UBS SOC - Strategic Outline Work Version 2 with Comments
- Pavan Raja

- Apr 8, 2025
Summary:
The document from Hewlett-Packard (HP) to UBS AG outlines a partnership for security operations center assessment and improvement services with specific terms and conditions. Key points include:
1. **Definition of "Solution"**: Solutions proposed by HP are not guaranteed to meet the needs specified in the proposal, but they will be based on the best knowledge available at the time of submission. The scope may change after the engagement begins as more information becomes available. This flexibility allows for a tailored approach that can evolve with new data and insights.
2. **Roles and Responsibilities**:
   - UBS is responsible for managing communication, accepting deliveries, making modifications to the proposal, handling communications effectively, authorizing payments, and having an engagement manager available onsite during working hours with signatory and decision-making powers. This role includes providing data on risks and incident responses relevant to the assessment process, which may be presented in obfuscated format if required.
   - HP's responsibilities include coordinating dates for workshops, modifying proposals, holding status consultations, scheduling necessary staff members, and drafting reports. They must also provide specialist knowledge and expertise through recommended courses of action and strategies.
3. **Compliance Requirements**: UBS is responsible for ensuring compliance with all legal requirements and directives from relevant authorities that may impact the engagement. HP will assist in this effort as needed, particularly regarding security checks or clearances if mandated by law or policy. This includes special considerations for remote support during report and deliverable compilation phases.
4. **Resource Plan and Timeline**: A detailed plan outlining resources (human and material) and a timeline is agreed upon between UBS and HP to ensure smooth progress in the delivery of the assessment, aligning with both parties' commitments and timelines. This component helps manage expectations and milestones throughout the project lifecycle.
5. **Financial Arrangements**: The total fixed price for HP's deliverables excluding VAT (Value Added Tax) is CHF 175,000. Payments are scheduled according to a predetermined payment plan that adheres to agreed-upon terms and conditions. Prices include all expenses, and the agreement does not cover other offers; invoices must be paid within 30 days net from the invoice date.
6. **Authorization**: UBS authorizes HP to provide services without requiring a purchase order if such authorization is part of UBS's business practices. All changes are subject to mutual agreement in writing following the change management process, which ensures that modifications do not compromise contractual obligations agreed upon at the initiation of the engagement.
7. **Change Management Process**: This section details how proposed or requested changes must be communicated and mutually agreed upon by both parties. The change management process involves filling out a form to communicate any changes and ensuring decisions are made within five days if there are no issues, with additional time for resolution if further discussion is required.
8. **Termination**: The agreement provides terms for its termination, which includes notice periods and conditions under which either party can terminate the contract without legal repercussions or financial penalties beyond those specified in the agreement itself. This clause helps manage expectations about how disputes will be handled should they arise during the course of the consulting relationship.
9. **Miscellaneous**: The document also mentions that all provisions contained within this Agreement supersede any previous communications or agreements between the parties unless explicitly stated otherwise, and it is subject to Swiss law as the governing legal framework applicable to the contractual obligations and disputes arising from this agreement.
Details:
The document is a quotation from Hewlett-Packard (Schweiz) GmbH (hereinafter referred to as "HP") to UBS AG (hereinafter referred to as "UBS"). It includes confidential information about current HP products, sales, and service programs. The important notice states that the information contained in this document is considered confidential by HP and must not be disclosed or reproduced outside of the group responsible for evaluating its contents without prior authorization from HP. This information may include details about ongoing product lines, sales strategies, and support services which are subject to change at HP's discretion. HP has attempted to provide accurate and relevant data but does not guarantee the accuracy or completeness of the information provided. The document is intended solely for evaluation purposes and any reliance on it should be based on a mutually agreed-upon written contract signed by authorized representatives of both parties.
The document outlines a set of terms and conditions for a proposed partnership between Hewlett-Packard (HP) and UBS AG, which includes the provision of security operations center assessment and improvement services. The key points from the proposal are:
1. **Definition of "Solution":** In this context, "solution" refers to the products and services proposed by HP for UBS's project. These solutions do not guarantee compliance with UBS's specific requirements until further information is provided or agreed upon between the parties.
2. **Use of Term "Partner" or "Partnership":** The term "partner" or "partnership" in this proposal does not imply a formal, legal, or contractual relationship but rather signifies a collaborative working relationship developed through teamwork between HP and UBS.
3. **Pricing Estimates Validity:** Unless otherwise agreed upon in writing, pricing estimates provided by HP are valid for 30 days from the submission date of the proposal.
4. **Electronic vs. Hard Copy Proposal Submission:** If HP submits its proposal through both electronic and hard copy formats, and there are discrepancies between the contents of these documents, only the content of the hard copy will be considered as the valid proposal. If only electronic submissions differ, the PDF version will serve as the valid proposal.
5. **Contact for Concerns:** Any queries, concerns, or issues regarding this document should be directed to the respective sales representative.
6. **Table of Contents:** The table of contents is provided at the beginning of the document and includes references to sections such as "Work Package 1," "Work Package 2," and "Work Package 3" which are detailed in subsequent tables linked to other parts of the document.
This summary highlights the main contractual elements and operational details agreed upon between HP and UBS for their collaborative security operations project.
The document outlines a Statement of Work (SOW) between HP/Compaq and UBS, detailing specific consultancy services for security assessment and development. It states that any attachments or modifications must not alter the terms of the main SOW, which is governed by the Compaq Swiss Framework Agreement dated July 2001. If not executed, the SOW can expire after 30 days unless specified otherwise. The scope of services aims to improve UBS's security operations capability through SOC analysis and development of work packages. HP provides three main consulting services: SOC analysis preparation, analysis delivery and support, and report delivery in UBS's desired format. Each activity is described as a Work Package within the engagement, with changes requiring adherence to a change management process.
To summarize, Hewlett Packard (HP) plans to have a planning session with the UBS team before the second phase of their work engagement. They will follow a similar preparation schedule as in phase 1 for setting up meetings and initial assessments. UBS has requested special focus on certain areas that were already mentioned in the proposal for this phase, along with reviewing the results from phase one.
Phase 2's deliverables require some pre-requisites to be fulfilled:
1. Conduct a kick-off meeting with the end user point of contact to set up the schedule and necessary resources between HP and UBS.
2. Plan the SOC (Security Operations Center) analysis and improvement consulting services in consultation with UBS. A similar planning session will occur before this phase as well.
3. Gather appropriate documents for review and analysis by HP staff to assess the current SOC Maturity environment. If needed, these can be provided beforehand.
4. Identify suitable individuals for interviews by HP to evaluate the current SOC Maturity state of the customer.
5. Provide access to the customer site for HP personnel conducting the maturity assessment, including appropriate facilities if team members are geographically dispersed.
6. Ensure adequate rooms and interview spaces are available for document reviews and discussions, minimizing disruption.
7. Grant permission to use HP equipment on-site, such as laptops and mobile phones, for support during the engagement.
The performance assessment involves several steps and considerations as outlined in the document. First, any additional requirements, such as special security checks or clearances or language requirements, must be communicated to HP beforehand to avoid last-minute issues. Additionally, preparing an organization chart will facilitate the development of a schedule for interviews and discussions between UBS and HP.
The assessment also involves collecting specific data related to risk and risk treatment from UBS, including incident response data that is relevant to the assessment. This information can be presented in an obfuscated format if necessary. The document also notes the limitations, exclusions, dependencies, and assumptions pertinent to the onsite work, which should strictly take place in Altstetten, Switzerland, while remote support may be utilized for report and deliverable compilation.
The roles and responsibilities section of this document clearly delineates what UBS and Hewlett-Packard (HP) are expected to do during the assessment process. Specifically:
UBS is responsible for coordinating workshop dates with HP, hosting consultants providing analysis work, making modifications to the proposal, handling communications effectively, accepting deliveries, and authorizing payments. The engagement manager must have signatory and decision-making powers and be available at the customer location during working hours.
HP's role is to provide specialist knowledge and expertise by recommending appropriate courses of action and strategies. The HP engagement manager is responsible for coordinating dates with UBS, making modifications to the proposal, holding status consultations, scheduling necessary staff members, and drafting reports.
Finally, a resource plan and timeline are agreed upon between UBS and HP, ensuring that the overall delivery of the assessment progresses smoothly according to both parties' commitments and timelines.
This is information about how someone can get services from a company called HP. They need to send in a special order first (called a purchase order) so they can start providing things like time, places or other details that might change. If the person asks for changes after they've already received these services, they might have to pay extra money.
When it comes to accepting documents and making sure everyone agrees on them, HP will show those papers to another big company called UBS (which stands for United Business Services). They look at the papers and then give feedback in writing within five days. If there are any things that need fixing, HP has five more days to do this work.
If someone wants to change what they're doing with HP, they have to tell them about it by filling out a special form. UBS can ask for changes too, and if it takes longer than four hours to decide on those changes, then the cost of that extra time could be charged back to UBS. The people in charge will make sure everyone agrees with the new plan before moving forward.
This document outlines the terms for a service agreement between HP and UBS, including financial details, payment plan, authorization, and other relevant information. The total fixed price for HP's deliverables is CHF 175,000 (excluding VAT), with payments due according to a specified schedule. Prices are exclusive of VAT, which will be shown as a separate line item on any invoice. All prices include all expenses, and the agreement does not apply to other offers. Invoices are due within 30 days net from the invoice date. The authorization section states that UBS's signature authorizes HP to provide services without requiring a purchase order if UBS doesn't issue them as part of its business practice. All changes must be mutually agreed upon in writing following the change management process. This agreement supersedes any previous communications or agreements.
The text appears to be a heading from a legal or administrative document related to consulting services. Here's a simplified summary of its main components based on the information provided:
**Effective Date**: The effective date of this provision is set as June 2, 2014. This indicates that any terms and conditions outlined in the document regarding consulting services apply from this specific date onward.
The rest of the document would typically contain detailed provisions about what constitutes "rk" (likely a company or abbreviation for a consultancy), details on the types of consulting services provided, client responsibilities, payment arrangements, contractual obligations, termination clauses, and other legal terms that both parties are expected to adhere to according to this agreement.
