To identify and assess a security breach affecting any electronic records containing personal information, and to take necessary steps to notify those individuals affected.
Method
Measurement
Interval
Immediate and Continuous Notification to the MBTA.
Responsibility
Reporting Period
Within five (5) minutes of discovery of the event, provided the Operator is in compliance with all security obligations.
Operator shall be responsible for all costs of notification and remediation for the security breach.
To engage a cyber security forensic vendor for forensic review of a known security breach promptly after discovery of the security breach, provided the Operator is in compliance with all security obligations.
Method
Measurement
Interval
Immediate and Continuous Notification to the MBTA
Responsibility
Hours of Support
7x24x365
Service Level
Notify the MBTA immediately and continuously after the discovery of a security breach and engage a forensic vendor within twelve (12) hours of notification of the MBTA. The forensic vendor must commence analysis within twenty-four (24) hours of such notification to the MBTA (pending MBTA approval of such vendor).
To timely report PCI-DSS validation data to the MBTA for compliance with PCI-DSS reporting and validation requirements.
To permit the MBTA to validate its compliance with the Payment Card Security Standards and the compliance of its relevant vendors, either via a Qualified Security Assessor, an Approved Scanning Vendor, or a Self-Assessment Questionnaire (as those positions are detailed in Section 2.3 (Validation) of Schedule 3.17 (IT Security)).
Responsibility
Reporting Period
Submit PCI Quarterly Scan results to the MBTA. All other obligations as required under PCI-DSS, or as requested by the MBTA.
Completed Annual PCI-DSS Attestation documentation is due to the MBTA annually on April 1 (to the CISO), and continuous compliance is required (7x24x365).
In each case of a failure to achieve this Service Level, the MBTA shall be entitled to recover a Sev 3 Service Credit.
Time to Meet Service Level
Upon Activation of Commuter Rail IT Environment.
Provision of Data for SSAE16 Auditing
Service Level Specification
Service Category
Compliance Services.
Objective
To timely report SSAE16 Auditing data to the MBTA for compliance with SSAE16 standards (if applicable).
Method
Responsibility
Reporting Period
As required under SSAE16 standards.
Hours of Support
7x24x365
Resource Range
N/A
Service Level
≥ 99.00% of data reports are provided to auditor within twenty-four (24) hours of due date.
Service Credits
Failure to Achieve Service Level
In each case of a failure to achieve this Service Level, the MBTA shall be entitled to recover a Sev 3 Service Credit.
Time to Meet Service Level
Upon Activation of Commuter Rail IT Environment.
GUARANTEED ASSET INVENTORY AND CONNECTION DIAGRAMS
Guaranteed Asset Inventory and Connection Diagrams
Service Level Specification
Objective
To ensure accurate accounting for and tracking of IT assets and configurations, the Operator shall prepare and update an asset inventory and connection diagrams.
Method
Measurement
Interval
Monthly
Data Collection
Spot checks, auditing, scans, and other reviews ("Reviews").
Responsibility
Reporting Period
Monthly
Service Level
In 98% of the Reviews, the inventory and connection diagrams reported accurately reflect the actual inventory and connections.
Service Credits
Failure to Achieve Service Level
In each case of a failure to achieve this Service Level, the MBTA shall be entitled to recover a Sev 3 Service Credit.
Time to Meet Service Level
Upon Activation of Commuter Rail IT Environment.
BUSINESS CONTINUITY AND CONTINUATION OF OPERATIONS
Business Continuity and Continuation of Operations
Service Level Specification
Objective
To ensure business continuity, the Operator shall have a failover disaster recovery plan and shall test this failover twice per year.
Method
Measurement
Interval
Two (2) tests per year
Responsibility
Reporting Period
6 months
Service Level
The system shall fail over without incident; Operator shall maintain an updated failover disaster recovery plan.
Service Credits
Failure to Achieve Service Level
In each case of a failure to achieve this Service Level, the MBTA shall be entitled to recover a Sev 2 Service Credit.
Time to Meet Service Level
Upon Activation of Commuter Rail IT Environment.
RFID
Service Level Specification
Objective
To ensure accurate reporting of maintenance and repair efforts.
Method
Measurement
Interval
Time of ticket update vs. automatic ticket creation.
Test Method
Ticket needs an update of the issue description by a technician within thirty (30) minutes of the train / car entering a repair facility.
Ticket needs an update of the issue resolution by a technician within thirty (30) minutes of the train / car leaving a repair facility.
Foreperson must close tickets within one hour of final technician update if the issue is resolved with appropriate data as directed by the MBTA.
Responsibility
Reporting Period
As required
Service Level
98% completion within the parameters outlined above.
Service Credits
Failure to Achieve Service Level
In each case of a failure to achieve this Service Level, the MBTA shall be entitled to recover a Sev 3 Service Credit.
Time to Meet Service Level
Upon Activation of Commuter Rail IT Environment.
SERVICE LEVEL DEFINITIONS AND METRICS FOR AGREEMENT SERVICES OTHER THAN OPERATOR IT SERVICES
The following Service Levels and Service Credits apply to Agreement Services other than Commuter Rail IT Services:
Warranty Requirements
Service Level Specification
Service Category
All work completed for vehicles deemed under warranty needs to have a work order history that includes: date of failure, in-service date, vehicle class, vehicle number, mileage, major component serial number, complaint, cause, correction, labor details, and parts usage details.
Method
Measurement Interval
Complete capture of all repairs for vehicles that are deemed warrantable.
Responsibility
Reporting Period
Monthly
Hours of Support
7x24x365
Service Level and Service Credits
Service Level and Failure to Achieve Service Level
100% generation of warranty claims for warrantable maintenance.