Exhibit 10.2

 

 



CONFIDENTIAL TREATMENT REQUESTED. INFORMATION FOR WHICH CONFIDENTIAL TREATMENT
HAS BEEN REQUESTED IS OMITTED AND MARKED WITH “[***]”. AN UNREDACTED VERSION OF
THE DOCUMENT HAS ALSO BEEN FURNISHED SEPARATELY TO THE SECURITIES AND EXCHANGE
COMMISSION AS REQUIRED BY RULE 24B-2 UNDER THE SECURITIES EXCHANGE ACT OF 1934,
AS AMENDED.

 

FINAL EXECUTION VERSION

 

 

 

 

 

 

 

 

 



 



MASTER SERVICES AGREEMENT

 

Between

 

Triple-S Salud, Inc.

 

and

 

OptumInsight, Inc.

 

Dated

 

August 29, 2017

 

 

 

 

 

 

 

 

 

 




 



 

TABLE OF CONTENTS

 

1. PREAMBLE
1.1 Background and Purpose
1.2 Goals and Objectives
1.3 Structure of Agreement
1.4 Defined Terms
2. SERVICES
2.1 Provision of the Services
2.2 New Services
2.3 “Master” Nature of the General Terms and Conditions
2.4 Services Commencement
2.5 Evolution and Innovation of the Services
2.6 Users of the Services
2.7 Services Not Exclusive; Variable
2.8 Cooperation and Coordination with Other Parties
3. TERM AND REGULATORY APPROVALS
3.1 Initial Term
3.2 Renewal Terms
3.3 Regulatory and Regulatory Contract Approvals
3.4 Customer Approvals
3.5 Additional Contract Clauses
4. PERFORMANCE
4.1 Performance, Generally
4.2 Place of Performance
4.3 Time of Performance
4.4 Triple-S Policies and Procedures
4.5 Quality Assurance and Continuous Improvement
4.6 Medicare Attestations
5. SERVICE LEVELS AND CREDITS
5.1 General
5.2 Credits
6. SUPPLIER PERSONNEL
6.1 Responsibility for Supplier Personnel, Generally
6.2 Screening and Background Checks
6.3 Key Supplier Positions and Other Requirements
6.4 Removal and Replacement of Supplier Personnel
6.5 Controlling Turnover of Supplier Personnel
6.6 Subcontracting
7. TRIPLE-S RESPONSIBILITIES
7.1 Appointment of Triple-S Program Management Office (PMO) Personnel
7.2 Triple-S Cooperation Duties
7.3 Savings Clause
8. CHARGES
9. USE OF TRIPLE-S RESOURCES
9.1 Use Rights
9.2 Triple-S Equipment
9.3 Triple-S Third Party Service Contracts
9.4 Triple-S Software and Triple-S Tools
9.5 Triple-S Facilities
9.6 Terms Applicable to Triple-S Facilities
9.7 Required Consents
10. RESPONSIBILITY FOR RESOURCES DURING THE TERM
10.1 General Responsibility and Compatibility
10.2 Equipment
10.3 Third Party Services
10.4 Supplier Software and Tools
10.5 License During the Term and Disengagement Assistance Periods
10.6 Network Connectivity
10.7 Triple-S Personnel
10.8 Flow Down Terms
11. TRANSITION
11.1 Transition Overview
11.2 Transition Defined and Start of Transition
11.3 Transition Documents
11.4 Transition Deliverables and Transition Milestones
11.5 Conduct of the Transition
11.6 Triple-S Cooperation and Support
11.7 Completion of Transition
11.8 In Flight Projects
12. TRANSFORMATION AND CRITICAL MILESTONES
12.1 Transformation
12.2 Critical Milestones
13. COMPLIANCE WITH LAWS
13.1 Parties’ Compliance Obligations, Generally
13.2 Other Compliance Requirements
13.3 Import/Export Controls
13.4 Compliance with Data Privacy and Data Protection Laws, Regulations and Policies
13.5 Business Associate Agreement
14. DATA SECURITY AND PROTECTION
14.1 Triple-S Data, Generally
14.2 Data Security
14.3 Security Breach
14.4 Intrusion Detection/Interception
14.5 Litigation and Investigation Requests
15. INTELLECTUAL PROPERTY RIGHTS
15.1 Independent IP
15.2 Intellectual Property Rights in Work Product
15.3 Intellectual Property Rights Agreements with Supplier Personnel
15.4 Rights on Bankruptcy of Supplier
16. TERMINATION
16.1 Termination by Triple-S
16.2 Termination by Supplier
16.3 Extension of Termination/Expiration Date
16.4 Partial Termination
17. DISENGAGEMENT ASSISTANCE
17.1 General
17.2 Required Consents
17.3 Charges for Disengagement Assistance
17.4 Bid Assistance
18. GOVERNANCE AND MANAGEMENT
18.1 Governance Structure and Processes
18.2 Reports
18.3 Procedures Manual
18.4 Change Control Process
18.5 Audits and Records
19. REPRESENTATIONS, WARRANTIES AND COVENANTS
19.1 Work Standards
19.2 Maintenance
19.3 Efficiency and Cost-Effectiveness
19.4 Deliverable Warranty
19.5 Intentionally Omitted
19.6 Documentation
19.7 Compatibility
19.8 Open Source Code
19.9 Non-Infringement
19.10 Viruses Impacting Triple-S
19.11 Disabling Code
19.12 Delivery Platforms
19.13 Corporate Social Responsibility
19.14 Foreign Corrupt Practices Act
19.15 Debarment from Federal Contracts and Termination.
19.16 Claims Procedures, Appeals and External Review
19.17 No Improper Inducements
19.18 Immigration
19.19 [***] Software
19.20 Non-Infringement
19.21 Viruses Impacting Supplier
20. MUTUAL REPRESENTATIONS AND WARRANTIES; DISCLAIMER
20.1 Mutual Representations and Warranties
20.2 Disclaimer
21. CONFIDENTIALITY
21.1 “Confidential Information” Defined
21.2 Obligations of Confidentiality
21.3 No Implied Rights
21.4 Compelled Disclosure
21.5 Confidential Treatment of this Agreement
21.6 Disclosure of Information Concerning Tax Treatment
21.7 Return or Destruction
21.8 Destruction Obligations
21.9 Exceptions to Retention and Destruction Obligations
21.10 Duration of Confidentiality Obligations
22. INSURANCE
22.1 General Terms
22.2 Types and amounts of coverage
22.3 Terms of coverage
23. INDEMNIFICATION
23.1 Indemnification by Supplier
23.2 Infringement Claims
23.3 Indemnification by Triple-S
23.4 Indemnification Procedures
23.5 Subrogation
24. LIABILITY
24.1 General Intent
24.2 Limitations of Liability
24.3 Exceptions to Limitations of Liability
24.4 Force Majeure
24.5 Disaster Recovery and Business Continuity
25. DISPUTE RESOLUTION
25.1 Informal Dispute Resolution
25.2 Litigation
25.3 Continued Performance
25.4 Equitable Remedies
25.5 Disclaimer of Uniform Computer Information Transactions Act
26. RULES OF CONSTRUCTION
26.1 Entire Agreement
26.2 Contracting Parties; No Third Party Beneficiaries
26.3 Contract Amendments and Modifications
26.4 Governing Law
26.5 Relationship of the Parties
26.6 Consents and Approvals
26.7 Waiver
26.8 Remedies Cumulative
26.9 References
26.10 Rules of Interpretation
26.11 Order of Precedence
26.12 Severability
26.13 Counterparts
26.14 Reading Down
27. GENERAL PROVISIONS
27.1 Survival
27.2 Binding Nature and Assignment
27.3 Notices
27.4 Non-solicitation of Employees
27.5 Covenant of Good Faith
27.6 Public Disclosures
27.7 Service Marks
27.8 Mutually Negotiated



 




 

 

 

Master Services Agreement

 

This Master Services Agreement, effective as of August 31, 2017 (the “Effective
Date”), is between Triple-S Salud, Inc., a Puerto Rico corporation, with
principal offices located at #1441 F.D. Roosevelt Avenue, San Juan, Puerto Rico
00921 (“Triple-S”), and OptumInsight, Inc. (“Supplier”), a Delaware corporation,
having a primary place of business at 11000 Optum Circle, Eden Prairie, MN 55433
(each, a “Party” and collectively, the “Parties”). The Parties agree that the
following terms and conditions shall apply to the services to be provided by
Supplier to Triple-S under this Agreement, in consideration of certain payments
to be made by Triple-S, all as more specifically described below.

 

1. PREAMBLE

 

1.1 Background and Purpose

 

This Agreement is made and entered into with reference to the following:

 

(a) Triple-S is dedicated to providing its members with access to high-quality
care at an affordable price.

 

(b) Supplier and its Affiliates are providers of infrastructure, application
development and maintenance, business process, hosting and consulting services.

 

(c) After a comprehensive evaluation and negotiation process, Triple-S has
decided to contract with Supplier for Supplier to provide services to Triple-S,
as more fully described in this Agreement.

 

(d) The Parties are entering into this Agreement to set forth the terms under
which Supplier shall provide the Services to Triple-S, and Triple-S shall
receive such Services from Supplier.

 

1.2 Goals and Objectives

 

(a) Triple-S and Supplier have the following over-arching goals and objectives
associated with the execution of this Agreement and Supplier’s performance
hereunder:

 

(i) Improve the quality, effectiveness and efficiency of Triple-S operations;

 

(ii) Improve customer service and stakeholder satisfaction, including consistent
repeatable process models to reduce compliance risk;

 

(iii) Reduce Triple-S’s overall cost of providing services to its Members;

 

(iv) Implement a governance model in which Supplier is a single point of contact
for Triple-S with respect to the services and platforms provided by Supplier and
other third parties required for Triple-S to receive the Services under this
Agreement;

 

(v) Provide Triple-S with a predictable and inclusive pricing model that aligns
with Triple-S business metrics;

 




 

 

 

(vi) Implement a smooth and timely Transition and Transformation of, as
applicable, personnel, systems, suppliers and processes with no disruption in
Supplier’s provision of service to Triple-S and no disruption to Triple-S in the
general conduct of its business;

 

(vii) Through Supplier’s provision of the Services to Triple-S, allow Triple-S
to focus its efforts on creating membership growth for its existing products and
plans as well as driving business expansion into new service offerings; and

 

(viii) For Supplier to establish a new services center based in Puerto Rico to
service Triple-S and other Supplier customers throughout the Americas and for
Triple-S to share in the financial benefits as the services center grows during
the Term. The Parties intend for this service center to create additional jobs
in Puerto Rico.

 

(b) The goals and objectives set out in this Section 1.2 are intended to be a
general introduction to, and statement of the spirit of, this Agreement.

 

1.3 Structure of Agreement

 

This document (the “General Terms and Conditions”) sets out the basic terms and
conditions under which the Parties will conduct the transactions contemplated by
this Agreement. The following are additional Schedules that are a part of the
Agreement.

 

General Terms and Conditions
Schedule A (Cross Functional Services)
Schedule B (Service Level Methodology)
Schedule C (Charging Methodology)
Schedule C-1 (Charges)
Schedule C-2 (T&M Rates)
Schedule C-3 (Financial Responsibility Matrix)
Schedule C-4 (Termination Charges)
Schedule C-5 (TSS Transferred Contracts)
Schedule D (Key Supplier Positions)
Schedule E (Supplier Facilities)
Schedule F (Governance)
Schedule G (Form of In-Scope Employee Agreement)
Schedule H (Form of Business Associate Agreement)
Schedule I (Disengagement Assistance)
Schedule J (Triple-S Policies and Procedures)
Schedule K (Reports)
Schedule L (IT Security Addendum)
Schedule M (Audit and Record Retention Requirements)
Schedule N (Project Framework)
Schedule N-1 (Deliverable and Milestone Acceptance Procedures)
Schedule O (Change Control Process)
Schedule P (In-Flight Projects)
Schedule Q (Supplier Affiliates)
Schedule R (Approved Subcontractors)
Schedule S (Supplier Software and Supplier Tools)
Schedule T (Background Checks)
Schedule U (CMS Attestation)
Schedule V (Intentionally Omitted)
Schedule W (Regulatory and Customer Flow Down Requirements)
Schedule X (Source of Truth)
Schedule Y (Subcontractor Flow-Down Terms)
Schedule AA (Glossary)

 

1.4 Defined Terms

 

Schedule AA (Glossary) lists each defined term used in this Agreement and sets
forth either its definition or a cross-reference to the document containing the
definition. Those terms, acronyms, and phrases utilized in the information
technology outsourcing or health and wellness industry which are not otherwise
defined in this Agreement shall be interpreted in accordance with their
generally understood meaning in such industry or business context.

 

2. SERVICES

 

2.1 Provision of the Services

 

(a) The “Services” consist of and include the following functions,
responsibilities, activities and tasks (collectively, “Functions”), as they may
evolve and be supplemented, enhanced, modified or replaced during the Term and
in accordance with this Agreement:

 

(i) any Functions expressly described in this Agreement;

 

(ii) the Transition Services, as further described in Section 11 (Transition)
and in the applicable Transition Documents;

 

(iii) the Transformation, as further described in Section 12 (Transformation)
and in the Transformation Documents;

 

(iv) Disengagement Assistance, as further described in Section 17 (Disengagement
Assistance) and Schedule I (Disengagement Assistance);

 

(v) any related services, Functions or responsibilities not specifically
described in this Agreement that are an inherent, necessary or customary part of
the Services or are required or customary for proper performance or provision of
the Services (including to complete Transition) in accordance with this
Agreement; and

 

(vi) any Functions that (A) are related to the Services described in this
Agreement; and (B) were performed during the twelve (12) months prior to the
Service Commencement Date of this Agreement (or during the twelve (12) months
prior to the execution of any document executed after the Effective Date (i.e.,
Statement of Work, Task Order, Change Order) regarding the Functions added by
such document) by Triple-S’s personnel (including employees and contractors and
the incumbent provider of such services) who were transitioned to Supplier or
displaced, or whose Functions were displaced, as a result of this Agreement or
such document (as applicable).

 

(b) The “Services” do not include those Functions expressly designated as
Functions for which Triple-S is responsible or otherwise expressly excluded from
scope through express qualifications, limitations and exclusions in this
Agreement.

 

(c) Triple-S or its Affiliates have certain obligations pursuant to that
certain Resolution Agreement entered into by Triple-S Management Corporation and
The United States Department of Health and Human Services, Office for Civil
Rights (“HHS”) dated November 20, 2015, including the Corrective Action Plan
incorporated into such Resolution Agreement (the Resolution Agreement and the
Corrective Action Plan collectively may be referred to as the “CAP”). Triple-S
remains responsible for compliance with the CAP. Supplier understands that
Supplier remains responsible for complying under the terms of this Agreement
with Triple-S Policies and Procedures and performing Services in accordance with
this Agreement, some of which impact Triple-S’ and its Affiliates’ ability to
comply with the CAP.

 

2.2 New Services

 

(a) Requests. If Triple-S requires the performance of New Services, Triple-S may
deliver to Supplier a written request, in such form as Triple-S reasonably
determines, for Supplier to implement such services, specifying the proposed
work and desired timeline with reasonable detail.

 

(b) Response. Within ten (10) Business Days (or, if the requested services
cannot reasonably be evaluated within such time period, then such longer period
of time as mutually agreed by Triple-S and Supplier) after the date of such
request, Supplier shall, at no charge to Triple-S, provide Triple-S with a
written evaluation of such request containing high level estimates of the scope
of the work and the cost and estimated timing of implementing such work, as well
as any impact on the pricing and Service Levels provided hereunder.

 

(c) Proposal. If Triple-S so requests, Supplier shall then provide a written
proposal (a “New Service Proposal”) containing, at a minimum, the following:
(i) reasonably detailed specifications, implementation plans, work schedules,
timeframes for performance, and Acceptance Criteria; and (ii) a price quote of
the fees that Supplier would charge for the services described therein, together
with adequate detail concerning the price quote for Triple-S to evaluate it,
including, where requested by Triple-S, details regarding the “total cost of
ownership,” including, as applicable, initial purchase price of hardware,
software (supplier owned and third party software), or services; labor hours;
labor skill levels; training; operations support; inventory management; warranty
support; transportation; licensing costs; and cost and quality criteria and
data. If the price is quoted on a T&M basis, the rates shall not exceed those
specified in the Skills
Matrix Rate Card for the applicable resources; provided, however, that Supplier
will provide T&M Rates in the New Service Proposal for any resources not
specified on the Skills Matrix Rate Card and required for the New Services.
Supplier shall also include in the proposal a draft Statement of Work for New
Services in a form specified by Triple-S in its reasonable discretion (a “New
Service Statement of Work”) and, to the extent applicable, a proposed amendment
to the Agreement for approval in accordance with Section 26.3 (Contract
Amendments and Modifications).

 

(d) New Service Statement of Work. Upon each Party’s written acceptance and
execution of the New Services Statement of Work, the draft New Service Statement
of Work shall be binding on the Parties and governed by and subject to the terms
of this Agreement.

 

(e) Documentation. Supplier will not perform, and will not be obligated to
perform, any additional Functions that would constitute New Services prior to
informing Triple-S of what the additional charges would be for performing them
(which shall take into account Supplier’s account resources and expenses for the
then-existing Services that would no longer be provided or incurred), and
receiving Triple-S’s written authorization to proceed. Upon execution of
appropriate documentation for New Services as described above, such New Services
shall be governed by this Agreement. If Supplier does perform the additional
Functions that constitute New Services without Triple-S’s prior written
authorization, such services will be deemed to have been performed as part of
the Services at no additional charge. Triple-S shall not be obligated to pay
for, and Supplier will not be obligated to perform, any New Service which has
not been properly authorized by Triple-S and agreed to in writing by Supplier.

 

2.3 “Master” Nature of the General Terms and Conditions

 

The Parties intend that these General Terms and Conditions and this Agreement
will govern the Services and any New Services that the Parties agree will be
provided by Supplier after the Effective Date.

 

(a) The Parties shall enter into statements of work (each a “Statement of Work”
or “SOW”) that will reflect the terms under which Services shall be provided by
Supplier to Triple-S.

 

(i) As of the Effective Date, the Parties are entering into the Initial SOWs.

 

(ii) If, after the Effective Date, the Parties agree upon additional services
that they desire to be governed by these General Terms and Conditions, they
shall enter into additional SOWs (“Future SOWs”) each in substantially the same
format and containing the same information as in the Initial SOWs.

 

(b) Changes to Services previously contracted for will be considered and carried
out in accordance with the terms relating to the Change Control Process set
forth in Section 18.4 and the Change Control Process set forth in Schedule O
(Change Control Process).

 

(c) Each Statement of Work, Task Order, Change Order and similar document
entered into under this Agreement is part of this Agreement as if fully set
forth herein and shall be governed by and subject to the terms of this
Agreement.

 




 



(d) A duly executed Statement of Work, Task Order, Change Order or similar
document may override this Agreement with respect to that particular document
if, and only if, the document expressly states that the Parties intend to
deviate from the terms and conditions of this Agreement for that particular
document. Superseding provisions that pertain to the following will not be
effective unless first reviewed and approved in writing by the legal department
of each Party: (A) Section 14 (Data Security and Protection); (B) Section 15
(Intellectual Property Rights); (C) Supplier’s representations, warranties and
covenants set forth in Sections 19.4 (Deliverable Warranty) and 19.9
(Non-Infringement); (D) Section 23 (Indemnification); or (E) Section 24
(Liability).

 

2.4 Services Commencement

 

(a) Initial SOWs. Supplier shall commence performing applicable Transition
Services for the Initial SOWs on the Effective Date (or the date specified in
the Initial SOW, if later), and shall commence performing the steady state
Services for the Initial SOWs on the applicable Service Commencement Date for
such Services.

 

(b) Future Services. For future Services, Supplier shall commence providing the
Transition Services on the date of the applicable Statement of Work, Task Order,
Change Order or amendment adding such Services (or the date specified in the
applicable Statement of Work, Task Order, Change Order or amendment, if later),
and shall commence performing the steady state Services on the applicable
Service Commencement Date for such Services.

 

2.5 Evolution and Innovation of the Services

 

Throughout the Term, Supplier will improve the quality, efficiency and
effectiveness of the Services to keep pace with advances in technology and the
delivery of similar business process services to Supplier’s commercial customers
that support Triple-S’s (and its Affiliates’) evolving business needs and
efforts to maintain competitiveness in the markets in which it (and they)
competes. Without limiting the generality of the foregoing, Supplier will: (a)
identify and apply industry standards and Supplier’s ‘best practice’ or
‘leading’ techniques and methodologies in performing and delivering the Services
(subject to other obligations and other requirements under this Agreement); (b)
train Supplier Personnel in new techniques and technologies used generally
within Supplier’s organization for commercial customers; and (c) make
investments reasonably required to maintain the currency of Supplier’s Tools,
infrastructure, Software and other resources used by Supplier to render the
Services. Changes in the Services pursuant to this Section 2.5 will not be
considered New Services.

 

2.6 Users of the Services

 

(a) Supplier will provide the Services to Triple-S and, as designated by
Triple-S from time to time:

 

(i) to existing and future Triple-S Affiliates;

 

(ii) to Former Triple-S Affiliates;

 




 



(iii) in support of employer groups to which Triple-S provides contracted
administrative services;

 

(iv) in support of any delegation or TPA (third party administrator)
arrangements existing as of the Effective Date or into which Triple-S or its
Affiliates may enter in the future; and

 

(v) to support any of Triple-S’s or Triple-S’s Affiliates’ contractual
obligations and business relationships with its customers, members and
providers.

 

(each such entity above “Service Recipient”), upon the terms and conditions
(including Charges) set forth in this Agreement.

 

(b) Services provided to such entities under this Agreement shall be deemed to
be Services provided to Triple-S. Triple-S shall be directly responsible for (i)
the payment of all Charges associated with Supplier’s provision of Services to
Service Recipients under this Agreement and (ii) as and to the extent related to
any Service Recipient’s use of the Services, the performance, breach or other
wrongful conduct of any such Service Recipient, as if they were Triple-S
(including acts or omissions of such Service Recipient) for purposes of
determining Triple-S’s liability under this Agreement (including Triple-S’s
indemnification and confidentiality obligations). Triple-S may exercise its
rights pursuant to this Section by providing written notice to Supplier of any
such Service Recipient.

 

(c) With respect to Former Triple-S Affiliates, Supplier will continue to
provide the Services being provided as of the date of divestiture as is
requested by Triple-S for as long as such entity continues to meet the
definition of Former Triple-S Affiliate (or such shorter period of time
designated by Triple-S) so long as (i) Triple-S continues to pay all applicable
Charges with respect to any such Services and remains responsible for the Former
Triple-S Affiliates as set forth in Section 2.6(b); and (ii) such Services
remain subject to the Change Control Process if material technology or other
Changes are required to provide Services to the Former Triple-S Affiliate.

 

(d) There shall be no additional charge or fee (i.e., charges or fees in
addition to the Charges for the actual Services as provided in this Agreement)
for the provision of Services to Service Recipients so long as the Services
remain subject to the Change Control Process if material technology or other
Changes are required to provide Services to the Service Recipients.

 

2.7 Services Not Exclusive; Variable

 

(a) This Agreement is non-exclusive. Nothing in this Agreement shall be
construed to limit in any way Triple-S’s ability to reduce the volumes of
Services being provided by Supplier pursuant to this Agreement or to contract
with other third parties to provide products or services that are the same as or
similar to the Services or that are part of the Services. Triple-S (and its
Affiliates) may also insource any such product or service and provide such
product or service to itself or its Affiliates. In the case of Triple-S’s
withdrawal of portions of the Services from Supplier (including a withdrawal by
Triple-S
of any volumes of Services or Functions from the scope of this Agreement), the
Charges shall be reduced using the unit rates and charging methodologies
provided in Schedule C (Charging Methodology), or otherwise in an equitable
manner to the extent such unit rates and charging methodologies do not apply to
the withdrawn portions of the Services.

 

(b) The Services are variable in volume. Such variations are provided for in the
charging mechanisms set forth in Schedule C (Charging Methodology). Supplier
shall be responsible for adjusting the resources used to provide the Services to
accommodate the changes in volume (regardless of the amount of time remaining in
the Term) in such a manner as to comply with all Service Levels. Supplier shall
not be entitled to receive an adjustment to the Charges resulting from such
variations in volume except as set forth in Schedule C (Charging Methodology).

 

(c) Triple-S (and its Affiliates) makes no commitment for any minimum or maximum
volume, scope, or value of the Services under this Agreement or to any minimum
or maximum payments to be made to Supplier (except to the extent that Triple-S
makes an express commitment to provide Supplier with such a minimum or maximum
volume, scope or payments in Schedule C (Charging Methodology)).

 

(d) This Section 2.7 is not intended to limit or modify any exclusivity, minimum
volume or minimum fee or Charge commitments (including any binding forecasts or
minimum membership levels) that may be expressly set forth in a Statement of
Work or in Schedule C (Charging Methodology).

 

(e) This Section 2.7 is subject in all respects to Section 16.4(c) (Partial
Termination).

 

2.8 Cooperation and Coordination with Other Parties

 

If Triple-S performs itself, or retains a third party to perform, any services
for Triple-S that interface or interact with the Services, or that formerly were
part of the Services, Supplier will cooperate and coordinate with Triple-S or
such third party as reasonably required for Triple-S or the third party to
perform such services. Supplier’s cooperation and coordination will include, as
applicable: (a) providing access to the facilities being used by Supplier to
provide the Services as necessary for Triple-S or the third party to perform its
work; (b) providing reasonable access to the Equipment and Software used in
providing the Services; and (c) providing such information regarding the
operating environment, system constraints and other operating parameters as a
person with reasonable commercial skills and expertise would find reasonably
necessary for Triple-S or the third party to perform its work. Triple-S will
require any such third parties to enter into an agreement with Triple-S with
confidentiality terms substantially similar to those in Section 21
(Confidentiality) of these General Terms and Conditions and to comply with the
other applicable terms of this Agreement. Notwithstanding anything in this
Section 2.8, Triple-S will not provide any such access to proprietary Supplier
Software or Supplier Tools to a third party under this Section 2.8 unless such
third party first enters into a user access or similar agreement directly with
Supplier that contains terms substantially similar to the terms of this
Agreement with respect to use, and restrictions on use, of Supplier Software,
Supplier Tools or Supplier Equipment, as applicable; provided that Supplier
acknowledges such access will be at no additional charge.

 




 



3. TERM AND REGULATORY APPROVALS

 

3.1 Initial Term

 

(a) The term of this Agreement shall commence on the Effective Date and expire
as of midnight Eastern Time on August 31, 2027, unless it is terminated earlier
or is extended pursuant to the terms of this Agreement (such period, together
with all extensions and Renewal Periods, the “Term”).

 

(b) The term of each Statement of Work, Task Order, and Change Order shall
commence on the Effective Date for such document and shall expire on the date
set forth in such document, unless it is terminated earlier or is extended
pursuant to the terms of this Agreement (such period, together with all
extensions and applicable Renewal Periods, the “Document Term”); provided,
however, that no Document Term will extend beyond the Term of this Agreement
(except those relating to Disengagement Assistance).

 

3.2 Renewal Terms

 

(a) By giving notice to Supplier no less than ninety (90) days prior to the
then-existing expiration date of this Agreement, Triple-S may extend the Term
for a period designated by Triple-S of up to one (1) year (each, a “Renewal
Period”) on the terms and conditions then in effect (including the Charges and
any applicable cost of living adjustments and applicable productivity increases
set forth in Schedule C (Charging Methodology)). Triple-S shall have two (2)
such extension options of up to one (1) year each.

 

(b) With respect to each Statement of Work, Task Order, Change Order or similar
document, Triple-S shall have the same rights to extend the applicable Document
Term that it has to extend the Term under this Section 3.2, unless such document
expressly provides otherwise, or by such other period as may be agreed by the
Parties, provided, however, that no Document Term will extend beyond the Term of
this Agreement (except those relating to Disengagement Assistance).

 

3.3 Regulatory and Regulatory Contract Approvals

 

The Parties acknowledge that Triple-S must obtain regulatory approvals or
approvals pursuant to Applicable Law or contracts involving government programs
in order for certain of the Functions and geographic scope that the Parties
contemplate to be included in the scope of this Agreement to be actually
included in the scope of this Agreement after the Effective Date. If Triple-S is
not able to obtain such approvals, or if Triple-S obtains such an approval that
is later revoked or threatened to be revoked (in each case, Triple-S will
provide Supplier prompt notice) and, in either case, the Parties are unable to
agree upon an equitable adjustment in the Charges or the scope of the affected
Services and other terms of this Agreement that would enable Triple-S to obtain
such approval or retain an approval that may be revoked (without adverse impact
to Triple-S), then (a) Triple-S shall have the right to remove any impacted
Services or volumes from the scope of the Agreement in accordance with Section
2.7(a), and (b) Triple-S shall have the termination rights set forth in Section
16.1(h) (Termination Relating to Regulatory Approval).

 








 

 

3.4 Customer Approvals

  



The Parties acknowledge that Triple-S must obtain approvals from certain
customers in order for certain of the Functions and geographic scope that the
Parties contemplate to be included in the scope of this Agreement to be actually
included in the scope of this Agreement after the Effective Date. If Triple-S is
not able to obtain any such approval, and the Parties are unable to agree upon
an equitable adjustment in the Charges or the scope of the affected Services and
other terms of this Agreement that would enable Triple-S to obtain such approval
(without adverse impact to Triple-S), then Triple-S shall have the right to
remove any impacted Services or volumes from the scope of the Agreement in
accordance with Section 2.7(a).

 

3.5 Additional Contract Clauses

 

Schedule W (Regulatory and Customer Flow-Down Terms) contains provisions which
Triple-S is obligated to include in any contract with any subcontractor. Such
provisions are hereby incorporated into this Agreement by reference. Supplier
agrees to comply with all such provisions to the extent such provisions are
applicable to Supplier as a Triple-S subcontractor. Supplier further agrees to
pass through such obligations to any Supplier Subcontractor (other than Non-Key
Subcontractors) in a similar manner and where the applicable agreement with the
Subcontractor is being entered into specifically for performance of the Services
or is up for a negotiated renewal between the parties (i.e., excluding evergreen
renewals).

 

4. PERFORMANCE

 

4.1 Performance, Generally

 

(a) Supplier is responsible for managing and successfully performing,
completing, and delivering the Services, subject to any overall direction
provided by Triple-S and with the cooperation and support of Triple-S, Service
Recipients and Managed Third Parties as specified in this Agreement.

 

(b) In cases where this Agreement does not prescribe or otherwise regulate the
manner or quality of Supplier’s performance, Supplier will render the Services
with at least the same degree of accuracy, quality, timeliness, responsiveness
and efficiency as was generally achieved or obtained by (or for) Triple-S (and
its Affiliates) prior to Supplier assuming responsibility under this Agreement
for the affected Functions.

 

4.2 Place of Performance

 

(a) Schedule E (Supplier Facilities) describes the Supplier facilities in the
United States and outside the United States from which Supplier is authorized to
provide Services as of the Effective Date, and identifies which Services are
authorized to be provided from each such Supplier facility (collectively, the
“Supplier Facilities”); provided, however, that Supplier may also perform
Services using field and remote (i.e., work from home) resources located in the
United States and (i) any location at which such Services are performed by field
or remote resources does not constitute a Supplier Facility for purposes of this
Agreement; and (ii) Supplier will cause all such Services to be performed in
accordance with Supplier’s policies and procedures for field and remote
resources and with applicable Triple-S Policies and Procedures.

 




 



(b) During the Term and any Disengagement Assistance Period, Supplier will not
(i) change any location from which it provides Services to Triple-S, or (ii)
materially reallocate the volume or nature of work being performed from one
facility to another facility, without Triple-S’s prior written consent, which
Triple-S may grant or withhold in its reasonable discretion, provided that if a
proposed change in location or reallocation of volumes or nature of work
involves a change in location from a facility located in the United States to a
facility located in any other country, or a change from a facility located in
one country to a facility located in another country, then Triple-S’s prior
approval may be granted or withheld in Triple-S’s sole discretion. This Section
4.2(b) is not intended to limit Supplier’s right to change locations from a
production Supplier Facility to a back-up Supplier Facility listed in Schedule E
when necessary to execute its disaster recovery and business continuity plans.

 

(c) Notwithstanding anything else set forth in this Section 4.2 to the contrary,
all Supplier Facilities from which Services are provided shall be Top Tier
Facilities with respect to physical security, data security, employee background
checks and similar matters, and Supplier shall provide Services from Supplier
Facilities that are not Top Tier Facilities only with the prior written approval
of Triple-S, which prior approval may be granted or withheld in Triple-S’s
reasonable discretion and subject to such conditions as Triple-S considers
appropriate in the circumstances.

 

(d) Supplier will manage any relocations or reallocations of work in accordance
with standards practiced by tier 1 providers of services similar to the
Services, and in accordance with a migration plan to be prepared by Supplier,
which migration plan shall (i) be provided by Supplier to Triple-S not less than
sixty (60) days prior to the scheduled relocation or reallocation date, and (ii)
be subject to the prior written approval of Triple-S.

 

(e) Supplier will fully examine and evaluate the risks and anticipated effects
of the contemplated relocation or reallocation on the Services and Triple-S,
including the operational, technical, security, regulatory, and other effects,
and will prepare and submit to Triple-S an analysis of the effects not less than
sixty (60) days prior to the scheduled relocation or reallocation date.

 

(f) Supplier will be responsible for all direct and indirect costs, taxes and
other expenses incurred by Supplier, and any new or additional costs, taxes and
other expenses incurred by Triple-S, arising out of any Supplier-initiated
relocation of an operational facility from which the Services are provided or
any reallocation of volume or nature of Services being provided from one
Supplier Facility to another.

 

(g) The Parties acknowledge and agree that Supplier may use certain Triple-S
facilities (as agreed to by the Parties and documented in Schedule C-3
(Financial Responsibility Matrix)) to perform certain of the Services and the
requirements of Sections 4.2(a) through 4.2(d) (Place of Performance) do not
apply to Supplier’s use of such Triple-S facility.

 








 



4.3 Time of Performance

  



(a) Supplier will (and will provide the resources necessary to) complete the
Services in accordance with any applicable time schedules set forth in this
Agreement.

 

(b) Supplier will promptly notify Triple-S upon becoming aware of any
circumstances that may reasonably be expected to jeopardize the timely and
successful completion (or delivery) of any Service in a material manner.
Supplier will use Commercially Reasonable Efforts to avoid or minimize any
delays in performance and will inform Triple-S of the steps Supplier is taking
or will take to remediate any such problem, and the projected actual completion
(or delivery) time for remediating any such problem.

 

4.4 Triple-S Policies and Procedures

 

(a) Except as this Agreement expressly provides otherwise, Supplier will perform
the Services in compliance with Triple-S Policies and Procedures, provided that:

 

(i) any new Triple-S Policies and Procedures or modifications to Triple-S
Policies and Procedures will be disclosed to Supplier either (A) in writing or
(B) upon Supplier Personnel being notified of, and provided access to, such new
or modified Triple-S Policies and Procedures in the same manner as Triple-S
notifies its employees and other third parties (for example, posting a sign or
via Triple-S’ Compliance360 (or successor) portal); and

 

(ii) if compliance with any such new or modified Triple-S Policies and
Procedures introduced or modified after the Effective Date requires Supplier to
incur additional costs, and such compliance is not otherwise required by
Supplier under this Agreement (including as set forth in Section 13 (Compliance
with Laws)), then such Changes shall be implemented through the Change Control
Process.

 

(b) Notwithstanding the foregoing, the date Supplier is required to comply with
any such new or revised Triple-S Policies and Procedures shall be the compliance
or effective date listed in the applicable Statement of Work, Task Order or
Change Order executed by both Parties, provided that in no event shall such date
be later than any date required by Law or Other Compliance Obligation for
implementation of such Change.

 

4.5 Quality Assurance and Continuous Improvement

 

In performing the Services, Supplier will follow commercially reasonable quality
assurance procedures designed to provide that the Services are performed with a
high degree of professional quality and reliability. Such procedures shall
include checkpoint reviews, testing, acceptance, and other procedures for
Triple-S to confirm the quality of Supplier’s performance. Supplier, as part of
its quality management process, will provide continuous quality assurance and
quality improvement through: (a) the identification and application of proven
techniques and tools from other installations within its operations; (b) the
implementation of programs, practices and measures designed to improve
performance (including the Service Levels); and (c) annual certification of the
quality and currency of all Documentation (e.g., procedures and runbooks).
Supplier will utilize project management tools, including productivity aids and
project management systems, as appropriate in performing the Services. Supplier
shall comply with any continuous improvement clauses set forth in the Regulatory
Contracts.

 




 



4.6 Medicare Attestations

 

At Triple-S’ request, Supplier shall complete an offshore attestation(s) in the
form substantially similar to Schedule U (Offshore Attestation Form) no later
than fifteen (15) Business Days after the receipt of such request. Schedule U-1
(Completed Offshore Attestation) contains a completed attestation from Supplier
relating to the Services that Supplier is authorized to provide from outside the
United States as of the Effective Date.

 

5. SERVICE LEVELS AND CREDITS

 

5.1 General

 

Service Levels are set forth in Schedule B (Service Level Methodology). Supplier
shall perform the Services at a level of performance that is equal to or better
than the Service Levels identified in Schedule B (Service Level Methodology) to
this Agreement. If Supplier fails to meet a Critical Service Level (as defined
in Schedule B (Service Level Methodology)), Supplier shall pay a Service Level
Credit to Triple-S in accordance with Schedule B (Service Level Methodology).

 

5.2 Credits

 

(a) Service Level Credits will not be construed as a penalty or as liquidated
damages and will not be deemed to constitute Triple-S’s remedy, exclusive or
otherwise, for any actual damages caused by a failure to meet a Critical Service
Level; provided, however, that if Triple-S receives any Service Level Credits as
a result of such a failure, then the amount of damages then recoverable by
Triple-S with respect to such failure shall equal (i) the total amount of
damages then recoverable under this Agreement by Triple-S with respect to such
failure, without consideration of whether any Service Level Credits resulting
from such failure had been provided to Triple-S; less (ii) any amounts received
by Triple-S as Service Level Credits that result from such failure.

 

(b) Nothing set forth in this Agreement shall preclude Triple-S from exercising
its termination rights (to the extent they would otherwise be available as set
forth in this Agreement) for a failure to meet a Critical Service Level, or from
exercising any other remedies available to Triple-S under the Agreement, at law,
or in equity to address any other non-duplicative damages Triple-S or its
Affiliates may suffer or incur as a result of such a failure by Supplier (or
another entity or person for which Supplier is responsible). Supplier hereby
irrevocably waives any claim or defense that Service Level Credits are not
enforceable or that they constitute Triple-S’s sole and exclusive remedy with
respect to a failure to meet a Critical Service Level.

 

6. SUPPLIER PERSONNEL

 

6.1 Responsibility for Supplier Personnel, Generally

 

(a) Supplier will manage, supervise and provide direction to Supplier Personnel
and cause them to comply with the obligations and restrictions applicable to
Supplier under this Agreement. Supplier will make Supplier Personnel aware of,
and cause them to comply with, applicable Triple-S Policies and Procedures
(including those regarding safety and
security) while they are performing Services at Triple-S Facilities or accessing
Triple-S Data or Triple-S systems. As between Supplier and Triple-S, Supplier is
responsible for all wages, salaries and other amounts due Supplier Personnel,
and for all tax withholdings, unemployment insurance premiums, pension and
social welfare plan contributions, and other employer obligations with respect
to Supplier Personnel, in each case to the extent such amounts are owed for
periods when such employees are employed by Supplier. Supplier is responsible
for the acts and omissions of Supplier Personnel under or relating to this
Agreement.

 

(b) As between Supplier and Triple-S, Triple-S is responsible for all wages,
salaries and other amounts due to Triple-S employees, and for all tax
withholdings, unemployment insurance premiums, pension and social welfare plan
contributions, and other employer obligations with respect to Triple-S
employees, in each case to the extent such amounts are owed for periods when
such employees are employed by Triple-S.

 

(c) Supplier shall provide any training reasonably necessary for Supplier
Personnel to perform the Services (including technical training). Training
required for Supplier Personnel shall not be chargeable to Triple-S.

 

(d) Supplier shall maintain staffing levels as required for Supplier to properly
perform Supplier’s obligations under and in accordance with this Agreement. If
any Supplier Personnel leave the employment of Supplier or the Triple-S account,
Supplier will provide any replacement personnel (as may be necessary for
Supplier’s continued performance of the Services) who have experience, skills
and technical expertise required to perform the related Services and are in the
same location as the Supplier Personnel they are replacing. Supplier shall
ensure (to the extent reasonably possible) that any outgoing Supplier Personnel
leaving the Triple-S account spend a reasonable period of time training the new
Supplier Personnel, if any, who will be replacing such outgoing personnel.
Furthermore, if the scope of the Services changes in a manner requiring staffing
adjustments of Supplier Personnel, the Parties shall work in good faith to
develop a mutually agreed solution for Supplier to staff the revised scope of
Services accordingly, which solution will be agreed to in the Statement of Work,
Change Order or Task Order. Supplier is responsible for taking action at its own
expense to ensure that Supplier Personnel assigned to perform Services have the
legal right to work in the countries in which they are assigned to work.

 

6.2 Screening and Background Checks

 

Supplier shall perform the screening, Background Checks and drug testing
described in Schedule T (Background Checks) for all Supplier Personnel;
provided, however, that (a) Supplier may omit the drug testing required under
Section 2(i) of Schedule T (Background Checks) for certain Approved Subcontractors
in its reasonable discretion where such testing is not otherwise required by
Supplier’s internal compliance and subcontracting policies; and (b) Supplier may
omit other requirements of Schedule T (Background Checks) for Approved
Subcontractors so long as screening and Background Checks performed by Approved
Subcontractors comply with applicable Law and are substantially similar to the
other screening and Background Checks described in Schedule T (Background
Checks).

 




 



6.3 Key Supplier Positions and Other Requirements

 

(a) The “Key Supplier Positions” as of the Effective Date are listed in Schedule
D (Key Supplier Positions – Account Level) and in each Statement of Work. The
Supplier Account Executive will be one of the Key Supplier Positions. Supplier
will cause each of the Supplier Personnel filling the Key Supplier Positions
(whether as of the Effective Date, or replacement personnel filling such Key
Supplier Position during the Term or the Disengagement Assistance Period) to be
dedicated to the provision of the Services, except as otherwise specified on
Schedule D (Key Supplier Positions – Account Level). Supplier Personnel approved
as of the Effective Date to fill the Key Supplier Positions are listed in
Schedule D (Key Supplier Positions – Account Level) and in each SOW.

 

(b) Before the initial and each subsequent assignment of an individual to a Key
Supplier Position, Supplier will notify Triple-S of the proposed assignment and,
consistent with Supplier’s personnel practices, provide Triple-S a curriculum
vitae and other job-relevant information legally permissible under applicable
privacy Laws about the individual reasonably requested by Triple-S. Upon
Triple-S’s reasonable request, Supplier will provide Triple-S representatives an
opportunity to meet the individual. If Triple-S in good faith objects to the
proposed assignment, the Parties will attempt to resolve Triple-S’s concerns on
a mutually agreeable basis. If the Parties have not been able to resolve
Triple-S’s concerns within ten (10) Business Days, Supplier may not assign the
individual to that position and must propose the assignment of another suitably
qualified individual.

 

(c) Triple-S may, no more than once in each twelve (12) month period, change the
positions designated as Key Supplier Positions under this Agreement by providing
at least one hundred eighty (180) days prior written notice and so long as such
change does not increase the number of individuals filling Key Supplier
Positions, without Supplier’s consent. The provisions of this Section 6.3 will
extend to any re-designated positions, but will no longer apply to any positions
which were formerly a Key Supplier Position.

 

(d) Without prior written approval by Triple-S, which may be withheld in
Triple-S’s discretion (provided that Triple-S will not unreasonably withhold its
approval where Supplier requests relief from this requirement), and subject to
the last sentence of this Section and any exceptions set forth on Schedule D
(Key Supplier Positions – Account Level), Supplier will not reassign or replace
any person assigned to a Key Supplier Position during the first [***] of his or
her assignment to such Key Supplier Position. Subject to the prior sentence and
the last sentence of this Section, Supplier will give Triple-S at least 45 days
advance notice of a proposed change in personnel filling a Key Supplier
Position, and will discuss with Triple-S any objections Triple-S may have.
Supplier will arrange, at no charge, for the proposed replacement to work
side-by-side with the individual being replaced for not less than 30 days during
the notice period to effectuate a seamless transfer of knowledge prior to the
incumbent leaving the Key Supplier Position, unless the outgoing Supplier
Personnel is not available due to the circumstances described in the last
sentence of this Section. Subject to the last sentence of this Section,
individuals filling Key Supplier Positions may not be transferred or re-assigned
until a suitable replacement has been approved by Triple-S, and no such
re-assignment or transfer may occur at a time or in a manner that would have a
materially
adverse impact on delivery of the Services or Triple-S’s operations.
Notwithstanding anything herein to the contrary, Supplier may remove an
individual filling a Key Supplier Position for reasons of death, disability,
resignation, military leave, termination from employment by Supplier, leave
pursuant to the Family Medical Leave Act or maternity leave and other leaves
required by Law.

 

(e) Account Executives.

 

(i) During the Term and the Disengagement Assistance Period, Supplier will
provide a Supplier Account Executive (the “Supplier Account Executive”)
dedicated to the Triple-S account. The Supplier Account Executive shall be
available for meetings and work at the Triple-S San Juan offices or such other
Triple-S office as Triple-S reasonably requests. The Supplier Account Executive
will be a Key Supplier Position. The Supplier Account Executive will be
authorized to act as Supplier’s primary contact with respect to Supplier’s
obligations under this Agreement. The Supplier Account Executive will have
day-to-day responsibility for managing the delivery of the Services and
coordinating the delivery of the Services with the Program Manager (as defined
below). The Supplier Account Executive may designate in writing additional
Supplier Personnel to be a point of contact for Triple-S.

 

(ii) The Triple-S Program Manager described in Section 7 will be authorized to
act as Triple-S’s primary contact for Supplier with respect to Triple-S
obligations under this Agreement.

 

(f) Organizational Chart of Supplier and Supplier Personnel. On a quarterly
basis, Supplier will provide to Triple-S a reasonably detailed organizational
chart of Supplier’s then-current organization providing the Services.

 

(g) Resumes. Upon Triple-S’s request, Supplier shall provide copies of the
resumes of the Supplier Personnel filling Key Supplier Positions.

 

6.4 Removal and Replacement of Supplier Personnel

 

(a) Triple-S may immediately remove any individual Supplier Personnel from any
Triple-S Facilities if the person is threatening or abusive, commits a crime,
engages in an act of dishonesty while performing Services for Triple-S or
materially violates Triple-S Policies and Procedures, including those pertaining
to harassment, alcohol and drug free workplace, safety, or security or use of
Triple-S Facilities.

 

(b) If Triple-S determines in good faith that the continued assignment to
Triple-S’s account of any individual who is a Supplier Personnel is not in the
best interests of Triple-S, then Triple-S may give Supplier written notice to
that effect. After receipt of such a notice, Supplier will: (i) temporarily
remove such Supplier Personnel from the performance of the Services; and (ii)
have a reasonable period of time (not to exceed ten (10) Business Days after
receipt of Triple-S’s notice) in which to investigate the matters stated in the
notice, discuss its findings with Triple-S and resolve Triple-S’s concerns. If,
following such process, Triple-S requests permanent replacement of the
individual, Supplier will
(A) promptly remove such Supplier Personnel from the Triple-S account, and (B)
replace such Supplier Personnel or cause such Supplier Personnel to be replaced
with another suitably qualified person.

 

6.5 Controlling Turnover of Supplier Personnel

 

(a) Triple-S and Supplier agree that it is in their mutual best interests to
keep the turnover rate of Supplier Personnel to a reasonably low level.
Accordingly, if Triple-S believes that Supplier’s turnover rate is so excessive
that the Services are adversely affected in a material manner (in Triple-S’s
reasonable judgment), and so notifies Supplier, Supplier will provide data
concerning its turnover rate and meet with Triple-S to discuss the reasons for,
and impact of, the turnover rate. If requested by Triple-S, Supplier will submit
to Triple-S its proposals for reducing the turnover rate, and in addition to any
rights that Triple-S may have pursuant to Schedule B (Service Level
Methodology), if any, the Parties will mutually agree on a program to bring the
turnover rate down to an acceptable level. Supplier will provide Triple-S a
report describing Supplier Personnel turnover from time-to-time upon request,
but not more than once per twelve (12) month period.

 

(b) Notwithstanding any turnover of Supplier Personnel, Supplier remains
obligated to perform the Services in compliance with the requirements of this
Agreement.

 

6.6 Subcontracting

 

Supplier may subcontract or delegate the performance of Services only in
accordance with the following:

 

(a) Except as set forth in Section 6.6(g) and 6.6(h), Supplier shall not
subcontract for performance of, or delegate any of, its responsibilities under
this Agreement (including to any current or future Affiliates) without first
obtaining the prior written approval of Triple-S, which may be granted or
withheld in Triple-S’s reasonable discretion. When seeking such approval,
Supplier will give Triple-S reasonable prior written notice specifying the
components of the Services affected, the scope of the proposed subcontract, and
the identity and qualifications of the proposed Subcontractor. Supplier further
recognizes that it may not subcontract for performance of, or delegate any of,
its responsibilities under this Agreement without, to the extent approvals are
required, first obtaining certain regulatory approvals as set forth in Schedule
W (Regulatory Requirements) and certain customer approvals as set forth in
Section 3.4. Any such Subcontractor that meets the required regulatory approvals
and is approved by Triple-S (where such approval is required) and all other
Subcontractors for which Triple-S approval is not required (i.e., Non-Key
Subcontractors) shall be an “Approved Subcontractor” hereunder.

 

(b) For avoidance of doubt, nothing in this Section 6.6 (Subcontracting) will
limit the requirements under Section 4.2 (Place of Performance); provided that
such requirements do not apply to Non-Key Subcontractors.

 

(c) The Subcontractors that Triple-S has approved (where such approval is
required) as of
the Effective Date are listed in Schedule Q (Supplier Affiliates) and Schedule R
(Approved Subcontractors), and are deemed Approved Subcontractors by Triple-S
for the Functions applicable to each such Subcontractor set forth in Schedule Q
and Schedule R, respectively. If Triple-S approves (where such approval is
required) any additional Subcontractors after the Effective Date, they shall be
added to Schedule Q or Schedule R (as applicable). In addition, the Parties may
add Approved Subcontractors via letter or other informal written document signed
by both Parties.

 

(d) Supplier may use Approved Subcontractors to perform the Services to the
extent permitted by Triple-S’s approval (where such approval is required) as set
forth in Section 6.6(a) or, where Triple-S’s approval is not required, as
determined by Supplier. Supplier is responsible for managing all Subcontractors.
Supplier remains responsible for all Functions subcontracted or delegated to
Subcontractors to the same extent as if such Functions were to be or were
performed by Supplier acting through its officers, directors, employees, and
agents and, for purposes of this Agreement, such Functions will be deemed
Functions performed by Supplier.

 

(e) Supplier shall not restrict or prevent (including by contract) any
Subcontractor from entering into an agreement with Triple-S to perform services
directly for Triple-S.

 

(f) As between the Parties, Supplier shall be responsible for all acts and
omissions of:

 

(i) Supplier independent contractors and other Subcontractors as if they were
Supplier’s employees (including acts or omissions of such independent
contractors and Subcontractors) for purposes of determining Supplier’s liability
under this Agreement (including Supplier’s indemnification and confidentiality
obligations);

 

(ii) Supplier Personnel and Supplier Affiliates; and

 

(iii) any third party to whom Supplier permits access to Triple-S Data or
Triple-S Confidential Information.

 

(g) For clarification, Managed Third Parties (as defined in Schedule A (Cross
Functional Services)) shall not be considered Subcontractors for purposes of
this Agreement and all resources or items provided by Managed Third Parties
shall be deemed to be provided by Triple-S and shall be treated as such for
purposes of this Agreement, including provisions relating to facilities,
equipment, contracts, Software and Tools; provided Supplier remains responsible
for performing the vendor management services described in Schedule A (Cross
Functional Services) with respect to such Managed Third Parties.

 

(h) Supplier may, in the ordinary course of business and without obtaining the
prior approval of Triple-S, subcontract for third party services or products
(which include services and products from non-wholly owned Supplier Affiliates)
that satisfy each of the following conditions: (i) any such third party may not
be dedicated to performance of Services for Triple-S, (ii) any such
subcontracted services or products are not material to the performance of the
Services, and (iii) any such subcontracted services or products do not result in
a material change in the way Supplier conducts its business, and (iv) any such
third party does not have access to Triple-S’s PHI or Personally Identifiable
Information or Other Sensitive Confidential Information (collectively, “Non-Key
Subcontractors”). “Other Sensitive Confidential Information” means any
Confidential Information of Triple-S pertaining to Triple-S business strategy,
marketing strategy, trade secrets, pricing. Supplier will provide Triple-S with
a list of Non-Key Subcontractors on a quarterly basis. Each of the subcontracted
entities described in this Section 6.6(h) shall be considered Subcontractors for
the purposes of the Agreement. As of the Effective Date, there are no Non-Key
Subcontractors. All of the Subcontractors approved by Triple-S in Schedule R are
“key” Subcontractors.

 

(i) Notwithstanding anything to the contrary in this Agreement (including
Schedule Q (Supplier Affiliates) or Schedule R (Supplier Subcontractors)) and
without limiting the restrictions in Section 19.19, Supplier shall not permit
personnel from any Affiliate or other entity other than Supplier, Optum Services
(Puerto Rico) LLC and Optum Global Services, Inc., to access the [***] Software.

 

7. TRIPLE-S RESPONSIBILITIES

 

7.1 Appointment of Triple-S Program Management Office (PMO) Personnel

 

Triple-S will designate an individual to serve as Triple-S’s “Program Manager”,
who will be Supplier’s principal point of contact for obtaining decisions,
information, approvals and acceptances required from Triple-S.

 

7.2 Triple-S Cooperation Duties

 

(a) In support of Supplier’s performance of the Services and subject to Section
7.3 (Savings Clause), Triple-S will perform the Functions identified in this
Agreement as retained Triple-S Functions and provide or make available to
Supplier the Equipment, Software, and other resources that this Agreement
expressly states are to be provided by Triple-S or that the Parties otherwise
agree in a Change Order, amendment or similar document executed by the Parties
after the Effective Date are to be provided or made available to Supplier by
Triple-S.

 

(b) Triple-S will cooperate with Supplier and its Subcontractors, including by
making available management decisions, information, approvals and acceptances as
reasonably requested by Supplier so that Supplier may accomplish its obligations
and responsibilities under this Agreement.

 

(c) Only personnel as expressly so designated by the Triple-S Program Manager
(which Triple-S will communicate to Supplier from time-to-time) will be
authorized to make commitments on the part of Triple-S that amend this Agreement
or commit resources that are subject to a Charge. To the extent Supplier relies
on the apparent authority of any other personnel it does so at its own risk and
without obligation on Triple-S’s part.

 




 

7.3 Savings Clause



 

Triple-S’s delay or failure to perform its responsibilities set forth in this
Agreement (or cause them to be performed) will not constitute grounds for
termination by Supplier except as provided in Section 16.2 (Termination by
Supplier). Supplier’s nonperformance of its obligations under this Agreement
will be excused if and to the extent (a) such Supplier nonperformance results
directly from the failure or delay by Triple-S to perform (or cause its Service
Recipients, agents or third party contractors to perform) Triple-S’s obligations
under this Agreement or from Triple-S or its Service Recipients, agents or third
party contractors, and (b) Supplier provides Triple-S with reasonable notice of
such nonperformance, including details of the impact that the nonperformance has
on Supplier’s ability to perform, and uses Commercially Reasonable Efforts to
perform notwithstanding the failure to perform. If Supplier’s use of
Commercially Reasonable Efforts to perform in such a circumstance would cause
Supplier to incur material additional cost and expense, Supplier may so notify
Triple-S. If it does, Supplier’s obligation to continue its efforts to work
around the failure to perform will be subject to Triple-S agreeing to reimburse
Supplier for such material costs and expenses incurred in the course of such
efforts.

 

8. CHARGES

 

Schedule C (Charging Methodology) sets forth all of the Charges payable to
Supplier for performing the Services and the associated invoicing and payment
procedures and terms.

 

9. USE OF TRIPLE-S RESOURCES

 

9.1 Use Rights

 

This Section 9 sets forth the terms under which certain resources used by
Triple-S prior to the Effective Date will be made available to Supplier for use
in providing the Services. RIGHTS OF USE GRANTED BY Triple-S TO SUPPLIER UNDER
THIS SECTION 9 ARE GRANTED ON AN “AS IS, WHERE IS” BASIS, WITHOUT WARRANTIES OF
ANY KIND, except as otherwise expressly provided in this Agreement. For clarity,
the rights granted to Supplier in this Section 9 include use of the resource by
Supplier’s Approved Subcontractors.

 

9.2 Triple-S Equipment

 

(a) The Triple-S Equipment that Triple-S is obligated to make available to
Supplier to provide the Services is listed in Schedule C-3 (Financial
Responsibility Matrix). All Triple-S Equipment made available to Supplier shall
be subject to the terms of this Section 9.2.

 

(b) Triple-S grants to Supplier, without sale or assignment, the right to use
such Triple-S Equipment that Triple-S is obligated to make available under C-3
(Financial Responsibility Matrix). Such Equipment shall be used solely as
necessary to perform the Services.

 

(c) With respect to any such Equipment that is Triple-S Leased Equipment (i) the
foregoing right to use is subject to Triple-S obtaining any Required Consents
pursuant to Section 9.7 (Required Consents); and (ii) Supplier will comply with
the terms and conditions imposed on Triple-S by the leases for such Equipment
that have been provided to Supplier in writing.

 




 



9.3 Triple-S Third Party Service Contracts

 

(a) The Triple-S Third Party Service Contracts, if any, that Triple-S is
obligated to make available to Supplier to provide the Services are listed in
Schedule X (Source of Truth). All Triple-S Third Party Service Contracts made
available to Supplier shall be subject to the terms of this Section 9.3.

 

(b) Triple-S grants to Supplier, without assignment of such contracts, but
subject to Triple-S obtaining any Required Consents pursuant to Section 9.7
(Required Consents), the right to use the services provided to Triple-S under
such Triple-S Third Party Service Contracts, if any, until such time as
determined pursuant to Section 9.3(d), solely as necessary to perform the
Services. Supplier will comply with the terms and conditions imposed on Triple-S
by such Triple-S Third Party Services Contracts that are disclosed to Supplier
in writing.

 

(c) For clarity, contracts for maintenance, support, repair and similar services
relating to Equipment and Software shall be treated the same as the associated
Equipment or Software and therefore governed by Sections 9.2 (Triple-S
Equipment) and 9.4 (Triple-S Software and Triple-S Tools) (as applicable), and
not as Triple-S Third Party Service Contracts under this Section 9.3.

 

(d) When any such Triple-S Third Party Service Contract is no longer required
for performance of the Services, and in any event upon the earlier of (i) the
cessation or termination of the applicable Services, (ii) the expiration of the
Term and Disengagement Assistance Period, or (iii) the end of the applicable
contract term (as such term may be described in Schedule X (Source of Truth)),
Supplier will cease use of such Triple-S Third Party Service Contract.

 

9.4 Triple-S Software and Triple-S Tools

 

(a) The Triple-S Software and Triple-S Tools, if any, that Triple-S is obligated
to make available to Supplier to provide the Services are listed in Schedule X
(Source of Truth). All Triple-S Software and Triple-S Tools made available to
Supplier shall be subject to the terms of this Section 9.4.

 

(b) Triple-S (and each of its Affiliates) or the applicable licensor retains all
of its right, title and interest in and to the Triple-S Software and Triple-S
Tools.

 

(c) Subject to Triple-S having obtained any Required Consents pursuant to
Section 9.7 (Required Consents), as of the Effective Date, Triple-S grants to
Supplier, without assignment of the license, the right during the Term and any
Disengagement Assistance Period (or the applicable license term or as set forth
in Section 9.4(e) below, if shorter as Triple-S has (or later obtains)) to use
such Triple-S Licensed Software and Triple-S Licensed Tools, if any, solely as
necessary to perform the Services. Supplier will not seek to modify or otherwise
revoke such terms. Supplier will comply with the terms and conditions imposed on
Triple-S by the license for such Software and Tools that have been disclosed to
Supplier in writing.

 




 



(d) Supplier is not permitted to use such Triple-S Software and Triple-S Tools
for the benefit of any entity other than Triple-S (and other Service Recipients
under this Agreement) without the prior written consent of Triple-S, which may
be withheld in Triple-S’s discretion.

 

(e) When Triple-S Software or Triple-S Tools are no longer required for
performance of the Services, or in any event upon the earlier of (i) the
cessation or termination of the applicable Services, (ii) the expiration of the
Term and the Disengagement Assistance Period or (iii) with respect to Triple-S
Licensed Software and Triple-S Licensed Tools, the end of the applicable license
term (as such term is described in Schedule X (Source of Truth)), Supplier will
cease use of and return such Triple-S Software and Triple-S Tools to Triple-S in
an agreed format or, at Triple-S’s election, destroy them and certify the
destruction of all copies in Supplier’s (and any of its Subcontractor’s)
possession or control.

 

9.5 Triple-S Facilities

 

(a) Subject to Triple-S having obtained any Required Consents pursuant to
Section 9.7, Triple-S grants to Supplier the right to access the Triple-S
Facilities, to the extent permitted by applicable lease agreements, solely to
perform the Services. Such space to be made available is described on Schedule
C-3 (Financial Responsibility Matrix).

 

(b) Such facilities shall be provided from the Services Commencement Date until
the time period identified in Schedule C-3 (Financial Responsibility Matrix).

 

(c) Supplier will comply with the duties imposed on Triple-S (or its Affiliate)
by each lease for the Triple-S Facilities that are disclosed to Supplier in
writing.

 

9.6 Terms Applicable to Triple-S Facilities

 

(a) Except as provided in Section 9.5 above, Supplier is responsible for
providing the facilities and facilities-related support it needs to provide the
Services.

 

(b) Supplier’s use of the Triple-S Facilities shall be for the sole and
exclusive purpose of providing the Services and shall be subject to the terms
set forth in this Section 9.6. Supplier is not permitted to use Triple-S
Facilities for the benefit of any entity other than Triple-S (and other Service
Recipients under this Agreement) without the prior written consent of Triple-S,
which may be withheld in Triple-S’s discretion.

 

(c) Supplier will use the Triple-S Facilities in an efficient manner and in a
manner that does not interfere with Triple-S’s business operations.

 

(d) Supplier will keep the Triple-S Facilities in good order, not commit or
permit waste or damage to them or use them for any unlawful purpose or act.
Supplier will comply with the Triple-S Policies and Procedures and with
applicable lease terms made available to Supplier in writing, each of the
foregoing regarding access to and use of the Triple-S Facilities, including
procedures for the physical security of the Triple-S Facilities. Supplier is
responsible for any damage to Triple-S Facilities resulting from the acts or
omissions of Supplier during its use of the Triple-S Facilities.

 

(e) Supplier will permit Triple-S and its agents and representatives to enter
any portions of the Triple-S Facilities occupied by Supplier Personnel at any
time.

 

(f) Supplier may not make improvements or changes involving structural,
mechanical or electrical alterations to the Triple-S Facilities without
Triple-S’s prior written approval. Any improvements to the Triple-S Facilities
will become the property of Triple-S.

 

(g) Upon the earlier to occur of (i) the expiration of the time period for which
Triple-S agreed to permit Supplier to use the Triple-S Facilities as described
in Section 9.5(b), or (ii) when Triple-S Facilities are no longer required for
performance of the Services, or (iii) upon expiration or termination of this
Agreement (or the applicable lease term (as such term is described in Schedule
C-3 (Financial Responsibility Matrix)), if shorter), Supplier will return them to
Triple-S in substantially the same condition as when Supplier began use of them,
subject to reasonable wear and tear.

 

9.7 Required Consents

 

(a) Triple-S, with the reasonable cooperation of Supplier, is responsible for
obtaining Required Consents under any of the leases, contracts or licenses
referred to in this Section 9 (Use of Triple-S Resources) which Triple-S is
making available to Supplier for use in providing the Services (including use by
Subcontractors). Triple-S will work diligently to obtain such Required Consents
as soon as practicable after the Effective Date. Triple-S will bear the fees and
cost (such as transfer or upgrade fees) required to obtain such Required
Consents. Unless and until any Required Consent has been obtained, Supplier
will, pursuant to the Change Control Process, determine and adopt, subject to
Triple-S’s prior approval, such alternative approaches as are necessary and
sufficient for Supplier to provide the Services without the Required Consent.

 

(b) If Triple-S is not able to obtain any such Required Consent, or if Triple-S
elects not to obtain a Required Consent because of the cost or other terms
required to obtain such Required Consent, the Parties will use Commercially
Reasonable Efforts to identify alternative resources through the Change Control
Process.

 

(c) Supplier shall be responsible for obtaining any Required Consents for
leases, contracts or licenses relating to Software, Equipment and Third Party
Service Contracts that Supplier makes available to Triple-S (which, for clarity,
include the TSS Transferred Contracts but do not include Managed Third Parties)
during the Term and the Disengagement Assistance Period and thereafter, and will
pay any fees required to obtain such Required Consents. Triple-S shall provide
reasonable cooperation to Supplier in obtaining Required Consents with respect
to TSS Transferred Contracts.

 

10. RESPONSIBILITY FOR RESOURCES DURING THE TERM

 

This Section 10 describes each Party’s responsibility for providing and
operating certain resources required under this Agreement. Supplier shall be
compensated for the resources it
provides through the Charges provided in Schedule C (Charging Methodology), as
they may be adjusted in accordance with the terms of Schedule C (Charging
Methodology).

 

10.1 General Responsibility and Compatibility

 

(a) Except for (i) any resources which Triple-S has expressly agreed to provide
as set forth in Schedule X (Source of Truth), and (ii) items which are shown as
Triple-S Retained Expense in the Financial Responsibility Matrix attached as
Schedule C-3 (Financial Responsibility Matrix), Supplier is solely responsible
(and has Financial Responsibility) for providing, and shall have operational
responsibility for, all Equipment, Software, Tools, Third Party Service
Contracts, facilities, personnel, third party services and other resources as
required for Supplier to properly perform its obligations under and in
accordance with this Agreement, including modifications, upgrades, enhancements,
additions and replacements of such resources. Supplier’s Financial
Responsibility shall include such responsibility as set forth on Schedule C-3
(Financial Responsibility Matrix).

 

(b) Supplier will conform to and support Triple-S’s architecture, standards, and
strategic direction in rendering the Services as set forth in Triple-S Policies
and Procedures. Any Equipment and Software provided by or on behalf of Supplier
that connects to Triple-S’s IT infrastructure will comply with such
architecture, standards, and strategic direction, and any deviation from such
will be subject to the prior written approval of Triple-S. Supplier will notify
Triple-S if Triple-S’s architecture, standards or strategic direction conflicts
or is inconsistent with Supplier’s internal standards that would otherwise
enable achievement of efficiencies in providing the Services.

 

10.2 Equipment

 

Except for items which are shown as Triple-S Retained Expense in the Financial
Responsibility Matrix attached as Schedule C-3 (Financial Responsibility
Matrix), Supplier is responsible for acquiring, at its expense, the Equipment
(including modifications, upgrades, enhancements, additions and replacements of
Equipment) as required for Supplier to properly perform its obligations under
and in accordance with this Agreement. With respect to such Equipment:

 

(a) Supplier will acquire the Equipment in the name of Supplier; and

 

(b) Supplier will use Commercially Reasonable Efforts to acquire the right to
assign to Triple-S and a Successor Supplier the leases for Equipment exclusively
used to provide Services to Triple-S and which were entered into specifically
for performance of the Services (“Supplier Leased Equipment”) and applicable
maintenance contracts for such Supplier Leased Equipment if Supplier ceases to
provide the Services. If Supplier is unable to obtain such right to assign,
Supplier shall explore alternatives, and provide information to Triple-S
regarding any ramifications to the Services that may arise out of using
alternative Equipment.

 

10.3 Third Party Services

 

Except for (i) third party services which Triple-S has agreed to provide as
listed in Schedule X
(Source of Truth), and (ii) items which are shown as Triple-S Retained Expense
in the Financial Responsibility Matrix attached as Schedule C-3 (Financial
Responsibility Matrix), Supplier is responsible for acquiring, at its expense,
any third party services as required for Supplier to properly perform its
obligations under and in accordance with this Agreement. With respect to such
third party services:

 

(a) Supplier will contract for such third party services in its own name;

 

(b) Supplier will use Commercially Reasonable Efforts to acquire the right to
assign to Triple-S and a Successor Supplier any Third Party Service Contract for
which Supplier has Financial Responsibility and that is exclusively used to
provide Services to Triple-S and which were entered into specifically for
performance of the Services (collectively, “Supplier Third Party Service
Contracts”) if Supplier ceases to provide the Services. If Supplier is unable to
obtain such right to assign, Supplier shall explore alternatives under which
other Third Party Service Contracts may be assignable to Triple-S as described
above, and provide information to Triple-S regarding any ramifications to the
Services that may arise out of using such alternative assignable Third Party
Service Contracts; and

 

(c) Supplier will not procure any such Supplier Third Party Service Contracts
for which Supplier would not have the right to assign as described above,
without Triple-S’s prior written consent.

 

10.4 Supplier Software and Tools

 

(a) Except for (i) Software and Tools which Triple-S has agreed to provide as
listed in Schedule X (Source of Truth), and (ii) items which are shown as
Triple-S Retained Expense in the Financial Responsibility Matrix attached as
Schedule C-3 (Financial Responsibility Matrix), Supplier is responsible for
acquiring, at its expense, the Software and Tools (including modifications,
upgrades, enhancements, additions and replacements of Software and Tools) as
required for Supplier to properly perform its obligations under and in
accordance with this Agreement. With respect to such Software and Tools:

 

(i) Supplier will acquire such Software and Tools in its own name.

 

(ii) Supplier shall not, without Triple-S’s prior written consent (including as
set forth on Schedule S (Supplier Software and Supplier Tools)), use any Non
Commercially Available Supplier Software or Supplier Tools (collectively, “Non
Commercially Available Items”) to provide the Services.

 

(iii) If Supplier uses such a Non Commercially Available Item which requires the
consent of Triple-S pursuant to Section 10.4(a)(ii) and Supplier fails to obtain
Triple-S’s prior written agreement that Triple-S waives its right to receive a
license to such Non Commercially Available Item as hereinafter described, then
upon the expiration or termination of this Agreement, any Statement of Work or
Task Order (or part thereof), or Services with respect to which such Non
Commercially Available Item was used: (i) in the case of Supplier Owned Software
or Supplier Owned Tools, Supplier grants to Triple-S and Triple-S Affiliates
(and their respective designees and contractors provided that such third
party is subject to a confidentiality agreement with Triple-S with terms
substantially similar to Section 21 (Confidentiality) of these General Terms and
Conditions and Triple-S is responsible for such third party’s compliance with
this Agreement), and (ii) in the case of Supplier Licensed Software or Supplier
Licensed Tools, Supplier shall procure for Triple-S and Triple-S Affiliates (and
their designees and contractors provided that such third party is subject to a
confidentiality agreement with Triple-S with terms substantially similar to
Section 21 (Confidentiality) of these General Terms and Conditions and Triple-S
is responsible for such third party’s compliance with this Agreement), in each
case, for no additional consideration, a perpetual, worldwide, fully paid up,
royalty-free, non-exclusive license to Use such Supplier Software or Supplier
Tool, as applicable (including Source Code, programmer interfaces, available
documentation, manuals, and other materials necessary for the Use thereof), for
the sole purpose of providing services to Triple-S and the Service Recipients.

 

(iv) Upon Triple-S’s request, Supplier shall also provide to or procure for
Triple-S a commercially reasonable maintenance and support agreement for such
Non Commercially Available Item, the charges for which will be Triple-S’s
responsibility with respect to the period after the Disengagement Assistance
Period.

 

(b) Without limiting the foregoing, Schedule S (Supplier Software and Supplier
Tools) sets forth a list of the Supplier Software and Supplier Tools to be used
by Supplier to provide the Services as of the Effective Date. The Parties agree
that for the Supplier Software and Supplier Tools set forth in Schedule S
(Supplier Software and Supplier Tools) that are designated as “Non Commercially
Available,” Triple-S: (i) consents to the use of such Software and Tools by
Supplier to provide the Services for the purposes described in Schedule S
(Supplier Software and Supplier Tools) (as such consent is contemplated by
Section 10.4(a)(ii) above), and (ii) waives its right to receive a license to
such Software or Tool as contemplated by Section 10.4(a)(iii) above.

 

(c) On an annual basis, Supplier shall provide updates to Schedule S (Supplier
Software and Supplier Tools) reflecting any additional Supplier Software and
Supplier Tools used by Supplier to provide the Services that is not shown on the
then-existing Schedule S (Supplier Software and Supplier Tools). (Such Software
shall not include any Triple-S Owned Software or Triple-S Licensed Software
provided by Triple-S for Supplier’s use under this Agreement.) The updates to
such Schedules required under this Section 10.4(c) will separately identify:

 

(i) Supplier Software that is Commercially Available,

 

(ii) Supplier Software that is Non-Commercially Available,

 

(iii) Third Party Software that is Commercially Available, and

 

(iv) Third Party Software that is Non-Commercially Available.

  




 

10.5 License During the Term and Disengagement Assistance Periods

 



(a) Supplier hereby grants to Triple-S and the Service Recipients (and their
respective service providers and contractors provided that Triple-S and such
third party are subject to a confidentiality agreement with terms substantially
similar to Section 21 (Confidentiality) of these General Terms and Conditions)
during the Term and any Disengagement Assistance Period, the right to use
Software made available by Supplier to Triple-S and Triple-S Affiliates during
the Term (including any updates and upgrades to such Software provided by
Supplier), solely for Triple-S (and its Affiliates and Service Recipients) to
receive or use the Services. For clarity, this license does not apply to
Software used by Supplier in performance of the Services that is not listed in
Schedule S (Supplier Software and Tools) and not otherwise made available during
the Term for access or use by Triple-S.

 

(b) Supplier hereby grants to Triple-S, its Affiliates and the Service
Recipients (and their respective service providers and contractors provided that
such third party is subject to a confidentiality agreement with Triple-S with
terms substantially similar to Section 21 (Confidentiality) of these General
Terms and Conditions and Triple-S is responsible for such third party’s
compliance with this Agreement) during the Term and any Disengagement Assistance
Period, the right to access and Use the systems used by Supplier to provide the
Services or the systems supported by Supplier as part of the Services (and
Triple-S Data stored or processed in such systems) solely for Triple-S, its
Affiliates and the Service Recipients (and their respective service providers
and contractors provided that such third party is subject to a confidentiality
agreement with Triple-S with terms substantially similar to Section 21
(Confidentiality) of these General Terms and Conditions and Triple-S is
responsible for such third party’s compliance with this Agreement) to perform
their designated roles for Triple-S and its Affiliates as reasonably required to
receive and use the Services or otherwise reasonably required to carry on
Triple-S’s and its Affiliates’ business operations and retained responsibilities.
By way of example and not limitation, Triple-S’s rights include the right to
access (or permit a service provider or contractor to access provided that such
third party is subject to a confidentiality agreement with Triple-S with terms
substantially similar to Section 21 (Confidentiality) of these General Terms and
Conditions and Triple-S is responsible for such third party’s compliance with
this Agreement) the systems used by Supplier to provide the Services in order to
access Triple-S Data, process claims that are not in the scope of the Services,
generate queries, run reports and perform retained Functions.

 

10.6 Network Connectivity

 

Financial Responsibility for providing network connectivity between facilities
necessary to provide the Services is allocated in Schedule C-3 (Financial
Responsibility Matrix).

 

10.7 Triple-S Personnel

 

The In-Scope Employee Agreement (a form of which is attached as Schedule G)
provides obligations of the Parties relating to certain In-Scope Employees (as
defined in Schedule G). Supplier remains responsible for all Functions delegated
to the In-Scope Employees to the same extent as if such Functions were to be or
were performed by Supplier Employees, and for purposes of this Agreement, such
Functions will be deemed Functions performed by Supplier. Supplier shall be
responsible for all acts and omissions of the In-Scope Employees except to the
extent expressly provided otherwise in Schedule G. For purposes of clarity: (a)
Supplier’s failure to meet a Service Level or comply with any other obligation
under this Agreement shall not be excused under Section 2.5 of Schedule B
(Service Level Methodology) or otherwise under this Agreement as a result of an
In-Scope Employee’s acts or omissions; and (b) Supplier shall be liable for
Security Breaches, indemnification obligations, and other claims Triple-S may
have under this Agreement as a result of an In-Scope Employee’s acts or
omissions to the same extent Supplier would be liable for them had the acts or
omissions been by a Supplier Employee.

 

10.8 Flow Down Terms

 

Triple-S shall comply with the terms and conditions provided in Schedule Y
(Subcontractor Flow-Down Terms) regarding Triple-S’s use of Equipment, Third
Party Services, Software and Tools provided or made available by Supplier.

 

11. TRANSITION

 

11.1 Transition Overview

 

(a) This Section 11 (Transition) addresses at a high level the transition of the
Functions comprising the Services from Triple-S to Supplier. Each of the Initial
SOWs contains an exhibit describing the Transition approach and plans for that
Initial SOW.

 

(b) The Transition approaches, plans and schedules set forth in the Initial SOWs
reflect the Parties’ preliminary understanding as to how the Transition will be
conducted and will serve as preliminary Transition Documents. Promptly following
the execution of this Agreement, Supplier will work diligently with Triple-S’s
team leads for each SOW to develop and submit final Transition Documents for
Triple-S’s review and approval, and such plans will contain the necessary level
of operational detail, as set forth in Section 11.3.

 

11.2 Transition Defined and Start of Transition

 

(a) “Transition” means the process (and associated time period) of migrating
performance of the Services from Triple-S or from Triple-S’s then-current
service providers to Supplier, completing any contemplated movement of services
from onshore locations to alternate onshore locations, near shore locations and
offshore locations (each as contemplated by the applicable Transition
Documents), making any planned improvements to the process and methods and
infrastructure used to perform and deliver the Services that are intended to be
made during the period of Transition, and causing any required knowledge
transfer from Triple-S personnel to Supplier Personnel.

 

(b) The Transitions for each of the Initial SOWs (each, an “Initial SOW
Transition”) shall commence on the Effective Date or such date set forth in the
Statement of Work, if later, and continue through the date that Supplier has
assumed all responsibility with respect to the Services covered by the Initial
SOWs and completed the transition to the contemplated service delivery model.

 




 



(c) The Transition for each Future SOW (each, a “Future SOW Transition”) shall
commence on the applicable SOW Effective Date or such date set forth in the
Statement of Work, if later, and continue through the date that Supplier has
assumed all responsibility with respect to the Services covered by such Future
SOW and completed the transition to the contemplated service delivery model (if
any).

 

11.3 Transition Documents

 

(a) Each Transition shall be conducted in accordance with a written plan and
documents (the “Transition Documents”) which shall include: (i) a description of
the operations being transitioned; (ii) a general description of the methods and
procedures, personnel and organization Supplier will use to perform the
Transition; (iii) a schedule of the Transition activities; (iv) a detailed
description of the respective roles and responsibilities of Triple-S and
Supplier; (v) Transition Milestones, Transition Deliverables and Acceptance
Criteria, as described in Section 11.4(b) below, and (vi) such other information
and planning as are necessary to conduct the Transition in accordance with the
other terms in this Agreement.

 

(b) A draft of the Transition Documents for the Initial SOWs Transition is
attached in each Initial SOW.

 

(c) A draft of the Transition Documents for any Future SOW Transition shall be
included as part of the applicable Future SOWs.

 

(d) Supplier shall be responsible for revising and finalizing the applicable
Transition Documents, provided that: (i) Supplier shall cooperate and work
closely with Triple-S in finalizing such Transition Documents (including
incorporating Triple-S’s reasonable comments); and (ii) any change to a
Transition Document after the Effective Date shall be subject to the prior
written approval of Triple-S.

 

(e) Supplier shall perform the Services necessary to complete the Transition of
the initial Services in accordance with the terms set forth in this Agreement,
including the Transition Documents (collectively, the “Transition Services”).

 

(f) Supplier shall be responsible for revising and finalizing the Transition
Documents.

 

11.4 Transition Deliverables and Transition Milestones

 

(a) Supplier will carry out and complete each Transition in accordance with the
applicable Transition Documents, including any time schedule and deadlines set
forth in such documents. Supplier shall complete the Transition by the
Transition Completion Date set forth in the Transition Documents.

 

(b) The Transition Documents will include, as critical components, clear
definitions of the waves, stages, and discrete work streams that will comprise
the Transition for each Initial SOW and a delineation of the Transition
Deliverables (“Transition Deliverables”) and Transition milestones (“Transition
Milestones”), and their respective Acceptance Criteria. The Transition
Deliverables and Transition Milestones will be used to
determine, at logical stages of each Transition, whether progress has been
sufficient to warrant proceeding to the next stage, whether there are any
corrective actions that should be taken before proceeding with dependent work,
the next stage or related Transition activities, and whether there are any
lessons learned from performance of Transition waves that should be documented
and communicated to the Transition teams working on other waves in order to
minimize the recurrence of problems during Transition.

 

(c) The Transition Deliverables and Transition Milestones for the initial
Transitions are set forth in each SOW.

 

(d) Schedule N-1 (Deliverable and Milestone Acceptance Procedures) details the
process by which Triple-S will determine whether the Acceptance Criteria for
each Transition Deliverable and Transition Milestone have been met. A Transition
Deliverable or Transition Milestone will be deemed to be Accepted at such time
as Triple-S agrees that all Acceptance Criteria have been satisfied and
completed to Triple-S’s satisfaction and Triple-S issues a written notice to
Supplier that the Transition Deliverable or Transition Milestone is complete.

 

11.5 Conduct of the Transition

 

Except as otherwise expressly provided in this Agreement or the Transition
Documents, Supplier’s responsibilities with respect to the Transition include:

 

(a) performing and managing the Transition and activities;

 

(b) performing the Transition activities without material interruption to any
services, and without materially disrupting Triple-S’s business operations; and

 

(c) otherwise performing such migration tasks as are necessary to enable
Supplier to complete the Transition and provide the Services.

 

11.6 Triple-S Cooperation and Support

 

Triple-S will cooperate with Supplier, and Triple-S shall use Commercially
Reasonable Efforts to cause its suppliers (including Managed Third Parties as
provided in Section 2.4(e) of Schedule A (Cross Functional Services)) to
cooperate with Supplier, in the conduct of the Transition and provide support as
described in the Transition Documents or as reasonably required for Supplier to
complete the Transition.

 

11.7 Completion of Transition

 

(a) Triple-S reserves the right to monitor, test and otherwise observe and
participate in the Transition. Supplier will notify Triple-S without delay if
any Triple-S monitoring, testing or participation has caused (or Supplier
expects it to cause) a problem or delay in the Transition and work with Triple-S
to prevent or circumvent the problem or delay. Supplier will not be responsible
for any problems or delays caused by any Triple-S monitoring, testing or
participation in the Transition (provided Supplier notifies Triple-S that such
monitoring, testing or participation may or does cause problems or delays).

 




 



(b) Triple-S may elect at its reasonable discretion to suspend or delay a
Transition activity at any time, including in the event such Transition activity
is not proceeding in accordance with the requirements of the approved Transition
Project Plan and other Transition Documents or is causing unplanned disruptions
or other adverse effects to Triple-S (or its Affiliates). During any suspension
or delay period, Supplier, as practicable, will continue to perform the Services
as required under this Agreement in the manner the Services were performed prior
to the commencement of the applicable Transition activity. Suspension or delay
of a Transition activity, where arising out of Supplier’s failure to perform the
Transition in accordance with the requirements of the approved Transition
Documents or this Agreement, will, except as set forth in Section 11.7(a), be at
no additional charge to Triple-S and will continue until Supplier demonstrates,
to Triple-S’s reasonable satisfaction, that Supplier is ready to comply with
such requirements and/or end any disruptions or adverse effects. Supplier will
be responsible, at its own expense, for achieving the Transition schedule
notwithstanding the suspension or delay; provided, however, that if Triple-S
suspends or delays a Transition activity due to no fault of Supplier, and if the
suspension or delay would cause Supplier to incur reasonable additional
expenses, the deadlines for Transition will be equitably extended to account for
Triple-S’s suspension or delay and Supplier may so notify Triple-S, providing a
good faith estimate of such expenses Supplier expects to incur. In such case,
Triple-S’s right to continue the suspension or delay will be subject to Triple-S
agreeing to reimburse Supplier for such reasonable additional expenses incurred
as a result of the suspension or delay.

 

11.8 In Flight Projects

 

As part of the Transition, Supplier will also assume responsibility for
completing the projects listed or described in Schedule P (In-Flight Projects)
(to the extent Supplier is assigned responsibility on Schedule P (In-Flight
Projects)), which are in progress or planned as of the Effective Date and being
performed by resources of Triple-S or a prior service provider which are being
replaced by Supplier (the “In-Flight Projects”). After the Effective Date, the
Parties will work in good faith to update Schedule P (In-Flight Projects) to
describe the Deliverables that are Supplier’s responsibility and the resource
requirements for each In-Flight Project.

 

12. TRANSFORMATION AND CRITICAL MILESTONES

 

12.1 Transformation

 

(a) “Transformation” means those activities primarily being performed following
completion of the Transitions (although certain Transformation activities will
be performed prior to the completion of the Transitions) to be performed by
Supplier that are set forth in SOW #2, Exhibit C (IT Solution) that are designed
to transform the environments used to deliver Services to Triple-S in accordance
with Triple-S requirements, including by further improving the quality,
responsiveness, flexibility, efficiency and productivity of Service delivery, by
undertaking those activities.

 

(b) Supplier will carry out and complete Transformation described in and in
accordance with SOW #2, Exhibit C (IT Solution) and its associated Schedules,
including any time schedules, project plans, deadlines, and other documents set
forth in such Schedule
(collectively, “Transformation Documents”). Supplier shall complete
Transformation by the dates set forth in the Transformation Documents.

 

12.2 Critical Milestones

 

(a) With respect to Transition and Transformation, the Parties shall agree upon
a set of Critical Milestones (each, a “Critical Milestone”). Supplier shall
complete each Critical Milestone by the applicable date the Parties agree on for
completion of such Critical Milestones (each such date, a “Critical Milestone
Completion Date”). The Critical Milestones and Critical Milestone Completion
Dates are set forth in SOW #1, Exhibit A-3-3 (Critical Milestones) and SOW #2,
Exhibit A-3-3 (Critical Transition and Transformation Milestones & Acceptance
Criteria).

 

(b) A Critical Milestone will be deemed to be complete at such time as Triple-S
agrees that all Acceptance Criteria have been satisfied and completed to
Triple-S’s satisfaction and Triple-S issues a written notice to Supplier that
the Critical Milestone is complete. The acceptance procedures described in
Schedule N-1 (Deliverable and Milestone Acceptance Procedures) to this Agreement
will apply with respect to such milestones. If Supplier fails to complete any
Critical Milestone by the applicable Critical Milestone Completion Date, such
failure shall be deemed to be a “Critical Milestone Failure”.

 

(c) If a Critical Milestone Failure occurs, then:

 

(i) If Supplier’s charges to Triple-S are greater than they would have been if
the delayed Transformation project had been completed on schedule, Triple-S will
receive a credit against Supplier’s monthly charges on the subsequent invoice(s)
in an amount equal to the difference between the actual charges being paid by
Triple-S and what Supplier’s charges would have been if the delayed
Transformation had been completed on schedule; and

 

(ii) Supplier will grant Triple-S an additional credit against Supplier’s
monthly charges on the subsequent invoice(s) in an amount sufficient to
reimburse Triple-S for any documented costs incurred for facilities, personnel,
third-party equipment, Software, services, and other operational costs that
would not have been incurred if the delayed Transformation had been completed on
schedule and in accordance with this Agreement (including costs of internal
Triple-S resources and amounts payable to third parties); provided that (A)
Triple-S shall use Commercially Reasonable Efforts to mitigate such costs, (B)
such costs may not include lost revenue or profits from potential forecasted
business benefits, and (C) such credit shall be reduced by the amount of any
Critical Transformation Credits paid by Supplier for the same Critical Milestone
Failure.

 

(d) Nothing set forth in Section 12.2 shall limit Triple-S’s right to make a
claim for damages relating to a Critical Milestone to the extent such damages
exceed the amount of the credits paid by Supplier to Triple-S related to such
Critical Milestone described in Section 12.2.

 




 



13. COMPLIANCE WITH LAWS

 

13.1 Parties’ Compliance Obligations, Generally

 

(a) Supplier’s Obligations.

 

(i) Supplier agrees at its cost and expense (subject to Sections 13.1(b) and
18.4(e)(ii)(B)): (x) to comply with its obligations under Schedule W (Regulatory
Requirements), and (y) obtain all necessary approvals, licenses (including
licensure requirements applicable to Supplier Personnel), and permits required
by Law, and to comply with all Laws, in each case as applicable to:

 

(A) its business (or that of any of its Affiliates);

 

(B) the performance of any of its obligations under this Agreement;

 

(C) the Services that Supplier is obligated to provide under this Agreement,
including as such obligations may evolve pursuant to this Agreement, including
Services provided with respect to any jurisdiction in which Triple-S does
business; or

 

(D) its obligations under this Section 13 (Compliance with Laws).

 

(ii) Supplier shall provide the Services in a manner that does not cause
Triple-S to be non-compliant with any Law relating to the provision or receipt
of the Services and to which Triple-S is subject.

 

(iii) Supplier shall identify, track and report any failure by Supplier to
comply with Laws or failure (or suspected failure) to comply with the Regulatory
Compliance Adherence Services set forth in Schedule A (Cross Functional Services).
Such report shall be made to Triple-S in writing and directed to the Triple-S
Chief Legal Officer and the Chief Information Officer within five (5) days of
Supplier’s learning of same.

 

(b) Triple-S’s Obligations.

 

(i) Triple-S agrees at its cost and expense: (x) to comply with its obligations
under Schedule W (Regulatory Requirements), and (y) obtain all necessary
approvals, licenses and permits required by Law (including licensure
requirements applicable to Service Recipients), and to comply with all Laws, in
each case as applicable to:

 

(A) its business (or that of any of its Affiliates);

 

(B) the performance of any of its obligations under this Agreement; or

 

(C) its obligations under this Section 13 (Compliance with Laws).

 




 



(ii) If Triple-S is charged with failing to comply with any such Laws it shall
promptly notify Supplier of the charges in writing.

 

(c) Each Party shall bear the risk of and have financial responsibility for any
change in Laws or new Laws for which it is responsible pursuant to Sections
13.1(a) (for Supplier) and 13.1(b) (for Triple-S) except to the extent otherwise
expressly provided in Schedule C (Charging Methodology) or Schedule K (Reports).

 

(d) Changes in Laws and New Laws Applicable to the Services.

 

(i) The Parties shall be jointly responsible for discovering, identifying, and
tracking new Laws and changes in Laws applicable to the Services; provided,
however that Triple-S’s responsibility under this Section 13.1(d)(i) shall not
relieve Supplier of its obligations under Section 13.1(a) and shall not relieve
Triple-S of its obligations under Section 13.1(b). Each Party shall provide
written notice to the other Party of any such Law that it identifies.

 

(ii) In the event there are new Laws or changes in Laws applicable to the
Services, Supplier and Triple-S shall jointly interpret such Laws and the extent
to which the Services must be changed to comply with such Laws, provided,
however, that in the event of a disagreement between the Parties regarding such
an interpretation, Triple-S’s interpretation shall govern.

 

(iii) Triple-S shall be responsible for making any necessary revisions to the
Triple-S Policies and Procedures necessary to comply with such new Laws and
changes to Laws. Supplier shall comply with such revised Triple-S Policies and
Procedures in accordance with Section 4.4 (Triple-S Policies and Procedures).

 

(iv) Subject to Section 18.4(e)(ii), Supplier shall be solely responsible for
making changes to Supplier’s operational processes and procedures required for
Supplier to comply with such change in Laws or new Laws.

 

13.2 Other Compliance Requirements

 

(a) Without limiting the generality of the foregoing, Supplier agrees as
follows:

 

(i) FAR Anti-Kickback Requirements. Supplier understands that with respect to
any attempt to provide or offer to provide any kickback prohibited by the
Anti-Kickback Law of 1986 (41 U.S.C. §§ 51-58), when Triple-S has reasonable
grounds to believe that a violation has occurred, Triple-S is obliged to report
such to the Federal government in writing and to cooperate fully with any
Federal investigation. Supplier further understands that the Federal government
may offset the amount of any kickback against any monies owed to the government,
or direct Triple-S to withhold that amount from any sums owed Supplier, with
notification to the government, and that the government may order that any
monies withheld from Supplier be paid to the government, unless already offset.

 




 



(ii) Supplier Certification. If applicable, the Parties hereby incorporate the
requirements of 41 C.F.R. 60-1.4(a)(7), 41 C.F.R. 60-300.5(a), 41 C.F.R.
60-741.5(a), 48 C.F.R. 19.702, and 48 C.F.R. 19.708.

 

(iii) Conviction of a Felony Involving Dishonesty or Breach of Trust. Supplier
understands that pursuant to 18 U.S.C. §1033, Triple-S is prohibited from
employing or contracting with, for any aspect of its business that involves the
“business of insurance,” any individual who: (A) (i) has been convicted of a
criminal felony or had a civil judgment rendered against it for offenses
involving dishonesty or a breach of trust (including the following offenses: any
type of fraud; any crime based on false representations; criminal impersonation;
fraudulent use of credit or debit charges; violation of a fiduciary
relationship; violation of federal or state antitrust statutes; offenses
involving the sale or exchange of securities; embezzlement; theft; forgery;
bribery; falsification or destruction of records; counterfeiting or passing
counterfeit money; money laundering; extortion; perjury and subornation of
perjury; knowingly issuing a bad check; theft by deception; knowingly receiving
or possessing stolen property; making false statements; tax evasion; or
receiving stolen property), or (ii) who has been convicted of an offense under
§1033 (any such person under (i) or (ii) a “Prohibited Person”); and (B) has not
obtained the prior written consent of the Commissioner of Insurance to engage in
the “business of insurance.” Supplier represents that Supplier, its Affiliates
and Subcontractors, and their employees, agents and representatives, were not a
Prohibited Person at the time hired by Supplier, and, either (1) is not a
Prohibited Person or (2) is a Prohibited Person, but has obtained the requisite
consent of the Commissioner of Insurance to engage in the business of insurance.
Should a Prohibited Person perform duties pursuant to this Agreement on behalf
of Supplier, Supplier agrees to so notify Triple-S in writing and provide a copy
of the consent of the Commissioner of Insurance within seven (7) days of
execution of this Agreement. Supplier certifies that none of Supplier or its
Affiliates or subcontractor(s), or its or their employees, agents or
representatives, have within a three (3) year period preceding the date of this
Agreement, had one or more public transactions (federal, state or local)
terminated for cause or default.

 

(iv) E-Verify. Supplier shall comply with Federal Acquisition Regulation
52.222-54, to verify the employment eligibility of Supplier employees and shall
cause all Subcontractors to comply with such regulation. Supplier shall promptly
execute an agreement to confirm the foregoing if requested by Triple-S.

 

(v) Other Federal Requirements. If applicable, Executive Order 11246, 29 C.F.R.
Part 471, Appendix A to Subpart A, and 41 C.F.R. Parts 60-1.4, 60-1.7, 60-4.3
are incorporated. Supplier and Subcontractors shall abide by the requirements of
41 C.F.R. 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination
against qualified protected veterans and against qualified individuals on the
basis of disability, and require affirmative action by covered prime contractors
and subcontractors to employ and advance in employment qualified protected
veterans and qualified individuals with disabilities.

 




 



13.3 Import/Export Controls

 

(a) The Parties acknowledge that certain computer hardware, software, technical
data, other items (or derivatives of any of the above) exchanged pursuant to
this Agreement may be subject to import/export controls under the Laws of the
United States and other countries.

 

(b) Each Party will be responsible for compliance with import/export control
Laws with respect to any items it is deemed under such Laws to have imported or
exported, including responsibility for preparing and filing all required
documentation and obtaining all licenses, permits and authorizations required
for compliance. Each Party will reasonably cooperate with the other Party in
that Party’s efforts to comply with applicable import/export control Laws.

 

(c) Neither Party will import, export or re-export any such items, any direct
product of those items, or any technical data or permit the shipment of the same
(i) in violation of applicable import/export control Laws; (ii) into any country
or region with respect to which the United States has imposed comprehensive
sanctions (as of the Effective Date, Cuba, North Korea, Iran, Sudan, Syria, and
the Crimea region); or (iii) to anyone on the U.S. Treasury Department’s List of
Specially Designated Nationals, List of Specially Designated Terrorists or List
of Specially Designated Narcotics Traffickers, or the U.S. Commerce Department’s
Denied Persons List.

 

(d) Supplier agrees that Supplier will not utilize any Supplier Personnel who
are nationals (citizens or lawful permanent residents) of the countries
described in Section 13.3(c)(ii) above or who fall within the criteria set forth
in 13.3(c)(iii) above, provided that for clarity, Supplier may utilize any
Supplier Personnel who have subsequent dual citizenship in the United States (or
another country that is not sanctioned) and one of the countries described in
Section 13.3(c)(ii) or who have lawful permanent residency in the United States
(or another country that is not sanctioned).

 

(e) Supplier will include with copies of all Software provided to Supplier by
Triple-S on a disc or other similar media and that Supplier will use outside of
the United States documentation stating that “These commodities, technology or
software were exported from the United States in accordance with Export
Administration Regulations. Diversion or re-export contrary to U.S. law is
prohibited”.

 

(f) Supplier agrees that any export by Triple-S to Supplier under this Agreement
shall be to Supplier or to Affiliates of Supplier that are a “U.S. subsidiary”
as defined in 15 C.F.R. 772.1, such that no export license or other
authorization is required to be obtained for its export.

 

13.4 Compliance with Data Privacy and Data Protection Laws, Regulations and
Policies

 

In carrying out its activities under this Agreement, each Party will observe and
comply with all applicable data privacy and data protection Laws, including the
relevant provisions of HIPAA and the HITECH Act. In addition, when accessing or
handling any Triple-S Data that contains Personally Identifiable Information,
Supplier will comply with the Triple-S Policies and Procedures and Schedule L
(IT Security Addendum) relating to the use and disclosure of such information.

 








 

13.5 Business Associate Agreement

 

The Parties hereby agree to the terms of the Business Associate Agreement
attached as Schedule H (Business Associate Agreement), which is hereby
incorporated by reference. In the event of any conflict among the terms of this
Agreement (excluding Schedule H (Business Associate Agreement)) and the terms
and conditions of Schedule H (Business Associate Agreement), the terms and
conditions that are more protective of the PHI (as such term is defined in
Schedule H) shall govern to the extent of that conflict.

 

14. DATA SECURITY AND PROTECTION

 

14.1 Triple-S Data, Generally

 

(a) As between the Parties, Triple-S Data will be and remain the property of
Triple-S. Supplier may not use Triple-S Data for any purpose other than to
render the Services. No Triple-S Data will be sold, assigned, leased or
otherwise disposed of to third parties or commercially exploited by or on behalf
of Supplier (or any of its Subcontractors). Neither Supplier nor any of its
Subcontractors may possess or assert any lien or other right against or to
Triple-S Data. Without limiting the generality of the foregoing, (i) Supplier
may only use Triple-S Data as strictly necessary to render the Services and must
restrict access to such information to Supplier Personnel on a strict
need-to-know basis, and (ii) Supplier shall not download, copy, transmit or make
available any Triple-S Data to any third party, except as expressly permitted by
this Agreement, including (A) to Supplier Affiliates identified on Schedule Q
(Supplier Affiliates) or Approved Subcontractors, and then only as strictly
necessary for such entities to render the Services and subject to restrictions
that such Triple-S Data be made available to their employees on a strict
need-to-know basis and subject to the other requirements of this Agreement
regarding Triple-S Data, (B) as expressly permitted by this Agreement, or (C) as
required by Law.

 

(b) At Triple-S’s request at any time during the Term and any Disengagement
Assistance Period, Supplier shall provide Triple-S with access to and/or copies
of (in format reasonably requested by Triple-S and in a reasonable period of
time given the circumstances of the request) any Triple-S Data stored on
Supplier systems or otherwise under the control of Supplier.

 

14.2 Data Security

 

(a) Supplier shall establish an information security program with respect to
Triple-S Data which is designed to: (i) ensure the security and confidentiality
of such Triple-S Data; (ii) protect against any anticipated threats or hazards
to the security or integrity of such Triple-S Data, and (iii) protect against
any unauthorized use of or access to such Triple-S Data. Supplier shall also
establish and maintain network and internet security procedures, protocols,
security gateways and firewalls with respect to such Triple-S Data. All of the
foregoing shall be consistent with the Triple-S Policies and Procedures and
shall be no less rigorous than those maintained by Supplier for its own data and
information of a similar nature.

 

(b) When present at Triple-S Facilities or accessing Triple-S Data or Triple-S
systems, Supplier will observe and comply with Triple-S’s security procedures
that have been communicated to Supplier in writing (which also may be made
available to Supplier through other methods mutually agreed by the Parties), and
Supplier shall not, without Triple-S’s prior written consent, use any other
security procedure that results (or may result) in (i) an adverse operational or
other impact on Triple-S’s Facilities, systems or environment, or
(ii) additional cost to Triple-S.

 

(c) Supplier shall comply with the security requirements and standards set forth
in Schedule L (IT Security Addendum) as they relate to a vendor performing
services for Triple-S, which represent the minimum security requirements and
standards with which Supplier must comply. Supplier shall also comply with:

 

(i) All applicable Laws relating to privacy and information security, as they
may evolve during the Term and Disengagement Assistance Period, the HITRUST
Common Security Framework, and as may be required for Triple-S to qualify for
the safe harbor exemption for de-identified health information under the HIPAA
Privacy Rule (45 C.F.R. 164.502(d)); and

 

(ii) the Payment Card Industry Data Security Standards (promulgated by the PCI
Data Security Standards Council) (“PCI DSS”).

 

(d) Supplier shall meet with Triple-S not less frequently than once every twelve
(12) months to review the continually evolving security threat environment and
potential changes to the applicable security standards to address the same.

 

(e) No Triple-S Data may be stored outside the United States.

 

(f) Except as permitted in a Statement of Work or Task Order, no Triple-S Data
may be accessed from outside the United States without Triple-S’s prior written
consent, which may be granted or withheld in Triple-S’s reasonable discretion,
except that Supplier may access Triple-S Data from Supplier Facilities shown on
Schedule E (Supplier Facilities) that are denoted as Facilities from which
Supplier may access Triple-S Data.

 

(g) Supplier will guard against the unauthorized access, alteration or
destruction of Software and Triple-S Data. Such measures will include the
installation of Software that: (i) requires all users to enter a user
identification and password prior to gaining access to the information systems;
(ii) controls and tracks the addition and deletion of users; (iii) controls and
tracks user access to areas and features of the information systems; and
(iv) encrypts Triple-S Data and Confidential Information that is stored on or
sent from Supplier Personnel personal computers.

 

(h) Triple-S will be provided with backup copies of Triple-S Data from the
Supplier upon written request. Supplier must store and transmit backup Triple-S
Data in accordance
with Schedule L (IT Security Addendum). Supplier will document such safeguards
in the Procedures Manual.

 

(i) Without limiting the generality of the foregoing:

 

(i) Supplier’s information security policies shall provide for (A) regular
assessment and re-assessment of the risks and vulnerabilities to the
confidentiality, integrity, and availability of Triple-S Data, including
electronic data, and systems acquired or maintained by Supplier and its agents
and contractors, including (1) identification of internal and external threats
that could result in a Security Breach, (2) assessment of the likelihood and
potential damage of such threats, taking into account the sensitivity of such
data and systems, and (3) assessment of the sufficiency of policies, procedures,
and information systems of Supplier and its agents and subcontractors, and other
arrangements in place, to control risks; (B) protection against such risks; and
(C) establishment and monitoring of key risk indicators (KRIs). Supplier shall
provide such policies, and, upon thirty (30) days’ advance written request and
no greater than twice per twelve (12) month period, and additionally as
necessary in connection with a regulatory inquiry, conduct and report on the
results of such assessments to Triple-S.

 

(ii) Supplier shall (A) require all users to enter a user identification and
password prior to gaining access to the information systems; (B) control and
track the addition and deletion of users; (C) control and track user access to
areas and features of Supplier’s information systems, and (D) encrypt Triple-S
Data in accordance with Schedule L (IT Security Addendum).

 

(iii) Supplier Personnel will not attempt to access, or allow access to, any
Triple-S Data that they are not permitted to access under this Agreement.

 

(iv) Except as provided in Section 21 (Confidentiality), Supplier shall (A)
remove all Triple-S Data from any media within the scope of the Services that is
taken out of service; (B) destroy or securely erase such media in accordance
with Triple-S Policies and otherwise in a manner designed to protect against
Security Breaches; and (C) provide to Triple-S, within ten (10) Business Days
after a receipt of a request from Triple-S, a notification of destruction, which
may be provided via an automated solution that creates an auditable record.

 

14.3 Security Breach

 

(a) If Supplier becomes aware of (or if Triple-S notifies Supplier of) any
actual, attempted, suspected or threatened Security Breach (but excluding
unsuccessful immaterial (1) attempts to breach firewalls, (2) penetrate systems,
(3) logon to systems, (4) denial of service attacks, or (5) malware, that do not
pose a threat to Triple-S Data), Supplier shall perform clauses (i) and (ii)
below, and as requested by Triple-S, clauses (iii) – (vii) below:

 

(i) as promptly as practicable and, in any case, [***] notify Triple-S’s Chief
Compliance Officer, Chief Information Security Officer and Chief Information
Officer of such Security Breach and initiate a root cause analysis thereon, the
results of which shall be provided to Triple-S;

 

(ii) investigate such Security Breach and report its findings on a daily basis
to Triple-S;

 

(iii) provide Triple-S with a remediation plan, acceptable to Triple-S, to
address such Security Breach and prevent any further incidents;

 

(iv) execute the approved plan in order to remediate such Security Breach;

 

(v) conduct a forensic investigation to determine what systems, data and
information have been affected by such event, the results of which shall be
provided to Triple-S;

 

(vi) cooperate with Triple-S’s investigation of the Security Breach, including
promptly providing any information that Supplier has with respect to the
Security Breach; and

 

(vii) at Triple-S’s request, cooperate with any law enforcement or regulatory
officials, credit reporting companies, and credit card associations
investigating such Security Breach.

 

(b) Triple-S shall make the final decision on notifying Triple-S’s members,
employees, suppliers and/or the general public of such Security Breach, and the
implementation of the remediation plan.

 

14.4 Intrusion Detection/Interception

 

Upon request, Supplier will, to the extent applicable, provide Triple-S and its
representatives with:

 

(a) access to the redacted (to remove other customer information) evidence of
alerts, logs and data feeds from Supplier’s network intrusion detection systems,
host intrusion detection systems and anti-virus tools to enable Triple-S to have
adequate and timely access to system data regarding security incidents impacting
Triple-S Data or systems; and

 

(b) access to Supplier’s policies and procedures relating to intrusion detection
and interception with respect to the Supplier systems used to provide the
Services for the purpose of examining and assessing those policies and
procedures in accordance with Schedule M (Audit and Record Retention
Requirements).

 

14.5 Litigation and Investigation Requests

 

(a) Supplier recognizes that (i) Triple-S may, from time to time, sue third
parties, be sued by third parties, or have grounds to believe that one or more
lawsuits will be filed for or against Triple-S, (ii) Triple-S may be the subject
of governmental, regulatory or similar investigations and requests or demands
for information from third parties, (iii) Triple-S
may conduct internal investigations or audits at its own prerogative to obtain
information necessary to perform an internal audit or monitoring process, obtain
information necessary to respond to regulators or other external entities
(including commercial groups and sponsors), or otherwise ensure compliance with
business and regulatory requirements. Upon any of the foregoing events
occurring, Supplier hereby agrees to cooperate with Triple-S and its legal
counsel, and to create and implement a process sufficient to comply, in a timely
manner, with any requests from Triple-S or its legal counsel to categorize,
identify, view, preserve, extract, produce, filter, convert and/or provide to
Triple-S, a regulator, or any other Triple-S designee (in the format reasonably
requested by Triple-S), any hard copy documents or electronically stored
information or data of any type that is associated with the Services, that
results from or reflects the Services, that evidences or memorializes Supplier’s
efforts on behalf of Triple-S pursuant to this Agreement, or that is required by
applicable Law or necessary to evidence compliance with Law (hereinafter, the
“Requested Information”). Requested Information may include: claims data, email
data, home drive data, server data, common drive data, data stored in cloud
repositories, data on smartphones or peripheral devices, and data stored with
any third parties on Supplier’s behalf. Requested Information may include any
type of reports or other information received, created or collected as part of
the Services, all information created by or for Triple-S or Triple-S’s
employees, or at their request, and any information or “metadata,” associated
with other types of Requested Information. Requested Information may include any
type of information relating to the foregoing within Supplier’s possession,
custody or control, including information entrusted to its employees or third
parties, or housed in any type of repository or media whatsoever, such as
servers, systems, applications, discs, equipment, tapes, or other locations.
Supplier shall use Commercially Reasonable Efforts to provide requested
information in a timely manner to enable Triple-S to meet regulatory and
internal deadlines.

 

(b) Supplier acknowledges and agrees that Supplier may, in some instances, be
required by Triple-S to utilize, or be required to involve outside professionals
to utilize, forensic extraction methods and techniques to obtain Requested
Information. Such methods may include setting up a new or using an existing
non-production environment to retrieve and provide Requested Information. In
addition, if requested by Triple-S, Supplier shall provide access to such
environment or Requested Information so that Triple-S and/or its designee
(provided such designee has a confidentiality agreement in place with Triple-S
containing terms comparable to the confidentiality terms set forth in this
Agreement) may access, view, download and extract the Requested Information,
including reasonable access to third-party litigation support providers selected
by Triple-S to facilitate requests for Requested Information. Supplier shall
maintain and support an access method for allowing such access and extractions,
as determined by Triple-S (e.g., SFTP connections, remote access, on-site
access). Supplier will use Commercially Reasonable Efforts to provide all
Requested Information within the time period specified by Triple-S or its legal
counsel, and, if such deadlines cannot be met, Supplier shall promptly notify
Triple-S of the reason and extent of any delay.

 

(c) Triple-S shall direct any request under this Section 14.5 (Litigation and
Investigation Requests) to the Supplier Account Executive. Upon Triple-S’s
request, Supplier shall, as appropriate, promptly designate a Supplier attorney
or Supplier operations executive to
work with Triple-S and who can facilitate any Triple-S request under this
Section. In the event that Triple-S is the target of a governmental inquiry or
investigation, Triple-S shall retain all responsibility for directly interacting
with such governmental entity regarding such inquiry or investigation. Supplier
shall comply with and follow all restrictions and requirements reasonably
imposed by Triple-S or its legal counsel to maintain the protections of the
attorney-client privilege and attorney work-product doctrine for all efforts and
communications connected with requests and efforts made under this Section 14.5.

 

15. INTELLECTUAL PROPERTY RIGHTS

 

This Section 15 sets forth the Parties’ respective rights in Work Product and
other materials provided or created pursuant to this Agreement. As between the
Parties, the rights apply as set forth in this Section 15 whether the work in
question is performed solely by Supplier Personnel or by Supplier Personnel
working jointly with others.

 

15.1 Independent IP

 

(a) Except as otherwise expressly provided in this Agreement, including in
Section 15.2 (Intellectual Property Rights in Work Product):

 

(i) as between the Parties, each Party will have and retain all of its right,
title and interest, including Intellectual Property Rights, in and to its
Independent IP and any Derivative Works of its Independent IP, and will be
entitled to seek Intellectual Property Rights protection for its Independent IP
and any Derivative Works of its Independent IP as it deems appropriate; and

 

(ii) a Party will not be permitted to use the other Party’s Independent IP or
any Derivative Works of the other Party’s Independent IP.

 

(b) Supplier shall not incorporate any Independent IP of Supplier or a third
party into any Deliverable without Triple-S’s prior written approval, which
Triple-S may withhold in its discretion. Any such written approval, together
with details of the Independent IP that will be incorporated in the Deliverable,
shall be documented in the applicable Statement of Work or Task Order.

 

(c) If Supplier incorporates any Independent IP of Supplier or a third party
into a Deliverable without first notifying Triple-S of its nature and entering
into with Triple-S, or procuring for Triple-S, a license to Use the Independent
IP on terms that are acceptable to Triple-S, then (i) in the case of Supplier
Independent IP, Supplier hereby grants to Triple-S and its Affiliates, and (ii)
in the case of third party Independent IP, Supplier shall procure for Triple-S
and its Affiliates, a perpetual, irrevocable, non-exclusive, worldwide, paid-up
right and license to Use such Independent IP (including Source Code, artifacts,
programmer interfaces, available Documentation, manuals, and other materials
that may assist Triple-S with Use thereof), solely in connection with, and as
incorporated into, the Deliverable and solely in their businesses and to
authorize others (including Triple-S third party contractors providing services
to Triple-S, Triple-S Affiliates, and Service Recipients and not for any such
contractor’s own use) to do the same on their behalf, for
no additional charge. Triple-S will require any such third party contractors to
comply with the obligations of confidentiality and restrictions limiting use of
the Independent IP solely to performance of services on behalf of Triple-S. All
representations, warranties, and covenants of Supplier, and any rights of
Triple-S under this Agreement, that are applicable to Deliverables shall apply
equally to any Independent IP of Supplier incorporated into Deliverables.

 

(d) If Triple-S provides any of its Independent IP to Supplier for use in
rendering the Services, Triple-S grants to Supplier a fully paid-up,
nonexclusive license during the Term and any Disengagement Assistance Period to
Use such Independent IP solely as necessary to perform the Services, and to
sublicense Approved Subcontractors to do the same on Supplier’s behalf. Supplier
may not Use Triple-S’s Independent IP for the benefit of any entities other than
Triple-S (and its Service Recipients under this Agreement) without the prior
written consent of Triple-S, which may be withheld at Triple-S’s discretion.

 

15.2 Intellectual Property Rights in Work Product

 

(a) Deliverables and Work Product Owned by Triple-S.

 

(i) Subject to Section 15.2(a)(iii) below, and subject to the ownership rights
of Supplier and any Supplier third party providing Independent IP to Supplier in
their respective Independent IP and Derivative Works of their Independent IP
which may be incorporated therein pursuant to Section 15.1(a) and 15.1(c),
Triple-S will be the sole and exclusive owner of all Intellectual Property
Rights in and to the following (collectively, the “Triple-S Work Product”):

 

(A) Deliverables or portions of Deliverables that are not Derivative Works of
Independent IP owned or licensed by a Party or its Affiliates;

 

(B) Deliverables or portions of Deliverables that are Derivative Works of
Independent IP owned or licensed by Triple-S or its Affiliates or Service
Recipients;

 

(C) Work Product that is a Derivative Work of Independent IP owned or licensed
by Triple-S or its Affiliates; and

 

(D) All modifications and enhancements to In-Scope Applications whether they are
classified as Deliverables, Work Product or otherwise.

 

(ii) Subject to Section 15.2(a)(iii), as between the Parties, Triple-S will be
the sole and exclusive owner of the Intellectual Property Rights in each
Triple-S Work Product from the moment of its creation. Triple-S Work Product
will be deemed to be a ‘work made for hire’ under the copyright Laws. To the
extent that any such Triple-S Work Product is not deemed to be a ‘work made for
hire’ and the property of Triple-S by operation of Law, Supplier (on its own
behalf as well as on behalf of its current and future employees, agents and
subcontractors) hereby irrevocably conveys and assigns to Triple-S, without
further consideration, all
right, title, and interest in and to the Triple-S Work Product. Supplier agrees
to execute such other documents or take such other actions as Triple-S may
reasonably request to perfect Triple-S’s ownership of any Triple-S Work Product.
Triple-S and its assigns will have the right to register and hold in their own
name the copyright in and to such Triple-S Work Product.

 

(iii) Triple-S grants to Supplier a fully paid-up, nonexclusive license to Use
such Triple-S Work Product during the Term (and the Disengagement Assistance
Period) solely as necessary to perform the Services, and to sublicense Approved
Subcontractors to do the same on Supplier’s behalf in the performance of the
Services.

 

(b) Ownership of Other Developed Items.

 

(i) Subject to the rights of Triple-S and any third parties in their respective
Independent IP and Derivative Works of their Independent IP and Triple-S’s
ownership of Triple-S Work Product pursuant to Section 15.2(a) above, and in
addition to Supplier’s rights in Independent IP of Supplier pursuant to Section
15.1(a) above, Supplier shall be the sole and exclusive owner of all
Intellectual Property Rights in and to Deliverables and Work Product that are
not Triple-S Work Product (collectively, “Other Developed Items”).

 

(ii) Supplier hereby grants to Triple-S and its Affiliates and Service
Recipients, a perpetual, irrevocable, non-exclusive, worldwide, sublicenseable,
paid-up right and license to Use in their businesses and to authorize others
(including Triple-S contractors) to do the same solely on behalf of Triple-S and
its Affiliates and Service Recipients (and only where such other parties are
subject to an obligation of confidentiality and limited to services performed
for or on behalf of Triple-S, its Affiliates or Service Recipients) for no
additional charge, such Other Developed Items, including Source Code, artifacts,
programmer interfaces, available Documentation, manuals, and other materials
that may assist Triple-S with the Use of such Other Developed Items. For
clarity, the foregoing license does not apply to Supplier Software and Supplier
Tools denoted as Non-Commercially Available on Schedule S (Supplier Software and
Supplier Tools) (including any Other Developed Item denoted as Non-Commercially
Available pursuant to the process set forth in Section 10.4(c)), provided the
foregoing is not intended to limit the license granted in Section 10.5 (License
During the Term and Disengagement Assistance Period).

 

(c) Residual Knowledge.

 

Notwithstanding anything to the contrary in this Agreement, each Party will be
free to use the ideas, concepts, methodologies, processes and know-how that are
used, developed or created in the course of performing the Services that are
retained in the unaided mental impressions of the employees of such Party in
intangible form, provided that in doing so they do not use or disclose
Confidential Information of the other Party in violation of Section 21
(Confidentiality), or misappropriate or infringe upon the Intellectual Property
Rights of the other Party, its Affiliates (including such rights granted
pursuant to Section
15.1 (Independent IP)) or third parties who have licensed or provided
Independent IP to the other Party or its Affiliates.

 

15.3 Intellectual Property Rights Agreements with Supplier Personnel

 

Supplier is responsible for having in place with all Supplier Personnel (either
directly or indirectly through their respective employers) such agreements
respecting Intellectual Property Rights as are necessary for Supplier to fulfill
its obligations under this Section 15 (Intellectual Property Rights). Upon
Triple-S’s written request, Supplier shall provide copies of the template which
Supplier requires employees and contractors to sign to implement the foregoing
agreement with Triple-S (i.e., Supplier’s standard employment contract
template).

 

15.4 Rights on Bankruptcy of Supplier

 

All licenses and rights of Use granted under or pursuant to this Agreement shall
be deemed to be, for the purposes of Section 365(n) of the United States
Bankruptcy Code (the “Bankruptcy Code”), licenses to rights in “intellectual
property” as defined under the Bankruptcy Code. Accordingly, the licensee of
such rights shall retain and may fully exercise all of its rights and elections
under the Bankruptcy Code. Upon the commencement of bankruptcy proceedings by or
against either Party under the Bankruptcy Code, the other Party shall be
entitled to retain all of its license rights and Use rights granted under this
Agreement.

 

16. TERMINATION

 

16.1 Termination by Triple-S

 

(a) Termination for Cause. If Supplier commits (i) a material breach of this
Agreement or any Statement of Work or Task Order that is capable of being cured
within thirty (30) days after receiving notice of the breach from Triple-S, and
fails to cure such breach within such thirty (30) day period; (ii) a material
breach of this Agreement that is not capable of being cured within thirty (30)
days after receiving notice of breach from Triple-S but is capable of being
cured within sixty (60) days, and fails to (A) proceed promptly and diligently
to cure the breach, (B) develop within thirty (30) days after receiving such
notice a reasonably detailed plan for curing the breach, and (C) cure the breach
within sixty (60) days after receiving such notice; or (iii) multiple breaches
of this Agreement or any Statement of Work or Task Order, whether material or
non-material, that collectively constitute a material breach of this Agreement
or any Statement of Work or Task Order; then Triple-S may, by giving written
notice to Supplier, terminate (A) in the case of a material breach of the
General Terms and Conditions, this Agreement, in whole or in part, and (B) in
the case of a material breach of a Statement of Work or any Task Order,
terminate the applicable Statement of Work or any Task Order (in whole or in
part), without charge or fee (except any outstanding Charges for all Services
provided in accordance with this Agreement through the effective date of
termination (subject to Triple-S’s right to dispute Charges set forth in
Schedule C (Charging Methodology) in good faith)), as of a date specified in the
notice of termination. Any termination by Triple-S shall not constitute an
election of remedies and shall be without prejudice as to Triple-S’s other
rights and remedies.

 



(b) Termination for Convenience. Triple-S may terminate this Agreement (in whole
and not in part) at any time for convenience (i.e., for any reason or no reason)
by giving Supplier at least one hundred eighty (180) days’ prior written notice
(unless the Parties expressly agree otherwise in writing) designating the
termination date and paying to Supplier on or before the effective date of
termination any (properly invoiced) outstanding Charges for all Services
provided in accordance with this Agreement through the effective date of
termination (subject to Triple-S’s right to dispute Charges set forth in
Schedule C (Charging Methodology) in good faith); provided the effective date of
such termination shall not be earlier than the [***] of the Effective Date. Such
termination shall be without charge or fee except for any applicable early
termination for convenience charges (if any) expressly set forth in Schedule C
(Charging Methodology), and except for the amounts described in the preceding
sentence. If a purported termination for cause by Triple-S under Section 16.1(a)
is found by a competent authority not to be a proper termination for cause, then
such termination will be deemed to be a termination for convenience by Triple-S
under this paragraph except that the notice requirements of this paragraph will
apply.

 

(c) Termination for certain Service Level Failures. If (i) Supplier fails to
meet the same [***] Service Level [***] times in any rolling [***], then
Triple-S may, by giving written notice to Supplier, terminate this Agreement or
any Statement of Work or Task Order (in whole or in part) without charge or fee
(except any outstanding Charges for all Services provided in accordance with
this Agreement through the effective date of termination (subject to Triple-S’s
right to dispute Charges set forth in Schedule C (Charging Methodology) in good
faith)), as of a date specified in the notice of termination. The foregoing
rights to terminate shall not be construed as precluding Triple-S from claiming
that some other combination of failures to meet Service Levels is a material
breach of this Agreement and to exercise any available remedies in connection
with such material breach. Triple-S’s termination rights in this Section 16.1(c)
shall only apply with respect to each Statement of Work beginning [***] of each
Statement of Work. In other words, any Service Level Failure prior to such date
will not count as a failure for determining whether Triple-S has the right to
terminate pursuant to this Section 16.1(c).

 

(d) Termination Following a Change of Control of Supplier. “Change of Control of
Supplier” means an announcement by Supplier (i) that any other entity, person or
“group” (as such term is used in Section 13(d) of the Securities Exchange Act of
1934, as amended) that is not an Affiliate of Supplier will acquire (and
eventually does acquire) Control, of all or substantially all of the assets, of
Supplier (or any parent company of Supplier), whether directly or indirectly, in
a single transaction or series of related transactions, or (ii) that Supplier
(or any parent company of Supplier) will consolidate with, or be merged with or
into, another entity that is not an Affiliate of Supplier, or will sell, assign,
convey, transfer, lease or otherwise dispose of all or substantially all of the
assets of Supplier to another person(s) or entity(ies) that is not an Affiliate
of Supplier. Notwithstanding the foregoing, Triple-S agrees that a spin-off of
Supplier or Optum, Inc. into an independent company will not constitute a Change
of Control of Supplier. At any time within one (1) year after the consummation
of the transaction described in (i) or (ii) above, Triple-S may terminate this
Agreement (in whole and not in part) by giving Supplier at least one hundred
eighty (180) days prior written notice designating the
termination date. Such termination shall be [***] Triple-S shall pay to Supplier
on or before the effective date of termination any outstanding Charges for all
Services (including work in progress) provided in accordance with this Agreement
through the effective date of termination (subject to Triple-S’s right to
dispute Charges set forth in Schedule C (Charging Methodology) in good faith).

 

(e) Termination in the Event of a Force Majeure. Triple-S may terminate this
Agreement or any Statement of Work or Task Order (in whole or in part) [***], as
provided in Section 24.4 (Force Majeure).

 

(f) Termination Due to Change in Laws.

 

(i) Triple-S may terminate this Agreement or any Statement of Work or Task Order
(in whole or in part) by giving Supplier at least ninety (90) days prior written
notice specifying the terminated Services and designating the termination date
if a Law enacted, created or modified after the Effective Date (including any
Laws that increase taxes) (A) has a material adverse effect on Triple-S’s
receipt or use of Services or (B) increases Triple-S’s cost of using or
receiving the terminated Services by more than [***] and (in either case) the
Parties are unable to agree upon equitable adjustment in Charges or the scope of
the Affected Services that would address the new or modified Law in a manner
that is satisfactory to the Parties.

 

(ii) Triple-S may exercise the termination right set forth in this Section by
sending a written notice to Supplier as described above not later than one
hundred eighty (180) days after the effective date of the enacted, created or
modified Law. Such termination shall be [***] Triple-S shall pay to Supplier on
or before the effective date of termination any outstanding Charges for all
Services (including work in progress) provided in accordance with this Agreement
through the effective date of termination (subject to Triple-S’s right to
dispute Charges set forth in Schedule C (Charging Methodology) in good faith)
and any applicable early termination for change in Laws charges expressly set
forth in Schedule C (Charging Methodology).

 

(g) Termination Relating to Supplier’s General Liability Cap. If Supplier pays
to or owes to (or some combination thereof) Triple-S aggregate damages in excess
of [***] of the General Liability Cap as a result of one or more of the
following (i) an agreement by Supplier that it owes Triple-S certain damages,
(ii) a settlement agreed to by the Parties, or (iii) an order from a court of
competent jurisdiction or an arbitration award, and Supplier does not agree to
refresh the General Liability Cap, as applicable, to its original amount (i.e.,
none of such damages shall, after such refresh, be considered to have applied
against the General Liability Cap) within thirty (30) days after a Triple-S
request to refresh the General Liability Cap, then Triple-S may terminate for
cause this Agreement or any SOW or Task Order (in whole or in part), upon no
less than thirty (30) days prior written notice to Supplier. Such termination
shall be [***] Triple-S shall pay to Supplier on or before the effective date of
termination any outstanding Charges for all Services provided in accordance with
this Agreement through the effective date of termination (subject to Triple-S’s
right to dispute Charges set forth in Schedule C
(Charging Methodology) in good faith). If Supplier agrees to refresh the General
Liability Cap pursuant to this Section, the Parties agree that such amounts
added to refresh the General Liability Cap shall not be used to pay liabilities
described in (i), (ii) or (iii) that caused the [***] threshold to have been
exceeded. Triple-S’s termination rights in this Section 16.1(g) shall no longer
apply once Supplier refreshes the General Liability Cap [***] during the Term.

 

(h) Termination Relating to Regulatory Approval.

 

(i) Triple-S may terminate this Agreement or any Statement of Work or Task Order
if Triple-S is unable to obtain one or more regulatory approvals as provided in
Section 3.3 (Regulatory Approvals) on or prior to December 31, 2017 by giving
Supplier prior written notice specifying the terminated Services and designating
the termination date, and paying to Supplier on or before the effective date of
the termination any outstanding Charges for all Services (including work in
progress) provided in accordance with this Agreement through the effective date
of termination (subject to Triple-S’s right to dispute Charges set forth in
Schedule C (Charging Methodology) in good faith).

 

(ii) Such termination shall be [***] the amounts described in 16.1(h)(i) above,
as applicable, and any applicable early termination for regulatory approval
charges expressly set forth in Schedule C (Charging Methodology).

 

(iii) Before exercising the termination right set forth in this Section,
Triple-S and Supplier shall work together in good faith, using the Governance
procedure set forth in Schedule F (Governance), for a period acceptable to the
regulators (not to exceed ninety (90) days), to seek options to achieve
regulatory approval.

 

(i) Termination related to Business Associate Agreement. Triple-S may terminate
this Agreement as provided in Schedule H (Business Associate Agreement). Such
termination shall be [***] (except any outstanding Charges for all Services
(including work in progress) provided in accordance with this Agreement through
the effective date of termination (subject to Triple-S’s right to dispute
Charges set forth in Schedule C (Charging Methodology) in good faith)).

 

(j) Termination Due to Adverse Changes in Supplier’s Financial Circumstances. If
Supplier (but not any Subcontractor) (A) files a petition in bankruptcy; (B) has
an involuntary petition in bankruptcy filed against it which is not challenged
within thirty (30) days and dismissed within sixty (60) days; (C) becomes
insolvent; (D) makes a general assignment for the benefit of creditors; (E)
admits in writing its inability to pay substantially all of its debts as they
mature; (F) has a receiver appointed for its assets; (G) has any significant
portion of its assets attached; or (H) experiences a material negative change in
its net assets (i.e., total assets minus total liabilities), then Triple-S may
by giving thirty (30) day written notice to Supplier, terminate this Agreement
as of the date specified in such written notice of termination. Supplier shall
notify Triple-S as soon as possible if one of the circumstances in this
Section 16.1(j) occurs or is likely to occur. Supplier shall certify within ten
(10) Business Days of a written request by Triple-S, that none of the
circumstances in this Section 16.1(j) have occurred as of the date of
certification or, to
the best of Supplier’s knowledge, are likely to occur within [***] after the
date of certification. Such termination shall be [***] (except any outstanding
Charges for all Services (including work in progress) provided in accordance
with this Agreement through the effective date of termination (subject to
Triple-S’s right to dispute Charges set forth in Schedule C (Charging
Methodology) in good faith)).

 

16.2 Termination by Supplier

 

(a) If Triple-S

 

(i) fails to pay Supplier when due material Charges under this Agreement, not
otherwise disputed in good faith, totaling an amount greater than or equal to
the result obtained by [***], and fails to make such payment within [***] after
the date Triple-S receives written notice of non-payment from Supplier (a copy
of which notice shall also indicate that Supplier may terminate this Agreement
if Triple-S fails to pay such unpaid amounts, and shall be sent by Supplier to
the Triple-S Chief Financial Officer and General Counsel), or

 

(ii) materially breaches Section 10.5 (License During the Term and the
Disengagement Assistance Periods), Section 13 (Compliance With Laws), Section 15
(Intellectual Property), or Section 21 (Confidentiality) and Triple-S fails to
cure such material breach within thirty (30) days after the date Triple-S
receives written notice of such material breach from Supplier (a copy of which
notice shall also indicate that Supplier may terminate this Agreement if
Triple-S fails to cure such material breach, and shall be sent by Supplier to
the Triple-S Chief Financial Officer and General Counsel),

 

then Supplier may terminate this Agreement by sending written notice to Triple-S
terminating this Agreement, in which event this Agreement shall terminate as of
the date specified in the notice of termination (but not earlier than thirty
(30) days after Triple-S’s receipt of such notice).

 

(b) For clarity and without limiting Triple-S’s rights in Section 17
(Disengagement Assistance) (but subject to Section 17.3(c)), Triple-S shall be
entitled to Disengagement Assistance pursuant to Section 17 (Disengagement
Assistance) if Supplier terminates this Agreement.

 

16.3 Extension of Termination/Expiration Date

 

Triple-S may extend the effective date of termination/expiration one or more
times as it elects. However, in no event may the total of all such extensions
exceed one hundred eighty (180) days following the effective date of
termination/expiration in place immediately prior to the initial extension under
this Section 16.3. If any extension notice provided to Supplier within ninety
(90) days of the then-scheduled date of termination/expiration would cause
Supplier to incur additional costs or expenses, Supplier may so notify Triple-S.
In that case, the extension of this Agreement’s Term pursuant to the notice will
be subject to Triple-S agreeing to reimburse Supplier for its additional costs
and expenses incurred as a result of the extension notice being provided within
ninety (90) days of the then scheduled date of termination/expiration.

 



16.4 Partial Termination

 

(a) In the event of a termination of this Agreement or Statement of Work or any
Task Order in part pursuant to this Section 16:

 

(i) the scope of the Services shall be reduced to remove the terminated
Services;

 

(ii) the Service Levels and other performance standards for such terminated
Services shall cease to apply with respect to the terminated Services;

 

(iii) if this Agreement (or the applicable SOW) does not otherwise specify the
basis for determining Supplier’s charges for the continuing Services that are
not terminated, the charges payable under this Agreement (or the applicable SOW)
will be equitably adjusted to reflect the Services that have been terminated;

 

(iv) any minimum revenue commitment shall be adjusted using the methodology
provided in Schedule C (Charging Methodology), or otherwise reduced in an
equitable manner to the extent such methodology does not apply to the withdrawn
portions of the Services;

 

(v) Supplier shall provide Disengagement Assistance with respect to the
terminated Services pursuant to Section 17 (Disengagement Assistance); and

 

(vi) the following shall be equitably adjusted based on the effect of such
partial termination:

 

(A) the Service Levels for the remaining Services under this Agreement (i.e., if
the partial termination affects Supplier’s ability to meet such Service Levels);

 

(B) applicable affected provisions of this Agreement or other Services; and

 

(C) the termination-related payments for which Triple-S is responsible will be
revised to reflect that some portion of that amount has been paid by Triple-S.

 

The Parties shall negotiate such equitable adjustments above in good faith.

 

(b) The Parties shall enter into an amendment to this Agreement or Change Order
to reflect the termination in part and the resulting adjustments.

 

(c) Unless Triple-S provides written notice to Supplier terminating a portion of
this Agreement in part pursuant to any applicable provision of Section 16.1
(Termination by Triple-S), a reduction in volumes or scope as contemplated by
Section 2.7 (Services Not Exclusive; Variable) or Schedule C (Charging
Methodology) shall not constitute a termination in part, and such reduction in
volumes or scope shall be subject to the terms of Section 2.7 (Services Not
Exclusive; Variable) and/or Schedule C (Charging
Methodology) instead of the provisions of this Section 16.4 (Termination of this
Agreement in Part).

 

17. DISENGAGEMENT ASSISTANCE

 

17.1 General

 

(a) Commencing twelve (12) months prior to expiration of this Agreement, or
commencing upon a notice of termination (including notice based upon breach by
Triple-S under Section 16.2 (Termination by Supplier)) or of non-renewal of this
Agreement or a Statement of Work or Task Order (in whole or in part), and
continuing (as requested by Triple-S) for up to [***] following the effective
date of expiration or, if applicable, of termination of this Agreement (as such
effective date may be extended pursuant to Section 16.3 (Extension of
Termination/Expiration Date)), or a portion thereof, Supplier shall provide such
Disengagement Assistance to Triple-S as Triple-S requests, including to a
Successor Supplier. Triple-S shall provide Supplier with reasonable advance
notice (not less than ninety (90) days) before Triple-S removes any material
portion of the Services during the Disengagement Assistance Period and the
Parties shall work in good faith to establish a plan for the timing of
Triple-S’s reduction of Services during the Disengagement Assistance Period.
Supplier shall also provide Disengagement Assistance in the context of
Triple-S’s reduction or removal of a portion of the Services or volumes or
Functions in accordance with this Agreement, although this Agreement is not
itself being terminated in whole or in part. Disengagement Assistance includes
the assistance described in Schedule I (Disengagement Assistance) and this
Section 17.

 

(b) Supplier shall also provide Disengagement Assistance in the event of any
partial termination of this Agreement.

 

(c) The quality of the Services provided by Supplier, and the Supplier’s
performance of the Services, will not be materially degraded during the period
Supplier is providing Disengagement Assistance. Supplier shall not make any
changes to the number of Supplier Personnel providing Services during the
Disengagement Assistance Period or reassign any Supplier Personnel holding Key
Supplier Positions away from performing Services under this Agreement during the
Disengagement Assistance Period except as mutually agreed to by the Parties in
writing or to remove resources for Services that have been reduced or fully
wound down.

 

(d) Supplier shall provide Disengagement Assistance utilizing Supplier Personnel
then being regularly utilized to provide the Services, provided, however, that
if Supplier believes in good faith that providing such assistance utilizing such
Supplier Personnel will prevent Supplier from meeting the Service Levels or
otherwise complying with other obligations under this Agreement and gives
written notice to such effect to Triple-S, then Supplier shall not be obligated
to provide the Disengagement Assistance utilizing only the Supplier Personnel to
the extent that utilizing such personnel would cause Supplier to fail to meet
the Service Levels or otherwise be unable to comply with other Supplier
obligations under this Agreement, provided further, that if Triple-S agrees to
waive the Service Level Credits for failure to meet the Service Levels relating
to the applicable Service Levels and to excuse nonperformance of other affected
obligations of Supplier
(provided that Supplier shall use good faith efforts to continue to meet the
Service Levels), then Supplier shall provide Disengagement Assistance utilizing
Supplier Personnel then being utilized in performing the Services. If Triple-S
does not provide such relief, the Parties shall use the Change Control Process
to address the use of additional Supplier Personnel to provide Disengagement
Assistance and Section 17.3(b) shall apply.

 

(e) Triple-S and the Successor Supplier shall be permitted to undertake, without
interference from Supplier, to hire any Supplier Personnel employed by Supplier
or its Affiliates performing the Services (which are expiring or being
terminated) as of the date of notice of termination or, in the case of
expiration, within the six (6) month period (or longer period reasonably
requested by Triple-S) prior to expiration. Supplier and its Affiliates shall
waive their rights, if any, under contracts with such personnel restricting the
ability of such personnel to be recruited or hired by Triple-S and the Successor
Supplier. Triple-S and the Successor Supplier shall have reasonable access to
such personnel for interviews and recruitment. This Section 17.1(e) shall not
apply to individuals in Key Supplier Positions with respect to the Successor
Supplier.

 

(f) Provided that such third party is subject to a confidentiality agreement
with Triple-S with terms substantially similar to Section 21 (Confidentiality)
of these General Terms and Conditions and Triple-S is responsible for such third
party’s compliance with this Agreement, including Section 15 (Intellectual
Property Rights), Supplier shall make available Documentation and information
reasonably sufficient for Triple-S or Triple-S’s designated Successor Supplier
to assume the provision of such terminated Services and become self-reliant with
respect to such terminated Services. In no event shall Triple-S disclose
Documentation for Supplier Tools or Supplier Software. Triple-S’s and the
Successor Supplier’s use of such Documentation and information that constitutes
Supplier Confidential Information shall be subject to the confidentiality
obligations herein. Such information shall be stored and provided to Triple-S in
an electronic format that is reasonably acceptable to, and in a location and
manner that is easily accessible by, Triple-S. Supplier shall provide Triple-S
with a copy of any Documentation promptly upon Triple-S’s request, but in any
event within ten (10) Business Days of Supplier’s receipt of such request.

 

(g) With respect to any Software or Tool used by Supplier to provide Services
for which Supplier is not obligated to grant or provide a license pursuant to
this Agreement, then upon Triple-S’s request, Supplier shall (as designated by
Triple-S) assist Triple-S with procuring a license to such Software or Tool (and
applicable third party maintenance and support contract) on behalf of Triple-S.

 

(h) If and to the extent requested by Triple-S, Supplier shall (i) assign to
Triple-S or the Successor Supplier leases for some or all of the Supplier Leased
Equipment located in Puerto Rico, including applicable maintenance agreements
(all as designated by Triple-S) that was used as of the date of termination or
expiration of this Agreement or portion thereof exclusively for providing the
Services, and Triple-S shall assume the obligations under such leases that
relate to periods after such date; provided, however, Supplier shall not be
obligated to assign any such leases with respect to which Supplier notified
Triple-S that it is unable to obtain the right to assign such lease to Triple-S,
and notwithstanding

 



such, Triple-S approved the acquisition of such lease pursuant to Section
10.2(a); and (ii) sell to Triple-S or the Successor Supplier, at the lower of
fair market value or Supplier’s then current book value, some or all of the
Equipment (as designated by Triple-S) owned by Supplier that was used in Puerto
Rico as of the date of termination or expiration of this Agreement or portion
thereof exclusively used for providing the Services, including applicable
maintenance agreements. Supplier shall also provide all user and other
Documentation relevant to such Equipment which is in Supplier’s possession.
Triple-S or the Successor Supplier (as applicable) will assume responsibility
under any such maintenance agreements to the extent such responsibilities relate
to periods after the date of termination or expiration of this Agreement or
portion thereof.

 

(i) If and to the extent requested by Triple-S, Supplier shall assign to
Triple-S or the Successor Supplier some or all of the Supplier Third Party
Service Contracts (as designated by Triple-S) that were used as of the date of
termination or expiration of this Agreement or portion thereof exclusively to
provide the Services, and Triple-S shall assume the obligations under such
contracts that relate to periods after such date; provided, however, that
subject to Section 17.1(j) below, Supplier shall not be required to assign any
such contracts with respect to which Supplier notified Triple-S that it is
unable to obtain the right to assign such lease to Triple-S, and notwithstanding
such, Triple-S approved the acquisition of such lease pursuant to Section
10.3(c).

 

(j) With respect to any third party services then being exclusively utilized by
Supplier in the performance of the Services (other than services under Supplier
Third Party Service Contracts Supplier is obligated to assign to Triple-S or the
Successor Supplier pursuant to Section 17.1(j)), if permitted by the terms of
the applicable contract, if and to the extent requested by Triple-S, Supplier
shall make available or assign to Triple-S or the Successor Supplier (as
designated by Triple-S) the contract for such third party services, pursuant to
reasonable terms and conditions. Supplier shall use Commercially Reasonable
Efforts to assign any other third party service contracts used exclusively to
provide the Services which Triple-S requests to be assigned to Triple-S.

 

(k) As requested by Triple-S, Disengagement Assistance shall include Supplier
continuing to provide any or all of the Services provided by Supplier prior to
the effective date of termination/expiration. Services provided by Supplier
under this Section 17 shall be subject to the other provisions of this
Agreement.

 

17.2 Required Consents

 

(a) Software/Tools and Associated Maintenance and Support Agreements. Supplier
shall have Financial Responsibility and be administratively responsible (with
the cooperation of Triple-S) for obtaining the Required Consents for any
Software and Tools (and any associated maintenance and support agreements) for
which Supplier is obligated to provide a license or access rights to Triple-S
pursuant to this Agreement (including Section 10.4(a)(i) (Supplier Software and
Tools), Section 10.5 (License During the Term and Disengagement Assistance
Period), Section 15.1(c) (Independent IP), Section 15.2(b) (Ownership of Other
Developed Items)), and Schedule S (Supplier Software and Supplier Tools).
Triple-S shall be financially responsible and Supplier shall be administratively
responsible (with the cooperation of Triple-S) for obtaining a Required

 



Consent necessary to assign to Triple-S or a Successor Supplier a Software or
Tool license (and associated maintenance and support agreements) for any
Software or Tool not covered by the prior sentence.

 

(b) Equipment Leases and Third Party Service Contracts. If Triple-S requests
Supplier to assign any lease for Supplier Leased Equipment in accordance with
Section 17.1(h) above, or if Triple-S requests Supplier to assign any Supplier
Third Party Service Contract in accordance with Section 17.1(i) above, then the
Party which is obligated to procure the Required Consent for such Supplier
Leased Equipment lease or such Supplier Third Party Service Contract shall be as
follows:

 

(i) if at the time of acquisition of such Supplier Leased Equipment or Supplier
Third Party Service Contract, (A) Supplier had satisfied its obligation in
Section 10.2 (Equipment) (with respect to Supplier Leased Equipment) and Section
10.3 (Third Party Services) (with respect to such Supplier Third Party Service
Contracts), as applicable, to use Commercially Reasonable Efforts to obtain the
right to assign the asset to Triple-S, but (B) despite such efforts Supplier was
unable to obtain such rights, and (C) Supplier so notified Triple-S, and (D)
Triple-S agreed in writing that Supplier could acquire such asset to utilize in
providing the Services notwithstanding not having such right to assign (all as
set forth in Section 10.2 (Equipment) and Section 10.3 (Third Party Services)
above), then Triple-S shall be financially obligated to procure such Required
Consent, and Supplier shall be administratively responsible for procuring such
Required Consent (with the cooperation of Triple-S); and

 

(ii) for any scenario not covered by Section 17.2(b)(i) above with respect to
such Supplier Leased Equipment leases and such Supplier Third Party Service
Contracts, Supplier shall be financially and administratively obligated to
procure such Required Consent (with the cooperation of Triple-S); and

 

(iii) for clarity, maintenance and support agreements for Software and Tools are
covered by Section 17.2(a) above and not this Section 17.2(b).

 

17.3 Charges for Disengagement Assistance

 

Charges for Disengagement Assistance shall be as follows:

 

(a) For Disengagement Assistance that constitutes a continuation of the Services
and for which there is a predetermined Charge in this Agreement (e.g., a charge
for maintaining an Application as set forth in this Agreement), such
pre-determined Charge shall apply; provided, however, that as Services are
reduced the Charges shall be adjusted using the methodology provided in Schedule
C (Charging Methodology), or otherwise reduced in an equitable manner to the
extent such methodology does not apply to the withdrawn portions of the
Services. The Parties shall negotiate such equitable adjustments above in good
faith.

 

(b) For Disengagement Assistance for which (i) there is no predetermined Charges
in this Agreement (i.e., for assistance that is not part of the routine
Services) and (ii) Supplier is

 



permitted under Section 17.1(d) to utilize (and does in fact utilize) personnel
in addition to the existing Supplier Personnel to provide such Disengagement
Assistance, then (subject to Section 17.1(c)) such assistance will be chargeable
at the Personnel Rates to the extent performed by Supplier Personnel not
otherwise performing Services for Triple-S prior to the effective date of
termination or expiration of this Agreement.

 

(c) If Supplier has terminated this Agreement pursuant to Section 16.2
(Termination by Supplier), then the provision of Disengagement Assistance shall
be subject to Triple-S paying the estimated charges for Disengagement Assistance
monthly in advance.

 

17.4 Bid Assistance

 

(a) In the process of deciding whether to undertake or allow any cessation of
Services, or any termination, expiration or renewal of this Agreement, in whole
or in part, Triple-S may consider or seek offers for performance of services to
replace the Services. As and when reasonably requested by Triple-S for use in
any such process, Supplier will provide to Triple-S such information and other
cooperation regarding performance of the Services as would be reasonably
necessary to enable Triple-S to prepare a request for proposal relating to some
or all of such services, and for a third party to conduct due diligence and
prepare an informed, non-qualified offer for such services.

 

(b) Without limiting the generality of Section 17.4(a), the types of information
and level of cooperation to be provided by Supplier pursuant to this Section
17.4 will be no less than those initially provided by Triple-S to Supplier prior
to the Effective Date, and shall include the following information which
Triple-S may distribute to third-party bidders in a request for proposal(s),
request for information, specification, or any other solicitation relating to
the Services and as necessary to support any related due diligence activities:

 

(i) General organization charts showing the overall structure of the information
technology outsourcing organization supporting Triple-S, and a description of
the roles and responsibilities of the various functions described in such
organization charts;

 

(ii) General organization charts showing the overall structure of the
organization supporting the Services and a description of the roles and
responsibilities of the various Functions described in such organization charts;

 

(iii) With respect to time and material engagements, the number of personnel at
each location used to provide Services classified by job title, skill level, and
experience;

 

(iv) Generic job descriptions of the functions and job classifications within
the organization providing Services;

 

(v) Up-to-date Service Level performance histories, third-party contract lists,
then-current work volumes and information relating to projects underway;

 

(vi) Detailed network topographies; and

 



(vii) List of all Software and Equipment utilized to provide the Services,
including details regarding the same such as version, release and the title and
similar information related to Software and Equipment as reasonably requested by
Triple-S.

 

18. GOVERNANCE AND MANAGEMENT

 

18.1 Governance Structure and Processes

 

(a) Supplier acknowledges that it is a key business requirement of Triple-S that
Supplier provide the Services in a consistent, integrated manner in accordance
with Schedule F (Governance). Schedule F (Governance) contains a description of
the committees and governance processes the Parties have formed and will use to
govern their relationship and activities under this Agreement.

 

(b) Notwithstanding anything set forth in this Agreement to the contrary, any
term in this Agreement that states that a matter shall be referred to or
resolved in accordance with Schedule F (Governance) shall not affect either
Party’s right to escalate such matter to the dispute resolution provisions in
Section 25.

 

18.2 Reports

 

The Parties have agreed to certain terms regarding reports as set forth in
Schedule K (Reports).

 

18.3 Procedures Manual

 

(a) The “Procedures Manual” is a document (or set of documents) to be prepared
by Supplier describing how Supplier will perform and deliver the Services under
this Agreement, the Equipment and Software used, and the documentation (e.g.,
operations manuals, user guides, specifications) that provide further details of
the activities. The Procedures Manual may also be referred to as “SOPs”. The
table of contents of the Procedures Manual as of the Effective Date is set forth
in Schedule CC (Procedures Manual TOC). The Procedures Manual will:

 

(i) describe the activities Supplier shall undertake in order to provide the
Services, including those direction, supervision, monitoring, staffing,
reporting, planning and oversight activities normally undertaken to provide
services of the type Supplier is to provide under this Agreement;

 

(ii) include Supplier’s escalation procedures and the other standards and
procedures of Supplier pertinent to Triple-S’s interactions with Supplier in
obtaining the Services; and

 

(iii) include such other information as would be reasonably necessary to an
Auditor when performing audits as permitted by this Agreement.

 

(b) The Procedures Manual must be reasonably suitable for use by Triple-S to
understand the Services.

 



(c) Working in consultation with Triple-S, Supplier will deliver to Triple-S a
draft Procedures Manual describing the Services to be transitioned from Triple-S
to Supplier within one hundred eighty (180) days after the first Services
Commencement Date. Triple-S shall have the opportunity to provide comments and
suggestions on the draft Procedures Manual and to identify deficiencies.
Supplier will address Triple-S’s reasonable comments and identified deficiencies
and will provide a revised Procedures Manual with respect to each wave, within
one hundred eighty (180) days after the occurrence of such wave. The final
Procedures Manual will be subject to the approval of Triple-S.

 

(d) The Procedures Manual will be considered an operational document, which
Supplier shall revise and periodically, but no more than one time per contract
year, update to reflect changes in the operations or procedures described in it.
Updates of the Procedures Manual will be provided to Triple-S for review,
comment and approval.

 

(e) Supplier will perform the Services in accordance with the most recent
Triple-S-approved version of the Procedures Manual. The Procedures Manual shall
not be used to override this Agreement. If there is any conflict between the
provisions of this Agreement and the Procedures Manual, the provisions of this
Agreement will control.

 

(f) Any Triple-S Data or Triple-S Confidential Information that is incorporated
into the Procedures Manual shall continue to be the property of Triple-S. Any
Supplier Confidential Information that is incorporated into the Procedures
Manual shall continue to be the property of Supplier.

 

(g) Triple-S and its Affiliates may retain and Use the Procedures Manual in
their businesses and for their benefit both during the Term and the
Disengagement Assistance Period and following the expiration or termination of
this Agreement (or portion thereof) for any reason. Subject to appropriate
non-disclosure agreements for the limited purpose of protecting any Confidential
Information or Independent IP of Supplier incorporated into the Procedures
Manual, Triple-S and its Affiliates may permit any of their other service
providers to use the Procedures Manual during and after the Term, but solely in
connection with their provision of services for Triple-S and its Affiliates.

 

18.4 Change Control Process

 

(a) Except as otherwise expressly provided in this Agreement, Triple-S has
retained responsibility for establishing the standards and strategic direction
of Triple-S (and its Affiliates) with respect to information technology
outsourcing.

 

(b) Supplier will not make any Changes, except in accordance with the Change
Control Process and with Triple-S’s prior written approval (which Triple-S may
grant or withhold in its discretion). Supplier shall not implement, and shall
not be obligated to implement, any proposed Change for which Triple-S has not
provided its prior written consent.

 

(c) In exercising its discretion in determining whether to grant its approval to
a Change, Triple-S may consider, among other things, whether implementation of
the Change would adversely affect the functionality, performance or resource
efficiency of the

 



Services, increase Triple-S’s internal costs or Supplier’s Charges to Triple-S
under this Agreement or charges by other Triple-S suppliers to Triple-S, or if
it would otherwise adversely affect Triple-S’s or its Affiliates’ business,
operations or security.

 

(d) The Parties agree that a Change may or may not result in additional charges
or in an adjustment to the charges. Supplier shall not be entitled to request an
additional charge or an adjustment to the charges for a Change unless, and only
to the extent, (i) such Change is a Material Change (defined in Schedule C
(Charging Methodology)), and (A) such Change (1) is not within the scope of the
Services or Supplier’s Financial Responsibility under this Agreement, and (2)
would increase Supplier’s costs to implement the Change or to deliver the
Services in accordance with such Change; and (B) the additional charge requested
by Supplier for such Change must be reasonably related to the net additional
costs incurred by Supplier arising out of the Change (after taking into account
any reductions to Supplier’s costs arising out of the Change).

 

(e) With respect to any change in a Law, Other Compliance Obligation or Triple-S
Policy (or any new Law, Other Compliance Obligation or Triple-S Policy) that
either Party determines may require a potential Change to the Services:

 

(i) The Parties will mutually discuss the potential Change to the Services, and
based on such discussions, Supplier shall provide a proposed Change Order
addressing such Change, to reflect how the Services would be modified to be in
compliance with such changed or new Law, Other Compliance Obligation or Triple-S
Policy (as applicable).

 

(ii) With respect to any Change resulting from (x) a change in or a new Law or
Other Compliance Obligation, or (y) a change in or a new Triple-S Policy (but
only to the extent such change in or new Triple-S Policy was required in order
to comply with an existing Law or Other Compliance Obligation or caused by a
change in or a new Law or Other Compliance Obligation):

 

(A) Supplier shall use Commercially Reasonable Efforts to implement the Change
sufficiently in advance of the effective date of compliance with such changed or
new Law or Other Compliance Obligation such that Triple-S has a reasonable
amount of time to perform testing of any of Triple-S’s equipment, systems,
processes or other items that may be impacted by such Change; and

 

(B) Supplier shall have financial responsibility for any such Change, except (i)
to the extent that Triple-S is financially responsible as expressly set forth in
Schedule C (Charges); or (ii) as otherwise set forth in Schedule C (Charges) or
Schedule K (Reports).

 

(f) If an approved Change would result in New Services or a change in these
General Terms and Conditions or any Schedule, the Change must be authorized via
a Change Order or a contract amendment or modification made pursuant to
Section 26.3 (Contract Amendments and Modifications).

 



18.5 Audits and Records

 

The rights and obligations of the Parties with respect to audits and record
retention are set forth in Schedule M (Audit and Record Retention Requirements).

 

19. REPRESENTATIONS, WARRANTIES AND COVENANTS

 

19.1 Work Standards

 

Supplier represents, warrants and covenants that the Services will be rendered
with promptness and diligence and be executed in a professional and workmanlike
manner in accordance with the practices and standards observed by tier 1
providers of outsourcing services comparable to the Services. Supplier warrants
and covenants that it will use adequate numbers of qualified Supplier Personnel
with suitable training, education, experience and skill to perform the Services
in accordance with timing and other requirements of this Agreement.

 

19.2 Maintenance

 

Supplier represents, warrants and covenants that it will: maintain the Equipment
and Software so they operate in accordance with their specifications in all
material respects, including: (a) maintaining Equipment in good operating
condition, subject to normal wear and tear; (b) undertaking repairs and
preventive maintenance on Equipment in accordance with the applicable Equipment
manufacturer’s recommendations; and (c) performing Software maintenance in
accordance with the applicable Software vendor’s documentation and
recommendations (unless otherwise agreed by Triple-S).

 

19.3 Efficiency and Cost-Effectiveness

 

Supplier represents, warrants and covenants that it will use Commercially
Reasonable Efforts to use efficiently the resources or services necessary to
provide the Services. Supplier warrants and covenants that it will use
Commercially Reasonable Efforts to perform the Services in the most
cost-effective manner consistent with the required level of quality and
performance.

 

19.4 Deliverable Warranty

 

(a) Supplier represents, warrants and covenants that each Deliverable produced
by Supplier under this Agreement shall not, during the Warranty Period, deviate
in any material respect from the Requirements and specifications for such
Deliverable set forth in the applicable Statement of Work, or Task Order
developed by the Parties pursuant to this Agreement.

 

(b) If Triple-S notifies Supplier of a breach of the warranty set forth in
Section 19.4(a) within the Warranty Period, Supplier will promptly correct and
redeliver the affected Deliverable at no additional charge to Triple-S without
delay.

 

(c) “Warranty Period” shall mean the period of time commencing on the earlier to
occur of (i) the date of delivery of such Deliverable to Triple-S, and (ii) use
of such Deliverable to provide or receive the Services, and continuing for
(A) [***] after the start of the

 



Warranty Period for Deliverables that are provided to Triple-S in such a manner
that they are outside of Supplier’s control and support as part of the Services;
and (B) the duration of the Term and all Disengagement Assistance Periods for
all other Deliverables.

 

(d) Supplier’s obligations under this Section 19.4 do not in any way limit
Supplier’s obligation to provide ongoing maintenance and support of the
Deliverables as may be specified in a Statement of Work or Task Order.

 

19.5 Intentionally Omitted

 

19.6 Documentation

 

Supplier represents, warrants and covenants that any Software Documentation
developed for Triple-S by or on behalf of Supplier will, during the Software
Documentation Warranty Period (a) accurately and with reasonable
comprehensiveness describe the operation, functionality and use of the
applicable Software in all material respects, and (b) accurately describe in
terms understandable to a typical End User the material functions and features
of the applicable Software and the procedures for exercising such functions and
features. “Software Documentation Warranty Period” shall mean the period of time
commencing on the date of acceptance of the Software Documentation and
continuing until the later of (i) the expiration or termination of the Statement
of Work or Task Order under which the Software Documentation was developed and
(ii) the expiration or termination of any Disengagement Assistance Period for
such Statement of Work or Task Order.

 

19.7 Compatibility

 

Supplier represents, warrants and covenants that any Deliverables and other
components of the Services will be compatible and will properly inter-operate
and work together in all material respects as components of an integrated system
if one would reasonably anticipate that such compatibility and interoperability
is necessary to use the Deliverable for its intended purpose.

 

19.8 Open Source Code

 

Supplier represents, warrants and covenants that Supplier shall not incorporate
any Open Source Code into any Deliverable unless approved in writing by Triple-S
in advance. “Open Source Code” means any Software that requires as a condition
of its use, modification or distribution that it be disclosed or distributed in
Source Code form or made available at no charge.  Open Source Code includes
software licensed under the GNU General Public License (GPL) or the GNU
Lesser/Library GPL.

 

19.9 Non-Infringement

 

(a) Subject to Section 19.9(b), Supplier represents, warrants and covenants as
follows:

 

(i) that Supplier and Supplier Personnel will perform their responsibilities
under this Agreement in a manner that does not infringe or constitute an
infringement or misappropriation of any Intellectual Property Rights of any
third party;

 



(ii) that Supplier has all rights and licenses necessary to convey to Triple-S
(and to its Service Recipients, where applicable) the rights of ownership of (or
access or license rights to, as applicable and as provided for in, and subject
to, this Agreement), all Software, Work Product, Independent IP, Deliverables
and other items used by Supplier to deliver the Services or provided by or on
the behalf of Supplier pursuant to this Agreement; and

 

(iii) that no Software, Work Product, Independent IP, Deliverable or other item
used by Supplier to deliver the Services or provided by or on behalf of
Supplier, nor their use by Triple-S, its Affiliates or other Service Recipients
in accordance with this Agreement, will infringe or constitute an infringement
or misappropriation of any Intellectual Property Right of any third party.

 

(b) Supplier will not be considered in breach of the representation, warranty
and covenant set forth in Section 19.9(a) to the extent (but only to the extent)
any claimed infringement or misappropriation is attributable to any of the
following:

 

(i) A modification made by or on behalf of Triple-S, its Affiliates or any
Service Recipient (excluding modifications made by or on behalf of Supplier,
Supplier Personnel or any Affiliates of Supplier) of an item used or provided by
or on behalf of Supplier unless the modification was recommended, authorized,
approved, or made by Supplier; or

 

(ii) The combination, operation or use of an item by or on behalf of Triple-S,
its Affiliates or any Service Recipient (excluding the combination, operation or
use by or on behalf of Supplier or Supplier Personnel or any Affiliates of
Supplier) used or provided by or on behalf of Supplier with other specific items
not furnished by, through or at the specification of Supplier or its
Subcontractors; provided, however, that this exception will not be deemed to
apply to the combination, operation or use of an item with other commercially
available products that could reasonably have been anticipated to be used in
combination with the item used or provided by or on behalf of Supplier (e.g.,
the combination, operation or use of Application Software provided by Supplier
with a commercially available computer and operating systems (such as Windows)
not provided by Supplier); or

 

(iii) Developments or modifications made by Supplier in compliance with
specific, designs or instructions used or provided by or on behalf of Triple-S,
its Affiliates or any Service Recipient, where compliance with such designs or
instructions necessarily caused such infringement or misappropriation.

 

19.10 Viruses Impacting Triple-S

 

(a) Supplier represents, warrants and covenants that Supplier Personnel will not
knowingly introduce a Virus or knowingly allow a Virus to be introduced into
Triple-S’s or any other Service Recipient’s system or any system used to provide
the Services.

 



(b) Supplier covenants that it will use Commercially Reasonable Efforts to
prevent Supplier Personnel from unknowingly introducing a Virus or allowing a
Virus to be introduced into Triple-S’s or any other Service Recipient’s system
or any system used to provide the Services.

 

(c) If a Virus is found to have been introduced into Triple-S’s or other Service
Recipients’ systems or the systems used to provide the Services as a result of
Supplier’s breach of the foregoing representation, warranty and covenants,
Supplier will use Commercially Reasonable Efforts at no additional charge to
assist Triple-S in eradicating the Virus and reversing its effects and, if the
Virus causes a loss of data or operational efficiency, to assist Triple-S in
mitigating and reversing such losses.

 

19.11 Disabling Code

 

(a) Supplier represents, warrants and covenants that in the course of providing
the Services it will not knowingly insert into Software or any systems used to
provide the Services any code, timer, clock or other design or routine that may
cause any Software or data used by it to be erased, become inoperable or
inaccessible or accessible by any party other than Triple-S, or any code that
would have the effect of disabling or otherwise shutting down all or any portion
of the Services (each a “Disabling Device”) without Triple-S’s prior written
consent or except for any lockout or similar devices used for the purpose of
managing Software or data compliance.

 

(b) With respect to any Disabling Device that was already part of Software or
systems used to provide the Services, Supplier represents, warrants and
covenants that it will not at any time without Triple-S’s prior written consent,
knowingly invoke such Disabling Device or knowingly permit it to be invoked.

 

(c) Supplier represents, warrants and covenants that Supplier will not, and will
not permit any other party to, invoke a Disabling Device at any time without
Triple-S’s prior written consent.

 

(d) For purposes of this Section, programming errors by Supplier or a third
party will not be deemed a Disabling Device to the extent Supplier or the third
party can demonstrate that such errors were not made with the intention of
disabling or otherwise shutting down all or any portion of Triple-S’s or any
other Service Recipient’s systems or any system used to provide the Services or
causing any of the other negative effects described in Section 19.11(a).

 

19.12 Delivery Platforms

 

Supplier represents, warrants, and covenants that the Software and Tools
identified in Schedule S (Supplier Software and Supplier Tools), at the time
such lists are produced, shall constitute, in all material respects, all of the
hardware, Software and Tools that comprise or are necessary to operate an
instance of the platforms used by Supplier to provide the Services as it is then
configured, operated, and used by or for Supplier to perform and deliver
services under the Agreement.

 




 



19.13 Corporate Social Responsibility

 

Supplier represents, warrants and covenants to Triple-S that Supplier and
Supplier Facilities comply, and during the Term and the Disengagement Assistance
Period will comply, with the following:

 

(a) Supplier will not use forced or compulsory labor in any form, including
prison, indentured, political, bonded or otherwise.

 

(b) Supplier will not follow policies promoting or resulting in unacceptable
worker treatment such as the exploitation of children, physical punishment,
female abuse, involuntary servitude, or other forms of abuse.

 

(c) Supplier will not discriminate based on race, creed, gender, marital or
maternity status, class or caste status, religious or political beliefs, age or
sexual orientation. Supplier’s decisions related to hiring, salary, benefits,
advancement, termination or retirement will be based solely on the ability of an
individual to do the job, Supplier’s business and technical requirements, and
those of Supplier’s customers.

 

(d) Supplier’s management practices will recognize the dignity of the individual
employee and the right to a work place free of harassment, abuse or corporal
punishment, and will respect Supplier’s employees’ voluntary freedom of
association.

 

(e) Supplier will comply with all applicable Laws concerning the conditions of
employment of its employees, including those relating to pay, benefits, and
working conditions.

 

(f) Supplier will maintain on file documentation reasonably necessary to
demonstrate compliance with this Section 19.13 (Corporate Social Responsibility)
and shall make these documents available for Triple-S and its auditors in
accordance with Schedule M (Audit and Record Retention Requirements). Supplier
will publicize to its employees and enforce a non-retaliation policy that
permits Supplier’s employees to speak with Triple-S and Triple-S’s auditors
without fear of retaliation by Supplier’s management.

 

19.14 Foreign Corrupt Practices Act

 

(a) Supplier represents, warrants and covenants that it has not and will not
offer, pay, promise to pay, or authorize the payment of any money, or offer,
give, promise to give, or authorize the giving of anything of value to a
Territory official (as defined in the Foreign Corrupt Practices Act (P.L.
95-213), as amended), to any Territory political party or official thereof or
any candidate for Territory political office, or to any person, while knowing or
being aware of a high probability that all or a portion of such money or thing
of value will be offered, given or promised, directly or indirectly, to any
Territory official, to any Territory political party or official thereof, or to
any candidate for Territory political office, for the purposes of:

 

(i) influencing any act or decision of such Territory official, political party,
party official, or candidate in his or its official capacity, including a
decision to fail to perform his or its official functions; or

 




 



(ii) inducing such Territory official, political party, party official, or
candidate to use his or its influence with the Territory government or
instrumentality thereof to affect or influence any act or decision of such
government or instrumentality, in order to assist Triple-S or Supplier in
obtaining or retaining business for or with, or directing business to Triple-S
or Supplier.

 

(b) Supplier further represents, warrants and covenants that it will not violate
the Foreign Corrupt Practices Act or any other applicable anti-corruption laws
or regulations. Supplier agrees that if subsequent developments after the
Effective Date cause the representations, warranties, covenants and information
reported in this Section 19.14 to be no longer accurate or complete, Supplier
will immediately furnish Triple-S with a supplementary report detailing such
change in circumstances, and will provide updates to Triple-S on the status of
such matters.

 

19.15 Debarment from Federal Contracts and Termination.

 

(a) Supplier represents, warrants and covenants that: (i) Supplier and its
Affiliates and Subcontractor(s), and its or their employees, agents or
representatives, are not subject to any active administrative agreement
pertaining to its eligibility for the award of government contracts; (ii)
Supplier and its Affiliates and Subcontractor(s), and its or their employees,
agents or representatives, have not had any communications with any suspending
or debarring official of any governmental entity regarding its eligibility for
the award of government contracts; (iii) neither Supplier nor its Affiliates and
Subcontractor(s), and its or their employees, agents or representatives, have
been debarred, suspended, or similarly disqualified from participation in the
award of contracts with the United States Government or any other governmental
entity; nor (iv) are there facts or circumstances that would warrant the
institution of suspension, debarment, or other disqualification proceedings or
the finding of non-responsibility or ineligibility as defined by 48 C.F.R.
2.101, on the part of Supplier or any Affiliate or Subcontractor(s), and its or
their employees, agents or representatives.

 

(b) Supplier represents, warrants and covenants that Supplier shall not employ
or contract with, for any aspect of its business that involves government
contracts, any individual or entity convicted of a criminal offense involving
government business, listed by a federal agency as debarred, or which is
suspended or otherwise excluded from federal program participation. Supplier
represents that Supplier and its Affiliates and Subcontractor(s), and its or
their employees, agents or representatives, do not fit within any of these
categories as of the Effective Date.

 

(c) Supplier agrees to inform Triple-S promptly if at any time during the
effective period of this Agreement Supplier or any of its employees or
Subcontractors becomes so convicted, listed, suspended or excluded. Supplier
also agrees not to assign any individual to perform work under this Agreement,
insofar as it may involve government contracts, who is so convicted, listed,
suspended or excluded, and shall perform screenings of all employees and
Subcontractors performing Services under the Agreement against the list of
parties excluded from federal contracting available on the System for Award
Management, SAM.gov, to identify any employees or Subcontractors that have been
suspended, excluded or otherwise sanctioned by the federal government.

 




 



19.16 Claims Procedures, Appeals and External Review

 

Supplier shall ensure that its decisions regarding hiring, compensation,
termination, promotion, or other similar matters with respect to Supplier
Personnel (such as a claims adjudicator, appeals processor, or medical expert)
shall not be made based upon the likelihood or perceived likelihood that the
individual will support or tend to support the denial of benefits for Triple-S
members and/or customers.

 

19.17 No Improper Inducements

 

Supplier represents, warrants, and covenants to Triple-S that it has not
violated any applicable laws or regulations or any Triple-S policies of which
Supplier has been given notice in writing, regarding the offering of unlawful or
improper inducements in connection with this Agreement.

 

19.18 Immigration

 

Supplier represents, warrants, and covenants to Triple-S that it has not
violated and shall comply with any applicable Laws relating to the H-1B Visa
program and other similar immigration and labor Laws. Supplier shall use best efforts to
ensure that Triple-S is not drawn into any investigations or proceedings
regarding the immigration status of Supplier Personnel.

 

19.19 [***] Software

 

(a) Supplier represents, warrants, and covenants to Triple-S that as of the
Effective Date Supplier has executed an agreement with [***] (“[***]”)
authorizing Supplier to access the [***] and related software licensed by
Triple-S from [***] (“[***] Software”) as necessary to provide the Services (as
they exist on the Effective Date) throughout the Term of this Agreement
(“[***]/Supplier Agreement”). Supplier shall not terminate the [***]/Supplier
Agreement without consulting Triple-S in advance and obtaining Triple-S’ written
approval of an alternate solution reasonably acceptable to Triple-S with which
Supplier would continue providing the Services.

 

(b) If Supplier receives any notice from [***] or becomes aware of any other
circumstance that could lead to [***] terminating the [***]/Supplier Agreement
or Supplier otherwise not having the rights it requires to access the [***]
Software as necessary to provide the Services (such rights, [***] Access
Rights), Supplier shall promptly notify Triple-S of the circumstance and provide
periodic updates until the circumstances are resolved. 

 

(c) If Supplier receives a notice of termination of the [***] Access Rights, or
otherwise loses or expects to lose the [***] Access Rights, Supplier shall
promptly notify Triple-S. Upon receipt of such notice, Triple-S at its option
may (i) terminate this Agreement without payment of a termination charge or
other liability; or (ii) terminate the portion of the Services that requires
[***] Access Rights without payment of a termination charge or other liability
and Supplier shall work in good faith with Triple-S to equitably adjust the
Charges to reflect the remaining Services Supplier will provide.

 

(d) Except as expressly permitted under the [***]/Supplier Agreement:

 




 



(i) Supplier shall not host, access or operate the [***] Software, or access any
[***] Confidential Information (defined below).

 

(ii) Supplier shall not request from any In-Scope Employee, and shall instruct
such In-Scope Employees not to provide, any access to the [***] Software or to
any related documentation, information, data, drawings, benchmark tests,
specifications, trade secrets, copies of [***] Software code, or other
proprietary information marked as confidential information of [***] or its
Affiliates (collectively “[***] Confidential Information”).

 

(iii) Supplier shall develop and maintain written policies, procedures and
controls designated to ensure compliance with the terms above in this Section
19.19(d), and shall provide copies to Triple-S upon request.

 

(iv) If Supplier does obtain access to any [***] Confidential Information other
than as permitted under the [***]/Supplier Agreement, Supplier shall promptly
(A) notify Triple-S; and (B) take appropriate actions to eliminate such access
and prevent such access from occurring again in the future.

 

19.20 Non-Infringement

 

(a) Subject to Section 19.20(b), Triple-S represents, warrants and covenants as
follows:

 

(i) that Triple-S, Triple-S Affiliates and Service Recipients will perform their
responsibilities under this Agreement in a manner that does not infringe or
constitute an infringement or misappropriation of any Intellectual Property
Rights of any third party;

 

(ii) that Triple-S has all rights and licenses necessary to convey to Supplier
(and to its Supplier Personnel and Subcontractors, where applicable) the rights
to use (or license rights to, as applicable), all Software, Equipment,
Independent IP, Tools and other items provided by or on the behalf of Triple-S
pursuant to this Agreement; and

 

(iii) that no Software, Equipment, Independent IP, Tool or other item provided
by or on behalf of Triple-S, nor their use by Supplier, its Affiliates, Supplier
Personnel or Subcontractors in accordance with this Agreement, will infringe or
constitute an infringement or misappropriation of any Intellectual Property
Right of any third party.

 

(b) Triple-S will not be considered in breach of the representation, warranty
and covenant set forth in Section 19.20(a) to the extent (but only to the
extent) any claimed infringement or misappropriation is attributable to any of
the following:

 

(i) A modification made by or on behalf of Supplier or its Affiliates (excluding
modifications made by or on behalf of Triple-S, Service Recipients or any
Affiliates of Triple-S) of an item provided by or on behalf of Triple-S unless
the modification was recommended, authorized, approved, or made by Triple-S; or

 




 



(ii) The combination, operation or use of an item by or on behalf of Supplier or
its Affiliates (excluding the combination, operation or use by or on behalf of
Triple-S or Service Recipients or any Affiliates of Triple-S) provided by or on
behalf of Triple-S with other specific items not furnished by, through or at the
specification of Triple-S or a Service Recipient; provided, however, that this
exception will not be deemed to apply to the combination, operation or use of an
item with other commercially available products that could reasonably have been
anticipated to be used in combination with the item provided by or on behalf of
Triple-S (e.g., the combination, operation or use of Application Software
provided by Triple-S with a commercially available computer and operating
systems (such as Windows) not provided by Triple-S); or

 

(iii) Developments or modifications made by Triple-S in compliance with specific
designs or instructions provided by or on behalf of Supplier, where compliance
with such designs or instructions necessarily and unavoidably caused such
infringement or misappropriation.

 

19.21 Viruses Impacting Supplier

 

(a) Triple-S represents, warrants and covenants that Service Recipients will not
knowingly introduce a Virus or knowingly allow a Virus to be introduced into
Supplier’s, any Supplier Personnel’s or any Subcontractor’s system or any system
used to provide the Services.

 

(b) Triple-S covenants that it will use Commercially Reasonable Efforts to
prevent Service Recipients from unknowingly introducing a Virus or allowing a
Virus to be introduced into Supplier’s, any Supplier Personnel’s or any
Subcontractor’s system or any system used to provide the Services.

 

(c) If a Virus is found to have been introduced into Supplier’s, Supplier
Personnel’s or any Subcontractor’s systems or the systems used to provide the
Services as a result of Triple-S’s breach of the foregoing representation,
warranty and covenants, Triple-S will use Commercially Reasonable Efforts at no
additional charge to assist Supplier in eradicating the Virus and reversing its
effects and, if the Virus causes a loss of data or operational efficiency, to
assist Supplier in mitigating and reversing such losses.

 

20. MUTUAL REPRESENTATIONS AND WARRANTIES; DISCLAIMER

 

20.1 Mutual Representations and Warranties

 

Each Party represents, warrants and covenants to the other that:

 

(a) It has the requisite corporate power and authority to enter into this
Agreement and to carry out the transactions and activities contemplated by this
Agreement;

 

(b) The execution, delivery and performance of this Agreement and the
consummation of the transactions contemplated by this Agreement have been duly
authorized by the requisite
corporate action on the part of such Party, are a valid and binding obligation
of such Party, and do not constitute a violation of any existing judgment, order
or decree;

 

(c) The execution, delivery and performance of this Agreement and the
consummation of the transactions contemplated by this Agreement do not
constitute a material default under any existing material contract by which it
or any of its material assets is bound, or an event that would, with notice or
lapse of time or both, constitute such a default; and

 

(d) There is no proceeding pending or, to the knowledge of the Party, threatened
that challenges or could reasonably be expected to have a material adverse
effect on this Agreement or the ability of the Party to perform and fulfill its
obligations under this Agreement.

 

20.2 Disclaimer

 

OTHER THAN AS PROVIDED IN THIS AGREEMENT, THERE ARE NO EXPRESS WARRANTIES AND
THERE ARE NO IMPLIED WARRANTIES, STATUTORY OR OTHERWISE, INCLUDING THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE,
EXCEPT AS MAY BE REQUIRED BY LAW. FURTHER, SUPPLIER MAKES NO REPRESENTATIONS AND
WARRANTIES WITH RESPECT TO MANAGED THIRD PARTIES OR ANY ITEMS OR SERVICES
PROVIDED BY MANAGED THIRD PARTIES.

 

21. CONFIDENTIALITY

 

21.1 “Confidential Information” Defined

 

(a) “Confidential Information” of a Party means any non-public information (or
materials) belonging to, concerning or in the possession or control of the Party
or any of its Affiliates (the “Furnishing Party”) that is furnished, disclosed
or otherwise made available (directly or indirectly) to the other Party (the
“Receiving Party”) (or entities or persons acting on the other Party’s behalf)
in connection with this Agreement and which is either marked or identified in
writing as confidential, proprietary, secret or with another designation
sufficient to give notice of its sensitive nature, or is of a type that a
reasonable person would recognize it to be confidential.

 

(b) In the case of Triple-S, “Confidential Information” includes the following,
regardless of whether it is marked confidential or how it is marked:

 

(i) information belonging to, concerning or in the possession or control of
Triple-S, its Affiliates, Service Recipients or their respective members,
customers, employees, providers, suppliers or contractors (other than
information belonging to or concerning Supplier or its Affiliates) to which
Supplier has access in Triple-S Facilities or Triple-S systems or through
Supplier’s provision of the Services;

 

(ii) business, technical and financial information of Triple-S, its Affiliates,
Service Recipients or their respective members, customers, employees, providers,
suppliers or contractors (including past, present and prospective business,
current
and future products and services, finances, marketing plans and techniques,
price lists);

 

(iii) Triple-S Work Product;

 

(iv) Deliverables;

 

(v) Triple-S Data, Triple-S Owned Software, Triple-S Licensed Software, Triple-S
Tools, Triple-S Independent IP and systems access codes to such Triple-S Data
and such Software and applicable Source Code and Documentation relating to the
foregoing;

 

(vi) information concerning Triple-S’s and/or its Affiliates’ and Service
Recipient’s products, marketing strategies, financial affairs, members,
customers, employees, providers, suppliers or contractors;

 

(vii) Personally Identifiable Information, including PHI; and

 

(viii) All data and information in any form derived from any of the foregoing.

 

(c) In the case of Supplier, “Confidential Information” includes the following,
regardless of whether it is marked confidential or how it is marked:

 

(i) Business and technical information of Supplier, its Affiliates or
Subcontractors (including past, present and prospective business, current and
future products and services, marketing plans and techniques);

 

(ii) cost, pricing, and financial information of Supplier, its Affiliates or
Subcontractors;

 

(iii) Supplier Owned Software, Supplier Licensed Software, Supplier Tools,
Supplier Independent IP, Other Developed Items and systems access codes to such
Software and applicable Source Code and Documentation relating to the foregoing;

 

(iv) information about other customers of Supplier, its Affiliates, information
about Subcontractors and information about employees of Supplier, its Affiliates
and Subcontractors (including employee compensation, benefits, disciplinary
records, performance records, and other similar data, regardless of whether or
how it is marked); and

 

(v) all data and information in any form derived from any of the foregoing.

 

(d) Any notes, memoranda, compilations, derivative works, data files or other
materials prepared by or on behalf of the Receiving Party that contain or
otherwise reflect or refer to Confidential Information of the Furnishing Party
will also be considered Confidential Information of the Furnishing Party.

 




 



(e) “Confidential Information” does not include any particular information
(other than Personally Identifiable Information (including PHI)) that the
Receiving Party can demonstrate:

 

(i) was rightfully in the possession of, or was rightfully known by, the
Receiving Party without an obligation to maintain its confidentiality prior to
receipt from the Furnishing Party;

 

(ii) was or has become generally known to the public other than as a result of
breach of this Agreement or a wrongful disclosure by the Receiving Party or any
of its agents;

 

(iii) after disclosure to the Receiving Party, was received from a third party
who, to the Receiving Party’s knowledge, had a lawful right to disclose such
information to the Receiving Party without any obligation to restrict its
further use or disclosure; or

 

(iv) was independently developed by the Receiving Party without use of or
reference to any Confidential Information of the Furnishing Party.

 

21.2 Obligations of Confidentiality

 

(a) Each Party acknowledges that it may be furnished, receive or otherwise have
access to Confidential Information of the other Party in connection with this
Agreement.

 

(b) The Receiving Party will not use or reproduce Confidential Information of
the Furnishing Party except as reasonably required to accomplish the purposes
and objectives of this Agreement. The Receiving Party will not disclose the
Confidential Information of the Furnishing Party to any person, or appropriate
it for the Receiving Party’s own use, or for any other person’s use or benefit,
except as specifically permitted by this Agreement or approved in writing by the
Furnishing Party.

 

(c) The Receiving Party will keep the Confidential Information of the Furnishing
Party confidential and secure, and will protect it from unauthorized use or
disclosure by using at least the same degree of care as the Receiving Party
employs to avoid unauthorized use or disclosure of its own Confidential
Information, but in no event less than reasonable care.

 

(d) As necessary to accomplish the purposes of this Agreement, the Receiving
Party may disclose Confidential Information of the Furnishing Party to any
employee, officer, director, contractor, Service Recipient, agent or
representative of the Receiving Party who has a legitimate “need to know” the
information in question solely to carry out the responsibilities of the Parties
under this Agreement or the purposes and objectives of this Agreement and who is
bound in writing to the Receiving Party to protect the confidentiality of the
information in a manner at least as stringent as that required of the Receiving
Party under this Agreement, and provided that if such party to which such
Confidential Information is to be provided is a contractor of the Receiving
Party, the requirements of Section 21.2(e) or (f) below (as applicable), shall
also apply. The
Receiving Party may also disclose Confidential Information of the Furnishing
Party to the Receiving Party’s auditors provided they are made aware of the
Receiving Party’s obligations of confidentiality with respect to the Furnishing
Party’s Confidential Information, and to the Receiving Party’s attorneys.

 

(e) Supplier may disclose Triple-S Confidential Information only to Approved
Subcontractors who have agreed in writing to protect the confidentiality of such
Confidential Information in a manner at least as stringent as that required of
Supplier under this Agreement and pursuant to written terms requiring such
Approved Subcontractors to only permit access to its employees who have a
legitimate “need to know” such information in order to provide the subcontracted
services approved pursuant to this Agreement. As between the Parties, Supplier
shall: (i) cause Supplier Personnel to comply with the confidentiality
provisions set forth in this Agreement, and (ii) be responsible for all acts and
omissions of Supplier Personnel, Subcontractors and any third party to whom
Supplier permits access to Triple-S Data or Triple-S Confidential Information
(except to the extent such access is provided by Supplier to a third party
(excluding Supplier Affiliates or Subcontractors) at Triple-S’s prior written
request). As between the Parties, Triple-S shall: (A) cause Service Recipients
to comply with the confidentiality provisions set forth in this Agreement, and
(B) be responsible for all acts and omissions of Service Recipients and any
third party to whom Triple-S permits access to Supplier Confidential Information
(except to the extent such access is provided by Triple-S to a third party
(excluding Triple-S Affiliates) at Supplier’s prior written request).

 

(f) Triple-S may also provide Confidential Information of Supplier to third
parties (including outsourcing suppliers and contractors that may replace
Supplier under this Agreement) who have a legitimate “need to know” the
Confidential Information in question in order to provide services to Triple-S,
provided that any such third party is bound to Triple-S to use such Supplier
Confidential Information for the sole purpose of providing services to Triple-S,
and has agreed to confidentiality obligations at least as stringent as those set
forth in this Agreement.

 

(g) Triple-S and its Affiliates may also disclose Supplier Confidential
Information, including this Agreement and the transactions contemplated by this
Agreement, in any reports filed or required to be filed with any regulatory
agency or body charged with the administration, oversight or enforcement of
regulations applicable to any business conducted by Triple-S or any of its
Affiliates.

 

(h) If any unauthorized disclosure, loss of, or inability to account for any
Confidential Information of the Furnishing Party occurs, the Receiving Party
will promptly so notify the Furnishing Party and will cooperate with the
Furnishing Party and take such actions as may be necessary or reasonably
requested by the Furnishing Party to minimize the violation and any damage
resulting from it.

 

21.3 No Implied Rights

 

Each Party’s Confidential Information will remain the property of that Party.
Nothing contained in this Section 21 (Confidentiality) will be construed as
obligating a Party to disclose its
Confidential Information to the other Party, or as granting to or conferring on
a Party, expressly or by implication, any rights or license to the Confidential
Information of the other Party. Any such obligation or grant will only be as
provided by other provisions of this Agreement. A Party shall not possess or
assert a lien or other similar right against the other Party’s Confidential
Information. No Party’s Confidential Information shall be sold, assigned, leased
or disposed of to third parties by the other Party or commercially exploited by
the other Party.

 

21.4 Compelled Disclosure

 

If the Receiving Party becomes legally compelled to disclose any Confidential
Information of the Furnishing Party in a manner not otherwise permitted by this
Agreement, the Receiving Party will, to the extent possible, provide the
Furnishing Party with prompt notice of the request so that the Furnishing Party
may seek a protective order or other appropriate remedy. If a protective order
or similar order is not obtained by the date by which the Receiving Party must
comply with the request, the Receiving Party may furnish that portion of the
Confidential Information that it determines it is legally required to furnish.
The Receiving Party will exercise reasonable efforts to obtain assurances that
confidential treatment will be accorded to the Confidential Information so
disclosed.

 

21.5 Confidential Treatment of this Agreement

 

Each Party may disclose the existence and general nature of this Agreement as
permitted by Section 27.6 (Public Disclosures), but otherwise the terms and
conditions of this Agreement will be considered the Confidential Information of
each Party; provided however, that this Agreement may be disclosed in its
entirety by either Party in connection with an actual or good-faith proposed
merger, acquisition, or similar transaction or in connection with due diligence
conducted for a securities offering, so long as such receiving entity (unless
such party is legal counsel to the counterparty in such transaction) first
agrees in writing to obligations substantially similar to those described in
this Section 21 (Confidentiality); and provided further that Triple-S may
disclose in one or more of its filings with the Securities and Exchange
Commission such terms of this Agreement as it believes in good faith to be
necessary to ensure that its filings under the Securities Exchange Act of 1934,
taken as a whole, do not omit to state a material fact necessary in order to
make the statements made in the light of the circumstances under which they were
made, not misleading. Furthermore, to the extent Triple-S is required, or
elects, to file this Agreement (or any portion thereof) with the Securities and
Exchange Commission, Triple-S will (i) provide Supplier with advance written
notice prior to making such filing; (ii) take all actions reasonably required to
request and obtain confidential treatment of commercially sensitive information
contained in this Agreement from the Securities and Exchange Commission; and
(iii) work in good faith with Supplier to identify for such purpose such
commercially sensitive information.

 

21.6 Disclosure of Information Concerning Tax Treatment

 

Notwithstanding anything to the contrary in this Section 21 (Confidentiality),
each Party (and its Affiliates), and any person acting on their behalf, may
disclose to any person or entity the “tax structure” and “tax treatment” (as
such terms are defined in the U.S. Internal Revenue Code and regulations under
it) of the transactions effected by this Agreement and any materials provided to
that Party (or its Affiliates) describing or relating to such tax structure and
tax treatment;
provided, however, that this disclosure authorization will not be interpreted to
permit disclosure of (a) any materials or portions of materials that are not
related to the transaction’s tax structure or tax treatment, or (b) any
materials or information that the Party (or its Affiliate(s)) must refrain from
disclosing to comply with applicable securities Laws.

 

21.7 Return or Destruction

 

Except as may be otherwise provided in Schedule M (Audit and Record Retention
Requirements):

 

(a) As requested by the Furnishing Party during the Term and the Disengagement
Assistance Period, the Receiving Party will return or provide the Furnishing
Party a copy of any designated Confidential Information of the Furnishing Party;

 

(b) When Confidential Information of the Furnishing Party is no longer required
for the Receiving Party’s performance under this Agreement, or in any event upon
expiration or termination of this Agreement, the Receiving Party will return all
materials in any medium that contain, refer to, or relate to Confidential
Information of the Furnishing Party or, at the Furnishing Party’s election,
destroy them (which, in the case of Triple-S Confidential Information, will be
done in accordance with Section 21.8 (Destruction Obligations) below);

 

(c) Except with respect to Triple-S Data, which must be returned or destroyed in
accordance with Section 21.8 (Destruction Obligations) below, the Receiving
Party may, however, keep (i) any Confidential Information of the Furnishing
Party that the Receiving Party has a license to continue using, (ii) in the
files of its legal department, for record purposes only, one copy of any
Confidential Information of the Furnishing Party requested to be returned or
destroyed, (iii) archival copies as may be necessary to comply with document
retention laws and regulations applicable to such Party’s business operations;
and (iv) any Confidential Information that is located in storage media as a
result of routine back-up procedures so long as such media is subject to
destruction in due course.

 

(d) Additionally, a Party shall have no obligation to destroy any Confidential
Information that is subject to a claim, dispute, lawsuit, or subpoena or in any
other circumstances in which such Party reasonably believes that destruction of
such Confidential Information would be unethical or unlawful; and

 

(e) Within ten (10) days of any written request by the Furnishing Party, the
Receiving Party will certify in writing signed by an officer of the corporation
that it has returned or destroyed all copies of the Furnishing Party’s
Confidential Information in the possession or control of the Receiving Party or
any of its Affiliates, Subcontractors, or contractors, and if such Confidential
Information is required to be destroyed pursuant to Section 21.8 (Destruction
Obligations), that all Triple-S Data and other Triple-S Confidential Information
has been permanently deleted from Supplier’s systems and all physical files and
have been destroyed. The certification shall specify the method and/or tools
used to delete the files.

 




 



With respect to any situation in which either Party is permitted to retain
Confidential Information pursuant to this Section 21.7, it shall keep such
information confidential and comply with the requirements of this Section 21.

 

21.8 Destruction Obligations

 

Subject to the last sentence of Section 21.7(c), Section 21.9 (Exceptions to
Retention and Destruction Obligations) and Section 5 (Records Retention) of
Schedule M (Audit and Record Retention Requirements), in circumstances where
Supplier is permitted or directed to destroy Triple-S Data or any other Triple-S
Confidential Information, Supplier will:

 

(a) “destroy” all electronic copies of such records in compliance with NIST
Special Publication 800-88 (Guidelines for Media Sanitization), using method
‘clearing’ or more thorough; and

 

(b) destroy all physical copies of such records (including originals, copies and
reproductions of electronic copies) by cross-cut shredding, incineration,
pulping, or pulverization.

 

21.9 Exceptions to Retention and Destruction Obligations

 

Upon written notification by Triple-S, whether as a formal legal hold
notification pursuant to a legal action against Triple-S, or as a preservation
request by Triple-S for any other reason, Supplier will cease destruction,
whether automated, scheduled, manual or ad-hoc, of record types specified by
Triple-S, and Supplier will preserve specified record types until notified by
Triple-S reasonably in advance that preservation is no longer necessary or until
the records are handed over to Triple-S (whichever occurs first).

 

21.10 Duration of Confidentiality Obligations

 

The Receiving Party’s obligations under this Section 21 (Confidentiality) apply
to Confidential Information of the Furnishing Party disclosed to the Receiving
Party before or after the Effective Date and will continue during the Term and
survive the expiration or termination of this Agreement as follows:

 

(a) The Receiving Party’s obligations under Section 21.7 (Return or Destruction)
and Section 21.8 (Destruction Obligations) will continue in effect until fully
performed;

 

(b) As to any portion of the Furnishing Party’s Confidential Information that
constitutes a trade secret under applicable Law, the obligations will continue
for as long as the information continues to constitute a trade secret;

 

(c) As to certain Confidential Information described in Schedule M (Audit and
Record Retention Requirements), the obligations will survive for the duration of
time set forth therein (e.g., Section 5 (Record Retention) of Schedule M);

 

(d) As to all other Confidential Information of the Furnishing Party, the
obligations will survive for ten (10) years after the Receiving Party’s
fulfillment of its obligations under Section 21.7 (Return or Destruction) with
respect to the Confidential Information in
question; and

 

(e) With respect to Personally Identifiable Information, the obligations shall
survive indefinitely.

 

22. INSURANCE

 

22.1 General Terms

 

Supplier represents that it has, as of the Effective Date, and agrees to
maintain in force, throughout the Term and the Disengagement Assistance Period,
at least the types and amounts of insurance coverage specified in this Section
22 (Insurance). Supplier will ensure that its Subcontractors obtain the
insurance required in Section 22.2(a), and will use Commercially Reasonable
Efforts to cause its Approved Subcontractors (other than Non-Key Subcontractors)
to obtain reasonable insurance given the services performed by the Approved
Subcontractor and where the applicable agreement with the Subcontractor is being
entered into specifically for performance of the Services or is up for a
negotiated renewal between the parties (i.e., excluding evergreen renewals).

 

22.2 Types and amounts of coverage

 

Supplier agrees that during the Term it will maintain in force, the following
types and amounts of insurance:

 

(a) Employer’s Liability Insurance and Statutory Worker’s Compensation
Insurance, including coverage for occupational injury, illness and disease, and
other similar social insurance in accordance with the laws of the country, state
or territory exercising jurisdiction over the employee with limits per employee,
per accident and per disease of $1,000,000 or the minimum limit required by law,
whichever limit is greater.

 

(b) Commercial General Liability Insurance, including Products, Completed
Operations, Premises Operations, Bodily Injury, Personal and Advertising Injury,
Blanket Contractual Liability and Independent Contractors Liability to the
extent covered by insurance, and Broad Form Property Damage liability coverages,
on an occurrence basis, with a limit per occurrence of $1,000,000 and $2,000,000
in aggregate. Supplier agrees to maintain general liability coverage with the
above referenced limits through a DIC/DIL policy for Services provided outside
the United States. This coverage will include Triple-S and its Affiliates as
additional insureds.

 

(c) Property Insurance, including Extra Expense and Business Income coverage,
for risks of physical loss of or damage to Triple-S buildings, business personal
property or other property that is in the care, custody or control of Supplier
pursuant to the Agreement that result from such physical loss or damage. Such
insurance will have a limit adequate to cover risks on a replacement cost basis.
This coverage will include Triple-S and its Affiliates as loss payees for all
claims arising out of Triple-S buildings or property for which Supplier has an
obligation to provide Property Insurance hereunder.

 




 



(d) Commercial Automobile Insurance covering use of all owned, non-owned and
hired automobiles for bodily injury, property damage liability with a combined
single limit per accident of $1,000,000 or similar amount in accordance with the
laws of the country, state or territory exercising jurisdiction. This coverage
will include Triple-S and its Affiliates as additional insureds.

 

(e) Umbrella Liability Insurance written on a follow-form basis with a minimum
limit of $10,000,000 per occurrence and in the aggregate, providing excess cover
for the coverages provided in Sections 22.2(a), 22.2(b), and 22.2(d).

 

(f) Commercial Crime Insurance, including coverage for employee dishonesty and
computer fraud, for loss or damage arising out of or in connection with
fraudulent or dishonest acts committed by the employees of Supplier, acting
alone or in collusion with others, including Triple-S’s property and funds of
others in their care, custody or control, with a limit per event of $10,000,000.
This Policy will include forgery or alteration coverage, mysterious
disappearance coverage, and coverage for theft of Triple-S or its Affiliates’
property on or off premise, and shall not include a requirement for arrest or
conviction. Supplier will maintain a separate third party crime policy that will
include Triple-S and its Affiliates as loss payees for all claims arising out of
Supplier’s services under this Agreement.

 

(g) Managed Care Errors and Omissions Insurance appropriate to the Supplier’s
profession, covering liability for loss or damage due to an act, error, omission
or negligence arising out of the scope of Services under this Agreement, with a
limit per claim and annual aggregate of $30,000,000.

 

(h) Professional Liability, Privacy Liability and Network Security Insurance
with a limit per claim and annual aggregate of $30,000,000 covering Supplier’s
legal liability for expenses incurred as a result of acts, errors and omissions
in connection with performance of the Services under this Agreement. Such
insurance shall, at a minimum, cover legal liability to others for:

 

(i) data security breaches (including, without limitation, unauthorized access,
use, loss or theft of Personally Identifiable Information or Triple-S
Confidential Information);

 

(ii) violation of Laws relating to the care, custody, control or use of
Personally Identifiable Information or Triple-S Confidential Information or the
privacy or security of such information;

 

(iii) data damage, destruction, or corruption;

 

(iv) any act, omission or failure to act that results in a failure of network
security (including unauthorized access to, unauthorized use of, a denial of
service attack by a third party against, or transmission of a Virus or other
type of malicious code to Triple-S’s computer systems) or the security of any
other information asset;

 




 



(v) Internet Media liability (slander, defamation, libel, invasion of privacy)
or Intellectual property infringement (such as copyrights, trademarks, service
marks and trade dress);

 

(vi) Cyber Extortion;

 

(vii) Business Interruption coverage with no more than twelve (12) hour waiting
period post Network Security event; and

 

(viii) Crisis Management expense coverage (including notification, call center,
credit monitoring, identity theft repair, public relations and legal expenses).

 

The insurance of this subsection (h) shall cover Supplier’s liability for
expenses (including legal expenses) that Triple-S and/or its Affiliates incur as
a result of any such actual or alleged event, including costs of defending,
settling and paying judgments resulting from claims, costs of responding to
regulatory or administrative investigations, regulatory fines, and costs of
computer forensic analysis and investigation, notification of impacted
individuals, public relations, call center services, fraud consulting services,
credit monitoring and protection services, and identity restoration services.
The foregoing insurance shall address all of the foregoing without limitation if
caused by an employee of Supplier or an independent contractor working on behalf
of Supplier in connection with the Agreement, and will provide coverage for
wrongful acts, claims, and lawsuits anywhere in the world where legally
permissible. Supplier will maintain the foregoing policy in force during the
Term of the Agreement and for a period of three (3) years after the termination
or expiration of this Agreement (either as a policy in force or extended
reporting period).  

 

22.3 Terms of coverage

 

(a) The insurance coverages described above, will be primary, and all coverage
will be non-contributing with respect to any other insurance or self-insurance
that may be maintained by Triple-S. Supplier will be responsible for all
deductibles and retentions with regard to such insurance. The General Liability,
Auto Liability, Workers Compensation and Umbrella Liability coverages described
above will include a waiver of subrogation. To the extent any of the coverages
set forth in Section 22.2 is written on a claims-made basis, (i) such coverage
shall have a retroactive date no later than the Effective Date; and (ii) such
coverage shall continue for three (3) years after the termination or expiration
of the Agreement, and if the policy is terminated, then it will allow for an
extended reporting period of at least three (3) years.

 

(b) Supplier will cause its insurance representatives to issue certificates of
insurance evidencing that the coverages required under this Agreement are
maintained in force. With the exception of any wholly owned captive, the
insurers selected by Supplier will have an A.M. Best rating of A-, Financial
Size Category (FSC) X or better, or, if such ratings are no longer available,
with a comparable rating from a recognized insurance rating agency. Supplier
shall provide Triple-S with at least thirty (30) days’ notice of any
cancellation or material changes to any of the insurance coverages set forth in
this Section 22 (Insurance).

 




 



(c) In the case of loss or damage or other event that requires notice or other
action under the terms of any insurance coverage described above, Supplier will
be solely responsible for taking such action. Supplier will use Commercially
Reasonable Efforts to notify Triple-S of any claim submitted to Supplier’s
insurers regarding a loss, damage or other event resulting from the Services.

 

(d) The Parties do not intend to shift all risk of loss to insurance. Supplier’s
obligation to maintain insurance coverage in specified amounts will not act as a
limitation on any other liability or obligation which Supplier would otherwise
have under this Agreement. Similarly, the including of Triple-S and its
Affiliates as additional insureds is not intended to be a limitation of
Supplier’s liability under this Agreement and will in no event be deemed to, or
serve to, limit Supplier’s liability to Triple-S to available insurance coverage
or to the policy limits specified in this Section 22, nor to limit Triple-S’s
rights to exercise any and all remedies available to Triple-S under this
Agreement, at law or in equity.

 

23. INDEMNIFICATION

 

23.1 Indemnification by Supplier

 

Supplier will at its expense indemnify, defend and hold harmless Triple-S and
its Affiliates, and their respective officers, directors, employees, customers,
agents, representatives, successors and assigns (collectively, “Triple-S
Indemnitees”) from and against any and all Losses suffered or incurred by any of
them arising from, in connection with, or based on any of the following,
whenever made:

 

(a) Hiring Process. Any Claim by, on behalf of or relating to any individual
arising out of Supplier’s employee selection, communications, recruitment or
hiring process, excluding Claims for which Triple-S is required to indemnify
under Section 23.3;

 

(b) Subcontractor Claims. Any Claim by Subcontractors arising out of Supplier’s
breach or violation of Supplier’s subcontracting arrangements;

 

(c) Supplier Personnel Claims. Any Claim by a Subcontractor or by other Supplier
Personnel that Triple-S is liable to such personnel for employee benefits or as
the employer or joint employer of such personnel; but excluding claims for which
Triple-S is required to indemnify under Section 23.3(a) or Schedule G (Form of
In-Scope Employee Agreement).

 

(d) Confidentiality, Data Security and HIPAA. Any Claim arising out of an
alleged breach of Supplier’s obligations under (i) Section 14 (Data Security and
Protection); (ii) Section 21 (Confidentiality); or (iii) Schedule H (Business
Associate Agreement);

 

(e) Security Breach. Any Claim arising out of a Security Breach;

 

(f) Infringement. Any Claim arising out of an alleged breach of Section 19.9(a)
(Non-Infringement), but subject in all respects to Section 19.9(b)
(Non-Infringement);

 

(g) Compliance. Any Claim relating to:

 




 



(i) an alleged breach of Supplier’s obligations under Section 13 (Compliance
with Laws); or

 

(ii) an alleged breach of Supplier’s obligations under this Agreement, or
Supplier’s negligence or willful misconduct, to the extent such breach,
negligence or willful misconduct results in (A) assessment of a Regulatory or
Contract Assessment; or (B) Triple-S not complying with any applicable Law or
Other Compliance Obligation.

 

(h) Bodily Injury and Property Damage. Any Claim for death or bodily injury, or
the damage, loss, loss of use or destruction of real or tangible personal
property of any third party (including employees of Triple-S or Supplier or
their respective subcontractors) brought against a Triple-S Indemnitee alleged
to have been caused by the negligence or willful misconduct of Supplier,
Supplier Personnel or anyone else for whose acts Supplier is responsible;

 

(i) Transferred Third Party Contracts. Supplier’s failure to observe or perform
any duties or obligations to be observed or performed after the date of
assignment or transfer to Supplier under any of the TSS Transferred Contracts
that are assigned or otherwise transferred to Supplier under this Agreement by
Triple-S.

 

(j) Retained Third Party Equipment, Software and Third Party Service Contracts.
Any Claim arising out of Supplier’s use of any Triple-S Leased Equipment,
Triple-S Licensed Software or services under any Triple-S Third Party Services
Contracts made available by Triple-S to Supplier or Supplier’s Subcontractors to
the extent the Claim results from a breach by Supplier or Supplier
Subcontractors of, or an act or omission of Supplier which creates liability for
Triple-S relating to, (i) the applicable third party Software license agreement,
lease agreement or Triple-S Third Party Services Contract, or certain provisions
thereof, all of the foregoing that have been provided to Supplier in writing,
including obligations to comply with the requirements regarding members and
types of licenses under any such agreement, (ii) the [***]/Optum Agreement;
(iii) Supplier’s obligations with respect to Managed Third Party Contracts as
set forth in this Agreement, or (iv) any other reasonable restrictions required
by Triple-S relating to Triple-S Leased Equipment, Triple-S Licensed Software or
Triple-S Third Party Services Contracts, which restrictions are provided in
writing to Supplier;

 

(k) Cessation of Services. Any Claim arising out of Supplier’s (i) improper or
wrongful termination of this Agreement, or (ii) abandonment of any Services in
breach of this Agreement (including a failure to provide Disengagement
Assistance as required by this Agreement);

 

(l) Mutual Representations and Warranties. Any Claim arising out of any breach
of any of Supplier’s representations or warranties set forth in Section 20.1
(Mutual Representations and Warranties);

 

(m) Viruses. Any Claim arising out of any breach of any of Supplier’s
representations, warranties or obligations under Section 19.10(a) (Viruses);

 




 



(n) Disabling Device. Any Claim arising out of any breach of any of Supplier’s
obligations under Section 19.11 (Disabling Device);

 

(o) CAP. Any Claim arising out of any breach of the CAP by Triple-S or its
Affiliates to the extent it results from Supplier’s breach of this Agreement,
negligence or willful misconduct;

 

(p) Misconduct and Negligence. Any Claim arising out of any criminal misconduct,
willful misconduct or negligence by Supplier; and

 

(q) Insurance. Any Claim arising out of risks, losses, or damages Supplier is
required to insure against under this Agreement, but only to the extent that
such insurance would have provided defense and/or indemnity coverage for the
insured loss but for Supplier’s failure to procure such insurance.

 

Any act or omission of a Subcontractor or In-Scope Employee shall be deemed to
be an act or omission of Supplier for purposes of determining Supplier’s
indemnification obligations pursuant to this Section 23.1.

 

23.2 Infringement Claims

 

If any item used by Supplier to provide the Services or which is provided by
Supplier to Triple-S under this Agreement, including any Software, Work Product,
Independent IP, Deliverables or Services (collectively, the “Indemnified Items”)
becomes, or in Supplier’s reasonable opinion is likely to become, the subject of
a Claim which is indemnifiable pursuant to Section 23.1(f) (Infringement),
Supplier will, in addition to indemnifying Triple-S Indemnitees as provided in
this Section 23 (Indemnification) and to the other rights Triple-S may have
under this Agreement, and at law or equity, at Supplier’s expense: (a) promptly
secure the right to continue using the Indemnified Item, or (b) if this cannot
be accomplished with Commercially Reasonable Efforts, then at Supplier’s expense
replace or modify the Indemnified Item to make it non-infringing or without
misappropriation, while not materially degrading performance, functionality, or
quality, increasing Triple-S costs, or materially disrupting Triple-S’s business
operations, or (c) if neither of the foregoing can be accomplished by Supplier
with Commercially Reasonable Efforts, and only in such event, then upon at least
180 days’ prior written notice to Triple-S, (i) with respect to Indemnified
Items other than Deliverables, Supplier may remove the item from use in
performing the Services, in which case Supplier’s Charges for the affected
Services will be equitably adjusted to reflect such removal, and (ii) in the
case of Deliverables, Supplier may recall the Deliverable and (if the
Deliverable was subject to a specific Charge) shall refund to Triple-S Charges
and fees paid by Triple-S for such Deliverable. If removal of the Indemnified
Item from use in performing Services or recall of a Deliverable causes the loss
or degradation of the Services or any portion of the Services that is material
to Triple-S or has a material impact on Triple-S, such loss, degradation or
material impact will constitute a material breach of this Agreement by Supplier
in respect of which Triple-S may exercise its termination and other rights and
remedies under this Agreement or at law or equity.

 

23.3 Indemnification by Triple-S

 

Triple-S will at its expense indemnify, defend and hold harmless Supplier and
its Affiliates, and
their respective officers, directors, employees, agents, representatives,
successors and assigns (collectively, “Supplier Indemnitees”) from and against
any and all Losses suffered or incurred by any of them arising from, in
connection with or based on any of the following, whenever made:

 

(a) Former Triple-S Employees. Any Claim by, on behalf of or relating to any of
the Former Triple-S Claims Employees (and/or by their collective bargaining
representative and/or union, where applicable), with respect to matters arising
out of the acts or omissions of Triple-S and/or any of its agents or
representatives, and/or with respect to the employment relationship between
these employees and Triple-S, the ending of such employment relationship, and
the decision by Triple-S to outsource Claims processing, but excluding Claims
for which Supplier is required to indemnify under Section 23.1. For purposes of
this Section 23.3(a): (i) “Former Triple-S Claims Employees” means individuals
who were employed by Triple-S to perform Claims processing or related services
at any time between the Effective Date and the Employee Separation Date; and
(ii) “Employee Separation Date” means the date the employment relationship
between a Former Triple-S Claims Employee and Triple-S ends. For clarification,
the Former Triple-S Claims Employees do not include any personnel designated as
“In-Scope Employees” under Schedule G (In-Scope Employee Agreement).

 

(b) Confidentiality, Data Security and HIPAA. Any Claim arising out of an
alleged breach of Triple-S’s obligations under (i) Section 21 (Confidentiality);
or (ii) Schedule H (Business Associate Agreement);

 

(c) Transferred Third Party Contracts. Triple-S’ failure to observe or perform
any duties or obligations to be observed or performed prior to the date of
assignment or transfer by Triple-S, under any of the TSS Transferred Contracts
that are assigned or otherwise transferred to Supplier under this Agreement by
Triple-S;

 

(d) Infringement. Any Claim arising out of an alleged breach of Section 19.20(a)
(Non-Infringement), but subject in all respects to Section 19.20(b)
(Non-Infringement).

 

(e) Compliance with Laws. Any Claim arising out of an alleged breach of
Triple-S’s obligations under Section 13 (Compliance with Laws);

 

(f) Bodily Injury and Property Damage. Any Claim for death or bodily injury, or
the damage, loss, loss of use or destruction of real or tangible personal
property of any third party (including employees of Triple-S or Supplier or
their respective subcontractors) brought against a Supplier Indemnitee alleged
to have been caused by the negligence or willful misconduct of Triple-S,
Triple-S personnel or anyone else for whose acts Triple-S is responsible;

 

(g) Misconduct and Negligence. Any Claim arising out of any criminal misconduct,
willful misconduct or negligence by Triple-S or Triple-S employees;

 

(h) Viruses. Any Indemnity Claim arising out of any breach of any of Triple-S’s
obligations under Section 19.21(a) (Viruses);

 



(i) CAP. Any Claim arising out of any breach of the CAP, except to the extent it
results from Supplier’s breach of Section 4.4(a) of this Agreement, negligence
or willful misconduct; and

 

(j) Mutual Representations and Warranties. Any Claim arising out of any breach
of any of Triple-S’s representations or warranties set forth in Section 20.1
(Mutual Representations and Warranties).

 

Any act or omission of a Service Recipient or any Triple-S contractor engaged to
perform Triple-S responsibilities under this Agreement shall be deemed to be an
act or omission of Triple-S for purposes of determining Triple-S’s
indemnification obligations pursuant to this Section 23.3.

 

23.4 Indemnification Procedures

 

The following procedures will apply to Claims for which a Party seeks to be
indemnified pursuant to this Agreement:

 

(a) Notice. Promptly after an indemnitee receives notice of any Claim for which
it will seek indemnification pursuant to this Agreement, the indemnitee will
notify the indemnitor of the Claim in writing. No failure to so notify the
indemnitor will abrogate or diminish the indemnitor’s obligations under this
Section 23 (Indemnification) if the indemnitor has or receives knowledge of the
Claim by other means or if the failure to notify does not materially prejudice
its ability to defend the Claim. Within fifteen (15) days after receiving an
indemnitee’s notice of a Claim, the indemnitor will notify the indemnitee in
writing (a “Notice of Election”) as to whether:

 

(i) the indemnitor acknowledges its indemnification obligation to indemnify and
hold harmless the indemnitee with respect to such Claim; and

 

(ii) the indemnitor elects to assume control of the defense and settlement of
such Claim.

 

In addition, the indemnitor shall provide the Notice of Election no later than
fifteen (15) days before the date on which any response to the complaint or
Claim is due.

 

(b) Procedure Following Notice of Election.

 

(i) Procedure for Non-Governmental Claims.

 

With respect to any Claim that is not a Governmental Claim, if the indemnitor
timely delivers a Notice of Election to the address set forth in Section 27.3
(Notices) that both (x) acknowledges indemnitor’s obligation to indemnify and
hold the indemnitee harmless with respect to such Claim, and (y) includes an
express election to assume control of the defense and settlement of such Claim,
then:

 

(A) the indemnitor will be entitled to have sole control over the defense and
settlement of such Claim, provided that the indemnitee shall be entitled
to participate in the defense of such Claim on a monitoring, non-controlling
basis and to employ counsel at its own expense to assist in the handling of such
Claim;

 

(B) the indemnitor will not be liable to the indemnitee for any legal expenses
incurred by the indemnitee in defending or settling the Claim incurred after the
date that indemnitee receives such indemnitor’s Notice of Election;

 

(C) the indemnitor will not be required to reimburse the indemnitee for any
amount paid or payable by the indemnitee in settlement of the Claim if the
settlement was agreed to without the written consent of the indemnitor; and

 

(D) the indemnitor shall not, without the prior written consent of the
indemnitee, (1) consent to the entry of any judgment or enter into any
settlement that provides for injunctive or other non-monetary relief affecting
the indemnitee (or the Indemnitees of the indemnitee), nor (2) consent to the
entry of any judgment or enter into any settlement unless such judgment or
settlement provides for the unconditional and full release of the indemnitee
(and the Indemnitees of the indemnitee) in respect of such Claim and does not
diminish the indemnitee’s rights under this Agreement or result in additional
fees, charges or costs to the indemnitee.

 

(ii) Procedure for Governmental Claims.

 

(A) A “Governmental Claim” means a Claim made against a Party (or an Indemnitee
of such Party) by a regulator, federal or state Attorney General or other
governmental entity with respect to which such Party elects to retain control of
the defense and settlement of such Claim in its notice to the other Party
pursuant to Section 23.4(a) above and for which such Party indicates in such
notice that it will seek indemnification from the other Party pursuant to this
Agreement.

 

(B) With respect to any Governmental Claim, if the indemnitor timely delivers a
Notice of Election to the address set forth in Section 27.3 (Notices)
acknowledging its obligation to indemnify and hold harmless the indemnitee with
respect to such Claim, then the indemnitee will be entitled to have sole control
over the defense and settlement of such Claim at the cost and expense of the
indemnitor, subject to Section 23.4(b)(ii)(B)(4) below, which amount shall
include payment of any settlement, judgment or award in the cost of defending or
settling such Claim; provided that:

 

(1) the indemnitee will (i) keep the indemnitor informed about the status of the
proceedings with the entity that made the Governmental Claim (including
providing copies of documents
received by the indemnitee from such governmental entity and copies of documents
provided by the indemnitee to such governmental entity), (ii) allow the
indemnitor to participate in settlement discussions with the applicable
governmental entity unless such participation is prohibited (in which case
Triple-S will use reasonable efforts to obtain written notice of such
prohibition and the grounds for such prohibition from the government entity),
(iii) consult with indemnitor and its counsel regarding the Government Claim on
a regular basis regarding strategy and all significant case developments, and
(iv) consider any input that the indemnitor provides regarding the defense or
settlement of the Government Claim, provided that the indemnitee is not required
to follow the advice or suggestions of the indemnitor or its counsel;

 

(2) the indemnitor shall be entitled to retain its own legal counsel, at its
cost and expense, and participate fully and cooperatively in all respects with
the indemnitee in such defense, including the investigation, litigation,
settlement, and trial of such Claim and any appeal arising therefrom;

 

(3) subject to Section 23.4(b)(ii)(B)(4), the indemnitor will promptly reimburse
the indemnitee upon demand for all Losses suffered or incurred by the indemnitee
as a result of or in connection with such Claim; and

 

(4) where the amount payable to settle a Government Claim is in excess of [***],
the indemnitee shall obtain the indemnitor’s written consent to such amount in
excess of [***]. Indemnitor’s consent shall not be unreasonably withheld (it
being understood that the indemnitor is responsible for reimbursing the
indemnitee for all reasonable amounts paid or payable by the indemnitee in its
defense and settlement of such Claim, subject to any applicable limitations of
liability provided in Section 24). “Reasonability” for purposes of this Section
23.4(b)(ii)(B)(4) shall be determined by taking into consideration all of the
facts and circumstances relating to such Claim, including reputational risks to
the indemnitee, the potential for the Claim to cause adverse impacts to the
indemnitee’s business or operations, and cost incurred by the indemnitee as a
result of or in connection with such Claim. If indemnitor does not provide
consent for amounts indemnitee incurs in its defense and settlement of such
Claim in excess of [***], any disputes regarding the reasonability of
indemnitor’s withholding consent (and subsequently indemnitor’s obligation to
fund any such excess incurred by indemnitee) shall be settled pursuant to
Section 23.4(b)(ii)(B)(5) below.

 



(5) in the event of a dispute between the Parties as to the reasonableness of
the amount of any cost, expense, settlement, judgement or other financial
liability that the indemnitee approves or otherwise incurs above [***] without
obtaining indemnitor’s consent under Section 23.4(b)(ii)(B)(4), the Parties
shall use the dispute process provided in Section 25 to resolve such dispute.

 

(c) Procedure Where No Notice of Election Is Delivered. If the indemnitor does
not deliver a timely (i.e., in accordance with Section 23.4(a)) Notice of
Election for a Claim that both (i) acknowledges its indemnification obligation
to indemnify and hold the indemnitee harmless with respect to such Claim, and
(ii) in the case of a Claim that is not a Governmental Claim, includes an
express election by the indemnitor to assume control of the defense and
settlement of the Claim, then the indemnitee may defend and/or settle the Claim
in such manner as it may deem reasonably appropriate, at the cost and expense of
the indemnitor, including payment of any settlement, judgment or award and the
costs of defending or settling the Claim. The indemnitor will promptly reimburse
the indemnitee upon demand for (A) all Losses suffered or incurred by the
indemnitee as a result of or in connection with the Claim; and (B) any
reasonable attorneys’ fees and related expenses incurred to collect such Losses
from the indemnitor.

 

(d) Cooperation regarding Claims. The indemnitor and the indemnitee shall
provide reasonable cooperation with one another in connection with the
resolution of any Claim, provided that, if such cooperation was at the request
of indemnitor, any costs incurred by the indemnitee in connection with such
cooperation shall be borne by the indemnitor, and shall be promptly reimbursed
by the indemnitor upon demand from the indemnitee.

 

23.5 Subrogation

 

Upon fulfilling all of its obligations under this Section 23 (Indemnification)
with respect to a Claim, including making payment in full of all amounts due
pursuant to its indemnification obligations, the indemnitor will be subrogated
to the rights of the indemnitee(s) with respect to that Claim.

 

24. LIABILITY

 

24.1 General Intent

 

Subject to the specific provisions of this Section 24 (Liability), it is the
intent of the Parties that if a Party fails to perform its obligations in the
manner required by this Agreement, that Party will be liable to the other Party
for any actual damages suffered or incurred by the other Party as a result.

 

24.2 Limitations of Liability

 

(a) Consequential Damages. Except as provided in Section 24.3 (Exceptions to
Limitations of Liability), in no event, whether in contract or in tort
(including breach of warranty,
negligence and strict liability in tort or otherwise), will a Party be liable to
the other Party under this Agreement for indirect, consequential, exemplary,
punitive or special damages of any kind or nature whatsoever (including lost
revenues, profits, savings or business), even if such Party has been advised of
the possibility of such damages in advance.

 

(b) General Liability Cap. Except as provided in Section 24.3(a) (Exceptions to
Limitations of Liability), each Party’s total liability to the other under this
Agreement, whether in contract or in tort (including breach of warranty,
negligence and strict liability in tort) will be limited, in the aggregate, to
an amount equal to the greater of the following (the “General Liability Cap”):

 

(i) $20,000,000.00; or

 

(ii) the total Charges paid or payable by Triple-S to Supplier pursuant to this
Agreement for proper performance of the Services for the twelve (12) months
prior to the month in which the most recent event giving rise to liability
occurred, provided that if the most recent event giving rise to liability occurs
during the first [***] months after the Effective Date, the amount of this
clause (ii) shall equal [***] times the result obtained by dividing the total
Charges paid or payable by Triple-S to Supplier pursuant to this Agreement for
proper performance of the Services from the Effective Date through the date on
which such event occurred, by the number of months from the Effective Date
through such date.

 

24.3 Exceptions to Limitations of Liability

 

(a) Exceptions to Consequential Damages Exclusion and General Liability Cap. The
limitations and exclusions of liability set forth in Sections 24.2(a)
(Consequential Damages) and 24.2(b) (General Liability Cap) shall not apply to
any of the following:

 

(i) damages attributable to the gross negligence or intentional or criminal
misconduct of a Party;

 

(ii) Claims and Losses that are the subject of indemnification pursuant to
Section 23 (Indemnification);

 

(iii) Damages relating to a Security Breach;

 

(iv) damages attributable to a Party’s breach of the Business Associate
Agreement or a breach of its obligations under this Agreement with respect to
Triple-S Data, Personally Identifiable Information, HIPAA or Confidential
Information of the other Party;

 

(v) damages attributable to the improper or wrongful termination of this
Agreement or abandonment of any Services by Supplier in breach of this
Agreement;

 

(vi) damages arising from a Party’s breach of its obligations under this
Agreement (including as set forth in Section 13) to comply with applicable Laws;

 



(vii) damages arising from Supplier’s breach of this Agreement, negligence, or
willful misconduct, to the extent such breach, negligence, or willful misconduct
results in Triple-S (A) incurring a Regulatory or Contract Assessment; or (B)
Triple-S not complying with any applicable Law or Other Compliance Obligation;
or

 

(viii) amounts described in Section 12.2(c) (Transformation).

 

(b) Stipulated Direct Damages. Without limiting (1) each Party’s responsibility
for direct damages under this Agreement, and (2) each Party’s right to claim
other direct damages, the Parties agree that the following shall be considered
direct damages under this Agreement, notwithstanding anything set forth in
Section 24.2 (Limitations of Liability) to the contrary:

 

(i) Costs of recreating, restoring or reloading any of Triple-S’s information
lost or damaged as a direct result of a failure by Supplier to perform the
Services at all or in accordance with Supplier’s obligations under this
Agreement. Such recreation, restoration and reloading costs shall include all
reasonable activities and efforts that an IT group of a health insurance company
may undertake to recreate, restore or reload such lost or damaged information,
using efforts that are proportionate to the importance to Triple-S of the
information to be recreated, restored or reloaded and the volume of such lost or
damaged information;

 

(ii) Identity-Related Costs incurred by Triple-S relating to any Security
Breach;

 

(iii) Costs of implementing a workaround with respect to a failure by Supplier
to perform the Services at all or in accordance with Supplier’s obligations
under this Agreement;

 

(iv) Costs and expenses incurred by Triple-S to acquire and have performed
substitute services conforming to this Agreement in place of any Services
Supplier fails to provide at all or in accordance with Supplier’s obligations
under this Agreement; or

 

(v) Straight time, overtime, or related expenses reasonably incurred by Triple-S
or its Affiliates, including wages and salaries of additional personnel, travel,
expenses, telecommunication and similar charges, incurred due to the failure of
Supplier to perform the Services at all or in accordance with Supplier’s
obligations under this Agreement.

 

Nothing in this Section 24.3(b) shall limit Supplier’s obligations or liability
under Section 23 (Indemnification), including Section 23.1(d) (Confidentiality,
Data Security and HIPAA), Section 23.1(e) (Security Breach), and Section 23.1(g)
(Compliance with Laws), nor Triple-S’s right to claim damages for other items
not set forth in this Section.

 

(c) Service Level Credits, milestone credits and transition-related
reimbursements (including Critical Transition Milestones and Critical
Milestones) described in this Agreement, as well as any other credits as may be
agreed between the Parties for particular projects, shall not limit or otherwise
reduce (i) the foregoing liability caps or (ii) any other rights
or remedies that Triple-S may have available to it under this Agreement,
including termination rights and rights to recover damages; provided, however,
that the amount of damages recoverable by Triple-S with respect to a failure for
which credits are payable shall equal (A) the total amount of damages then
recoverable under this Agreement and incurred by Triple-S with respect to such
failure, without consideration of whether any credits resulting from such
failure had been provided to Triple-S; less (B) any amounts received by Triple-S
as credits that result from such failure.

 

(d) Each Party has a duty to mitigate the damages suffered by it for which the
other Party is or may be liable.

 

(e) The limitations specified in this Section 24 will survive and apply even if
any limited remedy specified in this Agreement is found to have failed of its
essential purpose.

 

24.4 Force Majeure

 

(a) No Party will be liable for any default or delay in the performance of its
obligations under this Agreement (i) if and to the extent such default or delay
is caused, directly or indirectly (including any default or delay that affects a
Subcontractor), by fire, flood, pestilence, earthquake, elements of nature or
acts of God, riots, or civil disorders, and (ii) provided the non-performing
Party is without fault in causing such default or delay, and such default or
delay could not have been prevented by reasonable precautions and could not
reasonably be circumvented by the non-performing Party through the use of
alternate sources, workaround plans or other means (including with respect to
Supplier by Supplier meeting its obligations for performing Disaster Recovery
and business continuity services as described in this Agreement) (each such
event a “Force Majeure Event”). For avoidance of doubt (A) failures of
Subcontractors to perform a Supplier obligation under this Agreement will not be
a Force Majeure Event for Supplier, and failure of Triple-S contractors to
perform a Triple-S obligation under this Agreement shall not be a Force Majeure
Event for Triple-S, unless the Subcontractor or contractor (as applicable) is
precluded from performing due to an event that satisfies the requirements above
with respect to such Subcontractor or contractor, and (B) strikes or other labor
unrest involving the non-performing Party’s own workers shall not constitute a
Force Majeure Event.

 

(b) In such event the non-performing Party will be excused from further
performance or observance of the obligations so affected for as long as such
circumstances prevail and such Party continues to use Commercially Reasonable
Efforts to recommence performance or observance without delay. Any Party so
delayed in its performance will immediately notify the Party to whom performance
is due by telephone (to be confirmed in writing as soon as possible after the
inception of such delay) and describe at a reasonable level of detail the
circumstances causing such delay. To the extent the provision of the Services or
any part thereof is prevented or materially affected by a Force Majeure Event,
Triple-S’s obligation to pay Charges hereunder shall accordingly be reduced by
an equitable amount (which in the case of total suspension of the Services would
be an amount equal to the total charges hereunder for the period of suspension).

 

(c) If any event under Section 24.4(a) substantially prevents, hinders or delays
performance
of the Services, then Supplier shall use Commercially Reasonable Efforts to
identify another Supplier location from which it might provide the Services
without interference from such event, and if Triple-S requests, Supplier shall
assist Triple-S in identifying an alternate source that may be able to provide
the Services to Triple-S during the time of such Force Majeure Event. If any
event under Section 24.4(a) substantially prevents, hinders or delays
performance of Services which are reasonably necessary for the continuity of
Triple-S’s business, for more than the Force Majeure Time Period (as hereinafter
defined), then at Triple-S’s option:

 

(i) Triple-S may procure such Services from an alternate source, and in such
event Supplier will reimburse Triple-S for one-half of the difference between
(1) the amount Triple-S is obligated to pay the alternate source for such
Services, and (2) the amount that Triple-S would have paid Supplier for such
Services under this Agreement, for a period not to exceed one hundred eighty
(180) days;

 

(ii) if such Services cannot be substantially restored within three (3) Business
Days after the occurrence of the Force Majeure Event, Triple-S may terminate any
portion of this Agreement so affected without charge or fee (except as set forth
in Section 24.4(e) below) or liability to Supplier, and the Charges payable
under this Agreement will be equitably adjusted to reflect those terminated
Services; or

 

(iii) if such Services cannot be substantially restored within fifteen (15)
Business Days and such Services constitute a material portion of this Agreement
or any Statement of Work, Triple-S may terminate this Agreement or such
Statement of Work, without charge or fee to Triple-S (except as set forth in
Section 24.4(e) below) or liability to Supplier, as of a date specified by
Triple-S in a written notice of termination to Supplier.

 

(d) “Force Majeure Time Period” shall mean ten (10) consecutive days.

 

(e) Triple-S shall not be obligated to pay Supplier for Services that Supplier
is not providing due to a Force Majeure Event. Supplier will not have the right
to any additional payments from Triple-S for costs or expenses incurred by
Supplier as a result of any Force Majeure Event. In the event that Triple-S
exercises an option to terminate pursuant to this Section, Triple-S shall pay
any outstanding Charges for all Services (including work in progress) provided
in accordance with this Agreement through to the effective date of termination
(subject to Triple-S’s right to dispute Charges set forth in Schedule C
(Charging Methodology) in good faith).

 

(f) A Force Majeure Event will not relieve Supplier of its obligations to
implement successfully all of the Services relating to Disaster Recovery
services that are included in this Agreement within the time period described in
this Agreement.

 

24.5 Disaster Recovery and Business Continuity

 

Supplier will at all times maintain Disaster Recovery and business continuity
plans, procedures and capabilities, described in Schedule A (Cross Functional
Services).

 



25. DISPUTE RESOLUTION

 

Any dispute between the Parties arising out of or relating to this Agreement,
including with respect to the interpretation of any provision of this Agreement
or with respect to performance by Supplier or Triple-S, will be resolved as
provided in this Section 25 (Dispute Resolution).

 

25.1 Informal Dispute Resolution

 

(a) Subject to Section 25.1(b), the Parties initially will attempt to resolve
any dispute arising out of or relating to this Agreement informally in
accordance with the following:

 

(i) Within ten (10) Business Days after a Party receives notice of a dispute
from the other Party (“Dispute Date”), it will designate a senior representative
(i.e., a person whose rank within the company is superior to, in the case of
Supplier, the Supplier Account Executive, and in the case of Triple-S, the
Triple-S Program Manager) who does not devote substantially all of his time to
performance under this Agreement, who will offer to meet with the designated
senior representative of the other Party for the purpose of attempting to
resolve the dispute amicably.

 

(ii) The appointed representatives will meet promptly to discuss the dispute and
attempt to resolve it without the necessity of any formal proceeding. They will
meet as often as the Parties deem necessary in order that each Party may be
fully advised of the other’s position. During the course of discussion, all
reasonable requests made by one Party to the other for non-privileged
information reasonably related to the matters in dispute will be honored
promptly.

 

(iii) The specific format for the discussions will be left to the reasonable
discretion of the appointed representatives.

 

(b) Formal dispute resolution may be commenced by a Party upon the first to
occur of any of the following:

 

(i) the appointed representatives conclude in good faith that amicable
resolution of the dispute through continued negotiation does not appear likely;

 

(ii) thirty-five (35) days have passed from the Dispute Date (this period will
be deemed to run notwithstanding any claim that the process described in this
Section 25.1 (Informal Dispute Resolution) was not followed or completed); or

 

(iii) commencement of formal dispute resolution is deemed appropriate by a Party
to avoid the expiration of an applicable limitations period or to preserve a
superior position with respect to other creditors, or a Party makes a good faith
determination, including as provided in Section 25.4 (Equitable Remedies), that
a breach of this Agreement by the other Party is such that a temporary
restraining order or other injunctive or conservatory relief is necessary.

  




 

25.2 Litigation

 



For all litigation which may arise with respect to this Agreement, the Parties
irrevocably and unconditionally submit (a) to the exclusive jurisdiction and
venue (and waive any claim of forum non conveniens and any objections as to
laying of venue) of the Southern District of New York, or (b) if such court does
not have subject matter jurisdiction, to the state courts located in New York,
New York, in connection with any action, suit or proceeding arising out of or
relating to this Agreement. The Parties further consent to the jurisdiction of
any state court located within a district that encompasses assets of a Party
against which a judgment has been rendered for the enforcement of such judgment
or award against the assets of such Party.

 

25.3 Continued Performance

 

Each Party agrees (a) to continue performing its obligations under this
Agreement while a dispute is being resolved except (and then only) to the extent
performance is prevented by the other Party or the issue in dispute precludes
performance, and (b) not to take any action that intentionally obstructs,
delays, or reduces in any way the performance of such obligations. For the
avoidance of doubt, a good faith dispute regarding invoiced charges and
Triple-S’s exercise of rights with respect to such disputed charges as permitted
under Schedule C (Charging Methodology) will not be considered to prevent
Supplier from performing the Services or preclude performance by Supplier, nor
will this Section 25.3 be interpreted to limit either Party’s right to terminate
this Agreement as provided in Section 16 (Termination).

 

25.4 Equitable Remedies

 

(a) Each Party acknowledges that a breach of any of its obligations under the
Sections of this Agreement listed in Section 25.4(c), or its infringement or
misappropriation of any Intellectual Property Rights of the other Party, may
irreparably harm the other Party in a way that could not be adequately
compensated by money damages.

 

(b) In such a circumstance, the aggrieved Party may (in addition to all other
remedies and rights) proceed directly to court notwithstanding the other
provisions of this Section 25 (Dispute Resolution).

 

(c) Sections 25.4(a) and 25.4(b) apply to Sections 14 (Data Security and
Protection), 15 (Intellectual Property Rights), 17 (Disengagement Assistance),
21 (Confidentiality) and 23 (Indemnification).

 

25.5 Disclaimer of Uniform Computer Information Transactions Act

 

TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, THE PARTIES DISCLAIM AND
NONE OF THIS AGREEMENT SHALL BE SUBJECT TO THE UNIFORM COMPUTER INFORMATION
TRANSACTIONS ACT (“UCITA”) (PREPARED BY THE NATIONAL CONFERENCE OF COMMISSIONERS
ON UNIFORM STATE LAWS) AS CURRENTLY ENACTED OR AS MAY BE ENACTED, CODIFIED OR
AMENDED FROM TIME TO TIME BY ANY JURISDICTION. TO THE EXTENT THAT ANY ASPECT OF
THIS AGREEMENT OR ANY LICENSE GRANTED UNDER THIS AGREEMENT IS UNCLEAR OR
DISPUTED BY THE PARTIES AND UCITA, IF APPLIED, WOULD CLARIFY SUCH LICENSE OR
RESOLVE SUCH DISPUTE, THE PARTIES AGREE TO CLARIFY SUCH LICENSE OR RESOLVE SUCH
DISPUTE INDEPENDENTLY OF UCITA
BY APPLYING THE INTENT OF THE PARTIES AT THE TIME THAT THEY ENTERED THIS
AGREEMENT.

 

26. RULES OF CONSTRUCTION

 

26.1 Entire Agreement

 

This Agreement – consisting of the signature page, these General Terms and
Conditions and the attached Schedules and Exhibits and attachments, and each
Statement of Work (and its respective Exhibits and attachments) and Task Order –
constitutes the entire agreement between the Parties with respect to its subject
matter and merges, integrates and supersedes all prior and contemporaneous
agreements and understandings between the Parties, whether written or oral,
concerning its subject matter.

 

26.2 Contracting Parties; No Third Party Beneficiaries

 

This Agreement is entered into solely between, and may be enforced only by,
Triple-S and Supplier. This Agreement does not create any legally enforceable
rights in third parties, including suppliers, subcontractors and customers of a
Party, except as provided in this paragraph and Section 23 (Indemnification).

 

26.3 Contract Amendments and Modifications

 

Any terms and conditions varying from this Agreement on any order or written
notification from either Party will not be effective or binding on the other
Party. Subject to regulatory approval as set forth in Schedule W (Regulatory
Requirements), this Agreement may be amended or modified solely in a writing
signed by an authorized representative of each Party.

 

26.4 Governing Law

 

This Agreement and performance under it shall be governed by and construed in
accordance with the laws of the Commonwealth of Puerto Rico without regard to
its choice of law principles.

 

26.5 Relationship of the Parties

 

Supplier, in furnishing the Services, is acting as an independent contractor.
Supplier has the sole right and obligation to supervise, manage, contract,
direct, procure, perform or cause to be performed, all work to be performed by
Supplier under this Agreement. Supplier is not an agent or partner of Triple-S
and has no authority to represent or bind Triple-S as to any matters, except as
expressly authorized in this Agreement. Except as set forth in Section 2.7, this
Agreement establishes a nonexclusive relationship between the Parties.

 

26.6 Consents and Approvals

 

Where approval, acceptance, consent, determination or similar action by either
Party is required under this Agreement, such action will not be unreasonably
delayed, conditioned or withheld unless this Agreement expressly provides that
it is in the discretion or reasonable discretion of the Party, provided that
this shall not be construed to force Triple-S to accept any Deliverable or
Milestone that does not meet applicable Acceptance Criteria in all material
respects. No approval or consent given by a Party under this Agreement will
relieve the other Party from responsibility for complying with the requirements
of this Agreement, nor will it be construed as a waiver of any rights under this
Agreement (except to the extent, if any, expressly provided in such approval or
consent). Each Party will, at the request of the other Party, perform those
actions, including executing additional documents and instruments, reasonably
necessary to give full effect to this Agreement.

 

26.7 Waiver

 

No failure or delay by a Party in exercising any right, power or remedy will
operate as a waiver of that right, power or remedy, and no waiver will be
effective unless it is in writing and signed by an authorized representative of
the waiving Party. If a Party waives any right, power or remedy, the waiver will
not waive any successive or other right, power or remedy that Party may have.

 

26.8 Remedies Cumulative

 

Except as otherwise expressly provided in this Agreement, all remedies provided
in this Agreement are cumulative and in addition to and not in lieu of any other
remedies available to a Party under this Agreement, at law, or in equity.

 

26.9 References

 

(a) The section headings and the table of contents used in this Agreement are
for convenience of reference only and will not enter into the interpretation of
this Agreement.

 

(b) Unless otherwise indicated, section references are to sections of the
document in which the reference is contained. For example, section references in
these General Terms and Conditions are to sections of the General Terms and
Conditions and, likewise, section references in a Schedule to this Agreement are
to sections of that Schedule.

 

(c) References to numbered (or lettered) sections of this Agreement also refer
to and include all subsections of the referenced section.

 

(d) Unless otherwise indicated, references to Schedules to this Agreement also
refer to and include all Exhibits to the referenced Schedule.

 

26.10 Rules of Interpretation

 

(a) Unless the context requires otherwise, (i) “including” (and any of its
derivative forms) means including but not limited to, (ii) “may” means has the
right, but not the obligation to do something and “may not” means does not have
the right to do something, (iii) “will” and “shall” are expressions of command,
not merely expressions of future intent or expectation, (iv) “written” or “in
writing” is used for emphasis in certain circumstances, but that will not
derogate from the general application of the notice requirements set forth in
Section 27.3 (Notices) in those and other circumstances, (v) use of the singular
imports the plural and vice versa, and (vi) use of a specific gender imports the
other gender(s).

 




 



(b) References in this Agreement to “days” that do not specifically refer to
Business Days are references to calendar days, unless otherwise provided.

 

26.11 Order of Precedence

 

If there is any conflict within this Agreement between these General Terms and
Conditions and any document incorporated by reference into this Agreement, the
Parties shall attempt to read any such conflicting provisions consistently,
however, in the event such a consistent reading cannot be accomplished, the
order of precedence will be as follows (subject to Section 13.5 above): (i) the
General Terms and Conditions and any amendments thereto, (ii) the Schedules,
(iii) other attachments to this Agreement, (iv) other documents incorporated by
reference, (v) subject to Section 2.3(d), Statements of Work and Task Orders
(including the Exhibits attached thereto).

 

26.12 Severability

 

If any provision of this Agreement conflicts with the Law under which this
Agreement is to be construed or if any provision of this Agreement is held
invalid, illegal, or otherwise unenforceable by a competent authority, such
provision will, if possible, be deemed to be restated to reflect as nearly as
possible the original intentions of the Parties in accordance with applicable
Law. In any event, the remainder of this Agreement will remain in full force and
effect.

 

26.13 Counterparts

 

This Agreement may be executed in several counterparts and by facsimile or PDF
signature, all of which taken together constitute a single agreement between the
Parties. Each signed counterpart, including a signed counterpart reproduced by
reliable means (including facsimile and PDF), will be considered as legally
effective as an original signature.

 

26.14 Reading Down

 

If a provision of this Agreement is reasonably capable of an interpretation
which would make that provision valid, lawful and enforceable and an alternative
interpretation that would make it unenforceable, illegal, invalid or void then,
so far as is possible, that provision will be interpreted or construed to be
limited and read down to the extent necessary to make it valid and enforceable.

 

27. GENERAL PROVISIONS

 

27.1 Survival

 

Any provision of this Agreement that contemplates or governs performance or
observance subsequent to termination or expiration of this Agreement will
survive the expiration or termination of this Agreement for any reason,
including Sections 8 (Charges), 14 (Data Security and Protection), including
Schedule L (IT Security Addendum), 15 (Intellectual Property Rights), 17
(Disengagement Assistance), including Schedule I (Disengagement Assistance),
18.5 (Audits and Records), including Schedule M (Audit and Record Retention
Requirements), 19.4 and 19.5 (Representations, Warranties and Covenants), but
solely to the extent that any Warranty Period or Software Documentation Warranty
Period, as applicable, extends beyond the termination or expiration of this
Agreement, 19.9 (Non-Infringement), 19.19 (Non-Infringement), 20.2
(Disclaimer), 21 (Confidentiality), 23 (Indemnification), 24 (Liability), 25
(Dispute Resolution), 26.4 (Governing Law), 27.1 (Survival), 27.4
(Non-Solicitation of Employees), Schedule H (Business Associate Agreement) and
Schedule S (Supplier Software and Supplier Tools).

 

27.2 Binding Nature and Assignment

 

This Agreement is binding upon, and inures to the benefit of, the Parties hereto
and their respective successors and permitted assigns. Supplier acknowledges
that the Services are personal in nature and that, as a result, Supplier may not
assign this Agreement or delegate its rights or obligations under this Agreement
(except as set forth in Section 6.6 (Subcontracting)), whether by operation of
law or otherwise, without the prior written consent of Triple-S. Triple-S may
not assign this Agreement without the prior written consent of Supplier except
to a Triple-S Affiliate or to the successor in a merger or reorganization of
Triple-S or an entity that acquires Control of Triple-S or acquires all or
substantially all of Triple-S’s business or assets provided that such assignee
agrees in writing to assume and be bound by all obligations of Triple-S under
this Agreement. Any attempted assignment or delegation in violation of this
Section 0 will be void and will constitute a material breach of this Agreement
by the Party attempting the assignment.

 

27.3 Notices

 

(a) All notices, requests, demands and determinations under this Agreement
(other than routine operational communications), shall be in writing and shall
be deemed duly given (i) when delivered by hand, and (ii) on the designated day
of delivery after being timely given to an express overnight courier with a
reliable system for tracking delivery:

 

In the case of Triple-S:

 

Triple-S Salud, Inc. 

PO Box 363628 

San Juan, Puerto Rico 00936-3628 

Attention: President

 

With a copy to:

 

Triple-S Salud, Inc. 

PO Box 363628 

San Juan, Puerto Rico 00936-3628 

Attention: Chief Legal Counsel

 

and, in the case of notices of renewal, default, or termination: 

Pillsbury Winthrop Shaw Pittman LLP
401 Congress Avenue, Suite 1700 

Austin, TX 78701-3797 

Attention: John Barton

 

In the case of Supplier:

 




 



OptumInsight, Inc. 

11000 Optum Circle 

Eden Prairie, MN 55344 

Attn: General Counsel

 

(b) A Party may from time to time change its address or designee for
notification purposes by giving the other prior written notice of the new
address or designee and the date upon which it will become effective.

 

27.4 Non-solicitation of Employees

 

(a) Except as set forth in Section 17.1(e), each Party agrees not to directly or
indirectly solicit (i) in the case of Triple-S, the employment of Supplier’s
employees engaged in the provision of the Services during the period they are so
engaged and for six (6) months thereafter, and (ii) in the case of Supplier,
Triple-S’ employees working in functions related to information technology or
business process services (e.g., claims, contact center, member and provider
servicing) during the period they are so engaged and for six (6) months
thereafter without the first Party’s prior written consent.

 

(b) The restriction set forth in Section 27.4(a) shall not bar either Party from
soliciting, hiring or receiving services provided by any of the other Party’s
personnel whose employment has been terminated by the other Party or who have
previously voluntarily resigned from the other Party to accept an offer of
employment from a third party, including as contemplated in Schedule G (In-Scope
Employee Agreement).

 

(c) The restriction set forth in Section 27.4(a) shall not apply to
solicitation, hiring or receipt of services provided by personnel engaged via
general advertising that is not targeted at the other Party’s personnel.

 

27.5 Covenant of Good Faith

 

Each Party, in its respective dealings with the other Party under or in
connection with this Agreement, will act reasonably and in good faith.

 

27.6 Public Disclosures

 

Neither Party shall make any media releases, public announcements or public
disclosures relating to this Agreement or the subject matter of this Agreement,
including promotional or marketing material, but not including disclosures to
the extent required to meet legal or regulatory requirements beyond the
reasonable control of the disclosing Party without the prior written consent of
the other Party.

 

27.7 Service Marks

 

Each Party will not, without the other Party’s consent, use the name, service
names or marks, derivative names or marks, or trademarks of the other Party in
any advertising or promotional materials prepared by or on behalf of the first
Party.

 




 



27.8 Mutually Negotiated

 

No rule of construction will apply in the interpretation of this Agreement to
the disadvantage of one Party on the basis that such Party put forward or
drafted this Agreement or any provision of this Agreement.

 

IN WITNESS WHEREOF, Triple-S and Supplier have each caused this Agreement to be
signed and delivered by its duly authorized officer, all as of the date first
set forth above.

 

TRIPLE-S SALUD, INC.

By: /s/ Madeline Hernández-Urquiza

Print Name: Madeline Hernández-Urquiza

Title: President

Date: August 29, 2017

OPTUMINSIGHT, INC.

By: /s/ Eric Murphy

Print Name: Eric Murphy

Title: CEO, OptumInsight

Date: 8/29/2017

 

 

 




 

 

 

 

 

 

 

 

 

 

 



SCHEDULE A

 

CROSS FUNCTIONAL SERVICES

 

 

 

 

 

 

 

 

 

 




 



 

TABLE OF CONTENTS

 



1 INTRODUCTION
1.1 General
1.2 Hours of Coverage
1.3 Definitions
2 CROSS-FUNCTIONAL SERVICES
2.1 Training Services
2.2 Documentation
2.3 Regulatory Compliance Adherence Services
2.4 Managed Third Party Contract Services
2.5 Issue and Error Resolution Services
2.6 Knowledge Base Services
2.7 Triple-S Policy Support Services
2.8 Business Continuity & Disaster Recovery Services
3 EMBEDDED PROCESSES
3.1 General
3.2 Embedded Processes
4 RETAINED TRIPLE-S RESPONSIBILITIES



 

 


 

1 INTRODUCTION

 

1.1 General

 

(a) This Schedule A (Cross Functional Services) describes, among other things,
those Cross Functional Services and Embedded Processes to be performed and
delivered by Supplier, which are applicable to all of the Services performed by
Supplier under this Agreement.

 

(b) References to specific resources (e.g., tools, systems) in this Schedule A
(Cross Functional Services), any SOW, or elsewhere in the Agreement that are
used by Supplier in performing the Services shall be deemed to include successor
or replacement resources.

 

1.2 Hours of Coverage

 

(a) The minimum hours of coverage for each of the Services are set forth in SOW
#1 (Claims Services) and SOW #2 (IT Services). Supplier acknowledges and agrees
that performance of the Cross Functional Services may require Supplier Personnel
to perform additional/overtime work outside regular operating hours, and that
such additional/overtime work is within the scope of the Cross Functional
Services.

 

(b) Subject to any adjustments to charges expressly set forth in Schedule C
(Charging Methodology), Supplier will extend its hours of operations (for
example, through overtime, weekend and holiday work) from time to time as needed
to meet regulatory requirements, compliance and Service Level Metrics and other
requirements of the Agreement. Supplier’s work during such extended hours of
operations is within the scope of the Cross Functional Services.

 

1.3 Definitions

 

Capitalized terms not defined in this Schedule A (Cross Functional Services)
shall have the meanings given them in Schedule AA (Glossary) or elsewhere in
this Agreement.

 

(a) “Plan” means a health insurance plan offered by Triple-S.

 

(b) “Provider” means a facility, physician, physician organization, independent
practice association, health care provider, supplier, or other organization that
may provide covered services.

 




 

 

 

2 CROSS-FUNCTIONAL SERVICES

 

Supplier shall provide the following cross-functional services (the “Cross
Functional Services”) as part of the Services. If Triple-S terminates the
provision of any part of the Services pursuant to this Agreement, Supplier shall
continue to provide the Cross Functional Services set forth in this Section 2 as
such Cross Functional Services relate to the remaining Services.

 

2.1 Training Services

 

“Training Services” are those Functions associated with the curriculum
development, planning, scheduling and delivery of trainings in compliance with
Laws and Triple-S Policies and Procedures for all Supplier Personnel performing
the Services including the following activities:

 

(a) Developing training curriculum needed to deliver the Services including
training scenarios and knowledge checks;

 

(b) Developing training, including computer-based training, that complies with
regulatory requirements;

 

(c) Maintaining training calendar and inventory;

 

(d) Documenting training attendance, course completion and other training
related details;

 

(e) Managing and maintaining intake process and system for new and adjusted
training requests;

 

(f) Regularly reviewing training technology, methodologies, courses, and
approach;

 

(g) Performing needs assessment and training validation for any new training
requests;

 

(h) Reviewing audit findings and making recommendations to business areas for
policy and procedure creation/updates, additional training, process automation
tools, and/or process change/improvement; and

 

(i) Providing regulatory training support including ad hoc training requests
relating to Supplier’s performance of the Services and reporting.

 

2.2 Documentation

 

“Documentation Services” means those Functions associated with maintaining,
archiving, offsite storage, retrieval, and destruction of documentation as
related to the Services in hard copy and/or electronic form, including the
following activities:

 

(a) Recommending documentation requirements, location, and formats;

 

(b) Reviewing and approving documentation requirements, location and formats as
appropriate;

 




 



 

(c) Maintaining, retrieving and archiving documentation in agreed format in
support of the Services;

 

(d) Identifying documentation for archival per Triple-S retention policies and
coordinating with Triple-S to prepare documents for delivery to offsite storage;

 

(e) Providing additional information as requested to support Triple-S
documentation requirements and Triple-S proposal efforts;

 

(f) Enabling Triple-S direct electronic access to documentation retained in
accordance with the documentation requirements;

 

(g) Following record destruction processes set forth in Section 21.7 of the
General Terms and Conditions;

 

(h) Storing business continuity documentation separate from standard retention
documents;

 

(i) Maintaining documentation per legal hold requirements per regulatory and
Triple-S policies; and

 

(j) Providing, as requested by Triple-S, documentation related to the training
services, including assistance reports and training material.

 

2.3 Regulatory Compliance Adherence Services

 

“Regulatory Compliance Adherence Services” are the Functions necessary to manage
compliance of the Services, including managing the compliance of all
Subcontractors, in accordance with Law. The Regulatory Compliance Adherence
Services include the activities required under Section 14.5 of the General Terms
and Conditions and the following:

 

(a) Develop and distribute content for, and monitor evidence of completion of,
compliance training for Supplier Personnel;

 

(b) Monitor Supplier’s compliance with Laws with which Supplier is responsible
for complying pursuant to Section 13 (Compliance with Laws) of the General Terms
and Conditions;

 

(c) Identify, track, report, and escalate issues of non-compliance (or suspected
non-compliance) to Triple-S within required timeframes;

 

(d) Implement, monitor and report on normal course of business controls; and

 

(e) Notify Subcontractors of compliance requirements, monitor Subcontractor
compliance, and report to Triple-S on the compliance of Subcontractors.

 




 



2.4 Managed Third Party Contract Services

 

Supplier shall provide the Managed Third Party Contract Services with respect to
Managed Third Party Contracts.  

 

“Managed Third Party Contract” means the contracts in the name of Triple-S or a
Triple-S Affiliate used in support of the Services or complementary to the
Services and identified as Managed Third Party Contracts in Schedule X (Source
of Truth) or as otherwise agreed by the Parties in writing (e.g., in a Statement
of Work or project plan).

 

“Managed Third Party Contract Services” means the Functions described below
associated with managing the Managed Third Party Contracts in place as of the
Effective Date and entered into by Triple-S after the Effective Date and that
the Parties agree will be Managed Third Party Contracts.

 

“Managed Third Party” means the third party that is a party to the Managed Third
Party Contract with Triple-S or a Triple-S Affiliate.

 

The Managed Third Party Contract Services consist of the following activities:

 

(a) Commercial Oversight and Management. Supplier will manage the Managed Third
Party Contracts on behalf of Triple-S.  This responsibility includes
establishing resources within Supplier that are responsible for proactively
managing contract, performance, change, financial, transition and other issues
that arise under the Managed Third Party Contracts, including:

 

(i) Understanding contractual commitments in the Managed Third Party Contracts.

 

(ii) Serving as primary point of contact with Triple-S for interpretation and
modification of contracts with the applicable Managed Third Party.

 

(iii) Authorizing, managing, and testing scope changes and project work under
each Managed Third Party Contract (e.g., when Triple-S requires custom changes
to software provided by a Managed Third Party, Supplier is responsible for
communicating those changes and associated requirements provided by Triple-S,
working with the Managed Third Party to refine and document them in a statement of
work or task order for Triple-S approval, overseeing and managing the work
performed by the Managed Third Party, and conducting testing and advising
Triple-S whether the work meets applicable user acceptance testing
requirements). Supplier shall obtain and document all requisite approvals to
establish an appropriate audit trail, within Triple-S guidelines for Managed
Third Party Contracts as such guidelines are provided to Supplier in writing.
Any such scope changes as well as exceptions to Triple-S guidelines will require
Triple-S’s prior written approval before any work is performed. If no guidelines
are established for a specific Managed Third Party Contract, Supplier will
consult with Triple-S regarding any such scope change. With respect to [***],
Supplier will (1) communicate with Triple-S personnel in connection with such
personnel’s interactions with [***]; and (2) reasonably cooperate in providing
information to support such interactions, in each case subject to Section 19.19
of the General Terms and Conditions.

 

(iv) Revising Managed Third Party Contracts to reflect changes in scope, new
services, service levels and other conditions upon prior approval by Triple-S,
including those related to formal change requests.

 

(v) Performing general administrative tasks associated with Managed Third Party
Contracts, including maintaining records and documentation related to Managed
Third Party Contracts, and recording decisions in contract files.

 

(vi) Monitoring license usage and maintaining compliance with the terms of third
party licenses (i.e., the number of licenses and scope of licenses).

 

(vii) Maintaining Triple-S-provided copies of all Managed Third Party Contracts
(or a Triple-S-provided summary of the pertinent information contained in each
Managed Third Party Contract), including such contracts that expire during the
Term, in a secure, online location accessible to designated individuals at both
Triple-S and Supplier.

 

(viii) Escalating and working to resolve issues and disputes (pursuant to the
governance process agreed to by the Parties) related to the Managed Third Party
Contracts, and referring matters to Triple-S legal where appropriate.

 

(ix) Overseeing the performance of Managed Third Party Contracts, striving to
(i) maximize the operational and financial performance of such contracts (from
Triple-S's perspective) and (ii) minimize risk to Triple-S from the performance
of such contracts. Supplier's responsibilities consist of:

 

(A) Monitoring Managed Third Party Contract performance with respect to all
material contractual requirements directly related to the provision of products
or services and tracking and reporting on service levels or similar performance
metrics included in the applicable contract (as such reports are set forth in
Schedule K (Reports));

 

(B) Monitoring Managed Third Party Contract technical performance with respect
to the exchange of data between Supplier and the Managed Third Party including:

 

(1) Validating incoming and outgoing file transmissions to confirm what is
transmitted is received and processed correctly and in accordance with scheduled
frequencies;

 

(2) Validating file transmission contents are processed upon receipt of
transmission;

 



(3) Validating file transmission contents are processed correctly and result in
system records that match to the information in the initiator’s source system;

 

(4) Validating/resolving that receiver systems’ impacted records are accurately
reconciled;

 

(5) Confirming compliance with applicable privacy requirements and regulations;

 

(6) Resolving issues with delegated entities/outside vendors related to
discrepancies with respect to risk determination in writing, and documenting and
logging related actions;

 

(C) Integrating work performed under the Managed Third Party Contracts among
Supplier and Supplier’s Subcontractor(s), Triple-S and its Affiliates, and other
Managed Third Parties;

 

(D) Validating assessments, calculations, and if Triple-S elects to receive
credits related to service level failures, the timely payment of such credits
and other similar types of credits and rebates under Managed Third Party
Contracts; provided, however, that execution and escalation on service level
failures, or application of credits and rebates, will be in cooperation with
Triple-S;

 

(E) Monitoring the compliance with any service levels contained in the
applicable Managed Third Party Contract;

 

(F) Notifying Triple-S of material failure to perform in accordance with the
provisions of its Managed Third Party Contract;

 

(G) Notifying Triple-S promptly if (i) there are performance failures or other
issues regarding contractual responsibilities related to any Managed Third Party
Contract, or (ii) there are issues with a Managed Third Party Contract adversely
affecting the Services or Triple-S (or its Affiliates);

 

(H) Evaluating and recommending retention, modification, or termination of a
Managed Third Party Contract based on the performance or cost benefits to
Triple-S as tracked by Supplier; and

 

(I) Monitoring Managed Third Party Contract adherence to compliance activities,
including auditing and training; and

 

(x) Providing assistance with Managed Third Party Contract negotiations as
reasonably required.

 



(b) Financial Contract Management Support. Supplier will support Triple-S
financial contract management Functions by:

 

(i) Managing contract (including formal, short form, and annual contracts)
drafting, evaluation, negotiation, execution and order pricing;

 

(ii) Reviewing Managed Third Party invoices to confirm validity and accuracy;

 

(iii) Assigning applicable financial coding;

 

(iv) Managing invoice discrepancies and disputes and handling on-going issue and
change management;

 

(v) Submitting processed invoices for payment to Triple-S in a timely manner to
allow assistance to Triple-S to comply with third party payment terms; and

 

(vi) Obtaining Triple-S’s prior written approval prior to taking any action that
may affect amounts payable or other obligations Triple-S may have under the
Managed Third Party Contracts. 

 

(c) Service Levels Performance. If a Managed Third Party fails to meet a service
level under a Managed Third Party Contract as a direct result of acts or
omissions of Supplier, Supplier shall pay Triple-S an amount equal to the
service level credit that would have been payable under the Managed Third Party
Contract had the Managed Third Party’s failure resulted from the Managed Third
Party’s acts or omissions, less any amounts actually paid by the Managed Third
Party.

 

(d) Contract Compliance. Triple-S and Supplier will comply with the terms of the
Managed Third Party Contracts to the extent they are related to their respective
obligations and will not violate, or cause Triple-S to violate, the terms of
such Managed Third Party Contracts. Triple-S will also keep Supplier informed of
any pertinent communications Triple-S has with any Managed Third Party.

 

(e) Objections to Managed Services. If a Managed Third Party objects to
Supplier’s responsibilities as set forth in this Schedule or otherwise objects
to Supplier acting under such Managed Third Party Contracts as provided herein,
Triple-S and Supplier will, and will cause their respective Affiliates to,
cooperate and use their respective commercially reasonable efforts so that the
portion of such Managed Third Party Contract that relates to the Services can be
performed by Supplier and the objection, if any, of the Managed Third Party can
be resolved. If a Managed Third Party requires evidence of the rights set forth
in this Schedule, Triple-S will provide reasonable documentation to evidence
such rights.

 

(f) Transition Away from the Managed Third Party Contracts. Supplier shall lead
efforts required to transition services from Managed Third Party Contracts to
Supplier that the Parties agree will be transitioned to Supplier.  Supplier’s
responsibilities in this regard include:

 



(i) Preparing and negotiating transition plans with Managed Third Parties;

 

(ii) Tracking and managing performance against transition plans;

 

(iii) Escalating problems that may arise with Managed Third Parties’ performance
that Supplier is unable to resolve to Triple-S;

 

(iv) Negotiating statements of work or other appropriate documentation required
to support the transition away from the Managed Third Party Contract.  Supplier
must obtain Triple-S’s approval prior to authorizing any Managed Third Party to
perform any work that may be chargeable to Triple-S; and

 

(v) Identifying and drafting all notices and other communications to Managed
Third Parties that are required to conduct the transition (e.g., notices to
remove services or to terminate or extend portions of the Agreement). 

 

2.5 Issue and Error Resolution Services

 

“Issue and Error Resolution” means the Functions associated with resolving all
issues related to the Services including issues identified by Triple-S’ internal
audit, customer complaints, any errors identified by regulators, or through any
other Triple-S or Supplier quality assurance activities, including the
following:

 

(a) Reviewing requests to correct errors;

 

(b) Correcting all errors in the systems used by Supplier and its
Subcontractors; and

 

(c) Timely reporting to Triple-S on the Issue and Error Resolution.

 

2.6 Knowledge Base Services

 

“Knowledge Base Services” are the Functions associated with managing and
maintaining the knowledge base (“KB”) system and content. The KB will be used to
store all content and procedures applicable to the Services. All documents in
the KB must be reviewed within one year of the previous review or after
delivering training. Knowledge Base Services include:

 

(a) Creating, validating and approving (as appropriate) all KB content;

 

(b) Performing annual review of content and updating accordingly except where
content is identified to be updated on a more frequent basis; and

 

(c) Timely updating Supplier staff of any revised content applicable to their
role.

 



2.7 Triple-S Policy Support Services

 

“Triple-S Policy Support Services” means those Functions associated with
supporting Triple-S in its development and implementation of Triple-S Policies
and Procedures, that govern or pertain to the Services.  Supplier’s role in
providing Triple-S Policy Support Services includes:

 

(a) Generally, providing operational input and subject matter expertise with
respect to Triple-S Policies and Procedures;

 

(b) As reasonably requested, participating in meetings with Triple-S and
Supplier stakeholders having responsibility for the development, implementation,
monitoring and enforcement of Triple-S Policies and Procedures;

 

(c) Following any Triple-S Policies and Procedures review timeline requirements
as reasonably specified by Triple-S;

 

(d) In response to changes in Laws, regulations, guidelines, policies, contracts
or requests from Triple-S’ or Supplier’s compliance organization:

 

(i) Participate in Triple-S EPCO Steering Committee meetings to review new legal
and regulatory changes and assessment of business impact;

 

(ii) Participate in Triple-S EPCO regulatory implementation change teams;

 

(iii) Project manage the operational implementation and/or affected system
changes of legal and regulatory changes that affect IT Services and participate
in operational implementation and/or affected system changes of legal and
regulatory changes that span multiple functions/departments, including tracking
the progress of deliverables and communicating status to Triple-S’ EPCO and/or
compliance organization; and

 

(iv) Based on the aforementioned meetings and guidance from the EPCO, prepare
initial drafts of revised or new Triple-S Policies and submit them to the
relevant Triple-S and Supplier stakeholders for review and comment.

 

To the extent the Services described in Sections 2.7(d)(iii) or (iv) require
Supplier to perform Application Support Services, they shall be counted against
the Applications Support Pool defined in Section 6 of Schedule C (Charging
Methodology). To the extent they require Supplier to perform Infrastructure
Projects that require changes to the Infrastructure used to host In-Scope
Applications, any Charges for those Infrastructure Projects will be determined
pursuant to Section 7 of Schedule C (Charging Methodology).

 

(e) As directed by Triple-S, prepare updated versions of Triple-S Policies and
Procedures to address input provided by relevant Triple-S and Supplier
stakeholder groups;

 



(f) Provide communications and training to Supplier personnel regarding revised
and new Triple-S Policies and Procedures and access to Triple-S personnel to
such communications and training; and

 

(g) Implement new Triple-S-approved Triple-S Policies and Procedures related to
the performance of the Services in accordance with Section 4.4 (Triple-S
Policies and Procedures) of the General Terms and Conditions.

 

2.8 Business Continuity & Disaster Recovery Services

 

(a) General. Supplier will provide the following Functions associated with
planning, documenting, implementing, maintaining and periodically testing
Supplier’s business continuity plan and related process documentation (including
emergency management and site emergency response plans), as may be amended from
time to time during the Term, that are designed to provide Services in a
sustained and appropriate level during any business continuity / disaster
recovery event (a “BC/DR Event”). Supplier shall maintain a plan describing the
way in which it will provide the business continuity and disaster recovery
Functions (the “Business Continuity and Disaster Recovery Plan” or “BC/DR
Plan”). The BC/DR Plan includes the Legacy BC/DR Plan and New BC/DR Plan defined
below.

 

(b) Commencement. Supplier shall initially maintain and follow the existing
Triple-S business continuity plan for all operations that remain at facilities
used by Triple-S to provide the Services prior to the Services Commencement Date
(“Legacy BC/DR Plan”). As Supplier conducts the Transition and Transformation,
Supplier will develop, test and implement a new BC/DR Plan for the Services that
meets the requirements in this Section 2.8 (“New BC/DR Plan”).

 

(c) Policies and Access. Supplier will maintain the Services in compliance with
the BC/DR Plan. Supplier will store the BC/DR Plan in readily accessible
locations for access in the event of a BC/DR Event, and will provide Triple-S
ongoing access to the Triple-S BC/DR Plan during the Term (Supplier may redact
portions of the BC/DR Plan that are not applicable to Triple-S).

 

(d) New BC/DR Plan. The New BC/DR Plan shall meet the following requirements:

 

(i) Compliance with the requirements of the General Terms and Conditions;

 

(ii) Recovery time objectives (RTOs) of not more than four (4) hours for all
In-Scope Applications and Services, with recovery point objectives (RPOs) of not
more than four (4) hours;

 

(iii) A brief description of processes and procedures used to recover the
Services, and associated RTO time frames for the recovery of such Services,
including a prioritized listing of Services aligning with Triple-S’s reasonable
input;

 



(iv) Notification procedures to alert Triple-S of Service disruptions including
off-hour and weekend coverage;

 

(v) Supplier’s and Triple-S’s respective recovery responsibilities;

 

(vi) Clearly defined structure, roles, responsibilities, names and tasks of a
team of Supplier Personnel (including appropriate deputies and delegates and
dedicated liaisons to Supplier) to implement, manage and execute the New BC/DR
Plan in accordance with its terms and the Agreement;

 

(vii) Description of how Supplier will implement, test, maintain (with relevant
updates/improvements) and manage the New BC/DR Plan;

 

(viii) Escalation and resolution procedures for BC/DR Events;

 

(ix) Identification and links to key emergency organizations (such as fire,
police and ambulance) and to applicable governmental agencies and authorities;

 

(x) Processes for performing post-event analysis (and identifying any need for
improvements) of a BC/DR Event following restoration of Services and technology;

 

(xi) Strategy or strategies for restoration of the affected processes, Services
and technology;

 

(xii) Provisions for recovery of operations related to Services delivery and as
needed to relocate Supplier Personnel to Recovery Sites;

 

(xiii) Contact listings of key Supplier Personnel associated with recovery of
operations with respect to the New BC/DR Plan;

 

(xiv) A list of the Primary Sites and Recovery Sites for each Supplier Facility
that delivers Services to Triple-S;

 

(xv) Procedures for evacuation of Supplier Facilities and emergency
notification;

 

(xvi) Criteria for BC/DR Event declaration, recovery and testing; and

 

(xvii) Names and titles of those individuals who are authorized by Supplier to
declare a BC/DR Event.

 

(e) Notice of Deficiencies. Supplier will promptly alert Triple-S of any
deficiencies discovered in the BC/DR Plan that may reasonably be expected to
adversely affect the provision of Services to Triple-S.

 

(f) Updates. Supplier shall review and update the BC/DR Plan on an annual basis
or as otherwise warranted by: (i) business or technical Changes (or both) made
through
the Change Control Process, (ii) requirements of applicable Laws, and (iii) in
the case of the New BC/DR Plan only, otherwise as necessary to maintain
compatibility with the applicable terms of this Agreement. Supplier will take
Triple-S business direction and requirements into consideration when making
updates. Supplier shall not make any changes to a BC/DR Plan that increase RTOs
or RPOs or that may otherwise reduce the effectiveness or timeliness of the
recovery of Services following a BC/DR Event without Triple-S’s prior written
consent.

 

(g) Performance of Business Continuity and Disaster Recovery Services. As part
of the Business Continuity and Disaster Recovery Functions, Supplier will:

 

(i) Fully execute the BC/DR Plan following a BC/DR Event;

 

(ii) Perform any other unimpacted Services during a BC/DR Event;

 

(iii) Use Commercially Reasonable Efforts to continue to perform any Services in
accordance with the minimum acceptable levels of operation specified in the
BC/DR Plan;

 

(iv) Assess and define functional, performance, availability, maintainability
and disaster recovery needs (e.g., support processes and procedures);

 

(v) Propose functional, performance, availability, maintainability and disaster
recovery requirements and establish standards (e.g., support processes and
procedures);

 

(vi) Perform education and awareness training related to the New BC/DR Plan for
all Supplier Personnel;

 

(vii) Upon cessation of the BC/DR Event, implement the activities necessary to
restore the affected Services at the affected locations with the capabilities to
meet the RTO and RPO requirements and other turnaround times set forth in this
Schedule A and the BC/DR Plan; and

 

(viii) Integrate Supplier’s disaster recovery and business continuity plans,
procedures and capabilities with Triple-S's disaster recovery and business
continuity plans, processes and procedures.

 

(h) BC/DR Plan Testing. Supplier shall test the BC/DR Plan annually, and as
otherwise reasonably necessary to comply with requirements of applicable Laws.
Each business continuity and disaster recovery test (each such test a “BC/DR
Drill”) shall comply with the following requirements:

 

(i) Test the site emergency response plan in accordance with the BC/DR Plan;

 



(ii) If requested by Triple-S upon reasonable notice, reasonably integrate
Supplier testing with Triple-S’s disaster recovery and business continuity
testing for Triple-S customers and business partners, including by coordinating
with third parties as such third parties relate to the Services;

 

(iii) Provide a summary report of the BC/DR Drill results to Triple-S within
thirty (30) days of the Drill’s completion. The report shall be no less detailed
than similar information that Supplier provides to other customers similar to
Triple-S for similar services;

 

(iv) If material deficiencies are identified during the BC/DR Drill that may
reasonably be expected to have a material adverse impact to the performance of
Services, Supplier shall (A) include them in the summary report described above;
(B) promptly provide a plan and timeline to correct them; (C) execute the plan
and track and report progress against it to Triple-S; and (D) retest the BC/DR
Plan (or New BC/DR Plan if the remediation involves accelerating migration to a
new environment covered by the New BC/DR Plan) to determine if the deficiencies
have been remediated; and

 

(v) Notify Triple-S of a scheduled BC/DR Drill with respect to the BC/DR Plan
via email at least thirty (30) days prior to the scheduled date, reasonably
allowing Triple-S to observe or participate as applicable. In the event Supplier
changes any such scheduled testing date, Supplier will send prompt notification
of the change.

 

(i) BC/DR Event Management. If Supplier experiences a BC/DR Event, Supplier
shall provide the Services and other business continuity Functions in accordance
with the BC/DR Plan. Supplier’s Functions shall include the following:

 

(i) Promptly notifying the primary Triple-S contacts under the Agreement and
other Triple-S personnel designated in the BC/DR Plan;

 

(ii) Providing a single 24 hour per day, 365 day per year (24/365)
point-of-contact with an alternative back-up point-of-contact with 24/365
availability for business continuity related communications and activities;

 

(iii) If a BC/DR Event occurs at a primary site, promptly providing Triple-S
with an initial assessment of the impact of the BC/DR Event and an estimated
forecast of the time it will take to bring Supplier’s recovery site to
operational status;

 

(iv) Paying all travel and living expenses incurred by Supplier Personnel in the
performance of Supplier’s responsibilities described in this Section 2.8;

 

(v) Providing an assessment of the state of the Services periodically as
outlined in the BC/DR Plan during the recovery process until Services are
restored;

 



(vi) Meeting service levels and recovery timelines as established in the
approved BC/DR Plan required during the BC/DR Event with relief from
consequences (financial impact or otherwise) outside of Supplier control and
within scope of services provided by third parties contracted directly to
Triple-S and as set forth in Schedule B (Service Level Methodology);

 

(vii) Performing a Root Cause Analysis of Incidents identified during a BC/DR
Event; and

 

(viii) Validating that the Services are functioning properly after recovering
from a BC/DR Event.

 

3 EMBEDDED PROCESSES

 

3.1 General

 

To the extent Supplier is responsible for performing a particular Function
(either as identified in Section 2 of this Schedule A (Cross Functional
Services) or in any SOW), then Supplier is responsible not only for performing
the indicated Function, but also for providing the resources necessary to
perform such Function and any other Functions and responsibilities described in
this Section 3.1 as they may relate to such Function (the “Embedded Processes”).

 

3.2 Embedded Processes

 

The Embedded Processes include:

 

(a) Developing the procedures underlying the Function, subject to and in
compliance with Triple-S regulatory requirements and in alignment with Triple-S
Policies and Procedures as defined in Schedule J (Triple-S Policies and
Procedures) and the requirements of this Agreement so as to enable the Services
to function cohesively and in a coordinated manner;

 

(b) Performing the required activities necessary to manage the Function,
including (i) supervising and reporting, including reporting to other personnel
within the Function, (ii) measuring and reporting on the performance of the
Function in accordance with Schedule K (Reports);

 

(c) Managing documents and data (including data acquisition, data entry, data
recording and data distribution) related to the Function;

 

(d) Coordinating with Triple-S business units as necessary to perform the
Services;

 

(e) Performing “self audits” of the Function, including testing the (i)
accuracy, reliability and quality of work, (ii) compliance with approved
policies and procedures, and (iii) performance and correction of any issues
identified during such audits and reporting of self audit results;

 



(f) Participating in internal and external audits pursuant to Schedule M (Audit
and Record Retention Requirements);

 

(g) Engineering the Function, including performing those actions necessary to
maintain or improve the underlying activities based on (i) then-current best
practices, and (ii) how it is intended to interact with other activities
performed by Supplier or by Triple-S;

 

(h) Responding to reasonable queries and requests concerning activities
associated with the performance of the Function, including making the applicable
subject matter experts, documentation and other relevant content available as
reasonably necessary to be responsive;

 

(i) Interacting and coordinating as needed with Triple-S, including (i)
integrating the Function with the activities of Triple-S such that the overall
delivery of services is optimized (i.e., not sub-optimized within the confines
of the Function), and (ii) monitoring the activities performed by Triple-S to
mitigate negative impact on the Function; and

 

(j) Providing reasonable support to Triple-S’s sales and marketing processes by
responding to prospective or existing customer requests for proposals (RFPs),
providing reasonable access to Supplier Facilities and Supplier Personnel as
part of any prospective or existing customer requests (subject to Supplier
Facility and Security Policies), and providing Triple-S with information
concerning the Services or delivery of the Services as (i) reasonably requested
by the prospective or existing customer, (ii) reasonably required by Triple-S
for the purpose of responding to an RFP, or (iii) reasonably necessary to
support the Triple-S sales and marketing process (e.g., sales pitches). Triple-S
disclosure of any Supplier Confidential Information remains subject to Section
21.2(d) of the General Terms and Conditions.

 

4 RETAINED TRIPLE-S RESPONSIBILITIES

 

Triple-S shall retain the following responsibilities:

 

(a) Information Sharing:

 

(i) Provide access to operational reports applicable to Supplier’s performance
of the Services from Triple-S Systems.

 

(b) Procedures Manuals:

 

(i) Assist with development of and provide input to the Procedures Manual; and

 

(ii) Provide available Triple-S documents, policies and processes as reasonably
requested by Supplier to assist in completion of the Procedures Manual.

 

 



MASTER SERVICES AGREEMENT

 

SCHEDULE B

 

SERVICE LEVEL METHODOLOGY

TABLE OF CONTENTS

 



1 GENERAL PROVISIONS
  1.1 Definitions
  1.2 General
  1.3 Reporting of Performance Measures
2 SERVICE LEVEL OBLIGATIONS
  2.1 Service Level Obligations
  2.2 Commencement of Service Level Obligations
  2.3 Interim Period
  2.4 Service Level Failures
  2.5 Excused Performance
3 CHANGES TO SERVICE LEVELS
  3.1 Changes to Service Points
  3.2 Deletion of Service Levels
  3.3 Additions of Service Levels
  3.4 Minimum and Maximum Number of CPIs
  3.5 Initial Baselined Service Levels
  3.6 Additions of Regulatory Service Levels
  3.7 [***] Service Levels
4 SERVICE LEVEL CREDITS
  4.1 Service Points
  4.2 Service Level Credit Calculation
  4.3 Service Credit Multipliers
  4.4 Service Level Credit Earn Back
  4.5 Notice and Payment of Service Level Credits
  4.6 Cumulative Remedies and Waivers
5 CONTINUOUS IMPROVEMENT OF SERVICE LEVELS
6 QUARTERLY REVIEW

 

SCHEDULE B

 


SERVICE LEVELS METHODOLOGY

 

This Schedule B (Service Level Methodology) to the Agreement provides the
methodology by which Supplier’s performance of the Services will be monitored
and measured in relation to certain quantitative Service Levels. This Schedule B
also (a) defines such quantitative Service Levels that shall be provided in
Exhibit(s) to each SOW (collectively, the “Service Level Metrics Documents”),
(b) describes what constitutes a Service Level Failure, (c) describes the
methodology for calculating Service Level Credits that Supplier will provide to
Triple-S upon the occurrence of a Service Level Failure and such Service Level
Failure is not excused pursuant to this Schedule B, and (d) describes the
procedure for adding new Service Levels.

 

1. General Provisions

 

1.1 Definitions

 

The following capitalized terms when used in this Schedule shall have the
meanings given below. Any capitalized terms used but not defined in this
Schedule B (Service Level Methodology) will have the meaning provided in Schedule AA
(Glossary) or elsewhere in the Agreement.

 

(a) “At Risk Amount” means, for any month during the Term, [***] of the total
Monthly Charges under the Agreement (excluding any taxes, reimbursements and
pass through expenses) for such month.

 

(b) “Baselined” means that the Service Level will be established using the
process set forth in Section ‎3.5.

 

(c) “Compliance Date” has the meaning given in Section ‎2.2.

 

(d) “Escalator Credit” has the meaning given in Section ‎4.3.

 

(e) “Interim Period” means the period of time beginning on the Compliance Date
during which Supplier will be held to the Interim SLA.

 

(f) “Interim SLA” means the Service Level effective during the Interim Period.

 

(g) “Long Term SLA” means the Service Level effective upon expiration of the
Interim Period.

 



(h) “Measurement Window” means the periodic evaluation and reporting frequency
for each individual Service Level as specified in the Service Level Metrics
Documents (e.g., monthly, quarterly, semi-annually, annually).

 

(i) “Root Cause Analysis” means the problem analysis process undertaken to
identify and enumerate the underlying cause(s) of a Service Level Failure or
some other failure, and to document the necessary corrective actions to be taken
to prevent recurring problems or trends which could result in problems.

 

(j) “Service Commencement Date” has the meaning given in Schedule AA (Glossary).

 

(k) “Service Level” has the meaning given in Schedule AA (Glossary).

 

(l) “Service Level Credit” means a monetary credit to Triple-S by Supplier upon
the occurrence of a Service Level Failure of a Service Level after the
Compliance Date for such Service Level and calculated in accordance with Section
‎4.2 of this Schedule B (Service Level Methodology).

 

(m) “Service Level Failure” means Supplier’s failure after the applicable
Compliance Date to meet a Service Level during the applicable Measurement Window
pursuant to this Schedule B (Service Level Methodology) and the applicable
Service Level Metrics Documents.

 

(n) “Service Level Metric” shall mean the measurement value of Supplier’s
required level of performance for the applicable Service Level. The Service
Level Metrics are described in the Service Level Metrics Documents.

 

(o) “Service Level Metrics Documents” has the meaning given in the Preamble to
this Schedule B.

 

(p) “Service Level Performance Report” has the meaning given in Section ‎1.3(a).

 

(q) “Service Point” means a percentage point that is equal to one percent (1%)
of the At Risk Amount and that is assigned in accordance with Sections ‎4.1 and
‎3.1.

 

(r) “SLA Pool” has the meaning given in Section ‎4.1(a).

 

(s) “[***] Service Level” means those Service Levels designated in Section ‎3.7
of this Schedule B for which Triple-S can terminate the Agreement pursuant to
Section 16.1(d) of the General Terms and Conditions.

 

1.2 General

 

(a) This Schedule B (Service Level Methodology) provides certain Service Levels
against which Supplier’s performance of the Services shall be measured. Supplier
shall perform the Services at or above the levels of performance indicated for
the applicable Service Level as set forth in this Schedule B (Service Level
Methodology) and the
Service Level Metrics Documents.

 

(b) Supplier will provide and maintain all of the tools, processes, and
capabilities that are necessary for measuring, monitoring and reporting
Supplier’s performance with respect to the Service Levels.

 

(c) Except as otherwise provided in the Service Level Metrics Documents, the
Measurement Window for each Service Level will be a calendar month. Except as
otherwise provided in the Service Level Metrics Documents, all references to
“hour” or “hours” shall mean clock hours; all references to “day” or “days”
shall mean calendar days (except where Business Days are expressly stated); all
references to “month” shall mean calendar month; and all references to “year”
shall mean calendar year.

 

1.3 Reporting of Performance Measures

 

On or before each applicable Service Commencement Date, Supplier shall implement
mutually agreed standard reporting procedures to report Supplier’s performance
of the Services at a level of detail sufficient to verify Supplier’s compliance
with the Service Levels. Triple-S has the right to audit all such reporting
procedures in accordance with Schedule M (Audit and Record Retention
Requirements).

 

(a) Throughout the Term of the Agreement and for the duration of any
Disengagement Assistance Period, Supplier shall track its performance with
respect to each Service Level and report the results to Triple-S in a monthly
report the format, structure, and level of detail of which shall be agreed to by
the Parties (the “Service Level Performance Report”). Without limiting the
generality of the foregoing, the Service Level Performance Report shall include:

 

(i) summary reporting for each Service Level;

 

(ii) a comparison of Supplier’s performance during the Measurement Window being
reported against Supplier’s performance during each of the Measurement Windows
over the previous twelve (12) months (or if a Service Level has been measured
for less than twelve (12) months, such time that the Service Level has been
measured) with respect to each Service Level;

 

(iii) with respect to each Service Level Failure: (A) a summary and description
of each Service Level Failure; and the Root Cause Analysis with respect to each
Service Level Failure; (B) associated trend analyses with respect to such
Service Level Failures; (C) to the extent not already included in the Root Cause
Analysis, a description of remedial and/or preventative measures taken or
planned to be taken by Supplier in connection with such Service Level Failures
and if remedial and/or preventative measures were taken in the past but the same
Service Level Failure persists, the alternative measures to be taken; and (D) a
calculation of the amount of the corresponding Service Level Credit Triple-S is
entitled to receive in connection with each such Service Level Failure.

 

(b) Supplier shall deliver the Service Level Performance Report within thirty
(30) days after the last day of each month. The Service Level Performance Report
shall be in electronic form suitable for use on a personal computer in a MS
Office format. Supplier shall provide a hard copy of the Service Level
Performance Report to Triple-S upon request.

 

(c) If any Service Level Performance Report does not contain a level of detail
sufficient to allow Triple-S to reasonably determine whether Supplier has met or
failed to meet a Service Level in the immediately preceding Measurement Window,
Triple-S will notify Supplier of such failure and Supplier will provide such
detail within ten (10) Business Days of such notice. If such additional detail
does not sufficiently allow Triple-S to reasonably determine whether Supplier
has met or failed to meet the applicable Service Level (including where Supplier
fails to report upon its performance for a Service Level), a Service Level
Failure shall be deemed to have occurred for such Service Level during the
applicable Measurement Period.

 

(d) Supplier shall provide reasonably detailed supporting information in
connection with any Service Level Performance Report to Triple-S in electronic
copy form suitable for use on a personal computer in a MS Office format
accessible upon reasonable request by Triple-S. Supplier shall also provide
Triple-S with on-line access to up-to-date problem management data and other
data regarding the status of service problems, service requests, and user
inquiries.

 

(e) Supplier shall provide Triple-S with reasonable access to the data used by
Supplier to calculate its performance against the Service Levels and the
measurement and monitoring tools and procedures utilized by Supplier to generate
such data for purposes of audit and verification. To ensure the ability to audit
Service Level reporting, Supplier shall retain for the duration of the Term, and
on request provide Triple-S with access (in accordance with Schedule M (Audit
and Record Retention Requirements)) to, underlying data used for Service Level
reporting and reasonably necessary for such verification, including manually
created and machine generated data, together with records of all calculations or
adjustments applied to such data as part of the reporting process. Triple-S
shall not be required to pay any amount in addition to the Charges for access to
Supplier’s measurement and monitoring tools or the resource utilization
associated with their use. The Service Level Performance Reports, and any
supporting data and information, will be considered the Confidential Information
of each Party.

 

2. Service Level Obligations

 

2.1 Service Level Obligations

 

The metrics, measurement standards, and other pertinent features for Service
Levels are described in the Service Level Metrics Documents.

 



2.2 Commencement of Service Level Obligations

 

The “Compliance Date” for any Service Level means the date that Supplier first
becomes obligated to meet or exceed the Service Level Metric for such Service
Level. The Compliance Date for each Service Level shall be the later of (a) the
applicable Service Commencement Date for SOW #1 (Claims Services) and SOW #2 (IT
Services) or (b) if applicable, the date set forth in the Service Level Metrics
Documents, subject to Section ‎3.5.

 

Claims within the Day One Backlog (as defined in Section 4.5 of Schedule B
(Service Level Methodology)) will be excluded from Service Level calculations
under SOW #1 (Claims Services) for the first 60 days following completion of the
Claims Transition.

 

Supplier will not be responsible for Service Level Credits prior to July 1, 2018
(notwithstanding that the Service Commencement Date is earlier than such date)
with respect to Service Level Failures under SOW #1, except for [***] Service
Levels [***] for which Service Level compliance will begin on the Service
Commencement Date [***] Service Levels, the “Key Claims Transition SLAs”).

 

2.3 Interim Period

 

(a) The Service Level Metrics Documents may describe certain Service Levels for
which there will be an Interim SLA. Supplier will be required to meet or exceed
each such Interim SLA for the Interim Period (as measured from the Service
Commencement Date) designated in the applicable Service Level Metrics Document,
subject to Section ‎3.5.

 

(b) If there is an Interim SLA specified, upon the conclusion of the applicable
Interim Period, Supplier will be required to meet or exceed the corresponding
Long-Term SLA designated in the applicable Service Level Metrics Document.

 

2.4 Service Level Failures

 

Upon the occurrence of a Service Level Failure with respect to a Service Level,
the following will apply:

 

(a) Supplier shall grant to Triple-S a Service Level Credit, calculated in
accordance with Section ‎4.2, as applicable,

 

(b) The Service Level Failure will be escalated to the Program Manager or his or
her designee and the Governance Committee in accordance with Schedule F
(Governance).

 

(c) Supplier will promptly:

 

(i) conduct a Root Cause Analysis to determine why such failure occurred (in not
more than 48 hours);

 

(ii) provide copies of the Root Cause Analysis to Triple-S, upon its request;

 



(iii) prepare a formal written recovery plan designed to prevent the
reoccurrence of such Service Level Failure; and

 

(iv) once such recovery plan has been approved by Triple-S, implement such plan
at Supplier’s sole cost and expense and in a mutually agreed timeframe.

 

2.5 Excused Performance

 

(a) Supplier will not be excused from a failure to achieve a Service Level other
than as provided in this Section ‎2.5.

 

(b) Supplier shall be excused from a failure to meet a Service Level only if and
to the extent

 

(i) such failure was:

 

(A) due to changes made by Triple-S, for which it has not provided reasonable
notice to Supplier, in or to systems, technology, or data transmissions;

 

(B) due to failure of third party systems or network connectivity that Triple-S
is required to provide under this Agreement and that Supplier requires to
provide the Services; provided (1) this excuse shall not apply to any Supplier
Affiliates or Subcontractors; and (2) this excuse shall not apply to Managed
Third Parties to the extent such failure is attributable to Supplier not
performing its vendor management responsibilities under Schedule A (Cross
Functional Services);

 

(C) due to Supplier’s compliance with Triple-S’s written direction to perform
the Services in a manner inconsistent with Supplier’s obligations (provided
Supplier has notified Triple-S of such inconsistency and related impact on the
Service Levels), including for Projects or Changes where the Parties have agreed
to a Change Order or Task Order that noted that the Change or Project will
likely or possibly result in a failure to meet a Service Level;

 

(D) with respect to those Service Levels denoted as Volume-Sensitive Service
Levels in the Service Level Metrics Documents, due to the volume to be processed
by Supplier exceeding [***] (as defined in any applicable SOW), provided
Supplier’s acts or omissions did not cause the volume to exceed such forecast
(it being understood that omissions shall not include Supplier’s failure to
process excess volumes if Triple-S determines not to pay additional Charges
pursuant to Schedule C (Charging Methodology));

 

(E) caused by circumstances that constitute a Force Majeure Event; provided,
that Supplier has met its obligations for performing Disaster Recovery and
business continuity services as described in this Agreement; or

 

(F) caused by circumstances described in Section 7.3 (Savings Clause) of the
General Terms and Conditions; and

 

(ii) Supplier:

 

(A) promptly notified Triple-S of the applicable circumstances referenced in
Section ‎2.5(b)(i);

 

(B) used Commercially Reasonable Efforts to prevent, overcome, or mitigate the
adverse effects of such failure and to perform its obligations notwithstanding
such failure; and

 

(C) complied with Section ‎2.5(c).

 

(c) If Supplier wishes to avail itself of one of the clauses referenced in
Section ‎2.5(b), then Supplier shall indicate in the Service Level Performance
Report the following:

 

(i) Each applicable Service Level that is subject to the Service Level Failure;

 

(ii) For each applicable Service Level, the circumstances claimed by Supplier
under Section ‎2.5(b);

 

(iii) The calculation of the affected Service Level value, both with and without
taking into account the effect of the clause concerned; and

 

(iv) The circumstances and background data giving rise to the excuse, in
reasonably sufficient detail to permit Triple-S to evaluate whether Supplier’s
claim of excuse is valid.

 

(d) Supplier will at all times bear the burden of proof as to the existence of
an excuse and the applicability of the excuse to the Service Level Failure at
issue, including during dispute resolution proceedings.

 

3. Changes to Service Levels

 

3.1 Changes to Service Points

 

(a) Not more than [***], Triple-S has the right to provide written notice to
Supplier to increase or decrease the then-current Service Points among one or
more Service Levels; provided the total Service Points do not exceed the SLA
Pool and all such changes remain subject to Section ‎4.1(a).

 



(b) The changes will become effective 90 days after the agreement of the Parties
(or on the first day of the next Measurement Window if the 90th day after such
notice does not fall on the first day of the Measurement Window).

 

(c) Certain Service Levels are designated as “Critical Performance Indicators”
(or “CPIs”) and others as “Key Performance Indicators” (or “KPIs”). Triple-S may
not allocate Service Points to any KPIs without Supplier’s consent.

 

3.2 Deletion of Service Levels

 

Triple-S has the right to delete a Service Level by sending written notice to
Supplier; provided, however, that Triple-S shall not be entitled to reallocate
any Service Points except as set forth in Section ‎3.1 and all deletions remain
subject to Section ‎3.4. A deletion of any Service Level shall be documented
through the Change Control Process (but no Supplier consent shall be required).

 

3.3 Additions of Service Levels

 

Except as provided below in Section ‎3.6, the addition of new Service Levels
will be subject to mutual agreement of the Parties.

 

3.4 Minimum and Maximum Number of CPIs

 

Notwithstanding anything in this Schedule B (Service Level Methodology) and
except as mutually agreed by the Parties, there will be no fewer [***] CPIs at
any time during the Term of the Agreement. If the Parties add new Services to
this Agreement (e.g., a new SOW for call center services), the maximum number of
CPIs shall be reasonably increased to accommodate the new Service Levels
required for such new Services.

 

3.5 Initial Baselined Service Levels

 

For Service Levels that the Parties have designated in the Service Level Metrics
Documents as Service Levels to be “baselined”, the Service Level will be
established using the process set forth below. The Parties may, however, agree
to extend the baselining period to account for seasonality and other factors.

 

Where historical data exists and reporting is available as of the Effective Date
(“Existing Service Level”), the Interim SLAs will be established or validated
(as applicable) prior to the Service Commencement Date using the process
provided in Section ‎3.5(a). Where historical data exists and reporting is not
available (“Newly Reported Service Level”), Supplier will develop the required
reporting, and the Interim SLAs will be established or validated (as applicable)
using the process provided in ‎3.5(a), prior to the Service Commencement Date.
Where historical data does not exist for a Service Level (“New Service Level”),
the Interim SLAs will be established or validated using the process provided in
Section ‎3.5(b), with the baselining period commencing as soon as the Parties
are able to begin measuring performance against the applicable New Service
Levels. For clarification, the Long-Term Service Levels reflect levels
negotiated by the Parties and are not subject to baselining under this Section
3.5 or otherwise. If Triple-S determines it has historical data for a Service
Level being baselined, the Parties will agree on
the Service Level Metric and when to end the baselining period.

 

(a) For each Service Level for which there is at least six (6) months of
historical data within the past nine (9) months and such data indicates
performance that is acceptable to Triple-S, then the Service Level metric shall
be the arithmetic mean of the most recent six (6) months of historical data,
after excluding the highest and lowest monthly actual results during such
period. For example, if the six (6) months of historical data are 99.85%, 99.90%,
99.91%, 99.92%, 99.93% and 99.95%, then the Service Level would be the arithmetic
mean, after excluding the highest and lowest monthly actual results during
such period (99.915%) (calculated as (99.90% + 99.91% + 99.92% + 99.93%) / 4).
Such Service Level shall become effective as soon as the calculations above have
been performed.

 

(b) If the Parties agree to add a new Service Level for which at least six (6)
months of historical data within the past nine (9) months does not exist, then
such Service Level shall be baselined to determine the initial Service Level
value in accordance with the following:

 

(i) Supplier and Triple-S shall promptly meet to agree upon the tools and
procedures to be used to measure such new Service Level. Upon such agreement,
Supplier or Triple-S, as applicable, shall promptly implement such agreed upon
tools and/or procedures and begin measuring the new Service Level.

 

(ii) The “Baselining Period” for each such Service Level shall begin on the
first day of the calendar month following the date upon which Supplier or
Triple-S, as applicable, is capable of beginning to measure such Service Level
using the agreed upon tools and procedures, and continue for six (6) months. The
Parties may agree to extend the Baselining Period at any time.

 

(iii) Supplier shall begin to measure its performance against each such Service
Level commencing on the start date of the relevant Baselining Period, and shall
report on its performance with respect to each such Service Level as provided in
Section 1.3 or as otherwise agreed by the Parties. The Service Level will
be set using the formula provided in Section 3.5(a).

 

(iv) Each such Service Level shall become effective (i.e., the Compliance Date
will be) as soon as the calculations above have been completed.

 

3.6 Additions of Regulatory Service Levels

 

Upon reasonable notice to Supplier (not less than [***] days or such shorter
period as may be required by applicable Law), Triple-S may supplement or modify
the Service Levels (provided that the Compliance Date for any such supplemented
or modified Service Level will be [***] after the date of the change to enable
Supplier to implement any required changes within such period or (ii) such
shorter period as may be required by applicable Law):

 

(a) To the extent there is a change to existing Laws or new Laws with which the
Services are required to comply;

 

(b) To the extent there is an updated interpretation of a Law with which the
Services are required to comply; or

 

(c) At the direction of a Regulator, or if there is a change in the enforcement
or threshold by a Regulator.

 

3.7 [***] Service Levels

 

Below are the [***] Service Levels as of the Effective Date. There will be no
more than [***] Service Levels at any time. Any changes to the [***] Service
Levels will be subject to mutual agreement of the Parties; provided that any
change to the [***] Service Levels will only be effective [***] after the
Parties agree to the change. Any Service Level with a Service Level Metric of
100% will not be a [***] Service Level. Any Service Level Failure of a Key
Claims Transition SLA prior to July 1, 2018 will not count as a failure for
determining whether Triple-S has the right to terminate pursuant to Section
16.1(c) of the General Terms and Conditions.

 

| SOW | Service Level # | Category | Service Level Name |
| SOW #1 - Claims | Claims 1 | Claims | End to End Timeliness of Clean Claim Adjudication Process |
| SOW #1 - Claims | Claims 3 | Claims | Timeliness of Unclean Claim Adjudication (provided, performance must be below 99.5% in order for the failure to be counted for purposes of the termination right provided in Section 16.1(c)) |
| SOW #2 - IT | IT 1 | Application Availability | Availability of Criticality 1 Applications |
| SOW #2 - IT | IT 2 | Application Availability | Availability of Criticality 2 Applications |
| SOW #2 - IT | IT 8 | Business to Business | Timely B2B File Execution - Criticality 1 |
| SOW #2 - IT | IT 10 | IT Infrastructure | Production Server (OS Instance) Availability |
| SOW #2 - IT | IT 13 | Network Availability | IT Network (Data Center and Triple-S Primary Facilities) |

 

4. Service Level Credits

 

4.1 Service Points

 

For the purposes of calculating Service Level Credits, Triple-S may apportion
Service Points to the Service Levels, subject to the following:

 

(a) Subject to Section ‎3.1, Triple-S may apportion [***] Service Points
(collectively, the “SLA Pool”) across the collection of all Service Levels
included in the Service Level Metrics Documents; provided that (i) the maximum
number of Service Points for any Service Level with a Service Level Metric of
100% shall not exceed [***] Service Points; and (ii) the maximum number of
Service Points for any other particular Service Level shall not exceed [***]
Service Points.

 

(b) For clarity, each Service Point in the SLA Pool represents [***] of the At
Risk Amount; provided, however, the aggregate amount in Service Level Credits
recovered by Triple-S for any given month may not exceed the At Risk Amount in
such month.

 

4.2 Service Level Credit Calculation

 

With respect to a Service Level Failure, the applicable Service Level Credit
will be computed in accordance with the following formula:

 

Service Level Credit = A x B

 

Where A is the At Risk Amount; and

 

Where B is the allocation of Service Points for the applicable Service Level;

 

For example only, assume that Supplier fails to meet the Service Level for a
Service Level, the At Risk Amount is [***] of the Monthly Charges, and the
Monthly Charges for the month in which the Service Level Failure occurred were
[***]. Additionally, assume that the allocation of Service Points for such
Service Level is [***]. The Service Level Credit due to Triple-S for such
Service Level Failure would be computed as follows:

 

A (the At Risk Amount) is [***] which is [***];

 




 



Multiplied by B (the allocation of Service Points for such Service Level), which
is [***] Service Points (or [***]);

 

Yields a Service Level Credit = [***]

 

In the event of multiple Service Level Failures due to a single incident
occurring in a month, only the highest Service Level Credit resulting from such
Service Level Failures will apply in such month.

 

4.3 Service Credit Multipliers

 

(a) If Supplier’s performance results in a Service Level Failure for the same
Service Level [***], then upon the occurrence of the [***] and any additional
Service Level Failure in the rolling six month period, the Service Level Credit
[***] by [***] (an “Escalator Credit”).

 

(b) For example, assume an At Risk Amount of [***] and that the applicable
Service Level has [***] Service Points. If Supplier fails to meet or exceed such
Service Level [***] times in a [***], then upon the occurrence of the [***] such
Service Level Failure, the Escalator Credit shall be [***].

 

4.4 Service Level Credit Earn Back

 

(a) If, during the [***] period immediately following the Measurement Window of
a Service Level Failure that generated a Service Level Credit, Supplier’s
performance is greater than or equal to the applicable Service Level metric for
each of such [***], then Supplier will earn back [***] of the applicable Service
Level Credit associated with, and previously credited for, the Service Level
Failure (an “Earn Back”), subject to the following:

 

(i) An Earn Back shall not apply to the same Service Level more than [***]; and

 

(ii) Supplier shall not be eligible for Earn Back for a Service Level Failure
that involves performance that is more than [***] the required Service Level
level. (For example, if a Service Level requires 99.5% availability or 99.5% of
claims to be processed within 1 hour, if availability is less than [***] of such
claims are processed within 1 hour, Supplier would not be eligible to Earn-Back
the Service Level Credit payable for the failure).

 

(b) If Supplier fails to satisfy the requirements in Section 4.4(a), then
Supplier shall not be capable of generating an Earn Back for that Service Level
Credit. Earn Backs will be provided as set forth in Section 4.5 below.

 




 

 

4.5 Notice and Payment of Service Level Credits

 

Supplier shall notify Triple-S in the Service Level Performance Report if
Triple-S becomes entitled to a Service Level Credit. For each Service Level
Credit that Triple-S is entitled to pursuant to this Schedule B (Service Level
Methodology), Supplier will provide such Service Level Credit to Triple-S (less
any Earn Backs for prior Service Level Failures) on the invoice following the
applicable Service Level Performance Report at the end of the applicable
Measurement Window. If there will be no further invoices, Supplier will pay the
amount of the Service Level Credit (less any Earn Backs for prior Service Level
Failures) to Triple-S within thirty (30) calendar days after the date of the
last invoice.

 

4.6 Cumulative Remedies and Waivers

 

The exercise by Triple-S of its rights under this Schedule B (Service Level
Methodology), including the right to receive Service Level Credits and receive
payments for or interests, shall be without prejudice to its other rights or
remedies under the Agreement or at law or equity, including Triple-S’s right to
claim and collect damages and Triple-S’s right to terminate the Agreement in
whole or in part in accordance with the Agreement. If Triple-S elects to waive
in writing a Service Level Credit, such waiver will not be considered a waiver
of the application of the Service Level Failure toward any termination rights
set forth in the Agreement, unless otherwise expressly stated in such writing.

 

5. Continuous Improvement of Service Levels

 

The Service Levels designated by the Parties as being subject to continuous
improvement in the Service Level Metrics Documents will be subject to a
continuous improvement process that results in the adjustment of the Service
Level Metrics. Such adjustment will be conducted on an [***] basis commencing
[***] after each applicable Compliance Date. Such adjustments to the Service
Levels will be formalized by making updates to the relevant Service Level
Metrics Documents and will take effect [***] after the end of each measured year
(“Service Level Improvement Date”) and be calculated as follows:

 

(a) Following each Service Level Improvement Date, each applicable Service Level
Metric shall be reset to a value equal to the outcome of the formula set forth in
Section 5(b) below (as may be modified by Section 5(c)), provided that the
result is better than the current Service Level standard.

 

(b) The formula referenced in Section ‎5(a) shall calculate the output of the
average of the [***] from the previous year. The Service Level will be reset by
taking the [***], and dividing the sum of the results by [***]. For example, if
the monthly results for the previous year were [***] the new Service Level would
be [***] provided the existing Service Level is lower than [***].

 

(c) Notwithstanding Section 5(b) above, in no event shall any single
improvement in a Service Level pursuant to Section 5(b) above exceed [***] and
the then-current Service Level. (For example, if the Service Level being
adjusted were [***], the maximum increase for that reset would be [***].)

 

(d) The process described in this Section ‎5 will be performed utilizing the
data collected over the immediately preceding [***] month period.

 

6. Quarterly Review

 

During the first six (6) months following each Service Commencement Date and
every calendar quarter thereafter, or at either Party’s request, Supplier and
Triple-S will review the Service Levels and any proposed adjustments to them as
appropriate pursuant to the Change Control Process to reflect any improved
performance capabilities associated with advances in the technology and methods
used to perform the Services or material changes in volumes and metrics used to
determine the Service Levels. The Parties will also review any other
considerations relating to the Service Levels raised by either Party. As part of
this review process, the Parties may: (a) jointly determine and agree on the
addition and/or removal of Service Levels, (b) jointly determine and agree to
revisions to the results of the automatic continuous improvement adjustment
developed for a particular Service Level pursuant to Section ‎5 above or jointly
determine and agree to improve a particular Service Level not subject to the
automatic continuous improvement adjustments of Section ‎5 above.

 

 

 






 

 



Schedule C (Charging Methodology) (FEV)

 




 

FINAL EXECUTION VERSION

 

 

 

 

 

 



 

 

 

 

 

 

 

 



MASTER SERVICES AGREEMENT

 

SCHEDULE C

 

CHARGING METHODOLOGY

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 








 





TABLE OF CONTENTS

 

1. INTRODUCTION
1.1 Overview of Charges
1.2 General Terms
2. DEFINITIONS
2.1 Certain Definitions
2.2 Other Terms
3. TRANSITION AND TRANSFORMATION
3.1 [***] Charges
3.2 In-Flight Projects
4. HEALTH PLAN CHARGES
4.1 Membership Reports
4.2 Charges
4.3 Non-Restricted Members
4.4 Member Categories and Mix
4.5 Other Adjustments
5. NON-HEALTH PLAN HOSTING SERVICES
5.1 Fixed Charges
6. APPLICATION SUPPORT SERVICES
6.1 Application Support Pool
6.2 Ongoing Operational Costs
7. INFRASTRUCTURE PROJECTS
7.1 Definitions
7.2 Charges for BAU Activity
7.3 Charges for Special Infrastructure Projects
7.4 Infrastructure Project Management
8. MATERIAL CHANGES
8.1 Material Scope Change
8.2 Triple-S Efficiency Initiatives
8.3 Additional Terms
9. TRANSFERRED CONTRACTS
9.1 Transferred Contracts
10. T&M RATES
10.1 Rates
10.2 Additional Terms
11. ADDITIONAL TERMS RELATING FIXED FEES FOR HEALTH PLAN CHARGES
12. TERMINATION CHARGES
12.1 Termination Charges
12.2 Mitigation of Charges
13. RESERVED
14. OTHER CHARGES, CREDITS AND TERMS
14.1 Financial Responsibility Matrix
14.2 Inflation Adjustments for T&M Rates
14.3 Inflation Adjustments for All Charges
14.4 End User Support
14.5 Pass-Through Expenses
14.6 Incidental Expenses
14.7 Taxes
14.8 Benchmarking
14.9 Currency
14.10 New Services
14.11 Remedial Services
14.12 Disengagement Services
14.13 Travel
14.14 Service Level Credits
14.15 [***] Pricing for Certain New Charges and Adjustments
14.16 IT Inventory and Configuration
15. INVOICING AND PAYMENT
15.1 Invoicing
15.2 Payment Due
15.3 Accountability
15.4 Proration
15.5 Refundable Items
15.6 Deductions
15.7 Disputed Charges

 

TABLE OF SCHEDULES

 

Schedule C-1 Charges
Schedule C-2 T&M Rates
Schedule C-3 Financial Responsibility Matrix
Schedule C-4 Termination Charges
Schedule C-5 TSS Transferred Contracts



 

 


 



 



SCHEDULE C

CHARGING METHODOLOGY

 

1. INTRODUCTION

 

1.1 Overview of Charges

 

This Schedule C (Charging Methodology) describes the methodology for calculating
the charges for the Services provided by Supplier to Triple-S under this
Agreement. The charges consist of the following (collectively, the “Charges”):

 

(a) the charges for health plan Services in Section ‎4;

 

(b) the charges for non-health plan hosting Services in Section ‎5;

 

(c) the charges for Application Support Services in Section ‎6;

 

(d) the charges for Infrastructure Projects in Section ‎7;

 

(e) any Termination Charges payable under Section ‎12;

 

(f) any Pass-Through Expenses payable under Section ‎14.3; and

 

(g) any other charges, fees or other amounts or adjustments expressly set forth
in this Schedule C (Charging Methodology), a Change Order, Future SOW, or Task
Order executed by the Parties.

 

1.2 General Terms

 

(a) There are no amounts other than the Charges defined in Section ‎1.1 payable
by Triple-S under this Agreement.

 

(b) If any service or offering that Supplier is obligated to provide under this
Agreement is not measured by a specific Charge, the cost to Supplier of
providing that service or offering is subsumed in the Charges hereunder and
there shall be no separate charge for such service or offering.

 

(c) Supplier was given an opportunity to perform due diligence on the Services
prior to the Effective Date. Accordingly, except where expressly permitted under
this Agreement, in no event will information or changes in circumstances
discovered after the Effective Date serve as the basis for Supplier to adjust
Charges or terms of this Agreement.

 

2. DEFINITIONS

 

2.1 Certain Definitions

 

(a) “Application Development Project” means a Project to develop new
applications and enhancements to existing applications and systems.

 


  

(b) “Application Support Pool” has the meaning given in Section ‎6.

 

(c) “Applications Support Services” means the following IT Processes (each of
which is defined in Exhibit A-1-1 (Process Definitions) of SOW #2 (IT Services))
when performed by Supplier on an In-Scope Application within the Health Plan
Portfolio:

 

(i) 1.4.1 - Delivery Strategy Development;

 

(ii) 2.3.2 – Application Architecture Development;

 

(iii) 2.6.3 – Solution Integration;

 

(iv) 2.92 – Project Management;

 

(v) 3.1.1 – Technical Requirements Definition;

 

(vi) 3.1.3 – Solution Development;

 

(vii) 3.1.4 – Resource Estimation;

 

(viii) 3.3.1 – Software Design;

 

(ix) 3.3.2 – Software Development;

 

(x) 3.3.3 – Software Integration;

 

(xi) 3.3.5 – Peer Review;

 

(xii) 3.3.6 – Testing;

 

(xiii) 3.4.2 – Environmental Integration Testing;

 

(xiv) 3.5.3 – Business Systems (Functional) Support;

 

(xv) 3.71. – Configuration;

 

(xvi) 3.7.2 – Implementation;

 

(xvii) 3.91. – Corrective Maintenance;

 

(xviii) 3.9.2 – Adaptive Maintenance;

 

(xix) 3.9.3 – Perfective Maintenance;

 

(xx) 3.9.4 – Preventive Maintenance;

 

(xxi) 3.11.2 – Problem Identification and Resolution;

 


  

(xxii) 3.11.3 – Configuration Management Execution;

 

(xxiii) 3.11.4 – Change Management Execution; and

 

(xxiv) 3.11.5 – Release Management Execution.

 

(d) “Contract Year” means each twelve (12) month period beginning on the first
Service Commencement Date and each anniversary of such date.

 

(e) “Change Control Process” has the meaning given in Schedule AA (Glossary).

 

(f) “Change Order” has the meaning given in Section 3(a) of Schedule O (Change
Control Process).

 

(g) “Charges” has the meaning given in Section ‎1.

 

(h) “Effective Date” has the meaning given in the first paragraph of the General
Terms and Conditions.

 

(i) “Financial Responsibility Matrix” has the meaning given in Section ‎14.1.

 

(j) “Fixed Monthly Fee” means the fixed monthly fee provided in Schedule C-1
(Charges).

 

(k) “Fixed PC & Life Charge” has the meaning given in Section ‎5.1(a).

 

(l) “Fixed TSM Charge” has the meaning given in Section ‎5.1(b).

 

(m) “Health Plan Charges” has the meaning given in Section ‎4.

 

(n) “Health Plan Portfolio” means the In-Scope Applications designated to be
part of the Health Plan Portfolio in Schedule X (Source of Truth) (as it may be
updated by the Parties pursuant to Section ‎4.5(d)).

 

(o) “Infrastructure” means the Equipment, network connectivity, and system
software used or required (as applicable) to provide Services.

 

(p) “Infrastructure Project” has the meaning given in Section ‎7.

 

(q) “In-Scope Application” means a Triple-S application for which Supplier
provides IT Services requested by Triple-S. The In-Scope Applications existing
as of the Effective Date are listed in Schedule X (Source of Truth) and each
designated to be part of the Health Plan Portfolio, PC & Life Portfolio or TSM
Portfolio.

 

(r) “In-Scope Member” means a Non-Restricted Member or a Restricted Member.

 

(s) “Labor Costs” means the cost of Supplier Personnel required to provide
Services. Labor Costs shall be determined using the T&M Rates.

 


  

(t) “Law” has the meaning given in Schedule AA (Glossary).

 

(u) “Material Change” has the meaning given in Section ‎5.

 

(v) “Material Functionality”, as it relates to an In-Scope Application, means:

 

(i) new end user functionality that (A) is added to an In-Scope Application
through an applications development project requested by Triple-S; (B) is
designated in advance as “Material Functionality” in the applicable Task Order
for the Project; and (C) requires Supplier to purchase and maintain a
substantial amount of additional ongoing compute capacity in order to support
the new functionality; or

 

(ii) end user functionality that (A) is decommissioned or removed from an
In-Scope Application; and (B) enables Supplier to reduce a substantial amount of
existing compute capacity as a result of the decommissioning or removal.

 

(w) “Material Scope Change” has the meaning given in Section ‎8.1(a).

 

(x) “Member” means a person, enrollee, subscriber, dependent or other individual
who is enrolled in and is eligible to receive services under a health care plan
offered or administered by Triple-S or its Affiliates or other Service
Recipient.

 

(y) “Monthly Minimum Fixed Fee” has the meaning given in Section ‎11.

 

(z) “Non-Restricted Member” means a Member for which Supplier provides Claims
Services from outside of the United States or its territories, including Puerto
Rico.

 

(aa) “PC & Life Portfolio” means the In-Scope Applications designated to be part
of the PC & Life Portfolio in Schedule X (Source of Truth) (as it may be updated
by the Parties pursuant to Section 5.1(c)).

 

(bb) “PMPM Rates” means the per member per month rates provided in Schedule C-1
(Charges).

 

(cc) “Productive Application Hour” means an hour of Productive Work performed by
Supplier on Application Support Services authorized by Triple-S.

 

(dd) “Productive Work” means productive work performed specifically for Triple-S
or a Service Recipient, as appropriately recorded under a labor tracking system
or other system acceptable to both Parties. Nonproductive time, including
holidays, vacation time, sick leave or other personal time off, education,
training, travel, administrative, expense accounting, and management time (e.g.,
Supplier’s internal meetings, internal reporting, expense accounting), internal
Supplier process implementation work, and idle time between projects shall not
be counted as Productive Work. Further, except as agreed to as part of a
Project, any time spent by personnel in Supplier’s program management office or
by any other personnel that perform administrative or account level management
functions shall not be considered Productive Work.

 


 

(ee) “Project” has the meaning given in Schedule N (Project Framework).

 

(ff) “Restricted Member” means a Member, other than a Non-Restricted Member,
whose Claims are processed using Triple-S’s [***] or HealthSuite claims
processing platform hosted by Supplier under this Agreement.

 

(gg) “Service Recipient” has the meaning given in Section 2.6 of the General
Terms and Conditions.

 

(hh) “Services” has the meaning given in Section 2.1(a) of the General Terms and
Conditions.

 

(ii) “T&M Rates” means the T&M Rates provided in Schedule C-2 (T&M Rates).

 

(jj) “Transformation” has the meaning given in Section 12 of the General Terms
and Conditions.

 

(kk) “Transition” has the meaning given in Section 11 of the General Terms and
Conditions.

 

(ll) “TSM Portfolio” means the In-Scope Applications designated to be part of
the TSM Portfolio in Schedule X (Source of Truth) (as it may be updated by the
Parties pursuant to Section 5.1(c)).

 

(mm) “TSS Membership Report” has the meaning given in Section 3.

 

2.2 Other Terms

 

Capitalized terms used in this Schedule C (Charging Methodology) but not defined
herein have the meanings given in the Glossary attached as Schedule AA
(Glossary) or elsewhere in this Agreement.

 

3. TRANSITION AND TRANSFORMATION

 

3.1 [***] Charges

 

(a) General Rule. There are [***] payable by Triple-S for the Transition or
Transformation. Supplier [***].

 

(b) Clarification. The IT Solution provided in Exhibit A-2 (IT Solution)
provides for an Assessment of the Triple-S environment and for Supplier to make
certain recommendations for improvements and other details about the final
Solution to be implemented by Supplier. Where Supplier is required to
“recommend” particular solutions to Triple-S, Supplier’s obligation includes
making a reasonable recommendation to achieve the objectives of SOW #2, work in
good faith with Triple-S to agree on the details of the recommended solution,
[***].

 

(c) Shift of Financial Responsibility. Schedule X (Source of Truth) identifies
the date by which each In-Scope Application is expected to transition from the
Triple-S data center to a Supplier Facility (“Assumed Migration Date”). Without
limiting Supplier’s
obligations under Section 12.2 of the General Terms and Conditions, if one or
more of these In-Scope Applications is not migrated to a Supplier Facility by
the Assumed Migration Date (subject to Section 7.3 of the General Terms and
Conditions), then beginning on such date, Supplier shall: (i) continue to
provide Services in support of the In-Scope Application from the Triple-S data
center or other facility agreed by the Parties; (ii) provide Triple-S with a
payment in an amount equal to Triple-S’ documented costs (including internal
costs, external out-of-pocket costs and depreciation of remaining NBV) for
facilities, personnel, third party Equipment, Software, services and other
operational costs that would not have been incurred if the In-Scope Application
had been migrated to a Supplier Facility prior to the applicable Assumed
Migration Date. If such Equipment or Software needs to be refreshed, or if
additional Equipment or Software is required, in order to provide the Services
and meet the Service Levels for such In-Scope Applications, then Supplier will
purchase or license such Equipment or Software directly.

 

3.2 In-Flight Projects

 

Supplier shall assume responsibility for the In-flight Projects denoted as being
Supplier’s responsibility (as defined in Schedule P (In-Flight Projects))
beginning on the Effective Date and shall complete them. Services that are
Applications Support Services will count against the Application Support Pool.
Services that are Special Infrastructure Projects will count against the Special
Infrastructure Project Pool. Services for other Services necessary to complete
the In-Flight Projects (including Infrastructure Projects that are not
designated in Schedule P as Special Infrastructure Projects) will be performed
by Supplier as BAU Activity.

 

4. HEALTH PLAN CHARGES

 

This Section ‎4 describes certain charges that shall be determined based on the
number of Members (“Health Plan Charges”). The Health Plan Charges shall
compensate Supplier for providing (a) Claims Services for Non-Restricted
Members; (b) hosting and other Infrastructure support for the Health Plan
Portfolio; (c) the Application Support Pool; and (d) all other IT Services not
expressly covered by another charging methodology described in this Schedule C
(Charges).

 

4.1 Membership Reports

 

The Health Plan Charges shall be determined each month as follows:

 

(a) Triple-S will provide Supplier with a report that specifies the number of
In-Scope Members (with detail showing the volume of Non-Restricted Members and
Restricted Members) that were receiving the benefit of the Services as of the
10th day of each month (“TSS Membership Report”) by the 15th day of such month.
In addition, with each TSS Membership Report, Triple-S shall provide an update
to the data reported on the TSS Membership Report from three months prior that
reflects any retroactive additions or removals of In-Scope Members by Triple-S
(“True-Up TSS Membership Report”). For example, by the 15th day of April,
Triple-S will provide the volume of In-Scope Members existing on April 10 for
the TSS Membership Report and the volume
of In-Scope Members existing on January 10 (after retroactive adds/removals are
made) for the True-Up TSS Membership Report). The TSS Membership Report will be
used to determine monthly charges under Section 4.1(b); the True-Up TSS
Membership Report will be used to “true-up” those Charges under Section 4.1(c).

 

(b) At the end of each month, the Health Plan Charges provided in Schedule C-1
(Charges) will be applied based on the volume of Restricted Members and
Non-Restricted Members for the month in the TSS Membership Report, as further
described in this Section 4.

 

(c) At the end of each quarter, the Health Plan Charges that were determined in
each of the months that were four, five and six months prior will be
recalculated based on the In-Scope Membership in the True-Up TSS Membership
Reports, and an additional charge or credit will be applied to the current
months’ Charges to reflect such recalculated Charges.

 

Example: By the end of January, Triple-S will provide the In-Scope Membership as
it existed on January 10. Supplier will invoice Triple-S for the Health Plan
Charges in early February based on such report. The same reporting and invoicing
process will occur in each subsequent month. At the end of June, the Health Plan
Charges will be recalculated for (i) January using the True-Up TSS Membership
Report provided in April (i.e., to reflect the number of In-Scope Members for
January as reported in April after retroactive adds and removals are made); (ii)
February using the True-Up TSS Membership Report provided in May; and (iii)
March using the True-Up TSS Membership Report provided in June. Any additional
Charges or credits required as a result of the true-up above will be applied on
the July invoice. At the end of September, the same true-up process would occur
for the Health Plan Charges invoiced in April, May and June.

 

4.2 Charges

 

The Health Plan Charges consist of the following:

 

Number of In-Scope Members Charges [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]

 

For clarification, except where variable incremental fees are noted above, the
Fixed Monthly Fees are not subject to adjustment [***].

 


 

4.3 Non-Restricted Members

 

The volume tiers and corresponding Charges in Section 4.2 count and include
both Restricted Members and Non-Restricted Members, subject to the following:

 

(a) Each month, for purposes of determining Charges payable under Section 4.2:

 

(i) The first [***] Restricted Members shall count as “In-Scope Members”;

 

(ii) The next [***] Restricted Members shall not count as “In-Scope Members”
(i.e., Supplier will provide IT Services in support of them but they will be
excluded from In-Scope Member counts when determining Charges); and

 

(iii) Each Restricted Member above [***] shall count as an “In-Scope Member”.

 

(b) Additionally, if Triple-S acquires new In-Scope Members through a merger or
acquisition, including acquisition of a new Triple-S Affiliate that becomes a
Service Recipient:

 

(i) Such new Members that meet the definition of Non-Restricted Member will be
counted for purposes of determining Charges payable under Section 4.2 as soon
as they meet such definition.

 

(ii) For such new Members that meet the definition of Restricted Member,
Supplier will provide IT Services in support of them but they will be excluded
from the “In-Scope Member” counts for purposes of determining the Charges
payable under Section 4.2 until the earlier of (A) [***] following the date
they become Restricted Members under this Agreement; and (B) the date they
become Non-Restricted Members.

 

(iii) For clarification, new Members that do not meet the definition of
Restricted Members or Non-Restricted Members (e.g., Members that receive
processing on a platform not supported by Supplier) are not counted as In-Scope
Members for purposes of determining Charges under Section 4.2.

 

4.4 Member Categories and Mix

 

The Fixed Monthly Fees and the PMPM Rates shall compensate Supplier for
providing the Services for all types of existing and new Non-Restricted Members
for which Triple-S may request Services during the Term. The addition or removal
of Members within any Triple-S line of business through organic growth, merger
or acquisition or otherwise (e.g., Medicaid, Medicare, Commercial) shall not
result in a change to the Health Plan Charges other than through the adjustments
described in this Section 4.

 




  

4.5 Other Adjustments

 

(a) Claims Volumes in Excess of Forecast. If the volume of Claims to be
processed by Supplier pursuant to SOW #1 exceeds [***] of a Binding 2 Month
Forecast (as defined in SOW #1) in a month (such amount in excess of this [***]
threshold, a “Monthly Claims Backlog”), at Triple-S’ option (i) Supplier will
use Commercially Reasonable Efforts to process the Monthly Claims Backlog using
available Supplier Personnel capacity and no additional Charges shall apply (at
a minimum this shall include using any capacity below the [***] threshold in
subsequent months – e.g., if the actual volume of Claims in a subsequent month
is at 100% of forecast, Supplier will use the remaining [***] of capacity below
the [***] threshold to process backlog from prior months); or (ii) Supplier will
add supplemental Supplier Personnel on a temporary basis to process the Monthly
Claims Backlog more quickly and the Charges for such supplemental Supplier
Personnel will be determined using the T&M Rates. Any Claims that require
reprocessing as a result of Supplier’s acts or omissions shall be excluded from
Claims volumes used to determine if there is a Monthly Claims Backlog.

 

(b) Day One Claims Backlog. The Health Plan Charges include Supplier processing
up to [***] Claims within the Day One Backlog within [***] of Supplier’s
completion of the Claims Transition. “Day One Backlog” means Triple-S’s backlog
of Claims that have not been processed by or on behalf of Triple-S prior to
completion of the Claims Transition. If Triple-S desires, at its option, for
Supplier to process additional Claims in the Day One Backlog, Supplier will add
supplemental Supplier Personnel on a temporary basis to process the Day One
Backlog more quickly and the Charges for such supplemental Supplier Personnel
will be determined using the T&M Rates.

 

(c) MCPM.

 

(i) Supplier has established a baseline calculation of manual Claims per member
per month using Triple-S information as of the Effective Date, calculated based
on total Claims, auto-adjudication rates, and Claims re-work rates according to
the methodology set forth in Section 4.5(c)(ii) below (“MCPM”). For purposes of
calculating MCPM, Supplier will use (A) [***].

 

(ii) As of the Effective Date, the MCPM is:

 

| | Key Stats (LTM): | | Reference |
| 1 | Average Membership | [***] | From Data |
| 2 | Claims per member per month | [***] | From Data |
| 3 | Avg. Monthly Claims | [***] | (1)*(2) |
| 4 | Blended Auto Adjudication Rate | [***] | From Data |
| 5 | Avg. Manual Claims per Month | [***] | (3)*[100%-(4)] |
| 6 | Adjustment Rate per Member | [***] | From Data |
| 7 | Avg. Adjustments per Month | [***] | (1)*(6) |
| 8 | Avg. Manual Monthly Claims | [***] | (5)+(7) |
| 9 | Manual claims per member per month | [***] | (8)/(1) |
| 10 | [***] | [***] | (9)*[***] |
| 11 | [***] | [***] | (9)*[***] |

  

 


 

(iii) Based on the MCPM calculated as of the Effective Date, Supplier will
establish a [***]. At the end of each quarter during the Term, Supplier will
calculate [***] in each of the three months of such quarter. Any “Manual Monthly
Claims” resulting from Supplier’s acts or omissions shall be excluded from the
MCPM calculation (e.g., if an adjustment is required as a result of a Supplier
processing error, that adjustment shall be excluded from the MCPM calculation).
If [***], then, Supplier will calculate and apply an additional charge or a
credit to Triple-S as follows:

 

(A) Step 1: Determine the [***].

 

(B) Step 2: Determine the [***]:

 

[***] 



C = the applicable Cost per Claim (as defined below).

 

(C) Supplier will apply the [***] the quarter.

 

(D) For purposes of calculating any change, [***] during such quarter. (i)
[***].

 

(E) At the end of each month, Supplier shall provide reporting to enable
Triple-S to validate the MCPM calculations, including a report of each of the
“Key Stats” listed in Section 4.5(b)(ii) above. At the end of each month [***],
Supplier shall also provide a report showing information used in calculating the
Average Manual Claims Processed per Hour (including total manual Claims
processed and total Productive Hours for Claims Agents used by Supplier to
perform Services in the month).

 

(iv) Example:

 

[***]: 

[***]

 

(v) Long-Term Trends: If there [***], the Parties agree to renegotiate the Fixed
Monthly Fees and PMPM Rates to reflect such long-term trend. Any such
renegotiation will require agreement by both Parties and will be “cost neutral”
– meaning the renegotiated Fixed Monthly Fees and PMPM Rates should in the
aggregate be equal to the existing fees and rates as adjusted above for [***]
(which calculation will be based on (i) the membership mid-point for each tier,
and (ii) [***] membership for the minimum membership tier).

 


 

(d) Adjustments to Health Plan Portfolio.

 

(i) Except for changes that relate to a change to (or addition of) an In-Scope
Application agreed to by the Parties in the Schedule X (Source of Truth), if
Triple-S (1) adds a new Application to the Health Plan Portfolio, or (2) adds
Material Functionality to an existing Application in the Health Plan Portfolio
that requires a material change in the Infrastructure required to support such
Application, which Triple-S must do pursuant to the Change Control Process,
then:

 

(A) Supplier shall propose a staffing and Infrastructure plan showing the
incremental Supplier Personnel and Infrastructure required to support the new or
modified Application.

 

(B) Supplier will categorize charges associated with the new or modified
Application as one-time charges or ongoing charges (which will be further
categorized as fixed or variable).

 

(C) After the incremental staffing and Infrastructure is determined and the
charges are categorized:

 

(a) Triple-S shall pay for one-time charges using the Special Infrastructure
Projects Pool (if available) or using the T&M Rates;

 

(b) Triple-S shall pay for fixed ongoing charges as a separate line item on the
invoices; and

 

(c) For ongoing charges that are variable, the Parties shall equitably adjust
the Health Plan Charges to reflect the additional staffing and Infrastructure,
which adjustment shall not exceed an amount equal to [***].

 

(ii) Except for changes that relate to a change to an In-Scope Application
agreed to by the Parties in the Schedule X (Source of Truth), if Triple-S (1)
removes an existing Application from the Health Plan Portfolio, or (2) removes
Material Functionality from an existing Application in the Health Plan Portfolio
that allows for a material reduction in the Infrastructure required to support
such Application, which Triple-S must do pursuant to the Change Control Process,
then:

 

(A) Supplier shall propose a revised staffing and Infrastructure plan showing
the reduction in Supplier Personnel and Infrastructure required to support the
reduced workload.

 

(B) After the revised staffing and Infrastructure is determined, the Parties
shall equitably adjust the Health Plan Charges to reflect the revised staffing,
which adjustment shall equal [***].

 




 

(iii) Patches, enhancements and other modifications to the existing Applications
in the Health Plan Portfolio shall [***] in connection with the addition or
removal of Material Functionality.

 

(iv) Upon request in connection with the processes in Sections 4.5(d)(i)
through 4.5(d)(ii), Supplier shall provide Triple-S with reasonable supporting
detail from Supplier’s estimating tools to allow Triple-S to understand and
validate Supplier’s proposed changes.

 

5. NON-HEALTH PLAN HOSTING SERVICES

 

This Section 5 provides the Charges payable for Services Supplier provides in
support of the PC & Life Portfolio and TSM Portfolio.

 

5.1 Fixed Charges

 

(a) Fixed PC & Life Portfolio Charge. Schedule C-1 (Charges) provides a fixed
monthly charge payable by Triple-S for all Services provided in support of the
PC & Life Portfolio (“Fixed PC & Life Charge”).

 

(b) Fixed TSM Hosting Portfolio Charge. Schedule C-1 (Charges) provides a fixed
monthly charge payable by Triple-S for all Services provided in support of the
TSM Portfolio (“Fixed TSM Charge”).

 

(c) Adjustments to Fixed Charges.

 

(i) If Triple-S (1) adds a new Application to the PC & Life Portfolio or the TSM
Portfolio, or (2) adds Material Functionality to an existing Application in the
PC & Life Portfolio or the TSM Portfolio that requires a material change in the
Infrastructure required to support such Application, which Triple-S must do
pursuant to the Change Control Process, then:

 

(A) Supplier shall propose a staffing and Infrastructure plan showing the
incremental Supplier Personnel and Infrastructure required to support the new or
modified Application.

 

(B) After the incremental staffing and Infrastructure is determined, the Parties
shall equitably adjust the Fixed PC & Life Charge or Fixed TSM Charge (as
applicable) to reflect the additional staffing and Infrastructure, which
adjustment shall not exceed an amount equal to (i) the number of incremental
FTEs in the revised staffing multiplied by the applicable T&M Rates provided in
Schedule C-2 (T&M Rates); and (ii) Supplier’s reasonable cost of providing such
additional Infrastructure.

 

(ii) If Triple-S (1) removes an existing Application from the PC & Life
Portfolio or the TSM Portfolio, or (2) removes Material Functionality from an
existing Application in the PC & Life Portfolio or the TSM Portfolio that allows
for a material reduction in the Infrastructure required to support such
Application, which Triple-S must do pursuant to the Change Control Process,
then:

 

(A) Supplier shall propose a revised staffing and Infrastructure plan showing
the reduction in Supplier Personnel and Infrastructure required to support the
reduced workload.

 

(B) After the revised staffing and Infrastructure is determined, the Parties
shall equitably adjust the Fixed PC & Life Charge or Fixed TSM Charge (as
applicable) to reflect the revised staffing, which adjustment shall equal (i)
the FTEs reduced multiplied by the applicable T&M Rates provided in Schedule C-2
(T&M Rates) unless the Parties agree otherwise; and (ii) reductions in
Supplier’s cost as a result of the removal of such Infrastructure.

 

(iii) Patches, enhancements and other modifications to the existing Applications
in the PC & Life Portfolio and TSM Portfolio shall [***] connection with the
addition or removal of Material Functionality.

 

(iv) Upon request in connection with the processes in Sections 5.1(c)(i)
through 5.1(c)(ii), Supplier shall provide Triple-S with reasonable supporting
detail from Supplier’s estimating tools to allow Triple-S to understand and
validate Supplier’s proposed changes.

 

6. APPLICATION SUPPORT SERVICES

 

This Section 6 describes how the Charges for Applications Support Services
shall be determined.

 

6.1 Application Support Pool

 

(a) Pool Hours. The Health Plan Charges include the provision of the following
pool of Productive Application Hours that shall be used by Supplier to perform
Applications Support Services (“Application Support Pool”):

 

| | Application Support Pool |
| Contract Year 1 | [***] hours |
| Contract Year 2 | [***] hours |
| Contract Year 3 | [***] hours |
| Contract Year 4 and each Contract Year thereafter | [***] hours |


 

(b) Use of Hours.

 

(i) The hours in the Application Support Pool shall be applied against all
Productive Application Hours worked by Supplier in a Contract Year (regardless
of location or skill-set required) until the Application Support Pool is reduced
to zero.

 


 

(ii) The Parties expect that Supplier will perform application maintenance
Services such that Triple-S has at least [***] available for discretionary
applications development projects.

 

(c) Reporting. Supplier shall provide monthly reports showing:

 

(i) the number of Productive Application Hours worked each month (“Monthly Hours
Report”), including:

 

(A) identification of all individual timekeepers that charge hours against the
Application Support Pool (including location and position);

 

(B) number of hours charged by each such timekeeper;

 

(C) reasonably detailed descriptions of the Applications Support Services
performed by each timekeeper;

 

(D) number of hours allocated to application maintenance (vs. discretionary
development projects);

 

(E) number of hours charged against each Applications Development Project; and

 

(ii) a rolling three-month forecast of how Productive Application Hours are
estimated to be allocated going forward.

 

(d) Hours in Excess of Pool. If Productive Application Hours in excess of the
Application Support Pool are required to perform the Application Support
Services:

 

(i) Supplier shall provide Triple-S with reasonable advance notice of the
additional hours required, including the information required in the Monthly
Hours Report defined above and the T&M Rates applicable to each individual
identified in the Monthly Hours Report; and

 

(ii) Supplier may charge Triple-S for additional Productive Application Hours
approved by Triple-S in advance and in writing on a time and materials basis
using the T&M Rates.

 

(e) Forecasting and Carry-Forward of Application Support Pool Hours.

 

(i) Sixty (60) days prior to the start of each Contract Year, Triple-S will
allocate the Application Support Pool for the Contract Year between the first
and second six (6) month periods. Triple-S may update its forecast to move hours
allocated to the second six (6) month period into the first six (6) month period
by providing ninety (90) days’ notice to Supplier. Triple-S’ initial allocation
of hours (as it may be adjusted as provided above) may not result in an
allocation of more than [***].

 


 

(ii) If Triple-S does not use [***] of the Application Support Pool hours in a
[***] period forecast (as it may be adjusted above), the unused portion of the
Application Support Pool for such period will be added to the Application
Support Pool in the following [***] period; provided, no more than [***] of the
original baseline amount (i.e., excluding any hours carried forward from a prior
period) of Application Support Pool hours from the immediately preceding [***]
period may be carried forward to the next [***] period under this Section
6.1(e) unless Triple-S was unable to use Application Support Pool dollars due
to Supplier’s failure to make sufficient Supplier Personnel with appropriate
skill sets available to perform Projects requested by Triple-S.

 

(f) Project Management. All Applications Development Projects shall be
initiated, defined, approved in writing by Triple-S, performed and accepted in
accordance with the process described in Schedule N (Project Framework).
Triple-S shall not be responsible for Charges (and dollars shall not be debited
from the Application Support Pool) for Applications Development Projects that
are not approved by Triple-S in writing in accordance with such process.

 

(g) Additional Terms. Supplier shall not charge (or count against the
Application Support Pool):

 

(i) any hours worked to perform Services required by the Transition or
Transformation; or

 

(ii) any hours worked on an Infrastructure Project or other Services that are
not Applications Support Services; or

 

(iii) any hours to correct errors or other issues caused by Supplier Personnel.

 

6.2 Ongoing Operational Costs

 

Each Party shall be responsible for implementing and providing on an ongoing
basis all additional Equipment, Software, network connectivity, and facilities
that may be required to support Applications Projects in the manner set forth in
the Financial Responsibility Matrix. Supplier is fully compensated for the
resources it provides in this regard through the Health Plan Charges, Fixed PC &
Life Charge and Fixed TSM Charge, as they may be adjusted as expressly provided
in this Schedule C.

 

7. INFRASTRUCTURE PROJECTS

 

This Section 7 describes how the charges for Projects (other than Application
Development Projects) (“Infrastructure Projects”) shall be determined.

 

7.1 Definitions

 

(a) “Special Infrastructure Project” means an Infrastructure Project that (i) is
requested by Triple-S; and (ii) is intended to (A) implement new technologies,
business functions, software, tools, business processes or to change the IT
architecture or (B) modify the Infrastructure used to support the In-Scope
Applications to enable Triple-S to comply with a change in Applicable Law
enacted after the Effective Date, in each case excluding all BAU Activities that
may be required in connection with the Infrastructure Project.

 

(b) “BAU Activity” means:

 

(i) any Services that do not meet the definition of “Project”;

 

(ii) any Services or related activities required for Supplier to execute the
Transition or Transformation, and otherwise implement the Infrastructure,
solution and functionality described in the scope and solution documents
attached to the IT SOW;

 

(iii) any Services that Supplier is required to perform under SOW #1 (Claims
Services) or SOW #2 (IT Services);

 

(iv) any IMACs (including end user IMACs and network IMACs);

 

(v) any Services covered by a Service Level or required to meet Service Levels
(e.g., performing break-fix, capacity management, database index maintenance);

 

(vi) labor required to provision new Equipment and Software or to refresh
existing Equipment and Software;

 

(vii) labor required to manage project work to be performed by Managed Third
Parties (e.g., projects performed by Managed Third Parties requiring
modifications or upgrades to software); and

 

(viii) any Services that Supplier is required to perform under this Agreement in
the absence of a specific request from Triple-S for Supplier to perform them
(i.e., only ad hoc work specifically requested by Triple-S can be a Special
Infrastructure Project).

 

7.2 Charges for BAU Activity

 

There are no additional amounts payable for Projects that include BAU Activity.
Supplier is compensated for these Projects through the Fixed Fees and Health
Plan Charges, Fixed PC & Life Fee and Fixed TSM Fee.

 

7.3 Charges for Special Infrastructure Projects

 

(a) Pool Hours. The Health Plan Charges include the provision of the following
pool of Productive Hours that shall be used by Supplier to perform Special
Infrastructure Projects (“Special Infrastructure Projects Pool”):

 


 

| | Special Infrastructure Project Pool (Hours) |
| Contract Year 1 (first 6 months) | [***] |
| Contract Year 1 (second 6 months) | [***] |
| Contract Year 2 (first 6 months) | [***] |
| Contract Year 2 (second 6 months) | [***] |
| Contract Year 3 (first 6 months) | [***] |
| Contract Year 3 (second 6 months) | [***] |
| Contract Year 4 (first 6 months) | [***] |
| Contract Year 4 (second 6 months) | [***] |
| Contract Year 5 and each year thereafter during the Term (first 6 months) | [***] |
| Contract Year 5 and each year thereafter during the Term (first 6 months) | [***] |


 

(b) Use of Hours. The hours in the Special Infrastructure Project Pool shall be
applied against Productive Hours worked by Supplier on Special Infrastructure
Projects in a Contract Year (regardless of location or skill-set required) until
the Special Infrastructure Project Pool is reduced to zero.

 

(c) Reporting. Supplier shall provide monthly reports showing:

 

(i) the number of Productive Hours worked each month on Special Infrastructure
Projects (“Monthly Infrastructure Hours Report”), including:

 

(A) identification of all individual timekeepers that charge hours against the
Special Infrastructure Project Pool (including location and position);

 

(B) number of hours charged by each such timekeeper;

 

(C) reasonably detailed descriptions of the work performed by each timekeeper;
and

 

(D) number of hours charged against each Special Infrastructure Project; and

 

(ii) a rolling three-month forecast of how Productive Hours are estimated to be
allocated going forward for Special Infrastructure Projects.

 

(d) Hours in Excess of Pool. If Productive Hours in excess of the Special
Infrastructure Project Pool are required to perform Special Infrastructure
Projects:

 

(i) Supplier shall provide Triple-S with reasonable advance notice of the
additional hours required, including the information required in the Monthly
Infrastructure Hours Report defined above and the T&M Rates applicable to each
individual identified in the Monthly Infrastructure Hours Report; and

 


 

(ii) Supplier may charge Triple-S for additional Productive Hours approved by
Triple-S in advance and in writing on a time and materials basis using the T&M
Rates.

 

(e) Carry-Forward. If Triple-S does not use [***] of the Special Infrastructure
Projects Pool hours in a [***] period, the unused portion of the pool for such
period will be added to the Special Infrastructure Projects Pool in the
following [***] period; provided, no more than [***] of the original baseline
amount (i.e., excluding any hours carried forward from a prior period) of pool
hours from the immediately preceding [***] period may be carried forward to the
next [***] period under this Section unless Triple-S was unable to use Special
Infrastructure Project Pool dollars due to Supplier’s failure to make sufficient
Supplier Personnel with appropriate skill sets available to perform Projects
requested by Triple-S.

 

(f) Project Management. All Special Infrastructure Projects shall be initiated,
defined, approved in writing by Triple-S, performed and accepted in accordance
with the process described in Schedule N (Project Framework). Triple-S shall not
be responsible for Charges (and dollars shall not be debited from the Special
Infrastructure Projects Pool) for Projects that are not approved by Triple-S in
writing in accordance with such process.

 

(g) Charges for Equipment and Software. For Special Infrastructure Projects that
(i) constitute Material Scope Changes; and (ii) require Supplier to purchase
additional Equipment and Software, the charges for that Equipment and Software
shall be determined under Section 14.15.

 

7.4 Infrastructure Project Management

 

(a) Supplier shall use trained project managers and project management tools and
methodologies to manage all Infrastructure Projects under the Agreement,
including those that are included in BAU Activities.

 

(b) All Special Infrastructure Projects shall be initiated, defined, approved in
writing by Triple-S, performed and accepted in accordance with the process
described in Schedule N (Project Framework). Triple-S shall not be responsible
for Charges for Special Infrastructure Projects not approved by Triple-S in
writing in accordance with such process.

 

8. MATERIAL CHANGES

 

The Health Plan Charges (together with the other Charges provided in this
Schedule C (Charging Methodology)) shall compensate Supplier for all Services
provided to Triple-S, including substantial variability in the volume of such
Services that may be required from month-to-month. Accordingly, except as
expressly required elsewhere in this Schedule C (Charging Methodology), the
Charges are subject to adjustment only in the following circumstances (each a
“Material Change”):

 


 

8.1 Material Scope Change

 

(a) Definition. “Material Scope Change” means a change that Triple-S requires to
the scope of the Services that:

 

(i) causes a material increase or enables a material decrease in the recurring
labor or Infrastructure Supplier requires to provide the Services, where
“material” means [***];

 

(ii) is approved by Triple-S in writing through the Change Control Process; and

 

(iii) does not involve the following:

 

(A) changes in Member or Claims volumes (which are to be addressed through the
pricing methodologies provided in Section 4);

 

(B) changes involving Application Support Services (which are to be addressed
through the pricing methodology provided in Section 6.1);

 

(C) changes to the Health Plan Portfolio, PC & Life Portfolio or TSM Portfolio
(which are to be addressed through the pricing methodologies provided in
Sections 4.5(d) and 5);

 

(D) Infrastructure Projects (which are to be addressed through the pricing
methodologies provided in Section 7);

 

(E) changes assumed to occur as part of the Transition or Transformation; or

 

(F) change that is assumed as part of the Services described in Schedule A
(Cross Functional Services) or an SOW executed under this Agreement (for
example, annual updates to Claims processes and procedures; refresh of Triple-S
Software).

 

(b) Process and Pricing Adjustment. If Triple-S requests a change to the
Services that either Party believes is a Material Scope Change, such Party shall
notify the other of its determination and the following shall apply:

 

(i) the Parties will evaluate the impact of the change requested by Triple-S
through the Change Control Process; and

 

(ii) if the change is a Material Scope Change, they shall (A) determine the
extent to which Supplier’s Labor Costs or Infrastructure costs will increase or
decrease after implementing the Material Scope Change; and (B) negotiate
appropriate adjustments to the Health Plan Charges to reflect such increase or
decrease. Any changes to Health Plan Charges must be agreed in writing by the
Parties and will apply on a going-forward basis only. Unless agreed otherwise by
the Parties, adjustments based on Supplier Labor Costs shall be made using the
T&M Rates and adjustments to Infrastructure shall be made pursuant to Section
‎14.15.

 


If the change is not a “Material Scope Change”, Supplier will, subject to
Section ‎8.1(c) below, perform the change as part of the Services at no
additional charge.

 

(c) With respect to changes described in Section 18.4(e)(ii) of the General
Terms and Conditions that are enacted after the Effective Date (each, a “Change
in Law”):

 

(i) Application Changes. Changes to In-Scope Applications that require
Application Support Services shall be performed using hours from the Application
Support Pool. Supplier shall be required to make any changes required to
Supplier Software at Supplier’s expense. If any work product charged against the
Application Support Pool can be leveraged for the benefit of Supplier or a
Supplier Affiliate or their respective provider, the hours spent on such work
product shall be [***].

 

(ii) Infrastructure Changes. Changes to Infrastructure shall be reviewed under
the Material Scope Change provisions above. If the change is a Material Scope
Change, (A) charges for the one-time Infrastructure Project work will be
determined under Section ‎7; and (B) incremental Equipment and Software will be
charged under Section ‎14.15.

 

(iii) Labor Changes. Supplier shall be responsible for adding Supplier Personnel
as necessary to comply with a Change in Law; provided if Changes in Law require,
without regard to whether any such change is a Material Scope Change, Supplier
to add more than [***] in the aggregate over the Term of the Agreement (net of
any reductions Supplier makes in Supplier Personnel as a result of Changes in
Law) (“Labor Threshold”), (A) Supplier shall notify Triple-S of the Change in
Law and provide supporting detail for the increase in FTEs; and (B) the Parties
will negotiate an equitable increase to the Charges to compensate Supplier for
the FTEs required above the Labor Threshold.

 

8.2 Triple-S Efficiency Initiatives

 

(a) Definition. “Triple-S Efficiency Initiative” means a material change that
does not relate to a change to an In-Scope Application agreed to by the Parties
in Schedule X (Source of Truth) and (i) Triple-S makes to Triple-S systems or
operations; or (ii) Supplier makes as part of Application Support Services, that
enables Supplier to materially reduce Supplier’s recurring Labor Charges,
Infrastructure costs or other costs of providing the Services.

 

(b) Process and Pricing Adjustment. Triple-S shall notify Supplier of any change
that it believes is a Triple-S Efficiency Initiative and the following shall
apply:

 

(i) the Parties will evaluate the impact of the change requested by Triple-S
through the Change Control Process; and

 

(ii) if the Parties agree the change is a Triple-S Efficiency Initiative, the
Parties shall (A) determine the extent to which Supplier’s Labor Charges,
Infrastructure or other costs are reasonably expected to decrease in connection
with the Triple-S
Efficiency Initiative; and (B) negotiate equitable adjustments to the Charges to
reflect such decrease, taking into consideration each Party’s investment in the
Triple-S Efficiency Initiative. Any changes to Charges must be agreed in writing
by the Parties and will apply on a going-forward basis only.

 

8.3 Additional Terms

 

(a) The pricing adjustments contemplated in this Section ‎8 in connection with
Material Changes [***].

 

(b) Supplier shall provide Triple-S with reasonably detailed information about
Supplier’s existing environment (including personnel and Infrastructure
solution) and any changes required or made possible with respect to personnel,
Infrastructure and other resources as a result of a Material Change. This
information shall be sufficient for Triple-S to understand and assess the net
impact of the Material Change and the need to increase (or opportunity to
decrease) Labor Charges, including (i) identification of affected Supplier
Personnel by individual, rate category and location; and (ii) a list of affected
Infrastructure by component and location.

 

9. TRANSFERRED CONTRACTS

 

9.1 Transferred Contracts

 

Schedule C-5 (TSS Transferred Contracts) designates third party service
contracts and licenses for Equipment, Software, services and other resources
(“TSS Transferred Contracts”) that Supplier will assume as of the Service
Commencement Date for IT Services, subject to the terms in this Section ‎9.

 

(a) The parties will work in good faith to assign, novate or otherwise transfer
all of the TSS Transferred Contracts to Supplier prior to the Service
Commencement Date for IT Services.

 

(b) If the parties are unable to transfer a Transferred Contract to Supplier
prior to the Service Commencement Date for IT Services:

 

(i) Subject to the Parties obtaining any additional Required Consents, Triple-S
will use Commercially Reasonable Efforts to continue to make the Transferred
Contract available to Supplier for up to an additional 24 months. If Supplier
requests an extension beyond such 24 month period, Triple-S may agree to or
reject the request in its sole discretion.

 

(ii) If it is not possible using Commercially Reasonable Efforts for Triple-S to
continue making the Transferred Contract available to Supplier for the period
described above, Supplier will replace the TSS Transferred Contract with a new
contract or alternative solution approved in writing by Triple-S.

 


(iii) Supplier will be responsible for [***] of the costs incurred by Triple-S
under each TSS Transferred Contract and payable to the counterparty to such TSS
Transferred Contract after the Service Commencement Date for IT Services whether
it is transferred to Supplier or retained by Triple-S.

 

(c) If Triple-S has prepaid any amounts under a TSS Transferred Contract (e.g.,
software maintenance) prior to the Service Commencement Date, Supplier shall
provide Triple-S with a payment for the prepaid amounts attributable to periods
after the Service Commencement Date for IT Services (e.g., if Triple-S prepaid
$1,200 in maintenance fees for January through December 2017 and the Service
Commencement Date is September 1, Supplier would provide a payment equal to
$400). The Parties will reconcile the Triple-S spend for TSS Transferred
Contracts to identify such payments within ninety (90) days of the Effective
Date and Supplier will pay Triple-S such amounts within forty-five (45) days
after such date.

 

10. T&M RATES

 

10.1 Rates

 

(a) T&M Rates. Schedule C-2 (T&M Rates) provides time and materials rates that
shall apply for purposes of calculating:

 

(i) any Applications Support Services charges payable by Triple-S on a time and
materials basis under this Agreement;

 

(ii) Labor Costs;

 

(iii) adjustments to the Health Plan Charges required in connection with a
Material Change under Section ‎8; and

 

(iv) any other Services for which this Agreement expressly permits Supplier to
charge on a time and materials basis.

 

10.2 Additional Terms

 

(a) All T&M Rates are fully loaded, meaning they include the following costs and
expenses:

 

(i) all corporate and administrative overhead;

 

(ii) charges or fees for visas for Supplier Personnel;

 

(iii) office space, Equipment and other Infrastructure expenses for Supplier
Personnel working outside of Triple-S facilities (including those working
remotely);

 

(iv) management activities by Supplier Personnel that are not dedicated to
performing Services for Triple-S;

 


(v) personal computers for Supplier Personnel and related office Software and
tools (excluding Software and tools purchased specifically for performance of
Services for Triple-S that Supplier does not generally use in provision of
Services), except to the extent expressly provided otherwise in the Financial
Responsibility Matrix; and

 

(vi) all other costs associated with providing the Services, unless or to the
extent explicitly authorized in advance by Triple-S.

 

(b) Only Productive Work is chargeable to Triple-S in connection with a Project
or counted against the Application Support Pool. Supplier shall not charge for
or count any work for the purposes referenced above that does not meet the
definition of Productive Work.

 

11. ADDITIONAL TERMS RELATING TO FIXED FEES FOR HEALTH PLAN CHARGES

 

Section 4.2 provides for a Monthly Fixed Fee payable for In-Scope Members at the
[***] volume tier (“Minimum Monthly Fixed Fee”).

 

(a) The Minimum Monthly Fixed Fee shall be adjusted in connection with a
Termination Event as required under Section ‎12.

 

(b) If the volume of Non-Restricted Members in a month is reduced below [***] as
a result of:

 

(i) Supplier’s acts or omissions (e.g., a Regulator suspends Triple-S’ right to
enroll new Members due to Supplier’s failure to meet Service Levels);

 

(ii) Triple-S’ removal of Services from this Agreement due to Supplier’s
negligence or failure to perform in accordance with this Agreement;

 

(iii) Any delay in completion of the Transition or Transformation (to the extent
the delay results from Supplier’s acts or omissions), or

 

(iv) During the Disengagement Assistance Period; then

 

the Monthly Minimum Fixed Fees for the period of the Non-Restricted Member
reduction caused by one of the foregoing events will be reduced by an amount
equal to (A) the volume of Non-Restricted Members reduced as a result of such
circumstance, multiplied by (B) the PMPM Rate payable for In-Scope Members in
the first tier above [***].

 

12. TERMINATION CHARGES

 

This Section ‎12 describes the Termination Charges that are payable in
connection with certain termination events defined in Section 16 (Termination)
of the General Terms and Conditions (each, a “Termination Event”).

 


12.1 Termination Charges

 

Schedule C-4 (Termination Charges) sets forth the Termination Charges that
Triple-S will pay to Supplier in connection with the termination of the entire
Agreement (including all SOWs executed under the Agreement) under Sections
16.1(b), 16.1(f) or 16.1(h) of the General Terms and Conditions.

 

12.2 Mitigation of Charges

 

The Termination Charges in Schedule C-4 (Termination Charges) assume Supplier
will be responsible for severance for all Supplier Personnel and stranded asset
costs for all Equipment and Software used by Supplier to provide the Services.

 

(a) If Triple-S elects to hire Supplier Personnel, the Termination Charges shall
be reduced by an amount equal to the severance that would otherwise be payable
to those Supplier Personnel had they been terminated on the date Triple-S hired
them.

 

(b) If Triple-S assumes facility leases, data center contracts or other
obligations that reduce Supplier’s wind-down obligations to third parties, the
Termination Charges shall be equitably reduced to reflect the associated savings
realized by Supplier.

 

13. RESERVED

 

14. OTHER CHARGES, CREDITS AND TERMS

 

14.1 Financial Responsibility Matrix

 

Schedule C-3 (Financial Responsibility Matrix) contains a financial
responsibilities matrix (“Financial Responsibilities Matrix” or “FRM”)
identifying which Party has financial responsibility for the various resources
used in performing the Services under the Agreement, including personnel
resources, Equipment, Software and facilities. With respect to those items for
which Supplier has financial responsibility, the Charges are deemed to
compensate Supplier for supplying the item and/or providing associated services
as specified in the FRM. Accordingly, Triple-S will not be required to pay
Supplier any amounts with respect to such items other than the Charges.

 

14.2 Inflation Adjustments for T&M Rates

 

This Section ‎14.2 sets forth the cost of living adjustment that Supplier may
make solely to the T&M Rates each year beginning in Contract Year 2, in addition
to any adjustments set forth in Section ‎14.3 below.

 

(a) On [***], Supplier shall increase the T&M Rates by multiplying such rates by
the applicable Inflation Factor defined below (each adjustment, a “COLA”).

 

(b) The “Inflation Factor” for T&M Rates in the United States shall equal [***].
“US CPI” means All Items Consumer Price Index for All Urban Consumers (CPI-U)
for the U.S. City Average, 1982-84 = 100 CPI.

 


(c) The Inflation Factors for T&M Rates in India shall be determined as provided
above in Section ‎14.2(b), except the US CPI shall be replaced by the Consumer
Price Index “Numbers for Industrial Workers - CPI(IW) – All India Index”,
published by the Labour Bureau, Government of India for rates for Supplier
Personnel in India (“India CPI”).

 

(d) Notwithstanding the calculations above, the Inflation Factor in the United
States and India shall not exceed [***] in any year.

 

(e) Supplier shall give Triple-S notice of the applicable COLA for each Contract
Year and corresponding adjustments required under this Section ‎14.2 within
thirty (30) days after [***], including detailed calculations and supporting
documentation as to the determination of the Inflation Factor and the resulting
changes to the T&M Rates for such year.

 

14.3 Inflation Adjustments for All Charges

 

In addition to the adjustments to T&M Rates under Section ‎14.2, this Section
‎14.3 sets forth the cost of living adjustment that Supplier may make to the T&M
Rates, Health Plan Charges, PMPM Rates, PC & Life Fixed Fee and TSM Fixed Fee
each year beginning in Contract Year 2.

 

(a) Certain Definitions.

 

(i) “Base Growth” means [***] on [***] growth per year thereafter.

 

(ii) [***] means [***] on [***] growth per year thereafter.

 

(iii) [***]

 

(b) [***]:

 

(i) [***]

 

[***].

 

(c) [***]:

 

  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]                       [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]    

  

 


  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]                       [***]                 [***]
                [***]                                 [***]                
[***]                 [***]                

 

[***].

 

(d) Supplier shall give Triple-S notice of any such adjustments for each
Contract Year and corresponding adjustments required under this Section ‎14.3
within thirty (30) days of September 1 of such year, including detailed
calculations and supporting documentation as to the determination of the
resulting changes to the Charges for such year.

 

14.4 End User Support

 

The Health Plan Charges shall fully compensate Supplier for all service desk
functions, information technology support for all existing and future employees
of Triple-S and its Affiliates (and contractors working at Triple-S and its
Affiliates’ facilities) and support of their personal computers, peripherals,
printers and other end user devices.

 

14.5 Pass-Through Expenses

 

(a) As of the Effective Date, there are no Pass-Through Expenses payable by
Triple-S. If the Parties agree to add Pass-Through Expenses to this Agreement
after the Effective Date, they will do so through the Change Control Process.

 

(b) “Pass-Through Expenses” means third party charges that are to be both (i)
paid by Triple-S (either (A) directly to the third party or (B) to Supplier,
which, in turn, pays the third party) on an Out-of-Pocket Expenses basis, and
(ii) administered by Supplier. Any Pass-Through Expenses shall be agreed upon in
accordance with this Section. Supplier shall arrange for delivery by third
parties to Supplier of invoices for Pass-Through Expenses, and Supplier promptly
shall review such invoices and provide Triple-S with the original invoice
together with a statement identifying which charges are proper and valid and
should be paid by Triple-S.

 

(c) Supplier shall use Commercially Reasonable Efforts to minimize the amount of
Pass-Through Expenses. With respect to services or materials paid for on a
Pass-Through Expenses basis, Triple-S reserves the right to: (i) obtain such
services or materials directly from a third party; (ii) designate the third
party source for such services or materials; (iii) designate the particular
services or materials (e.g., equipment make and
model) Supplier shall obtain; (iv) designate the terms for obtaining such
services or materials (e.g., purchase or lease and lump sum payment or payment
over time); (v) require Supplier to identify and consider multiple sources for
such services or materials or to conduct a competitive procurement; and (vi)
review and approve the applicable Pass-Through Expenses before entering into a
contract for particular services or materials.

 

14.6 Incidental Expenses

 

Supplier acknowledges that, except as may be otherwise provided in this
Agreement, expenses that Supplier expects to incur in performing the Services
(including travel and lodging, document reproduction and shipping, and
long-distance telephone) are included in Supplier’s Charges and rates set forth
in this Agreement. Accordingly, such Supplier expenses are not separately
reimbursable by Triple-S unless, on a case-by-case basis for unusual expenses,
Triple-S has agreed in advance and in writing to reimburse Supplier for the
expense.

 

14.7 Taxes

 

The Parties’ respective responsibilities for taxes arising under or in
connection with this Agreement shall be as follows:

 

(a) Each Party shall be responsible for any personal property taxes on property
it owns or leases, for franchise and privilege taxes on its business, and for
taxes based on its net income or gross receipts.

 

(b) Supplier shall be responsible for any sales, use, excise, value-added,
services, consumption and other taxes and duties payable by Supplier on the
goods or services used or consumed by Supplier in providing the Services where
the tax is imposed on Supplier’s acquisition or use of such goods or services
and the amount of tax is measured by Supplier’s costs in acquiring such goods or
services.

 

(c) Triple-S shall be responsible for any applicable sales, use, excise,
value-added, services, consumption or other tax that is assessed on the
provision of the Services as a whole, or on any particular Service by any
governmental or taxing authority within the United States; provided, however,
that (i) Supplier invoices reflect on a current basis the amount of any such tax
in each jurisdiction and the taxable Services to which such tax relates, (ii) if
Supplier fails to reflect on its invoice any such tax on a current basis,
Supplier shall be financially responsible for any penalties and interest
assessed by the taxing authority with respect to such tax, and (iii) if Supplier
fails to reflect any such tax on a Supplier invoice within twelve (12) months
after the date that such tax is due and payable, Supplier shall be financially
responsible for the full amount of such tax, including any penalties and
interest.

 

(d) Supplier shall be responsible for any sales, use, excise, value-added,
services, consumption or other tax that is assessed on the provision of the
Services as a whole, or on any particular Service, by any governmental or taxing
authority outside the United States as of the Effective Date or during the Term,
except (i) where the Parties agree in writing that a Supplier Affiliate located
in a jurisdiction outside of the United States may
invoice Triple-S or a Triple-S Affiliate directly or (ii) where the Parties
agree in writing including email that Supplier will provide centralized billing,
wherein a Triple-S Affiliate located in a jurisdiction outside of the United
States will receive Services from a Supplier Affiliate located in a jurisdiction
outside of the United States and invoicing for such Services is between a
Triple-S Affiliate located in the United States and a Supplier Affiliate located
in the United States.

 

(e) Supplier shall be responsible for any payments required to compensate
Supplier Personnel for compensatory tax treatment resulting from Supplier
Personnel traveling to perform services.

 

(f) If a sales, use, excise, value added, services, consumption or other tax is
assessed on the provision of any of the Services, the Parties shall work
together to segregate the payments under this Agreement into three (3) payment
streams:

 

(i) those for taxable Services;

 

(ii) those for which Supplier functions merely as a payment agent for Triple-S
in receiving goods, supplies, or services (including leasing and licensing
arrangements); and

 

(iii) those for other nontaxable Services.

 

(g) The Parties agree to reasonably cooperate with each other to enable each to
more accurately determine its own tax liability and to minimize such liability
to the extent legally permissible. Supplier’s invoices shall separately state
the amounts of any taxes Supplier is collecting from Triple-S, or otherwise a
tax-compliant invoice, and Supplier shall remit such taxes to the appropriate
authorities. Each Party shall provide and make available to the other any resale
certificates, information regarding out-of-state or out-of-country sales or use
of equipment, materials or services, and other exemption certificates or
information reasonably requested by the other Party.

 

(h) Supplier shall promptly notify Triple-S of, and coordinate with Triple-S the
response to and settlement of, any claim for taxes asserted by applicable taxing
authorities for which Triple-S is responsible hereunder, it being understood
that with respect to any claim arising out of a form or return signed by a Party
to this Agreement, such Party shall have the right to elect to control the
response to and settlement of the claim, but the other Party shall have all
rights, at its sole cost and expense, to participate in the responses and
settlements that are appropriate to its potential responsibilities or
liabilities. If Triple-S requests Supplier to challenge the imposition of any
tax, Supplier shall do so in a timely manner and Triple-S shall reimburse
Supplier for the reasonable legal fees and expenses it incurs. Triple-S shall be
entitled to any tax refunds or rebates granted to the extent such refunds or
rebates are of taxes that were paid by Triple-S.

 


14.8 Benchmarking

 

(a) [***] during the Term commencing [***] (with intent to complete the
benchmark and make any adjustments resulting from the benchmark effective at the
beginning of [***]), Triple-S may benchmark the Charges for the Services under
this Agreement in accordance with this Section 14.8.

 

(b) A benchmarking under this Section shall be conducted by an independent
industry-recognized benchmarking service provider designated by Triple-S and
reasonably approved by Supplier (“Benchmarker”). Supplier agrees that [***] is
acceptable as a Benchmarker. If Supplier rejects any other Benchmarker suggested
by Triple-S, Supplier shall also provide Triple-S with the names of three (3)
other Benchmarkers that would be acceptable to Supplier. [***]. The Parties
shall cooperate with the Benchmarker, including, as appropriate, making
available knowledgeable personnel and pertinent documents and records.

 

(c) The Benchmarker shall perform the benchmarking in accordance with the
Benchmarker’s documented procedures that shall be provided to the Parties prior
to the start of the benchmarking process and as part of the Benchmarker
selection process. The Benchmarker shall compare the Charges for the Services
under this Agreement being benchmarked to the costs being incurred in a
representative sample of similar services. The Benchmarker shall select the
representative sample from entities (i) identified by the Benchmarker and
approved by the Parties, or (ii) identified by agreement of the Parties and
approved by the Benchmarker. The representative sample shall include at least
[***].

 

(d) The Benchmarker shall conduct a benchmarking as promptly as is prudent in
the circumstances. In conducting the benchmarking, the Benchmarker shall
normalize the data used to perform the benchmarking to accommodate, as
appropriate, differences in volume of service, scope of services, service
levels, service delivery locations and other pertinent factors. Supplier will
provide to the Benchmarker reasonably detailed information about the component
elements of Supplier’s charges and pricing methods under this Agreement
(although if Supplier fails to do so the Benchmarker shall proceed with such
assumptions as it determines are reasonable under the circumstances), and the
Benchmarker shall gather and utilize reasonably detailed information with
respect to the representative samples being used for comparison. At the
appropriate stage early in the process, but in any event prior to completing
its report, the Benchmarker will meet with the Parties and describe in
reasonable detail the steps that the Benchmarker proposes to take to normalize
the data for comparison. The Parties shall have a reasonable opportunity to
comment on those steps, and the Benchmarker shall incorporate into its
normalization process the reasonable suggestions made by either Party; provided
that if those suggestions are in conflict, the Benchmarker shall have the discretion
to make the final determination. After the Benchmarker issues its preliminary
report, each Party shall be provided a reasonable opportunity to review, comment
on, and request changes in the Benchmarker’s preliminary report. Following such
review and comment, the Benchmarker shall issue a final report of its findings
and conclusions, indicating what it believes all the Charges would be at
the [***] (viewed from the
perspective of most beneficial to Triple-S (e.g., lowest charges shall be the
“best” charges)). In doing so, the Benchmarker will set [***].

 

(e) If in the final report of the Benchmarker, the Charges to Triple-S for the
benchmarked Services are greater than the [***] of the representative sample,
(i) the Parties shall meet and work in good faith to adjust the Charges in an
attempt to achieve such [***]; and (ii) if the Parties are unable to agree on
and document in an amendment such adjustment within [***] after the Benchmarker
publishes its final report, Triple-S shall have the right to terminate this
Agreement (including the SOWs executed under this Agreement) [***] notice to
Supplier. If in the final report of the Benchmarker, the Charges are within the
[***] of the representative sample, there shall not be an adjustment to the
Charges. In no case will the Charges be [***].

 

14.9 Currency

 

All Charges in this Agreement are stated in U.S. Dollars, and shall be invoiced
by Supplier and paid by Triple-S in U.S. Dollars. There are no adjustments
permitted for changes in foreign exchange rates.

 

14.10 New Services

 

The Charges for any New Services performed by Supplier at Triple-S’ request
shall be determined in accordance with Section 2.2 (New Services) of the General
Terms and Conditions.

 

14.11 Remedial Services

 

Supplier shall not be entitled to charge Triple-S for any rework or other
Services required as a result of Supplier’s failure to perform in accordance
with this Agreement.

 

14.12 Disengagement Services

 

Supplier shall invoice Triple-S for Disengagement Services payable by Triple-S
as provided in Section 17 (Disengagement Assistance) of the General Terms and
Conditions.

 

14.13 Travel

 

(a) Except as provided in Section 14.13(b), Supplier shall be responsible for
all expenses for travel and lodging required to provide the Services, including
with respect to the Transition, training for Supplier Personnel, management
oversight, and any internal Supplier meetings.

 

(b) Triple-S shall reimburse Supplier for actual expenses for travel within the
United States requested by Triple-S only in connection with discretionary
Applications Development Projects; provided such expenses are (i) approved in
advance by Triple-S and documented in advance and in writing; and (ii) incurred
in accordance with Triple-S’ travel and expense policy.

 


 

14.14 Service Level Credits

 

Supplier shall credit any Service Level Credits (less any Claw Backs) earned in
a month against the subsequent month’s Charges.

 

14.15 [***] Pricing for Certain New Charges and Adjustments

 

Where this Schedule C (Charging Methodology) provides for a new Charge or an
increase to an existing Charge (including under Sections 4.5(d), 5.1(c), 7
and 8), the components of the new Charge or increase that involve the purchase
of additional Infrastructure and related services from a third party shall not
exceed an amount equal to [***]. This [***] shall compensate Supplier for all
procurement, vendor management, oversight and audit, financing, and Supplier
expertise in defining and documenting requirements. Supplier shall provide
detail to substantiate any third party costs that are the basis for a new Charge
or increase to an existing Charge under this Agreement.

 

14.16 IT Inventory and Configuration

 

On a quarterly basis, and as otherwise reasonably requested by Triple-S,
Supplier shall provide Triple-S with a detailed inventory of Infrastructure
components hosted by Supplier or its Subcontractors (including number of servers
and related capacity, GB of storage, system software and tools installed, and
any other component for which a third party charges a separate fee). At
Triple-S’ request, Supplier will meet with Triple-S to review Supplier’s report
and provide additional detail about the hosting environment as reasonably
requested by Triple-S.

 

15. INVOICING AND PAYMENT

 

15.1 Invoicing

 

(a) Supplier shall invoice Triple-S for all amounts due under this Agreement on
a monthly basis in arrears (i.e., Charges for Services delivered in August will
be invoiced on the invoice delivered to Triple-S in September), or as otherwise
agreed by the Parties in writing. Each invoice shall provide, for each Charge,
information regarding the Services to which such Charge relates which is
sufficient to enable Triple-S to determine the contractual basis for such
Charge. Supplier shall include the calculations utilized to establish the
Charges.

 

(b) To the extent a credit may be due Triple-S pursuant to this Agreement,
Supplier shall provide Triple-S with an appropriate credit against amounts then
due and owing against the next month’s invoice. If no further payments are due
to Supplier, Supplier shall pay such amounts to Triple-S within [***] of the
date of request for such credit by Triple-S.

 

(c) Supplier shall render a single consolidated invoice for each month’s Charges
showing such details as reasonably specified by Triple-S, including as necessary
to satisfy Triple-S’ internal accounting and chargeback requirements (such as
allocating Charges among Service components, locations and departments). The
form of invoice shall be mutually agreed by the Parties during Transition and
any changes to such form invoice during the Term must be approved by Triple-S.

 


 

(d) Supplier shall use good faith efforts to submit complete invoices that
include all Charges incurred in the applicable month, and may include additional
Charges on a later invoice, provided that in no event shall Charges [***].

 

15.2 Payment Due

 

Subject to the other provisions of this Section 15, invoices provided under
Section 15.1 and properly submitted to Triple-S pursuant to this Agreement
shall be paid by Triple-S within [***] after receipt thereof.

 

15.3 Accountability

 

Supplier shall maintain complete and accurate records of and supporting
documentation for the amounts billable to and payments made by Triple-S
hereunder in accordance with generally accepted accounting principles applied on
a consistent basis. Supplier agrees to provide Triple-S with documentation and
other information with respect to each invoice as may be reasonably requested by
Triple-S to verify accuracy and compliance with the provisions of this
Agreement.

 

15.4 Proration

 

Except as may be otherwise provided in this Agreement, periodic Charges under
this Agreement are to be computed on a calendar month basis, and shall be
prorated for any partial month.

 

15.5 Refundable Items

 

(a) Prepaid Amounts. Where Triple-S has prepaid for a service or function for
which Supplier is assuming financial responsibility under this Agreement,
Supplier shall refund to Triple-S, upon either Party identifying the prepayment,
that portion of such prepaid expense which is attributable to periods on and
after the Effective Date.

 

(b) Refunds and Credits. If Supplier should receive a refund, credit or other
rebate for Pass-Through Expenses previously paid for by Triple-S or for amounts
paid by Triple-S under a TSS Transferred Contract prior to the date the contract
is transferred to Supplier, Supplier shall promptly notify Triple-S of such
refund, credit or rebate and shall promptly pay the full amount of such refund,
credit or rebate, as the case may be, to Triple-S.

 

15.6 Deductions

 

With respect to any amount to be paid by Triple-S hereunder, Triple-S may deduct
from such amount any amount that Supplier is obligated to pay Triple-S
hereunder.

 

15.7 Disputed Charges

 

Subject to Section 15.6, Triple-S shall pay undisputed Charges when such
payments are due under this Section 15.7. Triple-S may withhold and/or set off
payment of particular Charges that Triple-S disputes in good faith, and may set
off amounts due and owing to Triple-S as credits against Charges payable to
Supplier under this Agreement. If any such disputed Charges have already been
paid, Triple-S may deduct such disputed Charges or amounts due from future
amounts owed by Triple-S to Supplier.

 




 



 

 

MSA Schedule C1

 

 




 

 

 

 

 

 

 

 



 

 



MASTER SERVICES AGREEMENT

 

SCHEDULE C-1

 

CHARGES

 

 

 

 

 

 

 

 

 




 

 

Schedule C-1 Charges

 

Final Pricing   Fee Schedule

Health Fees  Basis  Year 1 (a)  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]

[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]
[***]        [***]  [***]       [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]

 

 

Year 1 Fee Schedule   Final Year 1 Fee Schedule

Health Fees  Basis  Mo. 1  Mo. 2  Mo. 3  Mo. 4  Mo. 5  Mo. 6  Mo. 7  Mo. 8  Mo. 9  Mo. 10  Mo. 11  Mo. 12
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]

[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]
[***]        [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]  [***]   [***]   [***]

M = Millions

 

(a) Optum has provided Year 1 fees broken out by month. Year 1 column in this
analysis represents the average.

 








 

 



MSA Schedule C2

 

 

 




 



 

 

 



MASTER SERVICES AGREEMENT

 

SCHEDULE C-2

 

T&M RATES

 

 

 

 

 

 

 

 

 

 

 

 




 

 

Schedule C-2 T&M Rates

 



 

Columns: Role No.; Role Type; Key Skill; Onshore (Landed) Hourly Rate - Long Term (USD) by Level (Intermediate, Senior); Offshore Hourly Rate (USD) by Level (Associate, Intermediate, Senior)

1  Technology Architect
   Enterprise/Solution Architect, Data Architect, Compliance Architect, QA Architect   [***]       [***] [***]
   Network Architect (LAN, WAN, Networking), Data Center   [***]       [***] [***]
2  Database Administrator
   SQL, Oracle, DB2, and Sybase   [***] [***]   [***] [***] [***]
3  Developer
   Developer - Java & Web Programming, ASP, VB, C++ Developer, BizTalk Developer/ HIPAA EDI, JCL Developer, PrintNet, OnBase   [***] [***]   [***] [***] [***]
   .Net Framework Developer   [***] [***]   [***] [***] [***]
   Edifecs Programmer   [***] [***]   [***] [***] [***]
   DW/ETL IBM Infosphere, ESP/ IBM Websphere, BI Cognos, Informatica   [***] [***]   [***] [***] [***]
4  Production Support Engineer
   Service Desk Technician, Command Center Specialist, Data Network Engineering, Windows Server Engineer, Storage Engineer, Messaging Engineer, Cloud/Virtualization Specialist, ESB (Middleware) Infrastructure Engineer, Mobile Technology Specialist   [***] [***]   [***] [***] [***]
   Workplace Services Specialist, Network & Telecom (Voice) Specialist   [***] [***]   [***] [***] [***]
   UNIX Engineer, Backup Engineer   [***] [***]   [***] [***] [***]
   Release Manager           [***] [***]
   Level 1 Distributed Ops/Engineering   [***]   [***]   [***] [***] [***]
5  QA Tester
   Manual and Automated Software Tester   [***] [***]   [***] [***] [***]
   Test Designer           [***] [***]
6  Security Engineer
   Enterprise Security Solution Engineer   [***] [***]   [***] [***] [***]







 



Schedule C-2 T&M Rates (continued)

 

Columns: Role No.; Role Type; Key Skill; Onshore (Landed) Hourly Rate - Long Term (USD) by Level (Intermediate, Senior); Offshore Hourly Rate (USD) by Level (Associate, Intermediate, Senior)

7  Analysts
   Business / Technology Analysts           [***] [***]
   Business Application Configuration Architect, Workstream Lead           [***] [***]
8  BPO
   Claims Adjudication Processor           [***]
   Claims Audit Processor           [***]
   Performance Management Analyst           [***]
   Trainer           [***]
   UAT Tester           [***]
   Business Process Analyst           [***]
   Project Lead           [***]
   Project Manager           [***]

Columns: Role No.; Role Type; Key Skill; Onshore (US Based) Hourly Rate - (USD) by Level (Intermediate, Senior)

9  Program Management (1)
   Business/ Technology Analyst   [***] [***]
   Business and Technology-enabled Business PM   [***] [***]

 

______________________

 

1 These roles will be provided with U.S. based resources.

 

 

 






 

 



MSA Schedule C3

 

 

 




 

 



 

 



MASTER SERVICES AGREEMENT

 

SCHEDULE C-3

 

FINANCIAL RESPONSIBILITY MATRIX

 

 

 

 

 

 

 

 

 

 




 

 

 

Schedule C-3

 

Financial Responsibility Matrix

 

1. EQUIPMENT

 

  Financial Responsibility

Equipment located in Triple-S data centers*

 

[***]

 

Equipment located in Supplier Facilities (including third party cloud and other
Subcontractor facilities)*

 

[***]

 

End user equipment (including personal computers and peripherals, printers,
mobile phones) for Triple-S employees and contracts

 

[***]

 

End user equipment (including personal computers and peripherals, printers,
mobile phones) for Supplier employees and contracts

 

[***]

 

* Including servers, storage, network infrastructure as production and disaster
recovery data centers. All In-Scope Applications are assumed to migrate to
Supplier Facilities within the timelines set forth in Schedule X (Source of
Truth) and the transition documents attached in SOW #2 (IT Services). Triple-S
will retain Financial Responsibility for the Equipment and facilities required
to host the [***] Software.

 

2. NETWORK CONNECTIVITY

 

  Financial Responsibility

Network connectivity between Triple-S facilities

 

[***]

 

Network connectivity between Triple-S facilities and Supplier data centers in
the United States

 

[***]

 

Network connectivity between Supplier facilities (including all connectivity
required between the United States and India)

[***]

 

 




 

 

3. FACILITIES

 

3.1 Facilities

 

Supplier shall provide and have Financial Responsibility for the facilities
required to provide the Services, except as follows:

 

Supplier Use of Triple-S Space To Deliver Buzz Services

Locations                      Initial Take-Over Period*     Transition to Cloud*  Managed IT Services (Post Data Center)*
                               9/1/2017 – 12/31/2017         1/1/2018 - 6/30/2019  7/1/2019 – End of Term
Data Center                    [***] (Existing Employees)    [***]                 [***]
Other Triple-S Locations       [***] (Existing Employees)**  [***]                 [***]
Workplace services             [***]                         [***]                 [***]
Supplier KA / KT & Mgmt Staff  [***]                         [***]                 [***]

* Triple-S shall provide facilities for the In-Scope Employees designated in
Schedule G (In-Scope Employee Agreement) so long as they retain employees of
Interactive Systems.

 

The timelines above assume Supplier move of majority of existing resources into
Supplier temporary space.

 

**Supplier is also assuming [***] open requisitions.  Open requisitions will be
hired direct to Supplier locations & Triple-S real estate is not required.

 

3.2 Reimbursements

 

(a) The reimbursements Supplier is required to make under the In-Scope Employee
Agreement include certain allocations for use of the space above.

 

(b) Supplier will not be required to reimburse Triple-S for real estate costs
for the personnel noted above, except as provided in the In-Scope Employee
Agreement.

 




 

 

4. SOFTWARE

 

Financial Responsibility

Supplier-provided Software (including as listed in Schedules S, X and C-5) and
any other Software required to implement the IT Solution

 

[***]

 

Triple-S-provided Software listed in Schedule X

 

[***]

 

 

5. ADDITIONAL TERMS

 

(a) Triple-S Financial Responsibility in this Schedule C-3 is subject to
Section 12.2 of the General Terms and Conditions and Section 3.1(c) of Schedule
C (Charging Methodology).

 

(b) If there is an express conflict between the general allocation of
responsibility in Sections 1 through 4 of this Schedule C-3, and the terms of
Schedule S (Supplier Software), X (Source of Truth) or C-5 (TSS Transferred
Contracts), the terms of Schedule S, X or C-5 (as applicable) shall control.

 

(c) Supplier shall have Financial Responsibility for all Equipment and Software
maintenance contracts (including where Triple-S has Financial Responsibility for
the underlying Equipment or Software), except as provided otherwise in Schedule
X (Source of Truth).

 

 

 






 

 

 

 

MSA Schedule C4

 

 

 

 




 



 

 

 

 

 

 

 

 

 

 



MASTER SERVICES AGREEMENT

 

SCHEDULE C-4

 

TERMINATION CHARGES

 

 

 

 

 

 

 

 

 

 

 

 




 

 

 

 

Schedule C-4 Termination Charges

 

Termination Fee for termination pursuant to Section 16.1(b) of the General Terms
and Conditions:

 

                                     Termination Fee
Termination Schedule         Basis   Year 1  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10
Termination for Convenience  Annual  [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]

 

Termination Fee for termination pursuant to Section 16.1(f) of the General Terms
and Conditions:

 

                                           Termination Fee
Termination Schedule               Basis   Year 1  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10
Termination due to change in laws  Annual  [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]   [***]

 

Termination Fee for termination pursuant to Section 16.1(h) of the General Terms
and Conditions:

 

                                      Termination Fee - Contract Year 1 Only
                                      Month 1  Month 2  Month 3  Month 4
Termination - No regulatory approval  [***]    [***]    [***]    [***]

 

The Termination Fees above state the Termination Fee payable for a termination
that is effective in the first month of each Contract Year. If the effective
date of termination is later in the year, the Termination Fee will be pro-rated
based on the number of months remaining in the year. For example, assume each
Contract Year is from 9/1 through 8/31 and that the Termination Fee for year 1
is $1,000 and for year 2 is $2,000. If the effective date of termination is in
the middle of year 1, the Termination Fee would be $1,500.

 

 

 

 






 

 



MSA Schedule C5

 




 



 

 





MASTER SERVICES AGREEMENT

 

SCHEDULE C-5

 

TSS TRANSFERRED CONTRACTS

 

 

 






 



Schedule C-5 – TSS Transferred Contracts

 

Seq # Vendor Description Long Description Agreement Name/Date Contract File Reference Annual Baseline Spend Amount - In Scope Legal Name
[***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]




 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]




 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]




 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]




 

[***][***]

[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]

Triple-S / Supplier Confidential

Page 5

 

CONFIDENTIAL TREATMENT REQUESTED. INFORMATION FOR WHICH CONFIDENTIAL TREATMENT
HAS BEEN REQUESTED IS OMITTED AND MARKED WITH “[***]”. AN UNREDACTED VERSION OF
THE DOCUMENT HAS ALSO BEEN FURNISHED SEPARATELY TO THE SECURITIES AND EXCHANGE
COMMISSION AS REQUIRED BY RULE 24B-2 UNDER THE SECURITIES EXCHANGE ACT OF 1934,
AS AMENDED.

 

Schedule C-5

TSS Transferred Contracts



 

[***] [***] [***] [***]   [***] [***]   [***] [***] [***] [***]   [***] [***]  
[***] [***] [***] [***]   [***] [***]               [***]  

 



Triple-S / Supplier Confidential

Page 6

 



Schedule D

 



CONFIDENTIAL TREATMENT REQUESTED. INFORMATION FOR WHICH CONFIDENTIAL TREATMENT
HAS BEEN REQUESTED IS OMITTED AND MARKED WITH “[***]”. AN UNREDACTED VERSION OF
THE DOCUMENT HAS ALSO BEEN FURNISHED SEPARATELY TO THE SECURITIES AND EXCHANGE
COMMISSION AS REQUIRED BY RULE 24B-2 UNDER THE SECURITIES EXCHANGE ACT OF 1934,
AS AMENDED.

 

FINAL EXECUTION VERSION

 

 

 

 

 

 

 

 

 

 

 

 

 

 



SCHEDULE D

 

KEY SUPPLIER POSITIONS

I. INTRODUCTION

 

With reference to Section 6.3 (Key Supplier Positions and Other Requirements) of
the General Terms and Conditions, this Schedule D (Key Supplier Positions)
identifies the Key Supplier Positions that are approved as of the Effective
Date. All Key Supplier Positions will be identified, interviewed and on-boarded
within thirty (30) days of the Effective Date.

 

II. KEY SUPPLIER POSITIONS

 

Ref #: 1

Key Supplier Position: Client Account Executive

Summary of Role/Responsibilities: The Client Account Executive is a Senior
Executive who has full authority to make decisions across all services. The
Supplier Account Executive will have extensive experience in managing strategic
client relationships across a complex set of service delivery and performance
standards. This position will be available to travel to attend meetings in
Puerto Rico. The Supplier Account Executive will be authorized to act as
Supplier’s primary contact with respect to each Party’s obligations under this
Agreement, and will have day-to-day authority to assess Triple-S satisfaction,
including a strong cultural fit. The Supplier Account Executive will have
day-to-day responsibility for managing the delivery of the Services and
coordinating with Triple-S executives. The Client Account Executive will have
primary responsibility for governance obligations across all services for a
smooth transition and a high level of satisfaction with Triple-S personnel. The
Account Executive will be the single point of escalation for all contract
deliverables.

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed.





 

 






 

Schedule D
Key Supplier Positions – Account Level



Ref #: 2

Key Supplier Position: IT Implementation Lead

Summary of Role/Responsibilities:

The IT Implementation Lead will be responsible for managing the transition phase
cloud implementation of services to steady state for IT services.

Once steady state is achieved across the IT services, ongoing Transition
Services will be provided on an as-needed basis and resource will no longer be
dedicated.

· Mobilize the IT Implementation Team, progress tracking, communications, and
status reporting.

· Manage and provide guidance and direction on the development of the
Transition Plans and Transition Work Plans.

· Coordinate to produce a consolidated status report that conveys program
status, accomplishments, key next steps, risks and issues for the transition.

· Develop and maintain a matrix summarizing the progress of contractual
deliverables through the development, submission, review and approval
activities.

Implement a risk and issue management process for the program that includes
mitigation and contingency planning.

Physical Location: Puerto Rico 75% for first 2 years (or longer if necessary, to
complete the Transition and Transformation) then 50% or as determined need for
onsite presence after implementation milestones have been completed



 

  






 



Ref #: 3

Key Supplier Position: Program Delivery Lead / VP of Program Operations

Summary of Role/Responsibilities: The Program Delivery Lead will provide program
oversight, contract compliance, change control functions and financial
management. This position has oversight to day-to-day responsibility for
ensuring contract adherence and management in areas such as reporting,
compliance, invoicing, finance and other contract relevant management
functions. The Program Delivery Lead will be responsible for coordinating the
delivery of contractually specified reports and manages the contract changes
through the Change Control and Governance process in partnership with the
Triple-S executives. The Program Delivery Lead will be the key responsible party
for the overall program deliverables including SLAs, program deliverables,
client expectations, and all program milestones. The Program Delivery Lead is
accountable for reporting the performance of all programs to the client on a
recurrent basis. The Program Delivery Lead will also be responsible for managing
the transition of Claims Services to steady state.

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed

Ref #: 4

Key Supplier Position: Claims Operations Lead

Summary of Role/Responsibilities:

The Claims Operations Lead will provide oversight and management of claims staff
and day to day operations focusing on quality.

The Claims Operations Lead will be responsible for Triple-S operational
commitments and service delivery capability. The Claims Operations Lead will
conduct internal performance management meetings.

The Claims Operations Lead will manage operational performance, SLA metrics and
communicate status to Triple-S as required through performance reporting.

Physical Location:

Hyderabad, India

Eau Claire, WI

Ref #: 5

Key Supplier Position: IT Delivery Lead

Summary of Role/Responsibilities:

The IT Delivery Lead will provide oversight and management of IT staff and day
to day operations focusing on quality.

The IT Delivery Lead will be responsible for Triple-S operational commitments
and service delivery capability. The IT Delivery Lead will conduct internal
performance management meetings.

The IT Delivery Lead will manage operational performance, SLA metrics and
communicate status to Triple-S as required through performance reporting.

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed



 



 






 



Ref #: 6

Key Supplier Position: PMO

Summary of Role/Responsibilities:

The Program Management Lead is a Director level or higher resource with
extensive experience in leading large scale program management teams during the
transition of services to steady state. This resource reports into the Program
Delivery Lead and will be a dedicated resource during the transition. During
transition the PMO will perform the following functions:

· Mobilize the Program Management Office (PMO) program management processes
including day-to-day program governance, progress tracking, communications, and
status reporting.

· Establish and manage the program change management process, including
logging changes and shepherding them through the review, approval, and reporting
activities.

· Coordinate across the transition services to produce a consolidated status
report that conveys program status, accomplishments, key next steps, risks and
issues for the transition.

· Implement a risk and issue management process for the program that includes
mitigation and contingency planning.

Once steady state is achieved across the services, ongoing Transition Services
will be provided on an as-needed basis.

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed





 

 








Ref #: 7

Key Supplier Position: Director of IT Operations

Summary of Role/Responsibilities:

The Director of IT Operations is a direct support role of the IT Delivery Lead
role and will provide oversight and management of IT staff and day to day
operations focusing on quality.

The Director of IT Operations will be responsible for Triple-S operational
commitments and service delivery capability. The IT Delivery Lead will conduct
internal performance management meetings.

The Director of IT Operations will manage operational performance, SLA metrics
and communicate status to Triple-S as required through performance reporting.

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed

Ref #: 8

Key Supplier Position: Director of Program Operations

Summary of Role/Responsibilities: The Director of Program Operations is a direct
support role of the Program Delivery Lead/VP of Program Operations role and
support all functions and responsibilities of that role.

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed

Ref #: 9

Key Supplier Position: Claims Delivery Liaison

Summary of Role/Responsibilities: The Claims Delivery Liaison is a claims expert
that will be responsible for day to day management of the transition of the
Claims Services from Triple-S to Supplier. This will include managing the
knowledge transfer process and information and document requests from Triple-S.
The Claims Delivery Liaison will also coordinate with the Claims Operations Lead
for any follow-ups from Supplier and will communicate regularly with Triple-S
personnel regarding the status of the transition and Supplier’s launch of the
Claims Services on a production basis. Claims Delivery Liaison will also be
available to participate and contribute in meetings with providers, clients,
actuaries, regulators as required by Triple S

Physical Location: Puerto Rico 75% for first 2 years then 50% or as determined
need for onsite presence after implementation milestones have been completed.



 

 

 



 

 






SCHEDULE E

 

SUPPLIER FACILITIES

I. INTRODUCTION

 

With reference to Section 4.2 (Place of Performance) of the General Terms and
Conditions, this Schedule E (Supplier Facilities) describes the facilities at
which Supplier will perform the Services.

 

II. SUPPLIER FACILITIES

 

Primary Location: Optum Headquarters

Location Address: 11000 Optum Circle (Bldgs. 1, 2 and 3), Eden Prairie, MN 55344
USA

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): Process design; Architecture support; Claims process
support; Data analysis support; Project management support; Leadership support;
Executive management

Backup Location(s): [***]

 

 

 

 

 




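Primary Location: Optum Elk River, MN Data Center

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): End User Help Desk Support; Application Support; 24/7
Monitoring & Alerting; War Room Services (priority 1&2 kickoff)

Backup Location(s): [***]

Primary Location: Gurgaon, India

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): Claims processing

Backup Location(s): [***]

Primary Location: Noida, India

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): Claims processing

Backup Location(s): [***]

Primary Location: Chaska, Minnesota

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): End User Help Desk Support; Application Support; 24/7
Monitoring & Alerting; War Room Services (priority 1&2 kickoff)

Backup Location(s): [***]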

 

 

 

 







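Primary Location: Gurgaon, India

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): Application M&O

Backup Location(s): [***]

Primary Location: Gurgaon, India

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): IT engineering, implementation and support services

Backup Location(s): [***]

Primary Location: East US 2 (Virginia)

Location Address: [***]

Triple-S Data Accessed? (Y/N): Y

Authorized Service(s): Microsoft Data Center

Backup Location(s): [***]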

 

 

 

 




SCHEDULE F

 





GOVERNANCE

Table of Contents

 

1. INTRODUCTION
2. CONTRACT GOVERNANCE PLAN
2.1 Contract Governance Plan Development
2.2 Contract Governance Responsibilities
2.3 Relationship Management Structure
2.4 Meetings
3. ANNUAL TECHNOLOGY PLAN
4. VENDOR GOVERNANCE
5. COORDINATION AMONGST KEY THIRD PARTIES

 

 

 


1. INTRODUCTION

 

(a) With reference to Section 18 (Governance and Management) of the General
Terms and Conditions, this Schedule F (Governance) sets forth an integrated set
of business office governance processes, plans and tools relating to this
Agreement (“Contract Governance”). The purpose of this Contract Governance is to
monitor and control aspects of the Services in order to promote smooth operation
of the Services in accordance with this Agreement. This Schedule F (Governance)
describes the Contract Governance plan, Triple-S’s and Supplier’s roles and
responsibilities, the relationship management structure, and the decision-making
processes related to the Services.

 

(b) In the event of a conflict between the provisions of this Schedule and other
parts of this Agreement, the provisions of Section 26.11 (Order of Precedence)
of the General Terms and Conditions shall apply.

 

(c) All references in this Schedule to Sections and Exhibits shall be to the
Sections and Exhibits to this Schedule, unless otherwise specified.

 

(d) Capitalized terms are defined in Schedule AA (Glossary) to the Agreement or
in the place where they are used.

 

2. CONTRACT GOVERNANCE PLAN

 

2.1 Contract Governance Plan Development

 

Triple-S and Supplier will jointly develop, approve and begin implementing a
plan for governance of the Agreement (the “Contract Governance Plan”) within
ninety (90) days following the Effective Date. The Contract Governance Plan
will:

 

(a) Be consistent with the Relationship Management Structure described in
Section 2.3 below, specify the formal organizations, processes, and practices
for managing Triple-S’s and Supplier’s relationship under the Agreement and the
Parties’ governance and integration of third party systems and processes that
are applicable to the Services;

 

(b) Establish organizational interfaces for management and operation of this
Agreement including:

 

(i) Provide a high level overview of the business office governance processes
requiring Triple-S’s involvement;

 

(ii) Establish a strategy for communicating and planning for major organization
changes (i.e., people, processes, functions); and

 






 



(iii) Enhance and facilitate effective operating protocols and resolution of
certain disputes in accordance with Section 25 (Dispute Resolution) of the
General Terms and Conditions.

 

2.2 Contract Governance Responsibilities

 

(a) Supplier will:

 

(i) Assign an individual to be the single point of contact to Triple-S for the
Contract Governance Plan development and maintenance;

 

(ii) Provide, update and maintain a description of the Supplier’s leadership
organization as part of the organization charts to be provided by Supplier
pursuant to Section 6.3(f) of the General Terms and Conditions;

 







(iii) Draft the initial Contract Governance Plan and provide such to Triple-S
within sixty (60) days after the Effective Date;

 

(iv) Identify Service process inhibitors, if any, and propose process
improvements to Triple-S;

 

(v) Jointly review the Contract Governance Plan on an annual basis or more
frequently as may be agreed by the Parties, and update and maintain the Contract
Governance Plan accordingly; and

 

(vi) Provide appropriate Supplier Personnel access to the Contract Governance
Plan, as needed.

 

(b) Triple-S will:

 

(i) Assign an individual to be the single point of contact to Supplier for the
Contract Governance Plan development and maintenance;

 

(ii) Provide, update and maintain the Triple-S leadership organization;

 

(iii) Review and provide to Supplier, in writing, Triple-S’s comments, questions
and proposed changes to the draft Contract Governance Plan within thirty (30)
days following Triple-S’s receipt of the draft Contract Governance Plan;

 

(iv) Acknowledge Triple-S’s receipt and approval of the final version of the
Contract Governance Plan;

 

(v) Identify Service process inhibitors, if any, and propose process
improvements to Supplier;

 






 

(vi) Jointly review and update the Contract Governance Plan on an annual basis
or more frequently as may be agreed by the Parties; and

 

(vii) Provide the Contract Governance Plan to appropriate Triple-S employees, as
appropriate.

 

2.3 Relationship Management Structure

 

(a) On the Effective Date, the Parties will each identify an Executive Sponsor
(who will focus on Triple-S’ and Supplier’s long-term strategic relationship and
the mission, vision and innovation as they relate to the Services) and Delivery
Executives (the Triple-S Program Manager as described in Section 7.1 of the
General Terms and Conditions and the Supplier Account Executive as described in
Section 6.3(e) of the General Terms and Conditions) (who will have
responsibility for the execution of Contract Governance and who will be
responsible for the day-to-day operations and delivery of the Services). These
positions will function as the initial Relationship Management Structure until
the long term Relationship Management Structure is implemented as described
below. During such period, each Party will cause its representatives to
participate in contract governance related discussions and work together to
establish agendas and agreed upon tasks. These roles will continue within the
Relationship Management Structure.

 

(b) Within thirty (30) days after the Effective Date, the Parties will identify
the titles of (i) the initial members of the committees set forth below in this
Section 2.3 (Relationship Management Structure) and (ii) the initial
representatives who will attend the meetings identified in Section 2.4
(Meetings) below, and will agree upon a process for replacement of committee
members and meeting attendees, as applicable, during the Term.

 

(c) Joint Steering Committee.

 

(i) Triple-S and Supplier will jointly create a committee consisting of three
(3) management employees from Triple-S and its Affiliates and three (3)
management employees from Supplier who will focus on Triple-S’s and Supplier’s
long-term strategic plans as they relate to the Services (“Joint Steering
Committee”).

 

(ii) The Joint Steering Committee will:

 

(A) Meet at least monthly within the first six (6) months after the Effective
Date, quarterly for the next six (6) months and then semi-annually thereafter,
to discuss the evolving business agenda and strategic alignment of Triple-S and
Supplier as it relates to the Services, including key Triple-S priorities;

 

(B) Facilitate the goals of this Agreement;

 

(C) Review performance against goals and revise such goals, as appropriate;

 






 

(D) Approve and/or propose Changes to this Agreement, as appropriate;

 

(E) Identify major Triple-S organization changes (i.e., people, processes,
functions) or proposed changes affecting this Agreement;

 

(F) Review industry and business trends and the impact of technology on the
Services;

 

(G) Evaluate Supplier industry initiatives for potential applicability to the
Services;

 

(H) Discuss future Triple-S service needs, including opportunities for
additional collaboration and/or Supplier’s performance of additional services
for Triple-S;

 

(I) Upon Triple-S’s or Supplier’s request, assist in resolving issues arising
under this Agreement; and

 

(J) Participate in the dispute resolution process set forth in Section 26
(Dispute Resolution) of the General Terms and Conditions, as necessary.

 

(d) Joint Management Committee.

 

(i) Triple-S and Supplier will jointly create a committee consisting of three
(3) management employees from Triple-S and its Affiliates and three (3)
management employees from Supplier who will focus on management of the Triple-S
and Supplier relationship and delivery of the Services (“Joint Management
Committee”).

 

(ii) The Joint Management Committee will:

 

(A) Meet at least monthly within the first twelve (12) months after the
Effective Date, and quarterly thereafter, to review tactical alignment, promote
effective relationship management, and validate progress under this Agreement;

 

(B) Develop and implement plans to meet the goals of this Agreement;

 

(C) Review performance against the established Service Levels and address
contractual or management problems and issues, as appropriate;

 

(D) Assess the quality of Triple-S’s and Supplier’s working relationship and
develop and implement action plans to strengthen such relationship, as
appropriate;

 






 

(E) Identify, manage and address issues affecting performance of the Services;

 

(F) Identify and manage impending change; and

 

(G) When appropriate, propose changes to the Joint Steering Committee regarding
the Triple-S and Supplier relationship, and/or this Agreement.

 

(e) Joint Operations Committee.

 

(i) Within sixty (60) days after the Effective Date, Triple-S and Supplier will
jointly create a committee (as agreed to by the Parties) comprised of employees
of Triple-S and its Affiliates and employees of Supplier and its Affiliates
(“Joint Operations Committee”) who will focus on the day-to-day operations and
delivery of the Services. As part of the Joint Operations Committee, the Parties
will work together to share information and reporting as reasonably necessary
for the Joint Operations Committee, including such information from Triple-S
Vendors. The Parties will also work together to consider whether a Managed Third
Party or other Triple-S Vendor should be invited to participate in Joint
Operations Committee and will work together to obtain such participation.
Sub-committees will be established and meet as required to ensure IT (both
Supplier and Triple-S) are connected to and listening to the needs of the
business. Committees to be established may include Sales and Marketing
Operations, Product Development, Claims, Service, Enrollment and Revenue
Management, Pharmacy, PCPs/IPAs/Alliances, NW Management, Compliance, Ethics and
Audits, STARS & Quality, Appeals & Grievances, BIA, Configuration, Medical
Management, SALUS, TSP, TSV, and Finance.

 

(ii) The Joint Operations Committee shall:

 

(A) Meet at least every two (2) weeks within the first twelve (12) months after
the Effective Date, and monthly thereafter, to review operational performance
status and plans;

 

(B) Review contract performance;

 

(C) Review operational trends and analysis and take corrective action, as
required;

 

(D) Identify and address potential operational issues;

 

(E) Identify and manage operational change; and

 

(F) Make recommendations, as appropriate, to the Joint Management Committee.

 






 

(f) Day-to-Day Operations.

 

(i) Within the same timeframe in which the Committees are established, Triple-S
and Supplier will identify interaction points for which each party will
designate a primary and alternate point of contact. These interaction points are
necessary to monitor day-to-day operations and act as necessary to address
issues or ensure smooth execution of processes.

 

(ii) The designations of those points of contact will be documented and
maintained up to date by the Joint Operations Committee(s).

 

2.4 Meetings

 

Within thirty (30) days after the Effective Date, the Parties will determine an
appropriate set of meetings to be held between their representatives, which will
include at least the following:

 

(a) Joint Steering Committee meetings, to be held not less than semi-annually
(unless the Parties otherwise agree);

 

(b) Joint Management Committee meetings, to be held not less than quarterly
(unless the Parties otherwise agree); and

 

(c) Joint Operations Committee meetings, to be held not less than monthly
(unless the Parties otherwise agree).

 

3. ANNUAL TECHNOLOGY PLAN

 

(a) As part of the governance process, Supplier will prepare an annual
technology plan in accordance with the provisions of this Section 3 (Annual
Technology Plan) (the “Technology Plan”). Each Technology Plan will include a
review and assessment of the immediately preceding Technology Plan. The
Technology Plan will consist of a three-year plan and an annual implementation
plan as described below.

 

(b) Contents of the Technology Plan.

 

(i) The Technology Plan will include an assessment and strategic analysis of
Triple-S’s then-current and future technology environments that are in-scope
hereunder for the next three (3) years, including an assessment of the
recommended direction for Triple-S’s systems and services in light of Triple-S’s
business priorities and strategies and competitive market forces (to the extent
such business information is available or provided to Supplier), including
additional opportunities for the Parties to collaborate. The Technology Plan
will include an identification of proposed Software and Equipment strategies and
direction, a cost projection, a costs-vs.-benefits analysis of any proposed
Changes, a description of the types of personnel skills and abilities needed to
respond to any recommended Changes or upgrades in technology, a general plan and
a projected time schedule
for developing and achieving the recommendations made, and references to
appropriate operating platforms that support Service Level requirements, exploit
industry trends in production capabilities and provide potential
price-performance improvement opportunities.

 



(ii) As necessary to support the overall objectives and directions of the three
(3)-year plan, the annual implementation plan will provide guidance as to the
information services requirements, projects and plans for the upcoming year,
including information on operations, maintenance backlog and development
activities. Supplier will prepare an annual implementation plan for each year of
the Term.

 

(c) Process for Developing the Technology Plan.

 

(i) As part of the process of preparing the annual implementation plan, the
Parties (working through the committees described above) will review the overall
operation of this Agreement to ensure that the Services continue to be aligned
with Triple-S’s strategic business and IT requirements.

 

(ii) Supplier will submit the draft of the first Technology Plan (for the second
Contract Year) within six (6) months after the Effective Date. Triple-S will
review and provide comments on the draft. Supplier will review such comments and
submit the final Technology Plan to Triple-S within thirty (30) days after
receiving Triple-S’s comments on the draft.

 

(iii) Supplier will submit the draft of the Technology Plan for the third and
subsequent Contract Years not later than three (3) months prior to the
commencement of such Contract Year. The Parties may agree to make changes to the
dates that the draft Technology Plan must be submitted by Supplier to Triple-S
to coordinate it with and to support Triple-S’s annual business planning cycle
and/or the timing of Joint Steering Committee meetings. Triple-S will review and
provide comments on the draft. Supplier will review such comments and submit the
final Technology Plan to Triple-S within thirty (30) days after receiving
Triple-S’s comments on the draft.

 

(iv) Supplier will update the Technology Plan during the year as necessary to
reflect changes to Triple-S’s and its Affiliates’ businesses that materially
affect the validity of the then-current Technology Plan. Supplier will recommend
modifications to the Technology Plan as it deems appropriate, and will revise
the Technology Plan as requested by Triple-S.

 

4. VENDOR GOVERNANCE

 

Supplier will provide oversight and management of Managed Third Parties through
its performance of the Managed Third Party Contract Services (see Section 2.4 of
Schedule A). 

 






 



5. [***]

  

Without limiting Supplier’s obligations under the Agreement, with respect to
[***], Supplier will perform the following:

 

(a) Regularly communicate, and follow up on communications as needed, with
designated Triple-S personnel who interface with [***] to facilitate delivery of
the Services and completion of Projects relating to the [***] Software, as
applicable;

 

(b) Provide support to Triple-S in connection with Triple-S negotiations with
[***] as they relate to the Services;

 

(c) Coordinate and regularly communicate with Triple-S and [***] regarding
issues arising during the performance of Projects or other Functions performed
by [***] as they relate to the Services, including performance issues and any
errors in deliverables provided by [***].

 

 

 

 




 

SCHEDULE G
IN-SCOPE EMPLOYEE AGREEMENT

 

IN-SCOPE EMPLOYEE AGREEMENT (this “Agreement”), executed on August 29, 2017, by
and between INTERACTIVE SYSTEMS, INC., a corporation organized and existing
under the laws of the Commonwealth of Puerto Rico (“Interactive Systems”) and
OPTUMINSIGHT, INC., a corporation organized and existing under the laws of
Delaware (“Optum”).

 

WITNESSETH:

 

WHEREAS, Triple-S Salud, Inc., a company under common control with Interactive
Systems, and Optum executed a Master Services Agreement dated August 29, 2017
(the “Master Services Agreement”), pursuant to which Optum agreed to provide
infrastructure, application development, maintenance, business process, hosting
and consulting services to Interactive Systems (the “Services”).

 

WHEREAS, Optum desires to leverage certain employees of Interactive Systems to
assist Optum with the process of migrating and/or the ongoing performance of the
Services.

 

NOW, THEREFORE, in consideration of the mutual covenants and conditions set
forth below, and other good and valuable considerations, the receipt and
sufficiency of which are mutually acknowledged by Interactive Systems and Optum,
the parties hereto hereby agree as follows:

 

1. Provision of In-Scope Employees

 

Subject to the terms and conditions of this Agreement, on August 31, 2017 (the
“Effective Date”) Interactive Systems will make available to Optum the employees
listed in Appendix A (the “In-Scope IT Employee(s)” or also interchangeably
referred to as “In-Scope Employee(s)”, described below) to assist Optum in the
process of performing the Services.

 

(a) In-Scope IT Employee(s) or In-Scope Employee(s) means individuals who are
employed by Triple-S Salud or Interactive Systems as information technology
employees who Triple-S Salud and Interactive Systems will make available for
Optum to leverage in order to perform the Services. These employees will be
identified in Appendix A, the list of which may include any addition, removal or
replacement of employees during the Term of this Agreement.

 

(b) In-Scope Employee Period (“Transition Period”), for each In-Scope Employee,
means the period commencing on the Effective Date of this Agreement and
continuing until the date Optum is required to make an offer of employment under
Section 5 below.

 






 

2. Term of the Agreement.

 

This Agreement shall commence as of the Effective Date and shall remain in force
so long as the Master Services Agreement remains in effect (the “Term”), unless
sooner terminated as provided in Section 6 of this Agreement.

 

3. Status of In-Scope Employee(s).

 

(a) Employee Payroll and Benefits: Subject to the terms of this Section
(including Optum’s obligations set forth in Section 3(b) below), In-Scope
Employee(s) providing services to Optum under this Agreement shall at all times
during the Term remain employees of Interactive Systems. Interactive Systems
shall provide payroll, employment taxes, employee benefits, and workers
compensation with respect to the In-Scope Employees. 

 

(b) Control and Supervision: All In-Scope Employees shall be subject to
supervision, direction and control by Optum. Optum shall have full and exclusive
responsibility to evaluate, train, supervise, promote, discipline and control
the In-Scope Employees, and to determine which In-Scope Employees shall be
designated to perform required tasks. Certain In-Scope Employees may hold
supervisory positions and, in such capacity (unless otherwise determined by
Optum), shall control and determine the procedures to be followed by other
In-Scope Employees regarding the time, place and manner of performance of work
for Optum by the In-Scope Employees, including determination of hours of work,
rest periods, lunch periods and the delegation and assignment of work; provided,
however, that such In-Scope Employees having supervisory responsibilities shall
adhere to all of Interactive Systems’ policies, practices and contractual
obligations if any, concerning days of vacation, sick time, leave and all other
terms and conditions of employment.

 

(c) Employee Removal: Optum shall have the right to have Interactive Systems
remove any In-Scope Employee, specifically, as service provider to Optum for
just cause. In this event, the removal of any In-Scope Employee for just cause
shall not constitute a termination of employment by Interactive Systems. Just
cause for purposes of this section shall generally mean if, among other things,
any In-Scope Employee: fails to perform his/her duties satisfactorily; and/or
violates Optum or Interactive Systems rules, regulations or policies.

 

(d) Employee Replacement and Recruiting: Upon death, resignation or removal of
any In-Scope Employee, Optum may elect to replace such In-Scope Employee. In the
event Optum makes such election, it shall recruit qualified individuals as
potential replacements for such In-Scope Employees. Upon Optum’s written notice
to Interactive Systems of such recruitment, Interactive Systems shall hire
(pursuant to Optum’s hiring decision-making process) such individuals and shall
commence to exert its functions of payroll, employment taxes, employee benefits,
and workers compensation of such hired individual(s).

 



(e) Representations to Third Parties: In-Scope Employee(s) shall not be treated
as agents or representatives of Optum and shall not have any authority or
responsibility to enter into any contract or otherwise take any action in the
name of or on behalf of Optum.

 

(f) [***] Confidential Information: Optum shall exercise control and supervision
of the In-Scope Employees and perform its other obligations under this Agreement
strictly in accordance with the terms of Section 10.7 and 19.19 of the Master
Services Agreement.

 

4. Service Fees.

 

(a) Reimbursement for Services and Other Reasonable Expenses: In exchange for
exerting the functions of payroll, employment taxes, employee benefits, and
workers compensation during the Term, Interactive Systems will be reimbursed by
Optum for the salary, benefits and other reasonable overhead costs directly
incurred in providing the In-Scope Employee(s) in accordance with the terms set
forth in Appendix B. In addition, Optum shall reimburse Interactive Systems for
reasonable expenses incurred by the In-Scope Employee(s) in the performance of
services, provided that such expenses are supported by original receipts and the
In-Scope Employee(s) obtain the prior authorization of Optum before incurring
any such expenses.

 

(b) Invoice Dispute: In case of a disputable invoice, Optum shall make a payment
with the total amount of the invoice minus the disputed amount, along with a
detailed schedule of the fees being disputed and the reason for the dispute.

 

(c) Invoice due: All payments of amounts due under this Agreement will be made
to Interactive Systems within [***] days upon delivery of invoice. Invoices will
be generated at the end of every payroll period according to Interactive
Systems’ payroll policies.

 

5. Offering of Employment to In-Scope Employees.

 

From time-to-time during the Term, Interactive Systems may identify In-Scope
Employees that Optum shall offer employment to (such employees, the
“Transitioning Employees”), with the goal of Optum making an initial set of
employment offers to certain Employees by December 31, 2017 and in any case
prior to March 31, 2018 (such date, the “Initial Offer Date”). Optum represents
and warrants that it will provide the Transitioning Employees it offers
employment to with comparable compensation and benefits as required by
applicable law, including Act 80. In all cases Optum shall offer employment to
Transitioning Employees by the later of (a) the Initial Offer Date; and (b)
sixty (60) days after Interactive Systems designates them as Transitioning
Employees in writing to Optum.

 

6. Termination of Agreement.

 

This Agreement will automatically terminate if (i) the Master Services Agreement
is terminated; or (ii) the parties mutually agree in writing to terminate this
Agreement. For clarification, a material breach of this In-Scope Employee
Agreement will be considered a material breach of the Master Services Agreement.

 

7. Indemnification.

 

(a) Interactive Systems will at its expense indemnify, defend and hold harmless
Optum and its affiliates, and their respective officers, directors, employees,
agents, representatives, successors and assigns, from and against any and all
Losses (as defined in the Master Services Agreement) suffered or incurred by any
of them arising from, in connection with or based on any claims by, or on behalf
of the In-Scope Employees (and/or by their collective bargaining representative
and/or union, where applicable), with respect to matters arising out of the acts
or omissions of Interactive Systems and/or Triple-S Salud’s agents or
representatives occurring prior to the termination or expiration date of this
Agreement, and/or with respect to the employment relationship between the
In-Scope Employees and Interactive Systems and/or Triple-S Salud for acts or
omissions attributable to any other Interactive Systems’ or Triple-S Salud’s
employee not defined as an In-Scope Employee, but excluding claims for which
Optum is required to indemnify Interactive Systems pursuant to Section 7(b)
below.

 

(b) Optum will at its expense indemnify, defend and hold harmless Interactive
Systems and its affiliates, and their respective officers, directors, employees,
agents, representatives, successors and assigns, from and against any and all
Losses (as defined in the Master Services Agreement) suffered or incurred by any
of them arising from, in connection with or based on (i) any claims from
In-Scope Employees arising out of the acts and/or omissions of Optum after the
Effective Date of this Agreement; (ii) any claims directly arising out of the
termination of any In-Scope Employee(s) as a consequence of Optum choosing not
to hire them upon the end of the applicable Transition Period, pursuant to
Section 5 of this Agreement; (iii) any claims directly arising out of the
termination of any In-Scope Employee(s) as consequence of Optum’s breach of
Section 5 of this Agreement; and (iv) any claims arising out of the acts or
omissions of the In-Scope Employees, agents or representatives towards any
employee, agent or representative of Triple-S and its affiliates directly
arising out of Optum’s breach of Section 3(b) of this Agreement, but excluding
claims for which Interactive Systems is required to indemnify Optum pursuant to
Section 7(a) above.

 




 



8. Incorporation by Reference.

 

All terms, provisions and agreements set forth in the Master Services Agreement
with respect to confidentiality, non-solicitation, data-security protection,
intellectual property rights, indemnification and dispute resolutions
obligations are hereby made part of this Agreement to the same extent and with
the same force as if they were fully set forth herein.

 

9. Amendments.

 

This Agreement may only be amended in writing and signed by all of the parties
to this Agreement.

 

10. Notices.

 

All notices and communications shall be given in the manner, and shall be
effective, as provided in the Master Services Agreement.

 

11. Binding Effect.

 

This Agreement shall inure to the benefit of and be binding upon the parties
hereto and their respective heirs, successors, representatives and assigns.
Neither party to this Agreement may assign its rights or delegate its duties
hereunder without the express written consent of the other party, which consent
shall not be unreasonably withheld.

 

12. Execution in Counterpart.

 

This Agreement may be executed in any number of counterparts and by different
parties hereto in separate counterparts, each of which when so executed shall be
deemed to be an original and all of which taken together shall constitute one
and the same agreement. Delivery of an executed counterpart of a signature page
to this Agreement by electronic means shall be effective as delivery of a
manually executed counterpart of this Agreement.

 

13. Headings.

 

Section and other headings contained in this Agreement are for reference
purposes only and shall not affect in any way the meaning or interpretation of
this Agreement.

 

14. Severability.

 

If any part or condition of this Agreement is held to be void, invalid or
inoperative, such shall not affect any other provision hereof, which shall
continue to be effective as though such void, invalid or inoperative part,
clause or condition had not been made.

 


 



15. Governing Law.

 

This Agreement shall be governed by, and construed in accordance with, the laws
of the Commonwealth of Puerto Rico without regard to its conflict of laws
principles.

 

[Signature Page Follows]

 


 

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed
and delivered as of the date first above written.

 

 

INTERACTIVE SYSTEMS, INC.

 

 

By: /s/ Juan J. Diaz   Name: Juan J. Diaz   Title: President  

 

 

OPTUMINSIGHT, INC.

 

 

By: /s/ Eric Murphy   Name: Eric Murphy   Title: CEO, OptumInsight  

 

 

 

 

 

 




 

Appendix A

 

In-Scope Employees

 

Interactive Systems provided Optum with an initial list of In-Scope Employees
prior to the Effective Date, and will provide updates during the Term as
necessary to keep the list current.

 

 

 

 

 

 

 

 

 

 

 


 



Appendix B

 

Service Fees and Additional Compensation

 

 

Charge per In-Scope Employee*    Annual    Monthly
Overhead                         [***]     [***]
Real Estate                      [***]     [***]
Total                            [***]     [***]

[***]

 

Notwithstanding the calculations above, the adjustment shall not exceed [***]
percent ([***]%) in any year. Triple-S shall give Supplier notice of the
applicable adjustment for each year during this Agreement within thirty (30)
days after April 1 of such year, including detailed calculations and supporting
documentation as to the determination of the adjustment and the resulting
changes to the fees for such year.

 

Overhead and real estate charges will be paid monthly based on the number of
In-Scope Employees during each month. For In-Scope Employees who cease to become
an In-Scope Employee during a month, the monthly charges will be pro-rated for
any partial month.

 

 

 




 



SCHEDULE H 

BUSINESS ASSOCIATE AGREEMENT

 

This Business Associate Agreement is an addendum to the Agreement entered into
to be effective as of August 31, 2017, by and between Triple-S Salud, Inc.,
a Puerto Rico corporation, with principal offices located at #1441 F.D.
Roosevelt Avenue, San Juan, Puerto Rico 00921 (hereafter, the Covered Entity)
and OptumInsight, Inc., a Delaware corporation, having a primary place of
business at 11000 Optum Circle, Eden Prairie, MN 55344 (hereafter, the Business
Associate).

 

WHEREAS, the Health Insurance Portability and Accountability Act of 1996
(“HIPAA”) and its implementing regulations (45 Code of Federal Regulations Parts
160-164) impose on Covered Entity and its Business Associates rules relating to
the use, storage, transmission, and disclosure of protected health information
pertaining to participants and beneficiaries in order to standardize
communications and protect the privacy and security of individual health,
insurance and financial information; and

 

WHEREAS, Business Associate requires access to Protected Health Information of
participants and beneficiaries of Covered Entity to perform its obligations
under the Underlying Agreement. The purpose of this Business Associate Agreement
is to satisfy certain standards and requirements of HIPAA including, but not
limited to, 45 C.F.R. §§164.308(b), 164.314(a), 164.502(e) and 164.504(e).

 

In consideration of the mutual promises below and the exchange of information
pursuant to this Business Associate Agreement, intending to be legally bound
hereby, Covered Entity and Business Associate agree as follows:

 

Section 1. Definitions

 

“Breach” shall have the same meaning given to the term in 45 CFR §164.402, as
the impermissible acquisition, access, use, or disclosure of protected health
information that compromises the security or privacy of the protected health
information.

 

“Designated Record Set” shall have the same meaning as set forth in 45 C.F.R.
§164.501.

 

“Disclosure” shall mean the release, transfer, and provision of access to or
divulgation in any manner of information outside the entity holding the
information, as set forth in 45 C.F.R. §160.103.

 

“IT Functions” shall refer to services related to business continuity,
information system data integrity, and information confidentiality, security,
storage, maintenance, and destruction.

 

 




 



“Business Continuity” shall mean the strategic and tactical capability of the
organization to plan for and respond to incidents and business disruptions in
order to continue business operations at an acceptable predefined level.

 

“System Data Integrity” shall refer to the processes and controls established by
the organization to maintain and assure the accuracy and consistency of data
over its entire life-cycle, and is a critical aspect to the design,
implementation and usage of any system which stores, processes, or retrieves
data.

 

“Effective date” shall mean the day and year first above written.

 

“HITECH Act” The Health Information Technology for Economic and Clinical Health
Act, signed on February 17, 2009, promotes the adoption and meaningful use of
health information technology. The HITECH Act also addresses what is a security
breach and provides general guidelines on how Covered entities and Business
Associates should handle security incidents in which unsecured PHI is exposed.

 

“Individual” shall have the meaning given to such term under the Privacy Rule,
including, but not limited to, 45 C.F.R. §160.103 and shall include a person who
qualifies as a personal representative in accordance with 45 CFR 164.502(g).

 

“Privacy Rules” shall mean the Standards for Privacy of Individually
Identifiable Health Information as set forth under 45 CFR Part 160 and Part 164,
Subparts A and E, as amended.

 

“Protected Health Information (PHI and E-PHI)” shall have the meaning given to
the term at 45 C.F.R. §160.103 limited to the information created or received by
Business Associate from or on behalf of Covered Entity.

 

“Required By Law” shall have the same meaning set forth in 45 C.F.R. §164.103.

 

“Secretary” shall mean the Secretary of the U.S. Department of Health and Human
Services or his/her designee.

 

“Security Rules” shall mean the Security Standards for the Protection of
Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164,
Subparts A and C.

 

“Unsecured Protected Health Information” shall have the same meaning provided to
the term at 45 C.F.R. §164.402.

 



 




 



Other terms used in this Business Associate Agreement, but not otherwise defined
shall have the same meaning as those terms in HIPAA.

 

Section 2. Obligations of Business Associate

 

a. Functions and activities on behalf of Covered Entity. Business Associate may
use or disclose Protected Health Information for the purpose of providing the
Services or as otherwise permitted or required under this Business Associate
Agreement or the Agreement, provided that such use or disclosure would not
violate the Privacy Rules and Security Rules if done by Covered Entity. To the
extent Business Associate is to carry out Covered Entity’s obligations under the
Privacy Rule, Business Associate will comply with the requirements of the
Privacy Rule that apply to Covered Entity in the performance of those
obligations.

 

b. Limited use and disclosure. Business Associate shall not use or further
disclose PHI other than as permitted or required by this BAA, or as required by
law or as otherwise authorized by Covered Entity.

 

c. Proper handling of PHI. Business Associate shall have in place and have its
workforce, agents and subcontractors trained on formalized policies, procedures,
protocols and mechanisms to handle PHI in a responsible manner in order to
prevent unauthorized access, uses, disclosures or acquisition of PHI.

 

d. Prohibition on sale of PHI. Business Associate shall not directly or
indirectly receive remuneration in exchange for any PHI of an individual unless
the Covered Entity obtains from the individual a valid authorization that
includes a specification of whether the PHI can be exchanged for remuneration by
the entity receiving PHI of that individual.

 

e. Prohibition on requesting information related to medical services or
procedures paid in its entirety by the individual. The Business Associate will
not require information related to medical services and procedures paid in its
entirety by the individual, unless that information is necessary to take a
determination and the authorization of the individual is obtained.

 

f. De-identified information. Business Associate may use or disclose protected
health information that has been de-identified in accordance with the standards
set forth at 45 C.F.R. §164.514(a), (b), and (c).

 

g. Minimum necessary. Business Associate shall limit its uses, disclosures and
requests for PHI to that which is reasonably necessary to accomplish the
intended purposes of such use, disclosure and/or request consistent with the
minimum necessary requirements under HIPAA. Moreover, Business Associate shall
disclose the minimum necessary PHI to perform its obligations to the Covered
Entity only (i) to its employees, subcontractors, and agents (ii) as directed by
Covered Entity; or (iii) as otherwise permitted by the terms of this Business
Associate Agreement.

 

h. Transfer of data. Transfer, exchange or sharing of data information between
the Business Associate, the Covered Entity and its agents or subcontractors
shall be conducted using secure means to protect PHI against the access or
intrusion of unauthorized third parties. Business Associate and Covered Entity
will agree on the best methodology to exchange data in a safe and secure
manner as stated in the Security Rule, including all repositories that may
contain PHI/IIHI.

 

i. [Reserved]

 

j. Security and annual risk assessments. Business Associate shall use and
maintain technical, administrative and physical safeguards as set forth in 45
C.F.R. §§164.308, 164.310, and 164.312 that reasonably and appropriately protect
the confidentiality, integrity, and availability of e-PHI. Business Associate
shall conduct a security risk assessment at least on an annual basis.

 

k. Subcontractors. Business Associate shall ensure that any subcontractor or
agent that creates, receives, maintains, or transmits PHI on behalf of Business
Associate agrees to the same restrictions and conditions that apply to Business
Associate with respect to such information. If Business Associate becomes aware
of a pattern of activity or practice of a Subcontractor that would constitute a
material breach or violation of the written agreement between Business Associate
and Subcontractor, Business Associate shall (1) take reasonable steps to cure
such breach or end the violation, if any and as applicable, or, if feasible,
terminate such written agreement with such Subcontractor if such steps were
unsuccessful.

 

l. Except as otherwise limited in this Business Associate Agreement, Business
Associate may:

 

(a) Use PHI in its possession, but only to the minimum extent necessary, for the
proper management and administration of Business Associate or to carry out the
legal responsibilities of Business Associate if such uses are permitted under
applicable state and federal confidentiality laws.

 

(b) Disclose PHI to third parties, but only to the minimum extent necessary, for
the proper management and administration of Business Associate or to carry out
the legal responsibilities of Business Associate, provided that (i) the
disclosures are Required By Law, as provided under 45 C.F.R. Section 164.501, or
(ii) Business Associate obtains reasonable written assurances from the third
party to whom the information is disclosed that such information shall be held
confidentially in accordance with the Privacy Rules and shall be used or further
disclosed only as required by law or for the purpose for which it was disclosed
to such third party, and such third party notifies Business Associate of any
instance of which the confidentiality of the information has been breached.

 

(c) Use for reporting of violations of law to appropriate Federal and State
authorities, consistent with 45 C.F.R. §164.502(j) (1).

 

(d) Use for data aggregation services. Use the information to provide data
aggregation services related to the health care operations (as such term is
defined in 45 C.F.R. §164.501) of Covered Entity, as permitted by 45 C.F.R.
§164.504(e)(2)(i)(B), if requested by Covered Entity in writing.

 

m. Reporting of any unauthorized use or disclosure. Report to Covered Entity, as
promptly as practicable and, in any case, within forty-eight (48) hours, any
use or disclosure of PHI of which Business Associate becomes aware that is not
provided for in this Business Associate Agreement or the Agreement. The report
shall include the identification of each individual whose Unsecured PHI has been
or is reasonably believed by the Business Associate to have been accessed,
acquired, or disclosed during such Breach.

 

n. Unsuccessful Security Incidents. The parties acknowledge that this paragraph
constitutes notice by Business Associate to Covered Entity of the ongoing
existence and occurrence or attempts of Unsuccessful Security Incidents for
which no additional notice to Covered Entity shall be required. “Unsuccessful
Security Incident” means, without limitation, pings and other broadcast attacks
on Business Associate’s firewall, port scans, unsuccessful log-on attempts,
denial of service attacks, and any combination of the above, so long as no such
incident (i) results in unauthorized access to, use, or disclosure of PHI or
(ii) adversely affects the ability of Business Associate to maintain, process or
safeguard PHI of Covered Entity. This paragraph reflects the parties’
determination under 45 C.F.R. §164.306(b) that the effort and expense required
for Business Associate’s accurate reporting of Unsuccessful Security Incidents
to Covered Entity would significantly outweigh any benefit that might be
achieved through such reporting and, accordingly, that requiring reporting of
Unsuccessful Security Incidents would not be reasonable or appropriate.

 

o. Mitigation and corrective actions. Establish procedures to mitigate and
correct, to the extent practicable, any harmful effect that is known to Business
Associate of a use or disclosure of PHI by Business Associate or any of its
agents in violation of the requirements of this Business Associate Agreement,
including the duty to notify affected individuals due to a Breach of Unsecured
PHI pursuant to §§13401-13402 of the American Recovery and Reinvestment Act of
2009, Public Law 111-5.

 

p. Breach notification. Following the discovery of a Breach of Unsecured PHI,
Business Associate:





 

 






 



1) Shall provide written notice to Covered Entity of such Breach as promptly as
practicable and, in any case, within forty-eight (48) hours following Business
Associate’s discovery of the same. Business Associate shall furnish subsequent
reports with additional information as reasonably required by Covered Entity. A
Breach shall be treated as discovered by Business Associate as of the first day
on which such Breach is known to Business Associate or, through the exercise of
reasonable diligence, would have been known to Business Associate.
Notwithstanding the foregoing, if a law enforcement official states to Business
Associate that notification of a Breach would impede a criminal investigation or
cause damage to national security, then Business Associate shall delay such
notification for the time period specified by the official.

 

2) The Breach notification provided to Covered Entity shall include, to the
extent possible: (i) the identification of each individual whose Unsecured PHI
has been, or is reasonably believed by Business Associate to have been accessed,
acquired, used or disclosed during the Breach; (ii) a brief description of the
incident, including the date of the Breach and the date of discovery of the
Breach, if known; (iii) a description of the types of Unsecured PHI that were
involved in the Breach (such as whether full name, Social Security number, date
of birth, home address, account number, diagnosis, medical procedures, or other
types of information were involved); (iv) any steps individuals should take to
protect themselves from potential harm resulting from the Breach; (v) a
description of what Business Associate is doing to investigate the Breach, to
mitigate harm to individuals, and to protect against any further Breach; and
(vi) contact procedures for individuals to ask questions or learn additional
information, which shall include a toll-free telephone number, an e-mail
address, Website or postal address.

 

q. Corrective Measures. Business Associate shall adopt corrective measures if
any violation to the terms of this Business Associate Agreement is detected.

 

r. Access to the Secretary. Business Associate shall make available its internal
practices, books and records relating to the use and disclosure of PHI hereunder
to the United States Secretary of Health or its designees for purposes of
determining Covered Entity’s compliance with the Privacy and Security Rules.

 

s. Amendments to Protected Health Information. Within ten (10) business days
following Business Associate’s receipt of a written request from the Covered
Entity, Business Associate shall incorporate any amendments or corrections to
PHI in Designated Record Sets when notified and as required by Covered Entity,
the beneficiary or his representative that the information is inaccurate or
incomplete or as otherwise required by Covered Entity, all in compliance with
the standards set forth in 45 C.F.R. §164.526.

 

t. Access to PHI. Within ten (10) business days following Business Associate’s
receipt of a written request from the Covered Entity, Business Associate shall
make available PHI contained in a Designated Record Set to Covered Entity or, if
directed to do so in

 



 






 



specifications and limitations included in the Privacy Rule or other applicable
legal requirements.

 

u. Accounting of Disclosures. Business Associate shall maintain and, within ten
(10) business days following Business Associate’s receipt of a written request
from the Covered Entity, make available PHI requested by Covered Entity or an
individual as required to provide an Accounting of disclosures in accordance
with 45 C.F.R. §164.528. Such information shall be provided to Covered Entity,
unless Covered Entity directs Business Associate in writing to make the
Accounting directly to the individual.

 

v. Requests for restrictions. Business Associate shall comply with any requests
for restrictions on certain disclosures of PHI to which Covered Entity has
agreed in accordance with 45 C.F.R. §164.522 and of which Business Associate has
been notified by Covered Entity.

 

w. Authentication of individuals. Institute and maintain procedures that meet
the requirements of the Privacy Rule to reasonably verify the identity of an
individual requesting access to, or requesting an amendment or accounting of PHI
in a Designated Record Set.

 

x. Disclosures for Legal Orders and administrative proceedings. Business
Associate may disclose PHI in the course of any judicial or administrative
proceeding in accordance with 45 C.F.R. §164.512(e). If legally permissible,
following receipt of any order from a court or administrative tribunal or a
subpoena, discovery request, or other lawful process that is not accompanied by
an order of a court or administrative tribunal, Business Associate shall provide
Covered Entity with prompt notice of such order or process. If possible,
Business Associate shall provide such notice to Covered Entity prior to the
disclosure of any PHI. Business Associate shall cooperate with reasonable
requests of Covered Entity in responding to such order or process.

 

y. Shredding, Destruction or Storage of PHI. Business Associate will comply with
ensuring the most appropriate secure measures, as stated under the Security Rule
for the shredding, destruction and/or storage of documents containing PHI,
including the onsite repositories, and if deemed necessary securing offsite
transportation of the information.

 

z. Compliance with IT Functions. Business Associate will comply with maintaining
appropriate policies and procedures for securing all data containing PHI with
their business continuity plan, where their contingency for operations shall
have established and implemented procedures, as needed, that allow facility
access in support of restoration of lost data under the disaster recovery plan
and/or emergency mode operations plan in the event of an emergency.

 

· Business Associate will implement policies and procedures to limit physical
access to its electronic information systems and the facility or facilities in
which they are housed, while ensuring that properly authorized access is allowed
for the receipt and removal of hardware and electronic media that contain
electronic PHI into and out of a facility, and the movement of these items
within the facility.

 

· Business Associate will implement security measures to ensure that
electronically transmitted electronic protected health information is not
improperly modified without detection until disposed of, therefore securing
appropriate system data integrity procedures to ensure statistical accuracy.

 

aa. Compliance with Standard Transactions. Business Associate shall comply and
require its agents or subcontractors to comply with each applicable requirement
for standard transactions established in 45 CFR Part 162 when conducting all or
any part of a Standard Transaction, electronically for, or on behalf of, Covered
Entity, if applicable.

 

bb. Other representations. Business Associate represents and warrants to Covered
Entity:

 

(a) that all of its employees, agents, representatives and members of its
workforce whose services may be used to fulfill obligations under this Business
Associate Agreement are or shall be appropriately trained as required by the
Privacy Rule, and are under legal obligation to Business Associate, by contract
or otherwise, sufficient to enable Business Associate to fully comply with all
provisions of this Business Associate Agreement with respect to the Privacy
Rule.

 

(b) that it will reasonably cooperate with Covered Entity in the performance of
the mutual obligations under this Business Associate Agreement with respect to
the Privacy Rules.

 

(c) that it will notify Covered Entity immediately upon becoming aware that any
of the foregoing representations and warranties may be inaccurate or may become
inaccurate.

 

Section 3. Obligations of Covered Entity

 

Covered Entity shall:

 

(a) Notify Business Associate of any limitations in its Notice of Privacy
Practices to the extent that such restriction may affect Business Associate’s
use or disclosure of PHI.

 

(b) Notify Business Associate of any changes in, or revocation of, permission by
an individual to use or disclose PHI, to the extent that such changes may affect
Business Associate’s use or disclosure of PHI.

 



 

 






 



(c) Notify Business Associate of any restriction to the use or disclosure of PHI
to which Covered Entity has agreed, to the extent that such restriction may
affect Business Associate’s use or disclosure of PHI.

 

(d) Covered Entity shall not request Business Associate to use or disclose PHI
in any manner that would not be permissible under the Privacy and Security Rules
if done by Covered Entity.

 

Section 4. Term and Termination.

 

a. Term. The Term of this Business Associate Agreement shall be effective as of
the Effective Date, and shall terminate on the later of (i) the effective date
of termination or expiration of the Agreement; and (ii) when all of the PHI
provided by Covered Entity to Business Associate, or created or received by
Business Associate on behalf of Covered Entity, is destroyed or returned to
Covered Entity after the expiration date of the underlying agreement, or if it
is unfeasible to return or destroy PHI, protections are extended to such
information, in accordance with the termination provisions in this section.

 

b. Termination for Cause by Covered Entity. If Covered Entity determines that
Business Associate has committed a material breach of this Business Associate
Agreement, Covered Entity shall (i) provide Business Associate with written
notice of the breach within ten (10) days after discovering the alleged breach
(“Notice of Breach”); and (ii) afford Business Associate an opportunity to cure
such breach within thirty (30) days of the Notice of Breach. Failure to cure in
the manner set forth under this Section shall constitute grounds for immediate
termination of this Business Associate Agreement and the Agreement. Further,
Triple-S may terminate this Business Associate Agreement upon notice to Supplier
if Supplier commits a material breach of this Business Associate Agreement and
Triple-S is required to terminate in order to comply with Applicable Law or
direction from a Regulator.

 

c. Effect of Termination. Within thirty (30) days of termination of this
Business Associate Agreement for any reason:

 

(a) Business Associate shall, if feasible, return or destroy all Protected
Health Information received from Covered Entity, or created or received by
Business Associate on behalf of Covered Entity. This provision shall also apply
to PHI that is in the possession of subcontractors or agents of Business
Associate. Business Associate shall retain no copies of the PHI, except where
return or destruction is infeasible.

 



 

 






 





(b) In the event that Business Associate determines that returning or destroying
the PHI is infeasible, Business Associate shall provide Covered Entity
notification in writing, and Business Associate, its agents and subcontractors
shall extend the protections of this Business Associate Agreement to such PHI
and limit further uses and disclosures of such PHI to those purposes that make
the return or destruction infeasible, for so long as Business Associate, its
agents and subcontractors maintain such PHI.

 

Survival. All the obligations of Business Associate to protect Protected Health
Information shall survive the termination of this Business Associate Agreement,
and the Agreement, for as long as Business Associate maintains such Protected
Health Information.

 

Transition Assistance. Following the termination of this Agreement for any
reason, Business Associate agrees to provide transition services as described in
Section 17 of the Agreement.

 

Section 5. Miscellaneous provisions

 

Notices. All notices, demands, claims, requests, and other communications which
may be or are required to be given hereunder or with respect hereto shall be in
writing, will either be given by personal delivery, by mail or overnight
courier, or by fax, and shall be deemed to have been given or made when
personally delivered, and otherwise when received, addressed to the respective
Parties as follows:

 

TO COVERED ENTITY:

Attn: Dallila Allende Rosa
Corporate Ethics and Compliance Director – Office of Legal Affairs
Triple-S
Telephone:
Fax:
PO Box 363628
San Juan, PR, 00936-3628

TO BUSINESS ASSOCIATE:

Name: General Counsel, OptumInsight, Inc.
Telephone:
Fax:
Postal Address: 11000 Optum Circle
Eden Prairie, MN 55344





 



 






 



Interpretation. Any ambiguity in this Business Associate Agreement shall be
resolved in favor of a meaning that permits the Parties to comply with the
Privacy Rule, federal and local rules or statutes regarding the confidentiality
and security of PHI. A reference in this Business Associate Agreement to a
section of the Privacy Rule means the section as in effect or as amended.

 

Amendments required by law. If HIPAA, the HITECH Act or other legal requirements
relating to the protection of Protected Health Information are instituted
mandating an amendment of certain provisions within this Business Associate
Agreement, the Parties agree that this Agreement is amended pursuant to said
mandate without further consent of the parties.

 

Audit and Records Retention. Schedule M (Audit and Record Retention) contains
audit and record retention terms applicable to this Business Associate
Agreement.

 

Disputes. If any controversy, dispute or claim arises between the Parties with
respect to this Business Associate Agreement, the Parties shall resolve it
pursuant to the dispute resolution terms provided in the General Terms and
Conditions of the Agreement.

 

Injunction. Business Associate hereby agrees that Covered Entity may suffer
irreparable damage upon Business Associate’s breach of the provisions of this
Agreement and that such damages may be difficult to quantify. Business Associate
hereby agrees that Covered Entity may file an action for an injunction to
enforce the terms of this Business Associate Agreement against Business
Associate, in addition to any other remedy Covered Entity may have.

 

Severability. If any provision of this Business Associate Agreement is held by a
court of competent jurisdiction to be illegal, invalid, or unenforceable under
present or future laws effective during the term of this Business Associate
Agreement, the legality, validity, and enforceability of the remaining
provisions of this Business Associate Agreement shall not be affected thereby.

 

IN WITNESS WHEREOF, each of the following undersigned has caused this Business
Associate Agreement to be duly executed.

 

Triple-S Salud, Inc.,

/s/ Madeline Hernández-Urquiza
Name: Madeline Hernández-Urquiza
Title: President

OptumInsight, Inc.

/s/ Eric Peterson
Name: Madeline Hernández-Urquiza
Title: Deputy General Counsel



 

 




 

 

 

 

 

 

 

 





Schedule I

 


 



 

 



 

 

 

SCHEDULE I

 

DISENGAGEMENT ASSISTANCE

 

 

 

 

 

 

 

 

 

 

 

 

 


 

TABLE OF CONTENTS

 

1. Introduction
2. Definitions
3. General Terms
3.1 Overview of Disengagement Assistance
3.2 Compensation for Disengagement Assistance
3.3 Audit Rights
4. Disengagement Assistance Planning
4.1 Disengagement Assistance Plan
4.2 Supplier Responsibilities Under the Disengagement Assistance Plan
5. Resource Transition
5.1 General Terms
5.2 Supplier Equipment
5.3 Supplier Third Party Service Contracts
5.4 Software and Tools
5.5 Telephone Numbers
5.6 Unidentified Assets
5.7 Human Resources
6. Supplier Disengagement Assistance Team
7. Operational Transition
8. Organizational Transition
9. Business Continuity and Disaster Recovery Transition
10. Knowledge Transfer
11. Financial Transition
12. Risk Mitigation

 

 

 

 

 

 


 

1. Introduction

 

(a) With reference to (and without limiting) Section 17 (Disengagement
Assistance) of the General Terms and Conditions, this Schedule I (Disengagement
Assistance) sets forth terms relating to the provision of Disengagement
Assistance by Supplier.

 

(b) The primary purpose of Disengagement Assistance, and Supplier’s goal in
providing it, shall be to:

 

(i) assist in enabling Triple-S to obtain from a Successor Supplier, or to
provide for itself and other Service Recipients, each in an efficient manner
without adverse effect on the continuity of operations or otherwise, services to
substitute for or replace the Services; and

 

(ii) minimize any adverse effect of transferring responsibility for providing
the Services to Triple-S or to a Successor Supplier.

 

(c) In the event of a conflict between the provisions of this Schedule I and
other parts of this Agreement, the provisions of Section 27.11 (Order of
Precedence) of the General Terms and Conditions shall apply.

 

2. Definitions

 

Capitalized terms are defined in Schedule AA (Glossary) to this Agreement, in
the place where they are used, or have the meanings set forth below:

 

(a) “Affected Services” means the Services for which Disengagement Assistance is
requested by Triple-S to be provided by Supplier pursuant to and in accordance
with Section 17 (Disengagement Assistance) of the General Terms and Conditions.

 

(b) “Affected Supplier Third Party Service Contracts” has the meaning given in
Section 5.3(a).

 

(c) “Affected Supplier Personnel” has the meaning given in Section 5.7(a)(i).

 

(d) “Cutover Date” means, for any Affected Services, the corresponding effective
date of the cessation of, or the termination or expiration (as applicable) of,
Supplier’s obligation under this Agreement to provide such Affected Services (as
such effective date may be extended pursuant to this Agreement).

 

(e) “Discovery Notice” has the meaning given in Section 5.6.

 

(f) “Disengagement Assistance Plan” has the meaning given in Section 4.1(a).

 












 

(g) “Disengagement Event” means any event (e.g., withdrawal of Services, notice
of termination, Agreement expiration) that gives Triple-S the right to request
Disengagement Assistance pursuant to Section 17 (Disengagement Assistance) of
the General Terms and Conditions.

 

(h) “Financial Reconciliation Period” has the meaning given in Section 11.

 

(i) “Knowledge Transfer Plan” has the meaning given in Section 10(b).

 

(j) “Resources” has the meaning given in Section 5.1(a).

 

(k) “Supplier Disengagement Assistance Lead” has the meaning given in Section 6.

 

(l) “Supplier Leased Equipment” has the meaning given in Section 10.2(b)
(Equipment) of the General Terms and Conditions.

 

(m) “Supplier Non-Personnel Resource Obligations” has the meaning given in
Section 5.1(c).

 

(n) “Supplier Owned Equipment” has the meaning given in Section 5.2.

 

(o) “Supplier Personnel Information” has the meaning given in Section 5.7(a).

 

(p) “Supplier Personnel Resource Obligations” has the meaning given in Section
5.1(c).

 

(q) “Unidentified Asset” has the meaning given in Section 5.6.

 

3. General Terms

 

3.1 Overview of Disengagement Assistance

 

(a) Supplier shall, upon Triple-S’s request in accordance with Section 17
(Disengagement Assistance) of the General Terms and Conditions, provide
Disengagement Assistance with respect to the Affected Services in accordance
with Section 17 (Disengagement Assistance) of the General Terms and Conditions.
Supplier shall continue to perform the Affected Services in accordance with the
Agreement until the applicable Cutover Dates, but no longer than the periods set
forth in the General Terms and Conditions.

 

(b) Supplier shall provide Disengagement Assistance pursuant to a Disengagement
Assistance Plan (as set forth in Section 4).

 

(c) To the extent that Supplier has used a Subcontractor to provide any part of
the Affected Services, Supplier shall cause such Subcontractor to comply with
Supplier’s obligations set forth in this Schedule I with respect to such
Affected Services.

 

(d) Supplier shall use Commercially Reasonable Efforts to minimize Triple-S’s
costs and management time resulting from the cessation of the Affected Services
and to minimize the implementation time for the transfer of the Affected
Services to Triple-S and/or its Successor Supplier(s).

 

3.2 Compensation for Disengagement Assistance

 

(a) Triple-S shall fully compensate Supplier for the provision of
Disengagement Assistance as set forth in Section 17.3 (Charges for Disengagement
Assistance) of the General Terms and Conditions. The provision of Disengagement
Assistance shall not be subject to any other charges by Supplier.

 

(b) As Services are transitioned from Supplier during the Disengagement
Assistance Period, Supplier shall reduce the Charges to Triple-S as, and to the
extent that, the resource utilization volumes specified in the applicable
Statement of Work or Task Order decline, and the resources otherwise used by
Supplier in performing the Services are reduced as a result of such transition
in accordance with the agreed Disengagement Assistance Plan.

 

3.3 Audit Rights

 

Triple-S may audit the accuracy of information provided by Supplier under this
Schedule I in accordance with Schedule M (Audit and Record Retention
Requirements).

 

4. Disengagement Assistance Planning

 

4.1 Disengagement Assistance Plan

 

(a) As part of its obligations to provide Disengagement Assistance, Supplier
shall assist Triple-S and the Successor Supplier in preparing and subsequently
revising a disengagement plan for the transition of any Affected Services (which
may include major transition activities, schedules, and milestones) and, if
applicable, the transfer of corresponding assets to Triple-S or the Successor
Supplier (any such plan, a “Disengagement Assistance Plan”). Without limiting
the generality of the foregoing, such assistance shall include:

 

(i) prior to the fifth anniversary of the Effective Date, preparing an initial
draft Disengagement Assistance Plan that includes the information necessary for
Supplier to perform the Disengagement Assistance described in this Schedule I;

 

(ii) preparing input for the Disengagement Assistance Plan detailing how
Supplier shall perform, during the Disengagement Assistance Period, its
responsibilities to provide (A) the Affected Services before the corresponding
Cutover Dates for each Affected Service, and (B) Disengagement Assistance with
respect to the Affected Services;

 

(iii) reviewing draft versions of the Disengagement Assistance Plan and
subsequent revisions, and identifying to Triple-S (A) material risks associated
with Triple-S’s proposed plans for Disengagement Assistance (including any
potential disruption in the Affected Services before the corresponding Cutover
Dates, disruption to the other Services being provided by Supplier, and
disruption to Triple-S’s business or other third party services), and suggested
means by which such risks may be mitigated, and (B) operational constraints that
may impact Triple-S’s proposed plans; and

 

(iv) Subject to Section 17 (Disengagement Assistance) of the General Terms and
Conditions, providing other information regarding the Affected Services or
Supplier’s performance of Disengagement Assistance with respect to the Affected
Services that may be reasonably requested by Triple-S in connection with the
preparation or subsequent revision of the Disengagement Assistance Plan.

 

(b) Triple-S or the Successor Supplier shall be responsible for finalizing and
managing the overall Disengagement Assistance Plan.

 

4.2 Supplier Responsibilities Under the Disengagement Assistance Plan

 

(a) Supplier Performance. Supplier shall manage and perform its responsibilities
under the Disengagement Assistance Plan.

 

(b) Handover of Records. The Disengagement Assistance Plan shall set forth a
detailed plan for Supplier to deliver to Triple-S the Triple-S Data required by
Triple-S, including the records described in Section 5 (Records Retention) of
Schedule M (Audit and Record Retention Requirements) and in this Schedule I.
This plan shall describe the migration of such data and records from Supplier to
Triple-S, including the applicable schedule, file formats, medium of
transmission, and applicable criteria for acceptance of delivered data and
records.

 

(c) Modification of Supplier Responsibilities. Triple-S may, from time to time
and subject to the Change Control Process, modify Supplier’s responsibilities
under the Disengagement Assistance Plan in order to meet the evolving dynamics
of implementing the goals of the plan; provided, however, that Triple-S shall
consult with Supplier in defining or modifying Supplier’s responsibilities, and
shall consider, and use reasonable efforts to accommodate, Supplier’s reasonable
input.

 

(d) Risk Assessment. Within thirty (30) days after commencement of the
Disengagement Assistance Services, Supplier shall perform and provide a risk
assessment, identify any material additional risk factors relating to the
migration of the Services to Triple-S and any Successor Supplier, and recommend
activities to mitigate such risks.

 

5. Resource Transition

 

5.1 General Terms

 

(a) Access to Resources. During the Disengagement Assistance Period, Supplier
shall provide to Triple-S and any Successor Supplier reasonable and timely
access to and use of information regarding the Equipment, Software, Tools, third
parties (including Subcontractors), third party contracts (including leases,
licenses and contracts), Documentation and other materials or information about
the resources that are used to provide the Affected Services (collectively the
“Resources”) and Supplier Personnel, in each case, consistent with Section
17.1(f) (Disengagement Assistance) of the General Terms and Conditions and other
applicable restrictions set forth in the Agreement, for the purpose of
transitioning responsibility for the Affected Services to Triple-S or the
Successor Supplier.

 

(b) Management of Resources. During the Disengagement Assistance Period,
Supplier shall obtain Triple-S’s prior written approval before (i) taking any
action or actions with respect to the removal, reassignment, transfer or
disposal of any Resources used to provide the Services, which Triple-S is
entitled to acquire as part of Disengagement Assistance, or (ii) proposing,
amending or extending the terms of (or entering into new) agreements governing
such Resources used to provide the Services, which Triple-S is entitled to
acquire as part of Disengagement Assistance.

 

(c) Transfer of Resources.

 

(i) Section 17.2 (Required Consents) of the General Terms and Conditions sets
forth certain Supplier obligations relating to obtaining Required Consents with
respect to Resources.

 

(ii) Supplier shall provide reasonable assistance required for, and take
reasonable actions (including by executing documents) necessary to effect, the
transfer of Resources as contemplated in this Section 5 and Section 17
(Disengagement Assistance) of the General Terms and Conditions (to the extent
Triple-S requests such transfers). Supplier shall use Commercially Reasonable
Efforts to minimize the costs associated with the transfer of, or assumption of
responsibility for, Resources pursuant to this Section 5 and Section 17
(Disengagement Assistance) of the General Terms and Conditions.

 

(iii) Unless otherwise agreed by the Parties, the effective date of
any transfer of Resources pursuant to this Section 5 shall be the Cutover Date
for the corresponding Affected Services; provided, however, that any such
transfer shall not take place before the Cutover Date for the corresponding
Affected Services unless mutually agreed by the Parties in writing.

 

(iv) Triple-S shall not assume, and shall not be liable for, any of Supplier’s
or any of its Subcontractor’s obligations to any third party with respect to any
non-personnel Resource owned, leased, licensed, or contracted for by Supplier or any
of its Subcontractors (such obligations collectively the “Supplier Non-Personnel
Resource Obligations”), and Supplier shall be responsible for performing such
Supplier Non-Personnel Resource Obligations. Triple-S shall only be responsible
for any of such obligations that arise after the date that the underlying
Resource is transferred to Triple-S.

 

(v) Triple-S shall not assume, and shall not be liable for, any claims,
obligations, or liabilities of any kind or nature with respect to any personnel
Resource that arise out of (A) Supplier’s relationship as the employer of such
person, or (B) a contractual arrangement with such person (such obligations
collectively “Supplier Personnel Resource Obligations”), and Supplier shall be
responsible for performing such Supplier Personnel Resource Obligations.

 

5.2 Supplier Equipment

 

(a) Subject to Section 5.1(a), Supplier shall provide information to Triple-S or
the Successor Supplier concerning: (i) the Equipment owned by Supplier (and its
Subcontractors) that is used to perform the Affected Services (collectively, the
“Supplier Owned Equipment”); and (ii) Supplier Leased Equipment. All such
information shall include a complete inventory of such Supplier Owned Equipment
and Supplier Leased Equipment (in Microsoft Excel format) specifying make,
model, location, the corresponding Services such Supplier Owned Equipment and
Supplier Leased Equipment are used to provide, whether such Equipment is
dedicated to providing the Services or whether Supplier utilizes such Equipment
for other customers, and such other information as Triple-S may reasonably
request. With respect to Supplier Owned Equipment or Supplier Leased Equipment
for which Triple-S has a right to purchase or receive through assignment (as
applicable) under Section 17.1(i) (Disengagement Assistance) of the General
Terms and Conditions, Supplier shall also provide the serial number, purchase or
lease date (as applicable), depreciation cycle, fair market value or copy of the
lease (as applicable), and other reasonable information requested by Triple-S.

 

(b) With respect to Supplier Owned Equipment to be sold to Triple-S pursuant to
Section 17.1(i) (Disengagement Assistance) of the General Terms and Conditions,
as directed by Triple-S and upon Supplier’s receipt of payment in full, Supplier
shall convey such Supplier Owned Equipment to Triple-S or the Successor
Supplier, along with any associated warranties that Supplier is permitted to
pass on to a purchaser and with all available user and other Documentation, free
of any liens, claims or encumbrances (excluding any such liens, claims or
encumbrances created by Triple-S), and shall execute a bill of sale in a
mutually agreed form to evidence the conveyance.

 

(c) With respect to Supplier Leased Equipment to be assigned to Triple-S
pursuant to Section 17.1(i) (Disengagement Assistance) of the General Terms and
Conditions, as directed by Triple-S, Supplier shall (i) provide to Triple-S a
copy of the current leases pertaining to the Supplier Leased Equipment, and
(ii) assign to Triple-S or the Successor Supplier the leases for such Supplier
Leased Equipment.

 

(d) If requested by Triple-S, a conveyance to Triple-S of any Supplier Owned
Equipment under Section 5.2(b) or Supplier Leased Equipment under Section 5.2(c)
shall include Supplier’s assignment to Triple-S of all associated Equipment
maintenance agreements to the extent that Supplier has such rights to assign
under the applicable maintenance agreements.

 

5.3 Supplier Third Party Service Contracts

 

(a) Subject to Section 5.1(a), Supplier shall provide information to Triple-S
concerning any Supplier Third Party Service Contracts held by Supplier (and any
of its Subcontractors) that are used to perform the Affected Services
(collectively, the “Affected Supplier Third Party Service Contracts”) (other
than Equipment leases, which are governed by Section 5.2 above), which shall
include a complete inventory of such contracts (in Microsoft Excel format)
specifying the third party, the nature of the contract (e.g., support agreement,
equipment maintenance contract), the corresponding Services such contract is
used to provide, and other reasonable information requested by Triple-S.

 

(b) With respect to Supplier Third Party Service Contracts to be assigned to
Triple-S pursuant to Section 17.1(j) (Disengagement Assistance) of the General
Terms and Conditions, as directed by Triple-S, Supplier shall (i) provide, or
use Commercially Reasonable Efforts to cause the corresponding Subcontractor to
provide, to Triple-S or the Successor Supplier a copy of the Supplier Third
Party Service Contracts, and (ii) assign, or use Commercially Reasonable Efforts
to cause the corresponding Subcontractor to assign, to Triple-S or the Successor
Supplier such Supplier Third Party Service Contracts, which such assignee shall
assume the assigning party’s obligations under any such contract assigned
relating to periods after the date of assignment.

 

5.4 Software and Tools

 

(a) Subject to Section 5.1(a), Supplier shall provide information to Triple-S or
the Successor Supplier concerning any Supplier Software or Supplier Tools that
are used for the provision of the Affected Services (including those for
tracking Projects and service information requests, and those used for knowledge
transfer), which shall include a complete inventory of such Supplier Software
and Supplier Tools, the corresponding licensor of such Supplier Software and
Supplier Tools, the nature of such Supplier Software and Supplier Tools (e.g.,
Software, process), the corresponding Services each Supplier Software or
Supplier Tool is used to provide, all Documentation related to Supplier Software
and Supplier Tools required to be made available under Section 17.1(f)
(Disengagement Assistance) of the General Terms and Conditions, and other
information reasonably requested by Triple-S.

 

(b) As part of Disengagement Assistance, Supplier shall procure any license that
Supplier has not previously provided to Triple-S that Supplier is expressly
obligated to provide to Triple-S pursuant to Section 10.4 (Supplier Software and
Tools), Section 10.5 (License During the Term and Disengagement Assistance
Periods), Section 10.6 (Post Term License Option), Section 15.1(c) (Independent
IP), Section 15.2(b) (Ownership of Other
Developed Items) of the General Terms and Conditions and Schedule S (Supplier
Software and Tools). With respect to any third party Software or Tool for which
Supplier is not obligated to procure such a license, Section 17.1(h)
(Disengagement Assistance) of the General Terms and Conditions shall govern. For
clarity, Triple-S’s rights with respect to Supplier Owned Software and Supplier
Owned Tools are set forth in the General Terms and Conditions and Schedule S
(Supplier Software and Tools).

 

5.5 Telephone Numbers

 

(a) Supplier shall provide information to Triple-S or its designee concerning
any telephone numbers (i) for which Supplier or a Subcontractor is the customer
of record, and (ii) that are used for the provision of the Affected Services
(e.g., help desk numbers), which shall include a complete inventory of such
numbers (in Microsoft Excel format), the corresponding Services each of such
numbers is used to provide, the corresponding network provider and country of
origin, and other reasonable information requested by Triple-S. Triple-S may
audit the accuracy of such information in accordance with Section 18.6 (Audits
and Records) of the General Terms and Conditions and Schedule M (Audit and
Record Retention Requirements). For avoidance of doubt, this Section 5.5(a)
shall not require Supplier to provide the individual telephone number for any
specific Supplier employee (personal or otherwise), or the personal telephone
number of any Subcontractor.

 

(b) Supplier shall cause each of the telephone numbers described in Section
5.5(a) that are used exclusively for the provision of the Affected Services to
be ported to Triple-S or its designee as of the corresponding Cutover Date(s),
thereby making Triple-S or its designee the customer of record for such numbers.

 

5.6 Unidentified Assets

 

(a) For any Affected Services, if after the corresponding Cutover Date, any
Resources are discovered that were not identified by Supplier pursuant to
Sections 5.2 through 5.5 (each, an “Unidentified Asset”), Supplier shall provide
Triple-S or the Successor Supplier with notice of such discovery (such notice
for any such Unidentified Asset, a “Discovery Notice” for such asset), which
Discovery Notice shall provide a description of the corresponding Unidentified
Asset that includes the information described in Sections 5.2 through 5.5, as
applicable.

 

(b) As of the Cutover Date, Supplier hereby grants to Triple-S and its
designees, at no additional charge, to the greatest extent possible given
Supplier’s existing rights, perpetual, irrevocable rights of access to, and use
of the Unidentified Assets; provided, however, that with respect to any
Unidentified Asset that is Leased Equipment or a Third Party Agreement, Supplier
may terminate the lease or agreement corresponding to such Unidentified Asset at
Supplier’s expense, but only after: (i) Supplier has provided Triple-S with a
Discovery Notice for such Unidentified Asset, (ii) Supplier has presented
Triple-S with a complete copy of the corresponding agreement and has provided
Triple-S with the opportunity to exercise its rights pursuant to Sections 5.2(c)
and 5.3(b); and (iii)
Triple-S has notified Supplier that it does not wish to exercise its rights
pursuant to Sections 5.2(c) or 5.3(b). For any such Unidentified Asset that is
Leased Equipment or a Third Party Agreement, Triple-S shall provide the
notification as to whether it wishes to accept assignment of the corresponding
lease or agreement within thirty (30) days after Supplier’s delivery of the
corresponding agreement to Triple-S pursuant to clause (ii) of this Section
5.6(b).

 

5.7 Human Resources

 

(a) Supplier Personnel Information.

 

(i) Supplier shall, within ten (10) Business Days following either Triple-S’s
request made during the Disengagement Assistance Period or a Disengagement
Event, and subject to any applicable Law governing the use, disclosure or
processing of personal data, provide Triple-S with information and copies of
records concerning Supplier Personnel (such information collectively, the
“Supplier Personnel Information”). If requested by Triple-S, Supplier Personnel
Information shall be provided in electronic format (including in Microsoft Excel
format). Supplier Personnel Information shall include a current organizational
chart that identifies all Supplier Personnel performing the Affected Services
(“Affected Supplier Personnel”), and summarizes their organizational
relationship among one another (e.g., solid-line versus dotted-line reporting
from one person to another), and which specifically distinguishes the Affected
Supplier Personnel from other Supplier Personnel. For the Affected Supplier
Personnel, such chart shall include roles, responsibilities, level of effort
(i.e., dedicated to Triple-S or % of time dedicated to Triple-S) and authority
of such personnel.

 

(ii) With respect to Supplier Personnel who are eligible to be hired by Triple-S
pursuant to Section 17.1(e) (Disengagement Assistance) of the General Terms and
Conditions, as and to the extent reasonably requested by Triple-S, Supplier
shall provide a list of the Supplier Personnel performing the Affected Services
(“Affected Supplier Personnel”) by individual, and the following information
(both on an aggregated basis and by individual person, each broken down by
function): (A) name; (B) position and job title; (C) job responsibilities; and
(D) whether such person is a heritage Triple-S employee, heritage Supplier
employee, or independent contractor personnel.

 

(iii) Where Supplier Personnel Information has been provided pursuant to this
Section 5.7(a), Supplier shall: (A) inform Triple-S of any material change to
the same; (B) clarify any matter on which clarification is reasonably requested
by Triple-S; and (C) cooperate with any other reasonable requests made by
Triple-S concerning Supplier Personnel Information. Supplier shall perform such
obligations as soon as practicable, but in any event within ten (10) Business
Days of any material change described in clause (A) of this paragraph, or of any
Triple-S request pursuant to clauses (B) and (C) of this paragraph.

 

(b) Hiring of Supplier Personnel.

 

(i) Following a Disengagement Event, Triple-S and the Successor Supplier shall
have the right to make offers of employment to all Supplier Personnel pursuant
to Section 17.1(e) of the General Terms and Conditions; however, nothing shall
be construed to require acceptance of employment offers by any such Supplier
Personnel. Triple-S and the Successor Supplier shall have reasonable access to
such Supplier Personnel for interviews and recruitment.

 

(ii) Supplier shall fully and promptly cooperate in good faith with all
reasonable requests of Triple-S to procure the smooth and lawful transfer to
Triple-S or the Successor Supplier of the Supplier Personnel who accept offers
to transfer to Triple-S or a Successor Supplier.

 

(c) Satisfaction of Obligations. To the extent Triple-S hires any Supplier
Personnel pursuant to the Agreement, as of the date of such hire, Supplier shall
satisfy all of its obligations with respect to all outgoing and accrued
liabilities incurred as Employer of such hired personnel, including wages,
contractual bonuses, commission, holiday remuneration, tax, social security and
national insurance contributions or other relevant national statutory deductions
governed by the Laws of any jurisdiction governing the employment of such
personnel.

 

5.8 Transfer of Services Operating Environment.

 

As part of the Disengagement Plan and upon termination of the Agreement,
Triple-S shall have the right to take over the existing instances of the
Triple-S operating environment contained within the data center(s) of Supplier’s
applicable Subcontractors (“Existing Instances”). Supplier shall not restrict or
otherwise hinder Triple-S’ ability to acquire rights to the software and
supporting systems and access such Existing Instances.

 

6. Supplier Disengagement Assistance Team

 

Until the completion of the Disengagement Assistance Plan, Supplier shall assign
an individual to serve on a dedicated basis to manage and oversee Supplier’s
support of Disengagement Assistance activities (such position, the “Supplier
Disengagement Assistance Lead”). The individual serving as the Supplier
Disengagement Assistance Lead shall be subject to Triple-S’ prior written
approval. The Supplier Disengagement Assistance Lead shall meet with his or her
Triple-S counterparts on a weekly basis (or more frequently if reasonably
requested by Triple-S), and shall serve as an escalation point for issues
relating to the Disengagement Assistance.

 

7. Operational Transition

 

Pursuant to this Schedule I, Section 17 (Disengagement Assistance) of the
General Terms and Conditions, and the Disengagement Assistance Plan, the
Disengagement Assistance to be provided to Triple-S by Supplier shall include
the following activities, as directed by Triple-S:

 

(a) Providing Source Code and object code, database, file, record layouts and
field descriptions, where available with respect to the Triple-S Software (and
other Software, to the extent Triple-S is entitled to a license to Source Code
pursuant to the General Terms and Conditions), along with the Documentation and
associated program execution statements if available, and other similar
information necessary for the designee to execute such Software for Triple-S’s
benefit, in the form reasonably specified by Triple-S;

 

(b) To the extent Supplier is obligated to grant or procure a license for
Triple-S that includes a right to Source Code under the General Terms and
Conditions, providing the available object code, database, file, record layouts
and field descriptions with respect to such Source Code, along with the
Documentation and associated program execution statements, and other similar
information in a form reasonably specified by Triple-S;

 

(c) To the extent Supplier is obligated to grant or procure a license for
Triple-S that includes a right to Source Code under the General Terms and
Conditions, documenting and delivering the available program materials,
including source and object libraries, reference files, interface definitions,
specifications, implementation procedures relative to Triple-S’s technical
environment, and embedded software;

 

(d) In accordance with Section 21.7 (Return or Destruction) of the General Terms
and Conditions and Section 5 (Records Retention) of Schedule M (Audit and Record
Retention Requirements), delivering or destroying all Triple-S Data and Triple-S
Confidential Information, in the manner and format specified by Triple-S
(including electronic copies on storage devices in, and electronic transmission
to, a new environment) with a complete content listing;

 

(e) Delivering then-existing systems support profiles, change logs including
enhancement and maintenance, history, problem tracking/resolution documentation,
functional and complexity assessment analyses, and status reports associated
with the Services;

 

(f) Providing work volumes, then-current staffing requirements, demand backlog
and information on historical performance for the Service Levels, to the extent
available for the Affected Services, over the preceding twelve (12) months;

 

(g) Identifying and documenting the demarcation points for each portion of the
Affected Services, including any operating level agreements with other Triple-S
or Supplier groups at those demarcation points, and information regarding the
physical and virtual locations affected by the Disengagement Assistance Plan;

 

(h) Identifying work and Projects expected to be in progress as of the
corresponding Cutover Dates for the Affected Services, and with respect to such
work, documenting current status (including Project budget information),
stabilizing for continuity during transition, and providing any reasonably
required training to qualified personnel to achieve transfer of responsibility
for such work and Projects;

 

(i) Before the corresponding Cutover Dates, providing the following Services:

 

(i) Subject to Section 17.1(f) of the General Terms and Conditions, provide
Documentation used by Supplier to provide the Affected Services and reasonably
necessary to provide continuity of service during transition, in an electronic
format that is reasonably acceptable to, and in a location and manner that is
easily accessible by, Triple-S;

 

(ii) Identify, record and provide change control records with respect to
Projects and provide release management with respect to application changes;

 

(iii) Provide and coordinate assistance in notifying Subcontractors of the
procedures to be followed in connection with the Disengagement Assistance Plan;

 

(iv) Collaboratively with Triple-S, coordinate with [***] and other similar
third parties regarding the procedures to be followed in connection with the
Disengagement Assistance Plan;

 

(v) Review the organization, structure, use and contents of all Software
libraries, databases and repositories including those utilized for test, staging
and production with Triple-S’s or the Successor Supplier’s operations staff;

 

(vi) Provide reasonable assistance to Triple-S or the Successor Supplier in
establishing or transferring operational standards including naming and
addressing conventions;

 

(vii) Make arrangements for any physical de-installation, transportation, and
relocation of Equipment and physical assets to be performed as part of the
Disengagement Assistance;

 

(viii) Reasonably cooperate and assist Triple-S and the Successor Supplier in
achieving a state of operational readiness before the applicable Cutover Dates;

 

(ix) Provide Triple-S with any help desk or service request tickets and problem
logs it does not already have, reporting back at least two (2) years prior to
the Cutover Date (but no earlier than the Effective Date);

 

(x) After consultation with Triple-S, discontinue all discretionary Software
changes, other than with respect to the Services or other modifications
necessary to address processing problems;

 

(xi) Assist Triple-S or its designee in the analysis of the direct access
storage capacity required to accommodate Software libraries and Triple-S’s data
files;

 






 

(xii) Deliver in a usable format, all databases and associated content used to
provide the Services including those for tracking projects and service
information requests, and those used for knowledge transfer;

 

(xiii) As provided in Sections 10.4 (Supplier Software and Tools) and 15
(Intellectual Property Rights) of the General Terms and Conditions or expressly
provided in any other section of the Agreement, generate and provide the Source
Code for the Software to which Triple-S has a license under Sections 10.4
(Supplier Software and Tools) and 15 (Intellectual Property Rights) of the
General Terms and Conditions or such other express provision of the Agreement in
a form reasonably requested, and deliver such Source Code, technical
specifications and materials, and user documentation for the Software to
Triple-S or its designee, as and to the extent provided for in Sections 10.4
(Supplier Software and Tools) and 15 (Intellectual Property Rights) of the
General Terms and Conditions or such other express provision of the Agreement;

 

(xiv) Provide documentation and diagrams for the voice, data, video, and other
communications capabilities, asset information and configuration settings
(including configurations, router tables, IP addressing schema, managed device
thresholds) for all configurable items used by Supplier to perform the Services
(including media access, media, routing, bridging and switching devices and
other equipment and software providing communications service delivery and
management functions); and

 

(xv) Provide interim Triple-S Data, in such format and on such media as
reasonably requested by Triple-S.

 

(j) On or before the corresponding Cutover Dates, providing the following
Services:

 

(i) In conjunction with Triple-S or the Successor Supplier, conduct a rehearsal
of any migration that is part of the Disengagement Assistance Plan prior to the
Cutover Date and as scheduled by Triple-S and reasonably agreed to by Supplier,
and provide any required corrective action identified during the rehearsal;

 

(ii) Provide reasonable assistance to Triple-S or its designee in making
Triple-S Data files available on the storage devices of the new environment;

 

(iii) Provide reasonable assistance to Triple-S or its designee with the
transmission or movement of data from then-existing databases to the new
environment;

 

(iv) Provide an image copy (and mirrored DASD volumes if available) of each
operating system environment (in dump/restore or image mode, as applicable to
the operating system platform);

 




 

(v) Provide reasonable assistance to Triple-S or the Successor Supplier with the
turnover of operations and the execution of parallel testing and parallel
operations;

 

(vi) Assist Triple-S or the Successor Supplier in the identification and removal
of security access credentials for Supplier Personnel from any computing
communications devices and associated Software transferred to Triple-S or the
Successor Supplier; and

 

(vii) Transfer responsibility to Triple-S or the Successor Supplier for off-site
media and document storage.

 

(k) On or before the corresponding Cutover Dates, providing additional
assistance reasonably requested by Triple-S, including:

 

(i) Returning to Triple-S (or, if requested by Triple-S, destroying) at no
additional charge any remaining Triple-S property in Supplier’s possession or
control, including remaining reports, data and Triple-S Data or Triple-S
Confidential Information; and

 

(ii) Vacating Triple-S Facilities in a timely manner.

 

8. Organizational Transition

 

Supplier shall provide reasonable assistance required to adequately transfer, in
accordance with the Disengagement Assistance Plan, the organizational
information developed during the Term to support the delivery of the Affected
Services. Supplier’s responsibilities shall include, as requested by Triple-S:

 

(a) Providing, to the extent Supplier has created such items, functional
organization charts, operating level agreements with third-party contractors,
phone trees, contact lists, and standard operating procedures;

 

(b) Transferring physical and logical security processes and tools, including
cataloguing and tendering all badges and keys, documenting ownership and access
levels for all passwords, and instructing Triple-S or its designee in the use
and operation of security controls; and

 

(c) Protecting against security breaches of Supplier Personnel during the
Disengagement Assistance Period by revoking Supplier Personnel access to
Triple-S Facilities (or secure locations within such facilities), Triple-S Data,
Triple-S Confidential Information, Equipment, Software and other systems,
processes and tools, as such Supplier Personnel are transitioned away from
Triple-S’s account or as the functions performed by such Supplier Personnel are
transitioned away from Supplier, and accordingly, corresponding access to such
items is no longer required.

 






 

9. Business Continuity and Disaster Recovery Transition

 

During the Disengagement Assistance Period Supplier shall:

 

(a) Supply the BC/DR Plan to Triple-S;

 

(b) To the extent Triple-S Data corresponding to the Affected Services is
replicated to another facility, transfer such data to Triple-S or its designee,
and upon Triple-S’s request, provide reasonable assistance to Triple-S in
developing equipment and other requirements for relocating such data; and

 

(c) Participate in business continuity and Disaster recovery testing in
connection with the Disengagement Assistance Plan until a successful test of the
recovery arrangements is accomplished.

 

10. Knowledge Transfer

 

(a) As reasonably requested by Triple-S, Supplier shall provide for a transfer
of knowledge regarding its performance of the Affected Services, scope,
processes, and related topics, so as to facilitate the provision of the Affected
Services by Triple-S or the Successor Supplier. Supplier’s responsibilities
shall include:

 

(i) Providing the Documentation and information described in, and subject to the
restrictions set forth in, Section 17.1(f) (Disengagement Assistance) of the
General Terms and Conditions, including: (A) relevant Documentation; (B) the
Procedures Manual; (C) schedules, frequencies, Work Product owned by Triple-S or
to which it has a license and related information for activities and
Deliverables as reasonably requested by Triple-S; (D) security plans and
procedures; and (E) key support contacts (names and phone numbers) of Triple-S
personnel, third party personnel, and Supplier Personnel during the
Disengagement Assistance Period;

 

(ii) Providing reasonable training to Triple-S’s or the Successor Supplier’s
personnel in the performance of those Services that are to be transferred,
including in the management of the third party vendors of goods and services
used to perform the Affected Services;

 

(iii) Explaining the particular Supplier implementation of the processes used to
provide the Services, and the human, procedural and technical interfaces to and
interactions with Triple-S (including the Procedures Manual) to Triple-S or the
Successor Supplier’s operations staff;

 

(iv) Responding to inquiries from Triple-S regarding the Affected Services,
including by providing reasonable access (e.g., by telephone) during the
Disengagement Assistance Period; and

 




 

(v) Providing contact listings of potential alternate sources of resources,
including skilled labor and spare Equipment parts.

 

(b) Supplier’s performance of the obligations described in Section 10(a) shall
be in accordance with a knowledge transfer plan for the Affected Services (each
such plan a “Knowledge Transfer Plan”). Each Knowledge Transfer Plan shall be
aligned with the Disengagement Assistance Plan, and shall, at a minimum,
describe the overall knowledge transfer process, including, without disclosing
Supplier Confidential Information: (i) Supplier’s overall approach; (ii) major
activities and schedules for the knowledge transfer; (iii) the Supplier
Personnel who shall participate in the knowledge transfer; (iv) a description of
the documentation that Supplier shall provide in connection with the knowledge
transfer; and (v) designation of resources needed from Triple-S and associated
schedules. Each Knowledge Transfer Plan shall be provided to Triple-S for its
review, comment and approval. The reasonable comments or suggestions of Triple-S
shall be incorporated as applicable into each such Knowledge Transfer Plan and
Triple-S’s final approval shall be obtained prior to implementation of the
Knowledge Transfer Plan.

 

11. Financial Transition

 

As of the Cutover Date for any Affected Services, and continuing for a period of
six (6) months thereafter (each such period a “Financial Reconciliation
Period”), Supplier shall reasonably cooperate with and support Triple-S, at no
additional charge, to achieve a final reconciliation with respect to the areas
identified in this Section 11.

 

(a) Supplier Invoicing. Supplier shall submit its invoice for all charges and
credits applicable to the Affected Services through the corresponding Cutover
Date, which shall be payable in accordance with Schedule C (Charging
Methodology). Effective as of the Cutover Date for any Affected Services, each
Party shall submit to the other Party reconciliation information (including as
reasonably requested by the other Party) to reconcile any outstanding charges or
credits, and each Party shall work diligently and in good faith to achieve a
final reconciliation of such charges and credits by the end of the Financial
Reconciliation Period.

 

(i) The Parties acknowledge the possibility that invoices for third-party
contracts (e.g., Third Party Service Contracts or Equipment leases) used to
provide the Affected Services and transferred to Triple-S or its designees
pursuant to Section 5 may be misdirected by third-party vendors after the
effective date of transfer, and provided to Supplier instead of Triple-S or its
designee. Supplier shall provide any such invoices in their original form to
Triple-S in a timely manner.

 

(ii) Supplier shall reimburse Triple-S for third party products or services, if
any, for which Supplier is financially responsible, and that are used to provide
the Affected Services before the Cutover Date, but that are invoiced to Triple-S
or its designee.

 






 

(iii) On or before the Cutover Date, Supplier shall provide Triple-S with
information regarding any third party contracts used to provide the Affected
Services such that Triple-S can reasonably validate that the corresponding third
party vendor has invoiced, and Supplier has paid, any charges arising under such
contracts before the Cutover Date.

 

(b) Asset Acquisitions. Sections 5.2 through 5.4 describe terms pursuant to
which Triple-S or its designee may acquire certain resources used to provide the
Affected Services. Each Party shall work diligently and in good faith to
achieve, by the end of the Financial Reconciliation Period, a final
reconciliation of the financial issues arising from any transfer of such
resources to Triple-S or its designee under such provisions.

 

12. Risk Mitigation

 

The Parties shall at all times work together in good faith during the
Disengagement Assistance Period to minimize any risk to or interference with the
Services (including the Service Levels).

 

 

 




 

 



SCHEDULE J

 

TRIPLE-S POLICIES AND PROCEDURES


No.  Policy Name
1    Claims Department Medicare Secondary Payer COB
2    Claims Payment Dispute Process for Non Contracted Provider
3    Claims Universe Request
4    Code of Business Conduct and Ethics
5    Compliance Program
6    Contracting and Monitoring of Delegated Entities
7    Manual de Politicas Corporativas – Empleo de Familiares
8    Manual de Politicas Corporativas – Contratacion de Terceros –
     Evaluacion y Clasificacion
9    IT and Information Security Policies
10   IT Controls Questionnaire for Service Providers
11   Manual de Politicas Corporativas – Politica Antifraude y Abuso
12   Manual de Politicas Corporativas – Contratacion de Terceros
13   Manual de Politicas Corporativas – Retencion de Documentos
14   Protocolo Para el Cumplimiento Con Law FCPA



 

 

 

Schedule J1

 






TSA P&P #: CL-009 Page 1 of 10



 



 














Policy and Procedure

 

Title: Part C-Medicare Secondary Payer

Department: Claims Department

Additional Areas of Impact: Enrollment, Finance Legal and Pharmacy Department

Effective Date: 1/1/2015

Date Last Amended: 8/26/2016

Reference:

· Medicare Managed Care Manual - Chapter 4 Benefits and Beneficiary
Protections (Rev. 121, 4-22-2016)

· 42 CFR 422.108 Medicare as Secondary Payer (MSP) Procedures

Approved by: Ricardo Rivera Martínez, Claims Director

Date: 9/14/2016

 









Policy Statement

 

Triple-S Advantage does not pay for services to the extent that a third party
is required to be the primary payer. It identifies payers that are primary to
Medicare and the amounts payable by those payers, and coordinates its benefits
to Medicare enrollees with the benefits of the primary payers, in compliance
with the "Omnibus Budget Reconciliation Act of 1980", which turned Medicare
into a secondary payer under specific conditions.

 

Purpose

 

To guarantee that Triple-S Advantage will apply the Medicare Secondary Payer
rules when receiving a claim of a member with other health insurance or a
liability insurance policy; to prevent payments of medical services when there
is another health plan as primary payer.

 

Definitions

 

1. Coordination of Benefits (COB): is a program which determines which plan or
insurance policy will issue primary payment when two insurance companies cover
the same benefits. If one of the plans is a Medicare Health Plan, Federal Law
establishes which plan is the Primary Payer. It is the process of determining
the respective responsibilities of two or more health care insurance plans that
have financial responsibility over a medical claim.

2016 TSA Policy and Procedure Template. Hardcopies of this document are
considered uncontrolled, for the latest version
please refer to Compliance 360 or contact Compliance Department through:
TSACompliance@sssadvantage.com

 

2. Electronic Correspondence Referral System (ECRS): allows authorized users at
Medicare contractor sites and authorized CMS Regional Offices (ROs) to fill out
various online forms and electronically transmit requests for changes to
existing CWF MSP information, and inquiries concerning possible MSP coverage.
Transactions are automatically stored on the Coordination of Benefits (COB)
contractor’s system. Each evening, a batch process reads the transactions and
processes the requests. The status of each transaction is updated as it moves
through the system.

 

3. Explanation of Benefits (EOB): is a document issued by the Insurance Plan
that describes services rendered to a member and billed to the plan. The EOB is
issued to notify him/her of the results of the claim’s payment or denial
evaluation process. The Medicare Advantage Plan must issue the Appeals Language
in the EOB when services are denied to the member.

 

4. Group Health Plan (GHP): is a health plan which provides coverage to
employees, retired employees and their families; and is financially supported by
an employer or employee organization. The determination for application of
Medicare Secondary rules is based on the number of employees of the plan.

 

5. Liability Insurance: is an insurance (includes self-insurance plan) that
provides a payment based on legal liability, illness or damages to property. It
includes but is not limited to: automobile insurance, uninsured and
under-insured motorist insurance, homeowner’s liability, malpractice insurance,
product liability insurance, and general casualty insurance. It also includes
payments under State wrongful death statutes that provide payment for medical
damages.

 

6. Medicare Secondary Payer (MSP): is the term generally used when the Medicare
program does not have primary payment responsibility - that is, when another
entity has the responsibility for paying before Medicare. Medicare is secondary
payer in the following situations:



a. Working Aged



· Beneficiaries over 65 years.



· If the beneficiary has Employer Group Health Plan (EGHP) coverage by virtue
of the individual’s current employment status or the current employment status
of the individual’s spouse.

 


 

· The employer should have 20 or more employees.



b. Disabled



c. Beneficiaries under 65 years.



· That received Medicare benefit based on disability.



· Whose large group health plan (LGHP) coverage is based on the individual’s
current employment status of the spouse or a family member.



· The employer should have 100 or more employees.



d. Worker’s Compensation



· Medicare is secondary payer for medical services that were related to a work
injury.



e. Auto No-Fault / Liability



· Medicare is secondary payer for those medical services that were related to a
car injury covered by the ACAA or services payable under no-fault or liability
insurance.



f. ESRD (End Stage Renal Disease)



· Medicare is secondary payer to GHPs for individuals eligible for or entitled
to Medicare benefits based on ESRD during a coordination period of 30 months.

 

7. Primary Payer: An insurance policy, plan, or program that pays first on a
claim for medical care. This could be Medicare or other health insurance.
Medicare is primary payer in the following situations:





a. Individual has ESRD, is covered by COBRA and is after the first 30 months of
eligibility or entitlement to Medicare



b. Individual is disabled and covered by Medicare & COBRA

 







8. Subrogation: is the substitution of one person or entity for another.

 

Procedure

 

A. Claims Department receives the UB04 and CMS1500 claim forms and enters the
claim data in the HealthSuite System. Claims Analyst will verify the following
in the UB04 and 1500 Health Insurance Claim Form:



1. System reason codes with possible additional payers



2. Membership information on the system



3. Trauma and occupational illness diagnosis codes



4. MSP data on the claim



5. Claim indicators that the services were related to an accident



6. Patient history showing claims for ambulance or trauma related services



7. Claims documents that may include an Explanation of Benefits (EOB) from other
insurance

 




 



B. A rule was created with the clearing house to detect whether a claim has any
entry in item #10 (Is Patient’s Condition Related To) of the 1500 Claim Form
that indicates “yes”: A: employment, B: auto accident or C: other accident. The
provider will receive a Remittance Advice (277 form) with the Status Code
Related Causes Code (Accident, auto accident, employment).



1. The provider must submit the claim to the primary insurance.

 

C. In the UB04 claim form other insurance that may be the Primary Payer to
Medicare is identified as follows:



1. A trauma related ICD-9/ICD-10-CM code is shown; or



2. A Value Code (VC) in items 39-41:

 

Code  Description

12    Working aged beneficiary/spouse with an EGHP (beneficiary over 65).
      Beneficiary must have Medicare Part A entitlement (enrolled in Part A)
      for this provision to apply. Primary Payer Code = A.

13    ESRD beneficiary with EGHP in MSP/ESRD 30-month coordination period.
      Primary Payer Code = B.

14    No-Fault including automobile/other. Examples: Personal injury protection
      (PIP) and medical payment coverage. Requires Occurrence Code-OC 01 or 02
      with date of accident/injury. Primary Payer Code = D. If filing for a
      Conditional Payment, report with Occurrence Code 24.

15    Workers Compensation (WC). Requires Condition Code-CC 02 and OC 04 with
      date of accident/injury. Primary Payer Code = E. If filing for a
      Conditional Payment, report with Occurrence Code 24.

16    Public health services (PHS) or other federal agency. Conditional billing
      does not apply. Primary Payer Code = F.

41    Federal Black Lung (BL) Program. Primary Payer Code = H.

42    Veterans Administration (VA). Conditional billing does not apply. Primary
      Payer Code = I.

43    Disabled beneficiary under age 65 with an LGHP. Beneficiary must have
      Medicare Part A entitlement (enrolled in Part A) for this provision to
      apply. Primary Payer Code = G.

44    Amount provider was obligated/required to accept from a primary payer as
      payment in full due to contract/law when that amount is less than charges
      but higher than amount actually received. An MSP payment may be due.
      Note: When applicable, this Value Code is reported in addition to MSP
      Value Code.

47    Any Liability Insurance. Requires Occurrence Code-OC 02 with date of
      accident/injury. Primary Payer Code = L. If filing for a Conditional
      Payment, report with Occurrence Code 24.

 

3. An Occurrence Code (OC) in items 31 to 34:

 

Code  Description

01    Accident/Medical Payment Coverage – Date of accident/injury for which
      there is medical payment coverage. Reported with Value Code-VC 14 or
      VC 47. If filing for a Conditional Payment, report with Occurrence
      Code 24.

02    No-Fault Insurance (including automobile and other accidents) – Date of
      accident/injury for which the state has applicable No-Fault laws.
      Reported with Value Code-VC 14 or 47. If filing for a Conditional
      Payment, report with Occurrence Code 24.

03    Accident/Tort Liability - Date of an accident/injury resulting from a
      third party's action that may involve a civil court action in an attempt
      to require payment by third party, other than No-Fault. Reported with
      Value Code-VC 47.

04    Accident/Employment-Related - Date of an accident/injury related to
      beneficiary's employment. Reported with Value Code-VC 15 or VC 41. If
      filing for a Conditional Payment, report with Occurrence Code 24.

05    Accident/No Medical Payment, No-Fault or Liability Coverage – Date of
      accident/injury for which there is no Medical Payment or other
      third-party liability coverage

06    Crime victim - Date on which a medical condition resulted from alleged
      criminal action committed by one or more parties

18    Date of retirement (beneficiary)

19    Date of retirement (spouse)

24*   Date Insurance denied - Date of receipt of a denial of coverage by a
      higher priority payer. This could be date of primary payer's Explanation
      of Benefit (EOB) statement, letter or other documentation. Date is
      required on all Conditional Payment claims.

25    Date Coverage No Longer Available – Date on which coverage, including
      Workers' Compensation benefits or No-Fault coverage, is no longer
      available to beneficiary

33    First day of MSP ESRD coordination period for ESRD beneficiaries covered
      by an EGHP

 

4. A Condition Code (CC) in items 18 to 28:

 

Code Description 02 Condition is employment related 06 End-stage renal disease
(ESRD) beneficiary in first 30 months of eligibility/entitlement covered by an
employer group health plan (EGHP) 08 Beneficiary refused to provide information
concerning other insurance coverage

2016 TSA Policy and Procedure Template. Hardcopies of this document are
considered uncontrolled, for the latest version
please refer to Compliance 360 or contact Compliance Department through:
TSACompliance@sssadvantage.com

 





CONFIDENTIAL TREATMENT REQUESTED. INFORMATION FOR WHICH CONFIDENTIAL TREATMENT
HAS BEEN REQUESTED IS OMITTED AND MARKED WITH “[***]”. AN UNREDACTED VERSION OF
THE DOCUMENT HAS ALSO BEEN FURNISHED SEPARATELY TO THE SECURITIES AND EXCHANGE
COMMISSION AS REQUIRED BY RULE 24B-2 UNDER THE SECURITIES EXCHANGE ACT OF 1934,
AS AMENDED.

 

FINAL EXECUTION VERSION

 



TSA P&P #: CL-009 Page 7 of 10



 



09 Neither the beneficiary nor spouse is employed 10 Beneficiary and/or spouse
is employed but no Employer Group Health Plan (EGHP) 11 Disabled beneficiary
and/or family member is employed but no Large Group Health Plan (LGHP) 28

Beneficiary's and/or spouse's Employer Group Health Plan (EGHP) is secondary to
Medicare. Beneficiary and/or spouse are employed and there is an EGHP that
covers beneficiary but either:

 

1.    EGHP is a single employer plan and employer has fewer than 20 full- and/or
part-time employees

 

2.    EGHP is a multi- or multiple-employer plan that elects to pay secondary to
Medicare for employees and spouses aged 65 and older for those participating
employers who have fewer than 20 employees

29 Disabled beneficiary and/or family member's Large Group Health Plan (LGHP) is
secondary to Medicare. Beneficiary and/or family member(s) are employed and
there is a LGHP that covers beneficiary but either:

 

1.    LGHP is a single employer plan and employer has fewer than 100 full-
and/or part-time employees

 

2.    LGHP is a multi- or multiple-employer plan and all employers participating
in plan have fewer than 100 full- and/or part-time employees

63 Services rendered to beneficiary in state or local custody (prisoner) meets
requirements of 42 CFR 411.4(b) for payment

77 Provider accepts or is obligated/required, due to a contractual
arrangement/law, to accept payment by primary payer as payment in full (and that
amount has been received and no Medicare payment is due). MSP claim is being
filed because claim is an inpatient claim or claim is an outpatient claim and
the beneficiary has not yet met his/her annual Medicare Part B deductible.

D7 Change to make Medicare the secondary payer (report on adjustment when
original




 





claim was processed as a Medicare primary claim, conditional claim or was
rejected for MSP).

D8 Change to make Medicare the primary payer (report on adjustment when original
claim was processed as an MSP claim or as a conditional claim).

D9 Any other change (report on adjustment claim when original claim was rejected
for MSP but Medicare is primary or when original claim was processed as an MSP
or conditional claim and a change needs to be made to the claim such as a change
in the MSP Value Code amount).

 

D. If item 50-Payer Name of the UB04 is completed with another payer and the
information needed for payment is on the claim, the Claim Analyst will pay the
lowest of:



1. The gross amount payable by TSA less any deductible or coinsurance amount;
or,



2. The gross amount payable by TSA minus the amount paid by the primary payer
for TSA covered services; or,



3. The provider's charges, minus the amount paid by the primary payer for TSA
covered services; or



4. The provider's charges minus the applicable TSA deductible and/or coinsurance
amounts.



5. Condition Code-CC 08 is shown on the claim;



6. Claim with primary insurer identification, no primary payer amounts, and
nothing indicated in remarks item;



7. MSP claim filed with very low primary payment (investigate for possible
keying error with provider to ensure accurate payment amount);



8. Trauma diagnosis, and claim does not show Occurrence Code-OC 05 and date nor
remarks;



9. Retirement dates same as dates of service (i.e., improper use of Occurrence
Codes-OC18 and 19);



10. Occurrence Codes-OC 01-04 used, but not MSP claim. No Occurrence Code-OC 24
or remarks

 

E. If item 50-Payer Name of the UB04 is completed with another payer but the
claim lacks information, TSA will deny the claim, requesting the missing data.



1. When the information is received the Claim Analyst completes the adjudication
of the claim.



2. No primary payment will be made where a GHP denies payment for particular
services because:



a. The services are not covered by the plan, and there is reason to believe the
plan does cover the services;

 


 



b. The plan offers only secondary coverage of services covered by Medicare.
Primary benefits may not be paid in this situation even if the GHP has only
collected premiums for secondary rather than primary coverage. Where a GHP has
denied the claim because the plan provides only secondary coverage, TSA will
deny the claim.



c. The plan limits its payments when the individual is entitled to Medicare;



d. The services are covered under the EGHP for younger employees and spouses but
not for employees and spouses age 65 or over;



e. The provider fails to file a proper claim for any reason

 

F. If a primary payer is detected after the claim was paid, the claim will be
adjusted to offset future payments to the provider by a recurrent recovery
process and the provider will be authorized to bill the primary payer. This
process will be performed weekly by the Recovery Unit.

 

G. Recovery Unit will generate a weekly report through Reporting Services which
combines members with MSP - TPL indicator from the Electronic Correspondence
Referral System (ECRS) and Health Suite eligibility. This report will match the
claims paid with TPL accident related diagnosis during the same period.

 

H. Once the Recovery Examiner identifies possible cases to be recovered, the
Analytics Unit will perform a proper investigation following the coordination of
benefits investigation guidelines set forth by CMS. This investigation includes
contact with the member, communication with the Third Party Liability Insurance
(TPL) and evaluation of Medical Records, among others.

 

I. Once the Analytics Unit confirms that the information in the MSP-TPL report
was correct, including the period and the condition, the Recovery Unit will
recoup the claims that apply to the TPL and cases will be referred to:



1. Pharmacy Department for their TPL recoup process with the PBM



2. Legal Department for the subrogation process



3. Finance Department for the re-adjudication, evaluation and impact of the
cases in the Risk Adjustment Processing System (RAPS), Encounter Data System
(EDS) and Prescription Drug Event (PDE).

 

J. TSA will include Third Party Liability and Coordination of Benefits
information in the eligibility report sent monthly to all delegated entities to
prevent overpayments. Delegated entity will perform recoveries of the
overpayments and re-adjudications.



1. FDRs will submit the results to Claims Manager in no more than 45 days after
they are performed.



2. Claims Department will perform quarterly monitoring of the FDRs' MSP-TPL and
Coordination of Benefits process.

 


 

 

Supporting Documents

 

· N/A

 

Review and Revision History

 

Date: 8/26/2016
Sections Affected: Policy name and procedure
Reason for Change: New process
Reviewer: Maritza Pérez


 



Schedule J2

 

 

 


 

TSA P&P #: CL-033 Page 1 of 4



 

 





 


 

Policy and Procedure

Title: Payment Dispute Process for Non Contracted Provider

Department: Claims

Additional Areas of Impact: Customer Service, Contracting, Provider Relations,
Medical Management, Network Management

Effective Date: 5/9/2016

Date Last Amended: 5/9/2016

Reference:

Providers Payment Dispute Resolution Contractor (PDRC)

CMS Memo of April 15, 2015 – MA Payment Guide for Out of Network Payments

Policy # CL-023: Payment Process of Non-Contracted Non Clean Claims and CL-033:
Payment Dispute Process

Approved by: Ricardo Rivera Martínez, Claims Director

Date: 5/9/2016

Policy Statement

 

TSA has a process to review non-contracted providers' payment disputes for
instances where a non-contracted provider contends that the amount paid for
covered services is less than the amount that would have been paid under
original (traditional) Medicare or where a non-contracted provider disagrees
with TSA's decision to pay for a different service than billed, often referred
to as down-coding of a claim.

 

Purpose

 

To establish a procedure for claim payment disputes requested by non-contracted
providers.

 

Definitions

 

1. Non-Contracted Provider: A provider for whom/which there is no signed
contract agreement between the provider and Triple S Advantage.

 

2. Payment Dispute: Any decision where a non-contracted Medicare health plan
provider contends that the amount paid by the Medicare health plan for a
Medicare covered service is less than the amount that would have been paid under
Original Medicare. Non-contracted provider claim payment disputes also include
instances where there is a disagreement between a non-contracted Medicare health
plan provider and the Medicare health plan about the plan’s decision to pay for
a different service or level than that billed. The dispute process does not
include:

 

· Payment denials that result in zero payments



· Payment disputes for contracted providers



· Local and National Coverage Determinations



· Medical necessity determinations



· A non-contracting provider requesting payment in full



· Claims denied for timely filing



· Claims denied as not prior authorized



· Misdirected claim submissions

 



 

 








 



 



Procedure

 

A. Request a Payment Dispute

 

1. The non-contracted provider’s payment dispute is received by mail or hand
delivery to:

 

Triple-S Advantage, Inc. 

Claims Department



Re: Provider Payment Dispute



PO Box 11320



San Juan, Puerto Rico 00922

 

2. The Payment Dispute request must be filed within a minimum of 120 calendar
days following the notice of initial determination and must include any related
documentation including but not limited to:

 

a. Non Contracted Provider Payment Dispute Form (see attachment 1)



b. Explanation of Payment (EOP)



c. 1500/UB-04 Form



d. Waiver or the Liability Letter, if available (see attachment 2)



e. Any supporting document that helps to resolve the provider dispute

 

B. Registration of dispute payment request

 

1. Payment Dispute requests are registered by the Claims Clerk in a Dispute Log
(see Attachment 3) stored in the Claims Department Folder: J:\Claims Dispute Non
Contracted Provider, and stamped according to received date.

 

a. As part of the registration the Claims Clerk has to identify if it is a First
Level Payment Dispute or a Payment Dispute Committee Review Request.

 

2. Once the Claims Clerk registers the dispute in the log, he/she scans all
documentation, creates an electronic file in the shared folder of the Unit and
sends an email to the Claims Supervisor to communicate the dispute received.

 

a. If it is a First Level Dispute, the Claims Supervisor is responsible for
assigning the dispute to a Claims Analyst who was not involved in the initial
determination; refer to Section (C) of this policy and procedure.



b. If it is a Payment Dispute Committee Review Request, refer to Section (D) of
this policy and procedure.

 

3. The Claims Supervisor is responsible for monitoring the log weekly to ensure
the turnaround time in order to guarantee compliance.

 

C. First Level Payment Dispute

 

1. The assigned Claims Analyst reviews all the documentation and identifies if
the Payment Dispute request needs additional information for determination.

 







 

 








 






 

a. The Claims Analyst must contact via phone call or in writing (see attachment
4) the non-contracted provider in order to request the missing information.



b. The non-contracted provider has 14 calendar days to submit the requested
information.



c. Any attempt to contact the non-contracted provider is documented in the
Claims Dispute Log.

 

2. Once the Claims Analyst has all the required documentation, he/she has 30
calendar days to make a determination with regards to the Payment Dispute.

 

a. If the decision is favorable, the Claims Analyst processes the Payment
Dispute, notifies the non-contracted provider orally or in writing about the
decision, and documents the resolution and the notification date in the Dispute
Log.



b. If the decision is adverse, the Claims Analyst sends a letter (see attachment
5) to the non-contracted provider to communicate the decision, including the
reason and the rights to request a Payment Dispute Committee Review, and
documents the resolution and the notification date in the Dispute Log.

 

D. Payment Dispute Committee Review Request

 

1. The non-contracted provider has 120 calendar days from the First Level
determination date to request a Payment Dispute Committee Review.

 

2. The Claims Supervisor has 30 calendar days to present the case to the
Providers Committee to make a determination.

 

a. Upon the determination, the Claims Supervisor assigns the Payment Dispute to
the Claims Analyst in order to:

 

i. If it is favorable: process and notify the non-contracted provider by phone
and document the resolution and date of completion in the Dispute Log.

 

ii. If it is adverse: send a letter (see attachment 6) to the non-contracted
provider to communicate the decision including the reason and the rights to
request a Second Level Payment Dispute and document the resolution and
notification date in the Dispute Log.

 

E. Second Level Payment Dispute:

 

1. If the non-contracted provider disagrees with the Payment Dispute Committee
Review determination, she/he may file a complaint with 1-800-MEDICARE.

 

2. TSA must process the CMS determination in accordance with CMS requirements.

 

Supporting Documents:

 

Attachment 1: Non Contracted Provider Payment Dispute Form



Attachment 2: Waiver or the Liability Letter



Attachment 3: Dispute Log



Attachment 4: Request to Additional Information Letter



Attachment 5: Adverse First Level Payment Letter



Attachment 6: Adverse Second Level Payment Letter

 







 

 








 




 

Review and Revision History

 

Date: 05/04/2016
Sections Affected: All policy and procedure
Reason for Change: Reorganization of the process
Reviewer: Maritza Perez



 

 

 

 

 

 



Schedule J3

 




 



TSA P&P #: CL-034 Page 1 of 5



 



Policy and Procedure

Title: Claims Universe Request

Department: Claims Department

Additional Areas of Impact: Delegated Entities (APS, Net Claim, TNPR)

Effective Date: 7/5/2016

Date Last Amended:

Reference:

 

·    CMS Part C Organization Determinations, Appeals and Grievances (ODAG) Audit
Process and Data Request (2015-2016 v.100815)

 

·    Prescription Drug Benefit Manual, Chapter 9 and Medicare Managed Care
Manual Chapter 21 – Compliance Program Guidelines; Section 50.6 Element VI:
Effective System for Routine Monitoring, Auditing and Identification of
Compliance Risks Rev. 01-11-2013

 

Approved by: Ricardo Rivera Martínez, Claims Director

Date: 8/22/2016

Policy Statement

 

TSA Claims Department implements a validation and monitoring process to
ascertain, test and confirm that universe data from Triple-S Advantage and the
Delegated Entities are accurate and in compliance with Medicare regulations, as
well as internal policies and procedures regarding the universe submission per
CMS Audit protocols.

 

Purpose

 

Establish a formal procedure to generate the universe for claims in TSA and the
Delegated Entities (APS, Net Claim and TNPR) in order to assure compliance with
the requirements and guidelines established in the CMS Part C Organization
Determinations, Appeals, and Grievances (ODAG) Audit Process and Data Request,
and to produce and submit appropriate universe records.

 

Definitions

 

1. Centers for Medicare and Medicaid Services (CMS): The agency within the U.S.
Department of Health and Human Services responsible for the Medicare, Medicaid
and the Children’s Health Insurance Programs.

 

2. Delegated entity: An entity that assumes, by contract, the performance of an
activity covered under these standards for which the organization is
responsible. The delegated entities are commercial entities, not individuals.

 

3. FDRs: First Tier, Downstream and Related Entities.



 






 







a. First Tier Entity: Any party compliant with local and federal regulations
(including CMS and ASES) that enters into a written arrangement with Triple S to
provide administrative or health care services to a member.

 

b. Downstream Entity: Any party compliant with local and federal regulations
(including CMS and ASES) that enters into a written arrangement with persons or
entities involved with Triple S below the level of the arrangement between the
Plan and a first tier entity. These written arrangements continue down to the
level of the ultimate provider of both health and administrative services.

 

c. Related Entity: means any entity compliant with local, federal regulations
(including CMS, and ASES) that is related to Triple S by common ownership or
control and

 

i. Performs some of the Plan’s management functions under contract or
delegation;

 

ii. Furnishes services to enrollees under an oral or written agreement; or

 

iii. Leases real property or sells materials to Plan at a cost of more than
$2,500 during a contract period.

 

4. Monitoring Activities are regular reviews performed as part of normal
operations to confirm ongoing compliance and to ensure that corrective actions
are undertaken and effective.

 

5. Protocols: Guidelines to ensure universe submission accuracy.

 

6. Universe: Report of organizational determination processed on a determined
timeframe.

 

Procedure

 

1. Claims Department certifies and guarantees through a validation process that
each Delegated Entity and TSA are following the guidelines and requirements
established by CMS in the protocols, and includes methods in which data will be
gathered and compiled from delegated entities.

 

2. The universe validation process will be performed by the Claims Auditor
and/or Claims Manager in coordination with the delegated entities on a monthly
basis, to assure that each delegated entity and the Claims Department have their
processes to generate the universe up to date with CMS changes, as well as to
ensure the compliance, completeness and accuracy of the data included.

 

a. The validation procedures will be performed on a monthly basis for a three
(3) month period or until 100% threshold is reached, whichever occurs later.

 

b. By the end of this period, the monitoring efforts will be performed every six
(6) months.

 










 





c. TSA Claims universe will be generated by Claims Coordinator using Reporting
Service Portal and request for universe submission will be sent to the Delegated
Entities. Delegated Entities will have one week to submit the Universe.

 

d. A sample of 25 random cases will be selected from each universe layout in
order to validate that the universes are accurate. Delegated Entities (TNPR and
APS) will be required to submit print screens of the claims in their system,
and letters and checks sent to members and providers, in a timeframe of 72
hours.

 

3. The validation process will consist of the following analysis:

 

a. Includes denied claims for both contracted and non-contracted providers

 

b. Partially paid claims are considered denied

 

c. Includes approved claims for non-contracted providers

 

d. Exclusion of all direct member reimbursement (DMR), duplicate claims,
adjustments, claims denied for billing errors, eligibility and recoupments

 

e. Claims submitted correspond to the period requested

 

f. If a claim has more than one line, all items should be included with a
maximum length

 

g. The name, length and description of the fields in accordance with the protocol

 

h. If the rationale of one column with another is correct

 

i. Timeliness of the determination and/or mailing date

 

j. Accuracy in appeal member and provider language

 

4. Claims processing validation will consist of the following:

 

a. If the claims were processed within Medicare timeframes (non-contracted
providers should be determined in less than 60 days)

 

b. If the determination is adverse, was the letter with appeal rights sent to
members and providers?

 

c. If the determination is favorable, did the provider receive the correct
amount of reimbursement?

 

d. If adverse, was the non-contracted provider development process followed?

 

5. Claims Auditor will have a week to validate the information submitted and
share the results and findings with the responsible parties of the delegated
entities (Refer to Attachment #1).

 

a. If the audit results in any finding, the Delegated Entity will have to
correct the issue in a timeframe determined by TSA.

 

b. This document will be sent to Compliance Department for their records.

 










 





Supporting Documents

 

P&P Attachments:

 

· Attachment 1: TSA Delegated Entity Audit Results Notification Template

 

Claims Department P&P’s:

 

· CL-002: Professional Claims Adjudication

 

· CL-003: Institutional Claims Adjudication

 

· CL-015: Claims Payments and Denials

 

· CL-025: Claims Quality Audit Process

 

Compliance Department P&P’s:

 

· COMP-006: Internal Compliance Audit and Monitoring Process

 

Review and Revision History

  

Date: 7/7/2016
Sections Affected: All policy and procedure
Reason for Change: New Policy & Procedure
Reviewer: Maritza Pérez

 








 





Attachment 1: TSA Delegated Entity Audit Results Notification Template

 

[image_003.jpg]

 


















 

 

 

 

Schedule J4

 

 








 



MESSAGE FROM THE CHAIRMAN OF THE BOARD OF DIRECTORS AND THE PRESIDENT AND CEO OF
TRIPLE-S MANAGEMENT CORPORATION

 

Dear Colleague:

 

Our success as a Corporation is founded on the decisions we make. Every day, we
face challenges that need to be addressed with the highest ethical standards.
Ethical behavior is more than safeguarding our reputation or avoiding legal
issues. We must do what is right. This Code of Business Conduct and Ethics,
together with our policies and corporate guidelines, sets our standards for
appropriate conduct. Read the Code in its entirety and refer to it often. Look
in it for guidance whenever you are uncertain about any decision you are about
to make. We are committed to integrity. We value our Corporation, customers and
shareholders. By translating the principles of this Code into actions we will
continue to achieve our goals. Thank you for joining us in this effort!

 

Luis A. Clavell Rodriguez, MD
Chairman
Board of Directors

Ramón Ruíz-Comas
President and CEO
Triple-S Management Corporation

 

 

 

 

 


 

Code of Business Conduct and Ethics

 



OUR VALUES

 

We RESPECT people and APPRECIATE their involvement.

 

We contribute to the DEVELOPMENT and WELL-BEING of our employees.

 

We value TEAM WORK.

 

We believe in INTEGRITY and ETHICAL BEHAVIOR in all our actions.

 

We believe PROACTIVITY, CREATIVITY and INNOVATION give us a competitive edge.

 

We believe in EXCELLENCE when serving our constituents.

 

We encourage EFFICIENCY and EFFECTIVENESS.

 

We promote the QUALITY OF LIFE in the communities we serve.

 

NOTE: This Code is part of the Corporation’s Compliance Program and is an
important part of its internal control structure.

 

 


  

OVERVIEW

 

Triple-S Management Corporation

 

Triple-S Management Corporation and its subsidiaries (collectively referred to
as the “Corporation”) are committed to integrity, ethical behavior and
professionalism in all areas. All employees, agents, officers, directors,
consultants and independent contractors must respect and comply with all laws,
rules and regulations applicable to the Corporation. This Code of Business
Conduct and Ethics (“Code”) is intended to help us prevent and detect any
illegal, improper and unethical conduct within the Corporation and to promote
effective business controls. This Code is part of the Corporation’s Compliance
Program and is an important part of its internal control structure.

 

Who must follow the Code

 

This Code applies to all directors, officers, employees, agents, consultants and
independent contractors of the Corporation at all times, anywhere throughout the
world. Each one of us should read the Code in conjunction with any other policy,
manual or handbook that applies to our respective jobs. Independent contractors
are not employees of the Corporation, but their adherence to this Code is
important because integrity, ethical behavior and respect to every individual
shall permeate every activity in which we are involved.

 

Violations of this Code are subject to disciplinary, civil or legal action,
including but not limited to termination of employment. In some cases, civil and
criminal penalties may apply. Because of the significant legal and ethical
consequences of noncompliance with the Code, disciplinary action may be taken
with respect to not only those who violate the Code, but also those who –
through lack of diligence or supervision – fail to prevent or report violations.
This Code does not summarize all the laws, rules and regulations applicable to
the Corporation, but it sets forth the behavioral expectations and guidelines
for how we should conduct business.

 

Please consult with the Legal Affairs Office of TSM (hereinafter referred to as
the “Legal Affairs Office”) if you have any questions related to this Code.
Also, refer to the various corporate policies and guidelines which the
Corporation has prepared regarding specific laws, rules and regulations.

 


 

OUR RESPONSIBILITY

 

We are all responsible for knowing, understanding and complying with this Code
as well as with all the Corporation’s policies and procedures. The guidelines
set forth in the Code should be used in conjunction with the policies and
procedures of the Corporation including the Corporate Policies Manual, the
Employee Handbook and other departmental or administrative procedures. While
there may be some overlap, the Code does not replace or supersede any portion of
the Employee Handbook not addressed by the Code. The detailed Corporate Policies
Manual is available in its entirety to all employees on the Intranet. Any
questions regarding specific employment related policies may be directed to your
manager or the Human Resources Division staff. Consultants and independent
contractors may request a copy of any applicable policy from their respective
contact within the Corporation.

 

NOTE: We are all responsible for knowing, understanding and complying with this
Code as well as with all the Corporation’s policies and procedures.

 

 


 

ETHICAL CULTURE

 

This Code cannot possibly address every potential situation or issue we may
face, so it’s important to understand the principles behind the Code and how to
apply them. We must act honestly and ethically to safeguard the Corporation’s
integrity.

 

If you have questions, you are encouraged to discuss the issue with your
supervisor, speak with your designated Human Resources Representative, your
Compliance Officer or contact the Legal Affairs Office for help and advice.

 

You should never engage in a dishonest or illegal act, even if directed to do so
by a supervisor, other employee, consultant or independent contractor. You
should immediately report any request to engage in a dishonest or illegal act to
your supervisor, your Compliance Officer or the Legal Affairs Office of TSM.

 

Compliance with our Code and other policies is subject to audit. The
Vice-President of the Office of Internal Audit will periodically report to the
Audit Committee of the Board of Directors of Triple-S Management Corporation in
compliance with the Code.

 

Consider your actions and ask for guidance. If you are uncertain about a course
of conduct, ask yourself:

 

· Is it consistent with the Code?

· Is it ethical?

· Is it legal?

· Will it reflect well on me and the Corporation?

· Would I want to read about it in the newspaper?

If the answer is “NO” to any of these questions, do not do it.

 


 

Directors’, Officers’ and Managers’ Responsibility

 

The managerial personnel (which include managers, directors, Vice-presidents,
officers and directors of the Corporation) play a key role in implementing the
Code and creating and sustaining a strong ethical work environment. This
includes:

 

· Understanding, accepting and enforcing the Code.

 

· Projecting an image of an ethical leader and maintaining a workplace
environment supportive of the Code.

 

· Educating employees in the meaning and application of the Code.

· Considering conduct in relation to the Code and policies when evaluating
employees or independent contractors.

 

Reporting Violations

 

We have the duty to report any known or suspected violation of this Code.
Reporting a known or suspected violation shows responsibility and fairness and
helps protect the Corporation’s reputation and assets. It is about sustaining a
place where we are all proud to work. We are all encouraged to speak to our
supervisor, manager, compliance officer or other appropriate officer regarding
any illegal or unethical behavior observed, any suspected violation of the Code
or questions about the best course of action to follow in a particular
situation whose legal or ethical nature is unclear. If you are aware of any
violations of this Code, or other illegal or unethical conduct that may have
occurred, we urge you to contact your supervisor, the Compliance Officer, the
Vice-President of the Office of Internal Audit or the Legal Affairs Office of TSM.
The Vice-President of the Office of Internal Audit and the General Counsel of
Triple-S Management Corporation or their designees will investigate any alleged
violations of our Code.

 

To report acts or suspicions of non-compliance with the Code or illegal
activities you may contact the following persons at Triple-S Management
Corporation:

 

Office of Internal Audit

Attention: Vice-President of Internal Audit



Address: P.O. Box 363628, San Juan, PR 00936-3628



Fax: (787) 277-6070                E-mail: crosich@ssspr.com



Legal Affairs Office

Attention: Corporate Compliance and Ethics Director



Address: P.O. Box 363628, San Juan, PR 00936-3628



Fax: (787) 749-4191                E-mail: dallende@ssspr.com




 

An ethics helpline and website are available for those people that seek guidance
or wish to report any known or suspected violation of the Code, in complete
confidentiality and without fear of retaliation. These resources are intended to
supplement existing internal communication channels and are not intended to
replace the management team.

 

Ethics and Compliance Help Line: (866) 384-4277 (Toll free) 

EthicsPoint Website: www.ethicspoint.com

 

The Ethics Point Helpline is available 24 hours a day, seven days a week. After
reporting a violation, you can expect that:

 

· A report will be filed and forwarded to the Audit Committee and the Office of
Internal Audit for follow up.

· The concern will be addressed by the appropriate personnel, which may include
representatives from Compliance and Ethics, Human Resources, Legal Affairs,
Security or Internal Audit. Each concern will be carefully evaluated before it
is referred for investigation or resolution.

· The concern will be handled promptly, discreetly and professionally.

· Certain follow-up information about how the concern was addressed may be
obtained upon request.

 

DUTY TO COOPERATE WITH INVESTIGATIONS

 

The Corporation expects the full cooperation of all employees, officers,
directors, agents and independent contractors during and after internal or
external investigations. This duty includes providing truthful and honest
information, giving verifiable facts and supporting documentation, and being
available to be questioned by internal or external investigating officers.

 

REPORTING ACCOUNTING, AUDITING AND INTERNAL CONTROL IRREGULARITIES

 

We are committed to complying with all rules and regulations regarding financial
and accounting reports that apply to the Corporation. If you have any concerns
or complaints regarding questionable corporate accounting, auditing practices or
internal control irregularities, you should submit those concerns or complaints
(anonymously or confidentially if desired) to the Audit Committee of the Board
of Directors, to any member of the Audit Committee or make a confidential report
to EthicsPoint, as identified in REPORTING VIOLATIONS, on pages 10 and 11.

 


 

NOTE: If you have any concerns or complaints regarding questionable corporate
accounting, auditing practices or internal control irregularities, you should
report them.

 

Example: Two employees on a business trip eat dinner at a restaurant.  One of
them pays for the meal and is reimbursed by the Corporation for the
expense.  The other employee takes a duplicate receipt and submits an expense
report for money he didn’t spend.  The second employee is disciplined because he
submitted a false expense report.

 

OBLIGATION OF LEGAL ADVISORS

 

All of the Corporation’s legal advisors should inform the General Counsel of
Triple-S Management Corporation and the Audit Committee regarding any violation
of the Securities and Exchange Commission (“SEC”) regulations. If that person or
entity does not act upon the evidence presented (adopting, as necessary, the
corresponding preventive measures or sanctions), the legal advisor could present
said evidence to the President and CEO of the Corporation or to the Audit
Committee.

 

WHAT TO DO IF YOU HAVE EXHAUSTED AVAILABLE REPORTING CHANNELS

 

You should report known or suspected violations to the Audit Committee when you
have exhausted available management channels or you are uncomfortable about
bringing an issue to your supervisor.

 

FAX: (787) 749-4148

 



WEBSITE: WWW.ETHICSPOINT.COM

 



POSTAL ADDRESS: P.O. Box 363628, San Juan, PR 00938-3628



 

NO DISCRIMINATION, NO RETALIATION

 

The Corporation will not discriminate or allow any retaliation against you from
or on behalf of the Corporation or any other persons because of reports or
complaints made in good faith or for participation in an investigation of
violations of this Code, any internal policies or procedures, or of any other
unethical or illegal behavior.

 




 



MAKING FALSE ACCUSATIONS

  

The Corporation will protect any employee or independent contractor who raises a
concern in good faith and honesty, but it is a violation of our Code to
knowingly make a false accusation.

 

CONFIDENTIALITY

 

Confidentiality, including keeping the informant’s identity anonymous, will
be protected, subject to applicable laws, regulations and/or legal proceedings.
You are expected to fully cooperate during an internal, external and/or
government investigation.

 

CONSEQUENCES OF NON-COMPLIANCE

 

Any person who violates this Code or other internal policies and procedures of
the Corporation is subject to corrective actions, up to and including
termination of employment or contract. The degree of the corrective action will
depend on the nature and circumstances of the violation. Some violations, such
as those listed below, may be so serious that they warrant immediate
notification to government authorities before, or simultaneously with, the
beginning of an internal investigation:

 

· The incident is a clear violation of civil or criminal law.

· It has a significant adverse effect on the quality of care provided to
participants and beneficiaries.

· It presents a pattern of a systematic failure to comply with applicable laws
or contractual obligations.

 


 

REPORTS TO THE SECURITIES AND EXCHANGE COMMISSION (SEC)

 

As a Corporation that files reports with the SEC, it is important that reports
submitted to the SEC be accurate and timely. Depending on your position within
the Corporation, you may be called upon to provide necessary information to
ensure that the Corporation’s public reports are complete, fair, accurate,
timely and understandable. The Corporation expects you to take this
responsibility very seriously, providing correct and rapid responses to
questions regarding the Corporation’s public disclosure requirements.

 


 

WORK ENVIRONMENT

 

OPEN DOOR POLICY

 

You are encouraged to communicate any idea or concern directly to management. It
is important that you speak up promptly, so your ideas or concerns can be
addressed. You can contact your Human Resources representative or the Legal
Affairs Office of TSM for guidance if you think your supervisor cannot address
your idea or concern or if you think your supervisor is part of the problem.

 

EQUAL EMPLOYMENT OPPORTUNITY, NON-DISCRIMINATION AND HARASSMENT

 

It is our policy to foster a positive, productive work environment that promotes
equal employment opportunity and prohibits discriminatory practices.

 

The Corporation is an equal opportunity employer. The Corporation forbids all
forms of discrimination and makes employment decisions based upon an individual's
qualifications, skills, and performance, without regard to race, color, sex,
age, disability, veteran status, religion, national origin, ancestry, sexual
orientation, or any characteristic protected by applicable law. Retaliation
based on your report or complaint of discrimination is prohibited. You should
promptly report perceived retaliation to your Human Resources representative.
The Corporation will take appropriate disciplinary action against any individual
who is proven to have taken adverse action against you based on your complaint or
report of alleged discrimination.

 

It is the Corporation’s policy that you, our customers, vendors, and visitors
enjoy a positive, productive, and respectful environment that is free from
harassment. Harassment, whether verbal, physical or related to the work
environment, is unacceptable. The Corporation encourages the reporting of all
incidents of harassment, regardless of who the offender may be. Retaliation
against you, a customer, vendor, or visitor who in good faith alleges harassment
will not be tolerated. All complaints of harassment or retaliation will be
investigated and appropriate disciplinary or corrective actions will be taken.

 

EXAMPLE: Today Mario has been telling racial jokes that are inappropriate for
the workplace and offend me and other coworkers.  What can I do? You should tell
Mario that his jokes offend you.  If you’re not comfortable doing so, talk to
your supervisor or contact your human resources representative.  Mario’s
behavior is creating a hostile environment for you, and that could therefore
constitute harassment.




 

Alcohol and Drug-Free Workplace

 

We are committed to providing an alcohol and drug-free workplace, which helps
facilitate a safe and healthy work environment. None of us shall report to work
under the influence of alcohol and/or illegal drugs. Additionally, you shall not
manufacture, distribute, sell or be in possession of illegal drugs or prohibited
substances. Unlawful substances are not to be stored in your vehicle while at
the premises owned or controlled by the Corporation.

 

Searches of property owned or controlled by the Corporation may be conducted at
any time, including property used by or in the possession of any employee, agent,
officer, director, consultant or independent contractor. The Corporation may also take
all legal and reasonable steps to search employees, agents, officers, directors,
consultants and independent contractors and their property within the premises
owned and controlled by the Corporation.

 

EXAMPLE: José notices that María is acting strangely after her lunch.  She does
not express her ideas in an understandable and coherent manner and is staggering
when she walks.  When José confronts her, she tells him she has the flu but he
smells alcohol on her breath. What should he do? José should report María to her
supervisor.  If María is under the influence of alcohol, she is creating a
safety hazard for herself and for those around her in the workplace.  This
behavior cannot be tolerated because it violates our Corporation’s policy.  

 

CORPORATE OPPORTUNITY

 

You are forbidden to:

· Make personal use of opportunities that in truth belong to the Corporation, or
which are discovered through corporate property, information, or position.

· Use corporate property, information or position for personal benefit.

· Compete with the Corporation.

 

You must promote the Corporation’s legitimate interests when the opportunity to
do so arises.

 

WORKPLACE HEALTH AND SAFETY

 

The health and safety of our people are of utmost importance to the Corporation,
which is committed to protecting the health and well-being of each employee. We
strive to protect our people, customers and the public from injury and illness
through our Health and Safety Program.

 

You are required to advise the Corporation of any work-related vehicle accident,
workplace injury, instance of non-compliance, or any situation which may
represent a risk of injury. When an unsafe condition, practice, or non-compliant
action is identified, prompt and appropriate action must be taken to correct the
condition and prevent it from happening again.

 

Workplace or domestic Violence

 

The Corporation will not tolerate acts of violence, threats, harassment,
intimidation, intentional or reckless destruction of property or other
disruptive behavior in its workplace, its premises or any other place at which
an event conducted or sponsored by the Corporation takes place.

 

If you witness, are the subject of, or have knowledge of a threatening behavior,
you should immediately report it to your supervisor, Compliance Officer, Office
of Corporate Security or the Human Resources Division.

 

Weapons

 

The Corporation prohibits any individual from keeping weapons on property owned
or controlled by the Corporation. In addition, weapons may not be kept in
vehicles parked at company owned or controlled parking lots. Weapons include,
but are not limited to, guns, knives and/or ammunition.

 

ENVIRONMENTAL PROTECTION

 

We are committed to conducting our business in a manner that protects the
environment. Our commitment includes the advancement of programs that promote
improvement of the environment, such as recycling. Everyone who is part of the
Corporation is expected to support our effort to maintain a leadership role in
protecting the environment.

 


 

ANTI-FRAUD POLICY

 

The Corporation has zero tolerance for fraudulent or illegal acts. Fraud is any
intentional conduct performed with the intent to misrepresent facts in order to
obtain a benefit to which the individual is not entitled. Fraud can be committed
by internal or external individuals. The Corporation is firmly committed to
complying with federal and local anti-fraud statutes. Consequently, it has an
adequate infrastructure to monitor, detect, investigate and refer to public
enforcement agencies any fraudulent or illegal activity.

 

Keep in mind that illegal acts or improper conduct may represent severe
financial losses and may expose the Corporation to administrative, civil and
criminal penalties, including large fines and being barred from certain types of
business. Therefore, you must report any illegal activity or violations of the
Code to the appropriate personnel, as identified in REPORTING VIOLATIONS on pages
10 and 11.

 

NOTE: The Corporation has zero tolerance for fraudulent or illegal acts and is
firmly committed to complying with federal and local anti-fraud statutes.

 

MONEY LAUNDERING

 

Money laundering is the process by which individuals or entities try to conceal illegal funds
or otherwise enter into transactions to make these funds appear legitimate. The
Corporation does not condone, facilitate or support money laundering. Few of us
will ever personally be in the position to violate money laundering laws, but we
all need to be alert to irregularities in the way payments are made, including
large cash payments and unusual transactions. Furthermore, we have the
responsibility to conduct due diligence on our customers, intermediaries and
business partners, and to report any suspicious behavior.

 

EXAMPLE:  A customer visits our offices and tells you he wants to buy an
insurance product.  He gives you $12,000 in cash to pay the premium of the whole
year in advance.  What should you do? Transactions over $10,000 must be
reported.  Follow the corporate procedures implemented to handle these cases,
including the filing of various forms to document the transaction.  Be sure to
contact your Compliance Officer if you have any questions.




 

Fair Dealing

 

You should endeavor to deal fairly with the Corporation’s clients, suppliers,
competitors, officers, and directors. No one should take unfair advantage
through manipulation, cover-up, concealment or the abuse of privileged
information, misrepresentation of material facts, or any other unfair business
practice. To preserve our relationships: 1) we do not misrepresent our services
or products in any sales or promotional efforts; 2) we communicate clearly, so
that our customers and contractors understand the terms of our business
relationships, including contracts performance criteria, schedules, prices and
responsibilities and 3) we only make promises to customers that we believe we
will be able to keep.

 

EXAMPLE: While attending a customer meeting with another corporate employee, the
other employee made what I believe to be an intentionally false statement about
our capabilities in order to retain the account.  What should I do?  Correct the
error during the meeting if possible.  If that is not possible, raise the issue
with the employee, your manager or other responsible corporate personnel after
the meeting, and ensure that the Corporation corrects any customer
misrepresentation.  If you are correct that the other employee intentionally
lied to a customer, the other employee has violated the Code.


 



Conflicts of Interest

 

You must be scrupulous in avoiding a conflict of interest regarding the
Corporation’s interests. A “conflict of interest” exists whenever an
individual’s private interests interfere or diverge in any way (or
even appear to interfere or diverge) with those of the Corporation.

 

It is the Corporation’s policy to avoid any situation that involves, or appears
to involve, a conflict between the interests of the Corporation and your
interests. Conflicts of interest are prohibited as a matter of corporate policy.

 

Conflicts of interest can arise when you are directly or indirectly connected
with a present or potential supplier, competitor, or customer.

 

Outside financial or business involvement by members of your immediate family,
or by persons with whom you have a close personal relationship, may create a
possible conflict of interest, and are subject to the requirements of this
policy.

 

Moreover, it is our policy to prohibit anyone from: taking personal
opportunities that are discovered through the use of corporate property,
information or position; using corporate property, information or position for
personal gain; or competing against the Corporation.

 

A conflictive situation can arise when any of us undertake some action or have
interests that adversely affect the objective and effective performance of our
duties in the Corporation. Another possible conflict could emerge if you, or
some member of your family, receive improper personal benefits as a result of
your position in the Corporation, whether the benefit is received from the
Corporation or from a third party. You should also avoid outside activities that
interfere with your working hours or your regular duties, adversely affect the
quality of the work performed or negatively impact the Corporation.

 

Personal loans to, or guarantees of obligations by the Corporation may also
create conflicts of interest and are subject to the requirements of this Code.
Loans to its directors and/or executive officers are prohibited by law and the
Corporation.

 

Such conflicts may not always be clear-cut; therefore, any question should be
raised with the highest managerial levels or with the Legal Affairs Office of
TSM. If you observe, encounter or discover a conflict or a potential conflict
you should inform a supervisor, manager, or consult and/or follow the procedures
described in this Code.

 




 

 

EXAMPLE: It is my job to select a supplier for the Corporation.  One of the
suppliers being considered is a company owned by my spouse.  Do I need to take
any precautions? Yes. In this situation your interest in your spouse’s business
conflicts – or at least appears to conflict – with your responsibility to select
the best supplier for the Corporation.  The best course of action is either for
you not to be involved in the selection process and disclose the conflict of
interest immediately or for your spouse’s business to be eliminated from
consideration.

 

 


 



Confidentiality

 

We cannot disclose confidential information entrusted to us by the Corporation,
its suppliers, clients, or any other person, except when disclosure is
authorized by the Legal Affairs Office or required by law, regulations, or legal
proceedings. If you understand there is a legal obligation to disclose such
information, you must consult with the Legal Affairs Office.

 

It is the Corporation’s policy to protect the privacy of past, present and
prospective customers, members, plan participants, policyholders, insureds, and
its employees and other similar parties, consistent with applicable law. All
individually identifiable personal information will be collected only as
reasonably necessary for the conduct of the Corporation’s business.

 

It is also the Corporation’s policy to protect its information assets from
accidental or unauthorized modification, destruction and/or disclosure. We must
protect corporate information assets and must follow the requirements provided
by the Corporation. Safeguarding confidential information requires that we
comply with all related policies and procedures; protect paper documents and
individual workstations; manage passwords properly; secure software; back up
critical data; and use the Corporation’s networks safely and responsibly.

 

It is expected that in the event a consultant, agent or independent contractor
experiences a security breach in which confidential information is exposed, a
process is implemented to mitigate, to the extent practicable, any harmful
effect. This includes the duty to promptly notify the Corporation and each
affected individual, and cover all the costs incurred by the Corporation if it
has to notify its customers of such exposure.

 

EXAMPLE: You went out to work with a coworker.  At the restaurant, the two of
you discussed a project – on which you are both working – with a lot of detail,
including several of your secret business strategies.  When leaving the
restaurant, you notice that at the table next to yours were seated employees
from a rival company.  What should you do?  Notify your supervisor of the
potential disclosure so he/she can work with legal counsel to avoid or minimize
damage.  We must protect our Corporation’s confidential information and exercise
caution when discussing such information in public spaces, like restaurants.

 


 

Reporting and Public Disclosures of Corporate Information

 

The Corporation is committed to providing full, fair, accurate, timely and
understandable disclosure in its public communications and in the reports and
documents that it files with regulatory authorities, including the SEC. Strict
compliance with both the spirit and the letter of the laws governing public
disclosures and reporting to the SEC is required. The Corporation’s disclosures
will enable its stockholders to understand (i) the key business opportunities
it seeks, (ii) the issues and risks it manages, (iii) the critical accounting
policies it employs and (iv) the important judgments it makes in preparing its
financial statements.

 

Certain employees are authorized to release information about the Corporation as
part of their duties, subject to corporate procedures. Other than those
employees, no one should release information concerning the Corporation or its
business activities without prior, written approval from the Legal Affairs
Office of TSM.

 

Confidential Information About Employees

 

Confidential information must not be revealed to anyone, except when necessary
for legitimate business purposes or as permitted by law. Confidential
information includes, but is not limited to, wage and salary data, employment
agreements, social security numbers, information on leaves, financial/banking
information and claims/medical information.

 

EXAMPLE: I have just received an e-mail by accident with a file containing the
salaries of several other employees. May I share it with other people at work?
No. If you and your colleagues have no business reason to have this
information, you should delete the e-mail and bring the error to the attention
of the sender immediately. Disclosing the information to other employees is a
Code violation.

 

Confidential Information About Insureds and Other Customers

 

Numerous federal and state laws govern the use and disclosure of health and
financial information relating to the Corporation’s members. The Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”) prohibits
unauthorized disclosure of the Corporation’s members’ protected health
information (“PHI”).

 


 

The Corporation’s policies and procedures include HIPAA requirements, which must
be followed when dealing with PHI. Accessing or sharing confidential member
information, except as necessary to do the assigned job, is inappropriate. We
must uphold the trust that the Corporation’s customers have placed in the
Corporation and keep their information confidential.

 

EXAMPLE: I know that an employee in my work area accessed and viewed PHI about
his neighbor without any business cause, in order to harm his neighbor’s
reputation. Do I have to report this? Yes. The other employee committed a
violation of the Code that is subject to disciplinary action and is reportable
to federal agencies.

 

Material Nonpublic or Inside Information About Our Corporation

 

The communication, release and use of material nonpublic or inside information
for personal financial benefit or financial benefit of family, friends or
closely related persons is strictly prohibited. You must not buy or sell
the Corporation’s securities based on knowledge of material nonpublic or inside
information.

 

In addition, you must not share or disclose material nonpublic or inside
information with co-workers, family, friends or others unless the other party is
considered an “insider,” has signed a non-disclosure or confidentiality
agreement with the Corporation, or the information is required as part of doing
business and the appropriate functional approval has been obtained from the
Legal Affairs Office.

 

The use of material nonpublic or inside information about other publicly traded
companies is also prohibited. You must not buy or sell securities of other
companies about which you have knowledge or any other material inside
information.

 

Information is material if it is likely to be a consideration to an investor in
determining whether to buy, sell, or hold the particular company’s securities.
Information is nonpublic if it has not yet been fully disclosed to the public.

 

Any inappropriate use or disclosure of inside information may expose you, the
company, and any person to whom the inside information is communicated, to
severe penalties, both criminal and civil, under applicable law.

 


 

Before trading in the Corporation’s securities, company officers, members of the
Board of Directors and other designated associates should consult and must
pre-clear any transactions with the General Counsel or the Chief Financial
Officer of Triple-S Management Corporation.

 

NOTE: You must not share or disclose material non-public or inside information
with co-workers, family, friends or others.

 

EXAMPLE: I have learned that the Corporation is considering the acquisition of a
small, publicly traded company.  May I acquire the stock of this company in
anticipation of the acquisition? No. Trading on material non-public information
is illegal and a violation of the Code.

 

PROTECTION AND PROPER USE OF THE CORPORATION’S ASSETS

 

The Corporation’s assets include property such as materials, facilities,
furniture, supplies, office equipment of all kinds, telephone and mail systems,
voice mail and e-mail systems, computers, computer networks, software, and
information relating to the company, the products and services it provides, and
its customers. Assets also include any documents or records that have financial
value such as currency, checks, vouchers, credit or other charge cards,
receivables, payables, records of time worked, expense reimbursements or
invoices.

 

It is the Corporation’s policy that its assets be adequately protected from
loss, damage or misuse. We must protect the Corporation’s assets and ensure
their efficient use. Theft, carelessness, waste and alterations all have a
direct impact on the Corporation’s assets. All such assets must be used only
for corporate business or any legitimate purpose determined by the Corporation.

 

We must not use, sell, loan, give away or dispose of corporate assets regardless
of condition or value, except when properly authorized by corporate policy. We
are expected to use corporate assets in a professional, productive, ethical and
lawful manner consistent with our corporate policies.

 

EXAMPLES:

 

Personal favor. An employee used a corporate computer and equipment, as well as
time at work, to design and print a school project for the daughter/son of
another employee. The employee misused corporate assets.

 

Personal assistance. A manager persistently asked an administrative assistant to
take care of the manager’s personal matters on corporate time, such as picking
up laundry, medical appointments, balancing a personal checkbook or shopping for
personal gifts. The manager is misusing the assistant’s work time, which is a
corporate asset.



 

Teaching. As marketing manager, I have volunteered to teach a course on
marketing at a local college. I believe that my students would benefit from a
discussion of how the Corporation developed marketing campaigns. Can I discuss
this work in class? No. You can only do this with prior approval from the
President of your company. The development of marketing campaigns is a corporate
work product and a corporate asset. Much of this work may be proprietary, and
may not be appropriate to reveal outside the Corporation.



 

NOTE: We must protect the Corporation’s assets and ensure their efficient use.

 

NAMES, LOGOS AND INTELLECTUAL PROPERTY

 

All names and logos to be used by the Corporation and all of us must be the
approved names and logos of the Corporation. The Advertising and Public
Relations Office is responsible for developing and managing brand positioning
standards for all references to the Corporation in advertising, promotional
materials, stationery, and other forms of communications media used externally.

 

The Corporation owns all innovations, ideas, inventions, discoveries and
improvements conceived, created, made or discovered by its employees while
employed by the Corporation, if they relate or pertain in any way to the
Corporation’s business. This includes innovations made by employees working
alone or with others. All innovations conceived of or made by an employee will
be deemed to have been made in the course of employment unless the innovations:
1) were developed on the employee’s own time; 2) were developed outside the
employee’s regular or assigned duties for the Corporation; and 3) were developed
without the use of any equipment, facility, or proprietary information of the
Corporation.

 

It is the Corporation’s policy to take necessary steps to secure and protect
its rights in its intellectual property and to protect it from illegal use or
other misuse by ensuring it is affixed with or identified by "Confidential"
notices, trademark, service mark or copyright symbols and by avoiding any
inappropriate or unauthorized disclosures.

 

ANTITRUST AND OTHER COMPETITION LAWS

 

Antitrust laws are designed to ensure a fair and competitive free market system
where no single company has a monopoly on providing a service or a product.
While the Corporation competes vigorously in the marketplace, it complies with
the applicable antitrust and competition laws wherever it does business.

 

This means that the Corporation competes on the merits of its services, prices
and customer loyalty. The Corporation independently determines the pricing
structure of its products and provider contracts, subject to applicable
regulatory review. Our actions in the marketplace define who we are as a
Corporation.

 

Some of the most serious antitrust offenses occur between competitors, such as
agreements to fix prices or to divide customers, territories or markets. It is
therefore very important for us to avoid discussions with competitors regarding
customers, pricing policies, bids, discounts, promotions, terms and conditions
of sale and any other proprietary or confidential information.

 

Competition laws also prohibit entering into formal or informal agreements with
suppliers, distributors or clients that may restrict competition. Such
agreements include tying products, or refusing to sell to particular clients or
buy from particular suppliers.

 

We must remember that unlawful agreements need not be written or even consist of
express commitments. Agreements can be inferred based on “loose talk,” informal
discussions, or the mere exchange of certain information. If a conversation with
a competitor enters an inappropriate area, we should end the conversation at
once and report the matter immediately to the Legal Affairs Office.

 

Please note that violating these laws may subject both the individuals involved
and our corporation to severe consequences.

 

TRANSACTIONS WITH GOVERNMENT OFFICERS

 

Transactions with governments are covered by special legal rules and are not the
same as conducting business with private parties. In general, do not offer
anything to an agent of public service – directly or indirectly – in return for
favorable treatment. To be responsible members of our business community, we
must follow the law wherever we do business, regardless of local law or custom.

 

Bribes are prohibited. A bribe is giving or offering anything of value to an
agent of public service to influence a discretionary decision. Examples of a
bribe include a payment to an agent of public service to encourage a decision
to award or continue a business relation, to influence the outcome of a
government audit or inspection, or to influence a tax ruling or any other
legislation. Obtain prior approval before providing anything of value to an
agent of public service.

 


 

We shall be completely honest in all dealings with government agencies and
representatives. No misrepresentations shall be made, and no false bills or
requests for payment shall be submitted to government agencies. Personnel
certifying the correctness of records submitted to government agencies,
including bills or requests for payment, shall have knowledge that the
information is accurate and complete before giving such certification. Personnel
who participate in government interviews shall always give truthful, complete
and unambiguous answers.

 

NOTE: We shall be completely honest in all dealings with government agencies and
representatives.

 

HIRING AN AGENT OF PUBLIC SERVICE

 

The Corporation may hire public officers to perform services that have a
legitimate business purpose and do not conflict with the public officer’s
duties, such as hiring an off-duty police officer to provide security at a
corporate event. All such hiring decisions must have the prior approval of an
officer of the Corporation.

 

IMPROPER PAYMENTS BY THIRD PARTIES

 

The Corporation may be held liable for bribes paid by a third party agent,
consultant or independent contractor acting on behalf of the Corporation. You
must not engage a third-party agent, consultant or independent contractor if
there is any reason to believe that such third-party may attempt to bribe an
agent of public service.

 

COOPERATION WITH GOVERNMENT INQUIRIES

 

From time to time, the Corporation may be asked to cooperate with a government
investigation or to respond to a request for information from the government
about how we conduct our business. The request may come through official
channels from the government to the Corporation’s management, or you could be
contacted individually by a member of a law enforcement agency, such as the
Department of Justice, the Federal Bureau of Investigation (FBI) or the Office
of the Inspector General.

 

It is the Corporation’s policy to cooperate fully and truthfully on all such
matters. To ensure that this process is conducted efficiently, immediately
notify the General Counsel of Triple-S Management Corporation that you have
been contacted by a government representative. The decision of whether
or not to cooperate with their inquiry is up to you alone and you will not be
disciplined, punished or otherwise retaliated against if you decide to do so.
Although you are free to cooperate individually with the government
investigators, you may not provide documents or data that belong to the
Corporation or are in its custody and control in response to a government
request for information without first obtaining authorization from the
Corporation’s legal counsel.

 


 

POLITICAL ACTIVITIES AND CONTRIBUTIONS

 

Local and federal laws restrict the use of corporate funds and assets in
connection with elections and other political activities. Consequently, we may
not make any political contribution to any candidate, office holder or political
organization for or on behalf of the Corporation.

 

The term “political contribution” includes payments, provision of services,
purchasing tickets or furnishing supplies on behalf of a candidate running for
political office. The covered persons may not use any corporate property,
facilities or time of any other employee for any political activity.

 

The Corporation recognizes your right as a citizen to participate in the
political process. When engaged in political activities, you shall let it be
known that the views expressed are yours as an individual and not those of the
Corporation.

 

NOTE: We may not make any political contribution to any candidate, officeholder
or political organization for or on behalf of the Corporation.

 

EXAMPLE: My friend is running for political office, and I would like to help
with the campaign.  Is this allowed? Yes.  Your personal political activity in
your leisure time is your own concern. Just make sure that you do not use
corporate resources, including corporate time, e-mail, equipment or supplies or
the corporate name to advance the campaign.

 

CHARITABLE CONTRIBUTIONS

 

The President of the Corporation and the Presidents of each of its subsidiaries
are the only persons authorized to make charitable contributions on behalf of
their respective company. Requests for charitable contributions should be
referred to the President of each particular company. Under no circumstances
should you use the Corporation’s funds to make charitable contributions on
behalf of the Corporation.

 

GIFTS AND ENTERTAINMENT

 

The Corporation recognizes that business gifts and entertainment can create
goodwill and sound working relationships. However, the use of business gifts and
entertainment for gaining special advantage or unduly influencing employees,
customers, suppliers or others doing business with the Corporation is strictly
prohibited. Gifts over $200 in value, in total over a one-year period, have to
be reported and approved by the President of the particular company.

 


 

Do not accept gifts in exchange for doing or promising to do anything for a
customer or supplier. Do not ask for gifts. Gifts or discounts offered to a
large group of corporate employees as part of an agreement between the
Corporation and a customer or supplier may be accepted and used as intended by
the customer and supplier.

 

Purchase of goods and services on behalf of the Corporation must not benefit you
or your family in the form of kickbacks or rebates. Kickbacks or rebates can
take many forms and are not limited to direct cash payments or credits. In
general, if you or your family benefit personally from the transaction, it is
prohibited.

 

Such practices are not only unethical but, in many cases, they are illegal. It
is strictly prohibited by this Code to accept cash, bank issued gift/debit
cards, gift certificates redeemable for cash, checks or similar items.

 

EXAMPLE: Last year, an independent contractor sent you a box of fine chocolates
for the Holidays.  This year, the same contractor sends you an expensive watch,
valued at $500.00 with your name engraved on it.  May you keep the watch?
No.  The chocolates were within the bounds of a reasonable gift, but the
personalized watch goes beyond our Corporation’s monetary limit.  You should
politely decline the gift.

 

Amendments, Modifications and Waiver

 

This Code may be amended, modified or suspended by the Board of Directors, who
can also grant suspensions or waivers, subject to disclosure and other
applicable provisions of the Securities Exchange Act of 1934, as amended,
and other applicable regulations.

 

The policies contained in this Code apply to all the Corporation’s controlled
entities, regardless of geographic location.

 

This Code is posted on the Corporation’s website: www.triplesmanagement.com

 

If you want to make a contribution to foster our commitment to ethical behavior,
please send your comments to:

 

ATTENTION: Corporate Compliance and Ethics Director

FAX: (787) 749-4045



E-MAIL: dallende@ssspr.com



POSTAL ADDRESS: P.O. Box 363628 San Juan, PR 00936-3628




 

This Code of Business Conduct and Ethics was approved by the Board of Directors
of Triple-S Management Corporation on October 5, 2010.

 



 

 


 



Schedule J5

 



 




 

Compliance Program

 

 

 

Effective Lines of Communication

Compliance Officer: Jenny Cardenas Curbelo

Privacy Officer: Lucy Padilla Flores

Telephone: 1-866-384-4277

Website: www.ethicspoint.com

 

Compliance Department Email:

TSACompliance@sssadvantage.com

 

 

 



Effective Lines of Communications



Anonymous • Confidential • No retaliation • No discrimination • No intimidation

 





 

 


 

 

 

 

 

 

 

Compliance Program

 

Approved by the Board of Directors on March 29, 2016

 

Last Review Date: August 15, 2017

 

 

 

 

 



 



 




 

Table of Contents

Organization Overview
Commitment to Compliance
General Overview
Element 1: Written Policies, Procedures and Standard of Conduct
Element 2: Compliance Officer, Compliance Committee and High Level Oversight
Element 3: Effective Training and Education
Element 4: Effective Lines of Communication
Element 5: Well Publicized Standards
Element 6: Effective System for Routine Monitoring and Identification of Compliance Risk
Element 7: Procedures and System for Prompt Responses to Compliance Issues
Laws and Regulations
Definitions
Contact Us



 

 



 

 




 

 

Organization Overview

 

Triple-S was founded in 1959 by doctors and dentists who were concerned with the
need to provide better access to healthcare. Triple-S Management (TSM) was
created in 1999 as part of a corporate reorganization and to serve as a holding
company for its health, life and property insurance businesses. TSM became a
public company on December 7, 2007. Its shares are traded on the New York Stock
Exchange, under the symbol GTS.

 

The TSM family of companies includes: Triple-S Salud (health insurance),
Triple-S Advantage (Medicare Advantage health insurance), Triple-S Vida (life
insurance), and Triple-S Propiedad (property and casualty insurance). Other
affiliates operate in Costa Rica and the US Virgin Islands.

 

Triple-S Salud (TSS), Triple-S Advantage (TSA) and Triple-S Blue are Blue Cross
Blue Shield licensees and have the exclusive right to use the BCBS name and logo
throughout Puerto Rico, the U.S. Virgin Islands, Costa Rica, the British Virgin
Islands and Anguilla.

 

TSS has a contract with the Puerto Rico Health Insurance Administration
(“PRHIA”) for Medicare Platino and Medicaid Programs, and TSA, Inc. is licensed
to conduct managed care business in Puerto Rico and has a contract with the
Centers for Medicare and Medicaid Services (CMS) for Medicare Advantage
Prescription Drug (MAPD) programs.

 

✓ Vision

 

Be recognized as market leader in the health industry in the communities we
serve.

 

 




 

 



✓ Mission

 

We take better care of your health, wellbeing and peace of mind during life’s
expected and unexpected events.

 

Commitment to Compliance

Statement from the Chairman of the Board of Directors and
CEO, Triple-S Management Corporation

 

Dear Colleague

 

Our success as a Company is founded on the decisions we make. Every day, we face
challenges that need to be addressed with the highest ethical standards. Ethical
behavior and a compliance culture are more than safeguarding our reputation or
avoiding legal issues. We must do what is right.

 

This Compliance Program (“Program”) and compliance policies and procedures,
together with our Code of Business Conduct and Ethics, set our standards for
expected conduct. Read this Compliance Program in its entirety and refer to it
often. Look in it for guidance whenever you are uncertain about any decision you
are about to make.

 

Our commitment to comply with all applicable Federal and Commonwealth of Puerto
Rico laws, regulations and guidelines and doing our jobs with ACCOUNTABILITY,
INTEGRITY, RESPECT, EXCELLENCE, INNOVATION and COMMITMENT, support our mission
to take better care of the member’s health, well-being and peace of mind during
life’s expected and unexpected events.

 

By translating the elements of this Program into actions we continue to achieve
our goals. We count on you to take our Compliance initiatives to the next level!

 

Thank you,

 


 





 

General Overview

 

The Compliance Program reflects our interpretation of CMS Compliance Program
requirements. In order to be effective, this Program is tailored to the unique
operations and circumstances of Triple-S Salud (TSS) and Triple-S Advantage
(TSA). TSS and TSA have devoted adequate resources to this Program to promote
and enforce the Code of Business Conduct and Ethics and this Program; train and
educate our Board of Directors members, employees, consultants and FDRs;
establish effective lines of communication among ourselves and with our FDRs;
oversee FDRs’ compliance with this Program and Medicaid, Commercial, Medicare
Part C and D requirements; establish and implement an effective system for
routine auditing and monitoring; and identify and promptly respond to risks and
findings. TSS and TSA conduct their quality management functions in accord with
applicable laws, regulations and current URAC accreditation standards.

 

This Program includes the following core elements:

 

1. Written Policies, Procedures and Standard of Conduct;

 

2. Compliance Officer, Privacy Officer, Compliance Committees and High Level
Oversight;

 

3. Effective Training and Education;

 

4. Effective Lines of Communication;

 

5. Well Publicized Disciplinary Standards;

 



 




 

 

 

6. Effective System for Routine Monitoring and Identification of Compliance
Risks; and

 

7. Procedures and System for Prompt Response to Compliance Issues.

 

This Program is subject to change as policy, technology and Medicaid,
Commercial, and Medicare business practices continue to evolve.

 

 

Element 1: Written Policies and Procedures and Standard of Conduct

 

TSS and TSA adopt the Code of Business Conduct and Ethics and Employee Handbook
of TSM and have implemented the Code of Business Conduct and Ethics, Compliance
Program and policies and procedures. The Code of Business Conduct and Ethics and
policies and procedures:

 

✓ Articulate our commitment to comply with all applicable Federal and State
standards;

✓ Describe compliance expectations as embodied in the Code of Business Conduct
and Ethics;

✓ Implement the operation of the compliance program;

✓ Provide guidance to employees and others on dealing with suspected, detected
or reported compliance issues;

✓ Identify how to communicate compliance issues using the effective lines of
communications;

✓ Describe how suspected, detected or reported compliance issues are
investigated and resolved by Triple-S; and

 

✓ Include a policy of non-intimidation, non-discrimination and non-retaliation
for good faith participation in this Program, including, but not limited to,
reporting potential issues, investigating issues, conducting self-evaluations,
audits and remedial actions, and reporting to appropriate officials.

 

TSS and TSA compliance policies and procedures are detailed and specific,
describe the operation of this Program, and are updated to incorporate changes
in applicable laws, regulations, other program requirements and accreditation
standards.

 

The Code of Business Conduct and Ethics, this Program, as well as compliance
policies and procedures are distributed to all the employees and FDRs within
ninety (90) days of initial hire or contract, when there are updates and
annually thereafter. For more information refer to the policy and procedure
COMP-001 Development, Review, Approval and Distribution of the Code of Business
Conduct and Ethics, Compliance Program and Policies and Procedures.

 

 

Element 2: Compliance Officer, Compliance Committee and High Level Oversight

 

The President of Triple-S Salud, Inc. (TSS) and Triple-S Advantage, Inc. (TSA)
designates a Compliance Officer and a Privacy Officer. Similarly, the Board of
Directors of TSS and TSA delegates the Compliance Program oversight to the
Executive Compliance Committee. Furthermore, the President designates the
members of the Vendor Management Oversight Committee (VMOC). Those components,
together, shall oversee the performance of the Compliance Program.

 

The Compliance Officer has express authority to provide unfiltered, in-person
reports to the Board of Directors and is responsible for the implementation of
the Compliance Program, the definition of the program structure, educational
requirements, reporting and complaint mechanisms, response and correction
procedures, and compliance expectations of all personnel and FDRs. Additional
duties of the Compliance Officer include, but are not limited to:

 

☑ Chair the Executive Compliance Committee.

 



 




 

 

☑ Ensuring that compliance reports are provided regularly to the Executive
Compliance Committee, Board of Directors, and President. Reports include the
status of the Compliance Program implementation, the identification and
resolution of suspected, detected or reported instances of noncompliance, and
compliance oversight and audit activities;

☑ Being aware of daily business activity by interacting with the operational
units;

☑ Creating and coordinating educational training programs to ensure that the
Board of Directors, employees, FDRs, and other individuals working in the
Medicare program are knowledgeable about the Compliance Program, its written
Code of Business Conduct and Ethics, compliance policies and procedures, and all
applicable statutory and regulatory requirements;

☑ Developing and implementing methods and programs that encourage managers and
employees to report Medicare program noncompliance and potential FWA without
fear of retaliation, discrimination or intimidation;

☑ Maintaining the compliance reporting mechanism and closely coordinating with
the internal audit department and the Audit and Investigation Unit (SIU), where
applicable;

☑ Responding to reports of potential FWA, developing appropriate corrective or
disciplinary actions and coordinating internal investigations;

☑ Ensuring that the DHHS OIG and Government Services Administration (“GSA”)
exclusion lists have been checked with respect to all employees, Board of
Directors members, and FDRs monthly and coordinating any resulting personnel
issues with the Triple S Management (TSM) Human Resources, Security, Legal or
other departments as appropriate;

☑ Maintaining documentation for each report of potential noncompliance or
potential FWA received from any source, through any reporting method (e.g.,
helpline, Compliance email, or in-person);

☑ Overseeing the development of corrective action plans and monitoring their
implementation;

 

☑ Coordinating potential fraud investigations/referrals and the appropriate NBI
MEDIC. This includes facilitating any documentation or procedural requests that
the NBI MEDIC makes of Triple-S.

 

☑ Review contracts and other documents pertinent to the Medicare and other
government programs;

☑ Report potential FWA to CMS, ASES, OCI, its designee or law enforcement.

☑ Overseeing the FDRs' performance through the active participation of VMOC.

 

To assist senior management in observing its responsibilities related to the
TSA/TSS operational compliance with applicable legal requirements and
comprehensive ethical standards, senior management has established an Executive
Compliance Committee, which will provide oversight of and direction to the
Compliance Officer and receive reports from the Compliance Officer no less
frequently than every quarter.

 

The Executive Compliance Committee will undertake the following responsibilities
and duties and any other activities related to the Compliance Program as
delegated by the Board of Directors and established in the Compliance Program.

 

☑ Development, implementation and annual review and approval of the compliance
policies and procedures;

☑ Development of strategies to promote compliance and the detection of any
potential violation;

☑ Review and approval of compliance and FWA training, and ensuring that training
and education are effective and appropriately completed;

☑ Assist with the creation, approval and implementation of the compliance risk
assessment and of the compliance monitoring and auditing work plan and audit
results;

☑ Assist in the creation, implementation and monitoring of effective corrective
actions;

☑ Development of innovative ways to implement appropriate corrective and
preventative action;

☑ Review and approval of corrective action plans resulting from audits;

 



 




 

 

☑ Review the effectiveness of the system of internal controls designed to ensure
compliance with Medicare regulations and other applicable federal and local laws
in daily operations;

☑ Support the compliance officer’s needs for sufficient staff and resources to
carry out his/her duties;

☑ Oversee that TSS/TSA has appropriate, up-to-date compliance policies and
procedures;

☑ Oversee that TSS/TSA has a system for employees and FDRs to ask compliance
questions and report potential instances of Commercial/Medicare/Medicaid
programs noncompliance and potential FWA confidentially or anonymously (if
desired) without fear of retaliation;

☑ Oversee that the sponsor has a method for enrollees to report potential FWA;

☑ Review and address reports of monitoring and auditing of areas in which
TSS/TSA are at risk for program noncompliance or potential FWA and ensuring that
corrective action plans are implemented and monitored for effectiveness;

☑ Review of Compliance Officer ad hoc reports on the status of compliance with
recommendations to the Board of Directors;

☑ Review of dashboard, scorecard, and self-assessment tools that reveal
compliance issues;

☑ Review of internal and external oversight activities results and government
compliance enforcement activities.

 

The Privacy Officer responds to the Compliance Officer and reports to the
Executive Compliance Committee. The responsibilities include, but are not
limited to:

☑ Provides guidance and assists in the identification, development, maintenance
and implementation of information privacy policies and procedures;

☑ Performs annual privacy risk assessment and conducts relevant privacy
monitoring activities;

☑ Oversees the development of corrective action plans and monitoring of their
implementation.

 



 




 

 

☑ Manages external audits related to privacy requirements.

☑ Ensures that the organization maintains appropriate privacy and
confidentiality forms, notices and materials reflecting current organization and
legal practices and requirements;

☑ Creates and coordinates privacy educational trainings to ensure that the Board
of Directors, employees, FDRs, and other individuals, as applicable, are
knowledgeable about the privacy policies and procedures, notice of privacy
practices and other applicable statutory and regulatory requirements;

☑ Participates in the development, implementation, and ongoing compliance
monitoring of business associates to ensure all privacy concerns, requirements
and responsibilities are addressed;

☑ Works cooperatively with appropriate senior staff to review, amend and
restrict access to protected health information as appropriate;

☑ Generates quality reports regarding privacy initiatives;

☑ Establishes and administers a process for receiving, documenting, tracking,
investigating and taking action on all complaints concerning the organization’s
privacy P&Ps;

☑ Ensures compliance with privacy practices and consistent application of
sanctions for failure to comply with privacy policies for all individuals in the
workforce, extended workforce and for business associates, in cooperation with
Human Resources, Security Officer and Legal Counsel;

☑ Initiates, facilitates and promotes activities to foster information privacy
awareness within the organization and business associates;

☑ Works with all personnel involved with any aspect of release of protected
health information (PHI) to ensure full coordination and compliance;

☑ Maintains current knowledge of federal, state and local privacy laws and
accreditation standards, and monitors advancements in information privacy
technologies to ensure adaptation and compliance;

☑ Develops and implements methods and programs that encourage managers and
employees to report noncompliance issues without fear of retaliation,
discrimination or intimidation;

 

 

 




 

 

☑ Maintaining documentation for each report of potential noncompliance received
from any source, through any reporting method (e.g., helpline, Compliance email,
or in-person);

☑ Review Business Associate Agreements and other documents to ensure compliance
with privacy requirements.

☑ Report privacy and security breaches to CMS, ASES, OCR, its designee or law
enforcement.

 

The Board of Directors members of TSS/TSA exercise reasonable oversight with
respect to the implementation and effectiveness of the Compliance Program. The
oversight by the Board of Directors members includes, but is not limited to:

 

☑ Approving the Code of Business Conduct and Ethics;

☑ Understanding the compliance program structure;

☑ Remaining informed about the Compliance Program outcomes, including results of
internal and external audits;

☑ Remaining informed about governmental compliance enforcement activity such as
Notices of Non-Compliance, Warning Letters and/or more formal sanctions;

☑ Receiving regularly scheduled, periodic updates from the compliance officer
and compliance committee; and

☑ Reviewing the results of performance and effectiveness assessments of the
compliance program.

☑ Provide regular and ad hoc reports on the status of FDR compliance with
recommendations to the Executive Compliance Committee.

 

The Vendors Management and Oversight Committee (VMOC) undertakes the following
responsibilities and duties to support the Compliance Officer and Executive
Compliance Committee in their duties of appropriate oversight, including but not
limited to:

 

☑ Assist with the creation, approval and implementation of the FDR compliance
risk assessment and of the FDR monitoring and auditing work plan and audit
results;

 

☑ Review of FDR oversight activities results;

☑ Review of the FDRs' corrective action plans resulting from audits;

☑ Assist in the monitoring of the effective implementation of the corrective
actions from the FDRs;

☑ Ensure that the FDRs have a method for their employees to report potential
FWA;

☑ Review and address reports of monitoring and auditing of areas in which the
FDRs are at risk for program noncompliance or potential FWA and ensuring that
corrective action plans are implemented and monitored for effectiveness; and

☑ Provide regular and ad hoc reports on the status of FDR compliance with
recommendations to the Executive Compliance Committee.

 

The following diagram summarizes the previous structure:

 

[image_045.jpg]

 

Related to URAC Accreditation, the Board of Directors delegated to the Quality
Council the oversight of the Quality Improvement Program for the Commercial and
Medicaid Lines of Business. The responsibilities include, but are not limited to:

 



 




 

 

☑ Oversees physical and mental health care, risk management, enrollee’s access
to services, provider services, and complaint and appeal processes, satisfaction
with services provided, among others,

☑ Provides guidance on quality management priorities and projects,

☑ Approves the quality improvement projects to undertake,

☑ Allocates resources for quality initiatives,

☑ Receives all issues and concerns about the quality of the care of the services
rendered by the health plan,

☑ Monitors progress in meeting quality improvement goals,

☑ Reports to the Board of Directors on an annual basis.

☑ Reviews and approves policies and procedures related to URAC Accreditation.

 



 




 

 



Element 3: Effective Training and Education

 

TSS and TSA establish, implement and provide effective training and education
for their employees (including all senior management and members of the Board of
Directors) as well as contractors and FDRs.

The training and education occurs at least annually and is part of the
orientation for new employees, including Board of Directors members,
contractors and FDRs.

 

General/Specialized Compliance Trainings

 

TSS/TSA’s employees, Board of Directors members and contractors receive
General Compliance Training before entering the work area or within 30 days of
initial hiring, contracting or appointment, depending on business needs, and
annually thereafter.

 

TSS/TSA provides specialized compliance trainings to ensure that employees are
aware of the regulatory requirements (Medicare, Medicaid, Commercial, etc.)
related to their job function.

 

TSS/TSA reviews and updates the compliance trainings as necessary, whenever
there are material changes in regulations, policy or guidance, and at least
annually. The following are examples of topics the general compliance training
program communicates:

☑ A description of the Compliance Program, including a review of compliance
policies and procedures, the Code of Business Conduct and Ethics, and our
commitment to business ethics, confidentiality and compliance with all
Commercial/Medicare/Medicaid and other regulatory requirements;

☑ An overview of how to ask compliance questions, request compliance
clarification or report suspected or detected noncompliance. Trainings emphasize
confidentiality, anonymity, and non-retaliation for compliance related questions
or reports of suspected or detected noncompliance or potential Fraud, Waste and
Abuse (FWA);

 



 




 

 

☑ The requirement to report to the sponsor actual or suspected
Commercial/Medicare/Medicaid or other program noncompliance or potential FWA;

☑ Examples of reportable noncompliance that an employee might observe;

☑ A review of the disciplinary guidelines for non-compliant or fraudulent
behavior and communicate how such behavior can result in mandatory retraining
and may result in disciplinary action, including possible termination when such
behavior is serious or repeated or when knowledge of a possible violation is not
reported;

☑ Attendance and participation in compliance and FWA training programs as a
condition of continued employment and a criterion to be included in employee
evaluations;

☑ A review of policies related to contracting with the government, such as the
laws addressing gifts and gratuities for Government employees;

☑ A review of potential conflicts of interest and the sponsor’s system for
disclosure of conflicts of interest;

☑ An overview of HIPAA/HITECH, the CMS Data Use Agreement (if applicable), and
the importance of maintaining the confidentiality of personal health
information;

☑ An overview of the monitoring and auditing process; and

☑ A review of the laws that govern employee conduct in the
Commercial/Medicare/Medicaid programs.

☑ Mental Health Parity Addiction and Equity Act

 

Additional, specialized or refresher training may be provided on issues posing
FWA risks and URAC Accreditation standards, based on the individual’s job
function.

 

Training may be provided upon appointment to a new job function; when
requirements change; when employees are found to be noncompliant; as a
corrective action to address a noncompliance issue; and when an employee works
in an area implicated in past FWA.

 

FWA training includes, but is not limited to, the following topics:

☑ Laws and regulations related to MA and Part D FWA (i.e., False Claims Act,
Anti-Kickback statute, HIPAA/HITECH, etc.);

☑ Obligations of FDRs to have appropriate policies and procedures to address
FWA;

 



 




 

 

☑ Processes for TSA employees and FDR employees to report suspected FWA to TSA
(or, as to FDR employees, either to the sponsor directly or to their employers
who then must report it to TSA);

☑ Protections for TSA and FDR employees who report suspected FWA; and

☑ Types of FWA that can occur in the settings in which TSA and FDR employees
work.

For more information related to employee training and education, refer to the
policy and procedure: COMP-003 Effective Training and Education.

TSS/TSA communicates general compliance information to FDRs. TSA distributes the
Code of Business Conduct and Ethics and compliance policies and procedures to
FDRs and has oversight processes implemented to ensure its distribution to the
FDRs' employees.

TSS/TSA maintains training records for a period of 10 years of the time,
attendance, topic, certificates of completion (if applicable), and test scores.
TSS/TSA requires the FDRs to maintain records of the training of the FDRs’
employees. For more information related to FDRs' training and education, refer
to the policy and procedure: COMP-003-1 FDRs Effective Training and Education.

 

 



 




 

 

Element 4: Effective Lines of Communication

 

Triple-S establishes and implements effective lines of communication, ensuring
confidentiality between the compliance officer, members of the Executive
Compliance Committee, our employees, Board of Directors, and FDRs. The lines of
communication are accessible to all and allow compliance issues to be reported
including a method for anonymous and confidential good faith reporting of
potential compliance issues as they are identified.

 

TSS/TSA implemented an effective way to communicate information from the
Compliance Officer to others, including the Compliance Officer’s name, office
location and contact information; laws, regulations and guidance for employees,
Board of Directors and FDRs. Communications from the Compliance Officer include,
but are not limited to, statutory, regulatory, and sub-regulatory changes (e.g.,
HPMS memos); and changes to policies and procedures and Code of Business Conduct
and Ethics. TSS/TSA uses different methods to communicate information to others
in a timely manner, including physical postings of information, e-mail
distributions, internal websites, and individual and group meetings with the
Compliance Officer.

TSS/TSA requires all employees, members of the Board, and FDRs to report
compliance concerns and suspected or actual violations related to the Compliance
Program through the following effective lines of communication:

✓ Immediate supervisor or manager

✓ Compliance Officer, Privacy Officer, or any member of the Compliance
Department

 

 

 




 

 

· Compliance Officer: jennycar@sssadvantage.com

 

· Privacy Officer: lpadilla@sssadvantage.com

 

· Compliance Department Email: TSAcompliance@sssadvantage.com

 

✓ Ethics Point (available 24 hours/7 days): Helpline: 1.866.384.4277 /
www.ethicspoint.com

✓ The Human Resources Department

✓ Vice-President of the Office of Internal Audit and the General Counsel of
Triple-S Management Corporation or their designees.

· Office of Internal Audit: crosich@ssspr.com

 

· Corporate Ethics and Compliance Director: dallende@ssspr.com

 

Triple-S has a system in place to receive, record, respond to and track
compliance questions or reports of suspected or detected noncompliance or
potential FWA from employees, members of the Board of Directors, enrollees and
FDRs and their employees. Reporting systems maintain confidentiality, to the
greatest extent possible, allow anonymity if desired and emphasize Triple-S'
policy of non-intimidation, non-discrimination and non-retaliation for good
faith reporting of compliance concerns and participation in the compliance
program. TSS/TSA allows its FDRs to have their own reporting mechanism, with an
important emphasis that reports that relate to or impact TSS/TSA must be
reported to TSS/TSA.

Triple-S has a no-tolerance policy for retaliation or retribution against any
employee or FDR who in good faith reports suspected FWA. This no-tolerance
policy is widely publicized and enforced. Employees and FDRs are notified that
they are protected from retaliation for False Claims Act complaints, as well as
any other applicable anti-retaliation protections. The methods available for
reporting compliance or FWA concerns and the non-retaliation policy are
publicized throughout the TSS/TSA or FDR’s facilities. TSS/TSA may use different
mechanisms to publicize this information, such as posters, table tents, mouse
pads, key cards and other prominent displays.

 

 




 

 

When a suspected compliance issue is reported, TSS/TSA provide the complainant
with information regarding expectations of a timely response, confidentiality,
non-retaliation, non-intimidation, and non-discrimination and progress reports.

 

TSS/TSA educate their enrollees and providers about identification and reporting
of potential FWA. Education methods may include flyers, letters, pamphlets that
can be included in mailings to enrollees, such as enrollment packages,
Explanation of Benefits (“EOB”), and information published on the TSS/TSA’s
website. For more information, refer to the policy and procedure COMP-004
Effective Lines of Communication.

 

Element 5: Disciplinary Standards

 

TSS and TSA have well-publicized disciplinary standards through the
implementation of the Code of Business Conduct and Ethics and compliance
policies and procedures, which encourage good faith participation in the
Compliance Program. These standards must include policies that articulate
expectations for reporting actual or potential fraud, waste and abuse, HIPAA
and compliance issues and assist in their resolution; identify noncompliance or
unethical behavior; and provide for timely, consistent, and effective
enforcement of the standards when non-compliance or unethical behavior is
determined.

TSS and TSA establish and implement disciplinary policies and procedures that
reflect clear and specific disciplinary standards. The disciplinary policies
describe expectations for the reporting of compliance issues including
noncompliant, unethical or illegal behavior, that employees participate in
required training, and the expectations for assisting in the resolution of
reported compliance issues. In addition, the disciplinary policies identify
noncompliant, unethical or illegal behavior, through examples of misconduct that
employees might encounter in their jobs. Further, the policies provide for
timely, consistent and effective enforcement of the standards when noncompliant
or unethical behavior is found. Finally, the disciplinary actions are
appropriate to the seriousness of the violation.

 

 




 

 

To encourage good faith participation in this Program, TSS and TSA publicize
disciplinary standards for employees, providers, enrollees, contractors and FDRs
(as applicable). The standards include the duty and expectation to report issues
or concerns. The following are examples of the types of publication mechanisms
that TSS and TSA could use:

 

✓ Newsletters;

✓ Regular presentations at department staff meetings;

✓ Communications with FDRs;

✓ General compliance training;

✓ Intranet site;

✓ TSA and TSS Internet site;

✓ Provider Portal;

✓ Annual compliance awareness campaign;

✓ Posters prominently displayed throughout employee work and break areas; and

✓ Lunch room table tents.

 

Triple-S applies disciplinary actions in a timely manner and consistent with the
seriousness of the violation. The Compliance Officer or his/her designee and the
Human Resources Department work in collaboration with the appropriate supervisor
or manager in determining disciplinary action related to instances of
regulatory noncompliance. Examples of disciplinary actions that may be taken in
accordance with the measure and scope of the noncompliance event include, but
are not limited to:

 

· Retraining

 

· Verbal memorandum

 

· Written memorandum

 

· Suspension

 

· Termination

 

Disciplinary action records are maintained for a period of 10 years for all
compliance violation disciplinary actions, capturing the date the violation was
reported, a description of the violation, date of investigation, summary of
findings, disciplinary action taken and the date it was taken. TSS/TSA reviews
these records on a periodic basis to ensure that disciplinary actions are
appropriate to the seriousness of the violation, fairly and consistently
administered and imposed within a reasonable timeframe. Compliance is one of the
competencies on the employee’s performance evaluation. Disciplinary actions
taken are reported to the Executive Compliance Committee on a quarterly basis.
For more information, refer to the policy and procedure COMP-005 Well-Publicized
Disciplinary Standards.

 

 

Element 6: Effective System for Routine Monitoring and Identification of
Compliance Risks

 

TSS and TSA establish and implement an effective system for routine monitoring
and identification of compliance risks. The system includes internal monitoring
and audits and, as appropriate, external audits, to evaluate the compliance of
TSS/TSA’s operations, including FDRs’, with regulatory requirements and the
overall effectiveness of this Program.

 

TSS/TSA conducts monitoring and auditing to test and confirm compliance with
Centers for Medicare and Medicaid Services (CMS), Office of Personnel Management
(OPM), Office of Insurance Commissioner (OIC) and ASES regulations,
sub-regulatory guidance, contractual agreements, and applicable Federal and
State laws, including the Mental Health Parity Law as it pertains specifically
to our mental health and substance use disorder services, accreditation
requirements, as well as internal policies and procedures to protect against
program noncompliance and potential FWA.

 

 




 

 

TSS/TSA develops a monitoring and auditing work plan that addresses the risks
associated with the Commercial, Medicaid and Medicare Parts C and D benefits.
The monitoring and auditing work plan is coordinated, overseen and/or executed
by the Compliance Officer, assisted if desired by the Compliance Department
staff and/or the Executive Compliance Committee. The Compliance Officer or
his/her designee provides updates on monitoring and auditing results to the
Executive Compliance Committee, the President, Senior Leadership and the Board
of Directors. For more information, refer to the policies and procedures
COMP-006 Internal Compliance Audit and Monitoring Process; COMP-006-1 Delegation
Oversight; and COMP-006-3 Compliance with Mental Health Parity Law.

 

TSS/TSA establishes and implements policies and procedures to conduct the annual
compliance and FWA risk assessments. The risk assessments take into account all
business operational areas and first tiers. Each operational area and/or first
tier is assessed for the types and levels of risk it presents to the
Commercial, Medicaid and Medicare program and to TSS/TSA. The factors that may
be considered in determining the risks associated with each department or first
tier include, but are not limited to:

 

✓ Size of the department / Size of the first-tier entity;
✓ Complexity of transactions / Complexity of process delegated and decision
making authority;
✓ Background experience of personnel;
✓ Implementation of policies, procedures and internal controls;
✓ Adequacy of equipment, software or applications;
✓ Amount of training that has taken place;
✓ Past Compliance issues and budget.

 

Risks identified by the risk assessment are ranked to determine which risk
areas/entities have the greatest impact on TSS/TSA, and to prioritize the
monitoring and auditing strategy accordingly. Ongoing review of potential risks
of noncompliance and FWA and a periodic re-evaluation of the accuracy of the
TSS/TSA risk assessment are conducted as risks change and evolve with changes in
the law, regulations, ASES, CMS and OIG requirements and operational matters.
Risk areas identified through CMS audits and oversight, as well as through TSA’s
monitoring, audits and investigations, are priority risks. The results of the
risk assessment inform the development of the monitoring and audit work plans.
For more information, refer to the policy and procedure COMP-006-2 Risk
Assessment.

 

Once the risk assessment is completed, a monitoring and auditing work plan is
developed based on it. The work plans include a process for responding to all
monitoring and auditing results and for conducting follow-up reviews of areas
found to be non-compliant to determine if the implemented corrective actions
have fully addressed the underlying problems. The work plans include a schedule
that lists all of the monitoring and auditing activities for the calendar year
for departments and first tiers.

 

Corrective action and follow-up are overseen by the Compliance Officer and
assisted by the compliance department staff and include actions such as
reporting findings to ASES, CMS or to the NBI MEDICs, if necessary.

 

TSS/TSA uses a variety of audit approaches, including but not limited to: desk
and/or on-site audits, including, as appropriate and as permitted by contractual
agreements, unannounced audits or “spot checks” when developing the work plans.
TSS/TSA prepares a standard audit report that includes items such as:

 

✓ Audit Objectives;
✓ Scope and Methodology;
✓ Findings:
  · Condition;
  · Criteria;
  · Cause;
  · Effect; and
✓ Recommendations

 

 




 

 

The effectiveness of this Program is measured through an annual audit and
results are shared with the Board of Directors.

 

TSS/TSA conducts monitoring and auditing activities of the first tier entities
to ensure that they are in compliance with all applicable laws and regulations,
and to ensure that the first tier entities are monitoring the compliance of the
entities with which they contract (the sponsors’ “downstream” entities).
Monitoring activities are also conducted on related entities to ensure they are
compliant with all applicable laws and regulations.

 

When corrective action is needed, TSS/TSA conducts validation procedures to
ensure that corrective actions are taken by the entity. TSS/TSA tracks and
documents compliance efforts. In addition to formal audits and monitoring,
TSS/TSA uses the Compliance Scorecard and self-assessments that show the extent
to which operational areas and FDRs are meeting compliance goals. Results are
shared with employees, Senior Management, Executive Compliance Committee and
Board of Directors members, as applicable.

 

Triple-S reviews the DHHS OIG List of Excluded Individuals and Entities (LEIE
list) and the GSA Excluded Parties Lists System (EPLS) prior to the hiring or
contracting of any new employee, temporary employee, volunteer, consultant,
Board of Directors member, or FDR, and monthly thereafter, to ensure that none
of these persons or entities is excluded or becomes excluded from participation
in federal programs. Monthly screening is essential to prevent inappropriate
payment to providers, pharmacies, and other entities that have been added to
exclusion lists since the last time the list was checked. After entities are
initially screened against the entire LEIE and EPLS at the time of hire or
contracting, Triple-S reviews only the LEIE supplement file provided each month,
which lists the entities added to the list that month, and reviews the EPLS
updates provided during the specified monthly time frame.

 

 




 

 

TSS/TSA performs effective monitoring, including data analysis, in order to
prevent and detect FWA. Baseline data are established to recognize unusual
trends, changes in drug utilization over time, physician referral or
prescription patterns, and plan formulary composition over time. These
activities are designed to:

 

✓ Reduce or eliminate Medicaid and Medicare Parts C and D benefit costs due to
FWA;
✓ Reduce or eliminate fraudulent or abusive claims paid for with federal
dollars;
✓ Prevent illegal activities;
✓ Identify enrollees with overutilization issues;
✓ Identify and recommend providers for exclusion, including those who have
defrauded or abused the system, to the NBI MEDIC and/or law enforcement;
✓ Refer suspected, detected or reported cases of illegal drug activity,
including drug diversion, to the NBI MEDIC and/or law enforcement and conduct
case development and support activities for NBI MEDIC and law enforcement
investigations; and
✓ Assist law enforcement by providing information needed to develop successful
prosecutions.

 

TSS/TSA allows access to any auditor acting on behalf of the state and federal
government or CMS to conduct an on-site audit. On-site audits require a thorough
review of required documentation as well as interviews of the staff. TSS/TSA and
the FDRs provide records to ASES, CMS or its designee. TSS/TSA and the FDRs are
committed to cooperating with regulatory agencies and contractors, such as the
NBI MEDICs. This cooperation includes providing CMS and/or the NBI MEDICs or
other contractors access to all requested records associated in any manner with
the Medicare Parts C or D program.

 



 




 

 

 

 

 

Element 7: System for Prompt Response to Compliance Issues

 

TSS/TSA establishes and implements procedures and a system to promptly respond
to compliance issues as they are raised, investigates potential compliance
problems as identified in the course of self-evaluations and audits, corrects
such problems promptly and thoroughly to reduce the potential for recurrence,
and ensures ongoing compliance with agencies’ regulatory requirements.

 

The Compliance Department conducts a timely and well-documented reasonable
inquiry into any compliance incident or issue involving potential Medicare,
Medicaid and Commercial noncompliance or potential FWA.

 

Noncompliance and FWA may be discovered through the lines of communication,
enrollee complaint, during routine monitoring or self-evaluation, an audit, or
by regulatory authorities. Regardless of how the noncompliance or FWA is
identified, the Compliance Department initiates an inquiry as quickly as
possible, but not later than two (2) weeks after the date the potential
noncompliance or potential FWA incident was identified.

 

The inquiry includes a preliminary investigation of the matter by the Compliance
Officer or his/her designee. If the issue appears to involve potential FWA and
the Compliance Department does not have either the time or the resources to
investigate the potential FWA in a timely manner, it should refer the matter to
the NBI-MEDIC within thirty (30) days of the date the potential fraud or abuse
is identified so that the potentially fraudulent or abusive activity does not
continue.

 

The Compliance Department monitors FWA and Medicare, Medicaid and Commercial
noncompliance. When serious noncompliance or waste occurs, the Compliance
Officer or his/her designee refers the matter to the applicable regulatory
agencies. When potential fraudulent or abusive activity is identified for the
Medicare Advantage line of business, the Compliance Officer or his/her designee
refers the matter to NBI MEDIC.

 

Corrective actions are implemented by the operational areas of TSS/TSA and the
FDRs in response to potential noncompliance or potential FWA and are designed to
correct the underlying problem that results in program violations and to prevent
future noncompliance. As part of the evaluation of the potential noncompliance
or potential FWA, a root cause analysis is performed to determine what caused or
allowed the FWA, noncompliance or deficiency to occur. The corrective actions
are tailored to address the particular FWA, noncompliance or deficiency
identified, and include timeframes for specific achievements.

 

Failure of the FDRs to effectively implement appropriate corrective actions may
result in contract termination. The Compliance Department conducts monitoring
activities during and after the implementation of the corrective actions to
ensure that they are effective. The Compliance Department thoroughly documents
all the elements, including ramifications, of the corrective actions that
address noncompliance or FWA committed by TSS’s/TSA’s employees or the FDRs.
Enforcement of corrections is implemented through disciplinary measures,
including employment or contract termination, if warranted.

 

The Compliance Department conducts self-reporting of potential FWA discovered at
the plan level, and potential fraud and abuse by FDRs, as well as significant
waste and significant incidents of Commercial, Medicare/Medicaid program
noncompliance.

 

The Compliance Department conducts investigations of potential FWA activity to
determine whether potential FWA has occurred. Investigations of potential FWA
are concluded within a reasonable time period after the activity is discovered.
If, after conducting a reasonable inquiry, the Audit and Investigation Unit
determines that potential FWA related to the Medicaid and Medicare Parts C or D
programs has occurred, the matter is referred to the NBI MEDIC promptly. The
Audit and Investigation Unit also refers potential FWA at the FDR levels to the
NBI MEDIC so that the NBI MEDIC can help identify and address any scams or
schemes.

 

The Compliance Officer or his/her designee reports potentially fraudulent
conduct to government authorities such as the Office of Inspector General
(through the OIG’s Provider Self-Disclosure Protocol) or the Department of
Justice.

 

 




 

 

When the Compliance Officer discovers an incident of significant Medicare
program noncompliance, he/she reports the incident to CMS as soon as possible
after its discovery. The Compliance Officer or his/her designee refers cases
involving potential fraud or abuse that meet any of the following criteria to
the NBI MEDIC:

 

· Suspected, detected or reported criminal, civil, or administrative law
violations;
· Allegations that extend beyond the Parts C and D plans, involving multiple
health plans, multiple states, or widespread schemes;
· Allegations involving known patterns of fraud;
· Pattern of fraud or abuse threatening the life or wellbeing of beneficiaries;
and
· Scheme with large financial risk to the Medicare Program or beneficiaries.

 

When a Fraud Alert is received, TSS/TSA and the corresponding FDR conduct a
review of their contractual agreements with the identified parties. Past paid
claims from entities identified in a fraud alert are reviewed to identify
claims that may be or may have been part of an alleged fraud scheme and remove
them from their sets of prescription drug event data submissions.

 

TSS/TSA maintains files for a period of 10 years on both in-network and
out-of-network providers who have been the subject of complaints,
investigations, violations, and prosecutions. This includes enrollee complaints,
NBI MEDIC investigations, OIG and/or DOJ investigations, US Attorney
prosecution, and any other civil, criminal, or administrative action for
violations of Federal health care program requirements. Files that contain
documented warnings (i.e., fraud alerts) and educational contacts, the results
of previous investigations, and copies of complaints resulting in investigations
are maintained. Triple-S complies with requests by law enforcement, CMS and
CMS’ designee regarding monitoring of providers within the Triple-S network that
CMS has identified as potentially abusive or fraudulent.

 



 




 

 

 

Laws and Regulations

 

The following laws and regulations were considered in this Program:

 

· Title XVIII of the Social Security Act
· Medicare regulations governing Parts C and D found at 42 C.F.R. §§ 422 and
423, respectively
· Patient Protection and Affordable Care Act (Pub. L. No. 111-148, 124 Stat.
119)
· Health Insurance Portability and Accountability Act (HIPAA) (Public Law
104-191)
· False Claims Acts (31 U.S.C. §§ 3729-3733)
· Federal Criminal False Claims Statutes (18 U.S.C. §§ 287, 1001)
· Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b))
· The Beneficiary Inducement Statute (42 U.S.C. § 1320a-7a(a)(5))
· Civil monetary penalties of the Social Security Act (42 U.S.C. § 1395w-27(g))
· Physician Self-Referral (“Stark”) Statute (42 U.S.C. § 1395nn)
· Fraud and Abuse, Privacy and Security Provisions of the Health Insurance
Portability and Accountability Act, as modified by HITECH Act
· Prohibitions against employing or contracting with persons or entities that
have been excluded from doing business with the Federal Government (42
U.S.C. § 1395w-27(g)(1)(G))
· Fraud Enforcement and Recovery Act of 2009
· All sub-regulatory guidance produced by CMS and HHS such as manuals, training
materials, HPMS memos, and guides
· Final Rule of the Section 1557 of the Patient Protection and Affordable Care
Act (ACA) of 2010 (45 CFR § 92.1)
· Mental Health Parity and Addiction Equity Act
· URAC Health Plan Accreditation Guideline Version 7.2:
o Core 3 -
o Core 4 – Regulatory Compliance

 

 

 




 

 

o Core 6 through 9 – Oversight of Delegated Activities [P-QM 1] [P-QM 3(a)]
[P-QM 3(e)] [P-QM 3(d)]
o Core 16 – Confidentiality of Individually-Identifiable Health Information
o Core 27 – Staff Training Program
o P-CP 1 – Compliance Program: Internal Controls

 

 

Definitions

 

ASES: Administración de Seguros de Salud de Puerto Rico (the Puerto Rico Health
Insurance Administration, “PRHIA”, in its English acronym), the entity of the
Government of Puerto Rico responsible for oversight of the Government Health
Plan (GHP) Program and the Medicare Platino Program, or its Agent.

 

DHHS is the Department of Health and Human Services. CMS is the agency within
DHHS that administers the Medicare program.

 

FDRs: First Tier, Downstream and Related Entities

 

a) First Tier Entity: An independent entity that enters into a written
contract with the Corporation, acceptable to CMS, to provide administrative
services or health care services to a beneficiary.

 

b) Downstream Entity: A party that enters into a written agreement, acceptable
to CMS, with the Delegated Entity to provide services. The agreement falls below
the level of the agreement that Triple-S reaches with a Delegated Entity (First
Tier Entity).

 

c) Related Entity: Any entity that is affiliated with the Corporation under
common control and that, in addition: (1) performs some of the activities of the
Corporation by contract or delegation; (2) provides services to the
beneficiaries through a written contract; or (3) rents real property or sells
materials to the Corporation at a cost that exceeds $2,500 for the contract
period.

 

d) Delegated Entity: Entity to which an activity is transferred through a
contract. A Delegated Entity may be a first tier entity (contractor), a
downstream entity (subcontractor) or a related entity. Delegated entities are
commercial entities, not individuals.

 

 




 

 

Fraud, Waste and Abuse (FWA):

 

a) Fraud: is knowingly and willfully executing, or attempting to execute, a
scheme or artifice to defraud any health care benefit program or to obtain (by
means of false or fraudulent pretenses, representations, or promises) any of the
money or property owned by, or under the custody or control of, any health care
benefit program. 18 U.S.C. §1347.

 

b) Waste: is the overutilization of services, or other practices that, directly
or indirectly, result in unnecessary costs to the Medicare program. Waste is
generally not considered to be caused by criminally negligent actions but rather
the misuse of resources.

 

c) Abuse: includes actions that may, directly or indirectly, result in:
unnecessary costs to the Medicare/Medicaid Program, improper payment, payment
for services that fail to meet professionally recognized standards of care, or
services that are medically unnecessary. Abuse involves payment for items or
services when there is no legal entitlement to that payment and the provider has
not knowingly and/or intentionally misrepresented facts to obtain payment. Abuse
cannot be differentiated categorically from fraud, because the distinction
between “fraud” and “abuse” depends on specific facts and circumstances, intent
and prior knowledge, and available evidence, among other factors.

 

GSA: General Services Administration is an independent agency of the United
States government, established in 1949 to help manage and support the basic
functioning of federal agencies. The GSA supplies products and communications
for U.S. government offices, provides transportation and office space to federal
employees, and develops government-wide cost-minimizing policies, among other
management tasks.

 

HIPAA: (Public Law 104-191, as amended) The Health Insurance Portability and
Accountability Act of 1996 is federal legislation approved by Congress
regulating the continuity and portability of health plans, mandating the
adoption and implementation of administrative simplification standards to
prevent fraud, waste and/or abuse, improve health plan overall operations and
guarantee the privacy, confidentiality and security of individually identifiable
health information, among other requirements.

 

HITECH: The Health Information Technology for Economic and Clinical Health Act
(2009). Provisions of this act expanded HIPAA regulations to include mandatory
data breach notifications, heightened enforcement, increased penalties and
expanded patient rights.

 

HHS-OIG: is the Office of Inspector General within the U.S. Department of Health
and Human Services (DHHS). The HHS OIG is dedicated to combating fraud, waste
and abuse and to improving the efficiency of HHS programs. A majority of OIG's
resources go toward the oversight of Medicare and Medicaid programs.

 

Health Plan Management System (HPMS): is a CMS web-enabled information system
that serves a critical role in the ongoing operations of the Medicare Advantage
(MA), Part D, and Accountable Care Organization (ACO) programs.

 

NBI-MEDIC: Health Integrity is the Medicare Part C and Part D program integrity
contractor for the Centers for Medicare & Medicaid Services (CMS) under the
National Benefit Integrity Medicare Drug Integrity Contract (NBI MEDIC). The
purpose of the NBI MEDIC is to detect and prevent fraud, waste and abuse in the
Part C (Medicare Advantage) and Part D (Prescription Drug Coverage) programs on
a national level.

 

Office of the Commissioner of Insurance of Puerto Rico (OCI): Regulator of the
insurance business in the Commonwealth of Puerto Rico. The Office of the
Commissioner of Insurance is an entity that reports directly to the Governor of
Puerto Rico.

 

OIG: is the Office of the Inspector General within DHHS. The Inspector General
is responsible for audits, evaluations, investigations, and law enforcement
efforts relating to DHHS programs and operations, including the Medicare
program.

 

 




 

 

Office of Personnel Management (OPM): The Office of Personnel Management manages
the civil service of the federal government, coordinates recruiting of new
government employees, and manages their health insurance and retirement benefits
programs.

 

Protected Health Information (PHI): Information transmitted through any means of
communication (paper, electronic or verbal) that identifies a specific
individual. The elements that identify and represent an individual's protected
health information are:

 

a) Name
b) Any reference to a geographical division smaller than a State, including
street address, city, county, precinct, zip code or their equivalents.
c) Any information on dates directly related to the individual, including birth
date, subscription or start date in the plan, discharge date or cancellation,
date of death, any reference to an age over 89 years, and any information or
reference to the indicative dates of that age.
d) Phone number, fax, e-mail addresses
e) Social Security Number
f) Medical Record Number
g) Beneficiary health plan number
h) Account numbers
i) License number, license plate, permits, tags
j) Identification or medical equipment serial number
k) Biometric identifiers, including voice tests or fingerprints
l) Images of the individual, including face photographs
m) Any other number, code or characteristic that is unique in the identification
of the individual or that could lead to the identification of the individual

 

The Centers for Medicare and Medicaid Services (CMS): The federal agency that
runs the Medicare program. In addition, CMS works with the States to run the
Medicaid program. CMS works to make sure that the beneficiaries in these
programs are able to get high quality health care.

 

 




 

 

 

 

Contact Us

 

This Compliance Program is published in Compliance 360. If you have any
questions or concerns related to this Program and/or if you want to report any
situation of noncompliance, fraud, waste and/or abuse, you can contact our
Compliance Department through:

 

 


 

TSACompliance@sssadvantage.com

 



 

 

 





 



 

 

 

Schedule J6

 

 




 


 







I. Purpose:

 

The purpose of this policy is to establish processes to ensure the organization:
1) develops criteria to perform an assessment of potential contractors prior to
delegation of functions, 2) follows such criteria to approve contractors, 3)
enters into written agreements that include all URAC and other regulatory
agencies’ requirements, and 4) establishes and implements an oversight mechanism
for delegated functions.

 

II. Scope:

 

Regular employees, temporary personnel and contractors.

 

III. Policy:

 

Delegated Entities are independent contractors to whom we assign by contract
certain operational activities in which they have developed expertise and have
achieved operational efficiencies. Even if we delegate certain activities of our
operation to these entities, we are responsible to policyholders and regulators
regarding compliance with laws and regulations applicable to the functions
delegated to such entities, as well as the continuity and quality of the
services that they provide. For this reason, we have the duty to continually
ensure the integrity and competence of the Delegated Entities and their
compliance with the laws and regulations applicable to the functions that were
delegated to them. Triple-S, as an insurer, has the final responsibility for
compliance with the terms and conditions of its contract with the Centers for
Medicare and Medicaid Services (CMS), the Office of Personnel Management (OPM),
the Puerto Rico Health Insurance Administration (ASES), the Office of the
Insurance Commissioner (OCS) and any other regulator.

 

Therefore, for each Delegated Entity, the Corporation has appointed a contract
administrator so as to maintain continuous monitoring of the Delegated Entity
throughout the year. This monitoring consists of periodic interactions with
Delegated Entities, as well as review and follow-up of performance indicators,
their policies and operational procedures, meetings, phone calls, emails,
educational workshops, audit reports, among others.

 





2017 Triple - S Policy and Procedure Template. Hardcopies of this document are
considered uncontrolled, for the latest version please refer to Compliance 360
or contact Compliance Department



 

 


 









Policy No.: TSS-CE-001
Effective Date: 09/01/2016
Approval Date: 09/07/2017
Department: Compliance
Policy Name: Contracting and monitoring of Delegated Entities



 







The delegation oversight authority shall conduct a documented review, no less
frequently than annually, of the contractor’s written policies and documented
procedures to assure continued compliance and capacity to comply with the terms
of the delegation agreement.

 

Note: All the delegations are subject to approved policies, the resolutions of
the Board of Directors, business strategy plans and current budget.

 

This policy/procedure will govern everything related to the contracting and
monitoring of the Delegated Entities.

 

IV. Definitions:

 

1. Criteria: A set of standards, guidelines or protocols used by the Corporation
to govern its processes. The criteria should be in writing, be based on
professional practice and the applicable literature, be applied consistently,
and be subject to review at least once a year.

 

2. Delegation: The process by which an organization contracts with or otherwise
arranges for another entity to perform functions and to assume certain
responsibilities on behalf of the organization, while the organization retains
final authority to provide oversight to the delegate. The Corporation has to be
specific as to the parts of the function that are subject to delegation.

 

3. Delegated Entity: Entity to which an activity is transferred through a
contract. A Delegated Entity may be a first tier entity (contractor), a
downstream entity (subcontractor) or a related entity. Delegated entities are
commercial entities, not individuals.

 

4. Downstream Entity (Subcontractor): A party that enters into a written
agreement, acceptable to CMS, with the Delegated Entity to provide services.
The agreement falls below the level of the agreement that Triple-S reaches
with a Delegated Entity (First Tier Entity).

 

5. Related Entity: Any entity that is affiliated with the Corporation under
common control and that, in addition: (1) performs some of the activities of the
Corporation by contract or delegation; (2) provides services to the
beneficiaries through a written contract; or (3) rents real property or sells
materials to the Corporation at a cost that exceeds $2,500 for the contract
period.

FDR: means First Tier, Downstream or Related Entity.

 

6. First Tier Entity (Delegated Entity): An independent entity that enters
into a written contract with the Corporation, acceptable to CMS, to provide
administrative services or health services to a beneficiary.

 

7. Off-shore: refers to businesses that have operations in any foreign country
(not the United States of America, or its Territories, including Puerto Rico).
Delegated entities have to notify and request the prior written authorization
from the Corporation if they have off-shore operations before the
pre-delegation audit or 90 days before the effective date in which they plan to
perform a delegated activity off-shore.

 

V. Responsibilities:

 

The responsibilities of the Contract Administrator include, but are not limited
to: keeping a copy of the contract with the Delegated Entity; establishing and
maintaining good relations with the Delegated Entity for which he/she is
responsible; acting as contact for the solution of problems; monitoring the
contractor so that it carries out activities in compliance with the contractual
and regulatory standards, corporate policies and procedures, regulatory and
accreditation agencies, and best practices; and producing reports for management
related to compliance with the contract. For this, the Administrator must
perform the initial pre-delegation assessment and subsequent compliance
assessments, at least once a year. The Administrator must keep a record for each
contract that he/she administers. Also, the Contract Administrator will monitor
financial incentives, if any, to ensure that the quality of the services is not
adversely affected.

 

VI. Procedure:

 

The contract administrator will work closely with the subject matter experts.
These are persons knowledgeable or expert in a particular area, process or topic
subject to delegation. The primary responsibilities of the subject matter
experts are:

 

1) Evaluate reports produced and/or submitted by the delegated entity.

 

2) Review policies and procedures related to their areas of expertise from an
operational perspective.

 

3) Collaborate in the monitoring of the implementation of regulatory changes.

 

4) Participate in the performance of pre-delegation, delegation audits and
monitoring activities.

 

5) Oversee the implementation of corrective actions required based on the
monitoring activities and audits.

 

The Compliance and Privacy Offices of the various business units will
collaborate with the Contract Administrators in those tasks that are understood
to be relevant, including but not limited to those related to the requested
trainings, regulatory monitoring and follow-up of corrective action plans.

 

The Vendor Management Oversight Committee (VMOC) will receive quarterly written
reports from the Contract Administrators who are responsible for the selected
Delegated Entities.

 

A. Activities that can be Delegated

 

Below, for illustrative purposes, we present a list of activities related to
contracts that we currently have with regulators and that can be delegated:

 














 

 


 






  

o Affiliations, non-affiliations and membership management
o Pharmacy Benefits Manager (PBM)
o Applications Processing
o Clinical quality
o Provider Network Management (Mental health, dental and vision)
o Grievances, Complaints and Appeals
o Coordination of benefits
o Utilization Management
o Claims, processing and adjudication of coverage
o Licensing and credentials
o Rebates negotiation and other price concessions for prescribed medications
o Customer Service
o Confidence Line
o Bid preparation
o Sales and marketing
o Affiliation verification

 

B. Factors to Consider to determine if we have a Delegated Entity

 

There are several factors to consider. If you answer all the questions below in
the affirmative, we are probably dealing with a Delegated Entity:

 

1) What function does the entity perform? Refer to the list of activities that
can be delegated.

 

2) Is the function one that Triple-S must perform in the ordinary course of the
business of an insurer, according to the Law, the contract, rules or guidelines
of the regulator or accrediting entity?

 

3) Does the function that it performs impact policyholders directly?

 

4) Is the interaction with the insured, verbal, written or face-to-face?

 

5) Does it have access to confidential information of the insured?

 

6) Does it have discretion to make decisions in relation to the service that it
offers?

 

C. Criteria for the Selection of a Delegated Entity [Core 6]

 

Triple S carefully monitors the activities performed and any responsibilities
assumed by another entity whenever those activities are covered under
accreditation standards and/or other applicable laws or regulations.

 

Triple S adheres to the following criteria for approving delegation of
activities to a contractor: [Core 6]

 














 

 






  




 



1) Potential Delegate must demonstrate ability to adhere/comply with URAC
Standards (if applicable) and local and federal laws and regulations relevant to
the functions that they are being contracted to perform (if applicable). [Core
6]

 

2) Potential Delegate must demonstrate that it has adequate resources (e.g.,
Information Technology/Information Management, Equipment, and Staffing) to
implement the functions that they are being contracted to perform. [Core 6]

 

3) Potential Delegate must be willing and capable of complying with Triple S
delegation oversight activities including Pre-assessment Evaluation, Annual
Delegation Reviews and Performance Reporting as delineated in the Triple S
Delegation Agreement. [Core 6 & Core 7(b)]

 

In addition, the Delegated Entities must comply with the following criteria:
[Core 6]

 

i. Good standing with regulatory agencies [Core 6]

 

ii. Compliance with federal, local and accrediting agencies statutory
requirements [Core 6]

 

iii. Fiscal solvency [Core 6]

 

iv. Preferably, it should be a company that has an existing accreditation with
URAC, NCQA or another entity with national recognition. [Core 6]

 

v. Approval of the pre-delegation evaluation by the Contract Administrator and
the Compliance Officer. [Core 6]

 

Note that for purposes of this policy, those business functions covered under
the "Health Plan Accreditation" program of URAC that are carried out off-shore
are subject to these standards and we have to monitor contractor’s compliance
with URAC requirements. Certifications for off-shore activities must be
submitted by the contract administrator to the Compliance Officer as part of the
pre-delegation process.

 

D. Pre-Evaluation of the Delegated Entity [Core 7(a) & Core 7(b)]

 

In order to evaluate a potential delegate’s capacity to meet Triple S delegation
approval criteria, a formal review is performed. The pre-assessment includes a
review of the potential delegate’s applicable written policies and procedures
and other documents to confirm compliance with the delegation criteria,
applicable URAC standards (if applicable), and any applicable laws and
regulations. [Core 7(a)] The prior evaluation of the capabilities of a
possible delegated entity helps promote a good working relationship and
ensure quality service to customers. Prior to the contract, the entity shall be
evaluated using, at the discretion of the Corporation, one or more of the
methods below: [Core 7(b)]

 

1) Review of written policies and procedures applicable to the delegated
function. Once the Delegated Entity is contracted, the Contract Administrator
shall perform, as a minimum, an annual review of these policies and procedures
and documentation of the way in which the Delegated Entity monitors the quality
of the services provided to the Corporation and our customers for related
delegated functions. [Core 7(b)]

 

2) Validation and documentation of status to operate with primary sources such
as the Office of the Inspector General, the System for Awards Merit, Department
of State, local Department of Health, Office of Foreign Assets Control, among
others. [Core 7(b)]

 

3) Evaluation as to the sufficiency, appropriateness and expertise of staff to
perform delegated functions [Core 7(b)]

 

4) Selection of sample of cases to confirm the capacity of the Delegated Entity
to carry out the function [Core 7(b)]

 

5) Perform satisfaction surveys [Core 7(b)]

 

6) Site visit - An onsite review may be performed if there is indication that
further information is necessary to determine appropriateness of delegation. In
the case of Delegated Entities who receive insured in their facilities to
provide services, this is to ensure that the facilities meet minimum
requirements for accessibility, hygiene, number of professionals, signs required
by law, waiting times, among others. [Core 7(b)]

 

7) Interviews (telephonic or on-site) and exchange of information with potential
Delegate’s staff [Core 7(b)]

 

8) Screen Prints of potential Delegate’s electronic documentation/record system
[Core 7(b)]

 

If the potential Delegate is URAC accredited the pre-assessment is not required.
Current URAC accreditation will be verified via URAC web site www.urac.org.

 

The result of the assessment must be in writing and signed by the person(s) who
performed it.

 

E. Delegation Oversight [Core 9]

 








 

 


 






 

After contracting, the Contract Administrator will evaluate the Delegated Entity
as often as he/she, at his/her own discretion, or the Vendor Management
Oversight Committee deems necessary, but there must be at least an annual
assessment. For the annual evaluation the administrator can use the
Pre-Delegation Uniform Audit Form.

 

Triple S will require its delegated vendors to submit periodic reports to the
organization regarding the performance of its delegated responsibilities. [Core
9(a) & Core 9(b)] In addition it may include specific reports related to
individual incidents. As part of the periodic monitoring, the Corporation shall
review, no less frequently than annually, the contractor’s written policies and
procedures to assure continued compliance with applicable company standards,
contractual agreements, URAC standards, other applicable accrediting
organizations standards, and any applicable laws and regulations. [Core 9(a) &
Core 9(b)] The contract administrator shall conduct a documented review of the
Delegated Entity quality activities related to the delegated functions in order
to assure continued compliance with the applicable quality standards of TSS
regarding the quality of services provided. [Core 9(a) & Core 9(b)] In cases in
which the Delegated Entity does not comply with the quality requirements, the
Contract Administrator must request a corrective action plan to improve the
level of quality of the services provided under the contract.

 

In addition, as a part of the annual review, the contract administrator will
query the Delegated Entity as to the existence of any financial incentives,
either in the agreement between Triple-S and the contractor or within the
contractor’s relationships to its staff. Should such financial incentives exist,
the contract administrator, after consultation with the medical director if
necessary, will document whether such financial incentives compromise the
quality of care and service provided to Triple-S members. If the incentives are
found to compromise members’ quality of care and service, the medical director
shall be alerted and shall work with staff to either terminate the agreement or
require the contractor to take steps appropriate to address the risk to members.
[Core 9(c)]

 

F. Contracting with the Delegated Entity [Core 8]

 

Contracts with the Delegated Entities must comply with Third-Party Contracting
Policy parameters. The contract with the Delegated Entity, just like any other
contract, must be in writing, signed by the parties and be prospective. In
addition, it will specify:

 

1) The responsibilities delegated to the contractor and the responsibilities
held by the Corporation; [Core 8(a)]

 

2) The requirement that the services are provided according to the requirements
of the Corporation, URAC standards, guidelines of ASES, OPM and CMS; [Core 8(b)]

 






 

 






 




 



3) Process that it has implemented to monitor the quality of the services it
provides;

 

4) The obligation of the Delegated Entity to notify the Corporation of any
material changes in its ability to perform delegated functions. Examples of
material change may include prolonged interruption of services and loss or
replacement of a senior clinical person. [Core 8(c)]

 

5) The discretion of the Corporation to carry out interviews, polls or surveys
on the Delegated Entity, as it may consider necessary; [Core 8(d)]

 

6) Process by which Triple S evaluates the Delegate’s performance including at
least annual Delegation Reviews and semi-annual Performance Reporting. The
Delegated Entity has an obligation to submit periodic reports to the Corporation
on its performance of the delegated responsibilities; [Core 8(e)]

 

7) Remedies or penalties applicable if the Delegated Entity does not fulfill its
obligations or does not correct the problems identified within a specific period
as required; [Core 8(f)]

 

8) The requirement to sign a business associate agreement if as part of the
delegated functions there will be exchange of personal insurance, health or
financial information of the customers.

 

9) Services during transition periods.

 

10) The circumstances in which a contractor may subcontract, including the
requirement to obtain prior authorization from the Corporation, provided that in
the case of subcontracting, it is the responsibility of the Delegated Entity to
submit to the contract administrator periodic reports on the performance of the
subcontractor; and [Core 8(g)]

 

11) Services sub-delegated by Delegate shall be subject to all terms and
conditions of the written delegation agreement between Delegate and Triple S and
shall be provided in accordance with URAC standards and other national
accrediting standards that the organization is required to meet. [Core 8(h)]

 

12) Delegated Entities that are accredited by local or national organizations
(URAC, NCQA) must notify the Corporation of any changes in their accreditation.

 

13) If the Delegated Entity is accredited by URAC, the Corporation must perform
a primary verification in the directory of corporations accredited by URAC
provided on the Internet (www.urac.org) and provide a copy to demonstrate that
the Delegated Entity is accredited.

 

14) The duty of the Delegated Entity to keep records of the trainings taken
by its employees as a requirement of the contract. As a minimum it should retain
a copy of the material taught, information on the resource that provided the
training, attendance sheets or certifications, and the mechanism used to assess
the effectiveness of the training.

 

15) If applicable, include with the Medicare Advantage attachment.

 

G. Non-Compliance in Performance

 

If the continuous monitoring and reviews indicate that the
Delegated Entity cannot meet the contractual requirements of the Corporation,
its policies, accreditations and standards, the Contract Administrator should
report it to senior management and to the Vendor Management Oversight Committee
(VMOC) within a period which shall not exceed 3 working days. In this report the
Contract Administrator will indicate the measures required to make the Delegated
Entity rectify the deficiencies. The deficiencies associated with regulatory
non-compliance should be reported immediately to the Compliance Officers of the
different business units, in order to formally request a corrective action plan.

 

The results of the reviews, monitoring and management determinations will be
communicated to the Delegated Entity in writing. Triple-S will work with the
Delegate to address and correct any concerns in its effort to continuously
improve processes and provide services. The Delegated Entity shall have ten (10)
calendar days to respond to any finding through a corrective action plan
indicating:

 

o Plans taken to immediately correct deficiencies that impact Consumer health
and safety;

 

o Plans to correct/revise policies and/or processes that fail to meet other
contractual and/or accreditation requirements

 

Actions to correct deficiencies will be assessed on a case by case basis and on
their merits. As a general rule the corrective action plans must be completed
within a period of thirty (30) days. It is at the discretion of senior
management to provide longer periods than those provided in this section.
Unjustified failure to comply with these deadlines will be sufficient cause for
the Contract Administrator to recommend the termination of the contract to
senior management and report it to the VMOC. Reviews or re-audits are conducted
as needed to assure corrective actions have been effective in improving
previously identified deficiencies.

 






 

 


 




 



H. Management Reports

 

Contract Administrators who are in charge of Delegated Entities must submit to
the VMOC a quarterly report which details the evaluation of the performance of
the contractor (may include corrective action plans and their updates, audit
results, among others). Quarterly reports will be submitted to the address
vmoc@ssspr.com on the following dates:

 

1) First quarter: April 10

 

2) Second quarter: July 10

 

3) Third quarter: October 10

 

4) Fourth quarter: January 10

 

If any of these dates falls on a holiday or weekend, the report will be
presented the next working day.

 

I. Document Retention

 

Documentation related to the delegation of functions will be retained by the
Contract Administrator of the contracting unit while the contract with the
Delegated Entity is in force. This documentation shall be recorded in the
contractor’s file (paper or electronic) which will contain:

 

1) Copy of the contract

 

2) Copy of the Non-Disclosure Agreement or Business Associate Agreement, if
applicable.

 

3) Copy of policies and procedures and any other documentation submitted by the
Delegated Entity.

 

4) Copies of Delegate’s Performance Reports

 

5) Copy of the pre-evaluation results and annual delegation review of
performance and contractual compliance.

 

6) Copy of corrective action plans and follow-up revisions

 

7) Written communications between the Corporation and the Delegated Entity

 

8) Primary source verification of the status of URAC accreditation
certification, if applicable

 

Vendor Agreements Quasi-Delegation Involving Protected Health Information

 




 

 






 




 



For URAC compliance, where services provided by a contractor are not within the
scope of the URAC Health Plan Accreditation Program, but the relationship
between Triple-S and such contractor involves contact by the vendor with
protected health information (“PHI”) or individually identifiable health
information (“IIHI”) of members of Triple-S, the relationship is considered to
be Limited Delegation.

 

Examples of such vendor relationships include document storage and/or shredding
and the operation of member translator telephone services, among others.

 

The requirements for this type of delegation are:

 

o Delegation agreement

o Business Associate Agreement that addresses the following elements:

   o Breach
   o Breach notification/remediation/mitigation
   o Transferring of data
   o Requirements of training for the BA’s workforce, and
   o Proper handling of the PHI

 

VII. Attachments: None

 

VIII. References:

 

URAC accreditation standards

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Dalila Allende, Compliance and Ethics Director | New document
2 | 09/07/2017 | Dalila Allende, Compliance and Ethics Director | Annual review, no changes







 

 

 




 



 

 

 

 



 

 

 

 

 

 



 

Schedule J9

 

 




 

 



 




 

 

 

 

 

 

 

 

 

 

IT and Information Security Policies

 

Approved by and Date

 

Issued by: Miguel O. Mercado, Cyber & Information Security Director

Effective Date: Sep 1, 2016

Revised by: Miguel O. Mercado

Date Revised: Aug. 11, 2016

Version: 1.2

Approved by: Juan José Díaz, Chief Information Officer (CIO)

       

 

 

 




 



 

Table of Contents

 

Acceptable Use
Anti-virus and Anti-Spyware
Asset Management Policy
Backup & Retention
Change Management
Clear Desk & Clear Screen
Data Classification
Data Integrity and Interoperability
Encryption and Cryptographic Algorithms
General Information Security
Information Exchange
IT Compliance Management
Network Security
Password Management
Physical and Environmental Security
Remote Access
Removable Device Management
Retention and Disposal
Security Awareness and Training
Security Monitoring Policy
Technical Vulnerability Management Policy
Teleworking
Third Party Services Risk Management
User Access
Information Security Risk Analysis
Business Continuity Management
Patch and Vulnerability Management Policy

 

 

 




 

 



Policy No.: ISP#1
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Acceptable Use

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

 

           

I. Purpose:

 

The purpose of this policy is to establish what is considered acceptable (and
also unacceptable) use of computers and related media at TSM, in order to reduce
unauthorized access to sensitive information (i.e. corporate, personnel and EPHI
information), reduce security breaches and avoid the legal issues associated
with such breaches.

 

II. Scope:

 

This policy applies to all employees of TSM and its subsidiaries, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches.
The policy also helps identify how individually-identifiable health information
should be used.

 

Triple-S Management Corporation (TSM) has developed and adopted the Acceptable
Use Policy to provide management with direction, support and protection with
respect to inappropriate, unauthorized, and even illegal actions performed by
users, whether the action is performed knowingly (intentionally) or through
ignorance.

 

Internet systems, which include desktop computers, laptops and other mobile
media (tablets, smartphones), file transfer protocols, operating systems,
network accounts, electronic mail and all electronic storage media, are the
property of TSM. All of these resources are to be used only for business, never
for personal use.

 

TSM shall ensure that all in-scope parties are formally informed of the TSM
Information Security Policies. TSM has implemented training programs to guide
users on the importance of properly using the information of TSM, and at the
same time raise awareness of existing regulations and corporate policies and
procedures to ensure full compliance with all the requirements.

 

Access to the TSM information systems and applications will be provided to users
to support business activities and only on a need-to-know basis to perform their
job responsibilities.

 

IV. Definitions:

 

1. Blogging: The activity of adding new entries to a blog or website usually
designed to present the owner’s thoughts and ideas, observations, opinions and
experiences.

 



 

 




 

2. Honeypot: A location in the network that is expressly set up to attract and
study malware that attempts to penetrate the network or computer system.

3. Honeynets: Contain one or more honeypots, which are computer systems on the
Internet expressly set up to attract and "trap" people who attempt to penetrate
other people's computer systems.

 

4. Proprietary Information: The information that is not considered public. This
may include: corporate, financial and system information.

 

5. Spam: Any electronic junk mail received by users and most unsolicited e-mail.

 

6. Cloud Platform: A system where applications or systems may be run in an
environment composed of utility services in an abstract environment, such as the
Internet. Internet-based computing, where shared resources, data and
information are provided to computers and other devices on-demand.

 

7. Cloud Storage: A popular method used for data storage on the Internet. This
could be free or paid.

 

8. Mobile device: Any portable equipment used in technology.

 

9. BYOD: An acronym for Bring Your Own Device. A custom in corporate culture
where the employer approves the use of employee personal devices such as phones
and tablets for the daily job function.

 

10. Jail Break: Term used to unlock the operating system of a smartphone, tablet
or any portable device without its default security system.

 

11. Root: Rooting gives the user administrator rights to alter the OS, tweak the
hardware and unlock the phone from its carrier.

 

V. Responsibilities:

 

1. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 



 

 






In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

1. The following General Use and Ownership practices help the organization
prevent confidentiality and security breaches:

 

a) All users should know that all generated information through TSM networks and
systems is property of TSM.

 

b) A physical inventory of all TSM devices and the authorized personnel to use
the devices (e.g. Laptops, Desktops Computers, and Corporate Cellphones among
others) shall exist and be updated frequently. All devices shall be labeled with
either a TSM inventory number, or logo for proper identification.

 

c) Authorized users may access, use or share TSM proprietary information only to
the extent it is authorized and necessary to fulfill the user's assigned job
duties (e.g. minimum necessary). [Core-16(a)] [Core-15(b)]

d) All users shall be liable for protecting the information stored on
systems, applications, directories and network devices belonging to TSM and
shall exercise good judgment regarding the reasonableness of the use of the
equipment and the information. [Core-15(b)]

 

e) For security and network maintenance purposes, TSM authorized individuals
shall supervise and monitor equipment, system and network traffic.
[Core-15(a)(b)(c)]

 

f) TSM reserves the right to audit network and systems if necessary on a
periodic basis to ensure compliance with this policy. [Core-15(a)(c)]

 



 

 






g) All system accesses will be disabled and/or deleted upon termination of
employee, completion of contract, end of service of non-employee, or
disciplinary action arising from violation of this policy. In the case of a
change in job function and/or transfer the original access will be discontinued,
and only reissued if necessary and a new request for access is approved.
[Core-15(b)]

 

2. Security and Proprietary Information:

 

The following Security and Proprietary Information protection practices help the
organization prevent confidentiality and security breaches [Core-15(b)].

 

a) Providing access to another individual, either deliberately or through
failure to secure one's access, is prohibited.

 

b) All computing devices must be secured with a password-protected screensaver
with the automatic activation feature set at 10 minutes or less. The user must
lock the screen or log off when the device is unattended.

 

c) Posting by employees from a TSM email address or systems on blogs or social
networking sites is prohibited unless posting is in the course of business
duties.

 

3. Unacceptable Use:

 

The following activities are not considered an acceptable use of the
organization's information and information assets. Not following these
recommendations could place individually-identified health information and
company information at risk. Note that some users may be exempted from some of
the restrictions during the course of their legitimate job responsibilities
(e.g., system administrator staff may have a need to disable the network access
of a host if that host is disrupting production services).

 

a) Under no circumstances is an employee of TSM authorized to engage in any
activity that is illegal under local, state, federal or international law while
utilizing TSM owned resources. [Core-15(b)]

 

b) Violations of the rights of any person or company protected by copyright,
trade secret, patent or other intellectual property, or similar laws or
regulations, including, but not limited to, the installation or distribution of
"pirated" or other software products that are not appropriately licensed for use
by TSM. [Core-15(b)]

 

c) Unauthorized copying of copyrighted material including, but not limited to,
digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which TSM or the end user does not have an active license is
strictly prohibited. [Core-15(b)]

 

d) The use or installation of unauthorized software, including obtaining data
and/or software from external networks is prohibited. [Core-15(b)]

 

e) Accessing data, a server or an account for any purpose other than conducting
TSM business, even if you have authorized access, is prohibited. [Core-16(a)]

 

f) Exporting software, technical information, encryption software or technology,
in violation of international or regional export control laws, is illegal. The
appropriate management should be consulted prior to the export of any material
that is in question. [Core-15(b)]

 

g) Introduction of malicious programs into TSM network environment (e.g.,
viruses, worms, Trojan horses, e-mail bombs, ransomware, etc.). [Core-15(b)]

 

h) Revealing your account password to others or allowing use of your account by
others. This includes family and other household members when work is being done
at home. [Core-15(b)]

 

i) Using a TSM information technology asset to actively engage in procuring or
transmitting material that is in violation of sexual harassment or hostile
workplace laws in the user's local jurisdiction.

 

j) Making fraudulent offers of products, items, or services originating from any
TSM account.

 

k) Making statements about warranty, expressly or implied, unless it is a part
of normal job duties.

 

l) Effecting security breaches or disruptions of network communication. Security
breaches include, but are not limited to, accessing data of which the employee
is not an intended recipient or logging into a server or account that the
employee is not expressly authorized to access, unless these duties are within
the scope of regular duties. For purposes of this section, "disruption"
includes, but is not limited to, network sniffing, ping floods, packet
spoofing, denial of service, and forged routing information for malicious
purposes. [Core-15(b)]

 

m) Port scanning or security scanning is expressly prohibited unless prior
notification to the Information Security Group is made. [Core-15(b)]

 



 

 






n) Executing any form of network monitoring which will intercept data not
intended for the employee's host, unless this activity is a part of the
employee's normal job/duty. [Core-15(b)]

o) Circumventing user authentication or security of any host, network or
account. [Core-15(b)]

p) Introducing honeypots, honeynets, or similar technology on the TSM networks.
[Core-15(b)]

q) Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's terminal session, via any means,
locally or via the Internet/Intranet/Extranet. [Core-15(b)]

r) Providing confidential information about TSM employees to parties outside
TSM. [Core-15(b)]

 

4. Email and Communication Activities:

 

The following practices are prohibited, which helps the organization prevent
confidentiality and security breaches [Core-15(b)]:

 

a) Sending unsolicited email messages, including the sending of "junk mail" or
other advertising material to individuals who did not specifically request such
material (email spam).

 

b) Any form of harassment via email, telephone or texting, whether through
language, frequency, or size of messages.

 

c) Unauthorized use, or forging, of email header information.

 

d) Creating or forwarding "chain letters", "Ponzi" or other "pyramid" fraudulent
schemes of any type.

 

e) Use of unsolicited email originating from within TSM networks or other
information technology service providers on behalf of, or to advertise, any
service hosted by TSM or connected via TSM network unless this activity is part
of normal business activity.

 

f) Posting the same or similar non-business-related messages to large numbers of
Usenet newsgroups (newsgroup spam).

 



 

 






g) Employees should never open e-mails received from unknown senders as these
e-mails may contain malware.

 

5. Blogging and Social Media:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

a) Blogging by employees, whether using Triple-S Management Corporation (TSM)
property and systems or personal computer systems, is also subject to the terms
and restrictions set forth in this Policy. Blogging from TSM systems is also
subject to monitoring.

 

b) Users shall also carefully control what information they post on social media
accounts and to whom this information is available. This particularly applies to
users who actively participate on social media sites as part of their company
job function, in order to network with customers and promote brand awareness.

 

c) TSM Confidential Information policy also applies to blogging. As such,
Employees are prohibited from revealing any TSM confidential or proprietary
information, trade secrets or any other material covered by TSM Confidential
Information policy when engaged in blogging.

 

d) Employees shall not engage in any blogging that may harm or tarnish the
image, reputation and/or goodwill of TSM and/or any of its employees. Employees
are also prohibited from making any discriminatory, disparaging, defamatory or
harassing comments when blogging or otherwise engaging in any conduct prohibited
by TSM Non-Discrimination and Anti-Harassment policy.

e) Employees shall also not attribute personal statements, opinions or beliefs
to TSM when engaged in blogging. If an employee is expressing his or her beliefs
and/or opinions in blogs, the employee shall not, expressly or implicitly,
represent himself or herself as an employee or representative of TSM. Employees
shall assume any and all risk associated with blogging.

 

f) Apart from following all laws pertaining to the handling and disclosure of
copyrighted or export controlled materials, TSM trademarks, logos and any other
TSM intellectual property shall also not be used in connection with any blogging
activity.

 

6. Cloud-Based Storage Sites:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 



 

 






Triple-S Management Corporation (TSM) has contracted the services of “Box”
(cloud platform). This is the TSM authorized cloud platform for the secure
online storage of TSM files.

 

a) User access to “Box” shall be authorized by the Information & Cyber Security
Director to support business activities, only on a need-to-know basis to allow
the authorized users to perform their job functions and responsibilities.

b) All files, data and information with PHI, PII, ePHI or any other sensitive
information that is the property of TSM and is stored using the cloud platform
(Box) shall be encrypted with PGP or other mechanisms.

c) The use of cloud-based storage sites such as Dropbox, OneDrive, Google Drive,
Amazon, Copy, and iCloud is not considered an acceptable use. Users shall
not store any type of TSM data and/or information on them. All users shall
maintain and protect the confidentiality of all TSM data and information systems.

 

d) Users shall not use the designated TSM “Box” account for personal use. The
storage of files, music, pictures or other data not related to TSM business
purposes is prohibited.

 

7. Mobile Devices:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

This policy establishes the rules for the proper use of mobile devices
(BYOD/Corporate Owned) whenever they are used to access Triple-S Management
Corporation (TSM) networks or corporate email, in order to protect the
confidentiality of sensitive data, the integrity of data and applications, and
the availability of services at TSM, as well as corporate assets
(confidentiality and integrity) and continuity of the business (availability).

TSM reserves the right to disconnect any device or disable the access to TSM
networks or application services without notification. Users shall always use
their devices in an ethical manner and agree to adhere to the applicable TSM
policies and procedures.

a) Mobile devices must be password/PIN protected.

 

b) Users shall maintain the original device operating system and keep the device
current with security patches and updates, as released by the manufacturer.

 

c) Users shall not “Jail Break” nor “Root” the device (installing software that
allows the user to bypass standard built-in security features and controls).

 



 

 






d) Users agree to delete any sensitive business files that may be inadvertently
downloaded and stored on the device, and that are not going to be used anymore.

e) Users are responsible for securing and backing up all personal information on
their mobile devices.

f) Users must take appropriate precautions to prevent others from obtaining
access to their mobile device(s).

g) Mobile device user credentials (User-ID, PIN, and Password) shall not be
shared with other personnel.

h) Employees are responsible for immediately notifying TSM in case of device
loss or theft.

 

i) Selected TSM mobile device activities can be tracked and monitored.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#2
Policy Name: Anti-virus and Anti-Spyware
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor
Reviewed by: Miguel O. Mercado, Information & Cyber Security Director
Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to establish requirements which must be followed
by all users of the organization and be met by all computers connected to the
TSM network. The adoption and enforcement of the policy helps reduce the
organization's risk against malicious programs such as malware, botnets and
computer viruses.

Computer viruses, malware, botnets and spyware are some of the most significant
threats against computer environments connected to the Internet. The Internet has
made the propagation of malicious programs part of the global cyber-crime
industry. This industry today includes developers of computer viruses, malware,
botnets and spyware programs, as well as formal distribution and harvesting
channels. One of the main goals of the cyber-crime industry is to steal customer
sensitive information and promote fraud and cyber-espionage against individuals
and corporations. The channel is highly effective due to the following factors:

 

1. Easy and rapid access to the internet by cyber criminals.

 

2. Cyber-criminals leverage the very low cost of the internet channel.

 

3. Billions of users connected to the internet provide a great incentive to
cyber-criminals to harvest this channel for committing fraud.

 

4. Most internet users have a very low level of awareness of cyber-crime and
cyber-crime techniques.

 

5. Global nature of the internet makes criminal prosecution harder.

 

For these reasons, proper maintenance and operation of the anti-virus and
anti-spyware system is one of the primary security layers used by TSM to protect
its IT assets against malware and other types of attacks. The anti-virus and
anti-spyware system is designed to detect and protect the IT assets based on the
Windows operating system used by TSM.

 

II. Scope:

 

This policy applies to employees of TSM and its subsidiaries, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 



 

 










 

Triple-S Management Corporation (TSM) has developed and adopted the Anti-Virus
and Anti-Spyware Policy to provide management with direction and support for
the implementation of safeguards to detect, prevent and recover from
malicious programs such as malware, botnets and computer viruses.

 

IV. Definitions:

 

1. Virus: A program that enters a computer usually without the knowledge of the
operator. Some viruses are mild and only cause messages to appear on the screen,
but others are destructive and can wipe out the computer's memory or cause more
severe damage.

 

2. Botnet: A network of computers created by malware and controlled remotely,
without the knowledge of the users of those computers.

 

3. Malware: Software that is intended to damage or disable computers and
computer systems, including computer viruses, worms, trojan horses, ransomware,
spyware, adware and other malicious programs.

 

4. Spyware: Software that aims to gather information about a person or
organization without their knowledge and that may send such information to
another entity.

 

V. Responsibilities:

 

All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

TSM reserves the right to audit networks, systems, or procedures on a periodic
basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

1. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

2. Non-Compliance

 



 

 






 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. TSM Microsoft based Windows servers, workstations and laptop computers must
have TSM's approved and supported anti-virus and anti-spyware agent installed
and scheduled to run at regular intervals. [Core-15(b)]

2. The anti-virus and anti-spyware agent and its virus and spyware signature
database must be configured for performing automatic updates of the system
malicious program database. [Core-15(b)]

3. All new software and files downloaded from the internet must be subject to
screening by the anti-virus and anti-spyware system before being allowed in the
internal network. [Core-15(c)]

4. The Desktop Management Group (DMG) is responsible for removing from the TSM
network virus-infected computers until they are verified as virus-free.
Confirmation of the verification shall be sent to the Information Security
Group. [Core-15(c)]

5. The Infrastructure Management Group (IMG) is responsible for removing from
the TSM network virus-infected servers until they are verified as virus-free.
Confirmation of the verification shall be sent to the Information Security
Group. [Core-15(c)]

6. The Information Security Group is responsible for creating procedures to
ensure that anti-virus and anti-spyware software is run at regular intervals,
to confirm that computers are verified as virus-free. [Core-15(b)]

7. Audit logs of the checks performed by the anti-virus software shall be
generated and maintained. Audit logs of the anti-virus and anti-spyware system
will be managed by the Information Security group. [Core-15(c)]

8. Employees, temporary personnel, contractors and service providers granted
access to the TSM network are prohibited from performing any activities with the
intention to create and/or distribute malicious programs into TSM's networks
(e.g., viruses, spyware, malware, worms, Trojan horses, e-mail bombs, etc.),
in accordance with the TSM Acceptable Use Policy. [Core-15(b)]

9. Machines with operating systems other than those based on Microsoft Operating
System are exempted from this policy. [Core-15(b)]

 



 

 






 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#3 Page 14 Effective Date: 09/01/2016 Review Date: 06/05/2016
Department: Information Security  Policy Name: Asset Management Policy

Drafted by:

René Rivera, 

IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to define requirements to ensure that IT assets
are clearly identified and that an inventory of all IT assets is maintained and
updated to ensure accountability and protection of the electronic information
stored in the asset. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the IT Asset
Management Policy to provide management with direction and support to ensure
that management requires ownership, defines responsibilities and maintains
accountability for the protection of the organization's computing assets.
[Core-15(b)]

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 



 

 






 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. IT Asset Lifecycle Program

 

TSM shall implement an IT Asset Lifecycle Program and monitor its effectiveness,
making changes as needed. TSM shall implement six (6) stages for the lifecycle
of an IT asset. Each stage must include the following activities:
[Core-15(b)]

 

a) Planning: Defining supporting processes, setting standards for configuration
and retention, aligning purchase plans to business goals, collecting aggregate
information on intended purchases, and negotiating volume discounts.

 

b) Procurement: Requisitioning, approving, ordering, receiving and validating
orders.

 

c) Deployment: Tagging assets, entering asset information in a repository,
configuring and installing assets including:

 

o Disabling unnecessary or insecure services or protocols

 

o Limiting servers to one primary function

 

o Defining system security parameters to prevent misuse

 

d) Management: Inventory / counting, monitoring usage, managing contracts for
maintenance and support, and monitoring configuration.

 

e) Support: Adding and changing configurations, repairing devices, and
relocating equipment and software.

 

f) Disposition: Removing assets from service, deleting storage contents,
disassembling components for reuse, disposing of equipment, terminating
contracts, and removing or eliminating assets from the active inventory.

 

The inventory of IT assets shall include capital and non-capital assets. Capital
assets are considered property, plant and equipment (assets that are usually
capitalized). For capital assets an inventory must be performed at least once a
year. [Core-15(b)]

 

Non-capital assets are those that, due to their lower cost, are usually
considered a supply expense (i.e. pen drives, etc.). [Core-15(b)]

 

2. Inventory of IT assets

 



 

 






 

The organization shall identify, tag and inventory all IT assets including
information (e.g. ePHI, PII) and document the importance of these assets. The IT
asset inventory shall include the information necessary to uniquely identify the
IT asset. [Core-15(b)]

 

The inventory of IT assets shall include the following information elements
(where applicable): [Core-15(b)]

 

o Equipment serial number.



o Equipment or machine name.



o Information system of which the component is a part.



o Type of information system component (i.e. server, desktop, laptop,
application, database, etc.).



o Operating System (OS) type and version.



o Service Pack (SP) level.



o Presence of virtual machines



o Application or database software version/license information (i.e. [***], MS
SQL Server).



o Physical location (i.e. building/room number).



o Logical location (i.e. IP address, position with the IS architecture).



o Media access control (MAC) address.



o Ownership by position and role.



o Operational status (i.e. Active/Inactive).



o Primary and secondary system administrators.



o Primary and secondary application administrators.



o Primary business application owner.



o Asset classification level based on data classification criteria (i.e.
CONFIDENTIAL).

 

3. Equipment assigned to employees, temporary employees or contractors

 

Records of property assigned to employees of the organization, temporary
employees or contractors (laptops, tablets, cell phones, external drives, and
similar peripherals) shall be maintained. [Core-15(b)]

 

The equipment record shall be used to ensure that all the assigned property is
returned to the organization upon the employee termination or transfer out of
the department or upon termination of the temporary employee contract or upon
termination of the contractor contract. [Core-15(b)]

 

The manager of the employee or of the contractor is responsible for ensuring
that during the employee exit process or the contractor termination process the
assigned equipment is returned and that the IT asset inventory is updated. In
case of laptops and notebooks the IT asset shall be returned to the Desktop
Management Group (DMG) for updating of the IT asset inventory. [Core-15(b)]

 

Laptops and any other equipment assigned to employees, temporary employees and
contractors must be reviewed and updated annually. [Core-15(b)]

 

4. IT Asset inventory

 

TSM shall employ automated mechanisms to scan the network at least on a weekly
basis to detect the presence of unauthorized components or devices (including
hardware, firmware and software) into the information system. TSM shall disable
network access by such components. [Core-15(b)]

 

5. Inventory of Wireless Access Points (WAP)

 

TSM shall maintain an inventory of Wireless Access Points (WAP). This inventory
shall also be updated on an annual basis or when WAP are removed or added.
[Core-15(b)]

 

6. Ownership of IT Assets

 

All IT assets must be assigned a System Owner who will be responsible for the
asset (protection, storage, transfer protocols, destruction). Although property
might be assigned to contractors or volunteers for business purposes, ownership
will remain in TSM to the officer assigned such ownership. [Core-15(b)]

 

7. Accepted use of IT Assets

 

Refer to Acceptable Use Policy for details.

 

8. Sensitive System Isolation

 

Sensitive systems shall have a dedicated and isolated computing environment.
[Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 




 

Policy No.: ISP#4 Page 18 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Backup & Retention

Drafted by:

René Rivera, 

IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish the organization backup and retention
policy in order to protect the confidentiality, integrity and availability of
critical data required to support TSM business operations.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries equipment (e.g. laptops,
desktops, servers etc.), data and systems, owned or operated by TSM where the
organization provides services to its customers, in order to safeguard the
information assets of TSM and to prevent the loss of data in the case of an
accidental deletion or corruption of data, system failure, or a disaster.

 

III. Policy:

 

This policy supports the organization's plan for storage, maintenance and
destruction of information [Core-13b].

 

Triple-S Management Corporation (TSM) has developed and adopted the Backup and
Retention Policy to provide management with direction and support for the
implementation of secured and protected backup processes in order to ensure the
availability of the critical business information in case of major disaster or
system interruption. The implementation of robust backup and retention
procedures also helps minimize potential loss or corruption of critical data,
reducing the organization's level of risk against unexpected interruptions and
events.

 

IV. Definitions:

 

1. Backup: The activity of storing data, files or databases in a secured
environment (equipment, cloud) in case of catastrophe or hardware failure.

 

2. Full Backup: A backup of a set of specified files, often the entire contents
of a disk, regardless of when they were last modified.

 

3. Incremental Backup: Incremental backups only back up the files that have been
modified since the last backup. If dump levels are used, incremental backups
only back up files changed since the last backup of a lower dump level.

 

4. Restore: The process of copying files from a backup location to a hard drive
or other acceptable media. A restore can be performed when backup data is needed
and as part of a testing process.

 



 

 




 

5. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used.

 

6. Retention: The period established to keep backup media. This period must be
in compliance with local and Federal regulations.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

4. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This procedure supports the organization's process for storage, maintenance and
destruction of information [Core-13b].

 

1. Scheduling and Retention:

 

a) TSM shall implement backup and retention schedules to ensure that application
and system data are safeguarded against destruction and loss.

 

b) TSM is committed to retain and preserve the application and system data for
the period of time required by federal and local laws and with the requirements
of the Record Retention policy.

 



 

 






 

c) Full and incremental backups shall be performed and verified on a daily,
weekly, and monthly basis for Mainframe, Unix, Windows and VMware-based systems.

 

d) A full backup shall be made at least once a month and will be retained for a
minimum of one year.

 

e) A full backup shall be made at least once a year and will be retained for a
minimum of ten years.

 

f) Full and incremental backups shall be performed for all business applications
and databases.

 

g) All backups shall be subject to verification on a daily, weekly, and monthly
basis, and backup error conditions should be monitored, logged and reported to
management for investigation and execution of the backup process.

 

h) An automatic backup verification process shall be performed to ensure backups
are completed successfully and without error.

 

i) Backups shall be monitored and problem management procedures shall be
followed if error conditions are generated that could impact the integrity and
completeness of the backup process.

 

j) Procedures for retention, and storage of backup media shall be designed,
implemented and documented. Backup tapes will be rotated on a daily, weekly, and
monthly basis to a secured off-site storage facility (International Safe
Deposit) and maintained according to a predefined retention schedule.

 

k) Tape media inventory shall be performed on a monthly and quarterly basis for
mainframe and distributed systems, respectively.

 

l) Controls must be in place to ensure backup tapes are not reused until the
retention period expires.

 

2. Onsite and Offsite Storage:

 

a) Depending on the criticality of the data, TSM shall ensure its preservation
by moving the data to the contracted offsite backup storage facility using a
data encryption mechanism.

 

b) Data considered critical for the business continuity must be moved to an
offsite storage at least once a week.

 



 

 






 

c) Network infrastructure backups, and system critical files must be moved to an
offsite storage at least once a month.

 

d) When the backup service is delivered by the third party, the service level
agreement shall include the detailed protections to control confidentiality,
integrity, and availability of the back-up information.

 

3. Storage Access and Security:

 

a) All backup media must be stored in a secure area that is accessible only to
authorized personnel.

 

b) Physical and environmental controls shall be in place to protect the backup
tapes.

 

4. Restorations:

 

a) All restorations require approval from the designated Data Owner and/or
Application Owner. The requestor must fill out a "Restore and Recovery Data"
form.

 

5. Verification:

 

a) The backup system shall be tested periodically by restoring a single random
file from a randomly selected piece of equipment, and manually inspecting it for
accurate recovery. The recovery tests will be stored in secured temporary areas
so that current "real" user copies of the files will not be overwritten.

 

b) Backup verification processes must be enabled to facilitate automatic backup
verification, and adequate exception notification must be configured.

 

c) Failed backups will be re-started twice automatically by the backup tools
implemented at TriServe.

 

6. Documentation:

 

a) The backup procedure must be documented. The procedure should describe how to
execute the backup process and the data restoration process. The procedure must
include a list of all the systems and files that are backed up as well as
frequency, retention and in-site / off-site backup details.

 

7. Responsibilities and other important considerations:

 

a) Information that is stored in the "My Documents" folder of the user (e.g.
Desktop) will not be backed up; it is the responsibility of the employee to
store all important and critical TSM information in the "My Documents" folder.

 

VII. Attachments:

 

ATTACHMENT A - Backup & Retention Procedure [Core-13b]

 



 

 






 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 




 

Policy No.: ISP#5 Page 23 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Change Management

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,

Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish the requirements of the change
management process required to control the request, approval and implementation
of changes to TSM systems, applications and IT infrastructure. The objective of
the policy is to help minimize the risk of impact to TSM IT services and
customers, as well as the risk of introducing significant vulnerabilities into
the TSM IT systems.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers and hosts its IT systems,
applications and IT infrastructure components.

 

III. Policy:

 

This policy supports the organization's data integrity process of electronic
information [Core-13(a)].

 

Triple-S Management Corporation (TSM) has adopted a Change Management Policy to
provide management with direction and support for the implementation of
processes and controls to effectively manage risks associated with changes to IT
systems and the organization's IT infrastructure. As a standard practice,
changes should be documented, approved, tested and validated. This policy is
designed to ensure the organization designs and implements procedures and
controls for management of the change management process. These processes and
controls are required to meet operational and compliance requirements as well as
reduce the level of risk for the organization by ensuring that changes are
subject to an approval process before being deployed to the production
environment.

 

IV. Definitions:

 

1. Change Management: A systematic approach to managing all changes made to a
product or system.

 

2. Fallback: Actions to revert implemented software changes that failed and
therefore require going back to the original state.

 

3. Outsourced software development: Software made by a third party contracted by
an organization with specific requirements.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

TSM reserves the right to audit networks, systems, or procedures on a periodic
basis to ensure compliance with this policy.

 

2. In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This procedure supports the organization data integrity process of electronic
information [Core-13(a)].

 

1. Changes to Information Technology (IT) assets and systems, such as operating
system, hardware, software, application, and network component shall follow the
organization change management process. This process shall ensure that changes
are documented, authorized, tested, approved and properly implemented.

 

2. For custom developed applications and the implementation of package
applications, TSM shall ensure that data input validation controls are tested to
ensure that the data is correct and appropriate.

 

3. The following activities shall be adopted within the change management
process:

 

a) Change Request Form (CR Form): Documentation of the change shall be completed
explaining the purpose, details and consequences of the proposed change. All
change requests shall be prioritized in terms of benefits, urgency, effort
required and potential impact on TSM operations. The CR Form shall include Risk
and Impact considerations about the proposed change.

 



 

 


 

b) Version Control: Change requests and/or updates shall be controlled with
version control numbers. Access to system files and program source code shall be
restricted to authorized personnel and only authorized personnel shall have
access to the version control system.

 

c) Testing: Changes to TSM systems and IT infrastructure (i.e. servers,
databases, applications, system access level and end-user access level) shall be
tested in an isolated, controlled environment (where feasible) prior to
implementation. The testing process shall verify that intended changes will meet
the stated objectives and not cause operational problems, service interruptions
or introduce security risks to the organization.

 

d) Approval: All changes shall be approved prior to implementation. Approval of
changes shall be based on the documented acceptance criteria (i.e. a change
request form is completed and approved by TSM personnel, an impact assessment
was performed and proposed changes were tested). All users, significantly
affected by a change, shall be notified. The user representative such as the
Application Owner shall sign-off on the change request form.

 

e) Implementation: Implementation shall only be undertaken after appropriate
testing and approval by the designated TSM stakeholders. Implementation of
changes to the production environment shall be performed only by authorized TSM
systems administrator or by the designated IT personnel such as Database
administrator or the Application Administrator. Production systems shall only
hold approved programs and required executable code. No development code or
compilers shall reside in production systems. Any decision to upgrade (software)
to a new release shall take into account the business requirements for the
change, and the security and privacy impacts of the release.

 

f) Fallback: Fallback procedures shall be defined and implemented. This includes
defining procedures and roles and responsibilities for aborting/cancelling and
recovering from unsuccessful changes and unforeseen events.

 

g) Post Implementation: All changes shall be monitored once they have been
implemented to check for unexpected behavior or incidents.

 

4. Emergency Changes shall follow documented procedures to ensure the proper
control and authorization.

 

5. Outsourced software development shall be reviewed to ensure that the
contracts include considerations for: code ownership, intellectual property
rights, escrow arrangements, right to audit, requirements for quality of code,
and technical support.

 



 

 


 

6. All internally developed software and all changes to internally developed
software that will be accessible via the internet must be subject to a code
verification process. The Quality Assurance Group, to reduce risks associated
with potential vulnerabilities at the application level, establishes a
subscription to use the Code Scanning service to facilitate and conduct this
verification process.

 

VII. Attachments:

 

ATTACHMENT B - Change Management process [Core-13(a)]

 

 

 

 


 

Policy No.: ISP#6 Page 27 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Clear Desk & Clear Screen

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish requirements for maintaining “Clear
Desk” & “Clear Screen” procedures where sensitive/confidential information about
our employees, our intellectual property, our customers and our vendors is
secure in locked areas and out of sight.

 

This Policy is not only about security, but it is also part of the TSM Privacy
Policies and it has the purpose to reduce the risk of security breaches in the
workplace.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)] and provides guidance to employees on how to shred and destroy
paper documents [CORE-13(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted a Clear Desk &
Clear Screen policy to ensure that sensitive/confidential information (on paper
or electronic media) is removed from the end user workspace and locked away when
the items are not in use or an employee leaves his/her workstation, and that a
clear screen is maintained for information assets. This Policy shall take into
account the information classification, legal and contractual requirements, and
the corresponding risks and cultural aspects of TSM.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. Sensitive/Confidential business information in paper or electronic storage
media shall be locked away in secure cabinets when not required, especially when
the office is vacated for a short or extended period of time.

 

2. File cabinets containing business sensitive/confidential information shall be
kept closed and locked when not in use or when not attended.

 

3. Keys used for access to confidential information shall not be left at an
unattended desk and they shall be kept in a secure place.

 

4. Computers and terminals shall be logged off or protected with a screen and
keyboard locking mechanism controlled by a password (e.g., “Ctrl+Alt+Del” in
Windows systems), token or similar user authentication mechanism that conceals
information previously visible on the display when unattended and shall be
protected by key locks, passwords, or other controls when not in use.

 



 

 






 

5. Unattended portable computing devices such as laptops and tablets shall be
either locked with a locking cable, locked away in a drawer or kept in a
restricted area that only authorized employees may access.

 

6. Employees shall treat mass storage devices such as CD-ROM, DVD or USB drives
as sensitive and secure them in a locked drawer when not in use.

 

7. Passwords shall not be written on sticky notes or posted on or under a
computer, nor shall they be left written down in accessible locations.

 

8. Incoming and outgoing mail points and unattended facsimile machines shall be
protected and unauthorized use of photocopiers shall be prevented.

 

9. All printers, copiers and facsimile machines shall be cleared of documents as
soon as they are printed to ensure that sensitive printouts are not left in
printer trays for the wrong person to pick up.

 

10. When transporting documents with Sensitive/Confidential information within
facilities and through inter-office mail, information shall not be visible
through envelope windows and envelopes shall be marked according to their
classification level (e.g., “Confidential”).

 

11. Sensitive/Confidential documents shall be placed in the official shredder
bins/recycling bins or placed in the locked secured disposal recycling bins
contracted by the organization for the secured destruction of the documents.
[CORE-13(b)]

 

12. Whiteboards containing sensitive/confidential information shall be erased.
[CORE-13(b)]

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#7 Page 30 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Data Classification

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

The purpose of the Data Classification Policy is to ensure that TSM IT assets
receive an appropriate level of protection based on the type of information
stored and managed. As such, the policy requires a data-centric and risk-based
focus for the design and implementation of safeguards for the protection of the
most sensitive data, including ePHI. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has defined and documented a Data
Classification Policy to provide management with direction and support for the
proper handling of information considering the sensitivity and risk of such
data. In order to ensure proper management, information must be first classified
according to its level of risk and sensitivity considering local and federal
regulations. The higher the sensitivity and risk, the higher the classification
to be assigned and therefore more controls will be needed to ensure only
authorized personnel can access such information. [Core-15(b)]

 

Users shall be made aware of their responsibilities for proper handling of
information received, created, processed, stored, distributed and destroyed by
TSM according to its sensitivity and assigned data classification level.
[Core-15(b)]

 

IV. Definitions:

 

1. Information Owner: Responsible for determining who has access to the
information he/she owns. Usually senior management or department head.

 

2. Information Custodian: Responsible for assigning the access to the
information according to the instructions of the information owner.

 



 

 




 

3. Information User: Responsible for the application of this policy in his/her
daily activities in TSM and its subsidiaries.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.



 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. Classification Levels

 

Four levels of data classification have been defined: [Core-15(b)]

 

Level: PUBLIC

Description: Information officially released by TSM for widespread public
disclosure.

Examples: Press releases, public marketing materials, employment advertising,
annual reports, product brochures, the public web site, etc.

Level: INTERNAL

Description: All forms of proprietary information originated or owned by TSM, or
entrusted to it by others that is not considered sensitive or confidential.

Examples: General organization charts (with no names, only positions), policies,
procedures, phone directories (excluding client contact information), some types
of training materials.

Level: CONFIDENTIAL

Description: Information for which the unauthorized disclosure or compromise
would likely have an adverse impact on the company's competitive or financial
position, or compromise regulatory compliance of local and Federal laws for
protecting personal information.

Examples: Trade secrets & marketing, PHI or EPHI, operational, financial,
employee user ID’s, passwords, PINs, or other personal identification devices,
source code, and technical information integral to the success of our company.

Level: HIGHLY RESTRICTIVE

Description: Includes information that is so sensitive that disclosure or usage
would have a definite impact on the TSM’s business and future. Significant
restrictions and controls need to be applied.

Examples: Merger and acquisition information, reorganization documents, security
protocol information, legal actions, strategic or tactical information of the
organization and its subsidiaries, etc.

 

a) All information generated by or for TSM, no matter the format: written,
verbal, or electronic, is to be treated according to its classification level.
[Core-15(b)]

 

b) If the information is not labeled, personnel must assume it’s confidential.
[Core-15(b)]

 

c) Information that is labeled as public or internal use, but is in draft form
or has not been formally approved, should also be considered confidential.
[Core-15(b)]

 

d) All employees should familiarize themselves with the information labeling and
handling guidelines included in the procedures document. [Core-15(b)]

 

e) It should be noted that the sensitivity level classifications were created as
guidelines and to emphasize appropriate measures that users have to take to
protect TSM and third Party Confidential information. [Core-15(b)]

 



 

 






 

f) Nothing in this policy is, however, intended to prevent employees from
engaging in concerted activity protected by law. [Core-15(b)]

 

2. Information Owner

 

The Information Owner, also known as the Application Owner, is the leader of a
business area or service who is directly responsible for the proper use of the
area’s information under his/her management. Such use must be based on the
objectives of TSM business. The information owner is responsible for
classifying the information, deciding who must have access to it and validating
that the security is commensurate with its assigned classification and that
controls are implemented consistently with such classification. The owner must
also periodically review the classification, ensure it is kept up to date and
ensure the classification is correct. [Core-15(b)]

 

Documentation that a physical inventory has been taken, for all locations, shall
be retained in the organization’s central accounting office. [Core-15(b)]

 

3. Information Custodian

 

The Information Custodian, also known as the Data Custodian, is responsible for
ensuring that access to TSM information is consistent with the information
owner’s requirements, updating such access as personnel change responsibilities
or are transferred to another unit (and therefore another information owner),
and eliminating access if personnel are terminated.
[Core-15(b)]

 

4. Considerations

 

The data classification process must consider: [Core-15(b)]

 

a) Business needs for sharing or restricting information.

 

b) The business impacts associated with such needs.

 

c) The aggregation effect in the classification process (consider groups of
similar information assets and how their individual classification may impact
the group or conglomerate of such assets: i.e. if similar information assets
have been assigned different classifications, re-consider the classification of
each one).

 

5. Information asset life cycle

 

Information assets should be protected in all phases of their life cycle:
receipt/creation, processing, storage, transmittal and destruction. The
protection must be according to the classification assigned. Details of how to
protect the information asset will be presented in a procedure document.
[Core-15(b)]

 

6. Third Party Confidential Information

 



 

 






 

A subset of TSM Confidential information is "TSM Third Party Confidential"
information. This is information that belongs to another corporation which has
been entrusted to TSM by that company under non-disclosure agreements (NDA’s)
and other contracts as part of the business agreement between both parties.
Examples of this type of information include everything from joint business
activities to vendor lists, customer orders, and supplier information.
Information in this category ranges from extremely sensitive to information
about the fact that we’ve connected a supplier / vendor into TSM network to
support our operations. [Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#8 Page 35 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Data Integrity and Interoperability

Drafted by:

René Rivera, 

IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

This policy provides direction for management of the information as a valuable
and strategic resource through establishment of the required processes and
controls to ensure the accuracy and integrity of the information managed by the
organization.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy supports the organization's data integrity process for electronic
information [Core-13(a)].

 

Information has most value when it is complete, accurate, relevant, accessible
and timely (CARAT). This policy describes the commitment of Triple-S Management
for designing, implementing, and maintaining procedures and controls for proper
management of its information. This includes ensuring the accuracy and
interoperability of the information managed by the core systems of the
organization.

 

IV. Definitions:

 

1. Data: numbers, words or images that have yet to be organized or analyzed to
answer a specific question. It is often interchangeable with the word
‘information’.

 

2. Data Quality: ensuring data is ‘fit for purpose’ and ‘right first time’,
which includes the relevance, correctness, completeness and timeliness of all
data held in all Trust systems.

 

3. Document: smallest complete unit of recorded material which is accumulated to
form a file.

 

4. Information: Produced through processing, manipulating and organizing data to
answer questions, adding to the knowledge of the receiver. It is often
interchangeable with the word data.

 

5. Information Management: a collection and management of information from one
or more sources and the distribution of that information to one or more
audiences. Management means the organization of and control over the planning,
structure and organization, controlling, processing evaluating and reporting of
information activities in order to meet the Trust’s objectives and to enable
corporate functions in the delivery of information.

 



 

 




 

6. Software Life Cycle Development: The systems development life cycle (SDLC),
also referred to as the application development life-cycle, is a term used in
systems engineering, information systems and software engineering to describe a
process for planning, creating, testing, and deploying an information system.

 

7. Change Management Process: Change Management (CM) refers to any approach to
transitioning individuals, teams, and organizations using methods intended to
re-direct the use of resources, business process, budget allocations, or other
modes of operation that significantly reshape a company or organization.

 

8. Referential Integrity: Referential integrity is a relational database
concept, which states that table relationships must always be consistent. In
other words, any foreign key field must agree with the primary key that is
referenced by the foreign key.

 

9. Data Purging: Data purging is a term that is commonly used to describe
methods that permanently erase and remove data from a storage space. There are
many different strategies and techniques for data purging, which is often
contrasted with data deletion. Deletion is often seen as a temporary preference,
whereas purging removes the data permanently and opens up memory or storage
space for other uses.

 

10. Sensitive Information: Sensitive information is defined as information that
is protected against unwarranted disclosure.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 



 

 






 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

This procedure supports the organization data integrity process of electronic
information [Core-13(a)].

 

1. Data Accuracy and Trace-Ability:

 

a) The organization will follow the System Development Life Cycle (SDLC) process
for all internal system development activities. The SDLC provides a structured
methodology for the design, development, testing and implementation of new
systems and reduces the risk associated with errors that could be generated by
the introduction of new programs.

 

b) To promote data accuracy, the organization promotes the adoption of
relational database structures for its core systems (e.g. [***]). In a
relational database framework, referential integrity between tables will be
enforced by the definition of primary and secondary keys. Maintaining
referential integrity ensures the consistency of the data stored by avoiding
duplicate records and records with invalid information.

 

c) To promote data accuracy new systems must be subject to user testing and
certification steps. Test results must be documented and retained as part of the
project documentation.

 

d) To promote data accuracy, systems and applications must be designed to
validate data fields registered by end users. For online systems, data entry
errors must be notified to the user by generating an error message.

 

e) To promote data accuracy files received will be subject to a data validation
process prior to processing. Records with errors will be reported and will
require investigation and be subject to a clearance process in order to continue
processing.

 

f) To promote data accuracy reconciliation reports will be developed and
provided to the business owners for tracking and monitoring as part of their
daily work activities.

 

g) To promote data accuracy users will be trained on the proper use and
management of new applications.

 

h) To promote data accuracy administration access to production data will be
restricted to authorized personnel (e.g. Database Administrator).

 

i) To promote data integrity, user access will be granted based on the employee
job function. User access will require the approval of the business unit
manager.

 



 

 




 

j) To verify data accuracy database consistency checks must be run at least
annually.

 

k) To promote trace-ability, applications will maintain an audit trail of the
most recent changes performed by the users.

 

l) To promote data accuracy and trace-ability, changes to applications and
systems must follow the organization's change control and release management
procedures. By following these procedures the organization will ensure the
consistency, continuity and integrity of the data through software, application
and system upgrades.

 

 

 






 

m) To promote data accuracy and confidentiality, two-factor authentication will
be enforced for authorized telecommute users (e.g. Working from home users).

 

n) To verify data accuracy end users will participate in the annual Disaster
Recovery test to confirm the successful restoration of the system and the system
data. Results will be documented and retained.

 

2. Interoperability:

 

a) System and data Interoperability will be promoted by the adoption of open
based technology standards and protocols and adherence to each information
system interface.

 

3. Quality:

 

a) Data quality will be ensured by the manager in the business area having
responsibility over the data, with support from the information technology
specialists.

 

4. Telecommuters, Remote Users, Delegated Entities and Vendors changes:

 

a) Authorized telecommuters, remote users, delegated entities and vendors
authorized to work on and support the systems and business applications used by
the organization will be subject to the system development and change management
controls established. Following these processes and controls for production
systems and environments, as defined in the Change Management Policy, helps
reduce the risk of data corruption and system or application errors.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#9 Page 40 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Encryption and Cryptographic Algorithms

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

TSM has established a formal policy concerning cryptographic and key-management
methods that limits the use of encryption to those algorithms that comply with
industry-accepted standards and have been proven to work securely and
effectively. Additionally, this policy provides direction to ensure that
required Federal Regulations and sound industry practices are followed, and
legal authority is granted for the dissemination and use of encryption
technologies outside Puerto Rico and the United States.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Encryption
Policy to provide management with direction and support to protect the
confidentiality, authenticity and integrity of the information by cryptographic
means.

 

IV. Definitions:

 

1. Proprietary Encryption: An algorithm that has not been made public and/or has
not withstood public scrutiny. The developer of the algorithm could be a vendor,
an individual, or the government.

 

2. Symmetric Cryptosystem: A method of encryption in which the same key is used
for both encryption and decryption of the data.

 

3. Asymmetric Cryptosystem: A method of encryption in which two different keys
are used: one for encrypting and one for decrypting the data (e.g., public-key
encryption).

 



 

 




 

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

TSM shall ensure that the Encryption and Cryptographic Algorithms Policy adheres
to the following conditions for purposes of complying with sound industry
practices and regulatory requirements. These practices help the organization
prevent confidentiality and security breaches [Core-15(b)]:

 

1. Whenever encryption is used, workers must not delete the sole readable
version of the information unless they have demonstrated that the decryption
process is able to reestablish a readable version of the information.

 

2. It shall not be allowed:

 

o The use of proprietary encryption algorithms for any purpose.

 

o The use of any deprecated cryptographic algorithms as reported in the NIST
Special Publication 800-131A Revision 1

 

o The use of insecure in-transit protocols such as SSL versions 1, 2, 3 or TLS
v1.0.

 



 

 






 

o The use of weak key lengths and weak Random Number Generators, in accordance
with the NIST Special Publication 800-131A Revision 1

 

3. Types of Encryption Algorithms:

 

Proven, standard algorithms such as AES256 and Three-Key Triple DES should be
used as the basis for protecting the confidentiality of the corporate
information. These algorithms represent the actual cipher used for an approved
application. Symmetric cryptosystem key lengths must be at least 128 bits.
Asymmetric crypto-system keys must be of a length that yields equivalent
strength.

 

Cipher Suites must be used in order of their encryption algorithm key strength
and length (e.g.):

 

o AES256



o AES192



o AES128



o Three-Key 3DES





 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions must be
documented and approved by the Information & Cyber Security Director.

 

4. Types of HASH Algorithms:

 

Proven, standard algorithms such as SHA-224, SHA-256, SHA-384 and SHA-512 should
be used as the basis for protecting the corporate information. These algorithms
represent the actual hash used for an approved application. MD5 and SHA-1 are
deprecated and MUST NOT be used to protect the corporate information in
accordance with the NIST Special Publication 800-131A Revision 1. Acceptable hash
functions are:

 

o SHA-224



o SHA-256



o SHA-384



o SHA-512

 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions MUST be
documented and approved by the Information & Cyber Security Director.

 

5. Types of Digital Signatures:

 

Digital signatures are used to provide assurance of origin authentication and
data integrity. The generation of a digital signature on data requires the use
of 1) a cryptographic hash algorithm that operates on the data to be signed,
and 2) a cryptographic key and a signing algorithm to generate a signature on
the output of the hash function (and, by extension, the data that is intended
to be signed). Proven, standard algorithms such as DSA, ECDSA and RSA should be
used as the basis for protecting the corporate information in accordance with
the NIST Special Publication 800-131A Revision 1. For digital signature
generation, key lengths providing at least 112 bits of security are acceptable.
For digital signature verification, key lengths providing at least 112 bits of
security using approved digital signature algorithms are acceptable.

 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions MUST be
documented and approved by the Information & Cyber Security Director.

 

6. Protocols for Protecting Data while IN-Transit:

 

TSM shall ensure that all confidential data (including encryption keys) is
protected while in transit. Proven, standard protocols such as IPsec and TLS
should be used as the basis for protecting the corporate information while
in-transit. The use of SSL in all its versions 1-3 and TLS v1.0 is prohibited.
TLS v1.2 and above is allowed in accordance with NIST Special Publication 800-52
Revision 1. IPsec MUST BE used ONLY with approved cryptographic algorithms.
Additionally, proven, standard security protocols such as Secured FTP (SFTP) and
Secured Shell (SSHv2) MAY be used as the basis for protecting the corporate
sensitive data during transmission over open, public networks.

 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions MUST be
documented and approved by the Information & Cyber Security Director.
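
The cipher, hash, signature and protocol rules in items 2 through 6 can be checked mechanically against an endpoint inventory. The Python below is an added example, not part of this policy or the agreement: the host names and inventory rows are constructed, the RSA/DSA/ECDSA minimum sizes come from the NIST SP 800-57 comparable-strength table rather than from this policy, and treating the cipher list as an allowlist, reporting TLS v1.1 as "not explicitly allowed", and applying the SHA-1 prohibition to a suite's MAC hash are assumptions.

```python
import re

# Rules transcribed from ISP#9, Procedure items 2 to 6.
PROHIBITED_PROTOCOLS = {"SSLv1", "SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # "TLS v1.2 and above"
ACCEPTABLE_HASHES = {"SHA224", "SHA256", "SHA384", "SHA512"}
DEPRECATED_HASHES = {"MD5", "SHA1"}
# Preference order from item 3, strongest first. Assumption: the list is
# treated as an allowlist, so any other cipher is reported for review.
CIPHER_ORDER = ["AES256", "AES192", "AES128", "3DES-3KEY"]
# Assumption: key sizes giving about 112 bits of security, from the NIST
# SP 800-57 Part 1 comparable-strength table (the policy says only "112 bits").
MIN_SIG_BITS = {"RSA": 2048, "DSA": 2048, "ECDSA": 224}


def parse_suite(name):
    """Return (cipher, hash) from an OpenSSL or IANA style suite name.

    Either element is None when it is not an algorithm the policy names.
    """
    tokens = name.upper().replace("_", "-").split("-")
    cipher = None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if re.fullmatch(r"AES(128|192|256)", tok):
            cipher = tok
        elif tok == "AES" and nxt in ("128", "192", "256"):
            cipher = "AES" + nxt
        elif tok in ("CBC3", "3DES"):
            cipher = "3DES-3KEY"  # DES-CBC3 / 3DES_EDE suites are three-key
    last = tokens[-1]
    if last == "SHA":
        digest = "SHA1"  # a bare "SHA" suffix means SHA-1
    elif last in ACCEPTABLE_HASHES or last in DEPRECATED_HASHES:
        digest = last
    else:
        digest = None
    return cipher, digest


def check_endpoint(protocol, suite, sig_alg, sig_key_bits):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    if protocol in PROHIBITED_PROTOCOLS:
        findings.append(f"protocol {protocol} is prohibited")
    elif protocol not in ALLOWED_PROTOCOLS:
        findings.append(f"protocol {protocol} is not explicitly allowed")
    cipher, digest = parse_suite(suite)
    if cipher is None:
        findings.append("cipher is not on the policy list")
    if digest in DEPRECATED_HASHES:
        findings.append(f"hash {digest} is deprecated")
    elif digest is None:
        findings.append("hash is not on the policy list")
    minimum = MIN_SIG_BITS.get(sig_alg.upper())
    if minimum is None:
        findings.append(f"signature algorithm {sig_alg} is not on the policy list")
    elif sig_key_bits < minimum:
        findings.append(f"{sig_alg} key of {sig_key_bits} bits is below {minimum}")
    return findings


def order_by_policy(suites):
    """Keep suites whose cipher and hash pass, strongest cipher first."""
    ranked = []
    for suite in suites:
        cipher, digest = parse_suite(suite)
        if cipher in CIPHER_ORDER and digest in ACCEPTABLE_HASHES:
            ranked.append((CIPHER_ORDER.index(cipher), suite))
    # sorted() is stable, so suites of equal strength keep their input order.
    return [suite for _, suite in sorted(ranked, key=lambda pair: pair[0])]


# Constructed inventory: (host, protocol, suite, certificate key type, key bits).
# Protocol strings follow what Python's SSLSocket.version() reports.
SAMPLE_ENDPOINTS = [
    ("portal.example", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "RSA", 2048),
    ("legacy.example", "TLSv1", "DES-CBC3-SHA", "RSA", 1024),
    ("sftp-gw.example", "TLSv1.3", "TLS_AES_128_GCM_SHA256", "ECDSA", 256),
    ("old-api.example", "SSLv3", "RC4-MD5", "RSA", 2048),
]


def audit(endpoints):
    """Map each host to its list of findings."""
    return {host: check_endpoint(p, s, a, b) for host, p, s, a, b in endpoints}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_ENDPOINTS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

Read literally, the SHA-1 rule rejects `DES-CBC3-SHA` on its hash even though Three-Key 3DES is on the cipher list, which is why `order_by_policy` drops it.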

 

7. Key Management Procedures:

 

TSM shall ensure that all key-management procedures for cryptographic keys are
documented and implemented, and that they address the following considerations:

 

o Generate strong keys



o Securely distribute keys



o Securely store keys



o Conduct cryptographic key changes for keys that have expired



o Replacement of known or suspected compromised keys



o Prevent unauthorized substitution of keys



o Prevent the use of keys that were retired or replaced

 

Key agreement schemes with keys of 2048 bits or larger are acceptable in
accordance with NIST SP 800-56B. Key transport schemes with keys of 2048 bits or
larger are acceptable in accordance with NIST SP 800-56B.

 



 

 


 

8. Key Access and Security:

 

Encryption keys used for TSM information are always classified as confidential
information. Access to such keys must be limited to authorized personnel and
based upon job responsibilities.

 

TSM will require approval from the Information & Cyber Security Director or
authorized representative prior to revealing encryption keys to consultants,
contractors, or other third parties.

 

Certificates must be signed in accordance with the above-mentioned digital
signature requirements of this policy.

 

9.    Portable Devices:

 

TSM shall ensure that all approved portable devices, such as laptops and general
mobile devices, are encrypted through TSM approved tools including but not
limited to:

 

o Symantec End Point Protection system

 

o Airwatch for mobile devices

 

o PGP and Pkzip for end user file encryption capabilities

 

o FTP secured for file transmission

 

o HTTPS for encrypted web sessions, using TLSv1.2

 

Provided that the applications meet the above-mentioned requirements specified
in this policy.

 

10. Review:

 

TSM’s key length requirements shall be reviewed annually and upgraded as
technology allows.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#10 Page 45 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
General Information Security

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to define requirements for maintaining the
Information Security Policies and the organization's Information Security
Management Program, and to establish the direction of TSM by aligning the
documentation with sound information security practices, laws, and regulatory
requirements. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM, its subsidiaries, employees, temporary workers,
contractors, business partners and third party vendors contracted by TSM to
provide services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted a General
Information Security Policy to provide management clear direction in line with
business objectives and relevant laws and regulations. The policy also
demonstrates the support and commitment of the organization, its Senior
Management and the Board of Directors to maintaining a robust Information
Security Management Program (ISMP) in compliance with regulatory requirements
across TSM, subsidiaries and its direct and indirect affiliates. [Core-15(b)]

 

Information security policies are an organizational tool that helps the
organization's members be aware of the importance of protecting the
organization's information assets from threats such as cyber-attacks, internal
theft and malicious programs, among others, as these could result in the
unauthorized disclosure of sensitive or protected information and significant
regulatory fines. [Core-15(b)]

 

Therefore, this policy focuses on defining general information security
requirements, based on industry standards and information security practices.
Adoption of these information security requirements allows TSM to mitigate or
reduce risks associated with threats that could expose critical information
assets of the organization. [Core-15(b)]

 

IV. Definitions:

 

1. Information Security: The practice of protecting data or information from
unauthorized access for viewing, modification, recording or destruction.

 

V. Responsibilities:

 

1. All TSM and its subsidiaries' employees, temporary workers, contractors,
business partners and third party vendors, without exception, must comply with
the information security policies.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 



 

 




 

3. In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

4. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

5. Non-Compliance

 

Any employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. Information Security Management Program

 

An Information Security Management Program (ISMP) shall be formally established,
implemented, operated and maintained. [Core-15(b)]

 

The ISMP shall be reviewed and updated at least annually considering the needs
of the organization and changes on existing business requirements, technologies,
threats and risks facing the organization. [Core-15(b)]

 

TSM Senior Management support for the ISMP shall be demonstrated through signed
acceptance or approval by management of the program. [Core-15(b)]

 

The ISMP shall include the relevant security domains for proper management of
the program as required by HITRUST. [Core-15(b)]

 

Personnel assigned with formal responsibilities in the ISMP must be competent in
information security tasks. [Core-15(b)]

 

2. Information Security Policy

 

The Information Security Policy shall be approved by Senior Management (e.g.
CEO, CFO, COO), published and communicated to all employees and required
external service providers. The Information Security Policy shall be supported
by a strategic plan and an ISMP with well-defined roles and responsibilities for
leadership and officer roles. The policy shall consider: [Core-15(b)]

 

o Definition of information security;



o Overall objectives and scope and the importance of security;



o Statement of management intent, supporting the goals and principles of
information security in line with the business strategy and objectives;

 



 

 


 

o A framework for setting control objectives including risk management;



o The need and goals for information security;



o Compliance scope;



o Applicable laws and regulatory requirements;



o Arrangement for notification of security incidents and breaches;



o Definition of roles and responsibilities for information security management.

 

The Information Security Policy, the ISMP and related documents shall have a
designated owner with approved management responsibility, for accountability
purposes. [Core-15(b)]

 

The Information Security Policies shall be reviewed and updated at least
annually to ensure its continuing adequacy and effectiveness. [Core-15(b)]

 

3. Organization of Information Security

 

The Board of Directors and TSM Senior Management shall demonstrate commitment
and clear direction to support the Information Security Policy and the
organization's ISMP. [Core-15(b)]

 

An Information & Cyber Security Director must be appointed to ensure that the
required components of the Information Security Policy and the ISMP are
effectively implemented, maintained and are communicated to all stakeholders.
[Core-15(b)]

 

Information security activities shall be coordinated with a designated person in
the division. As such the Business Unit Manager has the responsibility to
designate a role for an Information Security Coordinator (ISC) to facilitate the
communication and coordination process in the implementation and maintenance of
the organization ISMP. [Core-15(b)]

 

TSM shall ensure to keep continuous contact with relevant regulatory
requirements to ensure that information security practices are in alignment with
current requirements. Additionally, contact with special interest groups,
security forums and professional associations shall be maintained. [Core-15(b)]

 

Independent reviews of the ISMP, such as independent assessments and audits,
shall be periodically planned and conducted to ensure continuing adequacy and
effectiveness of the security policies and procedures. [Core-15(b)]

 

VII. Attachments:

 

N/A

 



 

 






 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#11 Page 49 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Information Exchange

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to ensure the exchange of information within TSM
and with external business partners, business associates and covered entities is
secured and protected, and carried out in compliance with relevant laws,
regulations and exchange agreements.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries' employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy supports the organization's plan for interoperability [CORE-13(c)].
The policy also addresses electronic communication and records that are
transmitted or stored by the organization [CORE-16(d)].

 

Triple-S Management Corporation (TSM) has adopted and implemented safeguards and
countermeasures to secure confidential and sensitive information exchanges. These
safeguards and controls are required to protect the confidentiality and
integrity of the information that is processed, stored, and transmitted by TSM
networks and systems.

 

IV. Definitions:

 

1. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used. Also, Virtual Private Network (VPN) is a method
employing encryption to provide secure access to a remote computer over the
Internet.

 

2. Information Exchange: The act of people, companies, and organizations passing
information from one to another, especially electronically, or a system that
allows them to do this.

 

3. Sensitive Information: Defined as information that is protected against
unwarranted disclosure.

 

4. Wiretapping: The practice of connecting a listening device to a telephone
line to secretly monitor a conversation.

 

5. Eavesdropping: Secretly listening to the private conversation of others
without their consent.

 



 

 




 

6. Cache: A computer memory with very short access time used for storage of
frequently or recently used instructions or data.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This procedure supports the organization's plan for interoperability [CORE-13(c)].
The procedure also addresses electronic communication and records that are
transmitted or stored by the organization [CORE-16(d)]. Attachment A includes
the list of systems within the scope of the URAC accreditation that provide
support for the internal and external interoperability standards. Attachment B
includes a High Level Architecture diagram for the [***] core system which
provides support for internal and external interoperability requirements.

 

The diagram below is a high level representation of TSS core [***] application
architecture. The architecture is based on open system standards and the use of
SQL databases and web based systems.

 

TSM shall ensure that the exchange of information within TSM networks and
systems and with authorized external business partners, business associates and
covered entities is secured and protected.

 



 

 






 

Procedures shall be defined and documented to ensure that communication
protection requirements, including the security of exchanges of information
include the following considerations as well as confidentiality and privacy
requirements:

 

1.    B2B Information Exchange Requirements:

 

a) Information exchanges including the transmission of sensitive and
confidential information including ePHI must be controlled and managed by the
Data Center Operation B2B group.

 

b) The Data Center Operation B2B group shall document, establish and maintain
formal data exchange policies, procedures, and controls to protect the exchange
of ePHI and company confidential information through the use of
corporate-approved communication methods managed by the B2B group.

 

c) ePHI information shall only be transmitted to business associates and covered
entities who have a demonstrated need to receive the information and which have
a Business Associate Agreement (BAA) duly signed and approved by the Legal
Division.

 

d) All ePHI transmissions must be performed via approved encrypted
telecommunication channels.

 

e) All ePHI files to be transmitted must be fully encrypted prior to
transmission over the secured telecommunication channel.

 

2. Electronic Communication:

 

a) When using electronic communication applications or systems for information
exchanges of sensitive and ePHI information, the following procedures and
guidelines shall be defined:

 

o Acceptable use of electronic communication applications or systems.

 

o Anti-malware for the detection of and protection against malicious code that
may be transmitted through the use of electronic communications.

 

o Secure wireless communications including an appropriate level of encryption.

 

o Cryptographic techniques shall be implemented to protect the confidentiality,
integrity and authenticity of TSM sensitive information (e.g., ePHI).

 

o Retention and disposal guidelines shall be defined and followed.

 

3. Personnel Awareness:

 

TSM personnel shall be appropriately educated and periodically reminded of the
precautions that TSM employees need to consider when sharing TSM sensitive and
ePHI with authorized third parties.

 

4. Exchange Agreements:

 



 

 






 

Exchange agreements shall be defined and implemented for the exchange of
information between TSM and external parties. The agreements shall specify
security controls on responsibility, procedures and technical solutions.

 

5.    Encryption:

 

TSM shall define and implement standard encryption algorithms for transmission
of private or confidential information over public networks protected by
industry standard protocols. Refer to the Encryption Policy.

 

6. Physical Media in Transit:

 

Media containing sensitive, confidential and ePHI information shall be protected
against unauthorized access, misuse or corruption during transportation beyond
TSM physical boundaries. The following requirements shall be implemented for
protection of physical storage media to be transported (i.e. backup tapes):

 

o Transportation shall be conducted by authorized couriers who have valid and
current contracts with TSM.

 

o Contracted transport or courier company must be able to track the status of
the backup media being transported.

 

o Procedures to check the identification of couriers shall be followed.

 

o Packaging shall be sufficient to protect the content from physical damage.

 

o Transportation of the media shall be conducted using locked containers.

 

o Delivery of the media shall be conducted by hand and confirmation of receipt
shall be maintained.

 

o Tamper-evident packaging (which reveals any attempt to gain access) shall be
used.

 

o Use of approved encryption methods for data being physically transported in
the storage media is required.

 

o Procedures for proper inventory and accountability of backup tapes shall be
defined, implemented and followed.

 

o Procedure for maintaining proper inventory of backup media shall be defined
and followed.

 

7. Interconnected Business Information Systems:

 

a) TSM shall define and implement procedures and guidelines to protect
information associated with the interconnection of business information systems
between TSM and third parties’ networks.

 

b) Security controls such as a firewall and network segmentation shall be in
place to manage the exchange of information with third parties when using public
networks. The firewall shall restrict connections between untrusted networks and
systems storing, processing or transmitting sensitive (e.g., ePHI) information.

 



 

 






 

c) Third parties that do not meet TSM Information Security Policies shall not
be trusted and interconnected until TSM receives the assurance that the third
party meets the security controls.

 

VII. Attachments:

 

ATTACHMENT C- Internal and External Interoperability [CORE-13(c)]

 

ATTACHMENT D- High Level Architecture for Internal and External Interoperability
[CORE-13(c)]

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#12
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: IT Compliance Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements to ensure that the design,
operation, use, and management of information systems comply with industry
laws, regulations and contractual obligations, including security requirements.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the IT
Compliance Policy to provide management with direction and support for the
implementation of appropriate security measures for the identification of
applicable local and federal legislation, intellectual property rights of TSM
over its products and services, protection of organizational records, and other
subjects related to legal and regulatory compliance that are expected of
organizations in the insurance and healthcare industry. [Core-13(b) &
Core-15(c)]

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 



 

 




 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This section is composed of subsections that detail the policies required for
TSM to ensure effective compliance efforts.

 

1. Identification of Applicable Legislation:

 

TSM must ensure that applicable local (i.e. Puerto Rico Insurance Commissioner
Officer) and Federal (i.e. HHS, OCR, HIPAA, HITECH) Information Security
regulatory requirements are addressed, implemented and maintained.

 

TSM must be a member of recognized industry trade associations, including
thought leadership and similar organizations (i.e. Asociación de Compañías de
Seguros de Puerto Rico – ACODESE), in order to stay abreast of the industry’s
legal, regulatory, and technology environmental trends (and threats) that could
have an impact on TSM operations, including but not limited to TSM information
security policies and procedures, which might need to be updated accordingly to
consider those new trends and threats.

 

2. Intellectual Property Rights:

 

Detailed procedures must be prepared for compliance with intellectual property
rights and for the use of proprietary software products. The procedures to be
developed must include the following elements:

 

a) Acquisition of software only through known and reputable sources to avoid
copyright violations.

 

b) Keep in a safe place all formal and documented evidence of license ownership,
master disks, owner’s manuals, and any other documented evidence.

 



 

 






 

c) Implementing controls to avoid exceeding the number of authorized users
allowed by the purchased license.

 

d) Establish controls to avoid copying software and any other illegal approach
to increase users.

 

e) Implementing a license tracking mechanism (manual or automated) to ensure
proper control of the software.

 

f) At least on a yearly basis, perform an audit of employees’ computers to
identify any unauthorized software installation.

 

g) The information regarding software purchase must be kept in an asset registry
or inventory (refer to Asset Management policy for details).

 

3. Protection of Electronic Records: [Core-13(b)]

 

TSM is responsible to ensure that sensitive data like member or patient medical
electronic records, legal contracts or agreements, financial information,
employee records and other sensitive information is protected from loss,
accidental destruction (i.e. fire, earthquake, flood, etc.) and from
unauthorized access.

 

TSM will issue guidelines that will include ownership, classification,
retention, storage, handling and disposal of electronic records and information.
A member of the business shall be designated as the Data Owner and will be
responsible for assigning the corresponding data classification level (i.e.
confidential). The ISG will ensure that security controls are applied based on
the assigned data classification level (i.e. encryption).

 

4. Retention of Electronic Records: [Core-13(b)]

 

As part of the protection efforts, electronic and physical information must be
retained for the minimum period established by regulation.

 

No. | Documentation | Retention Period
1 | TSM must comply with local and Federal document retention regulations for both physical and electronic information: formal policies and procedures, risk assessment evaluation results and disclosures of protected health information. | 6 years
2 | For notice requirements, TSM (as a covered entity as defined by HIPAA) must comply with the minimum requirement period. This requirement includes any written acknowledgements of receipt of such notice or documentation of good faith to obtain such written acknowledgement. | 6 years
3 | For electronic Protected Health Information (ePHI), TSM must retain records of disclosures needed to perform treatment, payment and health care operations. | 3 years
4 | TSM must document restrictions in disclosure and formally keep such files or an electronic copy. | 6 years
5 | Accounting of disclosures, including the information required for disclosure, the information provided to the individual, and the positions and titles of the person (including unit) that received and processed the request for accounting of such request. | 6 years
6 | Minimum period of retention of PHI for deceased plan members. | 50 years
7 | Federal Tax Information (FTI) | 5 years
8 | Audit information | 7 years

 

5. Electronic Record Retention Program: [Core-13(b)]

 

TSM must develop and update a formal electronic record retention program that
includes:

 

o Secure disposal of information (physical and electronic) when it is no longer
needed and no longer required under documented retention requirements.

TSM must develop procedures for secured storage, access, retention and disposal
that shall include the following controls at a minimum:

o Retention schedule to identify record types and the time period for which
each type must be retained.

 

o Inventory of sources of key information.

 

o To facilitate decryption, all encryption key material (including digital
signatures), programs and documentation should be stored securely.

 

6. Data Protection and Privacy of Covered Information:

 



 

 




 

a) A data protection and privacy policy (refer to Data Classification Policy)
must be developed to ensure security of sensitive TSM data including ePHI. The
policy must be distributed and communicated to all relevant parties. The policy
must be updated on an annual basis with the latest regulatory requirements and
the necessary technical security controls according to classification of assets.

 

b) A data protection officer should be appointed that will be in charge of
assigning responsibilities as presented in the data classification policy. Refer
to the Data Classification policy for data ownership and the responsibility
according to the role.

 

c) Covered information must be rendered unreadable anywhere it is stored (i.e.
PCs, portable digital media, backup media, servers, databases, or in logs) using
the following approaches (for details refer to encryption policy): [Core-13(b)]

 

o Full disk encryption



o Virtual disk encryption



o Volume disk encryption



o File and folder encryption

 

d) The encryption approach shall be performed using one or a combination of the
following: [Core-13(b)]

 

o One-way hashes based on strong cryptography



o Truncation

 

o Strong cryptography with associated key-management processes and procedures

 

e) Protection of information assets must be according to their assigned data
classification level (i.e. applying encryption control to PHI/PII).
[Core-13(b)]

 

f) The implementation of security and privacy protections includes transfers of
TSM records and even extracts of such records (i.e. spreadsheet information, PDF
images of documents, electronic copies, and any other format including .TXT).
[Core-13(b)]

 

7. Prevention of Misuse of Information Assets:

 

Controls must be established to avoid unauthorized use of sensitive information
including ePHI/ePII. The following controls must be established:

 

a) Notification to employees, contractors and service providers that their
actions may be monitored and are subject to, depending on the event,
disciplinary actions (for employees) or penalties and even contract termination
(for contractors and service providers).

 

b) All employees, contracted personnel (professional services) and service
providers (i.e. consultants, auditors) must sign an acceptable use
agreement (refer to acceptable use policy for details). The agreement must
establish that they have read, understand and agree to abide by the rules of
behavior before TSM management authorizes access to any database and information
system of TSM. This must be performed on a yearly basis as this document is
updated accordingly.

 

c) TSM must render the Primary Account Number (PAN) and PHI and PII information
unreadable via encryption wherever it is stored including portable media.

 

d) The criteria of what is considered acceptable use of sensitive information
should be reviewed every year to update as needed due to regulatory requirements
or because of new technologies and threats.

 

8. Regulation of Cryptographic Controls: [Core-13(b)]

 

Refer to the encryption policy for details; however, all cryptographic controls
need to be reviewed annually against the minimum standards established by local
and Federal Regulations.

 

9. Compliance with Security Policies and Standards: [Core-15(c)]

 

Reviews of the compliance of systems with security policies and applicable
standards (i.e. HIPAA, local and Federal regulations, etc.) should be conducted
by the ISG team.

 

Compliance reviews should be formally documented including all relevant
evidence. If noncompliance is found, TSM management must:

 

a) Determine the cause for non-compliance (intentional, lack of training, lack
of resources, etc.)

 

b) Evaluate the need for actions to ensure remediation effort is effective

 

c) Select and implement a remediation action

 

d) Perform a re-testing effort to ensure corrective action was effective

 

Develop a continuous monitoring strategy that includes security metrics.

 

10. Technical Compliance Checking: [Core-15(c)]

 

TSM must check the technical security configuration of its systems at least
annually. In the case where services are provided by a third party, the
agreement must allow TSM to verify compliance with processing and security
requirements required by TSM.

 

11. Information Systems Audit Controls: [Core-13(b)]

 

TSM must require an annual audit of its information systems to ensure protection
of data received, stored and transmitted through the systems.

 



 

 






 

In the case of service providers that manage PHI and PII information, the
requirement of an audit must be included in their contracts: either TSM is
allowed to audit or an SSAE 16 SOC 1 and/or SOC 2 will be required from the
service provider depending on the service provided or information processed.

 

12. Protection of Information Systems Audit Tools: [Core-15(c)]

 

Access to audit applications and the databases generated from those applications
should have access controls which limit such access to authorized personnel, and
the type of access should be according to role in the audit and oversight of
such audit.

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, | 1

 

 

 


 

Policy No.: ISP#13
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Network Security

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define the security requirements for the
implementation and management of telecommunication networks. The security
requirements are required to protect the organization's IT assets from internal
and external threats and to maintain the security of the systems and
applications using the telecommunication network to support the organization and
our internal and external clients’ business objectives. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has adopted and implemented safeguards and
countermeasures to secure TSM telecommunication network and systems, in order to
protect the confidentiality, integrity, and availability of information that is
processed, stored, and transmitted by TSM networks and systems. These controls
are implemented to support the business objectives of the organization and to
comply with applicable laws and regulations. [Core-15(b)]

 

IV. Definitions:

 

1. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used. Also, Virtual Private Network (VPN) is a method
employing encryption to provide secure access to a remote computer over the
Internet.

 

2. Router: Device that interconnects logical networks by forwarding information
to other networks based upon IP addresses.

 

3. Switch: Networking device that keeps track of MAC addresses attached to each
of its ports so that data is only transmitted on the ports that are the intended
recipient of the data.

 

4. Network Diagram: Unique kind of diagram that represents a cluster or small
structure of computers or other networking devices. Generally, it is made up of
interconnected devices and systems.

 

5. Wireless Access Point (WAP): A networking hardware device that allows
wireless devices to connect to a wired network using Wi-Fi, or related
standards.

 



 

 




 

6. Simple Network Management Protocol (SNMP): Protocol governing network
management and the monitoring of network devices and their functions. A set of
protocols for managing complex networks.

 

V. Responsibilities:

 

1. All TSM and its subsidiaries' employees, temporary workers, contractors,
business partners and third party vendors, without exception, must comply with
the information security policies.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

Telecommunication network controls shall be managed and implemented to protect
TSM IT assets, systems and information and to maintain the security, integrity
and availability of the systems and applications. Telecommunication network
controls are also required to avoid the unauthorized access, use, disclosure,
disruption, modification, or destruction of TSM IT assets and electronic
information. [Core-15(b)]

 

1. Network Controls

 

A current telecommunication network diagram shall be maintained. The
telecommunication network diagram shall document all internal and external
connections to TSM systems storing, processing or transmitting information
(e.g., PII, ePHI). The diagram shall also include authorized wireless networks
and Wireless Access Points (WAP). [Core-15(b)]

 

The telecommunications network diagram shall be reviewed and updated based on
the changes in the environment and no less than every 6 months. [Core-15(b)]

 

TSM management shall implement telecommunications network controls to ensure the
security of the IT assets and the protection of connected systems and active
services from unauthorized access as well as to ensure the availability of the
required telecommunication network services in order to support the
organization's Business Continuity and Disaster Recovery strategy. [Core-15(b)]

 

2. Segregation of Networks

 

Firewalls shall be used to segregate and control traffic between the TSM
internal network and external networks (Internet and authorized 3rd party
networks), and any Demilitarized Zone (DMZ). [Core-15(b) & Core-15(c)]

 

An internal network perimeter shall be implemented by installing firewalls and
implementing the required virtual networks to control access and information
flow between TSM domains to authorized traffic. The firewall shall be capable of
enforcing security policies, be configured to filter traffic between TSM
domains, and block unauthorized access in accordance with TSM User Access
Policy. [Core-15(b) & Core-15(c)]

 

Wireless Access Points (WAP) shall be segregated from the internal and private
TSM networks. A firewall shall be implemented between any wireless network and
TSM information systems environment. [Core-15(b) & Core-15(c)]

 

3. Network Connection Controls

 

Managed interfaces and network traffic shall be denied by default and allowed by
exception (i.e., deny all, permit by exception). [Core-15(b)]

 

Access controls shall restrict the ability of users to connect to TSM internal
network(s), in accordance with the User Access Policy and the requirements of
TSM business applications and services. [Core-15(b)]

 

4. Router & Switch Configuration

 

Every router, switch and firewall connecting to a TSM production
telecommunication network must meet the following configuration controls:
[Core-15(b)]

 

a) Local or default user accounts shall not be configured on the router or
switch.

 

b) All default passwords of the equipment must be changed.

 

c) Access to the administrator password shall be provided only to authorized
personnel based on their job function and role.

 

d) Unnecessary user or equipment accounts shall be disabled.

 

e) The following services or features must be disabled unless a business
justification is provided:

 



 

 










 

o IP directed broadcasts.



o Incoming packets at the router/switch sourced with invalid addresses such as
RFC1918 addresses.



o TCP small services.



o UDP small services.



o All source routing and switching.



o All web services running on router.



o Discovery protocol on Internet connected interfaces.



o Telnet, FTP, and HTTP services.



o Auto-configuration.

o Discovery protocols.

o Dynamic trunking.



o Scripting environments, such as the TCL shell.

 

f) A restricted access statement banner shall be presented for all forms of
login, whether remote or local.

 

g) Access must be restricted to only TSM authorized personnel.

 

h) All device updates shall be done using secure routing updates and shall
adhere to the TSM Change Management process.
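
The service items in 4(e) can be checked mechanically against a device configuration. The following is an added example, not part of the policy or of any TSM tooling: a Python audit that flags configuration lines enabling the listed services and honours documented business justifications. It assumes Cisco IOS-style syntax (the policy names no vendor); the sample configuration and the exception text are constructed.

```python
import re

# Section 4(e) items mapped to configuration lines that ENABLE them.
# Assumption: Cisco IOS-style syntax; the policy itself names no vendor.
# Lines beginning with "no ..." disable a feature and never match.
RULES = [
    ("IP directed broadcasts", r"^ip directed-broadcast\b"),
    ("TCP small services", r"^service tcp-small-servers\b"),
    ("UDP small services", r"^service udp-small-servers\b"),
    ("Source routing", r"^ip source-route\b"),
    ("Web services on router", r"^ip http (secure-)?server\b"),
    ("Discovery protocol", r"^(cdp|lldp) run\b"),
    ("Telnet", r"^transport input\b.*\b(telnet|all)\b"),
    ("Dynamic trunking", r"^switchport mode dynamic\b"),
]

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
service tcp-small-servers
no service udp-small-servers
no ip source-route
ip http server
cdp run
!
interface GigabitEthernet0/0
 description Internet uplink (constructed sample)
 ip directed-broadcast
 no cdp enable
!
interface GigabitEthernet0/1
 switchport mode dynamic auto
!
line vty 0 4
 transport input telnet ssh
"""


def audit(config_text, exceptions=None):
    """Return findings for 4(e) services that the configuration enables.

    exceptions maps (section, item) to a business justification; a matching
    finding is reported with status "exception" instead of "violation".

    Caveat: a feature that is on by default may not appear in the
    configuration at all, so feed this the full output that includes
    defaults (on IOS, "show running-config all") rather than the short form.
    """
    exceptions = exceptions or {}
    findings = []
    section = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            # An unindented line opens a new block or is a global command.
            is_block = re.match(r"^(interface|line)\s", line)
            section = line if is_block else "global"
        for item, pattern in RULES:
            if re.search(pattern, line):
                justification = exceptions.get((section, item))
                findings.append({
                    "item": item,
                    "section": section,
                    "line": line,
                    "status": "exception" if justification else "violation",
                    "justification": justification,
                })
    return findings


if __name__ == "__main__":
    # Placeholder justification text, standing in for an approved exception.
    approved = {("global", "Discovery protocol"): "placeholder justification"}
    for f in audit(SAMPLE_CONFIG, approved):
        print(f'{f["status"]:<10} {f["item"]:<24} [{f["section"]}] {f["line"]}')
```
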

 

5. Wireless Security

 

When configuring Wireless Access Points (WAP) and devices, the organization
shall change the following: [Core-15(b)]

 

o Equipment administrator default password.

 

o Vendor default encryption keys.

 

o Encryption keys anytime anyone with knowledge of the keys leaves TSM or
changes positions.

 

o Default SNMP community strings on wireless devices.

 

o Default passwords/passphrases on access points.

 

o Other security-related wireless vendor defaults, if applicable.

 

TSM shall monitor all authorized and unauthorized Wireless Access Points (WAP)
to TSM information systems and networks. The installation of Wireless Access
Points (WAP) is prohibited, unless explicitly authorized, in writing, by the
Infrastructure Manager and the Information & Cyber Security Director.
[Core-15(b) & Core-15(c)]

 

Approved Wireless Access Points (WAP) and devices shall have appropriate
encryption enabled for authentication and transmission and shall be placed in
secure areas. [Core-15(b)]

 

6. Security of Network Services

 



 

 










 

Security features, service levels, and management requirements of all network
services shall be identified, documented and included in any network services
agreement, whether these services are provided in-house or outsourced.
[Core-15(b)]

 

Agreed services shall be determined and regularly monitored, and the right to
audit shall be agreed by management. [Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, | 1

 

 

 




 

Policy No.: ISP#14
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Password Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to establish the standard for creation of strong
passwords, the protection of those passwords, and the frequency of change.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Password
Management Policy to provide management with direction and support for the
implementation of strong password practices. Passwords are an important aspect
of information security and they are designed to protect user accounts. Weak
passwords may result in the compromise of TSM information systems. All TSM users
are responsible for taking the steps to select a strong password and secure
their passwords.

 

Users shall be made aware of their responsibilities for maintaining effective
access controls and shall be required to follow good security practices in the
selection and use of passwords and security of equipment. It is the
responsibility of employees, temporary workers, contractors and vendors to
ensure, to the maximum extent, that third parties have no knowledge of any of
the passwords to access TSM databases, networks, applications and systems.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 



 

 




 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. General Requirements:

 

The following practices shall be communicated to all TSM users and followed by
all employees:

 

a) Keep passwords confidential.

 

b) Passwords shall not be displayed when entered.

 

c) Avoid keeping a record (e.g., paper, file in the computer) of passwords.

 

d) Change passwords whenever there is any indication of a possible system or
password compromise.

 

e) Do not share your user account or password.

 

f) Do not provide the password to anyone for any reason.

 

g) The use of the same password for business and non-business purposes shall be
avoided.

 

h) Select strong passwords that meet TSM Password Management Guidelines.

 

i) Default vendor passwords shall be modified following installation of any
system, software or application.

 



 

 




j) The allocation of passwords shall be controlled through a formal management
process. The use of third parties or unprotected (clear text) electronic mail
messages shall be avoided.

 

2. Password Creation:

 

a) All user-level and system-level passwords must conform to TSM strong password
guidelines.

 

b) Users must not use the same password for TSM accounts as for other non-TSM
access accounts (i.e. personal ISP account, etc.).

 

c) User accounts that have system-level privileges granted through group
memberships or programs such as “sudo” (temporary privilege elevation) must have
a unique password from all other accounts held by that user to access TSM
systems.

 

d) Where Simple Network Management Protocol (SNMP) is used, the community
strings must be defined as something other than the standard defaults of public,
private, and system and must be different from the passwords used to log in
interactively.

 

3. Password Change and Parameters:

 

This Policy specifies the minimum requirements and password parameters across
all the system environments (network, operating system, applications and data
repository, if applicable).

 

a) LAN passwords shall be changed at least every 90 days.

 

b) Passwords for privileged accounts (i.e. system administrators) shall be
changed at least every 60 days.

 

c) Password length must be a minimum of eight (8) characters.

 

d) Passwords shall be easy to remember but not easy to guess, free of words
included in dictionaries, free of consecutive identical characters and require a
combination of alphabetic, upper and lower case characters, numbers, and special
characters (combination of any three (3) of the above four (4) listed is
acceptable).

 

e) Passwords shall be prohibited from being reused for at least four (4)
generations for users or six (6) generations for privileged users, and at least
four (4) characters shall be changed when new passwords are created.

 

f) Temporary passwords shall be unique to an individual and shall not be
guessable.

 

g) User identity shall be verified before performing the password reset process.

 



 

 









 

h) Temporary passwords shall be changed at the first log-on.

 

i) Temporary passwords shall be given to users in a secure manner.

 

j) Allow a minimum of three (3) failed login attempts before disabling the
accounts.

 

4. Password Protection:

 

a) Passwords must not be shared with anyone. All passwords are to be treated as
sensitive, Confidential TSM information.

 

b) Users shall not reveal their passwords over the phone to anyone.

 

c) Do not write passwords down or store them anywhere in your office.

 

d) Do not store passwords in a file on a computer system without encryption.

 

e) Do not use the "Remember Password" feature of applications (for example, web
browsers).

 

f) Any user suspecting that his/her password may have been compromised must
report the incident to the ISG and change all passwords.

 

5. Application Development:

 

Application developers must ensure that their programs contain the following
security precautions:

 

a) Support authentication of individual users, not groups.

 

b) Applications must not store passwords in clear text or in any easily
reversible form.

 

c) Applications shall not transmit passwords in clear text over the network.
(For further information see Minimum Security Requirements Baseline.)
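
The parameters in items 3(c) to 3(e), together with the storage rule in item 5(b), expressed as a change-time check; this is an added example, not part of the TSM policy or of the agreement. The wordlist, the substring dictionary match, the position-wise count of changed characters and the use of salted PBKDF2 for the history are assumptions, since the policy does not define them.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "summer", "winter"}
PBKDF2_ROUNDS = 100_000  # assumption: the policy names no algorithm or cost


def hash_password(password, salt=None):
    """Return (salt, digest); history is kept only in this form (item 5b)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, record):
    """Constant-time comparison of a candidate against one history record."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def build_history(passwords):
    """Hash a list of passwords, oldest first, into history records."""
    return [hash_password(p) for p in passwords]


def character_classes(password):
    """Count how many of the four classes in item 3(d) are present."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def changed_characters(old, new):
    """Assumed metric: differing positions plus the difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_new_password(new, current, history, privileged=False):
    """Return the list of violated rules; an empty list means accepted.

    `current` is the clear-text password the user just typed to authenticate
    the change. It is the only old password available in the clear, so the
    changed-characters rule is checked against it alone, while reuse is
    checked against the hashed history (oldest first, current included).
    """
    problems = []
    if len(new) < 8:
        problems.append("3(c): shorter than 8 characters")
    if character_classes(new) < 3:
        problems.append("3(d): fewer than 3 of the 4 character classes")
    if any(a == b for a, b in zip(new, new[1:])):
        problems.append("3(d): consecutive identical characters")
    if any(word in new.lower() for word in DICTIONARY):
        problems.append("3(d): contains a dictionary word")
    generations = 6 if privileged else 4
    if any(matches(new, record) for record in history[-generations:]):
        problems.append(
            f"3(e): reused within the last {generations} generations")
    if changed_characters(current, new) < 4:
        problems.append("3(e): fewer than 4 changed characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, oldest first; the last one is current.
    old = ["Maple#Run42", "Quartz!Bay57", "Cobalt$Fig83",
           "Ember&Owl26", "Nickel*Jay91"]
    history = build_history(old)
    for candidate in ("Harbor^Elk64", "Nickel*Jay92", "summer11"):
        print(candidate, check_new_password(candidate, old[-1], history))
    # Five generations back: allowed for a user, refused for a privileged user.
    print(check_new_password("Maple#Run42", old[-1], history))
    print(check_new_password("Maple#Run42", old[-1], history, privileged=True))
```

Because the history holds only salted digests, a rule that compares characters against older passwords cannot be enforced without weakening item 5(b); the check above limits that comparison to the password supplied at change time.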

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#15
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Physical and Environmental Security

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

I. Purpose:

 

TSM has established a formal policy and supporting procedures concerning
physical and environmental security to prevent loss, damage, theft or compromise
of IT assets and interruption to TSM IT business functions.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Physical and
Environmental Security Policy to provide management with direction and support
to prevent unauthorized physical access, damage, and interference to TSM’s IT
asset storage locations such as the primary data center and information.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or the Corporate Security Director responsible for physical security.

 



 

 




 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. Physical Security Perimeter:

 

a) Computers and IT assets that store or process sensitive and confidential
business or ePHI information shall not be located in areas that are unattended
or have unrestricted access by public or visitors to the facilities.

 

b) At the data center, access to a delivery and loading area from outside of the
building shall be restricted to identified and authorized personnel.

 

c) All physical security for the TSM buildings will be managed and monitored by
the Real Estate & Facilities Division of TSS, which has designated a Corporate
Security Director to manage the physical security program for offices and
facilities.

 

2. Physical Entry Controls to Data Center:

 

Adequate physical security measures must be implemented to protect TSM
computer and communications equipment, and data from unauthorized access,
disclosure, modification, destruction, loss, and misuse whether accidental or
intentional.

 

a) Authorized credentials shall be issued for all personnel with access to TSM
facilities.

 

b) A list of authorized personnel with access to the Data Center shall be
developed and approved. This list shall be reviewed at least quarterly.
Personnel for whom access is no longer required shall be removed from the list.

 

c) Access to areas where sensitive, confidential and PHI information is
processed or stored shall be controlled and restricted to authorized persons
only.

 

d) Servers and communication devices should be kept in secured physical areas.
Access to these areas should be restricted to authorized personnel and
contractors working for TSM and who have a demonstrated need to access the area.

 

e) Access to TSM offices should be protected and subject to monitoring (e.g.
video surveillance). This may include, but is not limited to, protection by PIN,
card swipe devices, biometric devices, door locks and video surveillance
systems.

 



 

 

 


 

f) Access to the data center server room shall require the authorized employee
to use the assigned ID card as well as a biometric authentication method.

 

g) Access to the data center shall be restricted to authorized personnel and be
subject to video surveillance.

 

h) A visitor log shall be maintained to record all authorized visits to the data
center.

 

i) Third party support service personnel shall be granted restricted access to
secure areas or covered information processing facilities only when required.
This access shall be authorized and monitored.

 

j) For the data center, maintain physical access audit logs for at least two
years and review the visitor records periodically, but no less than monthly.

 

k) The security access PIN number should be changed every 180 days or when an
employee with knowledge of the PIN is terminated.

 

3. Visitors to Data Center:

 

a) A visitor log to the data center shall be maintained. The visitor’s log
records shall contain the following information:

 

o Name and organization of the person visiting.

 

o Signature of the visitor.

o Form of identification.

o Date of access.

 

o Time of entry and departure.

 

o Purpose of visit.

 

o Name and organization of person visited.

 

b) All visitors must be identified prior to gaining access to restricted areas
controlled by TSM.

 

c) All visitors must be admitted to TSM premises only for specific authorized
purposes.

 

d) All physical access shall be granted with the minimum required access needed
to perform the personnel duties and job responsibilities.

 

e) Visitors to TSM offices and the data center must be escorted and supervised
at all times by an authorized TSM employee, consultant, or contractor.

 

f) Individuals who are neither TSM employees, nor authorized contractors, nor
authorized consultants, shall not be provided access to areas containing
sensitive, confidential or PHI information.

 



 

 

 


 

g) The Data Center supervisor must be notified in advance of any entrance to the
TriServe Tech, Data Center by external personnel (non-regular employees).

 

4. Physical Environmental Controls:

 

a) Physical protection measures against damage from fire, flood, earthquake,
explosion, civil unrest, and other forms of natural or man-made disaster shall
be designated and implemented, to protect and maintain the availability of
Triple-S Management Corporation (TSM) assets like computer, communications
equipment, and data from loss and/or destruction, whether accidental or
intentional.

 

b) TSM shall develop, disseminate and review/update annually:

 

o Formal, documented physical and environmental protection policies that
address purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance. (For further
information, refer to the GTS Business Continuity Plan (BCP) and the Security
Awareness & Training policy.)

 

o Formal, documented procedures to facilitate the implementation of the physical
and environmental protection policy and the associated protection controls.

 

c) The following controls shall be implemented to avoid damage from fire, flood,
earthquake, explosion, civil unrest, and other forms of natural or man-made
disasters:

 

o Appropriate fire extinguishers shall be located throughout the facility.

 

o The fire extinguishers shall be no more than 50 feet away from critical
electrical components.

 

o Fire detectors (e.g., smoke or heat activated) shall be installed on and in
ceilings and floors.

 

o Fire authorities shall be automatically notified when a fire alarm is
activated.

 

5. Maintenance Personnel:

 

All maintenance personnel access shall be authorized, monitored and validated
periodically.

 

6. Inventory of Hardware:

 

a) TSM will maintain an up-to-date inventory of computer and
communications equipment, removable storage media, and software under its
control. At a minimum, the inventory of information system components shall
include manufacturer, type, serial number, and physical location.

 

b) Procedures shall be developed, documented and implemented effectively to
control the flow of equipment into and out of the organization. Business
Managers shall authorize the delivery or removal of TSM information system
equipment.

 

7. Secure Disposal or Re-Use of Equipment:

 



 

 

 


 

Equipment containing storage media shall be checked to ensure that any sensitive
business information and licensed software is physically destroyed or completely
removed/erased using industry standard secured methods of destruction prior to
disposal or re-use.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#16
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Remote Access

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

I. Purpose:

 

The purpose of this policy is to define requirements for authorized users
connecting to the TSM network from a remote location. These requirements are
designed to minimize the potential risk associated with remote connections and
to protect TSM IT assets from exposure.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Remote
Access Policy to provide management with direction and support for the
implementation of appropriate authentication methods to control access to the
TSM IT assets by remote users.

 

IV. Definitions:

 

1. Remote Access: Any connection to TSM network(s) or information systems that
originates from a computer or device located outside of the TSM network.

 

2. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used. Also, Virtual Private Network (VPN) is a method
employing encryption to provide secure access to a remote computer over the
Internet.

 

3. Authentication: Authentication is the process of confirming the correctness
of the claimed identity.

 

4. Authorization: To allow access only to those resources which are appropriate
to that entity's identity.

 

5. Strong password: Consists of at least eight characters (and the more
characters, the stronger the password) that are a combination of letters,
numbers and symbols (@, #, $, %, etc.)

 

6. Accountability: The quality or state of being accountable; especially: an
obligation or willingness to accept responsibility or to account for one's
actions.

 



 

 




 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)].

 

Remote connections represent a high-risk access method if adequate controls and
management procedures are not implemented and followed. For this reason TSM has
established a remote access policy and procedures to protect the organization's
IT assets from unauthorized access. The primary objective of this policy is to
protect the confidentiality, integrity and availability of the IT assets in
accordance with TSM established business objectives and regulatory requirements.

 

The following requirements are defined for accessing TSM’s network and IT assets
from a remote (external) location. This includes connections performed to
support remote working from home activities or establishing remote connections
to the TSM corporate network to perform system monitoring activities, provide
system support or conduct maintenance to production systems, among other
activities.

 

1. General Requirements:

 

a) Authorization to grant remote access permission will require manager
approval.

 



 

 






 

b) The managers are responsible for recertifying on a quarterly basis the list
of authorized remote access users.

 

c) Managers must ensure that remote access is limited only to authorized users
and that this type of access shall be kept to the minimum number of employees.

 

d) All users shall have a unique identifier (user-id) to ensure proper
identification and authentication.

 

e) A stronger user authentication method must be implemented and used to
authenticate remote users. Two of the following factors shall be used to conduct
the remote user authentication process:

 

o Something you know (e.g. User ID & Password)

 

o Something you have (e.g. Symantec VIP two factor authentication token, Azure
two factor authentication token)

 

o Something you are (e.g. biometric technology)

 

f) All remote access sessions must be monitored and audit logs of remote
connections shall be protected and retained. Remote access logs shall be
retained for a period of 1 year online and 3 years on backup tapes.

 

g) Authorized users shall protect their assigned user id, password and the
assigned second factor authentication method at all times and shall not share
them with others.

 

h) The Information Security Group (ISG) shall ensure that redundant or duplicate
user IDs and second factor authentication methods are not issued.

 

i) Regular user activities shall not be performed from privileged accounts.

 

j) All computer devices that are connected to TSM network(s) remotely must have:

 

o Updated anti-virus and anti-spyware software installed and active.

 

o Updated operating system patches.

 

o Updated application level patches (e.g. Acrobat, Flash)

 

k) Remote access by vendors and business partners (e.g., maintenance, reports or
other data access) shall be maintained in a disabled state unless specifically
authorized by management.

 

l) Remote access by vendors and business partners shall also be immediately
deactivated after use.

 



 

 






 

m) The remote connection shall be automatically disconnected from TSM network
after 30 minutes of inactivity.

 

2. Access Request:

 

An approved Access Request Form shall be submitted to the Information Security
Group (ISG) to establish and grant remote access permission for authorized
employees (Regulars and/or Temporary), prior to connecting to TSM information
systems. The following practices shall be established:

 

a) The access request shall indicate a predefined date, profile based on job
responsibilities or assignments to specific functions and/or resources.

 

b) Remote access shall be restricted to authorized personnel and must be
requested and be authorized by the user's manager or supervisor.

 

c) Remote users’ access rights and privileges shall be restricted to the minimum
services and functions necessary to carry out their job role or function.

 

d) The activity of each account can be monitored at any time and may be
terminated by the ISG at any time.

 

e) Access to Confidential, Restricted and Protected information will be limited
to authorized personnel whose job responsibilities require this type of
information or as determined by the Application Owner.

 

3. Emergency Access:

 

In case of any situation where an emergency access is needed, the request will
follow the established process stated on the User Access Policy.

 

4. Access Review:

 

A formal process shall be conducted at regular intervals by system owners and
application owners in conjunction with ISG to confirm that remote users’ access
rights remain appropriate. The review shall be documented and signed off by the
applicable responsible party.

 

Managers are responsible for recertifying on a quarterly basis the list of
authorized remote access users.

 

VII. Attachments:

 

ATTACHMENT E - Remote Access Procedure

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#17
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Removable Device Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

I. Purpose:

 

The purpose of this policy is to establish the requirements for the use of
removable devices on TSM information systems and equipment, to minimize the risk
associated with loss or exposure of sensitive information such as PII, PHI and
ePHI managed by TSM. The policy is also designed to reduce the risk associated
with malware infections, computer viruses and botnets that can be propagated on
computers operated by TSM by this type of device.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities with
access to TSM information, information systems or IT equipment (i.e. computer,
server, laptop and mobile devices) that intend to store any information on
removable media devices.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Removable
Device Management policy, to provide management with direction and support for
the implementation of safeguards to ensure the proper use of removable media
devices used to store and transfer information by users who have been authorized
access by TSM management to use this type of equipment for the purpose of
conducting official TSM business.

 

IV. Definitions:

 

1. Encryption: The process of encoding a message so that it can be read only by
the sender and the intended recipient.

 

2. Malware: Is defined as software of malicious intent/impact such as viruses,
worms, and spyware.

 

3. Removable Media: Any type of device that can be removed from a computer while
the system is running.

 

4. Sensitive Information: Information that is protected against unwarranted
disclosure. Access to sensitive information should be safeguarded.

 

5. USB Flash Drive: A memory data storage device integrated with a USB
(universal serial bus) interface. They are typically small, lightweight,
removable and rewritable.

 



 

 




 

Policy No.: ISP#17 Page 80 Effective Date: 09/01/2016 Approval Date: 09/01/2016
Department: Information Security Last Review Date: 08/11/2016 Policy Name:
Removable Device Management        

 

6. Personal Identification information (PII): An individual’s name together with
Social Security number, driver’s license number, or certain bank or credit
account information.

 

7. Protected Health Information (PHI): Protected health information generally
refers to demographic information, medical history, test and laboratory results,
insurance information and other data that a healthcare professional collects to
identify an individual and determine appropriate care.

 

8. Electronic Protected Health Information (ePHI): Refers to any protected
health information (PHI) that is covered under Health Insurance Portability and
Accountability Act of 1996 (HIPAA) security regulations and is produced, saved,
transferred or received in an electronic form.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. General Requirements:

 



 

 






 

a) TSM shall implement safeguards and procedures for the proper management of
removable media.

 

b) Procedures and controls shall be designed and implemented to prevent the
unauthorized use of removable media storage devices such as:

 

o USB Memory Sticks (also known as pen drives or flash drives).



o External Hard Drives.



o Media Card Readers.



o CDs.



o DVDs.



o Embedded Microchips (including Smart Cards and Mobile Phone SIM Cards).



o Smart and Cellular Phones.



o MP3 Players.



o Digital Cameras.



o Backup tapes.

 

c) All PII or PHI data stored on removable media devices must be encrypted by
the TSM approved removable media encryption tool.

 

d) Authorized users are responsible for the appropriate use and protection of
the removable media from theft or loss.

 

e) Authorized users must be aware that TSM can audit the transfer of data files
to and from all removable media devices and TSM IT equipment by using the
approved Data Loss Prevention (DLP) tool.

 

f) Confidential, PII, PHI or ePHI information should be stored on removable
media only when required for the performance of TSM personnel's assigned
duties.

 

g) All Confidential, PII, PHI or ePHI information to be stored on removable
media must be encrypted in accordance with the TSM Encryption Policy.

 

h) Media containing confidential, PII, PHI or ePHI information shall be
physically secured until the media is destroyed and/or sanitized.

 

i) Virus and malware checking software must be used when the removable media
device is connected to TSM equipment and systems.

 

j) Only data that is authorized and necessary to be transferred should be saved
on to the removable media device.

 



 

 






 

k) Removable media devices must not be used for archiving or storing records
as an alternative to the approved computer systems used by TSM.

 

l) Special care must be taken to physically protect the removable media device
and stored data from loss, theft or damage.

 

2. Restricted Access to Removable Media:

 

The use of removable media devices shall be approved by the department manager
and by the Information & Cyber Security Director of TriServe.

 

The Department Manager must document the user access request by using the
Removable Device Access Form.

 

The Department Managers are responsible for re-certifying the list of authorized
users to access removable media storage devices on an annual basis.

 

3. Preventing Information Security Incidents:

 

Data in transit, in storage or held on any removable media device must be
given appropriate security according to the type of data and its sensitivity.
Encryption and password control must be applied for PII and PHI information.

 

PII, PHI and/or TSM confidential or sensitive data must not be transmitted or
stored on Bluetooth enabled devices.

 

TSM users are required to immediately report any loss or theft of TSM information
or equipment to the ISG and/or IT Service Desk.

 

4. Bluetooth Enabled Devices:

 

All Bluetooth devices must use Secure Simple Pairing with encryption enabled.
Bluetooth users must only access TSM information systems using approved
Bluetooth device hardware, software, solutions, and connections.

 

5. Disposal of Removable Media Devices:

 

Removable media devices that are no longer required, or have become damaged,
must be disposed of securely to avoid data leakage.

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 




 

Policy No.: ISP#18 Page 83 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Retention and Disposal

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements for data retention and
disposal of technology equipment and records. These requirements are designed to
minimize the potential exposure to TSM from damages which may result from
unauthorized access, disclosure and use of TSM records containing sensitive,
confidential, and ePHI information.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries' employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy supports the organization's plan for storage, maintenance and
destruction of information [Core-13(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Retention
and Disposal Policy to provide management with direction and support to protect
important records containing sensitive, confidential, and ePHI information from
loss, destruction, and falsification, in accordance with business requirements,
laws and regulations.

 

IV. Definitions:

 

1. Record: Any type of record created or received in the course of TSM business,
including, but not limited to, paper, e-mail, any type of electronic file or
data, plans, and audio/ video recordings, etc.

 

2. Disk wiping: Is a software-based method of overwriting the data that aims to
completely destroy all electronic data residing on a hard disk drive or other
digital media.

 

3. Degaussing: Is a technique for destroying data on magnetic storage tapes. Can
also be used to erase the contents of a hard drive, USB thumb drive or a smart
phone.

 

4. Active Record: Any record that is currently in use by TSM and is required to
support the business operational functions and client’s services.

 

5. Archival Record: A record that is not required to be retained on premise and
which can be moved to a long term archival method.

 

6. Electronic Record: A record kept in an electronic format, such as a word
processing document, a spreadsheet, a database, a scanned or imaged document,
and any other type of file stored on a computer, server or mainframe storage
device or medium, or on any external or off-site storage medium.

 

7. Inactive Record: A record that is no longer an Active Record but must be
maintained pursuant to the Records Retention Program requirements.

 

8. Personal Identifiable Information (PII), Personal Health Information (PHI)
and Electronic Personal Health Information (ePHI) records: PII, PHI and ePHI are
considered highly sensitive and confidential and must be safeguarded and secured
at all times.

 

9. Hard Copy Record: Any physical representation of information, most often
associated with paper printouts.

 

10. Electronic Record: Information captured and managed through electronic
means, and which may or may not have a paper record to back it up. Also called
machine readable record. Electronic records can be stored throughout an
organization in a variety of ways such as databases, directories, file systems,
applications, hard drives, and email accounts.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

This procedure supports the organization's process for storage, maintenance and
destruction of information [Core-13(b)].

 



 

 


 

1. General Requirements:

 

a) TSM shall establish documented procedures for the retention and disposal of
data, technological equipment and resources of electronic data storage media.
This includes, but is not limited to, hard disks, tapes, cartridges, CDs, and
USB drives.

 

b) TSM shall establish a formal record retention program that addresses record
storage, access, retention, and destruction. The program shall also specify the
retention period for electronic storage media (i.e. backup tapes).

 

c) Procedures shall be implemented meeting the requirements of the defined
retention schedule by identifying essential record types and periods of
retention, an inventory of sources of key information, disposal of information
that exceeds the retention period and secure disposal of equipment.

 

2. Record Retention:

 

a) Electronic Communication (Email): Email communications shall be retained for
a period of 6 months. E-mail messages containing approvals or representing TSM
agreements with outside entities, shall be retained by TSM departments according
to the retention guidelines set in this policy (either electronic or paper). For
further information on retention periods refer to the Backup and Retention
Policy.

 

b) Document Retention Periods: For further information on document retention
periods refer to the Documents Retention Policy #V-14.

 

3. Disposal:

 

a) All media shall be disposed of securely and safely when it is no longer required
by TSM business or legal requirements, using formal documented procedures. All
information shall be rendered unusable, unreadable, or indecipherable on system
media, both digital and non-digital, prior to disposal or release for reuse.
Media containing sensitive information that cannot be sanitized shall be
destroyed.

 

4. Secure Disposal Techniques:

 

a) The following are appropriate techniques to securely remove information:

 

o Disk Wiping



o Degaussing

 

b) The following are appropriate techniques to securely destroy electronic and
hard copy media:

 



 

 


 

o Shredding disk platters



o Disintegration



o Grinding surfaces



o Incineration



o Pulverization



o Melting

 

5. Document Disposal:

 

a) Paper documents may be disposed of (destroyed) after being digitized as long
as it is verified that the document to be printed is clear and legible, that its
integrity remains intact and that it is a true and exact copy of the original.

 

b) All documents may be destroyed after fulfilling the corresponding period of
conservation and if there are no legal hold periods related to the document
content.

 

c) A log of the destroyed documents shall be kept to maintain a documented
process and tracking of all destroyed documents covered by this policy. All
document destruction for in scope legal cases or investigations shall be halted
after receiving a hold notification from the Legal Division.

 

d) All paper sensitive/confidential documents shall be placed in the official
shredder bins/recycling bins or placed in the locked secured disposal recycling
bins contracted by the organization for the secured destruction of the
documents.

 

6. Secure Equipment Disposal:

 

a) Surplus equipment shall be stored securely while not in use, and shall be
disposed of or sanitized when no longer required.

 

b) Sanitization of desktop computers and portable media will be managed by
Desktop Management Group (DMG).

 

c) All items of equipment containing storage media shall be checked to ensure
that any covered information and licensed software has been removed or securely
overwritten prior to disposal.

 

d) Devices containing covered information shall be physically destroyed or the
information shall be destroyed, deleted or overwritten using techniques to make
the original information non-retrievable rather than using the standard delete
or format function.

 



 

 






 

e) Disposal without sanitization shall be considered only if information
disclosure would have no impact on TSM business, would not result in damage to
TSM assets, and would not result in financial loss or harm to any customer,
employees and business associates.

 

7. Equipment Donation and/or Transfers

 

a) TSM personnel shall sanitize or destroy information system digital media
before its disposal or release for reuse outside of TSM premises, to prevent
unauthorized individuals from gaining access to and using the information
contained on the media.

 

VII. Attachments:

 

ATTACHMENT F - Retention & Disposal Procedure [Core-13(b)]

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 


 

Policy No.: ISP#19 Page 88 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Security Awareness and Training

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define the requirements to ensure that users of
TSM systems and third party contractors receive appropriate awareness and
training to ensure the protection of TSM’s IT assets and information.
[Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the Security
Awareness and Training Policy to provide management with direction and support
for the implementation of a security awareness training program including
providing regular updates of TSM information security policies and procedures
required to protect the organization's IT assets. [Core-15(b)]

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 



 

 




 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

TSM shall define and implement security awareness, training, and education
programs for internal use as well as with applicable third parties to ensure
that all users are appropriately trained in the organization's Information
Security Policies periodically. The following requirements shall be considered:
[Core-15(b)]

 

1. All employees of TSM, contractors and third party users shall receive
appropriate Information Security training. [Core-15(b)]

 

2. The Information Security Group (ISG) shall provide regular updates on the
organization's Information Security policies and procedures as considered
relevant for the employee job functions and responsibilities in TSM and its
subsidiaries.
[Core-15(b)]

 

3. ISG shall develop an Information Security Training and Awareness program to
support the employee onboarding process of TSM and its subsidiaries and
affiliates. [Core-15(b)]

 

4. ISG shall review and update the Information Security Training and Awareness
program on an annual basis to ensure compliance with local and federal
regulations. [Core-15(b)]

 

5. The Information Security Training and Awareness, which must be part of the
onboarding process, will include employees as well as contractors, and third
party service providers that may come into contact with sensitive information.
[Core-15(b)]

 

6. TSM must maintain a record of each individual who completes the on-boarding
process and the Information Security Training module. The training records must
be filed for at least five years thereafter. [Core-15(b)]

 

7. The ISG, in coordination with the Human Resources training center, will
coordinate providing employees with refresher training at least every year.
[Core-15(b)]

 

8. The organization's training center will keep track of the employees who
completed the training. [Core-15(b)]

 

9. Employees, contractors and any other third party, must acknowledge that they
received the training and that they are responsible to comply with it through a
formal and documented signoff. [Core-15(b)]

 



 

 






 

10. TSM security personnel shall receive specialized security education and
training appropriate to their role/responsibilities. [Core-15(b)].

 

11. Personnel from the Information Security Group (ISG) shall be required to
participate in information system security training for the following functions:
[Core-15(b)]

 

o Before engaging in user provisioning activities.



o When required due to new threats.



o Changes in role: an employee transferring to the information security unit
will require training before officially starting his/her position.

 

12. At least on an annual basis, refresher training for all security personnel
will be conducted to ensure knowledge stays relevant considering new threats and
changes. [Core-15(b)]

 

13. TSM shall incorporate simulated events into incident response training to
ensure effective response in critical events. [Core-15(b)]

 

14. All third parties that provide and/or manage critical applications (i.e. for
handling claims – [***]) must provide training or training materials on the
correct use and operation of security functions and controls of the applications
or systems. [Core-15(b)]

 

15. Awareness training shall include a formal introduction to the organization's
security and privacy policies, state and federal laws. [Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, | 1

 

 

 




 

Policy No.: ISP#20 Page 91 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Security Monitoring Policy

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, CIO

           

I. Purpose:

 

The purpose of this policy is to ensure that information security events are
recorded and monitored to detect unauthorized system activities in compliance
with applicable laws and regulations.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization detect, contain and correct confidentiality
and security violations [Core-15(c)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Security
Monitoring Policy to provide management with direction and support to ensure
that information security events are recorded and monitored to detect
unauthorized system activities in compliance with applicable laws and
regulations.

 

Procedures for monitoring the use of IT assets shall be established to check for
use and effectiveness of implemented controls. The results of the monitoring
activities shall be reviewed regularly.

 

IV. Definitions:

 

1. Event: Something that occurs within a system or network.

 

2. Log: A record of the events occurring within an organization’s systems and
networks.

 

3. Log Archival: Retaining logs for an extended period of time, typically on
removable media.

 

4. IPS: A proactive protection technology that provides security at the network
level.

 

5. Clock Synchronization: Process of precisely coordinating or matching two or
more activities, devices, or processes in time.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

This procedure helps the organization detect, contain and correct confidentiality
and security violations [Core-15(c)].

 

1. General Requirements:

 

a) All users should know that all generated information through TSM networks and
systems is property of TSM.

 

b) Telecommunication networks, computers, internet and email traffic shall be
monitored by members of the Information Security Group (ISG), or third parties
contracted in support of the Information Security Group monitoring function.

 

c) All systems, applications and databases shall be configured with audit logs
enabled at each of the following levels:

 

a. Operating system and admin activities audit log

 

b. Application event level audit log

 

c. Database event level audit log

 

d) All audit logs shall be kept secure and be protected from unauthorized
deletion or alteration.

 



 

 




 

e) Audit logs shall be protected against tampering and unauthorized access.

 

f) Audit logs shall be accessible to authorized personnel of the ISG.

 

g) Audit logs must be backed up and retained in accordance with the retention
periods defined by the Retention Officer.

 

h) Security event logging and monitoring of TSM systems shall be carried out in
order to detect suspicious activities that could impact the confidentiality,
integrity and availability of the IT assets and the data stored.

 

i) Authorized access and unauthorized access attempts in systems that manage PHI
and/or PII information and/or company financial information shall be logged.

 

j) System administrator and system operator activities shall be logged and
regularly reviewed.

 

k) Suspicious events shall be evaluated and categorized appropriately. If an
event is determined to be an attack or is categorized as a security incident, it
shall be investigated and reported to affected parties according to the IT &
Cyber Security Incident Response Plan.

 

l) The results of the monitoring activities shall be reviewed periodically.

 

m) The clocks of all relevant information processing systems within TSM or
security domain shall be synchronized with an agreed accurate time source to
support tracing and reconstitution of activity timelines.

 

2. Monitoring:

 

a) TSM shall implement the following safeguards and mechanisms to ensure the
confidentiality, integrity and availability of TSM networks and information
systems. Specific network perimeter controls include:

 

a. Network Firewalls: Firewalls are frequently used to prevent unauthorized
Internet users from accessing private networks connected to the Internet,
especially intranets. All messages entering or leaving the intranet pass through
the firewall, which examines each message and blocks those that do not meet the
TSM security criteria.

 

b. Application Level Firewall: An application firewall is a form of firewall
that controls input, output, and/or access from, to, or by an application or
service. It operates by monitoring and potentially blocking the input, output,
or system service calls that do not meet the configured policy of the firewall.

 

c. Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS): To
provide automated real-time identification of unauthorized use, misuse, and
abuse of computer assets by internal or external network users. Logs, alarms,
alerts and functions shall be monitored and reviewed on a regular basis and
anomalies/trends shall be identified, analyzed and reported.

 

d. Network Traffic Monitoring: Firewall logs, alerts and network traffic shall
be monitored to ensure identified issues are reviewed and resolved on time.
Firewall rules shall be documented and reviewed on a quarterly basis.

 

e. Endpoints: Detection and prevention controls to protect the endpoints with
anti-virus protection.

 

f. Internet Browsing: The Internet use shall be monitored from all computers and
devices connected to the TSM network and Web Content Filter technologies shall
be used to protect users.

 

g. Email: Emails shall be monitored from all users to ensure that sensitive
information is kept confidential and technology is in place to protect from
malware.

 

b) The following monitoring frequencies have been implemented and are followed:

Security Device | Monitoring Frequency
Network Firewalls | 7x24x365
Application Level Firewall | 7x24x365
Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS) | 7x24x365
Network Traffic Monitoring | 7x24x365
Endpoints | Daily for anti-virus status
Internet Browsing | On demand for internal investigations
Email | Daily for suspicious email attachment. On demand for internal investigations.

 

3. Audit Logging:

 

a) Audit logs recording user activities, exceptions, and security events shall
be generated and stored, in accordance with TSM record retention policy
requirements and procedures, to assist in investigations and access control
monitoring processes.

 

b) Information systems processing PII, PHI, financial and employee sensitive
information shall generate audit log records each time a user accesses, creates,
updates, or archives the information via the system. The audit logs shall
include:

 

a. Unique user identifier.

 

b. A unique data subject (e.g., the patient) identifier.

 

c. Function performed by the user (e.g., log-in, record creation, access,
update, etc.)

 

d. Time and date when the function was performed.

 

e. Type of event that occurred (e.g., success or failure).

 

f. Event Information (e.g., files handled).

 

g. The account(s) and administrator(s) or operator(s) involved (when applicable)

 

h. Process(es) involved.

 

i. Before and after values when action involves updating a data element, if
feasible.

 

c) Grant, modify, or revoke access rights, including adding a new user or group,
changing user privilege levels, changing file permissions, changing database
object permissions, changing firewall rules, and user password changes.

 

d) System, network, or services configuration changes, including installation of
software patches and updates, or other installed software changes.

 



 

 









 

e) System administrator and system operator activities shall be logged and
regularly reviewed.

 

4. Protection of Audit Log Information:

 

a) Access to TSM system audit tools and audit trails shall be safeguarded from
unauthorized access and used to prevent misuse or compromise of logs. Authorized
and unauthorized access attempts to the audit system and audit trails shall be
logged and protected from modification.

 

b) Logging controls shall protect against unauthorized changes and promptly back
up audit trail files to a centralized log server or media that is difficult
to alter.

 

VII. Attachments:

 

ATTACHMENT G - IT & Cyber Security Incident Response Plan [Core-15(c)]

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#21
Page 97
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Technical Vulnerability Management Policy

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements to manage and reduce risks
that could result from the exploitation of technical vulnerabilities by
implementing an effective, systematic, and repeatable process with measurements
included to confirm its effectiveness.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization assess the potential risks and vulnerabilities
to the confidentiality, integrity and availability of information systems
[Core-15(a)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Technical
Vulnerability Management Policy to provide management with direction and support
to assess and manage technical vulnerabilities that could impact ePHI
confidentiality, integrity and availability.

 

IV. Definitions:

 

Vulnerability: A weakness of an asset or group of assets that can be exploited
by one or more threats.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 



 

 




 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

The following practices help the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

1. TSM shall implement a technical vulnerability management process that
includes periodic vulnerability assessment activities for the in scope systems.

 

2. TSM has adopted the following frequency for conducting the external and
internal vulnerability and penetration assessments of the organization's IT
assets:

Type of Assessment | Frequency
External | Quarterly
Internal | Twice Per Fiscal Year

 

3. Mitigation activity shall be prioritized based on the severity of the
vulnerability, the current threat environment and the business use of the
vulnerable asset.

 

4. Shielding shall be used to protect vulnerable assets until mitigation is
completed, if applicable.

 

5. The root cause of vulnerabilities shall be identified and eliminated,
whenever applicable, through improvements in network and server configuration
policies, and better change management and administrative processes.

 

6. TSM shall develop applications based on secure coding guidelines to prevent
common coding vulnerabilities in software development applicable to internal and
external public facing web applications and interfaces.

 

7. TSM system and application configuration standards shall be consistent with
industry-accepted system hardening standards. Refer to TSM System Hardening
Guidelines checklist.

 

8. The following activities shall be adopted within the technical vulnerability
management process and roles and responsibilities defined and established:

 



 

 






 

a) Discovery: To identify new technical vulnerabilities using vulnerability
scans and ethical hacking assessments performed by a third-party.

 

b) Prioritization: The prioritization activities shall be based on external
threat information and internal risk rating related to the affected information
asset and with a predefined inventory of systems. Based on its relevance,
identified vulnerabilities shall be sorted or discarded and then prioritized.

 

c) Shielding/Mitigation: Current IT techniques and processes shall be used to
shield vulnerable assets until mitigation work is completed. High-priority
vulnerabilities shall be mitigated immediately and the root causes eliminated.

 

d) Test/Change Management: Before the implementation into the production
environment, and whenever applicable, the new countermeasure or patch shall be
tested in a test environment. Appropriate change management procedures should be
followed and a patch calendar schedule shall be in place.

 

e) Monitoring: Periodically monitor the security state of the IT environment
and the current status of vulnerability mitigation activities. The discovery
step needs to be continuous, and all subsequent vulnerability management steps
should be repeated as part of an ongoing process.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#22
Page 100
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Teleworking

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements for managing and reducing
risks associated with teleworking activities. The policy and the requirements
are designed to minimize the potential exposure of TSM IT assets from damages
which may result from theft of equipment and information, the unauthorized
disclosure of information including ePHI, unauthorized remote access to the
organization’s internal systems and/or misuse of the IT assets of the
organization.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)] and [Core-13(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Teleworking
Policy to provide management with direction and support for the implementation
of appropriate security measures for employees working from remote locations and
working from home.

 

IV. Definitions:

 

1. Teleworking: Is defined as working at home or at other off-site locations
that are linked electronically (via computer, fax, etc.) to a central office or
principal place of employment.

 

2. VPN: A method employing encryption to provide secure access to a remote
computer over the Internet.

 

3. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used.

 

4. Remote Access: Any connection to TSM network(s) or information systems that
originates from a computer or device located outside of the TSM network.

 

5. Session locking: Means locking screens on workstations after a certain amount
of inactivity.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

TSM shall only authorize teleworking activities if they comply with TSM’s
security requirements and controls for remote access connections. TSM shall
consider that any teleworking facility is essentially an extension of the TSM
network and any teleworking user that connects without appropriate security
controls could result in the exposure of company and ePHI confidential
information resulting in a significant impact to the entire organization. At a
minimum the following requirements shall be implemented for authorized
teleworking users:

 

1. General Requirements:

 

a) Only authorized teleworking users shall be allowed.

 

b) Business managers are responsible for requesting and authorizing the access
based upon the needs of the department for the user to perform teleworking
functions.

 

c) TSM business managers shall ensure that authorized teleworking users read and
acknowledge understanding of the organization's Employee Manual and Information
Security policies for performing teleworking functions.

 



 

 

 






d) Training on Information Security (IS) and privacy responsibilities shall be
required for all authorized teleworking users.

 

e) TSM will provide corporate approved computers (i.e. laptops) to teleworking
authorized users. The assigned computer will comply with the organization
standard image and security controls including but not limited to:

 

o Corporate approved MS Windows license and image.

 

o Corporate approved anti-virus, anti-malware and firewall system.

 

o Corporate approved Data Loss Prevention system.

 

o Corporate approved encryption system.

 

o Corporate approved Virtual Private Connection (VPN) system.

 

f) Authorized teleworking users shall use the assigned corporate equipment to
conduct teleworking functions.

 

g) TSM computer equipment located at the user teleworking location shall not be
used for personal activities or lent to friends or family members.

 

h) Teleworking users shall not install unauthorized software in the assigned
teleworking equipment.

 

i) TSM teleworking equipment and media taken off the premises shall be encrypted
and not be left unattended in unsecured places or high risk locations such as
inside automobiles.

 

j) Adequate insurance coverage shall be in place to protect off-site TSM
computer equipment.

 

k) TSM maintains ownership over the corporate assets (e.g. computer,
peripherals, etc.) used by teleworking authorized personnel.

 

2. Account Administration:

 

a) Teleworking user access requests must also meet the User Access Policy and
Remote Access Policy requirements for secure remote connections.

 

b) Business managers are responsible for requesting revocation of remote accesses
to TSM systems, and returning TSM assigned equipment when the teleworking
activities are terminated.

 

c) Business managers are responsible for the timely notification of employee
terminations and transfers to the Human Resources department.

 



 

 






 

3. Teleworking User Requirements:

 

a) Verifiable unique IDs shall be required for all teleworker users accessing
TSM network by a remote connection.

 

b) Authorized teleworkers must use the Symantec VIP two factor authentication
system to establish the remote connection to TSM network.

 

c) The authorized user is responsible for maintaining appropriate protection
at the teleworking site to protect the assigned equipment against theft, the
unauthorized disclosure of information, and the unauthorized remote access to
TSM internal systems.

 

d) The use of home WiFi networks is permitted as long as the WiFi is password
protected and the WiFi encryption protocol is enabled. The WPA encryption
protocol is the minimum required.

 

e) ePHI information shall never be stored outside the corporate provided
equipment.

 

f) ePHI or company confidential information shall never be printed when working
from a teleworking facility.

 

g) Home-working controls shall be applied, including lockable filing cabinets,
clear desk and clear screen, and access controls for computers and secure
communication with the office.

 

4. Teleworking Document Management: [Core-13(b)]

 

a) Authorized teleworking users must avoid storing and printing documents
containing PHI, PII and company confidential information while working remotely.

 

b) Teleworking users must place in a secured location documents containing PHI,
PII and company confidential information when not in use.

 

c) Authorized portable storage devices must be encrypted if they are to be used
to store PHI, PII or company confidential information.

 

5. Teleworking Control of Assigned Equipment: [Core-13(b)]

 

a) For decommissioning of company assigned equipment the user must return the
required to the Desk Top Management team who will coordinate the process as
outlined in the Retention & Disposal procedure.

 





 

 






VII. Attachments:

 

ATTACHMENT F - Retention & Disposal procedure [Core-13(b)]



 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#23
Page 105
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Third Party Services Risk Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements and establish a
systematic approach for management of risks associated with the contracting
of third party service providers.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization assess the potential risks and vulnerabilities
to the confidentiality, integrity and availability of information systems
[Core-15(a)].

 

Triple-S Management Corporation (TSM) has developed a Third Party Services Risk
Management Policy, also known as Vendor Risk Management, to ensure that third
party service providers maintain adequate security controls to manage TSM PII
and/or PHI information. The policy also requires management to monitor the level
of services contracted.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 



 

 




 

4.    Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

TSM shall develop and implement a Third Party Service Provider Risk
Management Program to ensure that security requirements and service levels are
met:

 

1. Service Delivery: It shall be ensured that security controls, service
definitions, and delivery levels included in the third party service delivery
agreement are implemented, operated, and maintained by the third party.

 

2. Monitoring and Review: The services, reports, or records provided by third
party shall be regularly monitored and reviewed, and audits shall be carried out
regularly to govern and maintain compliance with the service delivery
agreements.

 

3. Managing Changes: Changes to the provision of service, including maintaining
and improving existing information security policies, procedures, and controls,
shall be managed, taking account of the criticality of business systems and
processes involved and re-assessment of risk.

 

VII. Attachments:

 

ATTACHMENT H - Third Party Services & Risk Management procedure [Core-15(a)].

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 






 

Policy No.: ISP#24 Page 107 Effective Date: 09/01/2016 Approval Date: 09/01/2016
Department: Information Security Last Review Date: 08/11/2016 Policy Name: User
Access

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           



 

I. Purpose:

 

The purpose of this policy is to define requirements to establish, document and
review access control mechanisms to ensure that users have the minimum access
required to conduct their business activities. [Core-15(a) & Core-15(b)]

 

II. Scope:

 

This policy applies to TSM, its subsidiaries, employees, temporary workers,
contractors, business partners and third party vendors contracted by TSM to
provide services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the User Access
Policy to provide management with direction and support for the implementation
of appropriate logical and physical user access controls. [Core-15(a) &
Core-15(b)]

 

TSM has adopted appropriate user access measures (logical and physical) to
ensure the confidentiality, integrity and availability of sensitive information
and the organization’s IT assets. This policy is critical for securing Protected
Health Information (PHI), Personally Identifiable Information (PII) and
Electronic Protected Health Information (ePHI) and ensuring compliance with the
HIPAA minimum use requirement. [Core-15(a) & Core-15(b)]

 

Authorization to programs, systems and databases required to access any
information on TSM networks, either via local or remote access, must be approved
by management and authenticated using unique user IDs and passwords.
[Core-15(a) & Core-15(b)]

 

Logical and physical access controls shall be implemented based on the employee
job function and role. The applications, systems and databases accesses shall be
granted according to the employee job function and business needs to prevent
unauthorized access to information stored in TSM systems and physical
facilities. [Core-15(a) & Core-15(b)]

 

IV. Definitions:

 

1. Authentication: The process of verifying a user identity in order to grant
access to a system according to a specific role or profile.

 

2. Logical Access: Access to a computer or network system through an
authentication protocol.

 

3. Unique User ID: The sole identifier of a user, usually a user name.

 

4. Privilege Access: Access of an administrator or super user.

 



 

 




 

 

5. Remote Access: The ability to access a computer or a network from a remote
location.

 

V. Responsibilities:

 

1. All employees of TSM and its subsidiaries, temporary workers, contractors,
business partners and third party vendors, without exception, must comply with
the information security policies.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. General Requirements

 

a) TSM shall define a formal procedure to manage the user access provisioning
and de-provisioning processes. The procedure must be designed to prevent
unauthorized access to the IT assets and systems used by the organization.
[Core-15(a) & Core-15(b)]

 

b) Division managers must assign Application Owners for each business
application. If the application has multiple modules, specific Application
Owners can be assigned to each module. [Core-15(a) & Core-15(b)]

 

c) Access rights shall be reviewed by management based on the process and
schedule defined by the Information Security Group. At a minimum, managers and
supervisors shall review and certify their employees’ user accesses on an annual
basis. [Core-15(a) & Core-15(b)]

 

d) Completing the user access review and certification process is an essential
component to ensure compliance with the HIPAA minimum use requirement.
[Core-15(a) & Core-15(b)]

 



 

 

 




 



e) Display the approved proper system use notification message or banner before
providing access to TSM systems. The notification must provide the required
privacy and security notices consistent with key industry regulations and
standards such as HIPAA and HiTrust. [Core-15(a) & Core-15(b)]

 

f) Logical and physical access to information and application systems and
functions by users and support personnel shall be restricted in accordance with
their job functions and responsibilities. [Core-15(a) & Core-15(b)]

 

2. Access Request (User Access Provisioning)

 

a) Users shall obtain formal approval for the use of TSM information assets and
applications by completing the official TSM access request form or submitting an
approved request via email. [Core-15(a) & Core-15(b)]

 

b) Access to TSM information systems shall be authorized by the requester’s
manager or supervisor before the user is allowed to log in to TSM systems.
[Core-15(a) & Core-15(b)]

 

c) Authorized logical access requests must be based on the employee job
functions and scope of responsibility. [Core-15(a) & Core-15(b)]

 

d) All user access authorizations shall be granted following the minimum access
necessary concept in order to allow the users to perform their job functions
with the minimum necessary accesses. [Core-15(a) & Core-15(b)]

 

e) All physical access to TSM buildings and offices shall be processed by the
Corporate Security Group. Users shall obtain formal approval by TSM management
before physical access is granted. For further information, refer to the
Corporate Policy Manual, Policy of ID Cards and Access. [Core-15(a) &
Core-15(b)]

 

3. User Account Administration

 

a) The user account management process, as well as privileged access
authorizations shall be restricted and controlled through a formal documented
process via the use of the User Access Request Form or by submitting an approved
email. [Core-15(a) & Core-15(b)]

 

b) The business managers or the Application Owners are responsible for
conducting the user access review and certification process on an annual basis.
Following this process is required to ensure that granted logical accesses
correspond with the employee’s job function and duties and remain restricted to
authorized personnel only. [Core-15(a) & Core-15(b)]

 



 

 






 

Completing the user access review and certification process is an essential
component to ensure compliance with the HIPAA minimum use requirement.
[Core-15(a) & Core-15(b)]

 

c) Unnecessary accounts shall be removed, disabled or otherwise secured.
[Core-15(a) & Core-15(b)]

 

d) Ensure that default accounts that are not required are removed or disabled.
[Core-15(a) & Core-15(b)]

 

e) Ensure that default application or system accounts that are required are
protected with a strong password compliant with the TSM password rules.
[Core-15(a) & Core-15(b)]

 

4. Termination (User Access De-Provisioning)

 

The Division of Human Resources will maintain an updated list of active
employees and temporary personnel. [Core-15(a) & Core-15(b)]

 

a) All terminations of regular and temporary employees shall be immediately
notified to the Human Resources department. [Core-15(a) & Core-15(b)]

 

b) The SAP system will provide the ISG with an automated notification of all
regular and temporary employee terminations. [Core-15(a) & Core-15(b)]

 

c) The ISG will terminate the access to the LAN based on the requested
effective date of the termination. [Core-15(a) & Core-15(b)]

d) The ISG will terminate the access to other applications within a period of 5
working days. [Core-15(a) & Core-15(b)]

 

e) The ISG will remove or disable Active Directory accounts that have been
inactive for a period of sixty (45) days or more. [Core-15(a) & Core-15(b)]

 

f) All terminations of contractor and/or the service provider employees shall be
immediately notified to the ISG. [Core-15(a) & Core-15(b)]

 

g) The ISG will terminate the access to the LAN by the contractor and/or the
service provider on the requested effective date of the termination. [Core-15(a)
& Core-15(b)]

h) The ISG will terminate the access to other applications used by the
contractor and/or the service provider within a period of 5 working days.
[Core-15(a) & Core-15(b)]

 



 

 






 

i) A user whose employment or contractual relationship with TSM ends shall not
by any means attempt to access the networks and information systems of TSM.
[Core-15(a) & Core-15(b)]

 

5. Transfers

 

a) Transfer of employees between departments, companies or affiliates will be
processed by the Information Security Group as a termination. [Core-15(a) &
Core-15(b)]

 

b) It is the responsibility of the new Manager or Supervisor to complete the
User Access Request Form with the required new accesses based on the employee
job function. User accesses can also be requested via email. [Core-15(a) &
Core-15(b)]

 

6. Database User Accesses

 

a) Only authorized personnel shall have administrator access to the
administrative functions of TSM databases. [Core-15(a) & Core-15(b)]

 

b) Users shall not have direct access to TSM databases. [Core-15(a) &
Core-15(b)]

 

7. Emergency User Accesses

 

The following conditions will be defined and considered as emergency situations:
[Core-15(a) & Core-15(b)]

 

o Disaster condition;



o Application, system or database problem which results in system downtime or
very poor performance;



o Application, system or database problem that cannot be replicated in the test
environment and is causing significant operational problems.

 

a) The request for emergency access must be generated by a manager or higher
level of the area where the need arises. [Core-15(a) & Core-15(b)]

 

b) The justification for the emergency access shall be documented in the Serena
Business Manager ticketing system. The justification must include the approval
of the division Vice-President (VP) or the affiliate director and the estimated
date until which the access will be required. If for some reason the form cannot
be completed in time, a notification must be sent by e-mail to the Information
Security Group (ISG) and the form must be completed the next business day.
[Core-15(a) & Core-15(b)]

 

c) The ISG unit will evaluate any emergency access request and shall determine
its approval. [Core-15(a) & Core-15(b)]

 



 

 






 

d) In emergency cases or outside working hours, it is the responsibility of the
requesting manager to notify the administration and/or data center Information
Security Group personnel. [Core-15(a) & Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, 1

 

 

 




 

Policy No.: ISP#25 Page 113 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Information Security Risk Analysis

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

The purpose of this Policy is to define requirements and establish the
appropriate actions and priorities for developing and implementing TSM’s
information security risk analysis process; managing information security and
business continuity risks; and implementing controls to protect against
identified risks.

 

II. Scope:

 

This Policy applies to TSM and workforce members who are authorized to access
information systems maintained by TSM and the ePHI that is processed, stored,
and transmitted on such systems. This Policy forms part of the conditions of
employment or contracting with TSM, as applicable, of all workforce members at
all levels. For purposes of this policy, “workforce members” shall include TSM’s
employees, volunteers, trainees, contractors, agents, interns, temporary staff,
and other persons whose conduct, in the performance of work for TSM, is under
the direct control of TSM, whether or not they are paid by TSM.

 

III. Policy:

 

This policy helps the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

Triple-S Management Corporation, on behalf of itself and its direct and indirect
affiliates and subsidiaries (collectively referred to herein as “TSM”), has
adopted this Information Security Risk Analysis Policy (“Policy”) to protect the
confidentiality, integrity, and availability of the electronic protected health
information (“ePHI,” as defined in 45 C.F.R. § 160.103) that it processes,
stores and transmits, and to protect the information systems on which such ePHI
is processed, stored and transmitted. This Policy aids TSM in preventing,
detecting, containing, and correcting threats and vulnerabilities to ePHI and
the information systems on which it is processed, stored and transmitted, and
meeting its obligations with regard to information security.

 

The risk analysis process described in this Policy is a key requirement to
comply with HIPAA, HiTrust and ISO 27001 security requirements.

 

TSM shall conduct an enterprise-wide assessment of risk, including the
likelihood and magnitude of harm, from the unauthorized access, use, disclosure,
disruption, modification, or destruction of its information systems and the ePHI
that such systems process, store, or transmit.

 

IV. Definitions:

 

N/A

 



 

 






 

V. Responsibilities:

 

1. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

The following practices help the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

1. In order to conduct a thorough enterprise-wide risk analysis, TSM shall
include each of the following elements in its risk analysis process:

 

a) Data Collection: Identify where the ePHI is stored, received, maintained or
transmitted.

 

b) Identify and Document Potential Threats and Vulnerabilities: Identify and
document reasonably anticipated threats to ePHI.

 

c) Assess Current Security Measures: Assess and document the security measures
TSM implemented, maintained and managed to safeguard ePHI. This assessment shall
include security measures required by the HIPAA Security Rule and whether the
existing security measures are configured, used and maintained properly.

 

d) Determine the Likelihood of Threat Occurrence: Determine the probability of
potential risk to ePHI. Document all reasonably anticipated combinations of
threats and vulnerabilities with associated likelihood estimates that may impact
the confidentiality, availability and integrity of ePHI.

 



 

 




 

e) Determine the Potential Impact of Threat Occurrence: Determine the impact of
potential risk to ePHI. Document all reasonably anticipated potential impacts
associated with the occurrence of threats triggering or exploiting
vulnerabilities.

 

f) Determine the Level of Risk: Assign risk levels for all threat and
vulnerability combinations identified during the risk analysis.

 

g) Finalize Documentation: Document the risk analysis and maintain such
documentation for future reference.

 

h) Periodic Review and Updates to the Risk Analysis: Conduct continuous
information security risk analyses to identify when updates are needed. To
ensure that the risk analysis process is integrated into the risk management
process, the information security risk analysis shall be conducted or reviewed
as new technologies and business operations are planned and as existing
technologies and business operations change. Below is a non-exclusive list of
events when a risk analysis shall be conducted or reviewed:

 

o Security incident is experienced;



o Change of ownership occurs;



o Turnover in key staff or management; and



o Plans to incorporate new technology.

 

In the absence of any of the events listed above, TSM shall conduct or review a
risk analysis at least annually.

 

i) Monitoring of Risk Mitigation Plan: Establish a process to monitor the status
of the risk mitigation plan, which shall occur at least quarterly.

 

j) Reporting to Board: Provide an executive level presentation, including the
key areas of risks and the status of the defined risk mitigation plan, to the
Board of Directors at least annually.

 

This Policy shall be supported by additional policies, standards, guidelines,
procedures, and processes.

 





 

 






 

VII. Attachments:

 

ATTACHMENT I - Information Security Risk Analysis Procedure [Core-15(a)]

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 






 

Policy No.: ISP#26 Page 117 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Business Continuity Management

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

Triple-S Management Corporation (TSM) is committed to its customers, employees,
stakeholders and suppliers. To ensure the effective safety of people and the
availability of essential products and services, TSM establishes this Business
Continuity Management Policy in support of a comprehensive program for emergency
response, business continuity, disaster recovery and business recovery.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the Business
Continuity Management Policy to provide management with direction and support
for the implementation of a Business Continuity Program (BCP) in accordance with
the organization’s business requirements and applicable laws and regulations.
TSM recognizes that information is an important asset and that it is important
to protect the confidentiality of the information being managed, maintain its
integrity and ensure its availability.

 

This policy provides the requirements for planning, implementation, activation
and governance processes to counteract interruptions to business activities and
to protect critical business functions from the effects of major failures of
information systems or disasters and to ensure their timely resumption.

 

TSM shall establish a Business Continuity Management Program (BCMP) that will
define the minimum requirements for the organization to address the continuity
of mission critical operations. Additionally, TSM shall assign resources with
specific roles and responsibilities to develop, implement and oversee the
business continuity plans in compliance with the business continuity management
program.

 

IV. Definitions:

 

1. Business Continuity (BC) Planning: An organization’s risk management strategy
for threats that may terminate or significantly disrupt core business. It
involves mitigation activities and contingency planning for response and
recovery actions. (Note: BC planning necessarily embraces disaster recovery and
emergency management planning.)

 

2. Business Continuity (BC) Program: An ongoing funded process that is supported
by senior management, comprising all BC planning, plans, arrangements, practices
and processes with which to achieve required BC outcomes in compliance with BC
aims and agreed expectations.

 

3. Business Continuity Management (BCM): The development, implementation and
maintenance of strategies, plans, resources and actions to ensure the continued
achievement of critical objectives in the event of a significant, untoward,
crisis event.

 

4. Crisis: An untoward event that potentially or actually results in disruption
to day-to-day functioning of a part or the whole of an organization, sufficient
to require management to divert a portion of their attention, time, energy and
resources away from business-as-usual activities. (Note: for BC purposes, the
term ‘crisis’ is used generically to refer to a significant,
crisis/emergency/disaster event).

 

5. Event: The occurrence of a particular set of circumstances that creates an
actual or potential emergency or disaster or other crisis situation.

 

6. Risk: The chance of something happening that will have an impact upon
objectives.

 

V. Responsibilities:

 

1. Business Continuity Management (BCM) is a strategic, tactical and operational
issue. It is a shared responsibility of TSM, including management and employees
from all business units throughout the organization. In order to implement the
Business Continuity Management Program (BCMP), TSM has defined the Contingency
Management Team (CMT), which is responsible for executing the Crisis Management
process for TSM by responding in a timely manner to emergencies or events which
threaten the business continuity of the company and by communicating effectively
with employees, customers, and the media if necessary through various
communications devices and methods.

 

2. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

3. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

4. Exceptions

 



 

 




 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

5. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. Business Continuity Management Program

 

a) The Business Continuity Management Program (BCMP) involves the minimum
requirements to develop and implement the Business Continuity (BC) plans. The
program shall include, at a minimum, documenting processes such as:

 

b) Governance, which specifies formal roles and responsibilities, resource
assignment and budget planning.

 

c) Risk Assessment & Business Impact Analysis, which evaluates potential
threats (natural, technical or human) that may impact TSM’s assets and prevent
it from achieving its business and operational goals, and the actions needed to
prevent or minimize the effects of potential loss.

 

d) Emergency Response, which establishes the immediate reaction and response to
an emergency situation focusing on ensuring life safety and reducing the
severity of the incident.

 

e) Crisis Management, which establishes the overall coordination of TSM’s
response to crisis in an effective, timely manner with the goal of avoiding or
minimizing damage to TSM, profitability, reputation and ability to operate until
specific business continuity plans are activated.

 

f) Business Continuity / Disaster Recovery, which defines the process of
developing and documenting procedures that enable TSM to respond to an event
that lasts for an extended period of time and return to performing its critical
functions after an interruption.

 

g) Communications, which establishes the communication process with employees,
government, customers and all affected shareholders.

 

h) Awareness and Training, which creates and maintains awareness and training to
enhance the skills required to develop and implement the business continuity
management processes.

 



 

 






 

i) Exercise, Evaluation and Corrective Actions, which are performed for the
purpose of training team members and validating the business continuity plans.
The plans shall be tested every two years, or yearly if requested by the Chief
Information Officer or the Chief Technology Officer, in order to ensure that the
plan is still effective. Exercise results identify plan gaps and limitations and
are used to improve the business continuity plans.

 

j) Coordination with Third Parties, which establishes the coordination of
activities and the integration of resources with third parties with the
objective of managing a disrupting event or an exercise.

 

k) Audit and Compliance, which establishes applicable procedures to be aligned
with laws and regulatory requirements.

 

l) Budgeting: annual budgeting for adequate levels of initial development and
on-going maintenance of BC planning is the responsibility of TSM Senior
Management.

 

m) Program Maintenance, which establishes the management process of keeping
TSM’s Business Continuity Management Program up-to-date and aligned with the
corporate Business Continuity strategies.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#27
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Patch and Vulnerability Management Policy

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

 

I. Purpose:

 

In today’s dynamic and heterogeneous networks, desktops, servers and
communication equipment are prone to software/hardware development errors.
Operating systems and software applications are more affected than other types
of equipment. This creates a fertile environment for malware to compromise
systems and networks containing critical systems. To mitigate these potential
threats, Grupo Triple S has established a policy to identify vulnerabilities and
mitigate them in a timely fashion.

 

II. Scope:

 

This policy applies to all computers, servers and communication systems of Grupo
Triple S found in all subsidiaries of the corporation without exception. It
applies to all operating system brands and versions. It applies to all licensed
and open-source applications.

 

III. Policy:

 

It is the policy of Grupo Triple S to identify and mitigate in a reasonably
timely fashion all the application and operating system vulnerabilities
identified by Vendor and National Vulnerabilities databases applicable to the
corporate inventory of computers, servers and communication equipment.

 

This policy complies with the Patch and Vulnerability Management recommendations
found in NIST Special Publication 800-40 version 2.

 

IV. Definitions:

 

1. PVG – Policy and Vulnerability Group

 

2. NVD – National Vulnerability Database

 

3. Vdb – Vulnerability Database

 

4. CAB – Change Advisory Board

 

V. Responsibilities:

 

1. It is the responsibility of the Information Security Group of Triserve to
carry out this policy. It is the responsibility of the Infrastructure Group of
Triserve to assist in this process by providing accurate equipment inventory. It
is the responsibility of the Change Advisory Board to meet monthly to discuss,
approve or deny the implementation of vulnerability mitigation techniques. It
is the responsibility of business application owners to accept risks when threat
mitigation is not an option as it could adversely affect daily corporate
operations.

 



 

 




 

2. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

3. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. The Infrastructure Management Supervisor and/or its designators must use an
automatic tool to create and maintain a Corporate IT Asset Inventory of
computers, servers and communications equipment used by the organization. The
Microsoft Active Directory is a suitable tool to create and maintain such
inventory database.

 

2. The Information Security Group and/or its designators must use an automatic
tool to perform a monthly IT asset scan and provide the differences between the
IT asset scan results and the Corporate IT Asset Inventory to the Infrastructure
Management Supervisor and/or its designators for processing.

 

3. The Information Security Group and/or its designators must use an automatic
tool to create and maintain a Corporate Vulnerability Database. This database
must include an up to date list of vulnerabilities from vendor specific sites
and national vulnerability databases.

 

4. On a monthly basis, the Information Security Group and/or its designators
must use an automatic tool to identify vulnerabilities applicable to the
corporate IT asset inventory.

 

5. The Information Security Group will identify CRITICAL and IMPORTANT security
patches for deployment.

 

6. The TriServe software architecture supervisor and the TriServe data center
operation team must review the list of recommended patches for deployment and
provide approval, full or partial, of the recommended patches prior to
deployment. If partial, a valid justification must be provided. Possible reasons
for not installing a patch include:

 

a) Application is not compatible with the recommended patch.

 

b) Operating System (OS) is not compatible with the recommended patch.

 

7. The Information Security Group and/or its designators must use an automatic
tool to apply corresponding patches to the following environments in the
specific time windows as follows:

 

a) Test Environment: Any given time window

 



 

 






 

b) Development Environment: Any day from 8PM to 6AM.

 

c) Quality Assurance Environment: From 8PM to 6AM Tuesdays and Wednesdays.

 

d) Production Core Systems (PROD-CORE): From 1:00 AM to 6:00 AM 2nd and 3rd
Sunday of the month.

 

e) Production Non-Core Systems (PROD-NON CORE): From 10:00 PM to 5:00 AM on
Fridays.

 

8. After receiving approval for the installation of the recommended patches, the
Information Security Group will coordinate the installation process based upon
the agreed deployment schedule.

 

9. If patches are not available, the Information Security Group and/or its
designators must identify and apply applicable alternate mitigation techniques
to the following environments in the specific time windows as follows:

 

a) Test Environment: Any given time window

 

b) Development Environment: Any day from 8PM to 6AM.

 

c) Quality Assurance Environment: From 8PM to 6AM Tuesdays and Wednesdays.

 

d) Production Core Systems (PROD-CORE): From 1:00 AM to 6:00 AM 2nd and 3rd
Sunday of the month.

 

e) Production Non-Core Systems (PROD-NON CORE): From 10:00 PM to 5:00 AM on
Fridays.

 

10. If alternate mitigation techniques are not available or recommended for a
vulnerability or set of vulnerabilities, the Information Security Group and/or
its designators must identify the application business owner and request the
business owner to fill out a risk acceptance form. The business owner must fill
out a risk acceptance form that must include a remediation plan with
implementation dates.

 

11. If the business owner cannot or will not accept the risk, the Information
Security Group and/or its designators must prepare a removal procedure for the
affected software, system or hardware.

 

12. After approval from CAB, the Information Security Group and/or its
designators must use an automatic tool to apply corresponding patches or
implement alternate configuration adjustment techniques to:

 



 

 






 

a) Quality Assurance Environment: From 8PM to 6AM Tuesdays and Wednesdays.

 

b) Production Core Systems (PROD-CORE): From 1:00 AM to 6:00 AM 2nd and 3rd
Sunday of the month.

 

c) Production Non-Core Systems (PROD-NON CORE): From 10:00 PM to 5:00 AM on
Fridays.

 

VII. Attachments:

 

ATTACHMENT I - Information Security Patch and Vulnerability Management Procedure

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      



 



 

 



 

 

 



 



 

 

 

 

 



Schedule J10

 




 

 



IT Controls Questionnaire



  

Instructions: This is an assessment of the Triple-S Management Group (TSM)
business partner’s compliance level with the TSM Information Security & Control
Policies. This is a requirement to establish a business relationship between the
business partner and a TSM operating company. The TSM corporate policies, as
well as industry-based regulations, provide a broad set of security
requirements that must be met for adequate management of TSM business
information. Business partners of TSM are required to meet the policies and
regulations for information that they may have access to or manage for TSM,
depending upon the nature of the work that they are doing for TSM and the
sensitivity of the information.  This questionnaire is intended to help the TSM
operating company determine whether the business partner’s security practices
and controls are acceptable relative to the organization policies and
requirements.

An independent validation of the answers may be conducted through an on-site
visit and review at the discretion of the TSM operating company. The answers and
validation will be used to formulate an overall position, which will then help
determine whether the TSM operating company wishes to engage in a contract with
the business partner and, if so, how security requirements should be captured in
such a contract to ensure compliance with the TSM security controls. In the
event that the business partner’s security policies and procedures do not
sufficiently meet the requirements set forth by the TSM operating company, TSM may
request satisfactory remediation or termination of the business relationship. If
a contractual relationship currently exists between the business partner and the
TST operating company, collaboration on an acceptable resolution for any
identified issues will be required.

Consider all answers from the perspective of the facilities, personnel, systems,
applications, and networks with access, or potential access, to TSM systems or
information. Different questionnaires must be completed for each physical
location involved in the relationship that will have access, or potential
access, to TSM classified information assets. TSM classified information is all
NON-PUBLIC information.  All questions are in YES / NO format to allow for easy
completion and evaluation, but a few questions request additional information.

In the event of a NO answer, response sections (comments) are provided for the
business partner to elaborate on alternative controls or to provide
clarification. These responses will be considered when evaluating the completed
questionnaire to determine whether an answer is acceptable. If a question is not
applicable, please mark the answer NO and explain in the comments section why
the question is not applicable.

 

 





 






IT Security Risk Assessment

General Information

 





Company Information:
Company Name:
Address:
Name of representative:
Representative title:
Services to be rendered:
Email:
Phone:
website:

Name of who responded to this questionnaire (must be IT related personnel):
Name:
Position or Title:
Email:
Phone:

Application Information (If this does not apply, please leave a comment below and continue):
Application Name:
Description or purpose:
Name of representative:
Does this application manage Protected Health Information (PHI), Personal Identifiable Information (PII) or other confidential information such as financial records? (Indicate volume of records, exchange methods and frequency)
website:

Subcontractors Information in this engagement context (If this does not apply, please leave a comment below):
Subcontractor Name:
Address:
Name of representative:
Representative title:
Email:
Phone:
website:
Services Description:



 

 





 








Questionnaire Analysis

Columns: Question; All Questions; Service Provider Answer (Yes, No, 0=Not Applicable); Service Provider Notes

Q1 Does your company have a dedicated information security staff?

Q2 Does your company have a documented information security training and awareness program?

Q3 Do all PCs have properly configured and enabled commercial anti-malware software installed and running at all times? If yes, please specify the product used in the “Comment” section below.

Q4 Are anti-malware signature files installed no later than 72 hours after release by the vendor?

Q5 Are all personnel involved in processing customer (i.e., TST) information appropriately trained for the handling of that information?

Q6 Are all personnel required to complete annual information security training?

Q7 Is there a background check process in place for new hiring personnel?

Q8 Does your company have defined policies or procedures to ensure the proper control and protection of customer classified information when held in storage, transmitted electronically, or transferred via physical means?

Q9 Is all sensitive information (i.e. PKI) encrypted over a public network, such as the Internet?

Q10 Are all paper documents containing customer classified information filed and locked away when not in use?

Q11 Are paper and film-based media containing customer classified information destroyed using secured destruction devices or processes?

Q12 Is the use of non-Company approved Instant Messaging and File-Sharing software outside of your Intranet prohibited?

Q13 Do your policies require segregation of duties (i.e., account authorization rights and application/transaction capabilities must not be granted to the same individual)?

Q14 Are access control lists reviewed at least annually?

Q15 Is there a process in place to authorize user accounts?

Q16 Are user accounts disabled upon termination of employment or upon termination of a business relationship?

Q17 Does your company have a password policy?

Q18 Are all systems configured to ensure password length/complexity rule combinations: 1) passwords with a minimum length of 8 characters that contain characters from at least 3 complexity classes such as upper/lower case, numerals, special characters...

Q19 Are user passwords required to be changed at least every 90 days?

Q20 Is the user required by policy to change a temporary or initial password after first use?

Q21 Are default system passwords or PINs immediately changed during or immediately after the installation process?

 

 





 




 



Q22 Are user IDs delivered via a separate medium or at a separate time from the password?

Q23 Does your password delivery process require confirmation of the recipient’s identity before delivery?

Q24 Is all external access to your company network through an access control system (i.e., Firewall)? If yes, please specify the product used in the “Comment” section below.

Q25 Do the firewalls deny all inbound and outbound traffic that doesn’t have a documented business purpose?

Q26 Is an intrusion detection system enabled?

Q27 Do all firewalls log traffic and suspicious activity?

Q28 If remote sessions on the firewall are permitted, are logs of the time, date, duration, and user IDs recorded?

Q29 Is there a policy in place to ensure mobile devices are configured to protect customer information stored, processed or transmitted by those devices?

Q30 Is there the capability to encrypt customer data on the mobile device?

Q31 Is there the capability to remotely wipe the TST information stored on the mobile device?

Q32 After 60 days of non-use, are Mobile Devices wiped and their users’ access revoked?

Q33 Does your company have a policy that dictates cryptographic standards for the protection of information?

Q34 If so, does your policy meet the following cryptographic standards for encryption (symmetric AES, 3DES with at least 128 bits, asymmetric – RSA with at least 2048 bits)?

Q35 Are all sensitive file transmissions (i.e. PHI) encrypted?

Q36 Are all backups containing sensitive information (i.e. PHI) encrypted?

Q37 Is there a security monitoring and reporting process in place?

Q38 Does the process define the time frame for addressing security events?

Q39 Is there a process to notify customers when their systems are affected by an incident?

Q40 Does your company utilize intrusion detection technology?

Q41 Are intrusion detection mechanisms deployed at all external business partner connection points?

Q42 Do critical intrusion detection events generate an alarm?

Q43 Are your policies consistent with government laws, regulations, and directives such as: HIPAA, GLBA, SOX, PCI, etc…?

Q44 Does your company have a documented information systems business continuity and disaster recovery plan?

Q45 Is the Continuity of Business and Disaster Recovery Plan reviewed and exercised at least once a year?

Q46 Does your company have a physical security policy that establishes requirements for ensuring the physical protection of information assets?

Q47 Are physical access rights revoked immediately after an employee or contractor is terminated?

Q48 Are entrances and exits monitored to prevent unauthorized removal of customer or company property?

 

 





 




 



Q49 Does the policy require users to be individually identified and authenticated prior to being permitted access to any company networking and computing resources?

Q50 Is there a process to authorize remote and wireless access points in your network?

Q51 Are remote access sessions to your network logged?

Q52 Is strong encryption (using the 3DES or AES algorithm with at least a 128 bit key) enforced at the remote and wireless entry points?

Q53 Does your company have a System Administration and Management Security Policy (or policies)?

Q54 Does your company have an up-to-date inventory of all your hardware and software assets?

Q55 Does your company have a documented configuration management process?

Q56 Do standard configurations exist for laptops/desktops and servers?

Q57 Is there a process in place to periodically scan infrastructure assets for vulnerabilities? If yes, please specify frequency of scans in Comments below.

Q58 Is there a process in place to ensure the timely installation of security patches?

Q59 Do you have a procedure to apply security patches immediately in the event there is an immediate threat or major vulnerability?

Q60 Are computing devices configured to lock (or disable) user accounts after 5 invalid attempts within 15 minutes (or less)?

Q61 Are computing devices configured to lock user interfaces after 15 minutes (or less) of inactivity?

Q62 Does your company have documented policies and procedures for data backup?

Q63 Do backups include system data and application/business data?

Q64 Are backups geographically separated from the original sources?

Q65 Are logs protected against changing, overwriting, or deletion?

Q66 Do devices with logging enabled have access to sufficient mass storage to maintain logs for 90 days?

Q67 Does the company maintain a Cyber Insurance Policy?

Q68 Does the company have a SOC 1 Type II report for the service being offered?

Q69 Does the company have a SOC 2 Type II report for the service being offered?

Q70 Is the company ISO 27001 certified?

Q71 Is the company HiTrust certified?

Q72 Are the services being proposed to be provided from a USA location?

Q73 Will the data be hosted in the USA?



 

 





 




Security Checklist for Acquired Systems: Please indicate if the application
proposed meets the following security requirements. If the requirement is not
met, please explain in detail what mitigation controls you have in place. If the
requirement is not applicable, please explain why. If an application will not be
offered as part of this engagement, please explain and do not answer this
worksheet.

 





Columns: APPLICATION QUESTIONS; YES/NO; Explain if not in compliance or if it is not applicable

AREA 1 - AUTHENTICATION AND PASSWORD MANAGEMENT

1. Password length with minimum of 8 characters

2. Maximum password age of 30 days

3. Passwords require a combination of characters (at least one of the following characters: lowercase alphabetic, uppercase alphabetic, numeric, and special characters)

4. Account lockout threshold (locked after 3 invalid logon attempts)

5. Reset user’s session after 30 minutes of inactivity.

6. Temporary password should be changed automatically at first log-in.

7. Prevent re-use of passwords (previous 15 passwords cannot be reused).

8. Require user to re-authenticate prior to performing critical transactions.

AREA 2 - ACCESS CONTROLS

9. Application must be able to generate user’s access report upon request (other attributes: with header, title of report, timestamp, user id, description, role, status, etc.)

10. Restrict access to security-relevant configuration privileges to only authorized users.

11. Implement ability of disabling desired user accounts upon request.

12. Disable user’s accounts after 90 days of inactivity

13. Implement two-factor authentication for power users, master users, and sensitive accounts.

14. Restrict access to files or other resources, including those outside the application's direct control, to only authorized users.

AREA 3 - ACCOUNTABILITY AND REPORTING

15. System and user’s account auditing functions.

16. Restrict access to logs to only authorized individuals

17. Audit logs cannot be altered

18. Protection of sensitive information (such as PHI, social security, financial information) displayed in reports to authorized personnel only.

19. Log all administrative functions, including changes to the security configuration settings.

 





 


 



AREA 4 - SYSTEM CONFIGURATION

20. Avoid the use of “root” account (at different level such as DB, App, O/S, tools…)

21. Remove test code or any functionality not intended for production, prior to deployment

22. Remove unnecessary information from HTTP response headers related to the OS, web-server version and application frameworks

23. The security configuration store for the application should be able to be output in human readable form to support auditing

24. Isolate development environments from the production network and provide access only to authorized development and test groups.

AREA 5 - DATABASE SECURITY

25. The application should use the lowest possible level of privilege when accessing the database

26. Remove or change all default database administrative passwords

27. The application should connect to the database with different credentials for every trust distinction (e.g., user, read-only user, guest, administrators)

AREA 6 - FILE MANAGEMENT

28. Require authentication before allowing a file to be uploaded

29. Prevent or restrict the uploading of any file that may be interpreted by the web server

30. Ensure application files and resources are read-only

31. Scan user uploaded files for viruses and malware



 



 

 



Schedule K

 




 

 

 

 

 

 



SCHEDULE K

 

REPORTS

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 



 



1. Introduction

 

(a) Introduction. In compliance with Section 18.2 of the General Terms and
Conditions, this Schedule K defines the Parties’ approach to reporting including
(i) defining the operational reporting framework, and (ii) specifically
identifying certain operational reports to be produced and provided by Supplier
as part of the Services.

 

(b) Defined Terms.

 

(i) “Management Report” means reporting by Supplier to Triple-S management, with
respect to the Functions outsourced to Supplier, in order to provide Triple-S
visibility into the relevant aspects of Triple-S’ business and the Services.

 

(ii) “Governance Reports” means any reporting required to support contract
Governance, the Governance Plan, or as otherwise required by Schedule F
(Governance).

 

(iii) “Operational Report” means a written summary or detail of operations which
is produced as part of or as an output to the Services.

 

(iv) “Regulatory Report” means any reporting required by Regulators or
applicable Laws or reporting required due to changes in Law.

 

(v) “Reports” means collectively Governance Reports, Management Reports,
Operational Reports, and Regulatory Reports.

 

Any capitalized terms used but not otherwise defined in this Schedule K
(Reports) will have the meaning provided in the Schedule AA (Glossary) or
elsewhere in the Agreement.

 

2. REPORTING FRAMEWORK

 

2.1 Supplier Reporting Commitment.

 

Supplier shall provide at no additional charge to Triple-S the following
Reports:

 

(a) Each Report generated by Triple-S for the Services in the twelve (12) months
prior to the Service Commencement Date (“Existing Reports”), unless and until
Triple-S confirms in writing that such Report is no longer required;

 

(b) Regulatory Reports including Reports reasonably necessary to prepare for and
respond to a regulatory audit or inquiry;

 

(c) Governance Reports;

 








 

(d) Management Reports that Triple-S reasonably requires as part of its
management and oversight of the Services and Supplier;

 

(e) Reports set forth in Sections 7 through 9 of this Schedule K; and

 

(f) Any new versions of Reports developed during implementation of new Triple-S
Systems to ensure continuity of accurate Reporting.

 

2.2 New Report Requests or Modifications to Existing Reports.

 

All requests by Triple-S for: (i) new Reports, or (ii) modifications to Reports
shall be Changes that will be subject to the Change Control Process.

 

2.3 Access to Data for Triple-S Reporting Purposes.

 

As of the Service Commencement Date, Triple-S will continue to have the same
access as Triple-S had as of the Effective Date to all transactional data for
the Services.

 

3. FREQUENCY OF REPORTS

 

Supplier shall provide the Reports at the current frequency as of the Services
Commencement Date for all Existing Reports.

 

(a) If a Report is identified with a frequency of “Weekly”, Supplier shall
provide such Report by the close of business Tuesday on the following week. In
the event that a holiday occurs on either Monday or Tuesday, delivery shall be
by close of business Wednesday of the following week.

 

(b) If a Report is identified with a frequency of “Monthly”, such Report shall
be provided at the same time as all other monthly Reports and no later than the
tenth (10th) day of the following month (or the first Business Day after the
tenth (10th) day if the tenth (10th) day is not a Business Day).

 

(c) If a Report is identified with a frequency of “Quarterly”, such Report shall
be provided by the tenth (10th) day of the following quarter (or the first
Business Day after the tenth (10th) day if the tenth (10th) day is not a
Business Day).

 

(d) If a Report is identified with a frequency of “Semi-Annually”, such Report
shall be provided by the tenth (10th) day of the following semi-annual period
(or the first Business Day after the tenth (10th) day if the tenth (10th) day is
not a Business Day).

 

4. REPORT DELIVERY

 

All Reports shall be available on a SharePoint site or using the reporting
solution described in Section 5 below.

 








 

 

5. REPORTING SOLUTION

 

Supplier will develop and deliver to Triple-S a reporting solution as set forth
below (“Reporting Solution”). Supplier will use Planview to post reports and/or
links to reports. Triple-S will have its own client instance in Planview and
will be able to use the Planview collaboration portal, where reports and
reporting links will be made available to Triple-S. Triple-S will identify the
users that will be authorized to access Planview and Supplier will work with
Triple-S to provide and manage such access as needed for Triple-S to access
reports through Planview.

 

6. REPORTING ACTIVITIES DURING TRANSITION

 

The Parties agree that within ninety (90) days of the Effective Date, they will
catalog the existing Reports that are in scope pursuant to Section 2.1(a)
above.

 

7. ACCOUNT LEVEL REPORTS

 

Supplier shall provide Triple-S the following account-level reports:

 

7.1 Strategic Relationship Reports

 

7.1.1 Strategic Review Report

Frequency: Semi-Annually

Report Description: Supplier shall provide an overall enterprise level report
highlighting the following:

(a) Relationship Review

(i) Results accomplished against Triple-S business goals

(ii) Benefits delivered

(iii) Directional alignment

(b) Strategic initiatives for next half year

(i) From both Triple-S and Supplier

(ii) Partnership opportunities

(iii) Priorities

(c) Status update on key initiatives and action items from last Strategic
Review Report

(d) Customer satisfaction

7.1.2 Quarterly Business Review Report

Frequency: Quarterly

Report Description: Supplier shall provide an overall enterprise report
encompassing all Services delivered to Triple-S to include a quarterly view on
the following, as appropriate:

(a) Key enterprise Service delivery highlights and failures

(b) Operational metrics

(c) Productivity metrics

(d) Escalations review

(e) Key learning and focus areas

(f) Process improvement initiatives

(g) Key activities planned for the next period

 












 

7.2 Commercial Contract Reports

 

7.2.1 Change Notice Log

Frequency: Upon request

Report Description: Supplier shall provide a report specifying the status of all
pending Change Notices.

(a) Control number and dates associated with each Change Notice (e.g., request
date, beginning of implementation, expected completion);

(b) Name of the Party requesting the Change;

(c) Brief description of the Change Notice; and

(d) Current status of the Change Notice.

The status of the Change Notice shall be categorized as one of the following
stages:

(a) “Open” (i.e., the Change Notice has been created and registered);

(b) “In Review” (i.e., the Change Notice has been created and is being
reviewed by Triple-S pending approval to proceed);

(c) “Approved” (i.e., the Change Notice has been approved by both Parties and
is awaiting implementation);

(d) “On Hold” (i.e., the Parties wish to suspend implementation of the Change
but anticipate that the Change will be implemented at a later date);

(e) “Completed” (i.e., all implementation tasks have been completed and the
Change has been implemented); or

(f) “Closed” (i.e., completed and not implemented).

 

7.3 Supplier Services Reports

 

7.3.1 Monthly Business Review Report

Frequency: Monthly

Report Description: Supplier shall provide a report of the Supplier Services
highlights during the previous month including:

(a) Key enterprise Service delivery highlights and failures

(b) Operational metrics

(c) Productivity metrics

(d) Escalations review

(e) Key learning and focus areas

(f) Process improvement initiatives

(g) Key activities planned for the next period

7.3.2 Implementation Plan Status Report

Frequency: Weekly / Monthly

Report Description: Supplier shall provide a report of the Supplier
Implementation Status including:

(a) Deliverable actual vs. projected timeline for overall program

(b) Deliverable actual vs. projected timeline for each work stream (BPO, ITO,
Reporting, etc.)

(c) Interwork stream dependencies and action items to address

(d) Risk items and mitigation to address to maintain implementation timeline

(e) Overall adjustments needing to be made to implementation plan for ad hoc
items identified during KA/KT for both ITO/BPO

(f) Program closeout of implementation items as deliverables are achieved and
delivered

7.3.3 Service Level Performance Report

Frequency: Monthly

Report Description: Report of performance against all Service Levels pursuant to
Schedule B (Service Level Methodology).

7.3.4 Governance Action Items

Frequency: Monthly

Report Description: Supplier shall provide a report of items discussed, items
needing action and/or resolution, tracking item/action “owner” to gain
resolution during the governance meeting to track to item close.

 

7.4 Project Reports

 

7.4.1 Project Status Report

Frequency: Weekly

Report Description: Supplier shall provide a report for each Project in process
highlighting the following:

(a) Overall status of the Project

(b) Effort and cost metrics

(c) Actual vs. estimated hours, including updated estimate-to-complete

(d) Forecast of Project performance

(e) Execution highlights

(f) Current risk and issue tracker

(g) Identified Problems

(h) Service introduction preparation status and alignment review

(i) Additional reporting requirements as defined by the Triple-S designated
Project Manager

8. CLAIMS SERVICES REPORTS

 

Supplier shall provide Triple-S the following reports relating to the Claims
Services:

 

8.1 Claim Inventory Reports

Frequency: Daily / Weekly / YTD

Report Description: Reports describing the following information regarding the
Claims Services:

· Time and Claim count reporting;

· Claim volume by engine, time, status;

· Claims under various LOBs;

· Claim auto-processing, autofail and pended; and

· Void and re-processed Claim reports.

8.2 Service Level Performance Report

Frequency: Monthly

Report Description: Supplier will provide a monthly report as described in
Schedule B that details the overall performance of each Service Level and its
“met” or “not met” of the goal metric.

8.3 Claims Performance

Frequency: Monthly

Report Description: % of Claims Auto-Adjudicated. The result shall be calculated
in accordance with the following formula: (i) Number of Claims Auto-Adjudicated
by Supplier divided by (ii) total number of Claims Auto-Adjudicated by Supplier
during each month.

8.4 Average Claims Adjudication Cycle Time

Frequency: Monthly

Report Description: Average Claims Adjudication Time. The average time taken for
a Claim to be Adjudicated by Supplier during each month.

8.5 Cycle Time

Frequency: Monthly

Report Description: Average Claims Adjustment processing Time. The average time
taken for a Claim to be Adjusted by Supplier during the month.

8.6 Inventory Tracking – Claims aged 10 days

Frequency: Monthly

Report Description: Number and value of Claims aged > ten (10) calendar days
(reported by volume of Claims and Claim value (i.e., dollars)). Number and value
of Claims in the processing queue for more than ten (10) calendar days.

8.7 Inventory Tracking – Claims aged 25 days

Frequency: Monthly

Report Description: Number and value of Claims aged > twenty-five (25) calendar
days (reported by volume of Claims and Claim value (i.e., dollars)). Number and
value of Claims in the processing queue for more than twenty-five (25) calendar
days.

8.8 Inventory Tracking – Claims aged over 30 days

Frequency: Monthly

Report Description: Number and value of Claims aged > thirty (30) calendar days
(reported by volume of Claims and Claim value (i.e., dollars)). Number of and
value of Claims in the processing queue for more than thirty (30) calendar days.

8.9 Inventory Tracking – Adjustments aged over 10 days

Frequency: Monthly

Report Description: Number and value of Adjustments aged > ten (10) calendar
days (reported by volume of Adjustments and Adjustment value (i.e., dollars)).
Number and value of Adjustments in the processing queue for more than ten (10)
calendar days.

8.10 Inventory Tracking – Adjustments aged over 25 days

Frequency: Monthly

Report Description: Number and value of Adjustments aged > twenty-five (25)
calendar days (reported by volume of Adjustments and Adjustment value (i.e.,
dollars)). Number and value of Adjustments in the processing queue for more than
twenty-five (25) calendar days.

8.11 Inventory Tracking – Adjustments aged over 30 days

Frequency: Monthly

Report Description: Number and value of Adjustments aged > thirty (30) calendar
days (reported by volume of Adjustments and Adjustment value (i.e., dollars)).
Number and value of Adjustments in the processing queue for more than thirty
(30) calendar days.

8.12 Production

Frequency: Monthly

Report Description: Number of manual Claims processed each month.

 

9. IT SERVICES REPORTS

 

Supplier shall provide Triple-S the following reports relating to the IT
Services:

 

9.1 Support Reports

Frequency: Daily / Weekly / YTD

Report Description: Reports describing the following information relating to
support Functions as part of the IT Services:

· Incident influx;

· Incident backlog;

· Incident closures;

· Incident priority;

· Incident aging;

· Incident MTTR (mean time to repair); and

· Incident mean time to respond

9.2 Problem Management

Frequency: Daily / Weekly / YTD

Report Description: Reports describing the following information relating to
Problem management Functions as part of the IT Services:

· Problem influx;

· Problem backlog;

· Problem closures;

· Problem by application; and

· Problem aging.

9.3 Change & Release Management

Frequency: Per release cycle

Report Description: Reports describing the following information relating to
Problem management Functions as part of the IT Services:

· Planned releases;

· Release status; and

· Release quality.

9.4 Support

Frequency: Daily / Weekly / YTD

Report Description: Reports describing the following information relating to
support and Service Level compliance Functions as part of the IT Services:

· P1 Incidents;

· P2 Incidents;

· P3 Incidents; and

· Application downtime.

9.5 Application Services

Frequency: Daily / Weekly / YTD

Report Description: The following reports relating to application services
Functions as part of the IT Services:

· Executive summary of application status;

· Application health check;

· Production uptime / downtime; and

· Application status.

· Health of the B2B interfaces, automated reporting, and batch processes

9.6 Infrastructure Assets

Frequency: Per regulatory requirements

Report Description: Asset Management reporting shall be performed at a minimum
as defined by regulatory needs. Additional reporting of assets may be performed
as agreed by the Parties. Asset Management items may include the following.

· Physical server and desktop assets.

· Virtual server and desktop assets.

· Network appliances

· Other assets in the public and private IP space.

· Storage Assets (SAN/NAS/Direct Attached/Cloud).

9.7 Network Performance

Frequency: Per regulatory requirements

Report Description: Network Performance monitoring and reporting shall be
performed at a minimum as defined by regulatory needs. Additional reporting of
assets may be performed as agreed by the Parties. Network Performance Indicators
may include the following.

· Ingress and egress traffic statistics on network interfaces.

· Server performance metrics that may include performance indicators
regarding availability, response time, packet loss, and temperature.

· Performance indicators regarding service response time.

9.8 Security – Vulnerability

Frequency: Per regulatory requirements

Report Description: Vulnerability Scans and Vulnerability Scan reporting shall
be performed at minimum as defined by regulatory needs. Vulnerability Scans and
Vulnerability Scan Reporting may be performed more frequently on high value
assets as agreed by the Parties. Vulnerability Reports may include such items as
follows.

· IP Address/Subnets scanned, vulnerability or violation indicated, and
last scan date.

9.9 Identity and Access Management (Includes Privileged Users)

Frequency: Per regulatory requirements

Report Description: Identity & Access Management (IAM) reporting shall be
performed at minimum as defined by regulatory needs. IAM monitoring and
reporting will be defined largely by determining business goals, but some
examples of IAM reports may include the following.

· Identity & Access Provisioning, De-provisioning, and Attestation Audits.

· Privileged access notification for high value targets

· Audit & Reporting

· Administrative activities (User accounts and Access policies)

· User logins & Application access

· Application services availability

9.10 System/Security Logs

Frequency: Per regulatory requirements

Report Description: System & Security logs shall be collected on assets and
functions performed at a minimum as defined by regulatory needs. Log sources and
event configuration shall be determined by business requirements and goals.
Configuration standards and management shall be put in place to ensure the
collection of logs throughout the environment. Some events collected may include
the following as examples.

· System Events – Success/Failure

· Hardware Events – Success/Failure

· Directory Service Events – Domain controller record of Active Directory
changes

· Security Log – Events set for auditing with local or global group
policies

· Application Log – Start/Stop/Failure events



 

 




 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



SCHEDULE L

 

IT SECURITY ADDENDUM

 



 

 

 

 

 

 

 

 

 

 




 



 



Except as noted in the exceptions list below, Supplier shall comply with the
requirements of the policies attached as Appendix 1 (IT Security Policies) to
this Schedule L (IT Security Addendum) as such policies are applicable to
Vendors of Triple-S and the Services.

 

Exceptions

 

Supplier’s obligation to comply with the policies listed in Appendix 1 below
shall not include the obligation to comply with the following policies or
requirements contained therein:

 

1. Any requirements directly related to Functions retained by Triple-S under the
Agreement;

 

2. Any requirement reserving Triple-S audit rights to networks and systems is
only applicable to Triple-S environments, and not to Supplier hosted
environments, except as set forth in Schedule M (Audit and Record Retention
Requirements).

 

3. Any provisions regarding employment and discipline of Supplier Personnel.
Supplier will follow Supplier’s internal guidelines regarding employment and
discipline of Supplier Personnel; provided, however, that this exclusion does
not limit the other obligations of the Parties with respect to Supplier
Personnel set forth in the Agreement.

 

4. Any requirement directing employees to report to Triple-S Privacy Office.
Supplier Personnel will report as required through Supplier’s privacy, security
and compliance reporting channels, and Supplier will report to Triple-S as
required under the Agreement;

 

5. Policy ISP#3 – Section VI.4, requirement that Supplier scan the network at
least on a weekly basis to detect the presence of unauthorized components or
devices. Supplier shall scan workstations used to provide the Services. Supplier
shall begin monitoring the network for unauthorized components or devices after
Triple-S implements a capable network access control solution. If Triple-S
desires to engage Supplier to implement such solution, it will be Application
Support Services and/or a Special Infrastructure Project, as applicable.

 

6. Policy ISP#4 – Section VI.1.b, requirement to comply with TSM Record
Retention Policy. Supplier shall meet the record retention requirements set
forth in Schedule M;

 








 



7. Policy ISP#4 – Section VI.7, requirement to store all important and critical
Triple-S information in the “My Documents” folder and to ensure that the “My
Documents” folder of the user will not be backed-up. Supplier will comply with
this policy after Triple-S updates the policy to reflect Triple-S’s use of
OneDrive;

 

8. Policy ISP#8, Section VI.1.n, requirement to perform a full functional
Disaster Recovery test on an annual basis. Supplier will perform Disaster
Recovery tests for the applicable In-Scope Applications and the servers, as
identified in the Business Impact Analysis;

 

9. Policy ISP#20 – Section VI.3.b, requirement to have log view records for all
systems.

 

10. Policy ISP#21 – Section VI.2.b, requirement regarding required vulnerability
and penetration assessments. Supplier shall perform vulnerability and
penetration assessments in coordination with Triple-S and its third party vendor;

 

11. Policy ISP#22 – Section VI.3.b, requirement for teleworkers to use the
Symantec VIP two factor authentication system to establish remote connection to
the network. For this requirement, Supplier may use a different solution that is
comparable to Symantec VIP;

 

12. Policy ISP#25 – Section VI.1.i, requirement to quarterly monitor the risk
mitigation plan. Supplier will comply with the requirements set forth in
Schedule M; and

 

13. Policy ISP#27 – Section VI.7, requirement to apply patches during the listed
time windows. Supplier will have the ability to implement patches outside of the
defined windows for any patches to address security, vulnerability, or business
critical patches in order to maintain a secure and stable environment.

 



 


 



 

 

 

 

 

 

 



SCHEDULE L

 

APPENDIX 1 – IT SECURITY POLICIES

 

 

 

 

 

 

 

 

 

 

 

 

 

 




 

 

 

 

 

 

 

 

 

 

IT and Information Security Policies

 

Approved by and Date

 

Issued by: Miguel O. Mercado, Cyber & Information Security Director

Effective Date: Sep 1, 2016

Revised by: Miguel O. Mercado

Date Revised: Aug. 11, 2016

Version: 1.2

Approved by: Juan José Díaz, Chief Information Officer (CIO)

       

 

 

 




 



 

Table of Contents

 

Acceptable Use
Anti-virus and Anti-Spyware
Asset Management Policy
Backup & Retention
Change Management
Clear Desk & Clear Screen
Data Classification
Data Integrity and Interoperability
Encryption and Cryptographic Algorithms
General Information Security
Information Exchange
IT Compliance Management
Network Security
Password Management
Physical and Environmental Security
Remote Access
Removable Device Management
Retention and Disposal
Security Awareness and Training
Security Monitoring Policy
Technical Vulnerability Management Policy
Teleworking
Third Party Services Risk Management
User Access
Information Security Risk Analysis
Business Continuity Management
Patch and Vulnerability Management Policy

 

 

 




 

Policy No.: ISP#1

Policy Name: Acceptable Use

Department: Information Security

Effective Date: 09/01/2016

Approval Date: 09/01/2016

Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

 

           

I. Purpose:

 

The purpose of this policy is to establish what is considered acceptable (and
also unacceptable) use of computer and related media in TSM in order to reduce
unauthorized access to sensitive information (i.e., corporate, personnel and
EPHI information) and security breaches, and to avoid the legal issues
associated with such breaches.

 

II. Scope:

 

This policy applies to all employees of TSM and its subsidiaries, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security
breaches. The policy also helps identify how individually-identifiable health
information should be used.

 

Triple-S Management Corporation (TSM) has developed and adopted the Acceptable
Use Policy to provide management with direction, support and protection against
inappropriate, unauthorized, and even illegal actions performed by users,
whether the action is performed knowingly (intentionally) or through ignorance.

 

Internet systems, which include desktop computers, laptops and other mobile
media (tablets, smartphones), file transfer protocols, operating systems,
network accounts, electronic mail and all electronic storage media, are the
property of TSM. All of these resources are to be used only for business, never
for personal use.

 

TSM shall ensure that all in-scope parties are formally informed of the TSM
Information Security Policies. TSM has implemented training programs to guide
users on the importance of properly using the information of TSM, and at the
same time raise awareness of existing regulations and corporate policies and
procedures to ensure full compliance with all the requirements.

 

Access to the TSM information systems and applications will be provided to users
to support business activities and only on a need-to-know basis to perform their
job responsibilities.

 

IV. Definitions:

 

1. Blogging: The activity of adding new entries to a blog or website usually
designed to present the owner’s thoughts and ideas, observations, opinions and
experiences.

 



 

 




 

2. Honeypot: A location in a network that is expressly set up to attract and
study malware that attempts to penetrate the network or computer system.

 

3. Honeynets: Contain one or more honeypots, which are computer systems on the
Internet expressly set up to attract and "trap" people who attempt to penetrate
other people's computer systems.

 

4. Proprietary Information: The information that is not considered public. This
may include: corporate, financial and system information.

 

5. Spam: Any electronic junk mail received by users and most unsolicited e-mail.

 

6. Cloud Platform: A system where applications or systems may be run in an
environment composed of utility services in an abstract environment, such as the
Internet. Internet-based computing, where shared resources, data and
information are provided to computers and other devices on-demand.

 

7. Cloud Storage: A popular method used for data storage on the Internet. This
could be free or paid.

 

8. Mobile device: Any portable equipment used in technology.

 

9. BYOD: An acronym for Bring Your Own Device. A custom in corporate culture
where the employer approves the use of employee personal devices such as phones
and tablets for the daily job function.

 

10. Jail Break: Term used to unlock the operating system of a smartphone, tablet
or any portable device without its default security system.

 

11. Root: Rooting gives the user administrator rights to alter the OS, tweak the
hardware and unlock the phone from its carrier.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 



 

 






In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

1. The following General Use and Ownership practices help the organization
prevent confidentiality and security breaches:

 

a) All users should know that all generated information through TSM networks and
systems is property of TSM.

 

b) A physical inventory of all TSM devices and the authorized personnel to use
the devices (e.g. Laptops, Desktops Computers, and Corporate Cellphones among
others) shall exist and be updated frequently. All devices shall be labeled with
either a TSM inventory number, or logo for proper identification.

 

c) Authorized users may access, use or share TSM proprietary information only to
the extent it is authorized and necessary to fulfill the user assigned job
duties (e.g. minimum necessary). [Core-16(a)] [Core-15(b)]

 

d) All users shall be liable for protecting the information stored on
systems, applications, directories and network devices belonging to TSM and
shall exercise good judgment regarding the reasonableness of the use of the
equipment and the information. [Core-15(b)]

 

e) For security and network maintenance purposes, TSM, authorized individuals
shall supervise and monitor equipment, system and network traffic.
[Core-15(a)(b)(c)]

 

f) TSM reserves the right to audit network and systems if necessary on a
periodic basis to ensure compliance with this policy. [Core-15(a)(c)]

 



 

 






g) All system accesses will be disabled and/or deleted upon termination of
employee, completion of contract, end of service of non-employee, or
disciplinary action arising from violation of this policy. In the case of a
change in job function and/or transfer the original access will be discontinued,
and only reissued if necessary and a new request for access is approved.
[Core-15(b)]

 

2. Security and Proprietary Information:

 

The following Security and Proprietary Information protection practices help the
organization prevent confidentiality and security breaches [Core-15(b)].

 

a) Providing access to another individual, either deliberately or through
failure to secure its access is prohibited.

 

b) All computing devices must be secured with a password-protected screensaver
with the automatic activation feature set at 10 minutes or less. The user must
lock the screen or log off when the device is unattended.

 

c) Posting by employees from a TSM email address or systems on blogs or social
networking sites is prohibited unless posting is in the course of business
duties.

 

3. Unacceptable Use:

 

The following activities are not considered an acceptable use of the
organization's information and information assets. Not following these
recommendations could place individually-identified health information and
company information at risk. Note that some users may be exempted from some of
the restrictions during the course of their legitimate job responsibilities
(e.g., system administrator staff may have a need to disable the network access
of a host if that host is disrupting production services).

 

a) Under no circumstances is an employee of TSM authorized to engage in any
activity that is illegal under local, state, federal or international law while
utilizing TSM owned resources. [Core-15(b)]

 

b) Violations of the rights of any person or company protected by copyright,
trade secret, patent or other intellectual property, or similar laws or
regulations, including, but not limited to, the installation or distribution of
"pirated" or other software products that are not appropriately licensed for use
by TSM. [Core-15(b)]

 

c) Unauthorized copying of copyrighted material including, but not limited to,
digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which TSM or the end user does not have an active license is
strictly prohibited. [Core-15(b)]

 

d) The use or installation of unauthorized software, including obtaining data
and/or software from external networks is prohibited. [Core-15(b)]

 

e) Accessing data, a server or an account for any purpose other than conducting
TSM business, even if you have authorized access, is prohibited. [Core-16(a)]

 

f) Exporting software, technical information, encryption software or technology,
in violation of international or regional export control laws, is illegal. The
appropriate management should be consulted prior to the export of any material
that is in question. [Core-15(b)]

 

g) Introduction of malicious programs into TSM network environment (e.g.,
viruses, worms, Trojan horses, e-mail bombs, ransomware, etc.). [Core-15(b)]

 

h) Revealing your account password to others or allowing use of your account by
others. This includes family and other household members when work is being done
at home. [Core-15(b)]

 

i) Using a TSM information technology asset to actively engage in procuring or
transmitting material that is in violation of sexual harassment or hostile
workplace laws in the user's local jurisdiction.

 

j) Making fraudulent offers of products, items, or services originating from any
TSM account.

 

k) Making statements about warranty, expressly or implied, unless it is a part
of normal job duties.

 

l) Effecting security breaches or disruptions of network communication. Security
breaches include, but are not limited to, accessing data of which the employee
is not an intended recipient or logging into a server or account that the
employee is not expressly authorized to access, unless these duties are within
the scope of regular duties. For purposes of this section, "disruption"
includes, but is not limited to, network sniffing, ping floods, packet
spoofing, denial of service, and forged routing information for malicious
purposes. [Core-15(b)]

 

m) Port scanning or security scanning is expressly prohibited unless prior
notification to the Information Security Group is made. [Core-15(b)]

 



 

 






n) Executing any form of network monitoring which will intercept data not
intended for the employee's host, unless this activity is a part of the
employee's normal job/duty. [Core-15(b)]

 

o) Circumventing user authentication or security of any host, network or
account. [Core-15(b)]

 

p) Introducing honeypots, honeynets, or similar technology on the TSM networks.
[Core-15(b)]

 

q) Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's terminal session, via any means,
locally or via the Internet/Intranet/Extranet. [Core-15(b)]

 

r) Providing confidential information about TSM employees to parties outside
TSM. [Core-15(b)]

 

4. Email and Communication Activities:

 

The following practices help the organization prevent confidentiality and
security breaches and therefore are prohibited [Core-15(b)]:

 

a) Sending unsolicited email messages, including the sending of "junk mail" or
other advertising material to individuals who did not specifically request such
material (email spam).

 

b) Any form of harassment via email, telephone or texting, whether through
language, frequency, or size of messages.

 

c) Unauthorized use, or forging, of email header information.

 

d) Creating or forwarding "chain letters", "Ponzi" or other "pyramid" fraudulent
schemes of any type.

 

e) Use of unsolicited email originating from within TSM networks or other
information technology service providers on behalf of, or to advertise, any
service hosted by TSM or connected via TSM network unless this activity is part
of normal business activity.

 

f) Posting the same or similar non-business-related messages to large numbers of
Usenet newsgroups (newsgroup spam).

 



 

 






g) Employees should never open e-mails received from unknown senders as these
e-mails may contain malware.

 

5. Blogging and Social Media:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

a) Blogging by employees, whether using Triple-S Management Corporation (TSM)
property and systems or personal computer systems, is also subject to the terms
and restrictions set forth in this Policy. Blogging from TSM systems is also
subject to monitoring.

 

b) Users shall also carefully control what information they post on social media
accounts and to whom this information is available. This particularly applies to
users who actively participate on social media sites as part of their company
job function, in order to network with customers and promote brand awareness.

 

c) TSM Confidential Information policy also applies to blogging. As such,
Employees are prohibited from revealing any TSM confidential or proprietary
information, trade secrets or any other material covered by TSM Confidential
Information policy when engaged in blogging.

 

d) Employees shall not engage in any blogging that may harm or tarnish the
image, reputation and/or goodwill of TSM and/or any of its employees. Employees
are also prohibited from making any discriminatory, disparaging, defamatory or
harassing comments when blogging or otherwise engaging in any conduct prohibited
by TSM Non-Discrimination and Anti-Harassment policy.

 

e) Employees shall also not attribute personal statements, opinions or beliefs
to TSM when engaged in blogging. If an employee is expressing his or her beliefs
and/or opinions in blogs, the employee shall not, expressly or implicitly,
represent himself or herself as an employee or representative of TSM. Employees
shall assume any and all risk associated with blogging.

 

f) Apart from following all laws pertaining to the handling and disclosure of
copyrighted or export controlled materials, TSM trademarks, logos and any other
TSM intellectual property shall also not be used in connection with any blogging
activity.

 

6. Cloud-Based Storage Sites:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 



 

 






Triple-S Management Corporation (TSM) has contracted the services of “Box”
(cloud platform). This is the TSM authorized cloud platform for the secure
online storage of TSM files.

 

a) User access to “Box” shall be authorized by the Information & Cyber Security
Director to support business activities, only on a need-to-know basis to allow
the authorized users to perform their job functions and responsibilities.

 

b) All files, data and information with PHI, PII, ePHI or any other sensitive
information property of TSM stored using the cloud platform (Box) shall be
encrypted with PGP or other mechanisms.

 

c) The use of cloud-based storage sites (such as Dropbox, OneDrive, Google
Drive, Amazon, Copy, and iCloud) is not considered an acceptable use. Users
shall not store any type of TSM data and/or information on these sites. All
users shall maintain and protect the confidentiality of all TSM data and
information systems.

 

d) Users shall not use the designated TSM “Box” account for personal use. The
storage of files, music, pictures or other data not related to TSM business
purposes is prohibited.

 

7. Mobile Devices:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

This policy establishes the rules for the proper use of mobile devices
(BYOD/Corporate Owned) whenever they are used to access Triple-S Management
Corporation (TSM) networks or corporate email, in order to protect the
confidentiality of sensitive data, the integrity of data and applications, and
the availability of services at TSM, as well as corporate assets
(confidentiality and integrity) and continuity of the business (availability).

 

TSM reserves the right to disconnect any device or disable the access to TSM
networks or application services without notification. Users shall always use
their devices in an ethical manner and agree to adhere to the applicable TSM
policies and procedures.

 

a) Mobile devices must be password/PIN protected.

 

b) Users shall maintain the original device operating system and keep the device
current with security patches and updates, as released by the manufacturer.

 

c) Users shall not “Jail Break” nor “Root” the device (installing software that
allows the user to bypass standard built-in security features and controls).

 



 

 






d) Users agree to delete any sensitive business files that may be inadvertently
downloaded and stored on the device, and that are not going to be used anymore.

 

e) Users are responsible for securing and backing up all personal information on
their mobile devices.

 

f) Users must take appropriate precautions to prevent others from obtaining
access to their mobile device(s).

 

g) Mobile device user credentials (User-ID, PIN, and Password) shall not be
shared with other personnel.

 

h) Employees are responsible for immediately notifying TSM in case of device
loss or theft.

 

i) Selected TSM mobile device activities can be tracked and monitored.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#2 Page 10 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Anti-virus and Anti-Spyware

Drafted by:

René Rivera, 

IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish requirements which must be followed
by all users of the organization and be met by all computers connected to the
TSM network. The adoption and enforcement of the policy helps reduce the
organization's risk against malicious programs such as malware, botnets and
computer viruses.

 

Computer viruses, malware, botnets and spyware are some of the most significant
threats against computer environments connected to the Internet. The Internet
has made the propagation of malicious programs part of the global cyber-crime
industry. This industry today includes developers of computer viruses, malware,
botnets and spyware programs as well as formal distribution and harvesting
channels. One of the main goals of the cyber-crime industry is to steal customer
sensitive information and promote fraud and cyber-espionage against individuals
and corporations. The channel is highly effective due to the following factors:

 

1. Easy and rapid access to the internet by cyber criminals.

 

2. Cyber-criminals leverage the very low cost of the internet channel.

 

3. Billions of users connected to the internet provide a great incentive to
cyber-criminals to harvest this channel for committing fraud.

 

4. Most internet users have a very low level of awareness of cyber-crime and
cyber-crime techniques.

 

5. Global nature of the internet makes criminal prosecution harder.

 

For these reasons, proper maintenance and operation of the anti-virus and
anti-spyware system is one of the primary security layers used by TSM to protect
its IT assets against malware and other types of attacks. The anti-virus and
anti-spyware system is designed to detect and protect the IT assets based on the
Windows operating system used by TSM.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 



 

 










 

Triple-S Management Corporation (TSM) has developed and adopted the Anti-Virus
and Anti-Spyware Policy to provide management with direction and support for
the implementation of safeguards to detect, prevent and recover against
malicious programs such as malware, botnets and computer viruses.

 

IV. Definitions:

 

1. Virus: A program that enters a computer usually without the knowledge of the
operator. Some viruses are mild and only cause messages to appear on the screen,
but others are destructive and can wipe out the computer's memory or cause more
severe damage.

 

2. Botnet: A network of computers created by malware and controlled remotely,
without the knowledge of the users of those computers.

 

3. Malware: Software that is intended to damage or disable computers and
computer systems, including computer viruses, worms, Trojan horses, ransomware,
spyware, adware and other malicious programs.

 

4. Spyware: Software that aims to gather information about a person or
organization without their knowledge and that may send such information to
another entity.

 

V. Responsibilities:

 

All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

TSM reserves the right to audit networks, systems, or procedures on a periodic
basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

1. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

2. Non-Compliance

 



 

 






 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. TSM Microsoft based Windows servers, workstations and laptop computers must
have TSM's approved and supported anti-virus and anti-spyware agent installed
and scheduled to run at regular intervals. [Core-15 (b)]

 

2. The anti-virus and anti-spyware agent and its virus and spyware signature
database must be configured for performing automatic updates of the system
malicious program database. [Core-15 (b)]

 

3. All new software and files downloaded from the internet must be subject to
screening by the anti-virus and anti-spyware system before being allowed in the
internal network. [Core-15(c)]

 

4. The Desktop Management Group (DMG) is responsible for removing from the TSM
network virus-infected computers until they are verified as virus-free.
Confirmation of the verification shall be sent to the Information Security
Group. [Core-15(c)]

 

5. The Infrastructure Management Group (IMG) is responsible for removing from
the TSM network virus-infected servers until they are verified as virus-free.
Confirmation of the verification shall be sent to the Information Security
Group. [Core-15(c)]

 

6. The Information Security Group is responsible for creating procedures to
ensure that anti-virus and anti-spyware software is run at regular intervals,
to confirm that computers are verified as virus-free. [Core-15 (b)]

 

7. Audit logs of the checks performed by the anti-virus software shall be
generated and maintained. Audit logs of the anti-virus and anti-spyware system
will be managed by the Information Security group. [Core-15(c)]

 

8. Employees, temporary personnel, contractors and service providers granted
access to the TSM network are prohibited from performing any activities with the
intention to create and/or distribute malicious programs into TSM's networks
(e.g., viruses, spyware, malware, worms, Trojan horses, e-mail bombs, etc.), in
accordance with the TSM Acceptable Use Policy. [Core-15(b)]

 

9. Machines with operating systems other than those based on Microsoft Operating
System are exempted from this policy. [Core-15 (b)]

 



 

 






 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#3 Page 14 Effective Date: 09/01/2016 Review Date: 06/05/2016
Department: Information Security  Policy Name: Asset Management Policy

Drafted by:

René Rivera, 

IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to define requirements to ensure that IT assets
are clearly identified and that an inventory of all IT assets is maintained and
updated to ensure accountability and protection of the electronic information
stored in the asset. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the IT Asset
Management Policy to provide management with direction and support to ensure
that management requires ownership, defines responsibilities and maintains
accountability for the protection of the organization computing assets.
[Core-15(b)]

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 



 

 






 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. IT Asset Lifecycle Program

 

TSM shall implement an IT Asset Lifecycle Program and monitor its effectiveness,
making changes as needed. TSM shall implement six (6) stages for the lifecycle
of an IT asset. Each stage must include the following activities:
[Core-15(b)]

 

a) Planning: Defining supporting processes, setting standards for configuration
and retention, aligning purchase plans to business goals, collecting aggregate
information on intended purchases, and negotiating volume discounts.

 

b) Procurement: Requisitioning, approving, ordering, receiving and validating
orders.

 

c) Deployment: Tagging assets, entering asset information in a repository,
configuring and installing assets including:

 

o Disabling unnecessary or insecure services or protocols

 

o Limiting servers to one primary function

 

o Defining system security parameters to prevent misuse

 

d) Management: Inventory / counting, monitoring usage, managing contracts for
maintenance and support, and monitoring configuration.

 

e) Support: Adding and changing configurations, repairing devices, and
relocating equipment and software.

 

f) Disposition: Removing assets from service, deleting storage contents,
disassembling components for reuse, disposing of equipment, terminating
contracts, and removing or eliminating assets from the active inventory.

 

The inventory of IT assets shall include capital and non-capital assets. Capital
assets are considered property, plant and equipment (assets that are usually
capitalized). For capital assets, an inventory must be performed at least once a
year. [Core-15(b)]

 

Non-capital assets are those that, due to their lower cost, are usually
considered a supply expense (i.e. pen drives, etc.). [Core-15(b)]

 

2. Inventory of IT assets

 



 

 






 

The organization shall identify, tag and inventory all IT assets including
information (e.g. ePHI, PII) and document the importance of these assets. The IT
asset inventory shall include the information necessary to uniquely identify the
IT asset. [Core-15(b)]

 

The inventory of IT assets shall include the following information elements
(where applicable): [Core-15(b)]

 

o Equipment serial number.



o Equipment or machine name.



o Information system of which the component is a part.



o Type of information system component (i.e. server, desktop, laptop,
application, database, etc.).



o Operating System (OS) type and version.



o Service Pack (SP) level.



o Presence of virtual machines.



o Application or database software version/license information (i.e. [***], MS
SQL Server).



o Physical location (i.e. building/room number).



o Logical location (i.e. IP address, position within the IS architecture).



o Media access control (MAC) address.



o Ownership by position and role.



o Operational status (i.e. Active/Inactive).



o Primary and secondary system administrators.



o Primary and secondary application administrators.



o Primary business application owner.



o Asset classification level based on data classification criteria (i.e.
CONFIDENTIAL).

 

3. Equipment assigned to employees, temporary employees or contractors

 

Records of property assigned to employees of the organization, temporary
employees or contractors (laptops, tablets, cell phones, external drives, and
similar peripherals) shall be maintained. [Core-15(b)]

 

The equipment record shall be used to ensure that all the assigned property is
returned to the organization upon the employee termination or transfer out of
the department or upon termination of the temporary employee contract or upon
termination of the contractor contract. [Core-15(b)]

 

The manager of the employee or of the contractor is responsible for ensuring
that during the employee exit process or the contractor termination process the
assigned equipment is returned and that the IT asset inventory is updated. In
case of laptops and notebooks the IT asset shall be returned to the Desktop
Management Group (DMG) for updating of the IT asset inventory. [Core-15(b)]

 

Laptops and any other equipment assigned to employees, temporary employees and
contractors must be reviewed and updated annually. [Core-15(b)]

 

4. IT Asset inventory

 

TSM shall employ automated mechanisms to scan the network at least on a weekly
basis to detect the presence of unauthorized components or devices (including
hardware, firmware and software) in the information system. TSM shall disable
network access by such components. [Core-15(b)]

 

5. Inventory of Wireless Access Points (WAP)

 

TSM shall maintain an inventory of Wireless Access Points (WAPs). This inventory
shall also be updated on an annual basis or when WAPs are removed or added.
[Core-15(b)]

 

6. Ownership of IT Assets

 

All IT assets must be assigned a System Owner who will be responsible for the
asset (protection, storage, transfer protocols, destruction). Although property
might be assigned to contractors or volunteers for business purposes, ownership
will remain in TSM, with the officer assigned such ownership. [Core-15(b)]

 

7. Accepted use of IT Assets

 

Refer to Acceptable Use Policy for details.

 

8. Sensitive System Isolation

 

Sensitive systems shall have a dedicated and isolated computing environment.
[Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 




 

Policy No.: ISP#4
Policy Name: Backup & Retention
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish the organization's backup and
retention policy in order to protect the confidentiality, integrity and
availability of critical data required to support TSM business operations.

 

II. Scope:

 

This policy applies to all equipment (e.g. laptops, desktops, servers, etc.),
data and systems of TSM and its subsidiaries, owned or operated by TSM, where
the organization provides services to its customers, in order to safeguard the
information assets of TSM and to prevent the loss of data in the case of an
accidental deletion or corruption of data, system failure, or a disaster.

 

III. Policy:

 

This policy supports the organization's plan for storage, maintenance and
destruction of information [Core-13b].

 

Triple-S Management Corporation (TSM) has developed and adopted the Backup and
Retention Policy to provide management with direction and support for the
implementation of secured and protected backup processes in order to ensure the
availability of the critical business information in case of major disaster or
system interruption. The implementation of robust backup and retention
procedures also helps minimize potential loss or corruption of critical data,
reducing the organization's level of risk against unexpected interruptions and
events.

 

IV. Definitions:

 

1. Backup: The activity of storing data, files or databases in a secured
environment (equipment, cloud) in case of catastrophe or hardware failure.

 

2. Full Backup: A backup of a set of specified files, often the entire contents
of a disk, regardless of when they were last modified.

 

3. Incremental Backup: Incremental backups only back up the files that have been
modified since the last backup. If dump levels are used, incremental backups
only back up files changed since the last backup of a lower dump level.

 

4. Restore: The process of copying files from a backup location to a hard drive
or other acceptable media. A restore can be performed when backup data is needed
and as part of a testing process.

 



 

 




 

5. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used.

 

6. Retention: The period established to keep backup media. This period must be
in compliance with local and Federal regulations.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

4. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This procedure supports the organization's process for storage, maintenance and
destruction of information [Core-13b].

 

1. Scheduling and Retention:

 

a) TSM shall implement backup and retention schedules to ensure that application
and system data are safeguarded against destruction and loss.

 

b) TSM is committed to retain and preserve the application and system data for
the period of time required by federal and local laws and with the requirements
of the Record Retention policy.

 



 

 






 

c) Full and incremental backups shall be performed and verified on a daily,
weekly, and monthly basis for Mainframe, Unix, Windows and VMware-based systems.

 

d) A full backup shall be made at least once a month and will be retained for a
minimum of one year.

 

e) A full backup shall be made at least once a year and will be retained for a
minimum of ten years.

 

f) Full and incremental backups shall be performed for all business applications
and databases.

 

g) All backups shall be subject to verification on a daily, weekly, and monthly
basis, and backup error conditions should be monitored, logged and reported to
management for investigation and execution of the backup process.

 

h) An automatic backup verification process shall be performed to ensure backups
are completed successfully and without error.

 

i) Backups shall be monitored and problem management procedures shall be
followed if error conditions are generated that could impact the integrity and
completeness of the backup process.

 

j) Procedures for retention, and storage of backup media shall be designed,
implemented and documented. Backup tapes will be rotated on a daily, weekly, and
monthly basis to a secured off-site storage facility (International Safe
Deposit) and maintained according to a predefined retention schedule.

 

k) Tape media inventory shall be performed on a monthly and quarterly basis for
mainframe and distributed systems, respectively.

 

l) Controls must be in place to ensure backup tapes are not reused until the
retention period expires.

 

2. Onsite and Offsite Storage:

 

a) Depending on the criticality of the data, TSM shall ensure its preservation
by moving the data to the contracted offsite backup storage facility using a
data encryption mechanism.

 

b) Data considered critical for the business continuity must be moved to an
offsite storage at least once a week.

 



 

 






 

c) Network infrastructure backups, and system critical files must be moved to an
offsite storage at least once a month.

 

d) When the backup service is delivered by a third party, the service level
agreement shall include the detailed protections to control confidentiality,
integrity, and availability of the backup information.

 

3. Storage Access and Security:

 

a) All backup media must be stored in a secure area that is accessible only to
authorized personnel.

 

b) Physical and environmental controls shall be in place to protect the backup
tapes.

 

4. Restorations:

 

a) All restorations require approval from the designated Data Owner and/or
Application Owner. The requestor must fill out a "Restore and Recovery Data"
form.

 

5. Verification:

 

a) The backup system shall be tested periodically by restoring a single random
file from a randomly selected piece of equipment, and manually inspecting it for
accurate recovery. The recovery tests will be stored in secured temporary areas
so that current "real" user copies of the files will not be overwritten.

 

b) Backup verification processes must be enabled to facilitate automatic backup
verification, and adequate exception notification must be configured.

 

c) Failed backups will be re-started twice automatically by the backup tools
implemented at TriServe.

 

6. Documentation:

 

a) The backup procedure must be documented. The procedure should describe how to
execute the backup process and the data restoration process. The procedure must
include a list of all the systems and files that are backed up as well as
frequency, retention and on-site / off-site backup details.

 

7. Responsibilities and other important considerations:

 

a) Information that is stored in the "My Documents" folder of the user (e.g.
Desktop) will not be backed up; it is the responsibility of the employee to
store all important and critical TSM information in the "My Documents" folder.

 

VII. Attachments:

 

ATTACHMENT A - Backup & Retention Procedure [Core-13b]

 



 

 






 

Version Control | Effective Date | Approved By (include position name) | Amendment
1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 




 

Policy No.: ISP#5
Policy Name: Change Management
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish the requirements of the change
management process required to control the request, approval and implementation
of changes to TSM systems, applications and IT infrastructure. The objective of
the policy is to help minimize the risk of changes impacting TSM IT services and
customers or resulting in the introduction of significant vulnerabilities in the
TSM IT systems.

 

II. Scope:

 

This policy applies to the employees, temporary workers, contractors, business
partners and third party vendors of TSM and its subsidiaries, and to the
physical facilities where TSM provides services to its customers and hosts its
IT systems, applications and IT infrastructure components.

 

III. Policy:

 

This policy supports the organization's data integrity process for electronic
information [Core-13(a)].

 

Triple-S Management Corporation (TSM) has adopted a Change Management Policy to
provide management with direction and support for the implementation of
processes and controls to effectively manage risks associated with changes to IT
systems and the organization's IT infrastructure. As a standard practice,
changes should be documented, approved, tested and validated. This policy is
designed to ensure the organization designs and implements procedures and
controls for management of the change management process. These processes and
controls are required to meet operational and compliance requirements as well as
reduce the level of risk for the organization by ensuring that changes are
subject to an approval process before being deployed to the production
environment.

 

IV. Definitions:

 

1. Change Management: A systematic approach to managing all changes made to a
product or system.

 

2. Fallback: Actions to revert implemented software changes that failed and
therefore require going back to the original state.

 

3. Outsourced software development: Software made by a third party contracted by
an organization with specific requirements.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

TSM reserves the right to audit networks, systems, or procedures on a periodic
basis to ensure compliance with this policy.

 

2. In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This procedure supports the organization's data integrity process for electronic
information [Core-13(a)].

 

1. Changes to Information Technology (IT) assets and systems, such as operating
system, hardware, software, application, and network components, shall follow
the organization's change management process. This process shall ensure that
changes are documented, authorized, tested, approved and properly implemented.

 

2. For custom developed applications and the implementation of package
applications, TSM shall ensure that data input validation controls are tested to
ensure that the data is correct and appropriate.

 

3. The following activities shall be adopted within the change management
process:

 

a) Change Request Form (CR Form): Documentation of the change shall be completed
explaining the purpose, details and consequences of the proposed change. All
change requests shall be prioritized in terms of benefits, urgency, effort
required and potential impact on TSM operations. The CR Form shall include Risk
and Impact considerations about the proposed change.

 



 

 


 

b) Version Control: Change requests and/or updates shall be controlled with
version control numbers. Access to system files and program source code shall be
restricted to authorized personnel and only authorized personnel shall have
access to the version control system.

 

c) Testing: Changes to TSM systems and IT infrastructure (i.e. servers,
databases, applications, system access level and end-user access level) shall be
tested in an isolated, controlled environment (where feasible) prior to
implementation. The testing process shall verify that intended changes will meet
the stated objectives and not cause operational problems, service interruptions
or introduce security risks to the organization.

 

d) Approval: All changes shall be approved prior to implementation. Approval of
changes shall be based on the documented acceptance criteria (i.e. a change
request form is completed and approved by TSM personnel, an impact assessment
was performed and proposed changes were tested). All users significantly
affected by a change shall be notified. The user representative, such as the
Application Owner, shall sign off on the change request form.

 

e) Implementation: Implementation shall only be undertaken after appropriate
testing and approval by the designated TSM stakeholders. Implementation of
changes to the production environment shall be performed only by an authorized
TSM systems administrator or by the designated IT personnel such as the Database
Administrator or the Application Administrator. Production systems shall only
hold approved programs and required executable code. No development code or
compilers shall reside in production systems. Any decision to upgrade (software)
to a new release shall take into account the business requirements for the
change, and the security and privacy impacts of the release.

 

f) Fallback: Fallback procedures shall be defined and implemented. This includes
defining procedures and roles and responsibilities for aborting/cancelling and
recovering from unsuccessful changes and unforeseen events.

 

g) Post Implementation: All changes shall be monitored once they have been
implemented to check for unexpected behavior or incidents.

 

4. Emergency Changes shall follow documented procedures to ensure the proper
control and authorization.

 

5. Outsourced software development shall be reviewed to ensure that the
contracts include considerations for: code ownership, intellectual property
rights, escrow arrangements, right to audit, requirements for quality of code,
and technical support.

 



 

 


 

6. All internally developed software and all changes to internally developed
software that will be accessible via the internet must be subject to a code
verification process. To reduce risks associated with potential vulnerabilities
at the application level, the Quality Assurance Group establishes a subscription
to the Code Scanning service to facilitate and conduct this verification
process.

 

VII. Attachments:

 

ATTACHMENT B - Change Management process [Core-13(a)]

 

 

 


 

Policy No.: ISP#6
Policy Name: Clear Desk & Clear Screen
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish requirements for maintaining “Clear
Desk” & “Clear Screen” procedures where sensitive/confidential information about
our employees, our intellectual property, our customers and our vendors is
secured in locked areas and out of sight.

 

This Policy is not only about security; it is also part of the TSM Privacy
Policies, and its purpose is to reduce the risk of security breaches in the
workplace.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)] and provides guidance to employees on how to shred and destroy
paper documents [CORE-13(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted a Clear Desk &
Clear Screen policy to ensure that sensitive/confidential information (on paper
or electronic media) is removed from the end user workspace and locked away when
the items are not in use or an employee leaves his/her workstation, and that a
clear screen is maintained for information assets. This Policy shall take into
account the information classification, legal and contractual requirements, and
the corresponding risks and cultural aspects of TSM.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. Sensitive/Confidential business information in paper or electronic storage
media shall be locked away in secure cabinets when not required, especially when
the office is vacated for a short or extended period of time.

 

2. File cabinets containing business sensitive/confidential information shall be
kept closed and locked when not in use or when not attended.

 

3. Keys used for access to confidential information shall not be left at an
unattended desk and they shall be kept in a secure place.

 

4. Computers and terminals shall be logged off or protected with a screen and
keyboard locking mechanism controlled by a password (e.g., “Ctrl+Alt+Del” in
Windows systems), token or similar user authentication mechanism that conceals
information previously visible on the display when unattended and shall be
protected by key locks, passwords, or other controls when not in use.

 



 

 






 

5. Unattended portable computing devices such as laptops and tablets shall be
either locked with a locking cable, locked away in a drawer or kept in a
restricted area that only authorized employees can access.

 

6. Employees shall treat mass storage devices such as CD-ROM, DVD or USB drives
as sensitive and secure them in a locked drawer when not in use.

 

7. Passwords shall not be written on sticky notes or posted on or under a
computer, nor shall they be left written down in accessible locations.

 

8. Incoming and outgoing mail points and unattended facsimile machines shall be
protected and unauthorized use of photocopiers shall be prevented.

 

9. All printers, copiers and facsimile machines shall be cleared of documents as
soon as they are printed to ensure that sensitive printouts are not left in
printer trays for the wrong person to pick up.

 

10. When transporting documents with Sensitive/Confidential information within
facilities and through inter-office mail, information shall not be visible
through envelope windows and envelopes shall be marked according to their
classification level (e.g., “Confidential”).

 

11. Sensitive/Confidential documents shall be placed in the official shredder
bins/recycling bins or placed in the locked secured disposal recycling bins
contracted by the organization for the secured destruction of the documents.
[CORE-13(b)]

 

12. Whiteboards containing sensitive/confidential information shall be erased.
[CORE-13(b)]

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#7 Page 30 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Data Classification

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía,



Chief Information Officer


           

I. Purpose:

 

The purpose of the Data Classification Policy is to ensure that TSM IT assets
receive an appropriate level of protection based on the type of information
stored and managed. As such, the policy requires a data-centric and risk-based
focus for the design and implementation of safeguards for protection of the
most sensitive data, including ePHI. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has defined and documented a Data
Classification Policy to provide management with direction and support for the
proper handling of information considering the sensitivity and risk of such
data. In order to ensure proper management, information must be first classified
according to its level of risk and sensitivity considering local and federal
regulations. The higher the sensitivity and risk, the higher the classification
to be assigned and therefore more controls will be needed to ensure only
authorized personnel can access such information. [Core-15(b)]

 

Users shall be made aware of their responsibilities for proper handling of
information received, created, processed, stored, distributed and destroyed by
TSM according to its sensitivity and assigned data classification level.
[Core-15(b)]

 

IV. Definitions:

 

1. Information Owner: Responsible for determining who has access to the
information he/she owns. Usually senior management or department head.

 

2. Information Custodian: Responsible for assigning the access to the
information according to the instructions of the information owner.

 



 

 




 

3. Information User: Responsible for the application of this policy in his/her
daily activities in TSM and its subsidiaries.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.



 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. Classification Levels

 

Four levels of data classification have been defined: [Core-15(b)]

 

Level: PUBLIC

Description: Information officially released by TSM for widespread public
disclosure.

Examples: Press releases, public marketing materials, employment advertising,
annual reports, product brochures, the public web site, etc.

Level: INTERNAL

Description: All forms of proprietary information originated or owned by TSM,
or entrusted to it by others that is not considered sensitive or confidential.

Examples: General organization charts (with no names, only positions),
policies, procedures, phone directories (excluding client contact information),
some types of training materials.

Level: CONFIDENTIAL

Description: Information for which the unauthorized disclosure or compromise
would likely have an adverse impact on the company's competitive or financial
position, or compromise regulatory compliance of local and Federal laws for
protecting personal information.

Examples: Trade secrets & marketing, PHI or EPHI, operational, financial,
employee user ID’s, passwords, PINs, or other personal identification devices,
source code, and technical information integral to the success of our company.

Level: HIGHLY RESTRICTIVE

Description: Includes information that is so sensitive that disclosure or usage
would have a definite impact on the TSM’s business and future. Significant
restrictions and controls need to be applied.

Examples: Merger and acquisition information, reorganization documents,
security protocol information, legal actions, strategic or tactical information
of the organization and its subsidiaries, etc.

 

a) All information generated by or for TSM, no matter the format: written,
verbal, or electronic, is to be treated according to its classification level.
[Core-15(b)]

 

b) If the information is not labeled, personnel must assume it’s confidential.
[Core-15(b)]

 

c) Information that is labeled as public or internal use, but is in draft form
or has not been formally approved, should also be considered confidential.
[Core-15(b)]

 

d) All employees should familiarize themselves with the information labeling and
handling guidelines included in the procedures document. [Core-15(b)]

 

e) It should be noted that the sensitivity level classifications were created as
guidelines and to emphasize appropriate measures that users have to take to
protect TSM and third Party Confidential information. [Core-15(b)]

 



 

 






 

f) Nothing in this policy is, however, intended to prevent employees from
engaging in concerted activity protected by law. [Core-15(b)]

 

2. Information Owner

 

The Information Owner, also known as the Application Owner, is the leader of a
business area or service who is directly responsible for the proper use of the
area’s information under his/her management. Such use must be based on the
objectives of TSM business. The information owner is responsible for
classifying the information, deciding who must have access to it and validating
that the security is commensurate with its assigned classification and that
controls are implemented consistently with such classification. The owner must
also periodically review the classification, ensure it is kept up to date and
ensure the classification is correct. [Core-15(b)]

 

Documentation that a physical inventory has been taken, for all locations, shall
be retained in the organization’s central accounting office. [Core-15(b)]

 

3. Information Custodian

 

The Information Custodian, also known as the Data Custodian, is responsible for
ensuring that access to TSM information is consistent with the information
owner’s requirements, updating such access when personnel change
responsibilities or are transferred to another unit (and therefore another
information owner), and eliminating access if personnel are terminated.
[Core-15(b)]

 

4. Considerations

 

The data classification process must consider: [Core-15(b)]

 

a) Business needs for sharing or restricting information.

 

b) The business impacts associated with such needs.

 

c) The aggregation effect in the classification process (consider groups of
similar information assets and how their individual classification may impact
the group or conglomerate of such assets: i.e. if similar information assets
have been assigned different classifications, re-consider the classification of
each one).

 

5. Information asset life cycle

 

Information assets should be protected in all phases of their life cycle:
receipt/creation, processing, storage, transmittal and destruction. The
protection must be according to the classification assigned. Details of how to
protect the information asset will be presented in a procedure document.
[Core-15(b)]

 

6. Third Party Confidential Information

 



 

 






 

A subset of TSM Confidential information is "TSM Third Party Confidential"
information. This is information that belongs to another corporation which has
been entrusted to TSM by that company under non-disclosure agreements (NDA’s)
and other contracts as part of the business agreement between both parties.
Examples of this type of information include everything from joint business
activities to vendor lists, customer orders, and supplier information.
Information in this category ranges from extremely sensitive to information
about the fact that we’ve connected a supplier / vendor into TSM network to
support our operations. [Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#8 Page 35 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Data Integrity and Interoperability

Drafted by:

René Rivera, 

IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

This policy provides direction for management of the information as a valuable
and strategic resource through establishment of the required processes and
controls to ensure the accuracy and integrity of the information managed by the
organization.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy supports the organization's data integrity process for electronic
information [Core-13(a)].

 

Information has most value when it is complete, accurate, relevant, accessible
and timely (CARAT). This policy describes the commitment of Triple-S Management
for designing, implementing, and maintaining procedures and controls for proper
management of its information. This includes ensuring the accuracy and
interoperability of the information managed by the core systems of the
organization.

 

IV. Definitions:

 

1. Data: numbers, words or images that have yet to be organized or analyzed to
answer a specific question. It is often interchangeable with the word
‘information’.

 

2. Data Quality: ensuring data is ‘fit for purpose’ and ‘right first time’,
which includes the relevance, correctness, completeness and timeliness of all
data held in all Trust systems

 

3. Document: smallest complete unit of recorded material which is accumulated to
form a file.

 

4. Information: Produced through processing, manipulating and organizing data to
answer questions, adding to the knowledge of the receiver. It is often
interchangeable with the word data.

 

5. Information Management: a collection and management of information from one
or more sources and the distribution of that information to one or more
audiences. Management means the organization of and control over the planning,
structure and organization, controlling, processing evaluating and reporting of
information activities in order to meet the Trust’s objectives and to enable
corporate functions in the delivery of information.

 



 

 




 

6. Software Life Cycle Development: The systems development life cycle (SDLC),
also referred to as the application development life-cycle, is a term used in
systems engineering, information systems and software engineering to describe a
process for planning, creating, testing, and deploying an information system.

 

7. Change Management Process: Change Management (CM) refers to any approach to
transitioning individuals, teams, and organizations using methods intended to
re-direct the use of resources, business process, budget allocations, or other
modes of operation that significantly reshape a company or organization.

 

8. Referential Integrity: Referential integrity is a relational database
concept, which states that table relationships must always be consistent. In
other words, any foreign key field must agree with the primary key that is
referenced by the foreign key.

 

9. Data Purging: Data purging is a term that is commonly used to describe
methods that permanently erase and remove data from a storage space. There are
many different strategies and techniques for data purging, which is often
contrasted with data deletion. Deletion is often seen as a temporary preference,
whereas purging removes the data permanently and opens up memory or storage
space for other uses.

 

10. Sensitive Information: Sensitive information is defined as information that
is protected against unwarranted disclosure.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 



 

 






 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

This procedure supports the organization data integrity process of electronic
information [Core-13(a)].

 

1. Data Accuracy and Trace-Ability:

 

a) The organization will follow the System Development Life Cycle (SDLC) process
for all internal system development activities. The SDLC provides a structured
methodology for the design, development, testing and implementation of new
systems and reduces the risk associated with errors that could be generated by
the introduction of new programs.

 

b) To promote data accuracy, the organization promotes the adoption of
relational database structures for its core systems (e.g. [***]). In a
relational database framework, referential integrity between tables will be
enforced by the definition of primary and secondary keys. Maintaining
referential integrity ensures the consistency of the data stored by avoiding
duplicate records and records with invalid information.

 

c) To promote data accuracy new systems must be subject to user testing and
certification steps. Test results must be documented and retained as part of the
project documentation.

 

d) To promote data accuracy, systems and applications must be designed to
validate data fields entered by end users. For online systems, data entry errors
must be reported to the user by generating an error message.

 

e) To promote data accuracy files received will be subject to a data validation
process prior to processing. Records with errors will be reported and will
require investigation and be subject to a clearance process in order to continue
processing.

 

f) To promote data accuracy reconciliation reports will be developed and
provided to the business owners for tracking and monitoring as part of their
daily work activities.

 

g) To promote data accuracy users will be trained on the proper use and
management of new applications.

 

h) To promote data accuracy administration access to production data will be
restricted to authorized personnel (e.g. Database Administrator).

 

i) To promote data integrity, user access will be granted based on the employee
job function. User access will require the approval of the business unit
manager.

 



 

 




 

j) To verify data accuracy database consistency checks must be run at least
annually.

 

k) To promote trace-ability, applications will maintain an audit trail of the
most recent changes performed by the users.

 

l) To promote data accuracy and trace-ability, changes to applications and
systems must follow the organization's change control and release management
procedures. Following these procedures is how the organization will ensure the
consistency, continuity and integrity of the data through software, application
and system upgrades.

 

 

 






 

m) To promote data accuracy and confidentiality, two-factor authentication will
be enforced for authorized telecommute users (e.g. working-from-home users).

 

n) To verify data accuracy end users will participate in the annual Disaster
Recovery test to confirm the successful restoration of the system and the system
data. Results will be documented and retained.
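The controls in items b), e) and j) can be seen working together in a small database. The following Python example is added here for illustration and is not part of the policy or of any TSM system; the two-table schema, the record layout and the sample rows are constructed assumptions. It validates received records before loading, holds rejected records for clearance, relies on key constraints for referential integrity, and runs a consistency check that finds an orphaned row loaded while enforcement was off.

```python
import sqlite3

# Hypothetical schema: claims.member_id is the foreign key that must agree
# with the primary key members.member_id (Definition 8 of the policy).
SCHEMA = """
CREATE TABLE members (member_id TEXT PRIMARY KEY);
CREATE TABLE claims (
    claim_id  TEXT PRIMARY KEY,
    member_id TEXT NOT NULL REFERENCES members(member_id),
    amount    REAL NOT NULL
);
"""

# Constructed sample of a received file, already split into fields.
INCOMING = [
    {"claim_id": "C1", "member_id": "M001", "amount": "120.50"},
    {"claim_id": "C2", "member_id": "M999", "amount": "80.00"},  # unknown member
    {"claim_id": "C3", "member_id": "M002", "amount": "-5"},     # invalid amount
    {"claim_id": "",   "member_id": "M001", "amount": "10"},     # missing key
    {"claim_id": "C1", "member_id": "M002", "amount": "30"},     # duplicate record
]


def open_db(enforce_fk=True):
    """Create the in-memory database; SQLite enforces foreign keys only on request."""
    # Autocommit mode, because PRAGMA foreign_keys is ignored inside a transaction.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO members VALUES (?)", [("M001",), ("M002",)])
    return conn


def validate_record(rec):
    """Field-level validation performed before the record reaches the database."""
    errors = []
    for field in ("claim_id", "member_id", "amount"):
        if not str(rec.get(field) or "").strip():
            errors.append(f"{field}: missing")
    if "amount: missing" not in errors:
        try:
            if not float(rec["amount"]) > 0:
                errors.append("amount: must be positive")
        except (TypeError, ValueError):
            errors.append("amount: not a number")
    return errors


def load_file(conn, records):
    """Load valid records; return (loaded ids, records held for clearance)."""
    loaded, held = [], []
    for line_no, rec in enumerate(records, start=1):
        errors = validate_record(rec)
        if not errors:
            try:
                conn.execute(
                    "INSERT INTO claims VALUES (?, ?, ?)",
                    (rec["claim_id"], rec["member_id"], float(rec["amount"])),
                )
                loaded.append(rec["claim_id"])
                continue
            except sqlite3.IntegrityError as exc:
                # Primary-key or foreign-key constraint rejected the row.
                errors = [str(exc)]
        held.append((line_no, errors))
    return loaded, held


def consistency_check(conn):
    """Periodic check: list rows whose foreign key has no matching parent row."""
    rows = conn.execute("PRAGMA foreign_key_check").fetchall()
    return [(table, rowid, parent) for table, rowid, parent, _fk in rows]


if __name__ == "__main__":
    db = open_db()
    ok, held_rows = load_file(db, INCOMING)
    print("loaded:", ok)
    for line_no, reasons in held_rows:
        print(f"held line {line_no}: {'; '.join(reasons)}")

    # A database loaded without enforcement can hold orphans until checked.
    legacy = open_db(enforce_fk=False)
    legacy.execute("INSERT INTO claims VALUES ('C9', 'M404', 1.0)")
    print("orphans:", consistency_check(legacy))
```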

 

2. Interoperability:

 

a) System and data Interoperability will be promoted by the adoption of open
based technology standards and protocols and adherence to each information
system interface.

 

3. Quality:

 

a) Data quality will be ensured by the manager in the business area having
responsibility over the data, with support from the information technology
specialists.

 

4. Telecommuters, Remote Users, Delegated Entities and Vendors changes:

 

a) Telecommuters, remote users, delegated entities and vendors authorized to
work on and support the systems and business applications used by the
organization will be subject to the system development and change management
controls established. Applying these processes and controls to production
systems and environments, as defined in the Change Management Policy, helps
reduce the risk of data corruption and system or application errors.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#9 Page 40 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Encryption and Cryptographic Algorithms

Drafted by:

René Rivera,



IT Compliance Supervisor

 

Reviewed by:

Miguel O. Mercado,

Information & Cyber Security Director

Approved by:

Juan Díaz Goitía, 

Chief Information Officer


           

I. Purpose:

 

TSM has established a formal policy concerning cryptographic and key-management
methods that limits the use of encryption to those algorithms that comply with
industry-accepted standards and have been proven to work securely and
effectively. Additionally, this policy provides direction to ensure that
required Federal Regulations and sound industry practices are followed, and
legal authority is granted for the dissemination and use of encryption
technologies outside Puerto Rico and the United States.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Encryption
Policy to provide management with direction and support to protect the
confidentiality, authenticity and integrity of the information by cryptographic
means.

 

IV. Definitions:

 

1. Proprietary Encryption: An algorithm that has not been made public and/or has
not withstood public scrutiny. The developer of the algorithm could be a vendor,
an individual, or the government.

 

2. Symmetric Cryptosystem: A method of encryption in which the same key is used
for both encryption and decryption of the data.

 

3. Asymmetric Cryptosystem: A method of encryption in which two different keys
are used: one for encrypting and one for decrypting the data (e.g., public-key
encryption).

 



 

 




 

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

TSM shall ensure that the Encryption and Cryptographic Algorithms Policy adheres
to the following conditions for purposes of complying with sound industry
practices and regulatory requirements. These practices help the organization
prevent confidentiality and security breaches [Core-15(b)]:

 

1. Whenever encryption is used, workers must not delete the sole readable
version of the information unless they have demonstrated that the decryption
process is able to reestablish a readable version of the information.

 

2. It shall not be allowed:

 

o The use of proprietary encryption algorithms for any purpose.

 

o The use of any deprecated cryptographic algorithms as reported in the NIST
Special Publication 800-131A Revision 1.

 

o The use of insecure in-transit protocols such as SSL versions 1, 2, 3 or TLS
v1.0.

 



 

 






 

o The use of weak key lengths and weak Random Number Generators, in accordance
with the NIST Special Publication 800-131A Revision 1.

 

3. Types of Encryption Algorithms:

 

Proven, standard algorithms such as AES256 and Three-Key Triple DES should be
used as the basis for protecting the confidentiality of the corporate
information. These algorithms represent the actual cipher used for an approved
application. Symmetric cryptosystem key lengths must be at least 128 bits.
Asymmetric crypto-system keys must be of a length that yields equivalent
strength.

 

Cipher Suites must be used in order of their encryption algorithm key strength
and length (e.g.):

 

o AES256



o AES192



o AES128



o Three-Key 3DES





 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions must be
documented and approved by the Information & Cyber Security Director.

 

4. Types of HASH Algorithms:

 

Proven, standard algorithms such as SHA-224, SHA-256, SHA-384 and SHA-512 should
be used as the basis for protecting the corporate information. These algorithms
represent the actual hash used for an approved application. MD5 and SHA-1 are
deprecated and MUST NOT be used to protect the corporate information in
accordance with the NIST Special Publication 800-131A Revision 1. Acceptable
hash functions are:

 

o SHA-224



o SHA-256



o SHA-384



o SHA-512

 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions MUST be
documented and approved by the Information & Cyber Security Director.

 

5. Types of Digital Signatures:

 

Digital signatures are used to provide assurance of origin authentication and
data integrity. The generation of a digital signature on data requires the use
of 1) a cryptographic hash algorithm that operates on the data to be signed, and
2) a cryptographic key and a signing algorithm to generate a signature on the
output of the hash function (and, by extension, the data that is intended to be
signed). Proven, standard algorithms such as DSA, ECDSA and RSA should be used
as the basis for protecting the corporate information in accordance with the
NIST Special Publication 800-131A Revision 1. For digital signature generation,
key lengths providing at least 112 bits of security are acceptable. For digital
signature verification, key lengths providing at least 112 bits of security
using approved digital signature algorithms are acceptable.

 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions MUST be
documented and approved by the Information & Cyber Security Director.

 

6. Protocols for Protecting Data while IN-Transit:

 

TSM shall ensure that all confidential data (including encryption keys) is
protected while in transit. Proven, standard protocols such as IPsec and TLS
should be used as the basis for protecting the corporate information while
in transit. The use of SSL in all its versions 1-3 and TLS v1.0 is prohibited.
TLS v1.2 and above is allowed in accordance with NIST Special Publication 800-52
Revision 1. IPsec MUST BE used ONLY with approved cryptographic algorithms.
Additionally, proven, standard security protocols such as Secured FTP (SFTP) and
Secured Shell (SSHv2) MAY be used as the basis for protecting the corporate
sensitive data during transmission over open, public networks.

 

Special concessions and exceptions could be made for applications transitioning
from deprecated algorithms into acceptable ones. These exceptions MUST be
documented and approved by the Information & Cyber Security Director.
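
The rules in items 2 through 6 above can be checked mechanically. The following is an added example, not part of the policy or of TSM's tooling: a Python audit of constructed service records. The record fields, service names, the `3DES-3KEY` label and the key-size-to-strength table (taken from NIST SP 800-57 Part 1, which the policy does not quote) are assumptions of the example, and it treats the algorithms the policy names as an allowlist.

```python
import re

# Rules transcribed from items 2-6 of the policy text.
PROHIBITED_PROTOCOLS = {"SSLv1", "SSLv2", "SSLv3", "TLSv1.0"}
OTHER_NAMED_PROTOCOLS = {"IPsec", "SFTP", "SSHv2"}
CIPHER_PREFERENCE = ["AES256", "AES192", "AES128", "3DES-3KEY"]  # strongest first
ACCEPTABLE_HASHES = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}
SIGNATURE_ALGORITHMS = {"DSA", "ECDSA", "RSA"}
MIN_SIGNATURE_STRENGTH = 112  # bits of security required by item 5

# Assumption: comparable strengths per NIST SP 800-57 Part 1.
# Each entry is (minimum key size in bits, bits of security), largest first.
_RSA_DSA = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
_ECC = [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]


def security_strength(algorithm, key_bits):
    """Bits of security a signature key provides; 0 if unknown or too small."""
    if algorithm not in SIGNATURE_ALGORITHMS:
        return 0
    table = _ECC if algorithm == "ECDSA" else _RSA_DSA
    for min_bits, strength in table:
        if key_bits >= min_bits:
            return strength
    return 0


def check_protocol(protocol):
    """Return a finding string, or None when the protocol is acceptable."""
    if protocol in PROHIBITED_PROTOCOLS:
        return f"protocol {protocol} is prohibited by the policy"
    match = re.fullmatch(r"TLSv(\d+)\.(\d+)", protocol)
    if match and (int(match[1]), int(match[2])) >= (1, 2):
        return None
    if protocol in OTHER_NAMED_PROTOCOLS:
        return None
    # Covers cases the policy neither prohibits nor allows, such as TLS v1.1.
    return f"protocol {protocol} is not named as allowed by the policy"


def check_ciphers(ciphers):
    """Check membership in the policy list and strongest-first ordering."""
    findings, ranks = [], []
    for cipher in ciphers:
        if cipher in CIPHER_PREFERENCE:
            ranks.append(CIPHER_PREFERENCE.index(cipher))
        else:
            findings.append(f"cipher {cipher} is not on the policy list")
    if ranks != sorted(ranks):
        findings.append("ciphers are not ordered strongest first")
    return findings


def audit(record):
    """Return the list of policy findings for one service record."""
    findings = []
    protocol_finding = check_protocol(record["protocol"])
    if protocol_finding:
        findings.append(protocol_finding)
    findings.extend(check_ciphers(record["ciphers"]))
    if record["hash"] not in ACCEPTABLE_HASHES:
        findings.append(f"hash {record['hash']} is not an acceptable hash function")
    strength = security_strength(record["sig_alg"], record["sig_key_bits"])
    if strength < MIN_SIGNATURE_STRENGTH:
        findings.append(
            f"{record['sig_alg']}-{record['sig_key_bits']} gives {strength} bits "
            f"of security, below {MIN_SIGNATURE_STRENGTH}"
        )
    return findings


# Constructed sample inventory (hypothetical services, not from the policy).
INVENTORY = [
    {"name": "claims-portal", "protocol": "TLSv1.2",
     "ciphers": ["AES256", "AES128"], "hash": "SHA-256",
     "sig_alg": "RSA", "sig_key_bits": 2048},
    {"name": "legacy-batch", "protocol": "TLSv1.0",
     "ciphers": ["AES128", "AES256", "RC4"], "hash": "SHA-1",
     "sig_alg": "RSA", "sig_key_bits": 1024},
    {"name": "partner-gw", "protocol": "TLSv1.1",
     "ciphers": ["3DES-3KEY"], "hash": "SHA-384",
     "sig_alg": "ECDSA", "sig_key_bits": 256},
]


def audit_inventory(inventory):
    """Map each service name to its list of findings."""
    return {record["name"]: audit(record) for record in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```

A finding raised by this check corresponds to a case that, under the policy, needs a documented exception approved by the Information & Cyber Security Director.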

 

7. Key Management Procedures:

 

TSM shall ensure that all key-management procedures for cryptographic keys are
documented and implemented to address the following considerations:

 

o Generate strong keys



o Securely distribute keys



o Securely store keys



o Conduct cryptographic key changes for keys that have expired



o Replacement of known or suspected compromised keys



o Prevent unauthorized substitution of keys



o Prevent the use of keys that were retired or replaced

 

Key agreement schemes with keys of 2048 bits or larger are acceptable in
accordance with NIST SP 800-56B. Key transport schemes with keys of 2048 bits or
larger are acceptable in accordance with NIST SP 800-56B.

 



 

 


 

8. Key Access and Security:

 

Encryption keys used for TSM information are always classified as confidential
information. Access to such keys must be limited to authorized personnel and
based upon job responsibilities.

 

TSM will require approval from the Information & Cyber Security Director or an
authorized representative prior to revealing encryption keys to consultants,
contractors, or other third parties.

 

Certificates must be signed in accordance with the above-mentioned digital
signature requirements of this policy.

 

9.    Portable Devices:

 

TSM shall ensure that all approved portable devices, such as laptops and general
mobile devices, are encrypted through TSM-approved tools including but not
limited to:

 

o Symantec End Point Protection system

 

o Airwatch for mobile devices

 

o PGP and Pkzip for end user file encryption capabilities

 

o FTP secured for file transmission

 

o HTTPS for encrypted web sessions, using TLSv1.2

 

Provided that the applications meet the above-mentioned requirements specified
in this policy.

 

10. Review:

 

TSM’s key length requirements shall be reviewed annually and upgraded as
technology allows.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#10
Page 45
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: General Information Security

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements for maintaining the
Information Security Policies and the organization's Information Security
Management Program, and to establish the direction of TSM by aligning the
documentation with sound information security practices, laws, and regulatory
requirements. [Core-15(b)]

 

II. Scope:

 

This policy applies to TSM, its subsidiaries, employees, temporary workers,
contractors, business partners and third party vendors contracted by TSM to
provide services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted a General
Information Security Policy to provide management clear direction in line with
business objectives and relevant laws and regulations. The policy also
demonstrates the support and commitment of the organization, its Senior
Management and the Board of Directors to maintaining a robust Information
Security Management Program (ISMP) in compliance with regulatory requirements
across TSM, subsidiaries and its direct and indirect affiliates. [Core-15(b)]

 

Information security policies are an organizational tool that helps its members
to be aware of the importance of protecting the organization's information
assets from threats such as cyber-attacks, internal theft and malicious programs,
among others, as these could result in the unauthorized disclosure of sensitive
or protected information and significant regulatory fines. [Core-15(b)]

 

Therefore, this policy focuses on defining general information security
requirements, based on industry standards and information security practices.
Adoption of these information security requirements allows TSM to mitigate or
reduce risks associated with threats that could expose critical information
assets of the organization. [Core-15(b)]

 

IV. Definitions:

 

1. Information Security: The practice of protecting data or information from
unauthorized access for viewing, modification, recording or destruction.

 

V. Responsibilities:

 

1. All employees of TSM and its subsidiaries, temporary workers, contractors,
business partners and third party vendors, without exception, must comply with
the information security policies.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 



 

 




 

3. In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

4. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

5. Non-Compliance

 

Any employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. Information Security Management Program

 

An Information Security Management Program (ISMP) shall be formally established,
implemented, operated and maintained. [Core-15(b)]

 

The ISMP shall be reviewed and updated at least annually considering the needs
of the organization and changes in existing business requirements, technologies,
threats and risks facing the organization. [Core-15(b)]

 

TSM Senior Management support for the ISMP shall be demonstrated through signed
acceptance or approval by management of the program. [Core-15(b)]

 

The ISMP shall include the relevant security domains for proper management of
the program as required by HITRUST. [Core-15(b)]

 

Personnel assigned with formal responsibilities in the ISMP must be competent in
information security tasks. [Core-15(b)]

 

2. Information Security Policy

 

The Information Security Policy shall be approved by Senior Management (e.g.
CEO, CFO, COO), published and communicated to all employees and required
external service providers. The Information Security Policy shall be supported
by a strategic plan and an ISMP with well-defined roles and responsibilities for
leadership and officer roles. The policy shall consider: [Core-15(b)]

 

o Definition of information security;



o Overall objectives and scope and the importance of security;



o Statement of management intent, supporting the goals and principles of
information security in line with the business strategy and objectives;

 



 

 


 

o A framework for setting control objectives including risk management;



o The need and goals for information security;



o Compliance scope;



o Applicable laws and regulatory requirements;



o Arrangement for notification of security incidents and breaches;



o Definition of roles and responsibilities for information security management.

 

The Information Security Policy, the ISMP and related documents shall have a
designated owner with approved management responsibility for accountability
purposes. [Core-15(b)]

 

The Information Security Policies shall be reviewed and updated at least
annually to ensure its continuing adequacy and effectiveness. [Core-15(b)]

 

3. Organization of Information Security

 

The Board of Directors and TSM Senior Management shall demonstrate commitment
and clear direction to support the Information Security Policy and the
organization's ISMP. [Core-15(b)]

 

An Information & Cyber Security Director must be appointed to ensure that the
required components of the Information Security Policy and the ISMP are
effectively implemented, maintained and are communicated to all stakeholders.
[Core-15(b)]

 

Information security activities shall be coordinated with a designated person in
the division. As such the Business Unit Manager has the responsibility to
designate a role for an Information Security Coordinator (ISC) to facilitate the
communication and coordination process in the implementation and maintenance of
the organization ISMP. [Core-15(b)]

 

TSM shall keep continuous contact with relevant regulatory requirements to
ensure that information security practices are in alignment with current
requirements. Additionally, contact with special interest groups, security
forums and professional associations shall be maintained. [Core-15(b)]

 

Independent reviews of the ISMP, such as independent assessments and audits,
shall be periodically planned and conducted to ensure continuing adequacy and
effectiveness of the security policies and procedures. [Core-15(b)]

 

VII. Attachments:

 

N/A

 



 

 






 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#11
Page 49
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: Information Exchange

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to ensure the exchange of information within TSM
and with external business partners, business associates and covered entities is
secured and protected, and carried out in compliance with relevant laws,
regulations and exchange agreements.

 

II. Scope:

 

This policy applies to all employees of TSM and its subsidiaries, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy supports the organization's plan for interoperability [CORE-13(c)].
The policy also addresses electronic communication and records that are
transmitted or stored by the organization [CORE-16(d)].

 

Triple-S Management Corporation (TSM) has adopted and implemented safeguards and
countermeasures to secure confidential and sensitive information exchanges.
These safeguards and controls are required to protect the confidentiality and
integrity of the information that is processed, stored, and transmitted by TSM
networks and systems.

 

IV. Definitions:

 

1. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used. Also, Virtual Private Network (VPN) is a method
employing encryption to provide secure access to a remote computer over the
Internet.

 

2. Information Exchange: The act of people, companies, and organizations passing
information from one to another, especially electronically, or a system that
allows them to do this.

 

3. Sensitive Information: Defined as information that is protected against
unwarranted disclosure.

 

4. Wiretapping: The practice of connecting a listening device to a telephone
line to secretly monitor a conversation.

 

5. Eavesdropping: Secretly listening to the private conversation of others
without their consent.

 



 

 




 

6. Cache: A computer memory with very short access time used for storage of
frequently or recently used instructions or data.

 

V. Responsibilities:

 

1. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.
 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This procedure supports the organization's plan for interoperability
[CORE-13(c)]. The procedure also addresses electronic communication and records
that are transmitted or stored by the organization [CORE-16(d)]. Attachment A
includes the list of systems within the scope of the URAC accreditation that
provide support for the internal and external interoperability standards.
Attachment B includes a High Level Architecture diagram for the [***] core
system which provides support for internal and external interoperability
requirements.

 

The diagram below is a high level representation of TSS core [***] application
architecture. The architecture is based on open system standards and the use of
SQL databases and web based systems.

 

TSM shall ensure that the exchange of information within TSM networks and
systems and with authorized external business partners, business associates and
covered entities is secured and protected.

 



 

 






 

Procedures shall be defined and documented to ensure that communication
protection requirements, including the security of exchanges of information,
include the following considerations as well as confidentiality and privacy
requirements:

 

1.    B2B Information Exchange Requirements:

 

a) Information exchanges including the transmission of sensitive and
confidential information including ePHI must be controlled and managed by the
Data Center Operation B2B group.

 

b) The Data Center Operation B2B group shall document, establish and maintain
formal data exchange policies, procedures, and controls to protect the exchange
of ePHI and company confidential information through the use of
corporate-approved communication methods managed by the B2B group.

 

c) ePHI information shall only be transmitted to business associates and covered
entities who have a demonstrated need to receive the information and which have
a Business Associate Agreement (BAA) duly signed and approved by the Legal
Division.

 

d) All ePHI transmissions must be performed via approved encrypted
telecommunication channels.

 

e) All ePHI files to be transmitted must be fully encrypted prior to
transmission over the secured telecommunication channel.

 

2. Electronic Communication:

 

a) When using electronic communication applications or systems for information
exchanges of sensitive and ePHI information, the following procedures and
guidelines shall be defined:

 

o Acceptable use of electronic communication applications or systems.

 

o Anti-malware for the detection of and protection against malicious code that
may be transmitted through the use of electronic communications.

 

o Secure wireless communications including an appropriate level of encryption.

 

o Cryptographic techniques shall be implemented to protect the confidentiality,
integrity and authenticity of TSM sensitive information (e.g., ePHI).

 

o Retention and disposal guidelines shall be defined and followed.

 

3. Personnel Awareness:

 

TSM personnel shall be appropriately educated and periodically reminded of the
precautions that TSM employees need to consider when sharing TSM sensitive and
ePHI with authorized third parties.

 

4. Exchange Agreements:

 



 

 






 

Exchange agreements shall be defined and implemented for the exchange of
information between TSM and external parties. The agreements shall specify
security controls on responsibility, procedures and technical solutions.

 

5.    Encryption:

 

TSM shall define and implement standard encryption algorithms for transmission
of private or confidential information over public networks protected by
industry standard protocols. Refer to the Encryption Policy.

 

6. Physical Media in Transit:

 

Media containing sensitive, confidential and ePHI information shall be protected
against unauthorized access, misuse or corruption during transportation beyond
TSM physical boundaries. The following requirements shall be implemented for
protection of physical storage media to be transported (i.e. backup tapes):

 

o Transportation shall be conducted by authorized couriers who have valid and
current contracts with TSM.

 

o Contracted transport or courier company must be able to track the status of
the backup media being transported.

 

o Procedures to check the identification of couriers shall be followed.

 

o Packaging shall be sufficient to protect the content from physical damage.

 

o Transportation of the media shall be conducted using locked containers.

 

o Delivery of the media shall be conducted by hand and confirmation of receipt
shall be maintained.

 

o Tamper-evident packaging (which reveals any attempt to gain access) shall be
used.

 

o Use of approved encryption methods for data being physically transported in
the storage media is required.

 

o Procedures for proper inventory and accountability of backup tapes shall be
defined, implemented and followed.

 

o Procedure for maintaining proper inventory of backup media shall be defined
and followed.

 

7. Interconnected Business Information Systems:

 

a) TSM shall define and implement procedures and guidelines to protect
information associated with the interconnection of business information systems
between TSM and third parties’ networks.

 

b) Security controls such as a firewall and network segmentation shall be in
place to manage the exchange of information with third parties when using public
networks. The firewall shall restrict connections between untrusted networks and
systems storing, processing or transmitting sensitive (e.g., ePHI) information.

 



 

 






 

c) Third parties that do not meet TSM Information Security Policies shall not
be trusted and interconnected until TSM receives the assurance that the third
party meets the security controls.

 

VII. Attachments:

 

ATTACHMENT C- Internal and External Interoperability [CORE-13(c)]

 

ATTACHMENT D- High Level Architecture for Internal and External Interoperability
[CORE-13(c)]

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#12
Page 54
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Department: Information Security
Last Review Date: 08/11/2016
Policy Name: IT Compliance Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements to ensure that the design,
operation, use, and management of information systems complies with industry
laws, regulations and contractual obligations, including security requirements.

 

II. Scope:

 

This policy applies to employees of TSM and its subsidiaries, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the IT
Compliance Policy to provide management with direction and support for the
implementation of appropriate security measures for the identification of
applicable local and federal legislation, intellectual property rights of TSM
over its products and services, protection of organizational records, and other
related subjects related to legal and regulatory compliance that are expected of
organizations in the insurance and healthcare industry. [Core-13(b) &
Core-15(c)]

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 



 

 




 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4.    Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

This section is composed of different sections which detail the policies
required for TSM to ensure effective compliance efforts.

 

1. Identification of Applicable Legislation:

 

TSM must ensure that applicable local (i.e. Puerto Rico Insurance Commissioner
Officer) and Federal (i.e. HHS, OCR, HIPAA, HITECH) Information Security
regulatory requirements are addressed, implemented and maintained.

 

TSM must be a member of a recognized industry trade associations including
thought leadership and similar organizations (i.e. Asociacion de Compañias de
Seguros de PuertoRico – ACODESE) in order to stay abreast of industry’s legal,
regulatory, and technology environmental trends (and threats) that could have an
impact on TSM operations including but not limited to TSM information security
policies and procedures which, might need to be updated accordingly to consider
those new trends and threats.

 

2. Intellectual Property Rights:

 

Detailed procedures must be prepared for compliance with intellectual property
rights and for the use of proprietary software products. The procedures to be
developed must include the following elements:

 

a) Acquisition of software only through known and reputable sources to avoid
copyright violations.

 

b) Keep in a safe place all formal and documented evidence of license ownership,
master disks, owner’s manuals, and any other documented evidence.

 



 

 






 

c) Implementing controls to avoid exceeding the number of authorized users
allowed by the purchased license.

 

d) Establish controls to avoid copying software and any other illegal approach
to increase users.

 

e) Implementing a license tracking mechanism (manual or automated) to ensure
proper control of the software.

 

f) At least on a yearly basis, perform an audit of employees' computers to
identify any unauthorized software installation.

 

g) The information regarding software purchase must be kept in an asset registry
or inventory (refer to Asset Management policy for details).

 

3. Protection of Electronic Records: [Core-13(b)]

 

TSM is responsible to ensure that sensitive data like member or patient medical
electronic records, legal contracts or agreements, financial information,
employee records and other sensitive information is protected from loss,
accidental destruction (i.e. fire, earthquake, flood, etc.) and from
unauthorized access.

 

TSM will issue guidelines that will include ownership, classification,
retention, storage, handling and disposal of electronic records and information.
A member of the business shall be designated as the Data Owner and will be
responsible for assigning the corresponding data classification level (i.e.
confidential). The ISG will ensure that security controls are applied based on
the assigned data classification level (i.e. encryption).

 

4. Retention of Electronic Records: [Core-13(b)]

 

As part of the protection efforts, electronic and physical information must be
retained for the minimum period established by regulation.

 

| No. | Documentation | Retention Period |
|-----|---------------|------------------|
| 1 | TSM must comply with local and Federal document retention regulations for both physical and electronic information: formal policies and procedures, risk assessment evaluation results and disclosures of protected health information. | 6 years |
| 2 | For notice requirements, TSM (as a covered entity as defined by HIPAA) must comply with the minimum requirement period. This requirement includes any written acknowledgements of receipt of such notice or documentation of good faith to obtain such written acknowledgement. | 6 years |
| 3 | For electronic Protected Health Information (ePHI), TSM must retain records of disclosures needed to perform treatment, payment and health care operations. | 3 years |
| 4 | TSM must document restrictions in disclosure and formally keep such files or an electronic copy. | 6 years |
| 5 | Accounting of disclosures, including the information required for disclosure, the information provided to the individual, and the positions and titles of the person (including unit) that received and processed the request for accounting of such request. | 6 years |
| 6 | Minimum period of retention of PHI for deceased plan members. | 50 years |
| 7 | Federal Tax Information (FTI) | 5 years |
| 8 | Audit information | 7 years |

 

5. Electronic Record Retention Program: [Core-13(b)]

 

TSM must develop and update a formal electronic record retention program that
includes:

 

o Secure disposal of information (physical and electronic) when it is no longer
needed and no longer required as per documented retention requirements.

 

TSM must develop procedures for secured storage, access, retention and disposal
that shall include the following controls as minimum:

 

o Retention schedule to identify record types and the time period that must be
retained according to such type.

 

o Inventory of sources of key information.

 

o To facilitate decryption, all encryption key material (including digital
signatures), programs and documentation should be stored securely.

 

6. Data Protection and Privacy of Covered Information:

 



 

 




 

a) A data protection and privacy policy (refer to Data Classification Policy)
must be developed to ensure security of sensitive TSM data including EPHI. The
policy must be distributed and communicated to all relevant parties. The policy
must be updated with latest regulatory requirements and the necessary technical
security controls according to classification of assets on an annual basis.

 

b) A data protection officer should be appointed that will be in charge of
assigning responsibilities as presented in the data classification policy. Refer
to the Data Classification policy for data ownership and the responsibility
according to the role.

 

c) Covered information must be rendered unreadable anywhere it is stored (i.e.
PCs, portable digital media, backup media, servers, databases, or in logs) using
the following approach (for details refer to encryption policy): [Core-13(b)]

 

o Full disk encryption



o Virtual disk encryption



o Volume disk encryption



o File and folder encryption

 

d) The encryption approach shall be performed using one or a combination of the
following: [Core-13(b)]

 

o One-way hashes based on strong cryptography



o Truncation

 

o Strong cryptography with associated key-management processes and procedures

 

e) Protection of information assets must be according to its assigned data
classification level (i.e. applying encryption control to PHI/PII).
[Core-13(b)]

 

f) The implementation of security and privacy protections includes transfers of
TSM records and even extracts of such records (i.e. spreadsheet information, PDF
images of documents, electronic copies, and any other format including .TXT).
[Core-13(b)]

 

7. Prevention of Misuse of Information Assets:

 

Controls must be established to avoid unauthorized use of sensitive information
including ePHI/ePII. The following controls must be established:

 

a) Notification to employees, contractors and service providers that their
actions may be monitored and are subject to, depending on the event,
disciplinary actions (employees) or penalties and even contract termination
(contractors and service providers).

 

b) All employees, contracted personnel (professional services) and service
providers (i.e. consultants, auditors) must sign an acceptable use agreement
(refer to acceptable use policy for details). The agreement must establish that
they have read, understand and agree to abide by the rules of behavior before
TSM management authorizes access to any database and information system of TSM.
This must be performed on a yearly basis as this document is updated
accordingly.

 

c) TSM must render the Primary Account Number (PAN) and PHI and PII information
unreadable via encryption wherever it is stored including portable media.

 

d) The criteria of what is considered acceptable use of sensitive information
should be reviewed every year to update as needed due to regulatory requirements
or because of new technologies and threats.

 

8. Regulation of Cryptographic Controls: [Core-13(b)]

 

Refer to the encryption policy for details; however, all cryptographic controls
need to be reviewed annually for minimum standards established by local and
Federal Regulations.

 

9. Compliance with Security Policies and Standards: [Core-15(c)]

 

Reviews of the compliance of systems with applicable security policies and
standards (i.e. HIPAA, local and Federal regulations, etc.) should be conducted
by the ISG team.

 

Compliance reviews should be formally documented including all relevant
evidence. If noncompliance is found, TSM management must:

 

a) Determine the cause for non-compliance (intentional, lack of training, lack
of resources, etc.)

 

b) Evaluate the need for actions to ensure remediation effort is effective

 

c) Select and implement a remediation action

 

d) Perform a re-testing effort to ensure corrective action was effective

 

Develop a continuous monitoring strategy that includes security metrics.

 

10. Technical Compliance Checking: [Core-15(c)]

 

TSM must check the technical security configuration of its systems at least
annually. In the case where services are provided by a third party, the
agreement must allow TSM to verify compliance with processing and security
requirements required by TSM.

 

11. Information Systems Audit Controls: [Core-13(b)]

 

TSM must require an annual audit of its information systems to ensure protection
of data received, stored and transmitted through the systems.

 



 

 






 

In the case of service providers that manage PHI and PII information, the
requirement of an audit must be included in their contracts: either TSM is
allowed to audit or an SSAE 16 SOC 1 and/or SOC 2 will be required from the
service provider depending on the service provided or information processed.

 

12. Protection of Information Systems Audit Tools: [Core-15(c)]

 

Access to audit applications and the databases generated from those applications
should have access controls which limit such access to authorized personnel, and
the type of access should be according to role in the audit and oversight of
such audit.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, 1

 

 

 


 

Policy No.: ISP#13 Page 61 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Network Security

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define the security requirements for the
implementation and management of telecommunication networks. The security
requirements are required to protect the organization's IT assets from internal
and external threats and to maintain the security of the systems and
applications using the telecommunication network to support the business
objectives of the organization and of our internal and external clients.
[Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has adopted and implemented safeguards and
countermeasures to secure TSM telecommunication network and systems, in order to
protect the confidentiality, integrity, and availability of information that is
processed, stored, and transmitted by TSM networks and systems. These controls
are implemented to support the business objectives of the organization and to
comply with applicable laws and regulations. [Core-15(b)]

 

IV. Definitions:

 

1. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used. Also, Virtual Private Network (VPN) is a method
employing encryption to provide secure access to a remote computer over the
Internet.

 

2. Router: Device that interconnects logical networks by forwarding information
to other networks based upon IP addresses.

 

3. Switch: Networking device that keeps track of MAC addresses attached to each
of its ports so that data is only transmitted on the ports that are the intended
recipient of the data.

 

4. Network Diagram: Unique kind of diagram that represents a cluster or small
structure of computers or other networking devices. Generally, it is made up of
interconnected devices and systems.

 

5. Wireless Access Point (WAP): A networking hardware device that allows
wireless devices to connect to a wired network using Wi-Fi, or related
standards.

 



 

 




 

6. Simple Network Management Protocol (SNMP): Protocol governing network
management and the monitoring of network devices and their functions. A set of
protocols for managing complex networks.

 

V. Responsibilities:

 

1. All TSM and its subsidiaries' employees, temporary workers, contractors,
business partners and third party vendors, without exception, must comply with
the information security policies.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

Telecommunication network controls shall be managed and implemented to protect
TSM IT assets, systems and information and to maintain the security, integrity
and availability of the systems and applications. Telecommunication network
controls are also required to avoid the unauthorized access, use, disclosure,
disruption, modification, or destruction of TSM IT assets and electronic
information. [Core-15(b)]

 

1. Network Controls

 

A current telecommunication network diagram shall be maintained. The
telecommunication network diagram shall document all internal and external
connections to TSM systems storing, processing or transmitting information
(e.g., PII, ePHI). The diagram shall also include authorized wireless networks
and Wireless Access Points (WAP). [Core-15(b)]

 

The telecommunications network diagram shall be reviewed and updated based on
the changes in the environment and no less than every 6 months. [Core-15(b)]

 

TSM management shall implement telecommunications network controls to ensure the
security of the IT assets and the protection of connected systems and active
services from unauthorized access as well as to ensure the availability of the
required telecommunication network services in order to support the
organization's Business Continuity and Disaster Recovery strategy. [Core-15(b)]

 

2. Segregation of Networks

 

Firewalls shall be used to segregate and control traffic between the TSM
internal network and external networks (Internet and authorized 3rd party
networks), and any Demilitarized Zone (DMZ). [Core-15(b) & Core-15(c)]

 

An internal network perimeter shall be implemented by installing firewalls and
implementing the required virtual networks to control access and information
flow between TSM domains to authorized traffic. The firewall shall be capable of
enforcing security policies, be configured to filter traffic between TSM
domains, and block unauthorized access in accordance with TSM User Access
Policy. [Core-15(b) & Core-15(c)]

 

Wireless Access Points (WAP) shall be segregated from the internal and private
TSM networks. A firewall shall be implemented between any wireless network and
TSM information systems environment. [Core-15(b) & Core-15(c)]

 

3. Network Connection Controls

 

Managed interfaces and network traffic shall be denied by default and allowed by
exception (i.e., deny all, permit by exception). [Core-15(b)]

 

Access controls shall restrict the ability of users to connect to TSM internal
network(s), in accordance with the User Access Policy and the requirements of
TSM business applications and services. [Core-15(b)]

 

4. Router & Switch Configuration

 

Every router, switch and firewall connecting to a TSM production
telecommunication network must meet the following configuration controls:
[Core-15(b)]

 

a) Local or default user accounts shall not be configured on the router or
switch.

 

b) All default passwords of the equipment must be changed.

 

c) Access to the administrator password shall be provided only to authorized
personnel based on their job function and role.

 

d) Unnecessary user or equipment accounts shall be disabled.

 

e) The following services or features must be disabled unless a business
justification is provided:

 



 

 










 

o IP directed broadcasts.



o Incoming packets at the router/switch sourced with invalid addresses such as
RFC1918 addresses.



o TCP small services.



o UDP small services.



o All source routing and switching.



o All web services running on router.



o Discovery protocol on Internet connected interfaces.



o Telnet, FTP, and HTTP services.



o Auto-configuration.

o Discovery protocols.

o Dynamic trunking.



o Scripting environments, such as the TCL shell.

 

f) Restricted access statement banner shall be presented for all forms of login
whether remote or local.

 

g) Access must be restricted to only TSM authorized personnel.

 

h) All device updates shall be done using secure routing updates and shall
adhere to the TSM Change Management process.
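
The checks in items e) and f) above can be automated against a saved device configuration. The following is an added example, not part of the policy: it assumes IOS-style configuration syntax (the policy names no vendor), and the sample configuration, hostname and interface names are constructed.

```python
import re

# Assumption: IOS-style syntax. Each pattern matches a line that explicitly
# enables a feature that item e) says must be disabled; "no ..." lines do
# not match. Defaults differ by platform and release and are often omitted
# from a saved configuration, so a clean result here is not proof that a
# feature is off; it only shows that nothing turns it on explicitly.
PROHIBITED = [
    ("IP directed broadcasts", r"^\s*ip directed-broadcast\b"),
    ("TCP small services", r"^\s*service tcp-small-servers\b"),
    ("UDP small services", r"^\s*service udp-small-servers\b"),
    ("Source routing", r"^\s*ip source-route\b"),
    ("Web services on the device", r"^\s*ip http (secure-)?server\b"),
    ("Discovery protocol", r"^\s*(cdp|lldp) run\b"),
    ("Telnet", r"^\s*transport input\b.*\b(telnet|all)\b"),
    ("Auto-configuration", r"^\s*service config\b"),
    ("Dynamic trunking", r"^\s*switchport mode dynamic\b"),
]

# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
hostname edge-sw-01
service tcp-small-servers
no service udp-small-servers
no ip source-route
ip http server
no ip http secure-server
cdp run
!
interface GigabitEthernet0/1
 description uplink
 ip directed-broadcast
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 no ip directed-broadcast
 switchport mode access
!
line vty 0 4
 transport input telnet ssh
!
"""


def audit_config(text):
    """Return findings as (line_no, context, control, config_line) tuples.

    line_no 0 marks a control that is missing from the whole file.
    """
    findings = []
    context = "global"
    has_banner = False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        # Unindented lines open a new stanza or are global commands.
        if not line.startswith(" "):
            is_stanza = line.startswith(("interface ", "line "))
            context = line if is_stanza else "global"
        # Item f): a restricted-access banner must be configured.
        if re.match(r"banner (login|motd)\b", line):
            has_banner = True
        for control, pattern in PROHIBITED:
            if re.search(pattern, line):
                findings.append((number, context, control, line.strip()))
    if not has_banner:
        findings.append((0, "global", "No login banner (item f)", ""))
    return findings


if __name__ == "__main__":
    for number, context, control, line in audit_config(SAMPLE_CONFIG):
        print(f"{number:>3}  {context:<30}  {control}: {line}")
```

Findings from a run like this still need the business-justification review that item e) allows before a service is treated as a violation.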

 

5. Wireless Security

 

When configuring Wireless Access Points (WAP) and devices, the organization
shall change the following: [Core-15(b)]

 

o Equipment administrator default password.

 

o Vendor default encryption keys.

 

o Encryption keys anytime anyone with knowledge of the keys leaves TSM or
changes positions.

 

o Default SNMP community strings on wireless devices.

 

o Default passwords/passphrases on access points.

 

o Other security-related wireless vendor defaults, if applicable.

 

TSM shall monitor all authorized and unauthorized Wireless Access Points (WAP)
to TSM information systems and networks. The installation of Wireless Access
Points (WAP) is prohibited, unless explicitly authorized, in writing, by the
Infrastructure Manager and the Information & Cyber Security Director.
[Core-15(b) & Core-15(c)]

 

Approved Wireless Access Points (WAP) and devices shall have appropriate
encryption enabled for authentication and transmission and shall be placed in
secure areas. [Core-15(b)]

 

6. Security of Network Services

 



 

 










 

Security features, service levels, and management requirements of all network
services shall be identified, documented and included in any network services
agreement, whether these services are provided in-house or outsourced.
[Core-15(b)]

 

Agreed services shall be determined and regularly monitored, and the right to
audit shall be agreed by management. [Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, 1

 

 

 




 

Policy No.: ISP#14 Page 66 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Password Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to establish the standard for creation of strong
passwords, the protection of those passwords, and the frequency of change.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Password
Management Policy to provide management with direction and support for the
implementation of strong password practices. Passwords are an important aspect
of information security and they are designed to protect user accounts. Weak
passwords may result in the compromise of TSM information systems. All TSM users
are responsible for taking the steps to select a strong password and secure
their passwords.

 

Users shall be made aware of their responsibilities for maintaining effective
access controls and shall be required to follow good security practices in the
selection and use of passwords and security of equipment. It is the
responsibility of employees, temporary workers, contractors and vendors to
ensure, to the maximum extent, that third parties have no knowledge of any of
the passwords to access TSM databases, networks, applications and systems.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 



 

 




 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. General Requirements:

 

The following practices shall be communicated to all TSM users and followed by
all employees:

 

a) Keep passwords confidential.

 

b) Passwords shall not be displayed when entered.

 

c) Avoid keeping a record (e.g., paper, file in the computer) of passwords.

 

d) Change passwords whenever there is any indication of a possible system or
password compromise.

 

e) Do not share your user account or password.

 

f) Do not provide the password to anyone for any reason.

 

g) The use of the same password for business and non-business purposes shall be
avoided.

 

h) Select strong passwords that meet TSM Password Management Guidelines.

 

i) Default vendor passwords shall be modified following installation of any
system, software or application.

 



 

 




j) The allocation of passwords shall be controlled through a formal management
process. The use of third parties or unprotected (clear text) electronic mail
messages shall be avoided.

 

2. Password Creation:

 

a) All user-level and system-level passwords must conform to TSM strong password
guidelines.

 

b) Users must not use the same password for TSM accounts as for other non-TSM
access accounts (i.e. personal ISP account, etc.).

 

c) User accounts that have system-level privileges granted through group
memberships or programs such as “sudo” (temporary privilege elevation) must have
a unique password from all other accounts held by that user to access TSM
systems.

 

d) Where Simple Network Management Protocol (SNMP) is used, the community
strings must be defined as something other than the standard defaults of public,
private, and system and must be different from the passwords used to log in
interactively.

 

3. Password Change and Parameters:

 

This Policy specifies the minimum requirements and password parameters across
all the system environments (network, operating system, applications and data
repository, if applicable).

 

a) LAN passwords shall be changed at least every 90 days.

 

b) Passwords for privileged accounts (i.e. system administrators) shall be
changed at least every 60 days.

 

c) Password length must be a minimum of eight (8) characters.

 

d) Passwords shall be easy to remember but not easy to guess, free of words
included in dictionaries, free of consecutive identical characters and require a
combination of alphabetic, upper and lower case characters, numbers, and special
characters (combination of any three (3) of the above four (4) listed is
acceptable).

 

e) Passwords shall be prohibited from being reused for at least four (4)
generations for users or six (6) generations for privileged users, and at least
four (4) characters shall be changed when new passwords are created.

 

f) Temporary passwords shall be unique to an individual and shall not be
guessable.

 

g) User identity shall be verified before performing the password reset process.

 



 

 









 

h) Temporary passwords shall be changed at the first log-on.

 

i) Temporary passwords shall be given to users in a secure manner.

 

j) Allow a minimum of three (3) failed login attempts before disabling the
accounts.

 

4. Password Protection:

 

a) Passwords must not be shared with anyone. All passwords are to be treated as
sensitive, Confidential TSM information.

 

b) Users shall not reveal their passwords over the phone to anyone.

 

c) Do not write passwords down or store them anywhere in your office.

 

d) Do not store passwords in a file on a computer system without encryption.

 

e) Do not use the "Remember Password" feature of applications (for example, web
browsers).

 

f) Any user suspecting that his/her password may have been compromised must
report the incident to the ISG and change all passwords.

 

5. Application Development:

 

Application developers must ensure that their programs contain the following
security precautions:

 

a) Support authentication of individual users, not groups.

 

b) Applications must not store passwords in clear text or in any easily
reversible form.

 

c) Applications shall not transmit passwords in clear text over the network.
(For further information, see Minimum Security Requirements Baseline.)

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#15 Page 70 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Physical and Environmental Security

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer


           

I. Purpose:

 

TSM has established a formal policy and supporting procedures concerning
physical and environmental security to prevent loss, damage, theft or compromise
of IT assets and interruption to TSM IT business functions.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Physical and
Environmental Security Policy to provide management with direction and support
to prevent unauthorized physical access, damage, and interference to TSM’s IT
asset storage locations such as the primary data center and information.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or the Corporate Security Director responsible for physical security.

 



 

 




 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. Physical Security Perimeter:

 

a) Computers and IT assets that store or process sensitive and confidential
business or ePHI information shall not be located in areas that are unattended
or have unrestricted access by public or visitors to the facilities.

 

b) At the data center, access to a delivery and loading area from outside of the
building shall be restricted to identified and authorized personnel.

 

c) All physical security for the TSM buildings will be managed and monitored by
the Real Estate & Facilities Division of TSS, which has designated a Corporate
Security Director to manage the physical security program for offices and
facilities.

 

2. Physical Entry Controls to Data Center:

 

Adequate physical security measures must be implemented to protect TSM
computer and communications equipment, and data from unauthorized access,
disclosure, modification, destruction, loss, and misuse whether accidental or
intentional.

 

a) Authorized credentials shall be issued for all personnel with access to TSM
facilities.

 

b) A list of authorized personnel with access to the Data Center shall be
developed and approved. This list shall be reviewed at least quarterly.
Personnel for whom access is no longer required shall be removed from the list.

 

c) Access to areas where sensitive, confidential and PHI information is
processed or stored shall be controlled and restricted to authorized persons
only.

 

d) Servers and communication devices should be kept in secured physical areas.
Access to these areas should be restricted to authorized personnel and
contractors working for TSM and who have a demonstrated need to access the area.

 

e) Access to TSM offices should be protected and subject to monitoring (e.g.
video surveillance). This may include, but is not limited to, protection by PIN,
card swipe devices, biometric devices, door locks and video surveillance
systems.

 



 

 

 


 

f) Access to the data center server room shall require the authorized employee
to use the assigned ID card as well as a biometric authentication method.

 

g) Access to the data center shall be restricted to authorized personnel and be
subject to video surveillance.

 

h) A visitor log shall be maintained to record all authorized visits to the data
center.

 

i) Third party support service personnel shall be granted restricted access to
secure areas or covered information processing facilities only when required.
This access shall be authorized and monitored.

 

j) For the data center, maintain physical access audit logs for at least two
years and review the visitor records periodically, but no less than monthly.

 

k) The security access PIN number should be changed every 180 days or when an
employee with knowledge of the PIN is terminated.

 

3. Visitors to Data Center:

 

a) A visitor log to the data center shall be maintained. The visitor’s log
records shall contain the following information:

 

o Name and organization of the person visiting.

 

o Signature of the visitor.

o Form of identification.

o Date of access.

 

o Time of entry and departure.

 

o Purpose of visit.

 

o Name and organization of person visited.

 

b) All visitors must be identified prior to gaining access to restricted areas
controlled by TSM.

 

c) All visitors must be admitted to TSM premises only for specific authorized
purposes.

 

d) All physical access shall be granted with the minimum required access needed
to perform the personnel's duties and job responsibilities.

 

e) Visitors to TSM offices and the data center must be escorted and supervised
at all times by an authorized TSM employee, consultant, or contractor.

 

f) Individuals who are neither TSM employees, nor authorized contractors, nor
authorized consultants, shall not be provided access to areas containing
sensitive, confidential or PHI information.

 



 

 

 


 

g) Entrance to the TriServe Tech, Data Center by external personnel (non-regular
employees) must be notified in advance to the Data Center supervisor.

 

4. Physical Environmental Controls:

 

a) Physical protection measures against damage from fire, flood, earthquake,
explosion, civil unrest, and other forms of natural or man-made disaster shall
be designated and implemented, to protect and maintain the availability of
Triple-S Management Corporation (TSM) assets like computer and communications
equipment, and data from loss and/or destruction, whether accidental or
intentional.

 

b) TSM shall develop, disseminate and review/update annually:

 

o Formal, documented physical and environmental protection policies that
address purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance. (For further
information, refer to GTS Business Continuity Plan (BCP) and the Security
Awareness & Training policy.)

 

o Formal, documented procedures to facilitate the implementation of the physical
and environmental protection policy and the associated protection controls.

 

c) The following controls shall be implemented to avoid damage from fire, flood,
earthquake, explosion, civil unrest, and other forms of natural or man-made
disasters:

 

o Appropriate fire extinguishers shall be located throughout the facility.

 

o The fire extinguishers shall be no more than 50 feet away from critical
electrical components.

 

o Fire detectors (e.g., smoke or heat activated) shall be installed on and in
ceilings and floors.

 

o Fire authorities shall be automatically notified when a fire alarm is
activated.

 

5. Maintenance Personnel:

 

All maintenance personnel access shall be authorized, monitored and validated
periodically.

 

6. Inventory of Hardware:

 

a) TSM will maintain an up-to-date inventory of computer and
communications equipment, removable storage media, and software under its
control. At a minimum, the inventory of information system components shall
include manufacturer, type, serial number, and physical location.

 

b) Procedures shall be developed, documented and implemented effectively to
control the flow of equipment into and out of the organization. Business
Managers shall authorize the delivery or removal of TSM information system
equipment.

 

7. Secure Disposal or Re-Use of Equipment:

 



 

 

 


 

Equipment containing storage media shall be checked to ensure that any sensitive
business information and licensed software is physically destroyed or completely
removed/erased using industry standard secured methods of destruction prior to
disposal or re-use.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#16 Page 75 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Remote Access

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to define requirements for connecting to the TSM
network from a remote location by authorized users. These requirements are
designed to minimize the potential risk associated with remote connections and
protect TSM IT assets from exposure.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Remote
Access Policy to provide management with direction and support for the
implementation of appropriate authentication methods to control access to the
TSM IT assets by remote users.

 

IV. Definitions:

 

1. Remote Access: Any connection to TSM network(s) or information systems that
originates from a computer or device located outside of the TSM network.

 

2. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used. Also, Virtual Private Network (VPN) is a method
employing encryption to provide secure access to a remote computer over the
Internet.

 

3. Authentication: Authentication is the process of confirming the correctness
of the claimed identity.

 

4. Authorization: To allow access only to those resources which are appropriate
to that entity's identity.

 

5. Strong password: Consists of at least eight characters (and the more
characters, the stronger the password) that are a combination of letters,
numbers and symbols (@, #, $, %, etc.).

 

6. Accountability: The quality or state of being accountable; especially: an
obligation or willingness to accept responsibility or to account for one's
actions.

 



 

 




 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director or Triple-S Management in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)].

 

Remote connections represent a high risk access method if adequate controls and
management procedures are not implemented and followed. For this reason, TSM has
established a remote access policy and procedures to protect the organization's
IT assets from unauthorized access. The primary objective of this policy is to
protect the confidentiality, integrity and availability of the IT assets in
accordance with TSM established business objectives and regulatory requirements.

 

The following requirements were defined for accessing TSM’s network and IT
assets from a remote (external) location. This includes connections
performed to support remote working from home activities or establishing remote
connections to the TSM corporate network to perform system monitoring
activities, provide system support or conduct maintenance to production systems
among other activities.

 

1. General Requirements:

 

a) Authorization to grant remote access permission will require manager
approval.

 



 

 






 

b) The managers are responsible for recertifying on a quarterly basis the list
of authorized remote access users.

 

c) Managers must ensure that remote access is limited only to authorized users
and that this type of access shall be kept to the minimum number of employees.

 

d) All users shall have a unique identifier (user-id) to ensure proper
identification and authentication.

 

e) A stronger user authentication method must be implemented and used to
authenticate remote users. Two of the following factors shall be used to conduct
the remote user authentication process:

 

o Something you know (e.g. User ID & Password)

 

o Something you have (e.g. Symantec VIP two factor authentication token, Azure
two factor authentication token)

 

o Something you are (e.g. biometric technology)

 

f) All remote access sessions must be monitored and audit logs of remote
connections shall be protected and retained. Remote access logs shall be
retained for a period of 1 year online and 3 years on backup tapes.

 

g) Authorized users shall protect their assigned user id, password and the
assigned second factor authentication method at all times and shall not share
them with others.

 

h) The Information Security Group (ISG) shall ensure that redundant or duplicate
user IDs and second factor authentication methods are not issued.

 

i) Regular user activities shall not be performed from privileged accounts.

 

j) All computer devices that are connected to TSM network(s) remotely must have:

 

o Updated anti-virus and anti-spyware software installed and active.

 

o Updated operating system patches.

 

o Updated application level patches (e.g. Acrobat, Flash)

 

k) Remote access by vendors and business partners (e.g., maintenance, reports or
other data access) shall be maintained in a disabled state unless specifically
authorized by management.

 

l) Remote access by vendors and business partners shall also be immediately
deactivated after use.

 



 

 






 

m) The remote connection shall be automatically disconnected from the TSM
network after 30 minutes of inactivity.

 

2. Access Request:

 

An approved Access Request Form shall be submitted to the Information Security
Group (ISG) to establish and grant remote access permission for authorized
employees (Regulars and/or Temporary), prior to connecting to TSM information
systems. The following practices shall be established:

 

a) The access request shall indicate a predefined date, profile based on job
responsibilities or assignments to specific functions and/or resources.

 

b) Remote access shall be restricted to authorized personnel and must be
requested and be authorized by the user's manager or supervisor.

 

c) Remote users’ access rights and privileges shall be restricted to the minimum
services and functions necessary to carry out their job role or function.

 

d) The activity of each account can be monitored at any time and may be
terminated by the ISG at any time.

 

e) Access to Confidential, Restricted and Protected information will be limited
to authorized personnel whose job responsibilities require this type of
information or as determined by the Application Owner.

 

3. Emergency Access:

 

In case of any situation where an emergency access is needed, the request will
follow the established process stated on the User Access Policy.

 

4. Access Review:

 

A formal process shall be conducted at regular intervals by system owners and
application owners in conjunction with ISG to confirm that remote users’ access
rights remain appropriate. The review shall be documented and signed off by the
applicable responsible party.

 

Managers are responsible for recertifying on a quarterly basis the list of
authorized remote access users.

 

VII. Attachments:

 

ATTACHMENT E - Remote Access Procedure

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#17 Page 79 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Removable Device Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer


           

I. Purpose:

 

The purpose of this policy is to establish the requirements for the use of
removable devices on TSM information systems and equipment, to minimize the risk
associated with loss or exposure of sensitive information such as PII, PHI and
ePHI managed by TSM. The policy is also designed to reduce the risk associated
with malware infections, computer viruses and botnets that can be propagated on
computers operated by TSM by this type of device.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries' employees, temporary workers,
contractors, business partners, third party vendors and physical facilities with
access to TSM information, information systems or IT equipment (i.e. computer,
server, laptop and mobile devices) who intend to store any information on
removable media devices.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Removable
Device Management policy, to provide management with direction and support for
the implementation of safeguards to ensure the proper use of removable media
devices used to store and transfer information by users who have been authorized
access by TSM management to use this type of equipment for the purpose of
conducting official TSM business.

 

IV. Definitions:

 

1. Encryption: The process of encoding a message so that it can be read only by
the sender and the intended recipient.

 

2. Malware: Is defined as software of malicious intent/impact such as viruses,
worms, and spyware.

 

3. Removable Media: Any type of device that can be removed from a computer while
the system is running.

 

4. Sensitive Information: Information that is protected against unwarranted
disclosure. Access to sensitive information should be safeguarded.

 

5. USB Flash Drive: A memory data storage device integrated with a USB
(universal serial bus) interface. They are typically small, lightweight,
removable and rewritable.

 



 

 




 

6. Personal Identification Information (PII): An individual’s name together with
Social Security number, driver’s license number, or certain bank or credit
account information.

 

7. Protected Health Information (PHI): Protected health information generally
refers to demographic information, medical history, test and laboratory results,
insurance information and other data that a healthcare professional collects to
identify an individual and determine appropriate care.

 

8. Electronic Protected Health Information (ePHI): Refers to any protected
health information (PHI) that is covered under Health Insurance Portability and
Accountability Act of 1996 (HIPAA) security regulations and is produced, saved,
transferred or received in an electronic form.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries' employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

1. General Requirements:

 



 

 






 

a) TSM shall implement safeguards and procedures for the proper management of
removable media.

 

b) Procedures and controls shall be designed and implemented to prevent the
unauthorized use of removable media storage devices such as:

 

o USB Memory Sticks (also known as pen drives or flash drives).



o External Hard Drives.



o Media Card Readers.



o CDs.



o DVDs.



o Embedded Microchips (including Smart Cards and Mobile Phone SIM Cards).



o Smart and Cellular Phones.



o MP3 Players.



o Digital Cameras.



o Backup tapes.

 

c) All PII or PHI data stored on removable media devices must be encrypted by
the TSM approved removable media encryption tool.

 

d) Authorized users are responsible for the appropriate use and protection of
the removable media from theft or loss.

 

e) Authorized users must be aware that TSM can audit the transfer of data files
to and from all removable media devices and TSM IT equipment by using the
approved Data Loss Prevention (DLP) tool.

 

f) Confidential, PII, PHI or ePHI information should be stored on removable
media only when required for the performance of TSM personnel's assigned
duties.

 

g) All Confidential, PII, PHI or ePHI information to be stored on removable
media, must be encrypted in accordance with the TSM Encryption Policy.

 

h) Media containing confidential, PII, PHI or ePHI information shall be
physically secured until the media is destroyed and/or sanitized.

 

i) Virus and malware checking software must be used when the removable media
device is connected to TSM equipment and systems.

 

j) Only data that is authorized and necessary to be transferred should be saved
on to the removable media device.

 



 

 






 

k) Removable media devices must not be used for archiving or storing records
as an alternative to the approved computer systems used by TSM.

 

l) Special care must be taken to physically protect the removable media device
and stored data from loss, theft or damage.

 

2. Restricted Access to Removable Media:

 

The use of removable media devices shall be approved by the department manager
and by the Information & Cyber Security Director of TriServe.

 

The Department Manager must document the user access request by using the
Removable Device Access Form.

 

The Department Managers are responsible for re-certifying the list of authorized
users to access removable media storage devices on an annual basis.

 

3. Preventing Information Security Incidents:

 

Data in transit, in storage or held on any removable media device must be
given appropriate security according to the type of data and its sensitivity.
Encryption and password control must be applied for PII and PHI information.

 

PII, PHI and/or TSM confidential or sensitive data must not be transmitted or
stored on Bluetooth enabled devices.

 

TSM users are required to immediately report any loss or theft of TSM information
or equipment to the ISG and/or IT Service Desk.

 

4. Bluetooth Enabled Devices:

 

All Bluetooth devices must use Secure Simple Pairing with encryption enabled.
Bluetooth users must only access TSM information systems using approved
Bluetooth device hardware, software, solutions, and connections.

 

5. Disposal of Removable Media Devices:

 

Removable media devices that are no longer required, or have become damaged,
must be disposed of securely to avoid data leakage.

 

VII. Attachments:

 

N/A

 

Version Control   Effective Date   Approved By (include position name)   Amendment
1                 09/01/2016       Juan Díaz Goitía, CIO                 1

 

 

 




 

Policy No.: ISP#18
Policy Name: Retention and Disposal
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements for data retention and
disposal of technology equipment and records. These requirements are designed to
minimize the potential exposure to TSM from damages which may result from
unauthorized access, disclosure and use of TSM records containing sensitive,
confidential, and ePHI information.

 

II. Scope:

 

This policy applies to all TSM and its subsidiaries employees, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

This policy supports the organization's plan for storage, maintenance and
destruction of information [Core-13(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Retention
and Disposal Policy to provide management with direction and support to protect
important records containing sensitive, confidential, and ePHI information from
loss, destruction, and falsification, in accordance with business requirements,
laws and regulations.

 

IV. Definitions:

 

1. Record: Any type of record created or received in the course of TSM business,
including, but not limited to, paper, e-mail, any type of electronic file or
data, plans, and audio/ video recordings, etc.

 

2. Disk wiping: A software-based method of overwriting data that aims to
completely destroy all electronic data residing on a hard disk drive or other
digital media.

 

3. Degaussing: A technique for destroying data on magnetic storage tapes. It can
also be used to erase the contents of a hard drive, USB thumb drive or a smart
phone.

 

4. Active Record: Any record that is currently in use by TSM and is required to
support the business operational functions and client’s services.

 

5. Archival Record: A record that is not required to be retained on premise and
which can be moved to a long term archival method.

 

6. Electronic Record: A record kept in an electronic format, such as a word
processing document, a spreadsheet, a database, a scanned or imaged document,
and any other type of
file stored on a computer, server or mainframe storage device or medium, or on
any external or off-site storage medium.

 

7. Inactive Record: A record that is no longer an Active Record but must be
maintained pursuant to the Records Retention Program requirements.

 

8. Personal Identifiable Information (PII), Personal Health Information (PHI)
and Electronic Personal Health Information (ePHI) records: PII, PHI and ePHI are
considered highly sensitive and confidential and must be safeguarded and secured
at all times.

 

9. Hard Copy Record: Any physical representation of information, most often
associated with paper printouts.

 

10. Electronic Record: Information captured and managed through electronic
means, and which may or may not have a paper record to back it up. Also called
machine readable record. Electronic records can be stored throughout an
organization in a variety of ways such as databases, directories, file systems,
applications, hard drives, and email accounts.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

This procedure supports the organization's process for storage, maintenance and
destruction of information [Core-13(b)].

 



 

 


 

1. General Requirements:

 

a) TSM shall establish documented procedures for the retention and disposal of
data, technological equipment and resources of electronic data storage media.
This includes, but is not limited to, hard disks, tapes, cartridges, CDs, and
USB drives.

 

b) TSM shall establish a formal record retention program that addresses record
storage, access, retention, and destruction. The program shall also specify the
retention period for electronic storage media (i.e. backup tapes).

 

c) Procedures shall be implemented meeting the requirements of the defined
retention schedule by identifying essential record types and periods of
retention, an inventory of sources of key information, the disposal of information
that exceeds the retention period and secure disposal of equipment.

 

2. Record Retention:

 

a) Electronic Communication (Email): Email communications shall be retained for
a period of 6 months. E-mail messages containing approvals or representing TSM
agreements with outside entities, shall be retained by TSM departments according
to the retention guidelines set in this policy (either electronic or paper). For
further information on retention periods refer to the Backup and Retention
Policy.

 

b) Document Retention Periods: For further information on document retention
periods refer to the Documents Retention Policy #V-14.

 

3. Disposal:

 

a) All media shall be disposed of securely and safely when it is no longer
required by TSM business or legal requirements, using formal documented
procedures. All
information shall be rendered unusable, unreadable, or indecipherable on system
media, both digital and non-digital, prior to disposal or release for reuse.
Media containing sensitive information that cannot be sanitized shall be
destroyed.

 

4. Secure Disposal Techniques:

 

a) The following are appropriate techniques to securely remove information:

 

o Disk Wiping



o Degaussing

 

b) The following are appropriate techniques to securely destroy electronic and
hard copy media:

 



 

 


 

o Shredding disk platters



o Disintegration



o Grinding surfaces



o Incineration



o Pulverization



o Melting

 

5. Document Disposal:

 

a) Paper documents may be disposed of (destroyed) after being digitized as long
as it is verified that the document to be printed is clear and legible, its
integrity remains intact, and it is a true and exact copy of the original.

 

b) All documents may be destroyed after fulfilling the corresponding period of
conservation and if there are no legal hold periods related to the document
content.

 

c) A log of the destroyed documents shall be kept to maintain a documented
process and tracking of all destroyed documents covered by this policy. All
document destruction for in-scope legal cases or investigations shall be halted
after receiving a hold notification from the Legal Division.

 

d) All paper sensitive/confidential documents shall be placed in the official
shredder bins/recycling bins or placed in the locked secured disposal recycling
bins contracted by the organization for the secured destruction of the
documents.

 

6. Secure Equipment Disposal:

 

a) Surplus equipment shall be stored securely while not in use, and shall be
disposed of or sanitized when no longer required.

 

b) Sanitization of desktop computers and portable media will be managed by
Desktop Management Group (DMG).

 

c) All items of equipment containing storage media shall be checked to ensure
that any covered information and licensed software has been removed or securely
overwritten prior to disposal.

 

d) Devices containing covered information shall be physically destroyed or the
information shall be destroyed, deleted or overwritten using techniques to make
the original information non-retrievable rather than using the standard delete
or format function.

 



 

 






 

e) Disposal without sanitization shall be considered only if information
disclosure would have no impact on TSM business, would not result in damage to
TSM assets, and would not result in financial loss or harm to any customer,
employees and business associates.

 

7. Equipment Donation and/or Transfers

 

a) TSM personnel shall sanitize or destroy information system digital media
before its disposal or release for reuse outside of TSM premises, to prevent
unauthorized individuals from gaining access to and using the information
contained on the media.

 

VII. Attachments:

 

ATTACHMENT F - Retention & Disposal Procedure [Core-13(b)]

 

Version Control   Effective Date   Approved By (include position name)   Amendment
1                 09/01/2016       Juan Díaz Goitía, CIO                 1

 

 

 


 

Policy No.: ISP#19
Policy Name: Security Awareness and Training
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define the requirements to ensure that users of
TSM systems and third party contractors receive appropriate awareness and
training to ensure the protection of TSM’s IT assets and information.
[Core-15(b)]

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the Security
Awareness and Training Policy to provide management with direction and support
for the implementation of a security awareness training program, including
providing regular updates of TSM information security policies and procedures
required to protect the organization's IT assets. [Core-15(b)]

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 



 

 




 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

TSM shall define and implement security awareness, training, and education
programs for internal use as well as with applicable third parties to ensure
that all users are periodically and appropriately trained in the organization's
Information Security Policies. The following requirements shall be considered:
[Core-15(b)]

 

1. All employees of TSM, contractors and third party users shall receive
appropriate Information Security training. [Core-15(b)]

 

2. The Information Security Group (ISG) shall provide regular updates on the
organization's Information Security policies and procedures as considered relevant
for the employee job functions and responsibilities in TSM and its subsidiaries.
[Core-15(b)]

 

3. ISG shall develop an Information Security Training and Awareness program to
support the employee onboarding process of TSM and its subsidiaries and
affiliates. [Core-15(b)]

 

4. ISG shall review and update the Information Security Training and Awareness
program on an annual basis to ensure compliance with local and federal
regulations. [Core-15(b)]

 

5. The Information Security Training and Awareness program, which must be part
of the onboarding process, will include employees as well as contractors and
third party service providers that may come into contact with sensitive
information. [Core-15(b)]

 

6. TSM must maintain a record of each individual who completes the on-boarding
process and the Information Security Training module. The training records must
be filed for at least five years thereafter. [Core-15(b)]

 

7. The ISG, in coordination with the Human Resources training center, will
coordinate refresher training for the employee at least every year.
[Core-15(b)]

 

8. The organization's training center will keep track of the employees who
completed the training. [Core-15(b)]

 

9. Employees, contractors and any other third party, must acknowledge that they
received the training and that they are responsible to comply with it through a
formal and documented signoff. [Core-15(b)]

 



 

 






 

10. TSM security personnel shall receive specialized security education and
training appropriate to their role/responsibilities. [Core-15(b)].

 

11. Personnel from the Information Security Group (ISG) shall be required to
participate in information system security training for the following functions:
[Core-15(b)]

 

o Before engaging in user provisioning activities.



o When required due to new threats.



o Changes in role: an employee transferring to the information security unit will
require training before officially starting his/her position.

 

12. At least on an annual basis, refresher training for all security personnel
will be conducted to ensure knowledge remains relevant considering new threats
and changes. [Core-15(b)]

 

13. TSM shall incorporate simulated events into incident response training to
ensure effective response in critical events. [Core-15(b)]

 

14. All third parties that provide and/or manage critical applications (i.e. for
handling claims – [***]) must provide training or training materials on the
correct use and operation of security functions and controls of the applications
or systems. [Core-15(b)]

 

15. Awareness training shall include a formal introduction to the organization's
security and privacy policies, state and federal laws. [Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control   Effective Date   Approved By (include position name)   Amendment
1                 09/01/2016       Juan Díaz Goitía,                     1

 

 

 




 

Policy No.: ISP#20
Policy Name: Security Monitoring Policy
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, CIO

           

I. Purpose:

 

The purpose of this policy is to ensure that information security events are
recorded and monitored to detect unauthorized system activities in compliance
with applicable laws and regulations.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization detect, contain and correct confidentiality
and security violations [Core-15(c)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Security
Monitoring Policy to provide management with direction and support to ensure
that information security events are recorded and monitored to detect
unauthorized system activities in compliance with applicable laws and
regulations.

 

Procedures for monitoring the use of IT assets shall be established to check for
use and effectiveness of implemented controls. The results of the monitoring
activities shall be reviewed regularly.

 

IV. Definitions:

 

1. Event: Something that occurs within a system or network.

 

2. Log: A record of the events occurring within an organization’s systems and
networks.

 

3. Log Archival: Retaining logs for an extended period of time, typically on
removable media.

 

4. IPS: A proactive protection technology that provides security at the network
level.

 

5. Clock Synchronization: Process of precisely coordinating or matching two or
more activities, devices, or processes in time.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such
Policies may be subject to disciplinary actions, up to and including termination
of employment. In the event the violation has been by a contractor and/or
provider, the respective contract or service may be deemed terminated. Triple-S
Management Corporation (TSM) reserves the right to audit networks, systems, or
procedures on a periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

This procedure helps the organization detect, contain and correct confidentiality
and security violations [Core-15(c)].

 

1. General Requirements:

 

a) All users should know that all generated information through TSM networks and
systems is property of TSM.

 

b) Telecommunication networks, computers, internet and email traffic shall be
monitored by members of the Information Security Group (ISG), or third parties
contracted in support of the Information Security Group monitoring function.

 

c) All systems, applications and databases shall be configured with audit logs
enabled at each of the following levels:

 

a. Operating system and admin activities audit log

 

b. Application event level audit log

 

c. Database event level audit log

 

d) All audit logs shall be kept secure and be protected from unauthorized
deletion or alteration.

 



 

 




 

e) Audit logs shall be protected against tampering and unauthorized access.

 

f) Audit logs shall be accessible to authorized personnel of the ISG.

 

g) Audit logs must be backed up and retained in accordance with the retention
periods defined by the Retention Officer.

 

h) Security event logging and monitoring of TSM systems shall be carried out in
order to detect suspicious activities that could impact the confidentiality,
integrity and availability of the IT assets and the data stored.

 

i) Authorized access and unauthorized access attempts in systems that manage PHI
and/or PII information and/or company financial information shall be logged.

 

j) System administrator and system operator activities shall be logged and
regularly reviewed.

 

k) Suspicious events shall be evaluated and categorized appropriately. If an
event is determined to be an attack or is categorized as a security incident, it
shall be investigated and reported to affected parties according to the IT &
Cyber Security Incident Response Plan.

 

l) The results of the monitoring activities shall be reviewed periodically.

 

m) The clocks of all relevant information processing systems within TSM or
security domain shall be synchronized with an agreed accurate time source to
support tracing and reconstitution of activity timelines.

 

2. Monitoring:

 

a) TSM shall implement the following safeguards and mechanisms to ensure the
confidentiality, integrity and availability of TSM networks and information
systems. Specific network perimeter controls include:

 

a. Network Firewalls: Firewalls are frequently used to prevent unauthorized
Internet users from accessing private networks connected to the Internet,
especially intranets. All messages entering or leaving the intranet pass through
the firewall, which examines each message and blocks those that do not meet the
TSM security criteria.

 

b. Application Level Firewall: An application firewall is a form of firewall
that controls input, output, and/or access from, to, or by an application or
service. It operates
by monitoring and potentially blocking the input, output, or system service
calls that do not meet the configured policy of the firewall.

 

c. Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS): To
provide automated real-time identification of unauthorized use, misuse, and
abuse of computer assets by internal or external network users. Logs, alarms,
alerts and functions shall be monitored and reviewed on a regular basis and
anomalies/trends shall be identified, analyzed and reported.

 

d. Network Traffic Monitoring: Firewall logs, alerts and network traffic shall
be monitored to ensure identified issues are reviewed and resolved on time.
Firewall rules shall be documented and reviewed on a quarterly basis.

 

e. Endpoints: Detection and prevention controls to protect the endpoints with
anti-virus protection.

 

f. Internet Browsing: The Internet use shall be monitored from all computers and
devices connected to the TSM network and Web Content Filter technologies shall
be used to protect users.

 

g. Email: Emails shall be monitored from all users to ensure that sensitive
information is kept confidential and technology is in place to protect from
malware.

 

b) The following monitoring frequencies have been implemented and are followed:

 

Security Device | Monitoring Frequency
Network Firewalls | 7x24x365
Application Level Firewall | 7x24x365
Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS) | 7x24x365
Network Traffic Monitoring | 7x24x365
Endpoints | Daily for anti-virus status
Internet Browsing | On demand for internal investigations
Email | Daily for suspicious email attachment. On demand for internal investigations.

 

3. Audit Logging:

 

a) Audit logs recording user activities, exceptions, and security events shall
be generated and stored, in accordance with TSM record retention policy
requirements and procedures, to assist in investigations and access control
monitoring processes.

 

b) Information systems processing PII, PHI, financial and employee sensitive
information shall generate audit log records each time a user accesses, creates,
updates, or archives the information via the system. The audit logs shall
include:

 

a. Unique user identifier.

 

b. A unique data subject (e.g., the patient) identifier.

 

c. Function performed by the user (e.g., log-in, record creation, access,
update, etc.)

 

d. Time and date when the function was performed.

 

e. Type of event that occurred (e.g., success or failure).

 

f. Event Information (e.g., files handled).

 

g. The account(s) and administrator(s) or operator(s) involved (when applicable)

 

h. Process(es) involved.

 

i. Before and after values when action involves updating a data element, if
feasible.

 

c) Grant, modify, or revoke access rights, including adding a new user or group,
changing user privilege levels, changing file permissions, changing database
object permissions, changing firewall rules, and user password changes.

 

d) System, network, or services configuration changes, including installation of
software patches and updates, or other installed software changes.

 



 

 









 

e) System administrator and system operator activities shall be logged and
regularly reviewed.

 

4. Protection of Audit Log Information:

 

a) Access to TSM system audit tools and audit trails shall be safeguarded from
unauthorized access and used to prevent misuse or compromise of logs. Authorized
and unauthorized access attempts to the audit system and audit trails shall be
logged and protected from modification.

 

b) Logging controls shall protect against unauthorized changes and shall
promptly back up audit trail files to a centralized log server or media that is
difficult to alter.

 

VII. Attachments:

 

ATTACHMENT G - IT & Cyber Security Incident Response Plan [Core-15(c)]

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#21
Policy Name: Technical Vulnerability Management Policy
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements to manage and reduce risks
that could result from the exploitation of technical vulnerabilities by
implementing an effective, systematic, and repeatable process with measurements
included to confirm its effectiveness.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization assess the potential risks and vulnerabilities
to the confidentiality, integrity and availability of information systems
[Core-15(a)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Technical
Vulnerability Management Policy to provide management with direction and support
to assess and manage technical vulnerabilities that could impact ePHI
confidentiality, integrity and availability.

 

IV. Definitions:

 

Vulnerability: A weakness of an asset or group of assets that can be exploited
by one or more threats.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 



 

 




 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

The following practices help the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

1. TSM shall implement a technical vulnerability management process that
includes periodic vulnerability assessment activities for the in scope systems.

 

2. TSM has adopted the following frequency for conducting the external and
internal vulnerability and penetration assessments of the organization's IT
assets:

 

Type of Assessment | Frequency
External | Quarterly
Internal | Twice Per Fiscal Year

 

3. Mitigation activity shall be prioritized based on the severity of the
vulnerability, the current threat environment and the business use of the
vulnerable asset.

 

4. Shielding shall be used to protect vulnerable assets until mitigation is
completed, if applicable.

 

5. The root cause of vulnerabilities shall be identified and eliminated,
whenever applicable, through improvements in network and server configuration
policies, and better change management and administrative processes.

 

6. TSM shall develop applications based on secure coding guidelines to prevent
common coding vulnerabilities in software development applicable to internal and
external public facing web applications and interfaces.

 

7. TSM system and application configuration standards shall be consistent with
industry-accepted system hardening standards. Refer to TSM System Hardening
Guidelines checklist.

 

8. The following activities shall be adopted within the technical vulnerability
management process and roles and responsibilities defined and established:

 



 

 






 

a) Discovery: To identify new technical vulnerabilities using vulnerability
scans and ethical hacking assessments performed by a third-party.

 

b) Prioritization: The prioritization activities shall be based on external
threat information and internal risk rating related to the affected information
asset and with a predefined inventory of systems. Based on its relevance,
identified vulnerabilities shall be sorted or discarded and then prioritized.

 

c) Shielding/Mitigation: Current IT techniques and processes shall be used to
shield vulnerable assets until mitigation work is completed. High-priority
vulnerabilities shall be mitigated immediately and the root causes eliminated.

 

d) Test/Change Management: Before the implementation into the production
environment, and whenever applicable, the new countermeasure or patch shall be
tested in a test environment. Appropriate change management procedures should be
followed and a patch calendar schedule shall be in place.

 

e) Monitoring: Periodically monitor the security state of the IT environment
and the current status of vulnerability mitigation activities. The discovery
step needs to be continuous, and all subsequent vulnerability management steps
should be repeated as part of an ongoing process.

 

VII. Attachments:

 

N/A

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      

 

 

 




 

Policy No.: ISP#22
Policy Name: Teleworking
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements for managing and reducing
risks associated with teleworking activities. The policy and the requirements
are designed to minimize the potential exposure of TSM IT assets from damages
which may result from theft of equipment and information, the unauthorized
disclosure of information including ePHI, unauthorized remote access to the
organization’s internal systems and/or misuse of the IT assets of the
organization.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization prevent confidentiality and security breaches
[Core-15(b)] and [Core-13(b)].

 

Triple-S Management Corporation (TSM) has developed and adopted the Teleworking
Policy to provide management with direction and support for the implementation
of appropriate security measures for employees working from remote locations and
working from home.

 

IV. Definitions:

 

1. Teleworking: Is defined as working at home or at other off-site locations
that are linked electronically (via computer, fax, etc.) to a central office or
principal place of employment.

 

2. VPN: A method employing encryption to provide secure access to a remote
computer over the Internet.

 

3. Encryption: Cryptographic transformation of data (called "plaintext") into a
form (called "cipher text") that conceals the data's original meaning to prevent
it from being known or used.

 

4. Remote Access: Any connection to TSM network(s) or information systems that
originates from a computer or device located outside of TSM network.

 

5. Session locking: Means locking screens on workstations after a certain amount
of inactivity.

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have
violated such Policies may be subject to disciplinary actions, up to and
including termination of employment. In the event the violation has been by a
contractor and/or provider, the respective contract or service may be deemed
terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization prevent confidentiality and
security breaches [Core-15(b)]:

 

TSM shall only authorize teleworking activities if they comply with TSM’s
security requirements and controls for remote access connections. TSM shall
consider that any teleworking facility is essentially an extension of the TSM
network and any teleworking user that connects without appropriate security
controls could result in the exposure of company and ePHI confidential
information resulting in a significant impact to the entire organization. At a
minimum the following requirements shall be implemented for authorized
teleworking users:

 

1. General Requirements:

 

a) Only authorized teleworking users shall be allowed.

 

b) Business managers are responsible for requesting and authorizing the access
based upon the needs of the department for the user to perform teleworking
functions.

 

c) TSM business managers shall ensure that authorized teleworking users read and
acknowledge understanding of the organization's Employee Manual and Information
Security policies for performing teleworking functions.

 



 

 

 






d) Training on Information Security (IS) and privacy responsibilities shall be
required for all authorized teleworking users.

 

e) TSM will provide corporate approved computers (i.e. laptops) to teleworking
authorized users. The assigned computer will comply with the organization
standard image and security controls including but not limited to:

 

o Corporate approved MS Windows license and image.

 

o Corporate approved anti-virus, anti-malware and firewall system.

 

o Corporate approved Data Loss Prevention system.

 

o Corporate approved encryption system.

 

o Corporate approved Virtual Private Connection (VPN) system.

 

f) Authorized teleworking users shall use the assigned corporate equipment to
conduct teleworking functions.

 

g) TSM computer equipment located at the user teleworking location shall not be
used for personal activities or lent to friends or family members.

 

h) Teleworking users shall not install unauthorized software in the assigned
teleworking equipment.

 

i) TSM teleworking equipment and media taken off the premises shall be encrypted
and not be left unattended in unsecured places or high risk locations such as
inside automobiles.

 

j) Adequate insurance coverage shall be in place to protect off-site TSM
computer equipment.

 

k) TSM maintains ownership over the corporate assets (e.g. computer,
peripherals, etc.) used by teleworking authorized personnel.

 

2. Account Administration:

 

a) Teleworking user access requests must also meet the User Access Policy and
Remote Access Policy requirements for secure remote connections.

 

b) Business managers are responsible for requesting revocation of remote accesses
to TSM systems, and returning TSM assigned equipment when the teleworking
activities are terminated.

 

c) Business managers are responsible for the timely notification of employee
terminations and transfers to the Human Resources department.

 



 

 






 

3. Teleworking User Requirements:

 

a) Verifiable unique IDs shall be required for all teleworker users accessing
TSM network by a remote connection.

 

b) Authorized teleworkers must use the Symantec VIP two factor authentication
system to establish the remote connection to TSM network.

 

c) The authorized user is responsible for maintaining appropriate protection
at the teleworking site to protect the assigned equipment against theft, the
unauthorized disclosure of information, and the unauthorized remote access to
TSM internal systems.

 

d) The use of home WiFi networks is permitted as long as the WiFi is password
protected and the WiFi encryption protocol is enabled. The WPA encryption
protocol is the minimum required.

 

e) ePHI information shall never be stored outside the corporate provided
equipment.

 

f) ePHI or company confidential information shall never be printed when working
from a teleworking facility.

 

g) Home-working controls shall be applied, including lockable filing cabinets,
clear desk and clear screen, and access controls for computers and secure
communication with the office.

 

4. Teleworking Document Management: [Core-13(b)]

 

a) Authorized teleworking users must avoid storing and printing documents
containing PHI, PII and company confidential information while working remotely.

 

b) Teleworking users must place in a secured location documents containing PHI,
PII and company confidential information when not in use.

 

c) Authorized portable storage devices must be encrypted if they are to be used
to store PHI, PII or company confidential information.

 

5. Teleworking Control of Assigned Equipment: [Core-13(b)]

 

a) For decommissioning of company assigned equipment the user must return the
required to the Desk Top Management team who will coordinate the process as
outlined in the Retention & Disposal procedure.





 

 






 

VII. Attachments:

 

ATTACHMENT F - Retention & Disposal procedure [Core-13(b)]

 



Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#23
Policy Name: Third Party Services Risk Management
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this policy is to define requirements and establish a
systematic approach for management of risks associated with the contracting
of third party service providers.

 

II. Scope:

 

This policy applies to TSM and its subsidiaries employees, temporary workers,
contractors, business partners, third party vendors and physical facilities
where TSM provides services to its customers.

 

III. Policy:

 

This policy helps the organization assess the potential risks and vulnerabilities
to the confidentiality, integrity and availability of information systems
[Core-15(a)].

 

Triple-S Management Corporation (TSM) has developed a Third Party Services Risk
Management Policy, also known as Vendor Risk Management, to ensure that third
party service providers maintain adequate security controls to manage TSM PII
and/or PHI information. The policy also requires management to monitor the level
of services contracted.

 

IV. Definitions:

 

None

 

V. Responsibilities:

 

1. All Triple-S Management Corporation (TSM) and its subsidiaries employees,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 



 

 




 

4. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

The following practices help the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

TSM shall develop and implement a Third Party Service Provider Risk
Management Program to ensure that security requirements and service levels are
met:

 

1. Service Delivery: It shall be ensured that security controls, service
definitions, and delivery levels included in the third party service delivery
agreement are implemented, operated, and maintained by the third party.

 

2. Monitoring and Review: The services, reports, or records provided by third
party shall be regularly monitored and reviewed, and audits shall be carried out
regularly to govern and maintain compliance with the service delivery
agreements.

 

3. Managing Changes: Changes to the provision of service, including maintaining
and improving existing information security policies, procedures, and controls,
shall be managed, taking account of the criticality of business systems and
processes involved and re-assessment of risk.

 

VII. Attachments:

 

ATTACHMENT H - Third Party Services & Risk Management procedure [Core-15(a)].

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1

 

 

 




 

Policy No.: ISP#24
Policy Name: User Access
Department: Information Security
Effective Date: 09/01/2016
Approval Date: 09/01/2016
Last Review Date: 08/11/2016

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           



 

I. Purpose:

 

The purpose of this policy is to define requirements to establish, document and
review access control mechanisms to ensure that users have the minimum access
required to conduct their business activities. [Core-15(a) & Core-15(b)]

 

II. Scope:

 

This policy applies to TSM, its subsidiaries, employees, temporary workers,
contractors, business partners and third party vendors contracted by TSM to
provide services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the User Access
Policy to provide management with direction and support for the implementation
of appropriate logical and physical user access controls. [Core-15(a) &
Core-15(b)]

 

TSM has adopted appropriate user access measures (logical and physical) to
ensure the confidentiality, integrity and availability of sensitive information
and the organization IT assets. This policy is critical for securing Protected
Health Information (PHI), Personally Identifiable Information (PII) and
Electronic Protected Health Information (ePHI) and ensuring compliance with
HIPAA minimum use requirement. [Core-15(a) & Core-15(b)]

 

Authorization to programs, systems and databases required to access any
information on TSM networks, either via local or remote access, must be approved
by management and authenticated using unique user IDs and passwords.
[Core-15(a) & Core-15(b)]

 

Logical and physical access controls shall be implemented based on the employee
job function and role. The applications, systems and databases accesses shall be
granted according to the employee job function and business needs to prevent
unauthorized access to information stored in TSM systems and physical
facilities. [Core-15(a) & Core-15(b)]

 

IV. Definitions:

 

1. Authentication: The process of verifying a user identity in order to grant
access to a system according to a specific role or profile.

 

2. Logical Access: Access to a computer or network system through an
authentication protocol.

 

3. Unique User ID: The sole identifier of a user, usually a user name.

 

4. Privilege Access: Access of an administrator or super user.

 



 

 




 

 

5. Remote Access: Is the ability to get access to a computer or a network from a
remote location.

 

V. Responsibilities:

 

1. All employees of TSM and its subsidiaries, temporary workers, contractors,
business partners and third party vendors, without exception, must comply with
the information security policies.

 

2. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any

 

3. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

4. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. General Requirements

 

a) TSM shall define a formal procedure to manage the user access provisioning
and de-provisioning processes. The procedure must be designed to prevent
unauthorized access to the IT assets and systems used by the organization.
[Core-15(a) & Core-15(b)]

 

b) Division managers must assign Application Owners for each business
application. If the application has multiple modules, specific Application
Owners can be assigned to each module. [Core-15(a) & Core-15(b)]

 

c) Access rights shall be reviewed by management based on the process and
schedule defined by the Information Security Group. At a minimum, managers and
supervisors shall review and certify their employees’ user accesses on an annual
basis. [Core-15(a) & Core-15(b)]

 

d) Completing the user access review and certification process is an essential
component to ensure compliance with the HIPAA minimum use requirement.
[Core-15(a) & Core-15(b)]

 



 

 

 




 



e) Display the approved proper system use notification message or banner before
providing access to TSM systems. The notification must provide the required
privacy and security notices consistent with key industry regulations and
standards such as HIPAA and HiTrust. [Core-15(a) & Core-15(b)]

 

f) Logical and physical access to information and application systems and
functions by users and support personnel shall be restricted in accordance with
their job functions and responsibilities. [Core-15(a) & Core-15(b)]

 

2. Access Request (User Access Provisioning)

 

a) Users shall obtain formal approval for the use of TSM information assets and
applications by completing the official TSM access request form or submitting an
approved request via email. [Core-15(a) & Core-15(b)]

 

b) Access to TSM information systems shall be authorized by the requester’s
manager or supervisor before the user is allowed to log in to TSM systems.
[Core-15(a) & Core-15(b)]

 

c) Authorized logical access requests must be based on the employee job
functions and scope of responsibility. [Core-15(a) & Core-15(b)]

 

d) All user access authorizations shall be granted following the minimum access
necessary concept in order to allow the users to perform their job functions
with the minimum necessary accesses. [Core-15(a) & Core-15(b)]

 

e) All physical access to TSM buildings and offices shall be processed by the
Corporate Security Group. Users shall obtain formal approval by TSM management
before physical access is granted. For further information, refer to the
Corporate Policy Manual, Policy of ID Cards and Access. [Core-15(a) &
Core-15(b)]

 

3. User Account Administration

 

a) The user account management process, as well as privileged access
authorizations shall be restricted and controlled through a formal documented
process via the use of the User Access Request Form or by submitting an approved
email. [Core-15(a) & Core-15(b)]

 

b) The business managers or the Application Owners are responsible for
conducting the user access review and certification process on an annual basis.
Following this process is required to ensure that granted logical accesses
correspond with the employee’s job function and duties and remain restricted to
authorized personnel only. [Core-15(a) & Core-15(b)]

 



 

 






 

Completing the user access review and certification process is an essential
component to ensure compliance with the HIPAA minimum use requirement.
[Core-15(a) & Core-15(b)]

 

c) Unnecessary accounts shall be removed, disabled or otherwise secured.
[Core-15(a) & Core-15(b)]

 

d) Ensure that default accounts that are not required are removed or disabled.
[Core-15(a) & Core-15(b)]

 

e) Ensure that default application or system accounts that are required are
protected with a strong password compliant with the TSM password rules.
[Core-15(a) & Core-15(b)]

 

4. Termination (User Access De-Provisioning)

 

The Division of Human Resources will maintain an updated list of active
employees and temporary personnel. [Core-15(a) & Core-15(b)]

 

a) All terminations of regular and temporary employees shall be immediately
notified to the Human Resources department. [Core-15(a) & Core-15(b)]

 

b) The SAP system will provide the ISG with an automated notification of all
regular and temporary employee terminations. [Core-15(a) & Core-15(b)]

 

c) The ISG will terminate the access to the LAN based on the requested
effective date of the termination. [Core-15(a) & Core-15(b)]

 

d) The ISG will terminate the access to other applications within a period of 5
working days. [Core-15(a) & Core-15(b)]

 

e) The ISG will remove or disable Active Directory accounts that have been
inactive for a period of sixty (45) days or more. [Core-15(a) & Core-15(b)]

 

f) All terminations of contractor and/or the service provider employees shall be
immediately notified to the ISG. [Core-15(a) & Core-15(b)]

 

g) The ISG will terminate the access to the LAN by the contractor and/or the
service provider on the requested effective date of the termination. [Core-15(a)
& Core-15(b)]

 

h) The ISG will terminate the access to other applications used by the
contractor and/or the service provider within a period of 5 working days.
[Core-15(a) & Core-15(b)]

 



 

 






 

i) A user who ends his employment or contractual relationship with TSM shall
not by any means attempt to access the networks and information systems of TSM.
[Core-15(a) & Core-15(b)]

 

5. Transfers

 

a) Transfer of employees between departments, companies or affiliates will be
processed by the Information Security Group as a termination. [Core-15(a) &
Core-15(b)]

 

b) It is the responsibility of the new Manager or Supervisor to complete the
User Access Request Form with the required new accesses based on the employee
job function. User accesses can also be requested via email. [Core-15(a) &
Core-15(b)]

 

6. Database User Accesses

 

a) Only authorized personnel shall have administrator access to the
administrative functions of TSM databases. [Core-15(a) & Core-15(b)]

 

b) Users shall not have direct access to TSM databases. [Core-15(a) &
Core-15(b)]

 

7. Emergency User Accesses

 

The following conditions will be defined and considered as emergency situations:
[Core-15(a) & Core-15(b)]

 

o Disaster condition;



o Application, system or database problem which results in system downtime or
very poor performance;



o Application, system or database problem that cannot be replicated in the
test environment and is causing significant operational problems.

 

a) The request for emergency access must be generated by a manager or higher
level of the area where the need arises. [Core-15(a) & Core-15(b)]

 

b) The justification for the emergency access shall be documented in the Serena
Business Manager ticketing system. The justification must include the approval
of the division Vice-President (VP) or the affiliate director and the estimated
date until which the access will be required. If for some reason the form cannot
be completed in time, a notification must be sent by e-mail to the Information
Security Group (ISG) and the form completed the next business day. [Core-15(a) &
Core-15(b)]

 

c) The ISG unit will evaluate any emergency access request and shall determine
its approval. [Core-15(a) & Core-15(b)]

 



 

 






 

d) In emergency cases or outside working hours, it is the responsibility of the
requesting manager to notify the administration and/or data center Information
Security Group personnel. [Core-15(a) & Core-15(b)]

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment

1 | 09/01/2016 | Juan Díaz Goitía, | 1

 

 

 




 

Policy No.: ISP#25 Page 113 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Information Security Risk Analysis

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

The purpose of this Policy is to define requirements and establish the
appropriate actions and priorities for developing and implementing TSM’s
information security risk analysis process; managing information security and
business continuity risks; and implementing controls to protect against
identified risks.

 

II. Scope:

 

This Policy applies to TSM and workforce members who are authorized to access
information systems maintained by TSM and the ePHI that is processed, stored,
and transmitted on such systems. This Policy forms part of the conditions of
employment or contracting with TSM, as applicable, of all workforce members at
all levels. For purposes of this policy, “workforce members” shall include TSM’s
employees, volunteers, trainees, contractors, agents, interns, temporary staff,
and other persons whose conduct, in the performance of work for TSM, is under
the direct control of TSM, whether or not they are paid by TSM.

 

III. Policy:

 

This policy helps the organization assess the potential risks and vulnerabilities
to the confidentiality, integrity and availability of information systems
[Core-15(a)].

 

Triple-S Management Corporation, on behalf of itself and its direct and indirect
affiliates and subsidiaries (collectively referred to herein as “TSM”), has
adopted this Information Security Risk Analysis Policy (“Policy”) to protect the
confidentiality, integrity, and availability of the electronic protected health
information (“ePHI,” as defined in 45 C.F.R. § 160.103) that it processes,
stores and transmits, and to protect the information systems on which such ePHI
is processed, stored and transmitted. This Policy aids TSM in preventing,
detecting, containing, and correcting threats and vulnerabilities to ePHI and
the information systems on which it is processed, stored and transmitted, and
meeting its obligations with regard to information security.

 

The risk analysis process described in this Policy is a key requirement to
comply with HIPAA, HiTrust and ISO 27001 security requirements.

 

TSM shall conduct an enterprise-wide assessment of risk, including the
likelihood and magnitude of harm, from the unauthorized access, use, disclosure,
disruption, modification, or destruction of its information systems and the ePHI
that such systems process, store, or transmit.

 

IV. Definitions:

 

N/A

 



 

 






 

V. Responsibilities:

 

1. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated. Triple-S Management Corporation (TSM) reserves
the right to audit networks, systems, or procedures on a periodic basis to
ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

2. Exceptions

 

The Information & Cyber Security Director or Triple-S Management must approve
any exception to the policy in advance.

 

3. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

 

VI. Procedure:

 

The following practices help the organization assess the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
information systems [Core-15(a)].

 

1. In order to conduct a thorough enterprise-wide risk analysis, TSM shall
include each of the following elements in its risk analysis process:

 

a) Data Collection: Identify where the ePHI is stored, received, maintained or
transmitted.

 

b) Identify and Document Potential Threats and Vulnerabilities: Identify and
document reasonably anticipated threats to ePHI.

 

c) Assess Current Security Measures: Assess and document the security measures
TSM implemented, maintained and managed to safeguard ePHI. This assessment shall
include security measures required by the HIPAA Security Rule and whether the
existing security measures are configured, used and maintained properly.

 

d) Determine the Likelihood of Threat Occurrence: Determine the probability of
potential risk to ePHI. Document all reasonably anticipated combinations of
threats and vulnerabilities with associated likelihood estimates that may impact
the confidentiality, availability and integrity of ePHI.

 



 

 




 

e) Determine the Potential Impact of Threat Occurrence: Determine the impact of
potential risk to ePHI. Document all reasonably anticipated potential impacts
associated with the occurrence of threats triggering or exploiting
vulnerabilities.

 

f) Determine the Level of Risk: Assign risk levels for all threat and
vulnerability combinations identified during the risk analysis.

 

g) Finalize Documentation: Document the risk analysis and maintain such
documentation for future reference.

 

h) Periodic Review and Updates to the Risk Analysis: Conduct continuous
information security risk analyses to identify when updates are needed. To
ensure that the risk analysis process is integrated into the risk management
process, the information security risk analysis shall be conducted or reviewed
as new technologies and business operations are planned and as existing
technologies and business operations change. Below is a non-exclusive list of
events when a risk analysis shall be conducted or reviewed:

 

o Security incident is experienced;



o Change of ownership occurs;



o Turnover in key staff or management; and



o Plans to incorporate new technology.

 

In the absence of any of the events listed above, TSM shall conduct or review a
risk analysis at least annually.

 

i) Monitoring of Risk Mitigation Plan: Establish a process to monitor the status
of the risk mitigation plan, which shall occur at least quarterly.

 

j) Reporting to Board: Provide an executive level presentation, including the
key areas of risks and the status of the defined risk mitigation plan, to the
Board of Directors at least annually.

 

This Policy shall be supported by additional policies, standards, guidelines,
procedures, and processes.

 



 



 

 








 





VII. Attachments:

 

ATTACHMENT I - Information Security Risk Analysis Procedure [Core-15(a)]

 

Version Control | Effective Date | Approved By (include position name) | Amendment

1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

2 | | |

 

 

 


 

Policy No.: ISP#26 Page 117 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Business Continuity Management

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

I. Purpose:

 

Triple-S Management Corporation (TSM) is committed to its customers, employees,
stakeholders and suppliers. To ensure the effective safety of people and the
availability of essential products and services, TSM establishes this Business
Continuity Management Policy in support of a comprehensive program for emergency
response, business continuity, disaster recovery and business recovery.

 

II. Scope:

 

This policy applies to the employees of TSM and its subsidiaries, temporary
workers, contractors, business partners, third party vendors and physical
facilities where TSM provides services to its customers.

 

III. Policy:

 

Triple-S Management Corporation (TSM) has developed and adopted the Business
Continuity Management Policy to provide management with direction and support
for the implementation of a Business Continuity Program (BCP) in accordance with
the organization’s business requirements and applicable laws and regulations. TSM
recognizes that information is an important asset and it is important to protect
the confidentiality of the information being managed, maintain its integrity and
ensure its availability.

 

This policy provides the requirements for planning, implementation, activation
and governance processes to counteract interruptions to business activities and
to protect critical business functions from the effects of major failures of
information systems or disasters and to ensure their timely resumption.

 

TSM shall establish a Business Continuity Management Program (BCMP) that will
define the minimum requirements for the organization to address the continuity
of mission critical operations. Additionally, TSM shall assign resources with
specific roles and responsibilities to develop, implement and oversee the
business continuity plans in compliance with the business continuity management
program.

 

IV. Definitions:

 

1. Business Continuity (BC) Planning: An organization’s risk management strategy
for threats that may terminate or significantly disrupt core business. It
involves mitigation activities and contingency planning for response and
recovery actions. (Note: BC planning necessarily embraces disaster recovery and
emergency management planning.)

 

2. Business Continuity (BC) Program: An ongoing funded process that is supported
by senior management, comprising all BC planning, plans, arrangements, practices
and processes with which to achieve required BC outcomes in compliance with BC
aims and agreed expectations.

 

3. Business Continuity Management (BCM): The development, implementation and
maintenance of strategies, plans, resources and actions to ensure the continued
achievement of critical objectives in the event of a significant, untoward,
crisis event.

 

4. Crisis: An untoward event that potentially or actually results in disruption
to day-to-day functioning of a part or the whole of an organization, sufficient
to require management to divert a portion of their attention, time, energy and
resources away from business-as-usual activities. (Note: for BC purposes, the
term ‘crisis’ is used generically to refer to a significant,
crisis/emergency/disaster event).

 

5. Event: The occurrence of a particular set of circumstances that creates an
actual or potential emergency or disaster or other crisis situation.

 

6. Risk: The chance of something happening that will have an impact upon
objectives.

 

V. Responsibilities:

 

1. Business Continuity Management (BCM) is a strategic, tactical and operational
issue. It is a shared responsibility of TSM, including management and employees
from all business units throughout the organization. In order to implement the
Business Continuity Management Program (BCMP), TSM has defined the Contingency
Management Team (CMT), which is responsible for executing the Crisis Management
process for TSM by responding in a timely manner to emergencies or events which
threaten the business continuity of the company and by communicating effectively
with employees, customers, and the media if necessary through various
communications devices and methods.

 

2. All employees of Triple-S Management Corporation (TSM) and its subsidiaries,
temporary workers, contractors, business partners and third party vendors,
without exception, must comply with the information security policies. Any
employee found to have violated such Policies may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

3. TSM reserves the right to audit networks, systems, or procedures on a
periodic basis to ensure compliance with this policy.

 

In addition, all TSM personnel shall not interfere with federal or state
investigations or disciplinary proceedings by willful misrepresentation or
omission of facts or by the use of threats or harassment against any person.

 

4. Exceptions

 



 

 




 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

5. Non-Compliance

 

An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. Business Continuity Management Program

 

a) The Business Continuity Management Program (BCMP) involves the minimum
requirements to develop and implement the Business Continuity (BC) plans. The
program shall include, at a minimum, documenting processes such as:

 

b) Governance, which specifies formal roles and responsibilities, resource
assignment and budget planning.

 

c) Risk Assessment & Business Impact Analysis, which evaluates potential
threats (natural, technical or human) that may impact TSM’s assets from
achieving its business and operational goals and the actions needed to prevent
or minimize the effects of potential loss.

 

d) Emergency Response, which establishes the immediate reaction and response to
an emergency situation focusing on ensuring life safety and reducing the
severity of the incident.

 

e) Crisis Management, which establishes the overall coordination of TSM’s
response to crisis in an effective, timely manner with the goal of avoiding or
minimizing damage to TSM, profitability, reputation and ability to operate until
specific business continuity plans are activated.

 

f) Business Continuity / Disaster Recovery, which defines the process of
developing and documenting procedures that enable TSM to respond to an event
that lasts for an extended period of time and return to performing its critical
functions after an interruption.

 

g) Communications, which establishes the communication process with employees,
government, customers and all affected shareholders.

 

h) Awareness and Training, which creates and maintains awareness and training to
enhance the skills required to develop and implement the business continuity
management processes.

 



 

 






 

i) Exercise, Evaluation and Corrective Actions, which are performed for the
purpose of training team members and validating the business continuity plans.
The plans shall be tested every two years, or yearly if requested by the Chief
Information Officer or the Chief Technology Officer, in order to ensure that the
plan is still effective. Exercise results identify plan gaps and limitations and
are used to improve the business continuity plans.

 

j) Coordination with Third Parties, which establishes the coordination of
activities and the integration of resources with third parties with the
objective of managing a disrupting event or an exercise.

 

k) Audit and Compliance, which establishes applicable procedures to be aligned
with laws and regulatory requirements.

 

l) Budgeting, annual budgeting for adequate levels of initial development and
on-going maintenance of BC planning is the responsibility of TSM Senior
Management.

 

m) Program Maintenance, which establishes the management process of keeping
TSM’s Business Continuity Management Program up-to-date and aligned with the
corporate Business Continuity strategies.

 

VII. Attachments:

 

N/A

 

Version Control | Effective Date | Approved By (include position name) | Amendment

1 | 09/01/2016 | Juan Díaz Goitía, CIO | 1

 

 

 




 

Policy No.: ISP#27 Page 121 Effective Date: 09/01/2016 Approval Date: 09/01/2016
 Department: Information Security Last Review Date: 08/11/2016  Policy Name:
Patch and Vulnerability Management Policy

Drafted by: René Rivera, IT Compliance Supervisor

Reviewed by: Miguel O. Mercado, Information & Cyber Security Director

Approved by: Juan Díaz Goitía, Chief Information Officer

           

 

I. Purpose:

 

In today’s dynamic and heterogeneous networks, desktops, servers and
communication equipment are prone to software/hardware development errors.
Operating systems and software applications are more affected than other types
of equipment. This creates a fertile environment for malware to compromise
systems and networks containing critical systems. To mitigate these potential
threats, Grupo Triple S has established a policy to identify vulnerabilities and
mitigate them in a timely fashion.

 

II. Scope:

 

This policy applies to all computers, servers and communication systems of Grupo
Triple S found in all subsidiaries of the corporation without exception. It
applies to all operating system brands and versions. It applies to all licensed
and open-source applications.

 

III. Policy:

 

It is the policy of Grupo Triple S to identify and mitigate in a reasonably
timely fashion all the application and operating system vulnerabilities
identified by Vendor and National Vulnerabilities databases applicable to the
corporate inventory of computers, servers and communication equipment.

 

This policy complies with the Patch and Vulnerability Management recommendations
found in NIST Special Publication 800-40 version 2.

 

IV. Definitions:

 

1. PVG – Policy and Vulnerability Group

 

2. NVD – National Vulnerability Database

 

3. Vdb – Vulnerability Database

 

4. CAB – Change Advisory Board

 

V. Responsibilities:

 

1. It is the responsibility of the Information Security Group of Triserve to
carry out this policy. It is the responsibility of the Infrastructure Group of
Triserve to assist in this process by providing an accurate equipment inventory.
It is the responsibility of the Change Advisory Board to meet monthly to discuss
and approve or deny the implementation of vulnerability mitigation techniques.
It is the responsibility of business application owners to accept risks when
threat mitigation is not an option as it could adversely affect daily corporate
operations.

 



 

 




 

2. Exceptions

 

Any exception to the policy must be approved by the Information & Cyber Security
Director in advance.

 

3. Non-Compliance

 

Any employee found to have violated the policy may be subject to disciplinary
actions, up to and including termination of employment. In the event the
violation has been by a contractor and/or provider, the respective contract or
service may be deemed terminated.

 

VI. Procedure:

 

1. The Infrastructure Management Supervisor and/or its designators must use an
automatic tool to create and maintain a Corporate IT Asset Inventory of
computers, servers and communications equipment used by the organization. The
Microsoft Active Directory is a suitable tool to create and maintain such
inventory database.

 

2. The Information Security Group and/or its designators must use an automatic
tool to perform a monthly IT asset scan and provide the differences between the
IT asset scan results and the Corporate IT Asset Inventory to the Infrastructure
Management Supervisor and/or its designators for processing.

 

3. The Information Security Group and/or its designators must use an automatic
tool to create and maintain a Corporate Vulnerability Database. This database
must include an up-to-date list of vulnerabilities from vendor-specific sites
and national vulnerability databases.

 

4. On a monthly basis, the Information Security Group and/or its designators
must use an automatic tool to identify vulnerabilities applicable to the
corporate IT asset inventory.

 

5. The Information Security Group will identify CRITICAL and IMPORTANT security
patches for deployment.

 

6. The TriServe software architecture supervisor and the TriServe data center
operation team must review the list of recommended patches for deployment and
provide full or partial approval of the recommended patches prior to deployment.
If approval is partial, a valid justification must be provided. Possible reasons
for not installing a patch include:

 

a) Application is not compatible with the recommended patch.

 

b) Operating System (OS) is not compatible with the recommended patch.

 

7. The Information Security Group and/or its designators must use an automatic
tool to apply corresponding patches to the following environments in the
specific time windows as follows:

 

a) Test Environment: Any given time window

 



 

 






 

b) Development Environment: Any day from 8PM to 6AM.

 

c) Quality Assurance Environment: From 8PM to 6AM Tuesdays and Wednesdays.

 

d) Production Core Systems (PROD-CORE): From 1:00 AM to 6:00 AM 2nd and 3rd
Sunday of the month.

 

e) Production Non-Core Systems (PROD-NON CORE): From 10:00 PM to 5:00 AM on
Fridays.

 

8. After receiving approval for the installation of the recommended patches, the
Information Security Group will coordinate the installation process based upon
the agreed deployment schedule.

 

9. If patches are not available, Information Security Group and/or its
designators must identify and apply applicable alternate mitigation techniques
to the following environments in the specific time windows as follows:

 

a) Test Environment: Any given time window

 

b) Development Environment: Any day from 8PM to 6AM.

 

c) Quality Assurance Environment: From 8PM to 6AM Tuesdays and Wednesdays.

 

d) Production Core Systems (PROD-CORE): From 1:00 AM to 6:00 AM 2nd and 3rd
Sunday of the month.

 

e) Production Non-Core Systems (PROD-NON CORE): From 10:00 PM to 5:00 AM on
Fridays.

 

10. If alternate mitigation techniques are not available or recommended for a
vulnerability or set of vulnerabilities, the Information Security Group and/or
its designators must identify the application business owner and request the
business owner to fill out a risk acceptance form. The business owner must fill
out a risk acceptance form that must include a remediation plan with
implementation dates.

 

11. If the business owner cannot or will not accept the risk, the Information
Security Group and/or its designators must prepare a removal procedure for the
affected software, system or hardware.

 

12. After approval from CAB, the Information Security Group and/or its
designators must use an automatic tool to apply corresponding patches or
implement alternate configuration adjustment techniques to:

 



 

 






 

a) Quality Assurance Environment: From 8PM to 6AM Tuesdays and Wednesdays.

 

b) Production Core Systems (PROD-CORE): From 1:00 AM to 6:00 AM 2nd and 3rd
Sunday of the month.

 

c) Production Non-Core Systems (PROD-NON CORE): From 10:00 PM to 5:00 AM on
Fridays.

 

VII. Attachments:

 

ATTACHMENT I - Information Security Patch and Vulnerability Management Procedure

 

Version Control

Effective Date

 

Approved By (include position name)

 

Amendment

 

1 09/01/2016 Juan Díaz Goitía, CIO 1 2      



 



 

 



 

 

 



 



 

 

 

 

 

Schedule M

 






 

AUDIT AND RECORD RETENTION REQUIREMENTS

 



 

 

 

 

 

 

 

 

 




 

1. INTRODUCTION

 

(a) This Schedule M (Audit and Record Retention Requirements) sets forth certain
audit and record retention requirements in addition to those audit requirements
set forth in Section 18.6 (Audits and Records) of the General Terms and
Conditions.

 

(b) For the purposes of this Schedule M, references to “Supplier” shall include
Supplier’s Affiliates that are providing Services, including any Approved
Subcontractors that are Supplier Affiliates.

 

(c) “Auditors” shall mean Triple-S, Triple-S Affiliates, and Triple-S customers,
and each of their respective auditors (internal and external), Regulators
(including the applicable auditors of such Regulators) and other representatives
as Triple-S may designate.

 

(d) Supplier shall perform its obligations under this Schedule M (Audit and
Records Retention) [***], except as provided below in Section 1(e). Supplier is
[***].

 

(e) [***] Certain SOC 1, Type 2 Audit Costs

 

(i) Triple-S will [***] for conducting [***] SOC 1, Type 2 audits under Section
3(d) that are to be used exclusively for Triple-S under this Agreement.

 

(ii) If Triple-S requires Supplier to conduct more than two (2) SOC 1, Type 2
audits in a Contract Year, Triple-S will [***].

 

(iii) Triple-S’ obligations under Sections 1(e)(i) and 1(e)(ii) shall not apply
if (A) Supplier provides Claims Services on a platform used to service other
customers; or (B) the SOC 1, Type 2 audits can be used for any of Supplier’s
other customers.

 

2. AUDIT RIGHTS

 

2.1 General Terms

 

(a) Except as otherwise provided below, during the Term and for the longer of:
(x) the applicable periods of time set forth in Section 5(b) solely with
respect to audits of the types of records described therein; (y) the period
ending at the end of the second (2nd) full calendar year after the date on which
the final Function is transitioned back to Triple-S or to a Successor Supplier;
or (z) as required to fulfill a request from a Regulator, the Auditors will have
the right to reasonably inspect, examine and audit those portions of the
systems, books, records (including financial records and contracts), controls,
facilities, practices and procedures of Supplier and its Subcontractors
(beginning on date such Subcontractors begin providing Services under this
Agreement and subject to
Section 3(h)) that are used in rendering the Services, or pertaining to the
Services and systems used to provide the Services, and will have access to
Supplier Personnel performing the Services (collectively, “Audits”) for any of
the following purposes:

 

(i) to verify the accuracy of Supplier’s invoices;

 

(ii) to verify the integrity and accuracy of those elements of Triple-S’s
corporate control processes that are performed by Supplier;

 

(iii) to verify the integrity of Triple-S Data and Supplier’s compliance with
the data privacy, data protection, confidentiality and security requirements of
this Agreement (and Triple-S’s right to audit such compliance shall survive for
the duration of time during which Supplier is required to maintain such
compliance as provided in the Agreement (e.g., Section 21.10 (Duration of
Confidentiality Obligations) of the General Terms and Conditions));

 

(iv) to examine Supplier’s performance of the Services and to verify Supplier’s
compliance with the terms of this Agreement, including (to the extent applicable
to the Services and to the Charges therefore), performing Audits:

 

(A) of policies, practices and procedures;

 

(B) of controls and procedures related to systems, equipment, software and
claims processes;

 

(C) of general controls and security practices and procedures;

 

(D) of Disaster recovery, business continuity, and back-up plans and procedures;

 

(E) of the validity of Supplier’s Charges; and

 

(F) as necessary to enable Triple-S to meet, or to confirm that Supplier is
meeting, applicable regulatory and contractual requirements;

 

(v) to satisfy the reasonable requirements of the Triple-S audit committee and
regulators that are provided or made available to Supplier; and

 

(vi) any other reason required by Law, as set forth in Schedule W (Regulatory
Requirements).

 

(d) Audits will be subject to the following conditions:

 

(i) Audits will be conducted no more than twice per year upon at least thirty
days advance written notice to Supplier, except such limitations shall not apply
in the case of Audits by Triple-S customers, Regulators, in connection with
Security Incidents or Security Breaches, Security Audits, Audits investigating
claims of
unlawful behavior, or Audits being conducted on an emergency basis (such as to
determine if a Triple-S Security Breach is imminent or underway) (collectively,
“Extraordinary Audits”). Audits will be conducted during normal business hours
and in a manner intended to minimize interruption to Supplier’s normal business
operations.

 

(ii) Auditors shall have no access to (A) Supplier’s internal costs (except with
respect to Pass-Through Expenses and Charges that are determined on a cost-plus
basis), or (B) data or other information of other Supplier customers.

 

(e) Supplier will cooperate with the Auditors in conducting Audits and provide
such assistance as they reasonably require to carry out the Audits, including
providing reasonable access to Supplier’s and its Subcontractors’ facilities
(subject to Section 3(h)) records related to the Services, and to any records or
data in Supplier’s control that are relevant to the Supplier systems used to
provide the Services and/or to the Triple-S systems. Furthermore, Supplier will
comply with Triple-S’s internal audit methodology to the extent reasonable and
as it is made known to Supplier by Triple-S in advance, in writing.

 

2.2 Audit Follow-up

 

(a) At Triple-S’s request, Supplier will meet with Triple-S to review each Audit
report promptly after the issuance thereof and to discuss the appropriate manner
and timeframe for remediation of Audit findings, provided that if an Audit
indicates that Supplier is not in compliance with any provision of this
Agreement, any generally accepted accounting principle, rule or regulation, or
other regulatory or audit requirement relating to the Services, Supplier shall
promptly bring the Services into compliance.

 

(b) Supplier and Triple-S agree to develop operating procedures for the sharing
of Audit and regulatory findings and reports related to Supplier’s operating
practices and procedures relevant to the Services produced by Auditors or
Regulators. Supplier shall comply with Triple-S’s internal audit methodology to
the extent reasonable and as Triple-S makes it known to Supplier in advance, in
writing.

 

(c) If an Audit indicates a materially adverse impact to Triple S or Triple S
Data, a control deficiency or material breach of the Agreement, Supplier shall
deliver to Triple-S a corrective action plan to promptly address and resolve any
such deficiencies or recommendations arising out of an Audit. Supplier’s
corrective action plan shall be subject to Triple-S’s prior written approval
(such approval not to be unreasonably withheld or delayed). Upon such approval,
Supplier shall promptly remediate and implement the corrective action plan. Any
such corrective action shall be in addition to, and shall not be in lieu of, any
other recourse or remedies available to Triple-S under this Agreement or
applicable Laws. Corrective action plans must be provided in accordance with
Triple-S’ format and requirements. Triple-S shall conduct monitoring and
validation activities to ensure deficiencies are corrected and are not likely to
recur. At Triple-S’ request, a Supplier executive shall provide an attestation
certifying that corrective and mitigating actions were effectively implemented.

 

2.3 Overcharges

 

If as a result of an Audit it is determined that Supplier has overcharged
Triple-S, Supplier shall within 60 days of such determination credit Triple-S’s
account (or, at Triple-S’s option, pay Triple-S directly) an amount equal to the
overcharge.

 

3. SUPPLIER AUDITS

 

(a) Supplier will develop and maintain internal processes and controls that are
designed to prevent and detect a material misstatement in financial information
processed or generated by Supplier and included in Triple-S’s financial
statements. These processes and controls will be mutually defined and agreed
upon by the Parties within six (6) months after the Effective Date and will
include control requirements that relate to the completeness, accuracy, and
timeliness of the Services.

 

(b) Supplier will permit Triple-S and Auditors to perform an onsite
transactional walkthrough of processes and controls relevant to the Services no
more than twice per year as part of an Audit, or more frequently to the extent
part of an Extraordinary Audit. In preparation for such walkthrough, Supplier
will provide Triple-S with documents describing Supplier’s processes and
controls (e.g., policy and procedure documents, process narratives). During the
walkthrough, Supplier will provide documentation validating Supplier’s
performance of such processes and controls.

 

(c) Supplier will provide Triple-S and its Auditors with documentation
reasonably required to allow Triple-S and its Auditors to complete their
internal control testing. Examples of such documentation may include user access
listings for Supplier-managed applications, Supplier audits of benefit strings,
Supplier audits of pricing and other reference file updates, Supplier audits of
its employee access to Triple-S application systems, and mass pricing file
updates. Triple-S or its Auditors will provide initial documentation requests to
Supplier, and Supplier will provide corresponding documentation or responses
within thirty (30) days. In instances where additional documentation is
necessary or questions are raised, Supplier will provide corresponding
documentation or responses within thirty (30) days. In instances where necessary
to respond more quickly to a Regulator, Supplier will provide the documentation
required above more quickly to enable a timely response to such Regulator.

 

(d) SSAE Audits and HITRUST

 

(i) General Terms and Definitions

 

(A) Supplier will engage a nationally recognized independent accounting firm to
conduct the Service Organization Controls (“SOC”) 1, Type 2 Audits and SOC 2,
Type 2 Audits pursuant to Statement on Standards for Attestation Engagements
(“SSAE”), No. 18, (or an Audit made pursuant to any other guidance that
supersedes or replaces SSAE 18 SOC 1 Type 2 and SSAE 18 SOC 2 Type 2)
(collectively, the “SOC Audits”)
described in this Section 3(d) for each Supplier Facility from which the
Services are provided to Triple-S.

 

(B) Within [***] days following completion of each SOC Audit, Supplier will
deliver to Triple-S a copy of the report provided by the independent auditor
that conducts the SOC Audit (“SOC Audit Report”).

 

(C) At Triple-S’s request, and for no additional compensation, Supplier shall
confirm in writing (“Supplier Bridge Letter”) to Triple-S within [***] of its
request, that there have been no changes in the controls subject to the SOC
Audit since the date of the most recent SOC Audit Report.

 

(ii) From the Service Commencement Date through December 31, 2017, Supplier
shall permit Triple-S to perform certain direct testing of Supplier processes
and controls as necessary for Triple-S to comply with its regulatory and
compliance obligations. The Parties will work in good faith to define the scope
and timing of such direct testing promptly following the Effective Date.

 

(iii) Beginning in [***] and in [***], Supplier shall provide [***] if required
by a Regulator or Triple-S customer) SOC 1 Type II Reports and subsequent Bridge
Letters describing the suitability of the design and operating effectiveness of
the controls executed by Supplier relating to the Services described in SOW #1
(Claims Services) and SOW #2 (IT Services). The scope of the SOC 1 Type II
audits will be mutually agreed upon by the Parties in advance of commencement of
such audit by the Auditor, but at a minimum shall be sufficient to enable
Triple-S to comply with its regulatory and compliance obligations.

 

(iv) In addition to the SOC Audits described above:

 

(A) Subject to paragraph (B) below by [***] and [***] thereafter, Supplier and
Supplier’s Subcontractors, as applicable, shall cause an independent third party
auditor that is familiar with appropriate auditing standards applicable to the
Services to conduct the necessary audits and assessments and certify compliance
with the HITRUST Common Security Framework (“CSF”) for each of the Supplier
Facilities (including Subcontractor facilities) that host Triple-S Data or from
which Triple-S Data is accessed.

 

(B) If a Subcontractor does not meet the CSF requirements above in any Contract
Year for any such facility, Supplier shall obtain and provide to Triple-S a SOW
2 Type II report for such facilities.

 

(e) Upon Triple-S’s request, Supplier will provide Triple-S with (i) summaries
of Supplier audit reports conducted by or for Supplier or its Affiliates
relating to Supplier’s operating practices or procedures, to the extent relevant
to the Services or Triple-S, and (ii) summaries of business continuity and
disaster recovery exercise results to the extent relevant to the Services or
Triple-S, which shall include frequency of the testing, what
was tested, and a summary of the outcome of those tests, and which shall be no
less detailed than similar information that Supplier provides to other customers
similar to Triple-S. The foregoing shall be provided by Supplier within thirty
(30) days after completion of the audit report or occurrence of business
continuity and disaster recovery testing. Supplier will also provide information
regarding its plans to correct, and will correct, any deficiencies or problems
identified in the audit report.

 

(f) If a Supplier audit (including an internal audit, compliance audit, or a SOC
Audit or HITRUST assessment) indicates a materially adverse impact to Triple-S
Data, or to Triple-S, Triple-S Service Recipients, a control deficiency, or any
material breach of this Agreement, Supplier will promptly notify Triple-S,
providing pertinent details so that Triple-S can take steps to avoid or minimize
the adverse impacts, and Supplier shall promptly bring the Services into
compliance with this Agreement and correct such deficiencies. Supplier shall
promptly deliver to Triple-S a corrective action plan to promptly address and
resolve any deficiencies or recommendations arising out of any Supplier audit
related to the Services, which action plan shall be subject to Triple-S’s prior
written approval (which approval shall not be unreasonably withheld or delayed).
Upon such approval, Supplier shall remediate and implement such action plan as
soon as reasonably possible. If Supplier receives a qualified opinion resulting
from a Supplier audit (including an internal audit, compliance audit, or a SOC
Audit, HITRUST assessment), Supplier will promptly remediate the deficiencies
and to the extent they adversely impact Triple-S, and provide Triple-S with
evidence of remediation.

 

(g) If Supplier utilizes a Subcontractor that will provide Services from a
facility that is not controlled by Supplier, Supplier shall make available to
Auditors on an annual basis a SOC Audit Report from such Subcontractor and
Subcontractor facility. If Supplier utilizes a Subcontractor that will provide
Services from a facility that is not controlled by Supplier, and such
Subcontractor will have access to any Triple-S Data, Supplier shall annually
review the audit control and security requirements of such Subcontractor and
remain responsible for ensuring that such Subcontractor’s audit control and
security requirements substantially meet the requirements of Supplier under the
Agreement.

 

4. CONFIDENTIALITY OF AUDITS

 

All audit results and disclosed records will be treated as Supplier Confidential
Information (except to the extent they contain Triple-S Confidential Information
or fall within an exception in Section 21.1(e) (“Confidential Information”
Defined) of the General Terms and Conditions) and shall not be used for any
purpose except as provided in this Schedule M, and except that such results and
records may be disclosed to Regulators or Triple-S Auditors in accordance with
Section 21.2 (Obligations of Confidentiality) of the General Terms and
Conditions.

 

5. RECORDS RETENTION

 

(a) In support of Triple-S’s audit rights, Supplier will keep and maintain (i)
financial records relating to this Agreement in accordance with generally
accepted accounting principles applied on a consistent basis, (ii) records
substantiating Supplier’s invoices, (iii) records pertaining to Supplier’s
compliance with the Service Levels, including Root Cause
Analyses, and (iv) such other operational records pertaining to performance of
the Services as Supplier keeps in the ordinary course of its business.

 

(b) Supplier will retain such records and provide access to them upon request
for Audits until the last to occur of the following:

 

(i) (A) for records that are subject to Laws related to the Medicare program,
ten (10) years after termination or expiration of the Agreement or the
completion of any Audit, whichever is later; (B) for records that are subject to
Laws related to HIPAA, six (6) years after termination or expiration of the
Agreement or longer if required by Law; (C) for records that are subject to Laws
related to the Affordable Care Act, ten (10) years after termination or
expiration of the Agreement; and (D) for records that are subject to similar
Laws, the period(s) of time required by such Laws; and

 

(ii) all pending matters relating to this Agreement (including disputes) are
closed.

 

(c) The record retention periods set forth in Section 5(b) above shall not
apply to information that is subject to litigation involving Triple-S (i.e., a
“litigation hold”), and Supplier shall retain such information for the duration
of time as Triple-S reasonably requests for such purposes.

 

(d) Supplier will cause any Subcontractor of Supplier under this Agreement to
make such Subcontractor’s books and records with respect to the Services
available for inspection, examination and copying by the applicable Regulator
and to retain such books and records in accordance with applicable Laws, which
requirements shall be provided by Triple-S to Supplier.

 

(e) At Triple-S’s request, Supplier will provide to Triple-S copies of publicly
available audited and unaudited financial statements of Supplier and its
Controlling Affiliates.

 



 

 


 



Schedule N

 




 

PROJECT FRAMEWORK

 

 

 

 

 

 

 

 

 














 



TABLE OF CONTENTS

 

1. Introduction
1.1 General Overview
2. Types of Projects
3. Roles and Responsibilities
3.1 Project Sponsor
3.2 Business Lead
3.3 Project Manager
3.4 Business and System Analyst
3.5 Process Analyst
3.6 Subject Matter Expert or Business Team Member
3.7 Development Manager
3.8 Development Team
4. Pricing models
4.1 Fixed Hour Model
4.2 T&M Model
5. Project and activity Approval Process
5.1 Requests and Estimates
5.2 Project Investment Committee Approval
5.3 Task Orders for Projects
5.4 Due Diligence
6. Project Management
6.1 Performance of Projects
6.2 Completion of Projects
6.3 Suspension or Termination of Projects
6.4 Remedies for Delays and Failures
6.5 Corrective Action Plan
6.6 Other Remedies
7. Competitive Bids
8. General Obligations



 



List of Schedules

 

Schedule N-1 (Deliverable and Milestone Acceptance Procedures)

 



 


 



SCHEDULE N

PROJECT FRAMEWORK

 

1. Introduction

 

1.1 General Overview

 

(a) This Schedule N (Project Framework) and its schedules set forth the process
to be followed by the Parties to execute projects under this Agreement (“Project
Framework”). Unless otherwise provided herein or agreed for particular Projects,
the Parties shall follow and utilize the Project Framework for all Projects
performed pursuant to this Agreement, including Projects related to New
Services. “Project” means a discrete unit of discretionary, non-recurring work
(including application development work), with clearly defined scope and
resources, to be performed under a Statement of Work, Task Order, or similar
form of document agreed to by the Parties that results in a unique product,
service, Deliverable or result.

 

(b) The successful completion of any Deliverable prepared and delivered pursuant
to this Agreement and any Milestone to be accomplished during the course of a
Project requires acceptance of such Deliverable or Milestone by Triple-S in
accordance with the Deliverable and Milestone acceptance procedures set forth in
Schedule N-1 (Deliverable and Milestone Acceptance Procedures).

 

(c) The Parties agree that the Project Framework may be too detailed for certain
small work efforts and agree that certain aspects of the Project Framework
process may be omitted or adapted for such Projects upon mutual agreement of the
Parties.

 

2. Types of Projects

 

Triple-S may submit requests to Supplier to perform (or Supplier may propose to
perform) Applications Development Projects, Infrastructure Projects and other
types of Projects at any time during the Term. Such requests or proposals will
be submitted in a Project Request Template in a form to be agreed by the Parties
during Transition (each, a “Project Request”). Project Requests will be
processed and handled as provided in Section 5 (Project Approval Process)
below. Each Project that is an Applications Development Project that counts
against the Applications Support Pool and each Special Infrastructure Project
that counts against the Special Infrastructure Project Pool shall be designated
as such in the applicable Project Request and Task Order.

 

3. Roles and Responsibilities

 

The following description of roles and associated responsibilities are typical
roles that may be formally assigned on a Project. The purpose of this list is
to establish a common framework of roles and responsibilities. Responsibility
for filling out these roles is dependent on the nature of the Project and would
be established, as they are applicable to the Project, pursuant to the
allocation of responsibility in Exhibit A (Services) of SOW #2 (IT Services) and
otherwise as agreed by the Parties up front as part of the Project approval and
initiation process.

 






 



3.1 Project Sponsor

 

(a) The Project Sponsor is the Executive accountable for the project and
principal communicator to the organization. Manages expectations and procures
the necessary resources to foster success. Signs-off on primary project
documentation and decisions.

 

(b) Main Responsibilities:

 

(i) Reviews and approves the business case for the project or initiative;

 

(ii) Reviews and approves the project charter;

 

(iii) Allocates time to host project status meetings periodically;

 

(iv) Reviews project status periodically and keeps C-level informed on progress;

 

(v) Attends project closing workshop to ensure knowledge is captured for future
reference;

 

(vi) Dictates priorities in the project portfolio segment corresponding to its
areas of responsibility;

 

(vii) Supports the proactive resolution of project issues and eliminates
execution barriers;

 

(viii) Procures the necessary budget, both CAPEX and OPEX, and assign/dedicate
the necessary resources to position the project for success;

 

(ix) Reviews project change requests to assess appropriateness and timing, and
signs-off on any change in scope, schedule or budget;

 

(x) Receives from the project team all deliverables to take ownership of the new
processes, systems and resources as part of the regular business operations
under its areas of responsibility;

 

(xi) Champion change management in the area of responsibility to ensure success
post implementation;

 

(xii) Address internal audit of the project as a whole, and sign-off on
management response to the report; and

 

(xiii) Assume or delegate contract management duties when third parties are
involved in the delivered solution.

 

(c) Deliverables:

 






 

(i) Project budget and justification documents for finance; and

 

(ii) Executive Status Report.

 

3.2 Business Lead

 

(a) The Business Lead is the primary point of contact for the operation impacted
by the project. Manages change in the operation and ensures that it is prepared
to assimilate the changes driven by the project. Serves as subject matter expert
and coordinator of activities for users of the proposed solution. Accountable for
Team Members’ work execution.

 

(b) Main Responsibilities:

 

(i) Facilitate with Project Manager the creation of the business case for the
project or initiative;

 

(ii) Review the project charter, schedule, executive summary, documentation and
portfolio information; and provide feedback to the project manager;

 

(iii) Support the project closing workshop to capture lessons learned, benefits,
achievements, metrics to be monitored, and additional opportunities derived from
the project completed;

 

(iv) Attend and actively participate in project status meetings;

 

(v) Contribute to the proactive resolution of project issues;

 

(vi) Monitor task and activity execution by Team Members and operation resources
to ensure their completion based on the established project timeframe;

 

(vii) Monitor actual project costs versus budget and suggest corrective actions
to reduce risks;

 

(viii) Manage expectations and “scope creep”, and draft change requests for
approval by the sponsor;

 

(ix) Assess gaps in the operational processes to align them with the adoption of
new solutions and assess organizational readiness;

 

(x) Lead user acceptance testing and documentation;

 

(xi) Prepare training materials, templates and plan as part of the change
readiness activities for the operation; and

 






 

(xii) When third parties are involved, evaluate the operational aspects of the
contract and performance guarantees.

 

(c) Deliverables:

 

(i) Change requests;

 

(ii) User acceptance documentation;

 

(iii) Operational process gap analysis and readiness assessment;

 

(iv) Training plan; and

 

(v) Training materials and templates.

 

3.3 Project Manager

 

(a) The Project Manager is the primary point of contact for the project's team
and principal communicator to the sponsor. Manages the smooth and coordinated
development, deployment, and implementation of the project's unique outcome
given the necessary resources obtained by the sponsor to foster success.

 

(b) Main Responsibilities:

 

(i) Facilitate with Business Lead the creation of the business case for the
project or initiative;

 

(ii) Draft the project charter and finalize with feedback from the sponsor,
business lead and other team members;

 

(iii) Develop, coordinate and track the execution of the project schedule;

 

(iv) Maintain a one page executive summary, updated weekly at a minimum, of each
project managed;

 

(v) Maintain key project information in the project portfolio and database;

 

(vi) Lead a project closing workshop to capture lessons learned, benefits,
achievements, metrics to be monitored, and additional opportunities derived from
the project completed;

 

(vii) Lead project status meetings, and ad hoc communications with team members,
prepare agendas and capture meeting minutes;

 

(viii) Achieve the proactive resolution of project issues;

 








 

(ix) Maintain project documentation up to date;

 

(x) Establish project milestones with the team members and monitor task and
activity execution to ensure their completion based on the established project
timeframe;

 

(xi) Monitor actual project costs versus budget and take the corrective actions
to ensure the project is completed within the allocated time and budget;

 

(xii) Ensure that project activities are in scope, and that any change request
is documented and presented for approval by the sponsor; and

 

(xiii) Execute tasks for the deployment of each project deliverable to the
sponsor's custody, including training and deployment itself.

 

(c) Deliverables:

 

(i) Project Charter;

 

(ii) Business Case;

 

(iii) Templates Checklist;

 

(iv) Risk Register;

 

(v) Communication Plan;

 

(vi) Project Schedule;

 

(vii) Kick-off Presentation;

 

(viii) Issues and Actions Items Report;

 

(ix) Status Report;

 

(x) Meeting Agenda and Minutes;

 

(xi) Closure Notice;

 

(xii) Lessons Learned Report; and

 

(xiii) Checkpoint Assessment.

 






 

3.4 Business and System Analyst

 

(a) Business and System Analysts lead the definition, documentation and
implementation of the user requirements from idea through deployment in
production. Accountable for design of the conceptual solution in alignment with
business requirements and project plan.

 

(b) Main Responsibilities:

 

(i) Evaluate existent structures to determine functional requirements;

 

(ii) Capture and deliver detailed technical requirements from which a developer
can implement the solution;

 

(iii) Ensure functional design elements and test cases are aligned with business
requirements;

 

(iv) Support the Business Lead in delivering and facilitating training sessions;

 

(v) Design the application components (screens, queries, reports, integrations,
as needed);

 

(vi) Design the technical elements and their relation with the functional and
procedural elements;

 

(vii) Revise all information about the current and the proposed enhanced process
to understand the gaps in detail;

 

(viii) Understand the system functionality related to the process and how it is
impacted by the proposed enhancements;

 

(ix) Develop test cases for user validation and execution of acceptance and
integration tests;

 

(x) Organize acceptance revisions and testing for each deliverable, including
resource and facilities coordination and documentation of the revision / test
results; and

 

(xi) Coordinate the transfer of technology assets from the development to the
quality assurance environment.

 

(c) Deliverables:

 

(i) Business Requirement Document;

 






 

(ii) Test Plan;

 

(iii) Test Cases and Results;

 

(iv) Test Readiness Notice;

 

(v) Business Functional and Technical Design;

 

(vi) Database Checklist;

 

(vii) Performance Requirements; and

 

(viii) Support Requirements.

 

3.5 Process Analyst

 

(a) The Process Analyst leads the definition, documentation and optimization of
user/operational procedures. Accountable for the design of compliant and
efficient procedures, and the mechanisms to monitor their level of performance.

 

(b) Main Responsibilities:

 

(i) Design new processes to solve process-related problems;

 

(ii) Map existing processes and design improved ones (process changes);

 

(iii) Lead process redesign workshops;

 

(iv) Facilitate workshops that involve eliciting process requirements and
liaising with users;

 

(v) Monitoring, measuring and providing feedback on process performance;

 

(vi) Applying their knowledge of business process modeling notations (VSM,
Process Flow) to documenting processes; and

 

(vii) Continuous process improvement applying lean-six-sigma principles.

 

(c) Deliverables:

 

(i) Revised Policies and Procedures;

 

(ii) Revised Desktop Procedures or Standard Operating Procedures as applicable;

 






 

(iii) Metric definitions as designed with the data governance team, including
actual return on investment measures;

 

(iv) Performance monitoring report definitions as designed with the business
intelligence team;

 

(v) Service level agreements with corresponding performance monitoring
mechanisms;

 

(vi) As-Is Process diagrams;

 

(vii) To-Be Process diagrams; and

 

(viii) Process improvement specifications.

 

3.6 Subject Matter Expert or Business Team Member

 

(a) The staff who actively work on the project, at some stage, during the
lifetime of the project. Responsible for performing required tasks and providing
expertise to the Business Lead.

 

(b) Main Responsibilities:

 

(i) Contribute to the proactive resolution of project issues;

 

(ii) Perform tasks and activities as required by their Business Lead to ensure
their completion within the established project timeframe;

 

(iii) Perform user acceptance testing and documentation;

 

(iv) Provide functional expertise in an administrative process;

 

(v) Work with users to ensure the project meets business needs;

 

(vi) Documentation and analysis of current and future processes/systems;

 

(vii) Identification and mapping of information needs;

 

(viii) Defining requirements for reporting and interfacing;

 

(ix) User training; and

 

(x) Support the project closing workshop to capture lessons learned, benefits,
achievements, metrics to be monitored, and additional opportunities derived from
the project completed.

 






 

(c) Deliverables:

 

(i) Required tasks and reports;

 

(ii) User acceptance documentation;

 

(iii) User acceptance tests results and documentation; and

 

(iv) Trainings.

 

(d) For clarification, to the extent these resources are part of the Supplier
Personnel providing Claims Services under SOW #1 (Claims Services), they shall
not be separately chargeable and shall not count against the Application Support
Pool or Special Infrastructure Project Pool.

 

3.7 Development Manager

 

(a) The Development Manager reviews the technical implementation of solutions
(when applicable to a project) in the context of the overall technological
environment and platforms. Provide the necessary resources to meet project
timelines. Develop the resource and level of effort estimates to be presented to
Triple-S.

 

(b) Main Responsibilities:

 

(i) Review the viability of technical solutions and designs in the context of
the overall technological environment and platforms including the
infrastructure, communications, production and security architectures;

 

(ii) Secure and/or procure the necessary resources to meet project timelines,
and provide the resource and level of effort estimated to Triple-S;

 

(iii) Evaluate the technical implementation plan, the automatic job setup
requirements and provide feedback to the lead developer;

 

(iv) Evaluate business and technical development specifications provided by the
Business/System Analysts and provide feedback;

 

(v) Assess unit test scope and plan for completeness;

 

(vi) Support projects by coordinating with QA and System Operations management
the availability of resources on their end to prepare QA and production
environments as required in the timeline;

 

(vii) Deliver the security control transfer plan, the deployment plan and the
go-live checklist; and

 






 

(viii) Build a team that incorporates the necessary Lead Developers, Developers
and Business Consultants to successfully complete deliverables.

 

(c) Deliverables:

 

(i) Technical and business requirement documents feedback;

 

(ii) Level of effort estimates and budgetary requests for development resources;

 

(iii) Security Control Transfer Plan;

 

(iv) Automatic Job Setup Requirements;

 

(v) Infrastructure, security, communications and environment requirements;

 

(vi) Deployment Plan;

 

(vii) General Deployment Report Template; and

 

(viii) Go Live Checklist.

 

3.8 Development Team

 

(a) The Development Team is assembled by Supplier and consists of Lead
Developers, Developers and Business Consultants as necessary to drive the
Project to a successful completion. These roles have individual responsibilities
defined in the Supplier’s policies and procedures. This team is responsible for
the technical implementation of solutions (including software components) in the
context of standards defined by the Supplier’s Technical Architecture team that
address infrastructure, communications, production, operations and security, as
well as the business requirements captured by Triple-S in the context of its
process, application and information architecture standards.

 

(b) Main Responsibilities:

 

(i) Refine the specified technical solutions and designs into software
components and a technical implementation plan;

 

(ii) Analyze the specified technical solutions and designs, to develop software
components meeting milestones in the technical implementation plan;

 

(iii) Distribute software component work items to the developers assigned to the
team, and perform the integration of the components;

 

(iv) Develop software component work items;

 






 

(v) Track the progress of the development work and report status to the project
manager and development manager;

 

(vi) Develop according to best practices and standards;

 

(vii) Evaluate technical development specifications provided by Business/System
Analysts and provide feedback;

 

(viii) Coordinate and execute unit tests; and

 

(ix) Manage integration tests and promote to QA when completed.

 

(c) Deliverables:

 

(i) Software components that passed unit testing; and

 

(ii) Documentation to promote the software solution to QA.

 

4. Pricing models

 

Schedule C (Charging Methodology) will be used to determine whether a Project is
an Applications Development Project or Special Infrastructure Project that is
separately chargeable to Triple-S (collectively, Chargeable Projects) or whether
it is a BAU Activity or other Service that is not separately chargeable to
Triple-S. Regardless of the pricing model used for a Chargeable Project, the
billing rates used shall not exceed the T&M Rates provided in Schedule C
(Charging Methodology). Chargeable Projects will generally be priced either on a
fixed basis (a “Fixed Hour Model”) or variable basis (a “T&M Model”), each as
described immediately below. In appropriate circumstances, the Parties may agree
to use another pricing model for a Project, such as a ‘risk-based’ pricing model
pursuant to which the fees payable by Triple-S will be contingent (in whole or
in part) on a successful Project outcome being delivered.

 

4.1 Fixed Hour Model

 

With respect to a Project identified in a Task Order as being under the Fixed
Hour Model (“Fixed Hour Task Order”), Supplier shall be solely accountable for
completing the work effort and any associated Deliverables and accomplishing the
Milestones described in the applicable Task Order for such Project, in the fixed
number of hours set forth in such Fixed Hour Task Order. Accordingly, subject to
any dependencies or Triple-S responsibilities identified in the Fixed Hour Task
Order, Supplier shall bear all risk that its internal cost and effort to
successfully complete such Project may exceed the fixed number of hours set
forth in the Fixed Hour Task Order. Supplier’s performance of each such Project
shall be subject to the terms of the Agreement, including the applicable Service
Levels. All travel and other expenses related to performing the Project are
included in the Fixed Hour Task Order chargeable amount.

 






 

4.2 T&M Model

 

With respect to a Project identified in a Task Order as being under the T&M
Model (“T&M Task Order”), the Charges for labor for the Project will be
determined by multiplying the number of hours spent by Supplier to perform such
Project by the applicable T&M Rates provided in Schedule C (Charging
Methodology), provided the number of chargeable hours shall not exceed the
number of hours, if any, approved by Triple-S in the applicable Task Order
unless otherwise agreed by the Parties in accordance with the Change Control
Process. Supplier’s performance of each such Project shall be subject to the
terms of the Agreement, including the applicable Service Levels. Travel and
other expenses related to performing the Project are included in the T&M Rates
set forth in Schedule C (Charging Methodology), except as set forth in Schedule
C (Charging Methodology). Costs for infrastructure, Equipment, materials and
third party expenses shall be provided pursuant to Schedule C (Charging
Methodology).

 

5. Project and activity Approval Process

 

5.1 Requests and Estimates

 

(a) Triple-S will give Supplier a written notice identifying the titles of
Triple-S executives who are authorized to initiate Project Requests. Supplier
shall reject in writing any Project Requests submitted by non-authorized
Triple-S personnel. Triple-S Projects will be initiated with an approved
business case and project charter. Within the project plan, activities assigned
to Supplier and Triple-S will be identified. Supplier and Triple-S will assign
the appropriate resources to participate in the planning activities to determine
the level of effort, costs and timeframes for the execution of software
development and implementation activities.

 

(b) After receipt of a Project Request, Supplier will provide Triple-S with
information as described in Section 5.1(d) below and as otherwise needed by
Triple-S to be used for Triple-S’s assessment (“Project Estimate”), and Supplier
will evaluate the high level business requirements for the Project as defined by
Triple-S. Estimates of Supplier’s labor charges must be based on a reasonable
and good faith estimate of the number of hours by labor category required to
complete the Project. At Triple-S’s request, Supplier shall provide the detailed
input and output data generated to provide estimates or fixed price proposals.

 

(c) Unless otherwise agreed by the Parties in writing on a case-by-case basis,
Supplier will provide the Project Estimate to Triple-S within ten (10) Business
Days after a complete Project Request is submitted by Triple-S to Supplier. The
effort of developing Project Estimates and assisting Triple-S in completing the
Project Request assessment pursuant to this Section 5 is included in the
Charges and is not separately chargeable to Triple-S. Triple-S may score and
prioritize Project Estimates in its sole discretion. Each Project Estimate will
be provided in a Project/Task Order in a form to be agreed by the Parties.

 






 

(d) Each Project Estimate will include a high-level overview of:

 

(i) The high level business requirements for the Project;

 

(ii) The technical solution that addresses such high level business
requirements;

 

(iii) Supplier’s labor hours and charges (if applicable) to complete the entire
Project, including a summary breakdown by job category and skill set;

 

(iv) Impacts the Project may have on other Triple-S projects or operations
(e.g., on computer operations, servers, networks, business area resources,
etc.);

 

(v) Impacts to any Services;

 

(vi) Impacts to third party supplier services;

 

(vii) Identification of any key assumptions, risks or dependencies related to
the Project;

 

(viii) If the Project contemplates the licensing, purchase or development of
Software, or implementation of Equipment and other materials in conjunction with
a third party supplier, Supplier will provide a list of such items to be
procured by Triple-S and support Triple-S in estimating costs for such Software,
Equipment or other materials and related services charges and license and
maintenance fees. Costs should include both one-time costs as well as any
recurring costs that would be added or subtracted as a result of the Project’s
implementation;

 

(ix) The estimated time period required to complete the Project, measured in
weeks required, and broken out by relevant development phase, or by other phase
as agreed by the Parties; and

 

(x) The number of hours, broken down by labor category and phases, to complete
the Project.

 

(e) The Parties recognize that, for certain large or complex Projects (“Large
Projects”), Supplier may need to perform some initial assessment work in order
to provide the information required by Section 5.1(d) above (the “Assessment
Phase”). For such Projects, upon Triple-S’s request, Supplier shall deliver to
Triple-S (i) the number of hours and schedule to complete the Assessment Phase,
(ii) the Charges associated with completing the Assessment Phase, and (iii) a
high-level estimate of the number of hours and schedule to complete the
remainder of the Project. If Triple-S requests Supplier to perform the
Assessment Phase, then promptly after completing the Assessment Phase, Supplier
will deliver to Triple-S the estimated timeline and number of hours for Supplier
to complete the Project.

 






 

5.2 Project Investment Committee Approval

 

Following the completion of the Assessment Phase for a Large Project, Supplier
will submit the Project Estimate (and other details requested by Triple-S) to
Triple-S’s appropriate demand management committee or designee, as indicated by
Triple-S from time to time, for approval. If such approval is obtained, then
Supplier will, with Triple-S’s cooperation, complete the “plan” phase, including
documenting Triple-S’s detailed business requirements for the proposed Large
Project and providing an updated timeline estimate and number of hours to be
performed by Supplier Personnel to complete the applicable Large Project. Such
updated estimate and number of hours shall be resubmitted to Triple-S’s
appropriate demand management committee or designee for approval.

 

5.3 Task Orders for Projects

 

(a) Prior to commencing work or authorizing performance of a Project, the
Parties will document the Project in a detailed Task Order prepared using a
template to be agreed by the Parties. Supplier will be responsible for providing
final estimates, Milestones and other information needed to complete the
applicable Task Order. Unless otherwise agreed, each Task Order will document
Supplier and Triple-S responsibilities during each phase of the agreed
methodology that will be followed for the Project.

 

(b) Unless otherwise agreed by the Parties, each Task Order will include
substantially all of the information contemplated by the agreed Task Order
template used for the Project.

 

(c) Once the applicable Task Order is executed by the Parties, Supplier shall
perform the Project in accordance with such Task Order, except as may be
otherwise agreed by the Parties in accordance with the Change Control Process.
No work will be considered a Project, nor may Supplier invoice Triple-S for
Project-related charges, unless and until Triple-S’s authorized representatives
approve in writing and in advance a written Task Order with the information
provided above for such Project.

 

5.4 Due Diligence

 

Due diligence related to each Task Order will be conducted on a schedule agreed
to by the Parties and, unless a delay is caused by Triple-S failing to provide
requested information or Supplier provides notice to Triple-S explaining any
reasons for its inability to follow such schedule, Supplier will follow such
schedule and complete all due diligence with regard to a Task Order by the date
agreed by the Parties.

 






 

6. Project Management

 

6.1 Performance of Projects

 

(a) Supplier shall perform each Project in accordance with a recognized Project
development lifecycle methodology. Applications Development Projects will be
managed according to the Triple-S policies and procedures, and incorporate the
agile software lifecycle management methodology adopted from Supplier for
implementing new solutions or managing changes to software components.

 

(b) On a weekly basis, Supplier will submit to Triple-S a progress report on the
progress of its work on each active Project, including issues, risks, mitigation
strategies and (i) the level of effort spent to-date on each such Project
(including by providing information on hours worked by each Supplier Personnel
on each Project), (ii) Project scope achieved to-date, and (iii) Project budget
utilized and remaining to-date. Items (i), (ii), and (iii) will be rendered as
an earned value calculation.

 

(c) In addition to the applicable meetings set forth in Schedule F (Governance),
Supplier will attend or conduct regular review meetings (as agreed upon by the
Parties on a weekly basis or other frequency agreed upon by the Parties),
including weekly Project status meetings and monthly portfolio reviews, which
will be attended by Supplier Leads and other representatives as the Parties deem
appropriate. During such meetings, the Parties will review Supplier’s weekly
reports and consider progress to-date (including the status of any previously
identified issues) to ensure that work-in-progress (including as related to any
Deliverables and any Milestones) is achieved by scheduled completion dates.

 

(d) Supplier shall be proactive in monitoring and promptly addressing
operational and other issues relating to ongoing performance of Projects, and
shall promptly communicate any issues or potential delays caused by acts or
omissions of Triple-S or its third party service providers. As reasonably
requested by Triple-S from time-to-time, Supplier shall demonstrate to
Triple-S’s reasonable satisfaction that Supplier is making progress consistent
with Supplier’s or third parties’ performance and delivery obligations under
each applicable Task Order.

 

(e) Deliverables and Milestones shall be subject to the acceptance procedures
set forth in Schedule N-1 (Supplier Deliverable and Milestone Acceptance
Procedures).

 

(f) Any Change to a Project will be subject to the Change Control Process set
forth in Schedule O (Change Control Process) and reflected in an updated version
of the original or most recent Task Order.

 






 

6.2 Completion of Projects

 

A Project will be deemed to be complete upon final acceptance of all Supplier
Deliverables and Milestones by Triple-S in accordance with Schedule N-1
(Supplier Deliverable and Milestone Acceptance Procedures).

 

6.3 Suspension or Termination of Projects

 

(a) Triple-S may suspend or terminate a Project and the associated Task Order at
any time by providing Supplier at least ten (10) days’ notice of termination.
Upon receipt of a Project suspension or termination notice, Supplier shall
immediately cease all work on the Project (except those services necessary to
wind-down the Project) and promptly notify Triple-S in writing of any technical
issues, operational risks, necessary wind-down services or transitional
considerations associated with the proposed suspension or termination. Upon
reasonable prior notice by Triple-S, suspended Projects may be reinstated.

 

(b) If the affected Project is chargeable, and provided Triple-S is not
terminating the Project for cause, Supplier will, in accordance with Schedule C
(Charging Methodology), charge Triple-S for the work performed prior to receipt
of Triple-S’s termination or suspension notice, and for work or wind-down work
performed during the time period from receipt of Triple-S’s termination or
suspension notice to the effective date of termination or suspension; provided
that the total hours applied or amount charged shall not exceed the hours or
charges in the applicable Task Order. Upon the effective date of termination or
suspension, Supplier shall deliver to Triple-S all tangible work-in-progress
relating to Deliverables not previously delivered.

 

(c) Notwithstanding the foregoing, nothing in this Section 6.3 shall be deemed
to limit any rights or remedies relating to Supplier’s performance otherwise
available to Triple-S under the circumstances.

 

6.4 Remedies for Delays and Failures

 

(a) The timeliness of Supplier’s performance of Projects is governed by this
Section 6.4.

 

(b) If Supplier fails to successfully complete and secure Triple-S’s acceptance
(such acceptance by Triple-S not to be unreasonably withheld, conditioned or
delayed) of a Project, Deliverable or Milestone in accordance with its
completion schedule and Acceptance Criteria and such failure is not caused by
the acts or omissions of Triple-S, Triple-S may:

 

(i) Require Supplier to continue working on the Deliverable or Milestone until
it is successfully completed and accepted in accordance with its Acceptance
Criteria; or

 






 

(ii) Accept the Deliverable or Milestone in its deficient state, in which case
Supplier’s hours or Charges for performing the Project (if it is a chargeable
concept) shall be equitably adjusted to reflect the deficiencies.

 

(c) If Supplier’s failure to successfully complete and secure Triple-S
acceptance of one or more Deliverables or Milestones for a Project, in
accordance with their respective completion schedule and Acceptance Criteria,
reaches a degree that, in the reasonable judgment of Triple-S, puts the
achievement of the purpose or objectives of the Project in material jeopardy,
Triple-S may exercise the additional remedies set forth in this paragraph.
Triple-S may terminate the Project and return any delivered Deliverables or
tangible portions of Milestones that have not been accepted, which were part of
the Project and any previously accepted Deliverables or tangible portions of
Milestones, the usefulness of which is materially compromised as a result of the
failure, in which case Triple-S shall be liable only for Charges incurred by
Supplier associated with Deliverables and tangible portions of Milestones
achieved and accepted by the effective date of termination of the Task Order and
retained by Triple-S, or, if Triple-S has already been charged for the
applicable Deliverables and Milestones (i.e., those not already accepted),
Triple-S may receive a prompt refund of all Charges paid to Supplier for such
Deliverables and Milestones.

 

6.5 Corrective Action Plan

 

(a) When Triple-S is entitled to exercise its remedies under Section 6.4(c)
above but has not already done so, it may request a corrective action plan from
Supplier (a “Corrective Action Plan”). In such event, Supplier will prepare and
deliver, at Supplier’s expense, a proposed Corrective Action Plan for Triple-S’s
review and approval within five (5) Business Days after receiving the request
(or such other timeframe as the Parties may otherwise agree). The Corrective
Action Plan shall contain the contents described in Section 6.5(b) below based
on the information available at the time.

 

(b) A Corrective Action Plan shall specify in detail reasonably satisfactory to
Triple-S:

 

(i) a description of the problem(s) that led Triple-S to request a Corrective
Action Plan;

 

(ii) where remedy of the problem(s) is possible, the actions that Supplier will
take to effect that remedy;

 

(iii) the actions Supplier will take to prevent the same or substantially
similar problem(s) from recurring in the future;

 

(iv) a timeline for the implementation of the Corrective Action Plan; and

 

(v) any other content that Triple-S may reasonably request.

 






 

(c) After receiving a Corrective Action Plan, Triple-S shall, within two (2)
Business Days, accept it or provide comments to be addressed. In the latter
case, Supplier shall promptly meet with Triple-S to discuss its comments and
shall deliver for Triple-S’s approval a revised Corrective Action Plan
addressing Triple-S’s comments within two (2) additional Business Days. If
Triple-S approves Supplier’s Corrective Action Plan, Supplier shall promptly
implement it to rectify the problems that led to its creation.

 

If Triple-S considers it necessary to ensure the successful execution of the
Corrective Action Plan, it may require the inclusion of expert resources from
Triple-S or Third-Parties on behalf of Triple-S in the execution of the
Corrective Action Plan by Supplier.

 

6.6 Other Remedies

 

The remedies described in this Section 6 are in addition to any other remedy
which Triple-S may have, whether at law, in equity or pursuant to this Agreement
(including termination rights described in this Agreement and other rights
pursuant to Schedule B (Service Level Methodology) to this Agreement).

 

7. Competitive Bids

 

Triple-S may elect to solicit bids from more than one vendor for any particular
Project.

 

8. General Obligations

 

For each Project, Supplier’s obligations include: (a) providing Supplier’s sound
professional judgment in recommending, designing and implementing solutions to
meet Triple-S’s evolving business and technical requirements; and (b) notifying
Triple-S in writing and with reasonable specificity of applicable risks as part
of development.

 






SCHEDULE N-1

 

DELIVERABLE AND MILESTONE ACCEPTANCE PROCEDURES

 



 

 

 

 

 

 

 

 

 




1. INTRODUCTION

 

(a) Deliverables prepared and delivered pursuant to this Agreement and the
achievement of Milestones (including Critical Milestones and others relating to
Transition and Transformation) require acceptance by Triple-S.

 

(b) Acceptance of a Deliverable or Milestone requires Triple-S’s written
confirmation that the Deliverable or Milestone meets applicable Acceptance
Criteria.

 

(c) In the case of Deliverables consisting of Software or operational systems,
such acceptance will include the successful completion of agreed-upon user
acceptance testing (“User Acceptance Testing”) and performance testing as set
forth below.

 

(d) In the case of Deliverables that are component parts of larger Deliverables,
in addition to acceptance of the component Deliverables, the Deliverable
comprised of the component Deliverables will also be subject to acceptance in
its entirety.

 

2. Acceptance Procedure for Deliverables

 

(a) Upon completion of a Deliverable, Supplier shall notify Triple-S in writing
that the Deliverable has been completed in accordance with the requirements of
the Agreement and is ready for acceptance by Triple-S. Prior to doing so,
Supplier shall conduct a quality review of the Deliverable and confirm that it
is complete and in a suitable form for Triple-S’s acceptance. Upon receiving
Supplier’s notice and any additional information required by the Agreement
including this Schedule N-1, Triple-S will evaluate the Deliverable for
acceptance in accordance with the process set forth in this Schedule N-1.

 

(b) In addition to the acceptance procedures described in this Schedule N-1,
other acceptance procedures for Deliverables may be documented in the applicable
Statement of Work, Task Order, Change Order, or other contract document (or
referenced therein to the extent the Parties agree on standard procedures).
Acceptance procedures will be sufficiently rigorous so as to verify that the
Deliverables conform in all material respects to all applicable requirements,
specifications and Acceptance Criteria.

 

(c) Triple-S will be responsible for performing (or participating in, when so
agreed), User Acceptance Testing or performance testing that Triple-S requires
as the basis for Triple-S’s acceptance of Operational Deliverables under this
Schedule N-1. Supplier shall reasonably support such testing, including by
preparing appropriate use cases and test data, making available test collateral
or other applicable documentation, answering questions, etc.

 

(d) The acceptance process outlined below shall not extend the scheduled
completion date for any Deliverable specified in a Task Order or other contract
document (i.e., the Acceptance Period (as defined in the following paragraph)
shall be factored into the scheduled completion date).

 

(e) Triple-S shall notify Supplier as to whether a Deliverable does or does not
satisfy the applicable Acceptance Criteria within the following timeframes or
such other timeframes as may be agreed to (as applicable, the “Acceptance
Period”):

 

(i) For Written Deliverables, the Acceptance Period will be five (5) Business
Days (or such other period as may be stated in the applicable Statement of Work,
Task Order, Change Order, or other contractual documentation) after Supplier’s
delivery of the Deliverable to Triple-S with the required notice indicating that
the Deliverable is ready for Triple-S’s acceptance.

 

(ii) For Operational Deliverables, the Acceptance Period will be ten (10)
Business Days (or such other period as may be stated in the applicable Task
Order or Triple-S-approved Project plan) following the successful completion and
passing of the User Acceptance Testing phase of the Project, conducted according
to the agreed schedule and Acceptance Criteria.

 

(f) If any Deliverable is delivered earlier or later than scheduled, Triple-S
shall endeavor to begin the Acceptance Period promptly after receiving the
Deliverable and any required notices or other materials, as provided above, but
may delay the commencement of the Acceptance Period as reasonably necessary to
accommodate the availability of the Triple-S review or testing resources,
including the personnel responsible for reviewing and accepting it. Similarly,
if multiple Deliverables are delivered to Triple-S within an Acceptance Period
and in a manner different from the timeline set forth in the Task Order, the
Acceptance Period may be extended by Triple-S as reasonably necessary to
accommodate the availability of Triple-S personnel responsible for reviewing and
accepting them.

 

(g) “Acceptance Criteria” shall mean the criteria the Parties agree to use as
the basis to determine whether a Deliverable is complete and ready for
acceptance by Triple-S. In general, the Acceptance Criteria for each Deliverable
will consist of the following:

 

(i) Completion. The Deliverable has been completed and delivered in accordance
with the applicable Task Order or other contract document;

 

(ii) Meets Requirements and Specifications. The Deliverable meets or exceeds
applicable requirements and specifications (performance related and otherwise),
which, in the case of Software or operational systems, must be demonstrated by

 

Triple-S/Supplier Confidential

Page 2

 

CONFIDENTIAL TREATMENT REQUESTED. INFORMATION FOR WHICH CONFIDENTIAL TREATMENT
HAS BEEN REQUESTED IS OMITTED AND MARKED WITH “[***]”. AN UNREDACTED VERSION OF
THE DOCUMENT HAS ALSO BEEN FURNISHED SEPARATELY TO THE SECURITIES AND EXCHANGE
COMMISSION AS REQUIRED BY RULE 24B-2 UNDER THE SECURITIES EXCHANGE ACT OF 1934,
AS AMENDED.

 

Schedule N-1

Deliverable and Milestone Acceptance Procedures





 

the successful completion of all applicable testing (including unit,
performance, system, integration, and other applicable forms of testing);

 

(iii) Representations and Warranties. The Deliverable is in compliance with the
representations and warranties applicable to such Deliverable as set forth in
the Agreement;

 

(iv) Documentation. The Deliverable has been properly and fully documented
pursuant to this Agreement and the applicable Task Order or other contract
document;

 

(v) Successful Completion of Testing. The Deliverable complies with testing
criteria and such other criteria as may be developed and agreed upon by the
Parties, and has successfully passed Acceptance Testing by Triple-S; and

 

(vi) Additional Acceptance Criteria. The Deliverable meets any additional
Acceptance Criteria set forth in the applicable Task Order or other contract
document, or otherwise agreed in writing by the Parties.

 

3. Operational Deliverables

 

(a) “Operational Deliverables” are Deliverables comprised in whole or in part of
Software or operational systems. Prior to the date on which Supplier is
scheduled to deliver each Operational Deliverable to Triple-S, Supplier and
Triple-S will (to the extent not previously set forth in the applicable
Statement of Work, Task Order, Change Order, or other contract document) agree
upon the testing procedures for the Operational Deliverable, including detailed
test criteria, expected results, and permitted defect densities by severity
level, for both entry into and exit from User Acceptance Testing. The User
Acceptance Tests will be designed to confirm that the Operational Deliverable
performs in all material respects with its agreed requirements, specifications
and Acceptance Criteria. Triple-S will have the opportunity during User
Acceptance Testing to evaluate and test each Operational Deliverable in
accordance with the procedures set forth in the applicable Task Order or other
Project document.

 

(b) When Supplier has completed an Operational Deliverable and confirmed that it
meets the criteria for entry into User Acceptance Testing, Supplier will so
notify Triple-S and, if requested by Triple-S, deliver the Operational
Deliverable to Triple-S’s designated User Acceptance Testing site, notify the
designated Triple-S person of delivery and, if Supplier is responsible for
installation, install such Operational Deliverable and perform an installation
test reasonably acceptable to Triple-S to verify that the Operational
Deliverable has been properly delivered and installed. Supplier shall notify
Triple-S in writing when the Operational Deliverable is ready for User
Acceptance Testing; provided, however, that such notice shall not occur prior to
the successful completion by Supplier of System Integration Testing (SIT) (if
required in the applicable Task Order) with results meeting the agreed criteria
for entry into User Acceptance Testing. Supplier’s notice shall include
requirements traceability documentation and a testing summary of Supplier’s SIT
testing of the Operational Deliverable.

 

(c) During User Acceptance Testing, the Parties will follow an agreed process
for notifying Supplier of defects discovered in the Operational Deliverable,
Supplier correcting such defects, and Supplier delivering the corrected
Operational Deliverable to Triple-S for further User Acceptance Testing.

 

(d) The Acceptance Period shall start for the Operational Deliverable when User
Acceptance Testing of it has been completed successfully in accordance with the
agreed criteria (which shall, except when not applicable, include requirements
traceability validation, confirmation of adequate test coverage, and the absence
of remaining severity level 1 and 2 defects). Triple-S shall give written notice
to Supplier by the end of the Acceptance Period stating that the Operational
Deliverable is accepted in its then-current form or describing any failure of
the Operational Deliverable to meet its Acceptance Criteria. If Supplier does
not receive any such notice from Triple-S by the end of the Acceptance Period,
Supplier shall promptly notify Triple-S in writing that no such notice has been
received and Triple-S shall have an additional five (5) Business Days to provide
such notice. If Supplier does not receive such notice within such additional
five (5) Business Days, then the Deliverable shall be deemed accepted.

 

(e) If Triple-S delivers to Supplier a notice of deficiencies, Supplier will at
no additional charge to Triple-S, correct the described deficiencies as quickly
as reasonably possible and, in any event, unless otherwise agreed in writing by
the Parties, within five (5) Business Days after Triple-S notifies Supplier of
the deficiencies.

 

4. Written Deliverables

 

(a) “Written Deliverables” are all Deliverables other than Operational
Deliverables (as defined in Section 3 above). Supplier may submit interim
drafts of Written Deliverables (e.g., system designs and documentation, manuals)
to Triple-S for review. Triple-S agrees to review and, if requested by Supplier,
to reply to each interim draft within a reasonable period of time after
receiving it from Supplier, but in any event within five (5) Business Days.

 

(b) When Supplier delivers a final Written Deliverable to Triple-S for
acceptance, Triple-S will complete its review of such Deliverable within the
Acceptance Period.

 

(c) Triple-S shall give written notice to Supplier by the end of the Acceptance
Period stating that such Written Deliverable is accepted in its then-current
form or describing with reasonable particularity any deficiencies that must be
corrected prior to its acceptance. If Supplier does not receive any such notice
from Triple-S by the end of the Acceptance Period, Supplier shall promptly
notify Triple-S in writing that no such notice has been received and Triple-S
shall have an additional five (5) Business Days to provide such notice. If
Supplier does not receive such notice within such additional five (5) Business
Days, then the Deliverable shall be deemed accepted.

 

(d) If Triple-S delivers to Supplier a notice of deficiencies, Supplier will at
no additional charge to Triple-S, correct the described deficiencies as quickly
as reasonably possible and, in any event, unless otherwise agreed in writing by
the Parties, within five (5) Business Days after Triple-S notifies Supplier of
the deficiencies.

 

(e) Upon receipt of a corrected Written Deliverable from Supplier, Triple-S will
have a reasonable additional period of time to review the corrected Written
Deliverable, but in any event within five (5) Business Days, which will be
without prejudice to any remedies that may be available to Triple-S for the
Written Deliverable not being completed and acceptable by its contractual due
date. Supplier shall, at no additional charge to Triple-S, correct any further
deficiencies identified by Triple-S as quickly as reasonably possible and, in
any event, unless otherwise agreed by the Parties, within five (5) Business Days
after Triple-S notifies Supplier of the further deficiencies.

 

5. ACCEPTANCE OF MILESTONES

 

(a) As agreed by the Parties in writing, Projects performed under this
Agreement, including those comprising the Transition and Transformation programs
associated with the Initial SOWs, will have certain defined checkpoints intended
to assess Supplier’s progress at key stages and validate that progress has been
sufficient to justify the Project proceeding to the next stage of its lifecycle,
as well as to signify when the Project has been completed successfully (each, a
“Milestone”). Each Milestone will have associated acceptance or achievement
criteria, analogous to Acceptance Criteria for Deliverables, which Triple-S will
use as the basis to confirm that the Milestone has been properly achieved or
accomplished (“Milestone Acceptance Criteria”).

 

(b) When Supplier determines that a Milestone has been achieved (i.e., that its
Milestone Acceptance Criteria have all been met or satisfied), Supplier will so
notify the designated Triple-S person in writing, indicating that the Milestone
is ready for Triple-S’s acceptance. Supplier’s notice will include reasonable
documentation substantiating Supplier’s determination that the Milestone has
been achieved. Upon receiving Supplier’s notice, Triple-S will commence a review
to confirm whether or not the Milestone Acceptance Criteria have been met or
satisfied in all material respects. The process for Triple-S to confirm the
achievement of Milestone Acceptance Criteria that involve Operational
Deliverables or Written Deliverables will be as set out in Sections 3 and 4
above. Triple-S shall notify Supplier as to whether a Milestone does or does not
satisfy the applicable Milestone Acceptance Criteria in all material respects
within five (5) Business Days of Supplier’s foregoing notice, or such other
period as agreed by the Parties (the “Milestone Review Period”). At the end of
such review, Triple-S will give Supplier a written notice either confirming
Triple-S’s acceptance of the Milestone or describing with particularity the
Milestone Acceptance Criteria that Triple-S determined were not met or
satisfied. In the latter case, Supplier will, at no additional charge to
Triple-S, take such further actions as are necessary to cause the identified
Milestone Acceptance Criteria to be met or satisfied as quickly as reasonably
possible and, in any event, unless otherwise agreed by the Parties, within five
(5) Business Days after Supplier receives Triple-S’s notice. Upon completing
such actions, Supplier will give Triple-S written notice that it has caused the
previously identified Milestone Acceptance Criteria to be met or satisfied and
the above-described Triple-S review will be repeated.

 

(c) If Triple-S fails to give Supplier a written notice within five (5) Business
Days of the end of the Milestone Review Period, either confirming Triple-S’s
acceptance of the Milestone or describing with particularity the Milestone
Acceptance Criteria that Triple-S determined were not met or satisfied, Supplier
shall promptly notify Triple-S in writing that no such notice has been received
and Triple-S shall have an additional five (5) Business Days to provide such
notice. If Supplier does not receive such notice within such additional five (5)
Business Days, then the Deliverable shall be deemed accepted.

 




SCHEDULE O

 

CHANGE CONTROL PROCESS

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Schedule O Triple-S / Supplier Confidential





 

 





CONFIDENTIAL TREATMENT REQUESTED. INFORMATION FOR WHICH CONFIDENTIAL TREATMENT
HAS BEEN REQUESTED IS OMITTED AND MARKED WITH “[***]”. AN UNREDACTED VERSION OF
THE DOCUMENT HAS ALSO BEEN FURNISHED SEPARATELY TO THE SECURITIES AND EXCHANGE
COMMISSION AS REQUIRED BY RULE 24B-2 UNDER THE SECURITIES EXCHANGE ACT OF 1934,
AS AMENDED.

 

FINAL EXECUTION VERSION

  

SCHEDULE O

Change Control Process

 

1. Introduction

 

With reference to Section 18.4 (Change Control Process) of the General Terms and
Conditions, this Schedule O (Change Control Process) sets forth the Change
Control Process for purposes of the Agreement.

 

2. Change Control Process

 

2.1 Right to Request

 

(a) Either Party may request a Change by submitting to the other Party’s duly
authorized representative a written change notice (“Change Notice”), a form of
which is attached as Schedule O-1 (Sample Change Notice) to this Schedule O,
specifying in detail the proposed Change in accordance with the following
procedure:

 

(i) Part A of a Change Notice will be completed by the duly authorized
representative of the Party that requests the Change, who will act as the Change
Notice sponsor throughout the Change Control Process, and who will submit the
Change Notice to the other Party for its review and approval.

 

(ii) Part B of the Change Notice will be completed by Supplier regardless of
which Party initiates the request for the Change Notice. Unless otherwise
mutually agreed by the Parties, Supplier will complete Part B of all Change
Notices initiated by Supplier within ten (10) Business Days of receipt by
Supplier of a Change Notice initiated by Triple-S.

 

(iii) Upon agreement of the Parties, the form may be replaced by an electronic
system that manages the change control process and allows for the paperless
execution of the complete process with the appropriate evidence, controls and
logs.

 

(b) Supplier and Triple-S will agree to the timeline for completion of each
Change covered in each Change Notice as set forth in Part B of the Change
Notice.

 

(c) In considering a Change Notice, the Parties will determine:

 

(i) Supplier and Triple-S activities necessary to plan, implement and operate
the Change;

 

(ii) Whether the Change is appropriate and beneficial, including by assessing
its implementation and ongoing costs and its impact on existing Services; and

 

(iii) The priority of the Change in relation to other planned work.

 

(d) Prior to using any new business process, procedure, methodology, or any
other Supplier or third party intellectual property to provide the Services,
Supplier shall verify that the process or item is consistent with the
standards, policies and procedures, technical architecture and, if applicable,
strategic direction specified by Triple-S, as included or expressly referenced
in the Agreement (or as such may be modified to accommodate such new business
process, procedure, methodology, or intellectual property in accordance with
the Agreement), and, if applicable, has been properly installed, and is
operating in accordance with its specifications. If the Change is not
consistent with such standards, policies and procedures, technical architecture
and strategic direction specified by Triple-S, the Parties will review and
amend the Change Notice to provide such consistency.

 

2.2 Change Notice Log and Reports

 

(a) Supplier shall: (i) at all times during the Term, maintain a log of all
Changes, to which Triple-S will have access; and (ii) provide monthly reporting
on status and target dates for open Change Notices.

 

(b) The Change Notice log shall include the following details:

 

(i) Control number and date of the Change Notice;

 

(ii) Name of the Party requesting the Change;

 

(iii) Brief description of the Change Notice;

 

(iv) Current status of the Change Notice; and

 

(v) Date of the Change Notice, as applicable.

 

2.3 Costs and Expenses

 

Each Party shall be responsible for all costs and expenses incurred by it and
its employees, agents and contractors with respect to its participation in, and
responsibilities and obligations under, the Change Control Process; provided,
however, any Charges in connection with the Change Control Process shall be
determined in accordance with Section 18.4 (Change Control Process) of the
General Terms and Conditions and with Schedule C (Charging Methodology).

 

3. Approval

 

(a) All Change Notices must be executed by authorized representatives of both
Parties before the Change becomes effective. Upon the execution of a mutually
agreed Change Notice, such Change Notice shall be deemed to be a “Change Order”
for the purposes of the Agreement. The Parties will work in good faith to
finalize and execute a Change Order within thirty (30) days (or as otherwise
mutually agreed upon) from a Party’s receipt of the applicable Change Notice.

 

(b) For purposes of the Change Control Process, the Program Manager will be the
duly authorized representative of Triple-S, and the duly authorized
representative of Supplier will be the Supplier Account Executive.

 

 






 

(c) Any Charges will be determined in accordance with Section 18.4 (Change
Control Process) of the General Terms and Conditions, and, if applicable, the
methodology set forth in Schedule C (Charging Methodology). Supplier shall not
be entitled to an additional charge for a Change, except as otherwise stated in
Section 18.4(d) of the General Terms and Conditions or in Schedule C (Charging
Methodology).

 

(d) Following agreement on all matters between Triple-S and Supplier relating to
any proposed Change, the duly authorized representatives of the Parties shall
execute:

 

(i) A Change Notice, which shall become a Change Order upon execution; or

 

(ii) A Statement of Work or Task Order (if required); and

 

(iii) If required by Section 18.4(e) of the General Terms and Conditions (e.g.,
for changes to the General Terms and Conditions or Schedules), an amendment to
the Agreement in accordance with Section 27.3 (Contract Amendments and
Modifications) of the General Terms and Conditions.

 

(e) All services added or modified by a Change Order shall be “Services” under
the Agreement, and the performance of the Change Order shall in all respects be
governed by the Agreement. Except as expressly provided herein, no part of the
discussions or interchanges between the Parties shall obligate the Parties to
approve any proposed Change or shall constitute an amendment or waiver of the
Agreement unless and until reflected in an approved Change Order and adopted in
accordance with this Schedule O.

 

4. Expedited Procedures for Emergency Changes

 

(a) An “Emergency Change” is a Change desired by a Party to respond to an
emergency that, in the reasonable opinion of such Party, if not implemented
without delay, would cause a serious operational problem or other substantial
adverse effect to Triple-S.

 

(b) If either Party believes that an Emergency Change is necessary, it will so
inform the other Party’s responsible executive (as described in Section 3(b)
above). Such notification will be made as promptly as possible under the
circumstances and may be given verbally (but not via voice mail), provided such
notification is followed up in writing as soon as practicable. As part of the
notification, the Parties’ responsible executives will work to agree
expeditiously on the nature of, process for carrying out, and Charges, if any,
for the Emergency Change. Subject to the terms of this Section 4, as soon as
commercially reasonable (which may follow the implementation of the applicable
Emergency Change), the Parties will document such Emergency Change in a Change
Order.

 

(c) If the requesting Party is unable to contact the other Party’s responsible
executive, the requesting Party shall contact other executives at the other
Party until it is able to obtain the required consent. The Parties will work
together to develop a list of executives and contact information for each Party
for handling such requests.

 

(d) If the Parties are unable to agree on Supplier’s Charges (if any) for
carrying out an Emergency Change, the matter will be referred to the dispute
resolution process described in Section 26 (Dispute Resolution) of the General
Terms and Conditions. In no event will a dispute over such Charges constitute
grounds for Supplier to refuse to carry out or to delay in carrying out an
Emergency Change, and in no event will Triple-S’s payment of any portion of
Supplier’s proposed Charges for an Emergency Change constitute a waiver of
Triple-S’s right to dispute the validity or amount of such Charges.

 

5. Mandatory Changes

 

(a) A “Mandatory Change” means any Change Notice by Triple-S that Supplier is
required to carry out: (i) in order for the Services or Triple-S to be and
remain in compliance with applicable Laws (including any requirements provided
by the Medicaid Administration, Federal Employees Health Program, and Centers
for Medicare and Medicaid), or (ii) in order to avoid a significant adverse
effect on Triple-S’s business or operations.

 

(b) Triple-S requests for Mandatory Changes will be subject to the Change
Control Process so as to ensure they are carried out in a controlled and
disciplined manner, but Supplier may not refuse to enter into a Change Notice,
or to otherwise carry out, a Mandatory Change as directed by Triple-S; provided,
however, the Parties will subsequently evaluate the impact the Mandatory Change
has on the Services (including impacts on Supplier’s processes for performing
the Services) and additional costs and expenses in Supplier complying with the
Mandatory Change. If Supplier is entitled to additional Charges for the
Mandatory Change under Schedule C (Charging Methodology), the Parties will take
such impact, costs and expenses into account as part of the Change Control
Process and the additional Charges for implementing the Mandatory Change.
Triple-S may, in its discretion, require Supplier to implement a Mandatory
Change on an expedited basis (taking into account the scope of the Mandatory
Change and the impact on the Services) where Triple-S reasonably believes that
expedited implementation of the Mandatory Change is necessary to limit
Triple-S’s compliance risk or to otherwise mitigate potential adverse
consequences to Triple-S or its Affiliates, in which case the Parties will
follow the expedited procedures set forth in Section 4 with respect to such
Mandatory Change (i.e., as if it were an Emergency Change).

 

(c) Either Party may submit a dispute concerning a Mandatory Change to the
dispute resolution process set forth in Section 26 (Dispute Resolution) of the
General Terms and Conditions.

 

 




 

Schedule O-1

SAMPLE CHANGE NOTICE

 

Change Notice Number: ____

 

This Change Notice is made and entered into by and between Triple-S and Supplier
pursuant to Schedule O (Change Control Process) of the Agreement.

 

Part A:

 

Submitted by:

 

[Name and Title] 

Date:

Title of Change requested:

Detailed description of Change requested:

Requested timing/priority for the Change:

Triple-S cost center or business unit requesting the Change

Is the requested Change (check if applicable):
☐ an Emergency Change
☐ a Mandatory Change

 

Part B: (To be completed by Supplier as applicable to the specific Change)

 

Task Order or Statement of Work Reference #:

Task Order or Statement of Work Effective Date:

Task Order or Statement of Work Term:

Triple-S P.O. #:

Original Project Overview:

Triple-S Sponsoring Organization:

Triple-S Primary Contact:

Change Summary:

Proposed timeline for implementation of Change:

Critical milestones and dependencies:

Charges (or, if none, indicate “No additional Charge”):

Assessment of the added value and rationale of the proposed Change to Triple-S
(for Supplier-initiated Changes):

Deliverables:

Relevant Acceptance Criteria and details of Acceptance Tests:

Amendments to the Schedules or other attachments to the Agreement:

Changes to the Procedures Manual (list sections to be modified or added, and
describe here):

Other relevant information, including but not limited to Subcontractors,
Transition, Supplier Facilities, resource requirements, impact on other
Projects, etc.:

 

Part C:

 

Triple-S’s approval for Supplier to proceed with the Change as described above
(including applicable Changes to Charges):

 



Approved: ☐ Not Approved: ☐

 





Supplier:

 

By:     Name:        Title:     Date:    



 

Approved: ☐ Not Approved: ☐



 

Triple-S:

 



By:     Name:        Title:     Date:    



 



Additional information required:

 



 




 

 



MASTER SERVICES AGREEMENT   SCHEDULE P   IN FLIGHT PROJECTS

 

 

 



Note:  The Parties anticipate that Supplier will not be responsible with respect
to projects marked as "Not Required" in the "Supplier Activity Category"
column.  Such projects are left in this list of projects solely for the purpose
of having a consolidated list of In-Flight Projects.  Supplier's role with
respect to Projects marked with a "?" in the "Supplier Activity Category" column
will be determined by the Parties during Transition.



 

 

 

 

 

 

 

 

 


 





Business Innovation - Project Management Office


 

Project Portfolio

 Thursday, August 31, 2017

 









# 1
Project ID: 16-044
Project Name: BCBSA CareSourcing Specialty Pharmacy Program
Cluster: Network Management; Line of Business: Com/Adv/PSG; Pillar: Operational Excellence; Department: Clinical Management
Start Date: 2016-11-07; Estimated Date: 2017-03-31; Status: Active
Project Owner: Triple-S; Optum Involvement: 25%; Supplier Activity Category: Application Support Service
Health: Behind Schedule; Phase: Execution/Monitoring
Sponsor: Nydia Ortiz; Project Manager: Elsie Malavé; SAP Account: (blank); Budget: [***]
Notes:
10-11-16 - In the process of getting Business planning approval for the out of
budget form.

# 2
Project ID: PRJ64448
Project Name: Broadway (MA Migration to [***])
Cluster: Claims & Configuration; Line of Business: Advantage; Pillar: Operational Excellence; Department: Configuration
Start Date: 2017-01-09; Estimated Date: 2017-12-31; Status: Active
Project Owner: Triple-S; Optum Involvement: 90%; Supplier Activity Category: Application Support Service
Health: Alert; Phase: Execution/Monitoring
Sponsor: Carmen González; Project Manager: Francisco J. Crespo; SAP Account: 600201; Budget: [***]
Notes: (blank)

# 3
Project ID: 17-004
Project Name: CAP Mailing Improvement 2017
Cluster: Quality Assurance; Line of Business: Com/Adv/PSG; Pillar: Organizational Excellence; Department: Compliance
Start Date: 2017-01-01; Estimated Date: 2017-07-31; Status: Active
Project Owner: Triple-S; Optum Involvement: 50%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Planning
Sponsor: (blank); Project Manager: Ada García; SAP Account: (blank); Budget: (blank)
Notes: (blank)

# 4
Project ID: 16-056
Project Name: CAP Mock Gorman & Internal Absorption of Accuprint Services
Cluster: Corporate Strategy; Line of Business: Com/Adv; Pillar: Organizational Excellence; Department: TSH Finance
Start Date: 2016-11-01; Estimated Date: 2017-09-30; Status: Active
Project Owner: Triple-S; Optum Involvement: 50%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Planning
Sponsor: (blank); Project Manager: Olga E. Molina; SAP Account: (blank); Budget: (blank)
Notes:
Juan Jose Roman - Sponsor

# 5
Project ID: 16-036
Project Name: CareMessage
Cluster: Customer Management; Line of Business: Advantage; Pillar: Operational Excellence; Department: Customer Engagement
Start Date: 2016-07-01; Estimated Date: 2017-04-06; Status: On Hold
Project Owner: Triple-S; Optum Involvement: 25%; Supplier Activity Category: Application Support Service
Health: Behind Schedule; Phase: Execution/Monitoring
Sponsor: Dorelisse Juarbe; Project Manager: Terrako Stallings; SAP Account: (blank); Budget: (blank)
Notes:
Dependency - TracFone deployment
Market Penetration and Platino member response is a concern.
Discussions to include no TracFone TSA/TSS
Pending contract execution, meeting with Edilberto /Veneet to finalize next
steps.
Caremessage Contract
Need to determine if the contract with Care-Message will be joint within
TSS/TSA. Actually TSS has no contract with Care-Message
Contract reviewed by Marisela and Edilberto to submit to legal
Pending Meeting with Veneet to be scheduled, Contract received from Ben/
Caremessage
Contract Review Edilberto / Terrako Contract Submitted to Triple-S Management
Corp- Single Contract to support Medicare and Medicaid
Care Message File Submission Edilberto 2 separate files Triple S Salud and
Triple S Advantage
Process Flow development
Edilberto Terrako to Send Care message FTP info to Edilberto /
11/15/16 Terrako / 11/15/16 FTP document shared
New Care Message Proposal shared with Triple-S Management Corp. Edilberto
Edilberto to share with Sr. Management for review and consideration
Contract Termination “Vivox” Edilberto
Expected DEC Cancellation
Caremessage/TracFone contract Triple-S Management Corp.
Edilberto Contract due date 1/1/17
Contract: 11.14.2016
Meeting with Caremessage. Contract provided and shared with legal dept: Daniel
E. Gonzalez Ortiz
12.6.16 Pending review of contract.
Once contract is signed will have to confirm workflow and messaging
12.23.16 pending contract. Following up with Legal.
12.27.16 TracFone contract provided to legal dept.
12.28.16: Caremessage Cyber Cert provided to Wildalis.
12.30.16 TSS BAA shared with Caremessage, pending return 1.9.17 Contact Care
Message on BAA return
1.9.17 Care message returned BAA
1.19.17 BAA submitted to Legal Dept.
1.20.17 TSS Legal provided MSA for Caremessage review and Signature
Pending return of MSA from Care Message
Pending Return of TracFone contract.
Followed up with Angela, TracFone, contract under review by TracFone Legal
Dept.
2.8.17 Caremessage meeting confirmation, SFTP doc shared with Jose Tores and 2nd
invite to technical meeting on 2.10.17
2.22.23. SFTP Meeting with Tri-S outline file structure and requirements and
test timeline
4.3.2017 Security does not provide approval to Caremessage to provide service
to Tri-S.
4/10/2017, CAREMESSAGE, INVESTIGATING SINGLE SIGN ON OPTION
4.27.2017 Request for update on status of Security Concerns
4.28.2017 Caremessage reply
For password protection, how many attempts does your team recommend before
locking out the user? We're evaluating if this is something we can support.
Re: SSO, that isn't something we can support at this point. None of our other
200 customers have requested this capability, so we'll have to implement without
that in place.
4.28.2017 Referred Email questions to Jonathan Maldonado for Triple S Security
response
5.1.2017 On hold pending Security Solution impact to TracFone
5.1.2017 TriS Security JM, provided details to CM to resolve Single sign on
requirements
5.19.2017 Email received from Caremessage will follow up with Tri-S security
for update.
5.23.2017 Terrako./ follow up with Jonathan and Discuss with Marisella next
steps.
Pending meeting 5.29.2017 Triple S Security had denied Security Clearance to
Caremessage, will follow up with Business Owner, Marisela for next steps

# 6
Project ID: 16-051
Project Name: Centralized Medical Records Storage (OnBase)
Cluster: Quality Assurance; Line of Business: Advantage; Pillar: Grow The Core; Department: Quality
Start Date: 2016-10-01; Estimated Date: 2017-06-30; Status: Active
Project Owner: Triple-S; Optum Involvement: 75%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Execution/Monitoring
Sponsor: Pedro Aponte; Project Manager: Rafael Fonseca; SAP Account: (blank); Budget: [***]
Notes:
04/04/17 - Since HEDIS season already started and project has not been
completed, Natalia expressed that they won't be needing the application by
03/31/17 as previously stated. HEDIS season finishes on Q2. Estimated Due Date
was pushed back to Q2.
02/22/17: Project put on Alert because we are still working on a Master
Agreement with DSP. In discussion with Natalia Diaz, project due date was
pushed back to Q1-2017 due to budget approval and other priorities.

# 7
Project ID: 17-009
Project Name: CES Upgrade
Cluster: Network Management; Line of Business: Com/PSG; Pillar: Clinical Excellence; Department: Clinical Management
Start Date: 2017-02-01; Estimated Date: 2017-04-30; Status: Active
Project Owner: Triple-S; Optum Involvement: 90%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Planning
Sponsor: (blank); Project Manager: Ada García; SAP Account: (blank); Budget: (blank)
Notes: (blank)

# 8
Project ID: 16-012
Project Name: CHM Data Hub (BCBS)
Cluster: Corporate Strategy; Line of Business: Advantage; Pillar: Operational Excellence; Department: Business Intelligence
Start Date: 2016-04-01; Estimated Date: 2017-01-11; Status: Implemented
Project Owner: (blank); Optum Involvement: (blank); Supplier Activity Category: Not Required
Health: On Schedule; Phase: Execution/Monitoring
Sponsor: Carmen González; Project Manager: Francisco J. Crespo; SAP Account: (blank); Budget: [***]
Notes:
Internal Resources

The information requested was sent to CHM and we are waiting for any additional
tasks they may require.

 








 

 

# 9
Project ID: 16-002
Project Name: Claims First Pass Rate
Cluster: Claims & Configuration; Line of Business: Advantage; Pillar: Operational Excellence; Department: Claims
Start Date: 2016-01-01; Estimated Date: 2017-06-30; Status: On Hold
Project Owner: Triple-S; Optum Involvement: 50%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Execution/Monitoring
Sponsor: Carmen González; Project Manager: Verónica Miranda De León; SAP Account: (blank); Budget: [***]
Notes:
We coordinated weekly meetings with Ricardo Rivera, José Espinosa and Miguel
Rodríguez. Currently the project is on hold because the Configuration Analyst
is on sick leave and Carmen Laura is identifying who can replace him for the
configured rule testing. We talked with Ricardo Rivera to change the due date
to 12/30, but first we need to clarify with Carmen Laura when the resource
assigned to the testing is going to be available to have more visibility if
12/30 is achievable.
12/16/16- As discussed with Ricardo Rivera, the Project's date was moved to
06/30/17 because at the moment there is a transfer of knowledge occurring
between resources. Also, we are going to have a meeting with Nydia and Ricardo
to decide if we will continue with the Project. The meeting is being
coordinated to occur the second week of January.
As of 01/10/17- Nydia requested a work session to have more visibility if we
will continue with the project or if it's going to be cancelled because of the
migration. As of January 2017, the project is on hold.
On 02/13/17, there was a conference call with Nydia Ortíz, Iris Aponte, Carmen
González and Ricardo Rivera. In the call the project was discussed and it was
decided we should focus on the system migration. I informed that once there is
a written notification explaining we will not continue with the efforts in this
project, the project is going to be cancelled.

# 10
Project ID: 16-021
Project Name: Claims Payment Integrity
Cluster: Claims & Configuration; Line of Business: Advantage; Pillar: Operational Excellence; Department: Claims
Start Date: 2016-07-14; Estimated Date: 2017-12-31; Status: Active
Project Owner: Triple-S; Optum Involvement: 90%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Execution/Monitoring
Sponsor: Nydia Ortiz; Project Manager: Verónica Miranda De León; SAP Account: 400243; Budget: [***]
Notes:
Contractual negotiation caused a delay in the project, therefore we are going
to be receiving the file on 12/13/2016 to proceed with its analysis. The new
due date will be discussed with Nydia Ortíz and Ricardo Rivera.
In the last Status Report sent on 02/05/17, Optum informed that the letter is
going to be sent on 04/25/2017.
On 04/06/17 we had the meeting to discuss the final results of the recovery
exercise.
On 05/11/2017, recoveries letter was sent to Providers

# 11
Project ID: 17-002
Project Name: Clearinghouse Implementation and Optimization
Cluster: Claims & Configuration; Line of Business: Com/Adv/PSG; Pillar: Operational Excellence; Department: Configuration
Start Date: 2017-03-01; Estimated Date: 2017-06-30; Status: Active
Project Owner: Triple-S; Optum Involvement: 25%; Supplier Activity Category: Application Support Service
Health: On Schedule; Phase: Initiation
Sponsor: Carmen González; Project Manager: Terrako Stallings; SAP Account: (blank); Budget: (blank)
Notes:
Clearing House / Next Steps
Schedule Kick Off Meeting- Coordinating with Michel/Carmen
Legal
• IT Cert Submitted
• Business Case Completed
Legal Next Steps
• 3/20/17 BAA Created under legal for modifications once complete send to
Assertus
• SSS Legal and Assertus agree to specific Service Level Clauses identified in
Security Certification
• Request 2016 SOC1 report for Verizon (Assertus subcontracted Data Center) upon
completion
3/28/2017 BAA signed by Assertus and submitted to Tri-S legal PMO
• WorkPlan/Time Line Update Presentation
Benefits- Team Structure-Accomplishments
• Business Case Completed
• Charter pending Ricardo
BAA Submitted to legal
4/3/2017 Business Rules to Assertus by EOD.
PMO Next Steps
Create Presentation for KICK OFF meeting with Ricardo to complete.
Provide Business rules to Assertus on 4/3/2017
Schedule meeting with Franchesk and Bigio to provide coverage for BA Jose Cameo
• Contact Bigio to Meet with Nelson Sanchez –Optum/Edefx support
• Submitter ID’s ensure loaded into QNX
• Reconciliation process add to each process
• Identify Reconciliation process in-place to today for all submissions- Optum-
Bigio/Nelson Sanchez
• Add Communication process to all providers
• Schedule Meeting to gather enrichment rules
• Gather Submitter files
Time line adjustments
Sprint 1 May 31= Add all providers
• June 30 Go Live
• Sprint 2 July 1
• Sprint 3 TBD
4/10/2017 Business Rules submitted for review and acceptance to Assertus- BRD
in process and evaluation
4/10/2017 Charter Completed
4.11.2017 Claims Submission Implementation plan
4.17.2017 BAA completed
4.19.2017 Healthy Claims process review
4.20.2017 Healthy Claims Meeting next steps identified
4.20.2017 Master load files shared with Assertus
4.27.2017 TS Testing Validation Review Request - Billing/Rendering Relationship
- PHI
4.27.2017 Errors reported in tests under review
4.29.2017 Assertus request new Master load file
5.06/2017 Meeting to discuss Call Center Support - Project Status
5.9.2017 Enrichment Rules discussion-Test results-Portal evaluation and
discussion-Lunch off site
submit the first round of test files. These files are going to be deposited in
the test FTP.
5.19.2017 Meeting Notes
R. Rivera requested more recurring tests. M. Jimenez answered that the test
cycles by Assertus can be sent daily Starting next week.
M. Jimenez requested a Master file to be able to do the tests.
J. Santana will send Master load files refreshed between Monday and Tuesday for
next Week.
M. Jimenez recommended working a production pilot from the first week of June.
Once TS sends load files daily to Assertus, then Assertus can send the claims in
production environment.
Erica indicated that by this time she does not have more details for the
enrichment rules.
Michael explains that the purpose of the pilot process is to determine whether
to add new business rules.
R. Rivera mentioned that we should be thinking about going in go-live for
7/1/2017
5.19.2017
Pending Items:
J. Santana will deposit in the SFTP the Inmediata files for next Tuesday
J. Santana will share a production data file from May 16th so that Assertus can
do the tests tomorrow.
W. Curbelo will deposit the ACK files in the Assertus’s Out Data file, and the
Master files in the Assertus’s Master load file.
5.22.2027 No meeting this week, time to be used for testing. Michael and
Ricardo met to discuss details regarding the contract.
5.29 2017 New GO live date of 6/15/17
5.29.2017 Testing in Progress
5.31.2017 Meeting to discuss Transmission Deposit with Assertus to be held at
2:30 pm

 

 






 

# Project ID Project Name Cluster Line of Business Pillar Department Start Date
Estimated Date Status Project Owner Optum Involvement Supplier Activity Category
Health Phase  Sponsor  Project Manager Cuenta SAP  Budget  Notes
12 16-057 CMS Audit Automation of Universe Generation Quality Assurance Advantage
Organizational Excellence Compliance 2017-06-01 2017-12-31 Active Triple-S 75%
Application Support Service On Schedule Initiation  Jenny Cárdenas  Olga E.
Molina
13 17-010 CMS Bid Products Process 2018 Customer Management
Advantage Grow The Core Customer Engagement 2017-02-01 2017-05-31 Active
Triple-S 15% Application Support Service On Schedule Planning   Mariela Martínez
14 16-011 Compliance 360 Quality Assurance Com/Adv/PSG Organizational
Excellence Compliance 2016-04-01 2017-07-31 Active Triple-S 15% Application
Support Service On Schedule Execution/Monitoring  Jenny Cárdenas  Olga E. Molina
600210  [***]  Phase #2 should be implemented by the beginning of October. Phase
#3 should be implemented by the end of April. (Stage: Execution - 50%
Completion); however, the operational requirements and the IT configuration
process were delayed because of the availability of the resources.
15 16-035 Concierge Program - Phase 1 Customer Management Advantage Operational
Excellence Customer Engagement 2016-09-13 2017-06-12 Active Triple-S 75%
Application Support Service On Schedule Execution/Monitoring  Pedro Aponte
Terrako Stallings     Dependent on Welframe Contract
Internal Process, being documented: Work Flow
Work flow of internal process on specific dept in progress.
Terrako made request to Fernando Moya to provide Proposal 11.30.16
12.6.16 Meeting held to discuss proposal and next steps.
Terrako has requested contact info for vendor CIRACET to coordinate product
demonstration and further discussion.
Meeting scheduled with new vendor CIRACET Dec 21 . 17
12.23.16 LOI needed to proceed.  Request to Mariselle to provide LOI to CIRACET.
12.27.16 MCA emailed to CIRACET, Norris and Fernando
1.17.16 Customer engagement meeting to discuss Concierge, follow up meetings
needed
1.19.17 Meeting with Marisella and Rory to discuss CIRACET proposal and draft
workplan
1.19.17 Marisela provided revised proposal to Pedro and Ciracet, requested
meeting with Pedro to discuss.
1.19.17 Per Fernando, emailed Proposal changes to Ciracet President, pending
response from CIRACET.
1.19.17 Pedro replies to email: To clarify that the intent is not to build a
custom application, but obtain a product/service to support the business
need.  Integrations to other systems would need to be prioritized and delivered
in sprints
1.24.17 Meeting with dept. managers to discuss Concierge impact and learning
dept concerns
1.24.17 Meeting with Rory to cover work plan impacting internal departments.
1.27.17 Concierge Workflow in both Word and Visio formats submitted.
1.31.17 PMO Binder shared
1.31.17 Concierge Workplan
1.31.17 Meeting invite to Ciracet
2.10.17 Concierge/Ciracet Kickoff meeting scheduled 2.10.17
2.16.17 Concierge/Ciracet time line and workplan discussion
2.21.17 Additional meeting scheduled for 2.23.17

 





 




 

2.23.17 On Calendar: Meeting scheduled with Tri-S to discuss manual data
request made of member data by "Fernando" on behalf of Ciracet and SFTP option
3.29.2017 Data file format agreed to by Ciracet/Tri-S
4.3.2017 Tri-S provided contract to Ciracet, pending response from Ciracet.
4.10.2017 Meeting with Ciracet to re-work Workflow to include Pharmacy and
additional STARS requirements; new go live date of MAY 20, 2017
4.11.2017 Adjustments made to workflow
4.12.2017 Training scheduled for 5/8-510- 2017
4.18.2017 Review of Services /Phase 2 Meeting with Pharmacy
4.18.2017 TSA/PCS Requirements discussion
4.18.2017 Program requirements document (TSA PC3 Requirements -Concierge
Program v.10abril) was discussed. It defined which of these will be for phase 1
or phase 2 of the project. Phase 1 is the first 3 months of the pilot project.
It is determined that the Go Live will be for May 11, so phase 2 would begin for
August. (Work plan pending update).
4.21.2017 Outstanding items review and update of workflow
4.21.2017 Scripts Submitted
1. High Call (Discharge Call)
2. Call Coordination PCP view (PCP Visit Coordination Call)
3. Call Satisfaction (Satisfaction Service Call)
4. Call Tracking
5. Welcome call
6. General Coordination (visit coordination call)
4.25.2017 Concierge Program Member Detail updated
4.27.2017 Concierge Go Live doc submitted
4.27.2017 Ticket created to identify Concierge members in HealthSuite request
id ##68924##
4.27.2017 Concierge Member file provided to William B to merge with Identifier
in HealthSuite
4.27.2017 EFT Document submitted to Ciracet to allow for SFTP of PHI Data,
4.28.2017 Meeting with Ciracet to review phase one services, details to be
shared by Ciracet. Fernando suggested encrypted email to share PHI data instead
of SFTP; will contact Ciracet to determine if they will complete EFT document.
5.11.017 BASA out on Medical leave, BRD is incomplete, meeting with Franchesca
to identify outstanding items.
5/15/2017: Request to Ciracet for status of timeline and project update
5.19.17 Manual workaround for phase one is an option if BRD is not complete,
working to complete and automate PHI data share to Ciracet
5/22/2017: Request to Ciracet for status of timeline and project update
5.23.17 Communication per Ciracet: The link is not available.  As soon as I have
a Go I will let you know.  We’re in an internal meeting and later I will send an
update on the project plan.
5.25.17 PC3 access resolved, Brenda working on SOW
5.29.17 Verification on Marketing and Compliance requirements in progress.

 





 




 

16
16-033 Contracting Initiatives - Home Health Network Consolidation Network
Management Com/Adv/PSG Clinical Excellence NW Management 2016-09-01 2017-04-01
On Hold Triple-S 0% Not Required Behind Schedule Execution/Monitoring   Marilia
Torres     02.27 Innovation team evaluating business case.
11.30 Wendeline informed of the need to advise CMS of network reduction.
11.02 Wendeline informed that the effectiveness date of the selected vendor(s)
was changed to 2/1/2017. The distribution of membership will be based on six (6)
regions.
10.25 Wendeline working with RFP draft version to be revised by the Proposal
Steering Committee.
17 16-032 Contracting Initiatives - Laboratory Fee
Adjustment Network Management Com/Adv/PSG Clinical Excellence NW Management
2016-08-31 2017-04-30 On Hold Triple-S 0% Not Required On Schedule Planning
Marilia Torres     02.27 Innovation team evaluating PM support.
02.02 Maritza Vazquez requested at the meeting held on 1/30/17 to move the
estimated due date to 4/30/17.
12.14 Meeting held with Zulma Leon on December 9th to discuss initiative status.
10.01 Preferred lab network to be contracted at 85% vs. regular network at 95%,
effective January 1. 2017.
09.30 New laboratory contract to be developed to contract PPN.

 



 




 

18 16-039 Contracting Initiatives - Prosthetics Implants Network Management
Com/Adv/PSG Clinical Excellence NW Management 2016-09-01 2017-03-31 On Hold
Triple-S 0% Not Required On Schedule Execution/Monitoring   Marilia Torres
02.27 Innovation team evaluating PM support.
19 16-034 Contracting Initiatives - Vision Benefit
Network Management Advantage Clinical Excellence NW Management 2016-09-01
2017-02-15 Implemented     Not Required Behind Schedule Execution/Monitoring
Marilia Torres     06.09 Completed iVision encounters file. It will be presented
to pass to PRD on CAB meeting to be held on June 14, 2017.
01.09 Completed implementation of iVision capitation payment programming.
12.20 Implementing project to comply with benefit configuration, claims testing
and capitation payment.
11.30 iVision was the vendor selected. Working with the required needs to comply
as a delegated entity.
11.02 Vendors have submitted their proposals and are being evaluated by Jennifer
Ferrer and Luis Kianes.
10.14 iVision has submitted their proposal. 2017
09.27 Vision benefits will be provided to Eye Management on October 1st for them
to submit a proposal.
20 16-061 CPP: POS y MOOP 2017 Customer Management
Com/Adv/PSG Operational Excellence Customer Engagement 2016-12-12 2017-10-31
Active Triple-S 25% Application Support Service Behind Schedule
Execution/Monitoring  Dorelisse Juarbe  Olga E. Molina     Operational
Initiative
Dorelisse Juarbe - SPONSOR
21   EDI Transaction 278BX Claims & Configuration
Advantage Operational Excellence Claims 2017-01-20 2017-03-31 Active Triple-S
25% Application Support Service Behind Schedule Execution/Monitoring   Terrako
Stallings     We are confronting issues to have a partner of the Association for
testing. On 05/12/17 there will be a meeting with Iris to decide the
transaction's future. Project transferred in May to Terrako Stallings.
5.15.2017   Item is being addressed with larger Assertus Clearing House project:
5.31.2017   Item is being addressed with larger Assertus Clearing House project:
22 15-019 Electronic Transactions: CORE 276/277 Claims & Configuration Advantage
Operational Excellence Claims 2015-09-01 2017-05-12 Implemented     Not Required
On Schedule Execution/Monitoring  Carmen González  Verónica Miranda De León
 [***]  Budget includes 276/277, 835 ERA/EFT, 277CA.  Web Service was already
exposed with the help of TriServe and Wovenware.  We need to confirm that
276/277 is available and perform some validation tests. As of December 2016,
Wovenware is working on an analysis to identify the changes to be made.  On the
week of 02/20/17, we are going to have status of testing between Wovenware and
HIS. On the week of the 20th (March) we begin testing with Vermont, the tests
failed and we had to make the test cases again.  We are confronting problems
with Health Suite test Environment. As of 04/10/17, all the testing with our
trading partner was successful.  On the week 04/10/17, we will be moving the
transaction to QA.  On 05/05/17, QA Testing was successful.  AD400 was sent to
Ricardo Rivera to be signed. On 05/12/17 the transaction 276/277 was
implemented.  Wovenware is supporting us in programming a dummy response for
when Healthsuite is down and also for when the contract number has more than
nine digits.

 









 


 

23 16-003 Electronic Transactions: Paperless Claims (837) Claims & Configuration
Advantage Operational Excellence Claims 2016-01-01 2017-06-30 Active Triple-S
25% Application Support Service On Schedule Initiation  Carmen González  Terrako
Stallings    [***]  Currently pending on Business Rules definition.
Serena# pending.  Owner/Sponsor is not included in Serena (requestor's
dataset)  On May 1st, project was transferred to Terrako Stallings.
5.19.2017 Meeting with Assertus to discuss
5.31.2017   Item is being addressed with larger Assertus Clearing House project:
24 17-013 E-Marketing Prospect Management Advantage Grow The Core Sales
2017-02-01 2017-08-01 Active Triple-S 50% Application Support Service On
Schedule Execution/Monitoring  Gustavo Pérez  Annette Rivera 600147  [***]
05-31-2017
Completed
1.  Test Cases Documentation
In Progress
1. DSP Development
2. Approval of the BRD
25 16-027 EPSDT - SmartCap Module Implementation Network
Management PSG Clinical Excellence Clinical Management 2016-08-01 2017-12-31
Active Triple-S 50% Application Support Service On Schedule Planning  Dr.
Benjamin Santiago  Rafael Fonseca     08.30 PM Marilia Torres was assigned to
support the implementation of EPSDT SmartCap Module.
10.07 Project transitioned to Terrako Stallings.
11/3/16 Project Charter signature Dr. Santiago
11/16/16 Contract Signed
Obgyn – Dental-Claims, Pharmacy – Eligibility, Dental - 6 months data to
PHM         17-Nov-16 17-Nov-16
Programming time frame for PHM.        11.18.16 to 12.9.16   11.18.16 to 12.9.16
PHM to deliver to Tri-S for development environment        12.12.16  12.12.16
PHM end of development        12.23.16  12.23.16
Triple S UI Test Period        12.27.16 - 1.10.17    12.27.16 - 1.10.17
Triple S QA Begins        1.16.17 -  1.26.17 1.16.17 -  1.26.17
Go Live Production        2.16.17 2.16.17
Terrako announces January 30: Date expected to go live.
Angel Davila explains the Steps
1. Mental Dental Data (LAB) ---PHM –We need OBGYN registry
PHM developmental platform- EPSDT Module
The data is needed for PHM to do their test
They have to eliminate the actual files and replace with the new Mental –Dental
and OBGYN files
Andres Vega and Wilson need to let us know the date the files are to be
delivered.
The expected date is November 11, 2016
If we send the data to PHM (11/11/2016).   PHM needs 3 weeks to do their test.
(With NO ERROR)  PHM will deliver 12/2/2016 to Triple S
2. SSS Development & Implementation: 12/5/2016
SSS -QA -Implementation and Deployments:  we need 2 weeks (12/21/2016) QA we
start
We can’t start QA because Roberto Torres is on vacation from 12-21-2016 to
January 9 2017
Robert Torres (PHM) will start QA implementation: We need 2 weeks for QA
(January 11 to 25)
QA will start in 2017
On January 26 they must deliver the project to us for QA
The database collection time frame is January 2016 – June 2016
Next critical item is 11/11/16 due date for PHM to receive files
On February 28 it will go into production:  1 week
11/16/16  Notes
SmartCap/ EPSDT Contract signed   11.16.2016 11.16.2016
Claims-Mental-Dental –Obgyn Data  provided to PHM  Triple S HIS/Antonio/Wilson
11.17.2016 11.17.2016
PHM Programming Period PHM 11.18.2016 12.9.2016
PHM to deliver to Tris for development environment PHM 12.12.2016 12.23.16
User Interface  Testing Tachie 12.27.2016   1.10.2017
PHM/Triple S Buffer Period PHM Triple S 1.11.2017 1.13.2017
Data Transfer and Prep QA and Production Environment Tri-Serv QA
1.16.2017  1.26.2017
Go into production date Tri-Serv QA/Production  2.2.201 -  2.12.2017
EPSDT GO Live  Tri-Serv 2.13.2

 










 



SmartGap Working session to resolve smart data requirements.
High Priority Items
• 11.30.16  /  12.1.16  Working session held to discuss and resolve File format
issues.
• Items of Concern 1
• Files are not in proper format, 11 fields are requested per PHM – Triple S
responds with 5 data fields. Data retrieval has stopped per Wilson and Antonio
as of 11.11.16 date.  After discussion Wilson and Antonio agree to proceed with
data collection.    Request made to identify what data has been accomplished to
date.  OBGYN-MENTAL-DENTAL-CLAIMS-PHARMACY are being collected; nothing has
been provided to PHM, data previously provided, in error.
• Dec 15 date identified as work slowdown until Jan 15. 2017.
• PHM Vacation and Tri-serv holiday vacation schedule impacting time line.
Awareness request made in June 16, effort began in Sept / Oct 16
PHM was provided data to continue and complete programming
Antonio Vega was asked to create Serena tickets for EPSDT.
High Priority: Critical dates missed  11.11.16  :  Missed data transfer to
PHM, further discussion needed. 11.14.16 Requested update from Antonio Vega and
Wilson. Follow up provided at 11.15.16 Meeting. "Data not complete"
Suggested Options.
Option 1: Provide to PHM the 5 field layout and allow PHM to determine if 6
additional fields are required.
Option 2: Continue gathering mental data, resolve file format issue and deliver
mental data in phase 1 update
Delivery Dates:
This is the original date discussed with and agreed to by Ivelisse;
subsequently Angel Davila told her we could have it done by Jan 30. 2017.  I
explained to Ivelisse, I did not think this was possible due to the delays in
data collection, holiday work slowdown, and critical members taking vacation
over the Christmas, New Year time frame.
Feb 1 2017 Time Line to meet Deadline
• SSS Development & Implementation: 12/5/2016
• Claims-Mental-Dental –Obgyn Data needs to be provided to PHM (11/11/2016).
• Triple-S Management Corp. PHM needs 3 weeks to do their test. (With NO
ERROR)  PHM will deliver 12/2/2016 to Triple S
• SSS -QA -Implementation and Deployments: needed 2 weeks (12/21/2016) QA
“Christmas work slowdown, impact”
• PHM availability - Roberto Torres and Angel Davila will be on vacation
from 12-21-2016 to January 9 2017. PHM Critical Item: Lack of PHM
and Tri-Serv support through QA test period may impact deployment time line.
• Robert Torres (PHM) will start QA implementation after vacation. PHM
Critical Item: 2 weeks needed for QA (January 11 to 25),
• Tri-serve Availability   Critical item Dec 21 to Jan 15  need to ensure
Angel Davila
JAN 30 2017 Time Line to meet new Deadline “Date adjustments needed”
• SSS Development & Implementation: 12/5/2016
• Claims-Mental-Dental –Obgyn Data needs to be provided to PHM
(11/11/2016).  Data provided to PHM on 12.1.16; PHM states an additional 8 days
is needed before evaluation of received EPSDT data, this puts us right at the
15th of Dec, work slowdown here in Triple and therefore schedule slide
until Jan 15th 2017
• Triple-S Management Corp. PHM needs 3 weeks to do their test. (With NO
ERROR)  PHM will deliver 12/2/2016 to Triple S
• SSS -QA -Implementation and Deployments:     need 2 weeks (12/21/2016) QA
“Christmas work slowdown, impact”

 

 




 



• PHM availability - Roberto Torres and Angel Davila will be on vacation
from 12-21-2016 to January 9 2017. PHM Critical Item: Lack of
PHM and Tri-Serv support through QA test period may impact deployment time
line.
• Robert Torres (PHM) will start QA implementation after vacation. PHM
Critical Item: 2 weeks needed for QA (January 11 to 25),
• Tri-serve Availability   Critical item Dec 21 to Jan 15  need to ensure
Angel Davi
12.23.16 We were able to gain access to the EPSDT test environment as of
12.22.2016.  The issue we are facing now is that we have no one here within
Triple S UI/Application testing.  Tachie G. Collazo Morales is the primary for
all EPSDT activity including testing the UI. “Tachie is the key to success of
the “EPSDT” project from clinical perspective”     Tachie has been assigned
other duties taking away from the scheduled test period and impacting time
that could be used for testing. Ivelisse is out and is directing Tachie’s work
load/schedule and priorities.
12.22.16 PHM delivered application to TRI-Serve, however access to
test environment was not provided/validated
Tachie and Terrako spent all day trying to locate PHM team to fix issues.
12.23.16
Continued access issues to 1.9.17, access to test environment via hotspot,
need to address PHM VPN access.
One day of testing completed, very limited.
UI not functioning as expected, also includes issues with grammar and sentence
structure. Terrako providing assessment to PHM and to business owner, pending
review by Lynda.
1.23.17 Data due to PHM, Escalation of data request to Wilson - Ivelisse and
Bigio
1.23.17 Terrako meeting with Wilson and Bigio
1.23.17 Confirmation of data files retired per Tachie and Wilson
1.24.17  Meeting Agenda Shared
Program Status / Phase 1 ? Phase 2?
EPSDT    Schedule Determination - impact of delays

 

 


 

Architecture / Security standards  Internal Process and
status/ concerns  * Next Steps*
Angel Davila submission to PHM process ?
PHM data mapping, updates etc.
Claims Data   and confirmation of new layout. – need to confirm Deliver date-
Wilson
Implementation Status  internal /external / data collection/validation
Pointer /Eligibility issues, previously stated as resolved
Timetable for PHM request / Tri-S response -   Must be in writing – Wilson,
Tachie, Terrako, Lcda Ivelisse Cancel, Antonio Vega and Alejandro Melendez
Technical Specifications (servers, licenses, etc.)    Status / Next Steps
Confirmation of action items PHM/Tri-S
o Internal /Vendor  update
Internal documentation approvals verified
Documentation Confirmation to Vendor.
1.25.17  Meeting Notes
Architecture / Security standards  Internal Process and status/ concerns  * Next
Steps* Angel Davila submission to PHM process ?
PHM  mapping, Municipality  updates location data, zip code city etc.-
Wilson-Antonio  date TBD
Claims Data   and confirmation of new layout. –
Implementation Status  internal /external / data
collection/validation,  Pending review of data by PHM on 1.26 27
Pointer /Eligibility issues, previously stated as resolved  - Wilson due date
of Feb13
Timetable for PHM request / Tri-S response -   Must be in writing – Wilson,
Tachie, Terrako, Lcda Ivelisse Cancel, Antonio Vega and Alejandro
Melendez    “Deliver date- Wilson  3 -5 days = expedite  7 days max. data
request only.
Technical Specifications (servers, licenses, etc.)    Status / Next Steps”     :
Per Jose, no issue preventing going to production, all tickets are in place for
change control and entry to production environment.

 



 




 

Confirmation of action items PHM/Tri-S  - Robert to submit
and confirm data. Internal /Vendor update – PHM on time
Certification Process to go to production: Per Jose, Certification to
production is a non-issue
1.26.17  Files validated by PHM and Tachie begins QA. 1.26.17   Terrako request
to Jose Rivera for expedited process to get through Certification/Change control
to production once QA is completed.
1.31.17  Ivelisse requests cancellation of ongoing meetings, pending EPSDT
determination of program.
2.7.17  Pending update from Ivelisse or Lynda on program status and PMO effort
required.
2.21.17   American Pediatric Association update for 2017.   New
requirements; need to determine impact to schedule, will discuss on 2.22.17
meeting
Ivelisse meeting with Pedro and Lynda to determine next steps to bring project
internal to Tri-S.  Project is on hold as of 3.2.17
4.16.17 go live date

  

 


 

26 17-014 E-SOA
Prospect Management Advantage Grow The Core Sales 2017-02-01 2017-08-01 Active
Triple-S 50% Application Support Service On Schedule Planning  Gustavo Pérez
Annette Rivera 600208  [***]  5/31/2017
Pending Tasks:
1. ESOA Proposal approval
2.  Approval of the BRD
3. Received from Triserve the tablet recommendation document.
27 17-008 HCG
Grouper (Milliman) Corporate Strategy Advantage Grow The Core Risk Management
2017-01-10 2017-10-31 Active Triple-S 25% Application Support Service On
Schedule Initiation  Ivette Reyes  Rafael Fonseca    [***]  05/19/17: Pending on
approval of SOW from Sponsor.  In addition, the approval of the Out of Budget
form that Owner needs to submit.
04/04/17: Application has not been installed in a DEV environment.  Without the
application, Nagnoi cannot begin their development.  We will be establishing a
new Due Date once we know the LOE for integrating the Grouper with OneTSA.
02/22/17: Project put on Alert because we just recently received the
installation file to test the tool.  The design for the solution to integrate
the Grouper with OneTSA depends on these tests.
Project End Date, Stakeholders and next steps will be discussed with Owner on
01/10/17.
28 16-019 HealthSuite Upgrade 14.04 Claims & Configuration Advantage
Operational Excellence Claims 2017-01-26 2017-03-10 On Hold Triple-S 75%
Application Support Service On Schedule Initiation  Carmen González  Francisco
J. Crespo    [***]  This project was put On Hold since we were having problems
with the 834 tests and it was getting too close to AEP. The project should begin
again, early next year.
The business needs to decide priorities between different projects and
limitations. For more information, please reference email sent from Francisco J.
Crespo to Carmen González and Pedro Aponte on January 26, 2017 at 4:39 PM.

 



 




 

# Project ID Project Name Cluster Line of Business Pillar Department Start Date
Estimated Date Status Project Owner Optum Involvement Supplier Activity Category
Health Phase  Sponsor  Project Manager Cuenta SAP  Budget  Notes 29 16-058
Healthy Claims: Adjustment Database Inventory Claims & Configuration Advantage
Operational Excellence Claims 2016-11-01 2017-08-10 Active Triple-S 75%
Application Support Service On Schedule Execution/Monitoring  Nydia Ortiz 
Verónica Miranda De León     On November 2016 there was a meeting between HIS
and Claims and there were identified the requirements.  On December it was
informed by Eduardo Nieves the project is on hold because there is not a
resource available for this project. On 03/02/17 there was a meeting between the
business, BASA and Process Analyst to review what it is needed from the business
side.  On March 21, there was held a meeting with Iris Aponte and the BASA to
discuss the project and the options provided by the BASA.  The business
requirements are supposed to be delivered on 04/05/17. On 04/05/17 the
requirements were delivered. On 04/11/17 a meeting will take place with HIS to
establish ETA's of the milestones.  On 05/01/2017 HIS provided the timeline of
the project with a due date of 08/10/17.  On 05/24/17, Wilson Curbelo confirmed
the programming had begun.

30 17-011 Healthy Claims: CES Application Managed
Services (AMS) Network Management Com/Adv/PSG Clinical Excellence Clinical
Management 2017-02-01 2021-12-31 Active Triple-S 90% Application Support Service
On Schedule Execution/Monitoring   Verónica Miranda De León     As of March
30th, we continue with the accesses situation for the Optum Team. The accesses
were granted on 04/27/17. The First release (Cleanup) was configured on
04/27/17.  The New Change Management Process was effective 04/24/17. Second
Release to be configured on 05/12/17.  The Second Release was configured on
05/12/17. Third Release is scheduled for 05/25/2017. On 05/25/17 the KB was
implemented and on 05/26/17 it had to be rolled back because there were errors
that stopped the adjudication process in TSA.  It is planned to implement again
the KB between Thursday June 3rd and June 5th.

31 16-052 HEDIS Vendor Quality
Assurance Com/Adv/PSG Grow The Core Quality 2016-10-01 2017-06-30 Active
Triple-S 25% Application Support Service On Schedule Execution/Monitoring  Pedro
Aponte  Rafael Fonseca    [***]

32 16-025 Inpatient Value Care - Census Web
Tool Network Management Com/Adv Clinical Excellence Clinical Management
2016-06-01 2017-05-05 Implemented     Not Required Behind Schedule
Execution/Monitoring  Ivonne Vega  Elsie Malavé 600209   02.10 Intermedia is in
the development phase. Expected completion date: 3/9/17.
01.09 Intermedia visited Triple-S (2 weeks) to discuss BRD, and develop work
plan.
12.20 Decision made by Pedro Aponte to develop the new Census Web Tool with
Intermedia vendor.
11.30 BRD discussed with Dra. Vega and Luis Medina on November 30th.
11.07 Team is discussing and gathering new requirements for the Census Web Tool.
Meeting scheduled to be held on November 10th with Wovenware to discuss the new
requirements.
10.27 Presented architecture technical design (interfaces, feeds, new apps
needed) to leaders for feedback and approval.
10.17 Started meetings with Architecture team to define the technical design of
the best solution to be implemented by 4/1/17.
9.21 Wovenware submitted proposal to be evaluated by Triple-S.

 



 






 

33 16-010
Inpatient Value Care - Compensation Model Network Management Com/Adv Clinical
Excellence NW Management 2016-05-01 2017-05-05 Active Triple-S 25% Application
Support Service Behind Schedule Execution/Monitoring  Dr. José Novoa  Marilia
Torres 600209  [***]  06.09 Cardiovascular successfully created cases in Census
Management Tool. Need to perform end-to-end PRD Validation.

06.08 BASA and DAU gathering automated solution requirements to be sent to
leaders for proper revision, and sent to Nagnoi to start development.

05.30 Tested employees and hospital login in PRD. These were successful.

05.24 PRD tasks were completed on May 19th. Errors in login are still being
presented.

05.19 Completed UAT in QA environment. Operation signed AD400 approving the
movement to PRD.

05.05 Completed QA installation and configuration. BASA tested, and results were
not satisfactory.

04.28 Clinical area (identified users) performed testing in Development
environment on April 21 - 22. Technical team working with the resolution of
situations identified by operational area.

04.21 Cardiovascular and San Lucas Ponce were contracted with the new
compensation model. TOC personnel started in Cardiovascular.

04.03 Contracting area needs to confirm the completion of the negotiations with
the hospitals to proceed with the advanced payments.

03.20 Advanced payment approved by Finance, and shared with selected hospitals.
PPN Communication Plan developed by Marketing.

02.27 Contracting area needs to have completed the hospital master contract,
amendment, and advanced payment by the week ending on March 10th.

02.10 Hospital master contract and amendment have not been completed.

12.31 PPN hospital (% discount) configuration completed in both systems (HS and
[***]).

12.20 Hospitals PPN - % of discount in perdiem negotiation completed by
Contracting area. Pending to complete configuration in systems (HS & [***]).

12.15 Dorelisse Juarbe informed on December 12 that the IVC project budget was
approved by the Board.

 



 




 

11.30 Juan Jose Roman approved the project budget on
November 9th. Madeline Hernandez requested a change in scope. Contract three (3)
hospitals as PPN with new compensation model, and contract five (5) hospitals
with a perdiem discount (will not include Transition of Care). These hospitals
will become the PPN on 1/1/17.
11.07 Second meeting with Juan Jose Roman scheduled to be held on November 9th.
10.31 Meeting held with Juan Jose Roman to present the model and receive
project's budget approval.
10.11 Meetings held with Madeline Hernandez to discuss details regarding the
initiative.
08.18 Leaders agreed to perform a pilot program in Mayaguez hospitals (West
region). The initiative is divided in three buckets: Admitting Physician
Program, Transition of Care, and new compensation model for hospitals.
07.14 Fico presented preliminary financial model to be revised by leaders.
06.03 Indicators have been identified, along with the measurement periods and
data sources.
05.19 Met with PSG leaders to understand the hospital model implemented for
certain hospitals within the Medicaid regions. Medicare Advantage leadership
continues to develop the strategy.
04.29 Indicators for the compensation model are being discussed among leaders.

 



 

 


 

34 16-026
Inpatient Value Care - IP Professional Services Program Network Management
Com/Adv Clinical Excellence NW Management 2016-07-01 2017-06-30 Active Triple-S
75% Application Support Service Behind Schedule Execution/Monitoring  Dorelisse
Juarbe  Marilia Torres 600209   06.09 Nagnoi provided an updated timeline: July
24, 2017. DAU performing validations.
05.19 Nagnoi provided timeline. Estimated due date: June 30, 2017.
04.28 Server access situations resolved. Nagnoi to provide new project timeline.
04.21 Server completed on 4/17. Access granted to Nagnoi Consultants.
Nevertheless, Nagnoi is confronting situations to access the server.
04.03 Readmission Monitoring Report has been delayed due to dependency on HEDIS
measures server.
03.20 PO granted to Nagnoi. Pending to grant access to HEDIS Server.
02.27 Nagnoi's SOW is in the process of being approved by Legal area.
02.10 Nagnoi submitted proposal on February 1, 2017 for the readmissions
calculation. Contracting process has started.
12.31 Proposal (options previously discussed) submitted by Nagnoi is being
evaluated by leaders.
12.20 Need to approve proposal with vendor to start the development of
readmissions calculation for Admitting Physician and hospitals.
10.31 Configuration area completed creation of new fixed rates fee schedule for
Admitting Physician, effective November 1, 2016.
10.28 Alianzas area completed orientations to Admitting Physicians about new
compensation model.
10.10 Nagnoi sent proposal to Pedro Aponte for evaluation and determination.
09.26 Pedro Aponte requested proposal to Nagnoi for the calculation of the
readmissions (gross & HEDIS).
09.30 Sent mailing (letters and amendments) to providers and corporations.

35   Inpatient Value Care - OnBase Integration Network Management Com/Adv Clinical
Excellence NW Management 2017-02-01 2017-05-05 Active Triple-S 75% Application
Support Service Behind Schedule Execution/Monitoring   Rafael Fonseca      

 



 

 




 

 

36 16-048
Inpatient Value Care - Transition of Care (TOC) Network Management Com/Adv
Clinical Excellence NW Management 2016-07-01 2017-05-05 Active Triple-S 0% Not
Required Behind Schedule Execution/Monitoring  Dorelisse Juarbe  Marilia Torres
600209   05.19 Presentation of Census Management Tool provided to San Lucas
Ponce Hospital on May 16th.
05.05 Coordination of Census Management Tool presentation to Cardiovascular
hospital completed by A. Alejandro. Pending to confirm San Lucas Ponce hospital.
04.28 San Lucas Ponce hospital provided space for TOC personnel. Clinical area
working with the arrangements to setup the TSS office.
04.21 TOC started on Cardiovascular hospital on the week of 4/3/17.
04.03 TOC personnel has been trained. An operational mock-up was performed on
March 29 - 30. Dr. Novoa informed the staff will not start in the hospitals on
4/3/17.
03.20 TOC personnel has been recruited, and will be trained (VITAL, [***], HS,
and operational process) the week of March 27th.
02.27 Clinical leaders met on Feb. 27 to discuss, and agree upon TOC operational
model.
02.10 V2A will be supporting the implementation of the TOC model.
12.20 Decision made by leaders to implement VITAL platform for hospital revision
and IP pre-authorizations processes.
08.31 Completed definition of the Transition of Care model.

37 17-007 Inpatient
Value Care - VITAL for Hospital Revision and PA admissions Network Management
Advantage Clinical Excellence Clinical Management 2017-01-03 2017-04-01
Implemented     Not Required Behind Schedule Execution/Monitoring   Marilia
Torres 600209   06.09 BASA coordinated and held testing in DEV environment with
clinical personnel.
04.03 TOC personnel can start to perform PA process from the hospitals since MA
membership loaded in VITAL on 4/1/17. Hospital revision for MA line of business
will start when the technical components are completed. Estimated date: 5/5/17.
03.20 PA VITAL workflow completed. Pending approval from Dalila Alonso. VITAL
training was given to MA Nurses, and TOC training will be held on the week of
March 27th.
02.27 Hospital revision workflow has been completed, pending to complete PA
VITAL workflow.
02.13 Performing design system functionality (workflows, letters) for hospital
revision process and pre-authorization.

38   Interqual Connect Network
Management Com/Adv/PSG Clinical Excellence Clinical Management     Active
Triple-S 25% Application Support Service On Schedule Planning  Dr. José Novoa 
Elsie Malavé    [***]  Initial meetings with McKesson done during May 2017

  

 




 

39   MTM Report
Automation (BCBS) Quality Assurance Advantage Organizational Excellence
Compliance 2017-04-03 2017-12-31 Active Triple-S 75% Application Support Service
On Schedule Planning  Jenny Cárdenas  Olga E. Molina     Manuel Mercado -
Business Lead

40 16-053 OneTSA: Phase II (Extensions) Corporate Strategy
Advantage Operational Excellence Business Intelligence 2016-10-01 2017-06-30
Active Triple-S 25% Application Support Service On Schedule Execution/Monitoring
 Carmen González  Rafael Fonseca 600185  [***]  04/04/17 - This project will be
worked in phases
- Serena ID for Phase 1: CHG62575
- Serena ID for Phase 2: CHG63550

41 17-005 OneTSH Corporate Strategy Com/PSG
Operational Excellence Business Intelligence 2017-05-01 2018-03-31 Active
Triple-S 25% Application Support Service On Schedule Planning  Carmen González 
Rafael Fonseca 600205  [***]

42 15-009 Performance Evaluation Application
Corporate Strategy Advantage Operational Excellence TSH Finance 2015-05-01
2017-06-30 Active Triple-S 25% Application Support Service Behind Schedule
Execution/Monitoring  Ivette Reyes  Rafael Fonseca    [***]  02/22/17: Project
is Behind Schedule.  We will be discussing a new Estimated Due Date in our next
project meeting
It has a dependency on Project 15-010 (OneTSA Data Warehouse) and Project 15-011
(Capture all encounters from third parties).  A new completion date needs to be
established taking into account the completion of project 15-011.  This will be
discussed with both Project Sponsors.

43 17-006 PMO Portal Corporate Strategy
Com/Adv/PSG Organizational Excellence Business Innovation 2017-01-01 2017-09-30
Active Triple-S 25% Application Support Service On Schedule Initiation  Pedro
Aponte  Rafael Fonseca    [***]

44   Product & Risk Management Program
Corporate Strategy Com/PSG Grow The Core Risk Management 2017-02-14 2017-12-31
Active Triple-S 0% Not Required On Schedule Planning   Olga E. Molina

45   Provider Data Optimization (Project Sunshine) Network Management Com/Adv/PSG
Operational Excellence PCPs, Alianzas, IPAs 2017-04-19   Active Triple-S 75%
Application Support Service On Schedule Initiation   Elsie Malavé

46 16-014 Providers' Portal: Care Coordination Request Network Management
Com/Adv/PSG Operational Excellence PCPs, Alianzas, IPAs 2017-01-30 2017-12-31 On
Hold Triple-S 50% Application Support Service On Schedule Initiation  Pedro
Aponte  Elsie Malavé    [***]  This phase of the project has a dependency on the
completion of Project 16-006 (Architecture and Security) which has an estimated
due date of 06/30/16.  We still need confirmation from Sponsor on when the
Estimated Due Date for this project will be.  In the meantime, date was changed
from 05/31/16 to 12/31/16 so as to reflect a date which is aligned with its
dependency.

47 16-007 Providers' Portal: Online Providers' Directory Network
Management Advantage Operational Excellence NW Management 2016-02-01 2017-06-30
Active Triple-S 50% Application Support Service Behind Schedule
Execution/Monitoring  Dorelisse Juarbe  Elsie Malavé    [***]  08.23 Project
transitioned to Elsie Malave. The project was in Planning phase.
08.18 Project is in process of being transitioned to new PM, Elsie Malave. Marilia
will complete the pending tasks for the Online Directory - monthly refresh
process.
07.18 Met with Fernando and Jomar to discuss the project's implementation
approach based on SCRUM.
07.06 Project team working to automate directory's extraction from HS, and start
programming the requirements for the new directory.
06.13 Online Directory was updated on June 13th
04.29 Consultant is working with the long-term solution requirements to be
presented to Project Sponsor.
03.31.16 Working with Online Directory - short term solution. Issues with data,
and providers configuration in HealthSuite have been identified, and are being
revised by DAU, Consultant, and Quality Operations Director.

  

 




 

48 16-006
Providers' Portal: Portal Reengineering Network Management Advantage Operational
Excellence NW Management 2016-01-30 2017-05-05 Implemented     Not Required
Behind Schedule Execution/Monitoring  Pedro Aponte  Elsie Malavé    [***] 
5.31.17 - Implemented as part of Phase I IVC Applications

49 17-003 [***]
Optimization Claims & Configuration Com/PSG Operational Excellence Configuration
2017-02-01   Active Triple-S 50% Application Support Service On Schedule
Planning  Carmen González  Annette Rivera 600206  [***]  6/9/2017
Completed Tasks:
1. Conference Call with [***] to discuss project scope, timeline, Team Structure
2. [***] PM identification (Ryan Morse)
3. [***] Optimization new lead (Karen González)

Pending Tasks:
1. Internal review of the custom codes
2. Project Plan approval by [***]

50 16-013 RightFax/OnBase Integration Network
Management Advantage Clinical Excellence Clinical Management 2016-05-02
2017-03-31 Implemented     Not Required On Schedule Execution/Monitoring  Ivonne
Vega  Elsie Malavé    [***]  03/27/17 - Internal testing completed in
development environment and training taking place today.
09/16/16 - Vendor proposal submitted to business owners for approval and out of
budget requisition form requested.
08/26/16 - Project was transitioned to Elsie
Currently working on Scope definition and defining current processes for Case
Management, Pre-Auth and Hospital Discharge.  As of today, budget reflects only
the phase of analysis.  Upon approval of solution, requirements and scope
definition, Vendor (DSP) will give us the quote for the entire project.  In
addition, the Due Date for this project is yet to be established.  It will
depend on the scope and requirements definition.
10-11-16 - Currently in process of documenting the "to be" process.

51 16-038
Seamless Transition Prospect Management Advantage Operational Excellence
Marketing 2016-07-01 2017-06-02 On Hold Triple-S 50% Application Support Service
Alert Execution/Monitoring  Ivette Reyes  Annette Rivera     Pending ASES
approval.

52 16-049 Sharepoint Collaboration Sites: Phase 1 TSA Finance
Corporate Strategy Advantage Organizational Excellence TSH Finance 2016-07-01
2017-12-31 On Hold Triple-S 50% Application Support Service On Schedule Planning
 Ivette Reyes  Rafael Fonseca    [***]  02/16/17 - Put On Hold until Dagmarie
talks to Ivette and decide if she continues with project lead and if there is
going to be an impact on project due to changes in Organization Structure
As discussed with Dagmarie, project was pushed back from 12/31/16 to 03/31/17.

  

 


 

53   Social
Security Number Removal Initiative (SSNRI) Prospect Management Com/Adv  
Enrollment                  Ivette Reyes  Annette Rivera

54 17-016 Support
Implementation of New Credentialing Process Network Management Com/Adv/PSG
Organizational Excellence NW Management 2017-04-03 2017-06-01 Active Triple-S
25% Application Support Service On Schedule Execution/Monitoring  Dr. José
Novoa  Elsie Malavé

55   TSA IVR Population Log Customer Management
Advantage Organizational Excellence Customer Service 2017-06-01 2017-10-31
Active Triple-S 50% Application Support Service On Schedule Initiation   Terrako
Stallings

56   TSS Overpayment Claims & Configuration Comercial
Operational Excellence Claims 2016-11-18 2018-11-15 Active Triple-S 90%
Application Support Service On Schedule Planning   Verónica Miranda De León    
This is a key initiative for TSS for their 11M by 12/31/17 goal. The Project's
Due date is 11/15/18, although 11/14/17 is the date to begin the recouping.  On
05/26/17, the credentials to the Optum team were granted and sent to them, as of
05/31/17 we are waiting on confirmation that they could access [***].

57   VAM
Appeals and Grievances Application Commercial LOB Customer Management Comercial
Operational Excellence Grievances & Appeals 2017-05-16 2017-07-28 Active
Triple-S 25% Application Support Service On Schedule Initiation  Pedro Aponte 
Terrako Stallings     BRD Request made to Tri S, pending date selection,
Letters have been submitted, actual go live date is TBD pending on site meeting
with Vendor Beacon
5.19.17, Pending review of automation and requirements
5.19.17 Provide policy and procedures that would require custom case type and
categories to support Medicaid specific cases/guidelines.
Provide the user list with roles
Create files for the Medicaid Members, providers and claims
Provide custom workflows to support Medicaid
Identify any specific reporting required.
5.24.17  Template issues reported to Beacon
5.26.17 Beacon PM change to Imari Triplett
5.31.2017 Pending follow from Beacon on Templates and Timeline

58 15-005 WIPRO:
Broker 360 Prospect Management Advantage Grow The Core Sales 2015-04-15
2017-03-31 Active Triple-S 25% Application Support Service Behind Schedule
Execution/Monitoring  Gustavo Pérez  Rafael Fonseca 600148  [***]  Broker 360
will run parallel for two months after M360 Go Live
Pending Test Environment Availability.
This is a cloud-based solution.



 

 

 




 



Office of the CIO





Project Portfolio



[***]

# Project Name Line of Business Pillar Supplier Activity Category Start Date Estimated Date Days to Complete Status Health Phase Project Owner Optum Involvement Project Coordinator Budget Notes

1 Buzz Contracting Corporate Organizational Excellence BAU Activity 5/1/2017 8/1/2017 -98 Active On Schedule   NA
2 DR Test TSA 2017 Corporate Organizational Excellence BAU Activity 5/1/2017 7/30/2017 -100 Active On Schedule Execution/Monitoring NA (Completed)   Richard Gonzalez  [***]
3 DR Test GTS 2017 Corporate Organizational Excellence BAU Activity 5/1/2017 7/10/2017 -120 Done On Schedule   Triple-S 70%
4 DR 2.0 (Azure) Corporate Organizational Excellence Not Required 5/1/2017 9/30/2017 -38 Active On Schedule Planning Triple-S 90% Jose Luis Ramirez  [***]
5 Intranet Corporate Operational Excellence Special Infrastructure Project 5/1/2017 9/30/2017 -38 Active On Schedule Contracting Triple-S 10% Zaira Vallenilla  [***]
6 Strat Plan Corporate Organizational Excellence Not Required 5/1/2017 8/30/2017 -69 Active On Schedule Planning Triple-S 30% Zaira Vallenilla  [***]
7 M&A Corporate Organizational Excellence Not Required 5/1/2017 12/31/2017 54 Active On Schedule   Triple-S Special Project
8 InfoTech Research Corporate Operational Excellence Not Required 5/1/2017 6/1/2017 -159 Active Behind Schedule In Signature Triple-S 0% JJ Diaz  [***]

Less than 60 days   Completed Total   8   0

 

 




 

Service Management




 

Project Portfolio

Thursday, August 31, 2017

 



[***]

# Project Name Supplier Activity Category Start Date Estimated Date Days Status Health Phase Project Owner Optum Involvement Project Coordinator Budget Notes

1 Symantec Endpoint Encryption BAU Activity 5/1/2017 7/30/2017 90 Active On Schedule   Optum 100%
2 McAfee Agent BAU Activity 5/1/2017 7/30/2017 90 Active On Schedule   Optum 100%
3 Horizon VDI implementation on Telemedik Special Infrastructure Project 5/1/2017 5/30/2017 29 Active On Hold Execution/Monitoring Optum 100%
4 Horizon VDI implementation on BPO Special Infrastructure Project 5/1/2017 5/30/2017 29 Active Behind Schedule   Optum 100%
5 VDI Pools as Instant Clones for TSS Clients Special Infrastructure Project 5/1/2017 6/30/2017 60 Active On Schedule Execution/Monitoring Optum 100%   [***]
6 AirWatch Implementation Special Infrastructure Project 5/1/2017 7/31/2017 91 Active On Schedule   Optum 100%
7 TSC Transformation Initiative Not Required 5/1/2017 12/30/2017 243 Active On Schedule Execution/Monitoring Optum 100%   [***]
8 Windows 10 / IE 11 BAU Activity 5/1/2017 12/31/2017 244 Active On Schedule   Optum 100%
9 Move KMS Service to another Server Not Required 5/1/2017 6/30/2017 60 Active On Schedule   Optum 100%
10 MDT update on the new server BAU Activity 5/1/2017 6/30/2017 60 Active On Schedule   Optum 100%
11 Citrix Platform Elimination Special Infrastructure Project 5/1/2017 12/30/2017 243 Active On Schedule Planning Optum 100%
12 Audio Visuals Project BAU Activity 5/1/2017 9/30/2017 152 Active On Schedule   Triple-S 80%
13 IT Asset Management (CMDB) Not Required 5/1/2017 6/30/2017 60 Active Behind Schedule Execution/Monitoring Optum 100%
14 CAP - Hardening Guidelines BAU Activity 5/1/2017 9/30/2017 152 Active On Schedule   Triple-S 90%

SERVICE MANAGEMENT       0 Active   Planning       [***]
15 Healthy Claims (7 Initiative) (desktop level) BAU Activity 1/1/2017 12/30/2017 363 Active On Schedule Planning Triple-S 90%   [***]
16 Mainframe PhaseOut Not Required 1/1/2017 6/30/2017 180   On Schedule   Triple-S 20%
17 SLA's Not Required 1/1/2017 12/30/2017 363   On Schedule   Triple-S 50%
18 AHM Domain Migration BAU Activity 1/1/2017 6/30/2017 180   On Schedule   Optum 100%
19 TSA B2B's Automation Process Not Required 1/1/2017 12/31/2017 364 Active On Schedule Operational Optum 100%
20 MA - [***] Migration Special Infrastructure Project 5/1/2017 12/30/2017 243 Active On Schedule   Triple-S 100%
21 [***] Upgrade BAU Activity 1/1/2017 5/30/2017 149 Active On Schedule   Optum 100%
22 Inpatient Value Care Special Infrastructure Project 1/1/2017 12/31/2017 364 Active On Schedule   Triple-S 80%
23 O365 OnBoarding 2 Special Infrastructure Project 6/1/2017 11/30/2017 182 Active On Schedule   Optum 100%

ECM (Onbase Related)       0
24 Bienvenido Project Special Infrastructure Project 1/1/2017 4/30/2017 119   Behind Schedule   Triple-S 80%
25 TSP OnBase Upgrade BAU Activity 3/1/2017 6/30/2017 121   On Schedule   Triple-S 80%
26 TSV OnBase Upgrade BAU Activity 2/1/2017 4/30/2017 88   Behind Schedule   Triple-S 80%
27 Alchemy migration to OnBase Special Infrastructure Project 3/1/2017 7/31/2017 152   On Schedule   Triple-S 80%
28 Unisys migration to OnBase Special Infrastructure Project 3/1/2017 7/31/2017 152   On Schedule   Triple-S 80%
29 Delta C Project Special Infrastructure Project 3/1/2017 6/30/2017 121   On Schedule   Triple-S 80%

SALUS       0
30 SALUS Integration Plan Not Required 1/1/2017 12/31/2017 364   On Schedule   Triple-S 10%
31 Domains Transfer to TSM Not Required 1/1/2017 6/30/2017 180   On Schedule   NA - completed
32 TRA Contract Not Required 1/1/2017 6/30/2017 180   On Schedule   Triple-S 0%
33 NeoMed Contract Not Required 1/1/2017 6/30/2017 180   On Schedule   Triple-S 0%
34 QA Environments Preparation BAU Activity 5/1/2017 9/30/2017 152   On Schedule   Optum 100%
35 Ricoh Scan to Folder BAU Activity 1/1/2017 6/30/2017 180   On Schedule   Optum 100%
36 LAB Integration with NeoMed BAU Activity 5/1/2017 9/30/2017 152   On Schedule   Triple-S 10%
37 CMS CT Rules NEMA XR-29 Standards Compliance ? 4/1/2017 6/30/2017 90   On Schedule   Triple-S 10%
38 New Radiology Modality (Digital Radiology) Special Infrastructure Project 4/1/2017 6/30/2017 90   On Schedule   Triple-S 10%
39 UNE Salus Integration Special Infrastructure Project 5/1/2017 9/30/2017 152   On Schedule   Triple-S 40%

Less than 60 days   9

Row Labels
Aida Martinez
Angel Nazario
Angel Pagan
C Garcia
Cynthia Robles
Damarie Velez
Damaris Massa
David Rivera
Francisco Granados
Ivan Rodriguez
Jorge Bosch
Jose Ramirez
Juan Sepulveda
Miguel Barreto
Monica Oliveras
Rinaldo Perez
Grand Total



 

 

 


 



Operations  [image_004.jpg]





Project Portfolio
Thursday, August 31, 2017

 



| # | Project Name | Line of Business | Pillar | Supplier Activity Category | Start Date | Estimated Date | Column1 | Status | Health | Phase | Project Owner | Optum Involvement | Responsible Project Coordinator | Budget | Notes |
| 1 | O365 | Corporate | Organizational Excellence | Special Infrastructure Project | 5/1/2017 | 7/30/2017 | 90 | Active | Behind Schedule | | Optum | 100% | Hector Rodriguez | | |
| 2 | Firewall Implementation | TST | Operational Excellence | BAU Activity | 5/1/2017 | 6/30/2017 | 60 | Active | On Schedule | | Optum | 100% | Richard Gonzalez | | |
| 3 | Storage Upgrade | TST | Operational Excellence | BAU Activity | 5/1/2017 | 4/30/2017 | -1 | Active | Behind Schedule | | Optum | 100% | Richard Gonzalez | | |
| 4 | LAN | TST | Grow The Core | BAU Activity | 5/1/2017 | 6/30/2017 | 60 | Active | On Schedule | | Triple-S | 70% | Richard Gonzalez | [***] | |
| 5 | WAN | Corporate | Organizational Excellence | BAU Activity | 5/1/2017 | 4/30/2017 | -1 | Active | On Schedule | | Triple-S | 70% | Cynthia Robles | [***] | |
| 6 | Backup Implementation | TST | Organizational Excellence | Special Infrastructure Project | 5/1/2017 | 6/30/2017 | 60 | Active | Behind Schedule | | Optum | 100% | Jose Luis Ramirez | | |
| 7 | Health Suite / [***] Migration | Corporate | Organizational Excellence | Special Infrastructure Project | 5/1/2017 | 9/30/2017 | 152 | Active | Behind Schedule | | Optum | 100% | Hector Rodriguez | | |
| 8 | AIX to 3PAR integration | Corporate | Organizational Excellence | BAU Activity | 5/1/2017 | 6/30/2017 | 60 | Active | On Schedule | | Optum | 100% | Richard Gonzalez | | |
| 9 | Upgrade AIX and Health Suite | TST | Organizational Excellence | BAU Activity | 5/1/2017 | 6/30/2017 | 60 | Active | Behind Schedule | | Optum | 100% | Jose Luis Ramirez | | |
| 10 | SnapShots utilization | TST | Organizational Excellence | BAU Activity | 5/1/2017 | 7/30/2017 | 90 | Active | Behind Schedule | | Optum | 100% | Jose Luis Ramirez | | |
| 11 | Micro segmentation | Corporate | Organizational Excellence | ? | 5/1/2017 | 7/30/2017 | 90 | Active | On Schedule | | Optum | 100% | Hector Rodriguez | | |
| 12 | VDI Improvements | Corporate | Organizational Excellence | Special Infrastructure Project | 5/1/2017 | 7/30/2017 | 90 | Active | On Schedule | | Optum | 100% | Jose Luis Ramirez | | |
| 13 | Informatica | TST | Organizational Excellence | Special Infrastructure Project | 5/1/2017 | 9/30/2017 | 152 | Active | On Schedule | | Optum | 100% | Jose Luis Ramirez | | |
| 14 | MF Sunset | Corporate | Organizational Excellence | Not Required | 5/1/2017 | 6/30/2017 | 60 | Active | Behind Schedule | | Optum | 100% | Jose Luis Ramirez | | |

| Less than 60 days | 8 |

| Row Labels | Count of Responsible |
| Jose Ramirez | 1 |
| Richard Gonzalez | 3 |
| Victor Rivera | 1 |
| Rinaldo Perez | 5 |
| Grand Total | 10 |

 

 

Security

Project Portfolio
Thursday, August 31, 2017

 



[***]

| # | Project Name | Line of Business | Pillar | Start Date | Estimated Date | Status | Supplier Activity Category | Health | Phase | Project Owner | Optum Involvement | Project Coordinator | Budget | Notes | Column1 |
| 1 | SOC2 | Corporate | Organizational Excellence | 5/1/2017 | 7/30/2017 | Active | BAU Activity | On Schedule | Planning | Triple-S | 10% | | | | 90 |
| 2 | CAP | Corporate | Operational Excellence | 5/1/2017 | 6/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 10% | | | | 60 |
| 3 | HighTrust | Corporate | Operational Excellence | 5/1/2017 | 6/30/2017 | Active | Not Required | Behind Schedule | Execution/Monitoring | Triple-S | 10% | | | | 60 |
| 4 | McCafee | TST | Grow The Core | 5/1/2017 | 6/30/2017 | Active | Special Infrastructure Project | On Schedule | | Triple-S | 75% | | | | 60 |
| 5 | NAC | Corporate | | 5/1/2017 | 6/30/2017 | Active | Special Infrastructure Project | Behind Schedule | | Triple-S | 90% | | | | 60 |
| 6 | SIEM (Qradar) | Corporate | | 5/1/2017 | 6/30/2017 | Active | Not Required | Behind Schedule | | Triple-S | TBD | | | | 60 |
| 7 | Data De-identification | Corporate | | 5/1/2017 | 6/30/2017 | Active | Special Infrastructure Project | Behind Schedule | | Triple-S | TBD | | | | 60 |
| 8 | Azure Security | Corporate | | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | | Triple-S | TBD | | | | 121 |
| 9 | Firewall Security | Corporate | | 5/1/2017 | 6/30/2017 | Active | Not Required | On Schedule | | Triple-S | TBD | | | | 60 |
| 10 | CyberArk | Corporate | | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | | Triple-S | TBD | | | | 121 |
| 11 | Phisme | Corporate | | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | | Optum | 100% | | | | 121 |
| 12 | Intune | Corporate | | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | | Optum | 100% | | | | 121 |

| BAU Activity | Less than 60 days | Special Infrastructure Project | 7 | Application Support Service |

| Row Labels | Count of Responsible |
| Rene Rivera | 3 |
| Vincent DeHoyos | 17 |
| Juan Orfila | 1 |
| Grand Total | 21 |



 

 

Compliance

Project Portfolio
Thursday, August 31, 2017



[***]

| # | Project Name | Line of Business | Pillar | Start Date | Estimated Date | Status | Supplier Activity Category | Health | Phase | Project Owner | Optum Involvement | Project Coordinator | Budget | Notes | Column1 |
| 1 | HHS-OCR CAP | Corporate | Compliance | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | TST Management | | | 121 |
| 2 | SOX Qtr. Certification | Corporate | Compliance | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | Corporate | | | 121 |
| 3 | LexisNexis roles revision and re-training | Corporate | Operational Excellence | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | Corporate | | | 121 |
| 4 | CMS-HEDIS File Change Request | Corporate | Compliance | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | Execution/Support | Triple-S | 0% | TSS Compliance | | | 121 |
| 5 | Investigation of possible breach. (various) | Corporate | Compliance | 5/1/2017 | 4/30/2017 | Done | Not Required | On Schedule | Execution/Support | Triple-S | 0% | TSS Compliance | | This is an on-going activity | -1 |
| 6 | APS / PSG ASES monthly system availability | Corporate | Compliance | 5/1/2017 | 4/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | TSS Compliance | | This is an on-going activity | -1 |
| 7 | OFAC numerous vendor verification | Corporate | Compliance | 5/1/2017 | 4/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | TSS Compliance | | This is an on-going activity | -1 |
| 8 | Termination control monitoring | Corporate | Compliance | 5/1/2017 | 4/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | TST Compliance | | This is an on-going activity | -1 |
| 9 | Assets inventory initiative | Triserve | Operational Excellence | 5/1/2017 | 8/30/2017 | Active | Not Required | Behind Schedule | Execution/Monitoring | Triple-S | 0% | TST Compliance | | This activity depends on the implementation of the ME | 121 |
| 10 | BC strategy re-define | Corporate | Operational Excellence | 5/1/2017 | 8/30/2017 | Active | Not Required | On Schedule | Execution/Monitoring | Triple-S | 0% | Corporate | | This is an on-going activity | 121 |
| 11 | CMS User certification process | Corporate | Compliance | 5/1/2017 | | Done | Not Required | On Schedule | Execution | Triple-S | 0% | TST Compliance | | | -42856 |
| 12 | Privacy Organization Model (POM) participation and scope definition | Corporate | Compliance | 5/1/2017 | | Active | Not Required | On Schedule | Execution/Support | Triple-S | 0% | TST Compliance | | | -42856 |
| 13 | Compliance 360 document population for retention | Corporate | Compliance | 4/1/2017 | | Active | Not Required | On Schedule | Execution | Triple-S | 0% | TST Compliance | | | -42826 |
| 14 | O365 OnBoarding II - Triple-S - EMS | Corporate | Compliance | 6/26/2017 | | Active | Not Required | On Schedule | Execution/Support | Triple-S | 0% | Corporate | | | -42912 |
| 15 | Access certifications monitoring, follow-up and direct assistance to past-due transactions. | Corporate | Compliance | 6/12/2017 | | Done | Not Required | On Schedule | Execution | Triple-S | 0% | Corporate | | | -42898 |

| Less than 60 days | 4 |

| Row Labels | Count of Responsible |
| 0 Luis Garcia | 17 |
| Grand Total | 17 |



 

 

 



SCHEDULE Q

 

SUPPLIER AFFILIATES

 

1. Introduction

 

With reference to Section 6.6 (Subcontracting) of the General Terms and
Conditions, this Schedule Q (Supplier Affiliates) identifies the Supplier
Affiliates who, as of the Effective Date, are Approved Subcontractors for the
purposes of the Agreement, and with respect to the SOW and Functions that each
such Supplier Affiliate is authorized to perform as set forth below.

 

2. Supplier Affiliates

 

| Ref # | Supplier Affiliate | Corporate Address | SOW(s) & Business Process(es) | Approved Functions |
| 1 | United Healthcare Parekh Insurance TPA Private LTD | Millennium Plaza, Unit No 504, 5th floor, Tower “B”, Sector-27, Sushant Lok, Gurgaon, Haryana- 122002 | SOW 1 Claims | Claims |

 

 

 



SCHEDULE R

 

APPROVED SUBCONTRACTORS

 

1. INTRODUCTION

 

With reference to Section 6.6 (Subcontracting) of the General Terms and
Conditions, this Schedule R identifies the Subcontractors as of the Effective
Date who are Approved Subcontractors for the purposes of the Agreement, and the
Functions that each Subcontractor is authorized to perform as set forth below.
The Parties agree that during the sixty (60) days after the Effective Date,
Supplier will identify the Approved Subcontractors that access Triple-S Data and
will determine the facility address from which the Approved Subcontractors will
provide Services for purposes of Section 6.6 of the General Terms and
Conditions.

 

2. APPROVED SUBCONTRACTORS

 







| Approved Subcontractor | Corporate Address / Service Facility Address | Service Tower | Approved Functions | Triple-S Data Access? (Y/N) |
| [***] | [***] | IT Infrastructure | ITSM; Asset Management; Change Management; Incident Management; Workflow Management | Y |
| [***] | [***] | IT Infrastructure | Data Encryption | N |
| [***] | [***] | IT Infrastructure | OS and Application packaging and automation; Patch management; Configuration management | N |

 

 

 

 

 

 

 



SCHEDULE S

 

SUPPLIER SOFTWARE AND SUPPLIER TOOLS

 

 

 

 

 

 

 

 

 

 

 

Explanation of Columns in Software Tab and Tools Tab

| Column | Explanation |
| Service Tower | Identifies the Service Tower(s) for which the Software / Tool will be used |
| Software / Tool Name | Provides the name of each Software product / Tool |
| Description / Purpose | Provides high level description of the Software product / Tool and its purpose |
| Owned by Supplier or Third Party | Identifies whether the Software / Tool is owned by Supplier or a third party (if third party, identify such party) |
| Existing Triple-S Software / Tool | Identifies whether the Software / Tool is currently licensed by Triple-S |
| Type of License | Describes the way in which each Software product / Tool is licensed (Single user, CPU, core etc.) |
| Number of Licenses Supplier Requires | Identifies the number of licenses Supplier requires for each applicable Service Tower |
| Incremental Hardware Needed | Identifies the need for additional hardware that Triple-S will need to purchase in order to host the Software / Tool that Supplier will provide |
| Triple-S Right to Access / Use | Identifies whether Triple-S has the right to access and use the Software / Tool |
| Triple-S Software / Tool Replaced by Supplier Software / Tool (if any) | Identifies any Software / Tool used by Triple-S that will be replaced by Supplier's Software / Tool |



 

 

 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] ITO - SUPPLIER
SOFTWARE AND TOOLS                 [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] BPO CLAIMS - SUPPLIER SOFTWARE AND TOOLS              
  [***] [***] [***] [***] [***] [***] [***]         [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***]   [***] [***] [***] [***] [***]
[***] [***]   [***] [***]   [***] [***] [***] [***] [***] [***] [***]   [***]
[***]   [***] [***] [***] [***] [***] [***] [***]   [***] [***]   [***] [***]
[***] [***] [***] [***] [***]   [***] [***]   [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]      
 

 

 

 



SCHEDULE T 


BACKGROUND CHECKS

 

1. INTRODUCTION

 

This Schedule T (Background Checks) describes Triple-S’s requirements for all
Supplier Personnel (including Subcontractors, independent contractors and
representatives) that will be providing any of the Services to Triple-S. These
requirements are in addition to the screening required under Schedule W
(Flow-Down Requirements).

 

2. SCREENING AND BACKGROUND CHECKS

 

(a) Subject to the terms of this Section 2, Supplier shall, at no additional
expense to Triple-S, complete, or have a third party complete, background checks
for all Supplier Personnel (“Background Checks”).

 

(b) The Background Checks described in this Section 2 shall be completed before,
or performed promptly following, the assignment of such Supplier Personnel to
Triple-S’s account, but in no event more than thirty (30) days after such
assignment. No Supplier Personnel providing Offshore Services will be permitted
to access Personally Identifiable Information or Protected Health Information
until they have successfully passed the Background Checks.

 

(c) For Supplier Personnel based in the United States, Background Checks shall
include a county, state, and federal criminal search (seven (7) years based upon
residence and employment for all crimes). Supplier shall search criminal records
in each county the individual has lived in based on results obtained from a SSN
trace, employment history, and education history verifications. Supplier’s
search parameters shall include all counties of residence (up to a maximum of
ten (10) most recent counties), employment, and school attendance for the
applicable time periods set forth above. Any individual whose Background Check
reveals a job-related felony conviction, including crimes of dishonesty and of a
violent nature, may not be engaged as Supplier Personnel without written
approval from a vice president or higher of human resources at Triple-S. The
Background Checks shall also include a determination as to whether the person
has been listed on the Department of Treasury Office of Foreign Assets Control’s
Specially Designated Nationals and Blocked Persons List as an individual with
whom U.S. persons are prohibited from engaging in transactions. Supplier shall
perform an updated felony Background Check annually on any Supplier Personnel
who is assigned to perform Services under this Agreement.

 

(d) Supplier shall also screen Supplier Personnel based in the United States to
determine whether the person has been excluded from, or is otherwise ineligible
for, participation in any federal health care program or is debarred, suspended,
proposed for debarment, declared ineligible, or voluntarily excluded by any
federal department or agency. Any matches of Supplier Personnel to the FACIS
Level 3 (includes OIG/GSA/Healthcare Fraud) database must be investigated and if
it is determined that any Supplier Personnel is listed in the FACIS Level 3
database, that Supplier Personnel must be removed from work under the Agreement
immediately. Additionally, Supplier shall confirm on a monthly
basis that no Supplier Personnel based in the United States is listed on the
federal contractor exclusion list. Records of such checks on all Supplier
Personnel must be retained for a minimum of ten (10) years. Supplier agrees to
comply with applicable federal suspension and debarment regulations, including,
but not limited to 7 CFR Part 3017, 40 CFR Part 32, or 34 CFR Part 85. Supplier
certifies to the best of its knowledge and belief that it and its principals:

 

(i) Are not presently debarred, suspended, proposed for debarment, declared
ineligible, or voluntarily excluded by any federal department or agency;

 

(ii) Have not within a three (3) year period preceding this Agreement been
convicted of commission of fraud or a criminal offense in connection with
obtaining, attempting to obtain, or performing a public (federal, state or
local) transaction or contract under a public transaction; violation of federal
or state antitrust statutes or commission of embezzlement, theft, forgery,
bribery, falsification or destruction of records, making false statements, or
receiving stolen property;

 

(iii) Are not presently indicted for or otherwise criminally charged by a
governmental entity (federal, state or local) with commission of any of the
offenses enumerated in Section 2(d)(ii) herein;

 

(iv) Shall not knowingly enter into any lower tier covered transaction with a
person who is proposed for debarment under federal regulations (i.e., 48 CFR 9,
subpart 9.4), debarred, suspended, declared ineligible, or voluntarily excluded
from participation in such transaction, unless authorized by the State; and

 

(v) Shall promptly report any change in the above status to Triple-S.

 

(e) For Supplier Personnel based outside of the United States (i.e., Offshore),
to the extent permitted under local law, pre-employment Background Checks shall
include a search of local and/or global databases for criminal records, using
available, government sanctioned, electronic databases, and the local police
station or similar jurisdiction in the country where the individual currently
lives, for the previous seven (7) years, as well as the following checks:

 

(i) Professional certifications verifications (only highest certification
verified if required for the provision of Offshore Services);

 

(ii) Education (if applicable);

 

(iii) Valid ID or passport; and

 

(iv) Address verification.

 

Any individual whose Background Check reveals a job-related felony conviction,
including crimes of dishonesty and of a violent nature, may not be engaged as
Supplier Personnel without written approval from a vice president or higher of
human resources at Triple-S. The Background Checks shall also include a
determination as to whether the
person has been listed on the Department of Treasury Office of Foreign Assets
Control’s Specially Designated Nationals and Blocked Persons List as an
individual with whom U.S. persons are prohibited from engaging in transactions.

 

(f) Supplier shall contact current and previous employers to verify employment
as set forth below. Based on each company’s individual disclosure policy,
Supplier shall confirm employment dates and title.

 

(i) For Supplier Personnel based in the United States, Supplier shall contact
two (2) current and previous employers to verify employment.

 

(ii) For Offshore Supplier Personnel, Supplier shall contact either three (3)
current and previous employers or current and previous employers covering the
past five (5) calendar years.

 

(g) Supplier shall contact the academic institution for verification of the
highest degree or verification of the most significant academic event reported
by the individual. This may include GED, high school diploma, college or
advanced degree verification.

 

(h) For those positions requiring specific licenses (MD, RN, etc.), the
Background Check shall validate that the professional license is active and
valid.

 

(i) Subject to applicable Law, Supplier must be able to prove to Triple-S’s
satisfaction that all Supplier Personnel located in the United States have
completed and passed a third party urine drug screening test prior to the first
day of his or her assignment at Supplier. Supplier is responsible for ensuring
that such Supplier Personnel have signed any necessary consent forms or
authorizations required for the drug screen, and has completed the drug screen
within the required number of days before the employment start date. Drug
testing performed as part of the Background Check shall consist of a Five (5)
Panel Drug Screen which tests for:

 

(i) Amphetamines (including Methamphetamine, “Crystal Meth”);

 

(ii) Cannabinoids (THC, Marijuana);

 

(iii) Cocaine;

 

(iv) Opiates (Codeine, Morphine, Heroin, Oxycodone, Vicodin, etc.); and

 

(v) Phencyclidine (PCP).

 

Supplier Personnel will not be subjected to random urine drug testing, nor will
they have to re-test during the course of employment.

 

(j) Results of Background Checks and drug testing will remain Supplier’s
Confidential Information and will not be provided to Triple-S, but any negative
or questionable Background Check or drug test of personnel will require Supplier
to remove or not assign such personnel to provide Services under this Agreement,
provided this action is not in
contradiction of the Americans with Disabilities Act of 1990. Supplier
represents and warrants that it complies with applicable laws regarding drug use
in the workplace.

 

(k) In the event that the background investigation of professional
certifications results in a finding that disqualifies the Supplier Personnel
from performing Services under this Agreement, Supplier shall remove the
Supplier Personnel from providing services to Triple-S.

 

(l) Supplier shall provide documentation and cooperation as requested by
Triple-S to respond to state or federal agency inquiries regarding the
authorization of Supplier Personnel to work in the United States, as applicable.
Supplier further agrees to provide certification of compliance with this
Schedule T to Triple-S upon written request.

 

(m) Supplier represents and warrants that all Background Checks as specified in
this Schedule T shall be conducted in accordance with and comply with applicable
Law, including, without limitation, the Fair Credit Reporting Act, the Patient
Protection and Affordability Care Act, and the Notice to Users of Consumer
Reports as revised by the Consumer Financial Protection Bureau.

 

 



Schedule U

FINAL EXECUTED VERSION

Offshore Subcontractor Attestation

 





  

Background:

Business Associates (BA) using offshore employees or subcontractors (first tier,
downstream and related entities) that will require access to beneficiary
protected health information (PHI) are required to provide TSS with specific
offshore subcontractor information. Business Associates (BA) must complete this
attestation regarding protection of beneficiary protected health information
(PHI). Offshore contractors are organizations operating in any country that is
not one of the 50 United States or one of the United States Territories
(American Samoa, Guam, Northern Marianas, Puerto Rico, and the Virgin Islands)
that have contracted either directly with a Part D organization or with one of
its downstream subcontractors.

 

Business Associates using offshore subcontractors, or Business Associates that
have offshore operations to perform services delegated by the covered entity,
must submit one attestation for each offshore subcontractor or location that the
organization has engaged to perform the contracted services that involve
receiving, processing, transferring, handling, storing, or accessing protected
health information (PHI).

 

Part I. Contractor Information

 

*Covered Entity’s Contractor Name:



 

 

*Contractor Contact Person: 

 

 

*Contractor Contact Person contact information (Email and phone number) 

  

 

   



 

*Describe Contractor Services:



     

  

 





 

*Please confirm if you have contracted offshore vendor/s to perform services to
the Covered Entity.



 

 

Note:

 

If the response to the previous question is affirmative, please complete the
attestation (Part 2 to Part 6) and provide all the required documentation in
order to demonstrate the effectiveness of the controls implemented regarding
protection of beneficiary PHI

 

 

 




 

If your organization neither has offshore employees nor has entered into a
contractual relationship with any offshore vendor to perform services to the
Covered Entity, please certify the following statement with your signature and
submit the signed copy to the following email address: lpadilla@sssadvantage.com

 

Attestation

 

I (contractor contact person name), certify that (contractor name) does not have
offshore employees and has not contracted any offshore vendor to perform services to
the Covered Entity. (Contract vendor) under no circumstance allows offshore
employees or vendors to access, receive, process, transfer, handle or store
beneficiaries' PHI.

 

    (Contractor Contact Person Name)    Date   (Contractor Name)      

 

Part 2. Offshore Subcontractor Information

 

*Offshore Subcontractor Name:



 

 

*Offshore Subcontractor Country:



 

 

*Offshore Subcontractor Address:

  

 

   

 

*Describe Offshore Subcontractor Functions:

  

 

   



 

*State Proposed or Actual Effective Date for Offshore Subcontractor:



 

 

Part 3. Precautions for Protected Health Information (PHI)

 

*Describe the PHI that will be provided to the Offshore Subcontractor:



 

 






 

*Discuss why providing PHI is necessary to accomplish the Offshore Subcontractor
objectives: 

 

 

*Part 4. Contractor Attestation

 

Instructions:

 

Please respond “Yes” or “No” to the following questions.

 

Attestation of Safeguards to Protect Beneficiary Information in the Offshore
Subcontract

 

Item / Attestation / Response

I.1. Offshore subcontracting arrangement has policies and procedures in place to
ensure that Medicare beneficiary protected health information (PHI) and other
personal information remains secure.
Response: ☐ Yes   ☒ No

I.2. Offshore subcontracting arrangement prohibits subcontractor’s access to
Medicare data not associated with the sponsor’s contract with the offshore
subcontractor.
Response: ☐ Yes   ☒ No

I.3. Offshore subcontracting arrangement has policies and procedures in place
that allow for immediate termination of the subcontract upon discovery of a
significant security breach.
Response: ☐ Yes   ☒ No

I.4. Offshore subcontracting arrangement includes all required Medicare Part
C and D language (e.g., record retention requirements, compliance with all
Medicare Part C and D requirements, etc.)
Response: ☐ Yes   ☒ No





 

Attestation of Audit Requirements to Ensure Protection of PHI 

 



Item / Attestation / Response

II.1. Do you conduct annual audit of the offshore activity and subcontractor.
Response: ☐ Yes   ☐ No

II.2. Audit results will be used to evaluate the continuation of its
relationship with the offshore subcontractor.
Response: ☐ Yes   ☐ No



 

 

Part 5. Supporting Documents

 

 


 



 

Please submit the following documentation as supporting documentation for the
responses provided on Part III and Part IV of the attestation.

 

Item / Deliverable

I.1. Copy of all policies and procedures that describe the implemented controls
to ensure that individuals’ protected health information (PHI) and other
personal information remains secure.

I.2. Please provide copy of the contract clause that prohibits subcontractor’s
access to individual protected health information not associated with the
sponsor’s contract with the offshore subcontractor.

I.3. Copy of the policies and procedures in place that allow for immediate
termination of the subcontract upon discovery of a significant security breach.

I.4. Copy of all the policy and procedures that include the process developed by
the organization to comply with the HIPAA Privacy and Security Rule.

I.5. Copy of the BAA template.

II.1. Most recent third party audit report.

II.2. List of incidents that occurred during the past 12 months.

 

Part 6. Attestation

 

By signature, I certify that the information provided here is true and correct
and I understand that the Covered Entity or any other regulatory agency may
request additional information to substantiate the statements made in this
attestation.

  

 



    (Contractor Contact Person Name)    Date   (Contractor Name)      



 




 



Schedule U-1

 




 



Offshore Subcontractor Attestation









 



Background:

 

Business Associates (BA) using offshore employees or subcontractors (first tier,
downstream and related entities) that will require access to beneficiary
protected health information (PHI) are required to provide TSS with specific
offshore subcontractor information. Business Associates (BA) must complete this
attestation regarding protection of beneficiary protected health information
(PHI). Offshore contractors are organizations operating in any country that is
not one of the 50 United States or one of the United States Territories
(American Samoa, Guam, Northern Marianas, Puerto Rico, and the Virgin Islands)
that have contracted either directly with a Part D organization or with one of
its downstream subcontractors.

Business Associate using offshore subcontractors or Business Associates that
have offshore operation to perform services delegated by the covered entity,
must submit one attestation for each offshore subcontractor or location that the
organization has engaged to perform the contracted services that involves
receiving, processing, transferring, handling, storing, or accessing protected
health information (PHI).

 

Part I. Contractor Information

 



* Covered Entity’s Contractor Name: OptumInsight, Inc.

 



* Contractor Contact Person: John M. Reynolds

 



* Contractor Contact Person contact information (Email and home number)

john.reynolds@optum.com 

T: 952-205-7836 

  



* Describe Contractor Services: ITO and BPO Outsourcing

 



* Please confirm if you have contracted offshore vendor/s to perform services to
the Covered Entity. None

 



Note:

 

If the response to the previous question is affirmative, please complete the
attestation (Part 2 to Part 6) and provide all the required documentation in
order to demonstrate the effectiveness of the controls implemented regarding
protection of beneficiary PHI.

If your organization does not have offshore employees and has not entered into a
contractual relationship with any offshore vendor to perform services to the
Covered Entity, please certify the following statement with your signature and
submit the signed copy to the following email address: lpadilla@sssadvantage.com

 


 



Attestation

 

I John Reynolds, certify that OptumInsight, Inc. does not have offshore
employees neither contracted any offshore vendor to perform services to the
Covered Entity. (Contract vendor) under no circumstance is allowing offshore
employees or vendor to access, receive, process, transfer handle or storing
beneficiaries

 



/s/ John M. Reynolds          8/18/17
Name: John M. Reynolds        Date
Title: Contractor Contact Person





 



Part 2. Offshore Subcontractor Information

 





*Offshore Subcontractor Name:  



 



*Offshore Subcontractor Country:  



 



*Offshore Subcontractor Address:

  

 

 



 



*State Proposed or Actual Effective Date for Offshore Subcontractor:  





 



Part 3. Precautions for Protected Health Information (PHI)

 

* Describe the PHI that will be provided to the Offshore Subcontractor:    
*Discuss why providing PHI is necessary to accomplish the Offshore Subcontractor
objectives:

 

 

  



 

 




 



*Part 4. Contractor Attestation

 

Instructions:

 

Please respond “Yes” or “No” to the following questions.

 

Attestation of Safeguards to Protect Beneficiary Information in the Offshore
Subcontract

 



Item / Attestation / Response

I.1 Offshore subcontracting arrangement has policies and procedures in place to
ensure that Medicare beneficiary protected health information (PHI) and other
personal information remains secure.
Response: ☐ Yes   ☑ No

I.2 Offshore subcontracting arrangement prohibits subcontractor’s access to
Medicare data not associated with the sponsor’s contract with the offshore
subcontractor.
Response: ☐ Yes   ☑ No

I.3 Offshore subcontracting arrangement has policies and procedures in place
that allow for immediate termination of the subcontract upon delivery of a
significant security breach.
Response: ☐ Yes   ☑ No

I.4 Offshore subcontracting arrangement includes all required Medicare Part C
and D language (e.g., record retention requirements, compliance with all
Medicare Part C and D requirements, etc.)
Response: ☐ Yes   ☑ No



 

Attestation of Audit Requirements to Ensure Protection of PHI

 



Item / Attestation / Response

II.1 Do you conduct annual audit of the offshore activity and subcontractor.
Response: ☐ Yes   ☐ No

II.2 Audit results will be used to evaluate the continuation of its relationship
with the offshore subcontractor.
Response: ☐ Yes   ☐ No



 

Part 5. Supporting Documents

 

Please submit the following documentation as supporting documentation for the
responses provided on Part III and Part IV of the attestation.

 

Item / Attestation

I.1 Copy of all policies and procedures that describe the implemented controls
to ensure that individuals’ protected health information (PHI) and other
personal information remains secure.

I.2 Please provide copy of the contract clause that prohibits subcontractor’s
access to individual protected health information not associated with the
sponsor’s contract with the offshore subcontractor.

I.3 Copy of the policies and procedures in place that allow for immediate
termination of the subcontract upon discovery of a significant security breach.

I.4 Copy of all the policy and procedures that include the process developed by
the organization to comply with the HIPAA Privacy and Security Rule.

I.5 Copy of the BAA template.



 

 






 



II.1 Most recent third party audit report.

II.2 List of incidents that occurred during the past 12 months.

 

Part 6. Attestation

 

By signature, I certify that the information provided here is true and correct
and I understand that the Covered Entity or any other regulatory agency may
request additional information to substantiate the statements made in this
attestation.

 

/s/ John M. Reynolds          8/18/17
Name: John M. Reynolds        Date
Title: Contractor Contact Person



 



 




 

 

 

 

 

 

 



Schedule W

 




 

 

 

 

 

 

 

 



SCHEDULE W

 

REGULATORY AND CUSTOMER FLOW-DOWN TERMS

 

 

 

 

 

 

 

 

 

 

 

 

 

 




 



 



SCHEDULE W

 

MEDICARE ADVANTAGE AND PART D ADMINISTRATIVE SERVICES

 

1. Background and Relationship to Agreement

 

1.1 The Parties acknowledge that the Centers for Medicare & Medicaid Services
(“CMS”) requires that specific terms and conditions be incorporated into the
Agreement between a Medicare Advantage Organization and/or Part D Plan Sponsor,
such as Triple-S, and a First Tier Entity, Downstream Entity, or Related Entity,
such as Supplier.

 

1.2 Provisions of the Agreement that are not inconsistent with this Schedule W
continue in full force and effect with respect to the services provided pursuant
to the Agreement. With respect to the Medicare Advantage line of business, this
Exhibit shall supersede and replace any inconsistent provisions of the Agreement
(or any related agreement) and shall continue concurrently with the term of the
Agreement.

 

1.3 All capitalized terms used but not defined in this Exhibit will have the
meaning set forth in the Agreement.

 

2. Definitions

 

(a) Centers for Medicare and Medicaid Services: The agency within the Department
of Health and Human Services (“HHS”) that administers the Medicare program.

 

(b) Completion of Audit: Completion of audit by HHS, the Government
Accountability Office, or their designees of a Medicare Advantage Organization,
Medicare Advantage Organization contractor, or related entity related to the
services provided under the Agreement.

 

(c) Downstream Entity: Any party that enters into a written arrangement,
acceptable to CMS, with persons or entities involved with the MA benefit, below
the level of the arrangement between an MA Organization and a first tier entity.
These written arrangements continue down to the level of the ultimate provider
of both health and administrative services.

 

(d) Final Contract Period: The final term of the contract between CMS and the
Medicare Advantage Organization.

 

(e) First Tier Entity: Any party that enters into a written arrangement,
acceptable to CMS, with an MA Organization or applicant to provide
administrative services or health care services for a Medicare eligible
individual under the MA program.

 

(f) Medicare Advantage (“MA”): An alternative to the Traditional Medicare
program in which private plans run by health insurance companies provide health
care benefits that eligible beneficiaries would otherwise receive directly from
the Medicare program.

 


 

(g) Medicare Advantage Organization (“MA Organization”): A public or private
entity organized and licensed by a State as a risk-bearing entity (with the
exception of provider-sponsored organizations receiving waivers) that is
certified by CMS as meeting the MA contract requirements.

 

(h) Member: A Medicare Advantage eligible individual who has enrolled in or
elected coverage through an MA Organization.

 

(i) Medical Loss Ratio (“MLR”): The medical loss ratio for an MA or Part D plan
as described in 42 C.F.R. Part 422, Subpart X and 42 C.F.R. Part 423, Subpart X.

 

(j) MLR Reporting Date: The date for each contract year on which the MA
Organization or Part D Plan Sponsor reports to CMS its MLR and the data needed
to calculate and verify the MLR.

 

(k) Part D: The Medicare prescription drug benefit administered by private Part
D Plan Sponsors under contract with CMS.

 

(l) Part D Plan Sponsor: A public or private entity that holds a contract with
CMS to provide Part D benefits.

 

(m) Related Entity: Any entity that is related to the MA Organization by common
ownership or control and (1) performs some of the MA Organization's management
functions under contract or delegation; (2) furnishes services to Medicare
enrollees under an oral or written agreement; or (3) leases real property or
sells materials to the MA Organization at a cost of more than $2,500 during a
contract period.

 

(n) Traditional Medicare: Means health insurance available under Medicare Part A
and Part B through the traditional fee-for-service payment system.

 

3. Requirements

 

Supplier agrees to the following:

 

3.1 Records. HHS, the Comptroller General, or their designees (either directly
or through Triple-S) have the right to collect, audit, evaluate, and inspect any
pertinent information for any particular contract period, including, but not
limited to, any operational, financial and administrative records,
documentation, books, contracts, computer or other electronic systems (including
medical records and documentation of the First Tier Entities, Downstream
Entities and Related Entities) directly or indirectly related to the Services
provided to Triple-S Medicare Advantage line of business (“Records”) through 10
years from the expiration or termination of the Agreement, or from the date of
any Completion of Audit, whichever is later.

 

(a) Supplier will retain all Records for 10 years from the termination or
expiration of the Agreement or from the date of any Completion of Audit,
whichever is later.

 


 

(b) Such records must be adequate for Triple-S to determine if the Contractor has
performed its obligations under the Agreement.

(c) Such Records must be adequate and accurate to enable Triple-S to calculate
and report its MLR and for the MLR to be validated by CMS. Supplier shall
provide all underlying data associated with MLR reporting of business to
Triple-S upon request, to allow Triple-S to meet its MLR reporting requirements
and CMS to validate the MLR. Triple-S agrees to provide Supplier with reasonable
notice so that Supplier has sufficient time to respond to any such requests.

 

(d) Supplier must promptly notify Triple-S by telephone and inform it in writing
of any request from any government entity for Records and/or access to
personnel, physical premises, facilities, or equipment related to services
provided under the Agreement, unless otherwise instructed by HHS, the
Comptroller General, or their designees. If permitted by law, Supplier agrees
to, upon Triple-S’s request, submit to Triple-S any such Records requested by
the government entity. Supplier agrees to notify Triple-S of the date and time
of any onsite inspection of the Supplier’s premises related to services provided
to Triple-S under the Agreement, unless prohibited by government authorities.

 

3.2 Member Confidentiality. Supplier will comply with all applicable
confidentiality and Member record accuracy requirements, including: (1) abiding
by all Federal and State laws regarding confidentiality and disclosure of
medical records, or other health and enrollment information, (2) ensuring that
medical information is released only in accordance with applicable Federal or
State law, or pursuant to court orders or subpoenas, (3) maintaining the records
and information in an accurate and timely manner, and (4) ensuring timely access
by Members to the records and information that pertain to them.

 

3.3 Hold Harmless. Members will not be held liable for payment of any fees that
are the legal obligation of Triple-S. Supplier will not request or accept
compensation from a Member for any amounts that are the obligation of Triple-S,
including but not limited to the following circumstances: insolvency of
Triple-S, nonpayment by Triple-S, or breach of agreement by Triple-S.

 

3.4 Compliance with CMS Contract. Any services or other activity performed in
accordance with the Agreement by Supplier will be consistent and comply with
Triple-S’s contractual obligations to CMS, as communicated to Supplier by
Triple-S.

 

3.5 Compliance with Law. Supplier will comply with all applicable federal,
state, and territorial laws, including but not limited to Medicare laws,
regulations, and CMS instructions (“Applicable Laws”).

 

3.6 Delegation, Revocation, and Monitoring. Triple-S is delegating certain of
Triple-S’s activities or responsibilities under its contract with CMS, as
described further below:

 

(a) The delegated activities and reporting responsibilities of Supplier are
specified in the Agreement.

 




 

(b) CMS and Triple-S (including Triple-S acting at its own discretion in the
absence of CMS involvement) reserve the right to immediately revoke, in whole or
in part, the delegation of the Medicare services to be provided under the
Agreement and associated reporting requirements or to specify other remedies, in
instances where CMS or Triple-S determine that such parties have not performed
satisfactorily.

 

(c) Triple-S is ultimately responsible for performance under its contract with
CMS and will monitor the performance of Supplier under the Agreement on an
ongoing basis. Supplier agrees to cooperate fully with Triple-S’s monitoring
program.

 

3.7 No Exclusion or Debarment. Supplier represents and warrants that it and its
employees, contractors, governing body members, and any Downstream Entities are
not excluded or debarred by the HHS Office of Inspector General or by the
General Services Administration from participation in any federal health care
program, and that they are not, to the best of Supplier’s knowledge, under
investigation for any such exclusion or debarment. Supplier agrees not to use
federal funds to pay for work or services provided by a provider, employee or
Downstream Entity excluded by the Department of Health and Human Services’
Excluded Individuals and System for Award Management (formerly Entities List or
the General Services Administration’s Excluded Parties Lists System). Supplier
must review the lists prior to hiring or contracting a new employee or entity
and supplemental/update files must be reviewed on a monthly basis. Supplier will
notify Triple-S immediately if there are any changes in status under this
paragraph. Supplier acknowledges that the Agreement and/or any SOW under the
Agreement for the provision of the delegated services may be terminated
immediately with respect to the delegated services if Supplier is excluded from
participation in any federal health care program.

 

3.8 Subcontracting. Supplier will not contract with any entity to perform the
delegated services to be provided under the Agreement unless (a) such
arrangement is made in accordance with the terms of the Agreement; (b) such
person or entity is obligated, through a written agreement executed between such
entity and Supplier, to substantially comply with the provisions contained in
the Agreement between Triple-S and Supplier; and (c) such written arrangement
specifically permits the Supplier to terminate the delegation if such entity
breaches the delegation agreement between the entity and Supplier.

 

(a) Supplier shall conduct on-going monitoring and review of performance of the
sub-delegated activity;

 

Supplier or Triple-S may revoke the delegation in whole or in part or take such
other remedial action as Triple-S, in its reasonable discretion, deems
appropriate or where CMS, in its sole discretion, or Triple-S, in its reasonable
discretion, determine that the sub-delegated activity is not being performed
satisfactorily.

 

3.9 Credentialing. To the extent that Supplier performs healthcare provider
credentialing services, the credentials of medical professionals credentialed by
or affiliated with Supplier will be either reviewed by Triple-S or the
Supplier’s credentialing process will be reviewed and approved by Triple-S.
Triple-S will audit the credentialing process on
an ongoing basis. In addition, to the extent that Triple-S delegates the
selection of healthcare providers or subcontractors, Triple-S retains the right
to approve, suspend, or terminate any such arrangement.

 

3.10 Data that Determine Payment. To the extent that Supplier generates data
used to determine payment by CMS, including but not limited to calculation of
Triple-S’s MLR or used to identify possible overpayments, such as information on
enrollment of Members, encounter data, claims data, data relating to the
Triple-S’s bids submitted to CMS, or other data specified by Triple-S or CMS,
Supplier will certify that, to the best of Supplier’s knowledge and belief, such
data are complete, truthful, and accurate and will make this certification (a)
to Triple-S, and/or (b) directly to CMS, when required by Triple-S, by
Applicable Law, or CMS.

 

3.11 Federal Funds. Supplier acknowledges and agrees that payment for the
services provided under the Agreement is made, in whole or in part, from federal
funds.

 

3.12 Off-Shore. In performing services under the Agreement, Supplier will not
perform any functions, activities or services (or directly or indirectly
contract with any person or entity that performs any functions, activities or
services), including, without limitation, access to or storage of Member
information, outside of the United States of America or its territories without
the prior written consent of Triple-S.

 

(a) Code of Conduct. Adoption of a code of conduct particular to Supplier that
reflects a commitment to prevent, detect and correct non-compliance and fraud,
waste, and abuse instances in the administration or delivery of the services
under this agreement.

 

(b) Training and Compliance. Supplier agrees to:

 

(i) Ensure that all Supplier personnel, and require any Subcontractors to ensure
that their personnel including but not limited to officers, directors and
employees involved in the performance of the Medicare delegated services
provided under the Agreement (i) complete the compliance and fraud, waste and
abuse training module required by CMS (the “CMS Module”) within 90 days of
hiring and annually thereafter and (ii) receive specialized Medicare Advantage
and Part D compliance training pertaining to their duties as applicable. Any
such required training must be provided initially upon hiring, and annually
thereafter, upon any change in the individual’s job function or job
requirements, as a condition of employment; and upon Supplier or Triple-S
determination that additional training is required because of issues of
non-compliance. Trainings must comply with all Applicable Laws pertaining to
training, including but not limited to the requirements set forth in the CMS
Compliance Program Guidelines (contained in the Medicare Managed Care Manual as
Chapter 21 and in the Prescription Drug Benefit Manual as Chapter 9) (the
“Compliance Program Guidelines”). Supplier must be able to provide proof of
completion for all Supplier Personnel taking the
CMS Module at least annually upon request to Triple-S, and upon request by CMS.

 

(ii) As appropriate to Supplier’s organization and the nature of the services
provided under the Agreement, establish and maintain a compliance and anti-fraud
program to ensure compliance with Applicable Laws and to detect and prevent the
incidence of fraud, waste and abuse relating to the provision of the services.
Such program will meet the requirements of 42 C.F.R. §§ 422.503(b)(4)(vi) and
423.504(b)(4)(vi) regarding effective compliance programs. Supplier will notify
promptly its authorized representative at Triple-S of any instance of
noncompliance with Applicable Law or misconduct related to Triple-S’s Medicare
Advantage program.

 

(iii) Cooperate with Triple-S in any investigation that Triple-S, in its sole
discretion, conducts in connection with Triple-S’s compliance or fraud, waste,
and abuse programs directly or indirectly related to the Agreement.

 

(iv) Supplier will perform the Services in compliance with Triple-S Policies and
Procedures as further described in Section 4.4 of the Agreement. Supplier agrees
upon reasonable request, to enable Triple-S to comply with a request from CMS,
to formally attest to meeting the training and compliance and anti-fraud program
obligations described in this Exhibit.

 

Monitoring and auditing of Supplier responsibilities and activities with respect
to the administration or delivery of services under this agreement. Supplier
hereby represents and warrants to Triple-S that it has an adequate work plan in
place to perform such monitoring and audit activities.

 

3.13 Incidents of Suspected Non-Compliance, Fraud, Waste or Abuse

 

(a) Investigation. Supplier shall promptly investigate any potential and/or
suspected non-compliance with Supplier’s obligations under Section 13.1(a) of
the General Terms and Conditions and report any such non-compliance to Triple-S
as soon as reasonably possible, but in no event later than seven (7) calendar
days after Supplier becomes aware of such non-compliance. Such notice to
Triple-S shall include a statement regarding Supplier efforts to conduct a
timely, reasonable inquiry into the non-compliance, proposed or implemented
corrective actions in response to the non-compliance, and any other information
that may be relevant to Triple-S in making its decision regarding self-reporting
of such non-compliance.

 

(b) Corrective Action. Supplier shall undertake any corrective action requested
or reasonably required by Triple-S in connection with any non-compliance with
Supplier’s obligations under Section 13.1(a) of the General Terms and Conditions,
including, without limitation, development and implementation of a corrective
action plan; provided, however, that any such corrective action requested by
Triple-S shall be in addition to, and shall not be in lieu of, any other
recourse or remedies
available to Triple-S under this Agreement or Applicable Laws. Corrective Action
plans must be provided in accordance with Triple-S’s format and requirements.
Triple-S shall conduct monitoring and validation activities to ensure
deficiencies were corrected and are not likely to recur.

 

3.14 Conflicts of Interest. Supplier represents and warrants that it requires
any manager, officer, director or employee associated with the administration or
delivery of Services to sign a conflict of interest statement, attestation or
certification at the time of hire and annually thereafter certifying that such
individual is free from any conflict of interest in administering or delivering
Services pursuant to this Agreement. Supplier shall supply the form of such
statement, attestation or certification to Triple-S upon request.

 

3.15 OffShore Operations.

 

(a) As of the Effective Date, Triple-S has approved Supplier’s use of offshore
operations in connection with SOW #1 (Claims Services) and SOW #2 (IT Services),
subject to the terms of this Agreement.

 

3.16 Amendments. The Parties shall amend this Exhibit to the extent required to
conform this Exhibit to any changes to applicable laws, regulations, or CMS
requirements or instructions.

 




 

 



MASTER SERVICES AGREEMENT

SCHEDULE X

SOURCE OF TRUTH



 

 

 



This Schedule X (Source of Truth) consists of the following components:

- Applications List
- Server List
- B2B Files
- TSS Retained Contracts

 

 

 

 


 

APPLICATIONS LIST

 







                  Triple-S Category Current Solution (SSS) Future Solution
Action Plan for Current Solution Application Element Category Element In-Scope
Application Description Supplier or Third Party App SLA Criticality Designation
Current Location Planned Future Location Risk Management Abacus Law N/A Retain
Application Non-Healthcare Business Applications PC & Life Portfolio An
all-in-one, easy to use solution designed specifically for law firms.

"AbacusLaw offers fully integrated Case Management, Time, Billing and
Accounting Solutions for small, medium
and large sized firms in all practice areas and jurisdictions. "

http://www.abacuslaw.com/sites/default/files/AbacusLaw%20Brochure_1.pdf Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Membership Accounting & Configuration ACOM3 Evolve Targeted for
Decommission Application Healthcare Applications (3rd Party) Health Plan
Portfolio Application used to generate commissions payments.

"ACom3™ is an incentive compensation automation “workhorse” built to deliver
extreme automation in integration, plan configuration, producer management,
payout calculation and communication. ACom3 is built for business users, with
product development focused on continual expansion of core product functionality
to ensure ACom3 delivers end to end automation. The result of this focus is a
highly user configurable system supporting rapid deployment, ease of use and
reduced operational complexity." Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] Administration Administration Service Request N/A
Retain Application Non-Healthcare Business Applications TSM Portfolio The
Administration Department receives jobs or requests from TSP & TSIA employees, so
they can assign the jobs to the administration personnel. The jobs or requests
received by this application are generated from the Service Request Application.
Third Party - Commercially Available Not Designated Triple-S DataCenter [***]
Operating Systems AIX 6100-06-12-1339   To be Decommissioned Infrastructure
Software Infrastructure SW N/A Unix Operating System Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Operating Systems AIX6.1 Tech
Level 3   To be Decommissioned Infrastructure Software Infrastructure SW N/A
Unix Operating System Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Channel & Interaction Management Alchemy OnBase
Targeted for Decommission Application Healthcare Applications (3rd Party) Health
Plan Portfolio Document Image Repository

"Alchemy is a document imaging and document management system for small to
medium businesses and departments.
Alchemy lets you find the one document in millions containing keywords (e.g.,
"contract" and "Paul Bunyan"). Alchemy can then pull up invoices, receipts and
other documents related to that contract. A new Alchemy system can be up and
running in minutes, and non-technical end users can make sense out of a fresh
system without any customizations."

http://faxsolutions.opentext.com/alchemy-document-management.aspx Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Infrastructure Hosting Altova - XML Format File Tool Altova -
XML Format File Tool   Application Infrastructure SW   Developer Tool Third
Party - Commercially Available Not Designated Triple-S DataCenter [***]
Reporting & Compliance AM Best N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Application used to generate our annual statements
and other statutory reports. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] Member Management AR Inquiry TBD Retain Application
Non-Healthcare Business Applications PC & Life Portfolio Batch process that
extracts premium invoice data related to Life Insurance for employers that offer
Life insurance to their employees.  The file is sent to Life Insurance
Subsidiary. Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] Operating Systems AS400   To be Decommissioned Infrastructure
Software Infrastructure SW N/A Operating System Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Asset Management Ascan N/A
Retain Infrastructure Software Infrastructure SW N/A This application is used in
portable Ipaq Pocket PC’s to generate a physical inventory of the company’s
assets by scanning the items barcodes into the Ipaq and later generating a .txt
file with the information. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Sales & Marketing Aspect Optum CRM (Customer
Relationship Management) Salesforce Targeted for Decommission Application
Healthcare Applications (3rd Party) Health Plan Portfolio Contact Server
Solution for Sales Department.

https://www.aspect.com/ Third Party - Commercially Available 3 Triple-S
DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] Channel & Interaction Management Avaya CMS (Call Monitoring Service)
Optum VCC (Virtual Contact Center) Targeted for Decommission Infrastructure
Software Infrastructure SW N/A Call Monitoring Service.

"Avaya Call Management System (CMS) is an integrated analysis and reporting
solution that keeps you in touch with virtually everything that’s going on in
your contact center from evaluating the performance of a single agent or group
of agents to managing a contact center with multiple locations worldwide."

https://www.avaya.com/en/documents/avaya-call-management-system-cc7349.pdf Third Party - Commercially Available 1 Triple-S
DataCenter [***] Channel & Interaction Management Avaya PBX (Private Branch
Exchange) Extensions Optum VCC (Virtual Contact Center) Targeted for
Decommission Infrastructure Software Infrastructure SW N/A Avaya Software to
handle and configure Extensions.

http://www.avaya.com/en/ Third Party - Commercially Available 1 Triple-S
DataCenter [***] Asset Management BackTrack N/A Retain Infrastructure Software
Infrastructure SW N/A Asset and Inventory Tracking Software used to keep track
of our policy and claims physical files.

"This unique 32-bit tracking package combines a series of databases, an advanced
label designer and a flexible report designer into the ultimate tracking
applications development tool. If you need to find out where it is, what it was
used for, or who used it, BackTrack is the answer."

http://www.indatasys.com/html/product109.html Third Party - Commercially
Available Not Designated Triple-S DataCenter [***]

 

 

 




 

Product Management Barcode Ruler N/A Retain Application Non-Healthcare Business
Applications Health Plan Portfolio Application used to create bar codes for the
policy and claims physical files. Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Channel & Interaction Management Beacon VAM
(Virtual Appeals Manager) N/A Retain Application Healthcare Applications (3rd
Party) Health Plan Portfolio A Single Source of Truth for Effective, Efficient
and Compliant Appeals & Grievances Operations

"Virtual Appeals Manager provides real-time dashboard monitoring of key metrics
and alerts. It also:
•Supports monitoring, management, reporting, and granularly tracking of unique
appeals, grievances and CTM case files
•Designed for regulated health plans
•Supports Medicare, Medicaid and other regulated lines of business
•Highly configurable
•Eliminates manual processes
•Enables plans to more effectively maintain compliant A&G operations
•Supports highly complex yet simple to manage business rules
•Intuitive user interface
•Enables users to create and maintain rule sets
•Flexible workflow rules engine with multiple configuration options ensure that
essentially any business rule can be supported with native functionality:
          •Trigger Points
          •Outcomes
          •Due Date Logic
          •Case Flags"

https://www.beaconhcs.com/appeals---grievances.html Third Party - Commercially
Available 3 Triple-S DataCenter [***] Patch Management BigFix/WSUS/ManageEngine
WSUS/Chef/ServiceNow   Infrastructure Software Infrastructure SW N/A Patch
Management (ITSM) Third Party - Commercially Available 1 Triple-S DataCenter
[***] Sales & Marketing Blue Market - CAP Enroll N/A Retain Application
Healthcare Applications (3rd Party) Health Plan Portfolio Optum Product used of
employer groups on commercials, used for fully insured group.  Member
eligibility functionality. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Sales & Marketing Blue Market - CAP Shop N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Optum
Product used of employer groups on commercials, used for fully insured
group.  Member eligibility functionality. Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] [***] [***]   [***] [***] [***] [***]  
[***] [***] [***] [***] Operations Scheduling BMC - Control-M ControlM to start,
future TBD   Infrastructure Software Infrastructure SW N/A Workflow, Batch
Processing tool Third Party - Commercially Available 1 Triple-S DataCenter [***]
Member Management? Build-A-Badge N/A Retain Application Infrastructure SW  
Software for ID Badge Creation Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Provider Network Management CACTUS TBD
Targeted for Decommission Application Healthcare Applications (3rd Party) Health
Plan Portfolio Application used to enter all the information related to
suppliers, IPAS and provider group. These tables serve as input to update
Mainframe. Solution supporting provider credentialing.

"Cactus Software specializes in the development and support of credentialing and
provider management software for hospitals, managed care organizations, CVOs
(Credentials Verification Organization), and physician groups."

http://www.symplr.com/products/category-provider-management?__hstc=31318752.e2e1a298070f138464d7d3d61bcce76d.1487957375420.1487957375420.1487957375420.1&__hssc=31318752.2.1487957375420&__hsfp=4050951241

(https://cactussoftware.com/) Third Party - Commercially Available 4 Triple-S
DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
Sales & Marketing Cartas Circulares N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio This application is used to send
mass mailings of any of the company’s  circulars through the Microsoft Outlook
application. Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Care Management CCMS (VITAL) - AXIS N/A Targeted for
Decommission Application Healthcare Applications (3rd Party) Health Plan
Portfolio Clinical information of insured.  Supports disease management programs
and  hospital review.

"McKesson’s Care Management platform, CCMS® (Coordinated Care Management
System®), is a browser-based, flexible, scalable workflow tool that helps
payers decide where to focus resources, better coordinate care through
automation and effective communication, integrate data at key points in the
workflow, and base interventions on evidence-based standards of care."

http://www.mckesson.com/uploadedFiles/McKessoncom/Content/About_Us/Newsroom/Press_Releases/2012/CCMS%20Workflow.pdf Third Party - Commercially Available 1 Triple-S DataCenter [***]
Financial & Corporate Systems CDM (1998) N/A Retain Application Non-Healthcare
Business Applications TSM Portfolio Collection & Deposit Manager, Cash Receipt,
Policy System Transfer, Ledger Account Transfer. Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Information Management CDM
Warehouse (2008) N/A Retain Application Non-Healthcare Business Applications TSM
Portfolio Data Warehouse (Policies, Benefits, Insureds, Claims, Loans, Notes)
Third Party - Commercially Available Not Designated Triple-S DataCenter [***]
Financial & Corporate Systems CEDAR N/A Retain Application Non-Healthcare
Business Applications TSM Portfolio Financial Statements.
Close,Reserves,Investments,Premiums-AR-CR. Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] Care Management Census Application N/A
Retain Application Healthcare Applications (3rd Party) Health Plan Portfolio
Hospital Member Tracking Documentation Software Third Party - Commercially
Available Not Designated Triple-S DataCenter [***]

 

 

 




 

TBD Certificate N/A Retain Application Non-Healthcare Business Applications PC &
Life Portfolio This application creates PDF certificates in the areas of
Liability, Property and Evidence. Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] Channel & Interaction Management Cisco Agent N/A Retain
Infrastructure Software Infrastructure SW N/A Allows agents from the service
center to receive calls through a  queue.

"Cisco Agent Desktop is a computer telephony integration (CTI) solution for
single- and multisite IP-based contact centers. It is easy to deploy, configure,
and manage. Powerful tools help increase agent and supervisor productivity,
improve customer satisfaction, and reduce costs. An intuitive GUI decreases IT
dependency and simplifies customization, maintenance, and change management.
Transparent integration with Cisco Unified Contact Center helps you easily
deploy CTI capabilities at new locations as customer contact operations expand."

http://www.cisco.com/c/en/us/products/customer-collaboration/agent-desktop/index.html Third Party - Commercially Available 3 Triple-S
DataCenter [***] Channel & Interaction Management Cisco Attendant Console N/A
Retain Infrastructure Software Infrastructure SW N/A Allows operator to receive
and transfer calls from clients that come in from the administrative pilot.

"Connect customers, employees, and business partners with the right person, the
first time. Cisco® Unified Attendant Console Standard gives corporate operators
and receptionists the tools they need to handle incoming calls efficiently and
professionally. This desktop application communicates directly with Cisco
Unified Communications Manager to control the operator’s phone. It makes it fast
and easy to answer calls and transfer them to people across your organization."

(http://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-attendant-console/datasheet-c78-731866.html) Third Party - Commercially Available 3 Triple-S
DataCenter [***] Channel & Interaction Management Cisco Jabber N/A Retain
Infrastructure Software Infrastructure SW N/A Tool that allows communication
among internal employees and shows each employee status.

"Cisco Jabber lets you access presence, instant messaging (IM), voice, video,
voice messaging, desktop sharing, and conferencing.

Cisco Jabber helps you communicate and work with colleagues, partners, and
customers more quickly and securely through best-in-class Cisco Unified
Communications. Built on open standards for interoperability and integrated with
commonly used desktop business applications, Cisco Jabber for Windows can help
you:
•Reduce communication delays by providing presence information so you can see
when your colleagues are available
•Accelerate team performance by instantly expanding one-on-one conversations to
group chats or multiparty audio, video, and web conferences
•Collaborate directly from Microsoft Outlook by viewing a contact's availability
and simply clicking to IM or call
•Limit the costs of business travel and phone calls by communicating with IM;
audio, video, and web conferencing; or IP telephony
•Choose the best provisioning model for your business; Cisco Jabber can be
deployed on-premises or on demand as a cloud-based service"

http://www.cisco.com/c/en/us/products/unified-communications/jabber/index.html Third Party - Commercially Available 3
Triple-S DataCenter [***] Financial & Corporate Systems Citibank CD Viewer N/A
Retain Application Non-Healthcare Business Applications TSM Portfolio
Application sent by Citibank, along with payment data for viewing checks. Third
Party - Commercially Available Not Designated Triple-S DataCenter [***] Virtual
Desktop Citrix - Xen Desktop Citrix - Xen Desktop   Infrastructure Software
Infrastructure SW N/A Virtual Desktop Third Party - Commercially Available 1
Triple-S DataCenter [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] Channel & Interaction Management Claims Status N/A Retain Application
Healthcare Applications (In-House) Health Plan Portfolio Real time process that
allows providers to check the status of a claim. Web service for the provider
portal. Inhouse Application -- Custom Baseline Required - Category 1
Applications Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]

 

 

 




 

Channel & Interaction Management CMAS TBD Targeted for Decommission Application
Healthcare Applications (3rd Party) Health Plan Portfolio Front end software for
Customer Service Third Party - Commercially Available 1 Triple-S DataCenter
[***] Claims Management CodeitRight N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio Tool used by claims coding. E.g.
ICD10, (will be there 1/2018). Solution supporting the correct coding of ICD-10
codes.  This is an online tool used for coding.

"CodeIt.Right provides a fast, automated way to ensure that your source code
adheres to (your) predefined design and style guidelines as well as best coding
practices. We take static code quality analysis to the next level by enabling
rule violations to be automatically refactored into conforming code.
CodeIt.Right helps to improve your software quality, ensure code correctness,
find issues early and resolve them quickly."

http://submain.com/products/codeit.right.aspx Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Sales & Marketing Codysoft
N/A Retain Application Triple-S SaaS Health Plan Portfolio Product development
for MA (Marketing collateral in line with submission to CMS). Solution supports
compliance language management for Medicaid LOB.  It is used for all types of
correspondence where regulatory language is required, including marketing
materials, annual notice of change, EOB.  This is a cloud application. Third
Party - Commercially Available Baseline Required - Category 4 Applications
Triple-S DataCenter [***] Claims Management Comite de Mayor Cuantia (CMC) N/A
Retain Application Non-Healthcare Business Applications TSM Portfolio This
application holds a live inventory of claims that need to be seen by the Mayor
Quantities Case Commission. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Data Center CommVault     Infrastructure Software
Infrastructure SW N/A  Enterprise Backups Third Party - Commercially Available 1
Triple-S DataCenter [***] Compliance | FWA | Clinical Quality Management
Compliance 360 N/A Retain Application Triple-S SaaS Health Plan Portfolio
Solution supporting compliance tracking for non-provider contracts, audit
functionality, and to remediate and/or implement new regulatory memos (e.g. CMS,
SAI Global).  This is a cloud application.

Houses:
 1. P&P
 2. SOP/DLPs
 3. Audits are managed here
 4. HPMS Memos received from CMS
 5. Analyst assigns tasks based on analysis of the Memos and workflow managed
with others.

https://www.saiglobal.com/en-us/compliance_and_risk/compliance_360/compliance_360/ Third Party - Commercially Available Not
Designated Third Party SaaS Solution [***] Data Center Control_M    
Infrastructure Software Infrastructure SW N/A Batch Scheduler Third Party -
Commercially Available 1 Triple-S DataCenter [***] Membership Accounting &
Configuration Cost Plus Billing N/A Retain Application Healthcare Applications
(3rd Party) Health Plan Portfolio This application is used to bill the ASO
group.  Use members & paid claim. Account Receivable Claims. Solution supporting
the client's billing for Government employees. Third Party - Commercially
Available Not Designated Third Party SaaS Solution [***] TBD CoverAll to SISE
Interface N/A Retain Application Non-Healthcare Business Applications PC & Life
Portfolio This interface transfers to SISE SIA all the transactions issued in
CoverAll MIC and Policy Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] Information Management Data Warehouse OneTSH Targeted for Decommission
Infrastructure Software Infrastructure SW N/A Data repository for analysis
purposes.  Is replaced by OneTSH. Third Party - Commercially Available 1
Triple-S DataCenter [***] Information Management Data Warehouse (AHM) OneTSH
Targeted for Decommission Infrastructure Software Infrastructure SW N/A Claims,
Premiums, Reserves Third Party - Commercially Available 1 Triple-S DataCenter
[***] Infrastructure Hosting Dell - TOAD Data Modeler Dell - TOAD Data Modeler  
Application Infrastructure SW     Third Party - Commercially Available Baseline
Required - Category 3 Applications Triple-S DataCenter [***] Care Management
Dental Max N/A Retain Application Healthcare Applications (3rd Party) Health
Plan Portfolio Legacy Practice management solutions Third Party - Commercially
Available 4 Third Party SaaS Solution [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] Care Management Dragon Medical N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio System
that transcribes radiological reports.

"Dragon Medical solutions accurately translate the doctor’s voice into a rich,
detailed clinical narrative that feeds directly into the EHR."

http://www.nuance.com/for-healthcare/dragon-medical/index.htm Third Party - Commercially Available Not Designated Third
Party SaaS Solution [***] Information Management Dwelling File Transfer N/A
Retain Application Non-Healthcare Business Applications PC & Life Portfolio Used
to do File Transfer of Dwelling Policies from Agencies to Company.  IP
204.6.200.55 (Internet) 10.0.128.56 (remote anex) Third Party - Commercially
Available Not Designated Triple-S DataCenter [***]

 

 

 




 

Application Monitoring Dynatrace Dynatrace   Infrastructure Software
Infrastructure SW N/A Application Monitoring Third Party - Commercially
Available 1 Triple-S DataCenter [***] Applica EDI Images to OnBase EDI Imaging
OnBase Targeted for Decommission Application Triple-S SaaS Health Plan Portfolio
Image viewer for medical claims submitted by Applica

http://www.ediimaging.com Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Gateway / Enterprise Service Bus EDIFECS
(Candidate for Decommission for 834) Optum iEDI (Intelligent Electronic Data
Interchange) Targeted for Decommission Application Healthcare Applications (3rd
Party) Health Plan Portfolio Used to support Operating Rules (HIPAA
transactions).   Used to validate, transform and distribute HIPAA
transaction.  EDI application. (This functionality would be replaced by a
clearinghouse.) Solution supporting EDI for X12 transactions. Third Party -
Commercially Available Baseline Required - Category 1 Applications Triple-S
DataCenter [***] Membership Accounting & Configuration ELA N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Custom
App. State Government employee, multi agency benefit Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Financial & Corporate Systems
eLearning Cornerstone   Retain Infrastructure Software Infrastructure SW N/A  
Third Party - Commercially Available Not Designated Triple-S DataCenter [***]
Membership Accounting & Configuration Electronic Enrollment N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Electronic
Enrollment Onbase. Solution supporting the client's Medicare LOB.  Built with
Onbase by Document Solutions Partners (DSP). Runs on Surface Pro
tablet.  Contains the enrollment process for Commercial LOB.  Built in
salesforce (?) Third Party - Commercially Available 1 Triple-S DataCenter [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
Membership Accounting & Configuration Eligibility N/A Retain Application
Healthcare Applications (3rd Party) Health Plan Portfolio Used to validate the
eligibility of the insured. Internal Webservice used for the member eligibility
inquiries: clearinghouse, provider portal, blues exchange

Claim estimate - provides an estimate should the provider follow through on
health services. Third Party - Commercially Available 1 Triple-S DataCenter
[***] Claims Management Encoder Pro N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio ICD-10 encoding tool used for
claims management

"EncoderPro.com, the coder’s essential CPT®, ICD-10-CM/PCS, ICD-9-CM, and HCPCS
Level II online code look-up software, offers fast, detailed search capabilities
of over 20 volumes of procedure, service/supply, and diagnosis reference
material and lay descriptions in real-time. Complimentary code updates let
practices billing Medicare Part B and private payer’s code confidently
throughout the year with fewer rejected claims due to improper coding. "

https://www.optum360coding.com/Product/20510/ Third Party - Commercially Available Baseline Required - Category
3 Applications Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] Care Management Endo Soft N/A Retain Application
Healthcare Applications (3rd Party) Health Plan Portfolio Radiological EHR
System

"Laboratory/Pathology/Radiology:
In the Laboratory Module, providers can send orders and receive results via an
HL7 compliant interface directly with other LIS and HIS systems.  Results are
listed chronologically and can be viewed in a graph form to visualize
trends.  Abnormal lab results are highlighted for quick recognition."

https://www.endosoft.com/3602-2/#Lab Third Party - Commercially Available 3
Triple-S DataCenter [***] Certificate Authority Entrust SSL Azure/IPSEC/Entrust
SSL (VPN)   Infrastructure Software Infrastructure SW N/A Certificate Authority
Third Party - Commercially Available Not Designated Triple-S DataCenter [***]
Network & Telecomm EnVision - Avaya Licenses EnVision - Avaya Licenses  
Infrastructure Software Infrastructure SW N/A   Third Party - Commercially
Available Not Designated N/A [***] Operating Systems ESX5 (Hypervisor)    
Infrastructure Software Infrastructure SW N/A VMWARE Hypervisor Third Party -
Commercially Available 1 Triple-S DataCenter [***]   Exchange Server    
Infrastructure Software Infrastructure SW N/A   Third Party - Commercially
Available 1   [***] Load Balancing F5 F5   Infrastructure Software
Infrastructure SW N/A Load balancing and Firewall tools (Web App Firewalls)
Third Party - Commercially Available 1 Triple-S DataCenter [***] Gateway /
Enterprise Service Bus FacilEDI TBD Targeted for Decommission Application
Healthcare Applications (3rd Party) Health Plan Portfolio Solution supporting
validation of X12 files

"A self-contained application that provides “in-stream” validation of X12 files.
This option provides a wider variety of reports and responses than Transaction
Testing Service. It also provides custom splitting and routing of individual
“business units” (e.g., a single claim in a batch) based on user-defined rules."

http://info.optuminsight.com/content/hipaa Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] Channel & Interaction Management File Policy
Request N/A Retain Infrastructure Software Infrastructure SW N/A To view, manage
and deliver all the policies that have been requested to the File Room
Department through the Policy Request System.
DNS - N/A Process Not Designated Triple-S DataCenter [***]

 

 

 



Channel & Interaction Management FollowIT   Targeted for Decommission
Application Triple-S SaaS Health Plan Portfolio Customer Service. Solution
supporting case management; managing, tracking and collaborating on cases.

"Followit is a cloud based business process management and workflow software
that allows you and your team to document and track any type of process in a
centralized solution."

www.followit.com Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Channel & Interaction Management FollowIT N/A Retain
Application Triple-S SaaS Health Plan Portfolio Finance Purchase Order Approval
Workflow System - used by finance group TSM

Solution supporting case management; manage, track and collaborate on cases
Third Party - Commercially Available Not Designated Third Party SaaS Solution
[***]   [***] [***]   [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]  
[***] [***] [***] [***] [***] [***]   [***] Reporting & Compliance GIS
(Geographic Information System) Mapping N/A Retain Application Triple-S SaaS
Health Plan Portfolio Used for reporting.

"A geographic information system (GIS) is a computer system for capturing,
storing, checking, and displaying data related to positions on Earth’s surface.
GIS can show many different kinds of data on one map. This enables people to
more easily see, analyze, and understand patterns and relationships. "

http://www.nationalgeographic.org/encyclopedia
/geographic-information-system-gis/ Third Party - Commercially Available
Baseline Required - Category 3 Applications Third Party SaaS Solution [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]   Globalscape
FTP Service     Infrastructure Software Infrastructure SW N/A FTP Monitoring
Software Third Party - Commercially Available 2   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] Financial & Corporate Systems Home
Service Debit System (MDO System) (1986) N/A Retain Application Non-Healthcare
Business Applications PC & Life Portfolio Individual Debit Ordinary Life and
Health, Policy Loan and Surrenders, Information Transfer Controls w/Actuary, New
Business & Underwriting, Policy Master File, Premiums and Cash Receipts,
Commissions, Reinsurance, Ledger Account Transfer . Third Party - Commercially
Available Not Designated Blank [***] Human Capital Management HR Sense (2000)
N/A Retain Application Non-Healthcare Business Applications TSM Portfolio HR and
Payroll Transactions, Cash Disbursement, Employee Benefits and Surrenders,
Government Agency Transfers & Compliance, Ledger Account Transfer

"RENOVA Human Capital Management (HCM) has been designed and built with one
singular intention: to provide a totally secure, configurable Web-based
enterprise solution that can automatically integrate human resources, payroll
and time administration processes, more effectively and at a lower overall cost"

http://renovasolutions.com/human-resources/ Third Party - Commercially Available
Not Designated Blank N/A IAM Hyena (SystemTools Software/Xapiens Hyena
(SystemTools Software/Xapiens   Infrastructure Software Infrastructure SW N/A
Third Party Identity and Access Management Services Third Party - Commercially
Available 2 Third Party SaaS Solution [***]   Hyper-V Physical Node   To be
Decommissioned Infrastructure Software Infrastructure SW N/A Will go away with
the HS decomm Third Party - Commercially Available 1   [***] Gateway /
Enterprise Service Bus IBM  Websphere TBD Targeted for Decommission
Infrastructure Software Infrastructure SW N/A IBM Software that provides
transaction processing connections between applications

"IBM® WebSphere® Application Server provides a range of flexible, secure, Java
EE 7 runtime environments available on premises or across any public, private or
hybrid cloud. Whether you’re seeking to reduce costs, unlock new value from your
application investment or speed time to market, WebSphere has the right fit for
every business need."

http://www-03.ibm.com/software/products/en/
appserv-was Third Party - Commercially Available 1   [***] Operating Systems IBM
AIX Phased Out with App Migration To be Decommissioned Infrastructure Software
Infrastructure SW N/A Unix Operating System Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] Gateway / Enterprise Service Bus IBM
CICS (Customer Information Control System) TBD Targeted for Decommission
Infrastructure Software Infrastructure SW N/A IBM Software that provides
transaction processing connections between applications. Solution supporting
transaction gateway.

"IBM® CICS® is a family of mixed language application servers that provide
industrial-strength, online transaction management and connectivity for
mission-critical applications."

https://www-01.ibm.com/software/htp/cics/ Third Party - Commercially Available 1
Triple-S DataCenter [***] Operating Systems IBM Mainframe/Windows 2008z/os 1.9  
Not in scope Infrastructure Software Infrastructure SW N/A   Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]

 

 

 



Data Center Idera   Retain Infrastructure Software Infrastructure SW N/A   Third
Party - Commercially Available 1 Triple-S DataCenter [***] Web Services IIS APP
IIS APP   Infrastructure Software Infrastructure SW N/A Webserver Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Claims
Management Implug N/A Retain Application Healthcare Applications (3rd Party)
Health Plan Portfolio Sends files generated by practice managerial clearing
house (handles communications with the clearing house), Receive and send.

"This application is used to facilitate integration with other billing systems
that are capable of generating either an HIPAA X12 file, a proprietary file or a
standard prior to HIPAA such as "NSF"."

https://www.inmediata.com/index.php?option=com_
content&view=article&id=8&Itemid=127&lang=es Third Party - Commercially
Available Baseline Required - Category 1 Applications Triple-S DataCenter [***]
Gateway / Enterprise Service Bus Informatica N/A Retain Infrastructure Software
Infrastructure SW N/A https://www.informatica.com/   1 Triple-S DataCenter [***]
Provider Management Ingenix (Provider Metrics & Analysis Tool) N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Provider
Metrics and Analysis tools Third Party - Commercially Available Baseline
Required - Category 3 Applications Triple-S DataCenter [***] Risk Management
INOVALON N/A Retain Application Triple-S SaaS Health Plan Portfolio Solution
supporting screens and assessments; analytic tool for retrospective member
stratification.  Solution includes ePass, indices, analytics and DDDS (Data
Driven Delivery System)

ePASS® (Electronic Patient Assessment Solution Suite) is a patient-specific,
point-of-care, documentation and decision support platform for providers. ePASS®
empowers providers with Inovalon’s advanced cloud-based analytics to deliver
patient-level information during the encounter to close gaps in care,
assessment, provider documentation, and quality.
(http://www.inovalon.com/howwehelp/epass)

INDICES®, an integrated platform of data visualization provides high-level
insight, as well as drill down detail into:
•Real-time performance, outcomes, and insight reporting
•Outcomes-based / value-based contract tracking, insight, and administration
•Data and analysis visualization
•Transparency regarding value achieved
•Details regarding intervention platform activity
•Clinical data intelligence for population health program design, operation, and
monitoring
•Business intelligence for financial and strategic planning and forecasting
•Processing and structuring of data for transmission to clients and third
parties
•Regulatory filings and program oversight filings
(http://www.inovalon.com/howwehelp/indices)

Inovalon's Distributed Analytics provides an industry-leading analytical
platform with access to the entirety of a healthcare organization’s data assets,
bringing together meaningful data with powerful analytics in an environment
friendly to non-technical personnel to enable deep investigation into root
cause, improvement, and reporting strategies.
(http://www.inovalon.com/howwehelp/distributed-analytics)

Third Party - Commercially Available Not Designated Third Party SaaS Solution
[***] Gateway / Enterprise Service Bus Interchange Grid (Wovenware) TBD Targeted
for Decommission Application Healthcare Applications (3rd Party) Health Plan
Portfolio Manage EDI transaction - Wovenware

"The Wovenware Health Interchange Grid offers a quick cost effective way to
integrate and manage Electronic Data transactions (e.g. HIPAA X 12 834
Eligibility, HIPAA X12 837 Claims, Custom File Formats, etc.) with back-end
processing systems across heterogeneous platforms and databases, be it for
export or import into existing systems." Third Party - Commercially Available 1
Triple-S DataCenter [***] Care Management Interqual N/A Retain Application
Healthcare Applications (3rd Party) Health Plan Portfolio Clinical Guidelines
Care Management system supporting the client's clinical decisions, UM, HM;
Medical necessity guidelines

"InterQual Criteria provide appropriateness of care decision support covering
medical and behavioral health across all levels of care as well as care planning
and complex care management"

http://www.mckesson.com/health-plans/decision-management
/decision-management-interqual/interqual-criteria/ Third Party - Commercially
Available 3 Triple-S DataCenter [***] Claims Management ISO (Insurance Services
Office) Claim Search N/A Retain Application Non-Healthcare Business Applications
PC & Life Portfolio ISO ClaimSearch is the only comprehensive all-claims
database and system for claims processing and fraud detection.

"Each year, participating insurers and other organizations submit tens of
millions of reports on individual insurance claims. ISO stores those reports in
a single database that helps insurers, self-insurers, law enforcement agencies,
and state fraud bureaus detect and prevent fraud, evaluate risk, and process
meritorious claims.

The ISO ClaimSearch system furnishes essential data for researching prior-loss
histories, identifying claims patterns, and detecting suspect claims. ISO’s
Internet interface lets users conduct broad and flexible searches of the data."

http://www.verisk.com/iso/claimsearch.html Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] Reporting & Compliance ISO (Insurance
Services Office) Company Edit Package (Web CEP) N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio With ISO's Company Edit
Packages, reporting companies can edit and correct their data before submitting
it to ISO. The software streamlines the error detection and correction process
by allowing companies to test with the same edits performed at ISO.

"The Web CEP service, included as part of Statistical Web Services, helps you
detect errors in your statistical data before you send your submission files to
ISO. Web CEP uses the same editing criteria that ISO uses as part of its
submission system quality checks."

http://www.verisk.com/iso/data-collection-
services/web-cep.html Third Party - Commercially Available Not Designated
Triple-S DataCenter [***]

 

 

 



Reporting & Compliance ISO (Insurance Services Office) Net N/A Retain
Application Non-Healthcare Business Applications PC & Life Portfolio ISOnet
brings ISO's vast wealth of insurance information to you over the web.  With
ISOnet — the information service for insurance professionals — you can easily
locate current and historical ISO documents. Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Reporting & Compliance ISO
(Insurance Services Office) Secure Transport N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio Used to report all the data
files generated thru the ISO's Company Edit Packages.

"Managed File Transfer. Send and receive large files securely and efficiently,
without the need for proprietary software or networks. Tumbleweed
SecureTransport™ enables the exchange of valuable and sensitive data over the
Internet in a secure and reliable manner. SecureTransport is a centrally
managed, client-server solution supporting a broad set of open standard file
transfer protocols, including FTP, FTPS, HTTP, HTTPS, SSH (SFTP and SCP), and
AS2. SecureTransport is available as an appliance or software."

http://www.acw-group.com/distribution/malaysia/
product_solutions/pdf/tumbleweed_
securetransport_brochure.pdf Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] Channel & Interaction Management IVR (Interactive Voice
Response) Optum VCC (Virtual Contact Center) Targeted for Decommission
Infrastructure Software Infrastructure SW N/A Interactive voice recognition
application.  Provides services to provider, members and group administrator.

"Reduces human resources costs by processing credit card, debit card & ACH
transactions with no human intervention. Our Interactive Voice Recognition
payment system provides:

Last-minute payment capability
24/7 availability
Account authentication & status reports
Payment verification
Daily transmission of transaction details"

https://www.evertecinc.com/en-us/paymentprocessing
/electronicpaymentservices/billpaymentsolutions.aspx Third Party - Commercially
Available 1 Triple-S DataCenter [***] TBD JUA 1 App: JUS - Asociacion de
Subscripcion Conjunta N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Web application to issue JUA vouchers to credit our
clients for the cost of their car registration or "Marbete" by the Seguro
Obligatorio.
 
"Seagull Software is a technology services and software company that specializes
in integrating legacy applications into modern service-oriented architecture
(SOA) infrastructures for a wide range of enterprise-level clients. By
connecting applications on mainframes and client/server platforms to middleware
and next-generation Web services, Seagull Software provides its clientele with
powerful, cost-effective solutions that modernize business, while enhancing
regulatory compliance. "

http://h41379.www4.hpe.com/partners/seagull/)+H100 Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] TBD JUA 2 App: Sistema de
Subrogaciones de ASC N/A Retain Application Non-Healthcare Business Applications
PC & Life Portfolio Subrogation cases transfer system for the Seguro Obligatorio
or Asociacion de Subscripcion Conjunta (ASC), once known as JUA. Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Financial &
Corporate Systems Kronos N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio https://www.kronos.com/ Third Party - Commercially
Available 3 Triple-S DataCenter [***] DR Lepide (Exchange Recovery) Lepide
(Exchange Recovery)   Infrastructure Software Infrastructure SW N/A DR tool for
MS Exchange Servers Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Reporting & Compliance Lexis Nexis TBD Retain Application
Non-Healthcare Business Applications TSM Portfolio Legal investigations.
Computer-assisted legal research. World's largest electronic database for legal
and public-records related information.

https://www.lexisnexis.com/en-us/about-us/about-us.page Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Product
Management LifePro (1997) N/A Retain Application Non-Healthcare Business
Applications PC & Life Portfolio Individual Ordinary Life, Health and Annuities,
Policy Loan and Surrenders, Information Transfer Controls w/Actuary, New
Business & Underwriting, Policy Master File, Premiums and Cash Receipts,
Commissions, Reinsurance, Ledger Account Transfer .  Puerto Rico and Costa Rica
Business.

"EXL's LifePRO administrative solution was developed specifically to take
advantage of client server technology, providing flexible support for an
extremely broad range of life, health and annuity products. LifePRO streamlines
policy administration through features such as a flexible product engine,
real-time customer service and extensive agent compensation support.
Communication with other applications is enhanced via the use of Microsoft SQL
as the operational database. In addition, Application Programming Interfaces
(APIs) developed in .NET provide real-time access to LifePRO data and business
logic for the purposes of communicating with external applications such as client
and agent web portals."

http://info1.exlservice.com/hubfs/Imported_Assets/
Infosheets/LifePROSystem-features.pdf Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Operating Systems LinuxRedHat 6.5    
Infrastructure Software Infrastructure SW N/A Linux Operating System Third Party
- Commercially Available Not Designated Triple-S DataCenter [***] Operating
Systems LINUXUbuntu 12.04 LTS     Infrastructure Software Infrastructure SW N/A
Linux Operating System Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Product Management LIS
(Life Information System) (1992) N/A Retain Application Non-Healthcare Business
Applications PC & Life Portfolio Individual Ordinary Life, Health and Annuities,
Policy Loan and Surrenders, Information Transfer Controls w/Actuary, New
Business & Underwriting, Policy Master File, Premiums and Cash Receipts,
Commissions, Reinsurance, Ledger Account Transfer . Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Operating Systems MAC    
Infrastructure Software Infrastructure SW N/A OSX Laptop Third Party -
Commercially Available Not Designated N/A [***]

 

 

 



Channel & Interaction Management MailStart Optum Print Fulfillment Targeted for
Decommission Infrastructure Software Infrastructure SW N/A Mail Routing

Solution supporting web-based email services.  Postal address validation. Third
Party - Commercially Available 4 Triple-S DataCenter [***] Data Center Manage
Engine Application Manager   Decommission Infrastructure Software Infrastructure
SW N/A   Third Party - Commercially Available 1     Data Center Manage Engine
Operations Manager   decommission Infrastructure Software Infrastructure SW N/A
  Third Party - Commercially Available 1     Service Management / ITSM
ManageEngine ServiceNow   Infrastructure Software Infrastructure SW N/A   Third
Party - Commercially Available 1 Triple-S DataCenter [***] Endpoint Remote
Control ManageEngine Bomgar   Infrastructure Software Infrastructure SW N/A
Remote Access Remote Control Software for End User Support.  (Remote Desktop)
Third Party - Commercially Available 1 Triple-S DataCenter [***] Operations
Scheduling ManageEngine Chef/ServiceNow   Infrastructure Software Infrastructure
SW N/A OS & Application Packaging and Automation, Patch & Configuration
Management Third Party - Commercially Available 1 Triple-S DataCenter [***]
Information Management Management Information System (MIS) N/A Retain
Application Non-Healthcare Business Applications PC & Life Portfolio Our
Business Intelligence Platform running on Business Objects (SAP). Reports and
data warehousing system for data generated by our SISE System. Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] Membership Accounting &
Configuration MDM (Master Data Management) TBD Targeted for Decommission
Infrastructure Software Infrastructure SW N/A Member Master Data Management.

"Master data management (MDM) is a comprehensive method of enabling an
enterprise to link all of its critical data to one file, called a master file,
that provides a common point of reference. When properly done, MDM streamlines
data sharing among personnel and departments. In addition, MDM can facilitate
computing in multiple system architectures, platforms and applications."
http://searchdatamanagement.techtarget.com/definition
/master-data-management Inhouse Application -- Custom 1 Triple-S DataCenter
[***] Provider Payments MedOne N/A Retain Application Healthcare Applications
(3rd Party) Health Plan Portfolio Legacy Practice management solutions. Billing
system for medical offices. Third Party - Commercially Available Baseline
Required - Category 4 Applications Triple-S DataCenter [***] Mobile Member -
Mobile Applications N/A Retain Application Healthcare Applications (3rd Party)
Health Plan Portfolio Member mobile application similar to
Health4Me  (Corporate Mobile Apps) Third Party - Commercially Available Not
Designated Triple-S DataCenter [***]   Microfocus     Infrastructure Software
Infrastructure SW N/A Cobol runtime. Need till HS runout Third Party -
Commercially Available Not Designated   [***] Infrastructure Hosting Microsoft -
Office 365 Microsoft - Office 365   Infrastructure Software Infrastructure SW
N/A Cloud Services Third Party - Commercially Available Not Designated Triple-S
DataCenter /Azure Cloud [***] IAM Microsoft AD (RBAC) - Xapiens Xapiens & Azure
AD   Infrastructure Software Infrastructure SW N/A Third party Identity and
Access Management Service Third Party - Commercially Available 1 Third Party
SaaS Solution [***] Channel & Interaction Management Microsoft Dynamics CRM
(Customer Relation Management) Optum CRM (Customer Relationship Management)
Salesforce Targeted for Decommission Infrastructure Software Infrastructure SW
N/A Customer Relation Management Application

"Microsoft Dynamics™ Customer Relationship Management (CRM) is a business
solution to help develop leads, nurture contacts, track your sales, and keep
your customers happy.

At its core, Microsoft Dynamics CRM involves three basic steps:
1.Finding and developing customer relationships.
2.Cultivating these relationships to enhance profitability.
3.Maintaining complete satisfaction of all customers. "

http://www.interdynbmi.com/microsoft-dynamics-crm Third Party - Commercially
Available 6 Triple-S DataCenter [***] Infrastructure Hosting Microsoft HyperV
HyperV (On Prem & Azure) To be Decommissioned Infrastructure Software
Infrastructure SW N/A Virtualization Software Third Party - Commercially
Available 1 Triple-S DataCenter [***] Information Management Microsoft Reporting
Services N/A Retain Infrastructure Software Infrastructure SW N/A Report Builder
Software. This is called 'SQL Server Reporting Services' (SSRS).

"Create, deploy, and manage mobile and paginated reports on premises with the
range of ready-to-use tools and services that SQL Server Reporting Services
(SSRS) provides.

SQL Server Reporting Services is a solution that customers deploy on their own
premises for creating, publishing, and managing reports, then delivering them to
the right users in different ways, whether that’s viewing them in web browser,
on their mobile device, or as an email in their in-box."

https://msdn.microsoft.com/en-us/library/
ms159106.aspx Third Party - Commercially Available 2 Triple-S DataCenter [***]

 

 

 



Information Management Microsoft SQL N/A Retain Infrastructure Software
Infrastructure SW N/A Microsoft SQL Server is a relational database management
system developed by Microsoft. As a database server, it is a software product
with the primary function of storing and retrieving data as requested by other
software applications—which may run either on the same computer or on another
computer across a network (including the Internet).

(https://www.microsoft.com/en-us/sql-server/sql-server-2016) Third Party -
Commercially Available 1 Triple-S DataCenter [***] Operating Systems Microsoft
Windows Server 2008 Enterprise     Infrastructure Software Infrastructure SW N/A
Windows Operating System Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Operating Systems Microsoft Windows Server 2008 R2
Enterprise     Infrastructure Software Infrastructure SW N/A Windows Operating
System Third Party - Commercially Available Not Designated Triple-S DataCenter
[***] Operating Systems Microsoft Windows Server 2008 R2 Standard    
Infrastructure Software Infrastructure SW N/A Windows Operating System Third
Party - Commercially Available Not Designated Triple-S DataCenter [***]
Operating Systems Microsoft Windows Server 2008 Standard     Infrastructure
Software Infrastructure SW N/A Windows Operating System Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Operating
Systems Microsoft Windows Server 2008 Standard without Hyper-V    
Infrastructure Software Infrastructure SW N/A Windows Operating System Third
Party - Commercially Available Not Designated Triple-S DataCenter [***]
Operating Systems Microsoft Windows Server 2012 R2 Standard     Infrastructure
Software Infrastructure SW N/A Windows Operating System Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Operating
Systems Microsoft(R) Windows(R) Server 2003  Standard Edition     Infrastructure
Software Infrastructure SW N/A Windows Operating System Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Operating
Systems Microsoft(R) Windows(R) Server 2003 Standard x64 Edition    
Infrastructure Software Infrastructure SW N/A Windows Operating System Third
Party - Commercially Available Not Designated Triple-S DataCenter [***]
Operating Systems Microsoft(R) Windows(R) Server 2003, Enterprise Edition    
Infrastructure Software Infrastructure SW N/A Windows Operating System Third
Party - Commercially Available Not Designated Triple-S DataCenter [***]
Reporting & Compliance MicroStrategy (2008) N/A Retain Application Non-Healthcare
Business Applications TSM Portfolio Business Intelligence Reporting, Financial
Statements and Analysis, Claims and HR.

MicroStrategy is an enterprise business intelligence (BI) application software
vendor. The MicroStrategy platform supports interactive dashboards, scorecards,
highly formatted reports, ad hoc query, thresholds and alerts, and automated
report distribution. Interfaces include web, desktop (for developers) and
Microsoft Office integration. MicroStrategy Mobile also supports mobile
BI.  (http://searchbusinessanalytics.techtarget.com/
definition/MicroStrategy)

(https://www.microstrategy.com/us) Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Claims Management Mitchell WorkCenter N/A
Retain Application Non-Healthcare Business Applications PC & Life Portfolio
Complete physical damage claims processing. Mitchell WorkCenter™ steps up the
pace in meeting the industry’s demand for an open, modular, end-to-end, physical
damage claims settlement solution.

(https://www.mitchell.com/Portals/0/Assets/APD-Claims
/wc-overview-brochure-single-pages-final.pdf) Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Reporting & Compliance MSP
(Medicare Secondary Payer Act) Navigator N/A Retain Application Non-Healthcare
Business Applications Health Plan Portfolio Interactive tools and
reports to address ongoing mandatory reporting and the MSA and conditional
payment enforcement that Section 111 reporting will prompt.

"MSP Navigator provides enhanced data visibility to your claims personnel and
neatly packages CMS information critical to every settlement. We provide the
highest level of security in a package flexible enough to meet any need. Our
implementation experience provides critical pathways to overcome challenges
posed by shifting RRE status, coverage issues, multiple claimant litigation and
extraction of data from claims systems. We address these and other questions
that every Section 111 reporting solution should deal with in order to avoid
costly fines and unnecessary confusion. MSP Navigator provides an audit trail
and escalation procedures to ensure that you get the reporting right and you
can prove it to CMS or anyone else."

http://www.verisk.com/claimspartners-v/uploads/
Crowe-Paradis-Services-Corporation-Reporting-
Product-Brief-Updated.pdf Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Product Management My Insurance Center™ (MIC) N/A
Retain Application Non-Healthcare Business Applications PC & Life Portfolio My
Insurance Center™ (MIC) is a web-based solution that provides real-time
management and support for both carriers and agencies through a “horizontally”
scalable platform that allows you to add or remove capabilities as conditions
warrant.

Http://www.lexingtoncoverall.com Third Party - Commercially Available Not
Designated Triple-S DataCenter [***]

 

 

 



Care Management NeoMed N/A Retain Application Healthcare Applications (3rd
Party) Health Plan Portfolio Electronic Health Record (EHR) where all the
doctors notes are stored.

"NeoMED EHR 3.0 is a user friendly, flexible, easily customizable and bilingual
(English /Spanish) electronic health record. Data entry can be performed through
point and click, direct typing and speech recognition (with optional
equipment)."

neodeckholdings.com/neomed-ehr/ Third Party - Commercially Available 1 Triple-S
DataCenter [***] Backup NetBackup (retain solution and backups per compliance
guidelines) CommVault Future Solution being deployed. Infrastructure Software
Infrastructure SW N/A Enterprise Backup Software Third Party - Commercially
Available 1 Triple-S DataCenter [***]   Netflow     Infrastructure Software
Infrastructure SW N/A Network Utilization Software

"NetFlow is a network protocol developed by Cisco for collecting IP traffic
information and monitoring network traffic. By analyzing flow data, a picture of
network traffic flow and volume can be built. Using a NetFlow collector and
analyzer, you can see where network traffic is coming from and going to and how
much traffic is being generated." Third Party - Commercially Available 1   [***]
  [***]     [***] [***] [***] [***] [***] [***]   [***] TBD New HEDIS Vendor App
N/A Retain Application Healthcare Applications (3rd Party) Health Plan Portfolio
  Third Party - Commercially Available Baseline Required - Category 2
Applications Triple-S DataCenter [***] Information Management | Reporting &
Compliance ODS (Operational Data Store) N/A Retain Infrastructure Software
Infrastructure SW N/A Data repository for analysis purposes
Looking to create a new ODS for transactional reporting.  This new ODS will feed
OneTSH.  ODS Feeds Member MDM Third Party - Commercially Available 1 Triple-S
DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] Content Management OnBase (Content Management - Life) N/A Retain
Application Non-Healthcare Business Applications PC & Life Portfolio Document
Management and Process WorkFlow

"Workflow management automates business processes allowing work to be shared
efficiently between workers. It matches work tasks with the workers that can
best do them."

https://www.onbase.com/en/learn-ecm/common-ecm-terms/workflow/#.WL3fPW_yvIU
Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Content Management OnBase (Content Management - P&C)
N/A Retain Application Non-Healthcare Business Applications PC & Life Portfolio
Is enterprise content management software that combines integrated document
management, business process management and records management in a single
application.

"OnBase is a flexible enterprise content management (ECM) solution that helps
organizations manage documents and data to streamline business operations.
Integrating with everyday business applications, OnBase provides instant access
to critical information when you need it, wherever you are."

https://www.onbase.com/en/product/platform-capabilities/enterprise-content-management/#.WL3hP2_yvIU
Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Content Management OnBase
(Content Management - TSS) N/A Retain Application Non-Healthcare Business
Applications Health Plan Portfolio Storage of Digital Images and support of
workflow processes Third Party - Commercially Available 1 Triple-S DataCenter
[***] Content Management OnBase (Content Management - TSS-ITS) N/A Retain
Application Non-Healthcare Business Applications Health Plan Portfolio Storage
of Digital Images and support of workflow processes - used for ITS Third Party -
Commercially Available 3 Triple-S DataCenter [***] Membership Accounting &
Configuration
Sales & Marketing Onbase (Membership Accounting & Configuration, Sales &
Marketing) N/A Retain Application Non-Healthcare Business Applications TSM
Portfolio Document Management

https://www.onbase.com/en/solutions/healthcare/#.WL3eoW_yvIU
Third Party - Commercially Available 3 Triple-S DataCenter [***]
Information Management ONE TSA - will become OneTSH OneTSH Targeted for
Decommission Infrastructure Software Infrastructure SW N/A DW: Claims, Premiums,
Reserves - Will enhance to become OneTSH Inhouse Application -- Custom 3
Triple-S DataCenter [***] Product Management Optum StepWise N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio
Application used for renovation and sale of groups

The StepWise Suite is a holistic software platform that simplifies the design,
deployment and distribution of health insurance products across stakeholders and
lines of business. The suite automates key underwriting, actuarial, product,
compliance, sales and fulfillment processes around a core repository and single
technology platform to deliver exponential value and efficiencies for the
organization. Business owners are empowered to design, own and manage
mission-critical rate and product definitions, formulas and rules enabling staff
efficiency, enhanced accuracy and speed to market. Its service-oriented
architecture and domain-specific workflow and collaboration tools enable
transparency across stakeholders and systems, streamlining processes across the
product development to quote to cash value chain.

https://www.optum.com/solutions/prod-nav/stepwise-suite.html
Third Party - Commercially Available 2 Triple-S DataCenter
[***]

 

 

 




 

Information Management Oracle Database OneTSH Targeted for Decommission
Infrastructure Software Infrastructure SW N/A Old Data warehouse Third Party -
Commercially Available 2 Triple-S DataCenter [***] Financial & Corporate Systems
Oracle Financial (1990) N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Claims Life A&H, DAC Accumulation of Costs, FSC, Cash
Disbursement, Investment, Payroll, Premiums and Cash Receipts-MDO, Premiums and
Cash Receipts-Other, A/P (Purchases), Income Taxes, PPE, Billing & Cash Receipt
Group, Commissions Other & Group

http://www.oracle.com/us/solutions/financial-management/index.html
Third Party - Commercially Available 3 Triple-S DataCenter [***]
Operating Systems Oracle LinuxEnterprise 5.5     Infrastructure Software
Infrastructure SW N/A Linux Operating System Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Imaging Osirix aycan N/A
Retain Application Healthcare Applications (3rd Party) Health Plan Portfolio
System used for the clinical analysis of radiological images

"A Mac-based multi-modality workstation for post-processing and primary
diagnosis

Today's increasing volume of image data requires high-performance workstations
that allow multi-planar imaging and manipulation–introducing aycan workstation,
an advanced image-processing tool and DICOM PACS workstation for conventional,
multi-slice and other image reading. With the most robust feature set on the
market, aycan workstation offers high performance at a great value. "

http://www.aycan.com/products/aycan-workstation/details.html Third Party -
Commercially Available Baseline Required - Category 4 Applications Triple-S
DataCenter [***] Care Management Osirix MD N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio System used to import previous
radiological studies

"OsiriX MD, the medical edition of OsiriX, is certified and validated for
clinical use in medicine (FDA, CE, ANVISA). With ultrafast performance and an
intuitive interactive user interface, it is the most widely used DICOM viewer in
the world. It offers advanced post-processing techniques in 2D and 3D, exclusive
innovative techniques for 3D & 4D navigation, including PET-CT and SPECT-CT
fusion, and a complete integration with any PACS server. It can import and
display any medical images (DICOM) from CD, DVD, USB stick, web-site, … OsiriX
MD supports 64-bit computing and multithreading for the best performances on the
most modern computers."

http://www.osirix-viewer.com/osirix/overview/ Third Party - Commercially
Available Baseline Required - Category 4 Applications Triple-S DataCenter [***]
Financial & Corporate Systems Other financial tools (TSM) N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio     Baseline Required -
Category 1 Applications     Financial & Corporate Systems PAM N/A Retain
Application Non-Healthcare Business Applications TSM Portfolio Treasury to
manage capital investments.

"PAM is highly flexible and configured to operate across your asset classes,
currencies and portfolio types. It provides transaction management, cash
management, reporting, recordkeeping and valuation — in a single system. With
several accounting parameter choices, you can define accounting rules to create
a processing environment that meets your needs."

http://www.statestreet.com/solutions/by-capability/ssgx/software-solutions/accounting.html
Third Party - Commercially Available 3
Triple-S DataCenter [***] Financial & Corporate Systems PAM (Portfolio
Accounting Management) N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio PAM for Securities is a comprehensive investment
accounting and management platform that supports international accounting and
reporting requirements for a diverse range of assets and portfolio types. Third
Party - Commercially Available 3 Triple-S DataCenter [***] Channel & Interaction
Management PAS Enhanced Provider Portal Targeted for Decommission Application
Healthcare Applications (3rd Party) Health Plan Portfolio Front end Software for
Providers - replace with new enhanced portal. Legacy portal supporting internal
customer service activities. Third Party - Commercially Available Baseline
Required - Category 2 Applications Triple-S DataCenter [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] Operating Systems PC
Desktop Windows 7     Infrastructure Software Infrastructure SW N/A Windows
Operating System Third Party - Commercially Available Not Designated N/A [***]
Asset Management PC Inventory System N/A Retain Infrastructure Software
Infrastructure SW N/A Application used to maintain the PC & PRT inventory.
Inhouse Application -- Custom Not Designated    

 

 

 




 

Financial & Corporate Systems PC-Recon\PC-App\Tablets N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio Home Service Sales &
Collection Manager, Cash Receipt, Policy Premium Transfer, Policy App Transfer,
Ledger Account Transfer. Third Party - Commercially Available Not Designated
Third Party SaaS Solution [***] Financial & Corporate Systems PeachTree N/A
Retain Application Healthcare Applications (3rd Party) Health Plan Portfolio
Accounting Software, Accounts payable

"Features include: Sales Optimization, Expense Management, Mobile Invoicing,
Dashboards, Reporting, Payroll"

http://www.sage.com/us/sage-50-accounting/features Third Party - Commercially
Available Not Designated Third Party SaaS Solution [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] Financial & Corporate Systems
PLS (Loans) (1988) N/A Retain Application Non-Healthcare Business Applications
TSM Portfolio Loans for Individual Life, Cash Disbursement, Information Transfer
Controls w/Actuary, Other Loan Reserves, Ledger Account Transfer . Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Product
Management Policy (Majesco) N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Policy is a web-based solution that provides
real-time management and support for both carriers and agencies through a
“horizontally” scalable platform that allows you to add or remove capabilities
as conditions warrant.  It is based on a Loss Cost rating method.

https://www.majesco.com/software/property-casualty/policy/ Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Information
Management Policy Request N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Application used to view, manage and deliver all the
policies physical files that have been requested to the Administration
Department through the Policy Request System. Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Care Management Portal del
Paciente In development  Targeted for Replacement Application Healthcare
Applications (In-House) Health Plan Portfolio Tool used in patient
pre-registration process Inhouse Application -- Custom Baseline Required -
Category 2 Applications Triple-S DataCenter [***] Data Center Power -
Distribution Software Power - Distribution Software   Infrastructure Software
Infrastructure SW N/A Datacenter PDU Software Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Care Management Powerscribe
N/A Retain Application Healthcare Applications (3rd Party) Health Plan Portfolio
Voice dictation for radiologists. Legacy system that transcribes radiological
studies.

http://www.nuance.com/products/powerscribe360/index.htm Third Party -
Commercially Available Baseline Required - Category 4 Applications Triple-S
DataCenter [***] Financial & Corporate Systems PR Soft N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio Tax software App specific to
Puerto Rico Tax Laws

www.prsoft.com Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] Asset Management Prevail Reinsurance System (PRS) N/A Retain
Application Non-Healthcare Business Applications PC & Life Portfolio Reinsurance
System.

Asset Protection
Operating Cost Reduction
Audit of All Financial Transactions

http://prevailconsulting.com/Prevail%20Reinsurance%20System.htm
Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Output Management PrintNet N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio PrintNet supplies the
correspondence templates for printing. Solution supporting fulfillment
operations.

http://www.printnetsolutions.com/ Third Party - Commercially Available Baseline
Required - Category 2 Applications Triple-S DataCenter [***] SIEM PRISM
Microsystems  (Event Tracker) QRadar Future Solution being deployed.
Infrastructure Software Infrastructure SW N/A Security Information and Event
Management (SIEM) Third Party - Commercially Available 1 Triple-S DataCenter
[***] Gateway / Enterprise Service Bus Process Control Monitoring (PCM) TBD
Targeted for Decommission Infrastructure Software Infrastructure SW N/A
Application to coordinate batch process that runs in Websphere Process Server
(ESB) - batch job scheduler - works in concert with control-M Third Party -
Commercially Available 1 Triple-S DataCenter [***] Provider Network Management
Provider Directory Optum Intelligent Directory Targeted for Decommission
Application Healthcare Applications (3rd Party) Health Plan Portfolio Solution
supporting provider management. Third Party - Commercially Available 2 Triple-S
DataCenter [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] Channel & Interaction Management Qfiniti Call Recording Optum VCC
(Virtual Contact Center) Targeted for Decommission Infrastructure Software
Infrastructure SW N/A Call Recording Software. Solution supporting customer
interaction performance measures, including quality monitoring, interaction
analysis, performance management, evaluations, customer surveys. Third Party -
Commercially Available 3 Triple-S DataCenter [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] Product Management QL Admin N/A Retain
Application Non-Healthcare Business Applications PC & Life Portfolio Individual
Ordinary Life, Health and Annuities, Policy Loan and Surrenders, Benefits,
Information Transfer Controls w/Actuary, New Business & Underwriting, Policy
Master File, Premiums and Cash Receipts, Commissions, Reinsurance, Ledger
Account Transfer .  P.R. and C.R.

"With QLAdmin life insurance policy administration software and related tools,
clients have complete processing ability for traditional life and health
insurance products. In addition, annuities, pre-arranged funeral plans, final
expense, group or worksite coverage, and supplemental benefits are all
supported."

http://www.qladmin.com/#sthash.0ptcUF5k.r0qXguCD.dpuf
Third Party - Commercially Available Not Designated Triple-S
DataCenter [***]

 

 

 




 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] SIEM QRadar QRadar
Future Solution being deployed. Infrastructure Software Infrastructure SW N/A
Security Information and Event Management (SIEM) Third Party - Commercially
Available 1 Triple-S DataCenter [***] Imaging RadStore/ DCM4CHEE N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Manage
patient image. RadStore is a long-term image storage solution.

"dcm4che is a collection of open source applications and utilities for the
healthcare enterprise. These applications have been developed in the Java
programming language for performance and portability, supporting deployment on
JDK 1.6 and up."

http://www.dcm4che.org/ Third Party - Commercially Available Baseline Required -
Category 3 Applications Triple-S DataCenter [***] Operating Systems RedHat
RedHat   Infrastructure Software Infrastructure SW N/A Linux Operating System
Third Party - Commercially Available Not Designated Triple-S DataCenter [***]
Reporting & Compliance Reporting Services 2005 N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio Tool used to make and display
reports via a Web Browser. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Channel & Interaction Management RightFax N/A Retain
Infrastructure Software Infrastructure SW N/A Fax send and receive delivery
Software. Solution supporting document management of faxes - paperless.

https://www.redcompr.com Third Party - Commercially Available 3 Triple-S
DataCenter [***] Provider Network Management Risk Management TBD Targeted for
Decommission Application Healthcare Applications (3rd Party) Health Plan
Portfolio Application (batch process) to classify claims as Risk (catastrophic)
for Medicaid Third Party - Commercially Available 2 Triple-S DataCenter [***]
Risk Management Risk Model TSA N/A Retain Application Healthcare Applications
(In-House) Health Plan Portfolio   Inhouse Application -- Custom 4 Triple-S
DataCenter [***] Risk Management RMS - RiskLink N/A Retain Application
Non-Healthcare Business Applications PC & Life Portfolio RMS uses desktop and
server technology to deliver disaster risk tech. They are the primary access
point to our catastrophe risk models and expertise, providing an end-to-end
solution for risk selection, pricing, portfolio management, and risk transfer.

http://www.rms.com/ Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Financial & Corporate Systems SAP (2012 Life) N/A Retain
Application Non-Healthcare Business Applications TSM Portfolio Financial \
Accounting & HR Purposes - General Ledger, Accounts Payable, Accounts
Receivable, Vendors, Reconciliation, modules among others Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Financial &
Corporate Systems SAP (Medicare) N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Finance and HR Software Solution Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Financial &
Corporate Systems SAP (P&C) N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio Refer to TSM App Catalog Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Reporting & Compliance SAPPS
(Medicaid & Commercial) N/A Retain Application Healthcare Applications (3rd
Party) Health Plan Portfolio Used to perform medical audits of claim. Third
Party - Commercially Available Baseline Required - Category 4 Applications
Triple-S DataCenter [***] Channel & Interaction Management SASSS (Medicare)
Optum CRM (Customer Relationship Management) Salesforce Targeted for
Decommission Application Healthcare Applications (3rd Party) Health Plan
Portfolio Used for document requests from insured. Third Party - Commercially
Available 3 Triple-S DataCenter [***] Financial & Corporate Systems SASVI (2006)
N/A Retain Application Non-Healthcare Business Applications TSM Portfolio Group
Life, Commissions, Premiums and Cash Receipts-Other, Claims Group, New Business
& Underwriting-Group, Reinsurance, Billing & Cash Receipt, Groups and
Ledger  Account Transfer. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Product Management Secure Plusss Certificates N/A
Retain Application Non-Healthcare Business Applications PC & Life Portfolio To
rate and issue auto certificates from a Master Policy. Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Product
Management Secure Plusss System (SPS) N/A Retain Application Non-Healthcare
Business Applications PC & Life Portfolio To rate and issue personal lines
policies. It has an electronic interface with our SISE package. IP -
204.6.200.55 (internet) or 10.0.128.56 (remote annex) Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Change Management Serena
ServiceNow TBD Infrastructure Software Infrastructure SW N/A   Third Party -
Commercially Available 3 Triple-S DataCenter [***] Portfolio Management Serena
Planview   Infrastructure Software Infrastructure SW N/A   Third Party -
Commercially Available 3 Triple-S DataCenter [***] Administration Service
Request N/A Retain Application Non-Healthcare Business Applications TSM
Portfolio Employees enter the request they need from the Administration
Department. Then the Administration Department (with Administration Service
Request) assigns the jobs. Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Infrastructure Hosting Sidif Del Caribe -
Double Take Tool Sidif Del Caribe - Double Take Tool   Infrastructure Software
Infrastructure SW N/A Optum Comment:  Not sure if this is a third party service
(SIDIF) or a tool Third Party - Commercially Available 1 Triple-S DataCenter
[***] Imaging Sirona N/A Retain Application Healthcare Applications (3rd Party)
Health Plan Portfolio Capture, analyze, process, and import/export dental
radiology images. 

http://www.sironausa.com Third Party - Commercially Available Baseline Required
- Category 4 Applications Triple-S DataCenter [***]

 

 

 




 

Claims Management SISE N/A Retain Application Non-Healthcare Business
Applications PC & Life Portfolio Our Back End solution that includes policy
administration, claims administration, reinsurance, regulatory reporting,
billing, accounting and general ledger for Life and P&C insurance carriers, MGAs
and TPAs. Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Asset Management Sky Tec N/A Retain Application Non-Healthcare
Business Applications TSM Portfolio Application to keep track of company
vehicles and calculate business routes. This application is installed directly
on a computer and there is a web version available.

http://skytecpr.com/homepage/ Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Asset Management Sky Tec Web N/A Retain
Application Non-Healthcare Business Applications TSM Portfolio Web  Application
to keep track of company vehicles by GPS and calculate business routes. This
application can also be installed directly on a computer.

http://skytecpr.com/homepage/ Third Party - Commercially Available Not
Designated Triple-S DataCenter [***] Information Management SmartCap OneTSH
Targeted for Decommission Application Healthcare Applications (3rd Party) Health
Plan Portfolio Medicaid line of business, Capitation, claims, member roster for
,  also used for utilization, IPA Independent Provider Association.  has a
provider portal

SmartCap is an application that allows you to manage every step you take in your
ACO, IPA, and MSO medical group which consists of importing and converting the
data sent by different insurers.

www.smartcappr.com Third Party - Commercially Available Baseline Required -
Category 2 Applications Triple-S DataCenter [***] SMTP SMTP - Special Project
Azure SendGrid   Infrastructure Software Infrastructure SW N/A Mail Transport
Tool Third Party - Commercially Available Not Designated Triple-S DataCenter
[***] Operating Systems Solaris   To be Decommissioned Infrastructure Software
Infrastructure SW N/A Unix Operating System Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] Infrastructure Monitoring Solarwinds
Solarwinds Retain Infrastructure Software Infrastructure SW N/A
Application/Infrastructure monitoring tool Third Party - Commercially Available
1 Triple-S DataCenter [***] Financial & Corporate Systems SpeedPay N/A Retain
Application Non-Healthcare Business Applications TSM Portfolio System that
transfers archive with information of policies pending for payment to CitiBank
SpeedPay system.

https://www.speedpay.com/ Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Financial & Corporate Systems SpeedPay Web N/A Retain
Application Non-Healthcare Business Applications TSM Portfolio Website to
process SpeedPay payments directly with CitiBank

https://www.speedpay.com/ Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Service Management Spiceworks N/A Retain Application
Healthcare Applications (3rd Party) Health Plan Portfolio Help desk management
system

https://www.spiceworks.com/ Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Claims Management SRI (Claims) System
(1988) N/A Retain Application Non-Healthcare Business Applications PC & Life
Portfolio Claims Individual Life A&H, Cash Disbursement, Information Transfer
Controls w/Actuary, Other Claims Reserves-IBNR, Ledger Account Transfer . Third
Party - Commercially Available Not Designated Triple-S DataCenter [***] Mobile
SRO Mobile App N/A Retain Application Non-Healthcare Business Applications TSM
Portfolio Mobile App for the SRO policies servicing Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Compliance | FWA | Clinical
Quality Management STAR Sentinnel
(candidate for Decommission) CPI (Comprehensive Payment Integrity) Targeted for
Decommission Application Healthcare Applications (3rd Party) Health Plan
Portfolio Application used to evaluate the payment of claims (Claim Check).
Cloud Fraud, Waste, Abuse detection.

STAR Sentinel – sophisticated software data-mining tools that analyze all
categories of claims received, Provider demographics, and Member benefits – are
primary sources of audit and investigation identification and selection.  FW&A
specific.

"This automated early-warning, detection and overpayment protection system helps
shield health payers’ assets with built-in intelligence to
identify potential fraud cases, spot billing misunderstandings/mistakes
and help adhere to medical policies. STARSSentinel uses
hundreds of patterns, rules, statistical calculations, utilization measures,
financial profiles, high-impact fraud schemes and predictive detection to
evaluate, compare, rank and score providers and members, as
well as identify an overall “Index of Suspicion”. "

http://gdhealth.com/globalassets/health-solutions/documents/brochures/starssolutionssoftware
Third Party - Commercially Available
Not Designated Third Party SaaS Solution [***] Compliance | FWA | Clinical
Quality Management STARS Track N/A Retain Application Healthcare Applications
(3rd Party) Health Plan Portfolio MA Stars Metrics. Solution supporting
reporting for Triple-S.  More specifically this solution is used for HEDIS
reporting. Third Party - Commercially Available Not Designated Triple-S
DataCenter [***]

 

 

 




 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
Financial & Corporate Systems STS Reconcile System N/A Retain Application
Non-Healthcare Business Applications TSM Portfolio This application is used to
carry out a bank reconciliation with our Citibank checks, sent to us by CDs in
Microsoft Excel archives. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Operating Systems SUSE - Linux SUSE - Linux  
Infrastructure Software Infrastructure SW N/A Linux Operating System Third Party
- Commercially Available Not Designated Triple-S DataCenter [***]   [***]    
[***] [***] [***] [***] [***] [***]   [***]   [***]     [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
Human Capital Management Time Aide N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio Where employee punches are stored

Time Aide is Identech's Time and Attendance software application, specifically
designed taking in full account of Puerto Rico's Labor Law, FLSA and the
peculiarities of each individual company.

http://timeaide.net/wp-content/uploads/2014/01/TimeAide
Solutions-2013.pdf Third Party - Commercially Available Baseline Required -
Category 4 Applications Triple-S DataCenter [***] Information Management |
Database Toad N/A Retain Infrastructure Software Infrastructure SW N/A Oracle
DB, & HS DB2 access Software

Toad empowers you to:

Implement consistent and repeatable processes, supporting agile DB development.
Accelerate application delivery, while minimizing risks associated with database
changes.
Ensure functional accuracy and scalability with automated testing.
Quickly pinpoint and resolve database performance inefficiencies.
Automate SQL optimization.
Automate and schedule complex or routine database tasks.
Reduce the learning curve and support a wide variety of database platforms with
a highly visual interface.

https://www.quest.com/products/toad-for-oracle/ Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Practice Management TRA N/A
Retain Application Healthcare Applications (3rd Party) Health Plan Portfolio
Practice management, billing, claims administration. Third Party - Commercially
Available 1 Triple-S DataCenter [***] Information Management Trillium Discovery
N/A Retain Application Non-Healthcare Business Applications TSM Portfolio TS
Discovery is the automated data profiling and data discovery component of the
Trillium Software System, a robust, scaleable, highly available and easily
deployable solution for mission-critical enterprise data quality.

https://www.trilliumsoftware.com/products/tss/discovery Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Information
Management Trillium Quality N/A Retain Application Non-Healthcare Business
Applications TSM Portfolio TS Quality is the data cleansing and standardization
component of the Trillium Software System, a robust, scaleable, highly available
and easily deployable solution for mission-critical enterprise data quality.

https://www.trilliumsoftware.com/products/tss/data-quality Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] Portal TSP
Transactional Portal N/A Retain Application Non-Healthcare Business Applications
PC & Life Portfolio Transactional web portal for Insured, Agencies, Producers
and employees.  It offers different services for both policies and claims.  
Third Party - Commercially Available Not Designated Triple-S DataCenter [***]
Gateway / Enterprise Service Bus Tx Manager TBD Targeted for Decommission
Application Healthcare Applications (3rd Party) Health Plan Portfolio   Third
Party - Commercially Available Baseline Required - Category 1 Applications
Triple-S DataCenter [***] Imaging Unisys Imaging OnBase Targeted for
Decommission Infrastructure Software Infrastructure SW N/A "Unisys InfoImage is
an Enterprise Content Management (ECM) platform targeted to Transactional
Content Management and is ideally suited for applications that involve high
document volumes arriving as paper, internet transactions or as content files
from business partners. Once captured, the content can be processed and managed
through comprehensive workflow and accessed by automated and manual processes.

Unisys InfoImage brings together ECM, imaging, workflow, document management,
internet technologies, mobile technologies, and integration methods to form an
integrated end-to-end solution suitable for a wide range of industries and
applications. InfoImage installations can support tens of thousands of users,
and can process hundreds of thousands of new content items and transactions per
day."

http://www.unisys.com/offerings/industry-solutions/financial-services-
industry-solutions/enterprise-content-management-for-financial-
services/infoimage-for-financial-services/Brochure/InfoImage-
Product-Overview-id-603 Third Party - Commercially Available 4 Triple-S
DataCenter [***]

 

 

 



Operating Systems Unix HP/UX 11i     Infrastructure Software Infrastructure SW
N/A Unix Operating System Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] IAM User Credential Management, Enterprise
Provisioning (Xapiens) User Credential Management, Enterprise Provisioning
(Xapiens)   Infrastructure Software Infrastructure SW N/A Third party Identity
and Access Management Service Third Party - Commercially Available 1 Third Party
SaaS Solution [***] Product Management | Financial & Corporate Systems USSI
(United Systems and Software Inc.) N/A Retain Application Non-Healthcare
Business Applications PC & Life Portfolio Group  Life, Health and Annuities,
Policy Loan and Surrenders, Benefits, Information Transfer Controls w/Actuary,
New Business & Underwriting, Policy Master File, Premiums and Cash Receipts,
Commissions, Reinsurance, Ledger Account Transfer .  V.I. Business. New System
will be As a Service. Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Care Management Value Base Compensation Model (TSA)
N/A Retain Application Healthcare Applications (In-House) Health Plan Portfolio
  Inhouse Application -- Custom 3 Triple-S DataCenter [***] Reporting &
Compliance Vera Smart N/A Retain Application Healthcare Applications (3rd Party)
Health Plan Portfolio This tool is used to generate reports on calls received in
the clinic/hospital Third Party - Commercially Available 4 Triple-S DataCenter
[***] IAM VIP Multifactor Authenticator/Symantec VIP Multifactor
Authenticator/Symantec   Infrastructure Software Infrastructure SW N/A Two
Factor Authentication Third Party - Commercially Available 1 Triple-S DataCenter
[***] Care Management Vista Dent TBD Retain Application Healthcare Applications
(3rd Party) Health Plan Portfolio ANGEL TO INCLUDE THE DENTIST'S APPLICATION
Dentist Application - do not know details. Third Party - Commercially Available
4 Triple-S DataCenter [***] Imaging VixWin N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio Manage patient images

http://www.gendex.com/vixwin-platinum?page_id=866 Third Party - Commercially
Available 4 Triple-S DataCenter [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] Virtualization VMWare N/A Retain Infrastructure Software
Infrastructure SW N/A Run the linux server where Radstore runs

Virtualization (VMWare) uses software to simulate the existence of hardware and
create a virtual computer system. Doing this allows businesses to run more than
one virtual system – and multiple operating systems and applications -- on a
single server. This can provide economies of scale and greater efficiency.

http://www.vmware.com/solutions.html Third Party - Commercially Available 1
Triple-S DataCenter [***] Mobile Virtualization Vmware - Airwatch Microsoft
Intune   Infrastructure Software Infrastructure SW N/A Mobile Device Management
Third Party - Commercially Available 1 Triple-S DataCenter [***]

 

 

 



Virtualization VMWare Fusion N/A Retain Infrastructure Software Infrastructure
SW N/A Virtual Machine that is utilized to run TRA in iOS and the PowerScribe
LegacySystem

VMware Fusion lets anyone run Windows and hundreds of other operating systems on
a Mac, without rebooting.

http://www.vmware.com/products/fusion.html Third Party - Commercially Available
Not Designated Triple-S DataCenter [***] Virtualization VMWare Horizon Client
N/A Retain Infrastructure Software Infrastructure SW N/A A system of virtual
machines involved in medicine (drug) and revenue cycle management

"VMware Horizon Clients for Windows, Mac, iOS, Linux, and Android allow you to
connect to your VMware Horizon virtual desktop from your device of choice giving
you on-the-go access from any location."

https://my.vmware.com/web/vmware/info?slug=desktop_
end_user_computing/vmware_horizon_clients/4_0 Third Party - Commercially
Available 1 Triple-S DataCenter [***] Infrastructure Hosting VMWare vCloud Suite
5 VMWare vCloud Suite 5 (On Prem)   Infrastructure Software Infrastructure SW
N/A Virtualization (Server on Prem) Third Party - Commercially Available 1
Triple-S DataCenter [***] Channel & Interaction Management Web Portal -
Electronic Referrals N/A Retain Application Healthcare Applications (3rd Party)
Health Plan Portfolio Application that allows provider to register Referrals
(HMO)

Enhancement Effort Third Party - Commercially Available 2 Triple-S DataCenter
[***] Channel & Interaction Management Web Portal - Individuals N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Provides
information and some transactions for Members

Enhancement Effort Third Party - Commercially Available 2 Triple-S DataCenter
[***] Channel & Interaction Management Web Portal - IPA Web N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio Provides
information and some transactions for IPA

Enhancement Effort Third Party - Commercially Available Baseline Required -
Category 2 Applications Triple-S DataCenter [***] Channel & Interaction
Management Web Portal - REO N/A Retain Application Healthcare Applications (3rd
Party) Health Plan Portfolio Application that allows provider to register
members (women) that are pregnant

Enhancement Effort Third Party - Commercially Available 2 Triple-S DataCenter
[***] Channel & Interaction Management Web Portal - SES Billing N/A Retain
Application Healthcare Applications (3rd Party) Health Plan Portfolio
Application that allows group administrators to reconcile their billing

Enhancement Effort Third Party - Commercially Available 2 Triple-S DataCenter
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
Care Management Web Portal - SES WEB N/A Retain Application Healthcare
Applications (3rd Party) Health Plan Portfolio Application that allows providers
to do Member Eligibility, Electronic Referrals, Upload Claims File, Download
letter and 835 transaction. Enhancement Effort Inhouse Application -- Custom 2
Triple-S DataCenter [***] Channel & Interaction Management Web Portal (Channel &
Interaction Management) N/A Retain Application Healthcare Applications (3rd
Party) Health Plan Portfolio Members, Providers and Group Administrators
portal.  It includes information (content) and several transactions.

Enhancement Effort Third Party - Commercially Available 2 Triple-S DataCenter
[***] Portal Web Portal SSSVIDA.com (2006) N/A Retain Application Non-Healthcare
Business Applications PC & Life Portfolio Triple-S Vida Products & Services,
Agent Statements and Reports, Agent Proposal System,  Policy Owner Info, On-Line
Premium Payment, Policy System Transfer. Inhouse Application -- Custom 1
Triple-S DataCenter [***] Collaboration and Productivity Tools Webex Webex  
Infrastructure Software Infrastructure SW N/A Online Streaming
Meeting/Collaboration Tool Third Party - Commercially Available 3 Third Party
SaaS Solution [***] Operating Systems Windows 2000     Infrastructure Software
Infrastructure SW N/A Windows Operating System Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Operating Systems Windows 8  
  Infrastructure Software Infrastructure SW N/A Windows Operating System Third
Party - Commercially Available Not Designated N/A [***] Operating Systems
Windows Mobile5     Infrastructure Software Infrastructure SW N/A Windows
Operating System Third Party - Commercially Available Not Designated Triple-S
DataCenter [***] Operating Systems Windows Server 200     Infrastructure
Software Infrastructure SW N/A Windows Operating System Third Party -
Commercially Available Not Designated Triple-S DataCenter [***] Operating
Systems Windows Server 2012     Infrastructure Software Infrastructure SW N/A
Windows Operating System Third Party - Commercially Available Not Designated
Triple-S DataCenter [***] Operating Systems Windows XP     Infrastructure
Software Infrastructure SW N/A Windows Operating System Third Party -
Commercially Available Not Designated N/A [***] Operating Systems Windows2003
Std R2     Infrastructure Software Infrastructure SW N/A Windows Operating
System Third Party - Commercially Available Not Designated Triple-S DataCenter
[***] Operating Systems Windows2012 R2 64 STD     Infrastructure Software
Infrastructure SW N/A Windows Operating System Third Party - Commercially
Available Not Designated Triple-S DataCenter [***] Membership Accounting &
Configuration WiPro - Broker360 (B360) N/A Retain Application Triple-S SaaS
Health Plan Portfolio   Third Party - Commercially Available 2 Third Party SaaS
Solution [***] Membership Accounting & Configuration (M360)
***** (R360) WiPro - Member360 (M360), Revenue360 (R360) N/A Retain Application
Triple-S SaaS Health Plan Portfolio M360- Member 360
R360- Revenue 360

https://www.medicare-solution.com/mss/quay/
products.htm Third Party - Commercially Available 1 Third Party SaaS Solution
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
Service Management Wovenware Integrator (System Integrator) Wovenware  
Infrastructure Software Infrastructure SW N/A Claims Management Tool (EDI) Third
Party - Commercially Available 1 Triple-S DataCenter [***]

 









 

 

 

SERVER LIST



 



Tab Server Role Application Company Environment Powerstate Decomm Candidate?
P-V Future Platform Comments For Environments NOT going to Azure
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]

 



[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] Total TSS
(TSS,TSA,TSH) TSMCADPRDAPP01 CAD CAD TSS PRD poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMCMMODQAAPP01 CCMS Vital TSS QA poweredOn Y Virtual
Triple-S Premise Targeted for Decom looking for new solution in 18/19 keep on
Prem until new solution is determined Total TSS (TSS,TSA,TSH) TSMCMMODQASQL01
CCMS Vital TSS QA poweredOn Y Virtual Triple-S Premise Targeted for Decom
looking for new solution in 18/19 keep on Prem until new solution is determined
Total TSS (TSS,TSA,TSH) TSMCMTSTDEVAPP1 CCMS Vital TSS DEV poweredOn Y Virtual
Triple-S Premise Targeted for Decom looking for new solution in 18/19 keep on
Prem until new solution is determined Total TSS (TSS,TSA,TSH) TSMCMTSTDEVSQL1
CCMS Vital TSS DEV poweredOn Y Virtual Triple-S Premise Targeted for Decom
looking for new solution in 18/19 keep on Prem until new solution is determined
Total TSS (TSS,TSA,TSH) TSMEDPCCMS02 CCMS Vital TSS PRD poweredOn Y Virtual
Triple-S Premise Targeted for Decom looking for new solution in 18/19 keep on
Prem until new solution is determined Total TSS (TSS,TSA,TSH) TSMVCMODQAAPP01
CCMS Vital TSS QA poweredOn Y Virtual Triple-S Premise Targeted for Decom
looking for new solution in 18/19 keep on Prem until new solution is determined
Total TSS (TSS,TSA,TSH) TSMVCPRDAPP01 CCMS Vital TSS PRD poweredOn Y Virtual
Triple-S Premise Targeted for Decom looking for new solution in 18/19 keep on
Prem until new solution is determined Total TSS (TSS,TSA,TSH) TSMVTPRDCOR01 CCMS
Vital TSS PRD poweredOn Y Virtual Triple-S Premise Targeted for Decom looking
for new solution in 18/19 keep on Prem until new solution is determined Total
TSS (TSS,TSA,TSH) tsmccmsdevapp01.tsm.local CCMS 7.0 Vital TSS DEV poweredOn Y
Physical Triple-S Premise Targeted for Decom looking for new solution in 18/19
keep on Prem until new solution is determined Total TSS (TSS,TSA,TSH)
tsmccmsprdapp01.tsm.local CCMS 7.0 Vital TSS PRD poweredOn Y Physical Triple-S
Premise Targeted for Decom looking for new solution in 18/19 keep on Prem until
new solution is determined Total TSS (TSS,TSA,TSH) AHMDWCMASDR CMAS DR Test TSA
DEV poweredOn Y Virtual Triple-S Premise Replaced by new Triple-S portals
(target before 1/2018)

Old portal being modernized.  Is currently underway. Total TSS (TSS,TSA,TSH)
TSMGPRDAPP01 CodeManager CodeManager TSS PRD poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) AHMORADWDR Data Warehouse DR Test TSA DEV poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) ahmmsdw.ahmpr.tsm.local Database
Datawarehouse TSA PRD poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH)
tsasprdsql03.tsm.local Database StarsTrack TSA PRD poweredOn   Physical Optum
Azure   Total TSS (TSS,TSA,TSH) sqltsm01.tsm.local Database Vital TSS PRD
poweredOn Y Physical Triple-S Premise Targeted for Decom looking for new
solution in 18/19 keep on Prem until new solution is determined Total TSS
(TSS,TSA,TSH) dbprod03.tsm.local  Database Sybase TSS PRD poweredOn   Physical
Optum Azure   [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH)
dwserverc.tsm.local DataWarehouse triple C Datawarehouse TSS PRD poweredOn  
Physical Optum Azure   Total TSS (TSS,TSA,TSH) SISAPP2 Development In House TSS
DEV poweredOn   Virtual Optum Azure   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH)
TSMATSTDEVAPP01 Development In House TSS DEV poweredOn Y Virtual Triple-S
Premise Targeted for Decom based on Triple-S feedback Total TSS (TSS,TSA,TSH)
TSMATSTDEVDAC01 Development In House TSS DEV poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMATSTDEVDAC02 Development In House TSS DEV poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) tsm-edpbiz01 SISSQLA Biztalk  TSS
PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSM-EDPBIZ03 Sise
Biztalk  TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSM-EDPDEV01 Development In House TSS DEV poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMEDPDEV04 Development In House TSS DEV poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMEMODQAAPP01 Edifecs Edifecs TSS
QA poweredOn Y Virtual Triple-S Premise Targeted for Decom looking for new
solution in Candidate for replacement with 834 keep on Prem until decision
made  Total TSS (TSS,TSA,TSH) TSMEMODQAOR01 Edifecs Edifecs TSS QA poweredOn Y
Virtual Triple-S Premise Targeted for Decom looking for new solution in
Candidate for replacement with 834 keep on Prem until decision made  Total TSS
(TSS,TSA,TSH) TSMEMODQATM01 Edifecs Edifecs TSS QA poweredOn Y Virtual Triple-S
Premise Targeted for Decom looking for new solution in Candidate for
replacement with 834 keep on Prem until decision made  Total TSS (TSS,TSA,TSH)
TSMEMODQAXE01 Edifecs Edifecs TSS QA poweredOn Y Virtual Triple-S Premise
Targeted for Decom looking for new solution in Candidate for replacement with
834 keep on Prem until decision made  Total TSS (TSS,TSA,TSH) TSM-EDPDSTX01
Mercator Mercator TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMEPRDAPP01 Edifecs Edifecs TSS PRD poweredOn Y Virtual Triple-S
Premise Targeted for Decom looking for new solution in Candidate for
replacement with 834 keep on Prem until decision made  Total TSS (TSS,TSA,TSH)
TSMEPRDOR01 Edifecs Edifecs TSS PRD poweredOn Y Virtual Triple-S Premise
Targeted for Decom looking for new solution in Candidate for replacement with
834 keep on Prem until decision made  Total TSS (TSS,TSA,TSH) TSMEPRDTM01
Edifecs Edifecs TSS PRD poweredOn Y Virtual Triple-S Premise Targeted for Decom
looking for new solution in Candidate for replacement with 834 keep on Prem
until decision made  Total TSS (TSS,TSA,TSH) TSMEPRDXE01 Edifecs Edifecs TSS PRD
poweredOn Y Virtual Triple-S Premise Targeted for Decom looking for new
solution in Candidate for replacement with 834 keep on Prem until decision
made  Total TSS (TSS,TSA,TSH) TSMEPRDXE02 Edifecs Edifecs TSS PRD poweredOn Y
Virtual Triple-S Premise Targeted for Decom looking for new solution in
Candidate for replacement with 834 keep on Prem until decision made  Total TSS
(TSS,TSA,TSH) TSMETSTDEVAPP01 Edifecs Edifecs TSS DEV poweredOn Y Virtual
Triple-S Premise Targeted for Decom looking for new solution in Candidate for
replacement with 834 keep on Prem until decision made  Total TSS (TSS,TSA,TSH)
TSMETSTDEVOR01 Edifecs Edifecs TSS DEV poweredOn Y Virtual Triple-S Premise
Targeted for Decom looking for new solution in Candidate for replacement with
834 keep on Prem until decision made  Total TSS (TSS,TSA,TSH) TSMETSTDEVXE01
Edifecs Edifecs TSS DEV poweredOn Y Virtual Triple-S Premise Targeted for Decom
looking for new solution in Candidate for replacement with 834 keep on Prem
until decision made  [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH) TSAAPRDFS01 Shared Data
File Server TSA PRD poweredOn   Virtual Optum Azure   [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH) TSMEDPFPS03 File
Server File Server TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMFPRDFS01 File Server File Server TSS PRD poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMFPRDFS02 File Server File Server TSS
PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
ahmfilesrv02.ahmpr.tsm.local File Server File Server TSA PRD poweredOn  
Physical Optum Azure   Total TSS (TSS,TSA,TSH) ahmfilesrv01.ahmpr.tsm.local File
Server File Server TSA PRD poweredOn   Physical Optum Azure   Total TSS
(TSS,TSA,TSH) ahmnas1.ahmpr.tsm.local File Server File Server TSA PRD poweredOn
  Physical Optum Azure   Total TSS (TSS,TSA,TSH) ahmfilesrv03.ahmpr.tsm.local
File Server File Server TSA PRD poweredOn   Physical Optum Azure   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]

 

 

[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] Total TSS (TSS,TSA,TSH)
TSMEDPVSR01 View Server Unisys  TSS PRD poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSMEDPVSR02 View Server Unisys  TSS PRD poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) tsmcmdbprdapp01.tsm.local HP CMDB Mercury
TSS PRD poweredOn   Physical Triple-S Premise Keep on Prem (Until Move to
ServiceNow) Total TSS (TSS,TSA,TSH) tsmcmdbprdapp03.tsm.local HP CMDB Mercury
TSS PRD poweredOn   Physical Triple-S Premise Keep on Prem (Until Move to
ServiceNow) Total TSS (TSS,TSA,TSH) tsmcmdbprdapp02.tsm.local HP CMDB Mercury
TSS PRD poweredOn   Physical Triple-S Premise Keep on Prem (Until Move to
ServiceNow) Total TSS (TSS,TSA,TSH) tsahvnprod01.tsm.local Hyper V Nodo 1 Hyper
V Node TSA PRD poweredOn   Physical Triple-S Premise Keep on Prem Total TSS
(TSS,TSA,TSH) tsahvndevqa02.tsm.local Hyper V Nodo 2 Hyper V Node TSA DEV
poweredOn   Physical Triple-S Premise Keep on Prem Total TSS (TSS,TSA,TSH)
tsahvnprod02.tsm.local Hyper V Nodo 2 Hyper V Node TSA PRD poweredOn   Physical
Triple-S Premise Keep on Prem Total TSS (TSS,TSA,TSH) tsahvnprod03.tsm.local
Hyper V Nodo 3 Hyper V Node TSA PRD poweredOn   Physical Triple-S Premise Keep
on Prem Total TSS (TSS,TSA,TSH) tsahvndevqa01.tsm.local Hyper V Nodo 4 Hyper V
Node TSA PRD poweredOn   Physical Triple-S Premise Keep on Prem Total TSS
(TSS,TSA,TSH) tsahvnprod04.tsm.local Hyper V Nodo 5 Hyper V Node TSA PRD
poweredOn   Physical Triple-S Premise Keep on Prem Total TSS (TSS,TSA,TSH)
TSMHYPQAAPP02 Hyperion Hyperion TSS QA poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSMHYPQAAPP03 Hyperion Hyperion TSS QA poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSSHYQAAPP01 Application Server Hyperion
TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
tsmhypprdapp01.tsm.local Application Server Hyperion TSS PRD poweredOn  
Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSM-EDPHYP01 Application Server
Hyperion TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMHYPQAAPP01 Hyperion (TSM-QASQL01) Hyperion TSS QA poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSM-EDP3CWEB01 IPA WEB IPA Web TSS PRD poweredOn
  Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSSAAPRDWEB01 Autoaudit
Autoaudit TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMEDP3CWEB02 IPA WEB IPA Web TSS PRD poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSMJPRDIRA01 Jira Jira TSS PRD poweredOn   Virtual Optum Azure
  Total TSS (TSS,TSA,TSH) TSMVPRDCCMS02 McKesson VITAL Platform 7.2.5 Vital TSS
PRD poweredOn Y Virtual Triple-S Premise Targeted for Decom looking for new
solution in 18/19 keep on Prem until new solution is determined Total TSS
(TSS,TSA,TSH) tsmvprdccms01.tsm.local McKesson VITAL Platform 7.2.5 Vital TSS
PRD poweredOn Y Physical Triple-S Premise Targeted for Decom looking for new
solution in 18/19 keep on Prem until new solution is determined Total TSS
(TSS,TSA,TSH) tsmmsmodqaweb01.tsm.local Mobile Web Services Mobile Web Services
TSS QA poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSMHMODQAWEB02
ODS In House Web App TSS QA poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMHMODQAWEB05 ODS In House Web App TSS QA poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMHMODQAWEB06 ODS In House Web App TSS QA
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMHPRDWEB03 ODS In
House Web App TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMHTSTDEVWEB02 ODS In House Web App TSS DEV poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMHTSTDEVWEB03 ODS In House Web App TSS DEV poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMHTSTDEVWEB04 ODS In House Web
App TSS DEV poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMMSMODQAWEB02 ODS Mobile APP TSS QA poweredOn   Virtual Optum Azure   [***]
[***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH) TSMMTSTDEVAPP01 ODS
Mobile APP TSS DEV poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMQTSTDEVWEB02 ODS Web Server TSS DEV poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSAOPRDAPP01 Onbase App Server Onbase TSA PRD poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSM-EDPWEB06 Onbase Web Server
Onbase TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSM-EDPWEBP06 Onbase Web Server Onbase TSS PRD poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSM-EDPWFL01 Onbase Workflow Server Onbase TSS PRD
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOMODQAAPP01 Onbase
App Server Onbase TSS QA poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMOMODQADIP01 Onbase DIP Server Onbase TSS QA poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMOMODQAGAP01 Onbase GAP Server Onbase
TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOMODQASQL01
Onbase SQL DB Server Onbase TSS QA poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMOMODQAWEB01 Onbase Web Server Onbase TSS QA poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMOMODQAWEB02 Onbase Web Server Onbase
TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOMODQAWKF01
Onbase Workflow Server Onbase TSS QA poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMOMODQAWKF02 Onbase Workflow Server Onbase TSS QA poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOPRDAPP01 Onbase App Server
Onbase TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMOPRDAPP02 Onbase App Server Onbase TSS PRD poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMOPRDAPP04 Onbase App Server Onbase TSS PRD poweredOn
  Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOPRDDIP01 Onbase DIP Server
Onbase TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMOPRDGAP01 Onbase GAP Server Onbase TSS PRD poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMOPRDNAS03 Onbase Imaging Server Onbase TSS PRD
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOPRDWEB02 Onbase
Web Server Onbase TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMOPRDWKF01 Onbase Workflow Server Onbase TSS PRD poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMOPRDWKF02 Onbase Workflow
Server Onbase TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMOTSTDEVONB01 Onbase SQL DB Server Onbase TSS Dev poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSASDEVSQL02 OneTSH OneTSH TSA DEV poweredOn  
Virtual Optum Azure  

 

 


 

Total TSS (TSS,TSA,TSH) TSASDEVSQL03 OneTSH OneTSH TSA DEV poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) tsmreprdapp02.tsm.local Stepwise Stepwise
(Capshop) TSS PRD poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH)
TSHSTSTDEVSQL04 OneTSH OneTSH TSH DEV poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSMFINPRDAPP01 PAM APP Server PAM TSS PRD poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMFINPRDSQL01 PAM SQL DB Server PAM TSS
PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMFINQAAPP01 PAM
APP Server PAM TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMFINQASQL01 PAM SQL DB Server PAM TSS QA poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSM-EDPFIN01 Pam-AMBest PAM TSS PRD poweredOn   Virtual
Optum Azure   [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
Total TSS (TSS,TSA,TSH) TSMQ52BIZ07 BizTalk BizTalk TSS DEV poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSM-EDPFIN02 Pam-AMBest PAM TSS PRD
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) PPHOST PICTURE PERFECT
PICTURE PERFECT TSS PRD poweredOn Y Virtual Triple-S Premise Keep On Prem until
Decom (Decom Triple-S comment) Total TSS (TSS,TSA,TSH) tsmedpdev03.tsm.local
Portal Portal TSS DEV poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH)
tsmhprdweb01.tsm.local Portal Portal TSS PRD poweredOn   Physical Optum Azure  
Total TSS (TSS,TSA,TSH) tsmhprdweb02.tsm.local Portal Portal TSS PRD poweredOn  
Physical Optum Azure   Total TSS (TSS,TSA,TSH) tsmhmodqaweb03.tsm.local Portal
Portal TSS QA poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH)
PTAL-CMS-SSS Portal  Commerce Server TSS QA poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) PTAL-STG-SSS Portal  STG Server TSS PRD poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMEDPCS02 Portal  Portal TSS PRD
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMHPRDTSMWEB01
Portal  Web Server TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSM-QAGBIZ01 QA Legacy BizTalk TSS QA poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSMQAGBIZ02 QA Legacy BizTalk TSS QA poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) tsmhtspqagweb01.tsm.local Portal
Etools Portal TSS QA poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH)
tsmhtspprdweb02.tsm.local Portal Services Srv Portal TSS PRD poweredOn  
Physical Optum Azure   Total TSS (TSS,TSA,TSH) tsmhtspprdsql01.tsm.local Portal
Sql Srv Portal TSS PRD poweredOn   Physical Optum Azure   Total TSS
(TSS,TSA,TSH) tsmhtspqagsql01.tsm.local Portal Sql Srv Portal TSS QA poweredOn  
Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSMEDPPRT02 Print Server Print
Server TSS PRD poweredOn   Virtual Triple-S Premise Keep On Prem (keep close to
end users) Total TSS (TSS,TSA,TSH) TSMHTSTDEVWID01 Process Server WID TSS DEV
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMHTSTDEVWID02
Process Server WID TSS DEV poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSM-QAGAPP01 QA Legacy In House TSS QA poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSMQAGAPP03 QA Legacy In House TSS QA poweredOn
  Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMQAGAPP04 QA Legacy In House
TSS QA poweredOn   Virtual Optum Azure   [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***]

 




 

 

[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH) TSMUPRDAPP01
Unisys Application Server Unisys TSS PRD poweredOn   Virtual Optum Azure   [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH) TSM-QAGSTG01 QA
Legacy STG Legacy TSS QA poweredOn   Virtual Optum Azure  

 

 




 

Total TSS (TSS,TSA,TSH) TSM-QAGSTG02 QA Legacy STG Legacy TSS QA poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSM-QAGWEB01 QA Legacy In House
TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMQAGWEB02 QA
Legacy In House TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMQAGWEB04 QA Legacy In House TSS QA poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSMQAGWEB05 QA Legacy In House TSS QA poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMQAGWEB06 QA Legacy In House TSS QA
poweredOn   Virtual Optum Azure   [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] Total TSS (TSS,TSA,TSH) TSMWTESTWMQ03 MQ ESB TSS DEV poweredOff   Virtual
Triple-S Premise Keep on Prem (system powered off) [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] Total TSS
(TSS,TSA,TSH) TSMQAGWEB07 QA Legacy In House TSS QA poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSMEDPRPS01 Report Server Report Server TSS PRD
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSSRTSTDEVSQL01 Report
Server Report Server TSS DEV poweredOn   Virtual Optum Azure   [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH) TSAFDEVAPP01
RightFax App Server Rightfax TSA DEV poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSAFPRDAPP01 Right Fax App Server Rightfax TSA PRD poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMFPRDAPP01 RightFax App Server
Rightfax TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
TSMFPRDAPP02 RightFax App Server Rightfax TSS PRD poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSMFPRDIMG01 RightFax Imaging Server Rightfax
TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMFPRDSQL01
RightFax SQL DB Server RightFax TSS PRD poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) tsmedpsas02.tsm.local SAS SASSS TSS PRD poweredOn   Physical
Optum Azure   Total TSS (TSS,TSA,TSH) tsmedpsas03.tsm.local SAS SASSS TSS PRD
poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSMEDPSAS01 SASSS
Imaging Server SASSS TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMEDPSAS04 SASSS SQL DB Server SASSS TSS PRD poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) NT_TRIPLESES SES SES TSS PRD poweredOn Y
Virtual Triple-S Premise Keep On Prem until Decom (Decom Triple-S comment) Total
TSS (TSS,TSA,TSH) TSMPPRDWEB03 Web Server SharePoint TSS PRD poweredOn   Virtual
Triple-S Premise Keep on Prem (move to O365) Total TSS (TSS,TSA,TSH)
TSMSPQAAPP01 SharedPoint APP Server SharePoint TSS QA poweredOn   Virtual
Triple-S Premise Keep on Prem (move to O365) Total TSS (TSS,TSA,TSH)
TSMSPQASQL01 SharedPoint SQL DB Server SharePoint TSS QA poweredOn   Virtual
Triple-S Premise Keep on Prem (move to O365) Total TSS (TSS,TSA,TSH)
TSMSISDEVPRT01 SIS SIS TSS DEV poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMSISDEVSQL01 SIS SIS TSS DEV poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) TSMSPQAWEB01 SharedPoint WEB Server SharePoint TSS QA
poweredOn   Virtual Triple-S Premise Keep on Prem (move to O365) Total TSS
(TSS,TSA,TSH) SISSQLA SQL DB Server SIS TSS PRD poweredOn   Virtual Optum Azure
  Total TSS (TSS,TSA,TSH) TSMEDPSIS01 SIS APP Server SIS TSS PRD poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) tsmedpsis02 SIS APP Server SIS TSS
PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSSSCPRDAPP01
SmartCap App Server SmartCap TSS PRD poweredOn Y Virtual Triple-S Premise
Targeted for Decom looking to move to OneTSH Total TSS (TSS,TSA,TSH)
TSSSCPRDSQL01 SmartCap SQL DB Server SmartCap TSS PRD poweredOn Y Virtual
Triple-S Premise Targeted for Decom looking to move to OneTSH Total TSS
(TSS,TSA,TSH) TSSTSTDEVSC01 SmartCap App Server SmartCap TSS  Dev poweredOn Y
Virtual Triple-S Premise Targeted for Decom looking to move to OneTSH Total TSS
(TSS,TSA,TSH) TSMEDPSMT01 Smartstream APP Server Smartstream TSS PRD poweredOn  
Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSMEDPSMT02 Smartstream APP Server
Smartstream TSS PRD poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
tsmedparc01.tsm.local Database Unisys TSS PRD poweredOn   Physical Optum Azure  
Total TSS (TSS,TSA,TSH) tsmedparc03.tsm.local Database Unisys TSS PRD poweredOn
  Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSMEDPSMT03 Smartstream SQL DB
Server Smartstream TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMQASMT03 Smartstream SQL DB Server Smartstream TSS QA poweredOn
  Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSSQASC01 SmartCap SmartCap TSS
QA poweredOn Y Virtual Triple-S Premise Targeted for Decom looking to move to
OneTSH Total TSS (TSS,TSA,TSH) ahmmssql1 SQL Database Internal App TSA PRD
poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH) DBMS3C SQL Server SQL
Database\File Share TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSASQASQL01 StarsTrack-SQL Analisys Server StarsTrack TSA QA
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSASQASQL02
StarsTrack-SQL Integration Server StarsTrack TSA QA poweredOn   Virtual Optum
Azure   Total TSS (TSS,TSA,TSH) TSASQASQL03 StarsTrack-SQL DB Server StarsTrack
TSA QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSASQAWEB01
Starstrack - Web Server Starstrack TSA QA poweredOn   Virtual Optum Azure  

 

 


 

Total TSS (TSS,TSA,TSH) TSASTSTDEVSQL01 StarsTrack-SQL Analisys Server
StarsTrack TSA DEV poweredOn   Virtual Optum Azure   [***] [***] [***] [***]
[***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
  [***] [***] [***] Total TSS (TSS,TSA,TSH) TSASTSTDEVSQL02 StarsTrack-SQL
Integration Server StarsTrack TSA DEV poweredOn   Virtual Optum Azure   Total
TSS (TSS,TSA,TSH) TSASTSTDEVSQL03 StarsTrack-SQL DB Server StarsTrack TSA DEV
poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH) TSASTSTDEVWEB01
Starstrack - Web Server StarsTrack TSA DEV poweredOn   Virtual Optum Azure  
Total TSS (TSS,TSA,TSH) tsasprdweb01.tsm.local StarsTrack StarsTrack TSA PRD
poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH)
tsasprdsql01.tsm.local StarsTrack StarsTrack TSA PRD poweredOn   Physical Optum
Azure   Total TSS (TSS,TSA,TSH) tsasprdsql02.tsm.local StarsTrack StarsTrack TSA
PRD poweredOn   Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSM-EDPWISE01
StepWise App Server StepWise TSS PRD poweredOn   Virtual Optum Azure   Total TSS
(TSS,TSA,TSH) TSMREPRDAPP01 Application StepWise TSS PRD poweredOn   Virtual
Optum Azure   Total TSS (TSS,TSA,TSH) TSMWISEDEVAPP01 StepWise App Server
StepWise TSS Dev poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
tsmedpimg01.tsm.local Database Unisys TSS PRD poweredOn   Physical Optum Azure  
Total TSS (TSS,TSA,TSH) tsmedpimg02.tsm.local Database Unisys TSS PRD poweredOn
  Physical Optum Azure   Total TSS (TSS,TSA,TSH) TSMWISEDEVSQL01 Stepwise SQL
Server Stepwise TSS Dev poweredOn   Virtual Optum Azure   [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH)
TSMWISEQAAPP01 StepWise App Server Stepwise TSS QA poweredOn   Virtual Optum
Azure   [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] Total TSS
(TSS,TSA,TSH) tsmedprbe01.tsm.local Database Unisys TSS PRD poweredOn   Physical
Optum Azure   Total TSS (TSS,TSA,TSH) TSMWISEQASQL01 Stepwise SQL Server
Stepwise TSS QA poweredOn   Virtual Optum Azure   Total TSS (TSS,TSA,TSH)
tsmwiseprdapp01.tsm.local StepWise StepWise TSS PRD poweredOn   Physical Optum
Azure   [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] Total TSS
(TSS,TSA,TSH) EMS_SBC Virtual Appliance Telefonia SBC cuadro Ponce TSS PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
Total TSS (TSS,TSA,TSH) ACSLS TSA DR #N/A TSA PRD poweredOff Y Virtual Triple-S
Premise Keep on Prem  (powered off and Triple-S comment to decom) [***] [***]
[***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***]   [***] [***] [***] [***] [***] [***] [***]   [***] [***]   [***] [***]
[***] [***] [***] [***] [***]   [***] [***]   [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]  
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***]   [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***]   [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]   [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***]   [***] [***] [***] Total TSS (TSS,TSA,TSH)
SSSMEDACR File Server FILE SERVER MED PRD poweredOn   Physical Triple-S Premise
Project to move all File Servers to StorSimple (Roosevelt Building) Total TSS
(TSS,TSA,TSH) 172.20.2.68 Telephony CMS MED PRD poweredOn   Physical Triple-S
Premise Keep On Prem (keep close to end users) (Roosevelt Building) Total TSS
(TSS,TSA,TSH) 172.20.2.66 Telephony Avaya Communication Server MED PRD poweredOn
  Physical Triple-S Premise Keep On Prem (keep close to end users) (Roosevelt
Building) Total TSS (TSS,TSA,TSH) 172.20.2.67 Telephony Avaya Aura Communication
Manager MED PRD poweredOn   Physical Triple-S Premise Keep On Prem (keep close
to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH) 172.20.2.62 Telephony
Avaya Contact Recorder MED PRD poweredOn   Physical Triple-S Premise Keep On
Prem (keep close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH)
SSSMEDWFO Telephony Avaya WorkForce Optimization MED PRD poweredOn   Physical
Triple-S Premise Keep On Prem (keep close to end users) (Roosevelt Building)
Total TSS (TSS,TSA,TSH) 172.20.2.64 Telephony Avaya Application Enablement
Services MED PRD poweredOn   Physical Triple-S Premise Keep On Prem (keep close
to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRAWFO Telephony
Avaya WorkForce Optimization TSS PRD poweredOn   Virtual Triple-S Premise Keep
On Prem (keep close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH)
TSMFDRAVMW01 VMWARE HOST Vmware TSS PRD poweredOn   Physical Triple-S Premise
Keep on Prem (VMWARE Physical Server) (Roosevelt Building) Total TSS
(TSS,TSA,TSH) TSMFDRAVMW02 VMWARE HOST Vmware TSS PRD poweredOn   Physical
Triple-S Premise Keep on Prem (VMWARE Physical Server) (Roosevelt Building)
Total TSS (TSS,TSA,TSH) TSMFDRACM01 Telephony Avaya Communication Manager TSS
PRD poweredOn   Virtual Triple-S Premise Keep On Prem (keep close to end users)
(Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRACM02 Telephony Avaya
Communication Manager TSS PRD poweredOn   Virtual Triple-S Premise Keep On Prem
(keep close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH)
TSMFDRCMM01 Telephony Avaya Communication Manager Messanging TSS PRD poweredOn  
Virtual Triple-S Premise Keep On Prem (keep close to end users) (Roosevelt
Building) Total TSS (TSS,TSA,TSH) TSMFDRAUTIL01 Telephony Avaya Utility Services
TSS PRD poweredOn   Virtual Triple-S Premise Keep On Prem (keep close to end
users) (Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRSMGR01 Telephony Avaya
Aura System Manager TSS PRD poweredOn   Virtual Triple-S Premise Keep On Prem
(keep close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH)
TSMFDRAWBIM01 Telephony Avaya Web based License Manager TSS PRD poweredOn  
Virtual Triple-S Premise Keep On Prem (keep close to end users) (Roosevelt
Building) Total TSS (TSS,TSA,TSH) TSMFDRAAES01 Telephony Avaya Application
Enablement Services TSS PRD poweredOn   Virtual Triple-S Premise Keep On Prem
(keep close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH)
TSMFDRASM01 Telephony Avaya Seccion manager TSS PRD poweredOn   Virtual Triple-S
Premise Keep On Prem (keep close to end users) (Roosevelt Building) Total TSS
(TSS,TSA,TSH) TSMFDRAEPMS01 Telephony Avaya VIRTUAL APPLIANCE EXPERIENCE TSS PRD
poweredOn   Virtual Triple-S Premise Keep On Prem (keep close to end users)
(Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRAEPMP01 Telephony Avaya Web
portal TSS PRD poweredOn   Virtual Triple-S Premise Keep On Prem (keep close to
end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRAEPMPP01 Telephony
Avaya Aura Experience portal TSS PRD poweredOn   Virtual Triple-S Premise Keep
On Prem (keep close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH)
TSMFDRWEB01 Telephony Avaya Web portal TSS PRD poweredOn   Virtual Triple-S
Premise Keep On Prem (keep close to end users) (Roosevelt Building) Total TSS
(TSS,TSA,TSH) TSMFDRWEB02 Telephony Avaya Web portal TSS PRD poweredOn   Virtual
Triple-S Premise Keep On Prem (keep close to end users) (Roosevelt Building)
Total TSS (TSS,TSA,TSH) TSMFDRIQAPP02 Telephony Avaya IQ  TSS PRD poweredOn  
Physical Triple-S Premise Keep On Prem (keep close to end users) (Roosevelt
Building) Total TSS (TSS,TSA,TSH) TSMFDRIQDB02 Telephony Avaya IQ  TSS PRD
poweredOn   Physical Triple-S Premise Keep On Prem (keep close to end users)
(Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRIEX01 Telephony Avaya NICE
app TSS PRD poweredOn   Physical Triple-S Premise Keep On Prem (keep close to
end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRIEXDB02 Telephony
Avaya Nice DB TSS PRD poweredOn   Physical Triple-S Premise Keep On Prem (keep
close to end users) (Roosevelt Building) Total TSS (TSS,TSA,TSH) TSMFDRCB01
Telephony Avaya Call Assitance TSS PRD poweredOn   Virtual Triple-S Premise Keep
On Prem (keep close to end users) (Roosevelt Building) TSV Analytics VM
Analitics Analysis TSV PRD poweredOn Y Virtual Triple-S Premise Targeted for
Decom based on Triple-S feedback TSV Application Enablement Services Telephony
Avaya TSV PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to
end users) TSV Avaya Aura Messaging (2) Telephony Avaya TSV PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) TSV Avaya
Aura(R) System Manager New Telephony Avaya TSV PRD poweredOn   Virtual Triple-S
Premise Keep on Prem (keep close to end users) TSV TrueProof Server 4.04.05-1
TrueProof Trueproof TSV PRD poweredOn   Virtual Optum Azure   TSV TSMGAL10ZIG
Manejo de Thin Client De VDI VDI TSV PRD poweredOn   Virtual Triple-S Premise
Keep on Prem (keep close to end users) TSV TSMGALACR Avaya Avaya TSV PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users) TSV
TSMGALADMT 0 TBD TSV PRD poweredOn   Virtual Triple-S Premise Keep on Prem TSV
TSMGALEMCDB 0 TBD TSV PRD poweredOn   Virtual Triple-S Premise Keep on Prem TSV
TSMGALEMCF Avaya Avaya TSV PRD poweredOn   Virtual Triple-S Premise Keep on Prem
(keep close to end users) TSV TSMGALFS File Server File Server TSV PRD poweredOn
  Virtual Triple-S Premise Project to move all File Servers to StorSimple TSV
TSMGALLINUXCONS Avaya Avaya TSV PRD poweredOn   Virtual Triple-S Premise Keep on
Prem (keep close to end users) TSV TSMGALMF Lis New Business Adabas TSV PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (Mainframe App) TSV
TSMGALMFDEVN Mainframe Dev Adabas TSV DEV poweredOn   Virtual Triple-S Premise
Keep on Prem (Mainframe App) TSV TSMGALMICRODEV Microstrategy Microstrategy TSV
DEV poweredOn   Virtual Optum Azure   TSV TSMGALOFASP 0 TBD TSV PRD poweredOn  
Virtual Triple-S Premise Keep on Prem TSV TSMGALOFDBP 0 TBD TSV PRD poweredOn  
Virtual Triple-S Premise Keep on Prem

 

 


 

TSV TSMGALSASVIDEV SASVI SASVI TSV DEV poweredOn   Virtual Optum Azure   TSV
TSMGALTTS Licenciamiento Licensing TSV PRD poweredOn   Virtual Optum Azure   TSV
TSMGALVCENTER Vmware vCenter TSV PRD poweredOn   Virtual Triple-S Premise Keep
on Prem (VMWARE will ONLY run on Prem) TSV TSMGALWEBCONT Content Content TSV PRD
poweredOn   Virtual Optum Azure   TSV TSMGALWEBDEV Portal Portal TSV DEV
poweredOn   Virtual Optum Azure   TSV TSMGALWEBP Portal Portal TSV PRD poweredOn
  Virtual Optum Azure   TSV TSMGDEVAPP01 HCG Grouper HCG Grouper TSV DEV
poweredOn   Virtual Optum Azure   TSV TSMEDPOCE01 PRISMA PRISMA TSV PRD
poweredOn   Virtual Optum Azure   TSV TSMOPRDAPP03 Prisma PRISMA TSV PRD
poweredOn   Virtual Optum Azure   TSV TSVOPRDAPP01 Onbase App Server Onbase TSV
PRD poweredOn   Virtual Optum Azure   TSV TSVOPRDAPP02 Onbase App Server Onbase
TSV PRD poweredOn   Virtual Optum Azure   TSV TSVOPRDAPP03 Onbase WEB SRV Onbase
TSV PRD poweredOn   Virtual Optum Azure   TSV TSVOPRDVWV01 Onbase WEB SRV Onbase
TSV PRD poweredOn   Virtual Optum Azure   TSV TSVOQAAPP01 Onbase App Server
Onbase TSV QA poweredOn   Virtual Optum Azure   TSV TSVOTSTDEVAPP01 Onbase App
Server Onbase TSV Dev poweredOn   Virtual Optum Azure   TSV TSVRHLIC
Licenciamiento de Linux Licenciamiento de Linux TSV PRD poweredOn Y Virtual
Triple-S Premise Targeted for Decom based on Triple-S feedback TSV UI VM
Operation Manager VM Operation Manager VM TSV PRD poweredOn   Virtual Optum
Azure   TSV WebLM Support Avaya Avaya TSV PRD poweredOn   Virtual Triple-S
Premise Keep on Prem (keep close to end users) TSV WebLM Support Avaya Avaya TSV
PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
TSV WebLM 6.3.2 Web Server Web Server TSV PRD poweredOff   Virtual Triple-S
Premise Keep on Prem (Powered Off) TSV tsmgalhr.gal.tsm.local Not Assigned TBD
TSV PRD poweredOn   Physical Triple-S Premise Keep on Prem (Not Assigned) TSV
tsmgalweb01.gal.tsm.local Not Assigned TBD TSV PRD poweredOn   Physical Triple-S
Premise Keep on Prem (Not Assigned) TSV tsmgalbi Not Assigned TBD TSV PRD
poweredOn   Physical Triple-S Premise Keep on Prem (Not Assigned) TSV
tsmgalsasvip.gal.tsm.local SASVI SASVI TSV PRD poweredOn   Physical Optum Azure
  TSV tsmgalpdap.gal.tsm.local Not Assigned TBD TSV PRD poweredOn   Physical
Triple-S Premise Keep on Prem (Not Assigned) TSV tsmgallpapps.gal.tsm.local Not
Assigned TBD TSV PRD poweredOn   Physical Triple-S Premise Keep on Prem (Not
Assigned) TSV asico-srv-db.gal.tsm.local Database Database TSV PRD poweredOn  
Physical Optum Azure   TSV tsmgallpsql.gal.tsm.local Database Database TSV PRD
poweredOn   Physical Optum Azure   TSV lpsql.gal.tsm.local Database Database TSV
PRD poweredOn   Physical Optum Azure   TSV tsmgaladc01.gal.tsm.local Domain
Controller Active Directory TSV PRD poweredOn   Physical Triple-S Premise Keep
on Prem (keep close to end users) TSV tsmgaladc03.gal.tsm.local Domain
Controller Active Directory TSV PRD poweredOn   Physical Triple-S Premise Keep
on Prem (keep close to end users) TSV tsmgalepo.gal.tsm.local McAfee ePolicy
Orchestrator 5.3.0 McAfee TSV PRD poweredOn   Physical Optum Azure   TSV
asico-srv-rm.gal.tsm.local McAfee Host Intrusion Prevention McAfee TSV PRD
poweredOn   Physical Optum Azure   TSV tsmgalas.gal.tsm.local MicroStrategy 9
MicroStrategy TSV PRD poweredOn   Physical Optum Azure   TSV
tsmgaldw.gal.tsm.local SQL Server 2008 R2 Reporting Services Datawarehouse TSV
PRD poweredOn   Physical Optum Azure   TSP SQLSTS SQL Server SQL TSP PRD
poweredOn   Virtual Optum Azure   TSP SQLSTS03 Sise SISE TSP PRD poweredOn  
Virtual Optum Azure   TSP STSAPP SISE SISE TSP PRD poweredOn   Virtual Optum
Azure   TSP TSAOPRDEWS01 Onbase Web TSP PRD poweredOn   Virtual Optum Azure  
TSP TSAPRDEFT01 DWS TBD TSP PRD poweredOn   Virtual Optum Azure   TSP
TSMCTXPRDL01 Licensing Citrix   TSP PRD poweredOn   Virtual Optum Azure   TSP
TSMEDPCOV01 Database Server Coverall  TSP PRD poweredOn   Virtual Optum Azure  
TSP TSMEDPCOV02 Application Server Coverall  TSP PRD poweredOn   Virtual Optum
Azure   TSP TSMEDPCOV03 Services Coverall  TSP PRD poweredOn   Virtual Optum
Azure   TSP TSMEDPCOV04 Services Coverall  TSP DEV poweredOn   Virtual Optum
Azure   TSP TSMEDPCOV05 Database Server Coverall  TSP DEV poweredOn   Virtual
Optum Azure   TSP TSMEDPCOV06 Web Server Coverall  TSP PRD poweredOn   Virtual
Optum Azure   TSP TSM-EDPLAW01 Abacus Law Abacus Law TSP PRD poweredOn   Virtual
Optum Azure   TSP TSM-EDPPRT01 Print Server SISE TSP PRD poweredOn   Virtual
Optum Azure   TSP TSM-EDPSQLDEV01 SISE SISE TSP DEV poweredOn   Virtual Optum
Azure   TSP tsm-edpsqltest2 SISE SISE TSP DEV poweredOn   Virtual Optum Azure  
TSP TSM-EDPSTSLAB02 SISE SISE TSP DEV poweredOn   Virtual Optum Azure   TSP
TSMEDPSTSWEB01 Shared Data In House TSP PRD poweredOn   Virtual Optum Azure  
TSP TSM-EDPTRI01 Application Server Trillium TSP PRD poweredOn   Virtual Optum
Azure   TSP TSM-EDPWEB02 FTP FTP Server TSP PRD poweredOn   Virtual Optum Azure
  TSP TSMEDPXENL01 Licensing Citrix TSP PRD poweredOn   Virtual Optum Azure  
TSP TSMRDEVVAPP01 Risk Link Risk Link TSP PRD poweredOn   Virtual Optum Azure  
TSP TSMRTSTDEVSQL01 Risk Link Risk Link TSP PRD poweredOn   Virtual Optum Azure
  TSP TSMSIDEVSQL02 SISE SQL  Server TSP POC poweredOn   Virtual Optum Azure  
TSP TSMTXPRDAPP01 Interfase SISE SISE TSP PRD poweredOn   Virtual Optum Azure  
TSP TSPCPRDAPP01 CoverAll APP Server Coverall TSP PRD poweredOn   Virtual Optum
Azure   TSP TSPCPRDAPP02 CoverAll APP Server Coverall TSP PRD poweredOn  
Virtual Optum Azure   TSP TSPCPRDSQL01 CoverAll SQL DB Server Coverall TSP PRD
poweredOn   Virtual Optum Azure   TSP TSPCPRDWEB01 CoverAll Web Server Coverall
TSP PRD poweredOn   Virtual Optum Azure   TSP TSPCTSTDEVAPP01 CoverAll APP
Server Coverall TSP Dev poweredOn   Virtual Optum Azure   TSP TSPCTSTDEVSQL01
CoverAll SQL DB Server Coverall TSP Dev poweredOn   Virtual Optum Azure   TSP
TSPCTSTDEVWEB01 CoverAll Web Server Coverall TSP Dev poweredOn   Virtual Optum
Azure   TSP TSPMODQAFS01 File Server File Server TSP QA poweredOn   Virtual
Triple-S Premise Project to move all File Servers to StorSimple TSP TSPODEVAPP01
OnBase Onbase TSP DEV poweredOn   Virtual Optum Azure   TSP TSPOPRDAPP01 Onbase
App Server Onbase TSP PRD poweredOn   Virtual Optum Azure   TSP TSPOPRDAPP02
OnBase Onbase TSP PRD poweredOn   Virtual Optum Azure   TSP TSPOPRDAPP03 OnBase
Onbase TSP PRD poweredOn   Virtual Optum Azure   TSP TSPOQAAPP02 OnBase Onbase
TSP QA poweredOn   Virtual Optum Azure   TSP TSPPRDONB01 Onbase Onbase TSP PRD
poweredOn   Virtual Optum Azure   TSP TSPPRDONB02 Onbase Suscription Server
Onbase TSP PRD poweredOn   Virtual Optum Azure   TSP TSPRISDEVSQL01 Prevail
Prevail TSP Dev poweredOn   Virtual Optum Azure   TSP TSPRISTSTSQL01 Prevail
Prevail TSP Dev poweredOn   Virtual Optum Azure   TSP TSPRPRDAPP01 RiskLink 17.0
Application Risk Link TSP PRD poweredOn   Virtual Optum Azure   TSP TSPRPRDAPP02
RiskLink 17.0 Application Risk Link TSP PRD poweredOn   Virtual Optum Azure  
TSP TSPRPRDRPT01 RiskLink Report Server Risk Link TSP PRD poweredOn   Virtual
Optum Azure   TSP TSPRPRDSQL02 RiskLink 17.0 Database Risk Link TSP PRD
poweredOn   Virtual Optum Azure   TSP TSPTSTDEVFS01 File Server File Server TSP
Dev poweredOn   Virtual Triple-S Premise Project to move all File Servers to
StorSimple TSP TSM-EDPQPL01 Quicker Quicker TSP PRD poweredOn   Virtual Optum
Azure   TSP tsmhtsptstsql01.tsm.local Portal Sql Srv Portal TSP DEV poweredOn  
Physical Optum Azure   TSP tsmhtsptstweb01.tsm.local Portal Web Srv Portal TSP
DEV poweredOn   Physical Optum Azure   TSP tsm-edpbea01.tsm.local MIS  APP SRV
Beacon TSP PRD poweredOn   Physical Optum Azure   TSP tsm-edpweb05.tsm.local Mis
ETL Srv MIS TSP PRD poweredOn   Physical Optum Azure   TSP
tsprisprdsql01.tsm.local Prevail SQL & Web Srv PRS TSP PRD poweredOn   Physical
Optum Azure   TSP tsprisprdapp01.tsm.local Prevail Web Srv PRS TSP PRD poweredOn
  Physical Optum Azure   TSP tsprprdsql01.tsm.local RMS SRV and Database RMS TSP
PRD poweredOn   Physical Optum Azure  

 

 


 

TSP tsmedpcls17.tsm.local Sise SQl Act Node SISE TSP PRD poweredOn   Physical
Optum Azure   TSP tsmedpcls18.tsm.local Sise SQL PAss node SISE TSP PRD
poweredOn   Physical Optum Azure   TSP TSMQAGQPL01 Quicker Quicker TSP QA
poweredOn   Virtual Optum Azure   Salus Call Management System Telephony Avaya
SALUS PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end
users) Salus CMM Test Telephony Avaya SALUS PRD poweredOn   Virtual Triple-S
Premise Keep on Prem (keep close to end users) Salus Cobras Test Telephony Cisco
PBX SALUS PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to
end users) Salus Collector Telephony Cisco PBX SALUS PRD poweredOn   Virtual
Triple-S Premise Keep on Prem (keep close to end users) Salus Communication
Manager 1 (2) Telephony Cisco PBX SALUS PRD poweredOn   Virtual Triple-S Premise
Keep on Prem (keep close to end users) Salus CSSDVPRDSPS01 Print Server Print
Server SALUS PRD poweredOn   Virtual Optum Azure   Salus CSSFPRDFS01 File Server
File Server SALUS PRD poweredOn   Virtual Triple-S Premise Project to move all
File Servers to StorSimple Salus CSSLPRDAPP01 App Server App Server SALUS PRD
poweredOn   Virtual Optum Azure   Salus CSSNPRDAPP01   Neomed   SALUS PRD
poweredOn   Virtual Optum Azure   Salus CSSNTSTDEVAPP01   Neomed   SALUS DEV
poweredOn   Virtual Optum Azure   Salus CSSPPRDAPP01 MD Timeline PACS SALUS PRD
poweredOn   Virtual Optum Azure   Salus CSSTPRDAPP01 Salus Right Answer SALUS
PRD poweredOn   Virtual Optum Azure   Salus CSSTPRDAPP02 TRA TRA SALUS PRD
poweredOn   Virtual Optum Azure   Salus CSSTTSTDEVAPP01 Salus Right Answer SALUS
DEV poweredOn   Virtual Optum Azure   Salus CSSVMPRDBKP01 Backup Veeam SALUS PRD
poweredOn   Virtual Optum Azure   Salus CSSVMPRDBKP02 Backup Veeam SALUS PRD
poweredOn   Virtual Optum Azure   Salus CSSVPRDADC01 Domain Controller Active
Directory SALUS PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Salus CSSVPRDIMG01 Imaging Radiology & More SALUS PRD
poweredOn   Virtual Optum Azure   Salus RADSTORE Imaging PACS SALUS PRD
poweredOn   Virtual Optum Azure   Salus SALUS Web Portal Web Application SALUS
PRD poweredOn   Virtual Optum Azure   Salus SALUSDEV TEST Web Application SALUS
DEV poweredOn   Virtual Optum Azure   Salus SALUSQA TEST Web Application SALUS
QA poweredOn   Virtual Optum Azure   Salus tsmccxprd01 Cisco Cisco PBX SALUS PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
Salus tsmcucmprd01 Cisco UCM Cisco PBX SALUS PRD poweredOn   Virtual Triple-S
Premise Keep on Prem (keep close to end users) Salus tsmcucmprd02 Cisco UCM
Cisco PBX SALUS PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Salus tsmunityprd01 Cisco CUCM Cisco PBX Salus PRD poweredOn
  Virtual Triple-S Premise Keep on Prem (keep close to end users) Salus
TSMVSMPRDAPP01 VeraSmart VeraSmart Salus PRD poweredOn   Virtual Optum Azure  
Salus esxi-salus.tsm.local VMWARE HOST Vmware Salus PRD poweredOn   Physical
Triple-S Premise Keep on Prem (keep close to end users) Salus 10.16.11.11 VMWARE
HOST BKP  Salus PRD poweredOn   Physical Triple-S Premise Keep on Prem (keep
close to end users) Salus tsmimpprd01 Cisco UCM User Presence Salus PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
Corporate (Triserve,TSM,Medica) AdditionalBackEnd DELL EMC Addition Back End
Appliance TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) angelpc32bits PC PC TRI PRD poweredOn Y Virtual Triple-S
Premise Keep on Prem Corporate (Triserve,TSM,Medica) APMTEST Application Manager
Manage Engine TRI DEV poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) Avaya Aura Experience Portal - MPP Telephony Avaya TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) Avaya Aura Experience Portal - Primary
EPM (2) Telephony Avaya TRI   poweredOff   Virtual Triple-S Premise Keep on Prem
(future Decom according to Triple-S) Corporate (Triserve,TSM,Medica) Avaya
Aura(R) System Manager (2) Telephony Avaya TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Communication Manager Messaging     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) CSSDVPRDSPS01_replica     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) CSSVPRDADC01_replica     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) CSSVPRDIMG01_replica     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) DR_IBM     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) IAT-Test INFRA INFRA TRI DEV poweredOn   Virtual Optum
Azure   Corporate (Triserve,TSM,Medica) ISIAWPRDAPP01 App Server Airwatch TRI
PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
ISIAWPRDAPP02 App Server Airwatch TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) ISIAWPRDSQL01 Database Server Airwatch TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) ISIV35121    
TRI   poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according
to Triple-S) Corporate (Triserve,TSM,Medica) ISIVMISG02 Linux Linux TRI PRD
poweredOn Y Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S)
Corporate (Triserve,TSM,Medica) ISIXAP01 Xapiens Support PC security support TRI
PRD poweredOn   Virtual Triple-S Premise Keep on Prem (until determined if Optum
will look to replace services or keep) Corporate (Triserve,TSM,Medica) ISIXAP02
Xapiens Support PC security support TRI PRD poweredOn   Virtual Triple-S Premise
Keep on Prem (until determined if Optum will look to replace services or keep)
Corporate (Triserve,TSM,Medica) ISIXAP03 Xapiens Support PC security support TRI
PRD poweredOn   Virtual Triple-S Premise Keep on Prem (until determined if Optum
will look to replace services or keep) Corporate (Triserve,TSM,Medica) ISIXAP04
Xapiens Support PC security support TRI PRD poweredOn   Virtual Triple-S Premise
Keep on Prem (until determined if Optum will look to replace services or keep)
Corporate (Triserve,TSM,Medica) ISIXAP05 Xapiens Support PC security support TRI
PRD poweredOn   Virtual Triple-S Premise Keep on Prem (until determined if Optum
will look to replace services or keep) Corporate (Triserve,TSM,Medica) ISIXAP06
Xapiens Support PC security support TRI PRD poweredOn   Virtual Triple-S Premise
Keep on Prem (until determined if Optum will look to replace services or keep)
Corporate (Triserve,TSM,Medica) KEYS Xapiens Support PC security support TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (until determined if Optum
will look to replace services or keep) Corporate (Triserve,TSM,Medica) Lenovo
XClarity Administrator Lenovo XClarity Administrator Lenovo XClarity
Administrator TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) Linux_File_Recovery #N/A Linux TRI PRD poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) LINUXSANDBOX #N/A Linux TRI PRD poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) LocalDataStore-Test #N/A Linux TRI PRD poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) LPAPPS     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) MEDCMSBAK Backup CMS Medicare PRD poweredOn   Virtual
Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica) MEDDC01     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) MED-DC01 Domain Controller Active
Directory Medicare PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Corporate (Triserve,TSM,Medica) MEDDC02 Domain Controller
Active Directory Medicare PRD poweredOn   Virtual Triple-S Premise Keep on Prem
(keep close to end users) Corporate (Triserve,TSM,Medica) MEDDC09     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) MEDQA2K     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) MEDQA2K8 Patch Deployment Client  Patch Deployment
Medicare QA poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
New-Avaya Aura Experience Portal - MPP     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) nt-triplesids2 FTP Server FTP Server TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) PCTSPONB01     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) PrimaryBackEnd TEST TEST TRI DEV
poweredOn Y Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S)
Corporate (Triserve,TSM,Medica) Prueba-FS TEST TEST TRI QA poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) PSP_4.04.02_CS10000_b402_x86_04-14-14_IPDS_esx TEST TEST
TRI QA poweredOn Y Virtual Triple-S Premise Keep on Prem (Marked for Decom by
Triple-S) Corporate (Triserve,TSM,Medica) QAppMasterTemplate     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) [***] [***] [***] [***] [***] [***] [***]   [***] [***]   [***] [***]
    [***]   [***]   [***] [***] [***] Corporate (Triserve,TSM,Medica)
RADSTORE_replica     TRI   poweredOff   Virtual Triple-S Premise Keep on Prem
(future Decom according to Triple-S) Corporate (Triserve,TSM,Medica) Session
Manager 1 (2)     TRI   poweredOff   Virtual Triple-S Premise Keep on Prem
(future Decom according to Triple-S) Corporate (Triserve,TSM,Medica) SMAIL1
MCAfee MCAfee TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) SMAIL2 MCAfee MCAfee TRI PRD poweredOn   Virtual Optum
Azure   Corporate (Triserve,TSM,Medica) sss33418     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S)

 

 


 

Corporate (Triserve,TSM,Medica) SSS37376 PC PC TRI PRD poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) STS03474     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) STS03485     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) STS03489     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Template_Win_2008_R2_Std     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Template_Win_2k8_R2_Std     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) [***] [***]  
  [***]   [***]   [***] [***] [***] Corporate (Triserve,TSM,Medica) test     TRI
  poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) TRISDEVMON01     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) TRSOPRDAPP01 OnBase Onbase TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TRSOPRDAPP02 OnBase Onbase
TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TRSVLCPRDAPP01 Tenable Nessus Tenable TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TRSVNEPRDAPP01 Tenable Nessus Tenable TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TRSVNEPRDAPP02
Tenable Nessus Tenable TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TRSVPC01 Information Security Tennable TRI PRD poweredOn Y
Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TRSVPC02 Information Security Tennable TRI PRD poweredOn Y
Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TRSVPC03 Information Security Tennable TRI PRD poweredOn Y
Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TRSVSCPRDAPP01 Tenable Nessus Tennable TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TrueProof Server 4.04.05-1
    TRI   poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom
according to Triple-S) Corporate (Triserve,TSM,Medica) TSAVMASTER-DR     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) TSMA9CON01   TBD TRI PRD poweredOn Y
Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TSMAMPRDAPP01 Application Manager Manage Engine TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMAMPRDAPP02
Application Manager Manage Engine TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMAMPRDAPP03 Application Manager Manage Engine
TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMAMPRDMGT01 Application Manager Manage Engine TRI PRD poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) TSMAMPRDSQL01 Application Manager
Manage Engine TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMAPRDB2B01 B2B File Repository TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMAPRDFS01 File Server
StorSimple Shares TSM PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMAPRDFS02 File Server StorSimple Shares TSM PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMAUPRDAPP01
Imagine Onbase TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMAVPRDBKP01 Media Server Netbackup TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem  Corporate (Triserve,TSM,Medica)
TSMAZPRDSYNC01 Azure Azure TRI PRD poweredOn   Virtual Triple-S Premise Keep on
Prem  Corporate (Triserve,TSM,Medica) TSMAZPRDSYNC02 Azure Azure TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem  Corporate
(Triserve,TSM,Medica) TSMCAPRDAPP01 CyberArk CyberArk TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMCAPRDAPP02 CyberArk CyberArk TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMCAPRDAPP03 CyberArk CyberArk TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMCBPRDCON01 Cisco Cobras TRI PRD poweredOn   Virtual
Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMCDEVQACTM03 Control M Control M TRI DEV poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMCPRDAPP07_restore    
TRI   poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according
to Triple-S) Corporate (Triserve,TSM,Medica) TSMCPRDCTM02 Control M Control M
TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMCPRDCTM03 Control M Control M TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMCPSPRD01 #N/A TBD TRI PRD poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TSMCQ52APP01     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMCVPRDMA01 Commvault -Media Agent Commvault TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMCVPRDMA02
Commvault -Media Agent Commvault TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMCVPRDMA03 Commvault -Media Agent Commvault
TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMCVPRDMS01 Commvault Servers -Commserve Commvault TRI PRD poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) TSM-DCEDP01 Domain Controller
Active Directory TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Corporate (Triserve,TSM,Medica) tsm-dcedp01b Domain
Controller Active Directory TRI PRD poweredOn   Virtual Triple-S Premise Keep on
Prem (keep close to end users) Corporate (Triserve,TSM,Medica) TSMDMGPRDLIC01
Licensing Citrix  TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMDPRDDCV01 Symantec Symantec DLP  TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMDPRDEE01 Symantec
Symantec Endpoint Encryption TRI PRD poweredOn   Virtual Triple-S Premise Keep
on Prem (keep close to end users) Corporate (Triserve,TSM,Medica) TSMDPRDEG01
Symantec Symantec VIP TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem
(keep close to end users) Corporate (Triserve,TSM,Medica) TSMDPRDEP01 Symantec
Symantec DLP  TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMDPRDIC01 Symantec Symantec VIP TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMDPRDII01 Symantec Symantec VIP TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMDPRDIM01 Symantec Symantec VIP TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMDPRDPE01 Symantec Symantec DLP  TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMDPRDPW01 Symantec
Symantec DLP  TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMDTPRDAPP01 DynaTrace Dynatrace TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMDTPRDCON01 DoubleTake
Double Take TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMDTPRDDB01 DynaTrace Dynatrace TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMDVBFPRDAPP01 BIGFIX
BIGFIX TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMDVBFPRDAPP02 BIGFIX BIGFIX TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMDVBFPRDSQL01 BIGFIX BIGFIX TRI PRD poweredOn
  Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMDVEPRDEXC01 Exchange
Online 365 Exchange TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem
(keep close to end users) Corporate (Triserve,TSM,Medica) TSMDVNBPRDENC01
Encryption Netbackup TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) TSMEDP3CWEB03 Portal In House Portal TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPALT02
Altiris Altiris TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSM-EDPBIZ03_2k3_AGL56680     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMODEVDFS01 DFS File Server TRI DEV poweredOn   Virtual
Triple-S Premise Project to move all File Servers to StorSimple Corporate
(Triserve,TSM,Medica) TSMEDPCTX10 Portal Citrix TRI PRD poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPDATAFIN01     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) ahmprdadc01.ahmpr.tsm.local Domain
Controller AHMPR Active Directory TRI PRD poweredOn   Physical Triple-S Premise
Keep on Prem (keep close to end users) Corporate (Triserve,TSM,Medica)
TSMEDPEXC06 MS Exchange - Vida OWA TRI PRD poweredOn   Virtual Triple-S Premise
Keep on Prem (keep close to end users) Corporate (Triserve,TSM,Medica)
TSMEDPHIT01 Admin Console Hitachi TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMEDPISA01 ISA Server Exchange TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPKRN05
Application Server Kronos TSM PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMEDPKRN06 Application Server Kronos TSM PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPMPREP01_Noprender  
  TRI   poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom
according to Triple-S) Corporate (Triserve,TSM,Medica) TSMEDPQASAP01     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) TSMEDPQASAP02 SAP SAP TSM QA poweredOn
  Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPQASAP03 SAP SAP
TSM QA poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
tsmnprdlic01.tsm.local Licensing File Server TRI PRD poweredOn   Physical
Triple-S Premise Project to move all File Servers to StorSimple Corporate
(Triserve,TSM,Medica) TSMEDPTIV04 Monitoring Tivoli TRI DEV poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TSM-EDPVAULT01 Enterprise Vault Enterprise Vault TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
Corporate (Triserve,TSM,Medica) TSMVTSTDEVVW02 Virtual PC Horizon View TRI DEV
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
Corporate (Triserve,TSM,Medica) TSM-EDPWEB03 Web Portal Web TSM PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPWREP01 0 TBD TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMEMODQAXE01-Test     TRI   poweredOff   Virtual Triple-S Premise Keep on Prem
(future Decom according to Triple-S)

 

 


 

Corporate (Triserve,TSM,Medica) TSMETESTTM01     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMEVPRDAPP01 Enterprise Vault Enterprise Vault TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) TSMEVPRDSQL01 Enterprise Vault Enterprise Vault TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) tsmexcprdhtc01 MS Exchange Exchange TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) tsmexcprdhtc02 MS Exchange Exchange TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMEXCPRDHYB01 MS Exchange Exchange TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) tsmexcprdmb01 MS Exchange Exchange TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) tsmexcprdmb02 MS Exchange Exchange TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) tsmexcprdtmg01 MS Exchange Exchange TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSM-EDPKRN01 Kronos App Server Kronos TSM PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPKRN04 Kronos SQL
Server Kronos TSM PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMKRDEVAPP01 Kronos App Server Kronos TSM DEV poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMKRDEVSQL01 Kronos SQL
Server Kronos TSM DEV poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMKRPRDAPP01 Kronos App Server Kronos TSM PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMKRPRDSQL01 Kronos SQL
Server Kronos TSM PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMKRQAAPP01 Kronos App Server Kronos TSM QA poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMKRQASQL01 Kronos SQL
Server Kronos TSM QA poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMGALADS     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMGALMFQC     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMGALSASVIQC     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMQAGLMS01 Learning Mgmt System LMS TSM QA poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMIATWKS01 Workstation
Infrastructure TRI DEV poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Corporate (Triserve,TSM,Medica) TSMIATWKS02 Workstation
Infrastructure TRI DEV poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Corporate (Triserve,TSM,Medica) TSMIMCPRDAPP01 Monitoring
IMC TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end
users) Corporate (Triserve,TSM,Medica) TSMIMPPRDAPP01 0 TBD TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica)
TSMMBQAAPP01 Malwarebytes Malwarebytes TRI QA poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMMBQASQL01 Malwarebytes Malwarebytes TRI QA
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMMCPRDAPP02
Mcafee SQL DB Server Mcafee TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMMCPRDAPP03 Mcafee SQL DB Server Mcafee TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMMCPRDAPP03_Appliance Application Mcafee TRI PRD poweredOn   Virtual Optum
Azure   Corporate (Triserve,TSM,Medica) TSMMCPRDAPP04 Application Mcafee TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMMCPRDAPP05
Application Mcafee TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMMCPRDCON01 Mcafee Mcafee TRI PRD poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) TSMMCPRDSQL01 Application Mcafee
TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMMCPRDVDI01 EPO Mcafee TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMMCPRDVDI02 EPO Mcafee TRI PRD poweredOn   Virtual Optum
Azure   Corporate (Triserve,TSM,Medica) TSMMCPRDVDI03 EPO Mcafee TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMMCPRDVDI04
EPO Mcafee TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMMCPRDVDI05 EPO Mcafee TRI PRD poweredOn   Virtual Optum
Azure   Corporate (Triserve,TSM,Medica) TSMMGMTPRDDCNM SAN Management SAN
Management TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem [***] [***] [***]
[***] [***] [***] [***]   [***] [***]   [***] [***] [***] [***] [***] [***]
[***]   [***] [***]   Corporate (Triserve,TSM,Medica) TSMMPRDAPP02 Manage Engine
APP Server Manage Engine TRI PRD poweredOn   Virtual Triple-S Premise Move to
ServiceNow Corporate (Triserve,TSM,Medica) TSMMPRDAPP04 Manage Engine Manage
Engine TRI PRD poweredOn   Virtual Triple-S Premise Move to ServiceNow Corporate
(Triserve,TSM,Medica) TSMMPRDSQL01 Manage Engine SQL DB Server Manage Engine TRI
PRD poweredOn   Virtual Triple-S Premise Move to ServiceNow Corporate
(Triserve,TSM,Medica) TSMOMPRDCON01 Patch Management Bigfix TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMOPRDCTM02 Control M
Control M TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMOPRDFTP01 B2B FTP Server TSM PRD poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) TSMOPRDFTP02-RESGUARDO ANTES
EXPANDIR DISCO     TRI   poweredOff   Virtual Triple-S Premise Keep on Prem
(future Decom according to Triple-S) Corporate (Triserve,TSM,Medica) TSMOQAAPP01
OnBase Onbase TSM QA poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMOSGTST03 OSG Infrastructure TRI DEV poweredOn   Virtual
Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica) TSMOSGTST04 OSG
Infrastructure TRI DEV poweredOn   Virtual Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) tsmosgtst05 OSG Infrastructure TRI DEV poweredOn
  Virtual Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica) TSMPOC01
  TBD TRI DEV poweredOn Y Virtual Triple-S Premise Keep on Prem (Marked for
Decom by Triple-S) Corporate (Triserve,TSM,Medica) TSMPOC02   TBD TRI DEV
poweredOn Y Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S)
Corporate (Triserve,TSM,Medica) TSMPOC03   TBD TRI DEV poweredOn Y Virtual
Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TSMPOCAZUREBKP     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMPOCAZURESR     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMPOCDEVFIN01     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) tsmprdisg01 Information Security ISG Application TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMPRDISG03
ISG Application ISG Application TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMPXPRDAPP01 Prophix APP Server Prophix TSM PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMQ52APP01  
  TRI   poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom
according to Triple-S) Corporate (Triserve,TSM,Medica) TSMQ52HUB04     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) TSMQ52SQL01     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) TSM-QAGSQL01     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSSDVPDEVAPP01 Prophix APP Server Prophix TSM DEV
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSSDVPDEVSQL01
Prophix SQL DB Server Prophix TSM DEV poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMQIPRDBIZ01_Old     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMQMODQAAPP51     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMQMODQAIFC50     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMQRPRDAPS05     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) [***] [***] [***]
[***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***] [***]
[***] [***] [***] [***] [***] [***] Corporate (Triserve,TSM,Medica)
TSMRADIPRDAPP01 Radius  Server(Meraki) Radius TRI PRD poweredOn   Virtual Optum
Azure   Corporate (Triserve,TSM,Medica) TSMSMODQASBM01 Serena Serena TSM QA
poweredOn   Virtual Triple-S Premise Keep on Prem (Moving to
Planview/ServiceNow) Corporate (Triserve,TSM,Medica) TSMSPRDSBM02 Serena Serena
TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem (Moving to
Planview/ServiceNow) Corporate (Triserve,TSM,Medica) TSMSPRDSBM03 Serena Serena
TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem (Moving to
Planview/ServiceNow) Corporate (Triserve,TSM,Medica) tsmsprdsql03 Serena Serena
TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem (Moving to
Planview/ServiceNow) Corporate (Triserve,TSM,Medica) TSMSPRDSTR03 EMC
Replication Manager Console EMC Replication Manager Console TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica)
TSMSPRDSTR04 EMC Replication Manager Console EMC Replication Manager Console TRI
PRD poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) TSMSPRDSTR05 Stor Simple StorSimple TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMSTSVWSISO     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) TSMSYSPRDLOG01 Manage Engine SysLog
Server Manage Engine TRI PRD poweredOn   Virtual Triple-S Premise Move to
ServiceNow Corporate (Triserve,TSM,Medica) TSMUACPRDAPP02 Cisco Management Cisco
PBX TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) TSMVCPRDVCTR01-VCSA     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) TSMVEDPADRAP Manage Engine Service Desk Plus Manage Engine
TRI POC poweredOn   Virtual Triple-S Premise Move to ServiceNow Corporate
(Triserve,TSM,Medica) TSMVEDPADRAP02 ADRap ADRap TRI PRD poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) TSMVISIO01 PC PC TRI PRD poweredOn
Y Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TSMVPRDAPP01 0 TBD TRI PRD poweredOn   Virtual Optum Azure
 

 

 


 

 

Corporate (Triserve,TSM,Medica) TSMVPRDBKP02 Media Server Netbackup TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) TSMVPRDHCOM01 VDI Composer Horizon TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSMVPRDHCON01 Horizon Connection Broker Horizon TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMVPRDHCON02
Horizon Connection Broker Horizon TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMVPRDHCON03 Horizon Connection Broker Horizon
TRI PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMVPRDHFS01 Horizon File Server Horizon TRI PRD poweredOn   Virtual Optum Azure
  Corporate (Triserve,TSM,Medica) TSMVPRDHPCOIP01 Horizon Application Horizon
TSM PRD poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSMVPRDHSS01 Horizon Application Horizon TSM PRD poweredOn   Virtual Optum Azure
  Corporate (Triserve,TSM,Medica) TSMVPRDHVAPP01 Horizon Application Volumes
Horizon TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMVPRDHVCTR01 Horizon Vcenter Server Horizon TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMVPRDHVSQL01
Horizon Database Server Horizon TRI PRD poweredOn   Virtual Optum Azure  
Corporate (Triserve,TSM,Medica) TSMVPRDKMS01 Microsoft Key Management Service
Key Mgmt TRI PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) TSMVPRDVCTR01 Vmware Vcenter Server TRI PRD poweredOn  
Virtual Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica)
TSMVTDEVAPP01     TRI   poweredOff   Virtual Triple-S Premise Keep on Prem
(future Decom according to Triple-S) Corporate (Triserve,TSM,Medica)
TSMVTSTDEVCTR01 VMware vCenter Server TRI DEV poweredOn   Virtual Triple-S
Premise Keep on Prem [***] [***] [***] [***] [***] [***] [***]   [***] [***]
[***] Corporate (Triserve,TSM,Medica) TSMWMODQAWTX02_OLD WTX ESB TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) TSMWMODQAWTX04_OLD WTX ESB TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) [***] [***] [***] [***] [***] [***] [***]   [***] [***] [***]
Corporate (Triserve,TSM,Medica) TSMWTSTFTP01 FTP FTP Server TRI PRD poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSSAPRDWFO01 Avaya Avaya
TRI   poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica)
TSSMDEVEXC02 Exchange Exchange TRI DEV poweredOn Y Virtual Triple-S Premise Keep
on Prem (Marked for Decom by Triple-S) [***] [***] [***] [***] [***] [***] [***]
  [***] [***]   [***] [***] [***] [***] [***] [***] [***]   [***] [***]   [***]
[***] [***] [***] [***] [***] [***]   [***] [***]   Corporate
(Triserve,TSM,Medica) TSSVPCINFO01 PC PC TRI DEV poweredOn Y Virtual Triple-S
Premise Keep on Prem (Marked for Decom by Triple-S) Corporate
(Triserve,TSM,Medica) TSTAPRDSRDP01 Not Assigned TBD TRI PRD poweredOn   Virtual
Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica) TSTFPRDFMG01
Fortinet FortiGate Manager TRI PRD poweredOn   Virtual Triple-S Premise Keep on
Prem Corporate (Triserve,TSM,Medica) TSTHPEOVGD01 HPE OneView TRI PRD poweredOn
  Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSTMENOCAPP01 Manage
Engine APP Server Manage Engine TRI DEV poweredOn   Virtual Triple-S Premise
Move to ServiceNow Corporate (Triserve,TSM,Medica) TSTNOCLAB02 Application
Manager Managed Server Manage Engine TRI LAB poweredOn   Virtual Triple-S
Premise Move to ServiceNow Corporate (Triserve,TSM,Medica) TSTNOCLABSQL01 Manage
Engine LAB DB Server Manage Engine TRI LAB poweredOn   Virtual Triple-S Premise
Move to ServiceNow Corporate (Triserve,TSM,Medica) TSTPRDSQLRD01 PC PC TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem (keep close to end users)
Corporate (Triserve,TSM,Medica) TSTPRDSQLRD02 PC PC TRI PRD poweredOn   Virtual
Triple-S Premise Keep on Prem (keep close to end users) Corporate
(Triserve,TSM,Medica) TSTVQAWEBGW01 #N/A TBD TRI DEV poweredOn   Virtual
Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica) TSTW10WKS01 PC
Infrastructure TRI DEV poweredOn   Virtual Triple-S Premise Keep on Prem (keep
close to end users) Corporate (Triserve,TSM,Medica) UEC-IT-LABINFO     TRI  
poweredOff   Virtual Triple-S Premise Keep on Prem (future Decom according to
Triple-S) Corporate (Triserve,TSM,Medica) UEC-IT-NEOMED     TRI   poweredOff  
Virtual Triple-S Premise Keep on Prem (future Decom according to Triple-S)
Corporate (Triserve,TSM,Medica) UEC-IT-QMATIC     TRI   poweredOff   Virtual
Triple-S Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) UEC-UHC-PACS     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Unknown 14     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Unknown 3     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Unknown 3 (1)     TRI   poweredOff   Virtual Triple-S
Premise Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) Unknown 8     TRI   poweredOff   Virtual Triple-S Premise
Keep on Prem (future Decom according to Triple-S) Corporate
(Triserve,TSM,Medica) VMware HealthAnalyzer Vmware Appliance Health Analyzer TRI
PRD poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) VMware vCenter Support Assistant Appliance Vmware
Appliance   TRI   poweredOff   Virtual Triple-S Premise Keep on Prem (future
Decom according to Triple-S) Corporate (Triserve,TSM,Medica) VMware vRealize Log
Insight vRealize Log Insight vRealize TRI PRD poweredOn   Virtual Triple-S
Premise Keep on Prem Corporate (Triserve,TSM,Medica) vRealize Operations Manager
Appliance vRealize Operations Manager vRealize TRI DEV poweredOn   Virtual
Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica) vRealize
Operations Manager Appliance(PRD) vRealize Operations Manager vRealize TRI PRD
poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) vSphere Replication Appliance vSphere Replication
Appliance vSphere Replication TRI PRD poweredOn   Virtual Triple-S Premise Keep
on Prem Corporate (Triserve,TSM,Medica) vSphere Replication Appliance vSphere
Replication Appliance vSphere Replication TRI PRD poweredOn   Virtual Triple-S
Premise Keep on Prem Corporate (Triserve,TSM,Medica) WEBGW   TBD TRI PRD
poweredOn   Virtual Optum Azure   Corporate (Triserve,TSM,Medica) WIN2008R2
Standard Server Template Server Template TRI PRD poweredOff   Virtual Triple-S
Premise Keep on Prem (Template for VMs) Corporate (Triserve,TSM,Medica)
Win2012GoldenCopy Server Template Server Template TRI PRD poweredOff   Virtual
Triple-S Premise Keep on Prem (Template for VMs) [***] [***] [***] [***] [***]
[***] [***]   [***] [***] [***] Corporate (Triserve,TSM,Medica) WIN2012R2STD
Server Template Server Template TRI PRD poweredOff   Virtual Triple-S Premise
Keep on Prem (Template for VMs) Corporate (Triserve,TSM,Medica) WIN2012R2STD_DEV
Server Template Server Template TRI PRD poweredOff   Virtual Triple-S Premise
Keep on Prem (Template for VMs) Corporate (Triserve,TSM,Medica)
Windows_2012_R2_STD Server Template Infrastructure TRI QA poweredOn   Virtual
Optum Azure   Corporate (Triserve,TSM,Medica) Windows_2016 Server Template
Server Template TRI DEV poweredOff   Virtual Triple-S Premise Keep on Prem
(Template for VMs) Corporate (Triserve,TSM,Medica) zenoss-ucspm Cisco UCS
Monitor TRI PRD poweredOn   Virtual Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) tsmsprdsbm01.tsm.local Serena Dimensions Server Serena TRI
PRD poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) TSMEDPDEVSAP02 SAP SQL DB Server SAP TSM DEV poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) tsmedpprdsap03 SAP Web
Server SAP TSM PRD poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) tsmedpqasap04 SAP APP Server SAP TSM QA poweredOn  
Virtual Optum Azure   Corporate (Triserve,TSM,Medica) TSMEDPDEVSAP03 SAP APP
Server SAP TSM DEV poweredOn   Virtual Optum Azure   Corporate
(Triserve,TSM,Medica) tsavprdbkp04.tsm.local Netbackup Netbackup TRI PRD
poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) tsavprdbkp02.tsm.local Netbackup Netbackup TRI PRD
poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) tsmststdevapp01.tsm.local Sap Data Service SAP TSM DEV
poweredOn   Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tsmisgdev01.tsm.local Management Management TRI DEV poweredOn   Physical Optum
Azure   Corporate (Triserve,TSM,Medica) tsmedpalt01.tsm.local Altiris Deployment
Server Altiris TRI PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmedpalt03.tsm.local Altiris Deployment Server Altiris
TRI PRD poweredOn   Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tsm-bkp-01.tsm.local Netbackup Netbackup TRI PRD poweredOn   Physical Triple-S
Premise Keep on Prem Corporate (Triserve,TSM,Medica) tsmvprdbkp03.tsm.local
Netbackup Netbackup TRI PRD poweredOn   Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) tsmvprdbkp06.tsm.local Netbackup Netbackup TRI
PRD poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) tsmvprdbkp05.tsm.local Netbackup Netbackup TRI PRD
poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) tsmcprdtsspre01.tsm.local Citrix Citrix TRI PRD poweredOn
  Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tsmcprdtsspre02.tsm.local Citrix Citrix TRI PRD poweredOn   Physical Optum Azure
  Corporate (Triserve,TSM,Medica) tsmcvprdma05.tsm.local Commvault -Media Agent
Commvault TRI PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmcvprdma04.tsm.local Commvault -Media Agent Commvault
TRI PRD poweredOn   Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tsmcvprdma06.tsm.local Commvault -Media Agent Commvault TRI PRD poweredOn  
Physical Optum Azure   Corporate (Triserve,TSM,Medica) tsmedpsapids01.tsm.local
Database Database TSM PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmmprdapp03.tsm.local Database Database TRI PRD poweredOn
  Physical Optum Azure   Corporate (Triserve,TSM,Medica) tsmmprdapp10.tsm.local
Desktop Central Manage Engine TRI PRD poweredOn   Physical Triple-S Premise Keep
on Prem (Bomgar future) Corporate (Triserve,TSM,Medica) tsmrprdapp01.tsm.local
Digital StoreFront Digital StoreFront TRI PRD poweredOn   Physical Optum Azure  
Corporate (Triserve,TSM,Medica) tssdpscprdsql02.tsm.local DLP DLP TRI PRD
poweredOn   Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tssdpscprdsql01.tsm.local DLP DLP TRI PRD poweredOn   Physical Optum Azure  
Corporate (Triserve,TSM,Medica) tsmdprdenf01.tsm.local DLP DLP TRI PRD poweredOn
  Physical Optum Azure   Corporate (Triserve,TSM,Medica) hec03v010061.workgroup
DLP DLP TRI PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmdprdnm02.tsm.local DLP DLP TRI PRD poweredOn   Physical
Optum Azure   Corporate (Triserve,TSM,Medica) tsm-dcedp02.tsm.local Domain
Controller Active Directory TRI PRD poweredOn   Physical Triple-S Premise Keep
on Prem (keep close to end users)

 




 

Corporate (Triserve,TSM,Medica) tsm-tspadc01.tsm.local Domain Controller Active
Directory TRI PRD poweredOn   Physical Triple-S Premise Keep on Prem (keep close
to end users) Corporate (Triserve,TSM,Medica) tsm-fdradc01.tsm.local Domain
Controller Active Directory TRI PRD poweredOn   Physical Triple-S Premise Keep
on Prem (keep close to end users) Corporate (Triserve,TSM,Medica)
tsmprdevt02.tsm.local Event Tracker Event Tracker TRI PRD poweredOn   Physical
Optum Azure   Corporate (Triserve,TSM,Medica) tsmmprdapp06.tsm.local Database
Monitoring Idera TRI PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmprdisg01.tsm.local ISG Application ISG Application TRI
PRD poweredOn   Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tsmmprdapp08.tsm.local Manage Engine Service Desk Manage Engine TRI PRD
poweredOn   Physical Triple-S Premise Move to ServiceNow Corporate
(Triserve,TSM,Medica) tsmmprdapp05.tsm.local Manage Engine Service Desk Manage
Engine TRI PRD poweredOn   Physical Triple-S Premise Move to ServiceNow
Corporate (Triserve,TSM,Medica) tsmmprdapp01.tsm.local Manage Engine Service
Desk Manage Engine TRI PRD poweredOn   Physical Triple-S Premise Move to
ServiceNow Corporate (Triserve,TSM,Medica) tsmnocprdapp02.tsm.local Manage
Engine Service Desk Manage Engine TRI PRD poweredOn   Physical Triple-S Premise
Move to ServiceNow Corporate (Triserve,TSM,Medica) sssisg1.tsm.local Management
ISG Application TRI PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmfdrsec01.tsm.local March Networks Administrator Console
March Networks TRI PRD poweredOn   Physical Optum Azure   Corporate
(Triserve,TSM,Medica) tsmedpcls19.tsm.local Onbase Cluster -TSM-EDPSQL01 Onbase 
TRI PRD poweredOn   Physical Optum Azure   Corporate (Triserve,TSM,Medica)
tsmedpcls20.tsm.local Onbase Cluster -TSM-EDPSQL01 Onbase  TRI PRD poweredOn  
Physical Optum Azure   Corporate (Triserve,TSM,Medica) tsmsprdapp01.tsm.local
SAP BusinessObjects Enterprise XI 3.1 SP ... SAP TSM PRD poweredOn   Physical
Optum Azure   Corporate (Triserve,TSM,Medica) tsmedpprdsap01.tsm.local SAP
BusinessObjects Enterprise XI 3.1 SP ... SAP TSM PRD poweredOn   Physical Optum
Azure   Corporate (Triserve,TSM,Medica) tsmsprdds01.tsm.local Serena Dimensions
Server Serena TRI PRD poweredOn   Physical Triple-S Premise Keep on Prem (Move
to Planview/ServiceNow) Corporate (Triserve,TSM,Medica) tsmsprdsdm01.tsm.local
Serena Dimensions Server Serena TRI PRD poweredOn   Physical Triple-S Premise
Keep on Prem (Move to Planview/ServiceNow) Corporate (Triserve,TSM,Medica)
tsmnocprdapp01.tsm.local Monitoring SolarWinds TRI PRD poweredOn   Physical
Optum Azure   Corporate (Triserve,TSM,Medica) esxi23.tsm.local VMWARE HOST
Vmware TRI PRD poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) esxi25.tsm.local VMWARE HOST Vmware TRI PRD poweredOn  
Physical Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica)
esxi27.tsm.local VMWARE HOST Vmware TRI PRD poweredOn   Physical Triple-S
Premise Keep on Prem Corporate (Triserve,TSM,Medica) esxi28.tsm.local VMWARE
HOST Vmware TRI PRD poweredOn   Physical Triple-S Premise Keep on Prem Corporate
(Triserve,TSM,Medica) esxi29.tsm.local VMWARE HOST Vmware TRI PRD poweredOn  
Physical Triple-S Premise Keep on Prem Corporate (Triserve,TSM,Medica)
esxi32.tsm.local VMWARE HOST Vmware TRI PRD poweredOn   Physical Triple-S
Premise Keep on Prem Corporate (Triserve,TSM,Medica) esxi33.tsm.local VMWARE
HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi34.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi18.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi21.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi17.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi24.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi19.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi26.tsm.local VMware vSphere Client 5.0 Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) TSM-EDPSOX01 Sox Sox App Server TSM PRD poweredOn Virtual Optum Azure
Corporate (Triserve,TSM,Medica) esxi12.tsm.local VMWARE HOST Vmware TRI DEV poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) tsmvprdbkp04.tsm.local Backup Netbackup TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) tsmxentspapp03.tsm.local Citrix Srv Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmxentspapp01.tsm.local Citrix Srv Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) esxi11.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi10.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxi09.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) esxih-10.tsm.local VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) tsmedp3cctx01.tsm.local Citrix Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmedp3cctx02.tsm.local Citrix Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmedpsssctx01.tsm.local Citrix Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmedpsssctx03.tsm.local Citrix Presentation Server Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmedpsssctx04.tsm.local Citrix Presentation Server Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmedpsssctx2.tsm.local Citrix Presentation Server Citrix TRI PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) isidprdwds01.tsm.local File Server File Server TRI PRD poweredOn Physical Triple-S Premise Project to move all File Servers to StorSimple
Corporate (Triserve,TSM,Medica) medfilesrvr.medicare.tsm.local File Server File Server MED PRD poweredOn Physical Triple-S Premise Project to move all File Servers to StorSimple
Corporate (Triserve,TSM,Medica) FrontEnd #N/A TBD TRI PRD poweredOn Y Virtual Triple-S Premise Keep on Prem (Marked for Decom by Triple-S)
Corporate (Triserve,TSM,Medica) esxi36.tsm.local VMWARE VMWARE TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) TSMMDEVAPP08 Manage Engine Manage Engine TRI DEV poweredOn Virtual Triple-S Premise Move to ServiceNow
Corporate (Triserve,TSM,Medica) tsmsmodqaapp01.tsm.local SAP SAP TSM QA poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) tsmremodqaapp01.tsm.local Kronos’ Workforce Central Application 7.0 Kronos TSM QA poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) trsvneprdapp01 Kronos’ Workforce Central Application 7.0 Kronos TSM PRD poweredOn Physical Optum Azure
Corporate (Triserve,TSM,Medica) Synergy 1 VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) Synergy 2 VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) Synergy 3 VMWARE HOST Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO1 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO2 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO3 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO4 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO5 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO6 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO7 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem
Corporate (Triserve,TSM,Medica) APOLLO8 VM VDI HPE Apollo r2600 Chassis Vmware TRI PRD poweredOn Physical Triple-S Premise Keep on Prem

 

 


 Schedule X
Source of Truth

 

B2B FILES

 



B2B Criticality: 1
B2B File Name: Transaction Reply Reports / Response (CMS - Daily Data Exchanges) - WIPRO
Description: Measures the percentage that the process to send to WIPRO, and/or process once received from WIPRO, as applicable, the following types of Centers for Medicare & Medicaid Services (CMS) Medicare Part D
(a) Enrollment Files Sent to WIPRO = 2 times each day (12:00 p.m. AST and 12:00 a.m. AST),
(b) Enrollment Files (834) Processed Once Received = Processed within two (2) hours after receipt from WIPRO 3 times each day
(c) Transaction Report Replies Processed Once Received from WIPRO = Processed after receipt from WIPRO 1 time each day
Execution Frequency: Daily

B2B Criticality: 1
B2B File Name: Data Warehouse Update (CMS - Onetsa)
Description: Measures the percentage that the daily process to refresh the CMS Data Warehouse is completed on time (by 12:00 a.m. AST each day).
Execution Frequency: Daily

B2B Criticality: 1
B2B File Name: Abarca
Description: Measures the percentage that the PBM file is created and submitted to Abarca on time (by 12:00 a.m. AST each weekday).
Execution Frequency: Daily (Monday through Friday)

B2B Criticality: 2
B2B File Name: ID Cards File Management (PersoCard)
Description: Measures the percentage of Member ID card files which are: (a) generated and delivered to the vendor (or made available for the applicable vendor to obtain from within the system, as applicable); and (b) received back from the vendor and reconciled for accuracy - all by 11:59 a.m. AST each day Monday through Friday.
Execution Frequency: Daily - Monday through Friday

B2B Criticality: 2
B2B File Name: Risk Management Files (Inovalon, McKesson, PopHealth, Miliman, DDDS)
Description: Measures the percentage of Monthly Membership Report, MO, PTDMOO, HCMOD data files which are sent to the corresponding vendor(s) by 11:59 p.m. AST each Friday.
Execution Frequency: Weekly

B2B Criticality: 2
B2B File Name: Premium Management Files Handling (Inovalon)
Description: Measures the percentage of weekly file counts and paid claim amounts - in each of the following 5 categories - which are provided for validation and uploaded to a designated Triple-S FT site by 12:00 a.m. AST each Tuesday: Member, Enrollment, Providers, Provider Enrollment, Alianzas.
Execution Frequency: Weekly

B2B Criticality: 2
B2B File Name: Premium Management Files Handling (Inovalon, DDDS, Miliman, PopHealth)
Description: Measures the percentage of file counts and paid claim amounts - in each of the following 8 categories - which are provided to Triple-S' Finance Department for validation and uploaded to a designated Triple-S FTP site by 12:00 a.m. AST on the 5th day of each month: Member, Claims, Enrollment, Pharmacy Claims, Laboratory Claims, Providers, Provider Enrollment, Alianzas.
Execution Frequency: Monthly

B2B Criticality: 2
B2B File Name: Claims Payment Files (Accuprint)
Description: Measures the percentage of claims and capitation payment source files which are (i) sent to the applicable Triple-S business owner for approval by 12:00 a.m. AST each Saturday; and once approved by such Triple-S business owner; (ii) sent to the vendor for checks and ACH file generation.
Execution Frequency: Weekly

B2B Criticality: 2
B2B File Name: Capitation Payment Files (Accuprint)
Description: Measures the percentage of capitation payment source files which are (i) sent to the applicable Triple-S business owner for approval; and once approved by such Triple-S business owner; (ii) sent to the vendor for checks and ACH file generation - all within three (3) days after receipt of the applicable request.
Execution Frequency: On Demand

B2B Criticality: 2
B2B File Name: Oracle Data Warehouse Update
Description: Measures the percentage that the weekly process to refresh the Oracle Data Warehouse is completed by 7:00 a.m. AST each Monday morning.
Execution Frequency: Monthly

 

 


 TSS RETAINED CONTRACTS



 



Vendor | Description
Orthotec | BPO
WJ Medical Consulting | BPO
Palo Alto Networks, Inc. | Software and Services
ViaWest, Inc. | Services for data centers
Assertus, Inc. | Services for transaction processing, software installation
AT&T | Software and Services
Integration Technologies, Corp. | Services for PBX and Avaya maintenance
Prism Microsystems, Inc. | Services for Event Tracker
SAP | Services for SAP
Sungard Availability Services, LP | Services for disaster recovery, mobile recovery, security, network, test, and support

 

 




 



 

 

 

 

 

 

 

SCHEDULE Y

 

Subcontractor Flow-Down Terms

 

 

 

 

 

 

 

 

 

 

 


 

As of the Effective Date, Triple-S will comply with the following terms and
conditions regarding Triple-S’s use of Equipment, Third Party Services, Software
and Tools provided or made available by Supplier. During the Term, the Parties
will mutually agree to any updates to such terms and conditions.

 

1. Terms with respect to F5 Software:

 

Triple-S may not copy (except to make one archival copy for backup and disaster
recovery purposes), modify, sell, sub-license, rent or transfer the F5 software,
data or any associated documentation to any third party. Triple-S may not
disassemble, reverse compile or reverse engineer such software or any data
incorporated in such software or encourage others to do so except as required by
law for interoperability purposes, and then only after Triple-S has given
Supplier an opportunity to provide information or software necessary to resolve
such interoperability issues.

 

2. Terms with respect to Microsoft Software and Services:

 

Triple-S may not reverse engineer, decompile, disassemble, or work around
technical limitations in the Microsoft products, except to the extent applicable
law permits it despite these limitations. Triple-S may not disable, tamper with,
or otherwise attempt to circumvent any billing mechanism that meters your use of
the Microsoft services. Triple-S may not rent, lease, lend, resell, transfer, or
host the Microsoft product, or any portion thereof, to or for third parties
except as expressly permitted in the General Terms and Conditions.

 

3. Acceptable Use Policy

 

(a) Neither Triple-S, nor those that access the Microsoft service through
Triple-S, may use such service:

 

(i) in a way prohibited by law, regulation, governmental order or decree;

 

(ii) to violate the rights of others;

 

(iii) to try to gain unauthorized access to or disrupt any service, device,
data, account or network;

 

(iv) to spam or distribute malware;

 

(v) in a way that could harm such service or impair anyone else’s use of it; or

 

(vi) in any application or situation where failure of such service could lead to
the death or serious bodily injury of any person, or to severe physical or
environmental damage.

 

 




 

 

 

 

 

 

 

 

 

 



 



SCHEDULE AA

 

Glossary

 

 

 

 

 

 

 

 

 

 


 

The following capitalized terms, when used in this Agreement, will have the
meanings given below.

 

“6 Month Rolling Forecast” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“AAA” has the meaning given in Section 23.4(e)(i) of the General Terms and Conditions.

“Acceptance Criteria” has the meaning given in Section 2(g) of Schedule N-1 (Deliverable and Milestone Acceptance Procedures).

“Acceptance Period” has the meaning given in Section 2(e) of Schedule N-1 (Deliverable and Milestone Acceptance Procedures).

“Action Plan” has the meaning given in Section 24(a)(i) of the General Terms and Conditions.

“Actor” has the meaning given in Section 3 of Exhibit A (IT Services) to SOW #2.

“Actual Uptime” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Additional Claims Processing Functions” has the meaning given in Exhibit A-1 (Claims Process Definitions) to SOW #1.

“Adjudication” or “Adjudicated” or “Adjudicating” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Adjustment” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Administracion de Seguros de Salud de Puerto Rico” or “ASES” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Affected Services” has the meaning given in Section 2(a) of Schedule I (Disengagement Assistance).

“Affected Supplier Personnel” has the meaning given in Section 5.7(a)(i) of Schedule I (Disengagement Assistance).

“Affected Supplier Third Party Service Contracts” has the meaning given in Section 5.3(a) of Schedule I (Disengagement Assistance).

“Affiliate” means, with respect to an entity, any other entity or person Controlling, Controlled by or under common Control with such entity.

“Agreed Timeframe” has the meaning given in Exhibit B (Claims Service Levels) to SOW #1.

 

 


  

“Agreement” shall mean collectively the General Terms and Conditions document as well as all Schedules, Exhibits, and Attachments, and any Statements of Work, Task Orders, and similar documents entered into or issued pursuant to this Agreement (and their respective Exhibits and attachments), as the same may be amended by the Parties from time to time in accordance with Section 27.3 (Contract Amendments and Modifications) of the General Terms and Conditions.

“Applicable Laws”, solely as used in Schedule W (Regulatory and Customer Flow-Down Terms) has the meaning given in Section 3.5 of Schedule W (Regulatory and Customer Flow-Down Terms).

“Applicable Services Rate Card” has the meaning given in Section 4.5 of Schedule C (Charging Methodology).

“Application” or “Application Software” means Software that performs specific End User-related data processing, data management and telecommunications tasks.

“Application Development Project” has the meaning given in Section 2.1 of Schedule C (Charging Methodology).

“Application Support Pool” has the meaning given in Section 2.1 of Schedule C (Charging Methodology).

“Applications Support Services” has the meaning given in Section 2.1 of Schedule C (Charging Methodology).

“Approved Subcontractor” has the meaning given in Section 6.6(a) of the General Terms and Conditions.

“Assessment” has the meaning given in Section 1.1(a) of Exhibit A-2 (IT Solution Description) to SOW #2.

“Assessment Phase” has the meaning given in Section 5.1(e) of Schedule N (Project Framework).

“Assumed Migration Date” has the meaning given in Section 3.1(c) of Schedule C (Charging Methodology).

“At Risk Amount” has the meaning given in Section 1.1(a) of Schedule B (Service Level Methodology).

“Audit” has the meaning given in Section 2.1(a) of Schedule M (Audit and Record Retention Requirements).

“Auditors” has the meaning given in Section 1(c) of Schedule M (Audit and Record Retention Requirements).

“Availability” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Available for Use” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Average Manual Claims Processed per Hour” has the meaning given in Section 4.5 of Schedule C (Charging Methodology).

  

 


  

“Background Checks” has the meaning given in Section 2(a) of Schedule T (Background Checks).

“Bankruptcy Code” has the meaning given in Section 15.4 of the General Terms and Conditions.

“Base Growth” has the meaning given in Section 14.3 of Schedule C (Charging Methodology).

“Baseline” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Baselined” has the meaning given in Section 1.1(b) of Schedule B (Service Level Methodology).

“Batch Processing Completion Time” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“BAU Activity” has the meaning given in Section 7.1 of Schedule C (Charging Methodology).

“BC/DR Drill” has the meaning given in Section 2.8 of Schedule A (Cross-Functional Services).

“Benchmarker” has the meaning given in Section 14.8(b) of Schedule C (Charging Methodology).

“Binding 2 Month Forecast” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Blue Card Program” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Blue Cross Blue Shield Association (BCBSA)” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Business Associate Agreement” or “BAA” means the Business Associate Agreement attached as Schedule H (Business Associate Agreement).

“Business Continuity and Disaster Recovery Plan” or “BC/DR Plan” has the meaning given in Section 2.8 of Schedule A (Cross-Functional Services).

“Business Day” means each day Monday through Friday, excluding Triple-S holidays, provided that for purposes of counting the number of days that a Party has to perform an obligation (such as the number of days to provide a written notice to the other Party), then Business Days shall mean Monday through Friday, excluding Triple-S holidays.

“Capacity” or “Capacities” has the meaning given in Section 1.2(a) of Exhibit A-2 (IT Solution Description) to SOW #2.

“Change” means any addition to, modification or removal of any aspect of the Services pursuant to the Agreement.

“Change Control Process” means the terms set forth in Section 18.4 (Change Control Process) of the General Terms and Conditions and the written procedures set forth in Schedule O (Change Control Process) for considering, analyzing, approving and carrying out Changes.

 




 

“Change in Law” has the meaning given in Section 8.1 of Schedule C (Charging Methodology).

“Change Notice” has the meaning given in Section 2.1(a) of Schedule O (Change Control Process).

“Change of Control of Supplier” has the meaning given in Section 16.1(e) of the General Terms and Conditions.

“Change Order” has the meaning given in Section 3 of Schedule O (Change Control Process).

“Charges” has the meaning given in Section 1.1 of Schedule C (Charging Methodology).

“Claim” means (i) when used in the context of any indemnification obligations under the Agreement, any third party demand, or any civil, criminal, administrative, regulatory or investigative claim, notice, action, or proceeding (including arbitration) made, sent, commenced or threatened against an entity or person by an unaffiliated third party; provided that for the purposes of this definition, an employee of either Party is considered an unaffiliated third party, or (ii) when used in any other context, a health insurance claim.

“Claims Adjudication- Medical Claims” has the meaning given in Exhibit A-1 (Claims Process Definitions) to SOW #1.

“Claims Adjudication Non-Medical / Ancillary Claims” has the meaning given in Exhibit A-1 (Claims Process Definitions) to SOW #1.

“Claims Adjustment” has the meaning given in Exhibit A-1 (Claims Process Definitions) to SOW #1.

“Claims Services” has the meaning given in Section 1.1 of Exhibit A (Claims Service Description) to SOW #1.

“Clean Claim” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“CMS” has the meaning given in Section 1.1 of Schedule W (Regulatory and Customer Flow-Down Terms).

“CMS Module” has the meaning given in Section 3.12(b)(i) of Schedule W (Regulatory and Customer Flow-Down Terms).

“COB Processing” has the meaning given in Exhibit A-1 (Claims Process Definitions) to SOW #1.

“COB Queries” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“[***]” has the meaning given in Section 19.19(a) of the General Terms and Conditions.

“[***] Access Rights” has the meaning given in Section 19.19(b) of the General Terms and Conditions.

“[***] Confidential Information” has the meaning given in Section 19.19(d)(ii) of the General Terms and Conditions.

 




 

“[***] Software” has the meaning given in Section 19.19(a) of the General Terms and Conditions.

“[***]/Supplier Agreement” has the meaning given in Section 19.19(a) of the General Terms and Conditions.

“COLA” has the meaning given in Section 14.2 of Schedule C (Charging Methodology).

“[***]” has the meaning given in Section 4.5(c) of Schedule C (Charging Methodology).

“Commercial” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Commercially Available” means, with respect to Software or a Tool, that the applicable Software or Tool vendor (which in the case of Supplier Owned Software and Supplier Owned Tools, would be Supplier) routinely licenses such Software or Tool to the general public or commercial customers such as Triple-S through separately established standard terms and conditions and standard charges, and for which such Software or Tool vendor (which may be Supplier as described above) provides ongoing maintenance, support and updates.

“Commercially Reasonable Efforts” means taking such steps and performing in such a manner as a well-managed company would undertake where it was acting in a determined, prudent and reasonable manner to achieve a particular desired result for its own benefit.

“Compliance Date” has the meaning given in Section 2.2 of Schedule B (Service Level Methodology).

“Compliance Program Guidelines” has the meaning given in Section 3.12(b)(i) of Schedule W (Regulatory and Customer Flow-Down Terms).

“Confidential Information” has the meaning given in Section 21.1(a) of the General Terms and Conditions.

“Configuration” or “Configuration Change” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Contract Governance” has the meaning given in Section 1(a) of Schedule F (Governance).

“Contract Governance Plan” has the meaning given in Section 2.1 of Schedule F (Governance).

“Contract Year” has the meaning given in Section 2.1 of Schedule C (Charging Methodology).

“Control” and its derivatives, such as “Controlling” means with regard to any entity the legal, beneficial or equitable ownership, directly or indirectly, of fifty percent (50%) or more of the capital stock (or other ownership interest if not a stock corporation) of such entity ordinarily having voting rights.

“Coordination of Benefits” or “COB” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.



 


  

“Corrective Action Plan” or “CAP” has the meaning given in Section 6.5(a) of Schedule N (Project Framework).

“Correspondence” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Cost per Claim” has the meaning given in Section 4.5 of Schedule C (Charging Methodology).

“Credits” has the meaning given in Section 5.2(a) of the General Terms and Conditions.

“Critical Milestone” has the meaning given in Section 12.2(a) of the General Terms and Conditions.

“Critical Milestone Completion Date” has the meaning given in Section 12.2(a) of the General Terms and Conditions.

“Critical Milestone Failure” has the meaning given in Section 12.2(b) of the General Terms and Conditions.

“Criticality 1 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Criticality 2 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Criticality 3 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Criticality 4 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Criticality 5 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Criticality 6 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Criticality 7 Application” has the meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.

“Cross Functional Services” has the meaning given in Section 2 of Schedule A (Cross-Functional Services).

“Cumulative CPI” has the meaning given in Section 14.3(b) of Schedule C (Charging Methodology).

“Cutover Date” has the meaning given in Section 2(d) of Schedule I (Disengagement Assistance).

“Day One IT” has the meaning given in Section 2.1(a) of Exhibit A-2 (IT Solution Description) to SOW #2.

“Day One Backlog” has the meaning given in Section 4.5(b) of Schedule C (Charging Methodology).

“days” has the meaning given in Section 27.10(b) of the General Terms and Conditions.

“Deliverable” means any Work Product produced in the course of performing the Services that is listed or described in this Agreement (including a Statement of Work, Change Order, Task Order, or other document developed pursuant to this Agreement) as a “Deliverable” and is provided by Supplier to Triple-S in connection with providing Services under this Agreement, including Software code changes, bug fixes and Software enhancements created by Supplier Personnel in the performance of Services as they relate to Triple-S Applications, whether Supplier or Triple-S is hosting the Triple-S Applications. Deliverables also include reports provided to Triple-S, Documentation, the Procedures Manual and any training materials provided by Supplier under this Agreement.

 

“Derivative Work” means all modifications and enhancements to, or derivatives of existing material.

“Development” has the meaning given in Section 1.2(c) of Exhibit A-2 (IT Solution Description) to SOW #2.

“Disabling Device” has the meaning given in Section 19.11(a) of the General Terms and Conditions.

“Disaster Recovery” or “DR” shall mean the back-up, storage, retrieval, recovery planning, and disaster recovery Services using the designated disaster recovery facilities in a temporary capacity upon a Disaster.

“Discovery Notice” has the meaning given in Section 5.6 of Schedule I (Disengagement Assistance).

“Disengagement Assistance” means, collectively, the Functions that Triple-S reasonably requests from Supplier to enable an orderly transfer of Services from Supplier to Triple-S or its designees without material interruption or material adverse effect to Triple-S in connection with the cessation of any Services, or the expiration or earlier termination (for any reason) of this Agreement, in whole or in part, including the Functions described in Section 17 (Disengagement Assistance) of the General Terms and Conditions and Schedule I (Disengagement Assistance).

“Disengagement Assistance Period” means the period of time that Supplier is obligated to provide Disengagement Assistance pursuant to Section 17.1 (General) of the General Terms and Conditions.

“Disengagement Assistance Plan” has the meaning given in Section 4.1(a) of Schedule I (Disengagement Assistance).

“Disengagement Event” has the meaning given in Section 2(g) of Schedule I (Disengagement Assistance).

“Disposition Format (DF)” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Dispute Date” has the meaning given in Section 25.1(a)(i) of the General Terms and Conditions.

“Division of Financial Responsibility” or “DOFR” has the meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.

“Document Term” has the meaning given in Section 3.1(b) of the General Terms and Conditions.

“Documentation” means written materials (including materials published on an Internet or Intranet site or otherwise online) that are available or necessary to instruct or assist End Users, operators or systems personnel in the installation, development, maintenance, operation, use or modification of any Equipment, Software, system, or Deliverable (including applicable functional and technical specifications), standard operating procedures, run books, the Procedures Manual and other manuals, and any marketing materials, proposals, and responses to requests for information or proposals concerning the Services, as such documentation is updated from time to time.

 

“Documentation Services” has the meaning given in Section 2.2 of Schedule A
(Cross-Functional Services).   “DR Environment” has the meaning given in Section
1.2(c) of Exhibit A-2 (IT Solution Description) to SOW #2.   “Effective Date”
has the meaning given in the first paragraph of the General Terms and
Conditions.   “Elements” has the meaning given in Section 3 of Exhibit A (IT
Services) to SOW #2.   “Embedded Processes” has the meaning given in Section 3.1
of Schedule A (Cross-Functional Services).   “Emergency Change” has the meaning
given in Section 4(a) of Schedule O (Change Control Process).   “Employee
Separation Date” has the meaning given in Section 23.3(a) of the General Terms
and Conditions.   “Encounter(s)” has the meaning given in Section 1.3 of Exhibit
A (Claims Service Descriptions) to SOW #1.   “End Users” means direct users of
the Services provided under this Agreement.   “Environments” has the meaning
given in Section 1.2(c) of Exhibit A-2 (IT Solution Description) to SOW #2.  
“Equipment” means any computer and telecommunications machines or other hardware
(without regard to the entity owning or leasing it) used or accessed in
connection with providing or receiving the Services, including all associated
attachments, features, accessories and peripheral devices and upgrades.  
“Escalation Claims Inquiry” has the meaning given in Exhibit A-1 (Claims Process
Definitions) to SOW #1.   “Escalator Credit” has the meaning given in Section
4.3 of Schedule B (Service Level Methodology).   “Existing Offshore Restricted
Business” has the meaning given in Section 4.9(b) of the General Terms and
Conditions.   “Existing Reports” has the meaning given in Section 2(a) of
Schedule K (Reports).   “Explanation of Benefits” or “EOB” has the meaning given
in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.  
“Extraordinary Audits” has the meaning given in Section 2.1(d)(i) of Schedule M
(Audit and Record Retention Requirements).

 

“Facilities” means Triple-S Facilities and/or Supplier Facilities, as
applicable.   “Federal Employee Programs” or “FEP” has the meaning given in
Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.   “Financial
Reconciliation Period” has the meaning given in Section 2(h) of Schedule I
(Disengagement Assistance).   “Financial Responsibility” means having
responsibility for furnishing and paying for resources or certain services
related to resources.   “Financial Responsibility Matrix” has the meaning given
in Section 2.1 of Schedule C (Charging Methodology).   “First Pass” or
“Automatic(ally) Adjudicated” has the meaning given in Section 1.3 of Exhibit A
(Claims Service Descriptions) to SOW #1.   “Fixed Hour Model” has the meaning
given in Section 4 of Schedule N (Project Framework).   “Fixed Hour Task Order”
has the meaning given in Section 4.1 of Schedule N (Project Framework).   “Fixed
Monthly Fee” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).   “Fixed PC & Life Charge” has the meaning given in Section 2.1 of
Schedule C (Charging Methodology).   “Fixed TSM Charge” has the meaning given in
Section 2.1 of Schedule C (Charging Methodology).   “Force Majeure Event” has
the meaning given in Section 24.4(a) of the General Terms and Conditions.  
“Force Majeure Time Period” has the meaning given in Section 24.4(d) of the
General Terms and Conditions.   “Former Triple-S Affiliate” means: (i) any
entity affiliated with Triple-S at any time during the Term (such designation
expiring at the end of the twenty-fourth (24th) month after the date that such
entity ceases to Control, be Controlled by, or be under common Control with,
Triple-S); or (ii) the purchaser of all or substantially all of the assets of
any line of business or a health plan of Triple-S or an Affiliate (such
designation (A) applying only with respect to the business so acquired; and (B)
expiring at the end of the twenty-fourth (24th) month after the date of such
purchase).  At Triple-S’s option, during such twenty-four (24) month period,
each Former Triple-S Affiliate shall be deemed to be an Affiliate of Triple-S.  
“Former Triple-S Claims Employees” has the meaning given in Section 23.3(a) of
the General Terms and Conditions.   “Functions” has the meaning given in Section
2.1(a) of the General Terms and Conditions.   “Furnishing Party” has the meaning
given in Section 21.1(a) of the General Terms and Conditions.

 

“Future SOW Transition” has the meaning given in Section 11.2(c) of the General
Terms and Conditions.   “Future SOWs” has the meaning given in Section
2.3(a)(ii) of the General Terms and Conditions.   “General Liability Cap” has
the meaning given in Section 24.2(b) of the General Terms and Conditions.  
“General Terms and Conditions” means the document labeled “General Terms and
Conditions” on the first page and in the header of the following pages.  In
other words, it is the Agreement exclusive of all Schedules, Exhibits,
Attachments, Annexes, Statements of Work and Task Orders.   “Governance Reports”
has the meaning given in Section 1(b) of Schedule K (Reports).   “Governmental
Claim” has the meaning given in Section 23.4(b)(ii)(A) of the General Terms and
Conditions.   “Governmental Entity” means any (i) federal, state, local,
municipal, foreign or other government, (ii) governmental or quasi-governmental
entity of any nature (whether federal, state, local, municipal, foreign,
multinational or international, including any governmental agency, branch,
department, official, or entity (including any Regulator)) or (iii) other body
exercising or entitled to exercise any administrative, executive, legislative,
police, regulatory, or taxing authority or power of any nature.   “Health Plan
Charges” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).   “Health Plan Portfolio” has the meaning given in Section 2.1 of
Schedule C (Charging Methodology).   “HHS” has the meaning given in Section 2(a)
of Schedule W (Regulatory and Customer Flow-Down Terms).   “[***]” has the
meaning given in Section 4.5 of Schedule C (Charging Methodology).   “High
Priority Adjustments” has the meaning given in Exhibit B (Claims Service Levels)
to SOW #01 (Claims).   “HIPAA” has the meaning given in the preamble of Schedule
H (Business Associate Agreement).   “HITECH Act” has the meaning given in
Section 1 of Schedule H (Business Associate Agreement).   “Home Claim” has the
meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW
#1.   “Host Claim” has the meaning given in Section 1.3 of Exhibit A (Claims
Service Descriptions) to SOW #1.   “Hours of Operation” has the meaning given in
Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.  
“Identity-Related Costs” means the following actual, documented costs incurred
by Triple-S relating to a Security Breach:  (i) preparation and mailing or other
transmission of notifications to affected individuals
that Triple-S reasonably determines are necessary to comply with applicable Law
or to protect Triple-S’ business or reputation; (ii) establishment of a call
center or other communications procedures in response to such Security Breach
(e.g., customer service frequently asked questions, talking points and
training); (iii) costs for credit monitoring services, identity theft insurance,
reimbursement for credit freezes, fraud resolution services, and identity
restoration services  that a health insurance company makes available to
impacted individuals in the event of a data breach of such Personally
Identifiable Information; (iv) fees paid to forensic consultants associated with
Triple-S’s investigation of the event; and (v) reasonable legal fees and
expenses associated with Triple-S’s investigation of and response to such event.

 

“Image” has the meaning given in Section 1.3 of Exhibit A (Claims Service
Descriptions) to SOW #1.   “in writing” has the meaning given in Section
26.10(a) of the General Terms and Conditions.   “Incident” has the meaning given
in Exhibit B-2 to SOW #2.   “including” and any of its derivative forms has the
meaning given in Section 26.10(a) of the General Terms and Conditions.  
“Indemnified Items” has the meaning given in Section 23.2 of the General Terms
and Conditions.   “Independent IP” of a party (including a third party) means
any Software, documents, materials, processes, works of authorship, know how,
Intellectual Property Rights, methodologies, technologies, algorithms, Tools,
forms and templates that either (i) were created by or for the party prior to
the Effective Date, or (ii) are subsequently created by or for the party outside
the scope of and independent from this Agreement.     “India CPI” has the
meaning given in Section 14.2 of Schedule C (Charging Methodology).   “Inflation
Factor” has the meaning given in Section 14.2 of Schedule C (Charging
Methodology).   “In-Flight Projects” has the meaning given in Section 11.8 of
the General Terms and Conditions.   “Infrastructure” has the meaning given in
Section 2.1 of Schedule C (Charging Methodology).   “Infrastructure
Architecture” has the meaning given in Section 1.2(d) of Exhibit A-2 (IT
Solution Description) to SOW #2.   “Infrastructure Project” has the meaning
given in Section 2.1 of Schedule C (Charging Methodology).   “Initial SOW
Transition” has the meaning given in Section 11.2(b) of the General Terms and
Conditions.  

“Initial SOWs” shall mean collectively the following Statements of Work:

 

(i)       Statement of Work # 1 (Claims Services), and

 

(ii)       Statement of Work # 2 (IT Services).



  “In-Scope Application” has the meaning given in Section 2.1 of Schedule C
(Charging Methodology).

 





“In-Scope Member” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).   “Intake” has the meaning given in Exhibit A-1 (Claims Process
Definitions) to SOW #1.   “Intellectual Property Rights” means, on a worldwide
basis, any and all:  (i) rights associated with works of authorship, including
copyrights, moral rights and mask-works; (ii) trademarks and service marks;
(iii) trade secret rights; (iv) patents, designs, algorithms and other
industrial property rights; (v) other intellectual and industrial property
rights of every kind and nature, however designated, whether arising by
operation of law, contract, license or otherwise; and (vi) registrations,
initial applications, renewals, extensions, continuations, divisions or reissues
in any of the foregoing.   “Inter Plan Programs” has the meaning given in
Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.   “Inter
Teleprocessing System (ITS)” has the meaning given in Section 1.3 of Exhibit A
(Claims Service Descriptions) to SOW #1.   “Interim Period” has the meaning
given in Section 1.1(e) of Schedule B (Service Level Methodology).   “Interim
SLA” has the meaning given in Section 1.1(f) of Schedule B (Service Level
Methodology).   “Intervention Claim” has the meaning given in Exhibit A-1
(Claims Process Definitions) to SOW #1.   “Inventory Management” has the meaning
given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.  
“Issue and Error Resolution” has the meaning given in Section 2.5 of Schedule A
(Cross-Functional Services).   “Joint Management Committee” has the meaning
given in Section 2.3(d) of Schedule F (Governance).   “Joint Operations
Committee” has the meaning given in Section 2.3(e) of Schedule F (Governance).  
“Joint Steering Committee” has the meaning given in Section 2.3(c) of Schedule F
(Governance).   “KB” has the meaning given in Section 2.6 of Schedule A
(Cross-Functional Services).   “Key Supplier Positions” has the meaning given in
Section 6.3(a) of the General Terms and Conditions.   “Knowledge Base Services”
has the meaning given in Section 2.6 of Schedule A (Cross-Functional Services).
  “Knowledge Transfer Plan” has the meaning given in Section 10(b) of Schedule I
(Disengagement Assistance).   “Labor Costs” has the meaning given in Section 2.1
of Schedule C (Charging Methodology).   “Labor Threshold” has the meaning given
in Section 8.1 of Schedule C (Charging Methodology).



 

“Large Projects” has the meaning given in Section 5.1(e) of Schedule N (Project
Framework).   “Law” means (i) any law, statute, regulation, ordinance or
subordinate legislation; (ii) the common law; (iii) any binding court order,
judgment or decree (including consent agreements); (iv) any regulation,
ordinance, order, directive, instruction, corrective action plan, manual (such
as Medicare Internet Only Manuals (IOM)), memos, communication or other mandate
that is made by any governmental entity or any regulator of any national,
federal, commonwealth, state, or local jurisdiction, including the Centers for
Medicare and Medicaid Services (“CMS”); and (ix) any other applicable statutes,
regulations and ordinances (both in the U.S. and outside the U.S.) regarding
necessary business permits, certificates, licenses and the like, which may be
required to perform the Services, as well as in the performance of the Services
themselves.   “Legacy BC/DR Plan” has the meaning given in Section 2.8 of
Schedule A (Cross-Functional Services).   “Line(s) of Business” or “LOB” has the
meaning given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW
#1.   “Long Term SLA” has the meaning given in Section 1.1(g) of Schedule B
(Service Level Methodology).   “Losses” means all losses, liabilities, damages,
liens, claims, costs, expenses, fines, penalties, and other charges suffered or
incurred as a result of or in connection with a Claim, including reasonable
attorneys’ fees and disbursements, costs of investigation, litigation,
settlement, and judgment, and any taxes, interest, penalties, and fines with
respect to any of the foregoing.     “[***]” has the meaning given in Section
4.5 of Schedule C (Charging Methodology).   “MA” has the meaning given in
Section 2(f) of Schedule W (Regulatory and Customer Flow-Down Terms).   “MA
Organization” has the meaning given in Section 2(g) of Schedule W (Regulatory
and Customer Flow-Down Terms).   “Managed IT Services” has the meaning given in
Section 1.1(a) of Exhibit A-2 (IT Solution Description) to SOW #2.   “Managed
Third Party” has the meaning given in Section 2.4 of Schedule A
(Cross-Functional Services).   “Managed Third Party Contract” has the meaning
given in Section 2.4 of Schedule A (Cross-Functional Services).   “Managed Third
Party Contract Services” has the meaning given in Section 2.4 of Schedule A
(Cross-Functional Services).   “Management Report” has the meaning given in
Section 1(b) of Schedule K (Reports).   “Mandatory Change” has the meaning given
in Section 5(a) of Schedule O (Change Control Process).

 



“Material Change” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).   “Material Functionality” has the meaning given in Section 2.1 of
Schedule C (Charging Methodology).   “Material Scope Change” has the meaning
given in Section 2.1 of Schedule C (Charging Methodology).   “may not” has the
meaning given in Section 26.10(a) of the General Terms and Conditions.   “may”
has the meaning given in Section 26.10(a) of the General Terms and Conditions.  
“MCPM” has the meaning given in Section 4.5(c) of Schedule C (Charging
Methodology).   “[***]” has the meaning given in Section 4.5(c) of Schedule C
(Charging Methodology).   “[***]” has the meaning given in Section 4.5(c) of
Schedule C (Charging Methodology).   “Measurement Date” has the meaning given in
Section 14.3(b) of Schedule C (Charging Methodology).   “Measurement Window” has
the meaning given in Section 1.1(h) of Schedule B (Service Level Methodology).  
“Medicaid” has the meaning given in Section 1.3 of Exhibit A (Claims Service
Descriptions) to SOW #1.   “Medicare Advantage” or “Medicare” has the meaning
given in Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.  
“Member” has the meaning given in Section 2.1(y) of Schedule C.   “Member
Reimbursement” has the meaning given in Exhibit A-1 (Claims Process Definitions)
to SOW #1.   “Milestone” has the meaning given in Section 5(a) of Schedule N-1
(Deliverable and Milestone Acceptance Procedures).   “Milestone Acceptance
Criteria” has the meaning given in Section 5(a) of Schedule N-1 (Deliverable and
Milestone Acceptance Procedures).   “Milestone Review Period” has the meaning
given in Section 5(b) of Schedule N-1 (Deliverable and Milestone Acceptance
Procedures).   “MLR” has the meaning given in Section 2(i) of Schedule W
(Regulatory and Customer Flow-Down Terms).   “Monthly Claims Backlog” has the
meaning given in Section 4.5 of Schedule C (Charging Methodology).   “Monthly
Minimum Fixed Fee” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).

 



“Net New Sponsors” has the meaning given in Exhibit B (Claims Service Levels) to
SOW #01 (Claims).   “New BC/DR Plan” has the meaning given in Section 2.8 of
Schedule A (Cross-Functional Services).   “New Service Proposal” has the meaning
given in Section 2.2(c) of the General Terms and Conditions.   “New Service
Statement of Work” has the meaning given in Section 2.2(c) of the General Terms
and Conditions.   “New Services” means Functions Triple-S requests Supplier to
perform under this Agreement: (i) that are materially different from, and in
addition to, the Services; and (ii) for which there is no existing charging
mechanism in this Agreement (other than Personnel Rates).   “Non Commercially
Available Items” has the meaning given in Section 10.4(a)(ii) of the General
Terms and Conditions.   “Non Commercially Available” shall mean, with respect to
Software or a Tool, that such Software or Tool is not Commercially Available.  
“Non-Key Subcontractors” has the meaning given in Section 6.6(h) of the General
Terms and Conditions.   “Non-Restricted Member” has the meaning given in Section
2.1 of Schedule C (Charging Methodology).   “Notice of Election” has the meaning
given in Section 23.4(a) of the General Terms and Conditions.   “Offshore
Prohibitions” has the meaning given in Section 4.9(a) of the General Terms and
Conditions.   “Offshore Restricted Business” has the meaning given in Section
4.9(c) of the General Terms and Conditions.   “Open” has the meaning given in
Section 1.3 of Exhibit A (Claims Service Descriptions) to SOW #1.   “Open Source
Code” has the meaning given in Section 19.8 of the General Terms and Conditions.
  “Operating Environment” has the meaning given in Section 3 of Exhibit A (IT
Services) to SOW #2.   “Operational Deliverables” has the meaning given in
Section 3(a) of Schedule N-1 (Deliverable and Milestone Acceptance Procedures).
  “Operational Report” has the meaning given in Section 1(b) of Schedule K
(Reports).   “Other Compliance Obligations” means: (i) all requirements of any
Exchange Agreement and Regulatory Contract to which Triple-S may be subject;
(ii) any requirements of the NCQA applicable to Triple-S (“NCQA Requirements”);
(iii) the requirements of the Stars rating program administered by CMS (“Stars
Requirements”); (iv) any Medicaid requirements applicable to Triple-S, including
those associated with Medicaid reimbursement (“Medicaid Requirements”); (iv) the
requirements of the Blue Cross Blue Shield Association, including MTM and Fed
Program measures; and (v) any requirements of URAC applicable to Triple-S (“URAC
Requirements”).

 



“Other Developed Items” has the meaning given in Section 15.2(b)(i) of the
General Terms and Conditions.   “Other Sensitive Confidential Information” has
the meaning given in Section 6.6(h) of the General Terms and Conditions.  
“Other Third Party” has the meaning given in Section 3 of Exhibit A (IT
Services) to SOW #2.   “Out-of-Pocket Expense” means reasonable, demonstrable
and actual out-of-pocket expenses incurred by Supplier for Equipment, materials,
supplies or services provided by a third party provider which is used by
Supplier for Triple-S as identified in this Agreement, which shall not include
any Supplier actual or allocated overhead costs, administrative expenses or
other mark-ups.   “Overdue Adjustment” has the meaning given in Exhibit B
(Claims Service Levels) to SOW #01 (Claims).   “Overdue Clean Claim” has the
meaning given in Exhibit B (Claims Service Levels) to SOW #01 (Claims).  
“Overdue Unclean Claim” has the meaning given in Exhibit B (Claims Service
Levels) to SOW #01 (Claims).   “Parties” has the meaning given in the first
paragraph of the General Terms and Conditions.   “Party” has the meaning given
in the first paragraph of the General Terms and Conditions.   “Pass-Through
Expenses” has the meaning given in Section 14.5 of Schedule C (Charging
Methodology).   “Patch” has the meaning given in Exhibit B-2 (Service Level
Definitions) to SOW #2.   “Payment / Remittance Advice” has the meaning given in
Exhibit A-1 (Claims Process Definitions) to SOW #1.   “PC & Life Portfolio” has
the meaning given in Section 2.1 of Schedule C (Charging Methodology).   “PCI
DSS” has the meaning given in Section 14.2(c)(ii) of the General Terms and
Conditions.   “Pended” or “Suspended” has the meaning given in Section 1.3 of
Exhibit A (Claims Service Descriptions) to SOW #1.   “Personally Identifiable
Information” means personally identifiable information of individuals, including
(1) any information (alone or in combination) that can be used to distinguish or
trace an individual’s identity, such as name, social security number, date and
place of birth, mother’s maiden name, or biometric records; (2) any information
(alone or in combination) that is linked or linkable to specific individuals,
such as medical, educational, financial, and employment information; (3) any
information of Triple-S members, employees and customers; and (4) any
information which is otherwise protected by Law. Personally Identifiable
Information also includes “PHI” as defined in Schedule H (Business Associate
Agreement), and personal card data and other regulated data.

 

“Plan” has the meaning given in Section 1.3(b) of Schedule A (Cross Functional
Services).   “PMPM Rates” has the meaning given in Section 2.1 of Schedule C
(Charging Methodology).   “Prior Year US CPI” has the meaning given in Section
14.2 of Schedule C (Charging Methodology).   “Priority 1 Incident” has the
meaning given in Exhibit B-2 (Service Level Definitions) to SOW #2.   “Priority
2 Incident” has the meaning given in Exhibit B-2 (Service Level Definitions) to
SOW #2.   “Priority 3 Incident” has the meaning given in Exhibit B-2 (Service
Level Definitions) to SOW #2.   “Priority 4 Incident” has the meaning given in
Exhibit B-2 (Service Level Definitions) to SOW #2.   “Problem” means a cause of
one or more Incidents. The cause is not usually known at the time a Problem
record is created.   “Procedures Manual” has the meaning given in Section
18.3(a) of the General Terms and Conditions.   “Processes” has the meaning given
in Section 3 of Exhibit A (IT Services) to SOW #2.   “Production” has the
meaning given in Section 1.2(c) of Exhibit A-2 (IT Solution Description) to SOW
#2.   “Productive Application Hour” has the meaning given in Section 2.1 of
Schedule C (Charging Methodology).   “Productive Work” has the meaning given in
Section 2.1 of Schedule C (Charging Methodology).   “Program Manager” has the
meaning given in Section 7.1 of the General Terms and Conditions.   “Programa de
Salud de Gobierno” or “PSG” has the meaning given in Section 1.3 of Exhibit A
(Claims Service Descriptions) to SOW #1.   “Prohibited Person” has the meaning
given in Section 13.2(a)(iii) of the General Terms and Conditions.   “Project”
has the meaning given in Section 1.1(a) of Schedule N (Project Framework).  
“Project Estimate” has the meaning given in Section 5.1(b) of Schedule N
(Project Framework).   “Project Framework” has the meaning given in Section
1.1(a) of Schedule N (Project Framework).   “Project Request” has the meaning
given in Section 2 of Schedule N (Project Framework).   “Protected Health
Information” or “PHI” has the meaning given in Section 1 of Schedule H (Business
Associate Agreement).   “Provider” has the meaning given in Section 1.3(c) of
Schedule A (Cross Functional Services).

 

“Quality Assurance” or “QA” has the meaning given in Section 1.3 of Exhibit A
(Claims Service Descriptions) to SOW #1.   “Quality Assurance (Pre/Post Payment
Review)” has the meaning given in Exhibit A-1 (Claims Process Definitions) to
SOW #1.   “Quick Adjustments” has the meaning given in Exhibit B (Claims Service
Levels) to SOW #01 (Claims).   “Receiving Party” has the meaning given in
Section 21.1(a) of the General Terms and Conditions.   “Reconciliation Format
(RF)” has the meaning given in Section 1.3 of Exhibit A (Claims Service
Descriptions) to SOW #1.   “Records” has the meaning given in Section 3.1 of
Schedule W (Regulatory and Customer Flow-Down Terms).   “Recurring Claims
Reports” has the meaning given in Exhibit B (Claims Service Levels) to SOW #01
(Claims).   “Regulator” means any governmental or quasi-governmental entity (i)
with investigatory or oversight capability regarding Triple-S, a Triple-S
Affiliate, or a Former Triple-S Affiliate, or of any Services under this
Agreement, including CMS, or (ii) that is party to a Regulatory Contract.  
“Regulatory Compliance Adherence Services” has the meaning given in Section 2.3
of Schedule A (Cross-Functional Services).  

“Regulatory or Contract Assessment” means a fine, penalty, interest, liquidated
damages or other amount that is (i) assessed to Triple-S or a Triple-S Affiliate
by a Regulator, the Blue Cross Blue Shield Association or otherwise under
applicable Law; or (ii) payable by Triple-S or a Triple-S Affiliate pursuant to
a contract between Triple-S or such Triple-S Affiliate and an employer group,
provider or Governmental Entity.

 

  “Regulatory Contract” means any contract between governmental or
quasi-governmental entity and Triple-S or a Triple-S Affiliate (and to which
Triple-S or a Triple-S Affiliate is a subcontractor) under which such entity is
paying for services provided to beneficiaries pursuant to a government or
quasi-governmental program (e.g., Medicare, Medicaid).  For clarity, this does
not include contracts in which the governmental or quasi-governmental entity is
merely acting as the employer paying for health insurance coverage for its
employees.   “Release Management Plan” has the meaning given in Section 4.1(d)
of Exhibit A-2 (IT Solution Description) to SOW #2.   “Regulatory Report” has
the meaning given in Section 1(b) of Schedule K (Reports).   “Renewal Period”
has the meaning given in Section 3.2(a) of the General Terms and Conditions.

 

“Reporting Solution” has the meaning given in Section 5 of Schedule K (Reports).

“Reports” has the meaning given in Section 1(b) of Schedule K (Reports).

“Requested Information” has the meaning given in Section 14.5(a) of the General
Terms and Conditions.

“Required Consents” means such consents as may be required for (i) the
assignment to a Party, or the grant to a Party of rights of access and use, of
resources otherwise provided to or licensed by the other Party, and (ii) with
respect to any resource (e.g., Software, Equipment, third party services) for
which the corresponding contract is to be assigned to Triple-S or a Successor
Supplier pursuant to this Agreement (including any resource existing as of the
Effective Date and assigned to Supplier, as well as any resource utilized or
introduced after the Effective Date during the Term), the disclosure of the
corresponding contract terms to Triple-S or the Successor Supplier, or the
assignment of such contract to Triple-S or the Successor Supplier, as part of
Disengagement Assistance and as set forth in this Agreement.

“Requirements” means a documented functionality or business need that a Service
solution or Deliverable will meet or perform as set forth in the Agreement or in
any other tangible form agreed by the Parties (which, for clarity, does not
necessarily require a signature).

“Resolution Time” has the meaning given in Exhibit B-2 (Service Level
Definitions) to SOW #2.

“Response Time” has the meaning given in Exhibit B-2 (Service Level Definitions)
to SOW #2.

“Resources” has the meaning given in Section 5.1(a) of Schedule I
(Disengagement Assistance).

“Restricted Member” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).

“Rework Claims” has the meaning given in Section 1.3 of Exhibit A (Claims
Service Descriptions) to SOW #1.

“Root Cause Analysis” has the meaning given in Section 1.1(i) of Schedule B
(Service Level Methodology).

“Root Cause Analysis Report” has the meaning given in Exhibit B-2 (Service Level
Definitions) to SOW #2.

“Scheduled Downtime” means that period of time (days of the week and hours per
day) during which a particular In Scope Application, Software, Tool, Equipment,
Network or any other part of the Services is not expected to be Available for
Use during the Measurement Period due to pre-agreed scheduled maintenance,
system upgrades, etc.  Scheduled Downtime windows will be agreed to by the
Parties.

“Schedule Uptime” has the meaning given in Exhibit B-2 (Service Level
Definitions) to SOW #2.

“Security Breach” means:

 

(i)            any compromise of the privacy or security of any Triple-S Data,
or Software or system used to provide the Services on which Triple-S Data is
stored, transmitted, processed or accessible, that either (A) is possessed or
operated by (or for) or under the control of Supplier or a Subcontractor, or (B)
results from the acts or omissions of Supplier or its Subcontractors; or







 




  

(ii)           any loss, or unauthorized acquisition, access, destruction,
alteration, disclosure, or use (in all cases whether intentional or not) of, or
the inability to locate, Triple-S Data that (A) is possessed or operated by or
under the control of Supplier or a Subcontractor, or (B) results from the acts
or omissions of Supplier or its Subcontractors.

 

“Service Commencement Date” means (i) September 1, 2017 for Services under SOW
#2 (IT Services); (ii) April 30, 2018 for Services under SOW #1 (Claims
Services); and (iii) the date(s) set forth in the Transition Documents that
Supplier is scheduled to commence performance of the applicable steady state
Services (i.e., the Transition has been completed) that Supplier is obligated to
provide under any Future SOWs.  References in this Agreement to the Service
Commencement Date shall mean September 1, 2017 unless expressly provided
otherwise.

“Service Delivery Environment” has the meaning given in Section 3 of Exhibit A
(IT Services) to SOW #2.

“Service Desk” means the single point of contact support team that responds to
Incidents reported via phone, e-mail, or direct entries to the Incident
management system, routes tickets to the appropriate party, or manages the
successful resolution of all such Incidents.

“Service Improvement Plan” or “SIP” means the documentation of action items,
responsibilities and timelines required to resolve a service issue.

“Service Level Credit” or “SLC” has the meaning given in Section 1.1(l) of
Schedule B (Service Level Methodology).

“Service Level Failure” has the meaning given in Section 1.1(m) of Schedule B
(Service Level Methodology).

“Service Level Metric” has the meaning given in Section 1.1(n) of Schedule B
(Service Level Methodology).

“Service Level Metrics Documents” has the meaning given in Section 1.1(o) of
Schedule B (Service Level Methodology).

“Service Level Performance Report” has the meaning given in Section 1.1(p) of
Schedule B (Service Level Methodology).

“Service Levels” means the quantitative performance standards for certain of the
Services as set forth in Schedule B (Service Level Methodology) and the Task
Orders.

“Service Point” has the meaning given in Section 1.1(q) of Schedule B (Service
Level Methodology).

“Service Recipient” has the meaning given in Section 2.6(a) of the General Terms
and Conditions.

“Service Tower” means the Services to be provided by Supplier under each
Statement of Work, as well as the Cross Functional Services to support such
Service Tower. The Service Towers as of the Effective Date are: 

  






 

(i)       Claims Service Tower means the Claims Services as defined in Statement
of Work #1 (Claims);

 

(ii)       IT Service Tower means the IT Services as defined in Statement of
Work #3 (IT);

 

 

“Services” has the meaning given in Section 2.1(a) of the General Terms and
Conditions.

“shall” has the meaning given in Section 26.10(a) of the General Terms and
Conditions.

“Skills Matrix Rate Card” means the rate card attached Schedule C-1 (Skills
Matrix Rate Card) setting forth the applicable rate to be charged by Supplier
for Supplier Personnel conforming to an applicable technology expertise and
level of experience in the applicable job category (i.e., experience level I, II
or III).

“SLA Pool” has the meaning given in Section 1.1(r) of Schedule B (Service Level
Methodology).

“SME” means subject matter expert.

“Software Deliverables” means a Deliverable that is Software.

“Software Documentation Warranty Period” has the meaning given in Section 19.6
of the General Terms and Conditions.

“Software” means program code (in both object code and Source Code forms, as
applicable) and any applicable Documentation, media, on-line help facilities and
tutorials used or accessed in connection with providing or receiving the
Services, including any update, enhancement, modification, releases and
Derivative Work of any item comprising Software.  For clarity, Software includes
Tools that are Software.

“SOC” has the meaning given in Section 3(d)(i)(A) of Schedule M (Audit and
Record Retention Requirements).

“SOC Audits” has the meaning given in Section 3(d)(i)(A) of Schedule M (Audit
and Record Retention Requirements).

“SOC Audit Report” has the meaning given in Section 3(d)(i)(B) of Schedule M
(Audit and Record Retention Requirements).

“SOP” (i) with respect to the MSA, has the meaning given in Section 18.3(a) of
the General Terms and Conditions; and (ii) with respect to SOW #2, has the
meaning given in Section 1.2(e) of Exhibit A-2 (IT Solution Description) to SOW
#2.

“Source Code” means the computer code of Software in programming languages,
including all comments, procedural code, and all related development documents
(e.g., flow charts, schematics, statements of principles of operations,
architectural standards, artifacts, and design documentation, technical and End
User Manuals, and any other specification that are used to create or that
comprise the computer code, of the Software concerned).

  


  

“Span” has the meaning given in Section 3 of Exhibit A (IT Services) to SOW #2.

“Special Infrastructure Project” has the meaning given in Section 7.1 of
Schedule C (Charging Methodology).

“Special Infrastructure Projects Pool” has the meaning given in Section 7.3 of
Schedule C (Charging Methodology).

“Specification” means the functions to be performed by and/or features to be
included in a Deliverable as set forth in a Task Order or Statement of Work
(including for clarity the relevant documents incorporated by reference), or
otherwise agreed by the Parties in writing.

“SR Completion Time” has the meaning given in Exhibit B-2 (Service Level
Definitions) to SOW #2.

“SR Response Time” has the meaning given in Exhibit B-2 (Service Level
Definitions) to SOW #2.

“SSAE” “SOC” has the meaning given in Section 3(d)(i)(A) of Schedule M (Audit
and Record Retention Requirements).

“Statement of Work” or “SOW” has the meaning given in Section 2.3(a) of the
General Terms and Conditions.

“Subcontractor” means (i) a third party engaged by Supplier to provide any
portion of the Services, (ii) any entity to which a Subcontractor further
subcontracts (or otherwise sub-delegates) any of its subcontracted duties or
obligations, and (iii) any other entity to which any such subcontracted duties
or obligations are further subcontracted (or otherwise sub-delegated), below the
level of the agreement between Supplier and a Subcontractor.

“Submission Format (SF)” has the meaning given in Section 1.3 of Exhibit A
(Claims Service Descriptions) to SOW #1.

“Successor Supplier” means any third party designated by Triple-S to perform
Services previously performed by Supplier under this Agreement.

“Supplier Account Executive” has the meaning given in Section 6.3(e)(ii) of the
General Terms and Conditions.

“Supplier Bridge Letter” “SOC” has the meaning given in Section 3(d)(i)(C) of
Schedule M (Audit and Record Retention Requirements).

“Supplier Data Center” has the meaning given in Section 1.2(b) of Exhibit A-2
(IT Solution Description) to SOW #2.

“Supplier Disengagement Assistance Lead” has the meaning given in Section 6 of
Schedule I (Disengagement Assistance).

“Supplier Escalation Claims” has the meaning given in Exhibit A-1 (Claims
Process Definitions) to SOW #1.

 




  

“Supplier Facilities” has the meaning given in Section 4.2(a) of the General
Terms and Conditions.

“Supplier Implementation Lead” has the meaning given in Section 4.3(b) of
Exhibit A-2 (IT Solution Description) to SOW #2.

“Supplier Indemnitees” has the meaning given in Section 23.3 of the General
Terms and Conditions.

“Supplier Leased Equipment” has the meaning given in Section 10.2(b) of the
General Terms and Conditions.

“Supplier Licensed Software” means Software owned (i.e., in which the copyright
is owned) by a party other than Supplier (or a Supplier Affiliate) that is
licensed by Supplier (or a Supplier Affiliate).

“Supplier Licensed Tool” means a Tool owned (i.e., in which the copyright is
owned) by a party other than Supplier (or a Supplier Affiliate) that is licensed
by Supplier (or a Supplier Affiliate).

“Supplier Non-Personnel Resource Obligations” has the meaning given in Section
5.1(c) of Schedule I (Disengagement Assistance).

“Supplier Owned Equipment” has the meaning given in Section 5.2 of Schedule I
(Disengagement Assistance).

“Supplier Owned Software” means Software owned (i.e., in which the copyright is
owned) by Supplier or any Supplier Affiliate.  Software owned by Supplier
Affiliates shall be treated as Supplier Owned Software rather than Supplier
Licensed Software under this Agreement.

“Supplier Owned Tool” means a Tool owned (i.e., in which the copyright is owned)
by Supplier or any Supplier Affiliate.  A Tool owned by Supplier Affiliates
shall be treated as a Supplier Owned Tool rather than a Supplier Licensed Tool
under this Agreement.

“Supplier Personnel” means, collectively, any and all personnel furnished or
engaged by Supplier to perform any part of the Services, or which is provided
access by Supplier to Triple-S Data, Triple-S facilities or Triple-S systems,
including: (i) the employees and independent contractors of Supplier and its
Affiliates; (ii) Subcontractors; and (iii) the employees and independent
contractors of Subcontractors.

“Supplier Personnel Information” has the meaning given in Section 5.7(a) of
Schedule I (Disengagement Assistance).

“Supplier Personnel Resource Obligations” has the meaning given in Section
5.1(c) of Schedule I (Disengagement Assistance).

“Supplier Software” means Supplier Owned Software and Supplier Licensed
Software, collectively.

“Supplier Third Party Service Contracts” has the meaning given in Section
10.3(b) of the General Terms and Conditions.

“Supplier Tools” means Supplier Owned Tools and Supplier Licensed Tools,
collectively.

 




  

“Supplier” has the meaning given in the first paragraph of the General Terms and
Conditions.

“T&M Model” has the meaning given in Section 4 of Schedule N (Project
Framework).

“T&M Rates” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).

“T&M Task Order” has the meaning given in Section 4.2 of Schedule N (Project
Framework).

“Task Order” means a document or set of documents executed pursuant to the
Agreement for the purposes of memorializing an agreement as to Projects and
other non-recurring Services.

“Technology Plan” has the meaning given in Section 3(a) of Schedule F
(Governance).

“Term” has the meaning given in Section 3.1(a) of the General Terms and
Conditions.

“Termination Event” has the meaning given in Section 12 of Schedule C (Charging
Methodology).

“[***] Service Level” has the meaning given in Section 1.1(s) of Schedule B
(Service Level Methodology).

“Test/QA” has the meaning given in Section 1.2(c) of Exhibit A-2 (IT Solution
Description) to SOW #2.

“Third Party Service Contracts” means all agreements with third parties used to
provide the Services.

“third party” means any individual, sole proprietorship, partnership, firm,
entity, unincorporated association, unincorporated syndicate, unincorporated
organization, trust, body corporate, or Governmental or Regulatory Authority,
that is not a Party or an Affiliate of a Party.

“timely” or “on a timely basis” has the meaning given in Exhibit B-2 (Service
Level Definitions) to SOW #2.

“Tools” shall mean tools, processes, frameworks, utilities, artifacts,
procedures, methodologies, templates and Software (including related
Documentation) used to (i) deliver or manage the Services, processes, or staff,
or (ii) increase productivity, and includes such items used for the purpose of
project management, workflow management, service request creation and tracking,
Service Level and metrics measurement, and systems development life cycle.

“Top Tier Facilities” comply with the requirements of Schedule J (Triple-S
Policies and Procedures), Schedule L (IT Security Addendum), and have all of the
following, each of which shall be consistent with good industry standards:
(i) limited access to the Supplier Facility controlled by electronic badge
access; (ii) background checks completed for each individual granted an access
badge; (iii) all visitors must have an escort; (iv) additional electronic
security measures (details are confidential); and (v) at least one
industry-standard functional certification (except if the only functions are
office functions such as account management, ITIL management, and project
management) (e.g., as applicable, CMMi certified, ISO compliant).

“TPA” means third party administrator.

  


  

“Training Services” has the meaning given in Section 2.1 of Schedule A
(Cross-Functional Services).

“Transformation Documents” has the meaning given in Section 12.1(b) of the
General Terms and Conditions.

“Transformation” has the meaning given in Section 12(a) of the General Terms and
Conditions.

“Transition” (1) with respect to the MSA, has that meaning given in Section 11.2
of the General Terms and Conditions and (2) with respect to SOW #2, has the
meaning given in Section 1.1(a) of Exhibit A-2 (IT Solution Description) to SOW
#2.

“Transition Deliverables” has the meaning given in Section 11.4(b) of the
General Terms and Conditions.

“Transition Documents” has the meaning given in Section 11.3(a) of the General
Terms and Conditions.

“Transition Milestones” has the meaning given in Section 11.4(b) of the General
Terms and Conditions.

“Transition Services” has the meaning given in Section 11.3(e) of the General
Terms and Conditions.

“Triple-S Data” means: (i) all data and information in any form (including
Triple-S Confidential Information, payment card information and Personally
Identifiable Information) that is entered in or otherwise transferred to
Software or Equipment by or on behalf of Triple-S and (ii) all data and
information derived from the above information, including as stored in or
processed through the Equipment or Software.

“Triple-S Efficiency Initiative” has the meaning given in Section 8.2 of
Schedule C (Charging Methodology).

“Triple-S Equipment” means Triple-S Leased Equipment and Triple-S Owned
Equipment, collectively.

“Triple-S Facility” means a Triple-S office or business location at which, or
with respect to which, Supplier performs the Services.

“Triple-S Indemnitees” has the meaning given in Section 23.1 of the General
Terms and Conditions.

“Triple-S Leased Equipment” means Equipment leased by Triple-S (or a Triple-S
Affiliate).

“Triple-S Licensed Software” means Software owned (i.e., in which the copyright
is owned) by a party other than Triple-S (or a Triple-S Affiliate) that is
licensed by Triple-S (or a Triple-S Affiliate).

“Triple-S Licensed Tool” means a Tool owned (i.e., in which the copyright is
owned) by a party other than Triple-S (or a Triple-S Affiliate) that is licensed
by Triple-S (or a Triple-S Affiliate).

“Triple-S Owned Equipment” means Equipment owned by Triple-S (or a Triple-S
Affiliate).

“Triple-S Owned Software” means Software owned (i.e., in which the copyright is
owned) by Triple-S (or a Triple-S Affiliate).

  


 

“Triple-S Owned Tool” means a Tool owned (i.e., in which the copyright is owned)
by Triple-S (or a Triple-S Affiliate).

“Triple-S Policies and Procedures” means the standards, policies and procedures
set forth in, or attached to Schedule J or listed in Schedule J (Triple-S
Policies and Procedures) or made available to Supplier on Triple-S’s website or
online storage site, and as new policies and procedures are added by Triple-S
from time to time.

“Triple-S Project Manager” has the meaning given in Section 4.3 of Exhibit A-2
(IT Solution Description) to SOW #2.

“Triple-S Software” means Triple-S Owned Software and Triple-S Licensed
Software, collectively.

“Triple-S Policy Support Services” has the meaning given in Section 2.7 of
Schedule A (Cross-Functional Services).

“Triple-S Systems” has the meaning given in Section 1.3 of Exhibit A (Claims
Service Descriptions) to SOW #1.

“Triple-S Third Party Service Contract” shall mean a Third Party Service
Contract entered into between Triple-S and a third party pursuant to which such
third party provides services to Triple-S.

“Triple-S Tools” means Triple-S Owned Tools and Triple-S Licensed Tools,
collectively.

“Triple-S Work Product” has the meaning given in Section 15.2(a)(i) of the
General Terms and Conditions.

“Triple-S” has the meaning given in the first paragraph of the General Terms and
Conditions.

“True-Up TSS Membership Report” has the meaning given in Section 4.1 of Schedule
C (Charging Methodology).

“TSM Portfolio” has the meaning given in Section 2.1 of Schedule C (Charging
Methodology).

“TSS Membership Report” has the meaning given in Section 2.1 of Schedule C
(Charging Methodology).

“TSS Transferred Contracts” has the meaning given in Section 9.1 of Schedule C
(Charging Methodology).

“Unidentified Asset” has the meaning given in Section 5.6 of Schedule I
(Disengagement Assistance).

“United States” means the United States of America and Puerto Rico.

“UCITA” has the meaning given in Section 25.5 of the General Terms and
Conditions.

“Unclean Claims” has the meaning given in Section 1.3 of Exhibit A (Claims
Service Descriptions) to SOW #1.

  


  

“US CPI” has the meaning given in Section 14.2 of Schedule C (Charging
Methodology).

“Use” means to access, use, copy, maintain, modify, enhance, perform, display,
distribute and create derivative works; provided, when used in the context of a
Software license or a Tool license, the right to modify, enhance, and create
derivative works shall only apply to Software or Tools for which Triple-S is
expressly granted a right to use or obtain Source Code or create derivative
works in the Agreement.

“User Acceptance Testing” has the meaning given in Section 1(c) of Schedule N-1
(Deliverable and Milestone Acceptance Procedures).

“Vendor Management” has the meaning given in Section 1.1(a) of Exhibit A-2 (IT
Solution Description) to SOW #2.

“VIP Adjustment Sponsor” has the meaning given in Exhibit B (Claims Service
Levels) to SOW #01 (Claims).

“VIP Adjustment Sponsor Adjustments” has the meaning given in Exhibit B (Claims
Service Levels) to SOW #01 (Claims).

“VIP Reimbursement Sponsor” has the meaning given in Exhibit B (Claims Service
Levels) to SOW #01 (Claims).

“Virus” means (i) program code or programming instruction(s) or set(s) of
instructions intentionally designed to disrupt, disable, harm, interfere with or
otherwise adversely affect computer programs, data files or operations; or
(ii) other code generally understood as constituting a virus, Trojan horse,
worm, back door or other type of harmful code.

“Warranty Period” has the meaning given in Section 19.4(c) of the General Terms
and Conditions.

“will” has the meaning given in Section 26.10(a) of the General Terms and
Conditions.

“Work Product” means Software, documents, materials, processes, business
processes, business models, business rules, business logic, methods, reports,
documents, templates, studies, strategies, operating models, technical
architecture, design ware, Software objects, Software programs and programming,
program listings, programming tools, interfaces, source code, object code,
artifacts, requirements, specifications, design documents and analyses,
abstracts and summaries, software configurations, test plans, scenarios,
scripts, work and process flows, test results, inventions, and other items
produced by Supplier Personnel, whether developed solely or jointly, as a result
of the Services provided under this Agreement.  A Work Product is either a new
work (not based upon any preexisting work) or a Derivative Work.

“written” has the meaning given in Section 26.10(a) of the General Terms and
Conditions.

“Written Deliverables” has the meaning given in Section 4(a) of Schedule N-1
(Deliverable and Milestone Acceptance Procedures).

  


 



SOW 01 - Main

 



 




 

FINAL EXECUTION VERSION

 

 

 

 

 



 

STATEMENT OF WORK #1 (CLAIMS SERVICES)

 

CLAIMS WRAPPER

 

 

 

 

 

 

 

 

 

 


 

 MASTER SERVICES AGREEMENT

 

STATEMENT OF WORK #01 (Claims Services)

 

This Statement of Work #01 (Claims Services), effective as of August 31, 2017
(“the SOW Effective Date”), is between Triple-S Salud, Inc., a Puerto Rico
corporation, with principal offices located at #1441 F.D. Roosevelt Avenue, San
Juan, Puerto Rico 00921 (“Triple-S”), and OptumInsight, Inc. (“Supplier”), a
Delaware corporation, having a primary place of business at 11000 Optum Circle,
Eden Prairie, MN 55433 (each, a “Party” and collectively, the “Parties”). This
SOW #01 (Claims Services) is entered into and shall be governed by the terms of
that certain Master Services Agreement entered into between the Parties dated
August 29, 2017 (the “Agreement”).

 

1. INTRODUCTION

 

1.1 Background & Purpose

 

This SOW #01 (Claims Services) describes the Claims Services Supplier will
provide for Triple-S, as such Services are defined in Exhibit A (Claims
Services) to this SOW #01 (Claims Services), and sets forth certain other terms
and conditions relating to them, including, among other things:

 

(a) The scope of the Claims Services; and

 

(b) The Service Levels Supplier will meet when performing the Claims Services.

 

1.2 Structure

 

This SOW #01 (Claims Services) is comprised of this cover document and the
following Exhibits:

 

Table 1:  Exhibits to SOW #1 (Claims Services)

Item # | Exhibit | Purpose of Exhibit
1 | Exhibit A (Claims Services) | Describes the scope of the Claims Services.
2 | Exhibit A-1 (Claims Services Description) | Provides a description of the in-scope Functions for the Claims Services.
3 | Exhibit A-2 (Reserved) | Reserved
4 | Exhibit A-3 (Claims Transition Description) | Provides a description of the Transition for the Claims Services.
4.1 | Exhibit A-3-1 (Claims Transition Plan) | A draft Transition Plan agreed to by the Parties.
4.2 | Exhibit A-3-2 (Reserved) | Reserved
4.3 | Exhibit A-3-3 (Critical Milestones) | The set of Claims related Critical Milestones
5 | Exhibit B (Claims Service Levels) | Provides the Service Levels applicable to the Claims Services.






  

1.3 Order of Precedence of SOW #01 Documents

 

To the extent there is any conflict or inconsistency as to the responsibilities
of either Party between (a) Exhibit A (Claims Services), on the one hand; and
(b) Exhibit A-1 (Claims Services Description), on the other hand, then the
Exhibit A (Claims Services) shall prevail. The Parties explicitly acknowledge
that Exhibit A-1 (Claims Services Description) may not address every aspect of
the Services, including each of Supplier’s responsibilities otherwise covered by
Exhibit A (Claims Services). Section 27.11 of the General Terms and Conditions
shall apply with respect to any inconsistency or order of precedence with
respect to this Statement of Work and the remainder of the Agreement.

 

2. DEFINITIONS

 

Capitalized terms used but not defined in this SOW #01 (Claims Services) shall
have the meanings given them in the Agreement.

 

3. CHANGES TO SUPPLIER SOLUTION

 

As a general principle, Supplier has both the right and the obligation to
perform the Services to be provided by it under this Statement of Work in the
manner described in Exhibit A (Claims Services). That said, Supplier is charged
with responsibility for the adequacy of its Solution, which is to say that if
the Supplier’s Solution, as set forth in Exhibit A (Claims Services), should
prove inadequate at any point during the Statement of Work Term for Supplier to
perform and deliver the Services in accordance with the obligations of the
Agreement (including this Statement of Work), then Supplier is responsible for
making such changes to its Solution as are necessary to enable Supplier to
perform and deliver the Services in accordance with such obligations. All such
changes are to be made in accordance with Schedule O (Change Control Process) of
the Agreement, as applicable according to its terms; provided, however, that
Supplier is responsible for making such changes at its own cost and expense
except in those cases (if any) in which the Agreement expressly provides that
Triple-S has Financial Responsibility for them as defined in Schedule C-3
(Financial Responsibility Matrix) and as required by State or Federal Laws.

 

4. APPLICABILITY OF THE AGREEMENT

 

This SOW #01 (Claims Services) is hereby made a part of, and is subject to and
governed by, the Agreement. This SOW #01 (Claims Services) is one of the Initial
Statements of Work executed under the Agreement.

 


 

IN WITNESS WHEREOF, Triple-S and Supplier have each caused this SOW #01 (Claims
Services) to be signed and delivered by its duly authorized officer, all as of
the SOW Effective Date set forth above.

 



Triple-S Salud, Inc.
By: /s/ Madeline Hernández-Urquiza
Print Name: Madeline Hernández-Urquiza
Title: President
Date: August 29, 2017

OptumInsight, Inc.
By: /s/ Eric Murphy
Print Name: Eric Murphy
Title: CEO, OptumInsight
Date: 8/29/2017

 

 

 

 


 



 



SOW 01 - Exhibit A

 

 


 



 

 

 

 



SOW #01 (CLAIMS SERVICES)

 

EXHIBIT A

 

CLAIMS SERVICE DESCRIPTION

 

 

 

 

 

 

 

 

 

 

 

 




 

Table of Contents

1. INTRODUCTION
1.1 General
1.2 Primary Points of Contact
1.3 Definitions
2. CLAIMS SERVICES
3. ADDITIONAL CLAIMS SERVICE REQUIREMENTS
3.1 Operating Hours
3.2 Staffing
3.3 Organizational Structure
3.4 Methodologies Supplier will Utilize to Perform the Services
3.5 Supplier Personnel Retention
3.6 Knowledge Retention
3.7 Quality Assurance
3.8 Resources
4. EXCLUDED FUNCTIONS
5. RETAINED TRIPLE-S RESPONSIBILITIES
6. FORECAST VOLUMES





 

 




 

SOW #1 (CLAIMS SERVICES)

 

Exhibit A

 

CLAIMS SERVICE DESCRIPTION

 

1. INTRODUCTION

 

1.1 General

 

(a) In the most general terms, the “Claims Services” are the Functions
associated with the electronic intake, processing and adjudication of Claims,
coordination of benefits processing, generation and distribution of Explanation
of Benefits, Claims Adjustment, and Quality Assurance of Claims processing as
further described in Section 2, for Claims that are both:

 

(i) For Non-Restricted Members; and

 

(ii) Within the Lines of Business, except as expressly noted otherwise in this
SOW.

 

(b) The Claims Services are more fully described in this Exhibit A (Claims
Service Descriptions). Supplier shall perform the Claims Services, except for
those Functions that are expressly identified as retained Triple-S
responsibilities in Section 5 (Retained Triple-S Responsibilities) below.

 

(c) Reports. Supplier shall generate and provide to Triple-S reporting for the
Claims Services as set forth in Schedule K (Reports).

 

(d) The Functions that comprise the Claims Services include both the Cross
Functional Services described in Section 2 of Schedule A (Cross Functional
Services) and the Functions included as part of the Embedded Processes described
in Section 3 of Schedule A (Cross Functional Services), each as they relate to
the Functions included as part of the Claims Services.

 

1.2 Primary Points of Contact

 

(a) The Triple-S point of contact for this SOW is:

 

Name: Iris M Aponte
Title: Claims Director
Phone: 787-749-4949 ext 4316
E-mail Address: imaponte@ssspr.com

 

(b) The Supplier point of contact for this SOW is:

 

Name: Eric McBride
Title: Vice President of BPO Operations
Phone: 715-858-5277
E-mail Address: eric_b_mcbride@optum.com

 






  

1.3 Definitions

 

Capitalized terms not defined in this Exhibit A (Claims Service Descriptions)
shall have the meanings given them in Schedule AA (Glossary) or elsewhere in
this Agreement. Capitalized terms used in this SOW to describe the Claims
Services are defined as follows:

 

(a) “Adjudication” or “Adjudicated” or “Adjudicating” shall mean the process of
authorizing or denying Claim payment after evaluating Claims against health plan
benefit, claims systems edits and coverage requirements.

 

(b) “Adjustment” shall mean any Claim received post payment amending the content
of an original Claim or received to be reworked after an original determination
was completed.

 

(c) “Administración de Seguros de Salud de Puerto Rico” or “ASES” shall mean the
State agency responsible for the administration of the Medicaid program in
Puerto Rico.

 

(d) “Blue Card Program” shall mean a national program that enables members of a
Blue Cross Blue Shield Plan to obtain healthcare services while traveling or
living in another Blue Cross Blue Shield Plan service area.

 

(e) “Blue Cross Blue Shield Association (BCBSA)” shall mean a national
federation of 36 independent community based and locally operated Blue Cross and
Blue Shield Companies.

 

(f) “Claim” means a request for payment for services that a Member receives.

 

(g) “Clean Claim” shall mean a Claim that has no defect and lacks any required
substantiating document, including any documentation to meet requirements for
encounter data reporting. A Clean Claim is that which does not require Triple-S
to externally develop and investigate a Claim.

 

(h) “COB Queries” shall mean letters sent by Triple-S to Members requesting
information about additional health insurance plan coverage that may be in part
or wholly financially responsible for Members’ healthcare related expenses.

 

(i) “Commercial” shall mean four specific Triple-S segments (as such term is
defined below), including Individual and Family Plan (“IFP”); Small Group
(“SG”); Mid/Large Portfolio (“Core”); and Administrative Service Only Accounts
(“ASO”).

 

(j) “Coordination of Benefits” or “COB” shall mean determinations of
responsibility for payment of healthcare service related charges for Members in
the event Members are insured by multiple entities, including more than one
Triple-S Plans.

 

(k) “Correspondence” shall mean a letter, e-mail, or other written communication
received from a Member or Provider.

 

(l) “Disposition Format (DF)” shall mean the ITS standard format for
transmitting disposition data from the Control/Home Plan to the Par/Host Plan
for preparing provider explanations of benefits and payment, if any.

 

(m) “Division of Financial Responsibility” or “DOFR” shall mean the agreements
between Triple-S and Providers that determine payment obligations.

 

(n) “Encounter(s)” shall mean a medical service received by a Member from a
Provider for which Triple-S has delegated to another entity for processing
(e.g., therapy, behavioral health). Encounters are electronically submitted to
Triple-S Systems. Encounters are only applicable for Health Maintenance
Organization (“HMO”) services.

 

(o) “Explanation of Benefits” or “EOB” shall mean a document that explains an
outcome of Adjudication, including approval, payment amount, or a reason for
denial.

 

(p) “Federal Employee Programs” or “FEP” shall mean a group contract to provide
healthcare benefits to federal employees underwritten by Blue Cross Blue Shield
Plans.

 

(q) “First Pass” or “Automatic(ally) Adjudicated” shall mean any Claim which is
processed without any manual intervention.

 

(r) “Home Claim” shall mean a claim from a local member receiving services
outside its service area through the Blue Card Program.

 

(s) “Host Claim” shall mean a claim from a non local member receiving healthcare
services in local area.

 

(t) “Image” shall mean a scanned copy of a document submitted by Members or
Providers.

 

(u) “Inter Plan Programs” shall mean the collection of programs supported by
approved delivery platforms that enable Control/Home Plans to process claims
incurred by members outside their service area.

 

(v) “Inter Teleprocessing System (ITS)” shall mean the system used to transmit
Claims from Members who receive services from a Blue Cross Blue Shield Plan to
another Blue Cross Blue Shield Plan. It’s a set of common-language data formats,
software and procedures to access, send/receive and control data.

 

(w) “Line(s) of Business” or “LOB” shall mean PSG (i.e., Medicaid), Commercial,
and Medicare Advantage.

 

(x) “Medicaid” shall mean joint federal and state programs that subsidize
medical costs for individuals with limited income and resources.

 

(y) “Medicare Advantage” or “Medicare” shall mean a Triple-S healthcare
insurance product or a government health care program that Triple-S has been
contracted by the Centers for Medicare and Medicaid Services (“CMS”) to
reimburse medical services Claims for citizens over 65 years of age or younger
individuals with disabilities.

 

(z) “Member Reimbursement” shall mean a Member request of payment for medical or
pharmacy services.

 

(aa) “Open” shall mean (i) the first status of a Claim once it is loaded into
the Triple-S Systems, or (ii) a Claim that falls out in the Adjudication process
but does not contain edits from the Triple-S Systems and requires additional
research and manual intervention from Supplier’s agents.

 

(bb) “Pended” or “Suspended” shall mean the status of a Claim for which
Adjudication is delayed pending input, correction, or evaluation of data. Claims
can be assigned Pended status by rules in Triple-S Systems or manually by
Triple-S or Supplier.

 

(cc) “Programa de Salud de Gobierno” or “PSG” shall mean the State Health
Insurance product or government health care program that Triple-S has been
contracted by ASES to reimburse medical services for Medicaid citizens.

 






 

(dd) “Quality Assurance” or “QA” shall mean monitoring and evaluation of the
Claims Services to assess Supplier’s compliance with the Claim Service Levels
and other requirements specified in the Agreement or by Regulators.

 

(ee) “Reconciliation Format (RF)” shall mean the standard ITS format for
transmitting requests for reimbursement of net liability sent from the Par/Host
plan to the Control/Home Plan.

 

(ff) “Rework Claims” shall mean Claims corrections done during the processing of
the Claim and before the final determination (pre-payment).

 

(gg) “Submission Format (SF)” shall mean the standard ITS format for
transmitting claims and pricing data from the Par/Host Plan to the Control/Home
Plan.

 

(hh) “Triple-S Systems” shall mean Triple-S computer systems used and/or
accessed by Supplier in the provision of the Claims Services, including the main
enterprise system.

 

(ii) “Unclean Claims” shall mean a Claim that requires additional information
and further investigation outside of Triple-S.

 

2. CLAIMS SERVICES

 

(a) Supplier will perform the Claims Services described in this Exhibit A
(Claims Service Descriptions). The Claims Services include the Functions set
forth in Exhibit A-1 (Claims Process Definitions). Supplier shall be responsible
for Functions in Exhibit A-1 where Supplier is designated as the responsible
party.

 

(b) Supplier shall provide the Claims Services as required to meet or exceed the
Claims Service Levels set forth in Exhibit B (Claims Service Levels) to this
SOW.

 

3. ADDITIONAL CLAIMS SERVICE REQUIREMENTS

 

Supplier will comply with the following requirements in its performance of the
Claims Services.

 

3.1 Operating Hours

 

Unless otherwise specified herein, the Claims Services shall be performed at
least during the hours of operation set forth in this Section 3.1 (“Hours of
Operation”). No changes shall be made to the Hours of Operation without
Triple-S’s prior written approval. Notwithstanding the foregoing, upon no less
than thirty (30) calendar days’ written request, Triple-S may ask Supplier to
temporarily extend the Hours of Operation to address a specific need. In such
case, the Parties will agree upon (i) the start and end dates for the extended
Hours of Operation, and (ii) the extended Hours of Operation for each day of the
week. Upon the conclusion of any extended Hours of Operation, the Hours of
Operation noted below (or as subsequently modified by the Parties) will
automatically resume.

 

Service: Claims Services
Minimum Hours of Operation (in Triple S’s Local Time Zone): Monday to Friday
7:00am to 4:30pm.

  

3.2 Staffing

 

Minimum Staffing Ratios. To perform the Claims Services set forth in this
Exhibit A (Claims Service Descriptions), and as of the Effective Date, Supplier
anticipates that it will use the following staffing ratios without additional
charge to Triple-S.

 

 




 



Supplier Role: Minimum Staffing Ratio

Operations Director: One (1) Operations Director for overall Triple-S account
at a ratio of one (1) Operations Director to two hundred (200) Agents, or one
per site

Operations Manager: One (1) Operations Manager to one hundred twelve (112)
Agents

Team Lead: Ratio of one (1) Team Lead per twenty (20) Agents

Training Manager: One (1) per Claims Services Supplier Facility

Quality Assurance Auditor: Ratio of one (1) Quality Assurance Auditor to fifty
(50) Agents

Trainer: Ratio of one (1) Trainer to fifty (50) Agents

Workforce Analyst: Ratio of one (1) workforce analyst to one hundred fifty
(150) Agents

Agent: As determined by Supplier based on the 6 Month Rolling Forecast

 

If a change in the Supplier Personnel filling a Supplier Role results in
Supplier falling outside of the Minimum Staffing Ratio, Supplier will use
Commercially Reasonable Efforts to return to the Minimum Staffing Ratio within
sixty (60) days. 

 

3.3 Organizational Structure

 

In addition to the staffing organization, ratios and supervision described in
Section 3.2 above, Supplier will organize the Claims Services Supplier Personnel
according to the Supplier organizational chart provided to Triple-S in
accordance with Section 6.3(f) of the General Terms and Conditions.

 

Supplier will manage demand and Service requirements by coordinating with
Triple-S through weekly and monthly update meetings. Supplier will use
information from these meetings, in addition to information gained from
Supplier’s inventory management and capacity tools, as part of Supplier’s
management of its staffing volume. For higher volume situations, Supplier will
meet demands by adjusting staff workload and work priorities to focus on client
workload instead of internal work processes (e.g., internal meetings, town
halls) and by adjusting shrinkage.

 

3.4 Methodologies Supplier will Utilize to Perform the Services

 

Supplier’s performance of the Claims Services includes use of the following
methodologies:

 

(a) Six Sigma (including a Black Belt dedicated to Triple-S) to improve quality
results, automation results, identify defects, denial trending, and adjustment
trending to improve processes for Triple-S;

 

(b) Capacity and forecasting models to manage staffing appropriately for
variations in Claim volumes, planning for holidays and other variations in
calendars (e.g., working days in each month);

 

(c) Analytical methodologies to help Supplier understand drivers of Claim
adjustment reason codes and to assist in improving quality and Triple-S
experience;

 

(d) Automation and edit review methodologies for identifying opportunities to
build automation and repeatable processes;

 

(e) Review of defects to reduce the number of adjustments to improve Claims
Services performance; and

 






 

(f) Project management methodologies for managing Claims projects.

 

3.5 Supplier Personnel Retention

 

Supplier is an employer of choice for the local employee base where the Claims
Services will be performed and Supplier will use the following processes to
recruit Supplier Personnel:

 

(a) Supplier internal hiring process to search current employee population by
opening formal requisitions through Supplier’s human capital department;

 

(b) Working with Supplier’s recruiting specialists to search for qualified,
in-house staff to fill open positions;

 

(c) Supplier corporate sourcing team to search for external candidates using
high-volume hiring sites (e.g., CareerBuilder, LinkedIn, Facebook, Monster.com,
Indeed.com) and drive interest in Supplier;

 

(d) Supplier screens potential new hires using its talent acquisition team and
through a series of functional interviews before making hiring decisions; and

 

(e) Supplier’s recruiter extends job offers (following background checks for
external candidates) and works with the candidate to complete necessary hiring
documents.

 

Supplier will use the following processes and programs to retain Supplier
Personnel:

 

(a) Market competitive pay, competitive benefits and wellness programs;

 

(b) Programs for employee recognition, career development, diversity and
inclusion and social responsibility;

 

(c) Incentive program (including compensation) for new employee innovations; and

 

(d) Employee engagement surveys, leader-employee monthly meetings, monthly town
halls and open house discussions with senior leaders.

 

3.6 Knowledge Retention

 

Supplier will maintain the SOPs using Supplier’s standard database of
procedures. Supplier will review and update the SOPs with Triple-S at least on
an annual basis to confirm accuracy.

 

3.7 Quality Assurance

 

Supplier performs regular reviews of quality in performance of the Claims
Services, including to drive compliance with the Service Levels, using the
following processes:

(a) Performing statistically valid random sample of Claims Services to assist
in Service Level compliance;

 

(b) Performing self-audits;

 

(c) Performing on the job training for Supplier Personnel; and

 

(d) Reviewing quality assessments with supervisors and managers to identify
improvements in Claims processor performance (including performing quality
assurance on the performance of Supplier agents).

 






 

3.8 Resources

 

Supplier will use the following Tools to perform the Claims Services, including
to provide the reports set forth on Schedule K (Reports):

 

(a) Triple-S-facing performance dashboards to report on Service Level
performance;

 

(b) Inventory management tools to assist Supplier in tracking and managing
Claims volumes to adjust workflows, staffing and day to day operations; and

 

(c) Productivity tools to track Claim status, time in production, down time and
other metrics to assist Supplier in staffing, Service Level compliance and
Claims Services performance.

 

4. EXCLUDED FUNCTIONS

 

Triple-S acknowledges that Supplier will not, and this Agreement contemplates
that Supplier will not, provide clinical, medical, or insurance advice or
counseling.

 

5. RETAINED TRIPLE-S RESPONSIBILITIES

 

Triple-S shall retain the following responsibilities as they relate to the
Claims Services:

 

(a) Providing Supplier with access to data from Triple-S vendors as reasonably
needed for Supplier to perform its reporting obligations under this SOW.

 

(b) Performing the Functions in Exhibit A-1 that are designated with Triple-S as
the responsible party.

 

(c) Providing guidelines for quality assurance calibration, including the
scheduling, monitoring and facilitating of calibration sessions.

 

(d) Providing timely feedback of any complaints Triple-S receives associated
with the Claims Services to support applicable complaint response timelines and
processes in accordance with applicable Laws.

 

(e) Obtaining applicable approvals for Non-Restricted Member Claims.

 

(f) Maintaining responsibility for the integrity, accuracy and completeness of
all Triple-S provided data, information and written materials, policies that
Triple-S provides to Supplier, including but not limited to, all Member and
Provider data and Claims volumes.

 

(g) Except as set forth in SOW #2 (IT Services), Adjudicating and processing all
ITS and FEP Claims.

 

6. FORECAST VOLUMES

 

By the 15th day of each month, Triple-S shall submit to Supplier a forecast of
aggregate membership that will generate Claims volume subject to the Claims
Services to be processed by Supplier in the next six (6) months (the “6 Month
Rolling Forecast”).

 

The first and second months of each 6 Month Rolling Forecast provided by
Triple-S (the “Binding 2 Month Forecast”) shall not be subject to revision.
Triple-S shall have the option to modify forecast volumes in each successive 6
Month Rolling Forecast, except for the Binding 2 Month Forecast portion, at its
sole discretion.

 

Example 1: Triple-S will provide an updated 6 Month Rolling Forecast to Supplier
by September 15th covering October through March. The October and November
portion of the forecast provided is the Binding 2 Month Forecast. Triple-S may
increase or decrease the December through March portions of the forecast in its
sole discretion.

 

7. INVENTORY MANAGEMENT

 

As part of the Claims Services, Supplier will be responsible for Inventory
Management. “Inventory Management” are the Functions associated with creating
and maintaining a daily accurate accounting of all inventories and transactions,
reporting to Triple-S inventory numbers (including aged claim statistics), and
attending meetings (including those described in Section 3.3 above) to discuss
volumes, issues, and other operational topics, including the following
activities:

 

(a) Performing inventory control and management;

 

(b) Creating and maintaining a daily accurate accounting of transactional
inventories, including claims and other adjustment related transactions
received, "in process" (i.e., transactions received, but not considered
"complete" in the core system) and transactions completed and inventory aging
statistics;

 

(c) Utilizing daily inventory management reports to control and maintain
inventory within compliance and business service levels;

 

(d) Making all daily and cumulative monthly inventory management reports
available to Triple-S as described in Schedule K (Reports); and

 

(e) Providing access to daily inventory reports / systems and cumulative monthly
inventory management reports to Triple-S as described in Schedule K (Reports).

 








 

 

 

SOW 01 - Exhibit A-1

 




 

 

 

 



STATEMENT OF WORK #1 (CLAIMS SERVICES)

 

EXHIBIT A-1

 

CLAIMS PROCESS DEFINITIONS

 

 

 





 

 

 

 

 


 



SOW #01 (CLAIMS SERVICES)

EXHIBIT A-1

CLAIMS PROCESS DEFINITIONS

 

1. CLAIMS PROCESS DEFINITIONS INTRODUCTION

 

The Claims Process Definitions described in this Exhibit A-1 are part of SOW #01
(Claims Services). In addition to describing the Process Definitions, this
Exhibit A-1 sets forth the responsible party for each process.

 



Process / Definition / Responsible Party

1. Claims Intake

1.1 Intake

“Intake” are those Functions associated with the intake of Claims in format
including receiving EDI and PO Box Claims from different sources and formats
(e.g., clearinghouses, Providers or ITS Host and FEP). (Responsible Party:
Triple-S)

2. Claims Processing

2.1 Claims Adjudication – Medical Claims

“Claims Adjudication – Medical Claims” are those Functions associated with
Adjudicating medical Claims including:

(a) Reporting of Claims status post auto-Adjudication; (Responsible Party:
Supplier)

(b) Identifying Open and Pended Claims for research and Adjudication;
(Responsible Party: Supplier)

(c) Reviewing Pended Claims; (Responsible Party: Supplier)

(d) Identifying and correcting systemic data errors; (Responsible Party:
Triple-S)

(e) Reconciling all Provider data issues; (Responsible Party: Triple-S)

(f) Processing Open and Pended Claims (including collecting missing data);
(Responsible Party: Supplier)

(g) Marking or forwarding Pended Claims for input from other Supplier teams in
the workflow tool; (Responsible Party: Supplier)

(h) Generating inquiry letters and emails to obtain information (as necessary)
to resolve Claims issues; (Responsible Party: Supplier)

(i) Generating inquiry calls or mailing letters based on input from Supplier to
obtain information (as necessary) to resolve Claim issues; (Responsible Party:
Triple-S)

  




 

(j) Identifying and routing Claims to Triple-S for medical review and
determination; (Responsible Party: Supplier)

(k) Flagging and sending unresolved Claims to Triple-S internal stakeholders
(e.g., Provider data services); (Responsible Party: Supplier)

(l) Obtaining input on Claims from Triple-S internal groups as appropriate;
(Responsible Party: Supplier)

(m) Fixing unresolved Intervention Claims issues; (Responsible Party: Triple-S)

(n) Completing Claims processing after all necessary fixes; (Responsible Party:
Supplier)

(o) Sending follow-ups if Claims issues are not resolved by other stakeholders;
(Responsible Party: Supplier)

(p) Tracking and escalating if the issue is not resolved by Triple-S after the
threshold days; (Responsible Party: Supplier)

(q) Performing external pricing for certain Claims including: Non participant
Provider claims that should be priced as Original Medicare using CMS payment
methodologies or pricers; (Responsible Party: Supplier)

(r) As appropriate, obtaining approval from Triple-S for high dollar Claims;
(Responsible Party: Supplier)

(s) As appropriate, providing guidance on high dollar Claims; (Responsible
Party: Triple-S)

(t) Calculating and processing late payment interest. (Responsible Party:
Triple-S)

2.2 Claims Adjudication Non-Medical / Ancillary Claims

“Claims Adjudication Non-Medical / Ancillary Claims” are those Functions
associated with Adjudicating non-medical and ancillary Claims including:

(a) Processing hearing Claims; (Responsible Party: Supplier)

(b) For PSG and Commercial, processing Claims for Dental services; (Responsible
Party: Supplier)

(c) For PSG and Commercial, processing Claims for Vision services; (Responsible
Party: Supplier)

(d) Processing Claims for behavioral services; (Responsible Party: Supplier)

(e) Processing Claims for implants (e.g., surgical trays) and DME (durable
medical equipment); (Responsible Party: Supplier)

(f) Processing Claims for long-term care services, except personal assistant
and private duty/ independent Provider services; (Responsible Party: Supplier)

(g) Processing Claims for non-urgent / emergent transportation; (Responsible
Party: Supplier)

(h) Routing Claim issues related to Triple-S delegated third party vendors to
Triple-S; (Responsible Party: Supplier)

(i) Handling Claims processing issues with delegated third party vendor based
on details provided by Supplier; and (Responsible Party: Triple-S)



 




 



(j) Processing Claims for wellness benefits. (Responsible Party: Supplier)

2.3 COB Processing

“COB Processing” are those Functions associated with processing COB Claims
including:

(a) Researching Claims Pended for COB; and (Responsible Party: Supplier)

(b) Processing COB Claims after all issues are resolved. (Responsible Party:
Supplier)

2.4 EOB

“EOB” are those Functions associated with processing Explanation of Benefits
(“EOB”) including:

(a) Printing and mailing EOB to Members. (Responsible Party: Triple-S)

2.5 Claims Adjustment

“Claims Adjustment” are those Functions associated with adjusting Claims
including:

(a) Receiving and documenting adjustment requests from all stakeholders,
including Providers and Triple-S; (Responsible Party: Supplier)

(b) Reviewing adjustment requests and making corrections to Claims where
necessary; (Responsible Party: Supplier)

(c) Ensuring Claims adjustment timelines are accounted for in the processes and
service levels; (Responsible Party: Supplier)

(d) Identifying, tracking, and resolving adjustment discrepancies to connect to
prior Claims errors; (Responsible Party: Supplier)

(e) Generating the file for letters for overpayment and underpayment discovered
during audits and quality checks; (Responsible Party: Supplier)

(f) Mailing letters for overpayment and underpayment discovered during audits
and quality checks; (Responsible Party: Triple-S)

(g) Process mass adjustments received from Triple-S for pricing and policy
changes; (Responsible Party: Supplier)

(h) Following Triple-S process for high dollar adjustments; (Responsible Party:
Supplier)

(i) As appropriate, obtaining approval from Triple-S for high dollar
adjustments; (Responsible Party: Supplier)

(j) As appropriate, providing guidance on high dollar adjustments; (Responsible
Party: Triple-S)

(k) Performing mass adjustments; (Responsible Party: Supplier)

(l) Processing Claims adjustments; and (Responsible Party: Supplier)

(m) Processing of claims adjustments associated with recoveries sent by
Triple-S. (Responsible Party: Supplier)

2.6 Member Reimbursement

“Member Reimbursement” are those Functions associated with processing Member
reimbursements including:

 




 

(a) Receiving paper Claims requests by mail, fax, etc.; Responsible Party: Triple-S
(b) Sorting and preparing paper requests; Responsible Party: Triple-S
(c) Scanning of paper requests and all supporting documentation; Responsible Party: Triple-S
(d) Receiving and loading electronic Member Reimbursement requests including those received via the web application and email; Responsible Party: Supplier
(e) Data entry of all services related to Member Reimbursement request; Responsible Party: Supplier
(f) Resolving all Claim issues and obtaining input on Claims from Triple-S internal groups as appropriate; Responsible Party: Supplier
(g) Flagging and sending unresolved Claims to Triple-S internal stakeholders; Responsible Party: Supplier
(h) Fixing unresolved Intervention Claims issues; Responsible Party: Triple-S
(i) Generating letters (in a printable format) to Members related to denials including requesting information or final denial determination; Responsible Party: Supplier
(k) Printing and sending letters to Members related to denials including requesting information, or final denial determination; and Responsible Party: Triple-S
(l) Monitoring Member Reimbursement timeliness to comply with Service Levels. Responsible Party: Supplier

2.7 Additional Claims Processing Functions

“Additional Claims Processing Functions” are those Functions associated with Claims processing that require Triple-S intervention (e.g., resolving Provider demographic updates, clinical recommendations, prior authorization updates, eligibility updates, high dollar threshold reviews, medical record reviews) in order for Supplier to process the Claim (“Intervention Claim”) including:

(a) Identifying and routing to Triple-S the Intervention Claim; Responsible Party: Supplier
(b) Management and resolution of Intervention Claim issue; Responsible Party: Triple-S
(c) Routing to Supplier resolved Intervention Claim issue; and Responsible Party: Triple-S
(d) Receiving and processing resolved Intervention Claim issue. Responsible Party: Supplier

2.8 Escalation Claim Inquiry

“Escalation Claims Inquiry” are those Functions associated with Claims processing that require Supplier action in order for Triple-S to resolve an issue with the Claim (“Supplier Escalation Claims”) including:

(a) Identifying and routing Supplier Escalation Claims to Supplier; Responsible Party: Triple-S
(b) Managing and resolving Supplier Escalation Claim issue; Responsible Party: Supplier
(c) Routing to Triple-S resolved Supplier Escalation Claim issue; and Responsible Party: Supplier

 




 

(d) Receiving resolved Supplier Escalation Claim issue. Responsible Party: Triple-S

3. Quality assurance

3.1 Quality Assurance (Pre/Post Payment Review)

“Quality Assurance (Pre/Post Payment Review)” are those Functions associated with performing quality checks on payments including:

(a) Creating criteria for pre- and Post-Payment quality checks; Responsible Party: Supplier
(b) Performing quarterly calibration of the criteria used in audit/quality processes; Responsible Party: Supplier
(c) Following Triple-S policies for quality assurance audits; Responsible Party: Supplier
(d) Identifying Claims for Pre-Payment quality checks as per documented guidelines; Responsible Party: Supplier
(e) Performing Pre-Payment quality check review; Responsible Party: Supplier
(f) Documenting issues identified in Pre-Payment quality check; Responsible Party: Supplier
(g) Fixing Claims issues identified in Pre-Payment quality check; Responsible Party: Supplier
(h) Identifying Claims for Post-Payment quality check; Responsible Party: Supplier
(i) Performing Post-Payment quality check reviews as per documented guidelines; Responsible Party: Supplier
(j) Documenting issues identified in Post-Payment quality checks; Responsible Party: Supplier
(k) Performing adjustments based on Post-Payment quality check results; Responsible Party: Supplier
(l) Based on Service Level performance, summarizing Post-Payment quality checks on a weekly and monthly basis and sharing summaries with Triple-S; and Responsible Party: Supplier
(m) Developing recommendations to fix processes found to be deficient from quality checks. Responsible Party: Supplier

4. PAYMENT / REMITTANCE ADVICE

“Payment / Remittance Advice” are those Functions associated with processing payments, and remittances including:

(a) Performing business approval; and Responsible Party: Triple-S
(b) Mailing checks or remittance advice. Responsible Party: Triple-S

 

 




 

 



SOW 01 Exhibit A-3

 

 

 




 



 

 

 

 

 



STATEMENT OF WORK #1 (CLAIMS SERVICES)

 

EXHIBIT A-3

 

CLAIMS TRANSITION DESCRIPTION

 

 

 

 

 

 

 

 

 




 

Statement of Work #1 

Exhibit A-3

 



 

TABLE OF CONTENTS

 

 

1   Introduction
2   High Level Description of the Claims Transition
2.1   Phases
2.2   Schedule
2.3   Major Work Stream(s)
2.4   Milestones
2.5   Transition Deliverables
3   Continuity of Operations
4   Transition Management
4.1   Transition Management Activities
4.1.1   Status Reporting
5   Risks
6   Triple-S Dependencies
7   Risk Management

 


 

 

 

1 Introduction

 

Commencing upon the Effective Date and ending upon the Service Commencement Date
for the Claims Services, Supplier will perform the following Claims Transition
services for Triple-S (“Claims Transition”).

 

2 High Level Description of the Claims Transition

 

Supplier’s Claims Transition approach provides a framework to manage and control
the applicable Claims Transition activities using project management best
practices. Using this approach, Supplier will provide a project management
framework, best practices, lessons learned, and Claims Transition support to
Triple-S.

 

2.1 Phases

 

Supplier’s methodologies are aligned with industry standard project management
methodologies. The figure below provides a summary of the phases for the Claims
Services Transition.

 

Figure 2-1 – Transition Phases

 

[image_077.jpg]

 




 

 

2.2 Schedule

 

The Claims Services Transition schedule will be based on the project plan (a
draft of which is provided in Exhibit A-3-1 to this Exhibit A-3), and will be
performed in accordance with the Critical Milestones provided in Exhibit A-3-3
to this Statement of Work.

 

The following view is an example of the schedule anticipated as of the Effective
Date for the Claims Services Transition. In the event of any conflict between
the schedule provided in the chart below and Exhibit A-3-1, Exhibit A-3-1 will
control.

 

Figure 2-2 Example Schedule*

 

Phase: LOB; Project Initiation; Knowledge Acquisition; Project Set-up Knowledge Transfer; Work Ramp-up; Steady State

All LOBs (across work streams): Month 1 to Month 2; Month 1 to Month 2
Medicare: Open/Pended: Month 2 to Month 6; Month 4 to Month 8; Month 9
Medicare: Adjustments: Month 5 to Month 6; Month 6 to Month 8; Month 9
Commercial: Open/Pended: Month 2 to Month 6; Month 4 to Month 8; Month 9
Commercial: Adjustments: Month 5 to Month 6; Month 6 to Month 8; Month 9
Medicaid: Open/Pended: Month 2 to Month 4; Month 4 to Month 6; Month 9
Medicaid: Adjustments: Month 5 to Month 6; Month 6 to Month 8; Month 9
Member Reimbursements (across Medicare and Commercial): Month 2 to Month 6; Month 4 to Month 8; Month 9

 


 



Timeline >> Trainer OJT Coach / QA 7/17/17 7/24/17 7/31/17 8/7/17 8/14/17 8/21/17 8/28/17 9/4/17 9/11/17 9/18/17 9/25/17 10/2/17 10/9/17

Onsite KA - Week 1
Onsite KA (Week 2 - Week 8)
Medicare - HealthSuite: 8 8 8 8 8 8 8 *
Medicare - [***] (Offshore/Remote): 2
Commercial (including Vision, Hearing & Dental): Onshore 6 6 6 6 6 6 6 *
Medicaid: Onshore 3 3 3 3 3 3 3 *
Member Reimbursements: Onshore 1 1 1 1 1 1 1 *
Hands-on Production - Offshore
KT - Offshore FTEs

Medicare Claims (76 FTE) including Member Reimbursements
Suspended - 46 FTE
Adjustments FTE - 30 FTE

Open/ Pended - HS: 24
Open/ Pended – [***]: 24
Adjustments - HS
Open/ Pended - HS: 24
Adjustments - [***]
Open/ Pended - [***]

Commercial Claims (74 FTE) - including Vision, Hearing, Dental & Member Reimbursements
Pended - 44 FTE
Adjustments FTE - 30 FTE

Open/ Pended - [***]: 24
Open/ Pended - [***]: 24
Adjustments - [***]
Open/ Pended - [***]: 24
Adjustments - [***]
Open/ Pended - [***]

Medicaid Claims (30 FTE)
Open/ Pended - 22 FTE
Adjustments - 08 FTE

Open/ Pended - [***]: 24
Open/ Pended - [***]: 11
Adjustments - [***]

 

 


 



Timeline >> 10/16/17 10/23/17 10/30/17 11/6/17 11/13/17 11/20/17 11/27/17 12/4/17

Onsite KA - Week 1
Onsite KA (Week 2 - Week 8)
Medicare - HealthSuite
Medicare - [***] (Offshore/Remote): 2 2 2 2 2 2 2 2
Commercial (including Vision, Hearing & Dental)
Medicaid
Member Reimbursements
Hands-on Production - Offshore
KT - Offshore FTEs

Medicare Claims (76 FTE) including Member Reimbursements
Suspended - 46 FTE
Adjustments FTE - 30 FTE

Open/ Pended - HS: 24 24 24 24 24 24 24 24
Open/ Pended – [***]: 24 24 24 24 24 24 24 24
Adjustments - HS
Open/ Pended - HS: 24 24 24 24 24 24 24 24
Adjustments - [***]
Open/ Pended - [***]

Commercial Claims (74 FTE) - including Vision, Hearing, Dental & Member Reimbursements
Pended - 44 FTE
Adjustments FTE - 30 FTE

Open/ Pended - [***]: 24 24 24 24 24 24 24 24
Open/ Pended - [***]: 24 24 24 24 24 24 24 24
Adjustments - [***]
Open/ Pended - [***]: 24 24 24 24 24 24 24 24
Adjustments - [***]
Open/ Pended - [***]

Medicaid Claims (30 FTE)
Open/ Pended - 22 FTE
Adjustments - 08 FTE

Open/ Pended - [***]: 24 24 24 24 24 24 24 24
Open/ Pended - [***]: 11 11 11 11 11 11 11 11
Adjustments - [***]

 

 

 

 


 





Timeline >> 12/11/17 12/18/17 12/25/17 1/1/18 1/8/18 1/15/18 1/22/18 1/29/18 2/5/18 2/12/18 2/19/18 2/26/18

Onsite KA - Week 1
Onsite KA (Week 2 - Week 8)
Medicare - HealthSuite
Medicare - [***] (Offshore/Remote): 2 2
Commercial (including Vision, Hearing & Dental)
Medicaid
Member Reimbursements
Hands-on Production - Offshore
KT - Offshore FTEs

Medicare Claims (76 FTE) including Member Reimbursements
Suspended - 46 FTE
Adjustments FTE - 30 FTE

Open/ Pended - HS: 22 22 22 22 29 29 29 29 29 29 29 29
Open/ Pended – [***]: 22 22 19 19 0
Adjustments - HS: >> 17 17 17 17 17 17 15 15
Open/ Pended - HS: 24 22 22 22 0
Adjustments - [***]: >> 17 17 17 17 17 17 15 15
Open/ Pended - [***]: 18 18 18 18 18 18 18 17 17

Commercial Claims (74 FTE) - including Vision, Hearing, Dental & Member Reimbursements
Pended - 44 FTE
Adjustments FTE - 30 FTE

Open/ Pended - [***]: 22 22 22 22 22 22 –
Open/ Pended - [***]: 22 22 19 19 2 2 2 2 2 2 2 2
Adjustments - [***]: >> 17 17 17 17 17 17 15 15
Open/ Pended - [***]: 22 22 22 22 5 5 5 5 5 5 5 5
Adjustments - [***]: >> 17 17 17 17 17 17 15 15
Open/ Pended - [***]: 17 17 17 17 17 17 17 17 15 15

Medicaid Claims (30 FTE)
Open/ Pended - 22 FTE
Adjustments - 08 FTE

Open/ Pended - [***]: 22 22 22 22 22   22 22 22 22 22 22
Open/ Pended - [***]: 10 10 10 10 >>
Adjustments - [***]: >> 10 10 10 10 10 10 8 8



 

 




 



Timeline >> 3/5/18 3/12/18 3/19/18 3/26/18 4/2/18 4/9/18 4/16/18 4/23/18 4/30/18 5/7/18 5/14/18 5/21/18 5/28/18 6/4/18 6/11/18 6/18/18 6/25/18

Onsite KA - Week 1
Onsite KA (Week 2 - Week 8)
Medicare - HealthSuite
Medicare - [***] (Offshore/Remote)
Commercial (including Vision, Hearing & Dental)
Medicaid
Member Reimbursements
Hands-on Production - Offshore
KT - Offshore FTEs

Medicare Claims (76 FTE) including Member Reimbursements
Suspended - 46 FTE
Adjustments FTE - 30 FTE

Open/ Pended - HS
Open/ Pended – [***]
Adjustments - HS: 15 15 15 15 15 15 15 15 15 IN production – but not 100% productive
Open/ Pended - HS
Adjustments - [***]: 15 15 15 15 15 15 15 15 15 IN production – but not 100% productive
Open/ Pended - [***]: 17 17 17 17 17 17 17 17 17 IN production – but not 100% productive

Commercial Claims (74 FTE) - including Vision, Hearing, Dental & Member Reimbursements
Pended - 44 FTE
Adjustments FTE - 30 FTE

Open/ Pended - [***]
Open/ Pended - [***]: >>
Adjustments - [***]: 15 15 15 15 15 15 15 15 15 IN production – but not 100% productive
Open/ Pended - [***]: >>
Adjustments - [***]: 15 15 15 15 15 15 15 15 15 IN production – but not 100% productive
Open/ Pended - [***]: 15 15 15 15 15 15 15 15 15 IN production – but not 100% productive

Medicaid Claims (30 FTE)
Open/ Pended - 22 FTE
Adjustments - 08 FTE

Open/ Pended - [***]
Open/ Pended - [***]
Adjustments - [***]: 6 6 6 8 8 8 8 8 8 IN production – but not 100% productive



* Dates in the plan are based on start date of Sep 1, 2017 (KA initiates prior
to this date)

 

2.3 Major Work Stream(s)

 

The major work streams associated with the Claims Transition Services are as
follows:

 

Work Stream: Description

Operations: Responsible for the manual processing of claims in support of the overall delivery of benefits and services by providing support and guidance to customers to ensure continued services.

Quality: Responsible for the overall delivery of the quality assurance guidelines and programs, performance of quality audits and determination of process improvement opportunities.

Training: Responsible for the effective delivery and execution of training programs and ensures all operational, technological and organizational resources have the specific knowledge and tools to perform their duties.

Workforce Management: Responsible for the overall forecasting, capacity planning, scheduling and real time execution as they relate to workforce management. Provides operational reporting, oversight of telephony tools and infrastructure and provides business continuity planning.

 




 



 



Work Stream: Description

Reporting and Analytics: Responsible for the overall reporting templates and distribution. Responsible for designing/developing, programming, maintaining and publishing operational reports. Provides operational analysis utilized for decision making. May make recommendations based on the analysis, and provide explanations for reporting results as needed.

Human Resources: Responsible for providing talent acquisition, organizational development direction and support. Acts as a trusted advisor and business partner to leverage appropriate solutions aligned to the business strategies and outcomes.

Transitions: Responsible for deploying the Supplier transition methodology to plan & implement the project within scope – including communication of progress updates, risks and mitigation, stakeholder management as part of the established program governance.

 

 

2.4 Critical Milestones

 

Descriptions and due dates for the Critical Milestones are provided in Exhibit
A-3-3 (Critical Claims Milestones).

2.5 Transition Deliverables

Supplier will provide the following Transition Deliverables, which will be based
on the description below and the due dates provided in Exhibit A-3-3.

 

Deliverables: Description

1. Claim Services Plan: The detailed document that describes the objectives, timeline, activities, constraints, and outputs needed to complete the Claims Transition.

2. Transition Work Plan: Supplier shall create a Claims Transition plan applicable to the Claims Services that includes the tasks, roles, responsibilities, and timelines needed for the Claims Services to commence according to the timeline mutually agreed with Triple-S.

3. As-Is Operations Model: The “As-Is” Operations Model is the detailed description of the current operational environment and process as of the Effective Date.

4. Knowledge Transfer Plan: The Knowledge Transfer Plan documents the process and content for performing Training consistent with Section 3.7 of Exhibit A (Claim Services).

 




 

 

 



Deliverables: Description

5. New Operations Model: The New Operations Model is the description of the planned operational environment and processes for Supplier’s performance of the Claim Services.

6. Operations Report Templates: Templates for reports to be provided pursuant to Schedule K (Reports).

 

 

3 Continuity of Operations

 

Supplier will provide the Claims Services Transition services in a manner that
minimizes disruption to the Triple-S operations in place as of the Effective
Date as follows:

 

· Maintain ongoing dialogue with the Claims Delivery Liaison to proactively
address concerns and mitigations

 

· Perform readiness exercises to capture and remedy early potential failures
before the demonstration of end-to-end system readiness and the operational
start date

 

· Monitor real-time operational systems and processes to make adjustments as
needed to avoid service degradation

 

The Transition Plan, Transition Schedule, and subsequent status updates will
contain Transition Milestones and applicable Deliverables. Supplier and Triple-S
will conduct regular transition steering committee calls to identify and address
Claims Transition risks.

 


 

 

 

4 Transition Management

 

4.1 Transition Management Activities

 

4.1.1 Status Reporting

 

Supplier will provide regular status reporting during the Transition, including
weekly status reporting and executive status reporting. The following provides
an example of a Weekly Status report:

 

Figure 4-1 – Sample Weekly Status Report

 

[image_078.jpg]

 


 

 

 

The following provides an example of the executive status report format:

 

Figure 4-2 - Sample Executive Status Report

 

[image_079.jpg]

 


 

 

 

5 Risks

 

The following table provides examples of potential constraints associated with
Claims Transition Services and activities. The table below includes possible
mitigation approaches.

 

1. Risk: System access is delayed
Mitigation:
·   Triple-S will need to enforce contract terms and Triple-S-approved Transition Plan.
·   The Transition Plan will identify Supplier and Triple-S responsibilities.

2. Risk: Missing or incomplete information is provided to Triple-S and/or Supplier
Mitigation:
·   Supplier will attempt to identify missing or incomplete information early in the process and notify Triple-S immediately.
·   When information is not adequate, Supplier will notify Triple-S and request intervention.

3. Risk: Supplier Transition activities may interrupt services.
Mitigation: When Supplier develops the AS-IS Operations Model & TO-BE Operations Model, Supplier will verify that the existing services or capabilities-related requirements are addressed with the new solution to provide similar capability or services after Transition to the new solution.

4. Risk: Lack of knowledge of existing tools and capabilities affect service performance, including Service Levels.
Mitigation: Triple-S will provide reasonable support in accordance with its turnover plan.

5. Risk: Incomplete/ Inadequate Knowledge Transfer
Mitigation:
·   Supplier will undertake comprehensive Knowledge Acquisition exercise
·   When information is not adequate, Supplier will notify Triple-S and request intervention.

6. Risk: Triple-S Claims Service team Attrition
Mitigation:
·   Addressed by agreeing to accelerated 8 month transition plan.

 

6 Triple-S Dependencies

 

Supplier requests that Triple-S provide the following support.

 




 

 

 

Phase: Onsite Knowledge Acquisition (Aug’17-Oct’17)
Triple-S Resources: 8 – 12 SME
Duration: 7 weeks; 5 hours per day (3 hours on system, 2 hours off system)
Nature of support: SME support at Triple-S sites in Puerto Rico according to agreed upon plan

Phase: Supplier Classroom Training (Per LOB); Open/Pended (Oct’17-Nov’17); Adjustments (Jan’18-Feb’18)
Triple-S Resources: 3 SME (1 from each LOB)
Duration: Open/Pended: 10 weeks (2-3 hours per SME per week); Adjustments: 4 weeks (2-3 hours per SME per week)
Nature of support: Webex/ conference call support for clarifications

Phase: Supplier OJT/ Ramp (Per LOB); Open/Pended (Nov’17 – April’18); Adjustments (Feb’18-April’18)
Triple-S Resources: Quality\Coordinator across each LOB (TBD)
Duration: Open/Pended: 2 weeks OJT, 8 weeks ramp, Auditor daily engagement TBD; Adjustments: 1 week OJT, 6 weeks ramp, Auditor daily engagement TBD
Nature of support: Auditing transactions/output, sharing scores, feedback & calibration

 

7 Risk Management

 

Supplier will use Supplier’s risk assessment tool, IRAD (Issues, Risks, Actions,
and Decisions) to manage risks and issues during the Claims Transition. The IRAD
is a workbook designed to help drive more predictable outcomes by identifying
key risk areas across a product or project development initiative.

 

This combination of likelihood and consequence positions each risk into one of
three categories: 1) Most Important Risks, 2) Very Important Risks, or 3)
Important Risks. Such designation assists Supplier in tracking, managing and
addressing risks during the course of the Claims Transition. The designation
also determines the timing and frequency of Supplier’s communications to
Triple-S regarding such risks (as described below).

 




 

 

 

Figure 7-1 outlines the elements of the overall risk management process. As
risks or problems are identified during the course of the Claims Transition,
Supplier will document and address them in a direct and straightforward manner
and resolve or mitigate so as not to compromise the success of the Claims
Transition. Supplier will communicate risks to the Supplier and Triple-S
transition teams in a timely and effective manner, and risks and issues analysis
and reporting will be a feature of the weekly transition status meeting.

 

Figure 7-1 Supplier Risk Management Approach. Supplier’s approach requires that
risks be identified, assessed, and assigned to a responsible owner, and that a
risk mitigation approach be developed and implemented.

 

Figure 7-1 - Risk Management

 

The Risk Management Plan will include Supplier’s strategy for issue management,
including tracking, impact analysis, mitigation plans and escalation procedures.
A mitigation or removal plan will be formulated for each identified issue, with
clear responsibilities.

 

Because issue reduction or mitigation actions may also trigger other Claims
Transition changes, the Risk Management Plan will also address change management
as it pertains to risk and issue management during the Transition.

 

 




 

 

 

 

 

 

 

 



STATEMENT OF WORK #1 (CLAIMS SERVICES)

 

ATTACHMENT A-3-1 (TRANSITION AND TRANSFORMATION PROJECT PLAN)

 

 

 

 

 

 

 

 

 

 

 

 

 

 




 



ID | WBS | Task Name | Duration | Start | Finish
1 | 1 | CLAIMS OFFSHORE | 492 days | Fri 8/11/17 | Mon 7/1/19
2 | 1.1 | Transition Milestones | 66 days | Fri 9/8/17 | Mon 12/11/17
3 | 1.1.1 | Kick Off Meeting | 0 days | Fri 9/8/17 | Fri 9/8/17
4 | 1.1.2 | “As Is” Operational Model Submission | 0 days | Fri 10/6/17 | Fri 10/6/17
5 | 1.1.3 | Transition Plan Approval | 0 days | Fri 10/6/17 | Fri 10/6/17
6 | 1.1.4 | Training Commencement Approval | 0 days | Mon 10/9/17 | Mon 10/9/17
7 | 1.1.5 | To-Be Operational Model Submission | 0 days | Mon 11/20/17 | Mon 11/20/17
8 | 1.1.6 | Service Commencement Date | 0 days | Mon 12/11/17 | Mon 12/11/17
9 | 1.2 | Transition Deliverables | 32 days | Mon 10/9/17 | Tue 11/21/17
10 | 1.2.1 | Claim Services Plan | 1 day | Mon 10/9/17 | Mon 10/9/17
11 | 1.2.2 | Transition Work Plan | 1 day | Mon 10/9/17 | Mon 10/9/17
12 | 1.2.3 | As-Is Operations Model | 1 day | Mon 10/9/17 | Mon 10/9/17
13 | 1.2.4 | Knowledge Transfer Plan | 1 day | Mon 10/9/17 | Mon 10/9/17
14 | 1.2.5 | New Operations Model | 1 day | Mon 11/20/17 | Mon 11/20/17
15 | 1.2.6 | Operations Report Templates | 1 day | Tue 11/21/17 | Tue 11/21/17
16 | 1.3 | Transition Activities | 492 days | Fri 8/11/17 | Mon 7/1/19
17 | 1.3.1 | Phase 1 - Project Initiation | 1 day | Fri 8/11/17 | Fri 8/11/17
18 | 1.3.1.1 | SOW/ MSA Signing | 0 days | Fri 8/11/17 | Fri 8/11/17
19 | 1.3.1.2 | Mobilize project initiation activities | 1 day | Fri 8/11/17 | Fri 8/11/17
20 | 1.3.2 | Phase 2 - Knowledge Acquisition | 40 days | Mon 8/14/17 | Fri 10/6/17
21 | 1.3.2.1 | Onsite KA - Week 1 (Executive Meetings) | 5 days | Mon 8/14/17 | Fri 8/18/17
22 | 1.3.2.2 | Onsite KA - Week 2 - Week 8 | 35 days | Mon 8/21/17 | Fri 10/6/17
23 | 1.3.2.2.1 | Medicare including Member Reimbursements ([***]/HS) | 35 days | Mon 8/21/17 | Fri 10/6/17
24 | 1.3.2.2.2 | Commercial including Member Reimbursements | 35 days | Mon 8/21/17 | Fri 10/6/17
25 | 1.3.2.2.3 | Medicaid | 35 days | Mon 8/21/17 | Fri 10/6/17
26 | 1.3.2.2.4 | Hands-on Production | 10 days | Mon 9/25/17 | Fri 10/6/17
             





 

 

Project: Project Plan Project Buzz
Date: Tue 8/15/17



 

 



 

 


 



ID | WBS | Task Name | Duration | Start | Finish
27 | 1.3.3 | Phase 3 - Project Set up | 491 days | Mon 8/14/17 | Mon 7/1/19
28 | 1.3.3.1 | IT Access - Operations | 40 days | Mon 8/14/17 | Fri 10/6/17
29 | 1.3.3.1.1 | Offshore IT Connectivity (Establishing & Testing) | 40 days | Mon 8/14/17 | Fri 10/6/17
30 | 1.3.3.1.2 | Production access for Optum Offshore | 10 days | Mon 9/25/17 | Fri 10/6/17
31 | 1.3.3.2 | Hiring | 40 days | Mon 8/14/17 | Fri 10/6/17
32 | 1.3.3.2.1 | Hiring approvals (for overall scope of project) | 1 day | Mon 8/14/17 | Mon 8/14/17
33 | 1.3.3.2.2 | Hiring - Production FTEs | 40 days | Mon 8/14/17 | Fri 10/6/17
34 | 1.3.3.3 | [***] | 487 days | Fri 8/18/17 | Mon 7/1/19
35 | 1.3.3.3.1 | User Acceptance Testing | 12 days | Sun 10/22/17 | Sun 11/5/17
36 | 1.3.3.3.2 | Functional specific test plans | 0 days | Fri 8/18/17 | Fri 8/18/17
37 | 1.3.3.3.3 | End-to-End testing | 32 days | Sun 11/12/17 | Sun 12/24/17
38 | 1.3.3.3.4 | Training / SOP Development | 43 days | Wed 11/1/17 | Fri 12/29/17
39 | 1.3.3.3.5 | Training of current Triple-S MA staff | 27 days | Sun 10/29/17 | Sun 12/3/17
40 | 1.3.3.3.6 | Concurrent run of HealthSuite platform | 391 days | Mon 1/1/18 | Mon 7/1/19
41 | 1.3.4 | Phase 4 - Knowledge Transfer | 95 days | Mon 10/9/17 | Fri 2/16/18
42 | 1.3.4.1 | KT - Offshore FTEs | 95 days | Mon 10/9/17 | Fri 2/16/18
43 | 1.3.4.1.1 | Medicare Claims including Member Reimbursements (76 FTE) Open/Pended - 46 FTE, Adjustments FTE - 30 FTE | 95 days | Mon 10/9/17 | Fri 2/16/18
44 | 1.3.4.1.1.1 | Open/Pended [***]/HealthSuite - Batch 1 | 45 days | Mon 10/9/17 | Fri 12/8/17
45 | 1.3.4.1.1.1.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
46 | 1.3.4.1.1.1.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
47 | 1.3.4.1.1.1.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17
48 | 1.3.4.1.1.2 | Open/Pended [***]/ HealthSuite - Batch 2 | 45 days | Mon 10/9/17 | Fri 12/8/17
49 | 1.3.4.1.1.2.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
50 | 1.3.4.1.1.2.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
51 | 1.3.4.1.1.2.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17



 






 



ID | WBS | Task Name | Duration | Start | Finish
52 | 1.3.4.1.1.3 | Adjustments [***]/ HealthSuite - Batch 1 | 30 days | Mon 1/8/18 | Fri 2/16/18
53 | 1.3.4.1.1.3.1 | Process Training | 20 days | Mon 1/8/18 | Fri 2/2/18
54 | 1.3.4.1.1.3.2 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
55 | 1.3.4.1.1.4 | Open/Pended [***]/ HealthSuite - Batch 3 | 45 days | Mon 10/9/17 | Fri 12/8/17
56 | 1.3.4.1.1.4.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
57 | 1.3.4.1.1.4.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
58 | 1.3.4.1.1.4.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17
59 | 1.3.4.1.1.5 | Adjustments [***]/ HealthSuite - Batch 2 | 30 days | Mon 1/8/18 | Fri 2/16/18
60 | 1.3.4.1.1.5.1 | Process Training | 20 days | Mon 1/8/18 | Fri 2/2/18
61 | 1.3.4.1.1.5.2 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
62 | 1.3.4.1.1.6 | Open/Pended [***]/ HealthSuite - Batch 4 | 45 days | Mon 12/18/17 | Fri 2/16/18
63 | 1.3.4.1.1.6.1 | Onboarding | 5 days | Mon 12/18/17 | Fri 12/22/17
64 | 1.3.4.1.1.6.2 | Process Training | 30 days | Mon 12/25/17 | Fri 2/2/18
65 | 1.3.4.1.1.6.3 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
66 | 1.3.4.1.2 | Commercial Claims - including Member Reimbursements (74 FTE) Open/Pended - 44 FTE, Adjustments FTE - 30 FTE | 95 days | Mon 10/9/17 | Fri 2/16/18
67 | 1.3.4.1.2.1 | Open/Pended - Batch 1 | 45 days | Mon 10/9/17 | Fri 12/8/17
68 | 1.3.4.1.2.1.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
69 | 1.3.4.1.2.1.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
70 | 1.3.4.1.2.1.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17
71 | 1.3.4.1.2.2 | Open/Pended - Batch 2 | 45 days | Mon 10/9/17 | Fri 12/8/17
72 | 1.3.4.1.2.2.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
73 | 1.3.4.1.2.2.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
74 | 1.3.4.1.2.2.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17
75 | 1.3.4.1.2.3 | Adjustments - Batch 1 | 30 days | Mon 1/8/18 | Fri 2/16/18
76 | 1.3.4.1.2.3.1 | Process Training | 20 days | Mon 1/8/18 | Fri 2/2/18



 






 



ID | WBS | Task Name | Duration | Start | Finish
77 | 1.3.4.1.2.3.2 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
78 | 1.3.4.1.2.4 | Open/Pended - Batch 3 | 45 days | Mon 10/9/17 | Fri 12/8/17
79 | 1.3.4.1.2.4.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
80 | 1.3.4.1.2.4.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
81 | 1.3.4.1.2.4.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17
82 | 1.3.4.1.2.5 | Adjustments - Batch 2 | 30 days | Mon 1/8/18 | Fri 2/16/18
83 | 1.3.4.1.2.5.1 | Process Training | 20 days | Mon 1/8/18 | Fri 2/2/18
84 | 1.3.4.1.2.5.2 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
85 | 1.3.4.1.2.6 | Open/Pended - Batch 4 | 45 days | Mon 12/18/17 | Fri 2/16/18
86 | 1.3.4.1.2.6.1 | Onboarding | 5 days | Mon 12/18/17 | Fri 12/22/17
87 | 1.3.4.1.2.6.2 | Process Training | 30 days | Mon 12/25/17 | Fri 2/2/18
88 | 1.3.4.1.2.6.3 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
89 | 1.3.4.1.3 | Medicaid Claims (30 FTE) - Open/ Pended - 22 FTE, Adjustments - 08 FTE | 95 days | Mon 10/9/17 | Fri 2/16/18
90 | 1.3.4.1.3.1 | Open/Pended | 45 days | Mon 10/9/17 | Fri 12/8/17
91 | 1.3.4.1.3.1.1 | Onboarding | 5 days | Mon 10/9/17 | Fri 10/13/17
92 | 1.3.4.1.3.1.2 | Process Training | 30 days | Mon 10/16/17 | Fri 11/24/17
93 | 1.3.4.1.3.1.3 | OJT | 10 days | Mon 11/27/17 | Fri 12/8/17
94 | 1.3.4.1.3.2 | Adjustments | 30 days | Mon 1/8/18 | Fri 2/16/18
95 | 1.3.4.1.3.2.1 | Process Training | 20 days | Mon 1/8/18 | Fri 2/2/18
96 | 1.3.4.1.3.2.2 | OJT | 10 days | Mon 2/5/18 | Fri 2/16/18
97 | 1.3.5 | Phase 5 - Work Ramp Up | 101 days | Mon 12/11/17 | Mon 4/30/18
130 | 1.3.6 | Steady State | 1 day | Tue 5/1/18 | Tue 5/1/18
131 | 1.3.6.1 | Steady State Operations - 100% | 1 day | Tue 5/1/18 | Tue 5/1/18







 






 



Predecessors | Resource Names
21FS+15 days | Optum,Triple S
22 | Optum
22 | Optum,Triple S
73SS-5 days | Optum,Triple S
74SS-5 days | Optum,Triple S
74FS+1 day | Optum
20 | Optum
20 | Optum
20 | Optum
20 | Optum
7 | Optum
14 | Optum
 | Optum,Triple-S
 | Optum,Triple-S
19 | Optum,Triple S
21 | Optum,Triple S
21 | Optum,Triple S
21 | Optum,Triple S
24FF,25FF,23FF | Optum,Triple S



 










 



Predecessors | Resource Names
19 | Optum,Triple S
29FF | Triple S. Optum
19 | Optum
32SS | Optum
 | Triple S
 | Triple S
35FS+5 days | Triple S
 | Triple S
 | Triple S
38 | Triple S
33 | Optum
45 | Optum
46 | Optum
33 | Optum
49 | Optum
50 | Optum



 






 



Predecessors | Resource Names
51FS+20 days | Optum
53 | Optum
33 | Optum
56 | Optum
57 | Optum
58FS+20 days | Optum
60 | Optum
22FS+50 days | Optum
63 | Optum
64 | Optum
33 | Optum
68 | Optum
69 | Optum
33 | Optum
72 | Optum
73 | Optum
74FS+20 days | Optum



 




 



Predecessors | Resource Names
76 | Optum
33 | Optum
79 | Optum
80 | Optum
81FS+20 days | Optum
83 | Optum
22FS+50 days | Optum
86 | Optum
87 | Optum
33 | Optum
91 | Optum
92 | Optum
93FS+20 days | Optum
95 | Optum
105,109,118,122,129 | Optum



 




 



 

 

 

 

 

 

 



STATEMENT OF WORK #1 (CLAIMS SERVICES)

 

EXHIBIT A-3-3

 

CRITICAL MILESTONES

 

 

 

 

 

 

 

 

 

 

 

 




 

In accordance with SOW #1 and the terms of the Agreement, Supplier will provide
the Transition Services for Claims Services in accordance with the Critical
Milestones set forth below.

 

# | Critical Milestone | Acceptance Criteria | Critical Milestone Completion Date
1 | Knowledge Acquisition | SOPs and Training modules for initiation of new hire training are complete | 8 weeks after the Effective Date
2 | Initiate New Hire Training of Supplier Personnel | Supplier begins Training of Claims Agents performing the Claims Services | 1 week from the completion of Milestone #1
3 | Service Commencement Date (Open and Pended) | Supplier begins executing ongoing operational Claims Services - Open and Pended Claims. | April 30, 2018
4 | Service Commencement Date (Adjustments) | Supplier begins executing ongoing operational Claims Services - Adjustments | April 30, 2018

 





 


 



 

 

 



SOW #01 (CLAIMS)

 

EXHIBIT B

 

CLAIMS SERVICE LEVELS

 

# Service Level Name Service Level Service Level Definition Type of Service
Level Interim SLA Interim Period Long Term SLA Measurement Period Service Points
Continuous Improve (Y/N) Measurement Tool Volume Sensitive Service Level (Y/N)
Points Assigned

[***]

 

 

 

 

 






 





 

 

 

 

 

 

STATEMENT OF WORK #2 (IT SERVICES)

 

IT WRAPPER

 

 

 

 

 

 

 

 

 




MASTER SERVICES AGREEMENT

 

STATEMENT OF WORK #2 (IT Services)

 

This Statement of Work #02 (IT Services), effective as of August 31, 2017, (“the
SOW Effective Date”), is between Triple-S Salud, Inc., a Puerto Rico
corporation, with principal offices located at #1441 F.D. Roosevelt Avenue, San
Juan, Puerto Rico 00921 (“Triple-S”), and OptumInsight, Inc. (“Supplier”), a
Delaware corporation, having a primary place of business at 11000 Optum Circle,
Eden Prairie, MN 55433 (each, a “Party” and collectively, the “Parties”). This
SOW #02 (IT Services) is entered into and shall be governed by the terms of that
certain Master Services Agreement entered into between the Parties dated August
29, 2017, (the “Agreement”).

 

1. INTRODUCTION

 

1.1 Background & Purpose

 

This SOW #2 (IT Services) describes the IT Services Supplier will provide for
Triple-S, as such Services are defined in Exhibit A (IT Services) to this SOW #2
(IT Services), and sets forth certain terms and conditions relating to them,
including, among other things:

 

(a) The scope of the IT Services;

 

(b) The Solution Supplier will use to perform and deliver them; and

 

(c) The Service Levels Supplier will meet in providing them.

 

1.2 Structure

 

This SOW #2 (IT Services) is comprised of this cover document and the following
Exhibits:

 

Table 1: Exhibits to SOW #2 (IT Services)

Item # | Exhibit | Purpose of Exhibit
1 | Exhibit A (IT Services) | Describes the scope, Solution, Transition and Transformation, and other aspects of the IT Services.
2 | Exhibit A-1 (Scope Model) | Provides the Scope Model for the IT Services and includes as exhibits: Exhibit A-1-1 (Process Definitions); Exhibit A-1-2 (Element Definitions)
3 | Exhibit A-2 (Solution Description) | Describes Supplier’s solution for the provision of the IT Services.
4 | Exhibit A-3 (Transition and Transformation Description) | Describes Supplier’s description for the provision of the IT Transition and Transformation Services and includes individual solutions as exhibits: Exhibit A-3-1 (Transition and Transformation Project Plan); Exhibit A-3-2 (Reserved); Exhibit A-3-3 (Transition and Transformation Milestones, Checkpoint Gates, and Deliverables)
5 | Exhibit B (IT Service Levels) | Provides the Service Levels applicable to the IT Services and includes as exhibits: Exhibit B-1: Service Level Metrics; Exhibit B-2: Service Level Definitions



 



1.3 Special Order of Precedence of SOW #2 Documents

 

To the extent there is any conflict or inconsistency as to the responsibilities
of either Party between (a) Exhibit A-1 (Scope Model), on the one hand; and (b)
Exhibit A-2 (Solution Description), on the other hand, then the Exhibit A-1
(Scope Model) shall prevail. The Parties explicitly acknowledge that Exhibit A-2
(Solution Description) may not address every aspect of the Services, including
each of Supplier’s responsibilities otherwise covered in the Exhibit A-1 (Scope
Model).

 

2. DEFINITIONS

 

Capitalized terms used but not defined in this SOW #2 (IT Services) shall have
the meanings given them in the Agreement.

 

3. ADDITIONAL IT SERVICES

 

In addition to the IT Services set forth in Exhibit A (IT Services), the IT
Services include the Services set forth in this Section 3.

 

4. CHANGES TO SUPPLIER SOLUTION

 

As a general principle, Supplier has both the right and the obligation to
perform the Services to be provided by it under this Statement of Work in the
manner described in Exhibit A-2 (Solution Description). That said, Supplier is
charged with responsibility for the adequacy of its Solution, which is to say
that if the Supplier’s Solution, as described in Exhibit A-2 (Solution
Description), should prove inadequate at any point during the Statement of Work
Term for Supplier to perform and deliver the Services in accordance with the
obligations of the Agreement (including this Statement of Work), then Supplier
is responsible for making such changes to its Solution as are necessary to
enable Supplier to perform and deliver the Services in accordance with such
obligations. All such changes are to be made in accordance with Schedule O
(Change Control Process) of the Agreement, as applicable according to its
terms; provided, however, that Supplier is responsible for making such changes
at its own cost and expense except in those cases (if any) in which the
Agreement expressly provides that Triple-S has Financial Responsibility for them
as defined in Schedule C-3 (Financial Responsibility Matrix) and as required by
State or Federal Laws.

 

5. OPERATIONAL REPORTING

 

Supplier shall generate and provide to Triple-S each report set forth in
Schedule K (Reports).

 

6. OPERATING HOURS

 

Supplier will at a minimum mirror the regular operating hours adhered to by
Triple-S’ IT organization as of the Effective Date. Supplier acknowledges and
agrees that performance of the IT Services may regularly require Supplier
Personnel to perform additional/overtime work outside regular operating hours,
and that such additional/overtime work is within the scope of the IT Services.

 

Supplier will extend its hours of operations (for example, through overtime,
weekend and holiday work) from time to time as needed to meet regulatory
requirements, Service Level metrics and other requirements of the Agreement.
Supplier’s work during such extended hours of operations is within the scope of
the IT Services.

 

7. DATA EXCHANGES

 

Supplier will manage and execute file transfer jobs (consistent with the
applicable Functions described in Exhibit A-2 (Solution Description), including
Process 3.10.2 (Computer Operations)) as those jobs are being performed on the
Effective Date and as those jobs evolve over the Term. The Parties will work
together during Transition to develop a list of such file transfer jobs and
corresponding Triple-S trading partners, and will update such list as needed
throughout the Term.

 

8. APPLICABILITY OF THE AGREEMENT

 

This SOW #2 (IT Services) is hereby made a part of, and is subject to and
governed by, the Agreement. This SOW #2 (IT Services) is one of the Initial
Statements of Work executed under the Agreement.

 






 

IN WITNESS WHEREOF, Triple-S and Supplier have each caused this SOW #02 (IT
Services) to be signed and delivered by its duly authorized officer, all as of
the SOW Effective Date set forth above.

 

Triple-S Salud, Inc.

By: /s/ Madeline Hernández-Urquiza
Print Name: Madeline Hernández-Urquiza
Title: President
Date: August 29, 2017

OptumInsight, Inc.

By: /s/ Eric Murphy
Print Name: Eric Murphy
Title: CEO, OptumInsight
Date: 8/29/2017



 

 

 




 

 

 

 

 

 

 

 

STATEMENT OF WORK #2

 

EXHIBIT A

 

IT SERVICES

 

 

 

 

 

 

 

 

 




 

1. INTRODUCTION

 

1.1 Overview of Services

 

(a) This Exhibit A (IT Services) describes the specific Services to be provided
by Supplier under this IT SOW, as well as the dependent or related Functions for
which Triple-S is retaining responsibility. It does so by means of a Scope Model
– a table or tables that encompass(es) the portions of Triple-S’s operations and
Operating Environment within the scope of or relevant to the Services under this
IT SOW and maps the standard processes performed within the relevant area of
operations (referred to as the Processes) against various categories of
associated operational infrastructure components or services (referred to as
Elements). Each cell of the Scope Model represents the intersection of a Process
with an Element and designates the party (referred to as the Actor) responsible
for performing that Process in relation to such Element. Where Supplier is
designated as an Actor, the Scope Model describes which Functions Supplier is
responsible for performing as part of the Services (the ‘What’), not the manner
in which Supplier is responsible for performing them (the ‘How’). The manner in
which Supplier is to perform the Services is set forth elsewhere in this IT SOW
and the Agreement, including Exhibit A-2 (Solution Description) and Exhibit B
(Service Levels).

 

(b) As part of the Services, Supplier will provide to and perform for Triple-S
the Functions for which Supplier is identified as being the responsible Actor in
the Scope Model. As part of such responsibility, Supplier will perform the
associated activities identified in Exhibit A-1-1 (Process Definitions),
including the Embedded Processes that are required or relevant under the
circumstances.

 

(c) Triple-S (or an Other Third Party for whom Supplier is not responsible) will
be responsible for performing those Functions for which Triple-S or such an
Other Third Party is identified as the responsible Actor in the Scope Model,
including the Embedded Processes that are required or relevant under the
circumstances.

 

(d) Except as otherwise provided in the applicable Schedule C-3 (Financial
Responsibility Matrix), the responsible Actor designated in a Process-Element
intersection is responsible not only for performing the indicated Process in
relation to such Element, but also for providing all types of resources
necessary to perform those Processes. Where Supplier is the designated Actor in
a Process-Element intersection and another Actor is designated as having
Financial Responsibility for providing certain types of resources (e.g.,
Equipment, Software, labor, facilities, third-party services, business
processes, recruiting and training) required by Supplier to so perform,
Supplier’s responsibility to perform is subject to Supplier receiving timely
access to the required resources from the Actor designated as having Financial
Responsibility for those resources.

 


  

(e) Where the documents comprising this Exhibit A (IT Services) include
references to specific resources (e.g., tools, systems, Equipment or Software)
that will be used by Supplier in performing the Services, if Supplier implements
any successors or replacements to such resources, the applicable references will
be deemed to include such successor or replacement resources.

 

1.2 Additional Services

 

The IT Services include the Functions included as part of the Embedded Processes
described in Schedule A (Cross Functional Services) as they relate to the
Functions included as part of the IT Services. For clarity, this includes
Supplier’s responsibility to manage all activities performed by Supplier Managed
Third Parties in accordance with Section 2.4 (Managed Third Party Contract
Services) of Schedule A (Cross-Functional Services).

 

1.3 Certain IT Functions Related to the Claims Services

 

Appendix 1 (Certain IT Functions Related to the Claims Services) below includes
certain IT Functions that relate to the Claims Services. The Functions set forth
in Appendix 1 apply to both Restricted and Non-restricted Members. For avoidance
of doubt, the listing of IT Functions set forth in Appendix 1 is not intended to
be an exhaustive set of IT Functions that support the Claims Services. For the
sake of clarity, Supplier’s scope of IT Services will include those Functions
included in Exhibit A-1 (Scope Model) and the Functions listed in Appendix 1
below.

 

1.4 Supplier Facilities

 

The Supplier Facilities from which Supplier is permitted to provide the Services
are listed in Schedule E (Supplier Facilities) of the Agreement.

 

2. EXHIBIT A CONTENT

 

Exhibit A (IT Services) is comprised of this cover document and the following
Exhibits:

 

Table 1: Exhibits to IT SOW

Item #: 1
Exhibit: Exhibit A-1 (Scope Model)
Purpose of Exhibit: Contains the Scope Model for this IT SOW. It allocates among
the pertinent Actors functional responsibility for the Processes that are
relevant to the scope of this IT SOW. As a means of identifying required
interactions between Supplier and Triple-S, and between Supplier and other
third-party providers of related products and services to Triple-S, the Scope
Model’s scope of coverage is, by design, broader than the scope of Supplier’s
Services under this IT SOW. Exhibit A-1 (Scope Model) includes the following
additional Exhibits:

Item #: 2
Exhibit: Exhibit A-1-1 (Process Definitions)
Purpose of Exhibit: Sets forth the definitions of the Processes used in the
Scope Model. The Process definitions are intended to provide industry-standard
descriptions of the processes that are typically performed by companies in the
area of operations that is within the scope of this IT SOW.

Item #: 3
Exhibit: Exhibit A-1-2 (Element Definitions)
Purpose of Exhibit: Sets forth the definitions of the Elements used in the Span
axis of the Scope Model.

Item #: 4
Exhibit: Exhibit A-2 (Solution Description)
Purpose of Exhibit: Describes Supplier’s solution for the provision of the IT
Services.

Item #: 5
Exhibit: Exhibit A-3 (Transition and Transformation Description)
Purpose of Exhibit: Describes Supplier’s description for the provision of the IT
Transition and Transformation Services and includes individual solutions as
exhibits:

·   Exhibit A-3-1 (Transition and Transformation Project Plan)

·   Exhibit A-3-2 (Reserved)

·   Exhibit A-3-3 (Transition and Transformation Milestones, Checkpoint Gates,
and Deliverables)

 

3. DEFINITIONS AND INTERPRETATION

 

The following terms, when used in this IT SOW, will have the meanings given them
below unless otherwise specified or required by the context in which the term is
used. Any capitalized term used but not defined in this Exhibit A (IT Services)
will have the meaning indicated in Schedule AA (Glossary) or elsewhere in the
Agreement.

 

Defined Term: “Actor”
Meaning: An entity (or group within an entity) assigned functional
responsibility for a Process-Element intersection in the Scope Model – i.e.,
assigned responsibility for performing the indicated Process with respect to the
indicated Element category.

Defined Term: “Elements”
Meaning: Entries on the Span axis of a Scope Model. Elements may represent a
category of components (e.g., Servers), services (e.g., Managed WAN), individual
products (e.g., VPN Concentrator) or individual applications.

Defined Term: “Operating Environment”
Meaning: Collectively, the Equipment, Software, systems, communications networks
and connectivity, facilities, and other infrastructure components owned,
controlled, or operated by Triple-S (or its Affiliates or third-party services
providers on behalf of Triple-S and Service Recipients) and used to receive,
use, transmit and otherwise enjoy the benefits of the Services.

Defined Term: “Other Third Party”
Meaning: An Actor other than Triple-S or Supplier. Certain Other Third Parties
may be identified by name in a Scope Model, others by the general designation of
“Other Third Party,” and others by type of provider.

Defined Term: “Processes”
Meaning: The groupings of activities on the Process axis of a Scope Model, which
may pertain to an individual (level 3) process (e.g., Technology Architecture
Development, Solution Development) or a group of related (level 2) processes
(e.g., Domain Architecture, Solution Formation).

Defined Term: “Service Delivery Environment”
Meaning: Collectively, the Equipment, Software, systems, communications networks
and connectivity, facilities, and other infrastructure components owned,
controlled, or operated by Supplier (or its Affiliates or other Subcontractors)
and used by Supplier Personnel in rendering the Services.

Defined Term: “Span”
Meaning: The axis of a Scope Model that depicts Triple-S’ Operating Environment
and / or Supplier’s Service Delivery Environment or, alternatively, categories
of services that are relevant to the Processes on the Process axis of the Scope
Model.

 

4. KEEPING SCOPE MODEL DOCUMENTS UP TO DATE

 

At least once a year during the IT SOW Term and pursuant to the governance
process set forth in Schedule F (Governance), and more often as necessary to
reflect the effects of agreed Changes, the Parties will review the Scope Model
and update it (and, as necessary, the associated Process and Element
definitions) to reflect the following:

 

(a) Changes in any of the Actors or the responsibilities assigned to any of the
Actors in the Scope Model; or

 

(b) Additions, deletions, or other modifications to the Scope Model’s Span,
including as necessary to reflect changes in the Triple-S locations served by
Supplier or in Supplier’s Service Delivery Centers.

 

Inasmuch as the Scope Model documents the allocation of functional
responsibility to Actors other than Triple-S and Supplier, Triple-S has the
right to make unilateral changes in the Scope Model from time to time to reflect
changes in any of the Other Third Parties or their assigned responsibilities
(including by (i) adding or deleting Elements (including adding new Elements to
A-1-2 (Element Definitions)) or (ii) changing the designated Actor(s)) provided
such changes do not alter Supplier’s scope of Services or affect Supplier’s
performance of the Services. If such changes alter Supplier’s scope of Services
or affect Supplier’s performance of the Services, such changes will be handled
via the Change Control Process.

 


 

APPENDIX 1

 

CERTAIN IT FUNCTIONS RELATED TO CLAIMS SERVICES

 

The IT Functions Definitions related to Claims described in this Appendix 1 are
part of SOW #02 (IT Services). In addition to describing the IT Functions
related to the Claims Processes, this Appendix 1 sets forth the responsible
party for each process.

 

1. CLAIMS INTAKE

1.1 IT EDI Intake

“IT EDI Intake” are those IT Functions associated with the intake of Claims in
EDI format including:

(a) Processing and uploading Claims into the Triple-S System; [Responsible
Party: Supplier (IT)]

(b) Receiving authorization file from Triple-S and loading it into the Triple-S
System for accurate Claims processing; [Responsible Party: Supplier (IT)]

(c) Taking action to correct invalid files and data issues; [Responsible Party:
Supplier (IT)]

(d) Performing a quality check review; [Responsible Party: Supplier (IT)]

(e) Fixing errors identified as part of the quality check; and [Responsible
Party: Supplier (IT)]

(f) Sending EDI status reports (including volume, completed, and errored claims
aging) to Triple-S on a daily, weekly and monthly basis. [Responsible Party:
Supplier (IT)]

2. CLAIMS PROCESSING

2.1 IT Claims Adjudication – Medical Claims

“IT Claims Adjudication – Medical Claims” are those IT Functions associated with
adjudicating Medical Claims including:

(a) Loading all Triple-S file into the Triple-S System; [Responsible Party:
Supplier (IT)]

(b) Resolving all file load issues in a timely manner; [Responsible Party:
Supplier (IT)]

(c) Reporting on all file load outcomes (% success, % failure, # of items in
inventory for resolution); and [Responsible Party: Supplier (IT)]

(d) Loading Claims and running auto-Adjudication. [Responsible Party: Supplier
(IT)]

2.2 Claims Adjudication and Adjustment Network Share (ITS) Claims

“IT Claims Adjudication – Network Share- ITS Claims” are those IT Functions
associated with Adjudicating ITS Claims including:

(a) Received ITS SF and RF claims through the ITS system; [Responsible Party:
Supplier (IT)]

(b) Transmit DF records through the ITS system; [Responsible Party: Supplier
(IT)]

(c) Taking action to correct invalid SF, DF, and RF records that did not
transmit; and [Responsible Party: Supplier (IT)]

(d) Transmitting DF records. [Responsible Party: Supplier (IT)]

2.3 Network Share (ITS Host) and FEP Claims

“Network Share- ITS and FEP Claims” are those IT Functions associated with
adjudicating ITS and FEP Claims including:

(b) Loading EDI claims for ITS in the corresponding core system and FEP in the
FEP Direct System; [Responsible Party: Supplier (IT)]

(c) Identify issues affecting the loading of files and refer to the
corresponding Claims processing team; [Responsible Party: Supplier (IT)]

(d) Generate SF (Host Claims); [Responsible Party: Supplier (IT)]

(e) Transmit SFs records through the ITS system; [Responsible Party: Supplier
(IT)]

(f) Receiving DFs; [Responsible Party: Supplier (IT)]

(g) Generating RFs; and [Responsible Party: Supplier (IT)]

(h) Receiving FEP Direct transmission and loading for payment [Responsible
Party: Supplier (IT)]

2.4 Accumulator Processing

“Accumulator Processing” are those IT Functions associated with managing and
applying accumulators to Claims including:

(a) Collecting medical and third party accumulators; [Responsible Party:
Supplier (IT)]

(b) Loading all accumulator files into the appropriate Triple-S System;
[Responsible Party: Supplier (IT)]

(c) Calculating accumulators (e.g., Claims dollars) against deductibles and
benefits; [Responsible Party: Supplier (IT)]

(d) Updating accumulators; and [Responsible Party: Supplier (IT)]

(e) Sending updated accumulators (e.g., daily and weekly) to other third parties
(e.g., Delegated Providers, ancillary). [Responsible Party: Supplier (IT)]

2.5 EOB

“EOB” are those IT Functions associated with processing Explanation of Benefits
(“EOB”) including:

(a) Utilizing Triple-S (or in the case of Medicare, CMS) templates and style
guides to generate EOB letters; [Responsible Party: Supplier (IT)]

(b) Utilizing third party Encounter data to generate EOB letter per Claim as
necessary; [Responsible Party: Supplier (IT)]

(c) Generating EOB letters; and [Responsible Party: Supplier (IT)]

(d) Correcting EOB file transmitting errors [Responsible Party: Supplier (IT)]

3 ITS Claims Adjustment Network Share- ITS Claims

“ITS Claims Adjustment – Network Share - ITS Claims” are those IT Functions
associated with adjusting ITS Claims including receiving ITS adjustment
requests. [Responsible Party: Supplier (IT)]

4. PAYMENT / REMITTANCE ADVICE

“Payment, / Remittance Advice” are those IT Functions associated with processing
payments, and remittances including:

(a) Generating Payment Cycle [Responsible Party: Supplier (IT)]

(b) Performing Technical approval [Responsible Party: Supplier (IT)]

(c) Generating Checks, ACH, positive pay (clearance) and Payment Advice files
[Responsible Party: Supplier (IT)]

(d) Transferring ACH and positive pay files to the bank [Responsible Party:
Supplier (IT)]

(e) Transmitting check PDF and EOP files to the print shop [Responsible Party:
Supplier (IT)]

(f) Correcting EDI transmitting errors for EDI (e.g., payment, remittance
advice) transactions; [Responsible Party: Supplier (IT)]

5. CERTAIN IT SUPPORT FOR CLAIMS OPERATIONS

5.1 IT Support for Claims Operations

“IT Support for Claims Operations” are those IT Functions associated with
supporting the Claims operation through execution of various IT processes
including mass Adjudication, batch reversals and running scripts related to
Claims Functions. [Responsible Party: Supplier (IT)]

 


 

SOW 02 - Exhibit A-1

 


 

 

 

 

 





STATEMENT OF WORK #2 

EXHIBIT A-1-1 

SCOPE MODEL

 

 

 

 

 

 

 





 

 

 




 







[Scope Model matrix image: sow02a1_p1.jpg]

Elements (Span axis): Infrastructure SW [***] (Software) Healthcare Applications
(In-House) Healthcare Applications (3rd Party) Triple-S SaaS Non-Healthcare
Business Applications Non-Healthcare Business Applications Infrastructure Data
Exchanges Compute & Storage - End User Devices, Servers Compute & Storage -
[***] & [***] Related Servers Network - Network Edge Router & Network and
Security Devices or Appliances Network - Private Network Access & Transport &
Public Network Access Telecomm Facilities Triple-S (includes Kiosks)

Processes (Process axis): IT Management Client Relations Enterprise Architecture
Delivery Strategy Sourcing Strategy IT Finance Actor Management Portfolio
Management IT Leadership IT Governance Risk Management Compliance Management
Internal Client Relationship Mgmt External Client Relationship Mgmt Demand
Management Enterprise Architecture Development Domain Architecture Approval
Enterprise Architecture Approval Delivery Strategy Development Delivery Strategy
Approval Sourcing Strategy Development Sourcing Execution Sourcing Approval
Financial Control Budgeting and Forecasting Allocation and Chargeback Invoice
Review Invoice Approval Invoice Payment Services Management Incident Oversight
Commercial Management Actor Integration Service Catalog Management Performance
Management Benchmarking Knowledge Oversight Knowledge Management

Process numbers: 1.1.1 1.1.2 1.1.3 1.1.4 1.2.1 1.2.2 1.2.3 1.3.1 1.3.2 1.3.3
1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.6.5 1.6.6 2.1.1 2.1.2
2.1.3 2.1.4 2.2.1 2.2.2 2.2.3 2.2.4 (a) 2.2.4 (b)



Note:  (a)  Supplier Personnel are not permitted to access [***] software in
order to perform these functions.  These functions shall be performed by
Triple-S In-Scope Personnel in compliance with the [***]/Supplier Agreement and
the General Terms and Conditions (including Section 19.19).

 

 

 














[Scope Model matrix image: sow02a1_p2.jpg]

Elements (Span axis): as listed for sow02a1_p1.jpg.

Processes (Process axis): Domain Architecture Process Architecture Standards
Solution Requirements Service Management Security Management Program Office
Information Architecture Development Application Architecture Development
Infrastructure Architecture Development Security Architecture Development
Process Architecture Development Standards Policies Establishment Standards
Development Standards Approval Standards Audit Business Requirements
Documentation Security Requirements Development Solution Integration Security
Solution Approval Solution Approval Service Delivery Management Incident
Management Problem Management Configuration and Asset Management Change
Management Release Management Capacity Management Availability Management
Service Level Management Technology Continuity Management Service Continuity
Management Security Oversight Security Policy Development Program Management
Project Management

Process numbers: 2.3.1 2.3.2 2.3.3 2.3.4 2.4.1 2.5.1 2.5.2 2.5.3 2.5.4 2.6.1
2.6.2 2.6.3 2.6.4 2.6.5 2.7.1 2.7.2 2.7.3 2.7.4 2.7.5 2.7.6 2.7.7 2.7.8 2.7.9
2.7.10 (a) 2.7.10 (b) 2.8.1 2.8.2 2.9.1 2.9.2












[Scope Model matrix image: sow02a1_p3.jpg]

Elements (Span axis): as listed for sow02a1_p1.jpg.

Processes (Process axis): Solution Formation Infrastructure Engineering Software
Engineering Quality Assurance Client Support Acquire Deploy Maintain Software
Maintenance Operations Technical Requirements Development Security Solution
Development Solution Development Resource Estimation Platform Engineering
Software Design Software Development Software Integration Logical Database
Administration Peer Review Testing Environment Integration Testing User
Acceptance Testing Service Desk Technical Support Business Systems (Functional)
Support Procurement Management Acquisition Configuration Implementation
Maintenance Administration Local Maintenance & Repair Remote Maintenance &
Repair Corrective Maintenance Adaptive Maintenance Perfective Maintenance
Preventive Maintenance Operations Scheduling Computer Operations Network
Operations Media Operations Physical Database Administration Operations
Monitoring

Process numbers: 3.1.1 3.1.2 3.1.3 3.1.4 3.2.1 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5
3.4.1 3.4.2 3.4.3 3.5.1 3.5.2 3.5.3 3.6.1 3.6.2 3.7.1 3.7.2 3.8.1 3.8.2 3.8.3
3.9.1 3.9.2 3.9.3 3.9.4 3.10.1 3.10.2 3.10.3 3.10.4 3.10.5 3.10.6






 

 

[Scope Model matrix image: sow02a1_p4.jpg]

Elements (Span axis): as listed for sow02a1_p1.jpg.

Processes (Process axis): Service Support Security Logistics Incident Management
Execution Problem Identification and Resolution Configuration Management
Execution Change Management Execution Release Management Execution Capacity
Reporting Availability Analysis Service Continuity Plan Development Service
Continuity Plan Execution Security Engineering Security Credentials Management
Credentials Authorization Physical Security Security Operations Security
Analysis Security Incident Response Security Incident Recovery Vulnerability
Assessment Remove / Repurpose Disposition Warehouse Management Distribution

Process numbers: 3.11.1 3.11.2 3.11.3 3.11.4 3.11.5 3.11.6 3.11.7 3.11.8 3.11.9
3.12.1 3.12.2 3.12.3 3.12.4 3.12.5 3.12.6 3.12.7 13.2.8 3.12.9 3.13.1(a)
3.13.1(b) 3.13.2 3.13.3












 

 

 



Scope Model legend (Actors): Triple-S; Optum; [***]; Other Third Party; Not Applicable to Element

 

 

 

 

 

 

 



 

 




 

 

 

 

 

 

 

STATEMENT OF WORK #2

 

EXHIBIT A-1-1

 

IT PROCESS DEFINITIONS

 

 

 

 

 

 

 

 


 

 


IT Process Definitions



Version 3.3.0

 



 





Table of Contents

 

Section I. IT Process Definitions

 

Section II. Embedded Processes

 

Section III. Glossary

 

 

I.       IT Process Definitions

 

 

Processes and Definitions

1 Governance and Leadership

1.1 IT Management

1.1.1 IT Leadership

The purpose of “IT Leadership” is to lead the IT organization in delivering IT
services that meet the business requirements of its Clients.

 

IT Leadership includes the following activities:



    1.           Understanding the strategies and objectives of the Clients
supported by the IT organization, the criticality of IT in achieving   the
Client’s objectives and the IT organization’s role within the larger context of
the industry in which it operates;     2.          Promoting and maintaining the
alignment of IT services with the needs of its Clients;     3.          Leading
the IT organization so as to deliver on the requirements and objectives of
Clients, including:     (a)      Enabling Clients to exploit business
opportunities and maximize their individual and collective potential;    
(b)      Promoting the responsible use of IT assets and services;

 

 

[image_072.jpg] Page 2 of 135

Pillsbury Winthrop Shaw Pittman LLP 

© 2003 – 2016 

U.S. Patents 7,308,414 and 7,979,303B2

 



 






        (c) Securing and protecting IT assets including data resting in, or flowing through, the IT environment; and
        (d) Providing macro-level guidance as to how, when and where IT is to deliver its services; and
    4. Promulgating the desired values, philosophies, strategies and performance of IT throughout the IT organization and the enterprise.

1.1.2 IT Governance

The purpose of “IT Governance” is to establish the framework for decision rights
and the platform for the oversight of the key aspects of the IT environment and
services.

 

IT Governance includes the following activities:



    1. Assigning, establishing and enforcing decision rights throughout the IT organization;
    2. Establishing appropriate oversight of Compliance Management, Risk Management, Program Management, IT Finance, Client Relations, Performance Management, Actor Management, Service Delivery Management, Security Management and other key aspects of IT, including:
        (a) Assigning personnel with responsibility to oversee the underlying functions;
        (b) Providing adequate resources and authority to such personnel to carry out their oversight-based activities; and
        (c) Establishing committees and meetings, including assigning committee heads and establishing meeting schedules; and
    3. Reviewing recommendations, requests for review and other similar interactions from Process owners and, as applicable, Actors and providing feedback, including advice and consent when appropriate.

 

 


1.1.3 Risk Management

The purpose of “Risk Management” is to determine risk tolerance, identify risks,
analyze the potential for Risk Issues and develop, assess and monitor actions to
mitigate and remediate IT risk.

 

Risk Management includes the following activities:



    1. Obtaining and documenting the Client’s and IT’s risk tolerance and prioritizations for Risk Management;
    2. Obtaining and maintaining a comprehensive understanding of all relevant aspects of the IT and Client environments and External Client systems that may give rise to Risk Issues or may result in IT risk, including:
        (a) Systems associated with the delivery of IT services, including the access and storage points for confidential customer and Client information;
        (b) IT plans or other similar information that could help identify exposure to risks that could limit the enterprise’s ability to implement its strategic priorities;
        (c) Business recovery and continuity plans to gain insight into the critical systems and control environment;
        (d) Due diligence and monitoring activities associated with the management of External Actors;
        (e) IT operational reports providing information regarding potential performance or control issues;
        (f) Quality control reviews performed by Process or Element owners pertaining to controls that could help identify noncompliance with policy or areas of weakness;
        (g) IT audit findings that could shed light on the veracity and responsiveness of the Actors’ commitments to policy compliance and operational control; and
        (h) Viewpoints of Actors’ senior management as they pertain to resource limitations, real and perceived threats, priorities and key controls;


    3. Analyzing the IT and Client environments and associated information for the purpose of:
        (a) Identifying the universe of Risk Issues including the Risk Issues associated with operational change and delivery risks, legal and regulatory risks, information security risks, etc.;
        (b) Estimating the likelihood of occurrence of Risk Issues;
        (c) Identifying and estimating the impact of Risk Issues on the enterprise from the applicable perspectives (e.g., strategic, operational, financial, reputation) and that appropriately take into consideration lost revenue, flawed business decisions, data recovery and reconstruction time and expense, costs of litigation and potential judgments, loss of market share, and increases to premiums or denials of insurance coverage; and
        (d) Developing comprehensive risk assessments of IT operations and activities;
    4. Identifying and developing a prioritization of actions that is appropriate for the complexity of the enterprise that is designed to:
        (a) Reduce risk exposure; and
        (b) Establish mitigating controls for safe, sound and efficient IT operations;
    5. Reporting the recommended prioritization of actions to the applicable Process or Element owner(s) and incorporating feedback into the prioritization;
    6. Submitting appropriately approved actions to the applicable Process or Element owner(s);
    7. Monitoring, analyzing and reporting on risk reduction, mitigation and remediation activities, including the extent to which risk assessment and prioritization results are integrated into various operational aspects of IT, including:
        (a) Technology budgeting, investment and deployment decisions;

 

 

 


        (b) Contingency planning;
        (c) Policies and procedures;
        (d) Controls;
        (e) Staffing and expertise;
        (f) Insurance;
        (g) Performance benchmarks;
        (h) Service levels; and
        (i) Policy enforcement and compliance; and
    8. Reviewing business requirements and proposed solutions, and providing feedback regarding risk and control to the applicable Process owner(s).

1.1.4 Compliance Management

The purpose of “Compliance Management” is to cause all applicable External
Compliance Requirements and External Actor Compliance Requirements to be
fulfilled and to monitor the fulfillment of such requirements.

 

Compliance Management includes the following activities:



    1. Identifying the External Compliance Requirements applicable to the IT environment;
    2. Obtaining from External Actors, comprehensive written descriptions of their External Actor Compliance Requirements, including detailed statements describing how such requirements are being fulfilled;
    3. Developing, documenting and disseminating to Actors the policies designed to fulfill the External Compliance Requirements for the IT environment;
    4. Developing and documenting the procedures and controls designed to detect and prevent noncompliance with the External Compliance Requirements;
    5. Developing and implementing an ongoing compliance (i.e., External Compliance Requirements) and ethics training program for all Actors, including those at senior levels;

 

 

 




    6. Determining the extent to which the IT environment is in compliance with the External Compliance Requirements, including, when appropriate, implementing:
        (a) Auditing and monitoring systems designed to assist in the detection of noncompliance;
        (b) Systems to report or seek guidance regarding potential or actual noncompliance; and
        (c) Mechanisms designed to protect anonymity and confidentiality;
    7. Determining the extent to which External Actors are in compliance with their respective External Actor Compliance Requirements, including (when appropriate):
        (a) Obtaining from the External Actors appropriate written statements regarding their compliance with the requirements; and
        (b) Obtaining audits and assessments of External Actors by appropriately recognized independent organizations;
    8. Documenting and disseminating information regarding the compliance program to the applicable Process or Element owner(s) and other personnel as appropriate;
    9. Enforcing and encouraging compliance through appropriate mechanisms, including:
        (a) Establishing disciplinary and incentive measures; and
        (b) Documenting and reporting instances of noncompliance to the applicable Process or Element owner(s), offending Actors and other personnel as appropriate;
    10. Responding to and taking reasonable steps to prevent incidents of noncompliance with the External Compliance Requirements;
    11. Identifying personnel or Actors within the IT environment that have shown either a disregard for compliance or a tendency toward improper conduct and notifying the applicable Process owner(s) and other personnel as appropriate; and
    12. Reviewing business requirements and proposed solutions to:

 

 

 




        (a) Identify and communicate the applicable External Compliance Requirements; and
        (b) Provide feedback to the applicable Process or Element owner(s), including advice and consent.

1.2 Client Relations

1.2.1 Internal Client Relationship Management

The purpose of “Internal Client Relationship Management” is to coordinate and
manage the activities necessary to initiate, enhance and maintain the IT
services that support Internal Clients.

 

Internal Client Relationship Management includes the following activities:



    1. Identifying Internal Clients;
    2. Acting as an advocate for Internal Clients with IT by promoting and actively seeking resolution of issues related to the delivery, performance and pricing of IT services;
    3. Obtaining issue handling and escalation requirements from Internal Clients and providing to the applicable Process owner(s);
    4. Tracking Internal Client issues, escalations and resolutions;
    5. Obtaining Internal Client interaction requirements and providing to the applicable Process owner(s);
    6. Facilitating IT service activities with Internal Clients;
    7. Advising Internal Clients of potential opportunities to create value using IT services;
    8. Working with Internal Clients to identify and specify strategic IT-related business missions, objectives and concepts, including obtaining the input of the applicable Process owner(s);
    9. Coordinating the provision of broad-based input (e.g., technical, resource, process) to Internal Clients regarding new business requirements that may affect the IT environment, including:
        (a) Guidance on technical solutions in the pre-business requirements development phase; and

 


        (b) Pricing, risk and duration information;
    10. Reviewing periodically with Internal Clients relevant information regarding ongoing and project-based activities, including IT delivery of Client-specific results regarding:
        (a) Performance (e.g., measures and metrics, performance credits);
        (b) Projects (e.g., pipeline, status, issues, supply limitations);
        (c) Financials (e.g., allocations, chargebacks, invoices); and
        (d) Satisfaction surveys (e.g., Client, stakeholder);
    11. Reviewing the Service Catalog with Internal Clients and providing feedback to the applicable Process owner(s);
    12. Attending, as applicable and appropriate, Internal Client management meetings or other similar forums to provide perspective, support and feedback regarding the IT services, including planned future delivery capabilities and performance of IT services;
    13. Coordinating the provision of technical input and guidance into the development of Internal Client responses to requests for proposals or other similar constructs used by its customers for goods and/or services; and
    14. Attending Actor disagreement and dispute forums pertaining to issues with Internal Clients.

1.2.2 External Client Relationship Management

The purpose of “External Client Relationship Management” is to coordinate and
manage the applicable activities necessary to initiate, enhance and maintain the
IT services that support External Clients.

 

External Client Relationship Management includes the following activities:



    1. Identifying External Clients;
    2. Acting as an advocate for External Clients by promoting and actively seeking resolution of issues related to the delivery, performance and pricing of IT services;

 

 




    3. Obtaining issue handling and escalation requirements from External Clients and providing to the applicable Process owner(s);
    4. Tracking External Client issues, escalations and resolutions;
    5. Obtaining External Client interaction requirements and providing to the applicable Process owner(s);
    6. Facilitating IT service activities with External Clients;
    7. Coordinating the provision of input (e.g., technical, resource, process) to External Clients regarding new business requirements that may affect the IT environment, including:
        (a) Guidance on technical solutions in the pre-business requirements development phase; and
        (b) Pricing, risk and duration information;
    8. Reviewing periodically with External Clients relevant information regarding ongoing and project-based activities, including IT delivery of Client-specific results regarding:
        (a) Performance (e.g., measures and metrics, performance credits);
        (b) Projects (e.g., pipeline, status, issues, supply limitations);
        (c) Financials (e.g., allocations, chargebacks, invoices); and
        (d) Satisfaction surveys (e.g., Client, stakeholder);
    9. Reviewing the Service Catalog with External Clients and providing feedback to the applicable Process owner(s); and
    10. Attending Actor disagreement and dispute forums pertaining to issues with External Clients.

1.2.3 Demand Management

The purpose of “Demand Management” is to align Internal Client demand and
consumption of IT services with the applicable resource and operational
constraints, and to optimize demand by coordinating requests across Internal
Clients and encouraging standards.

 

Demand Management includes the following activities:





 

 




    1. Informing, directly or indirectly through the owner of Internal Client Relationship Management, Internal Clients of their consumption of IT services and, to the extent applicable, the ramifications of such behavior;
    2. Obtaining information regarding historical, current and future requests for IT services;
    3. Evaluating the impact (e.g., strategic, tactical, operational) on IT and its Internal Clients based on historical and expected future receipt of requests for IT services;
    4. Rationalizing demand by regular review of work pipelines and identifying opportunities for collaboration, standardization and reuse; and
    5. Developing and promulgating methodologies and/or tools that help in capturing, documenting and managing the impact, decisions and results associated with consumption and demand behavior.

1.3 Enterprise Architecture

1.3.1 Enterprise Architecture Development

The purpose of “Enterprise Architecture Development” is to design the underlying
IT framework that defines and describes the applicable characteristics of the
IT-enabled platforms, information, applications and security required by Clients
to attain their objectives and achieve their business visions.

 

Enterprise Architecture Development includes the following activities:



    1. Defining the guiding principles, high-level objectives and scope of architecture development;
    2. Identifying, documenting and assessing business requirements, drivers and mandates, including those derived internally and those derived from external sources such as External Clients, regulations and other compliance mandates;
    3. Identifying high-level alternative approaches, including transition timelines and interim states;


    4. Developing, documenting and disseminating the Enterprise Architecture deliverables for use by the applicable Process owner(s) of Domain Architecture;
    5. Defining the architectural deliverables to be developed by the applicable Process owner(s) of Domain Architecture, including:
        (a) Architectural-level deliverables (e.g., vision statement, IT industry best practices);
        (b) Conceptual-level deliverables (e.g., conceptual models, high-level event process models, event-process matrices);
        (c) Solution-level deliverables (e.g., logical models, detailed event process models); and
        (d) Implementation-level deliverables (e.g., detailed designs);
    6. Developing service continuity requirements, including:
        (a) Identifying and documenting Client business recovery requirements, expectations and constraints;
        (b) Defining success criteria; and
        (c) Developing and providing service continuity plan requirements to the applicable Process owner(s); and
    7. Managing development of Domain Architecture, including:
        (a) Establishing timelines;
        (b) Identifying transition steps/interim states;
        (c) Providing instructions regarding deliverable timing and quality requirements; and
        (d) Measuring the performance of Domain Architecture.

1.3.2 Domain Architecture Approval

The purpose of “Domain Architecture Approval” is to perform the activities
necessary to evaluate and approve each Domain Architecture.

 

Domain Architecture Approval includes the following activities:



 

 




 

 

    1. Confirming that, both individually and collectively, the Domain Architecture deliverables will satisfy the requirements, drivers and mandates identified by the Enterprise Architecture;
    2. Confirming that individual Domain Architectures do not conflict with other Domain Architectures;
    3. Authorizing deviation from the requirements, drivers and mandates identified by the Enterprise Architecture; and
    4. Obtaining approvals from the appropriate personnel designated to approve Domain Architectures.

1.3.3 Enterprise Architecture Approval

The purpose of “Enterprise Architecture Approval” is to perform the activities
necessary to evaluate and approve the Enterprise Architecture.

 

Enterprise Architecture Approval includes the following activities:



    1. Confirming that the Enterprise Architecture requirements, drivers and mandates are necessary and sufficient to balance Client needs and constraints;
    2. Confirming that the Enterprise Architecture will satisfy the requirements, drivers and mandates;
    3. Authorizing deviation from Client requirements, drivers and mandates; and
    4. Obtaining approvals from the appropriate personnel designated to approve Enterprise Architectures.

1.4 Delivery Strategy

1.4.1 Delivery Strategy Development

The purpose of “Delivery Strategy Development” is to define how the IT services
will be delivered.

 

Delivery Strategy Development includes the following activities: 

    1. Developing alternative Delivery Models in response to changes in the underlying goals, objectives and Domain Architecture, as well as technologies and services available in the marketplace;

 

 

 


    2. Determining the assignment of Actor responsibility for each Element and Process (or groups thereof) pertinent to the Delivery Model such that the assignment supports the applicable Domain Architecture(s), the Enterprise Architecture, and the applicable Client needs;
    3. Determining high-level characteristics (e.g., internal, external, local, regional, global) of the Actors and their span of service delivery (e.g., geographic, Client, facility types, technology grouping);
    4. Using Delivery Model constructs to develop detailed statements of responsibility for each Actor;
    5. Defining and documenting delivery requirements to be incorporated into sourcing strategies by the applicable Process owner(s) of Sourcing Strategy Development, including:
        (a) Strategic segmentation of the Processes;
        (b) Advice and consent guidelines regarding selection of Actors;
        (c) Service delivery integration requirements, including, as applicable, specific process and tool platforms;
        (d) Interaction requirements between Actors;
        (e) Application of specific commercialization models;
        (f) Use of various service delivery performance regimes, measures and metrics;
        (g) Use of specific procurement processes; and
        (h) Required level of organizational readiness; and
    6. Developing requirements for the integration of Actors.

1.4.2 Delivery Strategy Approval

The purpose of “Delivery Strategy Approval” is to perform the activities
necessary to evaluate and approve the delivery strategy, including the Delivery
Models.

 

Delivery Strategy Approval includes the following activities:

 

 

 




    1. Confirming that the Delivery Models and delivery requirements satisfy the underlying goals, objectives, and the applicable Client need, and comply with, or have received the necessary exceptions from the applicable Process owner(s) of Enterprise Architecture and Domain Architecture; and
    2. Obtaining approvals from the appropriate personnel designated to approve delivery strategies.

1.5 Sourcing Strategy

1.5.1 Sourcing Strategy Development

The purpose of “Sourcing Strategy Development” is to identify the actions
necessary to achieve the commercial aspects associated with the configuration of
Actors described in the delivery strategy, and to maintain alignment between
these actions, the marketplace and Client requirements.

 

Sourcing Strategy Development includes the following activities:



    1. Analyzing organizational strategies, plans and constraints;
    2. Identifying sourcing objectives, desired outcomes and potential risks;
    3. Developing and documenting sourcing strategies;
    4. Identifying, prioritizing and sequencing (e.g., parallel, serial, staggered) and scheduling the number and type of sourcing activities to be performed in a given timeframe; including:
        (a) Developing mechanisms to describe the relative sequence and timing for the major aspects of the sourcing activities for each underlying transaction; and
        (b) Identifying and documenting the points of linkage or dependence between the transactions;
    5. Developing performance measures to track the effectiveness of sourcing strategies against organizational performance;
    6. Tracking the achievement of the sourcing strategies;
    7. Obtaining and analyzing market information and trends, including with respect to services and suppliers;

 

 


    8. Identifying suppliers capable of performing the responsibility(ies) as allocated in the relevant delivery strategy and satisfying the associated delivery requirements, including:
        (a) Identifying the tier(s) or other segmentation schemas of suppliers to be considered for those components of IT services to be sourced externally;
        (b) Documenting the specific portfolio of suppliers to be considered for transactions;
        (c) Determining special handling requirements with respect to expected changes in the then-current population of External Actors providing components of IT services; and
        (d) Identifying supplier integration requirements (e.g., technical, commercial, process);
    9. Determining whether changes to the existing portfolio of Actors would be beneficial;
    10. Identifying, in response to new Delivery Models or need for supplier replacement, optimal methods of procuring and/or divesting (e.g., competitive procurement, termination of External Actors, renewal of External Actors, expansion/contraction of External Actor responsibility) those components of IT services to be performed by suppliers;
    11. Developing mature, standardized and repeatable sourcing transaction approaches and process models;
    12. Identifying and documenting the commercial terms required to achieve the desired level of Actor integration, interoperability and independence;
    13. Confirming that the sourcing strategy will satisfy the delivery strategy; and
    14. Obtaining approvals from the appropriate personnel designated to approve sourcing strategies.

 

 




1.5.2 Sourcing Execution

The purpose of “Sourcing Execution” is to conduct the specific sourcing
activities to establish or modify commercial relationships with Actors.

 

Sourcing Execution includes the following activities:



1. Obtaining and reviewing sourcing strategies;
2. Preparing for and initiating activities related to contracts or services to be renewed, re-competed or restructured;
3. Developing transaction structures;
4. Developing transaction-based organizational structures and teams;
5. Developing communication requirements and providing to the applicable Process owner(s);
6. Preparing requirements packages that define the products and/or services to be sourced;
7. Soliciting and reviewing supplier proposals in response to requirements packages;
8. Using an appropriate mix of objective and subjective measures to determine entities that best meet the specified requirements;
9. Negotiating statements of work, implementation solutions, Service Level Agreements, pricing and business terms, including other operational, financial, regulatory or legal aspects relevant to transactions;
10. Preparing and negotiating contractual documents;
11. Obtaining approvals from the appropriate personnel designated to approve sourcing transactions; and
12. Executing contractual documents.

1.5.3 Sourcing Approval

The purpose of “Sourcing Approval” is to perform those activities necessary to
evaluate and approve new commercial arrangements and changes to existing
commercial arrangements.

 

Sourcing Approval includes the following activities: 





 

 

 

 




1. Confirming that sourcing transactions are sufficient and appropriately balance stakeholder needs and constraints, including with respect to timing and overall solution;
2. Confirming that sourcing transactions satisfy the delivery and sourcing strategies, and are otherwise reasonable;
3. Confirming that the costs and benefits of sourcing transactions meet the requisite hurdles, including those for investment approval;
4. Confirming that the appropriate risk analyses have been performed and the identified risks are adequately mitigated and in line with the applicable standards;
5. Confirming that the organizational impact of sourcing transactions has been appropriately considered, including as it pertains to Clients;
6. Obtaining stakeholder buy-in for sourcing transactions; and
7. Obtaining approvals from the appropriate personnel designated to approve sourcing transactions.

1.6 IT Finance

1.6.1 Financial Control

The purpose of “Financial Control” is to identify, measure, accumulate, analyze,
prepare, interpret and communicate IT-based financial and related information.

 

Financial Control includes the following activities:



1. Establishing financial policies and formulating financial plans that will subsequently be expressed in financial terms;
2. Providing guidance for financial management decisions, including the generation, analysis, presentation and interpretation of various financial and other related information;
3. Contributing to the monitoring and control of financial performance through the provision of reports, analysis and interpretation of such reports, and the implementation of financial controls;

 

 

 


4. Contributing to periodic reporting of accounting as required by statute or regulation for shareholders, government agencies and other parties external to the business;
5. Obtaining and reviewing relevant financial and other related information for all Actors; and
6. Reporting financial issues, concerns and risks to the applicable Process owner(s).

1.6.2 Budgeting and Forecasting

The purpose of “Budgeting and Forecasting” is to (a) develop a comprehensive IT
budget, including funding allocations and expense constraints, (b) establish a
framework for operational units of Internal Actors to track and manage against
their respective budgets, including capital and operational budgets, and (c)
forecast future budget requirements.

 

Budgeting and Forecasting includes the following activities:



1. Determining IT budgets and how such budgets will be allocated across each Actor’s various operational units, including:
    (a) Developing, maintaining and disseminating budget guidelines and parameters (e.g., standards, frameworks, timelines and other principles), which guidelines and parameters are intended to govern the creation and management of budgets;
    (b) Providing assistance to Internal Actors in developing budgets;
    (c) Collecting and compiling each Actor’s budgets;
    (d) Reviewing and confirming that Actor-developed budgets comply with the relevant budget guidelines and parameters, and advising Actors of discrepancies; and
    (e) Obtaining approvals from the appropriate personnel designated to approve budgets;
2. Measuring and reporting on actual financial performance as compared to the budget; and
3. Forecasting and reporting future budget performance.

 

 

 


1.6.3 Allocation and Chargeback

The purpose of “Allocation and Chargeback” is to use resource accounting, cost
allocation, and chargeback systems to accurately and equitably allocate the cost
of IT services to Clients.

 

Allocation and Chargeback includes the following activities:



1. Understanding the scope of services provided by each Actor and the associated pricing or costs;
2. Understanding the services and charges included within the Service Catalog and working with the applicable Process owner(s) of Service Catalog Management to revise such charges when warranted;
3. Obtaining and analyzing IT service consumption information by relevant Client or other grouping;
4. Assigning IT service costs to appropriate financial organizational groups (e.g., cost centers); and
5. Implementing and administering a chargeback system that records, allocates and communicates IT service costs in an understandable, controllable manner.

1.6.4 Invoice Review

The purpose of “Invoice Review” is to confirm that invoices submitted by Actors
and other IT-based suppliers are proper and accurate.

 

Invoice Review includes the following activities:



1. Obtaining invoices from Actors and other suppliers;
2. Reviewing invoices to confirm they are:
    (a) Not previously paid or in the process of being paid;
    (b) For goods and services that were approved to be purchased;
    (c) For the correct amounts in the correct currencies;
    (d) Appropriately adjusted for available credits and/or rebates; and
    (e) Consistent with the terms of the underlying commercial arrangements;

 

 


3. Administering invoices that do not conform to expectations or that prompt questions, including:
    (a) Tracking the status of such invoices;
    (b) Communicating and working with the entities that rendered such invoices to determine the proper handling;
    (c) Obtaining suitably revised invoices or adequate additional information to enable the continuation of the invoice review process;
    (d) Rejecting invoices where suitably revised invoices or adequate additional information does not enable continuation of the invoice review process; and
    (e) Escalating invoices to the owner of Commercial Management and other personnel as appropriate when the invoice issuer will not cooperate with resolution of the issue or provide reasonably requested supporting information;
4. Verifying that the goods and services referenced on invoices were actually received and of the appropriate quantity and quality;
5. Coordinating with the appropriate personnel to properly identify invoices and answer questions regarding the invoices;
6. Assigning the applicable financial or other coding (e.g., cost center numbers) to invoices; and
7. Submitting invoices to the owner of Invoice Approval.

1.6.5 Invoice Approval

The purpose of “Invoice Approval” is to approve payment of reviewed invoices.

 

Invoice Approval includes the following activities:



1. Obtaining invoices from the owner of Invoice Review;
2. Reviewing invoices for proper coding and timely submission;
3. Confirming the appropriateness of payment of invoices;

 

 

 

 


4. Verifying that payment amounts match their corresponding invoices (as appropriately adjusted for available credits and rebates);
5. Obtaining approvals from the appropriate personnel designated to approve invoices; and
6. Submitting approved invoices to the owner of Invoice Payment.

1.6.6 Invoice Payment

The purpose of “Invoice Payment” is to pay approved invoices.

 

Invoice Payment includes the following activities:



1. Obtaining invoices from the owner of Invoice Approval; and
2. Issuing payment of invoices in the proper form (e.g., check, ACH, wire), currency and timeframe.

2 Service Management and Integration

2.1 Actor Management

2.1.1 Services Management

The purpose of “Services Management” is to collect, understand and communicate
to the applicable supply-side Process owner(s) of Service Delivery Management
the demands on the IT enterprise, to work with the applicable supply-side
Process owner(s) of Service Delivery Management, and to monitor and to evaluate
the manner in which the demands on the IT enterprise are being met.

 

Services Management includes the following activities:



1. Obtaining, organizing and validating the relevant drivers of demand for IT services by Clients and the IT environment in general from the applicable Process owner(s);
2. Gaining and maintaining a comprehensive understanding of:
    (a) How each Process owner delivers its IT services;
    (b) Actor performance from both objective (e.g., SLA) and subjective perspectives;

 

 

 

 


    (c) The appetite for risk in the enterprise as it relates to operational IT service delivery alternatives;
    (d) The scope of services provided by the applicable Actors (e.g., the Service Catalog) and the costs and benefits of ordering services within the existing scope, expanding or contracting the existing scope, or ordering services that are not currently in scope for a given Actor; and
    (e) Each applicable External Actor’s capabilities pertaining to its service delivery role both in the IT environment and for third parties receiving similar services from such External Actor;
3. Establishing and maintaining a close working relationship with the applicable Process owner(s) of Service Delivery Management;
4. Acting as an advocate for the demand side of the IT environment, Clients and the enterprise, including:
    (a) Providing relevant information to the applicable Process owner(s) of Service Delivery Management, including historical and institutional knowledge regarding the systems, data, configuration, organization, Clients, culture and preferences of the enterprise;
    (b) Establishing and communicating the demand-side service delivery expectations and demand drivers to the applicable Process owner(s) of Service Delivery Management; and
    (c) Enforcing accountability among the applicable Process owner(s) of Service Delivery Management for meeting the enterprise’s demands for action, quality, cooperation, urgency and improvement pertaining to the delivery of IT services consistent with the capabilities and broad commitments made by the applicable Process owner(s) of Service Delivery Management and other applicable service delivery Actors;

 

 

 


5. Taking the actions necessary with the applicable Process owner(s) of Service Delivery Management to minimize both the effect and number of instances of service-impacting Incidents on the enterprise;
6. Verifying that External Actor obligations regarding the External Actor personnel are fulfilled, including (when appropriate):
    (a) Screening the External Actor personnel consistent with the applicable policies before instituting such personnel within, or in support of, the IT and Client environments;
    (b) Reviewing the résumés of candidates submitted for review by External Actors, interviewing those selected for further review and providing feedback, including advice and consent;
    (c) Providing feedback, including advice and consent, to External Actors regarding their proposed changes to the then-current personnel fulfilling positions designated as key;
    (d) Validating that External Actors provide a sufficient number of personnel who possess the requisite education, skills and certification to provide the IT services; and
    (e) Advising External Actors of the need to remove certain of the External Actor personnel from providing IT services within or in support of the IT or Client environments;
7. Reviewing policy and procedure manual documentation that is developed and submitted by Actors for review and approval, including:
    (a) Requesting and obtaining feedback on such documentation by the applicable Process owner(s) and other personnel as appropriate; and
    (b) Providing feedback to the submitting Actors, including advice and consent;
8. Enforcing External Actor obligations regarding the use of subcontractors, including:

 

 


    (a) Obtaining and reviewing information from the applicable Process owner(s) regarding the performance of the subcontractors of External Actors;
    (b) Approving and rejecting External Actor requests to make changes to both its portfolio of approved subcontractors and scope of responsibilities to be subcontracted; and
    (c) Determining if previously approved subcontractors of an External Actor are no longer acceptable for use within or in support of the IT and Client environments, or parts thereof, and advising, as appropriate, the relevant Actor(s) and applicable Process owner(s) of Commercial Management;
9. Obtaining and reviewing documentation and other relevant information regarding deliverables produced by Actors, including requests by Actors for the acceptance of deliverables, and providing feedback, including advice and consent when appropriate to the relevant Actor(s) and applicable Process owner(s);
10. Attending IT service delivery-related meetings, both recurring and ad hoc, including those where the applicable Process owner(s) of Service Delivery Management may also be present, and providing input, including (when appropriate):
    (a) Making recommendations;
    (b) Providing historical, Client or other information regarding the IT environment and the enterprise;
    (c) Countermanding decisions by other Process owner(s), including those of Service Delivery Management; and
    (d) Waiving an Actor’s SLA obligations;
11. Verifying that the applicable Process owner(s) of Service Delivery Management follow through with their short- to long-term service delivery commitments;
12. Articulating the short- to long-term results of a comprehensive set of service delivery characteristics to the applicable Process owner(s), the enterprise and other personnel, as appropriate, including the:

 

 

 


    (a) Status, activities and timeframes regarding noteworthy Incidents and Problems, both ongoing and resolved;
    (b) Type, duration and purpose of IT change that will impact the enterprise;
    (c) Performance and financial shortfalls of service delivery Actors; and
    (d) Delivery and integration shortcomings of service delivery Actors (e.g., management, knowledge, personnel, process, organization, culture, tools);
13. Escalating issues that cannot be reasonably resolved with the applicable Process owner(s) of Service Delivery Management to the applicable Process owner(s) or other appropriate personnel; and
14. Attending Actor disagreement and dispute forums regarding matters pertaining to IT service delivery.

2.1.2 Incident Oversight

The purpose of “Incident Oversight” is to oversee, inform and communicate to the
applicable Process owner(s) of Incident Management and other Processes the
relevant preferences for resolving Incidents, work with the applicable Process
owner(s) of Incident Management to plan for, monitor and evaluate the manner in
which Incidents are addressed and, if necessary, to take over various
operational roles pertaining to the handling of an Incident.

 

Incident Oversight includes the following activities:



1. Gaining and maintaining a comprehensive understanding of each delivery Actor’s role as it pertains to the management and resolution of Incidents, including, for the Process owner(s) of Incident Management and Incident Management Execution, their relevant methodologies, processes and tools;
2. Establishing and maintaining a close working relationship with the applicable Process owner(s) of Incident Management and Incident Management Execution;
3. Acting as an advocate for the demand side of the IT environment, Clients and the enterprise; including:

 

 

 




 

  

    (a) Gaining and maintaining an understanding of the perspectives and preferences of Clients, the enterprise and IT leadership regarding the handling of Incidents;
    (b) Establishing and communicating the demand-side Incident resolution expectations to the applicable Process owner(s), including Incident Management;
    (c) Providing information to the applicable Process owner(s) of Incident Management regarding notices to be issued regarding Incidents; and
    (d) Enforcing accountability among the applicable Process owner(s) of Incident Management and other relevant Processes for meeting the enterprise’s demands for action, quality, cooperation and urgency pertaining to the management and resolution of Incidents;
4. Overseeing all Incidents across their lifecycles, including:
    (a) Gaining information about Incidents from the applicable Process owner(s) of Incident Management, Incident Management Execution and other relevant Processes, including attending recurring or ad hoc meetings where Incidents are being discussed;
    (b) Obtaining and evaluating information regarding the management and resolution of Incidents, including the personnel and other resources assigned to specific Incidents;
    (c) Obtaining and providing available information (e.g., historical, Client) regarding the IT environment and the enterprise that is reasonably requested by the applicable Process owner(s) of Incident Management or that could be of importance to the resolution of Incidents by the applicable Process owner(s) of Incident Management, Incident Management Execution and other Processes;

 

 

 




    (d) Acting as an intermediary between the applicable Process owner(s) of Incident Management and the applicable internal personnel of the enterprise (e.g., Clients, IT leadership, other Process owners) to facilitate temporary change in resource allocation, policy or requirements to help mitigate the impact of an Incident;
    (e) Reviewing proposed Incident resolution solutions and providing input and preferences to the Process owner(s) of Incident Management;
    (f) Requesting alternative Incident resolution solutions from the Process owner(s) of Incident Management when proposed solutions do not meet the needs and preferences of Clients, the enterprise or IT leadership;
    (g) Mandating specific actions and/or solutions to be implemented by the Process owner(s) of Incident Management in response to an Incident;
    (h) Waiving an Actor’s SLA obligations;
    (i) Evaluating the effectiveness of the applicable Process owner’s(s’) performance of Incident Management and other Processes as it pertains to an Incident and, when deemed warranted, taking control of Incident Management and/or other Processes as necessary for such Incident;
    (j) Declaring disasters in the IT environment and setting in motion the applicable components of the ITBCP and/or the equivalent for External Actors; and
    (k) Providing informative updates regarding the resolution of Incidents to the Process owner(s) of Services Management for communication to the applicable personnel; and
5. Escalating issues that cannot be reasonably resolved with the applicable Process owner(s) of Incident Management to the applicable Process owner(s) or other appropriate personnel.

 

 

 

 


2.1.3 Commercial Management

The purpose of “Commercial Management” is to manage the commercial aspects of
relationships with External Actors so that the underlying arrangements are in
line with the needs of the IT environment.

 

Commercial Management includes the following activities:

1. Understanding all aspects of the then-current contractual agreements with External Actors;
2. Serving as the primary point of contact for Internal Actors for the interpretation and modification of contractual agreements with External Actors;
3. Managing and administering contractual agreements with External Actors, including:
    (a) Reviewing the circumstances regarding an External Actor’s rejection of requests for service where the pricing and other terms are already specified in such Actor’s service agreement, and working with the applicable Actor to resolve such matters;
    (b) Tracking and providing the requisite notices and other contract-based information to the applicable Actors;
    (c) Tracking and reporting actual costs incurred against contractual commitments;
    (d) Monitoring and verifying performance with respect to all Actor obligations;
    (e) Obtaining budgets and budget projections in the appropriate format;
    (f) Validating the assessment, calculation and payment of credits related to service level failures and other types of credits and rebates;
    (g) Validating the assessment, calculation and payment of variable unit rate charges and adjustments (e.g., ARCs, RRCs and actual volumes versus baseline volumes);
    (h) Monitoring and validating COLA adjustments;

 

 

 




    (i) Reviewing and negotiating to conclusion the proposed contract changes of External Actors to implement requested change to the IT environment or IT services;
    (j) Reviewing the outcomes of dispute-based processes, forums and committees, and developing and negotiating to conclusion the corresponding contract changes (if any) to implement the agreed-to changes;
    (k) Revising service agreements with Actors to reflect properly authorized changes in scope, services, service levels and other conditions; and
    (l) Monitoring and reporting on expiring contracts and contracts intended to be renewed, re-competed or restructured;
4. Recording the decisions and accommodations made with respect to External Actors and providing such information to the applicable Process owner(s);
5. Inspecting, examining and auditing the systems, records, data, practices and procedures of External Actors used in rendering IT services or pertain to IT services (e.g., invoices for services, allocation of credits, determination of costs, asset counts, regulatory compliance, service level reports, number of personnel or FTE, quality and skill sets of personnel, personnel turnover rates, service continuity plans, procedure manuals);
6. Identifying, documenting, and reporting instances of External Actor noncompliance with standards or contracted terms to the applicable Process owner(s) and other personnel as appropriate;
7. Attending all Actor disagreement and dispute forums and presiding over those of a commercial nature; and
8. Performing the oversight and administrative functions associated with Third Party Contract Managers, including:
    (a) Providing the applicable notices regarding the addition or removal of Third Party Contracts from the pool(s) of such contracts to be managed by Third Party Contract Managers;

 

 

 


    (b) Developing and promulgating the commercial policies and standards to be enforced and performed by Third Party Contract Managers;
    (c) Developing and promulgating the guidelines for Third Party Contract Managers to use in negotiating, documenting, implementing and revising Third Party Contracts, including, as applicable, providing or reviewing contract templates;
    (d) Reviewing the strategic and operational plans of Third Party Contract Managers pertaining to the management of Third Party Contracts, and providing feedback, including advice and consent;
    (e) Reviewing the supplier selection processes and negotiation strategies of Third Party Contract Managers and providing feedback, including advice and consent;
    (f) Issuing orders to Third Party Contract Managers to revise the terms of a Third Party Contract (e.g., scope, performance, pricing, commercials) and appropriately reviewing and approving such modifications;
    (g) Reviewing the assessments and recommendations of Third Party Contract Managers pertaining to poorly performing Third Party Contracts and providing feedback, including advice and consent; and
    (h) Reviewing reports developed by Third Party Contract Managers showing the Third Party Contracts with upcoming term-based events (e.g., renewal, expiration) and providing feedback regarding the desired outcome for each.

2.1.4 Actor Integration

The purpose of “Actor Integration” is to integrate the non-technical aspects of
Actors into a cohesive IT service delivery fabric that is prepared with adequate
knowledge of the traditions, customs and policies of the IT environment and
Client perception of the IT services.

 

Actor Integration includes the following activities:



 

 

 




1. Obtaining from the applicable Process owner(s) (e.g., IT Management, Client Relations), Clients, Actors and other personnel as appropriate, insight and information regarding the fit of Actors and their personnel within the enterprise and the IT environment;
2. Providing Actors with the information necessary to operate within the IT environment in an informed manner, including the:
    (a) Relevant policies, procedures and standards;
    (b) Roles and responsibilities of all Actors;
    (c) Leadership and governance structures, including the assignment and manner of enforcement of decision rights;
    (d) Cultural norms of the IT environment and the relevant similar aspects of the enterprise;
    (e) Business(es) of the enterprise, including its general drivers, risks, direction, priorities, concerns and trends; and
    (f) Confidentiality requirements of each Actor as it pertains to other Actors needing to access its owned or managed facilities and resources;
3. Providing External Actors with the applicable information (e.g., policies, procedures, controls, regulatory requirements, standards, guidelines) regarding:
    (a) Accessing the networks or facilities in the IT and Client environments;
    (b) Screening of External Actor personnel as required, including the collection of relevant biometric data (e.g., fingerprints, retina scans) before such personnel perform IT services within, or in support of, the IT or Client environments;
    (c) Off-boarding of External Actor personnel, including, as applicable, the return of security badges, keys and confidential information, and terminating access privileges to systems and data within the IT and Client environments;
    (d) Subcontracting; and

 

 

 

 


    (e) Accessing, using and managing Client information;
4. Informing Actors of the expectations regarding their assimilation into the non-technical aspects of the IT environment; including the:
    (a) Mechanisms to be used in evaluating such assimilation; and
    (b) Methods by which issues occurring between Actors are expected to be resolved;
5. Facilitating communication, role clarity and non-technical process definition between and among Actors, certain strategic Internal Actor Process owners, Clients and other personnel as appropriate, including:
    (a) Maintaining updated contact information for the relevant personnel associated with all Actors, relevant Client personnel and other personnel as appropriate; and
    (b) Maintaining current organizational information for the IT environment and the enterprise;
6. Establishing methods and forums in which Actors can exchange information and ideas to:
    (a) Enhance the camaraderie among the personnel of all Actors; and
    (b) Improve the mechanisms used to keep Actors informed of relevant changes;
7. Obtaining, analyzing and, as appropriate, sharing with Actors, information from Clients regarding relevant Actor characteristics (e.g., stakeholder satisfaction surveys);
8. Providing a forum for the resolution of disagreements and disputes among Actors and between Actors and Clients, including acting as a central point of contact for:
    (a) Registering Actor and Client disagreements and disputes;
    (b) Scheduling Actor disagreement and dispute forums and informing Actors, Clients and other personnel of their need to participate in such forums;

 

 

 


    (c) Requesting Actors to provide information and resources in advance of or during Actor disagreement and dispute forums to help facilitate orderly, efficient and valuable analysis and discussions; and
    (d) Publishing the outcomes from Actor disagreement and dispute forums to the applicable Actors, Process owner(s), Clients and other personnel; and
9. Attending all Actor disagreement and dispute forums and presiding over those that are not of a commercial nature.

2.2 Portfolio Management

2.2.1 Service Catalog Management

The purpose of “Service Catalog Management” is to develop and maintain a
complete list of the IT services offered to Clients.

 

Service Catalog Management includes the following activities:



1. Developing, documenting and communicating policy regarding the content to be maintained within the Service Catalog;
2. Producing and maintaining a Service Catalog and its contents, in alignment with the applicable Processes;
3. Defining, for each item listed in the Service Catalog the relevant information, including:
    (a) A description of the service;
    (b) The expected timeframe or service level for fulfilling the service;
    (c) Who is entitled to request the service;
    (d) The charge (if any) of obtaining the service; and
    (e) How to order the service, including the required approvals; and
4. Interacting with the applicable Process owner(s) to obtain insight into changes to be incorporated in the Service Catalog.

 

 


2.2.2 Performance Management

The purpose of “Performance Management” is to develop a performance regime that
provides systems of measurement for IT services.

 

Performance Management includes the following activities:



1. Obtaining the performance requirements, including through discussions with the applicable Process owner(s) of Client Relations, Services Management, Incident Oversight, Service Delivery Management, Commercial Management and Actor Integration;
2. Developing performance measures and associated levels to help meet the business requirements of Clients and to help verify that the IT environment functions as designed;
3. Developing performance terms to be included in SLAs (e.g., performance reporting, changes to measures and levels, financial and non-financial implications of non-performance) and providing such information to the applicable Process owner(s);
4. Developing SLAs for the:
    (a) IT service responsibilities of Actors; and
    (b) IT services to be provided to Clients;
5. Developing, maintaining and analyzing stakeholder satisfaction surveys (e.g., IT executives, Client executives, Client end users) designed to understand the extent to which the services of IT or a specific Actor are meeting the needs;
6. Reviewing Actor-developed plans to resolve shortcomings identified by stakeholder satisfaction surveys and related mechanisms, and providing feedback to the applicable Process owner(s), including Services Management and, as appropriate, the relevant Actors and Clients;
7. Assessing various technologies, products and services related to the management of performance-based information;
8. Establishing and promulgating requirements for performance measurement, reporting and integration;

 

 

 


9. Obtaining performance reports, including:
    (a) SLA reporting from the applicable Process owner(s), including Service Level Management; and
    (b) Quality control reviews performed by the applicable Process owner(s);
10. Reviewing performance reports to identify performance and quality shortfalls, trends and other information of value to the performance regime, Actors or other Process owners, including:
    (a) Verifying the correct calculation of incentive and disincentive payments/credits;
    (b) Validating the information provided and comparing such information with Client-perceived experience; and
    (c) Verifying that adequate quality control reviews are performed by the applicable Process owner(s) and that the results of such reviews are captured, analyzed and used by the Process owner(s) to implement the necessary corrective action(s);
11. Discussing performance results and reporting with the applicable Process owner(s), including those of Service Level Management, to understand the underlying issues, problems and shortfalls and, to the extent applicable, commitments by Actors to resolve such matters;
12. Developing recommendations regarding the acceptance or waiver of specific service level credits;
13. Identifying SLA-enabled changes (e.g., re-balancing the allocation of service level credits, changing the portfolio of critical service levels, adding/deleting service measures) to Actor-specific performance requirements to help achieve the desired outcomes; and
14. Developing and publishing reports and recommendations for the applicable Process owner(s) to discuss, as appropriate, performance related matters with Actors and Clients, including changes to be made to SLAs, stakeholder satisfaction surveys and quality control reviews.

 

 

 




2.2.3 Benchmarking

The purpose of “Benchmarking” is to determine performance characteristic
differences between those produced by the IT environment and other applicable
operations and standards.

 

Benchmarking includes the following activities:

 

1. Maintaining knowledge of the relevant geographic-, Client- and industry-specific measurements and associated standards;
2. Identifying the appropriate performance measures (e.g., operational, financial, organizational) to be benchmarked;
3. Advising the applicable Process owner(s) of the information required to be provided for benchmarking purposes;
4. Obtaining and reviewing the relevant IT environment performance results;
5. Determining the most appropriate manner to perform benchmarkings;
6. Performing benchmarking exercises, including, to the extent applicable, providing appropriate oversight of external benchmarking specialists; and
7. Analyzing and reporting the results of benchmarking exercises to the applicable Process owner(s).

2.2.4 (a) Knowledge Oversight

The purpose of “Knowledge Oversight” is to develop and document the objectives and policies to guide the development and execution of Knowledge Management and to monitor and encourage Actor contribution and use of Knowledge Management processes and tools.

2.2.4 (b) Knowledge Management

The purpose of “Knowledge Management” is to gather information regarding the IT
and Client environments and the IT services and make such information available
to the applicable Process owner(s) for reuse, awareness and learning across the
IT environment, and to cause institutional knowledge to be documented and
retained.

 

Knowledge Management includes the following activities:



 

 






1. Based on objectives and policies provided by Knowledge Oversight, developing plans for identifying, retaining and increasing institutional knowledge of the IT environment;
2. Assessing various technologies, products and services related to the management of knowledge, including the storage, update and accessibility of knowledge;
3. Establishing a uniform set of practices, methodologies and tools for the preservation of IT and Client knowledge, including:
    (a) Making knowledge of the IT and Client environments and IT services available, as appropriate, to those requiring such information to perform their designated roles;
    (b) Preserving organizational memory and decision-making;
    (c) Leveraging the knowledge and expertise of Actors and their personnel to facilitate organizational learning and innovation;
    (d) Preserving and managing knowledge in the workforce (e.g., the expertise and know-how possessed by certain individuals), including when key personnel retire, when functions are sourced from one Actor to another, and when personnel shift to other positions or pursue other employment opportunities; and
    (e) Obtaining appropriately approved updates to IT policies and procedures from all Process owners and Actors and maintaining a library of such information on a current and historical basis;
4. Causing lessons learned and best practices to be appropriately captured after operational events (e.g., Incidents, Problems, changes); and
5. Establishing and managing the channels through which knowledge flows (e.g., town hall meetings, round-table discussions, mentoring programs), and key attributes of such flows (e.g., processes, timeframes, format, media).

2.3 Domain Architecture

 

 

 


2.3.1 Information Architecture Development

The purpose of “Information Architecture Development” is to design the
Information Architecture so as to enable a common, shared, distributed, accurate
and consistent data resource, including through (a) the design of data models
and databases that serve the applicable participants, and (b) the development of
strategies, standards and policies required to develop and implement such models
and databases.

 

Information Architecture Development includes the following activities:



1. Developing high-level Information Architecture alternatives that comply with the Enterprise Architecture and selection criteria (e.g., cost, performance, complexity, risk) and selecting the best choice from among the alternatives, including:
    (a) Identifying benefits, potential risks and mitigating responses for each alternative; and
    (b) Documenting the rationale for using each alternative;
2. Selecting Information Architecture alternatives that best satisfy the selection criteria, including:
    (a) Evaluating each alternative against the selection criteria;
    (b) Assessing, based on the evaluation of the alternatives, the adequacy of the selection criteria and updating these criteria as necessary; and
    (c) Identifying and resolving issues with the alternatives and requirements;
3. Completing, based on the selected Information Architectures, Information Architecture deliverables defined by the applicable Process owner(s) of Enterprise Architecture Development, which may include:
    (a) Architecture-level deliverables (e.g., vision statement, industry best practices);
    (b) Conceptual-level deliverables (e.g., conceptual data models, high-level use cases, high-level event process models, data entity-process relationship models);

 

 

 




    (c) Solution-level deliverables (e.g., logical data model, detailed event process models, package evaluation criteria, data attribute-process relationship models); and
    (d) Implementation-level deliverables (e.g., database design, presentation layer design, designed application modules); and
4. Reviewing and updating the Information Architecture as required or in response to new technologies or as directed by the applicable Process owner(s) of Enterprise Architecture Development.

2.3.2 Application Architecture Development

The purpose of “Application Architecture Development” is to design the
Application Architecture, including the data and business process models to
reflect applications, that will (a) simplify and facilitate the work activities
of the applicable Client processes, (b) specify the requirements of information
storage and retrieval required to accommodate the applicable objectives, and (c)
appropriately address geographic considerations and how the information will be
used.

 

Application Architecture Development includes the following activities:

 

1. Developing high-level Application Architecture alternatives that comply with the Enterprise Architecture and selection criteria (e.g., cost, performance, complexity, risk) and selecting the best choice from among the alternatives, including:
    (a) Identifying benefits, potential risks and mitigating responses for each alternative; and
    (b) Documenting the rationale for using each alternative;
2. Selecting Application Architecture alternatives that best satisfy the selection criteria, including:
    (a) Evaluating each alternative against the selection criteria;
    (b) Assessing, based on the evaluation of the alternatives, the adequacy of the selection criteria and updating these criteria as necessary; and

 

 

 


 

 

    (c) Identifying and resolving issues with the alternatives and requirements;
3. Completing, based on the selected Application Architectures, Application Architecture deliverables defined by the applicable Process owner(s) of Enterprise Architecture Development, which may include producing:
    (a) Architecture-level deliverables (e.g., vision statement, industry best practices);
    (b) Conceptual-level deliverables (e.g., high-level application design, major business process diagrams, high-level event process models);
    (c) Solution-level deliverables (e.g., application system evaluation documentation, middleware design diagrams and solution requirements, detailed event process models); and
    (d) Implementation-level deliverables (e.g., distributed systems diagram, application - server mapping diagram); and
4. Reviewing and updating the Application Architecture as required or in response to new applications or as directed by the applicable Process owner(s) of Enterprise Architecture Development.

2.3.3 Infrastructure Architecture Development

The purpose of “Infrastructure Architecture Development” is to design the
Infrastructure Architecture, including identifying the technology platforms that
will link the Information Architecture and the Application Architecture, and
define operational and performance attributes, including backup, redundancy and
availability in accordance with industry best practices and Client requirements.

 

Infrastructure Architecture Development includes the following activities:

 

1. Developing high-level Infrastructure Architecture alternatives that comply with the Enterprise Architecture and selecting the best choice from among the alternatives, including:

 

 


    (a) Identifying benefits, potential risks and mitigating responses for each alternative; and
    (b) Documenting the rationale for using each alternative;
2. Selecting Infrastructure Architecture alternatives that best satisfy the selection criteria, including:
    (a) Evaluating each alternative against the selection criteria;
    (b) Assessing, based on the evaluation of the alternatives, the adequacy of the selection criteria and updating these criteria as necessary; and
    (c) Identifying and resolving issues with the alternatives and requirements;
3. Completing, based on the selected Infrastructure Architectures, the Infrastructure Architecture deliverables defined by the applicable Process owner(s) of Enterprise Architecture Development, which may include producing:
    (a) Architecture-level deliverables (e.g., vision statement, IT industry best practices);
    (b) Conceptual-level deliverables (e.g., high-level technology design, major business process diagrams, high-level event process models);
    (c) Solution-level deliverables (e.g., system technology evaluation documentation, network topology diagram); and
    (d) Implementation-level deliverables (e.g., Client location map, server location map, object expected/maximum volume requirements); and
4. Reviewing and updating the Infrastructure Architecture as required or in response to new technologies or as directed by the applicable Process owner(s) of Enterprise Architecture Development.

 

 

 




2.3.4 Security Architecture Development

The purpose of “Security Architecture Development” is to design the Security
Architecture, including the plans, principles and specifications that describe
(a) the security services that a system is required to provide to address the
security policies, (b) the technologies required to implement such security
services, and (c) the performance levels and configurations required of such
technologies and services.

 

Security Architecture Development includes the following activities:



1. Developing Security Architecture alternatives that comply with the security policies and the Enterprise Architecture and selection criteria (e.g., cost, performance, complexity, risk) and selecting the best choice from among the alternatives, including:
    (a) Identifying benefits, potential risks and mitigating responses for each alternative; and
    (b) Documenting the rationale for using each alternative;
2. Selecting Security Architecture alternatives that best satisfy the selection criteria, including:
    (a) Evaluating each alternative against the selection criteria;
    (b) Assessing, based on the evaluation of the alternatives, the adequacy of the selection criteria and updating these criteria as necessary; and
    (c) Identifying and resolving issues with the alternatives and requirements;
3. Completing, based on the selected Security Architectures, the Security Architecture deliverables defined by the applicable Process owner(s) of Enterprise Architecture Development, which may include producing:
    (a) Architecture-level deliverables (e.g., vision statement, industry best practices);
    (b) Conceptual-level deliverables (e.g., high-level technology design, major business process diagrams, high-level event process models);

 

 


    (c) Solution-level deliverables (e.g., system technology evaluation documentation, network topology diagram); and
    (d) Implementation-level deliverables (e.g., Client location map, server location map, object expected/maximum volume requirements); and
4. Reviewing and updating the Security Architecture as required, in response to uncovered threats, or as directed by the applicable Process owner(s) of Enterprise Architecture Development.

2.4 Process Architecture

2.4.1 Process Architecture Development

The purpose of “Process Architecture Development” is to define the framework
that will guide process development for Process groupings 1.3 (Enterprise
Architecture) and 2.3 (Domain Architecture) through 3.14 (Project Management)
for the applicable Process owners and promulgate specific linkages between and
among such Processes.

 

Process Architecture Development includes the following activities:



1. Maintaining an awareness of the work of the relevant best practice
organizations and standards bodies;

2. Assessing various technologies and products related to the management of IT
processes;

3. Understanding the then-current process configuration of the IT environment,
its levels of performance and its compliance with the process architecture;

4. Understanding the needs of those who will receive the outcomes of the
Processes (e.g., interaction, information, speed, location, quality, cost);

5. Providing instructions, objectives, guiding principles, performance levels,
templates, toolsets, standards and other related information to enable the
applicable Process owner(s) to develop linkages to other Processes;

6. Performing an advise and consent role with respect to Actors’ process
development work; and

 

 

 


7. Defining, for use by the applicable Process owner(s), specific linkages
between and among various Processes (e.g., inputs, outputs, sequence, flow).

2.5 Standards

2.5.1 Standards Policies Establishment

The purpose of “Standards Policies Establishment” is to develop, document and
maintain a set of guiding principles for the development or adoption of
technical specifications, practices and procedures.

 

Standards Policies Establishment includes the following activities:



1. Determining the requirements (e.g., Client, regulatory, security, audit,
contractual) and factors (e.g., Internal Client business relationships) on
which the policies will be based;

2. Maintaining a repository of the current and historical policies and
exceptions, and the underlying supporting material on which they were derived;

3. Identifying and developing policies, including guidelines for exceptions to
standards;

4. Establishing timelines for the development or adoption, review and
maintenance of standards;

5. Instructing the owner of Standards Development with respect to the content,
adoption criteria, timing and quality expectations of standards; and

6. Identifying and establishing policies for measuring compliance with
standards.

2.5.2 Standards Development

The purpose of “Standards Development” is to develop, identify for adoption,
document and maintain standards in accordance with the applicable policies.

 

Standards Development includes the following activities: 

1. Obtaining the policies, exceptions and guiding principles from the
applicable Process owner(s) of Standards Policies Establishment;

 

 

 


2. Identifying the applicable criteria on which the development of standards
will be based;

3. Maintaining ongoing knowledge of the relative components of the relevant
marketplace, including the manufacturers, their goods, and the performance of
such goods in similar environments;

4. Obtaining information as required to develop standards, including
information promulgated by the applicable Process owner(s) of Enterprise
Architecture and Domain Architecture;

5. Developing standards and documenting the factors on which such standards
were based, including, as appropriate, alternatives considered and the
rationale for the decisions;

6. Providing standards and supporting material to the applicable Process
owner(s) of Standards Approval;

7. Reviewing and revising standards based on new factors, new policies and
requests for modification from the applicable Process owner(s) of Standards
Policy Establishment and/or Standards Approval; and

8. Publishing approved standards to the applicable Process owner(s).

2.5.3 Standards Approval

The purpose of “Standards Approval” is to perform the activities necessary to
evaluate and approve proposed standards developed by Standards Development.

 

Standards Approval includes the following activities:



1. Confirming that the proposed standards:

(a) Comply with the requirements of the Enterprise Architecture;

(b) Comply with the requirements of the relevant Domain Architecture(s);

(c) Comply with the policies established by the applicable Process owner(s) of
Standards Policies Establishment;

(d) Meet the underlying business requirements; and

 

 

 


(e) Do not create operational or technical conflicts with other standards;

2. Advising the applicable Process owner(s) of Standards Development of
proposed standards that are not accepted and providing information regarding
why such conclusions were reached and/or the types of changes required to be
made;

3. Obtaining approvals from the appropriate personnel designated to approve
standards; and

4. Communicating, when warranted, approval of proposed standards to the
applicable Process owner(s) of Standards Development.

2.5.4 Standards Audit

The purpose of “Standards Audit” is to determine the extent to which standards
have not been followed.

 

Standards Audit includes the following activities: 

1. Maintaining a complete listing of current and historical standards;

2. Developing methods for auditing compliance with standards, including
addressing the measurement policies developed by Standards Policies
Establishment;

3. Measuring noncompliance with the applicable standards;

4. Identifying, documenting, and reporting instances of noncompliance with
standards to the offending Process owners and other personnel as appropriate;
and

5. Escalating, as applicable, noncompliance with standards to the applicable
Process owner(s) and other personnel as appropriate.

2.6 Solution Requirements

 

 

 




2.6.1 Business Requirements Documentation

The purpose of “Business Requirements Documentation” is to document business
requirements (e.g., inputs, outputs, scheduling, performance).

 

Business Requirements Documentation includes the following activities:



1. Identifying stakeholders and documenting their needs, expectations and
constraints (including quality, schedule and cost);

2. Documenting business drivers and relevant business interfaces, including
those that are internal and external to the enterprise, as well as those that
are automated and manual;

3. Documenting schedule and business case requirements;

4. Transforming expressed stakeholder needs, expectations, constraints, and
interfaces into documented business requirements; and

5. Providing business requirements to the applicable Process owner(s) of
Solution Integration.

2.6.2 Security Requirements Development

The purpose of “Security Requirements Development” is to analyze business and
security requirements and refine them to a sufficient level of detail so that
solutions can be developed.

 

Security Requirements Development includes the following activities:



   

1.         Obtaining, reviewing and analyzing business and security requirements
from the applicable Process owner(s) of Business Requirements Documentation and
solution requirements from the applicable Process owner(s) of Security
Oversight, Security Policy Development, Security Operations and Security
Analysis;

   

2.         Establishing and maintaining required capabilities lists;



   

3.         Analyzing and quantifying functional capabilities required by
Clients;





 

 

 






   

4.         Analyzing and quantifying non-functional capabilities required by
Clients (e.g., availability, performance, adaptability to change, re-use); and

   

5.         Establishing solution requirements, including:

   

(a)       Specifying required alignment with the reference Security
Architecture(s), approved standards and risk mitigation objectives;

   

(b)      Developing technical requirements for solution design;

   

(c)      Identifying system interface requirements, both internal and external
to such solutions;

   

(d)     Developing functional, performance, maintenance, support and disposal
concepts, and scenarios;

   

(e)      Defining environments in which solutions will operate, including
boundaries and constraints;

   

(f)       Documenting and providing technical requirements and associated
material to the applicable Process owner(s); and

(g)       Revising technical requirements based on feedback from the applicable
Process owner(s), including the Process owner(s) of Security Solution
Development, Security Operations and Security Analysis.

2.6.3 Solution Integration

The purpose of “Solution Integration” is to develop integrated solutions that
meet their respective business requirements.

 

Solution Integration includes the following activities:



1. Developing an approach to produce integrated solutions that are consistent
with the required level of quality, schedule and cost;



 

 




 

2. Developing solution requirements and constraints (e.g., technical,
financial, geographic, process) specific to business requirements, including
obtaining the External Compliance Requirements and feedback regarding risk and
control applicable to such business requirements from the applicable Process
owner(s) of Compliance Management and Risk Management;

3. Providing solution requirements and business requirements to the applicable
Process owner(s) of Technical Requirements Development;

4. Resolving development and integration issues pertaining to technical
requirements and solutions;

5. Reviewing solutions and interactions between solution components, and
confirming that overall solutions meet their respective underlying
requirements, including obtaining, as applicable, advice and consent from the
applicable Process owner(s);

6. Reviewing estimates provided by the applicable Process owner(s) of Resource
Estimation and confirming they contain the information necessary to develop the
required business cases and are otherwise reasonable;

7. Informing the applicable Process owner(s) of Solution Formation of errors or
required changes, including those pertaining to technical requirements,
solutions or sub-components of solutions and estimations;

8. Confirming that the costs and benefits of solutions meet the relevant
hurdles for investment approval;

9. Confirming that the risk profile of solutions are reasonable and in-line
with the relevant requirements; and

10. Consolidating solutions into comprehensive business cases, including the
applicable development of financial information, that describe the relevant
information necessary for the applicable Process owner(s) of Solution Approval
and other personnel as appropriate to make sound business decisions.

 

 

 


2.6.4 Security Solution Approval

The purpose of “Security Solution Approval” is to provide a final review of
solutions developed in response to security requirements or proposals presented
by Actors on an unsolicited basis and, as applicable, providing feedback,
including advice and consent.

 

Security Solution Approval includes the following activities:



1. Reviewing the applicable aspects of security solutions;

2. Confirming that the security solutions are consistent with their respective
security requirements;

3. Confirming that the applicable Process owner(s) of Risk Management and
Compliance Management find that each solution adequately addresses the
associated risks, controls and compliance requirements;

4. Confirming that the financial and other terms to implement each solution on
a commercial basis are either:

(a) Consistent with the then-current terms of the service agreement(s) with the
applicable External Actor(s) (i.e., no changes are necessary); or

(b) Negotiated and documented to the satisfaction of the applicable Process
owner(s) of Commercial Management and the applicable External Actor(s);

5. Advising the applicable Actors and Process owner(s) of Security Solution
Approval if changes to solutions, solution sub-components or commercial terms
are needed;

6. Obtaining approvals from the appropriate personnel designated for approving
solutions as and when appropriate; and

7. Communicating, when warranted, the final disposition (e.g., approved,
disapproved) of solutions to the applicable Actors, Process owner(s) and other
personnel as appropriate.

 

 

 


2.6.5 Solution Approval

The purpose of “Solution Approval” is to provide a final review of solutions
developed in response to business requirements or proposals presented by Actors
on an unsolicited basis and, as applicable, providing feedback, including advice
and consent.

 

Solution Approval includes the following activities:



1. Reviewing the applicable aspects of solutions and their respective business
cases;

2. Confirming that the business cases are consistent with their respective
business requirements;

3. Confirming that the applicable Process owner(s) of Risk Management and
Compliance Management find that each solution adequately addresses the
associated risks, controls and compliance requirements;

4. Confirming that the financial and other terms to implement each solution on
a commercial basis are either:

(a) Consistent with the then-current terms of the service agreement(s) with the
applicable External Actor(s) (i.e., no changes are necessary); or

(b) Negotiated and documented to the satisfaction of the applicable Process
owner(s) of Commercial Management and the applicable External Actor(s);

5. Advising the applicable Actors and Process owner(s) of Solution Integration
if changes to solutions, solution sub-components or commercial terms are
needed;

6. Obtaining approvals from the appropriate personnel designated for approving
solutions as and when appropriate; and

7. Communicating, when warranted, the final disposition (e.g., approved,
disapproved) of solutions to the applicable Actors, Process owner(s) and other
personnel as appropriate.

2.7 Service Management

 


2.7.1 Service Delivery Management

The purpose of “Service Delivery Management” is to manage the performance of
Actors to optimize the delivery of IT services.

 

Service Delivery Management includes the following activities:



1. Setting the service delivery expectations for Actors, including:

(a) Developing, documenting, disseminating and monitoring actions to be
implemented, including with regard to designated timeframe(s); and

(b) Discussing action compliance and noncompliance with the relevant Actors;

2. Coordinating work between and among Actors and Processes so that IT services
are performed appropriately, including establishing recurring and one-time
meetings;

3. Establishing and maintaining a close working relationship with the
applicable Process owner(s) of Services Management;

4. Coordinating with the applicable Process owner(s) of Services Management and
implementing directions provided by such Process owner(s);

5. Establishing frameworks for measuring Actor delivery and contribution to
optimized IT services;

6. Obtaining and analyzing information regarding the performance of Actors;

7. Developing recommended change in Actor responsibility and discussing such
changes with the applicable Process owner(s) and other personnel as
appropriate;

8. Developing proposed projects and initiatives based on strategic direction
provided by the applicable Process owner(s);

9. Advising Actors as to the extent to which their performance meets
expectations;

10. Addressing Actor performance issues on an ongoing basis (e.g., performance
trends, project delivery);

 

 


11. Reviewing proposed changes to Actor SLAs and providing feedback to the
applicable Process owner(s);

12. Providing feedback regarding Actor performance remediation requirements to
the applicable Process owner(s);

13. Obtaining and analyzing information from the applicable Process owner(s)
regarding expected future change to IT services and/or the IT environment and:

(a) Developing or modifying the appropriate strategies and activities necessary
to adequately address the required change, including making recommendations for
change in the allocation of Actor responsibility or change in the portfolio of
Actors;

(b) Obtaining the advice or approval of the appropriate personnel designated to
approve IT environment and IT service changes; and

(c) Implementing appropriately approved IT environment and IT service changes
by communicating such changes to the applicable Process owner(s); and

14. Attending Actor disagreement and dispute forums regarding matters
pertaining to service delivery.

2.7.2 Incident Management

The purpose of “Incident Management” is to direct the restoration of service in
response to Incidents, to minimize the adverse impact on Clients as a result of
Incidents, and to maintain the required levels of service.

 

Incident Management includes the following activities:



1. Defining the Incident management processes (e.g., detection, investigation,
diagnosis, escalation, notification, resolution, recovery, closure, reporting),
which are to include specification of the individuals to be involved in each
aspect of managing Incidents;

2. Establishing and maintaining a close working relationship with the
applicable Process owner(s) of Incident Oversight;

 


3. Reviewing the severity levels assigned to Incidents, and revising such
levels as appropriate;

4. Assessing service restoration plans to confirm development of comprehensive
solutions that take into account the relevant conditions, events and needs;

5. Reviewing Incident recovery actions developed by the applicable Process
owner(s) of Incident Management Execution and providing guidance as required;

6. Coordinating the roles and responsibilities of the Processes to be involved
in the resolution of Incidents, including, where appropriate, establishing
separate teams to concentrate on specific Incidents or sub-components of
Incidents;

7. Coordinating with the applicable Process owner(s) of Incident Oversight and
implementing directions provided by such Process owner(s);

8. Confirming the appropriate closure of Incidents;

9. Reviewing the process models and/or workflows developed by the applicable
Process owner(s) of Incident Management Execution for pre-defined Incidents
(e.g., recurring Incidents, Incidents requiring special handling) and providing
guidance as required;

10. Conducting Incident management review meetings with the applicable Process
owner(s), Clients and other personnel as appropriate; and

11. Identifying Process owners and Clients requiring training to reduce the
number of Incidents, detect Incidents earlier and restore normal service
following Incidents faster.

 

 


 

2.7.3 Problem Management

The purpose of “Problem Management” is to direct the resolution of Problems to
minimize the adverse impact on business operations, maintain the required levels
of service and prevent the recurrence of Problems.

 

Problem Management includes the following activities: 

1. Defining the Problem management processes (e.g., root cause analysis,
determination, investigation, diagnosis, resolution, recovery, closure,
reporting), which are to include specification of the individuals to be
involved in each aspect of managing Problems;

2. Maintaining information about Problems and their appropriate workarounds to
reduce the number and impact of Incidents over time (e.g., known error
database);

3. Classifying Problems in terms of their adverse impact on Clients;

4. Coordinating the roles and responsibilities of the Processes to be involved
in the resolution of Problems, including where appropriate, establishing
separate teams to concentrate on specific Problems or sub-components of
Problems;

5. Confirming the appropriate closure of Problems;

6. Conducting Problem management review meetings with the applicable Process
owner(s) and Clients to identify ways to avoid such Problems occurring in the
future, including capturing post-resolution knowledge; and

7. Identifying Process owners and Clients requiring training to reduce the
number of Problems, detect Problems earlier and restore normal service
following Problems faster.

 

 


 

2.7.4 Configuration and Asset Management

The purpose of “Configuration and Asset Management” is to direct the activities
necessary to collect, categorize, track, manage, maintain and report on the
physical presence, financial information, contractual terms, configuration
states and associations among the assets/CIs in the environment.

 

Configuration and Asset Management includes the following activities:



1. Obtaining the objectives and requirements for asset and CI information from
the applicable Process owner(s);

2. Establishing the detailed specifications for what asset and configuration
information is to be maintained and obtaining approvals from the appropriate IT
personnel designated to approve such specifications;

3. Establishing criteria for categorizing assets based on criticality and
business value;

4. Providing, implementing and operating a CMDB and the appropriate tools to:

(a) Record and track the applicable asset and configuration information and
categorization through the full lifecycle (e.g., purchase, configuration,
installation, repair, redeployment, removal, disposal);

(b) Understand how CIs, when combined, constitute broader categories of
technology (e.g., network, system, storage);

(c) Determine the associations between CIs themselves and, as applicable, with
other relevant items (e.g., personnel, business units, buildings, Client or IT
services);

(d) Forecast changes in asset populations and configurations;

(e) Identify the underlying components or sub-components;

(f) Monitor changes made to the CMDB and advise the applicable Process owner(s)
of inconsistent or suspect information; and

(g) Facilitate the redeployment and/or reuse of assets;

5. Developing policies for how the information is to be maintained in the CMDB;

 

 


 







6. Developing requirements for how various activities of other Processes are to
interface with the CMDB;

7. Making asset and configuration information available to the applicable
Process owner(s);

8. Compiling, and making available for review and/or publication, management
reports regarding assets and their association with other information in the
CMDB;

9. Monitoring and enforcing software license compliance, including:

(a) Monitoring the IT environment for software and reporting instances of
detected and undetected licenses, as well as instances of unapproved software;

(b) Fulfilling inquiries regarding the extent to which specific software
signatures are present within the IT environment;

(c) Fulfilling inquiries requiring the validation of the presence and version
of specific software installed on a particular Element or group of Elements
within defined boundaries; and

(d) Developing periodic reporting of license information and the level of
compliance with the terms of the licenses and providing such reporting to the
applicable Process owner(s);

10. Monitoring hardware and software warranties within the IT environment,
including:

(a) Developing periodic and ad hoc reporting regarding the status of such
warranties (e.g., in force, about to expire);

(b) Identifying Elements that, based on then-current objectives, merit the
purchase or renewal of warranties or similar mechanisms; and

(c) Advising the applicable Process owner(s) of warranty optimization
strategies and obtaining approvals from the appropriate personnel designated to
approve and implement such strategies; and

11. Performing, as necessary, audits of the CMDB and the practices of Process
owners that provide input into the CMDB, to:

 

 

 


 

    (a) Determine if the required level of accuracy is being produced by the overall system of configuration management processes performed by the applicable Process owner(s); and
    (b) Provide useful input regarding CMDB accuracy to the applicable Process owner(s).

2.7.5 Change Management

The purpose of “Change Management” is to control changes to the IT environment
or IT services in a manner that minimizes the number and impact of associated
Incidents and Problems.

 

Change Management includes the following activities:



1. Maintaining a well-grounded understanding of the type, reason, volume and frequency of change made to the IT environment;
2. Maintaining awareness of the pipeline of change to the IT environment;
3. Understanding the applicable Client policies and change procedures and aligning the relevant IT change processes as appropriate;
4. Developing, documenting and maintaining the processes by which change is introduced to the IT environment, including:
    (a) Policies for the classification of change requests;
    (b) Activities for all classes of change (e.g., standard, recurring, special handling, emergency);
    (c) Policies for change approval, including, as applicable and appropriate for specific Clients and classes of change, those that can be implemented in an expedited or pre-approved manner;
    (d) Activities to be taken to handle unanticipated events that may occur during change execution;
    (e) Identification of dependencies;
    (f) Identification of the Process owners required to be involved in the change-based processes and their respective roles;
    (g) Expected timeframes and thresholds for the completion of the change processes;

 

 


 

    (h) Escalation and notification procedures; and
    (i) Requirements for preserving and/or archiving of change records;
5. Obtaining and assessing change requests, including those obtained from the applicable Process owner(s) of Change Management Execution, and identifying impractical or unnecessary change requests, and providing feedback to the requestors;
6. Classifying and prioritizing change requests, including assessing the appropriate factors (e.g., risk, cost, impact, security) applicable to such requests;
7. Verifying the consistency and compatibility of the documentation for changes compiled by the applicable Process owner(s) of Change Management Execution;
8. Scheduling changes;
9. Registering completed changes and closing change requests;
10. Developing, maintaining and documenting linkages with other Processes to establish traceability of changes, detect unauthorized changes and identify change-related Incidents and Problems;
11. Developing, maintaining, documenting and publishing change schedules; and
12. Reviewing (on a post-implementation basis) change requests and verifying that the change objectives were met without unexpected adverse impact.

2.7.6 Release Management

The purpose of “Release Management” is to plan, review, approve and coordinate
releases.

 

Release Management includes the following activities:



1. Developing and maintaining the policies, standards and processes to be followed for the lifecycle of releases and communicating such information to the applicable Process owner(s);
2. Establishing roadmaps for releases and communicating such information to the applicable Process owner(s);

 

 

 


 

3. Obtaining and reviewing release packages from the applicable Process owner(s) of Release Management Execution;
4. Auditing release packages and identifying dependencies or schedule conflicts with other release packages;
5. Coordinating the testing of releases;
6. Coordinating release schedules;
7. Confirming that the required change approvals have been obtained;
8. Confirming that release packages can be tracked, installed, tested, verified, and/or uninstalled or backed out as appropriate;
9. Providing feedback to the applicable Process owner(s) of Release Management Execution regarding proposed release packages;
10. Obtaining approvals from the appropriate personnel designated to approve release packages;
11. Communicating, when warranted, approval of proposed release packages to the applicable Process owner(s) of Release Management Execution;
12. Developing communication notices regarding releases for publication to Clients and the applicable Process owner(s); and
13. Archiving release information, including, as applicable, release images.

2.7.7 Capacity Management

The purpose of “Capacity Management” is to perform the functions necessary to
determine the appropriate levels of IT services and resources to be available
and matched to current and anticipated future business needs.

 

Capacity Management includes the following activities:



1. Developing, maintaining and documenting capacity plans;
2. Forecasting the volume of IT services based on the applicable criteria;
3. Developing predictive and ongoing capacity indicators, including obtaining information and feedback from the applicable Process owner(s) of Client Relations;

 

 



 


 

4. Analyzing utilization and trend forecasts produced by the owner of Capacity Reporting and proactively developing recommendations regarding change to the IT environment (e.g., upgrades, downgrades, enhancements, reconfiguration) to correctly align the performance and availability needs with IT service capacity;
5. Responding to capacity-related “threshold” events and initiating the appropriate activities;
6. Notifying the applicable Process owner(s) of recommended changes to the levels of IT services and resources to address current and forecasted capacity and capacity-related performance issues;
7. Assisting with the diagnosis and resolution of performance and capacity-related Incidents and Problems;
8. Obtaining information regarding the short, medium and long term plans for change to the IT environment; and
9. Assessing the impact of change in the IT environment on capacity plans.

2.7.8 Availability Management

The purpose of “Availability Management” is to understand the availability
requirements, develop availability plans, analyze availability performance and
develop recommendations for change to improve availability.

 

Availability Management includes the following activities:



1. Understanding the Clients’ requirements for the availability of IT services, including obtaining information from the applicable Process owner(s) of Client Relations;
2. Developing, maintaining and documenting IT availability plans;
3. Developing and providing availability management reports to the applicable Process owner(s);
4. Analyzing risks to availability;
5. Analyzing availability information and developing recommendations for improvement; and
6. Assessing the impact of change in the IT environment on availability plans.

 

 

 


 

2.7.9 Service Level Management

The purpose of “Service Level Management” is to enact and integrate the
performance regime established by Performance Management.

 

Service Level Management includes the following activities:



1. Obtaining the performance measurement, reporting and integration requirements;
2. Obtaining, reviewing and monitoring the relevant SLAs;
3. Making the applicable Process owner(s) aware of changes to the performance requirements and SLAs;
4. Coordinating and integrating the performance reporting activities of Actors so that performance reporting to the enterprise is consistent;
5. Obtaining Actor-produced performance reports and:
    (a) Verifying the reports are consistent with the performance reporting requirements;
    (b) Validating the information obtained;
    (c) Comparing the performance results with the applicable SLAs;
    (d) Determining which, if any, of an Actor’s performance measures require special handling (e.g., service level credit, service level bonus);
    (e) Validating or determining, as necessary, the correct calculation of incentive and disincentive payments/credits; and
    (f) Tracking the elections and payments of service level credits to and from the applicable Actors;
6. Discussing performance results and reporting with Actors to understand the underlying issues, problems and shortfalls and, to the extent applicable, their commitments to resolve such matters;
7. Performing relevant analysis of the performance results (current and historical) to identify trends that could signal systemic and/or structural issues;

 

 

 


 

8. Determining, for performance measures that cross the boundaries of multiple Actors, the apportionment of service level responsibility to the appropriate Actor(s) in cases where service level failure has occurred;
9. Aggregating Actor-specific performance reports into unified reports consistent with the performance reporting requirements, including those established by the applicable Process owner(s) of Performance Management;
10. Publishing unified performance reports and the associated observations and recommendations to the applicable Process owner(s);
11. Discussing performance results holistically with the applicable Process owner(s) of Performance Management; and
12. Observing the underlying service delivery mechanisms and Actor behavior and making recommendations to the applicable Process owner(s) on ways to provide incentive for Actors to achieve the desired performance outcomes.

 

 

 


 

2.7.10 (a) Technology Continuity Management

 

The purpose of “Technology Continuity Management” is to confirm that the
technology continuity plans developed at the hardware, software, system and
platform levels, will collectively meet the continuity requirements.

 

Technology Continuity Management includes the following activities:



1. Developing and providing technology continuity plan guidelines (e.g., objectives, requirements, timeframes, format, process) to the applicable Process owner(s) of technology continuity plan development;
2. Reviewing technology continuity plans;
3. Determining if technology continuity plans individually and collectively meet the Client and technical continuity requirements;
4. Providing advice and guidance regarding adjustments of technology continuity plans so that activities within and across plans are appropriate and compatible;
5. Compiling and publishing finalized technology continuity plans into an integrated IT Business Continuity Plan (“ITBCP”);
6. Obtaining approvals from the appropriate personnel designated to approve the ITBCP;
7. Coordinating, scheduling and monitoring the performance and results of contingency plan testing, including the development of recommendations for change to the ITBCP;
8. Monitoring Actors to verify that their applicable personnel are appropriately trained in the ITBCP and are able to successfully implement the plan; and
9. Developing recommendations to improve the system of technology continuity.

2.7.10 (b) Service Continuity Management

The purpose of “Service Continuity Management” is to confirm that the service
continuity plans developed at the Client levels will collectively meet the
continuity requirements.

 

Service Continuity Management includes the following activities:





 




 



1. Developing and providing service continuity plan guidelines (e.g., objectives, requirements, timeframes, format, process) to the applicable Process owner(s) of Service Continuity Plan Development;
2. Reviewing service continuity plans;
3. Determining if service continuity plans individually and collectively meet the Client and technical continuity requirements;
4. Providing advice and guidance regarding adjustments of service continuity plans so that activities within and across plans are appropriate and compatible;
5. Compiling and publishing finalized service continuity plans into an integrated Service Business Continuity Plan;
6. Obtaining approvals from the appropriate personnel designated to approve the Service Business Continuity Plan;
7. Coordinating, scheduling and monitoring the performance and results of contingency plan testing, including the development of recommendations for change to the Service Business Continuity Plan;
8. Monitoring Actors to verify that their applicable personnel are appropriately trained in the Service Business Continuity Plans and are able to successfully implement the plan; and
9. Developing recommendations to improve the system of service continuity.

2.8 Security Management

2.8.1 Security Oversight

The purpose of “Security Oversight” is to oversee Information Security to ensure
appropriate implementation and operation of the security methods and controls
with coordination both within the Information Security processes and between the
Information Security Actors and other Actors within the IT environment.

 

Security Oversight includes the following activities:





 

 


 

1. Obtaining from Risk Management a comprehensive understanding of Client and IT leadership risk tolerance and potential Risk Issues identified by Risk Management;
2. Reviewing and approving security policies prepared by the Process Owner of Security Policy Development.
3. Gaining and maintaining a comprehensive understanding of each delivery Actor’s role as it pertains to the management of Information Security, relevant methodologies, processes and tools;
4. Establishing and maintaining a close working relationship with the applicable Process owner(s) of Incident Oversight, Incident Management, Security Operations, Security Analysis and Security Incident Response;
5. Acting as an advocate on Information Security issues for the demand side of the IT environment, including:
    (a) Gaining and maintaining an understanding of the perspectives and preferences of Clients, External Clients and IT leadership regarding Information Security;
    (b) Establishing and communicating the demand-side Information Security expectations to the applicable Process owner(s); and
    (c) Enforcing accountability among the applicable Information Security Process owner(s) for meeting the enterprise’s demands for action, quality, cooperation and urgency pertaining to the management of Information Security;
6. Reviewing proposed Security Incident Response solutions and providing input and preferences to the Process owner(s) of Incident Oversight and Incident Management;
7. Requesting alternative Security Incident Response solutions from the Process owner(s) of Security Incident Response when proposed solutions do not meet the needs and preferences of Clients, the enterprise or IT leadership;
8. Mandating specific actions and/or solutions to be implemented by the Process owner(s) of Security Operations and Security Incident Response in response to a security incident;

 

 


 



   

9.         Providing ongoing, operational and tactical day-to-day business and
enterprise risk mitigation context to the Security Operations and Security
Analysis Process owners; and

   

10.      Providing strategic business and enterprise risk mitigation context to
the Security Requirements Development Process owner(s).

2.8.2 Security Policy Development

The purpose of “Security Policy Development” is to develop and document the
policies and strategies related to Information Security.

 

Security Policy Development includes the following activities:



1. Identifying the guiding principles and applicable drivers (e.g., cybersecurity threats, vulnerabilities, access risk, third party systems, industry standards, regulatory environment, etc.) that impact Information Security policy;
2. Obtaining current information on cybersecurity threats and security and industry best practices through multiple channels including risk sharing forums;
3. Developing security policies;
4. Obtaining approvals from the appropriate personnel designated to approve Information Security policies; and
5. Documenting the security policies, including:
    (a) Maintaining the security policies in an appropriate repository; and
    (b) Publishing the security policies to the applicable Process owner(s).

2.9 Program Office

2.9.1 Program Management

The purpose of “Program Management” is to prioritize the projects to be
performed, manage linkages between projects, and oversee Project Management.

 

Program Management includes the following activities:



    1.         Establishing policies to which projects must conform (e.g.,
methodology, reporting, tools);



 


 

2. Maintaining awareness of the pipeline of projects, their respective stakeholders, their purpose, and their expected benefits;
3. Determining the sequence and/or priority of projects;
4. Informing project stakeholders of the prioritization of their projects and re-prioritizing as appropriate based on feedback;
5. Auditing projects to confirm compliance with the applicable policies and guidelines;
6. Determining stakeholder satisfaction with the handling of projects;
7. Tracking and analyzing project performance, including:
    (a) Monitoring project progress based on major milestones; and
    (b) Meeting with project stakeholders and project managers to review project findings and recommendations;
8. Developing and disseminating stakeholder communications, including:
    (a) Determining the information and communications needs of stakeholders (e.g., who needs what information, when they need it, and how will it be given to them);
    (b) Making needed information available to stakeholders; and
    (c) Helping Clients and stakeholders understand the implications of programs, projects and other change on their personnel;
9. Assessing risk on projects of high-importance and on the collection of projects, including:
    (a) Identifying, analyzing, and responding to project risk;
    (b) Determining risks likely to affect projects and documenting the characteristics;
    (c) Performing a qualitative analysis of risks and conditions to prioritize their effects on project objectives; and
    (d) Tracking identified risks, monitoring residual risks, identifying new risks, executing risk plans and evaluating their effectiveness in reducing risk; and

 

 

 


 

10. Integrating projects to provide proper and adequate coordination of the linkages between them.

2.9.2 Project Management

The purpose of “Project Management” is to supervise, monitor and manage
projects, so that projects are performed in accordance with established plans,
budgets and timelines.

 

Project Management includes the following activities:



1. Planning projects, including:
    (a) Forming project teams;
    (b) Defining the specific activities that must be performed to produce the various project deliverables;
    (c) Sequencing the activities and documenting dependencies among the activities;
    (d) Estimating the time needed to complete individual activities;
    (e) Analyzing the activity sequences, activity durations, and resource requirements;
    (f) Performing risk management planning;
    (g) Determining which resources (e.g., people, hardware, materials) and which quantities of each should be used to perform project activities;
    (h) Working with the applicable Process owner(s) and other personnel as appropriate to identify and assign the personnel needed to perform project activities;
    (i) Developing estimates of the resource costs required to complete projects;
    (j) Identifying which quality standards are relevant to projects and how they can be satisfied;
    (k) Identifying, documenting, and assigning project roles, responsibilities, and reporting relationships;
    (l) Determining the information and communications needs of stakeholders;

 

 


 

    (m) Identifying quantitative and qualitative risks and documenting the characteristics of each;
    (n) Developing procedures and techniques to enhance project success and to reduce threats to projects;
    (o) Determining, in conjunction with the applicable Process owner(s) of Acquisition and other applicable Processes, and Third Party Contract Managers, what to procure, how much to procure, and when to procure;
    (p) Developing project plans by taking the results of the above and incorporating them into consistent, coherent documents, including planning inputs, historical information, organizational policies, constraints and assumptions, that can be used to guide both project execution and project control;
    (q) Submitting draft project plans to the applicable stakeholders and Process owner(s), including those of Program Management, for approval; and
    (r) Revising draft project plans as directed by the applicable stakeholders and Process owner(s), including those of Program Management;
2. Monitoring and controlling projects, including:
    (a) Managing personnel assigned to projects;
    (b) Implementing appropriate project management methodology including the use of approved project management tools;
    (c) Preparing performance, financial, utilization and other status reports;
    (d) Providing appropriate access to information and project management templates;
    (e) Coordinating changes across/within projects;
    (f) Controlling changes to project scope;
    (g) Controlling changes to project schedules;
    (h) Controlling changes to project budgets;

 

 


 

    (i) Determining if projects comply with relevant quality standards and identifying ways to eliminate unsatisfactory performance; and
    (j) Tracking identified risks, monitoring residual risks, identifying new risks and executing risk plans and evaluating their effectiveness in reducing risk; and
3. Executing projects, including:
    (a) Executing project plans by causing the assigned personnel, including those associated with other Process owners, to perform the applicable project activities therein;
    (b) Evaluating overall project performance on a regular basis to verify that projects will satisfy the relevant quality standards and causing the applicable Process owner(s) to address deficiencies;
    (c) Developing individual and group skills/competencies to enhance project performance;
    (d) Verifying performance of project activities, including those performed by other Process owners (e.g., Quality Assurance);
    (e) Closing out projects and resolving open items; and
    (f) Providing administrative closure by generating, gathering, and disseminating information and formalizing phase or project completion, including evaluating projects and compiling lessons learned for use in planning future projects or phases.

3 Service Delivery

3.1 Solution Formulation

3.1.1 Technical Requirements Development

The purpose of “Technical Requirements Development” is to analyze business
requirements and refine them to a sufficient level of detail so that solutions
can be developed.

 

Technical Requirements Development includes the following activities:



 

 




 



1. Obtaining, reviewing and analyzing business requirements from the applicable Process owner(s) of Business Requirements Documentation and solution requirements from the applicable Process owner(s) of Solution Integration;
2. Establishing and maintaining listings of required capabilities, including:
    (a) Analyzing and quantifying functional capabilities required by Clients; and
    (b) Analyzing and quantifying non-functional capabilities required by Clients (e.g., availability, performance, adaptability to change, re-use);
3. Establishing solution requirements, including:
    (a) Specifying required alignment with the relevant reference Domain Architecture(s) and approved standards;
    (b) Developing technical requirements for solution design;
    (c) Identifying system interface requirements, both internal and external to such solutions;
    (d) Developing functional, performance, maintenance, support and disposal concepts, and scenarios; and
    (e) Defining environments in which solutions will operate, including boundaries and constraints;
4. Documenting and providing technical requirements and associated material to the applicable Process owner(s); and
5. Revising technical requirements based on feedback from the applicable Process owner(s), including the applicable Process owner(s) of Solution Integration.

3.1.2 Security Solution Development

The purpose of “Security Solution Development” is to design solutions that
satisfy the business and security requirements (e.g., business, integration,
technical, risk mitigation) provided by the Security Requirements Development
Process owner.

 

Security Solution Development includes the following activities:



   

6.         Analyzing requirements to confirm they are necessary and sufficient,
and adequately balance the objectives and constraints of Clients and IT;





 

 


 



   

7.         Designing solutions that comply with and leverage the Security
Architecture(s) and industry best practice, and that will satisfy the
requirements;

   

8.         Developing operational details that define the interaction of
solutions, their Clients and the environment; 

   

9.         Identifying ongoing maintenance, support and re-use attributes of
solutions;

   

10.       Identifying attributes of solutions that have a significant influence
on cost, schedule, timing, functionality, performance, and risk;

   

11.      Validating that solutions will perform appropriately in their
intended-use environment;

   

12.      Identifying interactivity dependencies and other assumptions related to
solutions; 

   

13.      Performing risk analysis for the development, implementation, operation
and disposal of solutions;

   

14.       Documenting and providing solutions and associated material to the
applicable Process owner(s); and 

   

15.       Revising solutions based on feedback from the applicable Process
owner(s), including the applicable Process owners of 4.1 (Security Management).

3.1.3 Solution Development

The purpose of “Solution Development” is to design solutions that satisfy the
requirements (e.g., business, integration, technical).

 

Solution Development includes the following activities:



1. Analyzing requirements to confirm they are necessary and sufficient, and adequately balance the needs and constraints of Clients and IT;
2. Designing solutions that comply with and leverage the relevant Domain Architecture(s) and that will satisfy the requirements;
3. Developing operational details that define the interaction of solutions, their Clients and the environment;
4. Identifying ongoing maintenance, support and re-use attributes of solutions;



 

 


 

5. Identifying attributes of solutions that have a significant influence on cost, schedule, timing, functionality, performance, and risk;
6. Validating that solutions will perform appropriately in their intended-use environment;
7. Identifying interactivity dependencies and other assumptions related to solutions;
8. Performing risk analyses for the development, implementation, operation and disposal of solutions;
9. Documenting and providing solutions and associated material to the applicable Process owner(s); and
10. Revising solutions based on feedback from the applicable Process owner(s), including the applicable Process owner(s) of Solution Integration.

3.1.4 Resource Estimation

The purpose of “Resource Estimation” is to develop estimates of the resources
and time required to develop, implement, operate and dispose of solutions.

 

Resource Estimation includes the following activities:



1. Identifying the types and estimated quantities and pricing of the resources (e.g., personnel, hardware, software, services, facilities) required to develop, implement, maintain and support solutions;
2. Estimating the time necessary to build and implement solutions, including obtaining feedback as applicable from the applicable Process owner(s) of Program Management and Project Management;
3. Documenting and providing estimates of resources and time in the appropriate form required by the applicable Process owner(s) of Solution Integration; and
4. Revising estimates based on feedback from the applicable Process owner(s) of Solution Integration and other applicable Processes.

3.2 Infrastructure Engineering

 

 


 

3.2.1 Platform Engineering

The purpose of “Platform Engineering” is to design and develop the technology
infrastructure platforms in use, or in development, within the IT environment.

 

Platform Engineering includes the following activities:

1. Evaluating, optimizing and specifying hardware, infrastructure software and services CIs;
2. Assessing the feasibility of and risks associated with proposed introduction or changes of CIs to the IT environment;
3. Performing optimal matching of technical requirements with hardware, infrastructure software and services CIs available in the marketplace;
4. Testing configured hardware and infrastructure software for satisfaction of the requirements and compatibility with other CIs;
5. Testing manufacturer’s in-model revisions to hardware and infrastructure software to confirm proper operation within the IT environment;
6. Evaluating and recommending or developing solution designs that keep the data assets accessible and recoverable, and meet the requirements for performance, protocol conversion and translation;
7. Tuning and optimizing platform performance, including with respect to changes (i.e., additions, removals and modifications) of or to software in the IT environment;
8. Developing specifications for physical and logical network addressing in coordination with other interconnected and third party networks;
9. Developing and maintaining documents describing the physical and logical networks, including security components and addressing schemes;
10. Developing and documenting configuration parameters in a manner consistent with maximizing the use, performance and availability of the IT environment within the capabilities of CIs;

 

 


 

11. Developing, documenting and maintaining the configuration parameters and implementation guidelines for the building of Elements and their sub-components, and providing such information to the applicable Process owner(s);
12. Specifying the type and quantity of hardware, software, facilities and services as required to meet actual and forecasted business demand;
13. Testing to verify the successful inclusion of availability mechanisms (e.g., redundancy, failover, service continuity);
14. Developing, testing and documenting architecturally consistent implementations, configurations and connections;
15. Developing, testing and documenting configuration policy objects that implement the applicable approved enterprise, IT, security and Client policies;
16. Specifying the environmental (e.g., power, facilities, temperature, humidity) requirements for design, development and operation;
17. Identifying and reviewing new types of hardware and infrastructure software applicable to the IT environment and determining compliance with the relevant standards and requirements;
18. Providing input to and assisting with the development of standards; and
19. Performing forward-looking assessments of emerging technology(ies) to assess applicability and potential benefit.

3.3 Software Engineering

3.3.1 Software Design

The purpose of “Software Design” is to transform software-based business,
solution, technical requirements into complete, detailed system specifications.

 

Software Design includes the following activities:



    1.         Developing detailed alternative software designs and selection
criteria (e.g., cost, technical performance, complexity, risk), including:

 

 


 

    (a) Establishing and maintaining a process or processes for identifying software design alternatives, selection criteria, and design issues;
    (b) Identifying software design alternatives;
    (c) Developing criteria for selecting the best software design alternative;
    (d) Identifying and characterizing design issues for software design alternatives;
    (e) Identifying technologies in the IT environment and other technologies as they relate to software design alternatives;
    (f) Identifying potential risks and developing mitigating design features for software design alternatives;
    (g) Documenting the rationale for using particular software design alternatives; and
    (h) Developing timelines for Client interaction with software development activities;
2. Evolving, to an appropriate degree of detail, operational concepts, scenarios, and environments to describe conditions, operating modes, and operating states for software designs;
3. Selecting software designs that best satisfy the applicable selection criteria, including:
    (a) Evaluating alternative software design against the applicable selection criteria;
    (b) Assessing, based on evaluation of alternatives, the adequacy of the selection criteria and updating these criteria as necessary;
    (c) Identifying and resolving issues with alternative software designs and requirements;
    (d) Selecting software design alternatives that best satisfy the established selection criteria;
    (e) Establishing requirements for software design alternatives;
    (f) Identifying software designs that will be retired, reused or acquired; and


 

    (g) Establishing and maintaining documentation for software designs, evaluations and rationale for decisions;
4. Developing software designs, including:
    (a) Designing the data storage and access for the data layer;
    (b) Designing the user interface at the presentation layer;
    (c) Designing the business rules layer and the application logic;
    (d) Identifying, designing and documenting interfaces associated with other solution components, including those from application to application, and application to database;
    (e) Identifying and designing interfaces associated with external applications or data sources;
    (f) Establishing and maintaining criteria against which designs can be evaluated;
    (g) Identifying and implementing design methods appropriate for the solution;
    (h) Adhering to the applicable design standards and criteria;
    (i) Adhering to the allocated requirements; and
    (j) Documenting designs;
5. Establishing and maintaining technical data packages (e.g., solution requirements description, allocated requirements, solution component descriptions, solution-related life-cycle process descriptions, key solution characteristics, interface requirements, rationale for decisions and characteristics), including:
    (a) Determining the number of levels of design and the appropriate level of documentation for each design level;
    (b) Basing detailed design descriptions on the allocated solution requirements, architecture, and higher level designs;
    (c) Documenting the design in the technical data package;
    (d) Documenting the rationale for significant decisions affecting cost, schedule, or technical performance; and
    (e) Revising the technical data package as necessary;

 

 


 

6. Developing application design documents that identify the steps used in design of applications;
7. Developing and documenting design, conversion, migration, and transition strategies; and
8. Evaluating whether solutions should be developed, purchased, or reused based on established criteria, including:
    (a) Developing criteria for the reuse of solution designs;
    (b) Analyzing designs to determine if solutions should be developed, reused, or purchased; and
    (c) Planning for how maintenance will be performed when purchased or non-developmental (e.g., commercial off-the-shelf, reuse) solutions are selected.

3.3.2 Software Development

The purpose of “Software Development” is to convert a software design into a
complete application program or application system.

 

Software Development includes the following activities: 

1. Performing software development;
2. Selecting, tailoring and using methods, tools, and computer programming languages for performing software development activities;
3. Developing software, including:
    (a) Developing and documenting each unit of the software;
    (b) Developing and documenting the data model and database schema associated with the software;
    (c) Developing and documenting the test requirements and procedures for testing each unit and system;
    (d) Updating the test requirements;
    (e) Evaluating software to confirm internal consistency, feasibility of operation and integration, and consistency with applicable requirements;
    (f) Revising software as necessary; and

 

 


 

    (g) Performing unit testing (e.g., statement coverage testing, branch coverage testing, predicate coverage testing, path coverage testing, boundary value testing, special value testing) of the software as appropriate;
4. Developing plans to install software in the applicable target environments; and
5. Developing and maintaining the applicable software documentation, including:
    (a) Reviewing the requirements, design, product, and test results to confirm issues affecting the installation, operation, and maintenance documentation have been identified and resolved, including creating known error records when software is to be released into production with known errors;
    (b) Developing the installation, operation, and maintenance documentation, including development of preliminary versions of such documentation during the early development phases for review and comment by the relevant stakeholders;
    (c) Conducting peer reviews of the installation, operation, and maintenance documentation; and
    (d) Revising the installation, operation, and maintenance documentation as necessary.

3.3.3 Software Integration

The purpose of “Software Integration” is to assemble software from software
units, confirm the software, as integrated, functions properly and delivers the
solution.

 

Software Integration includes the following activities:



1. Determining software integration sequences, including:
    (a) Identifying the software to be integrated;
    (b) Identifying the methods by which the definition of the interfaces between software units will be verified;
    (c) Identifying alternative software integration sequences;
    (d) Selecting the optimal integration sequence; and

 

 


 

    (e) Reviewing, periodically, the software integration sequence and revising as appropriate;
2. Determining the environments required for integration of software, including:
    (a) Identifying the requirements for the software integration environment;
    (b) Identifying the testing criteria and procedures for the software integration environment; and
    (c) Deciding whether to make or buy the needed software integration environment;
3. Reviewing interface descriptions for coverage and completeness, including:
    (a) Reviewing interface data for completeness and confirming complete coverage of all interfaces; and
    (b) Periodically reviewing the adequacy of interface descriptions;
4. Managing internal and external interface definitions, designs, and changes for software including:
    (a) Maintaining the compatibility of the interfaces throughout the life of the software;
    (b) Resolving conflict, noncompliance and change issues; and
    (c) Maintaining a repository for interface data;
5. Confirming, prior to assembly, that software units required to assemble the software have been properly identified, function according to description, and interface in compliance with interface requirements, including:
    (a) Tracking the status of the software units as they become available for integration;
    (b) Delivering the software units to the integration environment in accordance with the integration sequence and available procedures;
    (c) Confirming the receipt of each software unit and that each meets its description; and

 

 

 


 

    (d) Checking the configuration status against the expected configuration;
6. Assembling software units according to the integration sequence, including:
    (a) Confirming the readiness of the integration environment; and
    (b) Revising the software integration sequence as appropriate;
7. Evaluating software for interface compatibility, including:
    (a) Conducting the evaluation of software following the integration sequence; and
    (b) Recording the evaluation results; and
8. Packaging software and delivering it to the applicable Process owner(s), including:
    (a) Reviewing the requirements, design, software, verification results, and documentation so that issues affecting the packaging and delivery of the software or software units are identified and resolved;
    (b) Packaging and delivering the software and related documentation to the applicable Process owner(s); and
    (c) Satisfying the applicable requirements and standards (e.g., type of storage and delivery media, required documentation, copyrights, license provisions, security of the software) for packing and delivering the software.

3.3.4 Logical Database Administration

The purpose of “Logical Database Administration” is to perform design-related
database functions required to support the applicable Processes.

 

Logical Database Administration includes the following activities:



1. Designing, implementing and maintaining database schema;
2. Maintaining design consistency across databases associated with different software and identifying data redundancies;
3. Designing, developing and maintaining entity relationship diagrams;

 

 

 

 


 

4. Reviewing database schema that are the subject of an Incident or Problem and:
    (a) Determining the underlying defects; and
    (b) Revising database schema to restore full functionality; and
5. Updating existing documentation to record changes to database schema.

3.3.5 Peer Review

The purpose of “Peer Review” is to evaluate software and data models so as to
maintain or enhance the quality and verify adherence to the applicable
specifications and standards.

 

Peer Review includes the following activities:



1. Conducting structured walkthroughs of software and data models;
2. Developing insight into the suitability of software and data models, including:
    (a) Obtaining the perspectives of those with applicable backgrounds and experience;
    (b) Identifying errors in coding;
    (c) Identifying inconsistencies or inefficiencies in how data is managed;
    (d) Assessing the degree of compliance with requirements and applicable standards; and
    (e) Developing suggestions for improvement; and
3. Documenting and sharing the results of peer reviewed software and data models with the applicable Process owner(s) and other personnel.

3.4 Quality Assurance

3.4.1 Testing

The purpose of “Testing” is to confirm that solutions to be added to the IT
environment meet their requirements.

 

Testing includes the following activities: 

    1.         Developing testing methods to test solutions, including:

 

 

 


 

    (a) Identifying the requirements to be satisfied by each solution;
    (b) Identifying the testing methods that are available for use; and
    (c) Defining the testing methods to be used for each solution;
2. Defining test environments, including:
    (a) Identifying the testing environment responsibilities;
    (b) Establishing the test team and developing the test files and data;
    (c) Identifying the testing resources (e.g., test scripts) that are available for reuse and modification; and
    (d) Identifying the testing hardware and tools;
3. Establishing and maintaining test procedures and criteria, including:
    (a) Generating the set of comprehensive, integrated test scripts;
    (b) Developing and refining the test criteria when necessary; and
    (c) Identifying the expected results, any tolerances allowed in observation, and other criteria for satisfying the requirements;
4. Testing solutions, including:
    (a) Performing testing of solutions or solution components against their requirements;
    (b) Recording the results of testing activities;
    (c) Identifying action items resulting from testing of solutions or solution components; and
    (d) Documenting the “as-run” testing method and the deviations from the available methods and procedures discovered during its performance; and
5. Analyzing test activity results and identifying corrective actions, including:
    (a) Comparing the actual results to expected results;

 

 


 

    (b) Identifying, based on the established testing criteria, those portions of the solution and solution sub-components that have not met their requirements and identifying issues with the methods, procedures, criteria, and verification environment;
    (c) Analyzing the testing data related to defects;
    (d) Using testing results to compare actual measurements and performance to technical performance parameters; and
    (e) Providing information on how defects may be resolved (e.g., verification methods, criteria, and verification environment) and preparing a plan for such resolution.

3.4.2 Environment Integration Testing

The purpose of “Environment Integration Testing” is to perform those activities
necessary to confirm that solutions will perform as required in the proposed
environment.

 

Environment Integration Testing includes the following activities:



1. Applying the solutions to the appropriate test environments;
2. Validating, for solutions that are tested in a test environment, that solutions perform as intended when:
    (a) All solution components comprising the required system (e.g., hardware, software) are tested together, and
    (b) Tested in a model production environment; and
3. Validating, for solutions that are tested in the production environment, that solutions perform as intended when all solution components comprising the required system (e.g., hardware, software) are tested together.

3.4.3 User Acceptance Testing

The purpose of “User Acceptance” is to perform those activities necessary to
confirm that solutions will perform as required by the applicable Clients.

 

User Acceptance includes the following activities: 

1. Confirming that solutions satisfy the applicable test criteria;
2. Confirming that solutions meet the applicable usability requirements (e.g., user interface, performance, reporting);

 

 


 

    3.  Confirming that solutions satisfy the applicable business requirements;
        and
    4.  Confirming that the introduction of solutions does not adversely impact
        pre-existing functionality other than as planned.

3.5 Client Support

3.5.1 Service Desk

The purpose of “Service Desk” is to provide the primary point of contact related
to IT services for Clients, regardless of the channel (e.g., phone, web, email,
software-generated events) used for activities such as requesting information,
registering complaints, requesting IT services or reporting IT-related
performance issues such as Incidents or Problems (where all such activities are
collectively “IT Events”). Service Desk acts as an advocate for Clients and
provides an information link between and among Clients, the IT environment,
other parts of the enterprise, Actors and third parties.

 

Service Desk includes the following activities:



    1.  Providing the ability for Clients to:
        (a)  Submit IT Events, including complaints regarding the quality of IT
             services (e.g., non-functioning hardware, system access needs,
             other issues with hardware or software) and other inquiries
             regarding hardware, software and IT services; and
        (b)  Submit orders for items within either the Service Catalog (e.g.,
             IMACs) or other applicable mechanisms;
    2.  Collecting information from the applicable Process owner(s) regarding
        resolution status and other activities that may impact or have already
        impacted Clients;
    3.  Providing status updates to Clients (or their designees) on matters
        previously reported;
    4.  Logging relevant details regarding IT Events and, as applicable,
        assigning categorization and prioritization codes;
    5.  Making initial assessments of IT Events to determine whether they can be
        answered or resolved by the applicable Process owner(s) of Service Desk;

 

 




 

 



 

    6.  Answering and resolving IT Events that can be performed by the
        applicable Process owner(s) of Service Desk, and transferring
        responsibility for resolution to the applicable Process owner(s) of
        other Processes for the remainder;
    7.  Managing the lifecycle of IT Events, including opening, closing,
        verifying, documenting and communicating with Clients regarding IT
        Events, regardless of whether the actions in response to such IT Events
        are performed by the applicable Process owner(s) of Service Desk or
        other Processes;
    8.  Updating the CMDB as applicable and appropriate;
    9.  Obtaining approval, where necessary, for Client requests submitted to
        the applicable Process owner(s) of Service Desk;
    10. Developing and maintaining a repository of applicable knowledge
        regarding the IT environment so as to maximize the number of IT Events
        that can be handled by the applicable Process owner(s) of Service Desk
        (i.e., without the need of assistance from other Process owners);
    11. Publishing approved communication notices, developed by the applicable
        Process owner(s) of Service Desk and other applicable Processes,
        regarding the IT services (e.g., software release schedules, planned
        outages);
    12. Coordinating the handoff of information between and among Clients, the
        IT environment, other parts of the enterprise, Actors and third parties
        to facilitate an effective and efficient delivery of IT services;
    13. Obtaining Client feedback regarding the performance of IT services via
        appropriate and applicable means; and
    14. Developing and producing comprehensive periodic management information
        packages regarding the delivery of IT services to Clients, including:
        (a)  The various operations of Service Desk (e.g., call statistics, call
             durations, call abandonment, assistance resolution rates); and
        (b)  Observations regarding IT service delivery and recommendations for
             improvement.

 

 


 

3.5.2 Technical Support

The purpose of “Technical Support” is to provide technical input and assistance
regarding the IT environment and technology in general to Clients and the
applicable Process owner(s) of Internal Client Relationship Management and
External Relationship Management, as directed by the applicable Process owner(s)
of Internal Client Relationship Management, External Client Relationship
Management and other Processes.

 

Technical Support includes the following activities:

    1.  Working with Clients to provide technical input to the identification
        and specification of high-level IT-related business missions,
        objectives and concepts;
    2.  Providing technical input and guidance regarding new business
        opportunities or requirements that could affect the IT environment,
        including general guidance on technical solutions in the pre-business
        requirements development phase and generating related sourcing and
        pricing information;
    3.  Attending periodic or ad hoc Client management meetings to provide
        technical support and feedback regarding IT technology plans and
        status; and
    4.  Providing technical input and guidance into the development of Internal
        Client responses to requests for proposals and other similar constructs
        used by its customers for goods and/or services.

3.5.3 Business Systems Support

The purpose of “Business Systems Support” is to provide input and assistance to
Clients in their understanding and use of their business systems.

 

Business Systems Support includes the following activities: 

    1.  Maintaining a working knowledge of the business and industry of Clients;
    2.  Understanding the business processes and systems of Clients, including
        how they are used collectively to achieve the desired business outcomes;

 

 


 



    3.  Understanding the current configuration of the business systems of
        Clients and maintaining knowledge regarding the fuller capabilities of
        such systems;
    4.  Developing ad hoc reports for Clients, including the provision of
        softcopy files for direct use and manipulation by Clients;
    5.  Assisting Clients with developing strategies for the use of their
        business systems, including associated data, configuration options,
        system upgrade and system replacement;
    6.  Assisting Clients with articulating their business system requirements
        and assessing the solutions developed to achieve such requirements,
        including those proposed by the applicable Process owner(s) of Solution
        Integration and other Processes;
    7.  Assisting Clients with the design of their testing regime and scripts
        for their business systems;
    8.  Identifying opportunities where Client training, change in business
        process or change in system configuration would likely improve the
        efficiency and effectiveness of Client operations and communicating
        such opportunities to the applicable Clients and Process owner(s);
    9.  Assisting Clients in revising their operational procedures based on
        change in technology; and
    10. Providing Clients with information and instructions necessary to
        perform system functions required to handle infrequently occurring and
        highly complex business functions.

3.6 Acquire

3.6.1 Procurement Management

The purpose of “Procurement Management” is to develop, enter into, and manage
purchasing agreements (including master purchasing agreements and item-specific
agreements under existing master purchasing agreements) for Elements and
ancillary goods and services (e.g., warranties, Spare Parts, Consumables).

 

Procurement Management includes the following activities:



    1.  Serving as the primary point of contact for Internal Actors for the
        interpretation and modification of purchase agreements with suppliers
        for Elements and ancillary goods and services;

 

 

 


 

    2.  Obtaining and reviewing properly approved sourcing strategies and
        requirements for Elements and ancillary goods and services in the IT
        environment;
    3.  Obtaining information regarding procurement standards, objectives and
        requirements from the applicable Process owner(s) of Commercial
        Management;
    4.  Determining the need to develop or modify purchase agreements for
        Elements and ancillary goods and services;
    5.  Establishing procurement and management strategies for purchase
        agreements for Elements and ancillary goods and services;
    6.  Obtaining approval for procurement strategies from the applicable
        Process owner(s) of Commercial Management and, as applicable, other
        personnel designated to approve procurement strategies;
    7.  Maintaining a knowledge base of the relevant supplier community (e.g.,
        companies, pricing, procurement issues and trends, new services and
        products) for Elements and ancillary goods and services;
    8.  Negotiating purchase agreements with suppliers, including the
        associated pricing and service levels, for Elements and ancillary goods
        and services;
    9.  Obtaining approvals from the appropriate personnel designated to
        approve new or modified purchase agreements for Elements and ancillary
        goods and services;
    10. Converting negotiated deals for Elements and ancillary goods and
        services into either standalone purchasing agreements, where an
        existing agreement is not in force, or contractual amendments to
        existing purchasing agreements as applicable;
    11. Administering the lifecycle of purchase agreements (e.g., renew,
        modify, renegotiate, terminate, replace) for Elements and ancillary
        goods and services, including:
        (a)  Tracking and providing the requisite notices and other
             contract-based information to the suppliers;

 

 


 

        (b)  Monitoring and verifying the performance of supplier obligations;
        (c)  Validating the assessment of charges; and
        (d)  Maintaining ongoing relationships with suppliers, with which
             purchasing agreements are in place, to facilitate resolution of
             issues and implementation of changes; and
    12. Reporting instances in which Actors or Clients are found not using the
        appropriate purchasing agreements for the purchase of Elements and
        ancillary goods and services, and advising the applicable Process
        owner(s) or other personnel as appropriate.

3.6.2 Acquisition

The purpose of “Acquisition” is to use purchasing agreements developed, entered
into or managed by Procurement Management to fulfill the acquisition of Elements
and ancillary goods and services.

 

Acquisition includes the following activities:



    1.  Obtaining orders for Elements and ancillary goods and services from the
        applicable Process owner(s) and:
        (a)  Validating such orders for correctness and approval from the
             appropriate personnel;
        (b)  Determining whether the items requested are already in the IT
             inventory; and
        (c)  Acquiring the items through purchasing agreements already in force
             and, as applicable, other means;
    2.  Tracking the status of orders for Elements and ancillary goods and
        services and escalating delays or other matters associated with such
        orders to the applicable Process owner(s) and other personnel as
        appropriate;
    3.  Processing appropriately approved order changes for Elements and
        ancillary goods and services;
    4.  Reporting the status of orders for Elements and ancillary goods and
        services to the applicable Process owner(s); and

 


 

    5.  Advising the applicable Process owner(s) of Procurement Management of
        problems or issues with the purchasing agreements for Elements and
        ancillary goods and services, and interacting with the underlying
        suppliers as necessary.

3.7 Deploy

3.7.1 Configuration

The purpose of “Configuration” is to configure Elements according to the
specifications for build and operational function provided by the applicable
Process owner(s).

 

Configuration includes the following activities:



    1.  Building Elements, including the integration of applicable
        sub-components (e.g., software, hardware);
    2.  Performing operational selections, on or with respect to the Element,
        required to properly implement the required features, functionality
        and constraints, including the association of the Element or the
        user(s) of the Element with the applicable non-security-based policy
        objects; and
    3.  Updating the CMDB as applicable and appropriate.

3.7.2 Implementation

The purpose of “Implementation” is to coordinate, manage and execute the
activities necessary to perform change to Elements in the IT and Client
environments, including adding and removing Elements and sub-components of
Elements from such environments.

 

Implementation includes the following activities:

 

    1.  Obtaining, from the applicable Process owner(s) (e.g., Service Desk),
        appropriately approved implementation requests;
    2.  Performing those functions necessary to verify that the applicable
        attributes of the IT and Client environments can support the
        implementation requests, including:
        (a)  Conducting, when applicable, site surveys and informing the
             applicable Process owner(s), Clients and other personnel as
             appropriate of issues (e.g., physical space limitations and
             requirements, changes to the cabling infrastructure);
        (b)  Developing implementation plans; and

 

 


 

        (c)  Coordinating with the applicable Process owner(s), Clients and
             other personnel as necessary;
    3.  Optimizing performance from financial, timing and Client-disruption
        perspectives, including combining or disaggregating activities when
        applicable;
    4.  Proposing, when applicable, implementation windows to, and as necessary
        obtaining approval for such windows from, the applicable Process
        owner(s) of Change Management Execution;
    5.  Dispatching, when applicable, the appropriate personnel to the
        applicable location(s);
    6.  Fulfilling implementation requests, including:
        (a)  Obtaining, when applicable, items (e.g., Elements, sub-components
             of Elements, release packages) from the applicable Process
             owner(s);
        (b)  Confirming, when applicable, that obtained items are properly
             configured;
        (c)  Installing, moving, adding, changing, removing and releasing, when
             applicable, obtained items and existing Elements;
        (d)  Connecting, when applicable, obtained items and existing Elements
             to the applicable IT and Client environments;
        (e)  Performing, or when applicable, requesting to be performed by the
             applicable Process owner(s), security, file access, directory and
             other administrative procedures as applicable;
        (f)  Activating and deactivating, when applicable, obtained items and
             existing Elements, including their underlying services;
        (g)  Notifying, when applicable, the applicable Process owner(s) of the
             readiness for supplemental activities to be performed to complete
             requests, including notifying the applicable Process owner(s) of
             Configuration and Security Administration regarding implementation
             of the associated non-security- and security-based policies and
             access rights;

 

 


 

        (h)  Backing up and copying data when applicable, including, when
             appropriate, notifying Clients of self-service data restoration
             procedures;
        (i)  Confirming that requests have been implemented as required;
        (j)  Performing tests to confirm that fulfillment of requests provides
             the expected functionality, including, as applicable, with respect
             to other Elements;
        (k)  Taking corrective action when necessary, including providing and
             executing appropriate back-out procedures for unsuccessful
             implementations; and
        (l)  Confirming that Client and IT operational capabilities are not
             adversely impacted as a consequence of fulfilling requests;
    7.  Returning, when applicable, to the applicable Process owner(s),
        Elements and sub-components of Elements removed from the IT and Client
        environments;
    8.  Advising the applicable Process owner(s) of performance problems or
        other issues that are unrelated to the proper fulfillment of
        implementation requests;
    9.  Updating the CMDB as applicable and appropriate; and
    10. Notifying the applicable Process owner(s), Clients and other personnel
        of the completion of implementation requests.

3.8 Maintain

3.8.1 Maintenance Administration

The purpose of “Maintenance Administration” is to determine the activities
necessary to maintain Elements in accordance with the applicable specifications,
including from their manufacturers and applicable standards organizations.

 

Maintenance Administration includes the following activities:



 

 




 

    1.  Obtaining, throughout the full lifecycle of Elements, the publications
        (e.g., bulletins, alerts, manuals, software, firmware) from the
        applicable organizations (e.g., manufacturers, standards
        organizations) regarding recommended maintenance activities (e.g.,
        firmware updates, software patches/upgrades, physical cleaning,
        inspection of parts and connections, output testing, replacement of
        Consumables) to be performed (“Recommended Maintenance”);
    2.  Determining the applicability and appropriateness of implementing
        Recommended Maintenance, including requesting the applicable Process
        owner(s) to review, test and propose recommendations for the
        modification, use and implementation of Recommended Maintenance;
    3.  Aggregating and reporting recommendations regarding Recommended
        Maintenance to the applicable Process and Element owner(s) and
        soliciting feedback;
    4.  Developing and revising maintenance requirements based on the feedback
        obtained from the applicable Process and Element owner(s)
        (“Maintenance Requirements”);
    5.  Obtaining approvals for implementing recurring and one-time Maintenance
        Requirements from the appropriate personnel designated to approve such
        maintenance;
    6.  Submitting appropriately approved Maintenance Requirements to the
        applicable Process owner(s) (e.g., Corrective Maintenance, Adaptive
        Maintenance, Release Management Execution, Local Maintenance & Repair,
        Remote Maintenance & Repair) to be implemented; and
    7.  Maintaining complete records of Recommended Maintenance and the
        associated approvals and rejections for the performance of Maintenance
        Requirements.

3.8.2 Local Maintenance & Repair

 

The purpose of “Local Maintenance & Repair” is to coordinate, manage and execute
the activities requiring physical intervention to perform approved Maintenance
Requirements and correct Incidents and Problems.

 

Local Maintenance & Repair includes the following activities:



 

 




 

    1.  Developing, when applicable, the appropriate mechanisms to provide, as
        required, for the ready availability of Spares, Spare Parts and
        Consumables;
    2.  Obtaining, from the applicable Process owner(s) (e.g., Maintenance
        Administration, Service Desk), appropriately approved maintenance and
        repair requests;
    3.  Performing those functions necessary to verify that the applicable
        attributes of the IT and Client environments can support the
        maintenance and repair requests, including:
        (a)  Conducting, when applicable, site surveys and informing the
             applicable Process owner(s), Clients and other personnel as
             appropriate of issues (e.g., physical space limitations and
             requirements);
        (b)  Developing maintenance and repair plans; and
        (c)  Coordinating with the applicable Process owner(s), Clients and
             other personnel as necessary;
    4.  Proposing, when applicable, implementation windows to, and as necessary
        obtaining approval for such windows from, the applicable Process
        owner(s) of Change Management Execution;
    5.  Dispatching, when applicable, the appropriate personnel to the
        applicable location(s);
    6.  Fulfilling maintenance and repair requests, including:
        (a)  Obtaining, when applicable, items (e.g., Maintenance Requirements,
             Elements, sub-components of Elements, Spares, Spare Parts,
             Consumables, release packages) from the applicable Process
             owner(s);
        (b)  Confirming, when applicable, that obtained items are properly
             configured;
        (c)  Performing, when applicable, the applicable Maintenance
             Requirements;
        (d)  Diagnosing, when applicable, Incidents and Problems within the IT
             and Client environments and formulating corrective actions
             designed to restore and/or repair the applicable IT services;


 

        (e)  Performing repair activities as required, including, when
             applicable and appropriate, replacing malfunctioning
             sub-components with Spare Parts, replacing Consumables, installing
             patches and firmware updates, re-installing malfunctioning
             software, and restoring and reconfiguring the applicable settings;
        (f)  Replacing Elements with Spares, subject to appropriate approval
             and prior performance of applicable repair methods;
        (g)  Performing, or when applicable, requesting to be performed by the
             applicable Process owner(s), security, file access, directory and
             other administrative procedures as applicable;
        (h)  Connecting, when applicable, obtained items and existing Elements
             to the applicable IT and Client environments;
        (i)  Activating and deactivating, when applicable, obtained items and
             existing Elements, including their underlying services;
        (j)  Notifying, when applicable, the applicable Process owner(s) of the
             readiness for supplemental activities to be performed to complete
             requests, including notifying the applicable Process owner(s) of
             Configuration and Security Administration regarding implementation
             of the associated non-security- and security-based policies and
             access rights;
        (k)  Backing up and copying data when applicable, including, when
             appropriate, notifying Clients of self-service data restoration
             procedures;
        (l)  Confirming that requests have been implemented as required;
        (m)  Performing tests to confirm that fulfillment of requests provides
             the expected functionality, including, as applicable, with respect
             to other Elements;
        (n)  Taking corrective action when necessary, including providing and
             executing appropriate back-out procedures for unsuccessful
             maintenance and repair; and

 

 


 

        (o)  Confirming that Client and IT operational capabilities are not
             adversely impacted as a consequence of fulfilling requests;
    7.  Returning, when applicable, to the applicable Process owner(s),
        Elements and sub-components of Elements removed from the IT and Client
        environments;
    8.  Advising the applicable Process owner(s) of performance problems or
        other issues that are unrelated to the proper fulfillment of
        maintenance and repair requests;
    9.  Updating the CMDB as applicable and appropriate; and
    10. Notifying the applicable Process owner(s), Clients and other personnel
        of the completion of maintenance and repair requests.

3.8.3 Remote Maintenance & Repair

The purpose of “Remote Maintenance & Repair” is to coordinate, manage and
execute the activities not requiring physical intervention to perform approved
Maintenance Requirements and correct Incidents and Problems.

 

Remote Maintenance & Repair includes the following activities:

 

    1.  Obtaining, from the applicable Process owner(s) (e.g., Maintenance
        Administration, Service Desk), appropriately approved maintenance and
        repair requests;
    2.  Performing those functions necessary to verify that the applicable
        attributes of the IT and Client environments can support the
        maintenance and repair requests, including:
        (a)  Validating the availability of required network access and
             bandwidth;
        (b)  Developing maintenance and repair plans; and
        (c)  Coordinating with the applicable Process owner(s), Clients and
             other personnel as necessary;
    3.  Proposing, when applicable, implementation windows to, and as necessary
        obtaining approval for such windows from, the applicable Process
        owner(s) of Change Management Execution;
    4.  Fulfilling maintenance and repair requests, including:

 

 

 


 

        (a)  Obtaining, when applicable, items (e.g., Maintenance Requirements,
             Elements, sub-components of Elements, release packages) from the
             applicable Process owner(s);
        (b)  Confirming, when applicable, that obtained items are properly
             configured;
        (c)  Performing, when applicable, the applicable Maintenance
             Requirements;
        (d)  Diagnosing, when applicable, Incidents and Problems within the IT
             and Client environments and formulating corrective actions
             designed to restore and/or repair the applicable IT services;
        (e)  Performing repair activities as required, including, when
             applicable and appropriate, installing patches and firmware
             updates, re-installing malfunctioning software, and restoring and
             reconfiguring the applicable settings;
        (f)  Performing, or when applicable, requesting to be performed by the
             applicable Process owner(s), security, file access, directory and
             other administrative procedures as applicable;
        (g)  Connecting, when applicable, obtained items and existing Elements
             to the applicable IT and Client environments;
        (h)  Activating and deactivating, when applicable, obtained items and
             existing Elements, including their underlying services;
        (i)  Notifying, when applicable, the applicable Process owner(s) of the
             readiness for supplemental activities to be performed to complete
             requests, including notifying the applicable Process owner(s) of
             Configuration and Security Administration regarding implementation
             of the associated non-security- and security-based policies and
             access rights;
        (j)  Backing up and copying data when applicable, including, when
             appropriate, notifying Clients of self-service data restoration
             procedures;
        (k)  Confirming that requests have been implemented as required;

 

 

        (l) Performing tests to confirm that fulfillment of requests provides
            the expected functionality, including, as applicable, with respect
            to other Elements;
        (m) Taking corrective action when necessary, including providing and
            executing appropriate back-out procedures for unsuccessful
            maintenance and repair; and
        (n) Confirming that Client and IT operational capabilities are not
            adversely impacted as a consequence of fulfilling requests;
    5.  Advising the applicable Process owner(s) of performance problems or
        other issues that are unrelated to the proper fulfillment of
        maintenance and repair requests;
    6.  Updating the CMDB as applicable and appropriate; and
    7.  Notifying the applicable Process owner(s), Clients and other personnel
        of the completion of maintenance and repair requests or the need for
        the applicable Process owner(s) of other Processes (e.g., Local
        Maintenance & Repair, Implementation) to perform activities to resolve
        matters that cannot be performed remotely.

3.9 Software Maintenance

3.9.1 Corrective Maintenance

The purpose of “Corrective Maintenance” is to (a) modify software (using the
applicable Processes and controls of Software Engineering) and data to correct
discovered defects, recover from Incidents, resolve Problems and implement
Maintenance Requirements, (b) work with software manufacturers regarding defects
they are responsible to correct, and (c) develop recommendations regarding
Recommended Maintenance software designed to address defects (e.g., patches).

 

Corrective Maintenance includes the following activities:



    1.  Reviewing software that is the subject of an Incident or Problem and
        determining the underlying defects, including those:
        (a) Resulting from errors in design, logic, coding or other comparable
            issues;

 

 

        (b) Resulting in or from errors and inconsistencies in the underlying
            data being produced or processed; and
        (c) Causing abnormal system performance characteristics;
    2.  Restoring full functionality prevented by defects, including:
        (a) Developing changes to software (e.g., patches, fixes); and
        (b) Working, when applicable, with the underlying software
            manufacturers to cause them to develop and publish changes to
            software for which they are responsible;
    3.  Developing, as required, additional software and other methods to:
        (a) Rectify erroneous results (e.g., data, reports) on both a current-
            and, as applicable, historical- basis;
        (b) Restore system integrity; and
        (c) Enable normal use;
    4.  Documenting and providing to the applicable Process owner(s), detailed
        actions required to be performed by such owner(s) in support of the
        recovery from Incidents and the resolution of Problems with software
        and data (e.g., rollback of data, re-running of jobs, running of
        additional software to correct contaminated data);
    5.  Reviewing, testing and analyzing Recommended Maintenance software and
        providing recommendations for use, including modifications to
        Recommended Maintenance software and, when applicable, other software,
        to the applicable Process owner(s) of Maintenance Administration;
    6.  Developing changes, when applicable, to software to implement
        Maintenance Requirements;
    7.  Updating supporting documentation to conform with changes to software;
    8.  Providing the applicable Process owner(s), including those of Business
        Systems Support, with information regarding the scope of and potential
        impact from software changes;
    9.  Developing and publishing testing schedules to the applicable Process
        owner(s);

 



    10. Providing changed software to the applicable Process owner(s) for
        testing, packaging, implementation and use within the IT and Client
        environments;
    11. Modifying software and associated documentation based on test and
        implementation results;
    12. Submitting changes to the applicable Process owner(s) of Change
        Management Execution; and
    13. Updating the CMDB as applicable and appropriate.

3.9.2 Adaptive Maintenance

The purpose of “Adaptive Maintenance” is to (a) modify software (using the
applicable Processes and controls of Software Engineering) such that it remains
operationally useful within the IT and Client environments over time in response
to changing circumstances and needs, including implementing Maintenance
Requirements, and (b) develop recommendations regarding Recommended Maintenance
software designed to provide changed capabilities (e.g., upgrades).

 

Adaptive Maintenance includes the following activities:



    1.  Developing changes to software to allow it to adapt over time as
        necessary, including complying with ongoing change in:
        (a) Client policy, procedure, process, staffing, organization,
            location, time and other business changes and requirements;
        (b) Client functionality requirements, including those that would
            (i) modify or remove then-current features and capabilities, and
            (ii) add new features and capabilities;
        (c) Connectivity requirements with systems both internal and external
            to the IT environment (i.e., interfaces);
        (d) Regulatory requirements and applicable industry standards; and

 

 

        (e) IT policy and technology (e.g., security, architecture, platform,
            hardware, configuration, tools), including (i) upgrades and
            changes to the hardware and infrastructure-based software in which
            the software must run, and (ii) changes to the interfaces the
            software must make with hardware or other software (e.g., storage,
            messaging systems, databases);
    2.  Reviewing, testing and analyzing Recommended Maintenance software and
        providing recommendations for use, including modifications to
        Recommended Maintenance software and, when applicable, other software,
        to the applicable Process owner(s) of Maintenance Administration;
    3.  Developing changes, when applicable, to software to implement
        Maintenance Requirements;
    4.  Populating and updating data tables, configuration settings and other
        adjustment mechanisms associated with software that are not designed
        to be performed directly by Clients;
    5.  Updating supporting documentation to conform with changes to software;
    6.  Providing the applicable Process owner(s), including those of Business
        Systems Support, with information regarding the scope of and potential
        impact from software changes;
    7.  Developing and publishing testing schedules to the applicable Process
        owner(s);
    8.  Providing changed software to the applicable Process owner(s) for
        testing, packaging, implementation and use within the IT and Client
        environments;
    9.  Modifying software and associated documentation based on test and
        implementation results;
    10. Submitting changes to the applicable Process owner(s) of Change
        Management Execution; and
    11. Updating the CMDB as applicable and appropriate.

 

 

 

3.9.3 Perfective Maintenance

The purpose of “Perfective Maintenance” is to modify software (using the
applicable Processes and controls of Software Engineering) to improve its
efficiency, reliability and maintainability.

 

Perfective Maintenance includes the following activities:



    1.  Monitoring the operation and use of software to gain an understanding
        of how it performs in the IT and Client environments;
    2.  Reviewing the underlying code and determining if change from various
        methods (e.g., programming language, compiler optimization, code
        reorganization) could be used to achieve beneficial outcomes;
    3.  Developing changes to software that will allow it to:
        (a) Perform its then-current functions using less IT resources (e.g.,
            compute power, memory, bandwidth, storage);
        (b) Operate at higher levels of availability; and
        (c) Require less effort to be maintained, enhanced, adapted or
            corrected over time;
    4.  Updating supporting documentation to conform with changes to software;
    5.  Providing the applicable Process owner(s), including those of Business
        Systems Support, with information regarding the scope of and potential
        impact from software changes;
    6.  Developing and publishing testing schedules to the applicable Process
        owner(s);
    7.  Providing changed software to the applicable Process owner(s) for
        testing, packaging, implementation and use within the IT and Client
        environments;
    8.  Modifying software and associated documentation based on test and
        implementation results;
    9.  Submitting changes to the applicable Process owner(s) of Change
        Management Execution; and
    10. Updating the CMDB as applicable and appropriate.

 

 

 

3.9.4 Preventive Maintenance

The purpose of “Preventive Maintenance” is to modify software (using the
applicable Processes and controls of Software Engineering) to reduce the
probability of future failure from defects.

 

Preventive Maintenance includes the following activities:



    1.  Monitoring the operation and performance of software under scenarios
        designed to provide early warning signals of potential defects (e.g.,
        memory leaks, maximum number of records to be processed, file size
        thresholds, input error handling);
    2.  Developing changes to software to:
        (a) Correct latent defects before such defects become Incidents or
            Problems; and
        (b) Improve error identification and error handling;
    3.  Updating supporting documentation to conform with changes to software;
    4.  Providing the applicable Process owner(s), including those of Business
        Systems Support, with information regarding the scope of and potential
        impact from software changes;
    5.  Developing and publishing testing schedules to the applicable Process
        owner(s);
    6.  Providing changed software to the applicable Process owner(s) for
        testing, packaging, implementation and use within the IT and Client
        environments;
    7.  Modifying software and associated documentation based on test and
        implementation results;
    8.  Submitting changes to the applicable Process owner(s) of Change
        Management Execution; and
    9.  Updating the CMDB as applicable and appropriate.

3.10 Operations

 

 

 

3.10.1 Operations Scheduling

The purpose of “Operations Scheduling” is to develop and maintain a schedule for
applications and services (e.g., production control) that meets Client
requirements and appropriately takes into consideration dependencies and Client
priorities.

 

Operations Scheduling includes the following activities:

 

    1.  Obtain scheduling requirements from Client. Resolving scheduling
        conflicts;
    2.  Identifying and resolving errors with the execution of jobs,
        including:
        (a) Causing erroneous job activities to be circumvented and jobs to be
            restarted or rerun; and
        (b) Escalating errors that cannot be resolved to the applicable
            Process owner(s) to remove the underlying defects in software,
            hardware and data;
    3.  Assessing the feasibility of and risks associated with proposed
        changes that could affect processing schedules or other activities;
    4.  Implementing changes to processing schedules that are approved by the
        applicable Process owner(s); and
    5.  Proactively preparing for processing deadlines to meet Client
        requirements.

3.10.2 Computer Operations

The purpose of “Computer Operations” is to perform the functions necessary for
operation of computing platforms.

 

Computer Operations includes the following activities:



    1.  Providing the required environments (e.g., production, development,
        quality assurance, training), including:
        (a) Making online systems and applications for such environments
            available for access during scheduled hours; and
        (b) Maintaining the environments at the required release levels;
    2.  Assessing the feasibility of and risks associated with proposed
        changes that affect the systems, platforms and applications;

 

 

 

    3.  Implementing changes to systems in a controlled manner, including:
        (a) Facilitating the orderly turnover of systems, platforms and
            applications;
        (b) Adhering to documentation standards;
        (c) Informing stakeholders of the changes; and
        (d) Providing coordination of the implementation, integration, testing
            and acceptance of new systems, platforms and applications;
    4.  Initiating and executing online and batch applications, including
        scheduled, unscheduled and on-request applications, as well as
        Client-initiated processing;
    5.  Terminating applications as appropriate;
    6.  Issuing operator commands;
    7.  Performing back-ups;
    8.  Performing the allocation and placement of files;
    9.  Monitoring the usage of files;
    10. Logging off Clients;
    11. Initiating and terminating utilities;
    12. Canceling transactions as appropriate;
    13. Transmitting and receiving information to and from external
        organizations;
    14. Operating master console functions, including responding to program
        requests for intervention;
    15. Handling abnormal terminations and similar situations resulting from
        errors and conditions that can be resolved by correctly performing or
        re-performing the jobs (e.g., restarts, reruns) in accordance with
        documented procedures or workarounds, and escalating the errors and
        conditions that cannot be resolved to the applicable Process owner(s),
        including those of Operations Scheduling;
    16. Performing computer shutdowns and restarts as required;

 

 

    17. Executing utility functions; and
    18. Providing security related data to the Process owner(s) of Security
        Operations.

3.10.3 Network Operations

The purpose of “Network Operations” is to perform the functions necessary for
operation of separate or combined voice and data networks.

 

Network Operations includes the following activities:



    1.  Inventorying and assigning network addresses, and updating naming and
        other systems;
    2.  Verifying that network-related software is maintained at the required
        release levels and causing the applicable Process owner(s) to address
        deficiencies;
    3.  Assessing the feasibility of and risks associated with proposed
        changes that affect the network(s);
    4.  Collecting and analyzing logged network data;
    5.  Reconfiguring or rerouting network traffic, including by using
        available alternative routing and back-up facilities, to:
        (a) Achieve increased throughput or improved balance among network
            segments to accommodate unanticipated demand;
        (b) Circumvent a failed component;
        (c) Prevent denial of service to legitimate Clients; and
        (d) Provide network service to alternate locations in conjunction with
            disaster recovery tests and actual disasters;
    6.  Performing back-ups and restorations of configurations;
    7.  Verifying proper operation of interfaces with affiliated networks,
        both internal and external to the enterprise, and causing the
        applicable Process owner(s) and external network owner(s) to address
        deficiencies;
    8.  Troubleshooting and executing diagnostic tests, analyzing the test
        data and making recommendations for improvements in performance; and

 

 

 

    9.  Providing security related data to the Process owner(s) of Security
        Operations.

3.10.4 Media Operations

The purpose of “Media Operations” is the management of the media providing input
to and producing output from server-based peripherals.

 

Media Operations includes the following activities: 

    1.  Checking output queues, changing output priorities, taking media-based
        Elements in and out of service, and displaying, starting, spooling and
        draining output queues;
    2.  Monitoring print performance and taking remedial action where required
        to meet the applicable performance objectives, including control of
        print queues, queue capacity and print request prioritization;
    3.  Initiating and completing media mounts, including inserting and
        ejecting volumes associated with automated libraries;
    4.  Executing off-site and on-site media storage processes, including
        logging and tracking of media on- and off-site, complying with
        physical specifications and retention periods, performing required
        cycling/rotation of media and security, packaging and transportation
        of media (and/or electronic transmission of information and data) to
        and from storage and remote computer recovery centers;
    5.  Obtaining off-site media when required;
    6.  Maintaining media library system inventory information;
    7.  Responding appropriately to media reliability threshold error events,
        including replacing media;
    8.  Archiving data on the applicable media;
    9.  Executing programs to retrieve data from archived media;
    10. Initializing new media and obtaining media inventories as required to
        fulfill operational needs;
    11. Monitoring and reporting media utilization;

 

 

    12. Testing retrieval and restoration capabilities (e.g., retrieving a
        randomly selected data file as a test and verifying that the data can
        be restored in a usable fashion);
    13. Separating, packaging, labeling and tracking printed output;
    14. Delivering printed output to required locations;
    15. Finding, tracing or replacing lost printed output; and
    16. Providing security related data to the Process owner(s) of Security
        Operations.

3.10.5 Physical Database Administration

The purpose of “Physical Database Administration” is to manage data, including
data contained in files and databases.

 

Physical Database Administration includes the following activities:



    1.  Planning for and changing the size of databases as required (e.g.,
        change in business volume, addition or retirement of new software,
        software capabilities) and allocating storage space;
    2.  Monitoring database and file performance;
    3.  Monitoring space utilization;
    4.  Improving database and file access performance;
    5.  Designing, implementing, reorganizing and maintaining databases and
        file archives to provide data integrity and meet applicable business
        requirements;
    6.  Recovering damaged or corrupted databases and files;
    7.  Maintaining physical database definitions;
    8.  Implementing, testing and promoting into production database
        structural changes;
    9.  Updating the CMDB as applicable and appropriate;
    10. Copying, moving and updating the information contained within
        databases and files to meet the appropriately approved needs of other
        Process owners and Clients; and

 

 

    11. Diagnosing and repairing damage to the information contained within
        databases and files as a result of actions arising from the storage
        (i.e., not from use) of such information, and escalating damage that
        cannot be repaired to the applicable Process owner(s).

3.10.6 Operations Monitoring

The purpose of “Operations Monitoring” is to monitor and report on the operation
of Elements and their relevant sub-components.

 

Operations Monitoring includes the following activities:



    1.  Monitoring functionality and performance (including monitoring of
        related manual processes) to:
        (a) Verify compliance with operational design characteristics; and
        (b) Identify causes of performance degradation;
    2.  Monitoring the flow of demand on the IT environment and the
        achievement of the expected individual and systemic outcomes;
    3.  Identifying abnormal circumstances that could be indicative of
        potential Incidents or Problems and requesting review, circumvention
        or repair by the applicable Process owner(s);
    4.  Reporting Incidents and Problems to the applicable Process owner(s);
        and
    5.  Providing reports on the operational status of Elements.

3.11 Service Support

3.11.1 Incident Management Execution

The purpose of “Incident Management Execution” is to restore normal service
following detection of an Incident.

 

Incident Management Execution includes the following activities:



    1.  Obtaining Incident information, including the corresponding
        classification, from Incident Management;
    2.  Reviewing Incidents and identifying the applicable Process owner(s) to
        identify the appropriate recovery actions;
    3.  Forming teams comprised of personnel from the applicable Processes;

 

 

    4.  Diagnosing Incidents and developing Incident recovery actions,
        including assessing the impact of Incidents, and estimating recovery
        time and costs;
    5.  Notifying the applicable Process owner(s) of Incident Management of
        Incident recovery actions;
    6.  Notifying the applicable Process owner(s) of their role(s) in
        performing Incident recovery actions;
    7.  Monitoring and directing Incident recovery actions, including
        coordinating the applicable Processes;
    8.  Updating Incident recovery logs as recovery actions are undertaken,
        including notifying the applicable Process owner(s);
    9.  Registering Incidents as closed upon successful recovery, including
        notifying the applicable Process owner(s), Clients and other personnel
        as appropriate;
    10. Matching Incidents against known errors and Problems and informing
        Problem Management of the existence of unmatched or multiple
        Incidents;
    11. Escalating Incidents and notifying the applicable Process owner(s) and
        other personnel as appropriate;
    12. Participating in Incident Management review meetings;
    13. Developing and maintaining Incident process models and/or workflows
        for:
        (a) Pre-defined Incidents (e.g., recurring Incidents, Incidents
            requiring special handling);
        (b) Major Incidents (often referred to as “severity 1” or “priority 1”
            Incidents); and
        (c) Preserving Incident evidence; and
    14. Establishing and maintaining a close working relationship with the
        applicable Process owner(s) of Incident Oversight.

 

 

 

3.11.2 Problem Identification and Resolution

The purpose of “Problem Identification and Resolution” is to identify Problems,
direct the resolution of Problems, proactively and reactively minimize the
adverse impact of Problems on Client operations, and prevent the recurrence of
Problems and resulting Incidents.

 

Problem Identification and Resolution includes the following activities:



1. Performing formal root cause analysis of Incidents as appropriate;
2. Determining the existence and nature of workarounds and/or circumventions
necessary to eliminate or reduce the adverse effects of Problems while more
permanent solutions are developed;
3. Initiating actions to minimize the adverse impact of Problems;
4. Communicating the identification and assessment of the Problems to the
applicable Process owner(s) of Problem Management and other applicable
Processes;
5. Updating records in a database or similar information repository to capture
new or changed details regarding Problems;
6. Identifying actions and/or potential areas of change to prevent the
recurrence of Incidents related to identified Problems (e.g., performing
historical Incident trend analysis); and
7. Participating in Problem Management review meetings.

3.11.3 Configuration Management Execution

The purpose of “Configuration Management Execution” is to develop the procedures
by which the CMDB is updated and maintained accurate.

 

Configuration Management Execution includes the following activities:



1. Developing configuration taxonomies (i.e., the CI information to be
maintained);
2. Developing procedures for the applicable Process owner(s) to capture and
record CI information in the CMDB;

 

 


 

3. Monitoring changes made to the CMDB and providing feedback to the applicable
Process owner(s); and
4. Verifying the physical existence of items recorded in the CMDB, updating the
CMDB as appropriate and informing the applicable Process owner(s) of such
updates.

3.11.4 Change Management Execution

The purpose of “Change Management Execution” is to perform tasks supporting the
delivery of Change Management.

 

Change Management Execution includes the following activities:



1. Obtaining requests for changes from Process owners and Clients, including
those arising from:
    (a) Incidents or Problems;
    (b) Externally imposed requirements (e.g., legislative changes); and
    (c) Business initiatives or programs, projects or service improvement
    initiatives (e.g., initiatives to improve efficiency or effectiveness);
2. Performing initial classifications of requests for change that take into
account the relevant factors (e.g., risk, cost impact) and are in accordance
with the applicable guidelines;
3. Performing quality control of change requests, including identification of:
    (a) Adequate change testing;
    (b) Appropriate back-out and remediation procedures; and
    (c) Impractical or unnecessary change requests;
4. Providing feedback and guidance to Process owners that submit unsatisfactory
change requests;
5. Providing properly formed change requests to Change Management;
6. Monitoring the performance of changes and invoking back-out or remediation
activities as applicable;
7. Registering completed changes as closed, including notifying the applicable
Process owner(s); and

 

 

 


 

8. Performing post-implementation reviews when issues arise during
implementation.

3.11.5 Release Management Execution

The purpose of “Release Management Execution” is to construct release packages
for Elements and provide appropriately approved release packages to the
applicable Process owner(s) to be implemented within the applicable portions of
the IT and Client environments.

 

Release Management Execution includes the following activities: 

1. Obtaining release components from the applicable Process owner(s);
2. Preparing proposed release implementation plans;
3. Compiling release notification lists;
4. Developing release back-out plans;
5. Submitting requests for change to the applicable Process owner(s) of Change
Management Execution for release packages;
6. Constructing release packages for release components, including, as
applicable, appropriate implementation plans, notification lists, back-out
plans and change approvals;
7. Testing release packages and revising such packages as needed, including, if
required, obtaining modified release components from the applicable Process
owner(s);
8. Submitting proposed release packages to the applicable Process owner(s) of
Release Management;
9. Modifying proposed release packages based on input from the applicable
Process owner(s) of Release Management;
10. Obtaining approval for release packages from the applicable Process owner(s)
of Release Management;
11. Submitting approved release packages to the applicable Process owner(s)
(e.g., Implementation) to be deployed in the IT and Client environments;
12. Modifying release packages to resolve problems encountered during
implementation; and

 

 


 

13. Performing post-implementation reviews and closing activities, including
cataloging and preparing release information for archival.

3.11.6 Capacity Reporting

The purpose of “Capacity Reporting” is to perform tasks supporting the delivery
of Capacity Management.

 

Capacity Reporting includes the following activities:



1. Obtaining utilization reports from the applicable Process owner(s);
2. Tracking performance, utilization and throughput, including service workloads
and transactions, and confirming that collected data is recorded, analyzed,
assessed relative to established limits and thresholds and reported to Capacity
Management;
3. Analyzing utilization and trend forecasts, along with the applicable
established thresholds, and proactively developing change recommendations
(e.g., upgrades, downgrades, enhancements, reconfiguration), including the
associated impact on space, power and personnel to correctly align performance
and availability needs with IT service capacity; and
4. Providing capacity reports and analyses to Capacity Management.

3.11.7 Availability Analysis

The purpose of “Availability Analysis” is to perform tasks supporting the
delivery of Availability Management.

 

Availability Analysis includes the following activities: 

1. Obtaining operational reports from the applicable Process owner(s);
2. Measuring availability based on operational information;
3. Performing availability analyses, including:
    (a) Monitoring, measuring, analyzing and reporting availability;
    (b) Determining availability levels in comparison to established
    availability-based service levels; and

 

 

 




 

    (c) Investigating unavailability; and
4. Providing availability reports to Availability Management.

3.11.8 Service Continuity Plan Development

The purpose of “Service Continuity Plan Development” is to evaluate potential
risks and prepare service continuity plans and procedures to be integrated into
the ITBCP.

 

Service Continuity Plan Development includes the following activities:



1. Obtaining and reviewing service continuity plan guidelines from the
applicable Process owner(s), including those of Service Continuity Management;
2. Conducting risk assessments, including collecting input from the applicable
Process owner(s);
3. Conducting Client impact analyses of potential faults;
4. Developing service continuity plans, including the specification of recovery
point objectives and recovery time objectives;
5. Submitting service continuity plans for approval to the applicable Process
owner(s) of Service Continuity Management;
6. Revising service continuity plans based on input from the applicable Process
owner(s) of Service Continuity Management;
7. Developing measures to reduce the chances of the occurrence and impact of
disasters, including providing disaster recovery planning capability and
procedures that are consistent with the applicable performance requirements;
8. Reviewing and auditing the performance of the service continuity plan and
addressing issues; and
9. Maintaining recovery plans and options up-to-date.

3.11.9 Service Continuity Plan Execution

The purpose of “Service Continuity Plan Execution” is to execute the ITBCP
during disaster recovery tests and actual disasters, and to test and execute
contingency plans as requested by the applicable Process owner(s) (e.g., Service
Continuity Management, Incident Oversight).

 

Service Continuity Plan Execution includes the following activities:



 

 




 

1. Implementing the applicable processes and procedures described in the ITBCP
during disaster recovery tests and actual disasters;
2. Documenting the recovery times, results and issues, if any, encountered and
providing such information to the applicable Process owner(s), including those
of Service Continuity Management and Service Continuity Plan Development; and
3. Coordinating with the applicable Process owner(s) to resolve problems, if
any, in implementing the ITBCP.

3.12 Security

3.12.1 Security Engineering

The purpose of “Security Engineering” is to develop and implement the methods,
mechanisms and devices necessary to comply with security policies and standards
or as directed by Security Oversight Actor.

 

Security Engineering includes the following activities:



1. Developing methods and mechanisms to implement security policies and
standards;
2. Developing security rules to be used in conjunction with the security
features and functions of hardware and software;
3. Directing the assigned Service Delivery Actor to implement or change security
mechanisms, including the configurations and deployments of security rules to
be used in conjunction with security features and functions of hardware and
software; and
4. Directing the assigned Service Delivery Actor to implement or change, when
applicable based on security policy, security devices and software, including
the configuration, installation, maintenance, and disposition of such devices
and software in accordance with the applicable activities of the relevant
Processes (e.g., Deploy, Maintain, Software Maintenance) and controls
appropriate for such work.
5. Modify methods, mechanisms, rules, configurations, etc. based on input from
the Process owner(s) of Security Operations, Security Analysis and Security
Oversight.


 



3.12.2 Security Credentials Management

The purpose of “Security Credentials Management” is to manage compliance with
the security policy(ies) and standards and to implement authorized security
credentials and access rights.

 

Security Administration includes the following activities:



1. Managing the provision of security credentials and access, including
issuance, replacement and revocation of individual access and authentication
and authorization credentials, as authorized by the applicable Process
owner(s), including those of Credentials Authorization and Security Operations;
2. Implementing security policies and standards, including the association of
the Element or the user(s) of the Element with the applicable security-based
policy objects; and
3. Maintaining historical data on security-related access changes.

3.12.3 Credentials Authorization

The purpose of “Credentials Authorization” is to authorize the granting
(including issuance, replacement and revocation) of security credentials and
access entitlements, individual access authentication and authorization
credentials to Clients, Actors and other personnel as appropriate.

3.12.4 Physical Security

The purpose of “Physical Security” is to implement and operate solutions that
ensure physical access to Elements is restricted to individuals authorized to
have physical access.

 

Physical Security includes the following activities:



   

1. Implementing and maintaining appropriate physical barriers and access
solutions that limit access to authorized individuals;
2. Granting physical access to authorized individuals;
3. Escorting and monitoring individuals granted physical access as required by
Security Policies; and
4. Monitoring physical access, taking appropriate action to protect against
unauthorized attempts to gain physical access and reporting all unauthorized
attempts to Security Operations.



 

 


 

3.12.5 Security Operations

The purpose of “Security Operations” is to implement and operate solutions that
reduce the likelihood of security threats, react to threats identified, and
minimize the harm caused by security threats.

 

Security Operations includes the following activities:



1. Implementing, maintaining and operating a data collection process, including:
    (a) Directing the assigned Service Delivery Actor(s) to configure the
    Element’s data collection tool(s) to enable proper consolidation, recording
    and normalization of data in accordance with the security solution; and
    (b) Collecting data from the identified sources;
2. Implementing, maintaining and operating vulnerability scanning functions,
including:
    (a) Configuring scanning tool(s) according to the published Client security
    policy;
    (b) Scheduling and executing scans; and
    (c) Distributing scan results to the Vulnerability Assessment Process owner;
3. Monitoring and reacting to security alerts, including:
    (a) Implementing the alert criteria as defined by the Security Analysis
    process;
    (b) Accepting and processing automated and derived alerts (e.g., rogue
    device detection, and Distributed Denial of Service Attack (DDOS) alerts);
    (c) Determining the preliminary impact of the Security Incident;
    (d) Directing, through the Incident Management process, the appropriate
    assigned Service Delivery Actor(s) to take event related actions;
    (e) Following the alert escalation process; and
    (f) Distributing escalated alerts to the Security Analysis, Security
    Oversight and Incident Management Process owners; and
4. Operating the security-specific application software, in accordance with
established Change Management Processes, by using the application software user
interface, including:

 

 

 




 

  

    (a) Manipulating rules and data entries;
    (b) Designing and ordering reports;
    (c) Designing and requesting queries; and
    (d) Setting data collection parameters.
5. Reviewing security policies and standards and recommending areas for
improvement to Security Policy Development.
6. Maintaining historical data on security-related matters and Incidents,
including performing and reporting on the applicable analyses (e.g., trends).
7. Providing feedback to the Process owner(s) of Security Operations and
Security Oversight regarding opportunities to reduce security risk and/or
improve detection.

3.12.6 Security Analysis

The purpose of “Security Analysis” is to analyze, disseminate and employ
security information to protect against security threats and Security Events.

 

Security Analysis includes the following activities:



1. Analyzing data to detect anomalies using rules and parameters established by
the Security Oversight process;
2. Monitoring compliance with the security solution, including:
    (a) Monitoring security settings to ensure that they meet or exceed relevant
    standards; and
    (b) Assigning proper remediation activities to the appropriate Service
    Delivery Actor(s);
3. Monitoring service, system and device access, including:
    (a) Detecting misuse of access, with the highest level of scrutiny employed
    for monitoring misuse of privileged access;
    (b) Detecting inappropriately obtained access, with the highest level of
    scrutiny employed for monitoring inappropriately obtained privileged access;
    (c) Detecting unusual or inappropriate access by External Clients;
    (d) Generating and distributing appropriate alerts; and
    (e) Following appropriate escalation mechanisms;
4. Detecting and reporting data leakage, including:
    (a) Detecting data leakage events;

 

 


 

    (b) Reporting data leakage events to Incident Management and Security
    Incident Response Process owner(s);
    (c) Measuring the effectiveness of the security solutions and/or controls in
    preventing data leakage; and
    (d) Making recommendations to improve controls through enhancements to the
    Security Solution Development Process;
5. Monitoring data traffic for malicious code and mobile code;
6. Analyzing Security Events, including:
    (a) Analyzing Security Events for potential security incidents; and
    (b) Reporting event analysis to Incident Management and Security Incident
    Response Process owner(s) in accordance with the Security Event analysis
    process;
7. Integrating external threat intelligence into the analysis process,
including:
    (a) Acquiring and utilizing appropriate external threat intelligence;
    (b) Evaluating for technical need and business context; and
    (c) Notifying stakeholders of context-normalized external threats; and
8. Analyzing environment resiliency, including:
    (a) Evaluating new deployments and technologies for security risks;
    (b) Proactively testing the environment for security defects; and
    (c) Coordinating with the appropriate Actor(s) to remediate based on the
    findings.

3.12.7 Security Incident Response

The purpose of “Security Incident Response” is to contain and investigate
security threats, Security Events and Incidents related to security.

 

Security Incident Response includes the following activities:



1. Planning for Security Events including ensuring all appropriate Actors,
Clients and External Clients are aware of their roles and the communications
and coordination protocols to be followed in the case of a Security Incident;
2. Making a preliminary determination of the impact of the Security Events;
3. Containing a Security Event, including:

 

 


 

    (a) Identifying and recommending mechanisms for limiting the spread of, and
    exposure to, a Security Incident; and
    (b) Escalating threat alerts to Incident Management Process owner(s) for
    execution of threat response; and
4. Conducting a formal forensic investigation into the Security Event,
including:
    (a) Analyzing Security Event to determine impact and appropriate containment
    approach;
    (b) Documenting Security Event analysis to support root cause analysis (RCA)
    efforts in accordance with Problem Management process;
    (c) Recreating and/or reverse engineering Security Events, as necessary; and
    (d) Documenting and sharing with appropriate Actors, Clients and/or External
    Clients newly discovered vulnerabilities that need to be addressed and
    recommendations as to how they should be addressed.

3.12.8 Security Incident Recovery

The purpose of “Security Incident Recovery” is to develop and maintain the
processes to be followed to recover from a Security Incident including ensuring
restoration activities are coordinated with all Actors, Clients and External
Clients and other stakeholders.

 

Security Incident Recovery includes the following activities:



Developing and maintaining plans for executing the processes necessary to
recover from a Security Incident including addressing coordination and
communication between all relevant Actors, Clients and other third parties. In
addition to recovery of operations, plans should address public relations,
regulatory and other brand protection activities;

Developing criteria for assessing the level of response needed to a Security
Incident and ensuring Actors and Clients are aware of their roles and
responsibilities under different response levels; and

Overseeing the execution of recovery activities performed by others including
enabling communications and coordination between appropriate Actors, Clients
and other third parties.

 

 

 


 



3.12.9 Vulnerability Assessment

The purpose of “Vulnerability Assessment” is to assess the vulnerability of the
environment to security threats.

 

Vulnerability Assessment includes the following activities:



   

1. Evaluating scans to detect exposure to security threats;
2. Prioritizing remediation tasks;
3. Assigning remediation tasks in accordance with Incident Management Process
owner(s);
4. Conducting Penetration Tests and analyzing results; and
5. Assessing and reporting the effectiveness of remediation efforts.

3.13 Logistics

3.13.1(a) Remove / Repurpose

 

The purpose of “Remove / Repurpose” is to prepare Elements and their
sub-components to be reused, returned to third parties or disposed.

 

Disposition includes the following activities:



1. Obtaining Elements and sub-components of Elements that have been de-installed
from the IT environment;
2. De-installing software from applicable storage media (fixed or removable);
3. Repairing Elements and sub-components of Elements that are operationally and
financially worthy of repair, including:
    (a) Determining whether such repair work is covered by a warranty; and
    (b) Causing warranty work or the financial equivalent to be
    performed/obtained when applicable;
4. Upgrading Elements and sub-components of Elements to current standards that
are operationally and financially worthy of upgrade;
5. Returning Elements and sub-components of Elements to the applicable third
parties (e.g., lessors) or sending to Process Owner of Disposition;



 

 


 

6. Providing repurposed, repaired and appropriately cleaned Elements and
sub-components of Elements to be retained within the IT environment to the
applicable Process and Element owner(s);
7. Disposing of Elements and sub-components of Elements that are no longer
required within the IT environment; and
8. Updating the CMDB as applicable and appropriate.

3.13.1(b) Disposition

The purpose of “Disposition” is to dispose of Elements.

 

Disposition includes the following activities:



Removing and destroying data from the applicable storage media (fixed or
removable);

Disposing of Elements and sub-components of Elements that are no longer
required within the IT environment; and

Updating the CMDB as applicable and appropriate.

3.13.2 Warehouse Management

The purpose of “Warehouse Management” is to securely store, track and manage the
inventories of Elements, Spares, Spare Parts and Consumables.

 

Warehouse Management includes the following activities:



1. Maintaining secure physical storage facilities;
2. Performing receiving and shipping functions;
3. Updating the CMDB as applicable and appropriate;
4. Providing inventory reports as requested by other Process owners;
5. Analyzing usage patterns and recommending changes to optimal inventory levels
to the applicable Process owner(s);
6. Developing and maintaining, with input obtained from the applicable Process
owner(s), threshold levels for the replenishment of the various warehouse
inventories; and
7. Notifying the applicable Process owner(s) when the level of an inventory item
reaches its predefined threshold.

 

 

 


 

3.13.3 Distribution

The purpose of “Distribution” is to physically transport Elements, Spares,
Spare Parts and Consumables to and from the physical storage locations under
the control of Warehouse Management and other Client locations.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 

II.       Embedded Processes

 

Except to the extent specifically identified elsewhere in the Agreement and
formally assigned to another Actor or entity, the following activities are
“embedded” within each of the Processes defined above and are to be performed by
each Actor for each Process for which it is responsible:

 

1. Developing the procedures underlying the Process, subject to and in
compliance with any requirements and constraints dictated by Triple-S and in
alignment with the approved policies and procedures of other Processes so as to
enable the IT services to function cohesively and in a coordinated manner;

 

2. Performing the activities comprising the Process in accordance with approved
policies and procedures;

 

3. Providing and maintaining the necessary non-human resources (e.g., hardware,
property, plant, supplies, software, tools, infrastructure) and human resources
(including to provide training) to perform the Process;

 

4. Retaining all financial, operational and administrative responsibility for
the Process, including the resources necessary for its performance;

 

5. Performing the required activities necessary to manage the Process, including
(i) supervising and reporting, including reporting to other personnel within the
Process, (ii) measuring and reporting on the performance of the Process (or
parts thereof) to other Actors, Clients and/or third parties as required, (iii)
developing and distributing operational reporting related to the Process,
including any reporting related to Service Level Agreements, (iv) developing and
providing budgets and forecasts in accordance with the guidelines and parameters
established by the applicable Process owner(s) of Budgeting and Forecasting, and
(v) complying with the requests and/or instructions from the applicable Process
owner(s) of Services Management and Incident Oversight;

 

6. Managing documents and data (including data acquisition, data entry, data
recording and data distribution) related to the Process;

 

7. Performing quality control reviews of the Process, including testing the (i)
accuracy, reliability and quality of work, (ii) compliance with approved
policies and procedures, and (iii) performance and correction of issues
identified during such reviews;

 


 

8. Engineering the Process, including performing those actions necessary to
maintain or improve the underlying activities based on (i) then-current best
practices, and (ii) how it is intended to interact with other Processes and/or
Client processes;

 

9. Notifying other Actors as required of output or other findings or information
developed or learned through the Process, including notifying the applicable
Process owner(s) of the readiness for activities to be performed by such Process
owner(s) that are necessary to either complete or progress a function that spans
multiple Processes;

 

10. Notifying other Actors as required of detected security incidents or
vulnerabilities learned through the Process;

 

11. Responding to queries and requests concerning activities associated with the
performance of the Process, including making the applicable subject matter
experts, documentation and other relevant content available as necessary to be
responsive;

 

12. Handling all IT Events (including, if applicable, directly from Clients)
relevant to the Process that cannot be adequately responded to by the applicable
Process owner(s) of Service Desk or other Processes due to their lack of subject
matter expertise regarding such IT Events, including (i) providing the
information necessary for such Process owner(s) to respond directly to the
Clients, (ii) accepting the transfer of such IT Events from such Process
owner(s) and responding directly to the Clients, (iii) updating, when
applicable, the service management system(s) of record regarding the tracking of
such IT Events, and (iv) providing, to the applicable Process owner(s),
information regarding IT Events that are likely to be recurring in nature so as
to increase such Process owner’s(s’) ability to address such matters in the
future without assistance;

 

13. Handling all aspects of Incidents and Problems relevant to the Process,
including (i) receiving notification of and resolving Incidents and Problems,
(ii) providing other applicable Process owner(s), including those of Incident
Management, Problem Management and, to the extent requested, Incident Oversight,
and other personnel as appropriate with updated information regarding the status
of such Incidents and Problems and the associated resolution efforts, (iii)
escalating Incidents and Problems that cannot be resolved, and (iv) responding
to requests and complying with instructions from the applicable Process owner(s)
of Incident Management and, to the extent applicable for a given Incident,
Incident Oversight;

 




 

14. Interacting and coordinating as needed with other Process owners that are
responsible for related functions, including (i) integrating the Process with
the activities of such other Process owners such that the overall delivery of IT
services is optimized (i.e., not sub-optimized within the confines of the
Process), and (ii) monitoring the activities performed by other Process owners
to mitigate negative impact on the Process;

 

15. Providing advice and guidance on the Process to other Process owners (e.g.,
best practices, operational issues, impact from other Processes) so as to enable
such other Process owners to optimize the linkages of their Processes with the
Process;

 

16. Adhering to the applicable documentation standards;

 

17. Managing all aspects of third parties who perform all or part of a Process
assigned to the Actor (i.e., as if the Actor performed the Process itself); and

 

18. Using the Actor disagreement and dispute forum to resolve issues among
Actors and between Actors and Clients, including (i) registering disagreements
and disputes with the applicable Process owner(s) of Actor Integration, (ii)
participating, as reasonably requested by the applicable Process owner(s) of
Actor Integration, in Actor disagreement and dispute resolution forums, (iii)
providing information and resources reasonably requested by the applicable
Process owner(s) of Actor Integration that might be useful to the resolution of
disagreements and/or disputes, and (iv) cooperating in the implementation of the
final resolution of disagreements and disputes.

 




 

III.       Glossary

 

Terms | Definitions
Actor | Means an entity or individual that is responsible for performing or providing part of the IT services.
Application Architecture | Means the data and business process models that reflect Applications that: (i) simplify and facilitate the work activities of the business processes and provide automated procedures; (ii) specify the management of information storage or retrieval required to accommodate the enterprise objectives; and (iii) address location considerations and how information is used.
Client | Means an entity or individual that receives or uses IT services.
Configuration Items or CIs | Means the configuration records of an Element, hardware, software, IT service or designated item (e.g., personnel, business units, buildings, Client service), including its respective components.
Consumables | Means physical items that are designed to work in conjunction with Elements and are intended to be consumed through use (e.g., toner, paper, ink, batteries) rather than subject to repair.
CMDB | Means a database that contains all relevant information about the components of the information system used in an organization’s IT environment and the relationships between those components.
Delivery Model | Means the allocation of Actors to various levels of Processes and Elements that will be used to deliver the IT services.
Domain Architecture | Means the domain-specific architectures that form part of the Enterprise IT Architecture. The Domain Architectures as of the Effective Date consist of Information Architecture, Application Architecture, Infrastructure Architecture, and Security Architecture.

 

 


 

Terms | Definitions
Element or Elements | Means entries on the span axis of a Delivery Model or scope model. Elements may represent a category of components (e.g., Unix Servers), services (e.g., Managed WAN), individual products (e.g., Riverbed WAN Compression Appliance) or individual applications (e.g., SAP HR Module).
Enterprise Architecture | Means the underlying IT framework of a business, which defines and describes the applicable characteristics of the IT platforms, information, applications and security required by the enterprise to attain its objectives and achieve its business vision.
IT Event or IT Events | Has the meaning provided in Process 3.5.1 (Service Desk).
External Actor | Means an Actor that is external to the Triple-S organization.
External Actor Compliance Requirements | Means the regulations, directives, recommendations, orders, rulings and other similar requirements that are applicable to an External Actor by virtue of the Services being provided by that Actor from entities legally authorized to enact or enforce such requirements (including via contract and/or through the External Actor organization’s membership in a trade association with enforcement authority over its members). [Examples include the enforcement of HIPAA regulations directly onto Business Associates by the Dept. of Health & Human Services, the enforcement of PCI DSS requirements by the Payment Card brands, relevant privacy and data security laws and regulations applicable to data held or processed by the External Actor.]
External Client | Means a Client that is a customer or third party business partner external to the Triple-S organization.
External Compliance Requirements | Means the laws, regulations, directives, recommendations, orders, rulings and other similar requirements that are applicable to the Triple-S organization from entities legally authorized to enact or enforce such requirements (including via contract and/or through the Triple-S organization’s membership in a trade association with enforcement authority over its members).

 

 


 

Terms | Definitions
IMAC or IMACs | Means a request for the installation, movement, addition, change or removal of Elements and sub-components of Elements (e.g., moving physical or virtual Elements from one location to another, “racking and stacking” Elements, installing physical Elements, adding physical sub-components to Elements, installing software patches, installing software on an Element, performing software configuration changes, establishing logical connections, installing virtual Elements).
Incident | Means an event that causes or may cause interruption to or a reduction in the service delivered through or by an Element or Process.
Information Architecture | Means the data models and databases that serve all participants in the enterprise business environment, and the strategies, standards and policies required to develop and implement them, which enable the enterprise to develop a common, shared, distributed, accurate and consistent data resource.
Infrastructure Architecture | Means the interoperable technology platforms that link the Information Architecture and the Application Architecture and meet the needs of the various Client roles at identified work locations.
Internal Actor | Means an Actor that is internal to the Triple-S organization.
Internal Client | Means a Client that is within the Triple-S organization (i.e., business units or departments such as HR, F&A or Purchasing, including its respective personnel).
ITBCP | Has the meaning provided in Process 2.7.10 (Service Continuity Management).
Maintenance Requirements | Has the meaning provided in Process 3.8.1 (Maintenance Administration).
Problem | Means the underlying cause of one or more Incidents, which may include defects related to or arising from the IT infrastructure, human errors and external events.

 

 

 


 

Terms | Definitions
Process or Processes | Means the groupings of activities identified in this definition document and identified on the process axis of a Delivery Model or scope model. May pertain to an individual (level 3) process (e.g., Infrastructure Architecture Development, Solution Development) or a group of related (level 2) processes (e.g., Domain Architecture, Solution Formation).
Recommended Maintenance | Has the meaning provided in Process 3.8.1 (Maintenance Administration).
Risk Issues | Means the IT-related events and threats that could negatively impact the enterprise strategically or operationally or change the risk calculation for the enterprise, including security breaches, system failures, external events, technology investment mistakes, system development and implementation problems, and capacity shortages.
Security Architecture | Means the plan and set of principles that describe: (i) the security services that a system is required to provide to meet the needs of its Clients; (ii) the system elements required to implement the services; and (iii) the performance levels required in the elements to deal with the threat environment.
Security Event | Means an occurrence (or a number of occurrences) that deviates from expected performance or exceeds the applicable operational performance threshold, which may lead to an Incident.
Service Catalog | Means a repository in which the IT services available to Clients are identified, including a definition of the service, SLAs associated with the service, who is entitled to use or receive the service, the costs or charges for the service and the procedures for requesting the service.
Service Level Agreement or SLA | Means an agreement describing: (i) the quantitative standards of performance an Actor or entity is required to meet or exceed in providing the IT services (e.g., availability, quality, speed); and (ii) a definition of the terms controlling various aspects of performance (e.g., measurement definition, priorities, responsibilities, guarantees, changes). SLAs can be between Actors, between Actors and IT, or between IT and Clients.

 

 


 

Terms | Definitions
Spare Parts | Means an inventory of hardware-based sub-components of Elements (e.g., memory, motherboard, hard disk) that are currently not in use and are maintained in reserve to replace failed hardware-based sub-components of Elements used to provide the IT services.
Spares | Means an inventory of hardware-based Elements used to provide the IT services that are currently not in use and are maintained in reserve to replace or supplement failed hardware-based Elements used to provide the IT services.
Third Party Contract | Means a contractual arrangement with (i) an External Actor for the provision of IT services, and (ii) suppliers that provide Elements and ancillary goods/services.
Third Party Contract Manager | Means an entity that performs contract management functions with respect to Third Party Contracts.

 

 


 



 





SOW 02 Exhibit A-1-2 (Element Definitions)



 

CONFIDENTIAL TREATMENT REQUESTED 

FINAL EXECUTION COPY

 



 


 

 

 

 

 

 



STATEMENT OF WORK #2

 

EXHIBIT A-1-2

 

ELEMENT DEFINITIONS

 

 

 

 

 

Triple-S / Supplier Confidential

 



 

 

 



CONFIDENTIAL TREATMENT REQUESTED

SOW 4 Exhibit A-1-2 

Element Definitions

 


 



Element Definitions 

SOW #02 (IT) 

Exhibit A-1-2



Scope Model Elements | Definition
[***] (Software) | "[***] Software" means the [***] Application and related Applications and interfaces listed in Schedule X that are designated as "[***] Software" and are hosted in the Triple-S data center.
Healthcare Applications (3rd Party) | "Healthcare Applications (3rd Party)" means the Applications listed in Schedule X that are designated as "Healthcare Applications & Interfaces (3rd Party)" including the required Interfaces and any Application(s) Supplier implements in the future to replace, augment, or supplement any of such Applications.
Healthcare Applications (In-House) | "Healthcare Applications (In-House)" means the Applications listed in Schedule X that are designated as "Healthcare Applications & Interfaces (In-House)," including the required Interfaces and any Application(s) Supplier implements in the future to replace, augment, or supplement any of such Applications.
Non-Healthcare Business Applications | "Non-Healthcare Business Applications" means the Applications listed in Schedule X that are designated as "Non-Healthcare Business Applications".
Non-Healthcare Business Applications Infrastructure | "Non-Healthcare Business Applications Infrastructure" means the Compute and Storage devices on which Non-Healthcare Business Applications run including the devices or services used to replace such devices.
Triple-S SAAS | "Triple-S SAAS" means third party hosted software delivered as a bundled service (i.e., hardware and software and other services) by remote connection typically over the Internet.
Data Exchanges | "Data Exchanges" means the software used to exchange structured data between different computers under a source schema and transforming it into data structured under a target schema, so that the target data is an accurate representation of the source data.
Infrastructure SW | "Infrastructure Software" means the third party software installed on Compute & Storage - End User Devices & Servers Elements. Infrastructure Software excludes [***] (Software). Infrastructure Software includes any non-Applications software including Applications Development Tools, DBMS, Infrastructure Management Tools, Security Management or Systems software that exists within Day 1 and Steady State for all locations (Triple-S Data Center, Triple-S Offices, Azure Cloud), as of the Commencement Date and including future versions, upgrades or releases as necessary to maintain technical currency to support the Applications and commercially available replacements and/or replacements necessary to support changes in Applications. For clarity, Infrastructure Software includes: (i) Infrastructure Management Tools; (ii) Systems Software; (iii) Application Development Tools; (iv) Collaboration and Productivity Tools; (v) DBMS; (vi) Security Software; and (vii) Azure Services.
Compute & Storage - End User Devices, Servers | "Compute & Storage - End User Devices, Servers" means (i) a computing platform utilizing the Operating System including the CPU, memory, internal hard disk, related peripherals, KVM cabling and the NIC. A server may perform a general computing or specific purpose (e.g., Access Control Server, Applications Server, Data Base Server, eMail Server, Extranet Server, File and Print Server, Infrastructure Server, Replication Server, Web Server, etc.). A Server may be a physical box, blade or a Virtualized Instance; (ii) x86 Servers; (iii) End User Devices; (iv) Azure Services; (v) Network UPS; and (vi) Storage.
Compute & Storage - [***] & [***] Related Servers | "Compute & Storage - [***] & [***] Related Servers" means (i) x86 servers (physical, blade or a Virtualized Instance) that are used to host the [***] & [***] Related - TS Data Center applications. [***] Servers exclude x86 Servers; (ii) [***] and [***] Related - TS Data Center; (iii) [***] and [***] Related - CTS Data Center; and (iv) Storage.
Network - Network Edge Router & Network and Security Devices or Appliances | “Network - Network Edge Router & Network and Security Devices or Appliances” means (i) a Router that routes data between one or more local networks at a physical site and the wide or metropolitan area network serving the site; and (ii) Network and Security Devices or Appliances.
Network - Private Network Access & Transport and Public Network Access | "Network - Private Network Access & Transport and Public Network Access" means (i) the Private Network Access (i.e., Access Circuit) and the service for transmitting data and voice/video traffic over a WAN (e.g., MPLS Service); and (ii) Public Network Access.
Telecomm | "Telecomm" means (i) Servers, Software, Appliances and/or other specialty devices used to provide voice, video (including both centralized and distributed equipment); and (ii) Local Voice Equipment.

 






Scope Model Elements | Definition
Facilities Triple-S (includes Kiosks) | "Triple-S Facilities (includes Kiosks)" means (i) a data center facility provided by Triple-S (or Triple-S contracted third party provider) which may include specialized flooring, cabling, access security, fire detection and suppression, primary and backup power provisioning and distribution, heating, ventilation, and air conditioning (i.e., any Elements listed in the Supporting Element Definitions categorized as "Data Center" as deemed necessary by Triple-S); (ii) Kiosks; and (iii) the Computer Room.

 




  

Supporting Element Definitions

 



Category | Element | Definition
Data Center | Battery | “Battery” means a battery used to power equipment.
Data Center | Cable Management Drop Box to Server | “Cable Management Drop Box to Server” means the series of physical conduits, hangers, ladder racks, finger brackets, etc. that neatly thread/bundle horizontal copper/fiber cable runs and shorter fiber/copper cable patch-cords from the end-device connection point (Premise Distribution System (PDS) box) to the active server/end-device.
Data Center | Cable Plant | “Cable Plant” means the cable or fiber that carries voice, video, or data signals between computing and communications devices within a building.
Data Center | Cabling | “Cabling” means the physical cables in a data center, including voice, video and data LAN cabling and wiring.
Data Center | Colocated Third Party Equipment | “Colocated Third Party Equipment” means Appliances and other Servers, Storage or Network hardware, together with associated Software, which Customer elects to have Provider provide only Data Center Managed Service.
Data Center | Data Center LAN | "Data Center LAN" means all networking devices and connectivity required within a Data Center to support the hardware Elements in the Data Center.
Data Center | Data Center Router | “Data Center Router” means a Router that is used to connect computing platforms.
Data Center | Data Center Switch | “Data Center Switch” means a networking device that transmits data to multiple network connected computing devices and that primarily provides Layer 2 functionality (as defined by the OSI Reference Model). A Data Center Switch includes the NIC.
Data Center | Data Center Switch Port Aggregation | “Data Center Switch Port Aggregation” means a device that aggregates patches from network switches to allow the use of shared sniffers, probes, network traffic analyzers and other network inspection and diagnostic devices across a large scale data center network.
Data Center | Electrical Distribution | “Electrical Distribution” means a device used to distribute electric current in the IT Environment.
Data Center | Equipment Rack | “Equipment Rack” means a cabinet that holds IT equipment (e.g., Servers, Routers).
Data Center | Facilities Equipment | “Facilities Equipment” means a category of devices that create a suitable computing environment at a data center.
Data Center | Fire Detection | “Fire Detection” means a device used to detect fires and includes associated cabling.
Data Center | Fire Suppression | “Fire Suppression” refers to a category of devices used to prevent and/or suppress fire outbreak and includes associated cabling.
Data Center | Furniture/Fixture | “Furniture/Fixture” means any item of furniture or a fixture used in the data center.
Data Center | Generator | “Generator” means a device used to generate and monitor a power supply (e.g., transformer, inverter, uninterruptible power supply device), including associated cabling.
Data Center | Heating, Ventilation And Cooling (HVAC) | “Heating, Ventilation And Cooling” or “HVAC” means a device that controls temperature, humidity, air cleanliness and air motion within a physical space.
Data Center | PDU | “PDU” means a power distribution unit and includes associated cabling.
Data Center | Physical Access Control | “Physical Access Control” means any device used to restrict access to the data center, including locks, card readers, and man traps.
Data Center | Uninterrupted Power Supply (UPS) | “Uninterrupted Power Supply” or “UPS” means a device that supplies power to a computer or other electrical equipment on a temporary basis when electricity from a primary power source is lost or degraded, including all communication cables as well as providing protection from power surges. UPS can be designed to serve a data center or portion thereof or designed to be mounted on an Equipment Rack.
End User | Desktop | “Desktop” means a computing platform that is not portable and is primarily used directly by an end user, whether networked or standalone, PC or Macintosh. A Desktop includes a central processing unit, Operating System, video display monitor, modem, related cables (e.g., patch cords), and related peripherals (e.g., keyboard, pointing device).
End User | Desktop Phone | "Desktop Phone" means a standard or VOIP handset located at an End User's workstation.

 


 

Category | Element | Definition
End User | Mobile Computing Device | "Mobile Computing Device" means a small, handheld computing device, typically having a display screen with touch input and/or a miniature keyboard and designed to be carried with little effort. A Mobile Computing Device has an operating system (OS), and can run various types of application software. Most are equipped with Wi-Fi, Bluetooth, and GPS capabilities that can allow connections to the Internet and other Bluetooth-capable devices.
End User | Mobile Phone | “Mobile Phone” means a mobile handheld device the primary purpose of which is enabling voice or data communication over a cellular network.
End User | Notebook | “Notebook” means a computing platform that is portable, and is primarily used directly by an end user, whether networked or standalone, PC or Macintosh, laptop or tablet PC, desk-based or mobile. A Notebook includes a central processing unit, operating system, video display monitor, modem, related cables (e.g., patch cords), and related peripherals (e.g., keyboard, pointing device).
End User | Personal Computer (PC) | “Personal Computer” or “PC” means a computing platform primarily used directly by an end user, whether networked or standalone, a Desktop or Notebook. A Personal Computer includes a central processing unit, operating system, video display monitor, network interface card, modem and related cables (e.g., patch cords), and related peripherals (e.g., keyboard, pointing device).
End User | Thin Client | “Thin Client” means a device that: (a) enables end users to remotely enter information into one or more computing platforms; (b) displays but does not process data; and (c) includes a web browser.
End User | Workstation Attached Printer | “Workstation Attached Printer” means a printer that is directly connected to a Desktop, Notebook or other similar end user device. Workstation Attached Printers may include built in scanning, copying, facsimile and similar features and functionality.
Network | B2B Connection | “B2B Connection” means a connection between the enterprise and a business partner of the enterprise that is provisioned and managed by the business partner.
Network | Certificate Appliance | “Certificate Appliance” means an Appliance whose primary purpose is to manage the certificates required by the Public Key Infrastructure (PKI) environment.
Network | Client Extranet | “Client Extranet” means a virtual connection between the enterprise and a business partner of the enterprise that is provisioned and managed by the enterprise.
Network | Data Leakage Protection (DLP) Appliance | “Data Leakage Protection Appliance or DLP Appliance” means an Appliance that is between the trusted and untrusted portions of a network and enables manual and automated inspection of network traffic for violations of data distribution policies.
Network | Database Encryption Appliance | “Database Encryption Appliance” means a device connected to the network that uses
purpose-built hardware and software to encrypt full duplex data at multi-gigabit
line speeds. Network DHCP “Dynamic Host Configuration DHCP Protocol” means a
device that provides IP addresses and other network configuration information to
other network devices. Network configuration provided typically includes DNS
servers, a default gateway, an IP address to use, and a subnet mask. Other
information may include a TFTP server for firmware download, NTP servers, etc.
In addition, a DHCP server manages the expiring of the leases for IP addresses
and can also provide reservations and exclusions. Network Domain Name Services (DNS)
“Domain Name System” or “DNS” means an Appliance that provides DNS services to
resolve hostnames to IP addresses and vice versa. DNS can also contain records
for discovering the location of other services such as mail servers, proxies,
XMPP gateways, etc. DNS servers used by internal devices must also be able to
provide resolution of external Internet IP addresses. Network Firewall
“Firewall” means a device or software, including the network interface, that
prevents unauthorized access to a network. Network Internet Proxy Appliance
"Internet Proxy Appliance" means an Appliance positioned between users on a
network and the Internet which serves as a central point of control over
employee Internet use and applies policy-based controls to Web traffic and
requests before delivering content to end users.

 


 

Category Element Definition Network Intrusion Detection Appliance “Intrusion
Detection Appliance” means a device, including the network interface, that
monitors and analyzes user and system configuration and activities to detect
unauthorized access to a network or other attacks designed to adversely affect
the performance of the network or systems connected to such network.   Network
Load Balancer “Load Balancer” is an Appliance or device that applies the
technique in computer networking of spreading work between two or more
computers, network links, CPUs, hard drives, or other resources, in order to get
optimal resource utilization, throughput, or response time. The balancing
service is usually provided by a dedicated hardware device or via a functional
blade service within a high-end Ethernet switch (e.g., Cisco Content Switch
Module (CSM) Blade). Network LogLogic "LogLogic" means a log management
Appliance that collects and correlates user activity and event data. Network
Miscellaneous Telecommunications Devices “Miscellaneous Telecommunications
Devices” means various items of hardware used to provide telecommunications and
call center services, including air cards, PBXs, PDAs, telephones, ACDs, ECDs,
VRUs, CTI equipment, wallboards and headsets. Network Multimedia “Multimedia”
means telecommunications services, including all required hardware, systems, and
software, that facilitate the audio and video transmissions of two or more
people over either dedicated audio-visual equipment or publicly switched
equipment.   Network NAC "Network Access Control" ("NAC") is an Appliance which
restricts access to network resources to those endpoint devices that comply with
a defined security policy. Network Netflow Appliance “Netflow Appliance” means a
device and solution used to examine traffic across a network to aid in the
diagnosis of troubles within the network or attached nodes. Network Network
Intrusion Detection and Prevention System (Network IDPS) “Network Intrusion
Detection and Prevention System” or “Network IDPS” means an Appliance that
monitors and analyzes user and system configurations and activities to detect
unauthorized access to a network, malicious activities or other attacks designed
to adversely affect the performance of the network or systems connected to such
network. The functions of intrusion prevention systems include identifying
malicious activity, logging information about said activity, attempting to
block/stop activity, and reporting activity. Network Network Performance
Management Platform “Network Performance Management Platform” means a device
that aggregates  statistical information from network routing and switching
devices for reporting and analysis purposes. Network Router   “Router” means a
networking device that transmits data to multiple network connected devices,
that provides Layer 1, Layer 2, and Layer 3 functionality (as defined by the OSI
Reference Model), and that includes the capability to create VLANs.  A Router
includes the NIC.  A router has interfaces for different physical types of
network connections, such as copper cables, fiber optic, or wireless
transmission. A Router contains firmware for different networking communications
and routing protocol standards. Network Security Appliance “Security Appliance”
means a server or Appliance whose function is to “aggregate” security events
within the processing center prior to sending to an off-site SIM portal.  The
SIM Portal and Security Appliance will be managed by a third-party provider of
Security services. Examples of “aggregation” include but are not limited to
parsing of logs, analysis of host-based intrusion detection events, etc. Network
SIEM Appliance “SIEM Appliance” means a Security Information and Event
Management Appliance which provides real-time analysis of security alerts
generated by network devices and applications as well as log and data reporting
and analysis. Network Switch “Switch” means an Ethernet network switch that is a
computer networking device that connects Ethernet network segments.  Ethernet
Network Switches are capable of inspecting data packets as they are received,
determining the source and destination device of that packet, and forwarding it
appropriately.  Most Ethernet switches operate at Layer 2 (as defined by the OSI
Reference Model) and are used as the access layer connection point of networked
end-devices.  Layer 3 functionality is common in Ethernet Switches deployed as
building “core” devices and access layer Switch aggregation points. Network
Telecom Server “Telecom Server” means any Windows/Unix based server which
supports the network services infrastructure.  Examples of Telecom servers could
contain anything from network monitoring servers to servers that help manage
network routers and switches.

 

 


 

Category Element Definition Network VM Appliances "VM Appliance" means a
pre-integrated, self-contained system that is made by combining a software
application (e.g., server software) with just enough operating system for it to
run optimally on industry standard hardware or a virtual machine (e.g., VMWare,
VirtualBox, Xen HVM, KVM). Network VPN “VPN” means a network Appliance that uses
IP protocols to host a secure network for authorized users on either privately
or publicly owned equipment and infrastructure.   Network VPN Concentrator “VPN
Concentrator” means a network Appliance that uses IP protocols to host a secure
network for authorized users on either privately or publicly owned equipment and
infrastructure.   Network VPN Tunnel and Clients "VPN Tunnel and Clients" means
the connection of two PCs or networks that allows data to be transmitted over
the Internet as if it were still within those networks. It is a connection
secured by encrypting the data sent between the two networks.   Network
Vulnerability Assessment Scanner “Vulnerability Assessment Scanner” means an
Appliance that executes Vulnerability Scanning. Network WAN Optimizer “WAN
Optimizer” means a physical or virtual appliance that combines monitoring,
traffic prioritization, data deduplication, compression, protocol spoofing,
transmission blocking and other techniques to improve the performance of wide
area telecommunications facilities. Network Web Application Firewall "Web
Application Firewall" means a Firewall that protects Web servers from malicious
traffic and blocks attempts to compromise the system including preventing
attacks that include cross-site scripting, SQL injection, forceful
browsing, cookie poisoning and invalid input. Network Wide Area Application
Service (WAAS) Wide Area Application Service (WAAS) means a device that
accelerates applications, optimizes bandwidth, and reduces latency. Network
Wireless Access Point (WAP) “Wireless Access Point (WAP)” means a device that is
specially configured on wired local area networks that allows individuals to use
wireless networking cards in their computers and other electronic devices.
Network Wireless Controller "Wireless Controller" means a controller that is used to
centrally manage access points in large quantities by the network administrator
or network operations center. Network Wireless Intrusion Prevention System
(WIPS) “Wireless Intrusion Prevention System (IPS)” means a device that monitors
the radio spectrum of a WAP for the presence of unauthorized access points and
can automatically take counter measures. Network Wireless LAN (WLAN) “Wireless
LAN (WLAN)” means  a wireless local area network (WLAN) that links two or more
devices using some wireless distribution method (typically spread-spectrum or
OFDM radio). Network Transport Access Circuit “Access Circuit” means:  (a) a
physical (i.e., not logical or virtual) telecommunications connection that is
used to carry voice, video and/or data signals between a client location and the
telecommunications backbone; and (b) the logical voice or data communications
circuit or path (i.e., PVC) used to carry voice, video and/or data signals
across the physical connection. Network Transport Access Switch "Access Switch"
means a Switch that provides an entry point into an enterprise or service
provider core networks (typically into carrier and service provider networks).
Network Transport Internet “Internet” means the connection provided by an
Internet service provider enabling the enterprise and its employees to access
the public Internet. Print High-Speed Print “High-Speed Print” means a
centralized printing device directly attached to a server that prints large
volume print jobs. Print Multi Function Product/Printer/Peripheral (MFP) “Multi
Function Product/Printer/Peripheral” or “MFP” means a multifunctional,
all-in-one (AIO), or Multifunction Device (MFD), office machine which
incorporates the functionality of multiple devices in one, to provide
centralized document management, distribution, and production.  An MFP typically
incorporates the functions of printers, scanners, photocopiers, and facsimile
machines and may also provide eMail capability and is attached to the LAN. Print
Printer “Printer” means a device that accepts digital output from a queue and
transfers the output to paper form. Server Access Control Server (ACS) “Access
Control Server (ACS)” means a dedicated server hosting Access Control software.

 




 

Category Element Definition Server Applications Server (HDW) “Applications
Server (HDW)” means any computing platform (mainframe, midrange, entry
level/blade) the primary purpose of which is to host Applications Software.  An
Applications Server (HDW) includes the Central Processing Unit (“CPU”), memory,
related peripherals, internal hard disk, keyboard video mouse (“KVM”) cabling,
and the NIC. Server Blade Chassis "Blade Chassis" means a blade enclosure which
can hold multiple blade Servers and provides services such as power, cooling,
networking, connectivity and management to each blade Server. Server Console
Servers "Console Server" means a machine that you can use to monitor the
consoles of many other machines, instead of a bunch of serial terminals. Server
Data Base (DB) Server “DB Server” means a real or virtual instance of a server
that is designated to be used exclusively to host one or more DBMS instances and
that provides access to connected data via the DBMS from applications and other
data consumers executing on other servers. Server eMail Server “eMail Server”
means a computing platform that manages the distribution of electronic messages,
including receipt, delivery, and prioritization. Server ESX Servers with
Compellent "ESX Servers with Compellent" means an environment built with ESX
Servers connected to a Compellent SAN. Server Extranet Server “Extranet Server”
means any Windows/Unix based server which supports the extranet services
infrastructure.  Examples of Extranet servers could contain anything from
network monitoring servers to servers that help manage firewalls, proxies and
other Extranet services. Server File & Print Server “File & Print Server” means
a computing platform that performs the functions of a File Server and a Print
Server. Server File Server “File Server” means a computing platform (including
the CPU, memory, related peripherals, internal hard disk  and the NIC)
that:  (a) centrally stores network files; (b) controls the movement of files
and data between workstations across the network; and (c) enables users to
freely access such files.    Server Infrastructure Server “Infrastructure
Server” means any computing platform (mainframe, midrange, entry level/blade)
the primary purpose of which is to serve traditional infrastructure
services.  An Infrastructure Server includes the Central Processing Unit
(“CPU”), memory, related peripherals, internal hard disk, keyboard video mouse
(“KVM”) cabling, and the NIC. Server POS Controller “POS Controller” means a
server that controls POS devices. Server Print Server “Print Server” means a
computing platform that:  (a)  provides users or a network with access to a
central printer; (b) holds the information to be printed out in memory until the
printer is available; (c) prints jobs in a programmable sequence and queue; and
(d) provides notice of a print job completion to the requesting user. Server
Proxy Server "Proxy Server" means a Server that acts as an intermediary for
requests from clients seeking resources from other Servers. Server Replication
Server “Replication Server” means a server which provides bi-directional,
heterogeneous replication, and synchronization between separate servers that
support the same application. Server Web Accelerator “Web Accelerator” means a
proxy server whose purpose is to reduce web site access times. Server Web Security
Proxy “Web Security Proxy” means a device, situated between a client
application, such as a web browser, and a real Server, that:  (a) intercepts all
requests to the real server; (b) authenticates potential users; and (c) denies
access to certain computers, URLs and IP addresses. Server Web Server “Web
Server” means a computing platform that:  (a) stores documents and files for use
on one or more Internet or intranet websites; and (b) makes such documents and
files accessible to users of such websites by providing interfaces between
different access protocols.   Service Archiving Disk "Archiving Disk" means a
Storage device that is dedicated to storing data back-ups. Service Data Center
Managed Service “Data Center Managed Service” means the delivery as a service of
the Data Center Elements for the housing and operation of computing, storage,
telecommunications, and ancillary equipment.  The service includes the building
and all Data Center Elements including specialized flooring, cabling, access
security, fire detection and suppression, primary and backup power provisioning
and distribution, heating, ventilation, and air conditioning, "smart hands"
and escort services.

 




 

Category Element Definition Service Disaster Recovery Management Services
"Disaster Recovery Management Services" means the contracted services for
providing Data Center Facility Managed Services and hardware and software to
meet specific recovery objectives for a temporary period in case of a disaster.
Service Shared Network Services "Shared Network Services" means Provider
provided LAN capability provided on an "as needed" basis and leveraged across
multiple Provider customers. Service Shared Storage Services “Shared Storage
Services” means Provider provided storage utilizing a storage solution shared
with other Provider customers. Storage Backup and Recovery (BUR) “Backup and
Recovery” or “BUR” means an Appliance or infrastructure solution that performs
data backup onto and recovers data from DASD.  BUR may be an Appliance or a
solution that includes servers, silos, and software. Storage Data Base Logging
and Compliance “Data Base Logging and Compliance” means a device that (1)
monitors all database changes, including changes to data structures, (2)
monitors the activity of privileged users, and (3) provides compliance reports
on all privileged user database activity. Storage Data Replication “Data
Replication” means the process of sharing data across storage platforms so as to
ensure consistency between redundant resources.  This includes both hardware and
software methods. Storage Disk Based Back-up "Disk Based Back-up" means a
back-up solution that first backs up to disk before the data is backed up to
other disk or tape. Storage Exadata Machine "Exadata Machine" means a database
Appliance engineered for high performance and availability running the Oracle
DBMS and includes scale-out industry-standard database servers, scale-out
intelligent storage servers, and high speed InfiniBand internal fabric that
connects all servers and storage.  Includes software algorithms in storage, PCI
based flash, and InfiniBand networking.   Storage SAN Clone/Snapshot "SAN
Clone/Snapshot" means the Clones and Snapshots on the SAN. Storage SAN
Replication Appliance "SAN Replication Appliance" means an Appliance that is
operating system and storage array agnostic and enables one-time and continuous
data replication needs, while allowing applications to continue processing
without data loss or to recover with minimal downtime. Storage Tape “Tape” means
a Storage device that:  (a) stores, reads and writes data on on-line magnetic
media (e.g., magnetic tapes); and (b) is sequentially accessed by a server.
Storage Virtual Tape Appliance “Virtual Tape Appliance” means a device that
provides the capability to emulate tape files on a random access storage device.
Storage Virtual Tape Library (VTL) “Virtual Tape Library” or “VTL” means a
server that temporarily stores data, previously residing on tapes, for use in
batch processing, onto attached hard disks.  Virtual Tape Library includes the
CPU, memory, internal hard disk, related peripherals, KVM cabling and the NIC.  
Voice / Video Analog Gateway "Analog Gateway" means a device that connects
enterprise telephony equipment to a service provider's VoIP network using an
analog connection or connecting legacy PBXs, or alternatively connects analog
phones, faxes and modems directly into the VoIP network using FXS interfaces.
Voice / Video AV Teleconference “AV Teleconference” means the equipment used to
provide group audio and visual presentation and teleconferencing to multiple
locations in both conference and/or specialized meeting rooms.   Voice / Video
Calabrio QM "Calabrio QM" means Cisco Unified Workforce Optimization - Quality
Management; a call center call recording platform that records audio and video
for all call center inbound calls. Voice / Video Call Manager Server "Call
Manager Server" means a Server dedicated to hosting Cisco's CallManager. Voice /
Video CVP "CVP" means Cisco Unified Customer Voice Portal (Cisco CVP) that can
be used as a standalone interactive-voice-response (IVR) system or integrated
with a contact center. Voice / Video EIM "EIM" means Cisco Unified E-Mail
Interaction Manager. Voice / Video PBX “PBX” means a telecommunications server
that manages and operates the switches, internal lines, and pooled external
lines of a private branch exchange telephone system. Voice / Video PG "PG" means
Cisco Intelligent Contact Management (ICM) Peripheral Gateway (PG). Voice / Video
UCM Publishers "UCM Publishers" means Cisco Unified Messaging publisher, which is the
database to store the phone configuration. Voice / Video UCX TAPS "UCX TAPS"
means Cisco Tool for Auto-Registered Phones Support (TAPS). Voice / Video Unity
Subscribers & Connections "Unity Subscribers & Connections" means Cisco Unified
Messaging Voice Mail.

 




 

Category Element Definition Voice / Video Voice Gateway "Voice Gateway" means a
device for connecting voice over IP (VoIP) calls to, and from, traditional
analog or digital PSTN or private branch exchange (PBX) calls. Applications
Development Application Development Tools “Application Development Tools” means
Infrastructure Utility Software the primary purpose of which is to assist in the
creation of software programs and programming, such as development environments,
compilers, debuggers, and editors.   Applications Development CASE Tool “CASE
Tool” means Application Development Computer-aided Software Engineering Tools
Software that automates methods for designing, documenting, and producing
structured computer code in the desired programming language. Applications
Development Compiler/Interpreter “Compiler/Interpreter” means an Application
Development Tool that takes the source code a programmer has written and
translates it into object code the computer can understand. Applications
Development Debugger “Debugger” means an Application Development Tool used to
identify and resolve coding errors (i.e., bugs).   Applications Development
Development Tool “Development Tool” means an Application Development Tool that
assists programmers in designing, creating or documenting computer programs.
Applications Development Load Test “Load Test” means an application development
tool used to test and determine total capacity at which applications software
can operate without failure. Applications Development Program Documentation
“Program Documentation” means Infrastructure Utility Software that provides the
tools required to develop and maintain documentation, including metadata, about
computer programs. Applications Development Programming Library “Programming
Library” means an Application Development Tool containing a pre-defined set of
functions that are accessed and utilized by another program. Applications
Development QA “QA” means an Application Development Tool used to facilitate
quality assurance with respect to code development (i.e., testing tools).
Applications Development Query/Analysis/OLAP “Query/Analysis/OLAP” means
Infrastructure Utility Software that enables a user to selectively extract, view
and report data from different points-of-view.   Applications Development
Runtime Libraries “Runtime Libraries” means Infrastructure Utility Software or
Application Software housed in a special purpose library the primary purpose of
which is used by a compiler, to implement functions built into or to extend a
programming language, during the runtime (execution) of a computer program.
Applications Development Source Control “Source Control” means an Application
Development Tool used to manage applications source code under development by
multiple developers. Applications Development Version Control “Version Control”
means an Application Development Tool used to manage and control correct
versions of applications source code under development by multiple developers.
Business Applications Speech Processing “Speech Processing” means Infrastructure
Utility Software the primary purpose of which is to provide ability to
speech-enable business applications. Business Applications Standard
Collaboration Applications “Standard Collaboration Applications” means those
applications that are on the standard image and used for End User collaboration
(e.g., eMail).   Business Applications Standard Productivity Applications
“Standard Productivity Applications” means those applications that are on the
standard image and used for End User productivity (e.g., MS Office). DBMS DB2
Universal Database (DB2) “DB2 Universal Database” or “DB2” means the proprietary
DB2 Universal Database Management System produced by IBM. DBMS Integrated
Database Management System (IDMS) “Integrated Database Management System” or
“IDMS” means the network DBMS proprietary to CA Technologies. DBMS MS SQL “MS
SQL” means the DBMS product produced by Microsoft that implements a relational
database management system that is accessed using the structured query language
(SQL). DBMS Oracle “Oracle” means the proprietary DBMS produced by Oracle that
implements a relational database management system and that is accessed using
the structured query language (SQL). eMail eMail “eMail” means Infrastructure
Utility Software that manages the distribution of electronic messages, including
receipt, delivery, storage and prioritization. eMail eMail Archiving “eMail
archiving” means Infrastructure Utility Software or a third party service that
manages the archival of eMail messages for legal compliance purposes as well as
to keep older, less frequently accessed emails off of Tier 1 storage. eMail
eMail Content Scanning “eMail Content Scanning” means a device or software that
searches for and quarantines in-bound eMail messages containing potential spam,
phishing e-mails, malware and viruses.

 




 

Category | Element | Definition
Operations | Application Enabling Services | “Application Enabling Services” means the utility functions that provide software solutions, processes, and capabilities allowing business applications to interoperate with the infrastructure hardware and software. These are shared services leveraged by multiple applications, business units, or affiliates.
Operations | Application Server (SFTW) | “Application Server (SFTW)” means a software framework that provides an environment where applications can run and allows execution of procedures (programs, routines, scripts) for supporting the delivery of applications. An Application Server behaves like an extended virtual machine for the running of applications, managing connections to the database at one side and connections to a Web client at the other.
Operations | Audit Tool | “Audit Tool” means Infrastructure Utility Software the primary purpose of which is to inspect a computing resource and compare its configuration state to a compliance model and log or report discrepancies.
Operations | Automation | “Automation” means an Infrastructure Utility Software that enables the unattended operation of a computer or of an Application.
Operations | Batch Processing Tool | “Batch Processing Tool” means Infrastructure Utility Software that manages and executes a series of non-interactive data processing jobs all at one time.
Operations | Business Process Management | “Business Process Management” means Infrastructure Utility Software the primary purpose of which is to define and operationalize the flow of work through a network of activities or organized tasks to achieve the desired outcome of a business process.
Operations | Certificate Management | “Certificate Management” means Infrastructure Utility Software the primary purpose of which is to manage the certificates required by the Public Key Infrastructure (PKI) environment.
Operations | Chargeback Utility | “Chargeback Utility” means Infrastructure Utility Software the primary purpose of which is to analyze, summarize and allocate resource consumption accounting information for use in recovering the cost of the resources from the user or customer consuming the resources.
Operations | Cluster Utility | “Cluster Utility” means Infrastructure Utility Software that joins together two or more computers to operate jointly or as a cluster.
Operations | Clustering | “Clustering” means Infrastructure Utility Software that is used to couple multiple computer systems so that they, in many respects, appear and operate as a single computer system for the purposes of load balancing or higher availability.
Operations | Compression Tool | “Compression Tool” means Infrastructure Utility Software that reduces the size of data files by means of algorithmic analysis, such that the same file can be restored to its original form with minimal or no loss of information.
Operations | Computer Telephony Integration (CTI) | “Computer Telephony Integration” or “CTI” means Infrastructure Utility Software that enables increased productivity by utilizing information from the telephone system to automate certain call center processes.
Operations | Configuration Management | “Configuration Management” means the Infrastructure Utility Software (tools or databases) that facilitates the task of tracking, controlling and storing of changes in Configurable Items.
Operations | Connectivity | “Connectivity” means Infrastructure Utility Software that facilitates the transfer of data between servers and other devices, including verifying that the circuit is operational and the devices are compatible, monitoring data transmission, sequencing, and receipt, and correcting transmission errors.
Operations | Content Filter | “Content Filter” means Infrastructure Utility Software that screens or filters content to identify certain types of data (e.g., a spam filter).
Operations | Content Management | “Content Management” means Infrastructure Utility Software that collects, catalogs, stores and serves content destined for use in conjunction with web sites.
Operations | Database Administration | “Database Administration” means Infrastructure Utility Software that configures and controls databases and restructures, backs-up and restores data contained within the database.
Operations | Data Entry | “Data Entry” means Infrastructure Utility Software that provides a configurable means of capturing and validating data entered by an operator at a keyboard.
Operations | Diagnostic Tool | “Diagnostic Tool” means Infrastructure Utility Software that assists operations or development personnel to investigate and perform problem determination and isolation.

 




 

Operations | Directory Services | “Directory Services” means Infrastructure Utility Software the primary purpose of which is to provide a shared information repository for locating, managing, administering, and organizing common items and network resources, which may include volumes, folders, files, printers, users, groups, devices, telephone numbers, and other objects.
Operations | Disaster Recovery | “Disaster Recovery” means Infrastructure Utility Software that is used to build and manage Disaster Recovery plans.
Operations | Distributed Computing | “Distributed Computing” means Infrastructure Utility Software the primary purpose of which is to provide a framework for the development and operation of business applications using the client/server model.
Operations | Document Management | “Document Management” means the Infrastructure Utility Software that tracks and stores electronic documents and/or images of paper documents and different versions created by different users (history tracking).
Operations | Editor | “Editor” means Infrastructure Utility Software that allows the viewing and changing of text files.
Operations | ETL Tool | “ETL Tool” means Infrastructure Utility Software the primary purpose of which is to extract data from its place of residence, transform it to meet the needs of the target data store, and load it into the target data store.
Operations | Event Management | “Event Management” means Infrastructure Utility Software the primary purpose of which is to detect abnormal operational situations (events), notify designed touchpoints and perform event correlation.
Operations | Fax Output | “Fax Output” means Infrastructure Utility Software that allows facsimile messages to be sent programmatically from a computer.
Operations | File System | “File System” means Infrastructure Utility Software that provides a structure for storing to and retrieving files from direct access storage media.
Operations | File Transfer | “File Transfer” means Infrastructure Utility Software that transmits data files to or from a computer system to one or more other computer systems, generally over telecommunications (e.g., LAN, MAN, WAN) facilities.
Operations | File Utility | “File Utility” means Infrastructure Utility Software that enables the viewing, back-up, restoration, copying, moving or manipulating of data and files.
Operations | Fonts | “Fonts” means Infrastructure Utility Software the primary purpose of which is to provide outline and raster fonts and associated utility programs for use on certain IBM printers.
Operations | FTP/SFTP | “FTP/SFTP” means Infrastructure Utility Software that is used to transfer data from one computer to another over the Internet, or through a network, including over an encrypted transport.
Operations | Global Resource Serialization | “Global Resource Serialization” means Infrastructure Utility Software that serializes access between computers to shared resources to protect their integrity.
Operations | Help Tool | “Help Tool” means Infrastructure Utility Software that is used to author, maintain and make available information that allows end users to understand how to utilize computer and software systems.
Operations | Job Entry/Management | “Job Entry/Management” means Infrastructure Utility Software the primary purpose of which is to provide supplementary job management, data management, and task management functions such as: scheduling, control of job flow, and spooling.
Operations | License Manager | “License Manager” means Infrastructure Utility Software the primary purpose of which is to record license information associated with compliance, audits, and proof of ownership.
Operations | Log Utility | “Log Utility” means Infrastructure Utility Software the primary purpose of which is to provide a mechanism for making and analyzing operational log entries.
Operations | Machine Accounting | “Machine Accounting” means Infrastructure Utility Software that accounts for the usage of a computer and its associated peripheral devices.
Operations | Messaging | “Messaging” means Infrastructure Utility Software that provides a communication mechanism to transmit data messages between applications on different platforms. Messaging is intended to connect different computer systems, diverse geographical locations, and dissimilar IT infrastructures.

 




 

Operations | Network Management | “Network Management” means Infrastructure Utility Software that facilitates the monitoring and administration of a computer network including inventory (discovery), configuration, detecting faults, providing alerts, and performance tracking.
Operations | Object Cache | “Object Cache” means Infrastructure Utility Software the primary purpose of which is to cache frequently accessed Java objects in order to improve the performance of e-business applications.
Operations | OL Transaction Processing | “OL Transaction Processing” means Infrastructure Utility Software that facilitates and manages transaction-oriented applications, typically for data entry and retrieval transactions.
Operations | Online Survey | “Online Survey” means Infrastructure Utility Software that is used to author, maintain, distribute and analyze inquiries intended to obtain end user feedback and opinion.
Operations | Output Management | “Output Management” means Infrastructure Utility Software that controls the packaging and distribution of printed reports or maintains a structured repository of reports in electronic form and controls viewing access.
Operations | Password Management | “Password Management” means Infrastructure Utility Software that provides for adding, changing and deleting credentials for access to and entitlements within computing and application systems.
Operations | Patch Management | “Patch Management” means Infrastructure Utility Software that applies software changes to and tracks the current state of software products.
Operations | Performance Management | “Performance Management” means Infrastructure Utility Software that manages (including by allowing users to observe, monitor, measure and improve) the availability and throughput of components of the infrastructure.
Operations | Presentation Management | “Presentation Management” means System Software that locally executes applications on a server and enables remote access to such applications over telecommunications facilities by end users on suitably equipped client devices.
Operations | Presentation Server | “Presentation Server” means System Software that locally executes applications and enables remote access to such applications over telecommunications facilities by end users on suitably equipped devices.
Operations | Protocol Mediation | “Protocol Mediation” means Infrastructure Utility Software that allows two systems employing incompatible data communications protocols to exchange information.
Operations | Remote Control | “Remote Control” means Infrastructure Utility Software that allows one computer system to control the operations of another computer system over a data communications connection.
Operations | Replication | “Replication” means Infrastructure Utility Software that duplicates the data stored in computing platforms.
Operations | Search Utility | “Search Utility” means Infrastructure Utility Software that allows a user to search through an archive of data looking for information with particular contents or characteristics.
Operations | Session Management | “Session Management” means Infrastructure Utility Software that manages and implements the single sign-on of a user to multiple applications on multiple devices.
Operations | Software Distribution | “Software Distribution” means Infrastructure Utility Software that is used to control and transmit software changes to remote computing devices.
Operations | Sort | “Sort” means Infrastructure Utility Software that rearranges the sequence of individual records in data files.
Operations | Storage Management | “Storage Management” means Infrastructure Utility Software that provides monitoring and control of data storage devices, including identification of occupied and available space and its owners including trending of future disk utilization, IOPS and other metrics.
Operations | System Administration Tools | “System Administration Tools” means Infrastructure Utility Software used by Systems Administrators to install, maintain, monitor and control computer systems or networks.
Operations | System Log Aggregator | “System Log Aggregator” means an Appliance that assembles the logs from diverse devices into a uniform, normalized format so that coherent and correlated reports and statistics can be produced for a complex heterogeneous computing environment.
Operations | Systems Management | “Systems Management” means Infrastructure Utility Software that provides the ability to monitor, control and report on the computing and network infrastructure. Systems Management includes tools that are used to automate processes, including problem, incident, change, performance, and capacity management.

 




 

Operations | Tape Encryption | “Tape Encryption” means hardware or software that encrypts the data within the recording device. The point at which the encryption occurs is dependent upon the underlying technology capabilities.
Operations | Tape Management | “Tape Management” means Infrastructure Utility Software that keeps track of and controls the inventory of tape media and may catalog the contents of selected units of media.
Operations | Terminal Emulation | “Terminal Emulation” means Infrastructure Utility Software that allows a computer to perform the functions of keyboard/display device for the purpose of programmatically accessing a computing system with which the keyboard/display device is compatible.
Operations | Time Management | “Time Management” means Infrastructure Utility Software that is used to capture the correct time and date and set those parameters of the computing system.
Operations | Workload Automation Schedules | “Workload Automation Schedules” means the executable output from job scheduler software that defines workflows and/or job dependencies, automates submission of executions, monitors executions and priorities and/or queues to control the execution order of unrelated jobs.
Security Management | Access Control | “Access Control” means Infrastructure Utility Software that performs authentication of users attempting to access systems and maintains access entitlements to systems.
Security Management | Access Control (Application Level) | “Access Control (Application Level)” means Infrastructure Utility Software that performs authentication of users attempting to access applications and maintains access entitlements to applications.
Security Management | Access Control (System Level) | “Access Control (System Level)” means Infrastructure Utility Software that performs authentication of users attempting to access the O/S and maintains access entitlements to the O/S.
Security Management | Authentication Server | “Authentication Server” means security software that examines and verifies the credentials assigned to network users, servers, and devices prior to allowing access to other network resources.
Security Management | Authentication Service (Application Level) | “Authentication Service (Application Level)” means security software that examines and verifies the credentials assigned to application users, servers, and devices prior to allowing access to other application resources.
Security Management | Authentication Service (System Level) | “Authentication Service (System Level)” means security software that examines and verifies the credentials assigned to network users, servers, and devices prior to allowing access to other network resources.
Security Management | Encryption | “Encryption” means Infrastructure Utility Software or Appliance that encodes data so that it is systematically scrambled so that it cannot be read without knowing the decoding key.
Security Management | Encryption (File Level) | “Encryption (File Level)” means Infrastructure Utility Software or Appliance that encodes data at rest so that it is systematically scrambled so that it cannot be read without knowing the decoding key.
Security Management | Encryption (Transmission) | “Encryption (Transmission)” means Infrastructure Utility Software or Appliance that encodes data in transit so that it is systematically scrambled so that it cannot be read without knowing the decoding key.
Security Management | Forensics | “Forensics” means Infrastructure Software used to conduct network-enabled computer investigations, e-discovery requests, internal investigations, regulatory inquiries, as well as data and compliance auditing.
Security Management | Identity Management | “Identity Management” means the software to provide a broad administrative service that identifies individuals and controls their access to resources by associating their established identity with user rights, entitlements and privileges.
Security Management | Intrusion Detection (Software) | “Intrusion Detection (Software)” means the Infrastructure Utility Software that monitors and analyzes user and system configuration and activities to detect unauthorized access to a network or other attacks designed to adversely affect the performance of the network or systems.
Security Management | Penetration Testing | “Penetration Testing” means Infrastructure Utility Software used in penetration testing to simulate an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access).
Security Management | Security Administration | “Security Administration” means Infrastructure Utility Software that allows for the configuration and control of the security apparatus of a computer system or an Application.

 




 

Security Management | Security Exits | “Security Exits” mean certain types of Client software that attaches to the security software to allow the behavior of the product to be customized at predefined places or exit points. Exit functions, for example, include issuing messages, accepting or rejecting various programmatic requests, changing or rerouting the processing flow or modifying the default behavior of the security software.
Security Management | Security Monitoring | “Security Monitoring” means Infrastructure Utility Software that enables the detection, managing, handling, registering and recording of security-related breaches and Incidents including intrusion detection and hacking.
Security Management | Virus Detection | “Virus Detection” means Infrastructure Utility Software that monitors for, scans, detects, quarantines and removes viruses. Virus Detection includes virus signature files.
Security Management | Vulnerability Scanning | “Vulnerability Scanning” means a process by which you scan operating systems, databases, applications, networks, etc. to assess security weaknesses to enumerate the vulnerabilities present in one or more targets.
System Software | CentOS | "CentOS" means a version of Linux(x86) developed by the CentOS Project.
System Software | Exits | “Exits” mean certain types of Client software that interfaces with the O/S to allow the behavior of the product to be customized at predefined places or exit points. Exit functions, for example, include issuing messages, accepting or rejecting various programmatic requests, changing or rerouting the processing flow or modifying the default behavior of the O/S.
System Software | Hypervisor | “Hypervisor” means an Operating System that allows the simultaneous operation of multiple instances of the same or different subordinate Operating Systems (e.g., zVM or VMWare).
System Software | Linux (Unix) | “Linux (Unix)” means a computing platform with a central processing unit that implements the instruction sets on various platforms designed to run UNIX and utilizing the Linux or compatible Operating System.
System Software | Linux (x86) | “Linux (x86)” means a computing platform with a central processing unit that implements the x86 instruction set and utilizing the Linux or compatible Operating System.
System Software | Operating System (O/S) | “Operating System” or “O/S” means software that is the main control program of a computer device and that manages communication between the hardware and other software, including scheduling tasks, managing storage, and handling communication with peripherals.
System Software | OS400 | “OS400” means the proprietary OS400 Operating System produced by IBM.
System Software | OSX | “OSX” means an operating system for desktop computers, workstations, and network servers developed by Apple, Inc. that operates only on Apple Macintosh computers.
System Software | Solaris | “Solaris” means an operating system for certain workstations and servers, which is a proprietary product of Oracle, Inc. and operates on computers based on SPARC and x86 processors.
System Software | UNIX | “UNIX” means the UNIX Operating System.
System Software | Virtual Memory System (VMS) | “Virtual Memory System” or “VMS” means a multi-user, multi-tasking, virtual memory Operating System for the VAX series from Digital Equipment Corporation.
System Software | Virtualization | “Virtualization” means software that allows a user to run multiple instances of the same or different operating systems on a single machine.
System Software | VM Ware | “VM Ware” means virtual machine software that allows users to run multiple virtual machines on a physical machine and is published by VMware Corporation.
System Software | Windows | “Windows” means a computing platform with a central processing unit that implements the x86 or x86-64 instruction set and utilizing the Windows 2003, 2008, 2012 or future versions or compatible Operating Systems.
System Software | Windows for PC | “Windows for PC” means a computing platform with a central processing unit that implements the x86 or x86-64 instruction set and utilizing the Windows XP, 7, 9 or future versions or comparable Operating System.
Definition | Commercial Off The Shelf (COTS) | “Commercial Off The Shelf” or “COTS” means commercial off-the-shelf software or hardware products that are ready-made and available for sale to the general public.

 




 

Definition | Internally Developed | “Internally Developed” means software developed internally by the customer or at the direction of the customer (i.e., not COTS software).
Definition | Instance | "Instance" means a single copy of a running program. Multiple instances of a program may be running on a single machine at the same time. (See "Virtualization")
Definition | Network and Network Devices | "Network" means a telecommunications network that allows computers to exchange data. The connections (network links) between network points are established using either cable media or wireless media. "Network Devices" may include any of the physical Elements categorized as Network.
Definition | Network Transport | "Network Transport" means the devices and/or services necessary to transport voice or data over a broad area (i.e., any network that links across metropolitan, regional, state or national boundaries) and may include any of the Elements categorized as Network Transport.
Definition | Security Devices | "Security Devices" means those Servers, Appliances or Network Devices which are dedicated to performing IT security functions (e.g., Intrusion Detection Appliance, Web Application Firewall).
Definition | Applications Development | "Applications Development" means a category of Infrastructure Software that is designed to facilitate the designing, building and testing of software.
Definition | Security Management | "Security Management" means a category of Infrastructure Software that is designed to prevent unauthorized access or manipulation of data including access control as well as monitoring, detecting and managing viruses and intrusions. Security Management may include any of the Elements categorized as Security Management.
Definition | Provider Provided Tools | "Provider Provided Tools" means a category of Infrastructure Software that is provided by the Provider as part of the Provider's solution and included in the delivery of the Services.
Definition | Appliance | “Appliance” means integrated and specifically designed software and hardware that provide a narrow range of functions and are typically provided as a bundled unit.
Definition | Applications | “Applications” shall mean an executable software component or tightly coupled set of executable software components (one or more), deployed together, that deliver some or all of a series of steps needed to create, update, manage, calculate, or display information for a specific business purpose. Applications includes all interfaces to/from the Application.
Definition | Collaboration and Productivity Tools | "Collaboration and Productivity Tools" means Infrastructure Software that is used to enable collaboration between 2 or more End Users and/or improve operational and End User productivity. This includes eMail, instant messaging, discussion boards, shared document managers, etc.
Definition | DBMS | “Database Management Software” or “DBMS” means software that stores information in a database in an organized manner allowing data to be added, updated, and retrieved as individual items or to be queried in a structured manner. Additionally, a DBMS maintains metadata, which describe the schema or the organization and relationships between the individual data items.
Definition | Infrastructure Management Tools | “Infrastructure Management Tools” means a category of Infrastructure Software that is used to control devices and other software and to facilitate communication, scheduling and execution of computer commands. Infrastructure Management Tools may include any of the Elements categorized as Operations Software.
Definition | Systems Software | “System Software” means a category of Infrastructure Software designed to operate the computer hardware and to provide a platform for running application software. Systems Software includes but is not limited to: (a) the operating system, (b) utility software used to analyze, configure, optimize, maintain, and connect to the system; and (c) middleware which provides additional common services, beyond those of the operating system, to Application Software. Systems Software may include any of the Elements categorized as Systems Software.

 




 

Definition | x86 Servers | “x86 Server” means a computing platform utilizing a Windows or Linux(x86) Operating System, including the CPU, memory, internal hard disk, related peripherals, KVM cabling and the NIC. A server may be any of the Elements categorized as Server and may perform a general computing or specific purpose (e.g., Access Control Server, Applications Server, Data Base Server, eMail Server, Extranet Server, File and Print Server, Infrastructure Server, Replication Server, Web Server, etc.). A Server may be a physical box, blade or a Virtualized Instance. x86 Servers exclude [***] Servers.
Definition | Storage | “Storage” means a category of Elements that records and provides access to computing data including NAS, SAN, DASD, ATL, etc. Storage may include any of the Elements categorized as "Storage" in the Supporting Element Definitions.
Definition | Storage Area Network (SAN) | "Storage Area Network" means a high-speed, special-purpose network (or sub-network), including all required hardware and software, that interconnects different kinds of data storage devices with associated data servers on behalf of a larger network of users. A SAN may be clustered in close proximity to other computing resources, such as Servers, or may extend to remote locations for backup and archival storage using wide area network carrier technologies, such as asynchronous transfer mode or synchronous optical.
Definition | Direct Attached Storage Device (DASD) | "Direct Attached Storage Device" means digital storage directly attached (i.e., not connected through a network) to a server including USB connected devices.
Definition | Network Attached Storage (NAS) | “Network Attached Storage” means a file-level computer data storage connected to a computer network providing data access to heterogeneous network clients.
Definition | Automated Tape Library (ATL) | “Automated Tape Library” means a device that stores, reads and/or writes magnetic tapes used to store data and utilizes automated tape robots, which are mechanical handlers capable of storing multiple pieces of removable media and loading and unloading them from one or more drives in arbitrary order in response to electronic commands. An Automated Tape Library includes the media necessary to provide the required storage and recovery functionality. An Automated Tape Library may be attached to a SAN.
Definition | Public Network Access | “Public Network Access” means an Access Circuit that provides connection to a public network (i.e., the Internet).
Definition | Azure Services | "Azure Services" means hardware, software, database, or other services that are procured from Microsoft Azure.
Definition | Local Voice Equipment | "Local Voice Equipment" means PBX's and other voice equipment that supports external and internal voice communication at one location.
Definition | End User Devices | "End User Devices" means (i) hardware and the related Infrastructure Software that is used by individuals on any devices categorized as "End User" on the Supporting Element Definitions as well as directly or Bluetooth connected peripherals including locally connected UPS; (ii) Corporate Mobile Applications; and (iii) Agent/Broker PDAs. This includes employee provided phones (i.e., BYOD) that utilize Triple-S applications or collaboration and productivity tools (e.g., e-mail, MS Office).
Definition | Agent / Broker PDAs | "Agent / Broker PDAs" means iPads and other PDAs that are used by agents and brokers to perform remote enrollment and other processes in the field.
Definition | Computer Room | "Computer Room" means a room provided by Triple-S and modified to enable the housing of Server, Storage and/or Network devices in an appropriate environment including the Equipment Racks and cabling necessary within the room and between devices as necessary to connect to the LAN. Computer Rooms are also referred to as an MDF (main distribution facility) or IDF (independent distribution facility) reflecting the primary purpose of the equipment in the room. Computer Room may include Uninterrupted Power Supplies for the non-Network devices (e.g., servers, BAC devices) housed within the Computer Room Facilities.
Definition | Network UPS | "Network UPS" means an Uninterrupted Power Supply (UPS) that is dedicated to supporting the Network devices in a Computer Room.
Definition | Kiosks | "Kiosks" means a network connected device with specifically designed software and hardware that allows a user to interact with and perform specific self-service activities.

 

STATEMENT OF WORK #2

 

EXHIBIT A-2

 

IT SOLUTION DESCRIPTION

EXHIBIT C

 

IT Solution Description

 

TABLE OF CONTENTS

 



 



1. INTRODUCTION
1.1 General
1.2 Definitions
2. DAY ONE IT SOLUTION
2.1 Day One IT
2.2 Supplier Personnel
2.3 Reports
2.4 Security
2.5 Disaster Recovery / Business Continuity
3. ASSESSMENT
3.1 General
3.2 Reports
3.3 Security
3.4 Technology Management
3.5 Application Management (Development and Maintenance)
3.6 Network Capacity
3.7 Storage Administration / Backup
3.8 Server (Physical & Virtual) Management
3.9 Workplace Services/Desktop Management
3.10 Application Decommissioning
3.11 Additional Assessment Deliverables
4. SOLUTION BUILD AND TRANSITION
4.1 Solution Build
4.2 Transition, General
4.3 Transition Project Management
4.4 Transition to Cloud Environment
4.5 Migration Services
4.6 Security
4.7 Technology Management
5. SOLUTION FOR MANAGED IT SERVICES
5.1 Environments
5.2 Solution
5.3 Solution Environment
5.4 Capacities.
5.5 Anti-Virus, Intrusion Detection / Prevention
5.6 Identity & Remote Access and Control Services
5.7 Operations and Monitoring Services
5.8 Disaster Recovery and Business Continuity
5.9 Software Development Life Cycle (SDLC).
6. TRAINING END USERS
6.1 Managed IT Services
6.2 Training Details
7. TRIPLE-S RESPONSIBILITIES
8. CLAIMS RELATED IT FUNCTIONS



 

 

 

EXHIBIT A-2

 

IT SOLUTION DESCRIPTION

 



 

 

1. INTRODUCTION

 

1.1 General

 

Supplier will deliver the scope of Services assigned to the Supplier on the
Scope Model (Exhibit A-1) using a common set of processes, technologies and
resources as described in this IT Solution Description. Supplier’s Solution has
been designed to meet or exceed the Service Levels described in Exhibit B-1
(Service Level Metrics).

 

(a) Overview

 

(i) On the Service Commencement Date, Supplier will assume responsibility for
the Functions within the scope of IT Services assigned to Supplier on the Scope
Model (Exhibit A-1).

 

(ii) As further described in Section 3 below, Supplier will conduct a detailed
review and assessment of the Triple-S information technology environment and
operational processes and make recommendations to consolidate, eliminate, and/or
transition the In-Scope Applications to Supplier’s data center or cloud
solution(s) and propose other changes to the IT Environment to improve
operational performance and security as part of Supplier’s Solution (the
“Assessment”).

 

(iii) As further described in Section 4 below, Supplier will develop a detailed
transition strategy and plan (including updating the transition strategy and
plan as set forth in SOW #2, Exhibit A-3-1 (Transition and Transformation
Project Plan)) to implement the Assessment recommendations agreed by the Parties
and implement the transition plan (the “Transition”). The Transition implements
a migration from current Triple-S information technology environment to the
Supplier’s future state Solution (the “Managed IT Services”).

 

(iv) In connection with the IT Services, Supplier will also manage certain
Managed Third Parties providing information technology services to Triple-S as
of the Service Commencement Date (“Vendor Management”), as further described in
Schedule A (Cross Functional Services). Managed Third Parties for which Supplier
will perform Vendor Management may be updated according to the process described
in Schedule A (Cross Functional Services).

 

(b) The IT Services are described in this IT SOW and include the Cross
Functional Services set forth in Schedule A (Cross Functional Services).

 

1.2 Definitions

 

Capitalized terms not defined in this Exhibit A-2 (IT Solution Description)
shall have the meanings given them in Schedule AA (Glossary) or elsewhere in the
Agreement. Capitalized terms used in this SOW to define the IT Services are
defined as follows:

 

(a) “Capacity” or “Capacities” means the maximum capacity of each item of
Equipment, including each virtual and physical server, in the Environments.

 

(b) “Supplier Data Center” means Supplier’s co-located, leased and/or owned
computing facility or facilities used to provide the Managed IT Services.

 

(c) “Environments” shall mean, as applicable:

 

(i) the following Supplier-provided environments for the Managed IT Services:
(a) one (1) production environment (“Production”), (b) one (1) test/quality
assurance environment, which may also be used for Training and support
(“Test/QA”), (c) one (1) development environment (“Development”), and (d) one
(1) Disaster Recovery/business continuity environment (“DR Environment”), each
as further described herein; and

 

(ii) to the extent applicable, certain (a) Triple-S environments; and (b)
Triple-S Vendor environments.

 

Environments shall be provided by Supplier in Supplier’s data center, in
Supplier contracted collocation facilities or through Supplier contracted Azure
Services as appropriate and necessary to support Triple-S business and
application requirements for the In-Scope Applications.

 

All Environments must be listed in Schedule E (Supplier Facilities) or otherwise
approved by Triple-S under Section 4.2 of the General Terms and Conditions.

 

(d) “Infrastructure Architecture” shall mean, collectively, the totality of the
items of hardware and Infrastructure Software Elements in the Environments which
are used as part of the Managed IT Services.

 

(e) “SOP” shall mean the then-current applicable “standard operating procedure”
which is (i) (a) provided by Triple-S to Supplier; and/or (b) developed by
Supplier as part of the Services in conjunction with Triple-S and the Managed
Third Parties, as applicable; and (ii) step by step instructions needed to
accomplish a specific Function effectively and accurately as relates to the
delivery of the IT Services.

 

2. DAY ONE IT SOLUTION

 

2.1 Day One IT

 

(a) “Day One IT” refers to the Services Supplier will provide within the
existing Triple-S data centers. The Day One IT commences with a “walk-in
take-over” of the Triple-S Environments on the Service Commencement Date and
continues in parallel with the Assessment and Transition until the Transition is
complete and all IT Services have migrated to Managed IT Services.

 

(b) The Day One IT consists of Supplier taking over management and operation of
the In-Scope Applications in accordance with the Scope Model and using the
following: (i) Supplier Personnel described in this Section 2; (ii) Triple-S
policies, procedures and methodologies (including existing SOPs) in existence
as of the Service Commencement Date; and (iii) Triple-S personnel as further
described in Schedule G (In-Scope Employee Agreement). Supplier will
perform the Day One IT in accordance with all applicable Service Levels and
other terms and conditions in the Agreement.

 

2.2 Supplier Personnel

 

(a) Supplier will manage existing resources (Triple-S employees plus current
vacant positions) that have been performing the Services prior to the Services
Commencement Date to perform Supplier’s Day One IT Services during the period
described in Schedule G (In-Scope Employee Agreement).

 

(b) Supplier will provide Supplier Personnel with Training, knowledge management
and evaluation as reasonably necessary for such Supplier Personnel to perform
the Day One IT Services.

 

2.3 Reports

 

During performance of the Day One IT Services, Supplier will provide the reports
denoted as applicable to the Day One IT Services and described on Schedule K
(Reports). Supplier will, as may be agreed to by Triple-S in writing or provided
in Schedule K (Reports), discontinue providing such reports and/or replace such
reports with reports to be provided during Supplier’s performance of the Managed
IT Services.

 

2.4 Security

 

Supplier shall leverage Triple-S’s existing IT security solution (i.e.,
hardware, software and third party services) until such time as Supplier
replaces the existing IT solution with Supplier’s recommended solution as
approved by Triple-S. Supplier shall provide supplemental subject matter experts
in the security processes and technology during the Day One IT Services. In
addition, upon reasonable request by Triple-S, Supplier will provide information
in support of Triple-S IT security management program, including security
architecture design and monitoring.

 

2.5 Disaster Recovery / Business Continuity

 

Supplier shall leverage Triple-S’s existing disaster recovery solution (i.e.,
hardware, software and third party services) until such time as Supplier
replaces the existing IT solution with Supplier’s recommended solution as
approved by Triple-S. The Supplier’s future disaster recovery solution for
Supplier’s IT Services will be developed based on the framework provided in
Schedule A (Cross Functional Services).

 

3. ASSESSMENT

 

Supplier will perform the Services described in this Section 3 as part of
Assessment. The Assessment will be used to identify opportunities for
improvements and efficiencies in the In-Scope Applications and Triple-S SOPs,
staffing, security, and capacities. Supplier will perform the Assessment using
Supplier Personnel that will work with Triple-S at Triple-S locations. In
performing the Assessment, Supplier will review Supplier and third party best
practices and assess how such practices may be leveraged for Triple-S.

 

3.1 General

 

Supplier will perform the following as part of the Assessment:

 

(a) Identify key Supplier leaders and subject matter experts who will act as
primary points of contact to work with Triple-S related to the Assessment.

 

(b) Designate Supplier representatives to conduct meetings with Triple-S to
begin Assessment and Transition planning.

 

(c) Review and validate Triple-S’s existing (as of the Service Commencement
Date) technology environments including Triple-S’s current applicable SOPs.
Supplier will use the results of such review and validation to confirm the
requirements of the Environments to be implemented as part of the Managed IT
Services.

 

(d) Review the following Triple-S documentation and processes:

 

(i) Individual intake methods and processes.

 

(ii) Workforce management, training, knowledge management, tool evaluation, and
quality assurance.

 

(iii) Service level and operational help desk metrics.

 

(iv) Triple-S Change, Incident and Problem processes, particularly war room
and/or high priority Incident management.

 

(v) Vendors and vendor management processes.

 

(vi) Dedicated command center process, or if one does not exist, evaluate the
need for the same.

 

(vii) Current systems monitoring tools, use and effectiveness.

 

(viii) Existing software development life-cycle (SDLC) processes and
documentation.

 

(e) Prioritize Assessment findings in mutual agreement with Triple-S.

 

(f) Evaluate the consolidated support approach and processes in place as of the
Service Commencement Date as part of the Day One IT Services for the In-Scope
Applications.

 

(g) Document and review findings with Triple-S, including functions performed by
the existing Triple-S resources (Triple-S employees plus current vacant
positions) that are not included in or directly related to the scope allocated
to Supplier on the Scope Model.

 

(h) Evaluate effectiveness of Triple-S systems monitoring as of the Service
Commencement Date and provide recommendations to Triple-S for improvements.

 

(i) Collect mutually agreed upon infrastructure availability statistics on
Triple-S’s infrastructure for six (6) months starting from the Service
Commencement Date or as soon as monitoring can be put in place to capture the
statistics if they are not already captured in the normal course of operations.

 

(j) Based upon the Assessment, work with Triple-S to develop and finalize the
Transition Plan, as more fully described in Section 4 (Transition) below, and
the Transition Documents.

 

3.2 Reports

 

The Parties will document reports, and provide recommendations for reports, to
be provided by Supplier as part of the Managed IT Services following a review of
Triple-S reports and reporting processes in place as of the Service Commencement
Date.

 

3.3 Security

 

In cooperation with Triple-S, Supplier will evaluate the security of (a) the
Triple-S Systems, Triple-S Tools, Triple-S Software, Triple-S Equipment,
Triple-S data center Facility and Triple-S security related processes and
procedures; and (b) to the extent permitted, the Triple-S Vendor systems,
software, equipment, tools and facilities included in the Day One IT Services or
that are contemplated to be part of the Managed IT Services. Based on such
evaluation, Supplier will make recommendations to Triple-S for improvements. 

 

3.4 Technology Management

 

Supplier will perform the following Services during the Assessment related to
Technology Management:

 

(a) Evaluate Triple-S’s SOPs in place as of the Service Commencement Date
applicable to technology management, including operations and support, to create
a baseline for requirements, obligations and support by Supplier as part of the
Managed IT Services. Supplier will document opportunities for improvements in
the technology management operations and support and make recommendations to
Triple-S for improvements. 

 

(b) Evaluate and document observed unsupported operating systems in the
equipment, software, Triple-S Tools, Triple-S Systems, and Triple-S
infrastructure.

 

3.5 Application Management (Development and Maintenance)

 

Supplier shall, in cooperation with Triple-S and the Managed Third Parties,
perform the following Services during the Assessment related to application
management for In-Scope Applications in the Health Plan Portfolio:

 

(a) Evaluate and document Triple-S’s, and the applicable Managed Third Parties’,
policies, procedures, processes and controls in place as of the Service
Commencement Date related to development, implementation, testing, access and
use, updating, supporting and maintenance of such In-Scope Applications; it
being understood that quality assurance for application management applies to
all In-Scope Applications.

 

(b) Document such In-Scope Applications and release levels in use as of the
Service Commencement Date.

 

(c) Supplier will work with Triple-S to create a baseline standard of expected
In-Scope Application release levels and identify gaps between such desired
release levels and Supplier’s documented findings described in Section 3.5(b)
above related to such In-Scope Applications.

 

(d) Document such In-Scope Applications that are, as of the Service Commencement
Date, in the process of being (or scheduled to be) (i) implemented or installed
for the first time; (ii) updated or upgraded; (iii) repaired or corrected; (iv)
configured or modified for use in Triple-S’s environments; and/or (v)
decommissioned. Document the work effort that is underway (or scheduled)
applicable to each category described in subparts (i) – (v), and the timeline
for, as applicable, the commencement and completion of such work effort.

 

(e) Evaluate and document Triple-S’s, and the applicable Managed Third Parties’,
infrastructure (including the hardware and software) for such In-Scope
Applications as of the Service Commencement Date.

 

(f) Document the access procedures in place as of the Service Commencement Date
related to such In-Scope Applications.

 

3.6 Network Capacity

 

Supplier shall evaluate Triple-S’s network capacity requirements and make
recommendations for changes in the network devices and/or transport to meet
capacity requirements.

 

3.7 Storage Administration / Backup

 

Supplier shall perform the following Services during the Assessment related to
storage administration and backup:

 

(a) Evaluate the storage administration, and backup and recovery policies and
procedures in place as of the Service Commencement Date related to (i) storage
administration and backup recovery Services; (ii) overall backup and recovery
approach; and (iii) alignment with Disaster Recovery and business continuity
plans in effect and covering (a) In-Scope Applications and the Environments; and
(b) operating systems, configuration files, database, code tree/software
repositories, software, tools/utilities, hardware configurations, and
virtualization configurations.

 

(b) Evaluate effectiveness of Triple-S storage administration, and backup and
recovery policies and procedures as of the Service Commencement Date and provide
recommendations to Triple-S for improvements.

 

(c) Supplier will evaluate information related to SAN, file servers, and
additional storage technologies in use as of the Service Commencement Date.

 

3.8 Server (Physical & Virtual) Management

 

(a) Supplier will evaluate the server lifecycle process and capacities currently
deployed in support of Day One IT Services related to server operating system
templates, tools, and SOPs for (i) In-Scope Applications; (ii) security
settings; (iii) availability, response time, and performance metrics; (iv)
deploying server images; and (v) server management and monitoring tools.

 

(b) Supplier will evaluate the effectiveness of Triple-S server lifecycle SOPs
as of the Service Commencement Date and provide recommendations to Triple-S for
improvements.

 

(c) Supplier will evaluate information related to the following in use as of the
Service Commencement Date relating to servers: (i) physical and virtual
technology, (ii) operating systems, (iii) tools, and (iv) processes and
procedures.

 

3.9 Workplace Services/Desktop Management

 

(a) Supplier will evaluate the workplace and desktop lifecycle process and
capacities currently deployed in support of Day One IT Services related to
desktop operating system templates, tools, and SOPs for (i) In-Scope
Applications; (ii) security settings; (iii) availability, response time, and
performance metrics; (iv) deploying desktop images; and (v) desktop management
and monitoring tools.

 

(b) Supplier will evaluate the effectiveness of Triple-S desktop lifecycle SOPs
as of the Service Commencement Date and provide recommendations to Triple-S for
improvements.

 

(c) Supplier will evaluate information related to the following in use as of the
Service Commencement Date relating to desktops: (i) physical and virtual
technology, (ii) operating systems, (iii) tools, and (iv) processes and
procedures.

 

3.10 Application Decommissioning

 

Supplier and Triple-S will develop an agreed-upon retirement strategy for all
In-Scope Applications identified for decommissioning from Schedule X (Source of
Truth), including a high-level run out period and overall timeline for
decommissioning of applicable In-Scope Applications. The applications
development work that is required to decommission In-Scope Applications in the
Health Plan Portfolio and approved by Triple-S shall be performed using the
Application Support Pool hours defined in Schedule C (Charging Methodology). Any
work other than applications development work (e.g., infrastructure project
work) is included in the scope of the Transition.

 

3.11 Additional Assessment Deliverables

 

In addition to the recommendations and other Assessment Deliverables described
in this Section 3, as part of the Assessment Supplier will provide the following
Deliverables:

 

(a) Validated inventory of applications, SOPs, tools (application monitoring and
development) in use by Triple-S as of the Service Commencement Date;

 

(b) Updated SOPs based on knowledge gained during Assessment;

 

(c) Validated staffing model including roles and responsibilities; and

 

(d) Recommended SDLC methodology based on a multi-phase approach to plan,
develop, test and deploy various software solutions as part of the SDLC for
Triple-S.

 

4. SOLUTION BUILD AND TRANSITION

 

Commencing upon the conclusion of the Assessment and ending upon completing
transition of all Elements to the Managed IT Services, Supplier will perform the
following Services as part of the Transition and in accordance with the
Transition Plan set forth in SOW #2, Exhibit A-3-1 (Transition and
Transformation Project Plan) (as updated by the Parties as a result of the
Assessment).

 

4.1 Solution Build

 

In preparation for the Transition from the Triple-S technology environment
existing as of the Service Commencement Date to a hybrid cloud solution
environment provided by Supplier as part of the Managed IT Services, Supplier
will perform the Services described in this Section 4.1.

 

(a) Solution Architecture & Design Services

 

(i) Supplier shall perform the following solution architecture and design
Services for the Managed IT Services:

 

(A) Supplier shall develop and deliver a detailed system logical design for each
Environment described in Section 5.1 (Environments) below that includes
Development, Test/QA, Production and DR Environment. 

 

(B) Supplier shall develop and deliver a network diagram which details (i) IP
space, (ii) DMZs, (iii) virtual LANs (VLANs), (iv) DNS zones, (v) port group
policies; (vi) functionality of components utilized at the Data Center; (vii)
core networking capabilities including multitenant firewall, (viii) F5 GTM, (ix)
LTM devices; and (x) virtual firewall devices specific to the Managed IT
Services for Triple-S.

 

(b) Availability Model/Plan

 

(i) Supplier shall develop and deliver an availability plan for the Managed IT
Services consisting of the following:

 

(A) Availability architecture for high-availability that includes a load
balancing strategy, clustering strategy and component redundancy.

 

(B) Availability of Supplier’s support staff to meet or exceed the IT Service
Levels and comply with Triple-S’ Policies and Procedures.

 

(C) Monitoring strategy for providing availability monitoring.

 

(D) Availability strategy for the Environments.

 

(E) Process for proactively creating Incident tickets (within the agreed
ticketing system) if availability issues are pending or reactively if an
availability issue has occurred.

 

(F) Processes, calculations and activities for reporting and alerting for
failure to meet applicable Service Levels.

 

(c) Solution Build

 

(i) Supplier shall develop and deliver a solution build for the Managed IT
Services consisting of the following:

 

(A) Environment and Instance Build Sheets  

 

(1) Supplier will develop and deliver for each physical and/or virtual machine
(organized by Environment) a detailed listing of the redeploy/rebuild process. 
This will include operating system install, system accounts and base levels of
services, agents installed for anti-virus/backup recovery and initial
application configurations.  Build sheets shall include both server and
application level details to establish a baseline install and configuration
document for each separate physical/virtual machine. Supplier will also provide
the following: 

 

a. Initial sizing recommendations for the Environments.

 

b. Monitoring strategy for providing trend analysis, baseline, predictive
capacity analysis, early warning (proactive) thresholds.

 

(B) Implementation Base Capacity and Environments Services (Redeploy)

 

(1) Supplier will use the design and architectural artifacts developed above to
initiate the redeployment of all Environments into the Managed IT Services. 
Redeployment activities will be completed on an Environment by Environment
basis, ending with an approved test plan which provides that core installation
and configurations are validated by Triple-S. There shall be no Production data
transitioned into the Managed IT Services Production Environment during this
redeployment.  Operating systems, system account provisioning, core Managed IT
Services capabilities (ex: anti-virus, backup recovery), application
configurations as well as networking and storage configurations are to be in
place and functioning as designed. 

 

(d) Release & Deployment Management Plan 

 

(i) Supplier shall develop and deliver applicable release & deployment
management plan(s) (each being a “Release Management Plan”).  The Release
Management Plan(s) shall be specific to the In-Scope Applications, Software,
Equipment, Architecture and Infrastructure in Supplier’s performance of the
Managed IT Services.

 

4.2 Transition, General

 

Supplier will perform the following as part of Transition:

 

(a) Implement the Transition Plan described in the applicable Transition
Documents.

 

(b) Transition Deliverables. The Transition Deliverables described in SOW #2,
Exhibit A-3 (Transition and Transformation). Acceptance of such Transition
Deliverables will be in accordance with the process outlined in Schedule N-1
(Deliverable and Milestone Acceptance Procedures).

 

(c) Transition Milestones. The Transition Milestones set forth in SOW #2,
Exhibit A-3-3 (Transition and Transformation Milestones) shall apply to the
Transition.

 

(d) Determine the process and timelines for migration of Triple-S Data,
including Member and Provider information, from those systems and services used
by Triple-S and the Managed Third Parties to Supplier and the Managed IT
Services.

 

(e) Develop a plan for onboarding End Users, database tuning, and stability
testing.

 

(f) Develop the SOPs applicable to the areas of Triple-S’s and the Triple-S
Vendors’ business operations which are included in, or contemplated to be part
of, the Managed IT Services, including SOPs related to Availability Management,
Capacity Management, Service Level tracking and updated SDLC methodology.

 

(g) Identify and provide Training of Triple-S and Triple-S Vendor local subject
matter experts to prepare for Transition.

 

(h) Collaborate with Triple-S and the Managed Third Parties to develop
appropriate technology support knowledge and process flows.

 

(i) Determine if one (1) or more dedicated high-priority support “war room”
process(es) are needed, and if so, develop the framework for the same and a plan
for determining if and when each may need to be implemented as part of the
Managed IT Services.

 

(j) Implement systems to monitor the functionality and operations of the Managed
IT Services infrastructure, Infrastructure Architecture, Environments and
Supplier Facilities used in performance of the Managed Hosting Services.

 

4.3 Transition Project Management

 

Supplier will provide the following project management Services to Triple-S
related to the Transition of the IT Services:

 

(a) Provide project management for Supplier Personnel delivering Services. This
includes providing leadership, direction, and day to day oversight.

 

(b) Designate an individual to serve as the “Supplier Implementation Lead” who
will: (i) serve as primary interface for the provision of implementation project
Services by Supplier; (ii) have day-to-day responsibility for, and authority to
manage, the implementation project Services and the project management plan
(PMP) for Supplier; and (iii) serve as the primary point of contact for all PMP,
implementation project, Transition Milestones and Transition Deliverables
related questions and issues.

 

(c) In consultation with Triple-S’s project manager(s), Supplier shall develop
those Services related project implementation and/or management plans detailed
in the Transition Documents, representing the Parties’ high level activities and
tasks, as well as the processes (including those noted below), milestones and
timelines involved, related to
Supplier’s provision of (and Triple-S’s receipt of) the IT Services during the
Transition. Each PMP will, as appropriate, detail each Transition Deliverable
and Transition Milestone to be delivered. The timelines for Supplier’s delivery
of, and Triple-S’s review and approval of, each PMP shall be as set forth in the
applicable Transition Document(s).

 

In addition to those Functions described herein, in each PMP and in the
Transition Documents, Triple-S shall do the following:

 

(a) Designate an individual to serve as the “Triple-S Project Manager” who will:
(i) serve as the primary interface related to the Transition Services, including
having day-to-day responsibility for, and authority to manage, Triple-S’s
responsibilities detailed in the PMP; and (ii) serve as the primary point of
contact for all implementation project, PMP, Transition Deliverables and
Transition Milestone related questions and issues.

 

(b) Participate in project planning activities and identify responsibilities of
Triple-S staff.

 

(c) Participate in PMP development by, including, providing technical
information and guidance.

 

(d) Monitor and control activities according to each PMP.

 

(e) Review and approve Transition Deliverable and Transition Milestone
Acceptance Criteria in accordance with Schedule N-1 (Deliverable and Milestone
Acceptance Procedures).

 

(f) Ensure all Triple-S personnel working on the implementation project,
including but not limited to, the Triple-S Project Manager, (i) are available
when needed or requested by Supplier; and (ii) provide timely responses to
requests for information and data.

 

The PMPs shall describe the manner in which Supplier performs its day-to-day
activities, including its processes, procedures, policies, guidelines,
goals/objectives, definitions and tools used for the Functions related to the IT
Services.

 

4.4 Transition to Cloud Environment

 

In addition to the obligations set forth in Section 4.1 above, as part of the
Transition Plan, Supplier will provide Triple-S with a process, including
Transition Deliverables and Transition Milestones, by which Supplier will
transition Triple-S In-Scope Applications and Environments to a cloud
environment. Supplier will use the results of the Assessment to identify and
prioritize those In-Scope Applications and Environments that will transition to
the cloud environment. The Transition Plan will include the following:

 

(a) Details regarding connectivity size and mapping recommendations.

 

(b) Recommended regions, sites and types of technology environments for hosting
the transitioned In-Scope Applications and Environments.

 

(c) Requirements for storage, compute and network capacities to support the
transition to the cloud environment and performance of the Managed IT Services.

 

(d) Creation of a test cloud environment, including firewalls, load balancers,
and connectivity in accordance with SOC 2 Type II requirements. Testing and
problem solving regarding performance of such cloud environment.

 

(e) Creation of a production cloud environment, including firewalls, load
balancers, connectivity, and back-ups in accordance with SOC 2 Type II
requirements. Testing and problem solving regarding performance of such cloud
environment.

 

(f) Milestones for the transition, including cut over date, warm state
shutdowns, and final termination of non-cloud Environments.

 

(g) A plan to decommission the current Triple-S data center.

 

(h) Recommended solutions for any In-Scope Applications and Environments that
will not transition to the cloud environment but will instead be transitioned to
Supplier’s Data Center.

 

4.5 Migration Services     

 

(a) Systems. Supplier will migrate and Transition the In-Scope Applications and
End Users from Triple-S’s legacy system(s), providers and Triple-S Facilities
(e.g. data center) to the Managed IT Services and the applicable
Environment(s). 

 

(b) Data. Supplier will migrate required Triple-S Data from Triple-S’s legacy
system(s) to the appropriate Managed IT Services Environment. This will include
database RMAN backups and specific encryption wallets and log files.

 

4.6 Security

 

Supplier shall transition Triple-S from the security solution in place as of the
Service Commencement Date to an updated Triple-S IT security policy and SOP
created through Supplier’s Assessment and recommendations and based on mutual
agreement of the Parties as intended to support the Managed IT Services.

 

4.7 Technology Management

 

Supplier will perform the following to transition technology management in place
as of the Service Commencement Date to processes and procedures for the Managed
IT Services consistent with the Transition Documents and knowledge gained during
Assessment:

 

(a) Helpdesk/Command Center

 

(i) Supplier will use the results of the Assessment to transition to Supplier’s
Help Desk / Command Center Solution by:

 

(A) Defining and setting up a technology help desk and centralized command
center, including a ticketing system for support requests, into which Triple-S
employees will submit requests for Incident resolution assistance and in which
Supplier will track such service requests and their resolution. Providing
Services to operate and maintain the ticketing system.

 

(B) Providing 24 x 7 technology support and Incident and Problem resolution
assistance.

 

(C) Providing a dedicated help desk toll free telephone number for use by
Triple-S employees.

 

(b) The Helpdesk/NOC will be located in Puerto Rico in one of the Supplier
Facilities, which will be a continuation of Triple-S’s current Helpdesk/NOC that
is currently in place as of the Service Commencement Date. Supplier’s Command
Center in Chaska/Plymouth, MN will run any escalations/war rooms in support of
the Helpdesk/NOC and work place services (WPS) (as described in Section 3.9
above) team in Puerto Rico. The solution for all ticketing and self-service will
be done through ServiceNow, which is a SaaS based tool running in ServiceNow’s
cloud. Supplier will continue the WPS model that is currently in place at
Triple-S, where there will be a
Supplier resource on premise at each of the main facilities as well as resources
that will float between buildings for support of End Users as needed. The
Helpdesk/Command Center will be staffed 24x7 and WPS teams will operate during
normal business hours.

 

5. SOLUTION FOR MANAGED IT SERVICES

 

Supplier will provide the Managed IT Services based on the Scope Model and using
the methodologies and resources described below (the “Solution”). The Solution
is built upon Triple-S’s information technology systems as of the Service
Commencement Date and as these systems will be updated during the Assessment and
Transition to meet the overall goal of increasing efficiencies, scalability and
flexibility of Triple-S technology systems. The Solution will consist of a
hybrid managed IT hosted solution. The Solution is a hybrid managed IT hosted
environment. Schedule X (Source of Truth) identifies the location where each
In-Scope Application will be hosted, whether a Supplier Facility identified in
Schedule E (Supplier Facilities), a Triple-S data center or the environment of a
third party software or service provider that contracts directly with Triple-S
(e.g., a SaaS provider).

 

5.1 Environments

 

(a) Supplier will deliver a Solution that includes the Environments described
below provided through Microsoft Azure and other Supplier Facilities described
in Schedule E (Supplier Facilities) or approved by Triple-S under Section 4.2 of
the General Terms and Conditions and will support the In-Scope Applications.
Only Supplier will have administrative and root access and use of the
Environments, including databases.

 

(b) Production: Support consisting of operating system patching, file system
management, security controls (includes scanning), firewalls, SAN, network, load
balancers, backups, Disaster Recovery, monitoring, database administration
(upgrades/patching, data-loads, tuning), helpdesk/command center access
including dedicated toll-free number for the Triple-S team.

 

(c) Test/QA: Used to perform more detailed testing of code. Joint support and
same patching/security controls as Production to protect the Test/QA
Environment.  Triple-S acknowledges and agrees that the Test/QA Environment (i)
shall not be equivalent in size to the Production Environment; and (ii) may be
used as a support Environment and/or a Training Environment to provide Training
to Triple-S and/or its End Users.

 

(d) Development: Used as a platform for development efforts related to the
Managed IT Services. Third-party developers will deploy code into this
Environment. Includes joint support of Triple-S and Supplier teams for operating
system and database support, same patching/security controls as Production to
protect the Test/QA Environment.  Triple-S acknowledges and agrees that the
Development Environment shall not be equivalent in size to the Production
Environment and that the Parties will mutually agree on the size and scope of
this Environment. Triple-S also further acknowledges that the Development
Environment does not support PHI and neither Party will transmit or store any
PHI in the Development Environment. The Parties will work together to determine
the timing of the creation of the Development Environment and the completion of
the Triple-S data de-identification project to confirm that PHI will not be
transmitted or stored in the Development Environment. Supplier will not be
responsible for any PHI transmitted or stored in the Development Environment by
Triple-S. Supplier will be responsible for any liability arising from PHI being
transmitted or stored in the Development Environment by Supplier or any of its
Affiliates or Subcontractors.

 

(e) Disaster Recovery (DR) Environment: Used by Supplier as a platform for
providing Managed IT Services in the event of a disaster. The DR Environment
shall include a full mirror of the Production Environment, which mirror may
then be activated and brought into production (even temporarily) so as to
continue to provide the Managed IT Services during a disaster and as more fully
described in the Disaster Recovery and Business Continuity Plan described in
Schedule A (Cross-Functional Services).

 

5.2 Solution

 

Following the Assessment and the Transition, Supplier will provide the Solution,
including the Environments described above, in accordance with the SOPs and the
Policies and Procedures that will be developed and updated during the Assessment
and Transition and the other requirements in the Agreement, including:

 

(a) the Supplier Facilities described in Schedule E (Supplier Facilities);

 

(b) the Supplier Personnel described on the organizational chart provided by
Supplier to Triple-S pursuant to Section 6.3(f) of the General Terms and
Conditions, and any personnel leased by Supplier from Triple-S pursuant to that
separate employee lease agreement between the Parties set forth in Schedule G
(In-Scope Employee Agreement);

 

(c) the Approved Subcontractors set forth in Schedule R (Approved
Subcontractors); and

 

(d) the Software and Tools set forth on Schedule X (Source of Truth).

 

5.3 Solution Environment

 

Supplier will use the following in providing the Solution:

 

(a) An Azure gateway in order to facilitate data transfer from/to Triple-S.

 

(b) Firewall rules, both from physical firewalls and virtual firewalls that are
exportable in a fashion such that they can be imported into another third
party’s firewall platform based on a mutually agreed upon approach.

 

(c) Triple-S SSL certificates from Entrust SSL for public facing certificates.

 

(d) An SMTP service from Microsoft Azure to enable email generated by various
application elements to be sent on behalf of the Triple-S email domain.

 

(e) Multi-tenant storage that will segregate data between Triple-S and other
tenants.

 

(f) Shared Capacity for assets such as the underlying storage array, firewall,
load balancing, backup/restore, and anti-virus that are logically isolated from
tenants, such that one tenant does not have visibility or exposure to other
tenant resources.

 

(g) Log forwarders on each server to facilitate operating and infrastructure
system level log delivery to Triple-S.

 

5.4 Capacities.

 

Supplier shall provide Capacities for each of the Environments as part of the
Managed IT Services. The existing Capacities are those used by Triple-S as of
the Service Commencement Date. Thereafter, Supplier shall provide Capacities
necessary for providing the Managed IT Services to support the In-Scope
Applications and the Solution.

 

Infrastructure Software Upgrades

 

Supplier shall upgrade the infrastructure software components of the Managed IT
Services Equipment in accordance with N-2 versions (provided more frequent
software refresh will be performed as necessary to remain on versions supported
by applicable third party licensors).

 

5.5 Anti-Virus, Intrusion Detection / Prevention

 

(a) Supplier shall use and keep updated anti-virus/anti-malware software for all
Environments and on desktops and laptops of employees that access the
Environments.

 

5.6 Identity & Remote Access and Control Services

 

(a) Pursuant to applicable policies and procedures, Supplier shall use secure,
remote access for Supplier Personnel and Service Recipients, including
provisioning and de-provisioning remote access.

 

(b) Upon implementation of ServiceNow, Supplier shall use a real time dashboard
for the following elements related to the Environments:

 

(i) View real-time and historical performance statistics for each virtual
machine in all of the Environments.

 

(ii) vCPU utilization percentages

 

(iii) Memory utilization

 

(iv) Disk/data store latency

 

(v) Network transmit/receive rates, network packets dropped

 

(vi) Access to view Environment reports.

 

(A) Backup reports

 

(B) Results of internal scanning and availability monitoring of all
Environments.

 

(C) Capacity management reports.

 

(c) Supplier will use a process to manage tickets associated with requested
changes to the Environments or suspected Environment issues impacting the
In-Scope Applications.

 

5.7 Operations and Monitoring Services

 

(a) Supplier shall use transaction tracking and log analysis capabilities within
the Production Environment, according to the capabilities of each application
component.

 

(b) Supplier will use a process to categorize, manage and respond to alerts
generated by Supplier monitoring tools for the Environments, including an
Incident ticket based system per event. 

 

(c) Supplier shall use Tools to monitor various layers in the Environment that
collects, compiles, and provides information about the capacity, performance,
availability, security and configuration of the Environments and about the
operation of hardware, operating systems.

 

5.8 Disaster Recovery and Business Continuity

 

As part of Managed IT Services, Supplier shall implement and comply with the
Disaster Recovery and business continuity requirements set forth in Schedule A
(Cross-Functional Services) and the BC/DR Plan.

 

5.9 Software Development Life Cycle (SDLC).

 

After the Service Commencement Date, Supplier shall use its Agile SDLC
methodology, as it will be modified as a result of the Assessment to provide
applicable Services to Triple-S. Supplier will evaluate each project and
determine the appropriate SDLC for that project to follow, leveraging Agile,
Waterfall, Dev Ops, or a hybrid approach, which evaluation will occur during the
Assessment. Scaled Agile is a modern work process embracing Agile practices
across product/application and infrastructure that has been adapted for scale
work. Work using this Scaled Agile Method (OSAM) will be focused on driving
application modernization. Some primary drivers behind the determination of
which SDLC to leverage by project will be determined by the stabilization of
current production, application technology, scale of modernization or changes
being applied, and risk associated with the changes to a production instance.
Supplier will review Triple-S teams (IT and business), projects and applications
to determine the best candidates to tie to the specific development methodology.

 

6. TRAINING END USERS

 

6.1 Managed IT Services

 

Supplier shall provide the following Training relating to the Managed IT
Services:

 

(a) Train designated Triple-S End Users on ServiceNow, including how to access
and use ServiceNow.

 

(b) Train designated Triple-S End Users in new procedures and tools.

 

6.2 Training Details

 

With respect to the Training described in Section 6.1 above, the Parties will
mutually agree on (i) the number of Training sessions; (ii) the dates and times
of each Training session; (iii) the location and format (e.g. on-site, online
training portal or website, etc.) of each Training session; (iv) the number of
attendees for each Training session; and (v) the language(s) in which each
Training session will be provided.

 

7. TRIPLE-S RESPONSIBILITIES

 

As it relates to Supplier’s IT Services Solution, Triple-S shall have the
following responsibilities:

 

(a) Informing Triple-S employees that they are responsible for the purchasing,
support and replacement of non-Triple-S issued mobile devices, but excluding
support of In-Scope Applications in the Health Plan Portfolio.

 

(b) Defining the process and approving the decommissioning of any data,
applications, and facilities, including Triple-S data center.

 

(c) Designating points of contact for each In-Scope Application, who shall (i)
be subject matter experts for such applications and systems; (ii) be reasonably
available to Supplier and Supplier Personnel; (iii) provide expertise,
information and support to Supplier and Supplier Personnel related to such
applications; and (iv) work with Supplier to resolve Incidents and other issues
with such applications and/or data within such application. Triple-S shall
provide Supplier with full contact information for each point of contact.

 

(d) Approve private IP address space to be used within the Environments.

 

(e) Triple-S shall provide at least thirty (30) days’ advance written notice for
any increase in forecast user volume greater than fifteen (15) percent for any
Environment as measured against the prior month.

 

(f) Supplier, Triple-S and applicable Triple-S Vendors shall cooperate in the
establishment and running of a technical war room during Tier 1 or Tier 2
Incidents to support Incident response activities.

 

(g) Each of (i) Supplier; (ii) Triple-S; and (iii) the Managed Third Parties
will provide designated security representative contact information to the other
parties, as applicable. Triple-S shall cause each Managed Third Party to comply
with this requirement. Each party will update the other parties within thirty
(30) calendar days of changes to its security personnel contact information.

 

(h) Triple-S will continue to have contracts in place for procuring all laptops,
desktop computers and Triple-S supplied mobile devices (including applicable
manufacturer or supplier support) used by its employees.

 

(i) Triple-S will manage Triple-S existing HIPAA, HITECH, minimum use, customer
audit activity, annual self-assessment for Federal Information System Controls
Audit Manual and Federal Information Security Management Act of 2002, compliance
with all corrective action plans, and remediation programs. Triple-S will
identify information system scope and device inventory for OPS Federal
Information System Controls Audit Manual compliance requirements.  Triple-S will
manage the remediation programs. Supplier will provide cooperation related to
the foregoing.

 

(j) Triple-S will continue to provide networking capacity and redundancy and is
responsible for approving & procuring network infrastructure outside of the
Supplier Environments to support future Services.

 

(k) Triple-S will be responsible for purchasing extended support for its Windows
and Unix servers. Supplier and Triple-S will mutually agree upon whether to
accelerate migrations/upgrades to bring such operating systems current to a
release version that is then-supported by the manufacturer.

 

8. CLAIMS RELATED IT FUNCTIONS

 

Supplier will perform the IT Services to perform batch processes as they relate
to the Claims Services, as described in Appendix 1 (Certain IT Functions Related
to Claims Services) to Exhibit A (IT Services). As of the Service Commencement
Date, Supplier will perform such processes using Triple-S’s current processes.
During the Assessment, Supplier will evaluate such batch processing and whether
such processes will be modified as the In-Scope Applications migrate to the
hosted cloud environment pursuant to Schedule X (Source of Truth). Supplier will
continue performing such Services for these batch processes as they evolve
during such migration and the Parties will work in good faith to update the
description of such processes set forth below to reflect any such modifications.

 




 





SOW 02 - Exhibit A-3

 




STATEMENT OF WORK #2

 

EXHIBIT A-3

 

IT SERVICES TRANSITION DESCRIPTION

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 




1   Introduction
2   High Level Description of the IT Services Transition
2.1   Phases
2.2   Schedule
2.3   Major Work Stream(s)
2.4   Milestones
2.5   IT Services Transition Deliverables
3   Knowledge Transfer
4   Continuity of Operations
5   Transition Management
5.1   Transition Management Activities
5.1.1   Status Reporting
5.2   Triple-S Provided Transition Workspace
6   IRAD Tool



 

 




1 Introduction

 



Commencing upon the conclusion of the Assessment, Supplier will perform the
Application Management; Infrastructure Transition Services (“Infrastructure
Transition”); Vendor(s) Contracting Transition Services (“Vendor(s) Contracting
Transition”) as part of transition to the Managed Hosting Services for certain
portions of Triple-S’s information technology systems (the “IT Services
Transition”).

 

2 High Level Description of the IT Services Transition

 

Supplier’s IT Services Transition approach provides a framework to manage and
execute the applicable IT Services Transition activities using project
management best practices. Using this approach, Supplier will provide a project
management framework, best practices, lessons learned, and other resources
necessary to complete the IT Services Transition.

 

2.1 Phases

 

Supplier’s methodologies will align with industry standard project management
methodologies.

 

Figure 2-1 – IT Services Transition Phases

 





 


[sowa3_p2.jpg]

 



2.2 Schedule

 

The IT Services Transition schedule will be based on the project plan (a draft
of which is provided in Exhibit A-3-1 to this Statement of Work), and will be in
accordance with the Critical Transition Milestones provided in Exhibit A-3-3 to
this Statement of Work.

 

The following view is an example of the schedule anticipated as of the Effective
Date for the IT Services Transition. In the event of any conflict between the
schedule provided in the chart below and Exhibit A-3-1, Exhibit A-3-1 will
control.

 




Figure 2-2 Example Schedule 



 

[sowa3_p3.jpg]

 



*Dates in the plan are based on an Effective Date on or around August 15, 2017.
A change to the Effective Date will result in a revised plan.

 

2.3 Major Work Stream(s)

 

Outline of major work streams for the IT Services Transition, subject to
refinement based on the Assessment:

 

Work Stream | Description
Applications Management | Applications Management activities involve application enhancement or correction, preventative maintenance, and technical refresh cycles.
Technology Management | Management of essential operation components, such as policies, processes, equipment, infrastructure, business continuity and disaster recovery.
Migration Services | Process of moving data and applications to a hybrid cloud environment.
Resource Management | Integrated set of processes that enable employee productivity.
IT Service Levels | Reporting of IT status, metrics and Service Levels
Program & Project Management | Planning, executing, controlling and closing work streams to achieve goals and objectives of in scope elements

 



2.4 Milestones

 

Descriptions and due dates for the Critical Transition and Transformation
Milestones are provided in Exhibit A-3-3 (IT Services Critical Transition and
Transformation Milestones).

 

2.5 IT Services Transition Deliverables

 

Supplier will provide the IT Services Transition Deliverables, which will be
provided in Exhibit A-3-3 to this Statement of Work.

 

3 Knowledge Transfer

 

Supplier will use a comprehensive knowledge transfer process to track receipt of
necessary information and guidance from Triple-S and to identify and escalate
requests for missing information. Supplier understands that Triple-S may not
have all the information Supplier requests. Triple-S will provide the
information it has reasonably available. Initial knowledge transfer will begin
after the Effective Date.

 

Supplier and Triple-S will inventory and assess existing processes and
documentation and create updated documentation resources to enable a successful
IT Services Transition.

 

4 Continuity of Operations

 

Supplier will provide the IT Services Transition services in a manner that
minimizes disruption to the Triple-S operations in place as of the Effective
Date as follows:

 

· Maintain ongoing dialogue with the IT Services Transition manager to
proactively address concerns.

 

· Submit the Assessment Findings Risks and Mitigation report to Triple-S after
completing the Assessment.

 

· Monitor real-time operational systems and processes to make adjustments as
needed to avoid service degradation.

 

The IT Services Transition Plan, Transition Schedule, and subsequent status
updates will contain Critical Transition Milestones and applicable Deliverables.
Supplier and Triple-S will conduct a weekly implementation status meeting to
identify and address IT Services Transition risks.

 





 


 



5 Transition Management

 

5.1 Transition Management Activities

 

5.1.1 Status Reporting

 

The following provides an example of the weekly status report:

 

Figure 5-1-1 – Sample Weekly Status Report

 



[sowa3_p5.jpg] 

 


 



The following provides an example of the executive status report:

 

Figure 5-1-2 - Sample Executive Status Report

 



 [sowa3_p6.jpg]

 

 

 




 



5.2 Triple-S Provided Transition Workspace

 

Supplier and Triple-S will coordinate to fulfill reasonable workspace needs for
Supplier’s IT Services Transition personnel within Triple-S facilities.
Workspace requests will be submitted by Supplier to Triple-S in the following
format:

 

Date Needed/Expected Duration | Workspace Type | Location

 

6 IRAD Tool

 

Supplier will use the IRAD (Issues, Risks, Actions, and Decisions) tool built
into Planview to identify and manage risks and issues during the IT Services
Transition. Planview is a system designed to drive more predictable outcomes by
identifying key risk areas across a product or project development initiative.

 

Figure 6-1 outlines the elements of Supplier’s risk management process for the
IT Services Transition. As risks or problems are identified during the course of
the IT Services Transition, Supplier will document and address them in a manner
to support the success of the IT Services Transition. Supplier will communicate
risks to the Supplier and Triple-S IT Services Transition teams in a timely and
effective manner, and risks and issues analysis and reporting will be a feature
of the weekly transition status meeting.

 

Figure 6-1: Supplier Risk Management Approach. Supplier’s approach requires that
risks be identified, assessed, and assigned to a responsible owner, and that a
risk mitigation approach be developed and implemented.

 

 

 




 



Figure 6-1 - Risk Management

 



 

 [sowa3_p8.jpg]

 



The risk management plan will include our strategy for issue management,
including tracking, impact analysis, mitigation plans and escalation procedures.
A mitigation plan will be formulated for each identified issue, with clear
responsibilities identified and assigned between Supplier and Triple-S.

 



 


 



 SOW 02 - Exhibit A-3-1

 

 




 

 

 

 

 

 

 

 

 

 

 

 

STATEMENT OF WORK #2 (IT SERVICES)

EXHIBIT A-3-1

TRANSITION AND TRANSFORMATION PLAN

 

 

 

 

 

 

 

 

 

 






ITO Cloud Transformation

ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
1 | 1 | ITO Cloud Transition Requirements Exhibit | | 519 days | Fri 9/1/17 | Wed 8/28/19 | |
2 | 1.1 | ITO Cloud Transition Deliverables | | 457 days | Tue 11/28/17 | Wed 8/28/19 | |
3 | 1.1.1 | PMP | Initiate | 0 days | Tue 11/28/17 | Tue 11/28/17 | 20 | Optum
4 | 1.1.2 | Transition Plan | Initiate | 0 days | Tue 11/28/17 | Tue 11/28/17 | 33,26 | Optum,Triple S
5 | 1.1.3 | Knowledge Transfer Plan | Design | 0 days | Fri 6/29/18 | Fri 6/29/18 | 212 | Optum
6 | 1.1.4 | New Operations Model | Design | 0 days | Fri 6/29/18 | Fri 6/29/18 | 16 | Optum
7 | 1.1.5 | Readiness Plan | Design | 0 days | Fri 6/29/18 | Fri 6/29/18 | 16 | Optum
8 | 1.1.6 | Transition Confirmation | Transition | 0 days | Tue 7/30/19 | Tue 7/30/19 | 211 | Triple S
9 | 1.1.7 | Operations Reports | Stabilize | 0 days | Tue 7/30/19 | Tue 7/30/19 | 8 | Optum
10 | 1.1.8 | Quarterly Business Report (QBR) | Managed Hosting Services | 0 days | Wed 8/28/19 | Wed 8/28/19 | 18SS+21 days | Optum
11 | 1.2 | ITO Cloud Transition Critical Milestones | | 498 days | Fri 9/1/17 | Tue 7/30/19 | |
12 | 1.2.1 | Effective Date | | 0 days | Fri 9/1/17 | Fri 9/1/17 | | Triple S
13 | 1.2.2 | Critical Milestone: Kick Off Meeting | Initiate | 0 days | Tue 11/21/17 | Tue 11/21/17 | 31 |
14 | 1.2.3 | Critical Milestone: Day One IT Services | Initiate | 0 days | Tue 11/28/17 | Tue 11/28/17 | 49 | Optum
15 | 1.2.4 | Critical Milestone: Assessment Deliverables - As Is Operations Model | Assessment | 0 days | Wed 2/14/18 | Wed 2/14/18 | 154 | Optum
16 | 1.2.5 | Critical Milestone: Solution Build Deliverable | Design | 0 days | Thu 5/31/18 | Thu 5/31/18 | 155 | Optum
17 | 1.2.6 | Critical Milestone: Implementation of the Managed IT Services Environments | Transition | 0 days | Wed 7/25/18 | Wed 7/25/18 | 247 | Optum
18 | 1.2.7 | Critical Milestone: Migration of In-Scope Applications and Triple-S Data to the Managed IT Services Environment | Transition | 0 days | Tue 7/30/19 | Tue 7/30/19 | 279 | Optum
19 | 1.3 | Initiate | | 61 days | Tue 9/5/17 | Tue 11/28/17 | |
20 | 1.3.1 | PMP | | 29 days | Wed 10/18/17 | Tue 11/28/17 | |
21 | 1.3.1.1 | Develop PMP | | 10 days | Wed 10/18/17 | Tue 10/31/17 | 43 | Optum
22 | 1.3.1.2 | Review PMP | | 5 days | Wed 11/1/17 | Tue 11/7/17 | 21 | Triple S
23 | 1.3.1.3 | Revise PMP | | 5 days | Wed 11/8/17 | Tue 11/14/17 | 22 | Optum
24 | 1.3.1.4 | Finalize PMP | | 5 days | Wed 11/15/17 | Tue 11/21/17 | 23 | Optum,Triple S
25 | 1.3.1.5 | PMP | | 0 days | Tue 11/28/17 | Tue 11/28/17 | |
26 | 1.3.2 | Kick Off Meeting | | 25 days | Wed 10/18/17 | Tue 11/21/17 | |
27 | 1.3.2.1 | Develop Kick Off Meeting Materials | | 10 days | Wed 10/18/17 | Tue 10/31/17 | 43 | Optum
28 | 1.3.2.2 | Review Kick Off Meeting Materials | | 5 days | Wed 11/1/17 | Tue 11/7/17 | 27 | Triple S
29 | 1.3.2.3 | Revise Kick Off Meeting Materials | | 5 days | Wed 11/8/17 | Tue 11/14/17 | 28 | Optum
30 | 1.3.2.4 | Finalize Kick Off Meeting Materials | | 5 days | Wed 11/15/17 | Tue 11/21/17 | 29 | Optum,Triple S
31 | 1.3.2.5 | Kick Off Meeting | | 0 days | Tue 11/21/17 | Tue 11/21/17 | 30 |

   




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
32 | 1.3.2.6 | Critical Milestone: Kick Off Meeting | | 0 days | Tue 11/21/17 | Tue 11/21/17 | 31 |
33 | 1.3.3 | Transition Plan | | 29 days | Wed 10/18/17 | Tue 11/28/17 | |
34 | 1.3.3.1 | Develop Transition Plan | | 10 days | Wed 10/18/17 | Tue 10/31/17 | 43 | Optum
35 | 1.3.3.2 | Review Transition Plan | | 5 days | Wed 11/1/17 | Tue 11/7/17 | 34 | Triple S
36 | 1.3.3.3 | Revise Transition Plan | | 5 days | Wed 11/8/17 | Tue 11/14/17 | 35 | Optum
37 | 1.3.3.4 | Finalize Transition Plan | | 5 days | Wed 11/15/17 | Tue 11/21/17 | 36 | Optum,Triple S
38 | 1.3.3.5 | Transition Plan | | 0 days | Tue 11/28/17 | Tue 11/28/17 | |
39 | 1.3.4 | Current State SOP (Standard Operating Procedure) Transition - Day 1 Services Deliverable | | 61 days | Tue 9/5/17 | Tue 11/28/17 | |
40 | 1.3.4.1 | Release current skill set map | | 1 day | Tue 9/5/17 | Tue 9/5/17 | | Triple S
41 | 1.3.4.2 | Capture all current SOP’s | | 20 days | Wed 9/6/17 | Tue 10/3/17 | 40 | Optum
42 | 1.3.4.3 | Review SOP’s for completeness or validi | | 5 days | Wed 10/4/17 | Tue 10/10/17 | 41 | Optum,Triple S
43 | 1.3.4.4 | Identify any SOP Gaps within each organization | | 5 days | Wed 10/11/17 | Tue 10/17/17 | 42 | Triple S
44 | 1.3.4.5 | SOP Standardization Gap Analysis | | 30 days | Wed 10/18/17 | Tue 11/28/17 | |
45 | 1.3.4.5 | Develop SOP Gap Analysis | | 15 days | Wed 10/18/17 | Tue 11/7/17 | 43 | Optum
46 | 1.3.4.5 | Review SOP Gap Analysis | | 5 days | Wed 11/8/17 | Tue 11/14/17 | 45 | Triple S
47 | 1.3.4.5 | Revise SOP Gap Analysis | | 5 days | Wed 11/15/17 | Tue 11/21/17 | 46 | Optum
48 | 1.3.4.5 | Finalize SOP Gap Analysis | | 5 days | Wed 11/22/17 | Tue 11/28/17 | 47 | Optum,Triple S
49 | 1.3.4.5 | SOP Gap Analysis | | 0 days | Tue 11/28/17 | Tue 11/28/17 | 48 |
50 | 1.3.4.5 | Critical Milestone: Day One IT Service | | 0 days | Tue 11/28/17 | Tue 11/28/17 | 49 |
51 | 1.4 | Assessment | | 129 days | Fri 9/1/17 | Wed 2/28/18 | |
52 | 1.4.1 | In–Flight Projects Transition - Assessment Deliverable | | 60 days | Tue 9/5/17 | Mon 11/27/17 | |
53 | 1.4.1.1 | Obtain list of in-flight projects that are In-Scope | | 10 days | Tue 9/5/17 | Mon 9/18/17 | | Triple S
54 | 1.4.1.2 | Review all in-flight project plan Status including those on hold, in process, in staging, or that are to be cancelled | | 10 days | Tue 9/19/17 | Mon 10/2/17 | 53 | Optum
55 | 1.4.1.3 | In-Flight Project Transition Plan - Assessment Deliverable | | 40 days | Tue 10/3/17 | Mon 11/27/17 | |
56 | 1.4.1.3 | Develop In-Flight Project Transition Pl | | 10 days | Tue 10/3/17 | Mon 10/16/17 | 54 | Optum
57 | 1.4.1.3 | Review In-Flight Project Transition Pla | | 10 days | Tue 10/17/17 | Mon 10/30/17 | 56 | Triple S
58 | 1.4.1.3 | Revise In-Flight Project Transition Pla | | 10 days | Tue 10/31/17 | Mon 11/13/17 | 57 | Optum
59 | 1.4.1.3 | Finalize In-Flight Project Transition Pla | | 10 days | Tue 11/14/17 | Mon 11/27/17 | 58 | Optum,Triple S

   

 




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
60 | 1.4.1.3 | In-Flight Project Transition Plan | | 0 days | Mon 11/27/17 | Mon 11/27/17 | 59 |
61 | 1.4.2 | Vendor Management Transition - Assessment Deliverables | | 129 days | Fri 9/1/17 | Wed 2/28/18 | |
62 | 1.4.2.1 | Release validated Triple-S vendor contracts 'in process' | | 20 days | Fri 9/1/17 | Thu 9/28/17 | | Triple S
63 | 1.4.2.2 | Assess Triple-S Vendor contracts in process | | 129 days | Fri 9/1/17 | Wed 2/28/18 | |
64 | 1.4.2.2 | Identify “In-Scope” systems contracts | | 30 days | Fri 9/1/17 | Thu 10/12/17 | | Optum
65 | 1.4.2.2 | Identify systems to be decommissioned contracts | | 30 days | Fri 10/13/17 | Thu 11/23/17 | 64 | Optum
66 | 1.4.2.2 | Identify risks within existing Triple-S contracts | | 30 days | Fri 11/24/17 | Thu 1/4/18 | 65 | Optum
67 | 1.4.2.2 | Identify all types of Triple-S contracts (examples; SOW, Resource, or | | 80 days | Fri 9/29/17 | Thu 1/18/18 | |
68 | 1.4.2.2 | SOW based | | 80 days | Fri 9/29/17 | Thu 1/18/18 | |
69 | 1.4.2.2 | Review contract expiration dates for each vendor | | 20 days | Fri 9/29/17 | Thu 10/26/17 | 62 | Optum
70 | 1.4.2.2 | Identify risks related to expiration for each vendor | | 20 days | Fri 10/27/17 | Thu 11/23/17 | 69 | Optum
71 | 1.4.2.2 | Identify hours or time related to operations or support of each vendor | | 20 days | Fri 11/24/17 | Thu 12/21/17 | 70 | Optum
72 | 1.4.2.2 | Cross reference cost against scope of PMPM | | 20 days | Fri 12/22/17 | Thu 1/18/18 | 71 | Optum
73 | 1.4.2.2 | Resource based | | 80 days | Fri 9/29/17 | Thu 1/18/18 | |
74 | 1.4.2.2 | Review number of current resou | | 20 days | Fri 9/29/17 | Thu 10/26/17 | 62 | Optum
75 | 1.4.2.2 | Assess the hours by application per resource | | 20 days | Fri 10/27/17 | Thu 11/23/17 | 74 | Optum
76 | 1.4.2.2 | Assess the skill level/type by resource per application | | 20 days | Fri 11/24/17 | Thu 12/21/17 | 75 | Optum
77 | 1.4.2.2 | Define all resource needs by application/SOW | | 20 days | Fri 12/22/17 | Thu 1/18/18 | 76 | Optum
78 | 1.4.2.2 | License based for each Vendors application | | 35 days | Fri 9/29/17 | Thu 11/16/17 | |
79 | 1.4.2.2 | Number of licenses | | 5 days | Fri 9/29/17 | Thu 10/5/17 | 62 | Optum
80 | 1.4.2.2 | License schedules | | 15 days | Fri 10/6/17 | Thu 10/26/17 | |
81 | 1.4.2.2 | Expiration of licenses | | 5 days | Fri 10/6/17 | Thu 10/12/17 | 79 | Optum
82 | 1.4.2.2 | Cost of licenses | | 5 days | Fri 10/13/17 | Thu 10/19/17 | 81 | Optum

  

 




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
83 | 1.4.2.2 | Evaluation of licenses | | 5 days | Fri 10/20/17 | Thu 10/26/17 | 82 | Optum
84 | 1.4.2.2 | Pricing comparison (Optum vs. Vendor) | | 15 days | Fri 10/27/17 | Thu 11/16/17 | 83 | Optum
85 | 1.4.2.2 | Vendor Contract List- Assessment Deliverable | | 39 days | Fri 1/5/18 | Wed 2/28/18 | |
86 | 1.4.2.2 | Develop Vendor Contract List | | 10 days | Fri 1/5/18 | Thu 1/18/18 | 67FF | Optum
87 | 1.4.2.2 | Review Vendor Contract List | | 5 days | Fri 1/19/18 | Thu 1/25/18 | 86 | Triple S
88 | 1.4.2.2 | Revise Vendor Contract List | | 14 days | Fri 1/26/18 | Wed 2/14/18 | 87 | Optum
89 | 1.4.2.2 | Finalize Vendor Contract List | | 10 days | Thu 2/15/18 | Wed 2/28/18 | 88 | Optum,Triple S
90 | 1.4.2.2 | Vendor Contract List | | 0 days | Wed 2/28/18 | Wed 2/28/18 | 89 |
91 | 1.4.2.2 | Vendor Risk Mitigation Plan - Assessment Deliverable | | 39 days | Fri 1/5/18 | Wed 2/28/18 | |
92 | 1.4.2.2 | Develop Vendor Risk Mitigation Pla | | 10 days | Fri 1/5/18 | Thu 1/18/18 | 67FF | Optum
93 | 1.4.2.2 | Review Vendor Risk Mitigation Plan | | 5 days | Fri 1/19/18 | Thu 1/25/18 | 92 | Triple S
94 | 1.4.2.2 | Revise Vendor Risk Mitigation Plan | | 14 days | Fri 1/26/18 | Wed 2/14/18 | 93 | Optum
95 | 1.4.2.2 | Finalize Vendor Risk Mitigation Plan | | 10 days | Thu 2/15/18 | Wed 2/28/18 | 94 | Optum,Triple S
96 | 1.4.2.2 | Vendor Risk Mitigation Plan | | 0 days | Wed 2/28/18 | Wed 2/28/18 | 95 |
97 | 1.4.2.2 | Vendor Inventory List - Assessment Deliverable | | 60 days | Fri 9/29/17 | Thu 12/21/17 | |
98 | 1.4.2.2 | Develop Vendor Inventory List | | 20 days | Fri 9/29/17 | Thu 10/26/17 | 67SS | Optum
99 | 1.4.2.2 | Review Vendor Inventory List | | 15 days | Fri 10/27/17 | Thu 11/16/17 | 98 | Triple S
100 | 1.4.2.2 | Revise Vendor Inventory List | | 15 days | Fri 11/17/17 | Thu 12/7/17 | 99 | Optum
101 | 1.4.2.2 | Finalize Vendor Inventory List | | 10 days | Fri 12/8/17 | Thu 12/21/17 | 100 | Optum,Triple S
102 | 1.4.2.2 | Vendor Inventory List | | 0 days | Thu 12/21/17 | Thu 12/21/17 | 101 |
103 | 1.4.2.2 | Plan to Renew or Replace vendor contracts | | 10 days | Fri 10/13/17 | Thu 10/26/17 | 64 | Optum
104 | 1.4.2.2 | Review completed evaluation of content maintenance ongoing of host environment | | 10 days | Fri 10/27/17 | Thu 11/9/17 | 103 | Triple S
105 | 1.4.2.2 | Review remediation for any other gaps identified in SOW, Resource, or Licensed vendors | | 10 days | Fri 11/10/17 | Thu 11/23/17 | 104 | Optum
106 | 1.4.2.2 | Review SOP using UHG Standard Process for ES&P | | 20 days | Fri 11/24/17 | Thu 12/21/17 | 105 | Optum
107 | 1.4.2.2 | Vendor Recommendation Plan - Assessment Deliverable | | 39 days | Fri 1/5/18 | Wed 2/28/18 | |

  

 


ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
108 | 1.4.2.2 | Develop Vendor Recommendation plan | | 10 days | Fri 1/5/18 | Thu 1/18/18 | 67FF | Optum
109 | 1.4.2.2 | Review Vendor Recommendation P | | 5 days | Fri 1/19/18 | Thu 1/25/18 | 108 | Triple S
110 | 1.4.2.2 | Revise Vendor Recommendation Pl | | 14 days | Fri 1/26/18 | Wed 2/14/18 | 109 | Optum
111 | 1.4.2.2 | Finalize Vendor Recommendation P | | 10 days | Thu 2/15/18 | Wed 2/28/18 | 110 | Optum,Triple S
112 | 1.4.2.2 | Vendor Recommendation Plan | | 0 days | Wed 2/28/18 | Wed 2/28/18 | 111 |
113 | 1.4.3 | SLA/SLO’s Transition - - Assessment Deliverable | | 129 days | Fri 9/1/17 | Wed 2/28/18 | |
114 | 1.4.3.1 | Receive current state SLA/SLO from Triple-S | | 20 days | Fri 9/1/17 | Thu 9/28/17 | | Triple S
115 | 1.4.3.2 | Assess over last 6 months utilization of SLA/SLO’s using Triple-S Tools | | 50 days | Fri 9/29/17 | Thu 12/7/17 | 114 | Optum
116 | 1.4.3.3 | SLA/SLO Recommendation Plan | | 59 days | Fri 12/8/17 | Wed 2/28/18 | |
117 | 1.4.3.3 | Develop SLA/SLO Recommendation P | | 30 days | Fri 12/8/17 | Thu 1/18/18 | 115 | Optum
118 | 1.4.3.3 | Review SLA/SLO Recommendation Pla | | 8 days | Fri 1/19/18 | Tue 1/30/18 | 117 | Triple S
119 | 1.4.3.3 | Revise SLA/SLO Recommendation Pla | | 11 days | Wed 1/31/18 | Wed 2/14/18 | 118 | Optum
120 | 1.4.3.3 | Finalize SLA/SLO Recommendation Pla | | 10 days | Thu 2/15/18 | Wed 2/28/18 | 119 | Optum,Triple S
121 | 1.4.3.3 | SLA/SLO Recommendation Plan | | 0 days | Wed 2/28/18 | Wed 2/28/18 | 120 |
122 | 1.4.4 | Inventory Validation Transition - - Assessment Deliverable | | 129 days | Fri 9/1/17 | Wed 2/28/18 | |
123 | 1.4.4.1 | Obtain current inventory report | | 20 days | Fri 9/1/17 | Thu 9/28/17 | | Triple S
124 | 1.4.4.2 | Utilize Triple-S Tools to validate Triple-S Tools in place | | 5 days | Fri 9/29/17 | Thu 10/5/17 | 123 | Optum
125 | 1.4.4.3 | Complete physical inventory walk throug | | 30 days | Fri 10/6/17 | Thu 11/16/17 | 124 | Optum
126 | 1.4.4.4 | Inventory Validation Plan | | 74 days | Fri 11/17/17 | Wed 2/28/18 | |
127 | 1.4.4.4 | Develop Inventory Validation Plan | | 10 days | Fri 11/17/17 | Thu 11/30/17 | 125 | Optum
128 | 1.4.4.4 | Review Inventory Validation Plan | | 10 days | Fri 12/1/17 | Thu 12/14/17 | 127 | Triple S
129 | 1.4.4.4 | Revise Inventory Validation Plan | | 15 days | Fri 12/15/17 | Thu 1/4/18 | 128 | Optum
130 | 1.4.4.4 | Finalize Inventory Validation Plan | | 1 day | Fri 1/5/18 | Fri 1/5/18 | 129 | Optum,Triple S
131 | 1.4.4.4 | Inventory Validation Plan | | 0 days | Thu 1/4/18 | Thu 1/4/18 | 129 |
132 | 1.4.4.4 | Tag Inventory | | 39 days | Fri 1/5/18 | Wed 2/28/18 | 131 |
133 | 1.4.5 | Resource Mapping and Transition - As is Operations Model | | 119 days | Fri 9/1/17 | Wed 2/14/18 | |
134 | 1.4.5.1 | Evaluate Triple-S staff and current roles/responsibilities | | 30 days | Fri 9/1/17 | Thu 10/12/17 | |
135 | 1.4.5.1 | Release all organizational charts | | 20 days | Fri 9/1/17 | Thu 9/28/17 | | Triple S

   

 




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
136 | 1.4.5.1 | Review all organization charts | | 10 days | Fri 9/29/17 | Thu 10/12/17 | 135 | Optum,Triple S
137 | 1.4.5.2 | Resource Application Skill Set Assessmen | | 80 days | Fri 9/1/17 | Thu 12/21/17 | |
138 | 1.4.5.2 | Release Current Roles and Responsibilities Documents | | 20 days | Fri 9/1/17 | Thu 9/28/17 | | Triple S
139 | 1.4.5.2 | Identify any gaps based upon skill sets and needs | | 10 days | Fri 9/29/17 | Thu 10/12/17 | 138 | Triple S
140 | 1.4.5.2 | Complete gap analysis against each organization | | 30 days | Fri 10/13/17 | Thu 11/23/17 | 139 | Optum
141 | 1.4.5.2 | Provide Triple-S with a skill set matrix and remediation plan to close gaps | | 20 days | Fri 11/24/17 | Thu 12/21/17 | 140 | Optum
142 | 1.4.5.3 | Updated Organizational Chart - Assessment Deliverable | | 39 days | Fri 12/22/17 | Wed 2/14/18 | |
143 | 1.4.5.3 | Develop Updated Organizational Char | | 10 days | Fri 12/22/17 | Thu 1/4/18 | 141 | Optum
144 | 1.4.5.3 | Review Updated Organizational Chart | | 5 days | Fri 1/5/18 | Thu 1/11/18 | 143 | Triple S
145 | 1.4.5.3 | Revise Updated Organizational Chart | | 14 days | Fri 1/12/18 | Wed 1/31/18 | 144 | Optum
146 | 1.4.5.3 | Finalize Updated Organizational Chart | | 10 days | Thu 2/1/18 | Wed 2/14/18 | 145 | Optum,Triple S
147 | 1.4.5.3 | Updated Organizational Chart | | 0 days | Wed 2/14/18 | Wed 2/14/18 | 146 |
148 | 1.4.5.4 | Updated Roles and Responsibilities - Assessment Deliverable | | 39 days | Fri 12/22/17 | Wed 2/14/18 | |
149 | 1.4.5.4 | Develop Updated Roles and Responsibilities | | 10 days | Fri 12/22/17 | Thu 1/4/18 | 141 | Optum
150 | 1.4.5.4 | Review Updated Roles and Responsibilities | | 5 days | Fri 1/5/18 | Thu 1/11/18 | 149 | Triple S
151 | 1.4.5.4 | Revise Updated Roles and Responsibilities | | 14 days | Fri 1/12/18 | Wed 1/31/18 | 150 | Optum
152 | 1.4.5.4 | Finalize Updated Roles and Responsibilities | | 10 days | Thu 2/1/18 | Wed 2/14/18 | 151 | Optum,Triple S
153 | 1.4.5.4 | Updated Roles and Responsibilities | | 0 days | Wed 2/14/18 | Wed 2/14/18 | 152 |
154 | 1.4.5.5 | Critical Milestone: Assessment Deliverables | | 0 days | Wed 2/14/18 | Wed 2/14/18 | 153 |
155 | 1.5 | Design | | 195 days | Fri 9/1/17 | Thu 5/31/18 | |
156 | 1.5.1 | Cloud Application Identification Transition - As Is Transition Model | | 195 days | Fri 9/1/17 | Thu 5/31/18 | |
157 | 1.5.1.1 | In Scope Applications for Cloud Hosting | | 45 days | Thu 3/1/18 | Wed 5/2/18 | |
158 | 1.5.1.1 | Develop In Scope Applications for Cloud Hosting | | 15 days | Thu 3/1/18 | Wed 3/21/18 | 122 | Optum

   

 




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
159 | 1.5.1.1 | Review In Scope Applications for Cloud Hosting | | 10 days | Thu 3/22/18 | Wed 4/4/18 | 158 | Triple S
160 | 1.5.1.1 | Revise In Scope Applications for Cloud Hosting | | 10 days | Thu 4/5/18 | Wed 4/18/18 | 159 | Optum
161 | 1.5.1.1 | Finalize In- Scope Applications for Cloud Hosting | | 10 days | Thu 4/19/18 | Wed 5/2/18 | 160 | Optum,Triple S
162 | 1.5.1.1 | In Scope Applications for Cloud Hostin | | 0 days | Wed 5/2/18 | Wed 5/2/18 | 161 |
163 | 1.5.1.2 | Knowledge Transfer Plan | | 14 days | Fri 9/1/17 | Wed 9/20/17 | |
164 | 1.5.1.2 | Develop Knowledge Transfer Plan to Cloud | | 5 days | Fri 9/1/17 | Thu 9/7/17 | | Optum
165 | 1.5.1.2 | Review Knowledge Transfer Plan to Cloud | | 5 days | Fri 9/8/17 | Thu 9/14/17 | 164 | Triple S
166 | 1.5.1.2 | Revise Knowledge Transfer Plan to Clo | | 3 days | Fri 9/15/17 | Tue 9/19/17 | 165 | Optum
167 | 1.5.1.2 | Finalize In- Scope Applications for Cloud Hosting | | 1 day | Wed 9/20/17 | Wed 9/20/17 | 166 | Optum,Triple S
168 | 1.5.1.2 | Knowledge Transfer Plan to Cloud | | 0 days | Wed 9/20/17 | Wed 9/20/17 | 167 |
169 | 1.5.1.3 | Transition Plan to Cloud | | 14 days | Thu 5/3/18 | Tue 5/22/18 | |
170 | 1.5.1.3 | Develop Transition Plan to Cloud | | 5 days | Thu 5/3/18 | Wed 5/9/18 | 157 | Optum
171 | 1.5.1.3 | Review Transition Plan to Cloud | | 5 days | Thu 5/10/18 | Wed 5/16/18 | 170 | Triple S
172 | 1.5.1.3 | Revise Transition Plan to Cloud | | 3 days | Thu 5/17/18 | Mon 5/21/18 | 171 | Optum
173 | 1.5.1.3 | Finalize In- Scope Applications for Cloud Hosting | | 1 day | Tue 5/22/18 | Tue 5/22/18 | 172 | Optum,Triple S
174 | 1.5.1.3 | Transition Plan to Cloud | | 0 days | Tue 5/22/18 | Tue 5/22/18 | 173 |
175 | 1.5.1.4 | Architecture requirements | | 24 days | Mon 4/30/18 | Thu 5/31/18 | |
176 | 1.5.1.4 | Develop Architecture requirements | | 12 days | Mon 4/30/18 | Tue 5/15/18 | | Optum
177 | 1.5.1.4 | Review Architecture requirements | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
178 | 1.5.1.4 | Revise Architecture requirements | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
179 | 1.5.1.4 | Finalize Architecture requirements | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
180 | 1.5.1.4 | Architecture requirements | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
181 | 1.5.1.5 | Gap Analysis | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
182 | 1.5.1.5 | Develop Gap Analysis | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum
183 | 1.5.1.5 | Review Gap Analysis | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
184 | 1.5.1.5 | Revise Gap Analysis | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
185 | 1.5.1.5 | Finalize Gap Analysis | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
186 | 1.5.1.5 | Gap analysis | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
187 | 1.5.1.6 | Risk Remediation Plan | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |

   

 




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
188 | 1.5.1.6 | Develop Risk Remediation Plan | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum
189 | 1.5.1.6 | Review Risk Remediation Plan | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
190 | 1.5.1.6 | Revise Risk Remediation Plan | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
191 | 1.5.1.6 | Finalize Risk Remediation Plan | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
192 | 1.5.1.6 | Risk Remediation Plan | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
193 | 1.5.1.7 | Recommendation Plan | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
194 | 1.5.1.7 | Develop Recommendation Plan | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum
195 | 1.5.1.7 | Review Recommendation Plan | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
196 | 1.5.1.7 | Revise Recommendation Plan | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
197 | 1.5.1.7 | Finalize Recommendation Plan | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
198 | 1.5.1.7 | Recommendation Plan | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
199 | 1.5.1.8 | Operations Reports Templates | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
200 | 1.5.1.8 | Develop Operations Reports Template | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum
201 | 1.5.1.8 | Review Operations Reports Template | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
202 | 1.5.1.8 | Revise Operations Reports Template | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
203 | 1.5.1.8 | Finalize Operations Reports Template | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
204 | 1.5.1.8 | Operations Reports Template | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
205 | 1.5.1.9 | Readiness Plan | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
206 | 1.5.1.9 | Develop Readiness Plan | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum
207 | 1.5.1.9 | Review Readiness Plan | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
208 | 1.5.1.9 | Revise Readiness Plan | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
209 | 1.5.1.9 | Finalize Readiness Plan | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
210 | 1.5.1.9 | Readiness Plan | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
211 | 1.6 | Transition | | 319 days | Thu 5/10/18 | Tue 7/30/19 | |
212 | 1.6.1 | Assessment of Help Desk Application Training and Knowledge Transfer Transition - Readiness Plan Deliverable | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
213 | 1.6.1.1 | Help Desk Process | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
214 | 1.6.1.1 | Develop Help Desk Process | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum
215 | 1.6.1.1 | Review Help Desk Process | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
216 | 1.6.1.1 | Revise Help Desk Process | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
217 | 1.6.1.1 | Finalize Help Desk Process | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
218 | 1.6.1.1 | Help Desk Process | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
219 | 1.6.1.2 | Application Training Knowledge Transfe | | 16 days | Thu 5/10/18 | Thu 5/31/18 | |
220 | 1.6.1.2 | Develop Application Training Knowledge Transfer | | 12 days | Thu 5/10/18 | Fri 5/25/18 | 170,164 | Optum

    

 




ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names
221 | 1.6.1.2 | Review Application Training Knowledge Transfer | | 5 days | Wed 5/16/18 | Tue 5/22/18 | 176 | Triple S
222 | 1.6.1.2 | Revise Application Training Knowledge Transfer | | 5 days | Wed 5/23/18 | Tue 5/29/18 | 177 | Optum
223 | 1.6.1.2 | Finalize Application Training Knowledge Transfer | | 2 days | Wed 5/30/18 | Thu 5/31/18 | 178 | Optum,Triple S
224 | 1.6.1.2 | Application Training Knowledge Trans | | 0 days | Thu 5/31/18 | Thu 5/31/18 | 179 |
225 | 1.6.2 | Implementation of Help Desk Application Training and Knowledge Transfer Transition - Implementation Deliverable | | 303 days | Fri 6/1/18 | Tue 7/30/19 | |
226 | 1.6.2.1 | Process Implementation | | 69 days | Fri 6/1/18 | Wed 9/5/18 | |
227 | 1.6.2.1 | Implement Service-Now, Bomgar and Help Desk processes | | 39 days | Fri 6/1/18 | Wed 7/25/18 | 224,210 | Optum
228 | 1.6.2.1 | Data/Open tickets closed or transition | | 15 days | Thu 7/26/18 | Wed 8/15/18 | 227 | Optum
229 | 1.6.2.1 | Work flow configuration | | 15 days | Thu 8/16/18 | Wed 9/5/18 | 228 | Optum
230 | 1.6.2.2 | Capability map | | 39 days | Fri 6/1/18 | Wed 7/25/18 | |
231 | 1.6.2.2 | Develop Capability Map | | 15 days | Fri 6/1/18 | Thu 6/21/18 | 224 | Optum
232 | 1.6.2.2 | Review Capability Map | | 10 days | Fri 6/22/18 | Thu 7/5/18 | 231 | Triple S
233 | 1.6.2.2 | Revise Capability Map | | 10 days | Fri 7/6/18 | Thu 7/19/18 | 232 | Optum
234 | 1.6.2.2 | Finalize Capability Map | | 4 days | Fri 7/20/18 | Wed 7/25/18 | 233 | Optum,Triple S
235 | 1.6.2.2 | Capability Map | | 0 days | Wed 7/25/18 | Wed 7/25/18 | 234 |
236 | 1.6.2.3 | Training Gap Identification | | 39 days | Fri 6/1/18 | Wed 7/25/18 | |
237 | 1.6.2.3 | Develop Training Gap Identification | | 10 days | Fri 6/1/18 | Thu 6/14/18 | 227SS | Optum
238 | 1.6.2.3 | Review Training Gap Identification | | 10 days | Fri 6/15/18 | Thu 6/28/18 | 237 | Triple S
239 | 1.6.2.3 | Revise Training Gap Identification | | 10 days | Fri 6/29/18 | Thu 7/12/18 | 238 | Optum
240 | 1.6.2.3 | Finalize Training Gap Identification | | 9 days | Fri 7/13/18 | Wed 7/25/18 | 239 | Optum,Triple S
241 | 1.6.2.3 | Training Gap Identification | | 0 days | Wed 7/25/18 | Wed 7/25/18 | 240 |
242 | 1.6.2.4 | Application Transition Training | | 39 days | Fri 6/1/18 | Wed 7/25/18 | |
243 | 1.6.2.4 | Develop Application Transition Traini | | 10 days | Fri 6/1/18 | Thu 6/14/18 | 227SS | Optum
244 | 1.6.2.4 | Review Application Transition Trainin | | 10 days | Fri 6/15/18 | Thu 6/28/18 | 243 | Triple S
245 | 1.6.2.4 | Revise Application Transition Training | | 10 days | Fri 6/29/18 | Thu 7/12/18 | 244 | Optum
246 | 1.6.2.4 | Deliver Application Transition Trainin | | 9 days | Fri 7/13/18 | Wed 7/25/18 | 245 | Optum,Triple S
247 | 1.6.2.4 | Application Transition Training | | 0 days | Wed 7/25/18 | Wed 7/25/18 | 227 |
248 | 1.6.2.4 | Critical Milestone: Implementation of the Managed IT Services | | 0 days | Wed 7/25/18 | Wed 7/25/18 | 247 |

   

 


ITO Cloud Transformation

| ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 249 | 1.6.2.5 | IT Business Application Support and Maintenance Transition - Solution Build Deliverable | | 264 days | Thu 7/26/18 | Tue 7/30/19 | | |
| 250 | 1.6.2.5 | Data Requirements | | 70 days | Thu 7/26/18 | Wed 10/31/18 | | |
| 251 | 1.6.2.5 | Develop Data Requirements | | 30 days | Thu 7/26/18 | Wed 9/5/18 | 227 | Optum |
| 252 | 1.6.2.5 | Review Data Requirements | | 10 days | Thu 9/6/18 | Wed 9/19/18 | 251 | Triple S |
| 253 | 1.6.2.5 | Revise Data Requirements | | 20 days | Thu 9/20/18 | Wed 10/17/18 | 252 | Optum |
| 254 | 1.6.2.5 | Finalize Data Requirements | | 10 days | Thu 10/18/18 | Wed 10/31/18 | 253 | Optum,Triple S |
| 255 | 1.6.2.5 | Data Requirements | | 0 days | Wed 10/31/18 | Wed 10/31/18 | 254 | |
| 256 | 1.6.2.5 | Security and Risk Assessment | | 42 days | Thu 11/1/18 | Fri 12/28/18 | | |
| 257 | 1.6.2.5 | Develop Security and Risk Assessm | | 30 days | Thu 11/1/18 | Wed 12/12/18 | 255 | Optum |
| 258 | 1.6.2.5 | Review Security and Risk Assessme | | 5 days | Thu 12/13/18 | Wed 12/19/18 | 257 | Triple S |
| 259 | 1.6.2.5 | Revise Security and Risk Assessmen | | 5 days | Thu 12/20/18 | Wed 12/26/18 | 258 | Optum |
| 260 | 1.6.2.5 | Finalize Security and Risk Assessme | | 2 days | Thu 12/27/18 | Fri 12/28/18 | 259 | Optum,Triple S |
| 261 | 1.6.2.5 | Security and Risk Assessment | | 0 days | Fri 12/28/18 | Fri 12/28/18 | 260 | |
| 262 | 1.6.2.5 | Technology Standardization Mapping | | 130 days | Mon 12/31/18 | Fri 6/28/19 | | |
| 263 | 1.6.2.5 | Develop Technology Standardization Mapping | | 70 days | Mon 12/31/18 | Fri 4/5/19 | 261 | Optum |
| 264 | 1.6.2.5 | Review Technology Standardization Mapping | | 20 days | Mon 4/8/19 | Fri 5/3/19 | 263 | Triple S |
| 265 | 1.6.2.5 | Revise Technology Standardization Mapping | | 20 days | Mon 5/6/19 | Fri 5/31/19 | 264 | Optum |
| 266 | 1.6.2.5 | Finalize Technology Standardization Mapping | | 20 days | Mon 6/3/19 | Fri 6/28/19 | 265 | Optum,Triple S |
| 267 | 1.6.2.5 | Technology Standardization Mappi | | 0 days | Fri 6/28/19 | Fri 6/28/19 | 266 | |
| 268 | 1.6.2.5 | Integration Architecture View | | 47 days | Mon 5/6/19 | Tue 7/9/19 | | |
| 269 | 1.6.2.5 | Develop Integration Architecture V | | 30 days | Mon 5/6/19 | Fri 6/14/19 | 264 | Optum |
| 270 | 1.6.2.5 | Review Integration Architecture Vie | | 10 days | Mon 6/17/19 | Fri 6/28/19 | 269 | Triple S |
| 271 | 1.6.2.5 | Revise Integration Architecture Vie | | 5 days | Mon 7/1/19 | Fri 7/5/19 | 270 | Optum |
| 272 | 1.6.2.5 | Finalize Integration Architecture Vi | | 2 days | Mon 7/8/19 | Tue 7/9/19 | 271 | Optum,Triple S |
| 273 | 1.6.2.5 | Integration Architecture View | | 0 days | Tue 7/9/19 | Tue 7/9/19 | 272 | |
| 274 | 1.6.2.5 | Future state IT Business and Support Maintenance Operational Model | | 62 days | Mon 5/6/19 | Tue 7/30/19 | | |
| 275 | 1.6.2.5 | Develop Future state IT Business and Support Maintenance Operational Model | | 30 days | Mon 5/6/19 | Fri 6/14/19 | 264 | Optum |

    

 


ITO Cloud Transformation

| ID | WBS | Task Name | Phase | Duration | Start | Finish | Predecessors | Resource Names |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 276 | 1.6.2.5 | Review Future state IT Business and Support Maintenance Operational Model | | 10 days | Mon 6/17/19 | Fri 6/28/19 | 275 | Triple S |
| 277 | 1.6.2.5 | Revise Future state IT Business and Support Maintenance Operational Model | | 12 days | Mon 7/1/19 | Tue 7/16/19 | 276 | Optum |
| 278 | 1.6.2.5 | Finalize Future state IT Business and Support Maintenance Operational Model | | 10 days | Wed 7/17/19 | Tue 7/30/19 | 277 | Optum,Triple S |
| 279 | 1.6.2.5 | Future state IT Business and Support Maintenance Operational | | 0 days | Tue 7/30/19 | Tue 7/30/19 | 278 | Optum,Triple S |
| 280 | 1.6.2.5 | Transition Confirmation | | 0 days | Tue 7/30/19 | Tue 7/30/19 | 278 | Triple S |
| 281 | 1.6.2.5 | Critical Milestone: Migration of In-Scope Applications and Triple-S Data to the Managed IT Services Environment | | 0 days | Tue 7/30/19 | Tue 7/30/19 | 279 | |
| 282 | 1.7 | Stabilize | | 22 days | Mon 7/1/19 | Tue 7/30/19 | | |
| 283 | 1.7.1 | Operations Reports | | 22 days | Mon 7/1/19 | Tue 7/30/19 | | |
| 284 | 1.7.1.1 | Develop Operations Reports | | 10 days | Mon 7/1/19 | Fri 7/12/19 | 267 | Optum |
| 285 | 1.7.1.2 | Review Operations Reports | | 5 days | Mon 7/15/19 | Fri 7/19/19 | 284 | Triple S |
| 286 | 1.7.1.3 | Revise Operations Reports | | 5 days | Mon 7/22/19 | Fri 7/26/19 | 285 | Optum |
| 287 | 1.7.1.4 | Finalize Operations Reports | | 2 days | Mon 7/29/19 | Tue 7/30/19 | 286 | Optum,Triple S |
| 288 | 1.7.1.5 | Operations Reports | | 0 days | Tue 7/30/19 | Tue 7/30/19 | 287 | |
| 289 | 1.8 | Managed Hosting Services | | 22 days | Mon 7/1/19 | Tue 7/30/19 | | |
| 290 | 1.8.1 | Quarterly Business Report (QBR) | | 22 days | Mon 7/1/19 | Tue 7/30/19 | | |
| 291 | 1.8.1.1 | Develop Quarterly Business Report (QBR | | 10 days | Mon 7/1/19 | Fri 7/12/19 | 267 | Optum |
| 292 | 1.8.1.2 | Review Quarterly Business Report (QBR) | | 5 days | Mon 7/15/19 | Fri 7/19/19 | 291 | Triple S |
| 293 | 1.8.1.3 | Revise Quarterly Business Report (QBR) | | 5 days | Mon 7/22/19 | Fri 7/26/19 | 292 | Optum |
| 294 | 1.8.1.4 | Finalize Quarterly Business Report (QBR | | 2 days | Mon 7/29/19 | Tue 7/30/19 | 293 | Optum,Triple S |
| 295 | 1.8.1.5 | Quarterly Business Report (QBR) | | 0 days | Tue 7/30/19 | Tue 7/30/19 | 294 | |

 

 

 




SOW 02 - Exhibit A-3-3

 




STATEMENT OF WORK #2

 

EXHIBIT A-3-3

 

TRANSITION AND TRANSFORMATION MILESTONES

SOW #2 (IT Services)

Exhibit A-3-3

Transition and Transformation Milestones

In accordance with SOW #2, Supplier will provide the Transition Services for IT
Services in accordance with the Transition Milestones set forth below.

 

Based upon the knowledge and information gained during, and outcomes of, the
Assessment, the Parties may mutually agree to modify one (1) or more of the
Transition Milestone Completion Date(s) set forth below.

 

| # | Critical Milestone | Acceptance Criteria | Critical Milestone Completion Date |
| --- | --- | --- | --- |
| 1 | Day One IT Services | Supplier commences performance of the Day One IT Services | 30 days after the Effective Date |
| 2 | Assessment Deliverables | Supplier delivers to Triple-S the Deliverables required in connection with Assessment. | 7 months after the Effective Date |
| 3 | Solution Build Deliverables | Supplier delivers to Triple-S the Solution Build Deliverables described in Section [4.1] of Schedule A-2 (IT Solution Description). | 10 months after the Effective Date |
| 4 | Implementation of the Managed IT Services Environments | Supplier completes implementation of the Managed IT Services Environments (as the Environments are defined following completion of Assessment) according to the Transition Plan. | 12 months after the Effective Date |
| 5 | Migration of In-Scope Applications and Triple-S Data to the Managed IT Services Environment | Supplier completes migration and begins productive use of the Managed IT Services Environment. | 20 months after the Effective Date |

 

[***] Hosting

 

Triple-S may elect to enter into a new agreement with [***] for the transition
of [***] to a new hosting environment (e.g., [***] may host [***] at a [***] or
third party data center). If Triple-S does not do so, Triple-S will remain
responsible for (i) hosting [***] in its existing data center or in a new
Triple-S hosting environment; and (ii) continuing to provide data center space
for the servers and storage supporting any In-Scope Applications that cannot be
migrated to a new environment due to such election
by Triple-S. In any case, Supplier will continue to provide the Services that
require the use and support of [***] and continue to cooperate with Triple-S in
identifying the optimal hosting solution.

 

Dependencies

 

The Parties acknowledge that there are certain dependencies for achieving the
Transition Milestone Completion Dates, as such dependencies are set forth below.
Supplier may seek relief for such dependencies only to the extent (a) Supplier’s
delay in achieving a milestone results directly from the occurrence of one or
more dependencies, (b) Supplier provides Triple-S with reasonable notice of such
occurrence and the anticipated impact on milestone completion, and (c) Supplier
uses Commercially Reasonable Efforts to timely achieve the milestone
notwithstanding such occurrence.

 

1. Triple-S to obtain Required Consents necessary for Supplier to access and use
resources to be provided by Triple-S in accordance with Section 9.7 of the
General Terms and Conditions.



2. Triple-S to provide business strategy and decommissioning requirements for
the In-Scope Applications.

 



 


 SOW 02 Exhibit B (IT Service Levels)

 


STATEMENT OF WORK #2

 

EXHIBIT B

 

IT SERVICE LEVELS

This Exhibit B consists of the following attachments:
- Exhibit B-1: Service Level Metrics
- Exhibit B-2: Service Level Definitions

 

 




  SOW 2 Exhibit B-1

 


| # | Category | Service Level Name | Description | Service Level Metric (all Long-Term SLAs, unless otherwise indicated) | Formula | Measurement Window | Measurement Tool | CPI / KPI | Service Points | Continuous Improvement (Y/N) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | Applications | | | | | | | | | |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| | Medicare Advantage B2B | | | | | | | | | |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| | Infrastructure / Help Desk | | | | | | | | | |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |
| [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] | [***] |

 

 

 



SOW 2 Exhibit B

Service Levels

 


EXHIBIT B-2  

SERVICE LEVEL DEFINITIONS

 



| Term | Definition |
| --- | --- |
| Actual Uptime | The aggregate time during the Scheduled Uptime in any calendar month during which the applicable Equipment, Software, network devices, Services, or Triple-S Data are Available for Use. |
| Availability | The extent to which such Equipment, Software, network devices, Services and Triple-S Data are actually Available for Use. |
| Available for Use | The ability of Equipment, Software, network devices, Services, or Triple-S Data (and all applicable functionality) to be accessed and used by Triple-S and all of its applicable end users in accordance with normal operations (including, as applicable, Equipment and Software specifications and committed levels of service), and without degradation of performance. |
| Baseline | Indicates a Service Level for which the Service Level Metric will be set using the baselining methodology set forth in Section 3.5 of Schedule B. |
| Batch Processing Completion Time | The time of day at which the last data bit of the output of a completed processing job is Available for Use. |
| Configuration or Configuration Change | A Configuration or Configuration Change includes updates / upgrades to versions of installed software packages and hardware. |
| Criticality 1 Application | Means an Application marked as "1" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Criticality 2 Application | Means an Application marked as "2" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Criticality 3 Application | Means an Application marked as "3" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Criticality 4 Application | Means an Application marked as "4" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Criticality 5 Application | Means an Application marked as "5" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Criticality 6 Application | Means an Application marked as "6" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Criticality 7 Application | Means an Application marked as "7" in the "SLA Criticality" column in the Application tab of Schedule X. |
| Incident | An event that causes or may cause interruption to or a reduction in the service delivered through or by an Element or Process. |
| Patch | A piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance. |
| Priority 1 Incident | Priority 1 Incident means an Incident that severely impacts or has the potential to severely impact mission critical business operations or has high visibility to customers. |
| Priority 2 Incident | Priority 2 Incident means an Incident that significantly impacts mission critical business operations or has moderate visibility to external customers. |

 


| Term | Definition |
| --- | --- |
| Priority 3 Incident | Priority 3 Incident means an Incident that impacts (i) a non-critical (a) In-Scope Application; (b) system; or (c) component for a limited number of End Users; or (ii) the ability of one or a limited number of End Users to perform their primary function. |
| Priority 4 Incident | Priority 4 Incident means an Incident that impacts a single End User’s ability to perform his or her job function. |
| Resolution Time | For any Incident, the elapsed time between (i) the earlier of the moment that an Incident is reported (by an end user, monitoring log or other automated alert) or the moment that Supplier otherwise becomes aware of such Incident; and (ii) the moment that the affected Equipment, Software, network device, or Service is restored to normal operations in accordance with applicable Service Levels and specifications. |
| Response Time | For any Incident, the elapsed time between (i) the earlier of the moment that an Incident is reported (by an end user, monitoring log or other automated alert) or the moment that Supplier otherwise becomes aware of such Incident, and (ii) the moment the relevant Supplier Personnel is assigned such Incident Ticket and Triple-S is notified. |
| Root Cause Analysis Report | A completed analysis or action plan for root cause remediation that: (i) identifies, in a level of detail and at a level of accuracy that is reasonably complete under the circumstances, the actual root cause(s) of a Priority 1 Incident or Priority 2 Incident, and (ii) describes the means by which Supplier proposes to address such root cause(s) of such Incident (including appropriate measures to prevent recurrence of such problems and minimize risks to Triple-S). For the avoidance of doubt, a Root Cause Analysis determines the analysis performed by Supplier and not the remediation Services themselves. |
| Scheduled Uptime | With respect to a Service Level, the time during which the applicable corresponding Equipment, Software, network devices, Services or Triple-S Data for which Supplier is responsible are scheduled to be Available for Use during the applicable Measurement Period. Scheduled Uptime is 24x7, less mutually agreed scheduled maintenance windows. The Parties will document such scheduled maintenance windows in the Desktop Procedures Manual. |
| Service Request | A user request for information or advice, or for a minor/standard change (a pre-approved change) or for access to an IT service. (E.g., password reset) |
| Security Incident | Has the meaning provided in Schedule L (IT Security Addendum). |
| SR Completion Time | For a Service Request, the elapsed time between (i) the earlier of the moment that an Service Request is submitted; and (ii) the moment that the Service Request is satisfactorily completed. |

 


| Term | Definition |
| --- | --- |
| SR Response Time | For a Service Request, the elapsed time between (i) the earlier of the moment that a Service Request is submitted, and (ii) the moment the relevant Supplier Personnel is assigned such Service Request and Triple-S is notified. |
| "timely" or "on a timely basis" | With respect to a Service Level, within the timeframes set forth within the "Description" column or "Service Level Metric" column of Exhibit B-1, as applicable. |

 


