EX-4.b.3

EX-4.B.3 2 d949903dex4b3.htm EX-4.B.3 EX-4.b.3

Exhibit 4.b.3

Confidential Materials omitted and filed separately with the

Securities and Exchange Commission. Double asterisks denote omissions.

Agreement Number 02026713.A.034

Amendment

No. 02026713.A.034

Between

Amdocs, Inc.

And

AT&T Services, Inc.

Proprietary Information

The information contained in this Agreement is not for use or disclosure outside AT&T, Supplier, their Affiliates and their third party representatives, except under written agreement by the contracting Parties.

Agreement Number 02026713.A.034

AMENDMENT NO. 34

AGREEMENT NO. 02026713

This Amendment No. 34, effective on the date when signed by the last Party (“Effective Date”), and amending Agreement No. 02026713, is by and between Amdocs, Inc., a Delaware corporation (“Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.

WITNESSETH

WHEREAS, AT&T and Amdocs are parties to that certain Agreement No. 02026713 for Software and Professional Services, dated as of August 7, 2003, (as previously amended, the “Agreement”) and

WHEREAS, AT&T and Supplier now desire to further amend the Agreement;

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree to changes to the Agreement as follows:

1.	Section 3, “AT&T Supplier Information Security Requirements”, of Appendix 8, “AT&T Rules, Supplier Information Security Requirements and Limited Offshore Remote Access”, is deleted in its entirety and replaced with the following:

3. AT&T Supplier Information Security Requirements

AT&T Supplier Information Security Requirements (SISR) – v5.2, December 1, 2013

The following AT&T Supplier Information Security Requirements (“Security Requirements”) apply to Amdocs, its affiliates, its Subcontractors, and each of their employees and/or temporary workers, contractors, vendors and/or agents who perform any Services for, on behalf of, and/or through AT&T and/or any other obligations (for the purpose of this Appendix, each or all “Supplier”) that include any of the following:

Supplier’s performance of Services that involve the collection, storage, handling, or disposal of AT&T’s Information;

Supplier-offered or -supported AT&T branded services using non-AT&T Information Resources (as defined below);

Connectivity to AT&T’s Nonpublic Information Resources (as defined below);

Custom Software development pursuant to Section 3.33 to the Master Services Agreement No. 02026713 to the extent produced or developed by or on behalf of Supplier, or forming part of any software pursuant to the Agreement to which these Security Requirements are attached (including under any statement of work, exhibit, order or other document under, subordinate to, or referencing this Agreement) for the development of which AT&T has been charged monies; or

Website hosting and development for AT&T and/or AT&T’s customers.

Proprietary Information

The information contained in this Agreement is not for use or disclosure outside AT&T, Supplier, their Affiliates and their third party representatives, except under written Agreement by the contracting Parties.

Agreement Number 02026713.A.034

Supplier represents and warrants that during the term of this Agreement and thereafter (as applicable with respect to Supplier’s obligations under the Survival of Obligations clause) Supplier is, and shall continue to be, in compliance with its obligations as set forth herein. In addition to all other remedies specified in the Agreement, Supplier agrees that AT&T shall be entitled to seek an injunction, specific performance or other equitable relief and be reimbursed the costs (including reasonable attorney’s fees) by Supplier to enforce the obligations in these Security Requirements, including those that survive Termination, Cancellation or expiration of this Agreement. The provisions of this Appendix shall not be deemed to, and shall not, limit any more stringent security or other obligations of the Agreement. Section and paragraph headings contained in parentheses following paragraphs in the table, below, in this Appendix are for reference purposes only and are not to affect the meaning or interpretation of this Agreement.

AT&T reserves the right to update or modify its Security Requirements from time to time. Upon notification by AT&T of its need to modify the Security Requirements, Supplier agrees to promptly negotiate in good faith and expedite execution of an amendment to this Agreement to incorporate any such modification. Supplier acknowledges that AT&T may require modifications to Security Requirements:

Upon extension or renewal of the Agreement;

Upon any change in work scope or other substantive modification of the Agreement; or

At such time that AT&T deems necessary.

3.1 Definitions:

Unless otherwise set forth or expanded herein, defined terms shall have the same meaning as set forth in the main body of the Agreement.

“Customer Facing System” means an Information Resource accessible from public networks, intended for use by AT&T and/or its customers and which resides in a Demilitarized Zone (DMZ), as defined below, and where that DMZ:

Is protected by firewalls located between the Internet and the DMZ, between that DMZ and all other DMZs, and between the DMZ and the AT&T intranet,

Prohibits incoming TELNET connections from public networks, and

Prohibits incoming File Transfer Protocol (FTP) connections from public networks except to specific systems known as “FTP drop boxes”.

Note: A Customer Facing System which also is used by AT&T employees, contractors, vendors or suppliers to perform work on behalf of AT&T is not considered a Customer Facing System when performing such work.

“CPNI” (Customer Proprietary Network Information) as that term is defined in the Telecommunications Act of 1996, 47 U.S.C. §222 (h)(1).

Proprietary Information

Agreement Number 02026713.A.034

“Demilitarized Zone” or “DMZ” is a network or sub-network that sits between a trusted internal network, such as a corporate private Local Area Network (LAN), and an untrusted external network, such as the public Internet. A DMZ helps prevent outside users from gaining direct access to internal Information Resources. Inbound packets from the untrusted external network must terminate within the DMZ and must not be allowed to flow directly through to the trusted internal network. All inbound packets which flow to the trusted internal network must only originate within the DMZ.

The DMZ must be separated from the untrusted external network by use of a Security Gateway and must be separated from the trusted internal network by use of either:

another Security Gateway, or

the same Security Gateway used to separate the DMZ from the untrusted external network, in which case the Security Gateway must ensure that packets received from the untrusted external network are either immediately deleted or if not deleted are routed only to the DMZ with no other processing of such inbound packets performed other than possibly writing the packets to a log.

The following must only be located within the trusted internal network:

Any of AT&T’s Sensitive Personal Information (SPI) stored without the use of Strong Encryption,

The official record copy of information to be accessed from requests originating from the untrusted external network,

The official record copy of information to be modified as the result of requests originating from the untrusted external network,

Database servers,

All exported logs, and

Development environments and source code.

The following must not be located within the DMZ:

Authentication credentials not protected by the use of Strong Encryption.

“Incident Management Process” is a Supplier-developed documented procedure to be followed in the event of an actual or suspected attack upon, intrusion upon, unauthorized access to, loss of, or other breach involving AT&T’s Information Resources.

“Information Resources” means systems, applications, networks, network elements and other computing and information storage devices, including smart phones, tablets, and USB memory sticks, and AT&T’s Information stored, transmitted, or processed with these resources in conjunction with supporting AT&T and/or used by Supplier in fulfillment of its obligations under this Agreement.

“Location Based Information” or “LBI” means information that identifies the current or past location of a specific individual’s mobile device. LBI contains two factors both of which must

Proprietary Information

Agreement Number 02026713.A.034

be present and able to be associated with each other. These two factors are: (1) a mobile device’s physical location (e.g. a map address, or latitude and longitude together with altitude where known) derived from the mobile device through activities such as GPS (Global Positioning System ) or network connectivity rather than as a result of user action (e.g. revealing location in the content of an email or SMS text message), and (2) an individual’s identity derived from a unique identifier assigned to that mobile device such as customer name, MSISDN (Mobile Subscriber Integrated Services Digital Network-Number), IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Station Equipment Identity) or ICCID (Integrated Circuit Card Identifier).

“Mobile and Portable Devices” means mobile and/or portable computers, devices, media and systems capable of being easily carried, moved, transported or conveyed that are used in connection with the Agreement. Examples of such devices include laptop computers, tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), and wireless phones, such as smartphones.

“Nonpublic Information Resources” means those Information Resources used under the Agreement to which access is restricted and cannot be gained without proper authorization and identification.

“Sensitive Personal Information” or “SPI” means any information that: (a) requires a high degree of protection by law and where loss or unauthorized disclosure would require notification by AT&T to government agencies, individuals or law enforcement, and (b) any information that, if made public, could expose individuals to a risk of physical harm, fraud, or identity theft. Examples of SPI include, but are not limited to, social security numbers, national government, such as passport and visa numbers, state- or province-issued identification numbers, driver’s license numbers, dates of birth, bank account numbers, credit card numbers, customer authentication credentials, Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA) and Location Based Information (LBI) (as defined above). Note: Authentication credentials, encryption keys, and encryption passwords used to protect Sensitive Personal Information are themselves classified as Sensitive Personal Information.

“Security Gateway” means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples of Security Gateways include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.

“Strong Authentication” means the use of authentication mechanisms and authentication methodologies stronger than the passwords required by Security Requirement 34 herein. Examples of Strong Authentication mechanisms and methodologies include digital certificates, two-factor authentication, and one-time passwords.

Proprietary Information

Agreement Number 02026713.A.034

“Strong Encryption” means the use of encryption technologies with minimum key lengths of 128-bits for symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access, and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented procedure approved by the Supplier’s appropriate management level, for the management of the encryption keys and associated processes adequate to protect the confidentiality and privacy of the keys and passwords used as inputs to the encryption algorithm.

3.2 Security Requirements

In accordance with the foregoing, Supplier shall:

System Security

1.	Actively monitor industry resources (e.g., www.cert.org, pertinent software vendor mailing lists & websites) for timely notification of all applicable security alerts pertaining to Supplier’s Information Resources. (Security Alerts)

If commercially available and to the extent practicable, [**], and in addition immediately following all significant changes and upgrades, scan externally-facing Information Resources, including, but not limited to, networks, servers, & applications, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities. (Externally-facing System Scanning)

If commercially available and to the extent practicable, [**], and in addition immediately following all significant changes and upgrades, scan internal Information Resources, including, but not limited to, networks, servers, applications & databases, with applicable industry-standard security vulnerability scanning software to uncover security vulnerabilities, ensure that such Information Resources are properly hardened as documented in Security Requirement 9 below, and identify any unauthorized wireless networks, unless documented policies and processes are in place to proactively prevent the creation of unauthorized wireless networks. (Internal System Scanning)

RESERVED

In environments where such technology is commercially available and to the extent practicable, deploy one or more Intrusion Detection Systems (IDS) , Intrusion Prevention Systems (IPS), or Intrusion Detection and Prevention Systems (IDP) in an active mode of operation that monitors all traffic entering and leaving Information Resources in conjunction with the Agreement. (Intrusion Detection Systems)

Have and use a documented process to remediate security vulnerabilities in the Information Resources, including, but not limited to, those discovered through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be or is in the process of being exploited. (Remediating/Patching Service Vulnerabilities)

7.	Assign security administration responsibilities for configuring host operating systems to specific individuals. (Security Administration Responsibilities)

Proprietary Information

Agreement Number 02026713.A.034

8.	Ensure that its information security staff has reasonable and necessary experience in information and network security. (Necessary Staff Experience)

If commercially available and to the extent practicable, ensure that all of Supplier’s Information Resources are and remain ‘hardened’ including, but not limited to, removing or disabling unused network services (e.g., finger, rlogin, ftp, and simple Transmission Control Protocol/Internet Protocol (TCP/IP) services) and installing a system firewall, Transmission Control Protocol (TCP) wrappers or similar technology. (Hardened Systems)

10.	Change all default account names and/or default passwords. (Changing Default Account Names and Passwords)

11.	Limit system administrator (also known as root, privileged, or super user) access to operating systems intended for use by multiple users only to individuals requiring such high-level access in the performance of their jobs. (Limit Super User Privileges)

12.	Require application, database, network and system administrators to restrict access by users to only the commands, data and Information Resources necessary for them to perform authorized functions. (Administrators to Restrict User Access)

Physical Security

13.	Ensure that all of Supplier’s Information Resources intended for use by multiple users are located in secure physical facilities with access limited and restricted to authorized individuals only. (Information Resources in Secure Facilities)

14.	Monitor and record, for audit purposes, access to the physical facilities containing Information Resources intended for use by multiple users used in connection with Supplier’s performance of its obligations under the Agreement. (Monitoring and Recording Access)

Network Security

15.

When providing Internet-based services to AT&T, protect AT&T’s Information by the implementation of a network DMZ. Web servers providing service to AT&T shall reside in the DMZ. Information Resources storing AT&T’s Information (such as application and database servers) shall reside in a trusted internal network. (Internet Services Must Use DMZ)

16.	Upon AT&T’s request, provide to AT&T a logical network diagram documenting the Information Resources (including, but not limited to, Security Gateways, servers, etc.) that will support AT&T. (Provision of Logical Network Diagram)

17.	Have a documented process and controls in place to detect and handle unauthorized attempts to access AT&T’s Information. (Detection and Handling of Unauthorized Access).


18.	a.	Use Strong Encryption for the transfer of AT&T’s Information outside of AT&T-controlled or Supplier-controlled networks or when transmitting AT&T’s Information over any untrusted network.

	b.	Additionally, [**], always use Strong Encryption to protect AT&T’s SPI when transmitted over any AT&T-controlled or Supplier-controlled network.

	(Note: This also applies to AT&T’s Information contained in email, or the attachments embedded within the email, as the case may be. For greater clarity, if, for example, the text in an email does not contain AT&T’s Information, but the embedded attachments within that email do contain AT&T’s Information, then the embedded attachments, but not the email, need to be encrypted.) (Encryption of Information in Transit)

Proprietary Information

Agreement Number 02026713.A.034

19.	Require strong authentication for any remote access use of Nonpublic Information Resources. (Remote Access Authentication)

Information Security

20.

Isolate AT&T’s applications and AT&T’s Information from any other customer’s or Supplier’s own applications and information either by using physically separate servers or alternatively by using logical access controls where physical separation of servers is not implemented. (Separate AT&T’s Information from non-AT&T Information)

21.

Have documented procedures for the secure backup and recovery of AT&T’s Information which shall include, at a minimum, procedures for the transport, storage, and disposal of the backup copies of AT&T’s Information and, upon AT&T’s request, provide such documented procedures to AT&T. (Secure Backup, Transport, Storage and Disposal of AT&T’s Information)

22.

Maintain and, upon AT&T’s request, furnish to AT&T a documented business continuity plan that ensures that Supplier can meet its contractual obligations under the Agreement, including the requirements of any applicable Statement of Work or Service Level Agreement. Such plan shall include the requirement that the included procedures be regularly tested in accordance with Supplier’s documented risk management plan. Supplier shall promptly review its business continuity plan to address additional threat scenarios. (Business Continuity Plan)

23.	Use Strong Encryption to protect AT&T’s SPI when stored. (Encryption of SPI at Rest/Storage)

24.	Limit access to AT&T’s Information, including, but not limited to, paper hard copies, only to authorized persons or systems. (Limit Access to AT&T’s Information Regardless of Form)

25.

Be compliant with government- and generally known industry-mandated information security standards to the extent applicable to the Services provided by Supplier. (Examples of such standards include, but are not limited to, the Payment Card Industry-Data Security Standards (PCI-DSS), National Automated Clearing House Associates (NACHA) Rules, and Electronic Data Interchange (EDI) standards, and the information security requirements documented within laws, such as HIPAA.) (Compliance with Industry and Government Requirements)

In the event any such government- or industry-mandated information security standards cause Amdocs to incur additional costs to be compliant, [**].

26.	At no additional charge to AT&T:

Upon AT&T’s request, provide copies of any of AT&T’s Information to AT&T [**].

Return, or, at AT&T’s option, destroy all of AT&T’s Information, including electronic and hard copies, [**] after the sooner of:

expiration or Termination of the Agreement;

ii.

AT&T’s request for the return of AT&T’s Information; or

iii.

the date when Supplier no longer needs AT&T’s Information to perform Services under the Agreement.

In the event that AT&T approves destruction as an alternative to returning AT&T’s Information, then certify in writing the destruction (e.g., degaussing, overwriting, performing a secure erase, performing a chip erase, shredding, cutting, punching holes, breaking, etc.) as rendering the AT&T’s Information non-retrievable.

In the event that Supplier needs to retain copies of AT&T’s Information [**] either the expiration or Termination of the Agreement, or AT&T’s request for the return or destruction of AT&T’s Information, Supplier shall be allowed to retain such copies when elsewhere agreed to in writing with AT&T. Exception: Copies of AT&T’s Information retained as part of a backup-and-recovery, business continuity or disaster recovery process may be retained for [**] the expiration or Termination of the Agreement without obtaining agreement in writing from AT&T allowing such retention provided that all such copies are destroyed within [**] of creation. (Return of AT&T’s Information)

Proprietary Information

Agreement Number 02026713.A.034

27.

Unless otherwise instructed by AT&T in writing, when collecting, generating or creating Information for, through or on behalf of AT&T or under the AT&T brand, ensure that such Information shall be AT&T’s Information and, whenever practicable, label such Information of AT&T as “AT&T Proprietary Information” or, at a minimum, label AT&T’s Information as “Confidential” or “Proprietary”. Supplier acknowledges that AT&T’s Information shall remain AT&T-owned Information irrespective of labeling or absence thereof. (Confidential or Proprietary Markings)

28.	Assign unique UserIDs to individual users. (Unique User IDs)

29.

Have and use a documented UserID Lifecycle Management process including, but not limited to, procedures for approved account creation, timely account removal, and account modification (e.g., changes to privileges, span of access, functions/roles) for all Information Resources and across all environments (e.g., production, test, development, etc.). Such process shall include review of access privileges and account validity to be performed [**]. (UserID Life Cycle Management)

30.	Enforce the rule of least privilege (i.e., limiting access to only the commands and Information Resources necessary to perform authorized functions according to one’s job function). (Rule of Least Privilege)

31.

Limit failed login attempts to no more than [**] successive attempts and lock the user account upon reaching that limit. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after [**] from the last failed login attempt. Exception: Where elsewhere authorized in writing by AT&T, AT&T customer usage of Customer Facing Systems may be exempted from this requirement. (Limit Failed Logins)

32.

Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity [**]. Exception: Where elsewhere authorized in writing by AT&T, AT&T customer usage of Customer Facing Systems may be exempted from this requirement. (Terminate Inactive Interactive Sessions)

33.	Require password expiration at regular intervals not to exceed [**]. Exception: Where elsewhere authorized in writing by AT&T, AT&T customer usage of Customer Facing Systems may be exempted from this requirement. (Expire Passwords)

34.

Use an authentication method based on the sensitivity of AT&T’s Information. Whenever authentication credentials are stored, Supplier shall protect them using Strong Encryption.

Proprietary Information

Agreement Number 02026713.A.034

When passwords are used, they shall be complex and shall at least meet the following password construction requirements:

•

Be a minimum of six (6) characters in length.

•

Contain characters from at least two (2) of these groupings: alphabetic, numeric, and special characters.

•

Not be the same as the UserID with which they are associated.

•

Passwords must not contain repeating or sequential characters or numbers.

Exception: Where elsewhere authorized in writing by AT&T, AT&T customer usage of Customer Facing Systems may be exempted from the password construction requirements.

Applications housing more sensitive copies of AT&T’s Information, as identified in writing by AT&T, may require an authentication mechanism stronger than passwords. In such case the authentication mechanism shall be mutually agreed to in advance in writing. Examples of stronger authentication methods include Strong Authentication, passphrases, and biometrics. (Passwords and Construction Rules)

35.	Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards). (Use Secure Method to Convey UserIDs and Passwords)

Warning Banner

36.	For AT&T branded products or services or for software developed for AT&T, the Supplier shall display a warning banner on login screens or pages provided by AT&T. (Display Warning Banners)

Software and Data Integrity

37.

In environments where antivirus software is commercially available and to the extent practicable, have current antivirus software installed and running to scan for and promptly remove or quarantine viruses and other malware. (Note: For the avoidance of doubt, this requirement also applies to Mobile and Portable Devices where antivirus software is commercially available.) (Scan and Remove Viruses)

38.	Separate non-production Information Resources from production Information Resources. (Separate Production and Non-Production Information Resources)

39.	Have a documented change control process including back out procedures for all production environments. (Software Change Control Process)

40.	For applications which utilize a database that allows modifications to AT&T’s Information, have database transaction logging features enabled and retain database transaction logs [**]. (Utilize Database Transaction Logging)

41.

For all software developed under this Agreement, review such software to find and remediate security vulnerabilities during initial implementation and upon any modifications and updates.

Where technically feasible, for all software used, furnished and/or supported under the Agreement, review such software to find and remediate security vulnerabilities during initial implementation and upon any modifications and updates. (Review Code for Vulnerabilities)

Proprietary Information

Agreement Number 02026713.A.034

42.

Perform quality assurance testing for the security components (e.g., testing of identification, authentication, and authorization functions), as well as any other activity designed to validate the security architecture, during initial implementation and upon any modifications and updates. (Quality Assurance Test Security Components)

Privacy Issues

43.	Restrict access to any of AT&T’s CPNI and AT&T’s SPI to authorized individuals. (Restrict Access to AT&T CPNI and SPI)

44.

Not store AT&T’s CPNI and AT&T’s SPI on removable media (e.g., USB flash drives, thumb drives, memory sticks, tapes, CDs, or external hard drives) except: (a) for backup, business continuity, disaster recovery, and data interchange purposes as allowed and required under contract, and (b) using Strong Encryption. Exception: Where elsewhere authorized in writing by AT&T, AT&T’s CPNI stored for distribution to AT&T’s customers may be exempted from this requirement. (Control AT&T CPNI and SPI on Removable Media)

Monitoring and Auditing Controls

45.	Restrict access to security logs to authorized individuals, and protect security logs from unauthorized modification. (Restrict Access to Security Logs)

46.	Review, on [**], all security and security-related logs for anomalies and document and resolve all logged security problems in a timely manner. (Review Security Logs and Resolve Security Problems)

47.

Retain complete and accurate records relating to its performance of its obligations arising out of these Security Requirements and Supplier’s compliance herewith in a format that will permit assessment or audit for a period of [**], or longer as may be required pursuant to a court order or civil or regulatory proceeding. Notwithstanding the foregoing, Supplier shall only be required to maintain security logs for a [**]. (Retain Records)

48.

Permit AT&T to conduct an assessment or audit to verify Supplier’s compliance with the contractual obligations in connection with these AT&T Supplier Information Security Requirements. Upon AT&T’s request for audit, Supplier shall schedule a security audit to commence [**] days from such request. In the event that AT&T, in its sole discretion, deems that a security breach has occurred, which has not been promptly reported to AT&T in compliance with the Supplier’s Incident Management Process, Supplier shall schedule the audit to commence within [**] of AT&T’s notice requiring an audit. This provision shall not be deemed to, and shall not, limit any more stringent audit obligations permitting the examination of Supplier’s records contained in the Agreement. (Audit Rights)

49.

[**] of receipt of the assessment or audit report, provide AT&T a written report outlining the corrective actions that Supplier has implemented or proposes to implement with the schedule and current status of each corrective action. Supplier shall update this report to AT&T [**] reporting the status of all corrective actions through the date of implementation. Supplier shall implement all corrective actions [**] of Supplier’s receipt of the audit report. (Remediate Audit Findings)

Proprietary Information

Agreement Number 02026713.A.034

Reporting Violations

50.	Have and use an Incident Management Process and promptly notify AT&T whenever there is an attack upon, intrusion upon, unauthorized access to, loss of, or other breach of AT&T’s Information Resources at:

Asset Protection by telephone at 800-807-4205 from within the US and at 1-908-658-0380 from elsewhere, and

Supplier’s contact within AT&T for Service-related issues.

(Maintain and Use Incident Response Procedures)

51.

After notifying AT&T whenever there is an attack upon, intrusion upon, unauthorized access to, loss of, or other breach of AT&T’s Information Resources, provide AT&T with regular status updates, including, but not limited to, actions taken to resolve such incident, at mutually agreed intervals or times for the duration of the incident and, [**] of the closure of the incident, provide AT&T with a written report describing the incident, actions taken by the Supplier during its response and the Supplier’s plans for future actions to prevent a similar incident from occurring. (Provide AT&T Incident Response Status and Final Resolution)

Software Development

52.

RESERVED

Security Policies and Procedures

53.	Ensure that all personnel, subcontractors or representatives performing work under this Agreement are in compliance with these Security Requirements. (All Work to Be In Compliance with SISR)

54.

RESERVED

55.

Deactivate or Return all AT&T-owned or -provided access devices (including, but not limited to, SecurID^® tokens and/or software) as soon as practicable, but in no event [**] after the sooner of: (a) expiration or Termination of the Agreement; (b) AT&T’s request for the return of such property; or (c) the date when Supplier no longer need such devices. (Return all AT&T Owned or Provided Access Devices)

Mobile and Portable Devices


56.		a.		Supplier shall not store any of AT&T’s SPI on Mobile and Portable Devices unless AT&T’s SPI stored on such devices is protected by the use of Strong Encryption.

At execution of Amendment 34, Supplier shall use Strong Encryption to protect all of AT&T’s Information stored on Mobile and Portable Devices that are laptop computers.

By [**], for AT&T’s Information that is not SPI, Supplier shall use Strong Encryption to protect all of AT&T’s Information stored on Mobile and Portable Devices that are not laptop computers.

Supplier reserves the right to discuss with AT&T if issues are encountered during the implementation of Strong Encryption.


57.		a.		Supplier shall not use Mobile and Portable Devices to receive, transmit or remotely access AT&T’s SPI unless the SPI so transmitted is protected by the use of Strong Encryption.

Proprietary Information

Agreement Number 02026713.A.034

At execution of Amendment 34, Supplier shall use Strong Encryption to protect all of AT&T’s Information received by, transmitted using or remotely accessed by:

Network-aware Mobile and Portable Devices that are laptop computers; and

ii.

All other types of network-aware Mobile and Portable Devices whenever such transmissions take place over any network that is not part of the Supplier’s trusted, Supplier-controlled network.

By [**], for AT&T’s Information that is not SPI, Supplier shall use Strong Encryption to protect all of AT&T’s Information when received by, transmitted using or remotely accessed by Mobile and Portable Devices that are not laptop computers.

Supplier reserves the right to discuss with AT&T if issues are encountered during the implementation of Strong Encryption.

58.

When using network-aware Mobile and Portable Devices that are not laptop computers to access and/or store AT&T’s Information, such devices must be capable of deleting all stored copies of AT&T’s Information upon receipt over the network of a properly authenticated command. (Note: Such capability is often referred to as a “remote wipe” capability.)

Have documented policies, procedures and standards in place to ensure that the authorized individual who should be in physical control of a network-aware Mobile and Portable Device that is not a laptop computer and that is storing AT&T’s Information promptly initiates deletion of all AT&T’s Information when the device becomes lost or stolen.

Have documented policies, procedures and standards in place to ensure that Mobile and Portable Devices that are not laptop computers and are not network aware, will automatically delete all stored copies of AT&T’s Information after no more than three times the number of consecutive failed login attempts documented within Security Requirement 31.

59.	Have documented policies, procedures and standards in place which ensure that any Mobile and Portable Devices used to access and/or store AT&T’s Information:

Are in the physical possession of authorized individuals;

Are physically secured when not in the physical possession of authorized individuals; or

Have their data storage promptly and securely deleted when not in the physical possession of authorized individuals nor physically secured.

60.	Prior to allowing access to AT&T’s Information stored on or through the use of Mobile and Portable Devices, Supplier shall have and use a process to ensure that:

The user is authorized for such access; and

The identity of the user has been authenticated.

61.	Implement a policy that prohibits the use of any Mobile and Portable Devices that are not administered and/or managed by Supplier or AT&T to access and/or store AT&T’s Information.

62.	Review, [**], the use of, and controls for, all Supplier-administered or -managed Mobile and Portable Devices to ensure that the Mobile and Portable Devices can meet the applicable Security Requirements.

Proprietary Information

Agreement Number 02026713.A.034

Security Gateways

63.	Require Strong Authentication for administrative and/or management access to Security Gateways, including, but not limited to, any access for the purpose of reviewing log files.

64.	Have and use documented controls, policies, processes and procedures to ensure that unauthorized users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.

65.	At least [**], ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and set of configuration parameters ensures the following:

Internet Protocol (IP) source routing is disabled,

The loopback address is prohibited from entering the internal network,

Anti-spoofing filters are implemented,

Broadcast packets are disallowed from entering the network,

Internet Control Message Protocol (ICMP) redirects are disabled,

All rule sets end with a “DENY ALL” statement, and

Each rule is traceable to a specific business request.

66.	Ensure that monitoring tools are used to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.

67.	Ensure that all Security Gateways are configured and implemented such that all non-operational Security Gateways shall deny all access.

Wireless Networking

68.

When using radio frequency (RF) based wireless networking technologies to perform or support Services for AT&T, ensure that all of AT&T’s Information transmitted is protected by the use of appropriate encryption technologies sufficient to protect the confidentiality of AT&T’s Information; provided, however, that in any event such encryption shall use no less than key lengths of 256-bits for symmetric encryption and 256-bits for asymmetric encryption. Exception: The use of RF-based wireless headsets, keyboards, microphones, and pointing devices, such as mice, touch pads, and digital drawing tablets, is excluded from this requirement.

Connectivity Requirements

69.

In the event that a data connection agreement, such as a “Master Data Connection Agreement,” “Data Connection Agreement,” and/or “Connection Supplement” (“DCA”) exists between the Parties, and incorporates the Agreement by reference, or is otherwise integrated with, or used to govern the Parties’ connectivity obligations under, this Agreement, agree that any information security requirements incorporated within such DCA are hereby superseded by the terms of these Security Requirements, effective as of the date these Security Requirements become effective under

Proprietary Information

Agreement Number 02026713.A.034

the Agreement, and the terms of such DCA are amended to require that the Security Requirements and not the information security requirements incorporated within the DCA are controlling in the Agreement (as well as any agreements subordinate to the Agreement). Notwithstanding the foregoing, the DCA remains in full force and effect for all other agreements between the Parties to which it applies.

70.	In the event that Supplier has, or will be provided, connectivity to AT&T’s or AT&T’s customers’ Nonpublic Information Resources in conjunction with this Agreement, then in addition to the foregoing:

Use only the mutually agreed upon facilities and connection methodologies to interconnect AT&T’s and AT&T’s customers’ Nonpublic Information Resources with Supplier’s Information Resources.

NOT establish interconnection to AT&T’s and AT&T’s customers’ Nonpublic Information Resources without the prior consent of AT&T.

Provide AT&T access to any applicable Supplier facilities during normal business hours for the maintenance and support of any equipment (e.g., router) provided by AT&T under the Agreement for connectivity to AT&T’s and AT&T’s customers’ Nonpublic Information Resources.

Use any equipment provided by AT&T under this Agreement for connectivity to AT&T’s and AT&T’s customers’ Nonpublic Information Resources only for the furnishing of those Services or functions explicitly defined in the Agreement.

If the agreed upon connectivity methodology requires that Supplier implement a Security Gateway, maintain logs of all sessions using such Security Gateway. These session logs must include sufficiently detailed information to identify the end user or application, origination IP address, destination IP address, ports/service protocols used and duration of access. These session logs must be retained for a [**].

71.	In the event that Supplier has, or will be provided, connectivity to AT&T’s or AT&T’s customers’ Nonpublic Information Resources in conjunction with this Agreement, in addition to other rights set forth herein, permit AT&T to:

Gather information relating to access, including Supplier’s access to, AT&T’s and AT&T’s customers’ Nonpublic Information Resources. This information may be collected, retained and analyzed by AT&T to identify potential security risks without further notice. This information may include trace files, statistics, network addresses, and the actual data or screens accessed or transferred.

Immediately suspend or terminate any interconnection to AT&T’s and AT&T’s customers’ Nonpublic Information Resources if AT&T, in its sole discretion, believes there has been a breach of security or unauthorized access to or misuse of AT&T data facilities or Information.

Proprietary Information

Agreement Number 02026713.A.034

2.	Section 6.5, “Background Check/Drug Screening”, is deleted in its entirety and replaced with, Section 6.5, “Background Check/Drug Screening” as follows:

Background Check/Drug Screening [**] With respect to any Amdocs Personnel providing Services Amdocs shall comply with the requirements of Appendix 6.5 (Background Checks/Drug Screening).

The terms and conditions of Agreement No. 02026713 as previously amended in all other respects remain unmodified and in full force and effect.

IN WITNESS WHEREOF, the Parties have caused this Amendment to Agreement No. 02026713 to be executed, which may be in duplicate counterparts, each of which will be deemed to be an original but all of which together shall constitute only one instrument, as of the date the last Party signs.


Amdocs, Inc.		AT&T Services, Inc.

By:	/s/ Steve Pennington	By:	/s/ Deidre D. Byer
Name:	Steve Pennington	Name:	Deidre D. Byer
Title	Director of Operations	Title	Sr. Contract Manager – Global Supply Chain
Date:	12-29-2014	Date:	12/29/2014

Proprietary Information

Agreement Number 02026713.A.034

Appendix 6.5

Background Check/Drug Screening

Confidential materials omitted and filed separately with the Securities and Exchange Commission. A total of two pages were omitted. [**].

Proprietary Information

Amendment

No. 02026713.A.035

Between

Amdocs, Inc.

And

AT&T Services, Inc.

Proprietary Information

Agreement Number 02026713.A.035

AMENDMENT NO. 35

AGREEMENT NO. 02026713

This Amendment No. 35, effective on the date when signed by the last Party (“Effective Date”), and amending Agreement No. 02026713, is by and between Amdocs, Inc., a Delaware corporation (“Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.

WITNESSETH

WHEREAS, AT&T and Amdocs are parties to that certain Agreement No. 02026713 for Software and Professional Services, dated as of August 7, 2003, (as previously amended, the “Agreement”) and

WHEREAS, AT&T and Supplier now desire to further amend the Agreement;

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree to changes to the Agreement as follows:

1.	For purposes of extending the term of the Agreement, Section 3.32, “Term of Agreement”, is deleted in its entirety and replaced with the following:

3.32 Term of Agreement

This Agreement with an Effective Date of August 7, 2003, shall remain in effect for a term ending on June 30, 2015, unless earlier Terminated or Canceled as provided in this Agreement. The Parties may extend the term of this Agreement by agreement in writing.

The terms and conditions of Agreement No. 02026713 as previously amended in all other respects remain unmodified and in full force and effect.


Amdocs, Inc.		AT&T Services, Inc.

By:	/s/ Steven Pennington	By:	/s/ Deirdre D. Byer
Name:	Steven Pennington	Name:	Deidre D. Byer
Title	Director of Operations	Title	Sr. Contract Manager – Global Supply Chain
Date:	3/31/2015	Date:	3/31/2015

Proprietary Information

Amendment

No. 02026713.A.036

Between

Amdocs, Inc.

And

AT&T Services, Inc.

Proprietary Information

Agreement Number 02026713.A.036

AMENDMENT NO. 36

AGREEMENT NO. 02026713

This Amendment No. 36, effective on the date when signed by the last Party (“Effective Date”), and amending Agreement No. 02026713, is by and between Amdocs, Inc., a Delaware corporation (“Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.

WITNESSETH

WHEREAS, AT&T and Amdocs are parties to that certain Agreement No. 02026713 for Software and Professional Services, dated as of August 7, 2003, (as previously amended, the “Agreement”) and

WHEREAS, AT&T and Supplier now desire to further amend the Agreement;

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree to changes to the Agreement as follows:

1.	For purposes of extending the term of the Agreement, Section 3.32, “Term of Agreement”, is deleted in its entirety and replaced with the following:

3.32 Term of Agreement

This Agreement with an Effective Date of August 7, 2003, shall remain in effect for a term ending on July 31, 2015, unless earlier Terminated or Canceled as provided in this Agreement. The Parties may extend the term of this Agreement by agreement in writing.

2.	Appendix 1.2(2), “IT Professional Service Price(s)”, is hereby deleted and replaced with Appendix 1.2(2), “IT Professional Service Price(s)”, as attached.

The terms and conditions of Agreement No. 02026713 as previously amended in all other respects remain unmodified and in full force and effect.

Proprietary Information

Agreement Number 02026713.A.036


Amdocs, Inc.		AT&T Services, Inc.

By:	/s/ Ioannis Tinis	By:	/s/ Deidre D. Byer
Name:	Ioannis Tinis	Name:	Deidre D. Byer
Title	Director of Operations	Title	Sr. Contract Manager – Global Supply Chain
Date:	6/30/2015	Date:	6/30/2015

Proprietary Information

Agreement Number 02026713.A.036

Appendix 1.2(2)

IT Professional Service Price(s)

A.	Job Classification Descriptions

Senior Project Manager/Senior Team Lead: [**] or more years’ experience in information technology with at least [**] years in a Project Manager or Team Lead role. Proven ability to manage and lead projects of a large scale. Project Management Certification or Degree. Leadership and communication skills.

Project Manager/Team Leader: [**] or more years’ experience in information technology with at least [**] years in a Project Manager or Team Lead role. Supplier Certified as a specialist in at least two applications or systems areas relevant to the project. Demonstrated leadership experience, and solid communication skills; able to work independently and manage other employees.

Senior Programmer /Analyst: [**] or more years’ programming or equivalent technical experience; good communication skills; application design experience. Supplier Certified as a specialist in at least one application or system relevant to the project. Ability to create clear, concise and detailed design documents.

Programmer Analyst: [**] or more years’ experience, program design and development experience; knowledge of applications or systems relevant to the project; ability to write documentation and conduct unit and system level tests.

Entry Level Programmer: Entry Level, typically with a university degree or equivalent qualifications, with one year or less programming experience, knowledgeable of structured programming and computer science principles require to meet the needs of AT&T.

Senior System Architect: The Senior System Architect is responsible for the same activities as the Technical Architect but has a broader scope of responsibilities and more in-depth business and technical knowledge. Responsible for multiple projects or large complex projects with cross-functional teams and business processes. Demonstrate expert knowledge in multiple technical and business functional areas as well as performing a larger leadership role in the organization. Apply broad in-depth business and technical knowledge to establish technical direction and priorities. Resolve and work on issues across multiple functional areas. Effectively monitor and take action to ensure coordination and effectiveness of all components and activities and decide on issues requiring escalation. Incumbents understand the system flow for a project throughout an entire functional area (e.g., Billing, Customer Care) not just a subsystem area. They have medium to long range planning responsibilities.

System Architect: Responsible for providing technical system solutions and determining overall design direction. Provide technical leadership and are responsible for the technical integrity within a subsystem or application. Also provide technical expertise to generate

Proprietary Information

Agreement Number 02026713.A.036

maintainable, quality solutions. Includes documenting system requirements, creating application designs, validating high level designs to ensure accuracy and completeness against the business requirements and programming the solutions. Attend project meetings when technical advice is needed and communicate the project design to other architects. May resolve design issues and develop strategies to make ongoing improvements that support system flexibility and performance. Assess the technical feasibility of new technologies to enable integration into existing processes.

Senior Data Base Administrator: Responsible for high level database administration and related tasks on multiple DMBS platforms. Participates in the evaluation, selection and implementation of appropriate DBMS based on client requirements. May create logical model and transform logical design into efficient physical databases, performing data normalization/denormalization, and considering volume, capacity and requirements for performance, data conversion, purge/archive and operation viability. Responsible for implementing database architecture strategies. Manage database administration projects that may span across parts of the enterprise and ensure that deliverables are completed on time. Strives to drive overall costs lower for database performance, data conversion, and administration services. Acts as consultant to clients and other IT organizations on database-related issues. Leads efforts to implement standards across the enterprise for ease of support and recovery in relation to database administration (database security, disaster recovery, scripts, and database documentation). Evaluates and deploys new technology to improve database efficiency and recoverability. Performs advanced problem determination and recoveries. Mentors Database Administrators and Associate Analysts.

Database Administrator: Responsible for database administration and related tasks on one or more DMBS platforms. Under the guidance of the Sr. DBA, may create logical model and transform logical design into efficient physical databases, performing data normalization/denormalization, and considering volume, capacity and requirements for performance, data conversion, purge/archive and operation viability. Responsible for meeting assigned deliverables. Responsible for assisting in driving overall costs lower for database performance, data conversion, and administration services. Works with clients and other IT organizations to ensure positive impact. May consult with clients on database admin-related issues and design considerations. Implements standards across the enterprise for ease of support and recovery in relation to database administration (database security, disaster recovery, scripts, and database documentation standards).

B.	Rates before July 1, 2015

The fixed price for Software Development work [**]

ii.

Mobility Software Development

The [**] with the following exception:

•

[**].

Proprietary Information

Agreement Number 02026713.A.036

iii.

Production Support

[**].

iv.

Requirements/Consulting

[**].

Testing

[**]. This rate is conditional upon maintaining the current level or volume of testing services provided to AT&T upon signature of this Amendment. [**].

C.	Rates on and after July 1, 2015

All rates defined below are based on a fixed price monthly amount of [**] and are applicable to new Work Orders, additions of scope to existing Work Orders, and extensions of existing Work Orders executed between the Parties against this Master Services Agreement after the Effective Date of the Letter of Agreement No. 20150505.066.C.

ii.

Consulting Services

The fixed price for Consulting Services is a blended rate of [**].

iii.

Non-Consulting and Requirements Services

The fixed price for Non-Consulting and Requirements Services is a blended rate of [**].

iv.

Production Support Services

The fixed price for Production Support Services is a blended rate of [**].

Development Services

The fixed price for Development Services is a blended rate of [**].

vi.

Testing Services

The fixed price for Testing Services is a blended rate of [**].

Proprietary Information

Amendment

No. 02026713.A.037

Between

Amdocs, Inc.

And

AT&T Services, Inc.

Proprietary Information

Agreement Number 02026713.A.037

AMENDMENT NO. 37

AGREEMENT NO. 02026713

This Amendment No. 37, effective on the date when signed by the last Party (“Effective Date”), and amending Agreement No. 02026713, is by and between Amdocs, Inc., a Delaware corporation (“Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.

WITNESSETH

WHEREAS, AT&T and Amdocs are parties to that certain Agreement No. 02026713 for Software and Professional Services, dated as of August 7, 2003, (as previously amended, the “Agreement”) and

WHEREAS, AT&T and Supplier now desire to further amend the Agreement;

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree to changes to the Agreement as follows:

1.	For purposes of extending the term of the Agreement, Section 3.32, “Term of Agreement”, is deleted in its entirety and replaced with the following:

3.32 Term of Agreement

This Agreement with an Effective Date of August 7, 2003, shall remain in effect for a term ending on September 30, 2015, unless earlier Terminated or Canceled as provided in this Agreement. The Parties may extend the term of this Agreement by agreement in writing.

The terms and conditions of Agreement No. 02026713 as previously amended in all other respects remain unmodified and in full force and effect.


Amdocs, Inc.		AT&T Services, Inc.

By:	/s/ Thomas C. Drury	By:	/s/ Deidre D. Byer
Name:	Thomas C. Drury	Name:	Deidre D. Byer
Title	President	Title	Sr. Contract Manager – Global Supply Chain
Date:	7/29/2015	Date:	7/29/2015

Proprietary Information

Amendment

No. 02026713.A.038

Between

Amdocs, Inc.

And

AT&T Services, Inc.

Proprietary Information

Agreement Number 02026713.A.038

AMENDMENT NO. 38

AGREEMENT NO. 02026713

This Amendment No. 38, effective on the date when signed by the last Party (“Effective Date”), and amending Agreement No. 02026713, is by and between Amdocs, Inc., a Delaware corporation (“Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.

WITNESSETH

WHEREAS, AT&T and Amdocs are parties to that certain Agreement No. 02026713 for Software and Professional Services, dated as of August 7, 2003, (as previously amended, the “Agreement”) and

WHEREAS, AT&T and Supplier now desire to further amend the Agreement;

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree to changes to the Agreement as follows:

1.	For purposes of extending the term of the Agreement, Section 3.32, “Term of Agreement”, is deleted in its entirety and replaced with the following:

3.32 Term of Agreement

This Agreement with an Effective Date of August 7, 2003, shall remain in effect for a term ending on November 30, 2015, unless earlier Terminated or Canceled as provided in this Agreement. The Parties may extend the term of this Agreement by agreement in writing.

The terms and conditions of Agreement No. 02026713 as previously amended in all other respects remain unmodified and in full force and effect.


Amdocs, Inc.		AT&T Services, Inc.

By:	/s/ Ioannis Tinis	By:	/s/ Steve Wehde
Name:	Ioannis Tinis	Name:	Steve Wehde
Title	Director of Operations	Title	Sr. Contract Manager – Global Supply Chain
Date:	9/29/2015	Date:	September 29, 2015

Proprietary Information

Amendment

No. 02026713.A.039

Between

Amdocs, Inc.

And

AT&T Services, Inc.

Proprietary Information

AMENDMENT NO. 39

AGREEMENT NO. 02026713

This Amendment No. 39, effective on the date when signed by the last Party (“Effective Date”), and amending Agreement No. 02026713, is by and between Amdocs, Inc., a Delaware corporation (“Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (“AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties”.

WITNESSETH

WHEREAS, AT&T and Amdocs are parties to that certain Agreement No. 02026713 for Software and Professional Services, dated as of August 7, 2003, (as previously amended, the “Agreement”) and

WHEREAS, AT&T and Supplier now desire to further amend the Agreement;

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree to changes to the Agreement as follows:

1.	For purposes of extending the term of the Agreement, Section 3.32, “Term of Agreement”, is deleted in its entirety and replaced with the following:

3.32 Term of Agreement

This Agreement with an Effective Date of August 7, 2003, shall remain in effect for a term ending on January 31, 2016, unless earlier Terminated or Canceled as provided in this Agreement. The Parties may extend the term of this Agreement by agreement in writing.

The terms and conditions of Agreement No. 02026713 as previously amended in all other respects remain unmodified and in full force and effect.


Amdocs, Inc.		AT&T Services, Inc.

By:	/s/ Todd Cohen	By:	/s/ Steve Wehde
Name:	Todd Cohen	Name:	Steve Wehde
Title	Treasurer	Title	Sr. Contract Manager – Global Supply Chain
Date:	11-30-2015	Date:	November 30, 2015

Proprietary Information