File Integrity Monitoring

Service Guide
 

Version Date: December 19, 2019
 

This Service Guide (“SG”) sets forth a description and technical details of the File Integrity Monitoring Service(“Service”) offered by CenturyLink. This SG is subject to and incorporated into the Agreement and the CenturyLink TS Service Exhibit including the Security Service Schedule between the parties. The specific details of the Service ordered by Customer will be identified on the relevant Service Order. For avoidance of doubt, any references in the Agreement, Schedule, or Service Orders to SSG, shall mean SG. CenturyLink will provide the service with service level targets only; no service level agreement applies to this Service.

 

1. Service Description

The File Integrity Monitoring Service monitors certain Customer designated files and directories and is designed to alert unexpected changes to those files and directories. The Service consists of the installation of a CenturyLink provided software agent (“FIM agent”), as well as the configuration, administration, monitoring, and maintenance and support of that agent. The FIM agent is installed on a CenturyLink managed host with supported operating systems associated with any of the CenturyLink managed hosting products listed below. “Host” refers to the server or compute infrastructure and its operating system.

 

CenturyLink managed hosting products:

  • Managed Server 1.0
  • Custom Managed Server 1.0
  • Virtual Intelligent Hosting Node
  • Custom Virtual Intelligent Hosting Node
  • Virtual Intelligent Hosting Instance

 

1.1 Installation

  • CenturyLink will host a pre-installation phone call to gather information and collaboratively define policy templates of file systems and directories that will be monitored.
  • In addition to operating system files and directories, the Service will support monitoring for up to two Customer-defined applications.
  • CenturyLink will remotely install the FIM agent on the supported host with sufficient privilege to scan all identified files and directories. In practice, this means root on UNIX systems and SYSTEM on Windows systems.
  • The installation of the FIM agent may have an impact on the performance (e.g. speed, CPU cycles, memory, etc.) of other applications operating on the host.

 

1.2 Configuration

  • Configuration of policies consists of:
    • Files and directories to be monitored
    • Scan intervals
    • Notification policy described in more detail below
  • The default scanning interval is once per 24-hour period and may be modified upon request, as specified in the Change Control section.
  • Up to two scan interval polices can be defined per host
  • Monthly recurring charges will commence upon the earlier of mutual agreement that policies are configured or 30 days following configuration.

 

1.3 Administration

  • Within 30 days following successful configuration and upon Customer request, CenturyLink will conduct a follow-on one-hour phone meeting with Customer to review policy configurations and modify if necessary.
  • Completing Customer change requests:
    • to add and/or delete scanned files and directories
    • to tune alerts
  • CenturyLink will maintain current supported versions of the FIM agent (and subsequent updates) as well as the supporting infrastructure (e.g. the management console, customer portal, etc.) that administers the FIM agent.

 

1.4 Monitoring

  • The Service will monitor changes to the scanned files and directories, per policy.
  • Changes to the files and directories monitored by the Service will generate an “event”, which is a violation (or change) to the monitored file. Such events are represented in a change report.
  • Reporting provided as part of the Service is available via the applicable CenturyLink portal or email:
    • Change report specific to what is collected by the FIM agent (available in CSV formats) per policy.
    • Reports can be generated in various intervals, e.g. 24 hours, one week, or one-month timeframes.
    • Syslog report formats are available by request.
    • Reports will be available for a rolling 90-day period online and are subsequently deleted.
  • The report policies are specific to this Service and do not alter report policies defined by other CenturyLink Service offerings a Customer may purchase.
  • Customer may request investigation of events that are reported.
    • Event investigation by CenturyLink will verify if changes were a CenturyLink initiated change to either a CenturyLink managed operating system or specific CenturyLink managed application being monitored by this Service.
    • CenturyLink will not investigate events on any operating systems or applications that are not CenturyLink managed.
    • CenturyLink reserves the right to deem any requested investigation out of scope. Out of scope investigations may require the purchase of additional services under separate terms and conditions.

 

1.5 Maintenance and Support

  • The Service includes support for Customer inquiries and problem resolution.
  • Passwords:
    • Configuration consistency and change accountability requires that all FIM passwords will be managed by CenturyLink. Customer will not have access to FIM passwords or be able to make direct changes to the FIM configurations.
    • Customer must request changes by first contacting the CenturyLink Response Center.
    • Customer must provide complete log-in credentials to the CenturyLink Response Center when requesting changes. These log-in credentials are the same as those used to log into CenturyLink’s portal.
  • Upgrades:
    • CenturyLink may periodically upgrade the FIM agent on the CenturyLink managed host or the management server to the latest versions. If CenturyLink determines that an upgrade is necessary, CenturyLink will schedule a time to make necessary changes, preferably during the normally scheduled data center maintenance window.
    • Customer will be notified by email or phone at least 10 days in advance of the upgrade.
    • Completion of scheduled upgrades are required or CenturyLink’s obligation to provide this Service will be suspended until Customer grants CenturyLink the access CenturyLink requires to make such changes.
    • If CenturyLink determines that an emergency change is required, CenturyLink will make the change as quickly as possible. CenturyLink will use commercially reasonable efforts to contact the Customer prior to making emergency changes.
  • Customer can request additional support or changes by opening a ticket with CenturyLink using the standard CenturyLink service request process.

 

1.6 Change Control

The Service is highly interdependent with the server operating systems and applications that it protects and upon which they reside and require a high degree of communication, collaboration, and change management between Customer and CenturyLink technical staffs.

CenturyLink will perform up to two change requests per month for the Customer. Additional changes may incur additional fees.

 

2. Customer Responsibilities

Customer acknowledges and agrees that its failure to perform its obligations set forth in this Service Guide or the Agreement may result in CenturyLink’s inability to perform the Services and CenturyLink shall not be liable for any failure to perform in the event Customer does not fulfill Customer’s responsibilities and requirements and in the event of Customer’s errors or omissions in setting up the required environment.

CenturyLink assumes no responsibility whatsoever for any damage to, loss, corruption or destruction of, or unauthorized disclosure of any of Customer’s hardware, software, files, data, information or peripherals, including any damages or losses which may result from Customer’s use of Service or Customer’s errors or omissions as noted herein. CenturyLink’s obligations related to Customer Data are exclusively governed by the Security and Compliance section of the TS Service Exhibit.

  • Customer must designate and maintain a Customer Contact during the service term and any applicable renewal term (including current contact information). “Customer Contact” means an English-speaking technical point of contact, available 24x7, with sufficient knowledge, authority and access to address configuration issues, event notifications, system or infrastructure modifications and authentication of applicable systems.
  • Customer will not have access to system passwords or be able to make changes to the system configurations and must instead submit change requests to CenturyLink.
  • In the event that Customer does own system passwords, Customer shall provide CenturyLink with necessary privileges and access to allow CenturyLink to install, configure, monitor and modify the Service.
  • Customer must not attempt or instruct, or allow others to attempt any testing, assessment, circumvention or other evaluation or interference with any Service without the prior written consent of CenturyLink.
  • Customer must notify CenturyLink at least 5 business days in advance of any changes that may affect the applicable Service (e.g., infrastructure, network topology changes).
  • Customer shall provide CenturyLink with access to a staging environment that matches production configuration to test configuration stability for use by CenturyLink prior to software changes, if Customer desires such testing. A successful test on the staging system does not guarantee that it will work on the production system.
  • If any third-party software, including any corresponding documentation, is provided to Customer by CenturyLink in connection with the Service, Customer agrees to use such third-party software strictly in accordance with all applicable licensing terms and conditions. CenturyLink makes no representations or warranties whatsoever with regard to such third-party software.
  • There may be incompatibilities between the Service and particular Customer environments which cannot be resolved. In such cases, CenturyLink reserves the right to withdraw the Service from those particular environments, but only to the extent necessary to resolve the incompatibility and without modifying either party’s obligations with regard to unaffected environments.
  • The agent must run with sufficient privilege to scan all identified files and directories. In practice, this means root on UNIX systems and SYSTEM on Windows systems.
  • Customer is required to notify CenturyLink of changes to the host. Failure to notify CenturyLink of changes will result in the Customer being billed for time and materials including, but not limited to, travel expenses, to resolve any Service-related issues associated with the change.
  • CenturyLink’s ability to provide the Service is dependent on the information provided by the Customer, the state of the Customer’s systems, and the level of security requested by the Customer. CenturyLink makes no guarantee that all security issues or weaknesses will be identified. Rather, CenturyLink’s efforts represent a limited assessment of the Customer’s system at a particular point in time.
  • The Customer acknowledges that there may be incompatibilities with the agent and the host which cannot be resolved, resulting in a service order change to remove the host from the Service.
  • Customer acknowledges they may incur additional charges if:
    • Customer impairs the Service;
    • If a Service requires reconfiguration or retuning for any reason, including reducing false positives and nuisance alerts, CenturyLink will contact Customer, if necessary, to schedule the activity (typically during normal maintenance windows) and Customer agrees to cooperate with CenturyLink to schedule such activity.
    • If CenturyLink determines that an emergency security change is required, CenturyLink will make the changes deemed necessary as soon as reasonably possible and will notify the Customer of the changes as soon as practicable.
  • Neither Customer nor its representatives shall attempt in any way to circumvent or otherwise interfere with any security precautions or measures of CenturyLink relating to the Service or any other CenturyLink equipment.
  • Customer acknowledges and agrees that it is solely responsible for selecting and ensuring its software and systems are up to date and supportable.
  • Customer consents to CenturyLink’s and its affiliates or subcontractors’ use and transfer to the United States, or other countries, information (including Customer Contact information such as names, phone numbers, addresses and/or email addresses) of the Customer for the sole purpose of: (i) fulfilling its obligations under the Agreement; and (ii) providing information to Customer about CenturyLink’s products and services. Customer represents that it will ensure that all information provided to CenturyLink is accurate at all times and that any business contact has consented to CenturyLink’s processing of such information for the purposes identified herein.
  • Customer consents to CenturyLink collecting and compiling system and security event log data to determine trends and threat intelligence. CenturyLink may associate this security event log data with similar data of other Customers so long as such data is merged in a manner that will not in any way reveal the data as being attributable to any specific Customer.
  • Customer is responsible for returning all hardware, software and any related components to CenturyLink upon expiration or termination of the Service.

 

3. Response Time Objectives

CenturyLink’s objective for response time notification for this Service is defined as follows:

 

Response Event Response Time Objective & Procedure
Service Configuration and Policy Change Request CenturyLink will complete configuration and policy change requests within 48 hours.
Event investigation CenturyLink will respond to a request for Event investigation within 4 hours if by email and 6 hours if by the portal.

 

CenturyLink’s objectives to meet stated Response Times will not apply to:

  • any problem caused by or associated with the Customer’s failure to meet specified Customer Responsibilities and Requirements in this Service Guide or the Agreement.
  • underlying Internet access service
  • any security tests