1. This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorised recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Consulting for Cloud: Gartner Security & Risk Management — Cloud Security Readiness Assessment & Validation Gartner G-Cloud Service Definition For further information on Gartner support for Cloud initiatives visit: http://www.gartner.com/technology/research/cloud-computing/services.jsp

2. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 1 Price ■Gartner will charge a firm fixed price of £32,456 excl. VAT, incl. all expenses for this service. Gartner Service Definition — Cloud Security Readiness Assessment & Validation Service Description Gartner will provide facilitated interactive planning sessions to help clients to understand the security issues, benefits, costs, risks and vendor landscape for clients considering moving infrastructure components and services to the Cloud. These sessions have been developed to assist clients who are tasked with architecting, recommending, or implementing an organisation’s data security strategy in the Cloud. It will answer the following questions? ■What are the security implications for your data – both at rest and in transit? ■ What applications are supported and what service levels are appropriate and who are the leading vendors? ■Rethinking security programmes and processes (monitoring audit, investigations, policy) when moving Services to the Cloud. ■Identity management, authentication, authorisation, and federation. This workshop was developed over many years of in-depth research and consulting. It exploits Gartner frameworks to provide independent and detailed analysis of the feasibility, value and risks for your cloud planning activities. Key Deliverables Cloud Readiness Interactive Planning Session that provides: ■Kick-off meeting to set requirements, expectations, scope and schedule. ■A maximum of four interviews with client stakeholders to gather information required to tailor the Workshop. ■Two day interactive planning session. ■Relevant Gartner research and examples. ■High-level conceptual architecture and strategy report detailing conclusions, points for development and an action plan for moving forward. Key Benefits Interactive planning sessions which explores the client’s security options with the client in order to: ■Drive consensus toward a feasible Cloud security strategy for the organisation with a high level actionable action plan. ■Identify at a high level potential gaps between your business current state and desired state with respect to Cloud security readiness based on the explored workloads considered in the sessions. ■Identify Cloud Security issues clearly and determine how to prepare for possible migration to Cloud services in an orderly, well-thought-out approach that does not put the organisation at undue risk.

3. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 2 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Deliverables ■Cloud Readiness Interactive Planning Sessions that provide: ■Kick-off meeting to set requirements, expectations, scope and schedule – with a maximum of four interviews with client stakeholders to gather information required to tailor the Workshop. ■Two day interactive planning session: ■Day 1: Structured Training Format - Security Strategies for Cloud Computing. ■Day 2: Assess and develop strategies: ■Participants describe their environments via 20 minute ‘mini presentations’ to the group. ■Gartner facilitates the develop a high-level conceptual architecture and strategy – if jointly deemed feasible. ■Workshop materials with supporting analysis, research, and other relevant work products. ■Workshop Report detailing Workshop conclusions, high-level conceptual architecture and strategy develop and an action plan for moving forward.

4. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 3 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Project Schedule ■Gartner anticipates completion of this engagement within two weeks. Client Project Team Roles ■Project Sponsor ■Project Manager ■Key stakeholders Project Benefits Intensive planning session which explores security options with the client team in helping to: ■Drive consensus toward a feasible cloud security strategy for the client with a high level action plan. ■Identify at a high level potential gaps between the client’s current and desired state with respect to cloud security readiness based on the workloads considered in the workshop. ■Identify Cloud Security issues clearly, and determine how to prepare for possible migration to cloud services in an orderly, well-thought-out strategy that does not put the organisation at undue risk. Gartner Project Team Roles Project Approach ■Week 1: Project initiation ■Conduct 4 key stakeholder interviews. ■Send a self survey with key stakeholders to scheduled workshop participants in order to capture a snapshot of the organizations overall IT infrastructure and key applications in order to tailor the Workshop. ■Tailor the Workshop for the client focus areas with relevant Gartner Security and Risk Management Research, Market clocks, Hype Cycles and Cloud Vendor Research. ■Week 2: Workshop Delivery ■Delivery a two day scheduled session onsite. ■Develop Report conclusions, high-level conceptual architecture and strategy develop options and the action plan. ■Present report to executive stakeholders. Staff Day rate (as per rate card) Head count Duration Director Per SFIA level 6 12 Associate Director Per SFIA level 4/5 19 Senior Consultant Per SFIA level 3 19

5. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 4 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Any Additional Information ■There is no additional information related to this service. Prerequisites ■Garter will only provide the stated service if the client cloud transformation project in question is officially approved to commence and has officially commenced.

6. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 5 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Changes to Scope ■The scope of the engagement is defined herein. All client requests for changes must be set forth and explained in writing. As soon as practicable, Gartner shall advise of the cost/schedule implications of requested changes and any other necessary details to allow both parties to decide whether to proceed with the requested changes. The parties shall agree in writing upon any requested changes prior to Gartner commencing work. ■As used herein, “changes” are defined as work activities or work products not originally planned for or specifically defined by this service definition. Assumptions ■The client will designate a project manager as primary point of contact who will work closely with Gartner as needed and will: (a) approve priorities/task plans/schedules; (b) facilitate scheduling of interviews with personnel; (c) notify Gartner in writing of project issues and assist in their resolution. ■Client will review and approve documents within five business days. If no formal approval/rejection is received within that time, the deliverable is considered accepted. ■Client personnel will be made available per the schedule agreed in the kickoff meeting. ■The due diligence (as ‑ is) data are reasonably available via interviews and documentation review. ■Client provides timely access to personnel to be interviewed. These personnel will be able to answer questions, provide documentation and attend sessions. ■Project pricing assumes that Gartner will conduct 3 remote interviews and 1 workshops (2 days) over a period of 3 days and that the client will arrange all sessions with the client’s personnel. ■All data collection/interviews/workshops will take place via phone or in person as agreed at the project kickoff. ■With the exception of meetings and workshops, Gartner work will be performed at Gartner locations. ■Offices, phones, printing/copying and Internet access will be available to Gartner at client locations. ■Gartner will use Microsoft Office for the production of any engagement documentation ■Any requests for additional information and/or deliverables(beyond the details described in this service definition) that are made will be considered a change in scope and will be handled accordingly (see Changes to Scope). This does not apply to clarification questions.

7. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 6 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Backup Restore and Disaster Recovery ■The Gartner service under discussion does not require Gartner to manage or store any critical client data. Therefore, as there is no risk to the client and no break in service that will affect the client experience, there is no applicable policy needed in relation to this specific issue. Information Assurance ■Gartner possesses analysts and consultants with various security clearances, or we will, within reason, acquire those clearances as the client demands. ■Gartner associates are bound by very specific rules around client confidentiality and security given that our clients reveal to us their greatest challenges and difficulties in order that we can help and support them most effectively. Data Restoration ■No client data is retained by Gartner as part of the client’s access to this service and therefore there is no data restoration process related to this service. Service Migration ■There is no need for a Service Migration plan given the nature of the service under discussion. The client is able to complete and conclude the service without any ongoing process being required for transfer of service or information to an alternative provider or successor. At the conclusion of the service described all deliverables and any supporting information is handed over to the client.

8. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 7 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Offboarding ■Gartner does not offer offboarding services, however, Gartner will close down the engagement, upon conclusion, ensuring all necessary skills and information are transferred appropriately and in a timely manner to the client. Onboarding ■Gartner does not offer onboarding services, however, Gartner will hold a kickoff meeting with the client to ensure understanding of the engagement objectives, scope, schedule, and milestones, roles, responsibilities and required resources for Gartner and the client. Gartner will also discuss anticipated risks and mitigation plans, based on lessons learned from past experience. Gartner will gather any relevant background material from the client.

9. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 8 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Ordering and Invoicing Process ■Gartner will bill for 100% of the professional fees at contract signing. ■All invoices are payable net 30 days from date of invoice. While Gartner does not itemise billing for professional services, Gartner agrees and will comply with any reasonable requests for records substantiating our invoices. Pricing ■Gartner will charge a firm fixed price of £32,456 excl. VAT, incl. all expenses for this service. Financial Recompense Model ■In the event that a Service does not meet the specifications set out in the applicable Service Description, the breach will be handled in accordance with the Liability and Termination terms set out in the Call-Off Agreement. Termination Terms (by Consumer / by the Supplier) ■Services may be terminated without cause by the Customer on at least thirty (30) Working Days’ notice.

10. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 9 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Service Management ■This is not applicable to this service. The service will be managed as described under the Statement of Work component of this Service Definition. Service Constraints ■This is not applicable to this service. Service Levels ■This is not applicable to this service.

11. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 10 Gartner Service Definition — Cloud Security Readiness Assessment & Validation Trial Service ■Gartner does not offer a trial service option in relation to this service. Training ■Gartner will provide Cloud Security Strategy and general project management coaching to the client's cloud transformation project manager. Consumer Responsibilities ■Provision of the necessary resources, systems and documentation for review ■Responsible for managing logistics on client’s site for the duration of the engagement ■Assign a client Project Manager to work as a single point contact between the Gartner team and the client ■Identify the right people for the interviews/ workshops, schedule and communicate the intent of the engagement ■Provide facilities for workshops and Gartner Work Space ■Collate and send all relevant data prior to the meeting ■Ensure attendance at kickoff meeting and any subsequent interviews and meetings by Project Sponsor, Project Manager and other key stakeholders, as determined prior, during and post kickoff Technical Requirements ■Gartner will require access to: ■Any information requested (some may be potentially sensitive) regarding the cloud transformation project electronically and /or in paper format ■Organizations overall IT Security infrastructure and key applications information electronically and/or in paper format