replace the current attachment with a new version.
Specific compensation rules for part 2
The following principles apply:
• | The amount of the invoice is 1/12 of the yearly budget specified in the then governing appendix |
• | The invoice only mentions one line with the provision of the month |
• | The provision is detailed as specified in the then governing appendix |
• | At the end of the year, a review is made for basic recurring services, for the next year. |
• | New projects (extensions) not included in this document, to be invoiced additionally. |
2. Services Delivered By Arcelor Systems
To:
ATB Genk
ATB Gent (to be added)
ATB Xxxxxxxx
ATB Xxxxxxxx
ATB Xxxxxx
ATB Bremen
ATB Belgium + France (to be added)
2.1. List of Services
2.1.1. Applications in scope
Recurrent and Evolutive Maintenance of following applications:
| Applications | Quick description in functional terms |
|---|---|
| SAP Leverage | Integration of TBA in the commercial application Leverage (Order entry, MDI, Invoicing and claims handling). In scope insofar as the cost/developments are not covered by CVT. |
| SAP Aristos | Back office system of TBA, implemented in SAP (modules: FI, MM, CO, AA) |
| RFQ-database | Library for quotes |
2.1.2. Recurrent maintenance
• | Application administration and system monitoring |
• | Bug fixing |
• | User assistance |
2.1.3. Evolutive maintenance
• | Budget + time spent implementation and follow-up of every request for minor evolution (estimate delivery, estimate validation by the client) |
• | Adaptation of team size depending on workload and time changes requested by the client |
• | Management of budget progress all over the year |
Arcelor Systems reserves the right to charge any additional costs for the training and working-in period of new persons who have not worked on this perimeter before. This applies if Arcelor Systems has to strengthen its maintenance team in order to respond to increasing activities requested by the customer and not foreseen in the previous quarter.
2.2. SLA
On the perimeter of the proposal, the following indicators are set up and managed.
| | During office hours | Outside office hours |
|---|---|---|
| Response Time Service desk | Immediately | Immediately |
| Response Time preferred consultant | During office hours | — |
| Fix Time (problem solved or work-around established) | During office hours | — |
Noble must respect ArcelorMittal security policies and guarantee that all users of information systems delivered by Arcelor Technologies respect the “ArcelorMittal Security Charter” attached as Appendix 7 to this Schedule A.
2.3. Price
695€/Day
3. Additional Services Delivered by Arcelor Systems to ATB Gent
To: ATB Gent
3.1. List of Services
3.1.1. Applications in scope
| Applications | Quick description in functional terms |
|---|---|
| NIPOS | System for order management and material follow-up. This system allows the different production orders to be put on the process-systems, managed by IAM-department. These process-systems monitor and capture the processes and send their information back to the NIPOS system. This system allows to have a material genealogy & traceability. |
| ISLA | This mainframe application prints out the necessary dispatching documents and registers the dispatching |
| PROMA | Problem management system for IT |
| XXXX | Dispatching application on regional computer, managed by IAM, that interfaces with ISLA & KLOVIS |
| RIMSES | System to track the maintenance activities |
| Database Welding Parameters | Storage of welding and machine set-up parameters per blank. |
| Metal Balance | System that tracks the materials consumption and production |
| Mainframe end-user environment | All production data are available for the end-user on a separate platform |
3.1.2. Services
• | The provider maintains all the used software packages and informs the customer well in advance of all modifications with noticeable impact for the customer. Upward compatibility is foreseen. |
• | If inevitable modifications must be performed, no extra costs for the customer to originate from this, if those modifications are irrelevant to the customer. If these modifications should involve production limitations, these should be minimized and pre-validated by the customer |
• | The provider gives the necessary training and documentation to the customer to permit the customer to use the software services put at its disposal in an efficient way. |
3.2. SLA
• | For interventions on critical applications, the provider’s staff is available according to the principles of the providing of helpdesk functionalities. This helpdesk coordinates application and infrastructure responsibilities who are on call for these applications. |
• | For interventions of non-critical applications, the provider’s staff is available during normal office hours. The tool to be used for recurrent maintenance is for Arcelor Systems: PROMA (problem management) or via call to helpdesk (tel + 00 0 000 00 00). |
Following severity codes are defined:
| Priority | Scope |
|---|---|
| 1 | The system cannot be used, with critical consequences for the production environment, the situation requires a rapid solution |
| 2 | The system is operational. The critical activities supported by the application can be carried out, but the fault must be repaired as soon as possible. |
Production is not adversely affected by the fault |
Priority 1
| | During office hours | Outside office hours |
|---|---|---|
| Response Time Service desk | Immediately | Immediately |
| Response Time preferred consultant | 30 minutes | 30 minutes |
| Fix Time (problem solved or work-around established) | 2 Hours | 4 Hours |
Priority 2
| | During office hours | Outside office hours |
|---|---|---|
| Response Time Service desk | Immediately | Immediately |
| Response Time preferred consultant | During office hours | — |
| Fix Time (problem solved or work-around established) | During office hours | — |
Arcelor Systems shall aim to remedy/deal with priority 1 incidents:
• | within 2 hours in 90% of cases |
• | within 4 hours in 95% of cases |
• | within 8 hours in 98% of cases. |
• | Within 16 hours in 100% of cases. If this last result is not reached, following escalation procedure is foreseen: |
a management team meeting is set up as soon as possible, this team consists of Arcelor Systems, and ATB Gent. They set up an action plan and make decisions immediately.
This result should be measured per calendar year.
3.3. Price
Based on budget chargeback mechanism of total cost. Budget reviewable at end of every year.
4. Services Delivered by Arcelor Steel Belgium N.V. (Genk Site)
To: ATB Genk
4.1. List of services
• | Network infrastructure, including dataline between TB Genk, Sikel and Xxxxxxx Xxxx |
4.2. Price
• | 33% of total costs dataline, 15% of total costs use and maintenance network infrastructure |
• | 100% of costs for interventions on infrastructure only of interest to TBA Genk |
APPENDICES TO THE IT SECTION OF SCHEDULE A
APPENDIX 1 – ATB Corporate
This Appendix 1 to Schedule A to the Transition Services Agreement is the result of the validation of the Service Catalogue “End User IT Access Products” on May 11th, 2006
PART ONE
SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.
| Service Description | Estimated Value (€) |
|---|---|
| On demand project services | mandays at 77,5 €/Hr |
| Workstation Services provided by AT Gent | 30.000 €/year |
| Workstation Services provided by AT France | 20.630 €/year |
| SAP services | 1.860 €/year |
• | To start execution of on demand projects, both parties must agree in writing. |
• | Charge back of “Workstation Services” is based on the implementation of the pay for service model as specified in the Service Catalogue “End User IT Access Products”. |
• | Before applying changes to the Service Catalogue “End User IT Access Products”, both parties must agree in writing. |
• | For the Gent perimeter: the Lotus Notes Application “PC Bestellingen” is needed to order items on the service catalogue. As a result of those change requests the estimated budget changes accordingly. |
• | For the French perimeter: for the moment, Cyberforms is used, but this is phasing out and is to be replaced by “le panier commercial” |
PART TWO
YEARLY BUDGET: BASIC RECURRING SERVICES
| Service Description | Value (€) |
|---|---|
| SAP services | |
| LAN | |
| WAN | |
| INET + RAS | |
| Div. Infrastructure | |
| Lotus Notes + Mails | |
| Windows servers | |
| Appl. Support Mainframe | |
| Mainframe EUC | |
| Mainframe services | |
| Application Helpdesk | |
| Global charge | 44.939 |

| Service Description | Value (€) |
|---|---|
| RFQ database | |
| (2006-04-CRM-2212 XXX Xxxxxx xxxxxxxx XXX) | 000 |

• | This budget does not include the new project costs nor its impact on the recurrent services, for such new projects as are initiated by ATB Gent for corporate since January 1st, 2007. |
• | To change the perimeter of the now current portfolio of services, both parties must agree in writing. |
APPENDIX 2 – ATB Gent
This Appendix 2 to the Section 1 of the Chapter 7 is the result of the validation of the Service Catalogue “End User IT Access Products” on May 11th, 2006
PART ONE
SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.
Service Description | Estimated Value (€)
On demand project services | mandays at 77,5 €/Hr
Workstation Services | 100.920 €/year
• | To start execution of on demand projects, both parties must agree in writing. |
• | Charge back of “Workstation Services” is based on the implementation of the pay for service model as specified in the Service Catalogue “End User IT Access Products”. |
• | Before applying changes to the Service Catalogue “End User IT Access Products”, both parties must agree in writing. |
• | The Lotus Notes Application “PC Bestellingen” is needed to order items on the service catalogue. As a result of those change requests the estimated budget changes accordingly. |
PART TWO
YEARLY BUDGET: BASIC RECURRING SERVICES
Service Description | Value (€)
Open VMS Servers | 22.862

Service Description | Value (€)
LAN |
WAN |
INET + RAS |
Div. Infrastructure |
Lotus Notes + Mails |
Windows servers |
Appl. Support Mainframe |
Mainframe EUC |
Mainframe services |
Application Helpdesk |
Global charge | 88.019
• | This budget does not include the new project costs nor its impact on the recurrent services, for such new projects as may be initiated by ATB Gent since January 1st, 2007. |
• | To change the perimeter of the now current portfolio of services, both parties must agree in writing. |
APPENDIX 3 – ATB Bremen
This Appendix 3 to Schedule A to the Transition Services Agreement is the result of the validation of the Service Catalogue “End User IT Access Products” on May 11th, 2006
SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.
Service Description | Estimated Value (€)
On demand project services | mandays at 77,5 €/Hr
• | To start execution of on demand projects, both parties must agree in writing. |
APPENDIX 4 – ATB Xxxxxx
This Appendix 4 to Schedule A to the Transition Services Agreement is the result of the validation of the Service Catalogue “End User IT Access Products” on May 11th, 2006
PART ONE
SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.
Service Description | Estimated Value (€)
On demand project services | mandays at 77,5 €/Hr
• | To start execution of on demand projects, both parties must agree in writing. |
PART TWO
YEARLY BUDGET: BASIC RECURRING SERVICES
Service Description | Value (€)
Windows Server Infrastructure |
2006 07 CRM 2211 TBA Serveurs Xxxxxx | 4.700
• | This budget does not include the project costs nor its impact on the recurrent services, for projects that may be initiated by ATB Xxxxxx since January 1st, 2007. |
• | To change the perimeter of the now current portfolio of services, both parties must agree in writing. |
APPENDIX 5 – ATB Xxxxxxxx
This Appendix 5 to Schedule A to the Transition Services Agreement is the result of the validation of the Service Catalogue “End User IT Access Products” on May 11th, 2006
PART ONE
SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.
Service Description | Estimated Value (€)
On demand project services | mandays at 77,5 €/Hr
Workstation Services provided by AT France | 104.500 €/year
Messaging | 5.000 €/year
Printers | 5.400 €/year
• | To start execution of on demand projects, both parties must agree in writing. |
• | Charge back of “Workstation Services” is based on the implementation of the pay for service model as specified in the Service Catalogue “End User IT Access Products”. |
• | Before applying changes to the Service Catalogue “End User IT Access Products”, both parties must agree in writing. |
• | For the French perimeter: for the moment, Cyberforms is used to order items on the service catalogue, but this is phasing out and is to be replaced by “le panier commercial”. As a result of those change requests the estimated budget changes accordingly. |
PART TWO
YEARLY BUDGET: BASIC RECURRING SERVICES
Service Description | Value (€)
Data storage | 6.223 €/year
Network Services | 285 €/year
AS400 | 39.681 €/year
Application Servers | 20.563 €/year
Global charge | 66.752 €/year
• | This budget does not include the new project costs nor its impact on the recurrent services, for such new projects as may be initiated by ATB Xxxxxxxx since January 1st, 2007. |
• | To change the perimeter of the now current portfolio of services, both parties must agree in writing. |
APPENDIX 6 – List of people to be contacted
1. Escalation Procedure in incident management
• | Corporate Noble service coordinator: |
Xxxx Xxx Xxxx; Tel. x00 (0) 0 000 00 00 / Cell phone x00 (0) 000 000 000
• | Engagement Manager: |
Xxxxxx X’Xxxxxxx; Tel. x00 (0) 0 000 00 00
• | Infrastructure and Operations Delivery: |
• | for Belgian perimeter: |
Philippe Van Rietvelde; Tel. x00 (0) 0 000 00 00 / Cell phone x00 (0) 000 000 000
• | for French perimeter: |
Xxxxxxxxx Xxxxxx; Tel. x00 (0) 000 00 00 00 / Cell phone x00 (0) 00 000 00 00
2. Escalation Procedure in persistent non-compliance of SLA’s
• | Head of Customer Care: |
Xxxxxx Xxxxx; Tel x00 (0) 000 00 00 00 / Cell phone x00 (0) 000 00 00 00
• | CFO: |
Xxxx Goascoz; Tel. x00 (0) 000 00 00 00 / Cell phone x00 (0) 000 00 00 00
• | Regional manager: |
for North Region:
Xxxx Xxxxxx; Tel. x00 (0) 0 000 00 00 / Cell phone x00 (0) 000 00 00 00
for Centre Region:
Xxxxxxxx Xxxxxxx; Tel. x00 (0) 000 00 00 00 / Cell phone x00 (0) 000 00 00 00
for the Factory:
Xxxxx Xxxxxx; Tel. x00 (0) 000 00 00 00 / Cell phone x00 (0) 000 00 00 00
3. Coordination of the customer relationship management
At the signature of the Agreement, the Agreement Manager designated by the Provider is:
Engagement Manager: Xxxxxx X’Xxxxxxx; Tel. x00 (0) 0 000 00 00
and the Agreement Manager designated by the Customer is:
Xxxx Xxx Xxxx; Tel. x00 (0) 0 000 00 00
APPENDIX 7 TO THE IT SECTION OF SCHEDULE A:
ARCELORMITTAL INFORMATION SECURITY POLICIES
Date: 2003-12-01 / version n°
1. INFORMATION SECURITY POLICIES FRAMEWORK
1.1 Background
ARCELORMITTAL is critically dependent on information and information systems. If important information were disclosed to inappropriate persons, the company could suffer serious losses. The good reputation that ARCELORMITTAL enjoys is also directly linked with the way that it manages both information and information systems. For example, if private customer information were to be publicly disclosed, the organization’s reputation would be harmed. For these and other important business reasons, the IS/IT steering committee has initiated and continues to support an information security effort. One part of that effort is the definition of the information security policies.
1.2 Scope
Involved Persons
Every worker at ARCELORMITTAL must comply with the information security policies and related information security documents.
Every internal or external service provider must also comply with these policies.
Involved Systems
These policies apply to all computer and network systems owned by or administered by ARCELORMITTAL. These policies apply to all operating systems, computer sizes, and application systems. They cover only information handled by computers and networks.
1.3 Key actors
Corporate Information Security Officer
The Corporate Information Security Officer is responsible for:
• | Establishing and maintaining ARCELORMITTAL-wide information security policies, standards and guidelines (see definitions in point 1.8 below) in a collaborative manner with the ARCELORMITTAL entities representatives. See Security Workgroups below. |
• | Checking compliance to ensure that organizational units are operating in a manner consistent with the policies. |
• | Managing information security training and awareness programs for ARCELORMITTAL users. |
Local Information Security Officer
There is one Local Security Officer function per IT Delivery Organization. Their main tasks are setting up the local security compliance plan, following it up, communicating and promoting the policies within their local entity (See point 1.4 below). In order to fulfill these tasks, the Local Security Officer must have a global view across all security domains within his or her entity. There is one security domain per security policy. The seven security domains are:
1. | Protection against malicious code |
2. | Vulnerabilities management and secured configurations |
3. | Logical access controls |
4. | Network security |
5. | Data back-up |
6. | Disaster recovery |
7. | Charter. |
Security Workgroups
Each security domain is tackled by one specific security workgroup. This workgroup contains technical experts from ARCELORMITTAL IT Delivery Organizations having the best knowledge about one security domain.
The first main task of these small workgroups is defining the security policies with the Corporate Security Officer.
Following validation of the security policies by the IT Steering Committee, this workgroup is possibly to choose the best technology to implement them and to write the implementation standards and best practices to be used by all the IT delivery organizations, e.g. writing a system hardening checklist in the framework of the secured configurations policies.
IT Steering Committee
The IT Steering Committee validates the information security policies.
Internal audit
The internal audit can be asked by a Business Unit to audit their security position against the security policies.
Three operational responsibilities: Owner, Custodian and User
In order to make the policies operational, three categories of persons are defined, at least one of which applies to each ARCELORMITTAL Group member. These categories are Owner, Custodian, and User. These categories define general responsibilities with respect to information security.
Owner Responsibilities
Information Owners are the department managers, members of the top management team, or their delegates within ARCELORMITTAL who bear responsibility for the acquisition, development, and maintenance of production applications that process ARCELORMITTAL information. Production applications are computer programs that regularly provide reports in support of decision making and other business activities.
All production application system information must have a designated Owner.
For each application, Owners, based on the information sensitivity, define which users are to be granted access, and approve requests for the various ways in which the information is to be utilized.
Custodian Responsibilities
Custodians are in physical or logical possession of either ARCELORMITTAL information or information that has been entrusted to ARCELORMITTAL. While IT department staff members clearly are Custodians, local system administrators are also Custodians. Whenever information is maintained only on a personal computer, the User is also a Custodian. Each type of production application system information must have one or more designated Custodians.
Custodians are responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure, and making backups so that critical information is not lost. Custodians are also required to implement, operate, and maintain the security measures defined by information Owners.
User Responsibilities
Users are responsible for familiarizing themselves with and complying with all ARCELORMITTAL policies, standards and guidelines dealing with information security, particularly the ARCELORMITTAL Charter once it is completed. As a first step, advice on using the data processing resources is to be published. A recurrent awareness program, managed by the Information Security Committee, is to help maintain good user behavior.
1.4 The baseline policies and their target
The priority policies that have been worked out by a small group of technical people (members of the above Custodian category) cover the following information security topics:
• | Protection against malicious code |
• | Vulnerabilities management and secured configurations |
• | Logical access control |
• | Network security |
• | Data back-up |
• | Business Continuity Planning and Disaster Recovery Planning (BCP and DRP) |
• | Advices to users in using the data processing resources |
These policies are to be communicated according to the following chart:
Owner (Within the Business Community) |
Custodian (Within the IS/IT |
Users | ||||
Protection against malicious code |
X | |||||
Vulnerabilities management and secured configuration |
X | |||||
Logical access control |
X | X | ||||
Network security |
X | X | ||||
Data back-up |
X | X | ||||
BCP and DRP |
X | X | ||||
Advices to users in using the data processing resources |
X | X | X |
Every ARCELORMITTAL Group member is to receive only the policies in which they are involved.
The Local Information Security Officers are to relay the policies within their scope.
1.5 Legal Affairs link
The present Policy must be notified to every Service Provider or external entity that is granted an access to our internal network, prior to any access. Notification can be made via the contract: for that purpose, the present policy may be attached to the contract with said entity as a binding document.
1.6 Critical systems
Beyond the baseline controls applied to every data processing platform, the information owners are to identify any additional security measures needed to increase the security level of critical systems. In that case, risk analysis is to be used to ensure that the extra cost is less than the risk itself.
1.7 Non-compliance
In rare cases, a business case for non-compliance can be established. In all such cases, the non-compliance situation must be approved in advance through a risk acceptance process. This process requires a risk acceptance memo signed by a department manager and approved by the Information System Security Committee.
1.8 Definitions
Policy
A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
Standard
A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to xxxxxx a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
Guideline
A guideline is typically a collection of system specific or procedural specific “suggestions” for best practice. They are not requirements to be met, but are recommended.
2. PROTECTION AGAINST MALICIOUS CODE POLICIES
2.1 Abstract
Computer viruses and other forms of malicious code are constantly being developed and transmitted via many methods to unsuspecting computer users around the world. The purpose of this policy is to ensure that ARCELORMITTAL-controlled system assets are suitably protected. This can be accomplished via an appropriate mix of preventive measures, including policy and anti-virus software. Education and awareness programs can also play an important role.
2.2 Definitions
System Assets
System assets include information, hardware, software and services required to support the functions of the ARCELORMITTAL Business Units.
Malicious code
Malicious code is a catch-all term used to refer to various types of software that can cause problems or damage computers. The more common classes of program referred to as malicious code are viruses, worms, Trojan horses and macro viruses.
Virus
A virus is malicious code that replicates itself. New viruses are discovered daily. Some exist simply to replicate themselves. Others can do serious damage such as erasing files or even rendering the computer itself inoperable.
Worm
A worm is similar to a virus. Worms replicate themselves like viruses, but do not alter files as viruses do. The main difference is that worms reside in memory and usually remain unnoticed until the rate of replication reduces system resources to the point that it becomes noticeable, e.g. when they generate high network traffic.
Trojan horses
A Trojan horse is so called in reference to the story of the Trojan horse from Greek legend. It is a malicious program disguised as a normal application. Trojan horse programs do not replicate themselves like a virus, but they can be propagated as attachments to a virus. Such malicious code can be used by an unauthorized person to gain remote control of the platform on which it has been furtively installed.
Macro Viruses
A macro virus is a computer virus that “infects” a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Macro viruses tend to be surprising but relatively harmless. A typical effect is the undesired insertion of some comic text at certain points when writing a line. A macro virus is often spread as an e-mail virus. A well-known example in March, 1999 was the Xxxxxxx virus.
Anti-Virus Software
A commercially available computer program that detects and eradicates malicious code.
Signatures
Known virus patterns used by anti-virus software to detect known viruses. The signatures are contained in a file that the anti-virus software provider regularly updates with information on new viruses.
Red Alert State
The Red Alert state is declared when a new virus has been detected somewhere in the world, and new signatures are not yet available from the anti-virus provider. Should this new virus enter the internal ARCELORMITTAL network, it would be impossible for the anti-virus software in use to detect it. So, it is a critical period of time until the new signatures are received and made operational.
Hoax
A virus hoax is a false warning about a computer virus. Typically, the warning arrives in an e-mail note or is distributed through a note in a company’s internal network. These notes are usually forwarded using distribution lists and they will typically suggest that the recipient forward the note to other distribution lists.
2.3 Protection Against Malicious Code policies
2.3.1. Any software or files entering the ARCELORMITTAL internal network must be screened for viruses by anti-virus software before general distribution, whatever the media.
2.3.2. Anti-virus software must be installed and continuously enabled on all ARCELORMITTAL Internet gateways, FTP servers, mail servers, infrastructure servers, application servers and desktop machines. MVS Operating Systems are out of scope.
2.3.3. Signature updates must be done automatically on a regular basis without any user action. System administrators must take care to update the engine when necessary. See standard 2.4.1.
2.3.4. All emails entering the ARCELORMITTAL internal network must be screened by an anti-virus software package.
Anti-virus update frequency must be very high at these entry points. See standard 2.4.1.
2.3.5. Compliance with software licenses is mandatory, in case of new installation as well as extension of a product already used. Prohibiting the use of unauthorized software is a key factor in malicious code protection.
2.3.6. All file sharing must be access control protected.
2.3.7. Any systems without anti-virus software must be isolated from the ARCELORMITTAL network in order to avoid potential spreading of viruses. These systems can only have access to a restricted number of protected devices inside the ARCELORMITTAL internal network. MVS Operating Systems are out of scope.
2.3.8. Systems that are virus-infested must be immediately cleaned or disconnected from the ARCELORMITTAL network.
2.3.9. All known executable files attached to an external e-mail must always be blocked in order to mitigate any new virus spreading. See standard 2.4.2.
2.3.10. The present Policy must be notified to every Service Provider or external entity that is granted an access to our internal network, prior to any access. Notification can be made via the contract: for that purpose, the present policy may be attached to the contract with said entity as a binding document.
The following statements are user oriented, but must be taken into account by the people this policy targets who work in the malicious code protection area:
2.3.11. Users must not attempt to remove a computer virus from any system unless they do so while in communication with a system administrator.
2.3.12. Users must not employ any electronic mail addresses other than official ARCELORMITTAL electronic mail addresses for all company business matters.
2.3.13. Users must not open electronic mail attachments unless they were expected from a known and trusted sender, and unless these attachments have been scanned by an approved anti-virus software package.
2.3.14. When users receive unwanted and unsolicited electronic mail, they must forward the message only to the electronic mail administrator or to their ordinary contact, and must not respond directly to the sender.
2.4 Protection Against Malicious Code Standards
2.4.1. These update and scan frequencies must be applied to the different platforms:
Platform | Update frequency | Scan frequency
SMTP relay | At least every three hours | N/A
Internet interface (http, ftp,…) | At least every three hours | N/A
Infrastructure servers | Every day | Once per week
Application servers | Every day | Once per week
Workstations | Every day | Not mandatory
2.4.2. All the following known attachments must be blocked:
BAT | Batch File
CHM | Compiled HTML Help File
CMD | Windows NT Command Script
COM | MS-DOS Application
CPL | Control Panel Extension
EXE | Application
HLP | Help File
HTA | HTML Applications
INF | Setup Information File
INS | Internet Communication Settings
ISP | Internet Communication Settings
JS | JScript File
JSE | JScript Encoded Script File
LNK | Shortcut
MSC | Microsoft Common Console Document
MSI | Windows Installer Package
MSP | Windows Installer Patch
PCD | Photo CD Image or Microsoft Visual Test Compiled Script
PIF | Shortcut to MS-DOS Program
REG | Registration Entries
SCR | Screen Saver
SCT | Windows Script Component
SHB | Document Shortcut File
SHS | Shell Scrap Object
VB | VBScript File
VBE | VBScript Encoded Script File
VBS | VBScript Script File
WSC | Windows Script Component
WSF | Windows Script File
WSH | Windows Scripting Host Settings File
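The following is an added illustration of how a mail gateway check could enforce policy 2.3.9 with the list in standard 2.4.2; it is not part of the Agreement or of the policy. The function names and the sample message are constructed for this example, and matching on the last extension after stripping trailing dots and spaces is an assumption about how the rule would be applied.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions listed in standard 2.4.2, compared case-insensitively.
BLOCKED_EXTENSIONS = frozenset("""
    BAT CHM CMD COM CPL EXE HLP HTA INF INS ISP JS JSE LNK MSC MSI MSP PCD
    PIF REG SCR SCT SHB SHS VB VBE VBS WSC WSF WSH
""".lower().split())


def effective_extension(filename):
    """Return the last extension of a file name, lower-cased, or ''.

    Any directory part is dropped, and trailing dots and spaces are removed
    first, because Windows ignores them when it opens a file: "a.exe." is
    treated as "a.exe". Only the last extension counts, so "x.pdf.exe"
    is an EXE.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def blocked_attachments(raw_message):
    """Return (filename, extension) for every part that 2.4.2 would block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no file of their own
        # get_filename() reads Content-Disposition "filename" and falls
        # back to the Content-Type "name" parameter.
        filename = part.get_filename()
        if not filename:
            continue
        ext = effective_extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            hits.append((filename, ext))
    return hits


def build_sample():
    """Constructed test message with allowed and blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    for name in ("report.pdf", "Invoice.PDF.ExE", "notes.vbs.", "readme"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, ext in blocked_attachments(build_sample()):
        print("BLOCK %r (extension %s)" % (filename, ext))
```

A filter of this kind only looks at the declared file name, so it complements the anti-virus scanning required by 2.3.4 and does not replace it.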
2.5 Protection Against Malicious Code Guidelines
2.5.1. In case of red alert:
• | All incoming mail should be blocked; |
• | Alert messages towards the end users at the time the red alert state is discovered and at the end of this state should be sent. |
2.5.2. In case of high virus activity period, the server anti-virus should be activated for all in-going and out-going flows.
2.5.3. The e-mail pre-view function should be disabled for incoming and suppressed mail, in order to avoid automatic code execution.
3. VULNERABILITIES AND SECURED CONFIGURATION MANAGEMENT POLICIES
3.1 Abstract
Security vulnerabilities and exposures in system components are regularly discovered and documented on the Internet. Approximately six vulnerabilities are published per day across all types of platforms. Moreover, platform default configuration parameters are not security minded. These policies prescribe preventive measures to ensure that, at any time, platform security levels are maintained at an optimum level, particularly for the more exposed platforms in the DMZ, that is to say, the platforms nearest the Internet.
3.2 Definitions
Vulnerability
A flaw or weakness in system design that can be exploited to violate the system security.
Threat analysis
A vulnerability measurement that includes the susceptibility of a particular system to a specific attack, and the opportunities available to a threat agent to mount that attack.
Secured configuration
A secured configuration is a configuration whose default security parameters, which often lead to a low platform security level, have been scrutinized in order to reinforce the platform security level. This system hardening process also includes the removal of all unnecessary system features or services in order to dissuade and defeat intrusion or security breach attempts.
3.3 Vulnerabilities and Secured Configuration Management policies
3.3.1. All ARCELORMITTAL computers, and computers used inside the ARCELORMITTAL infrastructure, must be configured according to security requirements published by the ARCELORMITTAL Information Security Committee.
3.3.2. There must be a vulnerability management process in place in each ARCELORMITTAL IS/IT entity. This process must include:
• | Vulnerabilities capturing from warnings, provider alarms or attack simulation (scan) on a regular basis. |
• | Vulnerabilities threat analysis whose conclusion can be to apply or not to apply security measures such as patches or reconfiguration,… |
• | Applying security measures in the framework of change management process. |
3.3.3. All critical systems, especially those directly connected to the Internet, must be subjected to an automated threat analysis performed by vulnerability identification software at least once a month. Moreover, this threat analysis must also be performed immediately after any change in system or software configuration.
3.3.4. Any vulnerability identification software or other tools that could be used to compromise the security of information systems must not be found on any computer without formal authorization by the local information security officer.
Detailed inventory of such tools must be maintained by the local security officer.
3.3.5. Specific information about information system vulnerabilities, such as the details of a recent system break-in, must not be distributed to persons who do not have a demonstrable need to know.
3.3.6. Any information about information systems security events is to be considered as confidential, unless compelled by the law. As a consequence, any public disclosure is strictly prohibited.
3.3.7. Everybody must report all suspected information security incidents as quickly as possible through the approved ARCELORMITTAL internal channels only, that is to say, without discussing them with other people.
ARCELORMITTAL internal channels are based on local IS/IT specific coordination and its link to the ARCELORMITTAL Information Security Committee.
3.3.8. When a new and serious information systems security vulnerability associated with a particular vendor’s hardware or software is discovered, it must be immediately documented in detail and reported in writing to the vendor by the IT staff. All elements that could be used as direct or indirect evidence of the problem and its consequences have to be immediately archived and secured.
3.4 Vulnerabilities and Secured Configuration Management Standards
3.4.1. As an example, security standard configuration documents must at least contain these following items:
• | All vendor-supplied default passwords must be changed before any computer or communications system is used for ARCELORMITTAL business. |
• | Services to leave open |
• | Remove unused software |
• | …… |
3.4.2. There must be one security standard configuration per platform type.
As far as the servers are concerned, the NT4, 2000, 2003 and LINUX platforms must at least be covered.
As far as the workstations are concerned, the NT4, 2000 and XP platforms must at least be covered.
3.4.3. There must also be one security standard for every application platform in use, such as SQL Server, Oracle, IIS, Apache, ……
3.5 Vulnerabilities and Secured Configuration Management Guidelines
3.5.1. All ARCELORMITTAL critical computers and servers should regularly run integrity checking software that detects changes in configuration files, system software files, application software files, and other system resources.
3.5.2. When vulnerability identification software is not being actively used, it should be removed from the system on which it has been run.
4. LOGICAL ACCESS CONTROL POLICIES
4.1 Abstract
Logical access control rests on four pillars: identification, authentication, authorization and, last but not least, monitoring.
Authorization is based on a person identified by a properly authenticated user ID, who is granted the system privileges and/or the access rules necessary to perform her or his task.
In terms of baseline controls, authentication by password can be considered as a good minimum security level, provided the management of the user IDs, password and authorization are compliant with the policies presented below.
By ensuring that only an involved end user knows his or her own password, it permits system activity logged with a corresponding personal user ID to be uniquely attributable to a certain user.
The information owner is responsible for validating access requests to her or his applications and data.
The policies below are structured according to the four access control pillars:
1. | Identification |
2. | Authentication |
3. | Authorization |
4. | Monitoring |
4.2 Definitions
Identification and User ID
In order to get access to an information system, a user has to identify himself to the information system access control system by entering a specific code called user ID. This user ID is defined and provided by a local security administration team based on a validated request.
Authentication
Authentication is the process of determining the true identity of someone. Basic authentication is simply using a password to verify that a user is who he says he is. In that case, authentication is based on something the user knows. Stronger authentication mechanisms can also be used according to the sensitivity of the information accessed:
• | Tokens and smart cards are authentication devices authenticating a user based on something he knows (Personal identification number comparable to a password) and something he has (the token or the smart card). |
• | Biometric devices are devices that authenticate a user based on what he is, e.g. based on fingerprints or retina scans. |
Authorization
Once a user has been authenticated, authorization establishes what resources he can access and what he is allowed to do with these resources.
4.3 Policies
4.3.1. IDENTIFICATION
4.3.1.1 User registration
4.3.1.1.1. All user IDs on ARCELORMITTAL computers and networks must be constructed according to the user ID construction standard used by the local IS/IT delivery organization registering the user for the first time.
4.3.1.1.2. Each computer and communication system user ID must uniquely identify only one user.
Shared or group user IDs must not be created or used except in the cases where personnel is working in shifts with restricted access. In that case, a responsible person has to be designated by name. Any other exception must be approved by the Local Security Officer.
4.3.1.1.3. Every user must have a single unique user ID and a personal secret password for access to ARCELORMITTAL multi-user computers and computer networks. Whenever possible, these user IDs must be the same on every computer system. The user IDs must not be reassigned after a user terminates her or his relationship with ARCELORMITTAL.
4.3.1.1.4 When a user moves from one entity to another inside the ARCELORMITTAL Group, he or she keeps his or her user ID.
4.3.1.1.5. Every user ID established for a non-ARCELORMITTAL employee must have a specified expiration date, with a default expiration of 30 days when the actual expiration is unknown. Where user ID expiration is not automated, the contracting authority must alert the IT Delivery Organization for explicit expiration at the time the non-ARCELORMITTAL employee contract is terminated.
4.3.1.1.6. All ARCELORMITTAL information systems user IDs must be promptly terminated at the time that a worker ceases to provide services to ARCELORMITTAL.
4.3.1.1.7. All user IDs must automatically be revoked after a 90-day period of inactivity.
4.3.1.1.8. Whenever ARCELORMITTAL opens a new user ID, authentication of the user identity must be done in a definitive manner.
4.3.1.1.9 All requests for a user ID on ARCELORMITTAL multi-user systems must be submitted on a completed system access request form that is authorized by the user’s immediate manager.
4.3.1.2 Automatic terminal Identification
4.3.1.2.1 When terminal identification is used to authenticate a terminal connection to a specific location, the physical access to the terminal must be restricted to those workers with a need to know. These terminals can only be found in an assembly line function in a manufacturing facility to ensure an uninterrupted flow of product and services.
4.3.1.3 Log-on procedures
4.3.1.3.1. All workstations including, but not limited to, personal computers, portable computers, transportable computers, and handhelds, must employ an access control system approved by the ARCELORMITTAL Information Security Committee.
4.3.1.3.2. Password-protected screensavers must be configured and permanently activated on any active terminal such as a workstation.
4.3.1.3.3. ARCELORMITTAL application systems developers must consistently rely on the access controls provided by operating systems, commercially-available access control systems that enhance operating systems, gateways or firewalls, and must not construct other mechanisms to collect access control information, or construct or install other mechanisms to identify or authenticate the identity of users without the advance permission of the ARCELORMITTAL Information Security Committee.
4.3.1.4 Log-on procedure guidelines
4.3.1.4.1. When logging into an ARCELORMITTAL computer or data communications system, if any part of the logon sequence is incorrect, the user should be given only feedback that the entire logon process was incorrect.
4.3.1.4.2. Every logon screen for multi-user computers should include a special notice that must state that the system may only be accessed by authorized users and that users who log on represent that they are authorized to do so.
4.3.1.4.3. At logon time, every user should be given information reflecting the last logon time and date.
4.3.2. AUTHENTICATION
4.3.2.1 User Password Management
4.3.2.1.1. First or newly issued passwords must expire, forcing the user to choose another password during the first logon process.
4.3.2.1.2 The initial password for a new user must be securely provided.
4.3.2.1.3. All ARCELORMITTAL computer systems that employ fixed passwords at log on must be configured to permit only six attempts within a day to enter a correct password, after which the user ID is deactivated and can only be reset by the Help Desk staff or system administrator after authenticating the user’s identity.
4.3.2.1.4. Passwords must never be hard-coded into software.
4.3.2.1.5. Security administrators may only disclose passwords to a user provided his or her identity has been proven, and only in the following cases: a new user ID is being assigned, the involved user has forgotten or misplaced her or his password, the involved user is locked out.
4.3.2.2 User Password Management guideline
4.3.2.2.1. All fixed password resets or changes must be promptly confirmed by regular mail so that the authorized user can readily detect and report any fraudulent or abusive behavior. This mail must contain instructions to the user.
4.3.2.2.2 If a privileged user ID has been compromised by an intruder or another type of unauthorized user, all passwords on that system should be immediately changed.
4.3.2.3 Password management systems
4.3.2.3.1. All passwords must have at least six characters and their length must always be checked automatically at the time that users construct or select their password.
4.3.2.3.2. Users must not construct passwords that are identical to the five passwords that they had previously employed.
4.3.2.3.3. Users must not be able to successfully modify their password more than one time a day.
4.3.2.3.4. All user passwords must not be easily guessable.
4.3.2.3.5. The display and printing of passwords must be masked, suppressed, or otherwise obscured so that unauthorized parties are not able to observe or subsequently recover them.
4.3.2.3.6. Unencrypted passwords must not be recorded in system logs.
4.3.2.3.7. Passwords must always be encrypted when held in storage.
4.3.2.3.8. ARCELORMITTAL information systems must never store any access control information in cookies deposited on, or stored on, end-user computers.
4.3.2.4 Password management guidelines
4.3.2.4.1 All users should be automatically required to change their passwords at least once every 90 days.
4.3.3. AUTHORIZATION
4.3.3.1 Privilege management
4.3.3.1.1. The computer and communications system privileges of all users, systems, and programs must be restricted based on the need to know.
4.3.3.1.2. System administrators managing multi-user computer systems must have at least two user IDs, one that provides privileged access, and the other to perform her or his normal day-to-day work.
4.3.3.1.3. Current records reflecting all the system privileges the users have on all the computer systems must be maintained.
4.3.3.1.4. The system privileges granted to every user must be reevaluated by the user’s immediate manager every year to determine whether currently-enabled system privileges are needed to perform the user’s current job duties.
4.3.3.1.5. The number of privileged user IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized purposes.
4.3.3.1.6. Attribution of system privileges must be approved by the IS/IT management.
4.3.3.1.7. Special system privileges, such as the ability to examine the files of other users or to change the security state of the system, must be restricted to those directly responsible for system management or security, and granted only to those who have attended an approved system administrator training class.
4.3.3.2 Privilege management guideline
4.3.3.2.1. When technically possible, system privileges should be defined so that non-production staff including, but not limited to, internal auditors, information security administrators, and computer operators are not permitted to update production business information.
As far as the programmers are concerned, their intervention must be fully justified and documented.
4.3.3.3 User access rights
4.3.3.3.1. User access rights must be restricted based on the need to know.
4.3.3.3.2. User access rights must be approved by the information owner.
4.3.3.3.3. User access rights to sensitive information must be reevaluated by the information owner every year to determine whether currently-enabled access rights are needed to perform the user’s current job duties.
4.3.3.3.4. All requests for user access rights to ARCELORMITTAL multi-user systems must be submitted on a completed system access request form that is authorized by the user’s immediate manager.
4.3.4. MONITORING
4.3.4.1. All computer systems running ARCELORMITTAL production application systems must include logs that record, at a minimum, user session activity (including user IDs, logon date and time, logoff date and time, and applications invoked), changes to critical application system files, additions and changes to the privileges of users, and system start-ups and shut-downs.
4.3.4.2. All production application systems that handle sensitive ARCELORMITTAL information must generate logs that capture every addition, modification, and deletion to such sensitive information.
4.3.4.3. Computer systems handling sensitive, valuable, or critical information must securely log all significant security relevant events including, but not limited to, password guessing attempts, attempts to use privileges that are not authorized, modifications to production application software, and to system software.
4.3.4.4. Computerized logs containing security relevant events about critical systems must be securely retained for at least three months, during which time they must be secured such that they cannot be modified, and such that they can be read only by authorized persons. If more than three-month retention is requested by the information owner, it is mentioned in an SLA contract.
4.3.4.5. All user ID creation, deletion, and privilege change activity performed by system administrators and others with privileged user IDs must be securely logged.
5. NETWORK SECURITY POLICIES
5.1 Abstract
Communication networks carry information and provide access to information systems. They are highly vulnerable to disruption and abuse. Safeguarding business communications therefore requires robust and secure network design and strict control by ARCELORMITTAL over all types of access paths.
5.2 Policies
5.2.1 General principles
5.2.1.1 Only ARCELORMITTAL controlled computers are allowed to access the ARCELORMITTAL internal network.
5.2.1.2 All computer systems and network segments must meet the security criteria established by the Information Security Committee before they can be connected to the ARCELORMITTAL network.
5.2.1.3 No one is allowed to modify the network and telecommunication infrastructure, except under control of the local IT team.
5.2.1.4 The establishment of a direct connection between ARCELORMITTAL systems and computers at external organizations must be secured.
5.2.2 Internet connections
5.2.2.1 There must not be any direct connection between the internal network and the Internet. Two levels of different gateways (internal, external) must be implemented to ensure optimum protection, e.g. one router and a firewall.
5.2.2.2 All web servers accessible through the Internet must be protected by a secured gateway and must be placed on subnets separate from internal ARCELORMITTAL networks.
5.2.2.3 All Internet access from computers in ARCELORMITTAL offices must be routed through a secured gateway.
5.2.2.4 Secured gateway configuration rules must only be changed based on business needs, documented, and in compliance with the ARCELORMITTAL security rules.
5.2.2.5 All publicly-modifiable directories on ARCELORMITTAL Internet-connected computers are prohibited. If a need to deposit and share information among the ARCELORMITTAL community appears, the ARCELORMITTAL portal usage is mandatory.
5.2.2.6 User Internet access must be approved by the relevant user direct manager who assures that the user has a demonstrable business need for such access.
5.2.3 Remote accesses
5.2.3.1 Usage of modems is prohibited on computers connected to the internal network.
5.2.3.2 All remote accesses through a public network to the ARCELORMITTAL internal network with full access, privileged access or access to sensitive information must employ stronger user authentication.
(This statement is still pending)
5.2.4 Wireless LAN
5.2.4.1 ARCELORMITTAL wireless installation must be approved by the local IT team.
5.2.4.2. ARCELORMITTAL wireless networks must always be configured to employ encryption and access control.
5.2.5 Physical and Logical Access to Network devices
5.2.5.1 All business-critical devices supporting the ARCELORMITTAL telephone system, intranet, local area networks, and the wide area network must be centralized in dedicated rooms with at least physical access controls and environmental monitoring systems.
5.2.5.2 All ARCELORMITTAL internal network devices must be password-protected and passwords must be changed from installation defaults.
5.2.6 Application system design
5.2.6.1 ARCELORMITTAL systems designers and developers must restrict their usage of external network interfaces and protocols to those that have been expressly approved by Information Security Committee.
5.2.6.2 When designing an ARCELORMITTAL Internet web application that gathers personal data, compliance with local laws must be ensured.
5.2.6.3 The internal system addresses, configurations, and related system design information for ARCELORMITTAL networked computer systems must be restricted such that both systems and users outside the ARCELORMITTAL internal network cannot access this information.
5.2.7. Network monitoring
5.2.7.1 All Internet-connected web servers must be protected by a network-based intrusion detection system approved by the Information Security Committee.
5.2.7.2 The Local Security Officer must maintain a current inventory of all connections to external networks.
5.2.8 Critical networks and servers
5.2.8.1 All ARCELORMITTAL critical network services must be identified by the business community. These critical servers are to have their security level improved through the policies below.
5.2.8.2 In terms of availability, management must design communications networks so that no single point of failure could cause critical network services to be unavailable.
5.2.8.3 Because the ARCELORMITTAL trusted network extends across all the ARCELORMITTAL entities and crosses national and organizational boundaries, there must be separately defined logical domains, each protected with suitable security perimeters and access control mechanisms, in order to host critical servers.
5.2.8.4 All critical internal networks must be configured such that they can prevent or detect attempts to connect unauthorized computers.
5.2.8.5 Every high-security and high-reliability system managed by or owned by ARCELORMITTAL must have its own dedicated computers and networks.
5.2.8.6 All critical Internet-connected systems used for production purposes must employ integrity assessment tools.
5.2.8.7 A host-based intrusion detection system approved by the Information Security Committee must be continuously running on all ARCELORMITTAL critical servers that are connected to any outside network.
6. DATA BACK-UP POLICIES
6.1. In order to prevent loss of essential information and software, back-up versions of essential information and software used by the applications must be taken regularly, according to a defined cycle.
6.2. The retention period for essential business information, and also any requirement for archive copies to be permanently retained, must be determined. Retention period is a key factor in case of logically corrupted data.
6.3. In order to be compliant with the needs of the business continuity planning / Disaster recovery planning (disaster), information and software backups must be stored in an environmentally protected and access-controlled site that is a sufficient distance away from the originating facility.
6.4. Nomad users must make their own data backup according to the local procedures.
6.5. Back-up information must be given an appropriate level of physical and environmental protection similar to the one applied at the main site. Particularly, all areas where backup media is stored must be kept fully closed when not in active use.
6.6. Data back-ups should be given a level of logical access similar to the one to the data backed-up.
6.7. Back-up media should be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary.
6.8. Computer media storage procedures must assure that back-up or archive information stored for prolonged periods of time are not lost due to deterioration, and are periodically tested for reliability.
7. BCP/DRP SECURITY POLICIES
7.1 Abstract
An ARCELORMITTAL Business Unit process for developing and maintaining both business contingency plans and computer contingency plans must be documented and maintained by Information Systems management in order to be compliant with the hereafter policies 1 to 7.
It is worth mentioning that the planning process itself ordinarily would involve areas such as:
• identification and prioritization of critical business processes, based on risk analysis,
• documentation of procedures and processes,
• identifying and assigning responsibility for handling emergencies and disasters,
• education of staff,
• periodic testing of plans.
7.2 BCP/DRP Security Policies
7.2.1. In conjunction with the information Owners, Information Systems Management must perform a business impact analysis that will specify the degree of criticality of all production multi-user computer applications. The criticality must be representative of the maximum period that the ARCELORMITTAL BU can go without critical information processing services, the time period in which management must decide whether to activate the recovery plan, and the minimum acceptable production information systems recovery configuration.
7.2.2. Information Systems management must establish and use a logical framework for classifying all information resources by recovery priority that will permit the most critical information resources to be recovered first.
See guideline 1.
7.2.3. Management must prepare, periodically update, and regularly test a business recovery plan that specifies how alternative facilities are to be provided so that workers can continue operations in the event of a business interruption. Updating must be done after any modification relative to any theme of the plan. Testing must be done every year.
In addition to the normal services restoration procedures, the business recovery plan must include:
• The roles and responsibilities for both information systems contingency planning and information systems recovery. These roles and responsibilities must also be reviewed and updated by Information Security management.
• Manual procedures, where critical business activities could reasonably be performed in that way.
• A call tree indicating every available telephone number for every worker involved in information-systems-related contingency planning, and disaster and emergency response. This call tree must also be tested and updated.
7.2.4. The workers playing a role in recovery operations with an ARCELORMITTAL Business Unit information systems must be identified and must have the technical knowledge needed to perform each essential recovery task.
7.2.5. User department management and Information Technology management must agree and document the support levels that are to be provided in the event of a disaster or emergency.
7.2.6. The business recovery test must be followed up with a brief report to top management detailing the results.
7.2.7. Business and information systems contingency plans must be continuously accessible.
7.2.8. All contracts to be signed with Service Providers in the scope of the present Policy are subject to close legal scrutiny from ARCELORMITTAL’s Legal Affairs, e.g. as regards the liability and insurance Clause.
7.3 BCP/DRP Security Guideline
7.3.1. Levels of criticality (as an example)
• Highly critical (very high availability – strategic level)
The maximum period that the ARCELORMITTAL BU can go without critical information processing services is less than four hours without data loss.
• Critical (high availability – critical level)
The maximum period that the ARCELORMITTAL BU can go without critical information processing services is less than one day without data loss.
• Sensible (standard availability – sensible level)
The maximum period that the ARCELORMITTAL BU can go without critical information processing services is less than two days. Data loss less than one working day.
• Weak (low availability – low level)
The maximum period that the ARCELORMITTAL BU can go without critical information processing services is more than two days. Data loss less than one working day.
8. BEHAVIOR ADVICE TO USERS TO IMPROVE THE SECURITY LEVEL
8.1 Password management
8.1.1. Always choose a password that is not guessable.
8.1.2. Never write down your password and leave it in a place where unauthorized persons might discover it.
8.1.3. Change your password regularly. Change it immediately if you suspect an unauthorized usage of your user ID by another person (the last connection date and time can prove it).
8.1.4. By keeping your password not guessable and confidential, you ensure that somebody else cannot use your user ID in order to benefit from your information access.
8.2 Locking an unattended workstation
8.2.1. Always activate the password-protected screensaver when you leave your desk.
8.2.2. Configure the screensaver so that it will automatically activate itself after 10 to 15 minutes.
8.3 Social engineering
8.3.1 Never answer a request for any confidential information such as your password from somebody you do not know, even if he or she claims to be, for example, an expert who needs it for troubleshooting.
8.4 Data back-ups
8.4.1 Make regular data backups according to the local procedure in order to prevent loss of your information. If you use a desktop, this can be done automatically by your local IS/IT team procedures. In that latter case, please ensure that it is done.
8.5 Virus protection
8.5.1 Always keep your anti-virus up to date (in the case it is not yet done automatically by the infrastructure).
8.5.2 Never open mail and attachments coming from an unknown source.
8.5.3 Be aware that encrypted documents are not virus screened.
8.5.4 If you suspect an infection by a virus, immediately shut-down your PC, make no attempt to eradicate the virus and call the help desk.
8.5.5 When receiving a virus alert message which is not coming from your local IS/IT team, do not send this message all around you. Instead, transfer it only to the IS/IT team for analysis.
8.5.6 Be aware that creating a non-protected share can cause a virus to spread through the share. So, if you create a share, always protect it by a password.
8.6 Security incident reporting
8.6.1 Always call your local help desk.
8.7 Confidential information protection at printing time (as well in communicating and storing the information)
8.7.1 Confidential information is to be protected not only on your workstation and during communication, but also when you print it on a shared printer.
* * * *
SCHEDULE B
TO THE TRANSITION SERVICES AGREEMENT
NOBLE SERVICES
1. SERVICES PROVIDED BY ATB BREMEN (“Storage Provider”) TO XXXXXXX XXXXXX GMBH (“ABG”)
1. Preamble:
Connecting rail: Connecting rail Tailored Blank Bremen
Opening hours of the storage: Monday to Friday from 6 AM to 10 PM and by individual agreement
Services generally, logistics, turnover
The storage and the timely delivery of steel, delivered in coils and packages to ABG customers.
ABG handles the transportation to the storage by truck, train, coil carrier, etc.
Any and all turnover activities by the Storage Provider must be carried out in a material protecting, corrosion avoiding manner, and, if possible, indoors. The storage must be clean and free of odor.
The outdoor handling of material that is sensitive to rain must be carried out in dry weather.
2. Tasks of the Storage Provider:
Storage:
Acceptance, inspection and unloading of goods from the respective transportation facility.
Immediate inspection of the goods for their correspondence with the shipping documents.
ABG must be informed of any discrepancy without undue delay.
Immediate inspection of the incoming steel deliveries for obvious defects in the material. The defect must be noted on the storage- and freight documents (kind and quantity of the defect).
ABG must be informed of any defects without undue delay.
Initiating of any necessary measures in order to ensure ABG’s claims: e.g., the reservation of any rights vis-à-vis the delivering carrier, preparing a facts report in case of external train deliveries, providing information to the shipping department in case of internal deliveries or, upon approval by ABG, the involvement of a claims agent paid by ABG or the transportation insurance.
Storage/ Turnover/ Handling:
Adequate storage and protection of the steel goods with adequate resources:
Lifting accessories for packages: belts and strapping
Lifting accessories for coils: Coil magnet attached to gantry crane
In general, chains must not be used. A chain-rope combination can only be used if damage to the stored goods is prevented.
At maximum three coils are stored on top of each other, provided, however, the following conditions are met:
• thickness of the material > 1,5 mm – no shiny or polished surfaces
• width of the coils > 1000 mm – only un-galvanized material
Should just one of the foregoing conditions not be fulfilled, only two coils may be stored on top of each other. Only two coils from the company BREGAL are stored on top of each other, unless ABG agrees in writing that three can be stored on top of each other.
• Coils with a thickness of <= 1,2 mm are only to be stored on top of a pile or separately.
At most eight packages are stored on top of each other, provided, however, the measurement is at minimum 1000—2000 mm, otherwise only four.
Heating must be provided to avoid corrosion resulting from change in temperature and humidity.
Dispatch of Stored Goods:
ABG prepares the necessary accompanying documents for the delivery to the customer.
Delivery, inspection and loading of the goods on the trucks, freight car, coil carrier, etc.
Immediately after dispatch of the goods from storage ABG receives copies of all bills of delivery (dispatch from storage shall be deemed delivery) by data submission [DFÜ]. In case DFÜ submission is impossible it shall be sent by Telefax to No. 0421/648-3244.
Administration:
Accounting of all incoming and outgoing goods in a storage bookkeeping system
Preparation of an inventory and turnover list
Notification of incoming and outgoing goods according to guidelines
Ongoing inventory
ABG remains owner of all documents and materials of the storage bookkeeping conducted for ABG. The Storage Provider keeps these documents on behalf of ABG as part of its responsibilities as diligent storage provider. However, it is obliged to hand them over to ABG at any time upon ABG’s request.
At any time, upon the Storage Provider’s consent, ABG is granted access to the part of the storage facility where ABG’s goods are stored in order to inspect the inventory.
In order to guarantee proper administration, the Storage Provider must only hire trained personnel, and must, in addition to the updated notifications of incoming and outgoing goods, prepare a turnover protocol on a monthly basis. The turnover protocol is prepared on the last day of the month and contains the following information: inventory, additions, disposals, weight, identification number of the general terms and conditions, package number and coil number, and shall be sent to ABG (shipping department) by data processing [DFÜ] or e-mail. The Storage Provider is responsible that the turnover protocol is delivered to ABG on the third business day following the last day of the month, at the latest.
3. Tasks of ABG:
ABG coordinates the delivery of the goods to the storage facility in a timely manner, so that all data related to the goods (EDI) are updated in the Storage Provider’s data system before the goods arrive. In case of non-compliance with this, the goods are not unloaded until such data are provided.
In case goods are delivered for which no EDI is available (e.g., coils without commission, OK), ABG announces such delivery separately and agrees with the Storage Provider on an adequate handling. The Storage Provider is allowed to charge further costs for this. ABG announces the delivery of such goods to the storage in a timely manner.
ABG ensures that all delivered goods are marked by the producer in a clear way and can be identified easily.
The responsibilities of the Storage Provider according to Section 2 remain unchanged by this Section 3.
4. Insurance:
The Storage Provider is obliged to obtain adequate insurance for property and liability risks, or be itself responsible for such risks.
Exhibit 1 of point 1
Infrastructure and equipment of the storage
1. Delivery by | ☒ truck | ☒ freight car | ☐ barge | ☐ ocean-going vessel
addresses for: | truck delivery | Walzwerkstraße
freight car delivery | Anschlußgleis Tailored Blanks Bremen
ship delivery
max. Truck number per day approx. 50
max. Freight car number per day: 20 capacity of connecting rail: 20 freight cars
2. Dispatch by | ☒ truck | ☒ freight car | ☐ barge | ☐ ocean-going vessel
3. Storage location | ☒ hall
☒ heated | ☐ not heated
min./max. Temperature °C
max. humidity %
☒ totally closed | ☒ loading/unloading is possible in hall:
☐ open, quay side | ☒ per truck
☒ isolated | ☒ per freight car
☐ Cement walls
☒ Metal walls
☐ OTHERS
what:
☒ Roof isolation
☒ lockable doors
4. Storage (floor)
☐ Cement floor
☒ Other Asphalt
max. Floor loading 10 to / m²
point loading 30 to / m²
Coils stored on: | ☐ Cement floor
☐ Wood
☒ Coilstorage out of wood
☐ others
Pile heights for Coils: | ☐ single
☒ threefold (max.) according to special arrangement in agreement
Pile heights for packages: | ☒ eightfold (max.) according to special arrangement in agreement
5. Turnover equipment/ lifting equipment
☒ gantry crane | Pieces: 2 | carrying capacity: 35 to.
☒ Other, Magnet | Pieces: 2 | carrying capacity: 30 to.
☐ Coil gripper
☐ C-hook
☐ steel mat
☐ slings [Stroppen]
☒ forklift | Pieces: 1 | carrying capacity: 5,5 to.
☐ Coilcarrier | Pieces: | carrying capacity t:
☐ forklift ram [Staplerdorn]
☐ Coil shoes for forks [Gabeln]
☐ Forks for forklift, not encased
6. Facility Security
Fire protection System | ☒ yes | ☐ no
☒ Fire Extinguisher | ☒ Fire Alarm | ☐ Sprinkling system
☒ own fire dept. (company operated fire dept. Arcelor Bremen)
Responsible Person in the company ☐ yes ☐ no
7. Quality Standards
Storage Administrator:
Quality manager in the company | ☐ yes ☒ no, in preparation
Company certificate according to EN ISO 9002 | ☐ yes ☒ no, in preparation
Storage Provider:
Quality manager in the company | ☐ yes ☒ no, in preparation
Company certificate according to EN ISO 9002 | ☐ yes ☒ no, in preparation