Fidelity Brokerage Services LLC

Report on FBS’ control activities related to investment advice systematically generated through the Investment Strategy Tool within the Planning and Guidance Center computer model to self-directed and representative-assisted participants in 401(a), 401(k) and 403(b) plans who elected to use the computer model for the period May 1, 2020 to April 30, 2021

Table of Contents

Section I
Report of Independent Accountants

Section II
Fidelity Brokerage Services LLC's Assertion

Section I

Report of Independent Accountants

To the Management of Fidelity Brokerage Services LLC

We have examined the accompanying management assertion of Fidelity Brokerage Services LLC (“FBS” or the “Company”), an indirect wholly-owned subsidiary of FMR LLC, which states that “the control activities related to investment advice systematically generated through the Investment Strategy Tool within the Planning and Guidance Center computer model (“computer model”) to self-directed and representative-assisted participants in 401(a), 401(k) and 403(b) plans who elected to use the computer model throughout the period May 1, 2020 to April 30, 2021, were suitably designed and operated effectively to achieve management’s criteria set forth in ‘Fidelity Brokerage Services LLC Management Criteria and Control Activities’” (“management’s assertion”). FBS uses Salesforce.com, Inc. for hosting and infrastructure services related to the Salesforce application. FBS uses Microsoft Corporation for controls related to the backup and recoverability of data retained on Microsoft’s Sharepoint platform. FBS’ management is responsible for its assertion, including functions performed by Salesforce.com, Inc. Our responsibility is to express an opinion on management’s assertion based on our examination.

FBS used Dalbar, Inc. to certify that the computer model meets the requirements of Section 408(g) of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). Management’s assertion indicates that Dalbar, Inc. determined whether the computer model met the requirements of Section 408(g) of ERISA and that Dalbar performed the most recent certification on July 9, 2019. The scope of our work did not include procedures over the processing performed by the computer model or the completeness and accuracy of the inputs into the computer model or outputs generated by the model and we did not examine the design, implementation or operating effectiveness of the computer model to meet the requirements of paragraph (b)(4)(i) of Section 408(g) of ERISA.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether management's assertion is fairly stated, in all material respects. An examination involves performing procedures to obtain evidence about management’s assertion. The nature, timing and extent of the procedures selected depend on our judgment, including an assessment of the risks of material misstatement of management’s assertion, whether due to fraud or error. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Because of the inherent limitations of an examination engagement, together with the inherent limitations of internal control, an unavoidable risk exists that some material misstatements may not be detected, even though the examination is properly planned and performed in accordance with the attestation standards.

We were not engaged to perform and did not perform an examination during the period from May 1, 2020 to April 30, 2021 of the Company’s compliance or internal control over compliance with any laws or regulations, including, but not limited to, Section 408(g) of ERISA, Section 4975(f)(8)(E) of the Internal Revenue Code of 1986, as amended, (the “Code”) and 29 CFR 2550.408g-1(b)(6). We also were not engaged to perform and did not perform an examination of the Company’s compliance with its contractual obligations to its clients during the period from May 1, 2020 to April 30, 2021.

In our opinion, management’s assertion referred to above is fairly stated, in all material respects.

October 1, 2021

PricewaterhouseCoopers LLP, 101 Seaport Boulevard, Boston, MA 02210
T: (617) 530-5000, F: (617) 530-5001, www.pwc.com/us

Section II

Fidelity Brokerage Services LLC's Assertion

Fidelity Brokerage Services LLC (“FBS”), an indirect wholly-owned subsidiary of FMR LLC, provides investment advice systematically generated through the Investment Strategy Tool within the Planning and Guidance Center computer model (“computer model”) to self-directed and representative-assisted participants in 401(a), 401(k) and 403(b) plans who elect to use the computer model. We prepared Management’s Criteria (“management’s criteria”) and identified control activities related to investment advice systematically generated through the computer model to self-directed and representative-assisted participants in 401(a), 401(k) and 403(b) plans who elect to use the computer model (“control activities”) to achieve each aspect of management’s criteria which are presented in conjunction with management’s criteria in “Fidelity Brokerage Services LLC Management Criteria and Control Activities.” FBS uses Salesforce.com, Inc. for hosting and infrastructure services related to the Salesforce application. FBS uses Microsoft Corporation for controls related to the backup and recoverability of data retained on Microsoft’s Sharepoint platform. Management’s criteria and control activities, including those related to the functions performed by Salesforce.com, Inc. and Microsoft Corporation, are the responsibility of FBS and we, as members of management, are responsible for establishing the control activities and for the suitability of the design, implementation and operating effectiveness of the control activities.

Dalbar, Inc. was used to certify the computer model to determine whether the computer model met the requirements of Section 408(g) of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). During the examination period, Dalbar performed the most recent certification on July 9, 2019.

We have evaluated whether the control activities were suitably designed and operating effectively to achieve management’s criteria throughout the period May 1, 2020 to April 30, 2021 for self-directed and representative-assisted participants.

Based on our evaluation and consideration of the aforementioned paragraph, we assert that “the control activities set forth in ‘Fidelity Brokerage Services LLC Management Criteria and Control Activities’ related to investment advice systematically generated through the Investment Strategy Tool within the Planning and Guidance Center computer model (“computer model”) to self-directed and representative-assisted participants in 401(a), 401(k) and 403(b) plans who elected to use the computer model throughout the period May 1, 2020 to April 30, 2021, were suitably designed and operated effectively to achieve management’s criteria set forth in ‘Fidelity Brokerage Services LLC Management Criteria and Control Activities’.”

Fidelity Brokerage Services LLC Management Criteria and Control Activities

Computer Model

Management Criteria

1. The Planning and Guidance Center Investment Strategy Methodology document describes the following:
a. The only investment advice provided under the arrangement is advice that is generated by the Investment Strategy Tool.
b. The Investment Strategy Tool applies generally accepted investment theories, as reflected in the Planning and Guidance Center Investment Strategy Methodology document, which take into account the historic risks and returns of different asset classes over defined periods of time.
c. The Investment Strategy Tool takes into account the investment management and other fees attendant to the recommended investments.
d. The Investment Strategy Tool appropriately weights the factors used in estimating future returns of investment options.
e. The Investment Strategy Tool requests from a participant or beneficiary and, to the extent furnished, utilizes information relating to age, time horizons (e.g., life expectancy, retirement age), risk tolerance, current investments in designated investment options, other assets or sources of income, and investment preferences.
f. The Investment Strategy Tool utilizes appropriate objective criteria to provide asset allocation portfolios comprised of investment options available under the plan.
g. The Investment Strategy Tool avoids investment recommendations that inappropriately favor investment options offered by the fiduciary adviser or a person with a material affiliation or material contractual relationship with the fiduciary adviser over other investment options, if any, available under the plan; or that may generate greater income for the fiduciary adviser or a person with a material affiliation or material contractual relationship with the fiduciary adviser.
h. The Investment Strategy Tool takes into account designated investment options available under the plan without giving inappropriate weight to any investment option.

Control Activities

1.1 Changes to the Planning and Guidance Center Investment Strategy Methodology document are reviewed and approved.
1.2 Existing participant information is transmitted completely and accurately from existing record keeper Fidelity Participant Recordkeeping System to the Investment Strategy Tool.
1.3 Edit checks and validations are systematically included within the Investment Strategy Tool to confirm the participant or representative is entering relevant information.
1.4, 1.5, 1.6
The self-directed participant is prompted to review information for completeness and accuracy prior to completing.
At the conclusion of a representative-assisted Investment Strategy Tool investment advice interaction, participants are provided an Investment Strategy Report for review.
Investment advice is systematically provided to participants based on automatic calculations within the Investment Strategy Tool. The computer model, which is certified by an independent party, systematically determines investments based on investment amount and considerations detailed within the Planning and Guidance Center Investment Strategy Methodology document.
System edits are in place to ensure that investment models are received completely within the Investment Strategy Tool.
Representatives interactions are subject to independent and supervisory reviews to reasonably ensure activities comply with documented policies and procedures and applicable regulatory requirements.

Computer Model Certification

Management Criteria

2. An eligible investment expert has provided a written certification that meets the following requirements:
a. Be in writing;
b. Contain –
(1) An identification of the methodology or methodologies applied in determining whether the computer model meets the requirements of paragraph (b)(4)(i) of Labor Regulation 2550.408g-1 (the “Regulation”);
(2) An explanation of how the applied methodology or methodologies demonstrated that the computer model met the requirements of paragraph (b)(4)(i) of the Regulation;
(3) A description of any limitations that were imposed by any person on the eligible investment expert's selection or application of methodologies for determining whether the computer model meets the requirements of paragraph (b)(4)(i) of the Regulation;
(4) A representation that the methodology or methodologies were applied by a person or persons with the educational background, technical training or experience necessary to analyze and determine whether the computer model meets the requirements of paragraph (b)(4)(i) of the Regulation; and
(5) A statement certifying that the eligible investment expert has determined that the computer model meets the requirements of paragraph (b)(4)(i) of the Regulation; and
c. Be signed by the eligible investment expert.

Control Activities

2.1 Management performs a domestic due diligence review prior to selecting an eligible investment expert to perform the computer model certification which is documented and retained to determine whether the eligible investment expert has appropriate technical training or experience and proficiency to analyze, determine and certify the computer model as required under the Regulation.
2.2 Management monitors computer model changes to determine if a new certification is required. Change types that warrant recertification are documented and a recertification is performed by an eligible investment expert.

Authorization by Plan Fiduciary

Management Criteria

3. A plan fiduciary (the “Authorizing Fiduciary”) has expressly authorized the arrangement pursuant to which advice is provided to participants. The Authorizing Fiduciary shall not be Fidelity or any of its affiliates except with respect to a plan sponsored by Fidelity or its affiliates.

Control Activities

3.1 Plan sponsor authorization is received from an authorizing fiduciary prior to advice being provided.
3.2 Standard template language for fiduciary authorization within contracts and amendments is reviewed by legal to ensure required content is included.
3.3 Advice in the Investment Strategy Tool is systematically restricted to plan participants with plan sponsor authorization on file. Participants without plan sponsor authorization on file are limited to education only.
3.4 Fidelity performs vendor oversight activities including review of the vendor’s SOC 1 report to evaluate the related controls.

Annual Audit

Management Criteria

4. Fidelity will engage an independent auditor, at least annually, to conduct an audit and
a. Within 60 days following completion of the audit, issue a written report to the fiduciary adviser and to each fiduciary who authorized the use of the investment advice arrangement which (1) identifies the fiduciary adviser, (2) indicates the type of arrangement (i.e., computer model), (3) indicates the date of the most recent computer model certification, and identifies the eligible investment expert that provided the certification, and (4) sets forth the specific findings of the auditor.

Control Activities

4.1 Management reviews and approves the audit report distribution list to ensure inclusion of at least one fiduciary contact for plans that authorized Fidelity to provide investment advice during the audit period.
4.2 Within 60 days following completion of the audit, Fidelity provides a direct link to the audit report via email to identified fiduciary contacts with an email address on file. The e-mail content and link are reviewed, tested and approved prior to distribution. Undeliverable email messages are monitored and evaluated for additional action.
4.3 Within 60 days following completion of the audit, Fidelity coordinates mailing a paper copy of the audit report to identified fiduciary contacts where email is unavailable or undeliverable. Mailing of the report is performed by a third-party vendor, RR Donnelley. Fidelity reviews and approves the mailing prior to distribution. Fidelity monitors completion of the mailing using reporting provided by the vendor and performs follow-up, if needed, to ensure successful completion.
4.4 Within 60 days following completion of the audit, Fidelity posts the audit report to Plan Sponsor Webstation accessible via direct link for plan sponsors to access.

Disclosure to Participants

Management Criteria

5. Fidelity’s Fiduciary Adviser Disclosure is provided to plan participants no later than the provision of investment advice and includes:
a. the role of any party that has a material affiliation or material contractual relationship with Fidelity in the development of the investment advice program and in the selection of investment options available under the plan;
b. that Fidelity will be providing investment advice services as a fiduciary under the Employee Retirement Income Security Act (“ERISA”) and the Internal Revenue Code (“Code”), as applicable; and
c. that Fidelity, its affiliates, and parties with whom Fidelity Investments has a material financial relationship will be providing services for which they will be compensated, which include: investment management, transfer agent, brokerage, custodial, recordkeeping and shareholder services for some/all the investment funds available under the plan;
d. the types of services provided by FBS in connection with the provision of this investment advice;
e. any material affiliation or material contractual relationship of Fidelity or any affiliate thereof in the security or other property offered as an investment recommendation;
f. all fees or other compensation that Fidelity or any affiliate thereof is to receive in connection with the provision of the advice, the sale, acquisition, or holding of any security or other property pursuant to such advice, or any rollover or other distribution of assets or the investment of distributed assets in any security or other property pursuant to such advice;
g. that the advice recipient may separately arrange for the provision of advice by another advisor that could have no material affiliation with and receive no compensation in connection with the investment funds or products offered under the plan;
h. the availability of past performance and historical rates of return of the designated investment options available under the plan on netbenefits.com;
i. the manner, and under what circumstances any customer information provided under the arrangement will be used or disclosed.

Control Activities

5.1 Required disclosures are automatically presented within the Planning and Guidance Tool to self-directed plan participants prior to initial provision of investment advice.
5.2 Required disclosures are provided to representative-assisted plan participants no later than the provision of investment advice.
5.3 Disclosure content provided to self-directed and representative-assisted plan participants is reviewed and approved by Fidelity legal to ensure required content is included.

Disclosure to Authorizing Fiduciary

Management Criteria

6. Fidelity shall provide the Authorizing Plan Fiduciary a written notice informing the Authorizing Plan Fiduciary:
a. That Fidelity intends to comply with the conditions of the statutory exemptions for investment advice under section 408(b)(14) and 408(g) of ERISA and Labor Regs. Section 2550.408g-1;
b. That, as required, the advice arrangements subject to those exemptions will be audited annually by an independent auditor for compliance with the requirements of the statutory exemption and related regulations; and
c. That a copy of the auditor’s findings will be made available within 60 days following completion of the audit.

Control Activities

6.1, 6.2
Written disclosures are provided to plan sponsors via the signed contract and/or contract amendment as well as via the audit cover letter distributed annually and posted to Plan Sponsor Webstation.
Standard template language for fiduciary disclosure within contracts, amendments and cover letters is reviewed by legal to ensure required content is included.

Other Conditions

Management Criteria

7. Fidelity and its affiliates provide appropriate disclosure, in connection with the sale, acquisition or holding of securities offered as an investment recommendation, in accordance with all applicable securities laws.

For purposes of this assertion, “all applicable securities laws” is defined as the Securities Act of 1933 and the Securities Exchange Act of 1934 and self-regulatory organization rules thereunder as those securities laws may apply to plan participants’ 401(a), 401(k) and 403(b) retirement plan accounts.

All sales, acquisitions, or holding of a security occur solely at the discretion of the recipient of the advice.

The compensation received by Fidelity and its affiliates in connection with the sale, acquisition or holding of a security is reasonable. For this purpose, reasonableness is measured by the market value of the particular services, rights and other benefits delivered to the participant or beneficiary.

The terms of the sale, acquisition, or holding of a security is at least as favourable to the plan as an arm’s length transaction would be.

Control Activities

Plan Participant Disclosures
7.1 Disclosures in connection with the sale, acquisition or holding of securities for self-directed plan participants are provided through the Investment Strategy Tool. Disclosures are reviewed and approved by legal to ensure that required content is included.

Compensation
7.2 Management performs an annual review of Fidelity compensation received in connection with sale, acquisition, or holding of a security related to the advice provided in the Investment Strategy Tool to ensure such compensation is reasonable and at least as favorable to the plan as an arm’s length transaction would be.

Record Retention

Management Criteria

8. Fidelity retains, for a period of not less than six years after the provision of investment advice, records necessary for determining whether the criteria noted above have been met.

Control Activities

8.1 Investment advice provisioned to participants via the Investment Strategy Tool is automatically captured and configured to be maintained for no less than 6 years from document creation.
8.2 Fidelity Planning and Guidance Center Investment Strategy Methodology document, the Fiduciary Adviser Disclosure, Fiduciary Authorization, Tool Certification from an eligible investment expert and the Report of Independent Accountants (subsequent to the first annual audit) are configured to be maintained for no less than 6 years from document creation.
8.3 Fidelity performs vendor oversight activities including review of the vendor’s SOC 1 report to evaluate the related controls.

Information Technology General Controls – System Development & Maintenance

Management Criteria

9. Information technology general controls are in place to support the criteria above.

Control Activities

Application and database controls
9.1 Changes to systems are requested, documented and authorized in a formal ticket initiation and management tool. Changes are tested by the required business and/or systems personnel. Test exceptions are appropriately recorded, monitored and tracked for resolution.
9.2 Changes are approved by appropriate personnel prior to production implementation.
9.3 Access to migrate changes into production is periodically reviewed to ensure access is restricted to personnel who are independent of the development team.

Infrastructure controls
9.4 Automated change migration tools have been implemented to migrate changes into production only after all approvals are received. Changes to the configuration of these tools are tested and approved prior to implementation.
9.5 Changes to systems are requested through a formal ticket initiation and management tool. Changes are tested by the required business and/or systems personnel. Test exceptions are appropriately recorded, monitored and tracked for resolution.
9.6 Changes are approved by appropriate personnel prior to production implementation.
9.7 Requests for changes to the permanent job scheduler require the submission of a change ticket. Each change ticket must contain the install date/time, description of the job, system, and instructions for executing the production scheduling change. Appropriate approvals must be obtained in the formal ticket initiation and management tool before modifications are made to the job schedule.
9.8 Batch job override requests for the Mainframe platform are entered into the production job stream after required approvals are obtained through the formal ticket initiation and management tool. Ad hoc command line changes to production batch jobs for the Distributed systems are performed by the Batch Services group. The request to submit a one-time change to the production batch jobs for the Distributed systems must be fully approved through the change management system before being implemented.
9.9 Fidelity performs vendor oversight activities including review of the vendor’s SOC 1 report to evaluate the related controls.

Information Technology General Controls – Computer Operations

Control Activities

Application and database controls
10.1 Additions and changes to scheduled production jobs and scheduling definitions are requested through a formal ticket initiation and management tool. Testing is performed for permanent schedule changes and jobs with dependencies. Test exceptions are recorded, monitored and tracked for resolution.
10.2 Job schedule changes are approved by appropriate personnel prior to production implementation and are fully documented within a formal ticket initiation and management tool.
10.3 Production processing incidents are logged and monitored. Any incidents identified are researched and resolved in a timely manner.

Infrastructure controls
10.4 The FSC monitors the processing and performance of critical production data and systems on a continuous basis through the use of various monitoring tools. Incident monitoring software is used to produce automated alerts in the event of significant system interruption.
10.5 Incident tickets are opened by operators when significant processing issues are identified. Incident tickets are then escalated to the appropriate groups for resolution.
10.6 The Enterprise Service Desk provides Help Desk Operations on a 24x7 basis. Service Desk operators utilize the formal ticket initiation and management tool to support incident management, escalation, and notification.
10.7 Critical and high impact incidents and associated problems are discussed during the Major Incident Review meeting. Technology management support teams utilize the forum to review incident root cause and resolution, and if necessary, discuss any measures to prevent reoccurrence. Problems associated with critical and high impact incidents are tracked and managed through the formal ticket initiation and management tool.

10.8 The Batch Services group utilizes an Incident Monitoring application to monitor the execution and completion of the MVS and Distributed production job cycles in accordance with the production schedule. Controls are in place within the Incident Monitoring application to alert operators in the event of a job abnormally ending (abend). Incident tickets are automatically opened for all job abends captured by the Incident Monitoring tool and is addressed appropriately for resolution.
10.9 Requests for changes to the permanent job scheduler require the submission of a change ticket. Each change ticket must contain the install date/time, description of the job, system, and instructions for executing the production scheduling change. Appropriate approvals must be obtained in the formal ticket initiation and management tool before modifications are made to the job schedule.
10.10 Batch job override requests for the Mainframe platform are entered into the production job stream after required approvals are obtained through the formal ticket initiation and management tool. Ad hoc command line changes to production batch jobs for the Distributed systems are performed by the Batch Services group. The request to submit a one-time change to the production batch jobs for the Distributed systems must be fully approved through the change management system before being implemented.
10.11 Fidelity performs vendor oversight activities including review of the vendor’s SOC 1 report to evaluate the related controls.

Information Technology General Controls – Logical Security

Control Activities

Application and database controls
11.1 To obtain access to systems, a formal request is submitted and approved by appropriate personnel and provisioned by the appropriate provisioning team.
11.2 The Information Security group utilizes reports generated from Human Resource systems to identify potential terminated users. A request is initiated and routed to the appropriate personnel for access removal or modifications.
11.3 Following a validated job change, user access is recertified and removed or modified if necessary in a timely manner.
11.4 On a periodic basis user access privileges are reviewed and re-certified.
11.5 On a periodic basis job roles are reviewed and recertified.
11.6 On a periodic basis operational accounts are reviewed and re-certified.
11.7 Application and database password configurations for Fidelity systems are reviewed on an annual basis to ensure compliance with Fidelity enterprise standards. Exceptions are filed for noncompliant password settings and appropriate remediation measures are identified.

Infrastructure controls
11.8 To obtain access to systems, a formal request is submitted and approved by appropriate personnel and provisioned by the appropriate provisioning team.
11.9 To create or modify a Mainframe Standard Access Definition (SAD), a formal request is submitted and approved by appropriate personnel prior to implementation.
11.10 On a periodic basis, Mainframe Standard Access Definitions (SAD) are reviewed, updated and approved.
11.11 On a periodic basis, user access privileges are reviewed and recertified.
11.12 On a periodic basis, operational accounts are reviewed and recertified.
11.13 The Information Security group utilizes reports generated from Human Resource systems to identify potential terminated users. A request is initiated and routed to the appropriate personnel for access removal or modifications.

11.14 Following a validated job change, user access is reviewed, recertified and removed or modified if necessary in a timely manner.
11.15 Termination events are monitored through predefined business rules. Upon a validated termination, user access is auto
