
DS&P Contracts Review Worksheet

Project Profile

Project Name: Medtronic Inc.
Work Number(s): WNMST, W559U, WC81V, WN0CV, WN0MV, WN2GV, WN2KV, WFMKV, WNJLV, W2ZTV, WAHHW
Brief Description of Project Scope (what is the project hired to do?): Extension of Support and Enhancement through 4-30-2021. IBM is currently providing the following AMS services: Project Management; Support Service, which provides Level 2 and Level 3 diagnosis and problem resolution for requests related to production Applications and Databases; User profile or security administration/support of defined Application and Database environments; Interface & batch support; Application administration & Database support; and custom application development for these business areas: SAP, SAP RICEF, Oracle PeopleSoft, Web & Mobile applications, WebMethods, Java, Siebel, BAO, and BW.
Contract documents reviewed (MSA, SOW, DOU, PCR etc.):
• ICA Amendment Privacy and Data Protection HIPAA dated June 6, 2005
• Business Associate Addendum dated July 7, 2010
• SOW between Medtronic and IBM dated May 19, 2011
• PCR Final_CCR095 and CCR096 IBM AMS amendment to managed services contract
• DOU Ref. No. 2004-10506 between US IBM & GDC India dated August 19, 2011
• DOU Ref. No. 2011-10158 between US IBM & PH GDC dated June 15, 2011
• DOU Ref # between AMS US and AMS Brazil dated August 17, 2012
• DOU Ref. No. 2012-12509 between IBM US and IBM China GBS DC dated June 19, 2012
• B92 BI/DW Services IBM_MDT dated 091313
• SOW between Medtronic and IBM dated May 19, 2018
Project Start Date: 01/02/2016
Project End Date: 4/30/2021
Project Manager (Start Date on Project):
  Claudia Corino, DPE (US): 8/17/2016
  SenthilKumar, Manager PMO: 5/16/2018
Security Expert (Start Date on Project):
  Michael Via: 3/15/2016
  Chintan Bhankharia: 8/1/2018

Review History
By including your name in the review list, you sign that you agree with the requirements defined in this review worksheet.

Name                  Role      Date Reviewed  Comments
Michael Via           DS&P SE   8/10/2017      RRA gaps addressed on 3/7/18.
Chintan Bhankharia    DS&P SE   2/20/2020      Updated with Work numbers.

DS&P Contracts Review Worksheet v1 Page 1


Contract Details
Include security requirements from the SOW, MSA, and any PCRs. Refer to the items to consider during review (listed at the end of this worksheet), but remember these are examples.

Each entry below records the Security Requirement, the Reference Document, its Section or Page #, and the Controls Implemented that address it.
Security Requirement: IBM’s Information Data Security Obligation
Reference Document: Medtronic SOW Execution Copy 05-19-11
Section or Page #: Pg #39, Section 16.8
Controls Implemented: Client Requirements; Security Plan

(a) Security Standards. IBM shall adhere to Best Practices security standards as it pertains to the technology environment controlling access to the MDT System provided by IBM and/or holding any MDT Confidential Information at IBM. Without limiting the foregoing:

(i) IBM shall maintain a commercially reasonable information protection program with appropriate administrative, technical and physical safeguards and written security management policies and procedures designed to monitor, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, and security of IBM’s technology environment used to access the MDT System and/or access and/or hold the MDT Confidential Information. Such policies and procedures shall: (A) assign specific data security responsibilities and accountabilities to specific individual(s); (B) include a formal risk management program which includes periodic risk assessments; and (C) provide an adequate framework of controls that safeguard the technology environment controlling access to the MDT System. The locations from which IBM will deliver the Services will satisfy 133 ISO27001 Security Control Points, including IP Protection, and are currently measured semi-annually. IBM reserves the right to modify or change its internal policies and procedures, including security control points, for its locations. In the event such change would no longer satisfy the requirements of this provision, or if IBM no longer satisfies 133 ISO27001 Security Control Points or an equivalent, then IBM will notify MDT of such change.

(ii) IBM shall use all appropriate security to protect MDT’s Confidential Information from unauthorized access and disclosure (internally or externally), and IBM acknowledges that the use of such security does not give rise to any privacy rights in the communication as between IBM and MDT.

(iii) IBM shall ensure that its internal systems include up-to-date antiviral software that is reasonably designed to prevent viruses from reaching the MDT System through IBM systems. IBM shall use appropriate safeguards to prevent unauthorized access to the MDT System through the IBM systems.

(iv) IBM shall require that IBM Personnel do not use any VPN or other device to simultaneously connect machines on any MDT System to any machines on any IBM or third party systems, without: (A) using only a remote access method approved in writing and in advance by MDT that is subject to MDT’s security policies; (B) providing MDT with the full name of each individual who uses any such VPN and the phone number at which the individual may be reached while using the VPN; and (C) ensuring that any computer used by IBM Personnel to remotely access any part of the MDT System will not simultaneously access the Internet or any other third party network while logged on to MDT Systems.

(b) Infrastructure Protection. IBM shall maintain procedures in accordance with Best Practices to protect IBM’s technology environment used to access the MDT System and/or to access and/or hold the MDT Confidential Information, including, at a minimum:
(i) Formal security programs (policies, standards, processes, etc.);
(ii) Processes for becoming aware of, and maintaining, security patches and fixes;
(iii) Router filters, firewalls, and other mechanisms to restrict access to the IBM environment, including without limitation, all local site networks which may be accessed via the Internet (whether or not such sites transmit information);
(iv) Resources used for mobile access to the MDT System shall be protected against attack and penetration through the use of firewalls; and
(v) Processes to prevent, detect, and eradicate malicious code (e.g., viruses, etc.) and to notify MDT of instances of malicious code detected in the IBM environment which affect the MDT System.

(c) Security Evaluations. IBM shall periodically (no less than annually) evaluate its processes and systems to ensure continued compliance with obligations imposed by Laws applicable to it as an information technology provider and this SOW with respect to the confidentiality, integrity, availability, and security of the MDT System and IBM technology environment used to access the MDT System and/or to access and/or hold the MDT Confidential Information. IBM shall document the results of these evaluations and any remediation activities taken in response to such evaluations, and provide to MDT a copy upon request.

(d) MDT Audits. Every year during the Term of this SOW upon request by MDT, IBM will provide a warranty in writing to MDT that IBM has complied in all material respects with its obligations to implement the control processes and procedures in accordance with the terms and conditions of this SOW. This warranty will not create any rights or causes of action under this SOW or otherwise. MDT, directly or through an agent, may audit IBM’s security program to verify compliance with the requirements of this SOW, subject to the limitation set forth in Section 14.2, above. Audits shall be conducted at agreed-upon times, during normal business hours, upon reasonable written notice, and no more often than once per calendar year. MDT may audit more than once a year if it has a reasonable belief IBM has materially breached its security obligations. In addition to the right to audit, upon written request, IBM shall provide MDT a summary of external audit reports relevant to IBM’s security program that have been created in the 18 months prior to the request and which may be disclosed without causing IBM to breach a contract with a third party.

(e) Audit Practices. IBM shall provide to MDT, at least annually, information on its audit processes, procedures and controls related to the Services, including a report on any findings and remediation efforts. IBM shall also provide to MDT an independent attestation of IBM’s security practices and process controls that provides sufficient evidence of such practices and controls (e.g., Statement on Auditing Standards 70 Type II equivalent, SSAE 16 assessment, etc.).

(f) Security Incidents.
(i) “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in the IBM technology environment which may affect the MDT Data, MDT Confidential Information or other MDT information or the security of the MDT System.
(ii) In the event IBM learns of a Security Incident, IBM shall immediately notify MDT. In addition, IBM will, no more than two (2) hours from learning of any Security Incident, submit to MDT an initial plan of action to cure or remedy the Security Incident.
(iii) If MDT considers the security compromise to be a high risk, then IBM must cure or remedy the high risk Security Incident within twenty-four (24) hours of notifying MDT of IBM’s plan of action. If IBM does not cure the high risk security compromise within twenty-four (24) hours of notifying MDT of IBM’s plan of action, then in addition to all other rights and remedies of law or equity or otherwise, MDT will have the right to immediately terminate access to MDT System from the IBM system causing the Security Incident. If MDT considers the Security Incident to be a medium to low risk, then IBM must cure or remedy the medium to low risk Security Incident within two (2) to five (5) business days of notifying MDT of IBM’s plan of action. If IBM does not cure the medium to low risk Security Incident within two (2) to five (5) business days of notifying MDT of IBM’s plan of action, then in addition to all other rights and remedies of law or equity or otherwise, MDT will have the right to immediately terminate access to MDT System. To the extent any non-access to a system prevents (in the sense that there is no access using any workarounds) IBM from satisfying its Service Level requirements, IBM shall be excused from satisfying such requirements to the extent of such lack of access, provided it complies with the terms of Section 18.4 (Excusing Events).
(iv) Without limiting the terms of subsection (iii) above, in the event that MDT determines or reasonably suspects that IBM’s security standards are not in compliance with Section 16.8(a), MDT may suspend IBM’s connection to the MDT System to the extent reasonably necessary to protect the MDT Data and other MDT information and the security of the MDT System (collectively, a “Threat”). IBM shall work continuously and diligently to remedy the Threat. To the extent any non-access to a system prevents (in the sense that there is no access using any workarounds) IBM from satisfying its Service Level requirements, IBM shall be excused from satisfying such requirements to the extent of such lack of access, provided it complies with the terms of Section 18.4 (Excusing Events).

(g) Security Requirements. In addition to the foregoing, IBM shall, and shall ensure that the IBM Personnel shall, comply with the additional security requirements in Appendix K – Security Requirements.

Security Requirement: Compliance with HIPAA regulation, including provisions to provide administrative, physical and technical safeguards for PHI/ePHI, correction of the medical record set, and reporting of disclosure of protected data
Reference Document: Amendment to ICA
Section or Page #: Pg #2-3
Controls Implemented: Security Plan

Security Requirement: Medtronic personnel information is Confidential Information; requirements for handling and processing of personal information, including provisions for physical, technical, and organizational security measures
Reference Document: Amendment to ICA, Exhibit A
Section or Page #: Pg #4-6
Controls Implemented: Security Plan
Security Requirement: Policies & Procedures / Training: IBM shall ensure that all IBM Personnel who provide Services shall review MDT’s then-current policies and procedures made available in writing to IBM, including those posted on-site at MDT locations and those posted online, prior to such IBM Personnel performing any Services, and shall comply with all such policies and procedures at all times when performing Services.
Reference Document: SOW
Section or Page #: 9
Controls Implemented: Security Plan

Security Requirement: Background checks and drug screening requirements
Reference Document: SOW
Section or Page #: 11, 12
Controls Implemented: Security Plan; On & Off boarding
Security Requirement: Compliance with MDT Sarbanes-Oxley processes; execute MDT-developed SOX control requirements
Reference Document: SOW
Section or Page #: 7; D-3
Controls Implemented: Security Plan
Security Requirement: Training: IBM shall ensure that all IBM Personnel performing Services shall be fully trained in MDT’s QSRs, and shall maintain currency with such training. In e-Business Hosting services: training requirements at induction, testing requirements,
Reference Document: SOW; JDE SOW
Section or Page #: 17; 323
Controls Implemented: Security Plan

Security Requirement: Security Standards for Confidential Information: IBM shall maintain Confidential Information and apply safeguards to protect it. Notify MDT of any loss of Confidential Information in writing. IBM may not obtain any MDT Confidential Information (that IBM is not permitted to obtain or that is not delivered to IBM by MDT or with MDT’s consent), including MDT’s employee information, contractor business contact information, and any PII, outside of the MDT facilities or MDT System, including on laptops, on removable media such as smart cards, USB devices, CDs, DVDs, removable hard drives and tapes, and on other media and devices, or by pulling MDT Data onto IBM’s own systems electronically or otherwise.
Reference Document: SOW
Section or Page #: 38, 39
Controls Implemented: Security Plan

Security Requirement: Security Standards: IBM shall maintain a commercially reasonable information protection program with appropriate administrative, technical and physical safeguards and written security management policies and procedures designed to monitor, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, and security of IBM’s technology environment used to access the MDT System and/or access and/or hold the MDT Confidential Information.
Reference Document: SOW
Section or Page #: 38
Controls Implemented: Security Plan

Security Requirement: Security Standards: IBM Personnel may not use any VPN or other device to simultaneously connect machines on any MDT System to any machines on any IBM or third party systems, without: (A) using only a remote access method approved in writing and in advance by MDT that is subject to MDT’s security policies; (B) providing MDT with the full name of each individual who uses any such VPN and the phone number at which the individual may be reached while using the VPN; and (C) ensuring that any computer used by IBM Personnel to remotely access any part of the MDT System will not simultaneously access the Internet or any other third party network while logged on to MDT Systems.
Reference Document: SOW
Section or Page #: 40
Controls Implemented: Security Plan
Security Requirement: IBM Subcontractors are not permitted to connect to the MDT System directly. If IBM uses IBM Subcontractors, all access to the MDT System by such IBM Subcontractors must be through IBM’s connections to the MDT System, with passwords issued to such IBM Subcontractors by MDT.
Reference Document: SOW
Section or Page #: 42
Controls Implemented: Security Plan
Security Requirement: Security Incident and Incident Response: IBM shall notify MDT immediately of any Security Incident and respond with an action plan within 2 hours of learning of the incident. If MDT considers the Security Incident high risk, the incident must be cured within 24 hours of notifying MDT of the action plan.
Reference Document: SOW
Section or Page #: 42
Controls Implemented: Security Plan

Security Requirement: Sub-contractors: (a) Use of IBM Subcontractors. IBM may subcontract its responsibilities without MDT’s prior written approval; provided, however, that IBM may not subcontract more than an aggregate of 20% of the Services at any point in time without MDT’s prior written approval.
Reference Document: SOW
Section or Page #: Sec. 18.2, 46
Controls Implemented: Security Plan
Security Requirement: Disaster Recovery: Upon the occurrence of a Force Majeure Event, IBM shall implement immediately, as applicable, its disaster recovery plan and provide disaster recovery services. Database Account Management: participate in Business Continuity testing; create and conduct annual testing of the BCP.
Reference Document: SOW; Appendix D; DOU (PH)
Section or Page #: 18 c., 46; D-11; 9
Controls Implemented: Security Plan
Security Requirement: IBM shall inform MDT of the name of each IBM Personnel that IBM desires MDT to authorize to access the MDT System. IBM shall also notify MDT immediately if any such IBM Personnel has been (i) terminated from employment (for employees) or engagement (for contractors) by IBM for any reason, or (ii) re-assigned and no longer requires access to the MDT System.
Reference Document: SOW
Section or Page #: K-1
Controls Implemented: User ID; Security Plan; On & Off board process
Security Requirement: Security requirements on use, accessibility, monitoring & searches on use of MDT data and systems.
Reference Document: SOW, Appendix K
Section or Page #: K-1
Controls Implemented: Security Plan
Security Requirement: IBM for itself and IBM Personnel acknowledges that the MDT System is MDT-owned property, and that MDT reserves the right in its sole and absolute discretion to monitor, record, and investigate IBM’s (including any IBM Personnel’s) use of the MDT System, and to monitor, review, audit, intercept, access, archive and/or disclose materials sent over, received by or from, or stored in any part of the MDT System, including all e-mail or other communications sent to, from, or through the MDT System, regardless of the content of such communications. This includes email communications sent by users across the internet and intranet from and to any domain name owned or operated by MDT.
Reference Document: SOW
Section or Page #: K-2
Controls Implemented: Security Plan; User ID Admin doc
Security Requirement: MDT reserves the right, for any business purposes, to search all work areas (for example, offices, cubicles, desks, drawers, cabinets, computers, computer disks and files) and all personal items brought onto MDT property or used to access MDT Confidential Information or the MDT System. MDT reserves the right to override any security passwords to obtain access to voicemail, email, computer (and software or other applications) and/or computer disks on the MDT System.
Reference Document: SOW
Section or Page #: K-2
Controls Implemented: Security Plan
Security Requirement: Geo PM will instruct the IBM India team on the operational processes which govern access to Customer Applications, Data Privacy, and how sensitive PI/SPI data should be handled by the IBM India team. Document it clearly in this DOU. Ensure there is clear responsibility delineated between what Geo will track and what IBM India will track with regard to DS&P and KCO Testing responsibilities.
Reference Document: DOU (IN)
Section or Page #: 9
Controls Implemented: Security Plan
Security Requirement:
- IBM US will be responsible for adhering to any security requirements requested by the IBM Customer and will instruct the IBM India team on the processes and procedures to be followed.
- IBM US will provide client confirmation of revocation of access to client systems within 2 business days of receiving the request from IBM India.
- IBM US will communicate to IBM India the project-specific security requirements, including Data Security and Privacy requirements, to be followed by IBM India at its IBM India locations.
Reference Document: DOU (IN)
Section or Page #: 9
Controls Implemented: Security Plan
Security Requirement: IBM India follows IBM WW IT Security standards to ensure compliance as mandated on IBM standard equipment/environment. IBM US will communicate to IBM India the project-specific security requirements to be followed by IBM India at its RDC locations.
Reference Document: DOU (IN)
Section or Page #: 11
Controls Implemented: Security Plan
Security Requirement: Ensure timely training of all GDC resources in client and project-specific procedures, including those related to data security and privacy. Identify, track and manage all Data Security and Privacy risks and communicate them to the Geo contract owner.
Reference Document: DOU (PH)
Section or Page #: 9
Controls Implemented: Security Plan; On & Off boarding; User Id Admin

Security Requirement: Database management, security management, database responsibilities
Reference Document: SOW, Appx. D
Section or Page #: D-10
Controls Implemented: Security Plan
Security Requirement: Application system administration, user profile administration & management, end-user administration responsibilities. Technical & end-user support responsibilities, backup responsibilities, requirements & design responsibilities, programming & development, implementation & code migration, configuration management roles & responsibilities.
Reference Document: SOW, Appx. D
Section or Page #: D-12/13/14/15
Controls Implemented: Security Plan; On & Off boarding; User Id Admin
Security Requirement: GDPR is applicable: the data processing, handling and deletion requirements and the technical and organizational measures listed in Appendix D page 39 must all be followed.
Reference Document: Medtronic - JDE SOW
Section or Page #: Attachment D
Controls Implemented: SOW; Security Plan; TOM Wizard workbook; Sub-Processing agreement

Here are items to consider during the contracts review:
• Client requirements
- Information Security Roles & Responsibilities Table
- Files cannot be moved or copied
- Papers with confidential/sensitive information must be shredded daily
- Sensitive data cannot be left in a voicemail message
• Client requirements – hiring
- Key words – background checks, drug testing, non-disclosure agreement, right to work, confidentiality, certification, terms and conditions, employment
• Client requirements – user responsibilities
- Key words – data classification, handling data, non company sponsored, personal business, offensive, permissible use
• Client requirements – inappropriate websites
- Key words – web sites, inappropriate, unlawful, unlicensed, offensive, internet, publicly accessible
• Client requirements – materials
- Key words – destruction, electronic, hardcopy, recycle, degaussed, fax, print
• Separation of duties and internal controls
- Key words – separation of duties, segregation, business needs, access, irregularities, conceal
• Access to environments or systems
- Reference to development, test, maintenance, pre-production, quality assurance, production environments
- Can be stated as SIT, Integration, UAT environments for business applications, training
- Remote network access
- VPN access
• Sensitive data
- Production data is used for test data
- Reports are generated containing transactional data
- Source code is developed/modified
- Screen shots of customer data will be used for User Interface enhancements
• Elevated access
- Access to production
- Reference to systems administrator, database administrator, security administrator
- Promoting code to production
- Use of Shared or Emergency IDs
• Subcontractors
- Vendor personnel including affiliates, subcontractors etc.
• Access suspension/termination
- Key words – end, termination, suspension, disable, notify
• Mobile devices and PDAs
- Key words – mobile, cellular, PDAs, disable, usage
• Privacy laws
- Financial or health privacy
- Key words – SSNs, financial information, driver's license numbers, medical records, payment card data
- Europe – race/ethnic origin, religious beliefs, trade union membership, data concerning health, data relating to criminal convictions
• Disclosure of confidential information
- Key words – confidential information, disclosure, safeguard, reasonable care, sensitive data, personal information, business sensitive
• Export control
- Export Administration Regulations
- International Traffic in Arms Regulations
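The checklist above is, in practice, a keyword search over the SOW, MSA and DOU text followed by a coverage check: which categories does the contract speak to, and which are silent. The script below is an added example, not part of the worksheet and not an IBM or Medtronic tool, that runs that search. CHECKLIST transcribes the worksheet's categories as regex stems (a stem such as "terminat" also matches "terminated" and "termination"), SAMPLE_CONTRACT is a constructed contract excerpt written for this example, and the report lists, per category, the clauses that hit and flags categories with no hit as candidate gaps. A flagged gap is a prompt to read the document by hand, not proof that the requirement is missing: a contract can cover a topic without using any of the listed words.

```python
"""Keyword-driven contract review scanner (added example, not part of the worksheet)."""
import re
from collections import defaultdict

# Review categories and key words taken from the worksheet's "items to consider" list.
# Entries are stems: each is matched at a word boundary followed by any word characters.
CHECKLIST = {
    "client requirements": ["roles & responsibilities", "moved or copied", "shred", "voicemail"],
    "hiring": ["background check", "drug", "non-disclosure", "right to work", "confidentiality", "certification"],
    "user responsibilities": ["data classification", "handling data", "personal business", "permissible use"],
    "inappropriate websites": ["web site", "inappropriate", "unlawful", "unlicensed", "offensive"],
    "materials": ["destruction", "electronic", "hardcopy", "recycle", "degauss", "fax", "print"],
    "separation of duties": ["separation of duties", "segregation", "irregularit", "conceal"],
    "access to environments": ["development", "test", "pre-production", "quality assurance",
                               "production", "UAT", "remote network access", "VPN"],
    "sensitive data": ["production data", "transactional data", "source code", "screen shot"],
    "elevated access": ["systems administrator", "database administrator", "security administrator",
                        "promot", "shared id", "emergency id"],
    "subcontractors": ["subcontract", "affiliate", "vendor personnel"],
    "access suspension/termination": ["terminat", "suspen", "disable", "notif"],
    "mobile devices": ["mobile", "cellular", "PDA"],
    "privacy laws": ["SSN", "financial information", "driver's license", "medical record",
                     "payment card", "health", "PHI", "PII"],
    "disclosure of confidential information": ["confidential information", "disclosure", "safeguard",
                                               "reasonable care", "sensitive data", "personal information",
                                               "business sensitive"],
    "export control": ["export administration", "traffic in arms", "ITAR"],
}

# Constructed sample clauses for this example; not text from any real SOW.
SAMPLE_CONTRACT = """\
7.1 Personnel. Supplier shall complete background checks and drug screening for all
personnel before they perform Services.

7.2 Remote Access. Personnel shall not use any VPN to connect machines on the Client
system to third party networks; remote network access requires written approval.

7.3 Incidents. Supplier shall notify Client of any Security Incident and shall cure
high risk incidents within twenty-four (24) hours.

7.4 Subcontractors. Supplier may not subcontract more than 20% of the Services without
prior written approval.

7.5 Confidential Information. Supplier shall safeguard Client Confidential Information,
including PII, and may not copy it to removable media.
"""


def split_clauses(text):
    """Split contract text on blank lines into (label, clause) pairs.
    The label is the leading clause number when present, else a positional index."""
    clauses = []
    for i, block in enumerate(re.split(r"\n\s*\n", text.strip()), start=1):
        block = " ".join(block.split())  # rejoin wrapped lines
        m = re.match(r"(\d+(?:\.\d+)*)\s", block)
        clauses.append((m.group(1) if m else f"clause {i}", block))
    return clauses


def compile_checklist(checklist):
    """Turn each key word into a case-insensitive, word-boundary-anchored stem pattern."""
    return {cat: [(kw, re.compile(r"\b" + re.escape(kw) + r"\w*", re.IGNORECASE)) for kw in kws]
            for cat, kws in checklist.items()}


def scan_contract(text, checklist=CHECKLIST):
    """Return {category: [(clause_label, key_word, snippet), ...]} for every clause/key word hit."""
    patterns = compile_checklist(checklist)
    hits = defaultdict(list)
    for label, clause in split_clauses(text):
        for cat, pats in patterns.items():
            for kw, pat in pats:
                m = pat.search(clause)
                if m:
                    start = max(0, m.start() - 30)
                    hits[cat].append((label, kw, clause[start:m.end() + 30]))
    return dict(hits)


def coverage_gaps(hits, checklist=CHECKLIST):
    """Checklist categories that matched nothing: read these sections by hand or raise them."""
    return [cat for cat in checklist if cat not in hits]


def review_report(text, checklist=CHECKLIST):
    """One line per category: covered (with clause numbers and matched words) or GAP."""
    hits = scan_contract(text, checklist)
    lines = []
    for cat in checklist:
        if cat in hits:
            clauses = sorted({label for label, _, _ in hits[cat]})
            words = sorted({kw for _, kw, _ in hits[cat]})
            lines.append(f"[covered] {cat}: clauses {', '.join(clauses)} ({', '.join(words)})")
        else:
            lines.append(f"[GAP]     {cat}: no matching clause; confirm with client or raise")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(SAMPLE_CONTRACT))
```

Stems are deliberately loose (for example "test" also matches "testing" and "testimony"), which suits a review aid whose output a person reads; tighten them if the scanner is used to drive anything automatic. Running the report on the sample marks hiring, access to environments, access suspension/termination (the "notify" in 7.3), subcontractors, privacy laws and disclosure as covered, and the other nine categories as gaps.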
