TRANSITION SERVICES AGREEMENT
Exhibit 10.1
Execution Copy
Execution Copy
This TRANSITION SERVICES AGREEMENT (this "Agreement") is made as of June !5, 2016 between Higher One, Inc., a Delaware corporation ("Seller") and Customers Bank, a bank chartered under the laws of the Commonwealth of Pennsylvania ("Buyer"). Seller and Buyer are referred to herein collectively as the "Parties" and individually as a "Party."
INTRODUCTION
WHEREAS, Seller and Buyer have entered into an Asset Purchase Agreement, dated as of December 15, 2015 (the "Purchase Agreement") (capitalized terms not defined in this Agreement shall have the meanings indicated in the Purchase Agreement);
WHEREAS, under the Purchase Agreement, Buyer has agreed to purchase from Seller certain assets related to Seller's business of disbursing refunds for its higher education institutional clients and servicing student-oriented checking accounts for the students of those clients (the "Business"), and the Purchase Agreement contemplates that the Parties shall execute and deliver this Agreement at the Closing; and
WHEREAS, Buyer and Seller desire that, after the Closing, Seller and/or certain of its Affiliates shall provide to Buyer, and Buyer and/or certain of its Affiliates shall provide to Seller, certain services on a transitional basis, as set forth herein.
NOW, THEREFORE, in consideration of the promises and covenants set forth herein and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:
ARTICLE I
TRANSITION SERVICES
TRANSITION SERVICES
Section 1.1 Transition Services.
(a) Scope and Duration of Seller Transition Services. Seller, itself and/or by and through its Affiliates, and its and their respective employees, agents or contractors, shall provide or cause to be provided to Buyer, solely for the benefit of Buyer, those services set forth on Annex A hereto, as it may be amended from time to time by mutual written agreement of the Parties (collectively, the "Seller Transition Services") until the earlier of (i) expiration of the service period applicable to such Transition Services as set forth with respect to each applicable Seller Transition Service on Annex A hereto, or (ii) expiration of the Term (as defined below). Seller shall not be obligated to provide any services other than the Seller Transition Services expressly provided herein. Seller shall not be required to perform Seller Transition Services hereunder in any manner that violates any applicable law or regulation. It is acknowledged by Seller that the objective of this Agreement is to obligate Seller to provide, throughout the Term, any and all services and functions that Buyer is unable to perform with respect to the assets purchased and employees hired pursuant to the Purchase Agreement in order for the Business to perform at a comparable level of operation and functionality achieved during the 180 days prior to the closing under the Purchase Agreement. In addition, Seller shall provide consulting services to Buyer related to the One Account structure and operation, marketing and managing relationships with colleges and universities, regulatory compliance matters, Department of Education introductions and relationship advice, product pricing matters, and contractual matters (with vendors as well as colleges and universities).
1
(b) Scope and Duration of Buyer Transition Services. Buyer, itself and/or by and through its Affiliates, and its and their respective employees, agents or contractors, shall provide or cause to be provided to Seller, solely for the benefit of Seller, those services set forth on Annex B hereto, as it may be amended from time to time by mutual written agreement of the Parties (collectively, the "Buyer Transition Services", and together with the Seller Transition Services, the "Transition Services") until the earlier of (i) expiration of the service period applicable to such Buyer Transition Services as set forth with respect to each applicable Buyer Transition Service on Annex B hereto, or (ii) expiration of the Term (as defined below).
(c) Modified Transition Services. Any modifications to the Transition Services shall be subject to mutual agreement pursuant to ARTICLE IX hereof.
(d) Subcontractors. Upon prior consent of the other Party, which consent shall not be unreasonably withheld, conditioned or delayed, Seller or Buyer may subcontract with an unaffiliated third party (a "Subcontractor") to provide any Transition Services; provided that no notice shall be required with respect to the continued use of subcontractors in the manner utilized by Seller in connection with the Business immediately prior to the Closing, or with respect to changes in subcontractors which are consistent with Seller's operation of the Business immediately prior to the Closing. Notwithstanding any subcontracting of Seller's or Buyer's obligations under this Agreement, each Party shall, for the term of this Agreement, remain primarily liable for the delivery and performance of the Transition Services.
Section 1.2 Service Coordinators and Issue Resolution.
(a) Seller and Buyer each hereby appoint as service coordinators their respective employees identified on Schedule 1.2 hereto (each, a "Service Coordinator") to be the primary point of contact between Seller and Buyer with respect to the Transition Services, including, and subject to the terms of this Schedule 1.2, with respect to disputes between the Parties arising out of or relating to this Agreement or the provision of Transition Services hereunder. Each Party shall have the right, upon reasonable advance written notice to the other Party, to replace its Service Coordinator with an employee or officer of such Party with comparable knowledge, expertise and decision-making authority.
(b) In the event the Service Coordinators fail to resolve any dispute arising between the Parties in connection with the Transition Services within a reasonable time of receiving notice of such dispute from a Party, and in any event within ten (10) Business Days of such notification, then Buyer shall designate an officer or officers holding the office of Senior Vice President (or equivalent office) or above (such officers, the "Senior Officers") and such Senior Officers shall attempt in good faith to conclusively resolve any such dispute (i) with the members of an operating committee designated by Seller, and (ii) in the event the Senior Officers and operating committee fail to resolve the dispute, an executive committee shall be designated by Seller and Buyer. If the Senior Officers and the operating and executive committees designated by Seller and Buyer cannot resolve such dispute within a reasonable period of time, and in any event within twenty (20) Business Days of the referral of such dispute to them, either Party may submit the dispute to litigation as provided for in Section 10.8.
(c) Any dispute arising out of or relating to this Agreement shall be submitted for resolution pursuant to this Section 1.2 before any Party may commence any legal proceeding in connection therewith. A Party's failure to comply with the preceding sentence shall constitute cause for the dismissal without prejudice of any such legal proceeding. This Section 1.2(c) is without prejudice to either Party's right to seek interim relief against the other Party (such as an injunction) to protect its rights and interests, or to enforce the obligations of the other Party and the parties need not negotiate disputes with respect to equitable remedies prior to seeking relief from a court of competent jurisdiction.
2
Section 1.3 Migration Plan.
(a) On or prior to the date hereof, the Parties shall have negotiated and materially finalized a plan to transition from the performance of the Seller Transition Services by Seller and its Affiliates to the performance of such services by Buyer, including moving the information technology systems and data used in the Business from Seller's infrastructure to Buyer's or its designee's infrastructure ("Migration") (such plan, the "Migration Plan"). The Migration Plan shall include a governance and arbitration process, in which both Parties shall agree to participate, which shall be subject to the change control process set forth in ARTICLE IX.
(b) Buyer shall be responsible for the Migration, including the construction and deployment of any systems or physical space required for the Migration. Seller shall use commercially reasonable efforts to assist Buyer in completing the Migration. Buyer shall be responsible for all fees and expenses incurred by Buyer and reasonable out-of-pocket third party costs of Seller incurred in the course of providing any assistance with the Migration requested by Buyer.
(c) The Parties acknowledge that the Migration Plan is a document that may change, and any such material changes will be subject to the change control process set forth in ARTICLE IX. Each Party shall use its commercially reasonable efforts to perform its obligations under the Migration Plan according to the schedule set forth in the Migration Plan, and each Party shall use sufficient and qualified resources and personnel to implement the Migration Plan, taking into account the need to reasonably manage the cost of such transition and minimize the disruption to the ongoing business activities of the Parties.
Section 1.4 Additional Transition Services. If requested by either Party, the other Party shall provide services in addition to the Transition Services ("Additional Transition Services"), as may be agreed pursuant to the Change Control process set forth in ARTICLE IX. The scope of any such Additional Transition Services, as well as the prices and other terms applicable to such additional services, shall be as mutually agreed by Buyer and Seller, as further contemplated by ARTICLE IX.
Section 1.5 Standard of Performance. Each Party shall use commercially reasonable efforts to perform or procure the provision of the Transition Services for the other Party to standards of performance comparable in all material respects to which such Transition Services were performed by Seller or its Affiliates in connection with the Business immediately prior to Closing; provided that Seller shall not be responsible for the performance of any product programs or features developed and/or implemented by Buyer after the Closing Date.
Section 1.6 Access. Each Party shall use good faith efforts to provide the other Party with access to information and computer systems, facilities, networks (including voice or data networks) or software to the extent reasonably necessary to enable the provision of Transition Services contemplated by this Agreement, subject to Section 7 hereof. The Party requesting access shall give the other Party reasonable prior written notice and justification of the need for such access.
Section 1.7 Independent Contractor. For all purposes hereof, each Party shall at all times act as an independent contractor and shall have no authority to represent the other Party in any way or otherwise be deemed an agent, lawyer, employee, representative, joint venturer or fiduciary of such other Party nor shall this Agreement or the transactions contemplated hereby be deemed to create any joint venture between the Parties. Each Party shall not declare or represent to any third party that such Party shall have any power or authority to negotiate or conclude any agreement, or to make any representation or to give any undertaking on behalf of the other Party in any way whatsoever.
3
ARTICLE II
SERVICE FEES AND EXPENSES
SERVICE FEES AND EXPENSES
Section 2.1 Service Fees.
(a) Subject to adjustment in accordance with this Section 2.1, Buyer shall pay a fee for the Seller Transition Services and Additional Transition Services it receives during the Term as follows (collectively, the "Buyer Service Fees"):
(i) with respect to the Seller Transition Services, $5,000,000, payable in twelve (12) equal monthly instalments of $416,666.67, each of which shall be due and payable on the fifteenth (15th) day of each month; and
(ii) with respect to any Additional Transition Services provided by Seller, on the timetable and in the amount agreed by the Parties and set out in the executed amendment to this Agreement under which such Additional Transition Services are provided as contemplated in Article IX.
(b) Subject to adjustment in accordance with this Section 2.1, Seller shall pay a fee (the "Seller Service Fee", and together with the Buyer Service Fees, the "Service Fees") for the Additional Transition Services it receives from Buyer during the Term on the timetable and in the amount agreed by the Parties and set out in the amendment to this Agreement under which such Additional Transition Services are provided, which shall be entered into in accordance with ARTICLE IX.
(c) The Service Fees are exclusive of any sales tax, transfer tax, value-added tax, goods and services tax or similar tax ("Taxes"). Any Taxes (but excluding any Tax based upon net income) payable with respect to the Service Fees shall be invoiced by the Party providing such services (the "Providing Party") and paid to such Party by the other Party (the "Receiving Party") within thirty (30) days of receipt of such invoice. The Party providing the service shall be responsible for remitting any such Taxes to the appropriate taxing authority.
(d) If the cost to either Party of providing a Transition Service increases as a result of actions taken outside the scope of this Agreement by or at the request of the Receiving Party or as a result of any change in applicable law or regulation or action of any Government Entity (collectively, "Imposed Changes"), then the resulting increase in costs will be passed through to the Receiving Party by means of an increase in the relevant Service Fees in the amount of such actual increase in the cost of the provision of such Transition Services, plus any direct, out of pocket, up-front costs of modifying the Transition Services as a result of such Imposed Changes, provided, however, that (i) in no event shall the Party providing the service be obligated to perform any service hereunder other than in accordance with applicable law and regulation, and (ii) the Party providing the service shall not be obligated to perform such Service unless the Receiving Party agrees to pay such costs of modifying the Transition Services to comply with such Imposed Changes and such increased Service Fees.
Section 2.2 Expenses. The Party receiving services shall be responsible for any direct third-party out-of-pocket costs or expenses incurred by the Party providing the services and disclosed in writing to the other Party prior to the date of this Agreement in connection with providing the Transition Services.
Section 2.3 Records. Each Party shall maintain records of all receipts, invoices, reports and other documents relating to the Transition Services rendered hereunder in accordance with applicable law and regulation and its standard accounting practices and procedures, which practices and procedures are employed by such Party in its provision of services for itself and its Affiliates.
4
ARTICLE III
PAYMENT
PAYMENT
Section 3.1 Invoicing and Payment. For the Transition Services described on Annex A on the date hereof, Buyer shall pay the net monthly fees set forth in Section 2.1 on or before each due date for such fee, without an invoice from Seller. For any Additional Transition Services, the net monthly fee shall be adjusted and paid by Buyer in accordance with the executed amendment to this Agreement under which such Additional Transition Services are provided. For any third-party expenses incurred by either Party in connection with providing the Transition Services and payable by Receiving Party in accordance with Section 2.2 hereof, Providing Party shall invoice Receiving Party, and Receiving Party shall remit payment to Providing Party for all such invoiced expenses within thirty (30) calendar days after receipt of each such invoice. Any undisputed amount unpaid after the expiration of thirty (30) calendar days after the due date shall bear interest equal to one-half percent (0.5%) per month of the overdue amount. Each invoice for expenses shall set forth in reasonable detail, for the period covered by such invoice, the source of the expenses incurred.
Section 3.2 No Set Off. Buyer shall not have the right to set off any claims of damages, under this Agreement, the Purchase Agreement or any other arrangement between Buyer and Seller, against payments owed under this Agreement with the exception of costs incurred under Section 2.2.
ARTICLE IV
TRANSITION
TRANSITION
Section 4.1 Return of Materials. Promptly at the end of the service period with respect to a Transition Service, at the end of the Term or upon termination of this Agreement in accordance with ARTICLE VI, as the case may be, the Receiving Party shall, at the other party's expense and written direction, return or destroy and certify the return or destruction of, any and all of the other Party's books, records, files, databases, intellectual property (including embodiments thereof), Confidential Information (as defined below) or information related to customer data in the possession, custody or control of the Receiving Party (the "Materials"); provided that a Receiving Party shall be permitted to retain one copy of the Materials solely as required in order to comply with applicable law and regulation, or for audit, compliance or regulatory purposes to the extent permitted by applicable law and regulation; and provided, further, that a Receiving Party shall not be obligated to destroy any Materials if such destruction would, in the reasonable opinion of counsel to such Receiving Party, constitute a violation of applicable law or regulation.
ARTICLE V
INTELLECTUAL PROPERTY
INTELLECTUAL PROPERTY
Section 5.1 Title to Intellectual Property.
(a) Each of the Parties agrees that any intellectual property of the other Party made available to it in connection with the Transition Services, and any derivative works, additions, modifications or enhancements thereof created by the other Party pursuant to this Agreement, are and shall remain the sole property of the other Party, and such Party hereby irrevocably assigns any and all right, title and interest therein to such other Party. Each Party agrees not to use, and to cause its Affiliates not to use, intellectual property of the other Party for any purpose other than in connection with the performance of the Transition Services during the Term.
(b) Each Party acknowledges that the other Party may be providing services similar to the Transition Services to its own businesses and/or to other third parties during the Term, without restriction hereunder.
Section 5.2 Use of Trademarks. Except as expressly set forth in the Purchase Agreement, neither Party shall use the other Party's trademarks, service marks, trade names, domain names or other source identifiers without such Party's prior written consent.
Section 5.3 Software Licenses and Data Subscriptions. Except as provided in the Purchase Agreement or as set forth on Schedule 5.3 hereto, Seller and its Affiliates shall not be required to transfer or assign to Buyer any third-party software licenses, data subscriptions or any software or hardware owned by Seller or any of its Affiliates in connection with the provision of the Seller Transition Services.
5
ARTICLE VI
TERM AND TERMINATION
TERM AND TERMINATION
Section 6.1 Term. The term of this Agreement (the "Term") shall commence on the Closing and continue from the Closing Date until June 30, 2017 (the "Termination Date"); provided that the Term of any individual Transition Service may be for a shorter period of time as may be set forth on Annex A hereto or as mutually agreed by the parties in writing.
Section 6.2 Termination for Cause. Either Party (the "Terminating Party") may terminate this Agreement with immediate effect by notice in writing to the other Party (the "Other Party") on or at any time after the occurrence of any of the following events:
(a) the Other Party is in default of any of its material obligations under this Agreement and (if the breach is capable of remedy) has failed to remedy the breach within thirty (30) days after receipt of notice in writing from the Terminating Party giving particulars of the breach;
(b) the Other Party shall commence a voluntary case or other proceeding seeking liquidation, reorganization or other relief with respect to itself or its debts under any bankruptcy, insolvency or other similar law now or hereafter in effect or seeking the appointment of a trustee, receiver, liquidator, custodian or other similar official for it or any substantial part of its property, or shall consent to any such relief or to the appointment of or taking possession by any such official in an involuntary case or other proceeding commenced against it, or shall make a general assignment for the benefit of creditors, or shall fail generally to pay its debts as they become due, or shall take any corporate action to authorize any of the foregoing;
(c) an involuntary case or other proceeding shall be commenced against the Other Party seeking liquidation, reorganization or other relief with respect to it or its debts under any bankruptcy, insolvency or other similar law now or hereafter in effect or seeking the appointment of a trustee, receiver, liquidator, custodian or other similar official for it or any substantial part of its property, and such involuntary case or other proceeding shall remain undismissed and unstayed for a period of sixty (60) days.
Section 6.3 Survival. Section 2.2 (Expenses), Section 2.3 (Records), ARTICLE III (Payments)(to the extent such fees accrued prior to termination, cancellation or expiration), Section 4.1 (Return of Materials), Section 5.1 (Intellectual Property), this Section 6.3 (Survival), Section 7.1 (Confidentiality), Section 8.2 (Limitations of Liability) and Article X (Miscellaneous) shall survive any termination or expiration of this Agreement.
ARTICLE VII
CONFIDENTIALITY
CONFIDENTIALITY
Section 7.1 Confidentiality.
(a) Each Party acknowledges that, in connection with the performance by a Party of its obligations hereunder, such Party may be provided with information about confidential and proprietary information of the other Party and third parties with which the other Party conducts business. The confidential information of such other Party and third parties is defined below and is collectively referred to as "Confidential Information." In recognition of the foregoing, each Party covenants and agrees:
(i) that it will keep and maintain all Confidential Information in confidence, using such degree of care as is appropriate to avoid unauthorized use or disclosure;
(ii) that it will not, directly or indirectly, disclose any Confidential Information to anyone outside of the other Party, except with the other Party's prior written consent or as may be permitted under this Article VII;
(iii) that such Party will not make use of any Confidential Information for its own purpose or the benefit of anyone or any other entity other than the other Party, provided that Buyer can make use of any Confidential Information related to the Business in its operation of the Business; and
(iv) that such Party will take no action with respect to the Confidential Information that is inconsistent with its confidential and proprietary nature.
(b) Each Party shall be permitted to disclose the Confidential Information only as follows:
(i) to its employees, agents, auditors, counsel, directors, officers and contractors ("Related Parties") and Subcontractors, having a need to know such information in connection with the performance of the Transition Services. Each Party shall be responsible for all its Related Parties and Subcontractors' compliance with the terms of this Agreement; and
(ii) if disclosure is required by applicable law or regulation, provided that a Party shall notify the other Party in writing as soon as reasonably practicable in advance of such disclosure, and provide the other Party with copies of any related information so that the other Party may take appropriate action to protect the Confidential Information.
6
(c) For purposes of this Agreement, Confidential Information shall include all business information of the other Party, including the following:
(i) information relating to the other Party's planned or existing computer systems and systems architecture, including computer hardware, computer software, source code, object code, documentation, methods of processing and operational methods;
(ii) sales, profits, organizational restructuring, new business initiatives and financial information;
(iii) information that describes the other Party's products, including product designs, and how such products are administered and managed;
(iv) information that describes the other Party's product strategies, tax interpretations, tax positions and treatment of any item; and
(v) confidential information and software of, and contracts with (and any information related thereto), third parties with which the other Party conducts business.
(d) Notwithstanding the foregoing, Confidential Information shall not include information that (i) is or becomes generally available to the public other than as a result of a disclosure directly or indirectly by a Party or its Related Parties or Subcontractors, (ii) was available to a Party on a non-confidential basis prior to its disclosure to such Party by the other Party or the other Party's Related Parties or Subcontractors or (iii) is or becomes available on a non-confidential basis to a Party from a Person other than the other Party, provided that such Person was not known to the receiving Party to be bound by any agreement with the disclosing Party to keep such information confidential or to be otherwise prohibited from transmitting the information. Each Party acknowledges that the disclosure of Confidential Information may cause irreparable injury and damages, that money damages would not be a sufficient remedy for any actual or threatened disclosure and that a Party shall (without proof of actual damages) be entitled to equitable relief, including an injunction and specific performance, as a remedy if the other Party breaches or threatens to disclose Confidential Information in violation hereof. A breaching Party shall not object to the entry of an injunction or other equitable relief against such Party on the basis that an adequate remedy is available at law or lack of irreparable harm. Without limitation of the foregoing, each Party shall advise the other Party promptly in the event that it learns or has reason to believe that any person or entity, which has had access to Confidential Information, has violated or intends to violate the terms of this Agreement. This provision shall not in any way limit such other remedies as may be available to either Party at law or in equity.
(e) With regard to any Confidential Information of the type specified in Section 7.1(c)(v), each Party agrees to execute any commercially reasonable document or take any commercially reasonable action required by any vendor or licensor of software to the other Party in order to access and use such vendor's software in connection with such vendor's contracts with the other Party.
Section 7.2 Systems Security. When Buyer is given access to Seller's computer system(s), facilities, networks (including voice or data networks) or software ("Systems") in connection with the Seller Transition Services or Migration Plan, Buyer shall comply with all lawful security regulations reasonably required by Seller from time to time "Security Regulations"), including without limitation the requirements set forth on Annex C hereto, and will not tamper with, compromise or circumvent any security or audit measures employed by Seller. Buyer's Related Parties may be required to execute a separate system access agreement for individuals who are to have access to Seller's Systems. Buyer shall ensure that only those users who are specifically authorized to gain access to Seller's Systems as necessary to utilize the Seller Transition Services or assist with the Migration gain such access and that such users do not engage in unauthorized destruction, alteration or loss of information contained therein. If at any time a Party determines that any personnel of Buyer has sought to circumvent or has circumvented Seller's Security Regulations or other security or audit measures or that an unauthorized person has accessed or may access Seller's Systems or a person has engaged in activities that may lead to the unauthorized access, destruction or alteration or loss of data, information or software, to the extent within Buyer's control, Buyer or Seller, as appropriate, shall immediately terminate any such person's access to Seller's Systems and immediately notify Seller. In addition, a material failure to comply with the Security Regulations shall be a breach of this Agreement; in which case, Seller shall notify Buyer and both Parties shall work together to rectify said breach. If the breach is not rectified within ten (10) days of its occurrence, the Service Coordinators of both Parties shall be advised in writing of the breach and work together to rectify said breach. If the breach has not been rectified within ten (10) days from such notice to the Service Coordinators, Seller shall be entitled to immediately terminate the Seller Transition Services to which the breach relates until such time as the breach is remedied.
Section 7.3 Insurance. To the extent it has not already done so, Buyer and Seller each shall obtain, within ninety (90) days of the date hereof, from a financially sound and reputable insurer, cyber security and data breach liability insurance in an amount equal to at least $10,000,000 on terms and conditions reasonably satisfactory to the other Party, and will cause such insurance policy to be maintained until the Termination Date.
7
ARTICLE VIII
REPRESENTATIONS AND WARRANTIES
REPRESENTATIONS AND WARRANTIES
Section 8.1 Representations and Warranties.
(a) Each Party represents and warrants that, on the Closing Date, it has the authority to enter into this Agreement and its performance under this Agreement will not conflict with any other obligation or agreement of such Party.
(b) Except as expressly provided in this Agreement, no representation, warranty or condition, express or implied, statutory or otherwise, as to condition, quality, satisfactory quality, performance or fitness for purpose or otherwise is given by either Seller or Buyer and all such representations, warranties and conditions are excluded except to the extent that their exclusion is prohibited by applicable law.
Section 8.2 Limitations of Liability.
(a) THE AGGREGATE LIABILITY OF EITHER PARTY IN CONNECTION WITH THE PERFORMANCE, DELIVERY OR PROVISION OF THE TRANSITION SERVICES UNDER THIS AGREEMENT SHALL, WITH THE EXCEPTION OF A DATA BREACH, BE LIMITED TO $2,500,000 CUMULATIVELY.
(b) EXCEPT FOR DAMAGES ARISING FROM THE GROSS NEGLIGENCE OR WILFUL MISCONDUCT OF SELLER, THE PARTIES EXPRESSLY WAIVE AND FOREGO ANY RIGHT TO RECOVER EXEMPLARY, LOST PROFITS, CONSEQUENTIAL OR SIMILAR DAMAGES IN ANY LITIGATION ARISING OUT OF OR RESULTING FROM ANY CONTROVERSY OR CLAIM RELATING TO THIS AGREEMENT OR ANY OF THE TRANSITION SERVICES PROVIDED HEREUNDER, WHETHER SUCH CLAIM IS BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY) OR OTHERWISE, EVEN IF AN AUTHORIZED REPRESENTATIVE OF SUCH PARTY IS ADVISED OF THE POSSIBILITY OR LIKELIHOOD OF THE SAME.
ARTICLE IX
CHANGE CONTROL
CHANGE CONTROL
Section 9.1 Change Control.
(a) Subject to this Article IX, either Party may propose any change or addition to the Transition Services by written notice to the other Party specifying the proposed change in reasonable detail (such notice, a "Change Request").
(b) Seller or Buyer shall provide the other Party with a reasonably detailed written outline specification describing the nature of the change, an assessment of the impact of the change on the Transition Services, the Service Fees (as applicable) and an estimate of the time required to implement the change, the costs associated with the change and the terms for payment of such costs (such outline, an "Evaluation Report") within twenty (20) Business Days of receiving the Change Request.
(c) The approving Party shall notify the requesting Party within ten (10) Business Days of the date on which the Evaluation Report was received whether or not the approving Party wishes to proceed with the Change Request; provided, however, that the Parties shall in good faith negotiate the terms and pricing of the Change Request before the requesting Party provides such notice to proceed.
(d) Within ten (10) Business Days of receipt of the requesting Party's notice to proceed with the Change Request, the approving Party shall produce a final Evaluation Report which shall include a comprehensive list of the charges for the implementation of the Change Request ("Change Request Charges"). Any Change Request Charges shall be calculated in a manner consistent with Section 2.1.
8
(e) Both the Seller and Buyer shall act in good faith in relation to Change Requests, and shall not unreasonably withhold any consent, or cause any delay in relation to them; provided that, notwithstanding anything to the contrary herein, the approving Party shall have sole discretion regarding whether to provide Additional Transition Services which were not performed by Seller or Buyer for the Business at any time during the one hundred eighty (180) day period prior to Closing. If the Seller and Buyer cannot agree upon a Change Request or the approving Party's final Evaluation Report (including the Change Request Charges), each of the Seller and Buyer may refer the matter to be resolved in accordance with Section 1.2.
(f) The Seller shall not have any obligation to commence work in connection with any change to the approving Party Transition Services or any Additional Transaction Services until the relevant Change Request and Evaluation Report has been agreed to by each Party in writing.
ARTICLE X
MISCELLANEOUS
MISCELLANEOUS
Section 10.1 No Third Party Beneficiaries. This Agreement shall not confer any rights or remedies upon any Person other than the Parties and their respective successors and permitted assigns and, to the extent specified herein, their respective Affiliates.
Section 10.2 Entire Agreement. This Agreement (including the Annexes and Schedule hereto), together with the Purchase Agreement and any other documents delivered by the Parties in connection herewith or therewith, constitutes the entire agreement between the Parties with respect to the subject matter hereof and thereof and supersede any prior agreements or understandings between the Buyer, on the one hand, and the Seller, on the other hand.
Section 10.3 Notices. All notices, requests, demands, claims and other communications hereunder shall be in writing. Any notice, request, demand, claim or other communication hereunder shall be deemed duly delivered four (4) Business Days after it is sent by registered or certified mail, return receipt requested, postage prepaid, or one (1) Business Day after it is sent for next Business Day delivery via a reputable nationwide overnight courier service, in each case to the intended recipient as set forth below:
If to the Buyer:
0000 Xxxx Xxxxxx, Xxxxx 000
Xxxxxxxxxx, XX 00000
Attention: Xxxxxx Xxxxxxx,
Chief Financial Officer
E-mail: xxxxxxxx@xxxxxxxxxxxxx.xxx
|
Copy to:
Xxxxxxxx Ronon Xxxxxxx & Xxxxx, LLP
0000 Xxx Xxxxxxxx Xxxxxx
Xxxxxxxxxxxx, XX 00000
Attention: Xxxxxxxxxxx X. Xxxxxxx, Esquire
Facsimile: 000-000-0000
E-mail: xxxxxxxx@xxxxxxxx.xxx
|
If to the Seller:
Higher One, Inc.
000 Xxxxxx Xx.
Xxx Xxxxx, XX 00000
Attention: Xxxxxxxxxxx Xxxx, Executive
VP and Chief Financial Officer
Email: xxxxxxxxxxx.xxxx@xxxxxxxxx.xxx
|
Copies to:
Xxxxxx and Xxxx LLP
One Century Tower
000 Xxxxxx Xxxxxx
Xxx Xxxxx, XX 00000
Attention: Xxxx Xxxxxx
Email: xxxxxxx@xxxxxx.xxx
|
9
Any Party may give any notice, request, demand, claim, or other communication hereunder using any other means (including personal delivery, expedited courier, messenger service, ordinary mail, or electronic mail), but no such notice, request, demand, claim or other communication shall be deemed to have been duly given unless and until it actually is received by the party for whom it is intended. Any Party may change the address to which notices, requests, demands, claims and other communications hereunder are to be delivered by giving the other Parties notice in the manner herein set forth.
Section 10.4 Amendment; Waiver. Subject to ARTICLE IX and Sections 1.4 and 10.10, any provision of this Agreement may be amended or waived if, and only if, such amendment or waiver is in writing and signed, in the case of an amendment, by both Parties, or in the case of a waiver, by the Party against whom the waiver is to be effective. No failure or delay by any Party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privilege.
Section 10.5 Severability. Any term or provision of this Agreement that is invalid or unenforceable in any situation in any jurisdiction shall not affect the validity or enforceability of the remaining terms and provisions hereof or the validity or enforceability of the offending term or provision in any other situation or in any other jurisdiction. If the final judgment of a court of competent jurisdiction declares that any term or provision hereof is invalid or unenforceable, the Parties agree that the body making the determination of invalidity or unenforceability shall have the power to reduce the scope, duration or area of the term or provision, to delete specific words or phrases, or to replace any invalid or unenforceable term or provision with a term or provision that is valid and enforceable and that comes closest to expressing the intention of the invalid or unenforceable term or provision, and this Agreement shall be enforceable as so modified.
Section 10.6 Binding Agreement; Assignment. No Party may assign either this Agreement or any of its rights, interests, or obligations hereunder without the prior written approval of the other Party, which written approval shall not be unreasonably withheld, delayed or conditioned. Notwithstanding the foregoing, this Agreement, and all rights, interests and obligations hereunder, may be assigned, without such consent, by either Party to an Affiliate thereof or an entity that acquires all or substantially all of such Party's or such Affiliate's business or assets. This Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.
Section 10.7 Governing Law. This Agreement and any disputes hereunder shall be governed by and construed in accordance with the internal laws of the State of New York without giving effect to any choice or conflict of law provision or rule (whether of the State of New York or any other jurisdiction) that would cause the application of laws of any jurisdiction other than those of the State of New York.
Section 10.8 Submission to Jurisdiction. Subject to Section 1.2 hereof, each of the Parties to this Agreement (a) agrees that all actions arising out of or relating to this Agreement or any of the transactions contemplated by this Agreement shall be heard and determined in the Federal Courts of the United States of America or the courts of the State of New York, in each case located in the City of New York and County of New York, (b) irrevocably consents to submit itself to the exclusive jurisdiction and venue of such courts in any action, (c) agrees that all claims in respect of such action shall be heard and determined in any such court, (d) agrees that it shall not attempt to deny or defeat such personal jurisdiction by motion or other request for leave from any such court, and (e) agrees not to bring any action arising out of or relating to this Agreement or any of the transactions contemplated by this Agreement in any other court. Each of the Parties hereto waives any defense of inconvenient forum to the maintenance of any action so brought and waives any bond, surety or other security that might be required of any other Party with respect thereto. Any Party hereto may make service on another Party by sending or delivering a copy of the process to the Party to be served at the address and in the manner provided for the giving of notices in Section 10.3. Nothing in this Section 10.8, however, shall affect the right of any Party to serve legal process in any other manner permitted by law.
Section 10.9 Waiver of Jury Trial. To the extent permitted by applicable law, each Party hereby irrevocably waives all rights to trial by jury in any action (whether based on contract, tort or otherwise) arising out of or relating to this Agreement or the transactions contemplated hereby or the actions of any Party in the negotiation, administration, performance and enforcement of this Agreement. Each Party (a) certifies that no Representative of the other Party has represented, expressly or otherwise, that such Party would not, in the event of any action, seek to enforce the foregoing waiver and (b) acknowledges that it and the other Party have been induced to enter into this Agreement, by among other things, the mutual waiver and certifications in this Section 10.9.
10
Section 10.10 Force Majeure. If either Party is prevented from complying, either totally or in part, with any of the terms or provisions of this Agreement by reason of fire, flood, storm, strike, lockout or other labor trouble, any law, order, proclamation, regulation, ordinance, demand or requirement of any governmental authority, riot, war, terrorist act, rebellion or other causes beyond the reasonable control of such Party, or other acts of God (a "Force Majeure Event"), then, upon written notice to the other, the affected provisions and/or other requirements of this Agreement shall be suspended or reduced by an amount consistent with reductions made to the other operations of such Party affected by the Force Majeure Event during the period of such disability and the affected Party shall have no liability to the other in connection therewith. Each Party shall use reasonable commercial efforts to remove such disability within fifteen (15) days of giving notice of such disability.
Section 10.11 Mutual Drafting. This Agreement is the mutual product of the Parties, and each provision hereof has been subject to the mutual consultation, negotiation and agreement of each of the Parties, and shall not be construed for or against any Party. Each Party acknowledges and represents that it has been represented by its own legal counsel in connection with the transactions contemplated hereby, with the opportunity to seek advice as to its legal rights from such counsel.
Section 10.12 Headings. The headings in this Agreement are for convenience of reference only and will not affect the construction of any provisions hereof.
Section 10.13 Conflicts. To the extent any term or provision of the Purchase Agreement, or any other document or other agreement executed in connection with the Purchase Agreement, is in conflict with any term or provision of this Agreement or any Annex or Schedule hereto, the terms and provisions of this Agreement and the Annexes or Schedules hereto shall govern solely to the extent of any such conflict. To the extent any term or provision of this Agreement is in conflict with any term or provision of any Annex or Schedule hereto, the terms and provisions of the Annex or Schedule hereto shall govern solely to the extent of any such conflict.
Section 10.14 Counterparts and PDF Signature. This Agreement may be signed in any number of counterparts, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument. The electronic transmission of any signed original counterpart of this Agreement shall be deemed to be the delivery of an original counterpart of this Agreement.
Section 10.15 Interpretation. For purposes of this Agreement, (a) the words "include," "includes" and "including" shall be deemed to be followed by the words "without limitation"; (b) the word "or" is not exclusive; and (c) the words "herein," "hereof," "hereby," "hereto" and "hereunder" refer to this Agreement as a whole. Unless the context otherwise requires, references herein: (x) to Articles, Sections, Schedules and Exhibits mean the Articles and Sections of, and Schedules and Exhibits attached to, this Agreement; (y) to an agreement, instrument or other document means such agreement, instrument or other document as amended, supplemented and modified from time to time to the extent permitted by the provisions thereof and (z) to a statute means such statute as amended from time to time and includes any successor legislation thereto and any regulations promulgated thereunder. This Agreement shall be construed without regard to any presumption or rule requiring construction or interpretation against the Party drafting an instrument or causing any instrument to be drafted. The Schedules and Exhibits referred to herein shall be construed with, and as an integral part of, this Agreement to the same extent as if they were set forth verbatim herein.
[End of Text; Signature Page Follows]
11
IN WITNESS WHEREOF, the Parties hereto have executed this Transition Services Agreement as of the date first written above.
HIGHER ONE, INC.
|
|
By: /s/ Xxxx Xxxxxxxxxx
|
|
Name: Xxxx Xxxxxxxxxx
|
|
Title: President & CEO
|
|
CUSTOMERS BANK
|
|
By: /s/ Xxxxxx X. Xxxxxxx
|
|
Name: Xxxxxx X. Xxxxxxx
|
|
Title: Executive Vice President & CFO
|
ANNEXES
ANNEX A
|
SELLER TRANSITION SERVICES
|
ANNEX B
|
BUYER TRANSITION SERVICES
|
ANNEX C
|
HIGHERONE SECURITY REQUIREMENTS
|
SCHEDULE 1.2
SERVICE COORDINATORS
Seller
Services Coordinator:
Xxxxxxx Xxxxxx
Chief Information Officer
000-000-0000 xxx 0000
Xxxxxxx.xxxxxx@xxxxxxxxx.xxx
Buyer
Services Coordinator:
Xxxx Xxxxxxx
Chief Informaiton Officer – Bankmobile
0000 Xxxx Xxx
Xxxxxxxxxx, XX 00000
000-000-0000
xxxxxxxx@xxxxxxxxxx.xxx
ANNEX A
TRANSITION SERVICES
TRANSITION SERVICES
Annex A – Section 1
Information Technology
Scope of Services
Seller, itself and/or by and through its Affiliates, shall provide or cause to be provided to Buyer the following information technology services in the manner set forth below:
· | Chennai Resources |
o | Provide engineering services relating to the Business furnished by personnel located in Chennai, India. |
o | Provide the Chennai resources listed below (the "Chennai Resources"): |
Xxxxx Xxxxx Xxxxxx
|
Senior Quality Analyst
|
Quality Assurance
|
Xxxxxxx Xxxxx Xxxxxxxxx
|
Senior Quality Analyst
|
Quality Assurance
|
Tamil Xxxxxx Xxxxx
|
Project Lead
|
Quality Assurance
|
Xxxxxxxx Xxxxxx
|
Xx. Software Engineer
|
Quality Assurance
|
Xxxxxxxxxx Xxxxxxxxxx
|
Technology Trainee
|
Quality Assurance
|
Xxxxxxxxxxxx Xxxxx
|
Technology Trainee
|
Quality Assurance
|
Xxxxxxxxxxxx Xxxxxxxxx
|
Associate Project Lead
|
Mobile Development
|
Xxxxxxxxxx Xxxxxxxxxxxx
|
Xx. Software Developer
|
Mobile Development
|
Varun Xxxxx
|
Xx. Quality Analyst
|
Mobile Development
|
Hari Xxxx Xxxxx
|
Lead Developer
|
OD/OA Development
|
Xxxxxx Xxxxxxx
|
Xx. Project Lead
|
OD/OA Development
|
Xxxxxx Xxxxxxxxx
|
Associate Project Lead
|
OD/OA Development
|
Xxxxxxxxxx Jenadoss
|
Lead Developer
|
OD/OA Development
|
Xxxxxxx Xxxxx
|
Xx. Software Developer
|
OD/OA Development
|
; subject to the following terms: (i) from September 19, 2016 until December 31, 2016, the Chennai Resources will be provided at an additional cost to Buyer of $25,000 per month, (ii) the Chennai Resources will be provided to Buyer until December 31, 2016, provided that Buyer may extend the use of such resources until the Termination Date upon ninety (90) days' written notice to Seller, (iii) the Chennai Resources shall be directed by a Manager selected by Buyer, (iv) onsite support shall be provided by Bala Meenakshisundarm (or other person at the sole discretion of Seller),and (v) Seller will provide support to Buyer in connection with Buyer's efforts to fill any vacancies created as a result of attrition of the Chennai Resources.
|
A-1
· | Consulting |
o | Provide up to 1600 "SME" consulting hours during the Term, not to exceed more than 140 hours per month. SME consulting hours are for consultation on the planning and design of Buyer's future operating environment. SME consulting hours are in addition to the hours required to support the tasks set forth below under the "Operations; IT Infrastructure" heading. Any consulting hours in excess of 1600 shall be provided upon Seller's written approval, at a mutually agreed upon price. |
· | Computers and Access |
o | Maintain ("break/fix") Transferred Employee computers, onsite and remote access, office phones, local and long distance service, print services and current network connectivity at current support levels for Seller employees; provided that Buyer shall be responsible for the replacement cost of any Transferred Employee or Other Transferred Employee computers or parts therefor. Changes to computers' configurations and installed software will not occur during the Term. |
o | Process new access/access change requests from Transferred Employees to systems supported by Seller. |
o | Process new password reset requests from Transferred Employees to systems supported by Seller. |
o | Create and support new access requests for up to twenty (20) Buyer employees who are not Transferred Employees to Seller IT systems, utilizing a computer provided by Seller that will use VPN with two-factor authentication for the sole purpose of accessing systems maintained on Seller's internal networks. All costs incurred by Seller in connection with transferred computer hardware and installed software will be reimbursed by Buyer. |
· | Email and Phone Systems |
o | Maintain email accounts and "read only" access to email accounts for Transferred Employees for a period of 45 days after the date hereof. |
o | Forward inbound emails to new Buyer email accounts until October 15, 2016. |
o | In accordance with Seller's data retention policies, maintain historical email files to allow customer requested research, customer complaint related research and regulatory inquiries. Seller data retention policies are subject to change. |
o | Maintain Phone setup, configuration and system maintenance for Transferred Employees. |
o | Provide support to offshore contact center configuration, similar to what was provided prior to the transfer date. |
o | Provide Transferred Employees the ability to access and take certain actions as required on certain internal email accounts. |
A-2
· | Operations; IT Infrastructure |
o | Maintain and support the production and backup environments located at the Seller data centers in New Haven, CT and Altanta, GA for the OneDisburse/OneAccount application. This includes all systems that are involved in supporting the OneDisburse/OneAccount application, including but not limited to the WAN and LAN network infrastructure, the security infrastructure, database infrastructure, application server infrastructure, monitoring systems, SAN/NAS infrastructure and appliances (Terradata, load balancers). All current vulnerability and penetration testing, patch management policies, applicable vendor relations and software licenses will be maintained. Support and maintenance contracts for the data center facilities, which include HVAC, UPS, fire suppression systems, access control and generators, will be maintained at current levels. |
o | Maintain and support the development environment located at the New Haven Seller data center for the OneDisburse/OneAccount application. This includes all systems that are involved in supporting the OneDisburse/OneAccount application, including but not limited to the WAN and LAN network infrastructure, the security infrastructure, database infrastructure, application server infrastructure, monitoring systems, SAN/NAS infrastructure and appliances (Terradata, load balancers). Also included are development tools utilized in the development of the OneDisburse/OneAccount software, including code repositories, testing tools, and required tools for audit and security. All current patch management policies, applicable vendor relations and software licenses will be maintained. Support and maintenance contracts for the data center facilities, which include HVAC, UPS, fire suppression systems, access control and generators, will be maintained at current levels. |
o | Maintain and support the QA/testing environment located at the New Haven Seller data center for the OneDisburse/OneAccount application. This includes all systems that are involved in supporting the OneDisburse/OneAccount application, including but not limited to the WAN and LAN network infrastructure, the security infrastructure, database infrastructure, application server infrastructure, monitoring systems, SAN/NAS infrastructure and appliances (Terradata, load balancers). Also included are QA/testing tools utilized in the QA/testing of the OneDisburse/OneAccount software, including code repositories, testing tools, and required tools for audit and security. All current patch management policies, applicable vendor relations and software licenses will be maintained. Support and maintenance contracts for the data center facilities, which include HVAC, UPS, fire suppression systems, access control and generators, will be maintained at current levels. |
o | Maintain and support back office systems that are currently in place and used by the OneDisburse/OneAccount employees, including but not limited to the file shares, Microsoft Exchange, Bugzilla, Chat and ALM. Seller will also maintain all access to 3rd party SaaS applications that are currently in place and used by the OneDisburse/OneAccount employees, including but not limited to WebEx, ADP, SalesForce and RightNow. Seller will maintain and support the underlying infrastructure, which includes but is not limited to the WAN and LAN network infrastructure, the security infrastructure, database infrastructure, application server infrastructure, monitoring systems and SAN/NAS infrastructure. All current patch management policies, applicable vendor relations and software licenses will be maintained. A list of the current back office systems and 3rd party SaaS applications are provided in the application and 3rd party SaaS application documents. |
o | Provide IT operations management reports at the same intervals such reports were generated prior to the Closing, including root cause analysis for systems outages impacting OneDisburse and/or OneAccount, Client Facing Systems Up Time, Quarterly Support Desk Metrics, Quarterly Ubiquity Ticket Volume, Quarterly Refunds Service Outage Report, Quarterly Product Change Management Report, any other IT operations management reports regularly generated by Seller prior to Closing, and any other reports mutually agreed upon by the Parties. |
o | Data extracts and configuration information or system clones, as determined by the Migration Plan, will be supplied for systems where data and configuration information has been agreed to be migrated to Buyer, including but not limited to Bugzilla, ALM, source code repositories, and "H" drive. |
o | Support implementation of Buyer initiated circuits. |
o | Continue providing the current disk storage for electronic files, data backups and backups of production and development environments. |
o | Continue to support existing integration between OneDisburse and CashNet (including Single Sign-on, refund data on ePayment and OneAccount as tender type on CashNet). |
A-3
o | Provide DNS services for critical websites, including xxxxxxxxxxxxxxxxxxxxxx.xxx, and xxxxxxxxxxx.xxx. |
o | Provide data security services for Seller's existing IT environment, including threat and event management, security monitoring, change management, access management, vulnerability and patch management, and information security review for vendors with access to non-public personal information. |
o | Buyer shall be responsible for any costs associated with changes to the existing computing environment proposed by Buyer and accepted by Seller. |
· | Governance |
o | A member of the Buyer transition team will be invited to the Seller change management board meetings for the OneDisburse/OneAccount environment and supporting systems changes. Buyer will create one or more distribution groups for system notifications which will be added to the Seller notification process. |
o | Define a mutually agreed upon governance process and participate with Buyer to support changes to the application environment and software for OneDisburse/OneAccount. |
o | Deploy OneDisburse/OneAccount code releases that are consistent with the OneDisburse/OneAccount product roadmap. Any releases that require changes to the existing computing environment shall be mutually agreed upon by Buyer and Seller. |
· | Audit |
o | Cooperate with Buyer, perform and maintain all current audit schedules for the SSAE16 and SOX audits on the OneDisburse/OneAccount environment during the Term. Seller is only responsible for performing and maintaining the current audit schedules for the environments under the Seller's control. Audits of environments that are implemented by the Buyer that are either in front of or behind the OneDisburse and/or OneAccount environments will be the responsibility of the Buyer. |
o | Cooperate with Buyer-initiated audits (financial, internal audit or any other audits) to the extent such audits are not duplicative of any audits performed by Seller. |
o | Perform the current DR testing plan one time on the OneDisburse/OneAccount environment during the Term, unless otherwise agreed by the Parties. |
Duration of Services
· | Cooperate with Buyer to identify and hire temporary staff resources in order to meet current demand. |
Unless otherwise set forth herein, the service period applicable to the Seller Transition Services set forth in this Annex A – Section 1 shall begin on the Closing Date and end on the Termination Date.
A-4
Annex A – Section 2
Accounting
Scope of Services
Seller, itself and/or by and through its Affiliates, shall provide or cause to be provided to Buyer the following accounting services in the manner set forth below:
· | Forward OneDisburse/OneAccount vendor invoices received by Seller after Closing. |
· | Provide access to the Accounts Receivable System (ACCPAC) for the purpose of creating client invoices. |
Duration of Services
The service period applicable to the Seller Transition Services set forth in this Annex A – Section 2 shall begin on the Closing Date and end on the Termination Date.
A-5
Annex A – Section 3
Legal
Scope of Services
Seller, itself and/or by and through its Affiliates, shall provide or cause to be provided to Buyer the following legal services in the manner set forth below:
· | Assist Buyer's legal team with the transfer of OneDisburse/OneAccount dedicated vendor contracts. |
· | Assist Buyer's legal team with the separation of vendor contracts that support both OneDisburse/One Account and the other businesses of Seller. |
· | Advise Buyer's legal team with respect to the transfer of customer agreements. |
· | Complete, at Buyers' reasonable request, any attestations required of Seller under Title IV regulations. |
Duration of Services
The service period applicable to the Seller Transition Services set forth in this Annex A – Section 3 shall begin on the Closing Date and end on the Termination Date.
A-6
Annex A – Section 4
Facilities
Lease
The provision of space described in this Section 4 is included in this Annex A for informational purposes only. The provision of the space, and other details in this Section 4, shall not constitute a Transition Service, or any other service or commitment, under this Agreement. The provision of the space shall be only as set forth in, and subject in all respects to, the Lease Agreement, dated as of the Closing Date, between Seller and Buyer (the "Lease").
Scope of Services
Seller, itself and/or by and through its Affiliates, shall provide or cause to be provided to Buyer the following facilities services in the manner set forth below:
· | Provide office space at 000 Xxxxxx Xxxxxx, Xxx Xxxxx. |
· | Maintain New Haven and Atlanta sites to current standards. |
· | Maintain employee access to Seller facilities for employees transferred to Buyer. |
· | Provide access to Seller facilities for Buyer employees who are not Transferred Employees. |
· | Provide mailroom services to employees at the New Haven location. |
· | Provide access to existing office equipment (e.g. copier, fax machine) at the New Haven location at a pass-through cost. |
· | Provide secure space for hard copy files at the New Haven location. |
· | Maintain existing copy files located at Iron Mountain and enable access to Transferred Employees. |
· | For so long as Seller provides food service to its employees in New Haven, provide food service to Buyer employees in New Haven, including lunch three times per week (Tuesday – Thursday), and coffee daily from 8:00a - 10:30a. |
· | Integrate into Buyer's business continuity and disaster recovery plan as related to data center operations and closures of New Haven and/or Atlanta Facilities. |
Duration of Services
The service period applicable to the Seller Transition Services set forth in this Annex A – Section 4 shall begin on the Closing Date and end on the Termination Date.
A-7
ANNEX B
BUYER TRANSITION SERVICES
BUYER TRANSITION SERVICES
Scope of Services
Buyer, itself and/or by and through its Affiliates, shall provide or cause to be provided to Seller the following services in the manner set forth below:
· | Banking Operations |
o | Provide sufficient ATM-related resources to complete Buyer's ATM Removal and Disposition Project. Such project, and the individuals involved therein, shall be directed by VP Deposit Operations or other appropriate manager appointed by Buyer. |
o | Provide ability for members of Seller's payments banking staff to process batch transactions to the Fiserv Signature Core for the purposes of posting entries and obtaining statement data. If such access is not provided, Buyer shall post entries and create statement copies for Seller. |
o | Seller will be solely responsible for the data and the results of processing batch transactions in the Fiserv Signature Core. |
· | Legal |
o | Provide assistance and cooperation as needed in connection with Seller's implementation of the consent orders relating to the matters set forth in Section 2.04(e) of the Disclosure Schedules (including the Restitution Plans which have been accepted by the Federal Reserve and which received a non-objection from the FDIC) (the "Consent Orders") until the expiration of the period applicable to each Consent Order. The assistance and cooperation shall include the following: |
§ | Provide to Seller promptly upon its request such account information, including name, postal address, email address, account balance, transaction detail, web site access, or other information as is necessary for Seller to make restitution payments (including credits for open and active accounts and checks for dormant or closed accounts) as is necessary for Seller to fully implement the Restitution Plans, including any audit, verification procedures required or information requests from the Federal Reserve or FDIC. |
§ | Provide Seller such access to information technology personnel, software, data retrieval systems, and vendors as is necessary to implement the Restitution Plans efficiently and cost effectively. |
§ | Provide Seller such access to and assistance of the Transferred Employees as is reasonably necessary for Seller to comply with the Consent Orders. |
§ | Maintain, establish and modify as required by the Restitution Plans and as otherwise required by the Federal Reserve or the FDIC the web page announcement referenced in Paragraph 7 of the Federal Reserve Consent Order and Paragraph 27 of the FDIC Consent Order. If third party costs are required, Seller shall be solely responsible. |
§ | Provide data and information as reasonably requested by Seller in connection with any Consent Order or other legal or regulatory matters to which Seller may be subject, for the duration of the applicable legal matter. |
§ | Provide assistance and cooperation as needed to WEX Bank in connection its compliance obligations under the Consent Orders and any other regulatory compliance obligations related to OneAccount. |
o | The service period applicable to the Buyer Transition Services set forth under this "Legal" heading shall begin on the Closing Date and end when the latter of the Federal Reserve and the FDIC determines that restitution is complete pursuant Paragraphs 10 and 34 of the Consent Orders, respectively. |
B-1
· | Information Technology |
o | Continue to support existing integration between OneDisburse and CashNet (including Single Sign-on and ePayment data presented on OneDisburse). |
o | Provide a secure method of communication between Buyer and Seller. |
o | During the term of the TSA, Seller shall maintain current business continuity services for the primary data center located in New Haven, CT from the backup data center located in Atlanta, GA. |
· | Finance |
o | Continue to provide access to HOBIT (Business Intelligence) to allow retrieval of payments reports (including MMDA Alert Report, MMDA Detail Report, Transaction Report with Account and Date Prompt, Transaction Report with Product Code and Date Prompt, Trial Balance Lookup with Account and Date Prompt, and Trial Balance Lookup with Product Code and Date Prompt). |
o | Provide payment of expenses for Seller's employees through existing OneAccount system. Seller shall reimburse Buyer for any such payments. |
· | Client Operations |
o | Provide clients of Seller's payments division access to the e-Train site (Moodlerooms) to retrieve training materials, software release notes and documents. |
Duration of Services
Unless otherwise set forth herein, the service period applicable to the Buyer Transition Services set forth in this Annex B shall begin on the Closing Date and end on the Termination Date.
B-2
ANNEX C
HIGHERONE SECURITY REQUIREMENTS
ACCESS TO HIGHER ONE CONFIDENTIAL INFORMATION
Higher One's Information Security Program is comprised of a number of policies, standards and guidelines, developed with reference to the source documents cited previously, as well as with consideration of the Company's business and regulatory needs. When referencing the Information Security Program any or all of these policies are included.
Privacy Policy
Overview
Higher One may log user system activity, record building access, monitor Internet usage and use security cameras to monitor building facilities. User's work output, regardless of storage format (e.g., paper, electronic, etc.) is the property of Higher One. The output, and any tools used to generate that output, is subject to review or monitoring by the Company at its discretion. User personal information is not used or disclosed except to comply with laws, and to protect our rights. It is used solely for business purposes including establishing, maintaining or terminating employment or contractual agreements between the user and Higher One.
Standards
Audits or investigations may be conducted to:
1) | Ensure integrity, confidentiality and availability of information and resources. |
2) | Investigate possible security incidents. |
3) | Ensure conformance to security policies. |
4) | Monitor system or user activity where appropriate. |
During an audit, all required data will be provided to the Information Security Office upon request. For the purpose of performing an investigation, any access required will be provided to the Information Security team members for the duration of the investigation. Such access may include:
1) | User and/or system level access to any computing or communications device. |
2) | Access to information, whether electronic or hard copy, that may be produced, transmitted or stored on Company equipment or premises. |
3) | Access to work areas such as labs, offices, cubicles or storage areas. |
4) | Access to interactively monitor and log traffic on networks. |
C-1
Password Management Policy
Overview
Higher One's Password Management Policy is directed to ensuring only strong, secure passwords are used on all accounts, systems and equipment. Password standards define the minimum length, composition, aging and re-use parameters, as well as lock out limitations. Password standards are enforced to protect Company systems, Company and customer data, as well as Higher One's reputation. Password guidelines provide additional information to assist users in protecting passwords and account access.
Standards (General)
All passwords must meet minimum requirements, within the capabilities of the applicable system. Password cracking exercises may be performed on a periodic basis by the Information Security Office. Passwords that are exposed during such an exercise will result in the user being required to change to a more secure password immediately.
Except where otherwise defined or dictated, minimum password requirements are:
1) | At least 8 (eight) characters in length, where applicable. |
2) | Contain both upper and lower case letters. |
3) | Contain at least one number. |
4) | Contain at least one special character (within the bounds of those special characters supported by the system in question). |
5) | May not contain more than 3 (three) consecutive identical characters. |
6) | System level passwords must expire and be changed no more than every 42 days. |
7) | At a minimum, the prior 13 (thirteen) passwords may not be reused. |
8) | Users must have the ability to change a password at any time. |
9) | Accounts must be locked after at least 5 (five) unsuccessful login attempts. |
10) | User accounts with elevated privileges must have a password that is unique to that account and not the same as lower-privileged account(s) held by the same user. |
11) | Passwords are to be treated as sensitive and confidential information and are not to be shared, written down or stored in an unsecured manner. |
12) | Passwords are not to be conveyed via email. |
13) | Passwords must not be displayed in clear text (e.g., must be masked) while being entered. |
14) | Default vendor or manufacturer accounts and passwords should be changed as soon as reasonably possible. |
15) | If a password is suspected to have been compromised, change the password immediately and report the incident to the IT Operations Support Desk, which will inform the Information Security Office. |
16) | Where Simple Network Management Protocol("SNMP") is used, the community strings must be defined as something other than the standard defaults of "public", "private" and "system", and must be different than the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2). |
17) | Passwords must be changed in the event of a user's departure. |
C-2
Guidelines
The guidelines provided herein are intended to assist users in protecting both their passwords, their access and their accounts from unauthorized use. These guidelines constitute established best practices. None of the examples cited below should be used as passwords.
· | Avoid poor, weak or common passwords such as Welcome123, Password1, or ChangeMe123. |
· | Avoid common words, even if spelled backwards or with the addition of a number, such as secret1, 1secret, or terces. |
· | Avoid patterns of numbers or letters such as aabbcc, qwerty, or 12344321. |
· | Avoid commonly known personal information such as birthdates, addresses, names of family members, friends or pets. |
· | Avoid work-related information such as company names, building sites, etc. |
· | Should not contain common nouns, proper names or dictionary words. |
· | To create a secure but memorable password, consider creating a passphrase based on a song title, affirmation or memorable phrase that contains multiple words. For instance, This May Be One Way To Remember could become the password TmB1w2R! or I saw my favorite band last Friday night! becomes IsmF3lFn!. |
Standards (Service Accounts)
Service Accounts are defined as system-level accounts that are not associated with one specific individual, but are used for administration, management, or maintenance of a system or application, or are required by a system or application. Service Accounts may also be either interactive or non-interactive.
Interactive Service Accounts are defined as those that meet all of the following criteria:
1) | Are highly privileged (e.g., have root level access on a Linux system, local or domain administrator access on a Microsoft Windows system, sa level access on a Microsoft SQL Server system, sys/system on an Oracle database, etc.). |
2) | Permits interactive logons (e.g., a user can use ssh to open a shell prompt on a Linux system, use Remote Desktop Services to access a desktop on a Microsoft Windows system, may use SQL Studio to perform queries on a Windows system, etc.). |
3) | The account passwords are retained (e.g., stored in Password Safe, Password Manager or some other location for future access). |
Non-interactive Service Accounts are defined as those that meet any of the following criteria:
1) | Are not highly privileged (e.g., do not have root level access on a Linux system, local or domain administrator access on a Microsoft Windows system, sa level access on a Microsoft SQL Server system, sys/system on an Oracle database, etc.). |
2) | Does not permit interactive logons (e.g., a user cannot use ssh to open a shell prompt on a Linux system, use Remote Desktop Services to access a desktop on a Microsoft Windows system, or use SQL Studio to perform queries on a Windows system, etc.). |
3) | The account passwords are not retained (e.g., not stored in Password Safe, Password Manager or some other location for future access). This circumstance applies to accounts where there is no need to use the password in the future and so the password is set to a long random value and not saved. |
C-3
Service Account standards must meet the criteria outlined in Standards (General) section, with the following exceptions:
1) | At least 12 (twelve) characters in length. |
2) | Service accounts shall have Deny Logon Locally or comparable attribute set if supported on the operating system. |
3) | Interactive Service Account passwords will expire and must be changed no more than every 90 days. |
4) | Non-interactive Service Account passwords will expire and must be changed no more than every 720 days. |
5) | In the event that the account password cannot be changed or the application vendor recommends against changing the password because it would adversely impact the application, an exception will be documented and approved by the Information Security Officer and that password will be exempt from periodic changes. |
Initial Passwords and Password Resets
Where supported by the system in question, initial passwords must be set to a temporary and unique value, and be reset by the user upon first use.
In the event a password must be reset, a temporary and unique value must be provided, and must be reset by the user at the time of successful login.
Identity and Access Policy
Overview
The Identity and Access Policy defines the tasks that principals can perform, resources they can access and defines which activities will be audited for regulatory compliance purposes. Access controls are established, documented and periodically reviewed, based on business needs and external requirements.
Standards
1) | Access Administration: This area focuses on ensuring authorized user access, and preventing unauthorized user access, to information and information systems. |
a. | Procedures covering all stages in the life-cycle of user access, from provisioning and modification to de-provisioning. |
b. | Documentation of approval from the hiring Supervisor or System Owner for each user's access, where appropriate. |
c. | Ensuring restricted or sensitive access is not granted until all authorization procedures are completed. |
d. | Special attention to control of privileged ("super-user") access rights. |
2) | Compliance |
a. | Attestation - Confirmation by a reviewing Supervisor or designee that each user's access is consistent with business purposes and with other security controls (e.g., segregation of duties). |
b. | Access Permissions Review - A formal process must be conducted periodically (quarterly) by System Owners to review user access rights to critical systems. This review shall be documented / approved by System Owners and retained by the Information Security Office (as defined below) for audit verification purposes. Each System Owner is accountable for identifying inappropriate access and inactive user access in a timely manner to the Security Administrators. |
c. | Access to non-critical systems will be reviewed based on risk but no less frequently than annually. |
C-4
User Identity Verification Policy
Overview
Higher One's User Identification Verification Policy contains information and requirements for verifying the identity of a system user when unlocking an account, resetting a password or otherwise assisting with logging in. This policy also defines the systems that are within the scope of the policy.
Standards
1) | This policy applies to the following systems: |
a. | Active Directory, any domain |
b. | RSA SecurID PIN |
c. | CASHNet/IDC |
d. | LDAP (Corporate and Production) |
e. | Xxxxxxxxxxxxxxxx.xxx |
f. | TPP Applications |
g. | NetPay Applications |
2) | A user's identity must be verified prior to resetting his/her password on any in-scope system. |
a. | If the request is made in person, photo identification is an acceptable means of verifying the user's identity. |
b. | If the request is made by telephone, the user must provide a matching and valid Employee ID which will be verified against records. |
c. | Requests by email will not be accepted, and the user will be instructed to telephone. |
3) | In the event the user cannot provide a valid Employee ID, the user's manager or (if a contractor) employee sponsor can verify the user's identity, after verifying his/her own identity. |
Privileged Account Policy
Overview
Privileged accounts are valid credentials used to gain access to information systems. Privileged credentials provide elevated, non-restrictive access to the underlying platform that non-privileged user accounts do not have access to. Root, local administrator, domain administrator and enable passwords are all examples of privileged accounts that have elevated access beyond that of a normal user.
If methods other than using privileged access will accomplish an action, those other methods must be used unless the burden of time or other resources required clearly justifies using privileged access. In addition, passwords for privileged accounts should be randomized, not memorized by anyone, and changed frequently. Whenever technically possible, gaining and using privileged access should be audited.
Privileged access to information systems is granted only to authorized individuals based on clearly defined and documented business need.
C-5
Standards
1) | System Approval and Authorization |
a. | Providing clarity on what administrative privileges are necessary. |
b. | Minimizing the use of shared administrative accounts. |
c. | Having a method of being able to verify the privileges associated with each account. |
2) | Privileged User ID Activity Logging: All ID creation, deletion, and privilege change activity performed by Systems/Security Administrators and others with privileged user IDs must be securely logged. |
3) | Privileged Account Types |
a. | Domain Administrative Accounts: These accounts give privileged administrative access across all workstations and servers within a Windows domain. While these accounts are few in number, they provide the most extensive and robust access across the network. |
b. | Emergency Accounts: These provide unprivileged users with administrative access to secure systems in the case of an emergency and are sometimes referred to as 'firecall' or 'breakglass' accounts. Access to these accounts typically requires managerial approval for security reasons. |
c. | Service Accounts: These can be privileged local or domain accounts that are used by an application or service to interact with the operating system. In some cases, these service accounts have domain administrative privileges depending on the requirements of the application they are being used for. Local service accounts can interact with a variety of Windows components |
d. | Application Accounts: These are accounts used by applications to access databases, run batch jobs or scripts, or provide access to other applications. These privileged accounts usually have broad access to underlying company information that resides in applications and databases. |
Remote Access Policy
Overview
Remote Access rules and requirements are designed to minimize the potential exposure to Higher One from damages which may result from unauthorized use of Higher One resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Higher One internal systems, and fines or other financial liabilities incurred as a result of those losses.
It is the responsibility of Higher One users with remote access privileges to Higher One's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Higher One. This policy applies to remote access connections used to do work on behalf of Higher One, including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to Higher One networks.
C-6
Standards
1) | Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. |
2) | Authorized Users shall protect their login and password, even from family members. |
3) | All hosts that are connected to Higher One internal networks (including employee owned equipment) via remote access technologies must use up-to-date anti-virus software. Third party connections must comply with requirements as stated in the Third Party Agreement. |
4) | Users must not leave workstations unattended without locking or logging off the system. |
5) | Users must use personal desktop firewall software on any device connecting to Higher One networks or resources. |
6) | Higher One users who wish to implement non-standard Remote Access solutions to the Higher One production network must obtain prior approval from the Information Security Office. |
7) | The use of third-party managed remote access connections such as Webex and Go2MyPC can only be used for remote access in a support situation where personnel are present at both the asset being accessed and the system being used to obtain the remote access. This type of managed connection is explicitly not to be used to allow a user to remotely access a device which has been left unattended on the Higher One network. |
8) | Higher One Client VPN with the use of two-factor (FOB with Pin/Token plus password) authentication is required to connect to the HigherOne corporate network. |
Third-Party/Vendor Access Policy
Overview
Companies or entities with a business relationship with Higher One should only be permitted the least access required to any internal network or application system, based on the business need. The access mechanism may include direct connectivity to Higher One assets, or the exchange of electronic information.
Higher One must actively control third party access to information systems. Business needs should be considered and a risk assessment must be carried out to determine security implications and control requirements.
This section is not intended to restrict or control access to integrated third-party systems required by Higher One products.
Standards
1) | Controls and confidentiality clauses must be agreed on and defined in a contract with the third party. |
2) | All third party requests for Higher One data or connections to the Higher One network must be justified by business requirements, assessed for potential risks and control requirements, and then directed to appropriate Higher One management for review and approval. |
3) | All third party connections require approval from the Information Security Office. |
C-7
4) | Third-Parties must adhere to all Vendor Management Program requirements. |
5) | Reviews to ensure third-party access is still required and appropriate will be conducted periodically. |
6) | There are three methods allowed for direct connectivity between Higher One and third parties. |
a. | Dedicated circuits - A leased line obtained through a telephony-communication provider. |
b. | Site-to-Site Virtual Private Network (VPN) over the Internet – A two-way encrypted communications session between two networks that protect against eavesdropping by an unauthorized source and provides non-repudiation. |
c. | Client-based VPN |
Requirements for Connectivity
1) | Before connectivity is established with a third party, a risk assessment must be performed as part of the vendor management assessment to validate that there are no high-risk issues involved with connecting to an external entity's network. A third party must not be immediately trusted and given immediate access to Higher One's network or application system without performing an appropriate level of due diligence. |
2) | Firewalls must restrict third party access to Higher One's network and application systems for which they have a defined business purpose. |
a. | Explicit source and destination IP and ports must be defined in the firewall rules |
b. | Must not be able to access other business partners' networks. |
3) | Firewalls must restrict Higher One's users from unlimited access to the third party network. |
a. | Explicit source and destination IP and ports must be defined in the firewall rules |
b. | Must only be able to access business partners' networks for which the user has a business purpose. |
4) | A list of approved third party connections must be maintained by the Information Security Office. |
Data Classification
Overview
A data classification system sorts and labels every resource with its value, importance, sensitivity, cost, and other concerns in order to guide the implementation of security and prescribe processes of management and use. Assigning classification labels, such as public, private, sensitive, internal only, confidential, proprietary, etc., helps workers understand how to use and handle resources properly. Those resources with moderate to high value and sensitivity require greater control, tighter security, and stricter authentication. Often classification can improve the organizations defense against social engineering and other information leakage attacks. If workers know that certain information cannot be communicated via instant message, e-mail, or over the phone, then most socially guided attacks through those mediums will fail.
Asset Inventory
Higher One shall maintain a current inventory of all information assets, including hardware, software licenses and applications. The asset inventory must include at least the following elements:
1) | A clear definition of each asset, including its business purpose and security classification. |
2) | Location of the asset. |
3) | Whether or not the asset contains personally identifiable customer information or card-related data. |
C-8
Data Classification and Confidentiality
Higher One business units must classify information to indicate its level of sensitivity. Classifications dictate the priority and necessary degree of protection required to properly secure the information. Data classification classes are:
1) | Restricted - The Restricted class applied to business and customer related information requiring the highest level of protection. If Restricted Data is disclosed, it could result in financial loss, violation of privacy and other laws or Regulations and significant negative publicity. Disclosure of Restricted Data may require initiating state or federal disclosure requirements. (e.g., PCI, PII, HIPAA) |
2) | Confidential - The Confidential class applies to business and customer related information that requires role-based protection and is sensitive enough to require elaborate controls. If Confidential Data is disclosed, employees or customers could be negatively impacted, initiating possible state or federal disclosure requirements. |
3) | Private - The Private classification applies to business and customer related information that requires some level of protection but is not sensitive enough to require extensive controls. Disclosure of Private data should be avoided but will have minimal impact. |
4) | Public - The Public class applies to information that has been made available for public distribution through authorized Higher One channels or information that will not cause any damage to Higher One if accidentally disclosed. |
Credit Card Information Processing Applications
1) | All applications dealing with the processing or retrieval of cardholder information, must, where there is not a business need to display full primary account numbers (PAN), mask displayed PAN to no more than the first six (6) and last four (4) digits of the full PAN. |
2) | If the application is designed for a specific purpose in which the full PAN must be displayed, approval must be given by the Information Security Office during the Requirements Phase as described in the SDLC process. In all cases the application must limit the display of the full PAN to the fewest number of users possible. |
Credit Card Storage Applications
1) | All Higher One application systems dealing with the storage of cardholder data must be on an internal network segregated from the demilitarized zone ("DMZ"). |
2) | All access to networked storage devices containing cardholder data shall have its authentication communication encrypted. |
3) | The Primary Account Number ("PAN") must be rendered unreadable through one of the following: |
a. | Strong one-way hash functions (hashed indexes) such as Secure Hash Algorithm 1) SHA-1 with salts. |
b. | Truncation. |
c. | Index tokens and pads (pads must be securely stored). |
d. | Strong cryptography, based on industry-tested and accepted algorithms, with proper key management processes and procedures. |
C-9
4) | The PAN must never be stored in clear text in databases, files, or removable media. |
5) | The PAN must not be written to audit logs. |
6) | Full PAN must never be emailed or sent via instant messaging programs. |
Technology Equipment Policies
Overview
Desktop, laptops, servers and virtual computers, as well as the software contained thereon, are resources that are provided to Higher One users for the purpose of conducting business on behalf of the Company. Administration, installation and maintenance of technology equipment are the responsibility of the Information Technology departments.
Warning Banners
Overview
A warning banner sets appropriate expectations for users accessing a system or device regarding the appropriate use of the resource, and warnings regarding monitoring of usage or activities while using the resource.
Standards
1) | Higher One computing systems and devices, where supported by the device, must display a warning banner during the system login process. The message must state that the system must only be used for Higher One business purposes and is subject to monitoring. |
2) | Warning banners must be in a language consistent with the system's interface language. |
3) | The word "Welcome" or any similar language shall not be displayed prior to a successful user login. |
Physical and Virtual Workstations
Overview
Desktops, laptops and virtual workstations are provided to users based on job role, need, and are based on company standard hardware configurations.
Standards
In addition to those items detailed in the Acceptable Use Policy,
1) | Equipment is to be protected from theft or damage, including damage caused by foreign substances, impacts or misuse. |
2) | All laptop computers will be encrypted. |
3) | Online backup accounts will be provided to laptop users to ensure recoverability of data stored locally on the device. |
4) | Ensure that all vendor supplied defaults are changed before the system goes into production. |
5) | All desktops and laptops shall have personal firewall software which users should not be able to disable. |
6) | All desktops and laptops used to remotely access Higher One systems shall have VPN Client software capable of supporting the company's 2-factor authentication solution. |
7) | Workstation Configuration Standards will be reviewed on a periodic basis. |
C-10
Guidelines
Physical security of computing devices can include the following:
· | Having actual possession of a computer at all times. |
· | Locking the computer in an unusable state to an object that is immovable. |
· | Never leaving a laptop or other portable computing device unattended in a conference room, hotel room or on an airplane seat, etc. |
· | Locking the device in a hotel safe when traveling. |
Server and Network Devices
Overview
The purpose of this policy is to establish standards for the base configuration of internal server and network equipment that is owned and/or operated by Higher One. Effective implementation of this policy will minimize unauthorized access to Higher One proprietary information and technology.
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent Server installation policies, ownership and configuration management are all about doing the basics well.
Standards (Security)
All internal servers deployed at Higher One must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by IT and each application team, based on business needs and approved by Information Security.
1) | All servers and network devices should be designated for a single primary purpose where possible. |
2) | All servers and network devices, prior to deployment in the production environment must conform to the Company's System Configuration and Hardening Standards. |
3) | Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do. |
4) | Ensure that all vendor or manufacturer supplied defaults are changed before the server goes into production. |
5) | Servers storing or processing confidential or restricted information shall have file integrity monitoring software installed. |
6) | File integrity monitoring software shall alert IT personnel to unauthorized modification of critical system or content files. The file integrity monitoring software shall be configured to perform critical file comparisons at least daily and should be logged. Information Security should be alerted to any abnormal activity. |
7) | All servers must have anti-virus software installed. |
8) | Information in the server inventory list must be kept up-to-date. |
9) | Configuration changes for production servers must follow the appropriate change management procedures. |
10) | Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible. |
C-11
11) | Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient. |
12) | If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using Secure Shell ("SSH") or Internet Protocol Security "IPSec"). |
13) | Servers should be physically located in an access-controlled environment. |
14) | Servers are specifically prohibited from operating from uncontrolled cubicle areas. |
15) | For security, compliance, and maintenance purposes, authorized Information Security personnel may monitor and audit equipment, systems, processes, and network traffic. |
Standards (Configuration)
1) | Operating System configuration should be in accordance with approved System Configuration and Hardening Standards. |
2) | A valid business justification must exist for all deviations from published configuration standards. Deviations require written approval by the Chief Information Officer and must be noted on the asset inventory for the server. |
3) | Services and applications that will not be used must be disabled where practical. |
4) | All servers and network devices must be configured to use an internal authoritative time source to maintain time synchronization with other servers in the environment. |
5) | Server and network device Configuration Standards will be updated as new public standards become available and are approved by the Information Security Office and Information Technology. |
Standards (Monitoring)
1) | All security-related events on critical or sensitive systems must be logged and audit trails saved. |
2) | Security-related events will be reported to Information Security, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to: |
a. | Port-scan attacks. |
b. | Evidence of unauthorized access to privileged accounts. |
c. | Anomalous occurrences that are not related to specific applications on the host. |
Cellular Device Policy
Overview
The Cellular Device Policy applies to any device that uses a wireless cellular network for communication, whether the device is supplied by Higher One or personally owned by the employee and used for business-related purposes. This policy applies to, but is not limited to, all devices and accompanying media that fit the following device classifications:
1) | Tablets |
2) | Mobile/Cellular/Smart Telephones |
3) | Mobile Broadband devices (MiFis) |
Standards
1) | IT reserves the right to refuse the ability to connect mobile devices to the Higher One infrastructure. |
Higher One's Cellular Device Policy can be found on the ADP portal under the heading Resources > Tools/References.
C-12
Equipment Disposal
Proper disposal of technology equipment is environmentally responsible and often required by law. To ensure that Higher One's electronic data, which may be stored on various types of storage media, is secured, all storage media must be completely erased or destroyed prior to release for disposal.
Standards
1) | All information assets or office equipment which may contain a storage media component is in scope or this policy. This includes such items as computer workstations, servers, storage arrays, fax machines, printers, and copiers. |
2) | All forms of electronic media (e.g., fixed hard disks, flash memory, external drives, CDs, DVDs, tapes, USB drives) are within the scope of this policy. |
3) | At the time an in scope device or media is decommissioned or replaced, the item shall be destroyed, disabled or disposed of using methods and timing consistent with Higher One's Record Retention policies, any applicable retention laws and with due consideration for any litigation hold requirements currently in force. |
a. | Hard drives will be erased to Department of Defense standards (DoD 5220.22M) or |
b. | Physically destroyed by drilling or shredding. |
4) | When a computer workstation is transferred to a new user, the storage media will be: |
a. | Replaced, if under a litigation hold, with the original component stored as per Higher One's procedures. |
b. | Reformatted, if not subject to litigation hold. |
5) | The Facilities department will ensure that vendors remove any storage media contained within copiers, printers and fax machines prior to removing any such item from Higher One's premises. |
6) | Information Technology will maintain: |
a. | Procedures for the proper erasure of data and/or destruction of storage media. |
b. | Procedures for secure storage of media prior to destruction or disposal. |
Software Installation Policy
Overview
Allowing users to install software on company computing devices opens the organization up to unnecessary exposure to risks such as the introduction of malware from infected installation files or software, unlicensed software, and programs which can be used to hack the organization's network.
Standards
1) | Users may not install software on Higher One's computing devices operated within the Higher One network. |
2) | Software must be selected from an approved software list, maintained by the Information Technology department, unless no selection on the list meets the requestor's need. |
3) | Requests for software installations must first be approved by the requestor's manager and then submitted to the IT Support Desk in writing. |
4) | Any requests for software not on the approved list must be reviewed and approved by Information Technology and Information Security before purchase or installation. |
The Information Technology Department will obtain and track the licenses and perform the software installation.
16873\75\3394687.9
C-13