ENTERPRISE AGREEMENT
Effective December 13, 2001
Exhibit 10.24
-------------------------------------------------------------------------------
ServiceWare Technologies, Inc.
has requested that the marked portions of this document be granted confidential
treatment pursuant to Rule 24b-2 under the Securities Exchange Act of 1934
-------------------------------------------------------------------------------
SOFTWARE LICENSE AND MAINTENANCE AGREEMENT
This Software License and Maintenance Agreement (the "Agreement"),
dated this 13th day of December, 2001, is by and between ServiceWare
Technologies, Inc., a Delaware corporation, having offices at 000 Xxxxxxxxx
Xxxxxx, Xxxxxxx, Xxxxxxxxxxxx 00000 (hereinafter referred to as "Licensor" or
"SERVICEWARE") and Cingular Wireless LLC, (hereinafter referred to as
"Licensee"), on behalf of itself and its affiliates, a Delaware limited
liability corporation, having its principal offices at 0000 Xxxxxxxxx Xxxxxxxxx
Xxx, Xxxxxxx, Xxxxxxx, 00000.
R E C I T A L S:
---------------
A. SERVICEWARE wishes from time to time to provide software and provide
software maintenance for Licensee and Licensee wishes to engage
SERVICEWARE for such purposes.
B. SERVICEWARE and Licensee wish to agree in advance as to certain terms
and conditions under which such products and services may be rendered.
THEREFORE, for good and valuable consideration given pursuant to the
terms, conditions and covenants contained herein, SERVICEWARE and Licensee
hereby agree as follows:
SECTION 1: DEFINITIONS
As used in this Agreement,
1.1 "AUTHORIZED USER" means (i) any employee of Licensee, and/or
(ii) any contractor, agent or representative of Licensee (and
their employees) who is authorized by Licensee to use the
Products as provided in Sections 2.1 and 2.3.1.
1.2 "DOCUMENTATION" means the Product(s)' user manuals,
specifications, including additional, updated or revised
Documentation, if any, supplied to Licensee by SERVICEWARE on
computer media and/or hard copy.
1.3 "ERROR" means any failure of a Product(s) to conform in any
material aspects to its published Documentation.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
1
ENTERPRISE AGREEMENT
Effective December 13, 2001
1.4 "LICENSED SITE(S)" means the location(s) specified on Exhibit
"A". Licensed Sites may be changed from time to time as
provided in Section 2.3.2.
1.5 "MAINTENANCE RELEASE" means a new release of a Product(s) with
a change in the ZZ component of that Product(s)' X.YY.ZZ
version number or a fix.
1.6 "MAJOR RELEASE" means a new release of a Product(s) with a
change in the X component of that Product(s)' X.YY.ZZ version
number.
1.7 "MODIFICATIONS" means changes, upgrades or enhancements in the
specifications, functionality, delivery systems, rules or
operation, security measures, accessibility, procedures and
any other matters relating to the Product(s).
1.8 "NEW VERSION" means a new release of a Product(s) with a
change in the X component of that Licensed Program's X.YY.ZZ
version number.
1.9 "REASONABLE OUT-OF-POCKET EXPENSES" means travel
(coach-economy), lodging, meals, automobile expenses
(including rentals) and other Cingular pre-approved actual
expenses incurred by SERVICEWARE while performing work under
this Agreement. Expenses shall be in accordance with the
maximum amounts allowed by IRS guidelines.
1.10 "REMEDIATION SERVICES" means error correction services,
consisting of SERVICEWARE using all reasonable commercial
efforts to design, code and implement programming changes to
the Software, and modifications to the documentation, to
correct reproducible errors therein so that the Software is
brought into substantial conformance with its Documentation.
1.11 "SERVER" means the computers of Licensee on which the
Product(s) may be used as the same may be changed from time to
time as provided in Section 2.3.2.
1.12 "SOFTWARE PRODUCTS" (the "Product(s)") shall mean the runtime
version of SERVICEWARE's licensed Products specified in
Exhibit "A" and any improvement or modification thereof, as
well as Documentation relating thereto, and including any
third party products licensed by SERVICEWARE and embedded in
the Products. The terms "Software", "Software Products" and
"Product(s)" may be used interchangeably and shall have the
same meaning for purposes of this Agreement.
1.13 "UPDATES" shall mean unspecified improved releases of the
Product(s) which are generally made available to SERVICEWARE
supported licensees consistent with prices, terms and
conditions of the Maintenance provisions of this Agreement.
"Updates" ("Updated Product(s)") shall not include any options
or future Products or modules which SERVICEWARE licenses
separately or are generally licensed for an
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
2
ENTERPRISE AGREEMENT
Effective December 13, 2001
additional license fee. The term "Upgrade" shall be used
interchangeably with "Update".
1.14 "WORKSTATION" means a computer workstation or terminal of an
Authorized User with respect to which Licensee has paid a
license fee for use of the Products. The initial number of
Authorized Users is set forth on Exhibit "A"
SECTION 2: LICENSED MATERIALS
2.1 GRANT OF LICENSE. SERVICEWARE hereby grants to Licensee a
nonexclusive, nontransferable license, without the right to
sublicense, for Licensee's and its Authorized Users' own
internal use, and described as such on Exhibit "A".
2.2 DOCUMENTATION. SERVICEWARE shall deliver to Licensee the
Software accompanied by at least one (1) copy of the related
Documentation on computer media or hard copy.
2.3 RESERVATION. All rights to the Product(s) not expressly
granted to Licensee in this Agreement are reserved by
SERVICEWARE. Without limiting the generality of the foregoing,
Licensee shall use the Product(s) only for the purposes
specified in Section 2.1 and in accordance with the following:
2.3.1 Users. Any employee, contractor, agent or
representative of Licensee shall qualify as an
Authorized User only in accordance with Licensee's
obligations under this Section 2. Licensee shall
ensure that all Authorized Users comply with Sections
2 and 13 of this Agreement.
2.3.2 Location and Relocation of Workstations and Servers.
Only locations under the control of Licensee shall
qualify as Licensed Sites. If Licensee installs the
Product(s) at a different location, Licensee must
give written notice to SERVICEWARE of the address of
the new Licensed Site.
2.3.3 Back-up Copies. Licensee may reproduce the Product(s)
as necessary for bona fide back-up or archival
purposes.
2.3.4 Modifications. Licensee assumes full responsibility
for any changes, modifications to the Product(s) made
by any person other than SERVICEWARE or SERVICEWARE's
authorized agent. Licensee hereby releases
SERVICEWARE from all liability and waives all rights,
claims and remedies against SERVICEWARE for any and
all damages of any kind or nature, to the extent that
they arise out of any such changes, modifications or
improvements made by Licensee.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
3
ENTERPRISE AGREEMENT
Effective December 13, 2001
2.3.5 No Conveyance of Ownership; Trade Secrets.
SERVICEWARE and its licensors shall retain all title,
copyrights, patents and other proprietary rights to
the Product(s). This Agreement does not convey to
Licensee ownership of the Product(s) or any media
delivered to Licensee on which the Product(s) shall
be stored, but only the right to use the Product(s)
as provided in this Agreement. Licensee acknowledges
that the Product(s) and all Documentation, technical
data and information associated therewith constitute
trade secrets and are the valuable property of
SERVICEWARE and its licensors, and that the
Product(s) are protected by copyright and trademark
rights, and that SERVICEWARE has applied for patent
protection for the Product(s).
2.3.6 Proprietary Legends. Licensee shall not remove,
obscure or alter any notice of copyright, patent,
trade secret, trademark or other proprietary right
appearing in or on Product(s) and shall ensure that
each copy of all or any portion of the Product(s)
made by Licensee includes such notices.
2.3.7 Reverse Engineering. Licensee shall not modify,
translate, decompile, disassemble, create or attempt
to create, by reverse engineering or otherwise, the
source code from the object code supplied hereunder
or use the Product(s) to create a derivative work. In
no event shall Licensee modify or use the Product(s)
to create a standalone software program. Without
limiting the generality of the foregoing, Licensee
shall not use the Product(s) as a basis to create or
develop or contribute to the creation or development
of any standalone software program that incorporates
any portion of the Product(s) makes direct function
calls to or operation of which is otherwise dependent
upon any portion of the Product(s), and shall not
create or develop or contribute to the creation or
development of any program or suite of programs
functionally similar to the Product(s) unless
independently developed by Licensee without access or
reference to the Product(s) except as required for
use with Licensee's product(s).
2.4 SITE PREPARATION. It is Licensee's obligation to provide
computer hardware, software and facilities, and a compatible
computing environment (the "Site") necessary for the Software
to operate according to its Documentation prior to scheduling
installation of the Software. Licensee shall have trained
personnel available to assure the adequacy of the Site
preparation. If the Software does not function as designed due
to the Site preparation, the Licensee will take all steps
necessary to immediately remedy the deficiency.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
4
ENTERPRISE AGREEMENT
Effective December 13, 2001
SECTION 3: CHARGES, FEES, PAYMENT AND INVOICING
3.1 RATES. SERVICEWARE's schedule of fees for Software Licenses,
related Maintenance and Support, shall be set forth in the
applicable Exhibit A attached hereto.
3.2 INVOICING AND PAYMENT TERMS. SERVICEWARE shall submit invoices
for payment and Licensee shall pay for such invoices as
follows or other terms set forth in the applicable Exhibit A:
3.2.1 For Software. SERVICEWARE shall issue an invoice to
Licensee for all Software License fees due under this
Agreement upon execution of this Agreement, Exhibit
A, or receiving a firm commitment or purchase order
from the Licensee.
3.2.2 For Maintenance and Support. SERVICEWARE shall
invoice the Licensee for Maintenance and Support
("Maintenance Fee") for one year's coverage in
advance upon execution of this Agreement, Exhibit A,
or Licensee purchase order.
3.2.3 Payment Terms. All undisputed invoices are due and
payable in 30 days unless other terms are stated in
Exhibit "A" or on the invoice.
3.3 SALES TAXES. The prices and charges hereunder do not include
any excise, sales or use taxes or duties. If any excise, sales
or use taxes or duties, are, or should ultimately be, assessed
against or is required to be collected by SERVICEWARE or by
any taxing authority in connection with their performance
required hereunder, Licensee agrees to pay an amount equal to
any and all such charges, except where Licensee is exempt by
law and Licensee provides a bona fide exemption certificate to
SERVICEWARE.
SECTION 4: PERSONNEL
4.1 INDEPENDENT CONTRACTOR. The only relationship between
SERVICEWARE and Licensee which is intended to be created by
this Agreement is that of licensee and licensor and neither
party will be, nor represent itself to be, an agent, employee,
or partner of the other. SERVICEWARE is an independent
contractor. Neither SERVICEWARE nor any of SERVICEWARE's
agents, subcontractors, or employees are or shall be deemed
for any purpose to be employees of Licensee. Licensee shall
not be responsible for, and SERVICEWARE shall indemnify and
hold Licensee harmless against, any cost, expense, liability,
claim, damages, action, or proceeding relating to any
payroll-related taxes for any person who produces any
Products, or provides maintenance, support or training to be
performed, produced or
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
5
ENTERPRISE AGREEMENT
Effective December 13, 2001
provided by SERVICEWARE hereunder or any claim arising out of
or relating to the employment or application for employment of
any such person.
4.2 EMPLOYMENT OF EACH OTHERS EMPLOYEES. During the term of this
Agreement and for one (1) year thereafter and without the
other's prior written consent, neither SERVICEWARE nor
Licensee shall knowingly solicit or hire any employee from the
other which has been involved in the implementation or
provision of any part of this Agreement during such
involvement and for a period of one (1) year following the
completion of such individual's work in connection with this
Agreement.
4.3 NONEXCLUSIVE. SERVICEWARE shall retain the right to perform
work for others during the terms of this Agreement. Licensee
shall retain the right to cause work of the same or a
different kind to be performed by its own personnel or other
contractors during the term of this Agreement.
SECTION 5: MAINTENANCE AND SUPPORT
5.1 SERVICES PROVIDED. During the term of this Agreement,
SERVICEWARE shall support Product(s) by providing the services
described in the following paragraphs of this Section.
SERVICEWARE has no obligation to correct or support Errors
resulting from Licensee's, or its Authorized Users, misuse,
improper use, alteration, or damage to the Product(s) or
Licensee's, or its Authorized Users, combining or merging the
Product(s) with any hardware or software not identified as
compatible by SERVICEWARE.
5.2 TECHNICAL SUPPORT. SERVICEWARE will provide telephone
technical support regarding use of the Product(s) and
resolution of Errors to Designated Contacts in accordance with
SERVICEWARE's Customer Support Center Policies and Procedures
set forth in Exhibit C.
5.2.1 Notwithstanding anything to the contrary regarding
service responsibilities of ServiceWare in this
Agreement, if ServiceWare is responsible for severity
events leading to complete loss of service to
Licensee, then ServiceWare, at no cost to Licensee,
will provide onsite staff for the duration of time in
order to resolve and restore normal service to
Licensee. ServiceWare shall not be responsible for
such no-cost restoration if severity events causing
complete downtime of service of Licensee are outside
the control of ServiceWare.
5.3 SUBSEQUENT RELEASE(S). SERVICEWARE will send Major Releases
and New Versions to Licensee when made generally available by
SERVICEWARE to its customers; provided that Licensee has paid
the Maintenance Fee for that year. Maintenance Releases will
also be provided to Licensee pursuant to Section 2.3 when
Licensee is experiencing or in SERVICEWARE's sole judgment may
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
6
ENTERPRISE AGREEMENT
Effective December 13, 2001
experience a high priority situation. Each Major Release,
Maintenance Release and New Version delivered by SERVICEWARE
under this Agreement shall be automatically deemed to be
included under the definition of Product(s) under this
Agreement. All Major Releases, New Versions and Maintenance
Releases will be shipped FOB Licensee, freight prepaid by
SERVICEWARE.
5.4 LIMITS OF SUPPORT. This Agreement covers the support that
SERVICEWARE is able to provide for Product(s) by telephone,
fax or electronic mail. Support shall either be performed on
site at the Licensee's premises or off site by remote linkage
as shall be mutually determined by SERVICEWARE and Licensee.
5.5 On-site support assistance, if required and outside the scope
of this Agreement, will be provided at Professional Service
rates then in effect, unless primarily in the nature of
Remediation Services, in which case there shall be no
additional fee for providing on-site service, except that
Licensee shall in all events be responsible for reasonable and
actual out-of-pocket expenses. Professional Services provided
as part of this Agreement shall be billed at the rates listed
in Exhibit A for the term of this Agreement.
SECTION 6: COOPERATION AND MAINTENANCE CONTACTS.
6.1 DESIGNATED CONTACTS. Licensee will designate no more than two
(2) authorized Designated Contacts and agrees that each
Designated Contact will be knowledgeable in all aspects of the
Licensee's operating environment in which the Product(s) is
(are) being used.
6.2 RESTORATION OF DATA. Licensee shall be responsible for data
backup and to periodically test the backup system to ensure
that it is functioning properly. IN NO EVENT SHALL SERVICEWARE
BE RESPONSIBLE FOR FAILED BACKUPS OR LOSS OF DATA DUE TO LACK
OF PROPER BACKUPS.
6.3 REQUIRED MAINTENANCE COVERAGE. The following maintenance
coverage conditions must be satisfied in order for this
Section 6 to continue to be effective: 1) All Product(s)
licensed by Licensee must be included, and 2) all Product(s)
to be covered by this Agreement on the effective date of this
Agreement are no greater than two releases behind the then
current Product(s) furnished by SERVICEWARE. Thereafter,
Licensee may remain on a previously supported version of the
Product(s) for one (1) year from the release date of the
current version to receive coverage under this Agreement.
6.4 NOTICE OF CHANGE IN ANNUAL FEE. SERVICEWARE may change its
Maintenance Fee terms and conditions upon ninety (90) days
written notice, but no such change will be effective prior to
the end of the then current term. SERVICEWARE reserves
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
7
ENTERPRISE AGREEMENT
Effective December 13, 2001
the right upon ninety (90) days' written notice to increase
Maintenance Fees in subsequent years. Licensee reserves the
right to renew or terminate maintenance or this Software
License and Maintenance Agreement based on such change in
terms, conditions and Maintenance Fee for the ServiceWare
notice given to Licensee.
6.5 ADDITIONAL PRODUCT(S). If after the execution of this
Agreement, Licensee increases the Authorized Users of the
Product(s) or acquires additional Product(s), Licensee shall
pay an additional Maintenance Fee proportional to the increase
in license fees under the License Agreement pro-rated in order
to reflect how much of the annual term is then remaining in
the current annual term. Licensee shall pay this additional
pro-rated fee to SERVICEWARE within thirty (30) days after the
date of the SERVICEWARE invoice.
6.6 TERM. The duration of the initial Maintenance term shall be
one (1) year and shall commence ninety (90) days from the
Effective Date of this Agreement. The Maintenance term shall
automatically renew for one (1) year periods unless notice of
termination is provided by Licensee prior to the end of the
current term.
6.7 ServiceWare will work in a professional and workmanlike manner
to implement this program in conjunction with any third party
that Cingular has chosen for implementation services.
6.8 ServiceWare and Licensee shall enter into a software escrow
agreement with a mutually agreeable escrow agent in
substantially the form set forth in Exhibit B hereto, or in
such other form as ServiceWare and Licensee may mutually agree
in writing.
SECTION 7: WARRANTIES
7.1 MEDIA. SERVICEWARE represents to Licensee that the media on
which the Product(s) is delivered by SERVICEWARE to Licensee
will be virus fee and free from defects in materials and
workmanship for a period of ninety (90) days from the date of
delivery of the Product(s) to be used in the live production
environment.
7.2 INFRINGEMENT. SERVICEWARE represents to Licensee that use in
accordance with this Agreement of the Product(s) as delivered
by SERVICEWARE to Licensee does not infringe any valid
copyright, patent or trademark laws of the United States.
7.3 BUGS AND ABATEMENT. Without limiting the foregoing,
SERVICEWARE does not warrant that the Product(s) is (are) free
from bugs, errors, or omissions, nor does it warrant that the
operation of the Product(s) will be uninterrupted or error
free in all circumstances, or that it will operate in the
combinations that may be selected for use by Licensee or an
Authorized User.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
8
ENTERPRISE AGREEMENT
Effective December 13, 2001
7.4 YEAR 2000 COMPLIANCE. SERVICEWARE represents that any Software
or customization of third party Software developed by
SERVICEWARE and provided to Licensee hereunder, will properly
(a) record, store, process, calculate or present calendar
dates falling on and after (and if applicable, spans of time
including) January 1, 2000 as a result of the occurrence, or
use of data consisting of, such dates, and (b) calculate any
information dependent on or relating to dates on or after
January 1, 2000 in the same manner, and with the same
functionality, data integrity and performance, as such
Product(s), records, stores, processes, calculates and
presents calendar dates on or before December 31, 1999, or
information dependent on or related to such dates.
7.5 WARRANTY OF TITLE. SERVICEWARE represents that it has all
right, title, and interest in the Product(s) and the
Documentation and that its execution of this Agreement does
not violate any contract it is presently a party to nor does
it violate the rights or interests of any third party.
7.6 PERFORMANCE. SERVICEWARE represents to Licensee that the
Software as delivered by SERVICEWARE to Licensee shall perform
in all material respects in accordance with the Documentation
for a period of ninety (90) days from the date the Product(s)
is used in the production environment.
7.6.1 ServiceWare represents to Licensee that the
Unix/Solaris version of the Software shall perform in
all material respects.
7.6.2 ServiceWare represents that the Software is suitable
for use in an environment with approximately 14,000
active users with an average response time of under
five seconds during peak workload provided that
Licensee uses the appropriate hardware as mutually
agreed as outlined in RFP DV92401.
7.7 AUTHORITY. SERVICEWARE represents that it has the requisite
corporate authority to enter into this Agreement and to grant
the license hereunder, and that there are no outstanding
assignments, grants, licenses, encumbrances, obligations or
agreements of SERVICEWARE which would prevent SERVICEWARE from
performing under the terms of this Agreement.
7.8 EXCEPT AS OTHERWISE SET FORTH IN THIS AGREEMENT, SERVICEWARE
MAKES NO REPRESENTATION OR WARRANTY, AND HEREBY DISCLAIMS ANY
OTHER REPRESENTATION OR WARRANTY, EXPRESS OR IMPLIED, ARISING
BY LAW OR OTHERWISE, WITH REGARD TO THE PRODUCT(S)
DOCUMENTATION OR OTHER ITEMS OR SERVICES FURNISHED UNDER THIS
AGREEMENT, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
9
ENTERPRISE AGREEMENT
Effective December 13, 2001
A PARTICULAR PURPOSE, OR ANY IMPLIED WARRANTY ARISING FROM THE
COURSE OF PERFORMANCE, COURSE OF DEALING OR USAGE OF TRADE, OR
ANY CLAIM OF OR IN THE NATURE OF INFRINGEMENT.
SECTION 8: LIMITATIONS OF LIABILITY
8.1 LIMITATION OF LIABILITY. EXCEPT AS STATED HEREIN, NEITHER
PARTY SHALL BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT
AND/OR CONSEQUENTIAL DAMAGES OF ANY KIND, RESULTING FROM
EITHER PARTY'S PERFORMANCE OR FAILURE TO PERFORM PURSUANT TO
THE TERMS OF THIS AGREEMENT OR ANY OF THE ATTACHMENTS OR
EXHIBITS HERETO, OR RESULTING FROM THE FURNISHING, PERFORMANCE
OR USE OR LOSS OF ANY LICENSED PRODUCTS OR OTHER MATERIALS
DELIVERED TO LICENSEE THEREUNDER, INCLUDING WITHOUT LIMITATION
ANY INTERRUPTION OF BUSINESS, WHETHER RESULTING FROM BREACH OF
CONTRACT OR BREACH OF WARRANTY, EVEN IF THE PARTIES HERETO
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT
BREACHES OF SECTION 9 AND 10, IN NO EVENT WILL EITHER PARTY'S
LIABILITY ARISING UNDER OR RELATED TO THIS AGREEMENT EXCEED
THE FEES PAID BY LICENSEE HEREUNDER.
8.2 LIMITS OF LIMITATION OF LIABILITY. Notwithstanding anything
set forth in this Agreement, no limitation of liability or
exculpation of either party hereto shall apply to:
(a) losses by the other party (or any of its affiliates)
that arise in connection with any infringement or
misappropriation of the other party's (or any of its
affiliate's) intellectual property by the party to be
exculpated (or any of its affiliates);
(b) any liability, loss or claim arising out of or
related to any claim of infringement of any
copyright, trade secret or other proprietary right of
a third party.
8.3 BREACH OF WARRANTY. EXCEPT AS PROVIDED IN SECTION, 6.5, 6.7
AND 10.2, IN THE EVENT OF ANY BREACH OF WARRANTY OR THE
FAILURE OF THE PRODUCT(S) TO PERFORM IN CONFORMITY WITH THE
DOCUMENTATION, LICENSEE'S SOLE REMEDY SHALL BE FOR SERVICEWARE
TO PROVIDE, IN SERVICEWARE's SOLE DISCRETION, BUG FIXES,
CORRECTED DOCUMENTATION AND/OR NEW PRODUCT(S) RELEASES AS
DEFINED IN THE MAINTENANCE AND SUPPORT SECTION OF THIS
AGREEMENT. IN NO EVENT SHALL SERVICEWARE BE LIABLE
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
10
ENTERPRISE AGREEMENT
Effective December 13, 2001
TO THE LICENSEE, ITS SUCCESSORS AND/OR ASSIGNS FOR SPECIAL,
COLLATERAL, EXEMPLARY, INDIRECT, INCIDENTAL OR CONSEQUENTIAL
DAMAGES AS A RESULT OF BREACH OF ANY OF THE PROVISIONS OF THIS
AGREEMENT EVEN IF SERVICEWARE HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
SECTION 9: NON-DISCLOSURE
If either party receives from the other party information which due to
the nature of such information is reasonably understood to be Confidential
and/or Proprietary, the receiving party agrees that it shall not use or disclose
such information except in the performance of this Agreement, and further agrees
to exercise the same degree of care it uses to protect its own information of
like importance, but in no event less than reasonable care. "Confidential
Information" shall include all nonpublic information. Confidential Information
includes, without limitation, financial, marketing, research and development,
organizational, technical, merger or acquisition, and other information related
to the other party, information relating to released or unreleased software or
hardware products, source code, technical proprietary information, the marketing
or promotion of either party's product, a party's business policies or
practices, and information received from third parties that a party is obligated
to treat as confidential. Confidential Information includes not only written
information but also information transferred orally, visually, electronically,
or by other means. Confidential Information disclosed to either party by any
subsidiary and/or agent of the other party is covered by this Agreement. The
foregoing obligations of non-use and nondisclosure shall not apply to any
information that (i) has been disclosed in publicly available sources; (ii) is,
through no fault of the party receiving the information hereafter disclosed in a
publicly available source; (iii) is in rightful possession of the party
receiving the information without an obligation of confidentiality; (iv) is
required to be disclosed by operation of law so long as the disclosing party is
given prompt written notice prior to such disclosure; or (v) is independently
developed by the receiving party without reference to information disclosed by
the other party hereunder. Both parties warrant that any information disclosed
to the other will not contain any trade secrets of any third party, unless
disclosure is permitted by such third party. This Section 9 shall survive the
expiration or termination of this Agreement. In the event that either party is
required by law, regulation or court order to disclose any Confidential
Information of the other, the disclosing party shall promptly notify the other
in writing prior to making such disclosure in order to facilitate that party to
seek a protective order or other appropriate remedy from the proper authority.
Both parties agrees to cooperate with the other in seeking such court order or
other remedy, and further agrees that if a court order or other remedy is not
successfully obtained it will furnish only that portion of the other party's
Confidential Information that is legally required and will exercise all
reasonable efforts to obtain reliable assurances that confidential treatment
will be accorded the Confidential Information.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
11
ENTERPRISE AGREEMENT
Effective December 13, 2001
SECTION 10: REMEDIES
10.1 PERFORMANCE REMEDY. If any Product(s) fails to comply with the
warranties set forth in Sections 7.1 and 7.6 and Licensee
provides written notice of the same to SERVICEWARE within the
warranty period, then SERVICEWARE will either repair or, at
its option, replace any non-conforming media or Software. The
warranties in Section 7 shall automatically xxxxx to the
extent that the Product(s) has been damaged, abused, modified,
or combined with other software by persons other than
SERVICEWARE's authorized employees or representatives, or
other than at SERVICEWARE's express direction or, to the
extent that the Product(s) fails to perform due to bugs caused
by defects, problems or failures of hardware or software not
provided by SERVICEWARE or by the negligence of Licensee or an
Authorized User.
10.2 INFRINGEMENT REMEDY. SERVICEWARE shall defend and indemnify
Licensee against any proceeding based upon any failure to
satisfy the warranty set forth in Section 7.2, provided that
(a) Licensee shall notify SERVICEWARE in writing of any
claim of infringement promptly after it has been
made,
(b) Licensee shall provide such assistance in defense of
the proceeding as SERVICEWARE may reasonably request,
at SERVICEWARE's reasonable expense, and
(c) Licensee shall comply with any settlement or court
order made in connection with the proceeding. In the
event that use of the Product(s) becomes, or in
SERVICEWARE's reasonable opinion is likely to become,
the subject of a claim of infringement of any
intellectual property right of any third party,
SERVICEWARE shall have the right to:
(a) procure the continuing right of Licensee to
use the Product(s); replace or modify the
Product(s) in a functionally equivalent
manner so that it no longer infringes; or
(b) terminate the License and refund to Licensee
an amount equal to the license fee paid by
Licensee. SERVICEWARE shall have no
liability or obligation under this Agreement
or otherwise to Licensee or any other
indemnities or anyone claiming through or on
behalf of Licensee or any indemnities for
any patent, copyright, trade secret or other
intellectual property right infringement or
misappropriation or any claim thereof based
upon (i) compliance with one or more
designs, SOWs or specifications of or any
program loaded by Licensee or an
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
12
ENTERPRISE AGREEMENT
Effective December 13, 2001
Authorized User, (ii) use of a altered
release of the Software if such infringement
would have been avoided by use of a current
release, (iii) the combination or use of the
Product(s) with software, hardware or other
materials not furnished by SERVICEWARE if
such infringement would have been avoided by
use of the Product(s) alone,
(c) use of any aspect of the Product(s) in an
application or environment for which it was
not designed or contemplated,
(d) any claim of infringement of an intellectual
property right in which Licensee or an
Authorized User or an affiliate thereof has
an interest or license. The foregoing states
the entire liability of SERVICEWARE with
respect to infringement or misappropriation
of patent, copyright, trade secret or other
intellectual property rights or by the
performance, operation or use of the
Product(s) and is (are) in lieu of (and
SERVICEWARE hereby disclaims) any other
warranty, express or implied, as to any such
infringement or misappropriation.
SECTION 11: TERM AND TERMINATION
11.1 TERM. The term of the license(s) granted to Licensee under
Section 2 shall commence upon delivery of the Software and of
payment in full for such licenses and the term for Maintenance
shall commence in accordance with Section 6 and each shall
continue unless this Agreement shall be terminated in
accordance with Section 11.
11.2 Termination.
11.2.1 Termination by Licensee. Licensee may terminate this
Agreement at any time after installation of Software
by: (a) removing and returning all copies of the
Software and Documentation then in its possession to
SERVICEWARE or destroying all copies of the Software
and Documentation in whatever form then in its
possession; and (b) certifying in writing to
SERVICEWARE that all of such copies have been
returned or destroyed.
11.2.2 Termination for Breach. This Agreement may be
terminated if either party materially breaches the
terms of this Agreement and, if said breach is
curable, the party having so breached the Agreement
fails to begin good faith efforts to cure the breach
within thirty (30) days of written notification by
the other party that the breach has occurred. Such
written notice will specify the default and state the
intention to terminate if the default is not cured.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
13
ENTERPRISE AGREEMENT
Effective December 13, 2001
11.3 POST-TERMINATION OBLIGATION. In the event of termination or
expiration of this Agreement, (i) all indemnification and
confidentiality obligations shall survive, (ii) all
Licensee's rights to use the Product(s) shall cease, and
Licensee shall have no further rights hereunder to Updates,
Modification or any notices with respect to any Product(s),
and (iii) SERVICEWARE shall no longer have any obligation to
provide Licensee with technical support services. Following
termination of this Agreement, however arising, Licensee
shall destroy all copies of the Product(s) within fifteen
(15) days of such termination, and all copies of Product
Documentation within fifteen (15) days of such termination,
including any modified, partial or merged versions, and
immediately thereafter provide SERVICEWARE with a written
certification signed by an authorized representative of
Licensee certifying that all copies of the Software have been
destroyed and all use of the Product(s) has been
discontinued.
SECTION 12: COMPLIANCE WITH LAW
Licensee shall comply with all applicable laws and regulations in the
use of the Product(s). Without limiting the generality of the foregoing,
Licensee shall not export or re-export, directly or indirectly, any Product(s)
in violation of any applicable export control laws and regulation and shall
promptly provide SERVICEWARE with any "letter of assurance" required by
SERVICEWARE pursuant to such laws and regulations.
SECTION 13: PROTECTION AGAINST UNAUTHORIZED USE
Licensee shall promptly notify SERVICEWARE of any unauthorized use of
any Product(s) of which Licensee becomes aware. In the event of any unauthorized
use by any user (or by any employee, agent, representative or contractor of
Licensee or of any user), Licensee shall use its commercially reasonable best
efforts to immediately terminate and prevent further occurrences of such
unauthorized use. In the event that Licensee commences any legal proceeding in
connection with such unauthorized use, SERVICEWARE may, at its option and
expense, participate in any such proceeding. In such event, Licensee and
SERVICEWARE shall each provide the other with such authority, information and
assistance related to such proceeding as may be reasonably necessary to
safeguard SERVICEWARE's interests and Licensee's rights under this Agreement.
SECTION 14: MISCELLANEOUS
14.1 If any provision of this Agreement is declared or found to be
invalid, illegal, unenforceable or void, then both parties
shall be relieved of all obligations arising under such
provision, but only to the extent that such provision is
invalid, illegal, unenforceable or void, it being the intent
and agreement of the parties that this Agreement shall be
deemed amended by modifying such provision to the extent
necessary to make it valid, legal and enforceable while
preserving its intent or, if that is not possible, by
substituting therefor another provision that is valid, legal
and
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
14
ENTERPRISE AGREEMENT
Effective December 13, 2001
enforceable and achieves the same objective. Each party agrees
that it will perform its obligations hereunder in accordance
with all applicable laws, rules and regulations now or
hereafter in effect.
14.2 Headings are for reference purposes only.
14.3 Any notices required or permitted to be sent hereunder shall
be served personally or by registered or certified or
electronic mail, return receipt requested, reputable overnight
delivery services such as Federal Express, Airborne Express or
DHL, or by facsimile with confirmation of receipt, to the
addresses listed above.
14.4 This Agreement shall be interpreted and construed in
accordance with the Copyright laws of the United States and
the internal law of State of Georgia, without regard to the
conflicts of law principles thereof, and any action brought in
relation to this Agreement shall be brought in a Federal or
state court. This Agreement may not be modified or altered
except by a written instrument executed by both parties. The
failure of either party to exercise in any respect any right
provided for herein shall not be deemed a waiver of any
rights. This Agreement constitutes the entire agreement
between the parties with respect to the subject matter hereof
and supersedes and all prior proposals, understandings and all
other agreements, oral and written between the parties
relating to such subject matter.
14.5 The contract documents are personal to the Parties and neither
the Contract Documents nor any of the rights or duties under
them may be assigned or otherwise transferred by either Party
without the other Party's prior written consent, subject to
the following exceptions: (a) a Party shall be permitted to
assign to any person or entity acquiring greater than 30% of
the assets or voting securities of the assigning Party if the
assignee assumes the assigning Party's obligations under the
Contract Documents and gives the other Party written notice of
that assignment.
14.6 ServiceWare will issue to Licensee a press release for
Cingular Wireless Public Relations review and approval prior
to release.
14.7 Unless otherwise agreed to, any preprinted terms set forth on
the reverse side of a Licensee purchase order shall be
considered null and void and of no effect. Unless specifically
provided otherwise in the purchase order or SOW, in the event
of any conflict between the terms of this Agreement and the
terms set forth in a purchase order or SOW, the terms of this
Agreement shall govern.
14.8 This Agreement may be executed in two or more counterparts,
each of which shall be deemed an original, but all of which
taken together shall constitute one and the same instrument.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
15
ENTERPRISE AGREEMENT
Effective December 13, 2001
IN WITNESS WHEREOF, the parties, by their duly authorized
representatives, hereto have executed this Agreement as of the day and year
noted below.
SERVICEWARE TECHNOLOGIES, INC. CINGULAR WIRELESS LLC
By: /s/ Xxxx Xxxxxxxxx By: /s/ Xxxxx Xxxxxxx
------------------------------------ ---------------------------
Name: Xxxx Xxxxxxxxx Name: Xxxxx Xxxxxxx
----------------------------------------- ------------------------
Title: General Counsel /Asst. Corporate Secretary Title SVP Customer Service
------------------------------------------ -----------------------
Date: 12-14-01 Date: 12-12-01
------------------------------------------- ----------------------
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
16
PRICING SCHEDULE
Exhibit A
EXHIBIT A
Schedule No. 001
----------------
This Schedule, dated as of November 16, 2001, is issued pursuant to,
and incorporates herein, the Software License and Maintenance Agreement dated as
of November 14, 2001 ("Agreement"), by and between ServiceWare Technologies,
Inc. ("Licensor" or "SERVICEWARE") and Cingular Wireless LLC ("Licensee"), and
Licensee's Authorized Users. Any capitalized term herein shall have the meaning
ascribed to it in the Agreement.
LICENSED SITE(S): SHIP TO: XXXX TO:
All Cingular Authorized User locations Cingular Wireless LLC Cingular Wireless Accts.Payable
Xxxxxx Xxxxxxxx 0000 Xxxxxxxxx Xxxx, Xxxxx 000
5565 Glenridge Connector 000 Xxxxxxxxx Xxxx Xxxxxx
Xxxxx 0000 Xxxxxxx, XX00000
Xxxxxxx, XX 00000 (000) 000-0000
(000) 000-0000
ENTERPRISE LICENSED PRODUCTS LICENSE FEE
---------------------------- -----------
Enterprise Product License (including first
year of annual maintenance and 135 days of
professional services*) $3,375,000
==========
-------------------------------------------------------------------------------
TOTAL LICENSED PRODUCT(S) $3,375,000*
===========
-------------------------------------------------------------------------------
*PLUS REASONABLE OUT-OF-POCKET EXPENSES
PROFESSIONAL SERVICES SERVICES FEE
--------------------- ------------
All subsequent professional services $1,600/day*
*PLUS REASONABLE OUT-OF-POCKET EXPENSES
MAINTENANCE
ANNUAL MAINTENANCE LICENSE FEE RATE ANNUAL MAINTENANCE FEE
------------------ ----------- ---- ----------------------
All subsequent years of annual
maintenance $3,050,000 14% $427,000
========= == =======
ADDITIONAL TERMS AND CONDITIONS: Notwithstanding anything to the contrary
elsewhere in the Agreement, the terms herein shall prevail.
On behalf of Cingular Wireless, all rights are reserved.
SERVICEWARE TECHNOLOGIES, INC. CINGULAR WIRELESS LLC
By: /s/Xxxx Xxxxxxxxx By: /s/ Xxxxx Xxxxxxx
------------------------------------ ------------------------
Name: Xxxx Xxxxxxxxx Name: Xxxxx Xxxxxxx
----------------------------- -------------------
Title: General Counsel /Asst. Corporate Secretary Title SVP Customer Service
------------------------------------------ ---------------------
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
17
PRICING SCHEDULE
Exhibit A
Date: 12-14-01 Date: 12-12-01
------------------------------------------- ---------------------
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
18
ESCROW AGREEMENT
Exhibit B
EXHIBIT B
FORM OF SOFTWARE ESCROW AGREEMENT
THIS ESCROW AGREEMENT, effective 2001, (the "Escrow Agreement"), is among
Cingular Wireless LLC ("CINGULAR"), and ServiceWare Technologies Inc.
("Supplier") and __________________________ ("Escrow Agent").
Pursuant to that certain Software License and Maintenance Agreement ("the
Agreement"), the parties agree as follows:
1. Supplier agrees to keep current copies of the source code and other
materials for the Supplier Licensed Software ("Deposit Materials")
described in ATTACHMENT 1, attached hereto and made a part hereof,
(herein referred to as the "Software") in escrow with Escrow Agent
during the license term of such Software in accordance with the
provisions of the Agreement and this Escrow Agreement.
2. CINGULAR and Supplier shall share equally all costs of providing and
maintaining the Deposit Materials in escrow, including the fees of
Escrow Agent. The copy of the Deposit Materials provided to CINGULAR
placed in escrow shall be reproduced and maintained on magnetic tape
compatible with workstations and the Systems on which the Software will
operate and shall be accompanied by full documentation therefor. When a
new release or substantial change to the current release of the
Software is issued by or on behalf of Supplier during the term of the
Escrow Agreement, the revised Deposit Materials, including the change,
shall be delivered to the Escrow Agent as soon as practicable after the
change is effected by or on behalf of Supplier. Copies of the revised
Deposit Materials and the Deposit Materials prior to the then latest
revision, shall be maintained in escrow as provided herein.
3. Escrow Agent shall release the Deposit Materials to CINGULAR under the
following conditions (a "Release Condition"):
a. Supplier's failure to cure a Material breach under and within
the timeframes specified in the Agreement, or applicable Work
Order; or
b. Except as limited below, existence of any one or more of the
following circumstances, uncorrected for more than sixty (60)
days: entry of an order for relief under Title 11 of the
Federal Bankruptcy Code; the making by Supplier of a general
assignment for the benefit of creditors; the appointment of a
general receiver or trustee in bankruptcy of Supplier's
business or property; or action by Supplier under any state
insolvency or similar law for the purpose of its bankruptcy,
reorganization, or liquidation. Notwithstanding the foregoing,
the occurrence of the described events will not trigger
release of the Deposit Materials if, within the specified
sixty (60) day period, Supplier provides to CINGULAR adequate
assurances, reasonably acceptable
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
19
ESCROW AGREEMENT
Exhibit B
to CINGULAR, of its continued ability and willingness to
fulfill all of its maintenance and support obligations.
If CINGULAR believes in good faith that a Release Condition
has occurred, CINGULAR may provide to Escrow Agent written
notice of the occurrence of the Release Condition and a
request for the release of the Deposit Materials ("REQUEST FOR
RELEASE"). Such Request for Release shall be accompanied by an
affidavit (the "AFFIDAVIT") signed by CINGULAR attesting:
1. To a full description of the Release Condition; and
2. That the Deposit Materials shall continue to be the
sole property of Supplier and shall be subject to the
confidentiality provisions of the Agreement; and
3. That the Deposit Materials shall be used solely for
CINGULAR's support and maintenance, modification or
correction of the Supplier Licensed Software licensed
by Supplier to CINGULAR, including the creation of
derivative works in order to provide CINGULAR the
benefits intended under the Agreement or Work Order
(but not for purposes of sublicensing); and
4. That a copy of the Request for Release and said
Affidavit have been provided to Supplier.
Within three (3) business days of receipt of a Request for
Release, Escrow Agent shall provide a copy of the Request for
Release and the Affidavit to Supplier, by certified mail,
return receipt requested, or by commercial express mail.
From the date Escrow Agent mails the notice requesting release
of the Deposit Materials, Supplier shall have ten (10)
business days to deliver to Escrow Agent contrary
instructions. "CONTRARY INSTRUCTIONS" shall mean the written
representation by Supplier that a Release Condition has not
occurred or has been cured. Upon receipt of Contrary
Instructions, Escrow Agent shall send a copy to CINGULAR by
certified mail, return receipt requested, or by commercial
express mail. Additionally, Escrow Agent shall notify both
CINGULAR and Supplier that there is a dispute to be resolved
pursuant to the Dispute Resolution section of the Agreement.
Escrow Agent will continue to store the Deposit Materials
without release pending the first to occur of: (a) joint
instructions from Supplier and CINGULAR; (b) resolution
pursuant to the Dispute Resolution provisions; or (c) order of
a court.
If Escrow Agent does not receive Contrary Instructions from
Supplier, Escrow Agent is authorized to release the Deposit
Materials to CINGULAR
4. Escrow Agent shall be responsible to perform its obligations under this
Agreement and to act in a reasonable and prudent manner with regard to
this Escrow Agreement. Provided Escrow Agent has acted in the manner
stated in the preceding sentence, the party on whose
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
20
ESCROW AGREEMENT
Exhibit B
behalf, or pursuant to whose direction Escrow Agent acts, shall
indemnify, defend and hold harmless Escrow Agent from any and all
claims, actions, damages, arbitration fees and expenses, costs,
attorney's fees and other liabilities incurred by Escrow Agent relating
in any way to this Escrow Agreement. Absent any such direction,
Supplier and CINGULAR shall jointly and severally indemnify and hold
harmless Escrow Agent from any and all claims, actions, damages,
arbitration fees and expenses, costs, attorney's fees and other
liabilities incurred by Escrow Agent relating in any way to this Escrow
Agreement, except for any Liability, costs or expenses that may be
sustained or incurred by the gross negligence or willful misconduct on
the part of Escrow Agent, its employees or agents.
5. Any dispute relating to or arising from this Escrow Agreement shall be
resolved by arbitration under the Commercial Rules of the American
Arbitration Association. Any court having jurisdiction over the matter
may enter judgment on the award of the arbitrator(s). Service of a
petition to confirm the arbitration award may be made by First Class
mail or by commercial express mail, to the attorney for the party or,
if unrepresented, to the party at the last known business address.
6. In the event of the nonpayment of fees owed to Escrow Agent, Escrow
Agent shall provide written notice of delinquency to the parties to
this Agreement affected by such delinquency. Any such party shall have
the right to make the payment to Escrow Agent to cure the default. If
the past due payment is not received in full by Escrow Agent within one
(1) month of the date of such notice, then at any time thereafter
Escrow Agent shall have the right to terminate this Agreement to the
extent it relates to the delinquent party by sending written notice of
termination to such affected parties. Escrow Agent shall have no
obligation to take any action under this Agreement so long as any
payment due to Escrow Agent remains unpaid.
7. Upon termination of this Agreement by joint instruction of Supplier and
CINGULAR, Escrow Agent shall destroy, return, or otherwise deliver the
Deposit Materials in accordance with such instructions. Upon
termination for nonpayment, Escrow Agent may, at its sole discretion,
destroy the Deposit Materials or return them to Supplier. Escrow Agent
shall have no obligation to return or destroy the Deposit Materials if
the Deposit Materials are subject to another escrow agreement with
Escrow Agent.
8. All notices, invoices, payments, deposits and other documents and
communications shall be given to the parties specified this Agreement.
It shall be the responsibility of the parties to notify each other as
provided in this Section in the even of a change of address. The
parties shall have the right to rely on the last known address of the
other parties. Unless other wise provided in this Agreement, all
documents and communications may be delivered by First Class mail.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
21
ESCROW AGREEMENT
Exhibit B
IN WITNESS WHEREOF, the foregoing Agreement has been executed by authorized
representatives of the parties hereto, in duplicate, as of the date first set
forth above.
SERVICEWARE TECHNOLOGIES INC. CINGULAR WIRELESS LLC.
By: By:
----------------------------------- ------------------------------
-------------------------------------- ---------------------------------
Print Name Print Name
Title: Title:
-------------------------------- ---------------------------
Date Signed: Date Signed:
-------------------------- ---------------------
--------------------------------------
(ESCROW AGENT)
By:
----------------------------------
--------------------------------------
Print Name
Title:
--------------------------------
Date Signed:
--------------------------
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
22
SUPPORT SERVICES
Exhibit C
EXHIBIT C
SERVICEWARE SUPPORT SERVICES STANDARD POLICIES AND PROCEDURES (REV. 3-7-00)
OBJECTIVE: Provide timely support for the installation and usage of a standard
configuration for ServiceWare's product line in response to Authorized User
requests.
HOURS OF OPERATION
Support Services is staffed from 8:00 a.m. to 9:00 p.m. Eastern Standard Time,
Monday through Friday, excluding Company Holidays. In the event Licensee
contacts support via the phone during non-business hours a technical support
analyst will be paged . The analyst will contact Licensee and will attempt to
resolve Severity 1 & 2 issues or escalate as appropriate. Issues with Severity 3
or 4 will be addressed the next business day.
METHODS OF COMMUNICATION TO SUPPORT SERVICES
---------------------------------------------------------------------------------------------------------------------
METHOD CONTACT INFORMATION AVAILABILITY WHEN TO USE
---------------------------------------------------------------------------------------------------------------------
Phone 000-000-0000, ext. 431 Standard Business Hours* All incidents
---------------------------------------------------------------------------------------------------------------------
E-mail xxxxxxx@xxxxxxxxxxx.xxx Messages can be sent 24X7, Recommended for less
but will be addressed time critical incidents
within the first 3 Standard or as a means of
Business Hours* of receipt communication to Support
---------------------------------------------------------------------------------------------------------------------
Fax 000-000-0000 Faxes can be sent 24X7, but Recommended for less
will be addressed within time critical incidents
the first 3 Standard
Business Hours* of receipt
---------------------------------------------------------------------------------------------------------------------
Self-Support web site xxx.xxxxxxxxxxx.xxx The knowledge base is Recommended as your
available 24X7. Feedback first method for
Available only to Designated and Escalations will be solving issues
Contacts addressed within 3 Standard
Business Hours* of receipt
(See Customer Responsibilities
on the following page)
---------------------------------------------------------------------------------------------------------------------
*STANDARD BUSINESS HOURS: 8:00 a.m. to 9:00 p.m. Eastern Standard Time, Monday
through Friday, excluding Company Holidays.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
23
SUPPORT SERVICES
Exhibit C
PRIORITIZING INCIDENTS
To help us handle calls efficiently, the Support Services group will jointly
determine the severity of the incident reported with the Licensee and assign a
severity level to each case based on the descriptions below. The severity level
relates to the impact of the incident on the Licensee's ability to use the
product.
SEVERITY LEVELS
SEVERITY 1: SEVERE/SYSTEM CRASH:
The production system is completely down. There is no workaround for the
problem, and there is a high sense of urgency for solving the problem. The
Licensee will receive a call from Support within 15 minutes of the call being
received during normal business hours. Licensees who cannot get through the
Support line are encouraged to ask the SERVICEWARE operator to page a member of
the Support Services team.
SEVERITY 2: MAJOR CORRUPTION/DEGRADATION:
The incident severely restricts the usability of the application in a production
environment, but the application itself is running. There is no workaround
available and there is a high sense of urgency for solving the problem. The
Licensee will receive a call from Support within 30 minutes of receiving the
call or incident during normal business hours.
SEVERITY 3: MODERATE/WORKAROUND AVAILABLE:
The product is up and running, but there is a moderate impact on the usability
of the application. There is a workaround available. The Licensee will receive
contact from Support within 1 hour of the incident being received during normal
business hours.
SEVERITY 4: MINOR FLAW/COSMETIC:
The product is running with a minor flaw. There is a workaround for the problem
and the usability of the application is not effected. The Licensee will receive
contact from Support within 12 hours of the incident being received during
normal business hours.
SEVERITY 5: ENHANCEMENT OR INQUIRY
The customer has a suggestion for an enhancement or a question about the
product. There is little or no impact on the Licensee's normal business
operations. The Licensee will receive contact from Support within 1 business day
of the incident being received.
Notwithstanding anything to the contrary regarding service responsibilities of
ServiceWare in this Agreement, if ServiceWare is responsible for severity events
leading to complete loss of service to Licensee, then ServiceWare, at no cost to
Licensee, will provide onsite staff for the duration of time in order to resolve
and restore normal service to Licensee. ServiceWare shall not be responsible for
such no-cost restoration if severity events causing complete downtime of service
of Licensee which are outside the control of ServiceWare.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
24
SUPPORT SERVICES
Exhibit C
ESCALATION PROCEDURE
ESCALATION CHART DURING STANDARD BUSINESS HOURS
----------------------------------------------------------------------------------------------------------------
Severity Level Recipient Response Time Escalation Time Escalate to
----------------------------------------------------------------------------------------------------------------
Severity 1 - First Level - 15 minutes - 30 minutes - Second Level, Support
Services Director
- Second Level
- 3 hours - Engineering
- Engineering
- 24 hours - Executive Management
----------------------------------------------------------------------------------------------------------------
Severity 2 - First Level - 30 minutes - 30 minutes - Second Level
- Second Level - 6 hours - Engineering
- Engineering - 48 hours - Executive Management
----------------------------------------------------------------------------------------------------------------
Severity 3 - First Level - 60 minutes - 1 hour - Second Level
- Second Level - 48 hours - Engineering
- Engineering - 72 hours - Support Services Director
----------------------------------------------------------------------------------------------------------------
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
25
SUPPORT SERVICES
Exhibit C
----------------------------------------------------------------------------------------------------------------
Severity 4 - First Level - 12 hours - 24 hours - Second Level
- Second Level - 48 hours - Support Services Director
----------------------------------------------------------------------------------------------------------------
Severity 5 No escalation
required - 24 hours
----------------------------------------------------------------------------------------------------------------
CUSTOMER RESPONSIBILITIES
- During implementation, Licensee will assign no more than two points of
contact per site to be the Designated Contacts. These Designated
Contacts will be provided user names and passwords by the SERVICEWARE
Support Services organization.
- The Licensee will make appropriate resources available for problem
diagnosis and resolution.
PRIVATE / PROPRIETARY / LOCK
Contains private and/or proprietary information. May not be used or disclosed
outside Cingular Wireless LLC, ServiceWare or their affiliated or
subsidiary Companies except pursuant to a separate written agreement.
26
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
NOTICE
For the purpose of this document, the term "Contractor" referred to herein shall
mean contracted individual. The term "Supplier's Employees and Subcontractors"
referred to herein shall mean supplier's employees, subcontractors, agents or
representatives. The term "Supplier" referred to herein shall mean the provider
of goods and/or services pursuant to a written contractual agreement with
Cingular Wireless.
Liability to anyone arising out of use or reliance upon any information set
forth herein is expressly disclaimed, and no representations or warranties,
express or implied, are made with respect to the accuracy or utility of any
information set forth herein.
This document is not to be construed as a suggestion to any manufacturer to
modify or change any of its products or services, nor does this document
represent any commitment by Cingular Wireless to purchase any product or service
whether or not it provides the described characteristics.
Nothing contained herein shall be construed as conferring by implication,
estoppel or otherwise, any license or right under any patent, whether or not the
use of any information herein necessarily employs an invention of any existing
or later issued patent.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 27
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
TABLE OF CONTENTS
1. Introduction
1.1 General
1.2 Scope
1.3 Reason for Issuance
1.4 Enforcement
1.5 Accountability
1.6 Remedies
2. Glossary
3. Contractor and Supplier
Responsibilities
3.1 General
3.2 Request for Waiver
3.3 Waiver Submission and Approval
3.4 Absence of Waiver
4. Contractor and Supplier Requirements
4.1 General
4.2 Operability
5. System and Software Security Feature
Requirements
5.1 General
5.2 Identification
5.3 Authentication
5.4 Access Control
5.5 Network Connections
5.6 Confidentiality
5.7 Data and System Integrity
5.8 Service Availability
5.9 Accountability
6. Use of Root or Administrator Level Access
6.1 General
6.2 Execution and Operation Requiring
Root or Administrator Level Access
7. System Administration
7.1 General
8. Access by Contractor and Supplier's
Employees and Subcontractors
8.1 Logical Access Requirements
9. Software Integrity
9.1 General
10. Warranty for Year 2000 Issues
10.1 Contract Warranty
1. Introduction
1.1 GENERAL - The information in this document is subject to review and
modification. Accordingly, this document may be subject to change at
any time. Future issues of this document and/or Cingular Wireless's
internal security requirements may differ extensively in content,
substance and format. In the event that this document is modified,
Cingular Wireless shall provide written notification to Contractor or
Supplier along with a copy of the modified document. Upon reaching
mutual agreement between the parties, the new document shall control.
If no agreement is reached between the parties, then this document
shall continue to be in full force and effect.
Cingular Wireless reserves the right to select and utilize any
Contractor, Supplier or any of Supplier's Employees or Subcontractors
based on its own internal criteria at any time, under any
circumstances, whether or not the requirements in this document are
met.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 28
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
Cingular Wireless does not recommend computer-related products or
services and nothing contained herein is intended nor should it be
construed as a recommendation of any product or service to anyone.
Further, Contractors or Suppliers are not to relate their products,
goods, services, etc., to these guidelines in order to infer or imply
that such items meet any particular standard of use or utility.
1.2 SCOPE - This standard applies to the purchase from, or development,
maintenance, and/or support of Cingular Wireless's information
resources by, any person who is not an employee of Cingular Wireless.
For the purposes of this document, information resources shall include
but are not limited to, computers, computer peripherals, computer
communications networks, computer systems/applications/software, public
telephone network elements, and their support systems. This includes
the protection of all corporate information stored, processed or
transmitted on these facilities. Product trials and evaluations using
Cingular Wireless information resources shall also be governed by this
document.
-------------------------------------------------------------------
EXCEPTION 1: Mass produced software packages available for general
public use that can be purchased over-the-counter from retail sales
establishments within the immediate community are not subject to
these requirements. However, the security features available in
such products must be evaluated in relation to the functional
environment in which the product may be used in Cingular Wireless.
If this evaluation identifies shortcomings in the product that, if
corrected or eliminated, would enhance security in the Cingular
Wireless functional environment, such changes may be requested of
the owner/developer/seller of the product.
-------------------------------------------------------------------
-------------------------------------------------------------------
EXCEPTION 2: Systems based on micro or personal computers are not
subject to these requirements if the micro-computer or personal
computer based system is being used as a single user, stand-alone
personal computer for general office use, and the PC is not to be
connected to any other computer system, server, or computer
communications network, including a local area network.
-------------------------------------------------------------------
1.3 REASON FOR ISSUANCE - N/A
1.4 ENFORCEMENT - Contractors, Suppliers and Supplier's Employees and
Subcontractors shall protect Cingular Wireless Information Resources in
accordance with the terms and conditions of applicable contractual
agreements between the Contractor or Supplier and Cingular Wireless.
In addition, it is the responsibility of all Contractors, Suppliers and
Supplier's Employees and Subcontractors to comply with federal, state,
and local acts, statutes, and regulations which relate to the control
and authorized use of Cingular Wireless's information and Information
Resources.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 29
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
1.5 ACCOUNTABILITY - Contractors, Suppliers and Supplier's Employees and
Subcontractors shall be held accountable for compliance with the
standards in this practice. System vulnerabilities identified by these
groups and individuals must be reported to the appropriate Cingular
Wireless Corporate Security Team.
1.6 REMEDIES - Violations of Cingular Wireless computer, network, and
information security policies and standards or governmental statutes
may result in remedies up to and including termination of a contractual
agreement or any other rights and remedies that Cingular Wireless may
have in equity and law.
2. GLOSSARY
- Shall - The word "shall" indicates a requirement that is to be
met unless Cingular Wireless Corporate Security Team approves a
waiver or variance.
- Must - The word "must" indicates a requirement that is to be met
unless Cingular Wireless Corporate Security Team approves a
waiver or variance.
- Should - The word "should" indicates a guideline more than a
requirement. Waivers or variances are not required for
noncompliance with guidelines.
3. CONTRACTOR AND SUPPLIER RESPONSIBILITIES
3.1 GENERAL - It is the responsibility of each Contractor and Supplier to
assure Cingular Wireless that its requirements for the security of
corporate Information Resources, and the information stored,
transmitted, and/or processed on these resources, are met.
3.2 REQUEST FOR WAIVER - A prospective Contractor or Supplier who wishes to
provide Cingular Wireless with an Information Resource which is not in
compliance with these standards shall document the deviations in a
written WAIVER request. The waiver request must specify the following:
- Area(s) of non-compliance
- Reason(s) for the non-compliance
- Available alternative(s)
- Reason(s) why an alternative or an omission should be accepted
3.3 WAIVER SUBMISSION AND APPROVAL - Waiver requests shall be submitted
through the appropriate Cingular Wireless purchasing organization or person to
the Corporate Security Team. The Corporate Security Team will either approve the
waiver request, negotiate changes/conditions necessary for approval of the
waiver request, or deny the waiver request
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 30
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
Cingular Wireless Corporate Security Team has the sole responsibility for waiver
and variance approval in Cingular Wireless. Contractors and Suppliers shall
comply with these standards unless a written waiver or variance is issued as
noted above.
Waiver approvals and other related correspondence may be transmitted via
electronic mail or other more formal means of documentation. Approved waivers
will be filed with the Cingular Wireless copy of the Agreement and will be
retained during the retention period for that Agreement.
3.4 ABSENCE OF WAIVER - Contractors and Suppliers are hereby notified that this
Cingular Wireless Corporate Security Technical Reference shall be enforced in
its entirety, and the involved Contractor/Supplier shall be held in breach of
his/her/its agreement with Cingular Wireless for any omission, unless a waiver
is approved, as noted above, for any requirement herein.
4. CONTRACTOR AND SUPPLIER REQUIREMENTS
4.1 GENERAL - Contractors and Suppliers:
- Shall protect Cingular Wireless proprietary information provided
in accordance with this agreement.
- Shall encrypt all Cingular Wireless proprietary information
transmitted over a public network such as the Internet.
- Shall test all system and/or software security features.
- Shall deliver all systems and software with security mechanisms
installed and functioning.
- Shall deliver all systems and software with default passwords
expired except for the password needed to install and initially
boot the system.
- Shall provide documentation on security setup and administration
for system administrators.
- Shall not provide user documentation that may compromise
security.
- Shall provide written documentation to Cingular Wireless
concerning any and all known security flaws.
- Shall provide security flaw remedies or "fixes" to Cingular
Wireless at no additional cost to Cingular Wireless. Such "fixes"
shall be supplied to Cingular Wireless in a timely manner
commensurate with the threat.
- Should have an internal security policy governing its development
of systems and software.
- Should have a change/configuration management system in place.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 31
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
- Should not allow programmers to be custodians of production
software.
4.2 OPERABILITY - Contractor and/or Supplier warrants that information
resource(s) provided under the terms of this agreement shall operate in a manner
satisfactory to Cingular Wireless while all required security controls and
features are installed and functioning.
5. SYSTEM AND SOFTWARE SECURITY FEATURE REQUIREMENTS
5.1 GENERAL - It is the policy of Cingular Wireless to protect its corporate
information resources and the information stored, transmitted, and/or processed
on those resources. When some type of security is necessary in order to meet
this policy, that security shall comply with the following requirements. The
security may be provided by the product itself, an underlying operating system,
a front-end or intermediary security device, or a combination of any of the
above.
5.2 IDENTIFICATION
a. The system shall provide an adequate number of UserIDs. The number of
UserIDs provided shall be large enough to ensure that each person using
the system can have an individual UserID.
b. The system shall provide the capability to individually identify each
person including users, and development, maintenance and support
persons.
c. The system and/or software shall require each person to identify
themselves with their assigned UserID before allowing any actions or
access to be accomplished.
d. There shall be no way to bypass identification mechanisms.
e. The system shall support a UserID containing at least seven characters.
In the character fields, the system must accept any character appearing
in the English language alphabet and any number from 0 to 9.
5.3 AUTHENTICATION
a. Each entered UserID shall be authenticated using a password or other
authentication mechanism associated with that UserID.
------------------------------------------------------------------
NOTE: It is Cingular Wireless's strategic direction to move away
from passwords as primary authentication devices. Cingular Wireless
will negotiate the use of other authentication mechanisms such as
X.509 digital certificates, token based authentication devices,
smart cards or biometric devices. Cingular Wireless Corporate
Security Team shall specify/approve the certification authority for
any and all certificates used for access to Cingular Wireless
networks and systems. Approval shall be obtained through the use of
a waiver as described earlier in this document.
------------------------------------------------------------------
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 32
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
b. There shall be no way to bypass the authentication mechanism and
obtain entry into the system. Any trust relationships shall be
documented by the supplier and submitted to Cingular Wireless for
approval prior to execution of the agreement.
-------------------------------------------------------------------
NOTE: Use of .rhost files, host.equiv, NT shares, NFS, etc.,
frequently result in bypassing authentication.
-------------------------------------------------------------------
c. Authentication mechanisms and/or data shall be protected from
unauthorized access or manipulation.
d. Authentication data, including passwords, shall be one-way encrypted
in a system's database.
e. Passwords stored for use by a system to access external systems,
applications and/or data stores must not be stored in clear text.
f. If passwords are used as the authentication device, the system or
software shall:
1. Not allow anyone other than the owner of the password to know
that password.
2. Enforce password aging at least every sixty (60) days.
3. Prevent reuse of a password for at least six months, three aging
periods, or at least five password changes, whichever is feasible
and longer.
4. Allow the holder of a password to change it at least daily.
5. Not allow any password field to be null or blank.
6 Not display a password on any entry device or associated printer.
7. Require a password to be at least eight characters in length.
8. Allow a password to be at least eight characters in length.
9 Require a password to contain at least one numeric character from
0 to 9.
10. Require a password to contain at least one character from the
English Language alphabet.
11. Support the use of all special and/or punctuation characters
found on a standard U.S. computer keyboard unless restricted by
the operating system.
g. Unless necessary for normal and efficient system operation, and to the
extent possible, all default and/or hidden UserIDs and passwords will be
removed from the system before delivery to Cingular Wireless. Any
remaining default and/or hidden UserIDs or passwords
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 33
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
will be disclosed to Cingular Wireless, in writing, upon delivery.
Such UserIDs and passwords shall be changeable by Cingular Wireless.
h. Where Personal Identification "Numbers" (PINs) are used as part of an
authentication procedure and no other authentication device is
required to be in the possession of the user, the PIN code is
effectively a password, and must be created and aged using the
password requirements above.
i. Passwords or PINs associated with dynamic password devices, e.g.,
token cards, must be expired at least every 120 days.
j. An IP address shall not be used in lieu of a password or other form of
authentication mechanism.
k. System to system, application to application and/or machine to machine
authentication relationships must be evaluated on a specific basis and
meet criteria as established by the Cingular Wireless Corporate
Security Team. A copy of this information will be provided to
developers of such security relationships upon request.
5.4 ACCESS CONTROL
a. Each access shall be controlled by an access control mechanism.
b. The access control mechanism shall be protected from unauthorized
access, modification or destruction.
c. The access control mechanism shall allow or deny access based on an
individual authenticated identification of the UserID entered.
d. There shall be no way to bypass access control mechanisms.
e. There shall be no mode of entry, for any reason, that is not
documented in the system documentation provided to Cingular Wireless.
f. There shall be multiple access control mechanism permission groups.
g. An access control mechanism that allows all persons to access all data
and/or system capabilities is not acceptable to Cingular Wireless. At
a minimum, the access control mechanism shall provide one class of
permissions for those who administer the system and one or more
classes of permissions for those who use the system.
h. The number of access control mechanism permission groups shall be
sufficient to ensure that all persons have access to ONLY the data
and/or system capabilities necessary to accomplish their assigned
jobs.
i. Access control mechanisms shall provide a default of "no capability"
for any ID not defined in the access control mechanism.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 34
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
j A "time-out" feature shall invoke re-authentication after no more than
fifteen minutes of inactivity.
k. The login feature shall abort if the ID and authentication procedure
is incorrectly performed three times.
l. The ability to authorize or revoke access privileges and grant access
to system resources shall be restricted to Cingular Wireless appointed
system administrators.
m. A Cingular Wireless copyright notice is required on the initial entry
page for any system or software developed by or for Cingular Wireless,
or on any system or software for which Cingular Wireless has purchased
the copyright.
n. The following Cingular Wireless proprietary information statement and
no trespassing warning shall be displayed on an initial entry screen
before any logical access is allowed.
-------------------------------------------------------------------------
PRIVATE/PROPRIETARY/LOCK:
NO DISCLOSURE OUTSIDE CINGULAR WIRELESS EXCEPT BY WRITTEN AGREEMENT.
ANY UNAUTHORIZED ACCESS TO, OR MISUSE OF
CINGULAR WIRELESS SYSTEMS OR DATA MAY RESULT IN CIVIL
AND/OR CRIMINAL PROSECUTION, EMPLOYEE DISCIPLINE
UP TO AND INCLUDING DISCHARGE, OR THE TERMINATION
OF VENDOR/SERVICE CONTRACTS.
CINGULAR WIRELESS MAY PERIODICALLY MONITOR
AND/OR AUDIT SYSTEM ACCESS/USAGE
------------------------------------------------------------------------
5.5 NETWORK CONNECTIONS
a. No device shall be connected to a Cingular Wireless network, including
LANs and switching elements, without the knowledge of, and permission
from, the network's administrator.
b. Persons using remote, e.g., in-dial, ISDN, wireless or other public
switched network access shall be individually identified and
authenticated by an independent dedicated access control device such
as a network access controller. The remote authentication process must
utilize a dynamic password, such as a token card. This requirement may
be met independently by the Contractor or Supplier's Employees and
Subcontractors, or by utilization of a Cingular Wireless system or
network access device provided for such purposes.
c. Internet (including VPN), extranet, or other direct network access
arrangements shall be approved by the Cingular Wireless Corporate
Security Team prior to implementation.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 35
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
Approval shall be obtained through the use of a waiver as described
earlier in this document.
d. Remote access connections to Cingular Wireless internal networks are
prohibited unless special arrangements are approved by the Cingular
Wireless Corporate Security Team well in advance of the needed access.
This includes any provision for remote application or system support,
development, and/or other miscellaneous access. Types of remote access
may include but are not limited to direct connections or Internet
based connections. Approval shall be obtained through the use of a
waiver as described earlier in this document.
e. Cingular Wireless's internal IP networks may make use of internal
firewalls to form IP partitions. The supplier shall document the
compatibility of their product with firewalls for IP networks and that
documentation shall be submitted to Cingular Wireless for approval
prior to execution of the Agreement. Examples of incompatibility
include the use of port or socket negotiation for communication, e.g.
rpc's and portmapper.
f. Use of UDP shall be avoided where possible.
g. Any and all traffic traversing a remote access link to a Cingular
Wireless internal network is subject to monitoring at any time and
without advance warning. There shall be no expectation of privacy in
the use of a Cingular Wireless internal network. Cingular Wireless
shall have the right to terminate any remote link if illegal or
improper traffic is observed.
h. Any device connected to a Cingular Wireless internal network shall be
subject to security scans (unless a firewall prevents such scans) and
other security audit procedures. These scans may be conducted without
prior notice. The scans will test the connected platform for security
vulnerabilities and compliance with Cingular Wireless security
standards. It should be noted that the security scanners do test for
denial of service vulnerabilities, may attempt system access and
perform other intrusive activities such as password cracking. Cingular
Wireless expects connected devices to resist such scanning without
affecting service availability. Cingular Wireless further expects
Supplier to correct discovered vulnerabilities.
i. Remote access connections to Cingular Wireless internal networks may
be refused, disconnected or otherwise limited at any time, for any
reason and without warning.
j. Filter and/or firewall policies used to control access to Cingular
Wireless networks shall be under the control of Cingular Wireless
personnel, reside on Cingular Wireless owned equipment and shall use a
default access policy of "fail all".
k. Access to Cingular Wireless networks shall not include access to any
infrastructure services such as DNS, mail systems, domain controllers,
Internet gateways, etc., without prior approval of the Cingular
Wireless Corporate Security Team. Approval shall be obtained through
the use of a waiver as described earlier in this document.
l. External use of network access translation (NAT) for access to
Cingular Wireless internal networks may be permissible but must be
approved in advance by the Cingular Wireless
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 36
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
Corporate Security Team. Approval shall be obtained through the use of
a waiver as described earlier in this document. In general, pooled NAT
and address hiding cannot be supported due to the risks involved.
--------------------------------------------------------------
NOTE: To prevent routing difficulties and for security reasons,
Cingular Wireless does not normally route external IP addresses
(from business partner networks) in its internal networks.
Cingular Wireless does not allow its internal private addresses
advertised outside of its internal networks. Network Address
Translation (NAT) is used to conform with these requirements.
NAT can result in problems with certain services and
applications and may render a service or application unusable.
--------------------------------------------------------------
m. Support for migration of any existing access to new, revised or
alternate accesses or methods of authentication shall be provided upon
request by Cingular Wireless and at no charge to Cingular Wireless.
n. Operators and administrators of systems included in remote access
arrangements as well as other individuals using the access arrangement
shall be in compliance with Paragraph 8, Access by Contractors and
Supplier's Employees and Subcontractors, below.
o. All remote access to Cingular Wireless internal networks shall be
sponsored by Cingular Wireless personnel. All modification requests to
access policies and procedures shall be submitted to the Cingular
Wireless Corporate Security Team through that Cingular Wireless
sponsor.
5.6 CONFIDENTIALITY - When directed by Cingular Wireless, encryption mechanisms
shall be created to protect critical stored or transmitted data. However, no
Cingular Wireless proprietary information, including passwords, shall be sent or
transmitted over the Internet or another public network unless it is encrypted.
5.7 DATA AND SYSTEM INTEGRITY
a. Modifications shall be allowed by authorized entities only.
b. The origin of data should be identified and maintained.
c. Error detection and correction protocols should be used.
5.8 SERVICE AVAILABILITY - The capability shall be provided to back-up or
duplicate system software and data.
5.9 ACCOUNTABILITY
a. An audit mechanism shall provide sufficient information for an
after-the-fact investigation of loss or impropriety.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 37
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
b. The audit mechanism shall provide end-to-end accountability for all
significant events.
c. The audit mechanism shall record who did what, and when it was done.
d. The audit mechanism shall be protected from unauthorized access,
modification or destruction.
e. The audit mechanism shall be capable of recording:
1. Invalid identification and authentication attempts.
2. Valid logins by all users including administrative and
special privileged users.
3. Unauthorized data or transaction access attempts.
4. Creation, modification or deletion of system resources and
data.
5. Action taken by administration or special privileged users.
6 Other security events specified by Cingular Wireless.
f. The audit record shall record the following:
1. Date and time of the event.
2. The ID used.
3. The type of event, i.e., read, update, delete.
4. Name of resources accessed.
5. Success or failure of the event.
g. The audit record shall not contain actual or attempted unencrypted
passwords or other authentication data.
h. The audit mechanism shall be of sufficient size to maintain records for
at least thirty days.
i. The system should have alarm mechanisms that report significant security
threats to system administration.
6. USE OF ROOT OR ADMINISTRATOR LEVEL ACCESS
6.1 GENERAL - Most operating systems have privileged accounts with
unlimited or nearly unlimited access to the resources of any given system. Some
examples of such privileged accounts are:
- On UNIX and UNIX-like systems, any account which maps to a UID or EUID
of zero (0),
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 38
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
- On Novell servers, any account which has privileges equivalent to those
of the user SUPERVISOR , and
- On Microsoft Windows NT and similar systems, any account which has
administrator privileges or authority.
For the purposes of this standard, the use of such privileged accounts will
hereinafter be referred to as using root or administrator access.
6.2 EXECUTION AND OPERATION REQUIRING ROOT OR ADMINISTRATOR LEVEL ACCESS -
While software may require root or administrator level access to the operating
system for installation, controls must be provided to restrict root or
administrator level access for normal execution and/or administration of the
software.
7. SYSTEM ADMINISTRATION
7.1 GENERAL - If system administration is included as a part of an
agreement, Contractors, Suppliers and Supplier's Employees and Subcontractors
shall comply with appropriate Cingular Wireless Corporate security polices and
standards.
8. ACCESS BY CONTRACTORS AND SUPPLIER'S EMPLOYEES AND SUBCONTRACTORS
8.1 LOGICAL ACCESS REQUIREMENTS
a. The contractual agreement or a separate access control document executed
between Cingular Wireless and the Contractor or Supplier shall set out
the purpose, terms, conditions and parameters for logical access to
Cingular Wireless Information Resources.
b. Any and all logical access shall be governed by the contractual
agreement or a separate access control document and shall be pursuant to
the terms, conditions and parameters contained therein. No logical
access outside that which is documented shall be allowed by Cingular
Wireless, or attempted by Contractor and Supplier's Employees or
Subcontractors.
c. Contractor or Supplier's Employees and/or Subcontractors shall not be
allowed to logically access or utilize a Cingular Wireless information
resource unless Security Requirements for System or Network Access by
Vendor, Contractor and Supplier Personnel has been incorporated into the
agreement between Cingular Wireless and the Contractor or Supplier, and
the requirements set forth therein have been met.
9. SOFTWARE INTEGRITY
9.1 GENERAL - The Contractor/Supplier certifies that:
a. Computer code created or modified for, or otherwise supplied to Cingular
Wireless:
1. Contains only what is stated in the documentation provided,
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 39
[CINGULAR WIRELESS LOGO]
SECTION 1:
SECTION 2:
-------------------------------------------------------------------------------
400-200-TR - SECURITY REQUIREMENTS FOR PURCHASED OR EXTERNALLY DEVELOPED
COMPUTER SYSTEMS, APPLICATIONS AND SOFTWARE
-------------------------------------------------------------------------------
2. Is free of any master access key (ID, password, trap door,
Trojan horse, back door, etc.) to the system,
3. Has been checked for a computer virus or other destructive code
using a regularly updated software package designed for such
purpose and has been inspected by seller's authorized personnel,
and
4. Is not known by Contractor or Supplier's Employees or
Subcontractors to contain a computer virus, other destructive
code or expiration date.
b. The provided application or other software has not been modified so as
to degrade security by interfering with or modifying the normal
functions of the operating system on which the application will reside.
c. No modifications that will degrade current or future security shall be
made to the operating system, application code or other software.
10. WARRANTY FOR YEAR 2000 ISSUES
10.1 CONTRACT WARRANTY - All contracts with software/hardware suppliers shall
include a Year 2000 warranty statement. The following is an example of a
Cingular Wireless approved warranty statement. Other versions designed to meet
individual Cingular Wireless entity needs may be used, but only with prior
approval by its Legal organization.
-----------------------------------------------------------------------
"Supplier warrants that all Software licensed or developed and delivered
hereunder (i) will record, store, process and display calendar dates
falling on or after January 1, 2000, in the same manner, and with the
same functionality as such Software records, stores, processes and
displays calendar dates falling on or before December 31, 1999; and,
(ii) shall include without limitation date data century recognition,
calculations that accommodate same century and multicentury formulas and
date values, and date data interface values that reflect the century.
Supplier warrants that all Software will be tested for compliance with
the requirements herein, and such test results shall be provided to
Customer prior to acceptance of such Software by Customer."
-----------------------------------------------------------------------
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 40
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
NOTICE
For the purpose of this document, the term "Contractor" referred to herein shall
mean contracted individual. The term "Supplier's Employees and Subcontractors"
referred to herein shall mean supplier's employees, subcontractors, agents or
representatives. The term "Supplier" referred to herein shall mean the provider
of goods and/or services pursuant to a written contractual agreement with
Cingular.
Liability to anyone arising out of use or reliance upon any information set
forth herein is expressly disclaimed and no representations or warranties,
express or implied, are made with respect to the accuracy or utility of any
information set forth herein.
This document is not to be construed as a suggestion to any manufacturer to
modify or change any of its products or services, nor does this document
represent any commitment by Cingular to purchase any product or service whether
or not it provides the described characteristics.
Nothing contained herein shall be construed as conferring by implication,
estoppel or otherwise, any license or right under any patent, whether or not the
use of any information herein necessarily employs an invention of any existing
or later issued patent.
TABLE OF CONTENTS
1. Introduction
1.1 General
1.2 Scope
1.3 Reason for Issuance
1.4 Enforcement
1.5 Accountability
1.6 Remedies
2. Contractor and Supplier Responsibilities
2.1 General
3. Security Waivers
3.1 Request for Waiver
3.2 Waiver Submission and Approval
3.3 Absence of Waiver
Exhibit 1 - RF-6835, Contract Personnel Certification Form
Exhibit 2 - List of Cingular Corporate Security Standards
Exhibit 3 - Cingular Vendor, Contractor and Supplier Personnel Security
Requirements
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 41
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
-------------------------------------------------------------------------------
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
1. INTRODUCTION
1.1 GENERAL - This document sets out the security requirements
that each Contractor and Supplier shall comply with before
their employees and/or subcontractors will be allowed
to access Cingular's computers, computer peripherals,
computer communications networks, computer
systems/applications/software, public telephone network
elements and their support systems, and the information
stored, transmitted, and/or processed using these resources,
(referred to herein as "Information Resources").
The information in this document is subject to review and modification.
Accordingly, this document may be subject to change at any time. Future issues
of this document and/or Cingular's internal security requirements may differ
extensively in content, substance and format. In the event that this document is
modified, Cingular shall provide written notification to the Contractor or
Supplier along with a copy of the modified document. Upon reaching mutual
agreement between the parties, the new document shall control. If no agreement
is reached between the parties, then this document shall continue to be in full
force and effect.
Cingular reserves the right to select and utilize any Contractor or Supplier
based on its own internal criteria at any time, under any circumstances, whether
or not consistent with the terms of this document. Further, readers are
specifically advised that each Cingular operating entity or subsidiary may have
requirements additional to those found herein.
Cingular does not recommend computer-related products or services and nothing
contained herein is intended, nor should it be construed, as a recommendation of
any product or service to anyone. Further, Contractors and Suppliers are not to
relate their products, goods, services, etc., to these standards in order to
infer or imply that such items meet any particular standard of use or utility.
1.2 SCOPE - The standards in this document apply to all
Contractors and Suppliers whose Employees and Subcontractors
will have a need to access a Cingular Information Resource.
Such persons shall not be allowed access to Cingular
Information Resources until the requirements of Section 2 of
this document have been accomplished and the assigned Cingular
management employee in the organization receiving the service,
(referred to herein as "Cingular Sponsor") has received a
properly executed Form RF-6835 shown as Exhibit 1 in this
document. Product trials and evaluations shall also be
governed by the requirements of this document.
NOTE: As used in this standard, access refers to logical,
e.g., computer/electronic access, rather than physical
access unless otherwise noted.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 42
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
-------------------------------------------------------------------------------
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
1.3 REASON FOR ISSUANCE - This practice has been revised to:
[ ] Clarify contractor and supplier responsibilities,
[ ] Clarify background check requirements,
[ ] Add waiver requirements, and
[ ] Make other minor wording changes for clarity.
1.4 ENFORCEMENT - Contractors, Suppliers and Contractor and
Supplier's Employees and Subcontractors shall protect Cingular
Information Resources in accordance with the terms and conditions
of applicable contractual agreements between the Contractor or
Supplier and Cingular. In addition, it is the responsibility of
all Contractors, Suppliers and Contractor and Supplier's
Employees and Subcontractors to comply with federal, state, and
local acts, statutes, and regulations which relate to the control
and authorized use of a company's information resources.
Violations of any of the above shall be reported to the
appropriate Cingular Security Organization.
1.5 ACCOUNTABILITY - Contractors and Suppliers are responsible for
ensuring that they, and their Employees and Subcontractors who
work with Cingular accounts on their behalf, comply with Section
2 of this document.
1.6 REMEDIES - Failure of a Contractor or Supplier, or a Supplier's
Employee or Subcontractor to comply with the requirements of
Section 2 of this CSS-TR may result in remedies up to and
including termination of the contractual agreement or any other
rights that Cingular may have in equity and law.
2. CONTRACTOR AND SUPPLIER RESPONSIBILITIES
2.1 GENERAL - Contractor and/or Supplier shall:
- Permit Cingular to inspect, at its discretion, all computer
equipment utilized in the conduct of Cingular business
whether such equipment is owned, leased or controlled by the
Contractor, Supplier or the Contractor or Supplier's
Employees and Subcontractors.
- Protect and otherwise secure all Cingular proprietary and/or
private data and information including data and information
concerning Cingular's employees. This includes data and
information derived or assimilated.
- Use Cingular proprietary information and/or data including
information and data concerning Cingular's employees only as
authorized in this agreement.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 43
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
-------------------------------------------------------------------------------
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
- Return and otherwise support Cingular in any attempt to have returned,
Cingular proprietary and/or private data/information and other
resources used or obtained in the performance of this agreement unless
other arrangements are made and approved by both parties in writing.
- Ensure that each Contractor and Supplier's Employee and Subcontractor
who will access a Cingular Information Resource is aware of (1) the
security information in Exhibit 3 of this document, and (2) that
Cingular has written Security Standards as listed in Exhibit 2.
- Provide each Contractor and Supplier's Employee and Subcontractor with
a copy of Exhibits 2 and 3 of this document if requested. Copies
should be made locally as needed.
- Ensure that Contractor and/or Supplier is bound by a nondisclosure
agreement and/or an information exchange agreement with Cingular.
- Ensure that each of Contractor and Supplier's employees is covered by
a legally binding nondisclosure agreement and/or information exchange
agreement between their employer and Cingular.
- Ensure that Contractor and Supplier's subcontractors are covered by a
nondisclosure and/or information exchange agreement with Contractor or
Supplier.
- Perform an appropriate background check to ensure that no person
assigned to a Cingular account is allowed access to a Cingular
Information Resource if the person:
- has been convicted of a felony offense,
- has been convicted of a misdemeanor offense related to computer
- security, theft, fraud or violence, or
- is currently awaiting trial for any of the above-stated offenses.
- Support any effort by Cingular to perform its own background check of
individuals assigned to a Cingular account:
- As a part of a random sampling for security verification purposes,
- As a part of regular screenings to strengthen Cingular security, or
- If Cingular has reasonable cause to suspect one is needed.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 44
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
-------------------------------------------------------------------------------
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
NOTE: For the purposes of the document, an appropriate background
check shall consist of research at the county courthouse level for the
felony and misdemeanor offenses described above and any pending trial
dates for such offenses. Research shall be conducted in all the
counties in which the Employee or Subcontractor has resided within the
five years prior to proposed assignment to Cingular.
- Have each of its employees, subcontractors, agents and
representatives who will access a Cingular Information Resource
provide the information requested and sign a copy of the Cingular Form
RF-6835 shown as Exhibit 1 to this document, and
- Complete the "Employing Company Certification" section and forward
the signed form RF-6835 to the Cingular Sponsor assigned
responsibility for the Contractor and Supplier's Employees and
Subcontractors.
3. SECURITY WAIVERS
3.1 REQUEST FOR WAIVER - A prospective Contractor or Supplier
shall comply with the requirements of Paragraph 2.1 above unless a
security waiver is approved in advance. The waiver request shall
document the changes/deviations needed or desired and must also
specify the following:
- Reason for the request,
- Available alternative(s), if any, and
- Reason why the request should be accepted.
3.2 WAIVER SUBMISSION AND APPROVAL - Waiver requests shall be submitted
through the appropriate Cingular Security Management which will either
approve the waiver request, negotiate changes/conditions necessary for
approval of the waiver request, or deny the waiver request. If a
waiver request is denied, the denial may be appealed by a Cingular
management person using the variance process documented in Cingular
Corporate Security Standard (CSS) 000-100, Security Management
Process. Cingular Corporate Security Management has the sole
responsibility for waiver and variance approval in Cingular.
Contractors and Suppliers shall
comply with these standards unless a written waiver or variance is issued as
noted above.
3.3 ABSENCE OF WAIVER - Contractors and Suppliers are hereby notified that this
Cingular Corporate Security Standard Technical Reference shall be enforced in
its entirety, and the involved Contractor/Supplier shall be held in breach of
his/her/its agreement with Cingular for any omission, unless a waiver is
approved, as noted above, for any requirement in paragraph 2.1.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 45
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 46
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
EXHIBIT 1
RF-6835
(6/2001)
CONTRACT PERSONNEL CERTIFICATION
FOR USE BY A CONTRACT PERSON'S EMPLOYER
I have read and acknowledge the Cingular Vendor, Contractor and Supplier
Personnel Security Requirements.
By: ______________________________________________ Date: ______________
(Signature) (MMDDYYYY)
Name: _______________________________________________________________
(Type or Print the Name of the Person)
Social Security Number: ____________________ Date of Birth: _________________
(MMDDYYYY)
EMPLOYING COMPANY CERTIFICATION
The above named employee of ____________________________________________
has signed above and acknowledged receipt of the Cingular Vendor, Contractor and
Supplier Personnel Security Requirements. This person is covered by a legally
binding nondisclosure agreement between Cingular and my company.
Employing Company Representative: ______________________ Date: ________
(Authorized Signature) (MMDDYYYY)
Name: ___________________________________ Title: ______________________
(Type or Print Name of Employing Company Representative Signing Above)
Company Name: __________________________ Tel. Number: _________________
Business Address: _____________________________________________________
---------------------------------------------------------------------
PROVIDE THE ORIGINAL OF THIS FORM TO THE CINGULAR MANAGER SPONSORING THIS
PERSON'S WORK.
Name of Cingular Sponsor: ____________________ Tel. Number _____________
(Type or Print Name)
THE CINGULAR SPONSOR SHALL (1) RETAIN THIS FORM FOR ONE YEAR AFTER THE PERSON'S
WORK HAS ENDED, AND (2) PROVIDE A COPY OF THIS FORM TO THE APPROPRIATE CINGULAR
SECURITY ORGANIZATION.
REPRODUCE LOCALLY
PRIVATE/PROPRIETARY/LOCK
Contains Private and/or Proprietary Information When Completed. May Not Be Used
Or Disclosed Outside The Cingular Companies Except Pursuant To A Written
Agreement. Must Be Stored in Locked Files When Not In Use.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 47
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
EXHIBIT 2
CINGULAR CORPORATE SECURITY STANDARDS
The following list provides general information about Cingular's current
Corporate Security Standards, which are available for, reference purposes. This
list is subject to change without further notice. If needed, copies of these
Standards may be obtained through your Cingular Sponsor when required for work
being performed for Cingular.
SECURITY MANAGEMENT PROCESS AND ADMINISTRATION STANDARDS
000-100 Security Management Process
000-200 General Security Standards for Users of Information Resources
000-300 Security Administration Standards
000-400 Security Vulnerability Management Standards
000-500 Administration of Proprietary Information
000-575 Records Retention Standards (Planned)
000-600 Security Intrusion Response
SYSTEMS STANDARDS
100-000 General System Security Standards
100-100 Personal and Portable Computing Security Standards
100-150 Windows NT Workstation Security Standards
100-220 Novell Server Security Standards
100-250 Windows NT Server Security Standards
100-300 UNIX Security Standards
100-500 OS/390 Security Standards
100-600 AS/400 Security Standards
100-700 Database Security Standards
100-800 Public Telephone Network Security Standards
COMMUNICATIONS NETWORK STANDARDS
200-000 General Data Communications Network Security Standards
200-100 Security Standards for Provisioning and Administration of Internal
Voice Communications Services
200-200 Electronic Communications Security Standards
200-300 Internet/Intranet Usage Standards
PHYSICAL SECURITY STANDARDS
300-000 Physical Security Standards for Information Resources
300-100 Physical Site Review Process Standards
300-200 Security Se1f-Assessment Standards
300-300 Disaster Recovery and Contingency Planning Standards for Information
Resources
VENDOR, CONTRACTOR AND SUPPLIER STANDARDS
400-000 Security Requirements for Use and Development of Information Resources
by Vendors, Contractors and Suppliers
400-100 Security Standards for Purchased or Externally Developed Computer
Systems, Applications and Software
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 48
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
400-200-TR Security Requirements for Purchased or Externally Developed Computer
Systems, Applications and Software *
400-300 Security Standards for System or Network Access by Vendor, Contractor
and Supplier Personnel
400-400-TR Security Requirements for System or Network Access by Vendor,
Contractor and Supplier Personnel *
400-500 Security for Sourced Work
SYSTEM DEVELOPMENT SECURITY STANDARDS
500-000 Security Issues for System/Application Development and Maintenance
500-100 Web Site Development, Maintenance and Administration Standards
GENERAL SECURITY STANDARDS
800-100 Data Encryption Standards
800-200 Virus Protection Standards
800-300 E-mail Security Standards
800-400 Telecommuting and Mobile Computing Security Standards
* Not proprietary
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 49
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
EXHIBIT 3
CINGULAR VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL SECURITY REQUIREMENTS
1. GENERAL
1.1 It is the responsibility of each Contractor and Supplier's Employee and
Subcontractor to conduct business with Cingular in a legal and ethical manner.
1.2 Cingular's Information Resources shall be used only for Cingular approved
purposes.
1.3 Cingular's Information Resources shall be protected from unauthorized use,
theft, misuse, accidental or unauthorized modification, disclosure, transfer or
destruction.
1.4 The security, reliability and integrity of Cingular's Information Resources
and information processing
activities shall be protected.
1.5 Each Contractor and Supplier's Employee and Subcontractor shall permit
Cingular to audit/inspect computer equipment and those files located on such
equipment that are utilized in the conduct of Cingular business whether such
equipment is owned, leased or controlled by the Contractor, Supplier, Supplier's
Employees and Subcontractors, or Cingular itself.
1.6 Only Cingular management may borrow or authorize the borrowing of equipment
for use by, or in the name of Cingular.
2. EXPECTATION OF PRIVACY
2.1 Cingular's Information Resources including, but not limited to, computers,
voice and data networks, electronic mail and voice mail are the property of
Cingular and as such, are to be used only for purposes approved by Cingular.
Cingular shall, therefore, have the right to audit/inspect any or all computer
equipment, including software, used by Contractor or Supplier's Employees and
Subcontractors in the performance of work under a contractual agreement with
Cingular. Additionally, Cingular may periodically monitor, and/or review after
the fact, the use of its Information Resources. Contractor and Supplier's
Employees and Subcontractors who use Cingular's Information Resources in an
inappropriate manner may be subject to remedies up to and including dismissal
from a Cingular account and any other rights and remedies in equity and law.
3. VIOLATIONS REPORTING
3.1 Whether observed by a Cingular employee or a Contractor or Supplier's
Employee or Subcontractor performing work for Cingular, all violations of
Cingular policy or standards, federal, state or local laws, or licensing
agreements, shall be immediately reported to the Cingular Security Organization.
3.2 No independent action to correct a security problem should be taken unless
failure to immediately respond will result in irreparable harm to Cingular. If
action is taken to prevent irreparable harm, include that action along with the
report of the problem to the Cingular Security Organization at the earliest
possible time. Follow Cingular Security Organization instructions.
3.3 No independent investigation of a security problem or violation shall be
undertaken by anyone unless directed by the Cingular Security Organization.
4. VIRUSES AND EXPLOITIVE COMPUTER CODE
4.1 Contractor or Supplier's employees and subcontractors shall endeavor to keep
Cingular's information resources free of viruses and other exploitive or
destructive computer code. The standards outlined below shall be adhered to.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 50
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
a. A contractor or Supplier's Employee and Subcontractor may transfer data files
for business purposes from their business computer to a Cingular computer.
However, Contractor and Supplier's Employees and Subcontractors undertaking such
activity shall use their best efforts to ensure no jeopardy to Cingular.
b. Contractor and Supplier's Employees and Subcontractors shall use Cingular
approved and provided virus scanning software in an active monitoring mode when
using computer equipment provided by Cingular.
c. Contractor and Supplier's Employees and Subcontractors shall use a regularly
updated virus scanning software product in an active monitoring mode when using
computer equipment provided by their employer.
d. Contractor and Supplier's Employees and Subcontractors may be held
accountable for any damages or costs incurred by Cingular due to a virus or
other exploitive or destructive code knowingly or negligently introduced into
Cingular Information Resources.
5. SOFTWARE USE RESTRICTIONS
5.1 Software used on Cingular equipment shall be obtained from a Cingular
approved source.
5.2 Contractor and Supplier's Employees' and Subcontractors' personal software
shall not be used on Cingular computers.
5.3 Importation, use or distribution of public domain software is not allowed in
Cingular except as directed by the Cingular Sponsor in accordance with Cingular
Corporate Security Standards.
5.4 Software licensing and copyright agreements/restrictions shall be complied
with at all times.
5.5 Preventative measures, e.g., locked cabinets, shall be used to prevent the
unauthorized use, copying or theft of software.
6. SOFTWARE DEVELOPMENT RESTRICTIONS
6.1 Computer code created, modified for, or otherwise supplied to Cingular:
a. Shall be fully documented,
b. Shall not contain any master access key (ID, password, trap door, Trojan
horse, back door, etc.) to the system, and shall not contain any computer virus
or other exploitive or destructive code, device or expiration date.
c. Shall not degrade security by interfering with or modifying the normal
functions of the operating system on which the software will reside.
6.2 Contractor and Supplier's Employees and Subcontractors performing system or
software development under the management of Cingular shall comply with all
development and security requirements in the Cingular Corporate Security
Standards. Copies of these Standards are available through the Sponsor.
6.3 Contractor and Supplier's Employees and Subcontractors performing work as a
part of a Cingular outsourcing agreement, shall follow the software development
requirements in the Cingular Corporate Security Standards and other specified
affiliated company standards.
6.4 No modification shall be made to the operating system, application code, or
other software that will negatively impact the present or future security of the
computing environment.
7. PORTABLE COMPUTERS
7.1 Portable computer equipment shall be protected from theft.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 51
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
7.2 When directed by Cingular, proprietary information stored on portable
computers shall be encrypted to avoid loss or disclosure if the hardware is lost
or stolen.
8. INFORMATION BACK-UP
8.1 Timely back-ups of Cingular work and information shall be accomplished.
8.2 Back-up copies shall be stored off-site or at least outside the immediate
work area, i.e., physically separated by a rated fire wall.
9. GOVERNMENT CLASSIFIED INFORMATION
9.1 Government classified or other sensitive information shall be safeguarded in
accordance with Cingular policy and applicable laws.
10. PROPRIETARY INFORMATION
10.1 Contractor and Supplier's Employees shall be covered by a nondisclosure
agreement and/or an information exchange agreement between their employer and
Cingular.
10.2 Contractor and Supplier's subcontractors shall be covered by a
nondisclosure agreement and/or an information exchange agreement with Contractor
or Supplier.
10.3 Cingular's and Cingular's customer proprietary information is private and
confidential and shall not be accessed, used, transferred, modified, disclosed,
destroyed or disposed of except in accordance with the contractual agreement.
If, no agreement has been reached by the parties, then the Contractor or
Supplier's Employees and Subcontractors may not access Cingular's and Cingular's
customer proprietary information.
10.4 Cingular may pursue available legal remedies, both civil and criminal,
against Contractor and Supplier's Employees and Subcontractors who violate
Cingular's policies and standards or applicable laws for the protection of
private and/or proprietary information.
10.5 Cingular proprietary information and Cingular customer proprietary
information shall not be transmitted across a public network, e.g., the
Internet, unless it is encrypted in accordance with Cingular standards.
10.6 All Cingular proprietary information shall be disposed of in accordance
with Cingular standards.
11. INTELLECTUAL PROPERTY
11.1 In the event that a Contractor or Supplier has not entered into a
contractual agreement with Cingular which includes ownership of intellectual
property issues, then each of that Contractor or Supplier's Employees and
Subcontractors who will be accessing Cingular Information Resources shall be
covered by a separate intellectual property agreement between their employer and
Cingular or between the Contractor and Cingular.
11.2 Knowledge contracted individuals gain about Cingular, its work, equipment,
installations, networks, computer systems, plans, procedures, etc., while
working for/with Cingular shall not be used for personal gain or for the gain of
other persons, companies, organizations or governments.
11.3 Cingular intellectual property including software developed by or for
Cingular shall not be used by and/or disclosed to others.
11.4 Cingular may pursue available legal remedies, both civil and criminal,
against Contractor and Supplier's Employees and Subcontractors who violate
Cingular's policies and standards or applicable laws for the protection of
intellectual property.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 52
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
12. SOCIAL ENGINEERING
12.1 Social engineering is the art of impersonating an individual or job
position in order to obtain information or services in a fraudulent manner. The
"social engineer" manipulates a person through conversation or other
communications to gain needed knowledge or information. Contractor and
Supplier's Employees and Subcontractors may be the target of a "social engineer"
while performing work for Cingular.
12.2 Contractor and Supplier's Employees and Subcontractors shall provide
information only to persons known or independently verified to have a Cingular
need to know such information.
12.3 Contractor and Supplier's Employees and Subcontractors shall not "chat"
with unknown callers or provide information that is outside the scope of their
responsibility to give to callers.
12.4 If a Contractor or Supplier's Employee or Subcontractor is unsure of what
to do and a caller persists, the Contractor or Supplier's Employee or
Subcontractor shall obtain a call back name, company, address and telephone
number, then discuss the request with, and follow the directions of, his/her
Cingular Management Sponsor or other designated Cingular management contact.
12.5 If a caller does not appear to be legitimate, immediately report the
incident to the appropriate Cingular Security Organization.
13. IDENTIFICATION
13.1 Contractor and Supplier's Employees and Subcontractors shall have
individual UserIDs for Cingular computer, system and network access.
13.2 Cingular shall be provided with the name, address and contact telephone
number of each Contractor and Supplier's Employee or Subcontractor who will
access a Cingular system.
13.3 Contractor and Supplier's Employees and Subcontractors shall provide their
Social Security Numbers upon request. The Social Security Number will be used
for individual user identification in the information resource access process.
Do not share your UserID or use the UserID of someone else.
14. AUTHENTICATION
14.1 Passwords and other authentication mechanisms shall be protected.
14.2 Passwords shall be manually entered in order to log into any Cingular
computer asset.
14.3 Passwords or other authentication mechanisms shall not be programmed into a
device or software package in order to avoid manually entering the
authentication mechanism at the time of logon. Exceptions shall be approved only
by the Cingular Security Segment Team.
14.4 No password shall be used for longer than sixty days.
14.5 No previously used password shall be reused.
14.6 A password shall be known only to the user who creates it. No one shall
share a password except in a temporary emergency situation. If a situation
requires a password to be revealed to a second person, the owner of the password
shall change the password as soon as possible after the emergency situation has
passed.
14.7 A compromised password, i.e., a password that has become known to anyone
else at any time, shall never be reused.
14.8 Passwords shall be a minimum of eight characters in length. System
administrative and other special privileged user passwords should be a minimum
of eight characters in length.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 53
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
14.9 Passwords shall contain at least one alpha character and at least one
numeric character unless prevented by the computer asset. Passwords should
contain at least one special or punctuation character.
14.10 Passwords shall not contain common proper names, words from the English
language, or any substring greater than three characters of the UserID.
14.11 Passwords shall not contain a string of three of more identical
characters, letters or numbers such as 777 or XXX.
14.12 Passwords shall not contain a string of three or more ascending or
descending numeric or alphabetic characters such as 123, XYZ.
14.13 Passwords shall not contain a string of four or more characters of the
same type, either alpha, numeric or special/punctuation characters, e.g., ABCD,
XXXX, 1492, 1994, or ?@!%.
14.14 Passwords shall not contain all or any part of an associated telephone
number, social security number, street address, date of birth, company acronym
or work group name.
15. ACCESS CONTROL
15.1 Access controls shall be complied with and not circumvented.
15.2 Unauthorized exploring or pinging of systems and networks is strictly
prohibited. Any attempt at hacking or gaining unauthorized access to Cingular's
Information Resources, or those of others, is prohibited. This includes any form
of system or security penetration such as probing, sniffing, browsing or
looping.
15.3 No device shall be connected to a Cingular network without permission from
the network's administrator.
15.4 System access devices shall not be left signed on when unattended.
Individuals are accountable for system usage traced to their UserID.
15.5 Access to Cingular Information Resources shall be authorized by the
Cingular sponsor or his/her delegate.
15.6 Access arrangements shall only be disclosed to persons having a
need-to-know and who are authorized to receive such information.
15.7 Contractor and Supplier's Employees and Subcontractors shall not be allowed
to remotely access any Cingular asset and change any computer code unless it is
a written and approved part of the work description to do so.
15.8 Contractor and Supplier's Employees and Subcontractors shall have access to
only the actual Cingular information resources necessary to accomplish their
work.
15.9 Because of the critical nature of certain Cingular Information Resources,
Cingular management of the system(s) involved must authorize access permission
for Contractor and Supplier's Employees and Subcontractors.
15.10 Appropriate nondisclosure, information exchange and intellectual property
agreements shall be in place between Cingular and the Contract company or
Cingular and the Supplier company, and if necessary, the applicable Contractor
and Supplier's Employee or subcontractor, before access to a Cingular
Information Resource is allowed.
15.11 A Contractor or a Supplier's Employee or Subcontractor may be granted
remote, e.g., in-dial, ISDN, or Internet, access to only the systems they have
been previously approved to access. All remote access shall be in accordance
with Cingular's approved access methods.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 54
[CINGULAR WIRELESS LOGO]
SECTION 3:
SECTION 4:
400-400-TR - SECURITY REQUIREMENTS FOR SYSTEM OR NETWORK ACCESS BY
VENDOR, CONTRACTOR AND SUPPLIER PERSONNEL
-------------------------------------------------------------------------------
15.12 Any access device, e.g. a SecurID card, shall be returned to Cingular when
work has ended by the Contractor or Supplier's Employee or Subcontractor.
16. ACCOUNTABILITY
16.1 A violation of Cingular's policies and standards shall, at Cingular's
option, be grounds for termination of contract and possible civil action against
a Contractor or Supplier's Employee or Subcontractor.
16.2 A violation of any federal, state or local statute or law shall, at
Cingular's option, be grounds for termination of contract, and possible civil
action and/or criminal prosecution.
16.3 Any Cingular equipment used by a Contractor or Supplier's Employees and
Subcontractors shall be immediately returned to Cingular once work is completed
or has otherwise ended.
17. SECURITY ADMINISTRATION
17.1 Neither a Contractor nor a Supplier's Employee or Subcontractors shall be
allowed to perform security administration functions except when approved by a
Cingular Sponsor in accordance with Cingular Corporate Security Standards.
18. VARIANCES FROM SECURITY REQUIREMENTS
18.1 Occasionally, a Contractor or a Supplier's Employee or Subcontractor may
feel there is a need to take action that is not in accordance with Cingular
policy or standards. If that person's Cingular Sponsor feels that a potential
variance has merit, the Sponsor may submit a variance request.
-------------------------------------------------------------------------------
Revision 1: June 5, 2001 55
