EX-99.(I)(3) 3 d662976dex99i3.htm AMENDMENT TO THE MASTER SERVICES AGREEMENT Amendment to the Master Services Agreement

Amendment to Master Services Agreement

THIS AMENDMENT (the “Amendment”) to the Master Services Agreement dated as of November 3, 2010, as amended (the “Master Agreement” and together with the Exhibits thereto entered into thereunder, the “Agreement”), by and among, on the one hand, Infosys Limited (formerly known as Infosys Technologies Limited), an Indian corporation (“Infosys”), Infosys BPM Limited (formerly known as Infosys BPO Limited), an Indian corporation (“Infosys BPM”), and Infosys McCamish Systems LLC, a Georgia limited liability company (“McCamish”) (Infosys, Infosys BPM and McCamish being jointly or severally referred to as the “Supplier”), and, on the other hand, Teachers Insurance and Annuity Association of America, a New York corporation (the “Customer”), is entered into as of August 1, 2018 (the “Amendment Effective Date”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to such terms in Exhibit 1 [Definitions] or elsewhere in the Agreement.

WHEREAS, the Customer has engaged the Supplier to perform certain information technology and business process services pursuant to the Master Agreement and Statements of Work thereunder; and

WHEREAS, the Parties wish to extend the Term of the Agreement and to amend certain terms as set forth in this Amendment;

NOW THEREFORE, in consideration of the foregoing and the on-going mutual rights and obligations set forth in the Agreement as amended hereby, the Parties agree as follows:

 

1. Term of Agreement (Section 1.3 of the Master Agreement). The Term of the Agreement is hereby extended for sixty (60) months, so that Section 1.3 is amended to read as follows (modified language in italics):

“The term of the Agreement will begin as of the Effective Date and will expire on July 31, 2023 (sixty (60) full calendar months after this Amendment Effective Date), (the “Term”), unless earlier terminated in accordance with the provisions of the Agreement or extended pursuant to Section 1.4. However, in the event performance of Services under any SOW hereunder goes beyond the Term of the Agreement, this Agreement shall continue to be in full force and effect specifically for the purpose of such SOW. The SOW Term of each Statement of Work shall be set forth in each such Statement of Work. The Customer will remain responsible for the performance of the Services from the Effective Date to the Commencement Date(s), and the Supplier will provide assistance to the Customer in managing the delivery of the Services during that period.”

2. Extension of Services (Section 1.4 of the Master Agreement). The Customer shall continue to have the option to extend the Agreement and Services for up to two (2) twelve (12)-month Extension Periods pursuant to Section 1.4 (unmodified):

“The Customer may at its option request and the Supplier shall extend the provision of the Services including the Termination/Expiration Assistance for up to twelve (12) full calendar months (“Extension Period”) upon not less than ninety (90) days prior written notice before the scheduled termination or expiration of the provision of the Services including the Termination/Expiration Assistance, or if applicable, notice given at the time of the Customer’s delivery of any notice of termination for any reason by either Party. The Customer may, at its option, request and subject to an agreement on the revised Fees that shall apply during the Extension Period, the Supplier shall extend the provision of the Services for up to two (2) Extension Periods. Unless otherwise specified in a Statement of Work, the Parties shall mutually agree on the pricing terms and conditions that will apply during each Extension Period no later than six (6) months prior to the then-scheduled expiration date of the Agreement, or such later date as mutually agreed.”

3. Benchmarking (Section 9.5 of the Master Agreement). Section 9.5 of the Master Agreement is hereby deleted in its entirety.

4. Intellectual Property Rights (Sections 10.1-10.2 of the Master Agreement).

4.1 Supplier Materials (Section 10.1 of the Master Agreement). The following new Section 10.1.5 is hereby added to Section 10.1:

“For purposes of clarity, and notwithstanding anything to the contrary in this Section 10 or elsewhere in the Agreement, the Supplier hereby grants to the members of the Customer Group a worldwide, non-exclusive, non-transferable, license to use, modify, enhance and prepare Derivative Works of the Operational Data Store and components thereof that Supplier has developed or hereinafter develops specifically for Customer under the Agreement and which resides behind the Customer’s firewall in the Customer’s IT environment (hereinafter collectively referred to as the “ODS”), and other Deliverables that Supplier has developed or hereinafter develops specifically for Customer under the Agreement (hereinafter, “Custom Deliverables”), and any Derivative Works thereof, during the SOW Term. Further, notwithstanding any other provision of the Agreement to the contrary, to the extent the ODS (or component thereof) or any Custom Deliverable (as such terms are defined above) incorporates any pre-existing proprietary information, know-how, ideas, concepts or other intellectual property of the Supplier (“Incorporated Supplier IP”), the Supplier hereby grants to the members of the Customer Group a worldwide, non-exclusive, non-transferable, license to use, modify, enhance and prepare Derivative Works of such Incorporated Supplier IP solely in connection with their use and support of the ODS or such Custom Deliverable, as the case may be, for the purposes of the Customer Business during the SOW Term. The foregoing licenses shall include the right to allow third parties to access the ODS, Custom Deliverables and the Incorporated Supplier IP solely to provide services to the Customer Group, so long as any such third party is subject to obligations of confidentiality, non-disclosure and other restrictive covenants at least as restrictive and extensive in scope as those set forth in Article 11. 
For purposes of clarity, neither the Customer Group nor any third party providing services to the Customer Group shall have any right to use the Incorporated Supplier IP on a stand-alone basis separate and apart from the ODS or Custom Deliverable, as the case may be.”

 

5. Termination/Expiration Assistance (Section 12.3 of the Master Agreement). The following new Section 12.3.6 is hereby added at the conclusion of Section 12.3:

“In addition to its other responsibilities as set forth in this Section 12.3 and/or in the applicable Statement of Work, upon the termination or expiration of the Agreement or applicable Statement of Work, the Supplier shall, upon the Customer’s request, map and migrate the Customer Data in its possession and control to a data model as mutually agreed based on ACORD’s data standards for the insurance industry. The Supplier shall be entitled to charge the Customer for such efforts at the rates then in effect under the Agreement or for such charges as otherwise set forth in the applicable Statement of Work or mutually agreed by the Parties. In addition, upon the termination or expiration of the Agreement or applicable Statement of Work, Customer may elect to pay Supplier $400,000 to obtain a perpetual license (to be executed in a separate licensing agreement at the time of termination or expiration) to the ODS and the Incorporated Supplier IP incorporated into the ODS (or any component thereof) (as such terms are defined in Section 10.1.5 above), and pay an additional amount as mutually agreed for any additional licenses to the Custom Deliverables and other Supplier Materials as necessary for Customer to continue accessing, using and supporting the ODS and such Custom Deliverables and to enable the transition and support of services formerly performed by the Supplier. The foregoing license to the ODS and Incorporated Supplier IP shall be subject to the same rights and restrictions set forth in Section 10.1.5, except that the license shall be perpetual instead of being limited to the SOW Term.”

6. Insurance (Section 15.1.9). The following provision is added to Section 15.1.9 as new clause 15.1.9 (xiv):

“To the extent that Supplier is performing Services outside of the United States, Supplier shall comply with all insurance statutes and regulations in the country where the Services are being provided and shall provide Customer with equivalent evidence of coverage as required pursuant to Section 15.1.9 (ix).”

7. Rate Card Adjustments (Section 3.1 and Attachment 3-A of Exhibit 3 [Pricing and Financials]). As set forth in Section 3.1 of Exhibit 3 [Pricing and Financials] (as amended on June 1, 2015), the rates set forth in the Rate Cards included in Attachment 3-A [Rate Cards] (as amended on June 1, 2015) for Infosys, Infosys BPM and McCamish shall continue to apply, without adjustment, throughout the Term as extended hereby.

8. Business Continuity and Disaster Recovery Plans (Annexes 1-3 of Exhibit 5 [Business Continuity and Disaster Recovery Plans]). The terms and conditions and requirements of Exhibit 5 remain in full force and effect and unmodified hereby; however, the actual Business Continuity and Disaster Recovery Plans for Infosys McCamish originally set forth in Annexes 1, 2 and 3, respectively, of Exhibit 5 are hereby deleted. Updated Plans for Infosys McCamish have been made available to TIAA, and shall continue to be made available to TIAA, in accordance with Exhibit 5.

9. Policies (Exhibit 6 [Policies]). The Information Security Program Commitments set forth in Annex 1 of Exhibit 6 are hereby replaced with the updated Information Security Requirements attached hereto, and the Incident Management/Service Level Agreement Requirements Policy attached hereto is hereby added as Annex 5 of Exhibit 6, and such updated Policies are hereby incorporated into and made a part of the Agreement as of the Amendment Effective Date. The Background Screening Requirements, Code of Business Conduct and Travel Policy set forth in Annexes 2, 3 and 4, respectively, of Exhibit 6 remain in effect.

10. Business Associate Addendum (Section 11.6.9 and Exhibit 10 [Form of BAA] of the Master Agreement). Section 11.6.9 of the Master Agreement and the form of Business Associate Addendum (“BAA”) set forth in Exhibit 10 are hereby deleted in their entirety as of the Amendment Effective Date.

11. Use of Subcontractors (Section 8.5). The following provision is added to Section 8.5 as new clause 8.5.4:

“Supplier Personnel will work out of TIAA’s premises in Charlotte, NC (referred to as “TIAA Onsite”) and Supplier’s premises in Atlanta, GA (referred to as “Supplier Onsite”), and may (subject to the other provisions of this Section 8.5.4) sub-contract offshore effort to its group companies (Infosys Ltd. and its Affiliates) working out of Infosys locations in India (referred to as “Offshore”). Notwithstanding the foregoing, Supplier acknowledges and agrees that for any Services not provided from the Onsite Locations (TIAA Onsite and/or Supplier Onsite), such Services may only be provided from a location that has been approved in advance by TIAA Information Security and Corporate Security groups.

TIAA Onsite Location
8625 Andrew Carnegie Boulevard
Charlotte, NC 28262

Supplier Onsite Location
6425 Powers Ferry Road, NW
Atlanta, Georgia 30339

Offshore Locations
Survey No. 210, Manikonda Village, Lingampally, RangaReddy (Dist), Hyderabad – 500019

SEZ Survey No. 41(pt)50 (pt), Pocharam Village, Singapore Township PO, Ghatkesar Mandal, Rangareddy District

Infosys BPM Limited
Plot No. 1, Building No. 4, Rajiv Gandhi InfoTech Park, Post Hinjewadi, Taluka Mulshi, Pune – 411057, India”

Except as modified hereby, the terms and provisions of the Agreement remain unchanged and in full force and effect.

IN WITNESS WHEREOF, the Parties have executed this Amendment to the Master Agreement by their undersigned, duly authorized officers as of the Amendment Effective Date:

 

Infosys Ltd.
Name:
Signature:
Title:
Date: ________, 201_

Infosys BPM Ltd.
Name:
Signature:
Title:
Date: ________, 201_

Teachers Insurance and Annuity Association of America
Name:
Signature:
Title:
Date: August 6, 2018

Infosys McCamish Systems LLC
Name:
Signature:
Title:
Date: ________, 201_

Attachments to Amendment to Master Services Agreement

 

   

Annexes 1 & 5 of Exhibit 6 [Policies]

Exhibit 6

Updated Annexes 1 & 5

As of the Amendment Effective Date, Annex 1 (Information Security Program Commitments) of Exhibit 6 is replaced by the Information Security Requirements attached hereto, and the Incident Management/Service Level Agreement Requirements Policy attached hereto is added as Annex 5 of Exhibit 6.



Annex 1 (Information Security Requirements)

 

Supplier’s Written Information Security Program (“WISP”) shall be demonstrated during annual Audits by TIAA. Supplier’s WISP shall address, at a minimum, all security requirements as listed in this Annex 1. Where amendments made by TIAA to Annex 1 are not considered an industry standard or a regulatory requirement, they may carry an additional cost; at such additional cost to TIAA, Supplier shall make commercially reasonable modifications to its WISP or to its data security controls in order to conform to the requirements set forth in this Annex 1, and TIAA reserves the right, in its sole discretion, to terminate Supplier’s access to PII and HCI until such time as Supplier has made such modifications to its WISP or data security controls.

All capitalized terms used in this Annex 1 that are not defined herein shall have the meanings assigned elsewhere in this Agreement. For purposes hereof, “HCI” (or “Highly Classified Information”) shall mean non-public information that, if disclosed in violation of the terms of the Agreement, could have a material adverse impact to TIAA’s business or operations, including, but not limited to, (i) material non-public information about TIAA’s business, finances or operations; (ii) authentication data, such as PINs or passwords; (iii) cryptographic keying material, with the exception of public keys; (iv) information related to an information security incident; or (v) other Confidential Information that TIAA classifies as HCI in accordance with TIAA’s data classification policies.

Written Information Security Program Commitments

Supplier shall notify TIAA of any planned system configuration changes or other changes affecting the WISP and shall set forth in detail how such changes will impact TIAA PII and/or HCI.

At the cost of the Supplier, Supplier shall periodically perform penetration testing, not more than once a year, which may include the use of automated scans and manual testing reasonably acceptable to Supplier. Supplier may, in its discretion, request that testing be conducted by a third party. The scope and methodology shall, at a minimum, include the date the original test was performed, the name of the company that performed the test if a third party was used, the scope of the test and the count of issues identified by criticality.

Subject to the terms of this Agreement and the Schedules attached thereto, Supplier will use commercially reasonable efforts to prevent the unintended or malicious loss, destruction or alteration of TIAA’s files containing PII and/or HCI and other information received and held by Supplier pursuant to the Services provided under this Agreement. If Supplier will be the “system of record” in the provision of Services under this Agreement or if otherwise instructed by TIAA, Supplier shall maintain back-up files (including off-site back-up copies) thereof and of resultant output to facilitate their reconstruction in the case of such loss, destruction or alteration, in order to ensure uninterrupted Services in accordance with the terms of this Agreement, its Schedules, and Supplier’s business continuity Plans. Supplier shall be deemed the “system of record” if the PII and/or HCI is generated by Supplier or Supplier Personnel as part of the Services and not PII and/or HCI that is provided by TIAA to Supplier pursuant to this Agreement.

Detection

Supplier shall monitor its system and its procedures for security breaches, violations and suspicious (questionable) activity. This includes suspicious external activity (including, without limitation, unauthorized probes, scans or break-in attempts) and suspicious internal activity (including, without limitation, unauthorized system administrator access, unauthorized changes to its system or network, system or network misuse or theft or mishandling of PII and/or HCI). Supplier shall notify TIAA promptly (but no later than 24 hours after it is identified by Supplier) of any security breaches, including, without limitation, service attacks (e.g., denial of service attacks) that cause material performance issues or unauthorized access. Supplier will maintain appropriate security logs of all activities affecting security or integrity of TIAA PII or HCI. Supplier’s information security liaison shall validate that any security weakness or incident has been addressed.
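The Detection clause above names two classes of activity the Supplier must watch for (external probes and scans; unauthorized administrator access) and fixes a 24-hour notification window. The following is an added example, not part of the Amendment or any TIAA or Infosys system, showing how a supplier-side monitor might turn those obligations into concrete checks. The log format, the field names, the port-count threshold, the one-minute window and the approved-administrator list are all assumptions made for the example; the log lines are constructed.

```python
"""Added example (not part of the Amendment): a small detector for two of the
activities the Detection clause names, run over a constructed log.

Assumed (hypothetical) log format, one event per line:
    <ISO-8601 timestamp> <kind> key=value ...
  kind "conn":  src=<ip> dst=<ip> dport=<port> action=<allow|deny>
  kind "admin": user=<name> host=<name> action=<sudo|su|login>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 24-hour notification window taken from the Detection clause.
NOTIFY_WITHIN = timedelta(hours=24)

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-08-06T10:00:01Z conn src=203.0.113.7 dst=10.0.0.5 dport=22 action=deny
2018-08-06T10:00:02Z conn src=203.0.113.7 dst=10.0.0.5 dport=23 action=deny
2018-08-06T10:00:02Z conn src=198.51.100.9 dst=10.0.0.5 dport=443 action=allow
2018-08-06T10:00:03Z conn src=203.0.113.7 dst=10.0.0.5 dport=80 action=deny
2018-08-06T10:00:04Z conn src=203.0.113.7 dst=10.0.0.5 dport=443 action=allow
2018-08-06T10:00:05Z conn src=203.0.113.7 dst=10.0.0.5 dport=445 action=deny
2018-08-06T10:00:06Z conn src=203.0.113.7 dst=10.0.0.5 dport=3389 action=deny
2018-08-06T10:02:00Z admin user=alice host=db01 action=sudo
2018-08-06T10:05:00Z admin user=svc-backup host=db01 action=sudo
"""


def parse_line(line):
    """Parse one event line into a dict with a datetime under 'ts'."""
    ts_str, kind, *rest = line.split()
    fields = dict(item.split("=", 1) for item in rest)
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind, **fields}


def _alert(kind, subject, detected_at):
    # notify_by records the contractual deadline for telling the customer.
    return {"type": kind, "subject": subject,
            "detected_at": detected_at, "notify_by": detected_at + NOTIFY_WITHIN}


def detect(lines, approved_admins, port_threshold=5, window=timedelta(minutes=1)):
    """Return alerts for (a) one source touching many distinct ports on one
    destination inside `window` (an external probe/scan) and (b) privileged
    activity by a user outside the approved administrator list."""
    alerts = []
    probes = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["kind"] == "conn":
            probes[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))
        elif ev["kind"] == "admin" and ev["user"] not in approved_admins:
            alerts.append(_alert("unauthorized_admin_activity",
                                 f"user={ev['user']} host={ev['host']} action={ev['action']}",
                                 ev["ts"]))
    for (src, dst), hits in probes.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= port_threshold:
                alerts.append(_alert("external_probe",
                                     f"src={src} dst={dst} distinct_ports={len(ports)}", start))
                break  # one alert per source/destination pair is enough
    alerts.sort(key=lambda a: a["detected_at"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), approved_admins={"alice"}):
        print(alert)
```

Run against the constructed log, the detector raises one probe alert for 203.0.113.7 (six distinct ports within a few seconds) and one unauthorized-admin alert for svc-backup; the two benign connections from 198.51.100.9 and alice's approved sudo produce nothing. The `notify_by` field is what a liaison would track against the clause's 24-hour deadline.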

 

Once a year, unless Supplier has a breach involving TIAA data, Supplier shall allow TIAA or a TIAA Representative to visually inspect the physical system equipment, operational environment and PII or HCI handling procedures in the course of an Information Security Audit. Supplier shall obtain permission of all Subcontractors that are part of or support Supplier’s Services for TIAA to conduct the same inspection at such Subcontractors.

Supplier acknowledges and agrees that records of system activity and of PII or HCI handling may be evidence (subject to appropriate chain of custody procedures) in the event of a security breach or other inappropriate activity involving TIAA data. Upon TIAA’s request, and at TIAA’s expense, Supplier shall deliver copies of such records to TIAA (after removing the Supplier proprietary and other Client confidential information) for use in any legal or regulatory proceeding or in any governmental investigation.

Response

Supplier shall notify TIAA, through TIAA’s Information Technology Security Hot Line (866-800-0012 or SecHotline@tiaa.org), or the TIAA Threat and Vulnerability Management Team (“TVM”), in the event of a breach of security and shall cooperate fully with all TIAA security investigation activities.

Supplier shall monitor industry-standard information channels for newly identified system vulnerabilities regarding the technologies and Services provided to TIAA and fix or patch any identified security problem in an adequate and timely manner. Unless otherwise expressly agreed in writing, “timely” shall mean that Supplier shall introduce such fix or patch as soon as commercially reasonable after Supplier becomes aware of the security problem. This obligation extends to all devices that comprise Supplier’s system, e.g., application software, databases, servers, firewalls, routers and switches, hubs, etc., and to all of Supplier’s other practices for handling PII or HCI.

Information Supplier Shall Provide

At TIAA’s request, Supplier shall meet with TIAA’s Information Security team at times and locations mutually agreed to by the Parties to discuss information security issues in greater detail.

Written Information Security Program Features

In addition to any other requirements set forth in this Agreement, and in particular any requirements otherwise set forth in this Schedule, Supplier’s WISP shall include, but shall not be limited to, the following:

(1).  Supplier shall name an information security liaison (and a backup information security liaison) to be available to TIAA’s Information Security department to review data security policy requirements, standards, practices, and security incident responses as set forth herein. If this liaison is not responsible for maintaining the WISP, Supplier shall designate one or more employees to maintain the WISP;

(2).  Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing PII or HCI, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: a) ongoing Supplier and Supplier Personnel training; and b) means for detecting and preventing security system failures.

(3).  Developing security policies for Supplier and Supplier Personnel that prevent Supplier and Supplier Personnel from storing, accessing or transporting records containing PII or HCI outside of business premises.

 

(4).  Imposing disciplinary measures for violations of the WISP rules.

(5).  Preventing involuntarily terminated Supplier employees and Supplier Personnel from accessing records containing PII or HCI by immediately terminating their physical and electronic access to such records and for voluntary terminations, revoking access within reasonable timeframe, but not more than 24 hours from their last working day, including deactivating their passwords and user names.

(6).  Taking all reasonable steps to verify that any third-party service provider with access to PII or HCI has the capacity to protect such PII or HCI in the manner provided for herein; and taking all reasonable steps to ensure that such third party service provider is applying PII or HCI protective security measures at least as stringent as those required hereunder.

(7).  Limiting the amount of PII or HCI collected to that reasonably necessary to accomplish the Services; limiting the time such information is retained to that reasonably necessary to perform the Services; and limiting access to those persons who are reasonably required to access or handle the PII or HCI in order to perform the Services.

(8).  Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store PII or HCI, to determine which records contain PII or HCI, except where the WISP provides for the handling of all records as if they all contained PII or HCI.

(9).  Reasonable restrictions upon physical access to records containing PII or HCI, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers.

(10).  Regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PII or HCI; and upgrading information safeguards as necessary to limit risks.

(11).  Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing PII or HCI.

(12).  Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of PII or HCI.

Computer System Security Requirements

1. If Supplier or Supplier Personnel electronically stores or transmits PII or HCI, its written WISP shall include the establishment and maintenance of a security system covering its computers, including any wireless system that, at a minimum, shall have the following elements:

A. Secure user authentication protocols including:

(i) control of user IDs and other identifiers;

(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(iv) restricting access to active users and active user accounts only; and

(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

B. Secure access control measures that:

(i) restrict access to records and files containing PII or HCI to only those Supplier Personnel who need such information to perform the Services; and

(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

C. To the extent technically feasible, encryption of all transmitted records and files containing PII or HCI that will travel across public networks, and encryption of all data containing PII or HCI in use, in motion, and at rest. Encryption at rest will be at an additional cost.

D. Reasonable monitoring of systems, for unauthorized use of or access to PII or HCI;

E. No PII or HCI data shall be stored on laptops or other portable devices;

F. For files containing PII or HCI on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the PII or HCI.

G. Up-to-date versions of system security agent software which must include malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

H. Education and training of Supplier employees and Supplier Personnel on the proper use of the computer security system and the importance of PII or HCI security.

I. Supplier shall use generally accepted security management controls to ensure that none of Supplier’s other clients have access to PII or HCI.

J. Supplier shall maintain software, hardware, intrusion detection system, personnel and other resources to ascertain whether a penetration attempt is being made against any part of Supplier’s network, mainframe, server or other infrastructure or facilities used by Supplier to process, store or transport PII or HCI. Supplier will immediately notify the Customer Information Security department of any unauthorized disclosure, misuse, alteration or destruction of or access to PII or HCI and promptly implement appropriate internal technical and procedural controls as reasonably required under the circumstances to prevent such intrusions.

K. Storage, access, transmission or use of PII or HCI from a location outside the United States must be conducted from a secure workspace approved in writing in advance by TIAA. The secure workspace shall meet, at a minimum, the requirements set forth in the “Secure Workspace Requirements” section of this Annex 1.
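Elements A(i)-(v) and B(ii) above describe an authentication gate without saying how to build one. The following is an added example, not part of the Amendment or any Supplier system, of a minimal gate that satisfies them: user IDs must be unique, vendor default passwords are refused, credentials are stored only as salted PBKDF2 hashes (so the stored form does not compromise the data it protects), only active accounts may log in, and an account locks after repeated failures. The lockout threshold of five, the PBKDF2 work factor and the vendor-default blocklist are assumptions chosen for the example; the Annex prescribes none of them.

```python
"""Added example (not part of the Amendment): an authentication gate that
enforces the Secure User Authentication (A) and Access Control (B) elements.
Threshold, blocklist and hashing parameters are assumptions for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # assumed lockout threshold, per A(v)
PBKDF2_ITERATIONS = 100_000      # assumed work factor for password hashing
# Constructed blocklist standing in for a supplier's real vendor-default list.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default"}


def is_vendor_default(password: str) -> bool:
    """B(ii): vendor-supplied default passwords may not be assigned."""
    return password.strip().lower() in VENDOR_DEFAULT_PASSWORDS


def _derive(password: str, salt: bytes) -> bytes:
    # A(iii): only a salted, slow hash is ever stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


class AuthStore:
    def __init__(self):
        self._accounts = {}
        # Used for unknown users so their timing resembles a real lookup.
        self._dummy_salt = secrets.token_bytes(16)

    def create(self, user_id: str, password: str, active: bool = True) -> None:
        if user_id in self._accounts:
            raise ValueError("user ID must be unique")            # A(i), B(ii)
        if is_vendor_default(password):
            raise ValueError("vendor default passwords are not permitted")
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = Account(user_id, salt, _derive(password, salt), active)

    def deactivate(self, user_id: str) -> None:
        """A(iv): leavers keep their record but can no longer authenticate."""
        self._accounts[user_id].active = False

    def unlock(self, user_id: str) -> None:
        """Administrative reset after a lockout has been reviewed."""
        acct = self._accounts[user_id]
        acct.locked, acct.failed_attempts = False, 0

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals which rule failed."""
        acct = self._accounts.get(user_id)
        if acct is None:
            _derive(password, self._dummy_salt)
            return "denied"
        if not acct.active:
            return "denied"                                       # A(iv)
        if acct.locked:
            return "locked"                                       # A(v)
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                                    # A(v)
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.create("u1", "correct horse battery staple")
    print(store.authenticate("u1", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.authenticate("u1", "wrong"))                      # denied ... locked
```

The gate returns the same "denied" for an unknown user, a wrong password and an inactive account, and performs a hash derivation even for unknown users, so a caller cannot easily tell which condition applied. A lockout is cleared only by an explicit administrative `unlock`, which is the point at which the liaison named in item (1) of the WISP features would review the attempts.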

INFORMATION DESTRUCTION REQUIREMENTS

Overall Requirements

Supplier shall destroy all PII and HCI at TIAA’s request or after it is no longer needed but in any event, upon termination of this Agreement. Upon termination of the Agreement all data will be deleted in the platform without any segregation at no cost. However, a copy of the data will be extracted and returned to TIAA before deletion at TIAA’s cost upon termination but in any event, upon termination of this Agreement. Supplier must develop information destruction processes that meet industry standards and must be used in all cases when PII or HCI is no longer needed. These information destruction requirements are to be applied to paper, microfiche, disks, disk drives, tape and other destroyable electronic or digital media containing PII or HCI.

Paper and Other Shreddable Media

Paper and other shreddable media includes paper, microfiche, microfilm, compact disks (CDs) and any other media that can be shredded. This media must be shredded at TIAA’s request or when Supplier is finished with the PII or HCI contained thereon but in any event, upon termination of this Agreement. This media may be shredded immediately or temporarily stored in a highly secured, locked container. The media may be shredded at a location other than Supplier’s facilities; however it must be transferred in a highly secured, locked container. Supplier is responsible for supervising the shredding regardless of where the shredding activity occurs and by whom the shredding is performed. PII or HCI in this media must be completely destroyed by shredding such that the results are not readable or useable for any purpose.

Electronic Media

Electronic media includes, but is not limited to, disk drives, diskettes, tapes, universal serial bus (USB) and other media that is used for electronic recording and storage. This media is to be wiped or degaussed using an industry known degaussing tool. Wiping uses a program that repeatedly writes data to the media and thereby destroys the original content. Degaussing produces an electronic field that electronically eliminates the original data and clears the media. The resulting media must be free from any machine or computer content readable for any purpose.
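The paragraph above describes wiping as a program that repeatedly writes over the media. The following is an added example, not part of the Amendment, of a file-level overwrite routine of that kind, with a constructed demonstration that checks a marker string is no longer readable afterwards. The pass count, the choice of random data followed by a final zero pass, and the demonstration file are assumptions for the example.

```python
"""Added example (not part of the Amendment): multi-pass overwrite of a file,
followed by a constructed check that the original content is gone."""
import os
import secrets
import tempfile


def wipe_file(path: str, passes: int = 3, chunk: int = 1 << 16, remove: bool = True) -> int:
    """Overwrite `path` in place `passes` times, syncing each pass to disk.
    Random bytes are written on every pass but the last, which writes zeros
    so a later inspection shows an obviously blank file. Returns the number
    of passes performed."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache to have reached the medium
    if remove:
        os.remove(path)
    return passes


def demo():
    """Constructed demonstration: write a file holding a marker string, wipe it
    without removing it, and report (marker present before, marker present
    after, file exists after cleanup)."""
    marker = b"CONSTRUCTED-SAMPLE-PII-RECORD;"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 5000)  # ~150 KB, so the chunk loop runs more than once
    with open(path, "rb") as f:
        before = marker in f.read()
    wipe_file(path, passes=3, remove=False)
    with open(path, "rb") as f:
        data = f.read()
    after = marker in data
    all_zero = data == b"\x00" * len(data)
    os.remove(path)
    return before, after, all_zero, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

A caveat a practitioner would add when mapping this to the Annex: overwriting only sanitises media where an in-place write actually reaches the blocks that held the data. Solid-state drives with wear levelling, copy-on-write or snapshotting file systems, and backups or replicas keep old copies that this routine never touches, which is why the Annex also allows degaussing and why NIST SP 800-88 treats purge (cryptographic erase, degaussing) and physical destruction as the methods of choice for such media.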

Certification

These processes must be documented as a procedure by Supplier and should outline the techniques and methods to be used. The procedure must also indicate when and where PII or HCI is to be destroyed. Supplier shall keep records of all PII or HCI destruction completed and provide such records to TIAA upon demand or, in TIAA’s discretion, provide a certification by an officer of Supplier that all such information has been destroyed in accordance with this Information Destruction Section.

SECURE WORKSPACE REQUIREMENTS

(Applicable only for Operations area handling customer data)

 

1. Card key access or equivalent must be implemented for the Shared Secure Workspace.

2. All third parties entering the Shared Secure Workspace are issued a visitor badge and are escorted by Supplier resources.

3. Closed Circuit TV (CCTV) camera is installed at all entrance and exit points of the Shared Secure Workspace.

4. Monitoring is configured to detect movement of people and equipment moving in and out of the Shared Secure Workspace.

5. CCTV recordings are stored and available for thirty (30) days.

6. Shared Secure Workspace is built to ensure that there is no visibility into the environment.

7. The entrance door to the shared secure workspace is secured.

8. Windows that are a part of the external building and below eye sight level from the ground are frosted (if the work space is visible externally).

9. All computers in the Shared Secure Workspace are configured so that screen-print/screen capture/cut & paste are disabled while connected to the TIAA network.

10. All computers in the Shared Secure Workspace are configured so that save local or save to a supplier network device is disabled while connected to the TIAA network.

11. All computers in the Shared Secure Workspace are configured so that connection to an external storage device (USB, CD, external drive, printer, etc.) is disabled while connected to the TIAA network.

12. All computers in the Shared Secure Workspace are configured so that printing is disabled while connected to the TIAA network.

13. Computers in the Shared Secure Workspace are configured so that they cannot connect directly to the public internet (i.e. no modem, cable, DSL, wireless while connected to the TIAA network, unless otherwise approved by the TIAA IT Risk & Information Security department).

14. Access to the TIAA network can only be conducted from within the Secure Workspace via the approved VDI.

15. Employees working from home will follow the guidelines defined in Exhibit 6.

 

 

Annex 5 (Incident Management/Service Level Agreement Requirements Policy)

*Proprietary and confidential information intentionally removed*

Incident Management/Service Level Agreement Requirements

Overview and Application of Standards

This Schedule sets forth the TIAA incident management guidelines for Software, Services and infrastructure components that all Suppliers and Supplier Subcontractors must adhere to. Supplier’s Incident Management process must (i) encompass all proposed changes to the defined production environment; (ii) be logged in the TIAA common database; and (iii) meet all current TIAA information security and configuration standards.

The current internal definitions for lead time, notification, type and risk definition, as well as configuration item and approval requirements are consistently applied to Supplier changes in the exact same manner to which they apply to TIAA’s internal operations.

 

A. Systems Availability

B. Monitoring Requirements

Platform   Monitored Conditions Description   Action

C. Incident Management

OperationsRequests@tiaa-cref.org

D. Change Management