EXHIBIT 10.3

TRANSITION SERVICES AGREEMENT

THIS TRANSITION SERVICES AGREEMENT (this “Agreement”) is made as of August 31,
2007, by and between ARCELOR S.A., a Luxembourg corporation with an address at
19, avenue de la Liberté, L-2930 Luxembourg (“Arcelor”) and NOBLE EUROPEAN
HOLDINGS B.V., a private limited liability company (besloten vennootschap)
organized under the laws of the Netherland with an address at 28213 Van Dyke
Avenue, Warren, Michigan 48093 USA (“Noble BV”).

Recitals

A. Noble International, Ltd. (“Noble”) and Arcelor have entered into a Share
Purchase Agreement, dated March 15, 2007 (the “Purchase Agreement”), providing,
among other things, for the acquisition by Noble of the laser-welding assets and
certain related liabilities of Arcelor (the “TBA Business”) in exchange for
cash, a subordinated promissory note and 9,375,000 shares of common stock of
Noble (the “Acquisition”). Execution and delivery of this Agreement is a
condition to the effectiveness of the Acquisition. Capitalized terms used herein
and not otherwise defined herein have the meanings specified in the Purchase
Agreement.

B. At the request of certain commercial lenders, Noble, Noble BV, Noble TSA,
LLC, a Delaware limited liability company (“Noble, LLC”) and Arcelor have
entered into an Assignment and Assumption Agreement on the date hereof whereby
Noble assigned its contractual rights under the Purchase Agreement with regard
to purchasing TB Holding, BV, a private limited liability company (besloten
vennotschap) organized under the laws of the Netherlands to Noble BV and Noble
assigned its contractual rights in the Purchase Agreement with regard to
purchasing Tailor Steel America, LLC, a Delaware limited liability company to
Noble, LLC.

C. In order to provide a smooth transition of the TBA Business from Arcelor to
Noble BV, the parties desire to enter into an interim arrangement for the
provision of certain transition services on the terms and conditions set forth
herein.

Terms of Agreement

Accordingly, the parties hereby agree as follows:

1. General Cooperation. During the term of this Agreement, the parties shall use
their reasonable efforts to cooperate with each other with a view to achieving a
smooth transition following the Acquisition, including (a) permitting Noble BV
to manage the TBA Business efficiently while integrating the TBA Business into
Noble BV’s business, and (b) permitting Arcelor to fulfill any contractual or
other obligations not transferred to Noble BV that would, but for the
Acquisition, have been be fulfilled by Arcelor through the TBA Business.

2. Services to be Provided. Subject to the terms and conditions of this
Agreement, (a) Arcelor, directly or through one or more of its Affiliates, shall
provide to Noble BV the corporate, financial, legal, human resources,
accounting, controlling, administrative, on-site support, payroll management,
training, SAP software and maintenance support, software and hardware supply,
support and



--------------------------------------------------------------------------------

maintenance, network access and other services and support described on
Schedule A to this Agreement (collectively, the “Arcelor Services”), in each
case, on the same terms and conditions as such services were provided to the
Group Members effective as of January 1, 2007; and (b) Noble BV, directly or
through one or more of its Affiliates, shall provide to Arcelor all such
reasonable transition services as Arcelor and its Affiliates need or that are
desirable in order to fulfill any contractual or other obligations not
transferred to Noble BV that would, but for the Acquisition, be fulfilled by
Arcelor or its Affiliates with use of the personnel and assets of the TBA
Business and the other services and support (if any) described on Schedule B to
this Agreement (collectively, the “Noble BV Services”, and together with the
Arcelor Services, the “Services”). The Arcelor Services are services which
Arcelor, directly or through one or more of its Affiliates, provided to the TBA
Business during the 24 months prior to the date of this Agreement. Each of Noble
BV (with respect to the Arcelor Services listed on Schedule A) and Arcelor (with
respect to the Noble BV Services listed on Schedule B) acknowledges and agrees
that the services listed are, to the best of its knowledge and belief, all of
the services it will require the other party to perform under this Agreement.

3. Transition. During the term of this Agreement, each party shall use
commercially reasonable efforts to obtain the Arcelor Services or the Noble BV
Services, as applicable, independently of the other party as soon as reasonably
practicable. Arcelor shall provide such assistance as may be reasonably
requested by Noble BV to transition the Arcelor Services to Noble BV or a third
party provider. Noble BV shall provide such assistance as may be reasonably
requested by Arcelor to transition the Noble BV Services to Arcelor or a third
party provider. Arcelor shall terminate, at no cost to Noble BV, all agreements
between any Group Member, on one hand, and Arcelor or any of its non-Group
Member Affiliates, on the other hand, under which the Arcelor Services were
provided prior to the date hereof.

4. Compensation for Arcelor Services. In consideration for the Arcelor Services,
Noble BV shall pay to Arcelor the prices invoiced by Arcelor from time to time,
which prices shall equal the prices paid by the Group Members for such services
as of January 1, 2007; provided, that the aggregate amount charged to Noble BV
for the Arcelor Services for each of the first two years of the Term shall not
exceed €3,300,000 (the “Maximum Annual Fee”). During the first six months of the
Term, Arcelor shall pay any and all one-time fees payable to third-party
providers in connection with the transition of the Arcelor Services to Noble BV,
and such costs shall be included in the Maximum Annual Fee. Thereafter, Arcelor
may charge to Noble BV, and Noble BV shall reimburse Arcelor for, any such
one-time fees payable to third-party providers without regard to the Maximum
Annual Fee. Arcelor shall invoice Noble BV at least quarterly for the Arcelor
Services. Except as otherwise expressly set forth in Schedule A to this
Agreement, all amounts due under this Section 4 shall be paid by Noble BV within
30 days after the end of the month in which the Arcelor invoice is issued.

5. Compensation for Noble BV Services. In consideration for the Noble BV
Services, Arcelor shall pay to Noble BV the prices invoiced by Noble BV from
time to time, which prices shall not exceed the direct internal cost (excluding
overhead) actually incurred by Noble BV to provide such Noble BV Services,
without mark-up. Noble BV shall invoice Arcelor at least quarterly for the Noble
BV Services. Except as otherwise expressly set forth in Schedule B to this
Agreement, all amounts due under this Section 5 shall be paid by Arcelor within
30 days after the end of the month in which the Noble BV invoice is issued.

 

- 2 -



--------------------------------------------------------------------------------

6. Performance Standard. Each party shall provide, or cause its Affiliates to
provide, the Arcelor Services or Noble BV Services in accordance with all
applicable laws and otherwise in the same general manner as the same or similar
services were provided in connection with the TBA Business immediately prior to
the date of this Agreement.

7. Employee Obligations. Except as expressly set forth in the Purchase Agreement
or the Schedules hereto, each party and its Affiliates (a) shall be solely
responsible for payment of compensation to their employees for the provision of
services hereunder; (b) shall be solely responsible for maintenance of and
payment for such party’s employee benefits including retirement plans, health
insurance and life insurance; (c) shall be solely responsible for any injury to
such employees suffered in the course of providing services hereunder other than
injuries arising from the gross negligence or willful misconduct of employees or
agents of the other party, compensation for which shall be the sole
responsibility of such other party; and (d) shall have full responsibility for
payment of all federal, state and local taxes or contributions imposed or
required under unemployment insurance, social security and income tax laws with
respect to such party’s or its Affiliates’ employees.

8. Audit of Books and Records.

(a) During the Term and for a period of 9 months thereafter, each party (the
“Audited Party”) and its Affiliates shall permit the other party (the “Auditing
Party”) and its Affiliates and the Auditing Party’s employees, auditors and
other representatives to have reasonable access, during normal business hours
and upon reasonable advance notice, to the books and records of the Audited
Party and its Affiliates, to the extent such access is reasonably required to
verify the accuracy of the amounts charged by the Audited Party or its
Affiliates pursuant to Section 4 or Section 5 of this Agreement. Audits pursuant
to this Section 8(a) may be requested no more frequently than once per calendar
year.

(b) If an audit pursuant to Section 8(a) reveals an overcharge, and the Audited
Party or its Affiliates do not successfully justify any charge questioned by
such audit, the Audited Party or its Affiliates shall promptly pay to the
Auditing Party or its Affiliates the amount of such overcharge, together with
interest from the date of receipt of such overcharge to the date of payment at a
rate per annum equal to LIBOR, plus 100 basis points. (For purposes of this
Agreement, “LIBOR” means, at the time in question, the rate per annum appearing
on Barron’s Online Money Rates
(http://online.barrons.com/public/page/mlab_money_rates.html) (or any successor
Internet site) as the latest LIBOR Interbank Rate in U.S. dollars for
a six-month term.) In addition, if any such audit reveals an overcharge of more
than 10% of the audited invoices in the aggregate for the audited period, the
Audited Party or its Affiliates shall promptly reimburse the Auditing Party or
its Affiliates for the actual out-of-pocket cost of such audit (including
auditor’s fees).

 

- 3 -



--------------------------------------------------------------------------------

(c) Upon request by either party, the parties shall meet promptly upon the
completion of any audit or the issuance of an interim or final report to the
parties following such audit (but in no event more than 15 days after the later
thereof). The parties shall develop and agree upon an action plan to address and
resolve any issues discovered through such audit within 30 days, unless a
shorter resolution time is mutually agreed to by the parties in writing, and
shall implement any remedial action required to avoid the making of overcharges
in the future.

(d) During the Term and for a period of 9 months thereafter, the Audited Party
and its Affiliates shall permit the Auditing Party and its employees, auditors
and other representatives to have reasonable access, during normal business
hours and upon reasonable advance notice, to books and records and appropriate
personnel of the Audited Party and its Affiliates with respect to the TBA
Business, to the extent such access is reasonably requested by the Auditing
Party in order to permit the evaluation of, and any required reporting,
certifications and attestations with respect to, internal controls, processes
and systems in connection with the provision of the Services for purposes of
compliance with the Sarbanes-Oxley Act of 2002, as it may be amended from time
to time. Nothing in this Section 8(d) shall require an Audited Party to maintain
its books and records relating to the Services in a manner inconsistent with the
manner that it maintains its books and records with respect to its other
businesses. If the Auditing Party requests a change to the Audited Party’s
internal controls, processes or systems, the Auditing Party shall bear the cost
of any change that is agreed to by the Audited Party.

9. Coordination Meetings. The parties agree to meet not less frequently than
quarterly to discuss the Services as well as problems that arise in connection
with the Services. Each party agrees to provide the other party reasonable
advance notice of any issues to be addressed at such coordination meetings. Each
party shall be represented at these meetings by an executive authorized to
resolve disputes that may arise under this Agreement or in connection with the
Services. These meetings may overlap with coordination meetings required under
other Ancillary Agreements.

10. Confidentiality Obligations.

(a) During the Term and thereafter, each party and its Affiliates shall maintain
the confidentiality of all confidential and proprietary information of the other
party and its Affiliates (collectively, “Confidential Information”) and shall
not disclose such Confidential Information without the prior written consent of
the other party, except for (i) disclosures that are required by applicable law,
(ii) disclosures that are required to enforce the rights of such party under
this Agreement, and (iii) disclosures to any of such party’s Affiliates or other
representatives and agents that such party reasonably believes needs to know
such Confidential Information to perform its obligations hereunder; provided,
that, before any disclosure is made pursuant to applicable law, the disclosing
party shall, if permitted by applicable law, give advance written notice of such
disclosure to the other party so that such other party may seek a protective
order against such disclosure. In the absence or unavailability of any such
protective order, the disclosing party shall take all reasonable and lawful
actions to seek confidential treatment for such disclosure and, to the extent
practicable, to minimize the extent of such disclosure. Without limiting the
foregoing, the parties and their Affiliates shall utilize the same methods and
practices in the protection of the other’s Confidential Information as each
utilizes in protecting its own Confidential Information.

 

- 4 -



--------------------------------------------------------------------------------

(b) Upon the earlier of the expiration of this Agreement or the written request
of the owner of the Confidential Information, (i) all Confidential Information
received by a party and its Affiliates shall be returned to the owner thereof;
(ii) no copies of Confidential Information shall be retained by any receiving
party or any of its Affiliates; and (iii) no receiving party nor any of its
Affiliates shall thereafter utilize the Confidential Information of the other
party in any respect whatsoever.

(c) The parties shall be responsible for any breach of this Section 10 by their
respective Affiliates, representatives and agents. The parties’ obligations
under this Section 10 shall survive the expiration or termination of this
Agreement.

11. Termination.

(a) Unless the parties mutually agree to extend the term of this Agreement, the
term of this Agreement (the “Term”) shall commence on the date hereof and shall
continue for a period of three years for all Arcelor Services and Noble BV
Services other than Arcelor Services that are information technology-related
services which shall continue for a period of four years.

(b) Noble BV may terminate any Arcelor Service, in whole or in part, prior to
the expiration of the Term, by providing to Arcelor written notice of
termination not less than 90 calendar days (or any shorter period to which
Arcelor has consented in writing) before the effective date of such termination,
in which case the provision of such Arcelor Service hereunder shall terminate at
the end of the period specified in such notice; provided, that termination of
any or all Arcelor Services shall not operate as a termination of this
Agreement.

(c) Arcelor may terminate any Noble BV Service, in whole or in part, prior to
the expiration of the Term, by providing Noble BV written notice of termination
not less than 90 calendar days (or any shorter period to which Noble BV has
consented in writing) before the effective date of such termination, in which
case the provision of such Noble BV Service hereunder shall terminate at the end
of the period specified in such notice; provided, that termination of any or all
Noble BV Services shall not operate as a termination of this Agreement.

(d) Subject to the provisions of Section 12 of this Agreement, this Agreement
may be terminated by either party if:

(i) the other party is in material breach of any provision of this Agreement;
provided that the party seeking to terminate this Agreement for breach shall
notify the other party in writing of such breach and provide such other party
with 30 calendar days to cure such breach; or

(ii) (A) the other party files a petition for bankruptcy or is otherwise
declared or adjudicated to be bankrupt or insolvent, (B) a petition for
bankruptcy is filed against the other party and such petition is not dismissed
within 90 calendar days, or (C) either party discontinues its business or
voluntarily submits to, or is ordered by a bankruptcy court to undergo
liquidation pursuant to Chapter 7 of the U.S. Bankruptcy Code, as amended, or
any successor thereto.

 

- 5 -



--------------------------------------------------------------------------------

(e) Termination of this Agreement shall not release any party from any
obligation accrued prior to the date of such termination.

(f) The agreements set forth in Section 4 (Compensation for Arcelor Services),
Section 5 (Compensation for Noble BV Services), Section 8 (Audit of Books and
Records), Section 10 (Confidentiality), Section 12 (Indemnification) and
Section 13 (Miscellaneous) hereof shall survive termination of this Agreement
for any reason.

12. Indemnification. Each party shall indemnify, defend and hold harmless the
other party and the other party’s shareholders, Affiliates, and its and their
respective directors, officers, employees, controlling persons and agents (each
an “Indemnified Party”), from and against all claims asserted against, resulting
to, imposed upon or incurred by such Indemnified Party, directly or indirectly,
by reason of, arising out of or resulting from (a) the breach of any
representation, warranty or covenant made by such party in this Agreement or
(b) the gross negligence or willful misconduct on the part such party or any of
its Affiliates, employees, agents, representatives or licensees in connection
with the performance of such party’s obligations under this Agreement. Any such
indemnification shall be subject to the procedures set forth in Section 14.6
(Procedure for Indemnification Claims) of the Purchase Agreement.

13. Relationship of Parties. The parties understand and agree that this
Agreement does not make either of them an agent or legal representative of the
other for any purpose whatsoever. No party is granted by this Agreement any
right or authority to assume or create any obligation or responsibilities,
express or implied, on behalf of or in the name of any other party, or to bind
any other party in any manner whatsoever. The parties expressly acknowledge that
(a) the parties and their respective Affiliates are independent contractors in
all respects, including with respect to the provision of the Arcelor Services
and the Noble BV Services; and (b) the parties are not partners, joint
venturers, employees or agents of or with each other.

14. No Third Party Beneficiaries. This Agreement is for the sole benefit of the
parties hereto, and nothing herein expressed or implied shall give or be
construed to give any other person any legal or equitable rights.

15. Miscellaneous.

(a) Notices. All notices, requests, claims, demands or other communications that
are required or may be given to Noble BV or Arcelor pursuant to the terms of
this Agreement shall be given in accordance with Section 17.3 (Notices) of the
Purchase Agreement.

(b) Entire Agreement. This Agreement (including the Schedules attached hereto)
contains the entire agreement between the parties with respect to the subject
matter hereof and supersedes all prior agreements, written or oral, with respect
thereto.

(c) Waivers and Amendments. This Agreement may be amended, superseded, canceled,
renewed or extended only by a written instrument signed by all of the parties.
The provisions hereof may be waived only in writing signed by the party or
parties waiving compliance. No delay on the part of any party in exercising any
right, power or privilege hereunder shall operate as a waiver thereof, nor shall
any waiver on the part of any party of any such right, power or privilege, nor
any single or partial exercise of any such right, power or privilege, preclude
any further exercise thereof or the exercise of any other such right, power or
privilege.

 

- 6 -



--------------------------------------------------------------------------------

(d) Severability. If any provision of this Agreement for any reason shall be
held to be illegal, invalid or unenforceable, such illegality shall not affect
any other provision of this Agreement, but this Agreement shall be construed as
if such illegal, invalid or unenforceable provision had never been included
herein.

(e) Assignment; Binding Effect; Benefit. No assignment by any party of its
rights nor delegation by any party of its obligations under this Agreement shall
be permitted unless the other party consents in writing thereto, except that
Noble BV may, in its sole discretion and without the consent of Arcelor, assign
any or all of Noble BV’s rights, interests and obligations under this Agreement
to any assignee of Noble BV’s rights under the Purchase Agreement, provided that
no such assignment shall relieve Noble BV of any obligation hereunder. This
Agreement shall be binding upon and shall inure to the benefit of the parties
and their respective successors and permitted assigns.

(f) Governing Law; Submission to Jurisdiction. This Agreement shall be governed
by, and construed and enforced in accordance with, the laws of France other than
conflict of laws principles thereof directing the application of any law other
than that of France. The provisions of Section 17.7, subsections (b), (c),
(d) and (e) (Venue; Waiver of Jury Trial), of the Purchase Agreement are hereby
incorporated in this Agreement, mutatis mutandis, as if fully set forth herein.

(g) Interpretation. The parties have participated jointly in the negotiation and
drafting of this Agreement. In the event an ambiguity or question of intent or
interpretation arises, this Agreement shall be construed as if drafted jointly
by the parties, and no presumption or burden of proof shall arise favoring or
disfavoring any party by virtue of the authorship of any provisions of this
Agreement.

(h) Rules of Construction. All definitions shall apply equally to both the
singular and plural forms of the terms defined. Whenever the context may
require, any pronoun shall include the corresponding masculine, feminine and
neuter forms. The words “include,” “includes” and “including” shall be deemed to
be followed by the phrase “but not limited to.” “Or” shall be disjunctive but
not necessarily exclusive. All references herein to Sections and Schedules shall
be deemed references to Sections of and Schedules to this Agreement unless the
context otherwise requires. Words such as “herein,” “hereof,” “hereto,” “hereby”
and “hereunder” refer to this Agreement and to the Schedules, taken as a whole.
Except as otherwise expressly provided herein, any reference in this Agreement
to any agreement shall mean such agreement as amended, restated, supplemented or
otherwise modified from time to time. The captions to Sections and subdivisions
thereof shall not be deemed to be a part of this Agreement.

(i) Counterparts. This Agreement may be executed and delivered (including by
facsimile transmission) in one or more counterparts, and by the different
parties in separate counterparts, each of which when executed and delivered
shall be deemed to be an original but all of which taken together shall
constitute one and the same agreement.

[Signature Page Follows]

 

- 7 -



--------------------------------------------------------------------------------

Execution

IN WITNESS WHEREOF, the undersigned have duly executed and delivered this
Transition Services Agreement as of the date first written above.

 

ARCELOR S.A. By:  

 

Name:   Title:   By:  

 

Name:   Title:   NOBLE EUROPEAN HOLDINGS B.V. By:  

 

Name:   Title:  

 

- 8 -



--------------------------------------------------------------------------------

SCHEDULE A

TO TRANSITION SERVICES AGREEMENT

Arcelor Services

Attached.

 

- 9 -



--------------------------------------------------------------------------------

SCHEDULE B

TO TRANSITION SERVICES AGREEMENT

Noble BV Services

Attached.

 

- 10 -



--------------------------------------------------------------------------------

SCHEDULE A

TO TRANSITION SERVICES AGREEMENT

Arcelor Services

This Schedule A sets forth a summary description of the Arcelor Services to be
provided under the terms of this Agreement and is comprised of the following
parts:

a. Part I which is a non-exclusive and illustrative description of the Arcelor
Services; and

b. Part II which contains more detailed descriptions of those services described
on Part I and written descriptions of certain oral arrangements for services not
described on Part I.



--------------------------------------------------------------------------------

Confidential

 

LOGO [g80433image_ex103p13.jpg]   List of Contracts* with Arcelor entities

 

--------------------------------------------------------------------------------

 

#   

Service

  

ATB party

  

Arcelor party

  

Written
document

  

Document

collected

  

Signature date

  

End date

  

2007 Cost
(BP)

1       TB Lorraine    Arcelor SA    Yes    No    Perpetual    Perpetual       8
Corporate Service Contracts    Sidmar    Arcelor SA    Yes    No    Perpetual   
Perpetual       including services in: Financial, Legal, Human Resources    TB
Genk    Arcelor SA    Yes    No    Perpetual    Perpetual       +    TB Zaragoza
   Arcelor SA    Yes    No    Perpetual    Perpetual    €500K    8 Sector fee
contracts (support    TB Bremen    Arcelor SA    Yes    No    Perpetual   
Perpetual       on accounting, controlling and    TB Senica    Arcelor SA    Yes
   No    Perpetual    Perpetual       other sector level issues)    TSA   
Arcelor SA    Yes    No    Perpetual    Perpetual    16       LWB    Arcelor SA
   Yes    No    Perpetual    Perpetual    17       TB Gent    Sidmar    Yes   
Yes    Renewed yearly    Renewed yearly    €1012K 18    4 administrative and
on-site    TB Genk    Sikel    Yes    Yes    Renewed yearly    Renewed yearly   
€665K 19    support contracts    TB Bremen    Arcelor Bremen    Yes    Yes   
Renewed yearly    Renewed yearly    €305K 20       TB Zaragoza    Arcelor Spain
   Yes    Yes    Renewed yearly    Renewed yearly    ~€40K 21    1 Payroll
Management contract    TB Lorraine    USP    Yes    Bill    No info    No info
   €36K 22    1 Training contract    TB Zaragoza    Arcelor Univ    Yes    No   
No info    No info    0 23       TB Lorraine    Arcelor Systems    Yes    Yes   
End 2006    End 2007    24    5 SAP software support and    Sidmar    Arcelor
Systems    Yes    Yes    End 2006    End 2007    25    maintenance contracts   
TB Genk    Arcelor Systems    Yes    Yes    End 2006    End 2007    ~€200K 26   
   TB Zaragoza    Arcelor Systems    Yes    Yes    End 2006    End 2007    27   
   TB Senica    Arcelor Systems    Yes    Yes    End 2006    End 2007    28    4
Office soft & hardware supply,    TB Lorraine    Arcelor Techno.    Yes    Yes
   No info    No info    29    support and maintenance    Sidmar    Arcelor
Techno.    Yes    Yes    No info    No info    30    contracts    TB Genk   
Arcelor Techno.    Yes    Yes    No info    No info    31       TB Senica   
Arcelor Techno.    Yes    Yes    No info    No info    32       TB Lorraine   
Arcelor Techno.    Yes             ~€550K 33    7 Network access    Sidmar   
Arcelor Techno.    Yes             34    Agreements (no written    TB Genk   
Arcelor Techno.    Yes    N.A    N.A    N.A    35    contract)    TB Senica   
Arcelor Techno.    Yes             36       TB Zaragoza    Arcelor Techno.   
Yes             37       TB Bremen    Arcelor Techno.    Yes            

 

=> 37 contracts and agreements   TOTAL   €3.3M

Note: (*) These contracts do not include services covered by the steel supply &
service agreement, nor the supply of energy, transport to customers and
insurance



--------------------------------------------------------------------------------

SCHEDULE A

TO THE TRANSITION SERVICES AGREEMENT

Part II

ARCELOR SERVICES

 

A. Services Provided by Arcelor Steel Belgium N.V. (Genk Site) to Arcelor
Tailored Blank Genk N.V. B

 

B. Services Provided by Arcelor Bremen GmbH to Arcelor Tailored Blank Bremen

 

C. Services Provided by Steel Service Center of ArcelorMittal to Arcelor
Tailored Blank Senica in connection with lease for industrial premises

 

D. Legal Services Provided by ArcelorMittal Legal Affairs to TBA Companies

 

E. Human Resources Services and Various Support to TBA Companies

 

F. Services Provided by Arcelor Atlantique et Lorraine et al. to ATB Lorraine

 

G. Services Provided by Arcelor Spain Holding SL to Arcelor Tailored Blank
Zaragoza

 

H. IT Services

Appendix 1 – ATB Corporate

Appendix 2 – ATB Gent

Appendix 3 – ATB Bremen

Appendix 4 – ATB Senica

Appendix 5 – ATB Lorraine

Appendix 6 – List of People to be Contacted

Appendix 7 – ArcelorMittal Information Security Policies



--------------------------------------------------------------------------------

A. SERVICES PROVIDED BY ARCELOR STEEL BELGIUM N.V. (GENK SITE) TO ARCELOR
TAILORED BLANK GENK N.V.

1: Delivery of externally purchased natural gas

- Terms and conditions: same as those of the Arcelor Steel Belgium (Genk Site)
contract with Distrigas.

- Measurement:

 

  •  

The meter reading at the purchase point of Arcelor Steel Belgium (Genk Site) is
used as reference for the monthly billing for the consumption of gas by Arcelor
Tailored Blank Genk

 

  •  

The warehouse clerks of Arcelor Steel Belgium (Genk Site) records this meter
reading every first work day of the month and send it on to the bookkeeping
office at Arcelor Steel Belgium (Genk Site).

 

  •  

They then transmit these data to Arcelor Tailored Blank Genk.

- Fee: Costs in proportion to Arcelor Tailored Blank Genk’s consumption with
respect to Arcelor Steel Belgium (Genk Site)’s total consumption, increased by
10% as compensation for the fixed costs sustained by Arcelor Steel Belgium (Genk
Site). The cost of natural gas is not included in the annual cap under Section 4
of the Transition Services Agreement.

2: OWB processing, as follows:1

- Arcelor Tailored Blank Genk may give an order to Arcelor Steel Belgium (Genk
Site) for the processing of steel coils (SP-quality) on the rewinding inspection
line at Arcelor Steel Belgium (Genk Site). This processing may consist of:

 

  •  

Rewinding of steel coils

 

  •  

Inspecting of steel coils

 

  •  

Oiling of steel coils

 

  •  

Edge cutting of steel coils

 

  •  

Client coil shaping (slitting, welding) of steel coils

- Planning:

 

  •  

Orders must be communicated with 14 days notice to the planning department at
Arcelor Steel Belgium (Genk Site)

 

  •  

These coils are planned for the end of an Arcelor Steel Belgium (Genk Site) SP
campaign

- Price:

 

  •  

Processing of the coils on the rewinding line: unit price per processed ton 40
€/ton; including oil applied

 

  •  

Packing costs: calculated per coil in accordance with the desired packing code
and the applicable price list of the packing company

With respect to the foregoing, any services provided under the Steel Supply and
Arcelor Auto Services Agreement are excluded from the Transition Services
Agreement.

 

2



--------------------------------------------------------------------------------

3: Delivery of Demineralized water

Delivery of demineralized water, as follows:

- Purchase point:

Outside at the storage tank demiwater N001R

- Collecting:

 

  •  

Arcelor Tailored Blank Genk notifies the production team leaders in advance.

 

  •  

The quantities of water taken are transmitted to Arcelor Steel Belgium (Genk
Site)’s guest team leader.

 

  •  

The Arcelor Steel Belgium (Genk Site) installations are left in proper order,
care is taken that water does not flow away needlessly.

- Price: free of charge to the extent that collection remains restricted to a
maximum of 1 m3/week; collections exceeding 1 m3/week to be paid at 10 €/m3. Any
cost of demineralized water is not included in the annual cap under Section 4 of
the Transition Services Agreement.

4: Delivery of fuel oil

Delivery of fuel, as follows:

- Purchase point:

Pump at the height of gate 231 of the coil warehouse

- Inventory/use measurement:

 

  •  

Inventory/use measurement is be done on weekdays between 08:00 and 16:00 hours.
Arcelor Tailored Blank Genk must be accompanied by an Arcelor Steel Belgium
(Genk Site) warehouse clerk who must be advised in advance.

 

  •  

The tanked quantities each time are recorded by the warehouse clerk, signed for
receipt by Arcelor Tailored Blank Genk and transmitted to Arcelor Steel Belgium
(Genk Site)’s bookkeeping service.

- Price: spot price on the day of delivery. The cost of fuel oil is not included
in the annual cap under Section 4 of the Transition Services Agreement.

5: Delivery of Externally Provided Electricity2

Delivery of electricity as follows:

- Counter positions:

 

  •  

The meter readings of active and reactive energy in the rooms at Arcelor Steel
Belgium (Genk Site) to be used as reference for calculating the invoice for
electricity use by Arcelor Tailored Blank Genk.

 

  •  

The electricity office at Arcelor Steel Belgium (Genk Site) to record these
meter readings every first working day of the month and send them on to the
bookkeeping office at Arcelor Steel Belgium (Genk Site).

 

  •  

This office to then transmit these data to Arcelor Tailored Blank Genk.

- Price: 75.5 €/MWh The cost of electricity is not included in the annual cap
under Section 4 of the Transition Services Agreement.

 

3



--------------------------------------------------------------------------------

6: Use of physics lab

- Limited use, as follows, of the physics lab at Arcelor Steel Belgium (Genk
Site) for the following applications:

 

  •  

Performing Ericson tests

 

  •  

Performing tensile tests

 

  •  

Making a metallographical cross-section

Permission to use the lab and accessory apparatus must be separately requested
for each occasion from the responsible executives at Arcelor Steel Belgium (Genk
Site) (J. Bollen and S. Engelsen), who provide a written permit specifying the
stipulations (validity period, type of application, hours allowed, supervision
or guidance on the part of Arcelor Steel Belgium (Genk Site) personnel required
or not, permitted consumption of Arcelor Steel Belgium (Genk Site) goods, etc.).
In case of urgent or unexpected need for use of the physics lab, the consent of
the aforementioned executives must still be requested in advance. If this should
happen outside of the normal office working hours, the consent may only be given
by the engineer on duty.

Each time that Arcelor Tailored Blank Genk effectively wants to make use of
this, the production team leaders present must be advised and the written
consent must be submitted. The names of the Arcelor Tailored Blank Genk persons
present are recorded, together with the nature and duration of the activities
performed.

Arcelor Tailored Blank Genk sends trained and competent operators. The Arcelor
Steel Belgium (Genk Site) premises are left neat and clean. All refuse is placed
in the locations designated for that purpose. Any consumption of goods is
communicated to Arcelor Steel Belgium (Genk Site).

- Price:

 

  •  

per intervention: fixed cost of 50 €/hour of use (hours to be rounded up to the
higher unit)

 

  •  

assistance by Arcelor Steel Belgium (Genk Site) personnel: 30 €/hour

7: Spare parts warehouse

Limited use of the spare parts warehouse at Arcelor Steel Belgium (Genk Site),
as follows:

- Arcelor Tailored Blank Genk follows Arcelor Steel Belgium (Genk Site)’s
internal procedure.

- Access to the warehouse must be restricted to week days from 08:00 to 16:00.
Outside of these hours access may only be granted for urgent reasons by Arcelor
Steel Belgium (Genk Site)’s engineer on duty via the production team leaders.

- Price: actual purchase price of the spare parts taken + 15% The cost of spare
parts is not included in the annual cap under Section 4 of the Transition
Services Agreement.

8: Stocking pallets with blanks

Use of the Arcelor Steel Belgium (Genk Site) coil warehouse in order to
temporarily store pallets with blanks, as follows:

 

4



--------------------------------------------------------------------------------

- Terms and Conditions:

 

  •  

Arcelor Tailored Blank Genk each time contacts Arcelor Steel Belgium (Genk Site)
(shipping office) in advance in order to ascertain whether there is storage
capacity available at Arcelor Steel Belgium (Genk Site).

 

  •  

The quantities and the time periods are fixed in advance (a maximum of 2
months).

- Transportation:

 

  •  

Transportation of these pallets between Arcelor Tailored Blank Genk and Arcelor
Steel Belgium (Genk Site), both bringing them in and picking them up, is handled
by Arcelor Tailored Blank Genk with lift fork devices belonging to Arcelor
Tailored Blank Genk.

 

  •  

The normal routine at Arcelor Steel Belgium (Genk Site) may not be compromised
during this process.

 

  •  

This transportation preferably takes place between 08:00 and 16:00 hours, at
times when no rail cars are present in Arcelor Steel Belgium (Genk Site)’s
storage hall.

- Location:

 

  •  

A limited number of zones between the columns of column row C may be made
available if needed.

 

  •  

The normal passageways must at all times be kept free for both personnel, rail
cars and trucks.

- Protection:

 

  •  

Arcelor Tailored Blank Genk ensures that the stored goods are safely left in
place.

 

  •  

There may be no risk with regard to the safety of personnel.

 

  •  

Any protective devices against moisture and dust are installed by Arcelor
Tailored Blank Genk.

- Price: 300 €/month per zone between 2 columns that is used.

9: Road Salt

- Inclusion of the roads and the parking lot at Arcelor Tailored Blank Genk in
Arcelor Steel Belgium (Genk Site) road salt rounds.

Contact person:

All practical appointments regarding spreading of the salt to be made via the
Arcelor Steel Belgium (Genk Site) coordinator, Mr. L. Van Reusel

- Price: 20% of the total spreading cost (purchase of road salt and hours of
spreading service) The cost of road salt is not included in the annual cap under
Section 4 of the Transition Services Agreement.

10: Use of the First Aid station

Availability of First Aid services to Arcelor Tailored Blank Genk, as follows:

- The use of the Arcelor Steel Belgium (Genk Site) First Aid station to be
allowed in exceptional cases of urgent basic assistance where no direct
intervention of a physician is required. The station may also be used for
consultations with the company doctor.

- Arcelor Steel Belgium (Genk Site)’s production team leaders who are present
must be advised in advance.

 

5



--------------------------------------------------------------------------------

- Arcelor Tailored Blank Genk to always have the injured person assisted by a
trained and competent industrial consultant. This does not relieve Arcelor
Tailored Blank Genk from its obligation to prepare a First Aid station of its
own.

- Price: 30 €/treatment or consultation

11: On-Site Transportation

On-site transportation services, as follows:

- The moving of Arcelor Tailored Blank Genk’s rail cars from place to place on
the company grounds of Arcelor Steel Belgium (Genk Site) and Arcelor Tailored
Blank Genk is handled by personnel members and equipment of Arcelor Steel
Belgium (Genk Site). The central dispatching of all rail cars is handled by the
clerks of the shipping service at Arcelor Steel Belgium (Genk Site). All contact
with the N.M.B.S. for the bringing in and picking up of rail cars is done by the
clerks of the shipping service at Arcelor Steel Belgium (Genk Site). This manner
of operating is necessary because Arcelor Tailored Blank Genk does not have a
direct connection to the railroad network of the N.M.B.S. and is therefore not
considered a client by the N.M.B.S.

- Price:

 

  •  

50% of all direct costs of Arcelor Steel Belgium (Genk Site)

 

  •  

any demurrage charged by the NMBS to Arcelor Steel Belgium (Genk Site) and
caused by rail cars intended for Arcelor Tailored Blank Genk: to be invoiced to
Arcelor Tailored Blank Genk. The cost of demurrage is not included in the annual
cap under Section 4 of the Transition Services Agreement.

12: Security

Security services, as follows:

- Security service for the company grounds is handled by security guards of an
external firm (presently GROEP 4 Securitas). These guards perform the following
tasks, among others, for Arcelor Tailored Blank Genk:

 

  •  

Reception of visitors;

 

  •  

Inspection of vehicles and persons;

 

  •  

Management of incoming and outgoing freight transport;

 

  •  

Central dispatching

- Price:  1/3 of the costs of the security firm + 15% as coverage for costs
associated with the security station.

13: Infrastructure

Use of infrastructure, as follows:

- The road infrastructure, property of Arcelor Steel Belgium (Genk Site), is
made available to Arcelor Tailor Blank Genk.

- Price:

 

  •  

25% of the total direct costs that Arcelor Steel Belgium (Genk Site) spends on
track work, work on lighting, …

 

  •  

10% of the total direct costs that Arcelor Steel Belgium (Genk Site) spends on
maintenance work on public gardens and canals.

 

6



--------------------------------------------------------------------------------

14: Delivery of municipal (external) water

Delivery of municipal water as follows:

- Terms and Conditions: the same as those of the Arcelor Steel Belgium (Genk
Site) contract with VMM.

- Measurement:

 

  •  

The meter reading on the meter at the purchase point of Arcelor Steel Belgium
(Genk Site) is used as reference for the monthly billing for the consumption of
water by Arcelor Tailored Blank Genk

 

  •  

The warehouse clerks of Arcelor Steel Belgium (Genk Site) record this meter
reading each first work day of the month and send it on to the bookkeeping
office at Arcelor Steel Belgium (Genk Site).

 

  •  

They shall then transmit these data to Arcelor Tailored Blank Genk.

- Price: in proportion to Arcelor Tailored Blank Genk’s consumption with respect
to Arcelor Steel Belgium (Genk Site)’s total consumption. The cost of municipal
water is not included in the annual cap under Section 4 of the Transition
Services Agreement.

15: Copying

Services regarding copying of plans, as follows:

- Rates:

 

  •  

A0: 5 €

 

  •  

A1: 4 €

 

  •  

A2: 3 €

 

  •  

A3/A4: 2 €

 

7



--------------------------------------------------------------------------------

C. SERVICES PROVIDED BY ARCELOR BREMEN GmbH (“ABG”) TO ARCELOR TAILORED BLANK
BREMEN (“ATBB”)

NOTE: Prices for the services described in Items C.1 through C.12 appear after
Item C.12.

1: Supply of Outside Resources/Applicable Terms of Delivery

ABG permits ATBB to use the facilities of ABG listed below:

 

  a) internal plant road network and access to the rail network

 

  b) weighing facilities at the entries to the plant

 

  c) electric power network

 

  d) pipes

 

  e) sewer lines and canals

 

  f) telecommunications

In connection with its existing third-party supply agreements, ABG supplies ATBB
with the amounts of electricity, natural gas and drinking water required by
ATBB. To that extent, the terms of delivery agreed between ABG and the suppliers
of these media and the normal delivery restrictions also apply to ATBB. ATBB may
inspect the specific terms of delivery and the delivery restrictions.

If ATBB no longer wants to be supplied by ABG with electricity, natural gas or
drinking water, or if ABG is not, or will in the future no longer be, authorized
to supply electricity, natural gas and drinking water to ATBB, ABG allows ATBB
to procure its own supply of the respective media. ATBB indemnifies ABG against
all costs incurred as a result of the construction and operation of
corresponding supply facilities.

2: Delivery of Resources Produced by the Plant

ABG delivers the purified water that ATBB requires for its operations from ABG’s
own internal network.

The purified water to be delivered under paragraph 1 shall be delivered over the
existing pipes of the plant network and shall be measured using new meters still
to be installed by ATBB.

3: Scope of Delivery/Delivery Restrictions

The resources described in sections 1 and 2 are delivered using existing
production facilities, pipe networks, transformer substations and cable networks
in accordance with the capability and capacity of ABG. A prerequisite, in
particular, is that ABG continues to be supplied under its existing contractual
relationships with its providers.

In the event of damage to the production facilities/transformer substations used
for the media purchased by ABG or to the pipe networks/cable networks on the
plant site, ABG is released from its obligation to supply ATBB with the
aforementioned media for the interruption period. To that extent, ATBB has
claims for damages or compensation against ABG only if ABG has failed to
exercise the care that it applies in its own affairs.

 

8



--------------------------------------------------------------------------------

ABG informs ATBB of any damage sustained by its production
facilities/transformer substations or pipe network/cable network. Furthermore,
ABG does everything necessary to restore operability of the affected facilities.
Any maintenance work required is coordinated in advance with ATBB and is
performed expeditiously.

ATBB informs ABG in a timely manner if its requirements are expected to increase
significantly. ABG delivers the additional amounts required, unless operational
concerns prevent it from doing so. Any costs that may accrue in connection with
the delivery of additional amounts is borne by ATBB.

ATBB is familiar with the meaning of the  1/4-hour billing maximum in connection
with the electricity supply agreement between the electric utility and ABG and
the effect this has on the price of electricity. It is also familiar with the
standard operational control measures taken by ABG, such as disconnecting
individual power consumers. At this time, ATBB is not participating in the
automatic disconnection procedure. ABG reserves the right to include ATBB in the
automatic disconnection procedure if necessary and to charge it for all the
consequences of exceeding the  1/4-hour billing maximum that are attributable to
the electricity consumption of ATBB.

4: Other Resources

At the request of ATBB ABG may supply ATBB with other resources to the extent
possible and after prior coordination. ATBB is responsible for installing the
required line networks.

5: Waste Disposal

ATBB conducts its domestic sewage through a line directly into the public sewage
system.

The terms and conditions for waste disposal are as follows:

- Trash

ATBB shall purchase a suitable container at its own expense. Trash is collected
by a third-party company selected by ABG (currently Nehlsen) up to 3 times per
week if necessary. ATBB coordinates collection frequency with the environmental
department of ABG. An allocation key defined based on the number of containers
and collections is used for billing purposes.

- Recyclable materials (cardboard, oil, cardboard packaging)

ATBB purchases two suitable containers at its own expense. Recyclables are
collected every two weeks on Thursdays by a third-party company selected by ABG
(currently Nehlsen). ABG may change the collection day if necessary for
organizational reasons. An allocation key defined based on the number of
containers and collections is used for billing purposes.

- Batteries (including button batteries, starter batteries, etc.)

ABG supplies ATBB with a suitable container at no charge. Batteries are
collected as needed at ATBB’s request by the environmental department of ABG.
Collection and disposal are free of charge for ATBB as long as the battery
vendors are required by law to accept the used batteries at no charge.

 

9



--------------------------------------------------------------------------------

- Oil-containing supplies (e.g. cleaning rags)

ATBB has two containers within the plant (referred to as ASP800s), which are
emptied as needed. Collection is at ATBB’s request, or regularly if necessary,
by ABG’s service department [Einsatzbetrieb]. Disposal costs are billed based on
the average weight of a completely filled bin. The average weight is determined
by ABG during the first two months after signature of the Transition Services
Agreement.

- (Old) lumber

Old lumber is collected by the transportation service of ABG. At the request of
ATBB the transportation service provides a suitable container (dumpster with a
capacity of 4.4 m3) for transport, which ATBB is to fill with the (old) lumber
within a reasonably short period. If the time normally required to fill the
container is significantly exceeded, ATBB shall pay rent for the container to
ABG. ABG is entitled to use recyclable (old) lumber free of charge for its own
purposes after collection. At the time of collection, the weight of the (old)
lumber is determined and recorded on a weight card. The disposal costs are
billed based on the weights determined.

- Toner (e.g. toner cartridges, ink ribbons)

ATBB purchases a suitable bin at its own expense and shall label it accordingly.
Toner is collected by ABG only as needed at ATBB’s request. Collection and
disposal are free of charge to ATBB as long as the toner materials are accepted
by a recycling company free of charge.

- Other types of waste (e.g. fluorescent tubes)

The disposal of other types of waste by ABG may be agreed from time to time on a
case-by-case basis. ATBB ensures disposal as required by law.

6: Transportation

ABG provides the transportation services by rail or truck that are necessary for
the operations of ATBB at the request of ATBB and performs the transshipment in
the [Hüttenhafen] requested by ATBB within a scope that is operationally
reasonable.

7: Weighing

Incoming and outgoing deliveries for and from ATBB may be weighed on the
plant-owned scales, which are certified by the Board of Weights and Measures.
The weight cards are provided to ATBB and are valid for internal as well as
external transportation between ATBB and third parties.

If ATBB uses its own scales for weighing, ATBB provides the weight information
to ABG.

 

10



--------------------------------------------------------------------------------

8: Other Services

ABG provides ATBB with the following services of its technical service
departments:

 

  •  

Energy maintenance

 

  •  

Service Center electrical

 

  •  

Service Center mechanical

 

  •  

Crane maintenance

 

  •  

Construction

 

  •  

Quality Assurance services (TQ)

ATBB has the right to procure material from ABG’s warehouses and spare parts
stockrooms within a scope that is operationally reasonable for ABG.

If ATBB desires additional services, ABG shall meet its requests to the extent
possible.

9: Flat Cost Fee

ABG provides the following services to ATBB within the scope of its existing
capacities:

 

•  

services of the fire department for regular fire fighting, including ambulance
service (preventive fire protection measures, e.g., inspection of fire
extinguishers are not included in this flat fee and is billed when these
services are provided)

 

•  

inclusion of ATBB in the emergency management of the site

 

•  

plant security

 

•  

use of general plant facilities (plant road network, including snow clearance,
etc.) weighing facilities

 

•  

upon request advice and support by ABG personnel regarding waterways, waste
disposal, emissions, noise, hazardous materials and work safety

 

•  

the plant’s internal telephone network

 

•  

messenger/mail service

 

•  

use of the cafeteria

 

•  

use of Lotus Notes server and IT services, such as VPN and fixed lines, etc.

Other services (e.g., health services, landscaping, work safety) are billed when
these services are provided.

10: Spheres of Responsibilities

The boundaries of the spheres of responsibility between the facilities of ABG
and those of ATBB as well as the delivery points for the delivery of resources
are determined based on the criteria of ownership and use and as identified in
planning documents.

11: Compliance with Statutory Provisions and Other Regulations

In connection with its activities on the plant site, ATBB complies with the
relevant federal and state laws, regulations and government ordinances and
directives. ATBB also complies with accident prevention regulations, accepted
engineering standards and the accident prevention and other relevant
environmental and safety regulations applicable in this connection.

 

11



--------------------------------------------------------------------------------

12: Plant Inspections

ATBB complies with the plant regulations of ABG and submits to the standard
inspections by plant security. This also applies to incoming and outgoing
shipments of material.

ATBB complies with the instructions of the environmental department of ABG to
the extent that ATBB’s activities affect the interests of ABG.

 

PRICES   AS OF JANUARY 2007 Price for drinking water   2.35 €/m3

This is the actual purchase price paid by ABG, including costs of internal
conduction as determined by ABG’s cost center accounting. The price does not
include the sewage charge, which is to be billed separately. The price is
adjusted monthly. The cost of drinking water is not included in the annual cap
under Section 4 of the Transition Services Agreement.

 

Price for domestic sewage   2.79 €/m3

This is the actual sewage charge paid by ABG as determined by ABG’s cost center
accounting. The price is adjusted monthly. The amount of sewage is determined
based on the amount of drinking water delivered.

 

Price for electricity   36.96 €/MWh

The electricity price is based on the purchase price paid by ABG, including
costs of internal conduction as determined by ABG’s cost center accounting. The
price is adjusted monthly. The electricity price is based on a power consumption
of 400 kW ( 1/4-hour maximum). This is based on an annual consumption of
3.0 million kWh/a. If there is an appreciable change in the annual consumption
(deviation of ±10%), the  1/4-hour maximum to be redefined by common agreement.
The cost of electricity is not included in the annual cap under Section 4 of the
Transition Services Agreement.

For purposes of monthly billing, a preliminary electricity price shall be
estimated at the beginning of each calendar year. The final electricity price to
be determined and settled at the beginning of the following calendar year.

 

Price of electricity tax (environmental tax)   12.30 €/MWh

The then applicable electricity tax (environmental tax)—the currently reduced
rate is 12.30 €/MWh— is billed in addition to the electricity price. The cost of
the electricity tax is not included in the annual cap under Section 4 of the
Transition Services Agreement.

 

12



--------------------------------------------------------------------------------

Price of EEG charge (charge under the Renewable Energy Act)   8.90 €/MWh

The EEG charge to be billed in addition to the electricity price. The EEG charge
is not included in the annual cap under Section 4 of the Transition Services
Agreement.

 

Price for natural gas   23.38 €/MWh

This is the actual purchase price paid by ABG, including internal conduction
costs as determined by ABG’s cost center accounting. The price is adjusted
monthly. The cost of natural gas is not included in the annual cap under
Section 4 of the Transition Services Agreement.

 

Price of energy tax on natural gas   3.66 €/MWh

The energy tax on natural gas to be billed in addition to the natural gas price.
The energy tax is not included in the annual cap under Section 4 of the
Transition Services Agreement.

 

Price for purified water   7.89 €/1000 m3

These are the actual full costs incurred by ABG, including internal conduction
costs as determined by ABG’s cost center accounting. The price is adjusted
monthly. This price does not include the sewage charge, which is to be billed
separately only if the purified water is discharged through ABG’s own sewage
system.

 

Price for sewage   7.95 €/1000 m3

This is the actual sewage charge paid by ABG, including internal costs for
conducting the sewage into the Weser as determined by ABG’s cost center
accounting. The price is adjusted monthly. The amount of sewage is based on the
amount of purified water delivered.

Prices for the disposal of trash and recyclables

Trash and recyclables are removed by a third-party company selected by ABG. The
invoice issued by that company is charged to ATBB.

Prices for the disposal of oil-containing supplies

Oil containing supplies are disposed of by the service department of ABG at the
request of ATBB or regularly if required. Disposal costs are billed based on the
average weight of a completely filled bin. The average weight is determined by
ABG during the first two months after the date of the Transition Services
Agreement. Transportation costs are billed separately.

Price for the disposal of old lumber

Old lumber is disposed of by the transportation department of ABG. The disposal
costs are billed based on the determined weights. Transportation costs are
billed separately.

Prices for transportation services

These prices are applicable for calendar year 2007 and are reviewed annually and
adjusted to reflect the actual full costs as determined by ABG’s cost center
accounting.

 

13



--------------------------------------------------------------------------------

Plant railroad    0.24€/tkm Transport operations, including driver:   

•     Wheel loader

   €81.68/h

•     Dump truck

   €62.44/h

•     Tractor

   €43.22/h

•     Trailer

   €4.00/h

•     Other vehicles

   per agreement

Prices for technical services

Based on use. Technical services are billed based on the “full costs of actual
rates” as determined by ABG’s cost center accounting. Any machine hours are
billed based on actual use.

 

Flat cost fee in accordance with section 9   €4,400/month

Against payment of a monthly flat cost fee ATBB may use the services listed in
section 9. The monthly flat fee is based on 53 employees. If the number of
employees changes by ±20%, the flat fee shall be adjusted accordingly. In
addition, the monthly flat fee shall be reviewed annually and adjusted based on
the following escalator clause:

 

  •  

80% through personnel costs. Escalation is based on the development of the union
wage rate, wage group 7 of the collective bargaining agreement applicable to
ABG, basis €11.53/h (January 2007).

 

  •  

20% through cost of materials. Escalation is based on the Consumer Price Index
for Germany published on the web site of the German Federal Statistical Office
www.destatis.de (January 2007: 110.9).

Prices for materials in stock

Moving average of the book value plus 10% administrative costs.

Prices of other services

Based on use. The price is coordinated with the respective department of ABG.

13: Occupational Health Services

ABG makes occupational health services available to ATBB employees, particularly
under § 3 of the German Occupational Health and Safety Act (ASiG), to include
the following services:

 

  •  

Occupational safety committee meetings

 

  •  

Plant inspections

 

  •  

Workstation inspections

 

  •  

Counseling if a job change is necessary for health reasons and integration and
re-integration of the handicapped in the work process

 

  •  

Comments on all occupational health questions

 

  •  

First aid organization within the plant

 

14



--------------------------------------------------------------------------------

  •  

Preventive screenings, particularly pursuant to § 3(1) No. 2 of the German
Occupational Health and Safety Act and § 15 and 16 of the German Hazardous
Substances Regulation (GefStoffV) and BGV A 2 and BGI 504 (selection criteria
for special occupational health screenings).

Occupational health services are provided by the plant physician working for ABG
and/or by his deputy, who has corresponding qualifications. The plant physician
is authorized to perform preventive screenings.

ATB retains the plant physician in accordance with § 2 of the German
Occupational Health and Safety Act and BGV A 2 “Plant Physicians” (version of
01 July 2005) for the minimum number of hours defined therein. Accordingly, the
required service hours of the plant physicians are as follows:

Group A (including metal workers): 0.6 hrs. per year and employee

Group B (all sectors except those listed in Group A or C): 0.5 hrs. per year and
employee

Group C (business and administrative sector): 0.2 hrs. per year and employee

The non-specific preventive occupational health screenings are included in these
service hours. These screenings currently include, for example:

G 23 Obstructive respiratory disease

G 24 Skin disorders (except skin cancer)

G 25 Driving, controlling and monitoring jobs

G 37 Jobs using display terminals

G 41 Work involving the risk of falling

The specific occupational health screenings (e.g. screenings for G 7 “carbon
monoxide,” G 15 “chromium,” G 20 “noise,” G 26 “respiratory protection,” G 30
“heat,” G 39 “welding smoke,” or G 42 “infection hazards”) are not included in
the service hours (in accordance with the Federal Minister of Labor and Social
Affairs). For these services, the following additional service hours are
estimated:

0.38 hrs. per year and employee for Group B (2007)

0.0 hrs. per year and employee for Group C (2007)

At 01 July 2007 there were 53 employees, 42 in Group B and 11 in Group C.
Accordingly, for calendar year 2007, the service hours total 23.20 (per year).

The required service hours are reviewed once a year (in January) and adjusted if
necessary. For this purpose, ATBB notifies ABG of the number of its employees as
of 31 December of each year on its own initiative by 15 January at the latest
(even if there has been no change).

For the following year, ATBB retains the plant physician for the defined minimum
number of hours in accordance with BGV A 2 no later than by 31 December of the
previous year.

 

15



--------------------------------------------------------------------------------

14: Other Medical Services

The services of ABG further include other medical services, including the
following:

 

  •  

Primary care office hours, including physical therapy with infrared light
therapy, inhalation therapy and drug therapy for minor infections, sprains, etc.
provided that the medications are available in stock

 

  •  

Vaccinations

 

  •  

Pre-employment medical examinations, including medical examinations of minors as
provided for under the German Youth Protection Act

 

  •  

Training of first aid personnel of ATB

 

16



--------------------------------------------------------------------------------

D. SERVICES PROVIDED BY STEEL SERVICE CENTER OF ARCELORMITTAL (“A3S”) TO ARCELOR
TAILORED BLANK SENICA (“ATB Senica”) IN CONNECTION WITH LEASE FOR INDUSTRIAL
PREMISES

A3S is the owner of Industrial premises situated in Senica, province of Trnava,
Slovakia (“Industrial Leasehold Premises”).

ATB Senica rents and leases a part (with the following dimensions: 30 meters of
width, 60 meters of lengths and 9 meters of height) of this Industrial Leasehold
Premises, at a rate of 60 €/m2/year.

ATB Senica uses and occupies the Industrial Leasehold Premises for Industrial
Manufacturing purposes only and for no other purpose.

A3S provides the following services:

PHONE: installation and maintenance of telephone service at least for 4 lines,
and furnishing of the phone numbers.

IT: installation and maintenance of IT cable service and furniture of the
available network channels. Service fees required for the installation of these
utilities are covered by A3S.

GAS, ELECTRIC AND WATER: A3S provides the gas, electrical and water installation
and the monthly costs during the period of Industrial lease contract. A3S
provides a separate electrical meter for the electrical consumption of
production line. The cost of gas, electricity and water is not included in the
annual cap under Section 4 of the Transition Services Agreement.

SAFETY and SECURITY: A3S provides safety and security of Industrial premises.
Fire extinguisher, smoke detectors are provided by A3S and installed in this
industrial premises. A3S maintains its appliance including testing periodically
and replacing all safety equipment and batteries as recommended by the
manufacturer and applicable law. In the event the detector is missing or
inoperative, ATB Senica has an affirmative duty to notify A3S immediately.

CLEANING: A3S keeps and maintains the cleaning and the Leasehold Premises,
parking, toilets, offices, and locker room area in a clean and sanitary
condition at all times. Any related service cost is covered by A3S. ATB Senica
keeps and maintains the manufacturing area.

1. ATB Senica pays for the electrical consumption of production equipments
(welding line, shear centre etc.) and monthly phone and internet charges.

2. A3S provides a locker room for workers of ATB Senica. Any service fees
required for the installation of these utilities and maintenance to be covered
by A3S.

3. A3S provides parking spaces for 10 motor vehicles in the parking lot at a
space to be designated by A3S. Any rules or regulations established by A3S
relating to parking are strictly observed by TB Senica and may be subject to
change at A3S’s discretion.

4. A3S provides for the necessary repairs and maintenance of the Industrial
Leasehold Premises. ATB Senica does not provide nor arrange for any repair or
maintenance of the Leasehold Premises, and A3S is not responsible or liable to
ATB Senica, or to any other person, for the costs of any repair or maintenance
provided or arranged by ATB Senica.

 

17



--------------------------------------------------------------------------------

5. A3S provides garbage containers. A recycling container is also provided to
ATB Senica for paper, glass, and plastic and aluminum cans.

 

18



--------------------------------------------------------------------------------

E. LEGAL SERVICES PROVIDED BY ARCELORMITTAL LEGAL AFFAIRS (“AMLAF”) TO TBA
COMPANIES

1. Day-to-day and general assistance

AMLAF carries out and deal with legal matters on behalf of and for the TBA
Companies, including commercial law, company law, merger & acquisitions, real
estate law, labour law, environmental law, etc.

2. Litigation

AMLAF deals with litigation, i.e: litigation with customers, suppliers, public
authorities, resulting from accidents, occupational illness, injury, transport,
debt collection, insolvency, etc.

A litigation report which describes outstanding cases (company involved, status,
type and summary, coverage by insurance policy, provisions set up) is available
upon request. AMLAF gives its opinion about the reserves which have to be set up
in the TBA Company’s accounts.

 

19



--------------------------------------------------------------------------------

F. HR SERVICES AND VARIOUS SUPPORT TO TBA COMPANIES

1. Payroll, etc.

Services of Colette Quéva, Guido Van Assche and Roseline Meulemann to the HR
manager of TBA, Béatrice Morel, for the starting implementation of the payroll
of the company Noble Metal Processing Belgium and the starting implementation of
the payroll of the establishment of the company ATB Lorraine in Saint-Denis.

Carrying out of the payroll of ATB Lorraine by USP Montataire and the
establishment of Saint-Denis

Payroll–related management and labor law counseling provided to Arcelor Tailored
Blank Zaragoza by Arcelor España SA

2. Training

Access to the vocational training of ArcelorMittal University

Client Team School

3. International Mobility Platform

Management of Expatriates

4. Other Services

Offices at Saint-Denis + Dalkia services (mail service, management of grounds,
photocopying, electrical maintenance, …)

Employment-related medical and infirmary services at Saint-Denis

Corporate dining services at Saint-Denis

Car rental management

 

20



--------------------------------------------------------------------------------

G. SERVICES PROVIDED BY ARCELOR ATLANTIQUE ET LORRAINE ET AL. TO ATB LORRAINE

1. Industrial Safety Services.

Arcelor Atlantique et Lorraine Florange offers its industrial safety services
(annual extinguisher verification, anti-intrusion rounds, periodic
safety/evacuation exercises) and makes available firefighting services for all
planned interventions and in case of casualty. (38,000 euros per year in 12
equal monthly payments.)

2. Medical Service.

Arcelor Atlantique et Lorraine Florange offers its work-related medical services
and accident management (infirmary, ambulance, examinations, certain
vaccinations, etc.). (145 euros per person, in equal quarterly installments.)

3. Travel Services.

ATB Lorraine benefits from car rental reservation services, airplane and train
ticketing services and hotel reservation services linked to the contract between
Arcelor and the travel agency retained by Arcelor.

4. Arcelor Human Resources Services.

ATB Lorraine benefits from payroll and monthly reporting to social institutions
and mutual insurance companies, annual reporting to the institutions TDS-DAS,
DADS et CRC, planning, handicapped declarations, IRR, IPP, profit sharing, FCP
and [bonus] CET placement.

5. Services by the Unité de Service Partagée Mobilité et Recruitment (USMR) of
Florange in the framework of PSE started in May 2007 (there remain some
personnel to reclassify).

6. Tax accounting services by the Unité de Service Partagée Comptabilité (USPC)
are offered for 2008 only, with regard to fixed assets (depreciation,
dispositions, audit), deferred tax, tax consolidation for 2007.

7. Industrial food services by Services Généraux de Florange (SGE).

 

21



--------------------------------------------------------------------------------

H. SERVICES PROVIDED BY ARCELOR SPAIN HOLDING SL TO ARCELOR TAILORED BLANK
ZARAGOZA

1. Legal Services

Legal advice, other than labor law

2. Tax Services

Tax affairs counseling

 

22



--------------------------------------------------------------------------------

I. IT SERVICES

IT Services

 

23



--------------------------------------------------------------------------------

TABLE OF CONTENTS

 

1. SERVICES DELIVERED BY ARCELOR TECHNOLOGIES

   29

1.1. LIST OF SERVICES

   29

1.1.1. Service catalogue

   29

1.1.2. Application Infrastructure Services

   29

1.1.3. Network Services

   33

1.1.4. Technologies Enabler Services

   33

1.2. SLA

   35

1.3. Price – Compensation rules

   36

2. Services Delivered By Arcelor Systems

   37

2.1. List of Services

   37

2.1.1. Applications in scope

   37

2.1.2. Recurrent maintenance

   37

2.1.3. Evolutive maintenance

   37

2.2. SLA

   37

2.3. Price

   38

3. Additional Services Delivered by Arcelor Systems to ATB Gent

   38

3.1. List of Services

   38

3.1.1. Applications in scope

   38

3.1.2. Services

   39

3.2. SLA

   39

3.3. Price

   40

4. Services Delivered by Arcelor Steel Belgium N.V. (Genk Site)

   40

4.1. List of services

   40

4.2. Price

   40

APPENDICES TO THE IT SECTION OF SCHEDULE A

   41

APPENDIX 7 TO THE IT SECTION OF SCHEDULE A:

   48

 

24



--------------------------------------------------------------------------------

ARCELORMITTAL INFORMATION SECURITY POLICIES

   48

1. INFORMATION SECURITY POLICIES FRAMEWORK

   49

1.1 Background

   49

1.2 Scope

   49

1.3 Key actors

   49

Corporate information Security Officer

   49

Local Information Security Officer

   49

Security Workgroups

   50

IT Steering Committee

   50

Internal audit

   50

Three operational responsibilities: Owner, Custodian and User

   50

1.4 The baseline policies and their target

   52

1.5 Legal Affairs link

   52

1.6 Critical systems

   52

1.7 Non-compliance

   53

1.8 Definitions

   53

Policy

   53

Standard

   53

Guideline

   53

2. PROTECTION AGAINST MALICIOUS CODE POLICIES

   53

2.1 Abstract

   53

2.2 Definitions

   54

System Assets

   54

Malicious code

   54

Virus

   54

Worm

   54

Trojan horses

   54

 

25



--------------------------------------------------------------------------------

Macro Viruses

   54

Anti-Virus Software

   54

Signatures

   55

Red Alert State

   55

Hoax

   55

2.3 Protection Against Malicious Code policies

   55

2.4 Protection Against Malicious Code Standards

   56

2.5 Protection Against Malicious Code Guidelines

   57

3. VULNERABILITIES AND SECURED CONFIGURATION MANAGEMENT POLICIES

   58

3.1 Abstract

   58

3.2 Definitions

   58

Vulnerability

   58

Threat analysis

   58

Secured configuration

   58

3.3 Vulnerabilities and Secured Configuration Management policies

   58

3.4 Vulnerabilities and Secured Configuration Management Standards

   59

3.5 Vulnerabilities and Secured Configuration Management Guidelines

   60

4. LOGICAL ACCESS CONTROL POLICIES

   60

4.1 Abstract

   60

4.2 Definitions

   61

Identification and User ID

   61

Authentication

   61

Authorization

   61

4.3 Policies

   61

4.3.1. IDENTIFICATION

   61

4.3.1.1 User registration

   61

4.3.1.2 Automatic terminal Identification

   62

 

26



--------------------------------------------------------------------------------

4.3.1.3 Log-on procedures

   62

4.3.1.4 Log-on procedure guidelines

   63

4.3.2. AUTHENTICATION

   63

4.3.2.1 User Password Management

   63

4.3.2.2 User Password Management guideline

   63

4.3.2.3 Password management systems

   63

4.3.2.4 Password management guidelines

   64

4.3.3. AUTHORIZATION

   64

4.3.3.1 Privilege management

   64

4.3.3.2 Privilege management guideline

   65

4.3.3.3 User access rights

   65

4.3.4. MONITORING

   65

5. NETWORK SECURITY POLICIES

   66

5.1 Abstract

   66

5.2 Policies

   66

5.2.1 General principles

   66

5.2.2 Internet connections

   66

5.2.3 Remote accesses

   67

5.2.4 Wireless LAN

   67

5.2.5 Physical and Logical Access to Network devices

   67

5.2.6 Application system design

   67

5.2.7. Network monitoring

   68

5.2.8 Critical networks and servers

   68

6. DATA BACK-UP POLICIES

   68

7. BCP/DRP SECURITY POLICIES

   69

7.1 Abstract

   69

7.2 BCP/DRP Security Policies

   69

 

27



--------------------------------------------------------------------------------

7.3 BCP/DRP Security Guideline

   70

8. BEHAVIOR ADVICE TO USERS TO IMPROVE THE SECURITY LEVEL

   71

8.1 Password management

   71

8.2 Locking an unattended workstation

   71

8.3 Social engineering

   71

8.4 Data back-ups

   71

8.5 Virus protection

   72

8.6 Security incident reporting

   72

8.7 Confidential information protection at printing time (as well in
communicating and storing the information)

   72

 

28



--------------------------------------------------------------------------------

1. SERVICES DELIVERED BY ARCELOR TECHNOLOGIES

To:

ATB Genk

ATB Gent (to be added)

ATB Lorraine

ATB Zaragoza

ATB Senica

ATB Bremen

ATB Belgium & France (to be added)

1.1. LIST OF SERVICES

1.1.1. Service catalogue

Services delivered from service catalogue contains end-user access product
services, such as

 

  •  

Workstations, printers, peripheral devices described in the document ‘Arcelor
Technologies North—Catalogue Site Ghent’. For the French perimeter (Lorraine and
Paris), the catalogue is accessible through the services portal
http://web-itcatalogue.atech.agn/pssoft/portal/

 

  •  

On demand, Arcelor Technologies supplies a detailed list of all current, active
workstations and setup (what software). Also the cost is detailed per user and
service.

1.1.2. Application Infrastructure Services

1.1.2.1. Application Hosting Services

Arcelor Technologies provides application hosting services on several platforms:
Mainframe (z/OS), SAP on AIX servers, Windows Servers, OpenVMS Servers, Lotus
Notes Domino Servers, …. As such Arcelor Technologies performs the operational,
planning, design, build and test, monitoring and reporting processes.

 

  •  

Operational processes

Assure the operations to keep the solutions running

 

  •  

Incident management:

Solve incidents that have been detected either by the customer, by the provider
or that have been submitted automatically.

Arcelor Technologies subscribes to underpinning contracts with Vendors to solve
incidents with hardware configurations and to solve incidents with
malfunctioning software.

 

  •  

Problem management

Evaluate incidents and propose proactive measures.

 

29



--------------------------------------------------------------------------------

  •  

Performance management and tuning

Evaluate response times and propose corrective measures.

 

  •  

Release management

ARCELOR Technologies carries out all the operations to install the updates
needed to keep the systems running.

This includes applying relevant upgrades, releases, service packs, patches,
hotfixes, …

This includes state of the art software to secure the infrastructure against
malicious code.

Arcelor Technologies subscribes—with regard to the software that is managed
directly by Arcelor Technologies—to contracts with Vendors to obtain the media
and the non exclusive right to use new versions, releases, service packs,
patches hotfixes, .

Arcelor Technologies foresees the necessary tools so that the customer is able
to install third party/customer’s software on the servers managed by Arcelor
Technologies. In case the existing deployment tool (for the moment only present
on MES-servers in Genk, Lorraine and Senica) cannot be used to install the
software, Arcelor Technologies installs the software. It is important that all
the software on the servers is known by Arcelor Technologies to be able to give
the necessary support.

 

  •  

Planning processes

 

  •  

Availability

Planned interventions are possible on request.

These interventions occur:

 

  •  

As needed to deploy a new functional release

 

  •  

Once per month to apply security patches (duration < 1 hour)

 

  •  

Two per year to maintain the RDBMS (durations depends on the size of the
database).

 

  •  

They need to be validated by the Noble service coordinator, A&M development team
and I&O delivery manager. A warning is published also on the IS/IT supply
intranet.

Urgent interventions are possible on request (with at least 2 hour advance
warning)

These interventions can occur to prevent a pending incident. The frequency
depends on the nature of the risk involved. They need to be validated by the
local Noble service coordinator, A&M development team and I&O delivery manager.
A warning is published also on the IS/IT supply intranet.

Unavailability impact:

When the system is unavailable during service hours, A&M development team and
I&O delivery manager warn the local Noble service coordinator by e-mail.

 

30



--------------------------------------------------------------------------------

  •  

Capacity management

Arcelor Technologies plans and proposes configurations to provide to the
customer the needed capacity.

Arcelor Technologies define programs to adapt (replacements and evolution) the
infrastructure.

 

  •  

IT Service Continuity management

Backup services

Restore services

Disaster Recovery Services

Storage management

 

  •  

Design, Build and Test

Arcelor Technologies designs the server environments needed to host the
applications in close cooperation with customer representatives.

 

  •  

Arcelor Technologies performs the impact analysis to cope with planned changes,
and proposes optimal solutions.

 

  •  

Arcelor Technologies builds and tests the ordered solutions, based on the
proposals that are the result of a previous impact analysis.

 

  •  

Arcelor Technologies implements the requests that have been ordered through
request management applications such as

 

  •  

For the Ghent perimeter: “PC Bestellingen”, “Autorisatie Aanvragen”, “IBO
aanvragen”

 

  •  

For the French perimeter: “Cyberforms”, “Le panier commercial”

 

  •  

As such Arcelor Technologies performs the system administration, the user
administration, the storage administration processes

 

  •  

Monitoring processes

Server and storage infrastructure is supervised and controlled continuously
(24h/24 and 7 days/week), using appropriate tools.

 

  •  

Mainframe: the supervision is operated by a central and a local team. Ghent,
Lorraine, Paris

 

  •  

Unix/SAP, Open VMS, Windows, Domino Servers, SAN Storage, Tape Libraries,…: the
supervision is operated by several dedicated and specialized teams in Ghent and
Dunkerque.

1.1.2.2. Application Support Services

Application Support Services are delivered on several platforms: Mainframe, SAP
on AIX servers, Windows Server, OpenVMS Servers, Domino Servers,

Related services are delivered to the customer in cooperation with the developer
community:

 

  •  

Development environment:

 

  •  

Development on z/OS (Assembler, PL/I, Cobol, Rexx,…)

 

  •  

Development on SAP (ABAP,…)

 

31



--------------------------------------------------------------------------------

  •  

Development on OpenVMS (Fortran, C, C++, DECForms, FMS,…)

 

  •  

Development on Windows (VB6, Visual Studio .net, …)

 

  •  

Development using CASE tools (AllFusion:Gen,…)

 

  •  

Fault & Debug management tools

 

  •  

Source configuration and release management: on z/OS, SAP and Windows

 

  •  

Database administration and performance tuning:

 

  •  

DB2 on z/OS,

 

  •  

SQLServer and Oracle Server on Windows Server,

 

  •  

Oracle RDB, Oracle CDD,… on OpenVMS,

 

  •  

Oracle Server on AIX

 

  •  

General accounting, application performance management & application tuning:
z/OS SAP and Windows

 

  •  

Capacity planning & Trend Analysis.

1.1.2.3. Commodity Application Services

Several commodity applications are delivered and operated:

 

  •  

Document Management

 

  •  

Mainframe End User Computing

 

  •  

Support end user with the conception of some special operations

 

  •  

QMF-DB2 query and Reporting support

 

  •  

Interfacing with OFFICE and other reporting Products,

 

  •  

Data Base administration

 

  •  

PROMA (Ghent perimeter)

 

  •  

The PROMA application is used to support the incident and the problem management
processes.

 

  •  

The Service Desk uses PROMA to register manually the incidents that end users
submit by phone.

 

  •  

The end users of the customer can use a PROMA interface to register and handle
incidents they detected.

 

  •  

All other incidents (detected automatically) can be (and are) registered
automatically in PROMA.

 

  •  

CSD (French perimeter)

 

  •  

Consolidated Service Desk by Ps Soft; this module replaces the actual incident
handling module of Qualiparc.

1.1.2.4. Development and Customization Services

Development services and Customization services are delivered to bridge the gap
between the operating system software and the layered software products as they
are acquired, and the operational conditions needed for the hosted applications.

Development services occur to develop middleware components on all platforms.
Examples are SIVAX on OpenVMS, UCM tools on Windows,…

Customization services occur to shape the conditions to operate third party
products. Examples are customizations of Axways’ Inter.Pel on all platforms,
Development lifecycle support tools to operate AllFusion.Gen on z/OS and
OpenVMS,…

 

32



--------------------------------------------------------------------------------

1.1.3. Network Services

All the services described hereafter are parts of the categories LAN, WAN,
Internet +RAS and Div. Infrastructure + cabling services.

 

  •  

Supervision

 

  •  

Hardware supervision

 

  •  

Availability of the functionalities

 

  •  

Network Services management

 

  •  

LAN and WAN study and implementation

 

  •  

LAN and WAN management

 

  •  

Remote Access Services

 

  •  

Internet services

 

  •  

Firewall and Proxy management

 

  •  

Security management and rules

 

  •  

User administration

 

  •  

Other hardware supported by Network service

 

  •  

VT terminals

 

  •  

Thermal Transfer printers

 

  •  

Badge readers (access control systems, time registration systems)

 

  •  

IP Camera’s, Barcode Scanners, Hand-held terminals

 

  •  

Other services provided by Network team

 

  •  

Infrastructure computer room management (power, climatization, …)

 

  •  

Server infrastructure: racks, cabling, power distribution, …)

 

  •  

Coordination of the cabling projects and management of the external suppliers

1.1.4. Technologies Enabler Services

 

  •  

Service Desk

 

  •  

For Ghent perimeter:

 

  •  

The service desk in Ghent can be reached 24hours/day 7days/week at a central
telephone number: +32 (9) 347 3037 or by e-mail: helpdesk@sidmar.arcelor.com

 

  •  

The service desk uses a tool (PROMA) to register all the calls of the end users
and all the events that need a problem management.

 

  •  

The PROMA-tool is used for manual and automatic registration of incidents.

 

  •  

Whenever a registered incident needs immediate intervention, the Service Desk to
call the relevant specialist to solve the problem. Therefore Arcelor
Technologies organizes duty guards.

 

  •  

For French perimeter

 

  •  

The Service Desk in Dunkerque can be reached 24hours/day 7days/week at a central
telephone number: +33 (0) 3 28 59 59 59

 

  •  

The service desk uses a tool CSD (Consolidated Service Desk) to register all the
call of the end-users and all the events that need a problem management.

 

33



--------------------------------------------------------------------------------

  •  

For any other country

  •  

access to the service desks can be found on the site http://web-it.arcelor.fr/
in the tab “End-user support/Help Desk”

 

  •  

Incident management

 

  •  

Incident declaration procedure

 

  •  

Incident handling and solving can be invoked through the AT Service Desks

 

  •  

Incidents can be declared as well by automated monitoring services. Events
causing alert situations are detected automatically and forwarded to the
incident management system, where they are treated according to their
criticality.

 

  •  

Incident handling

 

  •  

Incident handling starts within 4 working hours.

 

  •  

When a fatal hardware incident occurs, AT diagnoses the problem and calls the
hardware provider within 2 working hours.

 

  •  

The hardware service provider then starts intervention within 4 working hours
following AT’s request. As a consequence, remedial action starts within 6
working hours.

 

  •  

Escalation

 

  •  

When a critical incident cannot be solved timely, it is escalated.

 

  •  

Warning and subsequent concertation of these incidents is assigned to:

 

  •  

The corporate Noble service coordinator

 

  •  

Engagement manager

 

  •  

Application and Maintenance Delivery

 

  •  

Infrastructure and Operations Delivery

They jointly decide on an appropriate action plan, setting actions and
priorities and reporting on incident solution status.

 

  •  

Provide Technology, know-how and competence

 

  •  

All platforms

 

  •  

Deliver consulting services in the context of their know-how and competence.

 

  •  

Contacts with the suppliers and designers

 

  •  

SAP Team

 

  •  

Netweaver, R/3, Oracle, BW, APO, Enterprise Portal, …

 

  •  

Active role in the customer SAP competence center

 

  •  

Assets Management, Configuration Management, Change Management

 

  •  

All the assets are registered in a local tool (Configuration Management) used by
the Service Desk and the “Work Place Infrastructure” services.

 

  •  

Proposals for cost-reductions and optimizations on a yearly basis

 

34



--------------------------------------------------------------------------------

  •  

ATB employees whose mailboxes are hosted on the consolidated ArcelorMittal
messaging infrastructure, are able to use the ArcelorMittal contact database.
For other users, a solution can be designed to deliver the same contact database
in a form that can be loaded by Noble. This service is not included in the
current agreement.

1.2. SLA

 

  •  

SLA’s are defined as follows:

 

  •  

Operational requirements

For products in the catalogue counting from receipt of the approved request up
to signature for the installation report by the user.

 

Standard user requests

  

Reference Level of Service

(working days)

New workstation

   10

Network printer

   20

Moving an existing user within the same infrastructure environment

   5

Moving an existing user outside the infrastructure environment

   10

Creation of a new user

   10

Teledistribution of software (*)

   2

Urgent teledistribution of software (*)

   1

Extension of drive

   2

Extension of Mailbox

   2

Authorization to shared folder

   2

--------------------------------------------------------------------------------

(*) on condition that there is no need for compatibility investigation, thus not
for new or complex program groups

 

  •  

Incident reactions

The maximum period agreed for resolving an incident is defined in relation to
the type of hardware and the level of maintenance required by the customer.

 

Incident

  

Reference Level of Service

(working days)

Workstation

   Next business day

Network printer

   Next business day

PDA (Blackberry, Qtek)

  

Next business week, but phone

functionality within next business day

Infrastructure servers

   Next business day

Software

   Next business day

LAN

   Next business day

WAN

   Next business day

 

35



--------------------------------------------------------------------------------

  •  

An official request for quotation or related demands sent to Arcelor
Technologies should be replied to within 5 working days, in order to define a
time frame for final delivery of the proposal.

 

  •  

Arcelor Technologies to foresee a SLA follow-up report.

Arcelor Technologies to assure that all measures to ensure the security of data
and communications are in force on the date of the starting up, and that the
general principle of confidentiality and Arcelor Technologies safety policy are
applied and respected. Noble must respect ArcelorMittal security policies and
assure that all users of information systems delivered by Arcelor Technologies
respect the “ArcelorMittal Security Charter” (see attached Appendix 7).

1.3. Price – Compensation rules

General

Each month the compensation is split in two parts.

Part 1 to compensate the services that correspond with the consumption of
services as defined in the current service catalogue.

Part 2 to compensate services based on a budget charge-back mechanism. The
repartition of the services that are subject to both parts and the corresponding
reference budget is specified in appendices 1 through 6 to this Schedule A to
the Transition Services Agreement.

Specific services with respect to certain ATB entities appear in Appendices 1
through 6

Adaptations to appendices 1 through 6 (adding service, adding site, changing
from part, etc.) can be realized on month boundaries, upon mutual, written
agreement of both parties to replace the current attachment with a new version.

Specific compensation rules for part 2

The following principles apply:

 

•  

The amount of the invoice is 1/12 of the yearly budget specified in the then
governing appendix

 

•  

The invoice only mentions one line with the provision of the month

 

•  

The provision is detailed as specified in the then governing appendix

 

•  

At the end of the year, a review is made for basic recurring services, for the
next year.

 

•  

New projects (extensions) not included in this document, to be invoiced
additionally.

 

36



--------------------------------------------------------------------------------

2. Services Delivered By Arcelor Systems

To:

ATB Genk

ATB Gent (to be added)

ATB Lorraine

ATB Zaragoza

ATB Senica

ATB Bremen

ATB Belgium + France (to be added)

2.1. List of Services

2.1.1. Applications in scope

Recurrent and Evolutive Maintenance of following applications:

 

Applications

  

Quick description in functional terms

SAP Leverage    Integration of TBA in the commercial application Leverage (Order
entry, MDI, Invoicing and claims handling). In scope for so far the
cost/developments are not covered by CVT. SAP Aristos    Back office system of
TBA, implemented in SAP (modules: FI, MM, CO, AA) RFQ-database    Library for
quotes

2.1.2. Recurrent maintenance

 

  •  

Application administration and system monitoring

 

  •  

Bug fixing

 

  •  

User assistance

2.1.3. Evolutive maintenance

 

  •  

Budget + time spent implementation and follow-up of every request for minor
evolution (estimate delivery, estimate validation by the client)

 

  •  

Adaptation of team size depending on workload and time changes requested by the
client

 

  •  

Management of budget progress all over the year

Arcelor Systems reserves the right to charge any additional costs for the
training and working-in period of new persons who have not worked on this
perimeter before. This in case if Arcelor Systems has to strengthen its
maintenance team in order to respond to increasing activities requested by the
customer and not foreseen in the previous quarter.

2.2. SLA

On the perimeter of the proposal, the following indicators are set up and
managed.

 

37



--------------------------------------------------------------------------------

    

During office

hours

  

Outside office
hours

Response Time Service desk

   Immediately    Immediately

Response Time preferred consultant

   During office hours    —  

Fix Time (problem solved or work-around established)

   During office hours    —  

Noble must respect ArcelorMittal security policies and guarantees that all users
of information systems delivered by Arcelor Technologies to respect the
“ArcelorMittal Security Charter” attached as Appendix 7 to this Schedule A.

2.3. Price

695€/Day

3. Additional Services Delivered by Arcelor Systems to ATB Gent

To: ATB Gent

3.1. List of Services

3.1.1. Applications in scope

 

Applications

  

Quick description in functional terms

NIPOS    System for order management and material follow-up. This system allows
the different production orders to be put on the process-systems, managed by
IAM-department. These process-systems monitor and capture the processes and send
their information back to the NIPOS system. This system allows to have a
material genealogy & traceability. ISLA    This mainframe application prints out
the necessary dispatching documents and registers the dispatching PROMA   
Problem management system for IT VERA    Dispatching application on regional
computer, managed by IAM, that interfaces with ISLA & KLOVIS RIMSES    System to
track the maintenance activities

Database Welding

Parameters

   Storage of welding and machine set-up parameters per blank. Metal Balance   
System that tracks the materials consumption and production

Mainframe end-user

environment

   All production data are available for the end-user on a separate platform

 

38



--------------------------------------------------------------------------------

3.1.2. Services

 

  •  

The provider maintains all the used software packages and informs the customer
well in advance of all modifications with noticeable impact for the customer.
Upward compatibility is foreseen.

 

  •  

If inevitable modifications must be performed, no extra costs for the customer
to originate from this, if those modifications are irrelevant to the customer.
If these modifications should involve production limitations, these should be
minimized and pre-validated by the customer

 

  •  

The provider gives the necessary training and documentation to the customer to
permit the customer to use the software services put at its disposal in an
efficient way.

3.2. SLA

 

  •  

For interventions on critical applications, the provider’s staff is available
according to the principles of the providing of helpdesk functionalities. This
helpdesk coordinates application and infrastructure responsibilities who are on
call for these applications.

 

  •  

For interventions of non-critical applications, the provider’s staff is
available during normal office hours. The tool to be used for recurrent
maintenance is for Arcelor Systems: PROMA (problem management) or via call to
helpdesk (tel + 32 9 347 30 37).

Following severity codes are defined:

 

                 

 

Priority

  

Scope

1    The system cannot be used, with critical consequences for the production
environment, the situation requires a rapid solution 2    The system is
operational. The critical activities supported by the application can be carried
out, but the fault must be repaired as soon as possible.    Production is not
adversely affected by the fault

Priority 1

 

     During office
hours    Outside office
hours

Response Time Service desk

   Immediately    Immediately

Response Time preferred consultant

   30 minutes    30 minutes

Fix Time (problem solved or work-around established)

   2 Hours    4 Hours

 

39



--------------------------------------------------------------------------------

Priority 2

 

     During office
hours    Outside office
hours

Response Time Service desk

   Immediately    Immediately

Response Time preferred consultant

   During office


hours

   —  

Fix Time (problem solved or work-around established)

   During office


hours

   —  

Arcelor Systems shall aim to remedy/deal with priority 1 incident:

 

•  

within 2 hours in 90% of cases

 

•  

within 4 hours in 95% of cases

 

•  

within 8 hours in 98% of cases.

 

•  

Within 16 hours in 100% of cases. If this last result is not reached, following
escalation procedure is foreseen:

a management team meeting is set up as soon as possible, this team consists of
Arcelor Systems, and ATB Gent. They set up an action plan and make decisions
immediately.

This result should be measured per calendar year.

3.3. Price

Based on budget chargeback mechanism of total cost. Budget reviewable at end of
every year.

4. Services Delivered by Arcelor Steel Belgium N.V. (Genk Site)

To: ATB Genk

4.1. List of services

 

•  

Network infrastructure, including dataline between TB Genk, Sikel and Arcelor
Gent

4.2. Price

 

  •  

33% of total costs dataline, 15% if total costs use and maintenance network
infrastructure

 

  •  

100% of costs for interventions on infrastructure only of interest to TBA Genk

 

40



--------------------------------------------------------------------------------

APPENDICES TO THE IT SECTION OF SCHEDULE A

APPENDIX 1 – ATB Corporate

This Appendix 1 to Schedule A to the Transition Services Agreement is the result
of the validation of the Service Catalogue “End User IT Access Products” on
May 11th, 2006

PART ONE

SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.

 

Service Description

   Estimated Value (€)

On demand project services

   mandays at 77,5 €/Hr

Workstation Services provided by AT Gent

   30.000 €/year

Workstation Services provided by AT France

   20.630 €/year

SAP services

   1.860 €/year

 

  •  

To start execution of on demand projects, both parties must agree in writing.

 

  •  

Charge back of “Workstation Services” is based on the implementation of the pay
for service model as specified in the Service Catalogue “End User IT Access
Products”.

 

  •  

Before applying changes to the Service Catalogue “End User IT Access Products”,
both parties must agree in writing.

 

  •  

For the Gent perimeter: the Lotus Notes Application “PC Bestellingen” is needed
to order items on the service catalogue. As a result of those change requests
the estimated budget changes accordingly.

 

  •  

For the French perimeter: for the moment, Cyberforms is used, but this is
phasing out and is to be replaced by “le panier commercial”

PART TWO

YEARLY BUDGET: BASIC RECURRING SERVICES

 

Service Description

   Value (€)

SAP services

  

LAN

  

WAN

  

INET + RAS

  

Div. Infrastructure

  

Lotus Notes + Mails

  

Windows servers

  

Appl. Support Mainframe

  

Mainframe EUC

  

Mainframe services

  

Application Helpdesk

        Global charge    44.939

Service Description

   Value (€)

RFQ                                                                 database

  

(2006-04-CRM-2212 TBA Domino database RFQ)

   600

 

41



--------------------------------------------------------------------------------

 

•

 

This budget does not include the new project costs nor its impact on the
recurrent services, for such new projects as are initiated by ATB Gent for
corporate since January 1st, 2007.

 

  •  

To change the perimeter of the now current portfolio of services, both parties
must agree in writing.

 

42



--------------------------------------------------------------------------------

APPENDIX 2 – ATB Gent

This Appendix 2 to the Section 1 of the Chapter 7 is the result of the
validation of the Service Catalogue “End User IT Access Products” on May 11th,
2006

PART ONE

SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.

 

Service Description

   Estimated Value (€)

On demand project services

   mandays at 77,5 €/Hr

Workstation Services

   100.920 €/year

 

  •  

To start execution of on demand projects, both parties must agree in writing.

 

  •  

Charge back of “Workstation Services” is based on the implementation of the pay
for service model as specified in the Service Catalogue “End User IT Access
Products”.

 

  •  

Before applying changes to the Service Catalogue “End User IT Access Products”,
both parties must agree in writing.

 

  •  

The Lotus Notes Application “PC Bestellingen” is needed to order items on the
service catalogue. As a result of those change requests the estimated budget
changes accordingly.

PART TWO

YEARLY BUDGET: BASIC RECURRING SERVICES

 

Service Description

   Value (€)

Open VMS Servers

   22.862

Service Description

   Value (€)

LAN

  

WAN

  

INET + RAS

  

Div. Infrastructure

  

Lotus Notes + Mails

  

Windows servers

  

Appl. Support Mainframe

  

Mainframe EUC

  

Mainframe services

  

Application Helpdesk

       

Global charge

   88.019

 

 

•

 

This budget does not include the new project costs nor its impact on the
recurrent services, for such new projects as may be initiated by ATB Gent since
January 1st, 2007.

 

  •  

To change the perimeter of the now current portfolio of services, both parties
must agree in writing.

 

43



--------------------------------------------------------------------------------

APPENDIX 3 – ATB Bremen

This Appendix 3 to Schedule A to the Transition Services Agreement is the result
of the validation of the Service Catalogue “End User IT Access Products” on
May 11th, 2006

SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.

 

Service Description

   Estimated Value (€)

On demand project services

   mandays at 77,5 €/Hr

 

  •  

To start execution of on demand projects, both parties must agree in writing.

 

44



--------------------------------------------------------------------------------

APPENDIX 4 – ATB Senica

This Appendix 4 to Schedule A to the Transition Services Agreement is the result
of the validation of the Service Catalogue “End User IT Access Products” on
May 11th, 2006

PART ONE

SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.

 

Service Description

   Estimated Value (€)

On demand project services

   mandays at 77,5 €/Hr

 

  •  

To start execution of on demand projects, both parties must agree in writing.

PART TWO

YEARLY BUDGET: BASIC RECURRING SERVICES

 

Service Description

   Value (€)

Windows Server Infrastructure

  

2006 07 CRM 2211 TBA Serveurs Senica

   4.700

 

 

•

 

This budget does not include the project costs nor its impact on the recurrent
services, for projects that as may be initiated by ATB Senica since January 1st,
2007.

 

  •  

To change the perimeter of the now current portfolio of services, both parties
must agree in writing.

 

45



--------------------------------------------------------------------------------

APPENDIX 5 – ATB Lorraine

This Appendix 5 to Schedule A to the Transition Services Agreement is the result
of the validation of the Service Catalogue “End User IT Access Products” on
May 11th, 2006

PART ONE

SERVICES CORRESPONDING TO THE SERVICE CATALOGUE.

 

Service Description

   Estimated Value (€)

On demand project services

   mandays at 77,5 €/Hr

Workstation Services provided by AT France

   104.500 €/year

Messaging

   5.000 €/year

Printers

   5.400 €/year

 

  •  

To start execution of on demand projects, both parties must agree in writing.

 

  •  

Charge back of “Workstation Services” is based on the implementation of the pay
for service model as specified in the Service Catalogue “End User IT Access
Products”.

 

  •  

Before applying changes to the Service Catalogue “End User IT Access Products”,
both parties must agree in writing.

 

  •  

For the French perimeter: for the moment, Cyberforms is used to order items on
the service catalo, but this is phasing out and is to be replaced by “le panier
commercial”. As a result of those change requests the estimated budget changes
accordingly.

PART TWO

YEARLY BUDGET: BASIC RECURRING SERVICES

 

Service Description

   Value (€)

Data storage

   6.223 €/year

Network Services

   285 €/year

AS400

   39.681 €/year

Application Servers

   20.563 €/year

Global charge

   66.752 €/year

 

 

•

 

This budget does not include the new project costs nor its impact on the
recurrent services, for such new projects as may be initiated by ATB Lorraine
since January 1st, 2007.

 

  •  

To change the perimeter of the now current portfolio of services, both parties
must agree in writing.

 

46



--------------------------------------------------------------------------------

APPENDIX 6 – List of people to be contacted

1. Escalation Procedure in incident management

 

•  

Corporate Noble service coordinator:

Leen Van Aken; Tel. +32 (0) 9 210 03 39 / / Cell phone +33 (0) 475 461 590

 

•  

Engagement Manager:

Silvia D’Haenens; Tel. +32 (0) 9 347 37 71

 

•  

Infrastructure and Operations Delivery:

 

  •  

for Belgian perimeter:

Philippe Van Rietvelde; Tel. +32 (0) 9 347 40 68 / Cell phone +33 (0) 476 900
167

 

  •  

for French perimeter:

Dominique Duport; Tel. +33 (0) 386 21 31 41 / Cell phone +33 (0) 61 103 50 86

2. Escalation Procedure in persistent non-compliance of SLA’s

 

  •  

Head of Customer Care:

Nicole Peton; Tel +33 (0) 171 92 15 47 / Cell phone +33 (0) 615 47 47 89

 

  •  

CFO:

Eric Goascoz; Tel. +33 (0) 171 92 14 18 / Cell phone +33 (0) 616 57 11 65

 

  •  

Regional manager:

for North Region:

Marc Mathei; Tel. +32 (0) 9 347 32 13 / Cell phone +32 (0) 476 98 88 87

for Centre Region:

Philippe Barolat; Tel. +33 (0) 328 25 75 05 / Cell phone +33 (0) 616 54 38 60

for the Factory:

Régis Delrue; Tel. +33 (0) 328 25 75 08 / Cell phone +33 (0) 611 05 00 29

3. Coordination of the customer relationship management

At the signature of the Agreement, the Agreement Manager designated by the
Provider is:

Engagement Manager: Silvia D’Haenens; Tel. +32 (0) 9 347 37 71

and the Agreement Manager designated by the Customer is:

Leen Van Aken; Tel. +32 (0) 9 210 03 39

 

47



--------------------------------------------------------------------------------

APPENDIX 7 TO THE IT SECTION OF SCHEDULE A:

ARCELORMITTAL INFORMATION SECURITY POLICIES

LOGO [g80433image_ex103.jpg]

ARCELORMITTAL INFORMATION

SECURITY POLICIES

 

--------------------------------------------------------------------------------

Date: 2003-12-01 / version n°

 

48



--------------------------------------------------------------------------------

1. INFORMATION SECURITY POLICIES FRAMEWORK

1.1 Background

ARCELORMITTAL is critically dependent on information and information systems. If
important information were disclosed to inappropriate persons, the company could
suffer serious losses. The good reputation that ARCELORMITTAL enjoys is also
directly linked with the way that it manages both information and information
systems. For example, if private customer information were to be publicly
disclosed, the organization’s reputation would be harmed. For these and other
important business reasons, the IS/IT steering committee has initiated and
continues to support an information security effort. One part of that effort is
the definition of the information security policies.

1.2 Scope

Involved Persons

Every worker at ARCELORMITTAL must comply with the information security policies
and related information security documents.

Every internal or external service provider must also comply with these
policies.

Involved Systems

These policies apply to all computer and network systems owned by or
administered by ARCELORMITTAL. These policies apply to all operating systems,
computer sizes, and application systems. They cover only information handled by
computers and networks.

1.3 Key actors

Corporate information Security Officer

The Corporate Information Security Officer is responsible for:

 

  •  

Establishing and maintaining ARCELORMITTAL-wide information security policies,
standards and guidelines (see definitions in point 1.8 below) in a collaborative
manner with the ARCELORMITTAL entities representatives. See Security Workgroups
below.

 

  •  

Checking compliance to ensure that organizational units are operating in a
manner consistent with the policies.

 

  •  

Managing information security training and awareness programs to ARCELORMITTAL
users.

Local Information Security Officer

There is one Local Security Officer function per IT Delivery Organization. Their
main tasks are setting up the local security compliance plan, following it up,
communicating and promoting the policies within their local entity (See point
1.4 below). In order to fulfill these tasks, the Local Security Officer must
have a global view across all security domains within his or her entity. There
is one security domain per security policy. The seven security domains are:

 

49



--------------------------------------------------------------------------------

  1. Protection against malicious code

 

  2. Vulnerabilities management and secured configurations

 

  3. Logical access controls

 

  4. Network security

 

  5. Data back-up

 

  6. Disaster recovery

 

  7. Charter.

Security Workgroups

Each security domain is tackled by one specific security workgroup. This
workgroup contains technical experts from ARCELORMITTAL IT Delivery
Organizations having the best knowledge about one security domain.

These small workgroups first main task is defining the security policies with
the corporate security officer.

Following the security policies validation by the IT Steering Committee, this
workgroup to possibly choose the best technology to implement them and to write
the implementation standards and best practices to be used by all the IT
delivery organizations. E.g. writing system hardening checklist in the framework
of the secured configurations policies.

IT Steering Committee

The IT Steering Committee validates the information security policies.

Internal audit

The internal audit can be asked by a Business Unit to audit their security
position against the security policies.

Three operational responsibilities: Owner, Custodian and User

In order to make the policies operational, three categories of persons are
defined, at least one of which applies to each ARCELORMITTAL Group member. These
categories are Owner, Custodian, and User. These categories define general
responsibilities with respect to information security.

Owner Responsibilities

Information Owners are the department managers, members of the top management
team, or their delegates within ARCELORMITTAL who bear responsibility for the
acquisition, development, and maintenance of production applications that
process ARCELORMITTAL information. Production applications are computer programs
that regularly provide reports in support of decision making and other business
activities.

All production application system information must have a designated Owner.

For each application, Owners, based on the information sensitivity, define which
users to be granted access, and approve requests for various ways in which the
information to be utilized.

 

50



--------------------------------------------------------------------------------

Custodian Responsibilities

Custodians are in physical or logical possession of either ARCELORMITTAL
information or information that has been entrusted to ARCELORMITTAL. While IT
department staff members clearly are Custodians, local system administrators are
also Custodians. Whenever information is maintained only on a personal computer,
the User is also a Custodian. Each type of production application system
information must have one or more designated Custodians.

Custodians are responsible for safeguarding the information, including
implementing access control systems to prevent inappropriate disclosure, and
making backups so that critical information not to be lost. Custodians are also
required to implement, operate, and maintain the security measures defined by
information Owners.

User Responsibilities

Users are responsible for familiarizing themselves with and complying with all
ARCELORMITTAL policies, standards and guidelines dealing with information
security. Particularly the ARCELORMITTAL Charter when it will be completed. In a
first step, advices in using the data processing resources to be published. A
recurrent awareness program, managed by the Information Security Committee, to
help in maintaining good user behavior.

 

51



--------------------------------------------------------------------------------

1.4 The baseline policies and their target

The priority policies that have been worked out by small group of technical
people (member of the above custodian category) cover the following information
security topics:

 

•  

Protection against malicious code

 

•  

Vulnerabilities management and secured configurations

 

•  

Logical access control

 

•  

Network security

 

•  

Data back-up

 

•  

Business Continuity Planning and Disaster Recovery Planning (BCP and DRP)

 

•  

Advices to users in using the data processing resources

These policies to be communicated according the following chart:

 

     Owner
(Within the
Business
Community)   

Custodian

(Within the IS/IT
community)

   Users

Protection against malicious code

      X   

Vulnerabilities management and secured configuration

      X   

Logical access control

   X    X   

Network security

   X    X   

Data back-up

   X    X   

BCP and DRP

   X    X   

Advices to users in using the data processing resources

   X    X    X

Every ARCELORMITTAL Group member to receive only the policies in which they are
involved.

The Local Information Security Officers to relay the policies within their
scope.

1.5 Legal Affairs link

The present Policy must be notified to every Service Provider or external entity
that is granted an access to our internal network, prior to any access.
Notification can be made via the contract: for that purpose, the present policy
may be attached to the contract with said entity as a binding document.

1.6 Critical systems

Beyond the baseline controls applied to every data processing platform, the
information owners to identify additional needs in security measures in order to
increase the security level of critical systems. In that case, risk analysis to
be used to be sure the extra cost to be less than the risk itself.

 

52



--------------------------------------------------------------------------------

1.7 Non-compliance

In rare cases, a business case for non-compliance can be established. In all
such cases, the non-compliance situation must be approved in advance through a
risk acceptance process. This process requires a risk acceptance memo signed by
a department manager and approved by the Information System Security Committee.

1.8 Definitions

Policy

A policy is typically a document that outlines specific requirements or rules
that must be met. In the information/network security realm, policies are
usually point-specific, covering a single area. For example, an “Acceptable Use”
policy would cover the rules and regulations for appropriate use of the
computing facilities.

Standard

A standard is typically collections of system-specific or procedural-specific
requirements that must be met by everyone. For example, you might have a
standard that describes how to harden a Windows NT workstation for placement on
an external (DMZ) network. People must follow this standard exactly if they wish
to install a Windows NT workstation on an external network segment.

Guideline

A guideline is typically a collection of system specific or procedural specific
“suggestions” for best practice. They are not requirements to be met, but are
recommended.

2. PROTECTION AGAINST MALICIOUS CODE POLICIES

2.1 Abstract

Computer viruses and other forms of malicious code are constantly being
developed and transmitted via many methods to unsuspecting computer users around
the world. The purpose of this policy is to ensure that ARCELORMITTAL-controlled
system assets are suitably protected. This can be accomplished via an
appropriate mix of preventive measures, including policy, anti-virus software.
Education and awareness programs can also play an important role.

 

53



--------------------------------------------------------------------------------

2.2 Definitions

System Assets

System assets include information, hardwares, softwares and services required to
support the functions of the ARCELORMITTAL Business Units

Malicious code

Malicious code is a catch-all term used to refer to various types of software
that can cause problems or damage computers. The more common classes of program
referred to as malicious code are viruses, worms, Trojan horses and macro
viruses.

Virus

A virus is malicious code that replicates itself. New viruses are discovered
daily. Some exist simply to replicate themselves. Others can do serious damage
such as erasing files or even rendering the computer itself inoperable.

Worm

A worm is similar to a virus. They replicate themselves like viruses, but do not
alter files like viruses do. The main difference is that worms reside in memory
and usually remain unnoticed until the rate of replication reduces system
resources to the point that it becomes noticeable, e.g. when they generate high
network traffic.

Trojan horses

A Trojan horse is called such as a reference to the story of the Trojan horse
from Greek legend. It is a malicious program disguised as a normal application.
Trojan horse programs do not replicate themselves like a virus, but they can be
propagated as attachments to a virus. Such a malicious code can be used for an
unauthorized person to get remote control of the platform on which it has been
furtively installed.

Macro Viruses

A macro virus is a computer virus that “infects” a Microsoft Word or similar
application and causes a sequence of actions to be performed automatically when
the application is started or something else triggers it. Macro viruses tend to
be surprising but relatively harmless. A typical effect is the undesired
insertion of some comic text at certain points when writing a line. A macro
virus is often spread as an e-mail virus. A well-known example in March, 1999
was the Melissa virus.

Anti-Virus Software

A commercially available computer program that detects and eradicates malicious
code.

 

54



--------------------------------------------------------------------------------

Signatures

Known virus patterns used by anti-virus software to detect known viruses. The
signatures are contained in a file regularly updated with new viruses
information by the anti-virus software provider.

Red Alert State

The Red alert state is declared when a new virus has been detected somewhere in
the world, and new signatures are not yet available from the anti-virus
provider. Should this new virus enter the internal ARCELORMITTAL network, it
would be impossible for the used anti-virus software to detect it. So, it’s a
critical period of time until the new signatures are received and made
operational.

Hoax

A virus hoax is a false warning about a computer virus. Typically, the warning
arrives in an e-mail note or is distributed through a note in a company’s
internal network. These notes are usually forwarded using distribution lists and
they will typically suggest that the recipient forward the note to other
distribution lists.

2.3 Protection Against Malicious Code policies

2.3.1. Any software or files entering the ARCELORMITTAL internal network must be
screened for virus by anti-virus software before general distribution, whatever
the media.

2.3.2. Anti-virus software must be installed and continuously enabled on all
ARCELORMITTAL Internet gateways, FTP servers, mail servers, infrastructure
servers, application servers and desktop machines. MVS Operating Systems are out
of scope.

2.3.3. Signatures updates must be done automatically on a regular basis without
any user action. System administrator must take care to update the engine when
necessary. See standard 2.4.1. on next page.

2.3.4. All emails entering the ARCELORMITTAL internal network must be screened
by an anti-virus software package.

Anti-virus update frequency must be very high at these entry points. See
standard 2.4.1. on next page.

2.3.5. Compliance with software licenses is mandatory, in case of new
installation as well as extension of a product already used. Prohibiting the use
of unauthorized software is a key factor in malicious code protection.

2.3.6. All file sharing must be access control protected.

2.3.7. Any systems without anti-virus software must be isolated from the
ARCELORMITTAL network in order to avoid potential spreading of virus. These
systems can only have access to a restricted number of protected devices inside
the ARCELORMITTAL internal network. MVS Operating Systems are out of scope.

 

55



--------------------------------------------------------------------------------

2.3.8. Systems that are virus-infested must be immediately cleaned or
disconnected from the ARCELORMITTAL network.

2.3.9. All known executable files attached to an external e-mail must always be
blocked in order to mitigate any new virus spreading. See standard 2.4.2 on next
page.

2.3.10. The present Policy must be notified to every Service Provider or
external entity that is granted an access to our internal network, prior to any
access. Notification can me made via the contract: for that purpose, the present
policy may be attached to the contract with said entity as a binding document.

The following statements are user oriented, but must be taken in account by this
policy target people working in the malicious code protection area:

2.3.11. Users must not attempt to remove a computer virus from any system unless
they do so while in communication with a system administrator.

2.3.12. Users must not employ any electronic mail addresses other than official
ARCELORMITTAL electronic mail addresses for all company business matters.

2.3.13. Users must not open electronic mail attachments unless they were
expected from a known and trusted sender, and unless these attachments have been
scanned by an approved anti-virus software package.

2.3.14. When users receive unwanted and unsolicited electronic mail, they must
forward the message to the electronic mail administrator, or to their ordinary
contact, only and not respond directly to the sender.

2.4 Protection Against Malicious Code Standards

2.4.1. These updates and scan frequencies must be applied to the different
platforms:

 

Platform

  

Update frequency

  

Scan frequency

SMTP relay    At least every three hours    N/A Internet interface (http, ftp,…)
   At least every three hours    N/A Infrastructure servers    Every day    Once
per week Application servers    Every day    Once per week Workstations    Every
day    Not mandatory

2.4.2. All the following known attachments must be blocked:

 

56



--------------------------------------------------------------------------------

BAT    Batch File CHM    Compiled HTML Help File CMD    Windows NT Command
Script COM    MS-DOS Application CPL    Control Panel Extension EXE   
Application HLP    Help File HTA    HTML Applications INF    Setup Information
File INS    Internet Communication Settings ISP    Internet Communication
Settings JS    JScript File JSE    JScript Encoded Script File LNK    Shortcut
MSC    Microsoft Common Console Document MSI    Windows Installer Package MSP   
Windows Installer Patch PCD    Photo CD Image or Microsoft Visual Test Compiled
Script PIF    Shortcut to MS-DOS Program REG    Registration Entries SCR   
Screen Saver SCT    Windows Script Component SHB    Document Shortcut File SHS
   Shell Scrap Object VB    VBScript File VBE    VBScript Encoded Script File
VBS    VBScript Script File WSC    Windows Script Component WSF    Windows
Script File WSH    Windows Scripting Host Settings File

2.5 Protection Against Malicious Code Guidelines

2.5.1 In case red alert:

 

•  

All incoming mail should be blocked;

 

•  

Alert messages towards the end users at the time the red alert state is
discovered and at the end of this state should be sent.

2.5.2. In case of high virus activity period, the server anti-virus should be
activated for all in-going and out-going flows.

2.5.3. The e-mail pre-view function should be disabled for incoming and
suppressed mail, in order to avoid automatic code execution.

 

57



--------------------------------------------------------------------------------

3. VULNERABILITIES AND SECURED CONFIGURATION MANAGEMENT POLICIES

3.1 Abstract

System components security vulnerabilities and exposures are regularly
discovered and documented on Internet. Approximately six vulnerabilities are
published per day across all type of platforms. Moreover, platform default
configuration parameters are not security minded. These policies prescribe
preventive measures to ensure that at any time, the platforms security levels
are maintained at an optimum level. Particularly for the more exposed platforms
in the DMZ, that is to say, the platforms the nearest of Internet.

3.2 Definitions

Vulnerability

A flaw or weakness in system design that can be exploited to violate the system
security.

Threat analysis

A vulnerability measurement that includes the susceptibility of a particular
system to a specific attack, and the opportunities available to a threat agent
to mount that attack.

Secured configuration

A secured configuration is a configuration whose default security parameters
leading often to low platform security level have been scrutinized in order to
reinforce the platform security level. This system hardening process include
also the removal of all unnecessary system features or services in order to
dissuade and defeat intrusion or security breach attempts

3.3 Vulnerabilities and Secured Configuration Management policies

3.3 1. Every ARCELORMITTAL computers or computers used inside the ARCELORMITTAL
infrastructure must be configured according to security requirements published
by the ARCELORMITTAL Information Security Committee.

3.3.2. There must be a vulnerability management process in place in each
ARCELORMITTAL IS/IT entity. This process must include:

 

•  

Vulnerabilities capturing from warnings, provider alarms or attack simulation
(scan) on a regular basis.

 

•  

Vulnerabilities threat analysis whose conclusion can be to apply or not to apply
security measures such as patches or reconfiguration,…

 

•  

Applying security measures in the framework of change management process.

3.3.3. All critical systems, especially those directly connected to the Internet
must be subjected to an automated threat analysis

 

58



--------------------------------------------------------------------------------

performed by vulnerability identification software at least once a month.
Moreover, this threat analysis must also be performed immediately after any
change in system or software configuration.

3.3.4. Any vulnerability identification software or other tools that could be
used to compromise the security of information systems must not be found on any
computer without formal authorization by the local information security officer.

Detailed inventory of such tools must be maintained by the local security
officer.

3.3.5. Specific information about information system vulnerabilities, such as
the details of a recent system break-in, must not be distributed to persons who
do not have a demonstrable need to know.

3.3.6. Any information about information systems security events is to be
considered as confidential, unless compelled by the law. As a consequence, any
public disclosure is strictly prohibited.

3.3.7. Everybody must report all suspected information security incidents as
quickly as possible through the approved ARCELORMITTAL internal channels only,
that is to say not to discuss about with other people.

ARCELORMITTAL internal channels are based on local IS/IT specific coordination
and its link to the ARCELORMITTAL Information Security Committee.

3.3.8. When a new and serious information systems security vulnerability
associated with a particular vendor’s hardware or software is discovered, it
must be immediately documented in detail and reported in written to the vendor
by the IT staff. All elements that could be used as a direct or indirect
evidence of the problem and its consequences have to be immediately archived and
secured.

3.4 Vulnerabilities and Secured Configuration Management Standards

3.4.1. As an example, security standard configuration documents must at least
contain these following items:

 

•  

All vendor-supplied default passwords must be changed before any computer or
communications system is used for ARCELORMITTAL business.

 

•  

Services to let open

 

•  

Remove unused software

 

•  

……

3.4.2. There must be one security standard configuration per platform type.

As far as the servers are concerned, the NT4, 2000, 2003 and LINUX platforms
must at least be covered.

As far as the workstation are concerned, the NT4, 2000 and XP platforms must at
least be covered.

 

59



--------------------------------------------------------------------------------

3.4.3. There must also be one security standard for all used application
platform, such as SQL server, Oracle, IIS, Apache, ……

3.5 Vulnerabilities and Secured Configuration Management Guidelines

3.5.1. All ARCELORMITTAL critical computers and servers should run on a regular
basis integrity checking software that detects changes in configuration files,
system software files, application software files, and other system resources.

3.5.2. When vulnerability identification software is not being actively used, it
should be removed from the system on which it has been run.

4. LOGICAL ACCESS CONTROL POLICIES

4.1 Abstract

The logical access control consists of four pillars: These are identification,
authentication, authorization, and last but not least monitoring.

Authorization is based on a person identified by a user ID well authenticated,
whom are granted the system privileges and / or the access rules necessary to
perform her / his task.

In terms of baseline controls, authentication by password can be considered as a
good minimum security level, provided the management of the user IDs, password
and authorization are compliant with the policies presented below.

By ensuring that only an involved end user knows his or her own password, it
permits system activity logged with a corresponding personal user ID to be
uniquely attributable to a certain user.

The information owner is responsible for validating access requests to her or
his applications and data.

The hereafter policies are structured based on the four access control pillars:

 

1. Identification

 

2. Authentication

 

3. Authorization

 

4. Monitoring

 

60



--------------------------------------------------------------------------------

4.2 Definitions

Identification and User ID

In order to get access to an information system, a user has to identify himself
to the information system access control system by entering a specific code
called user ID. This user ID is defined and provided by a local security
administration team based on a validated request.

Authentication

Authentication is the process of determining the true identity of someone. Basic
authentication is simply using a password to verify that a user is who he says
he is. In that case, authentication is based on something the user knows.
Stronger authentication mechanism can also be used accordingly to the
sensitivity of information accessed:

 

  •  

Tokens and smart cards are authentication devices authenticating a user based on
something he knows (Personal identification number comparable to a password) and
something he has (the token or the smart card).

 

  •  

Biometrics devices are device authenticating a user based on what he is, e.g.
based on fingerprints or retina scans.

Authorization

Once a user has been authenticated, authorization establishes what resources he
can access and what he is allowed to do with these resources.

4.3 Policies

4.3.1. IDENTIFICATION

4.3.1.1 User registration

4.3.1.1.1. All user IDs on ARCELORMITTAL computers and networks must be
constructed according to the user ID construction standard used by local IS/IT
delivery organization registering the user for the first time.

4.3.1.1.2. Each computer and communication system user ID must uniquely identify
only one user.

Shared or group user IDs must not be created or used except in the cases where
personnel is working in shifts with restricted access. In that latter case, a
responsible has to be namely designated. Any other exception must be approved by
the Local Security Officer.

4.3.1.1.3. Every user must have a single unique user ID and a personal secret
password for access to ARCELORMITTAL multi-user computers and computer networks.
Whenever possible, these user IDs must be the same on every computer system. The
user IDs must not be reassigned after a user terminates her or his relationship
with ARCELORMITTAL.

 

61



--------------------------------------------------------------------------------

4.3.1.1.4 When a user moves from one entity to another inside the ARCELORMITTAL
Group, he or she keeps his or her user ID.

4.3.1.1.5. Every user ID established for a non-ARCELORMITTAL employee must have
a specified expiration date, with a default expiration of 30 days when the
actual expiration is unknown. In the case userID expiration is not automated,
the contracting authority must alert the IT Delivery Organization for explicit
expiration at the time the non-ARCELORMITTAL employee contract is terminated.

4.3.1.1.6. All ARCELORMITTAL information systems user IDs must be promptly
terminated at the time that a worker ceases to provide services to
ARCELORMITTAL.

4.3.1.1.7. All user IDs must automatically be revoked after a 90-day period of
inactivity.

4.3.1.1.8. Whenever ARCELORMITTAL opens a new user ID, authentication of the
user identity must be done in a definitive manner.

4.3.1.1.9 All requests for a user ID on ARCELORMITTAL multi-user systems must be
submitted on a completed system access request form that is authorized by the
user’s immediate manager.

4.3.1.2 Automatic terminal Identification

4.3.1.2.1 When terminal identification is used to authenticate a terminal
connection to a specific location, the physical access to the terminal must be
restricted to those workers with a need to know. These terminals can only be
found in an assembly line function in a manufacturing facility to ensure an
uninterrupted flow of product and services.

4.3.1.3 Log-on procedures

4.3.1.3.1. All workstations including, but not limited to, personal computers,
portable computers, transportable computers, and handhelds, must employ an
access control system approved by the ARCELORMITTAL Information Security
Committee.

4.3.1.3.2. Password-protected screensavers must be configured and permanently
activated on any active terminal such as workstation.

4.3.1.3.3. ARCELORMITTAL application systems developers must consistently rely
on the access controls provided by operating systems, commercially-available
access control systems that enhance operating systems, gateways or firewalls,
and must not construct other mechanisms to collect access control information,
or construct or install other mechanisms to identify or authenticate the
identity of users without the advance permission of the ARCELORMITTAL
Information Security Committee.

 

62



--------------------------------------------------------------------------------

4.3.1.4 Log-on procedure guidelines

4.3.1.4.1. When logging into an ARCELORMITTAL computer or data communications
system, if any part of the logon sequence is incorrect, the user should be given
only feedback that the entire logon process was incorrect.

4.3.1.4.2. Every logon screen for multi-user computers should include a special
notice that must state that the system may only be accessed by authorized users,
users who logon represent that they are authorized to do so.

4.3.1.4.3. At logon time, every user should be given information reflecting the
last logon time and date.

4.3.2. AUTHENTICATION

4.3.2.1 User Password Management

4.3.2.1.1. First or newly issued passwords must expire, forcing the user to
choose another password during the first logon process.

4.3.2.1.2 The initial password for a new user must be securely provided.

4.3.2.1.3. All ARCELORMITTAL computer systems that employ fixed passwords at log
on must be configured to permit only six attempts within a day to enter a
correct password, after which the user ID is deactivated and can only be reset
by the Help Desk staff or system administrator after authenticating the user’s
identity.

4.3.2.1.4. Passwords must never be hard-coded into software.

4.3.2.1.5. Security administrators may only disclose passwords to a user
provided his or her identity has been proven, and only in the following cases: a
new user ID is being assigned, the involved user has forgotten or misplaced her
or his password, the involved user is locked out.

4.3.2.2 User Password Management guideline

4.3.2.2.1. All fixed password resets or changes must be promptly confirmed by
regular mail so that the authorized user can readily detect and report any
fraudulent or abusive behavior. This mail must contain instructions to the user.

4.3.2.2.2 If a privileged user ID has been compromised by an intruder or another
type of unauthorized user, all passwords on that system should be immediately
changed.

4.3.2.3 Password management systems

4.3.2.3.1. All passwords must have at least six characters and its length must
always be checked automatically at the time that users construct or select their
password.

 

63



--------------------------------------------------------------------------------

4.3.2.3.2. Users must not construct passwords that are identical to the five
passwords that they had previously employed.

4.3.2.3.3. Users must not be able to successfully modify their password more
than one time a day.

4.3.2.3.4. All user passwords must not be easily guessable.

4.3.2.3.5. The display and printing of passwords must be masked, suppressed, or
otherwise obscured so that unauthorized parties not to be able to observe or
subsequently recover them.

4.3.2.3.6. Unencrypted passwords must not be recorded in system logs.

4.3.2.3.7. Passwords must always be encrypted when held in storage.

4.3.2.3.8. ARCELORMITTAL information systems must never store any access control
information in cookies deposited on, or stored on, end-user computers.

4.3.2.4 Password management guidelines

4.3.2.4.1 All users should be automatically required to change their passwords
at least once every 90 days.

4.3.3. AUTHORIZATION

4.3.3.1 Privilege management

4.3.3.1.1. The computer and communications system privileges of all users,
systems, and programs must be restricted based on the need to know.

4.3.3.1.2. System administrators managing multi-user computer systems must have
at least two user IDs, one that provides privileged access, and the other to
perform her or his normal day-to-day work.

4.3.3.1.3. Current records reflecting all the system privileges the users have
on all the computer systems must be maintained.

4.3.3.1.4. The system privileges granted to every user must be reevaluated by
the user’s immediate manager every year to determine whether currently-enabled
system privileges are needed to perform the user’s current job duties.

4.3.3.1.5. The number of privileged user IDs must be strictly limited to those
individuals who absolutely must have such privileges for authorized purposes.

4.3.3.1.6. Attribution of system privileges must be approved by the IS/IT
management.

 

64



--------------------------------------------------------------------------------

4.3.3.1.7. Special system privileges, such as the ability to examine the files
of other users or to change the security state of the system, must be restricted
to those directly responsible for system management or security, and granted
only to those who have attended an approved system administrator training class.

4.3.3.2 Privilege management guideline

4.3.3.2.1. When technically possible, system privileges should be defined so
that non-production staff including, but not limited to, internal auditors,
information security administrators, and computer operators are not permitted to
update production business information.

As far as the programmers are concerned, their intervention must be fully
justified and documented.

4.3.3.3 User access rights

4.3.3.3.1. Users access rights must be restricted based on the need to know.

4.3.3.3.2. Users access rights must be approved by the information owner.

4.3.3.3.3. The users access rights to sensitive information must be reevaluated
by the information owner every year to determine whether currently-enabled
access rights are needed to perform the user’s current job duties.

4.3.3.3.4. All requests for user access rights to ARCELORMITTAL multi-user
systems must be submitted on a completed system access request form that is
authorized by the user’s immediate manager.

4.3.4. MONITORING

4.3.4.1. All computer systems running ARCELORMITTAL production application
systems must include logs that record, at a minimum, user session activity
including user IDs, logon date and time, logoff date and time, and applications
invoked, changes to critical application system files, additions and changes to
the privileges of users, and system start-ups and shut-downs)

4.3.4.2. All production application systems that handle sensitive ARCELORMITTAL
information must generate logs that capture every addition, modification, and
deletion to such sensitive information.

4.3.4.3. Computer systems handling sensitive, valuable, or critical information
must securely log all significant security relevant events including, but not
limited to, password guessing attempts, attempts to use privileges that are not
authorized, modifications to production application software, and to system
software.

4.3.4.4. Computerized logs containing security relevant events about critical
systems must be securely retained for at least three months, during which time
they must be secured such that they cannot be modified, and such that they can
be read only by authorized persons. If more than three-month retention is
requested by the information owner, it is mentioned in an SLA contract.

 

65



--------------------------------------------------------------------------------

4.3.4.5. All user ID creation, deletion, and privilege change activity performed
by system administrators and others with privileged user IDs must be securely
logged.

5. NETWORK SECURITY POLICIES

5.1 Abstract

Communication networks vehicle information and provide access to information
systems. They are highly vulnerable to disruption and abuse. So, safeguarding
business communications require robust and secure network design and strict
control by ARCELORMITTAL over all types of access paths.

5.2 Policies

5.2.1 General principles

5.2.1.1 Only ARCELORMITTAL controlled computers are allowed to access the
ARCELORMITTAL internal network.

5.2.1.2 All computer systems and network segments must meet the security
criteria established by Information Security Committee before it can be
connected to the ARCELORMITTAL network.

5.2.1.3 No one is allowed to modify the network and telecommunication
infrastructure, except under control of the local IT team.

5.2.1.4 The establishment of a direct connection between ARCELORMITTAL systems
and computers at external organizations must be secured.

5.2.2 Internet connections

5.2.2.1 There must not be any direct connection between internal network and
Internet. Two levels of different gateways (internal, external) must be
implemented to ensure optimum protection. E.g. one router and a firewall.

5.2.2.2 All web servers accessible through the Internet must be protected by a
secured gateway and must be placed on subnets separate from internal
ARCELORMITTAL networks.

5.2.2.3 All Internet access from computers in ARCELORMITTAL offices must be
routed through a secured gateway.

5.2.2.4 Secured gateway configuration rules must only be changed based on
business needs, documented, and in compliance with the ARCELORMITTAL security
rules.

 

66



--------------------------------------------------------------------------------

5.2.2.5 All publicly-modifiable directories on ARCELORMITTAL Internet-connected
computers are prohibited. If a need to deposit and share information among the
ARCELORMITTAL community appears, the ARCELORMITTAL portal usage is mandatory.

5.2.2.6 User Internet access must be approved by the relevant user direct
manager who assures that the user has a demonstrable business need for such
access.

5.2.3 Remote accesses

5.2.3.1 Usage of modems is prohibited on computers connected to the internal
network.

5.2.3.2 All remote accesses through a public network to the ARCELORMITTAL
internal network with full access, privileged access or access to sensitive
information must employ stronger user authentication.

(This statement is still pending)

5.2.4 Wireless LAN

5.2.4.1 ARCELORMITTAL wireless installation must be approved by the local IT
team

5.2.4.2. ARCELORMITTAL wireless networks must always be configured to employ
encryption and access control.

5.2.5 Physical and Logical Access to Network devices

5.2.5.1 All business-critical devices supporting the ARCELORMITTAL telephone
system, intranet, local area networks, and the wide area network must be
centralized in dedicated rooms with at least physical access controls and
environmental monitoring systems.

5.2.5.2 All ARCELORMITTAL internal network devices must be password-protected
and passwords must be changed from installation defaults.

5.2.6 Application system design

5.2.6.1 ARCELORMITTAL systems designers and developers must restrict their usage
of external network interfaces and protocols to those that have been expressly
approved by Information Security Committee.

5.2.6.2 When designing ARCELORMITTAL Internet web application gathering of
personal data, compliance with local laws must be ensured.

5.2.6.3 The internal system addresses, configurations, and related system design
information for ARCELORMITTAL networked computer systems must be restricted such
that both systems and users outside the ARCELORMITTAL internal network cannot
access this information

 

67



--------------------------------------------------------------------------------

5.2.7. Network monitoring

5.2.7.1 All Internet-connected web servers must be protected by a network-based
intrusion detection system approved by the Information Security Committee.

5.2.7.2 The Local Security Officer must maintain a current inventory of all
connections to external networks.

5.2.8 Critical networks and servers

5.2.8.1 All ARCELORMITTAL critical network services must be identified by the
business community. These critical servers to have their security level improved
with the hereafter policies.

5.2.8.2 In terms of availability, management must design communications networks
so that no single point of failure could cause critical network services to be
unavailable.

5.2.8.3 Due to the ARCELORMITTAL trusted network across all the ARCELORMITTAL
entities which is crossing national and organizational boundaries, there must
have separately-defined logical domains, each protected with suitable security
perimeters and access control mechanisms in order to host critical servers.

5.2.8.4 All critical internal networks must be configured such that they can
prevent or detect attempts to connect unauthorized computers.

5.2.8.5 Every high-security and high-reliability system managed by or owned by
ARCELORMITTAL must have its own dedicated computers and networks

5.2.8.6 All critical Internet-connected systems used for production purposes
must employ integrity assessment tools.

5.2.8.7 A host-based intrusion detection system approved by the Information
Security Committee must be continuously running on all ARCELORMITTAL critical
servers that are connected to any outside network.

6. DATA BACK-UP POLICIES

6.1. In order to prevent loss of essential information and software, back-up
versions of essential information and software used by the applications must be
taken regularly, according to a defined cycle.

6.2. The retention period for essential business information, and also any
requirement for archive copies to be permanently retained, must be determined.
Retention period is a key factor in case of logically corrupted data.

 

68



--------------------------------------------------------------------------------

6.3. In order to be compliant with the needs of the business continuity planning
/ Disaster recovery planning (disaster), information and software backups must
be stored in an environmentally protected and access-controlled site that is a
sufficient distance away from the originating facility.

6.4. Nomad users must make their own data backup accordingly to the local
procedures.

6.5. Back-up information must be given an appropriate level of physical and
environmental protection similar to the one applied at the main site.
Particularly, all areas where backup media is stored must be kept fully closed
when not in active use.

6.6. Data back-ups should be given a level of logical access similar to the one
to the data backed-up.

6.7. Back-up media should be regularly tested, where practicable, to ensure that
they can be relied upon for emergency use when necessary.

6.8. Computer media storage procedures must assure that back-up or archive
information stored for prolonged periods of time are not lost due to
deterioration, and are periodically tested for reliability.

7. BCP/DRP SECURITY POLICIES

7.1 Abstract

An ARCELORMITTAL Business Unit process for developing and maintaining both
business contingency plans and computer contingency plans must be documented and
maintained by Information Systems management in order to be compliant with the
hereafter policies 1 to 7.

It is worth mentioning that the planning process itself ordinarily would involve
areas such as:

 

•  

identification and prioritization of critical business processes, based on risk
analysis,

 

•  

documentation of procedures and processes,

 

•  

identifying and assigning responsibility for handling emergencies and disasters,

 

•  

education of staff,

 

•  

periodic testing of plans.

7.2 BCP/DRP Security Policies

7.2.1. In conjunction with the information Owners, Information Systems
Management must perform a business impact analysis that will specify the degree
of criticality of all production multi-user computer applications. The
criticality must be representative of the maximum period that the ARCELORMITTAL
BU can go without critical information processing services, the time period in
which management must decide whether to activate the recovery plan, and the
minimum acceptable production information systems recovery configuration.

 

69



--------------------------------------------------------------------------------

7.2.2. Information Systems management must establish and use a logical framework
for classifying all information resources by recovery priority that will permit
the most critical information resources to be recovered first.

See guideline 1.

7.2.3. Management must prepare, periodically update, and regularly test a
business recovery plan that specifies how alternative facilities to be provided
so that workers can continue operations in the event of a business interruption.
Updating must be done after any modification relative to any theme of the plan.
Testing must be done every year.

In addition of the normal services restoration procedures, the business recovery
plan must include:

 

•  

The roles and responsibilities for both information systems contingency planning
and information systems recovery. These roles and responsibilities must also be
reviewed and updated by Information Security management.

 

•  

Manual procedures in case of critical business activities could reasonably be
performed in that way.

 

•  

A call tree indicating every available telephone number for every worker
involved in information-systems-related contingency planning, and disaster and
emergency response. This call tree must also be tested and updated.

7.2.4. The workers playing a role in recovery operations with an ARCELORMITTAL
Business Unit information systems must be identified and must have the technical
knowledge needed to perform each essential recovery task.

7.2.5. User department management and Information Technology management must
agree and document the support levels that to be provided in the event of a
disaster or emergency.

7.2.6. The business recovery test must be followed up with a brief report to top
management detailing the results.

7.2.7. Business and information systems contingency plans must be continuously
accessible.

7.2.8. All contracts to be signed with Service Providers in the scope of the
present Policy are subject to close legal scrutiny from ARCELORMITTAL’s Legal
Affairs, e.g. as regard to liability and insurance Clause.

7.3 BCP/DRP Security Guideline

7.3.1. Levels of criticality (as an example)

 

•  

highly critical (very high availability – strategic level) The maximum period
that the ARCELORMITTAL BU can go without critical information processing
services is less than four hours without data loss.

 

70



--------------------------------------------------------------------------------

•  

Critical (high avaibility – critical level)

The maximum period that the ARCELORMITTAL BU can go without critical information
processing services is less than one day without data loss.

 

•  

Sensible (Standard avaibility – sensible level)

The maximum period that the ARCELORMITTAL BU can go without critical information
processing services is less than two days. Data loss less than one working day.

 

•  

Weak (low availability – low level)

 

•  

The maximum period that the ARCELORMITTAL BU can go without critical information
processing services is more than two days. Data loss less than one working day.

8. BEHAVIOR ADVICE TO USERS TO IMPROVE THE SECURITY LEVEL

8.1 Password management

8.1.1. Always choose a password not guessable.

8.1.2. Never write down your password and leave it in a place where unauthorized
persons might discover it.

8.1.3. Change regularly your password. Change it immediately if you suspect an
unauthorized usage of your user ID by another person (The last connection date
and time can prove it).

8.1.4. By keeping your password not guessable and confidential, you ensure
somebody else can not use your user ID in order to benefit from your information
access.

8.2 Locking an unattended workstation

8.2.1. Always activate the password-protected screensaver when you leave your
desk.

8.2.2. Configure the screensaver so that it will automatically activate itself
after 10 to 15 minutes.

8.3 Social engineering

8.3.1 Never answer request for any confidential information such as your
password from somebody you do not know, even if he or she claims to be, for
example, an expert who needs it for troubleshooting.

8.4 Data back-ups

8.4.1 Make regular data backups accordingly to the local procedure in order to
prevent loss of your information. If you use a desktop, this can be done
automatically by your local IS/IT team procedures. In that latter case, please,
ensure it.

 

71



--------------------------------------------------------------------------------

8.5 Virus protection

8.5.1 Always keep your anti-virus up-to–date (in the case it is not yet done
automatically by the infrastructure).

8.5.2 Never open a mail and attachments coming from unknown source.

8.5.3 Be aware that an encrypted documents are not virus screened.

8.5.4 If you suspect an infection by a virus, immediately shut-down your PC,
make no attempt to eradicate the virus and call the help desk.

8.5.5 When receiving a virus alert message which is not coming from your local
IS/IT team, do not send this message all around you. Instead, transfer it only
to the IS/IT team for analysis.

8.5.6 Be aware that creating non-protected share can cause virus spreading
through the share. So, if you create a share, always protect it by a password.

8.6 Security incident reporting

8.6.1 Always call your local help desk.

8.7 Confidential information protection at printing time (as well in
communicating and storing the information)

8.7.1 Confidential information is to be protected not only on your workstation
and during communication, but also when you print it on a shared printer.

*                                *      
                          *                                 *

 

72



--------------------------------------------------------------------------------

SCHEDULE B

TO THE TRANSITION SERVICES AGREEMENT

NOBLE SERVICES

1. SERVICES PROVIDED BY ATB BREMEN (“Storage Provider”) TO ARCELOR BERMEN GMBH
(“ABG”)

1. Preamble:

Connecting rail: Connecting rail Tailored Blank Bremen

Opening hours of the storage: Monday to Friday from 6 AM to 10 PM and by
individual agreement

Services generally, logistics, turnover

The storage and the timely delivery of steel, delivered in coils and packages to
ABG customers.

ABG handles the transportation to the storage by truck, train, coil carrier,
etc.

Any and all turnover activities by the Storage Provider must be carried out in a
material protecting, corrosion avoiding manner, and, if possible, indoors. The
storage must be clean and free of odor.

The outdoor handling of material that is sensitive to rain must be carried out
in dry weather.

2. Tasks of the Storage Provider:

Storage:

Acceptance, inspection and unloading of goods from the respective transportation
facility.

Immediate inspection of the goods for their correspondence with the shipping
documents.

AGB must be informed of any discrepancy without undue delay.

Immediate inspection of the incoming steel deliveries for obvious defects in the
material. The defect must be noted on the storage- and freight documents (kind
and quantity of the defect).

ABG must be informed of any defects without undue delay.

Initiating of any necessary measures in order to ensure ABG’s claims: e.g., the
reservation of any rights vis-à-vis the delivering carrier, preparing a facts
report in case of external train deliveries, providing information to the
shipping department in case of internal deliveries or, upon approval by ABG, the
involvement of a claims agent paid by ABG or the transportation insurance.

Storage/ Turnover/ Handling:

Adequate storage and protection of the steel goods with adequate resources:

Lifting accessories for packages: belts and strapping



--------------------------------------------------------------------------------

Lifting accessories for coils: Coil magnet attached to gantry crane

In general, chains must not be used. A chain-rope combination can only be used
if damage to the stored goods is prevented.

At maximum three coils are stored on top of each other, provided, however, the
following conditions are met:

 

•  

thickness of the material > 1,5 mm – no shiny or polished surfaces

 

•  

width of the coils > 1000 mm – only un-galvanized material

Should just one of the forgoing conditions not be fulfilled, only two coils may
be stored on top of each other. Only two coils from the company BREGAL are
stored on top of each other, unless ABG agrees in writing that three can be
stored on top of each other.

 

•  

Coils with a thickness of <= 1,2 mm are only to be stored on top of a pile or
separately.

At most eight packages are stored on top of each other, provided, however, the
measurement is at minimum 1000—2000 mm, otherwise only four.

Heating must be provided to avoid corrosion resulting from change in temperature
and humidity.

Dispatch of Stored Goods:

ABG prepares the necessary accompanying documents for the delivery to the
customer.

Delivery, inspection and loading of the goods on the trucks, freight car, coil
carrier, etc.

Immediately after dispatch of the goods from storage ABG receives copies of all
bills of delivery (dispatch from storage shall be deemed delivery) by data
submission [DFÜ]. In case DFÜ submission is impossible it shall be sent by
Telefax to No. 0421/648-3244.

Administration:

Accounting of all incoming and outgoing goods in a storage bookkeeping system

Preparation of an inventory and turnover list

Notification of incoming and outgoing goods according to guidelines

Ongoing inventory

ABG remains owner of all documents and materials of the storage bookkeeping
conducted for ABG. The Storage Provider keeps these documents on behalf of ABG
as part of its responsibilities as diligent storage provider. However, it is
obliged to hand them over to ABG at any time upon ABG’s request.

At any time, upon the Storage Provider’s consent, ABG is granted access to the
part of the storage facility where ABG’s goods are stored in order to inspect
the inventory.

In order to guarantee proper administration, the Storage Provider must only hire
trained personnel, and must, in addition to the updated notifications of
incoming and outgoing goods, prepare a turnover protocol on a monthly basis. The
turnover protocol is prepared on the last day of the month and contains the
following information: inventory, additions, disposals, weight, identification

 

2



--------------------------------------------------------------------------------

number of the general terms and conditions, package number and coil number, and
shall be sent to ABG (shipping department) by data processing [DFÜ] or e-mail.
The Storage Provider is responsible that the turnover protocol is delivered to
ABG on the third business day following the last day of the month, at the
latest.

3. Tasks of ABG:

ABG coordinates the delivery of the goods to the storage facility in a timely
manner, so that all data related to the goods (EDI) are updated in the Storage
Provider’s data system before the goods arrive. In case of non-compliance with
this, the goods are not unloaded until such data are provided.

In case goods are delivered for which no EDI is available (e.g., coils without
commission, OK), ABG announces such delivery separately and agrees with the
Storage Provider on an adequate handling. The Storage Provider is allowed to
charge further costs for this. ABG announces the delivery of such goods to the
storage in a timely manner.

ABG ensures that all delivered goods are marked by the producer in a clear way
and can be identified easily.

The responsibilities of the Storage Provider according to Section 2 remain
unchanged by this Section 3.

4. Insurance:

The Storage Provider is obliged to obtain adequate insurance for property and
liability risks, or be itself responsible for such risks.

Exhibit 1 of point 1

Infrastructure and equipment of the storage

 

1.   Delivery by   x  truck    x  freight car    ¨  barge   
¨  ocean-going vessel   addresses for:   truck deliver    Walzwerkstraße    
freight car delivery    Anschlußgleis Tailored Blanks Bremen     ship deliver   
     max. Truck number per day approx. 50   max. Freight car number per day: 20
capacity of connecting rail: 20 freight cars 2.   Dispatch by   x  truck   
x  freight car    ¨  barge    ¨  ocean-going vessel 3.   Storage location  
x  hall         

 

3



--------------------------------------------------------------------------------

  x  heated   ¨  not heated   min./max. Temperature     °C   max. humidity
            %   x  totally closed   x    loading-/unloading in possible in hall:
  ¨  open, quay side      x  per truck   x  isolated      x  per freight car  
¨  Cement walls        x  Metal walls        ¨  OTHERS              what:       
x  Roof isolation        x  lockable doors      4.   Storage (floor)       
¨  Cement floor        x  Other Asphalt              max. Floor loading 10 to /
m²                  point loading 30 to / m²   Coils stored on:   ¨  Cement
floor     ¨  Wood     x  Coilstorage out of wood     ¨  others   Pile heights
for Coils:   ¨  single   x  threefold (max.) according to special arrangement in
agreement   Pile heights for packages:   x  eightfold (max.) according to
special arrangement in agreement 5.   Turnover equipment/ lifting equipment  
x  gantry crane   Pieces: 2    carrying capacity: 35 to.   x Other, Magnet  
Pieces: 2    carrying capacity: 30 to.

 

4



--------------------------------------------------------------------------------

  ¨  Coil gripper        ¨  C-hook        ¨  steel mat        ¨  [Stroppen]     
  x  forklift   Pieces: 1    carrying capacity: 5,5 to.   ¨  Coilcarrier  
Pieces:    carrying capacity t:   ¨  [Staplerdorn]        ¨  Coil shoes for für
[Gabeln]   ¨  Forks for forklift, not encased 6.   Facility Security   Fire
protection System   x  yes    ¨  no   x  Fire Extinguisher   x  Fire Alarm   
¨  Sprinkling system   x  own fire dept. (company operated fire dept. Arcelor
Bremen)   Responsible Person in the company        ¨  yes            ¨  no 7.  
Quality Standards   Storage Administrator:   Quality manager in the company   
¨  yes            x  no, in preparation   Company certificate according to EN
ISO 9002    ¨  yes            x  no, in preparation   Storage Provider:     
Quality manager in the company    ¨  yes            x  no, in preparation  
Company certificate according to EN ISO 9002    ¨  yes            x  no, in
preparation

 

5