I AM SPE Identity Access management – Phase 1-2 (Governance structure, request portal, data governance, access certifications) March 2014

Executive Summary Deloitte 11 week study of SPE’s IAM Program (Sept 2012- Jan 2013) Benchmarked progress against the 2004 Roadmap and Industry practices Assessed and documented Current state and future requirements and objectives Assessed and documented the current environment with respect to infrastructure, policies, procedures, processes, constraints, and risks Key Findings: Undefined Governance and Ownership of Workforce types Full time employees are owned by P&O and globally managed in Workday (all other workforce types lack centralized ownership and tracking) Recurring audit issues stemming from inconsistent processes and lack of governance (application controls, asset management and reconciliation, physical security controls) Decentralized Onboarding/Offboarding Process Lack of a standard process for onboarding and offboarding for multiple user types and across the regions On average it takes 3-4 weeks to onboard a new joiner Lack of an authoritative source for identity data Inconsistent and inaccurate data Manual entry of identity data across applications leads to audit issues (there is no clear number of identity stores) Detailed Process Work and Program/Project Planning (Jan 2013- Oct 2013) Designed the approach for future state Identity LifeCycle Management, including Global Template Comprehensive assessment for all workforce types and scenarios (new hire, change/update, termination, rehire) Recommended a phased project approach – Phase 1 and 2 are ready for greenlight

Request application access Request privilege access IAM Proposed Solution ServiceNow “Launch in Context” with SailPoint Default access Workday SailPoint IIQ AD/Outlook Onboarding Create in authoritative source Automatic create in IDM P & O & Backlot Admins Notify manager to initiate further requests Manager Create Non-FTE user Request Access Manager & Badge ServiceNow Access Request Portal Systems Applications Assets Automated Provision Access Request application access Request Request privilege access ServiceNow Manual Manager Request assets Certify Access Access Review Tool Provisioning Teams Revoke access Generate certification events Terminate Access Application Admins/ Mangers Default access terminated AD/Outlook Off-boarding Workday Terminate in authoritative source Automatic Terminate in IDM Pinnacle (devices), Provance (desktop access), etc. P & O Backlot Admins Terminate Non-FTE user Notify manager to collect physical assets Manager & Badge Manager

Financial Summary Year One Project Costs   Five-Year Summary and Payback Software: $82,500 Five-Year Total Cost: $3,338,277 Hardware: $0 Five-Year Total Benefit: $11,406,875 Internal Labor: $159,676 Five-Year Net Benefit: $8,068,599 External Labor $1,802,366 Internal Rate of Return: 56% Inception Funding (FY14): $190,000 Net Present Value at 10%: $4,087,668 TOTAL $2,139,962 Payback in Months: 15.8 FY1 Project Benefits Funding by Fiscal Year Hard $ Benefits FY15 $2,139,951 (cost reduction, cost avoidance, and operational efficiencies) $791,021 FY16 $345,270 $2,485,221 Depreciation: Ongoing Costs: $842,750 ** Five-Year Benefit is a total of the Quantifiable Business and IT Benefits explained in the slides to follow

Benefits Cost Reduction / Avoidance Risk Mitigation Operational Efficiency Eliminated data entry into the multiple systems (i.e. Ariba, Notes, Email, paper forms) Time savings across multiple groups including: GAA, Regional Admins, Desktop Support (i.e. multiple service now tickets that are manually created will be auto-generated) Reduction in turnover costs due to streamlining onboarding process (based on AberdeenGroup’s 2009 ‘Onboarding Benchmark Report’)¹ Automation of IT Consultant On-Boarding (Lotus Notes Star and IT Facilities & Admin replacement, as well as PPM) Automated Ariba COFA approval will be trigged by IAM solution (closed loop) Cost Reduction / Avoidance Elimination of Support /Maintenance for end of life solution (throwaway customizations) Cost for additional future assessment Risk Mitigation Audit findings Consolidation of access requests, approvals /workflow, enabling closed loop for audit ¹85% of new hires decide, within the first six months, whether or not they will stay with their new employer. (2% decrease in turnover due to streamlining onboarding, ~400 new Regular employees from ‘12-’13, avg. $40,000 salary, using conservative 1x salary to replace employee is $1.4M)

Competitive Analysis Recent studios implemented the following: Paramount Pictures -Microsoft/ ServiceNow Other SailPoint customers: RBS, BNP Paribas, Fidelity, Wellpoint, Bank of America, JP Morgan Chase, MGM Resorts, Cardinal Health, Adobe, ING DIRECT, Sallie Mae, OfficeMax, Exxon Mobil, UBS, UPS, Travelers, New York Life Scotia Bank, Exxon and Anadarko Petroleum Foundation use SailPoint and ServiceNow (“Launch in Context”)

Governance/Data Governance IAM SPE Timeline Q4 FY14 Q1 FY15 Q2 Q3 FY16 Jan 2014 Feb Mar Apr May Jun Jul Aug Sept Oct Nov Dec 2015 June July 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Project Kickoff Phase 0 Planning Design Implementation Hypercare Greenlight Phase I Project Kickoff Planning Design Development SIT UAT Cutover Go Live Governance/Data Governance Change Management Design Phase II Development SIT UAT Cutover Go Live Hyper Care

Appendix

Security, Risk and Compliance Considerations Multiple SEHS audit issues resolved by automated provisioning/deprovisioning to OnGuard Active badge accounts that should have been terminated due to termination in IDM Mismatched badge accounts to IDM accounts due to manual errors Badge accounts are active in Onguard but terminated in IDM Accounts are terminated in IDM for users who return as badge-only and the IDM account is never reactivated (out of sync) Cost /time associated with manual access reviews will decrease due to automated certifications (required per SOX compliance). Historically deficiencies have been reported year to year for inaccurate or incomplete user reviews. Resolves deficiencies FY13: C401.2.3,C205.3.1, C401.2.3. Audit issues related to Privileged Account Management will be resolved. Per GISS Monitoring, Section 3 - critical information systems and related events should be monitored. Per SOX, resolves deficiencies: C404.1.1, 404.1.2, 404.1.3, C20531. Audit issues surrounding Access Control will be resolved. Per GISS, Access Control, SPE systems (SOX and non-SOX) should be appropriately restricted. IAM will provide a record of critical sox. vs. non-sox systems to enforce proper access control, including terminations in a timely manner. Relates to findings: SOX C40131 and C40133, etc.

Scope and Benefits By Phase