Lot 1 Service Specification MANAGED SECURITY SERVICES

Transcription

1 Lot 1 Service Specification MANAGED SECURITY SERVICES Fujitsu Services Limited, 2013

2 OVERVIEW OF FUJITSU MANAGED SECURITY SERVICES Fujitsu delivers a comprehensive range of information security services across the private and public sectors. We bring real experience forged by over 40 years of delivering secure information services to a wide customer base including UK government departments and FTSE250 companies. Fujitsu provides essential security capabilities to its customers, supporting their drive to protect information assets in the face of emerging strategic and operational business challenges. We are a critical component of our customers approach to their regulatory and legislatory demands, assisting them in managing their information security risks flexibly and effectively. Fujitsu takes responsibility for the ongoing management of specific security capabilities on behalf of customers. We use market leading security products and expert professional services to support the assessment of risk, define requirements, provide technical and service design and architecture, as well as ensuring effective deployment and operation of the Managed Security Services (MSS). Our broad range of MSS can provide defence-in-depth solutions ranging from network protection technologies such as firewalls, web security and intrusion prevention systems, through to host encryption services and endpoint protection services (e.g. anti-malware and anti-spam). All our services give customers the 24x7 cover needed. DELIVERABLES The Managed Security Services that Fujitsu provide include: Boundary Protection Managed Firewall Services and Intrusion Detection / Prevention Systems (IDS/IPS) that provide protection against unauthorised access to critical information assets and monitor/block network traffic for malicious activity providing security alerts for analysis and remediation. Web and Security Protects against: Web-based threats and malicious code as well as enabling the filtering of web content Inbound and outbound threats including spam, malware, phishing etc. Security Information and Event Management (SIEM) Provides real-time visibility of risks, threats and critical operations issues that are otherwise undetectable in any practical way. This enables the customer to detect and swiftly respond to: Sophisticated intrusions Insider threats Fraud Compliance violations Disruptions to IT Services Many other critical events. SIEM underpins security compliance (including PCI DSS and CESG Good Practice Guide 13) as well as enabling retrospective analysis to support security investigations. Endpoint Protection and Encryption Ensures consistent endpoint protection across the enterprise to meet malware threats. The service can include: Anti-Virus and Anti-Spyware, application and device control, desktop firewalls, host intrusion prevention, network access control and endpoint encryption. Data Loss Prevention (DLP) Protects brand and reputation through the enforcement of defined policies to mitigate the risk of sensitive data loss and also to report on compliance requirements. Page 2 of 7 Fujitsu Services Limited, 2013

3 Vulnerability Management Scans the IT infrastructure to identify, prioritise and report any known vulnerabilities, which can then be used to drive the remediation activity and enhance the protection of critical information assets. ON-BOARDING AND OFF-BOARDING PROCESSES/SCOPE On Boarding Fujitsu s approach would be work with the G Cloud Customer to define the detailed requirements, which would then be used to derive a quotation and agreed scope and delivery approach. Fujitsu s on-boarding process has five overarching phases: Define the scope Discover: conduct a detailed analysis of the current estate Design the new infrastructure based on definition and discovery Develop the solution Deploy and release The approach is underpinned by the following key components: Project/programme management activities aligned to PRINCE2/Managing Successful Programmes (MSP) Robust change management Externally verified risk management processes Active security management Staged approach with formal entry and exit criteria controlling stage progression. Once transitioned into service, the Managed Security Services would be supported from our Security Operations Centre Off Boarding Fujitsu will work with the G Cloud Customer to define the scope and timescales required as part of the Off Boarding. The approach to off boarding will ensure an orderly transition of the transferring services to the replacement supplier. A key priority for Fujitsu in any service exit event is maintaining the contracted levels of service for the remaining period of the Term. As such, Fujitsu would look to work with the new incoming supplier to: Agree a strategy for exit arrangements that is cost effective and risk adverse to maintain the integrity of the service Agree the commercial terms of the exit of Fujitsu with the Customer Agree the new supplier s transition timescales, with the aim of ensuring a seamless transfer of services. Page 3 of 7 Fujitsu Services Limited, 2013

4 SERVICE LEVELS The response and target fix times provided for the Fujitsu Managed Security Services are outlined below. Term Technical Response Time Incident: Severity 1 30 minutes 4 hours Incident: Severity 2 1 hour 8 hours Target Fix Time Incident: Severity 3 4 hours 16 hours Incident: Severity 4 1 day 3 days SERVICE CREDITS N/A SERVICE MANAGEMENT The Fujitsu Managed Security Services are operated under an ITIL-aligned, ISO/IEC compliant service management framework. Fujitsu will implement and maintain the agreed policies for the MSS and any changes to the policies shall be managed through the Managed Service Change process. The MSS shall contain the following principal elements: Incident Management Problem Management Change Management Release Management Configuration Management Service Level Management Quality Management Availability and Capacity Management Service Continuity Management Continuous Improvement Third Party Management, where required. Fujitsu s SOC will react to security incidents using the following approach: Event Analysis Upon detection, events which impact on security shall be analysed to ascertain whether they need to be upgraded to a Security Incident for further action Security Incident Categorisation If the event is defined as a Security Incident, it shall be categorised considering the cause, priority, potential impact and the urgency of response Security Incident Response The security analysts, resolver groups and service management team, plus identified Customer stakeholders as defined within the overarching Service Design and communications plan, shall agree on the most appropriate course of action. When a course of action has been implemented, its effectiveness in resolving the incident shall be assessed so that if the chosen course of action is not effective, further course/s of action can be taken. The Security Incident shall be tracked to resolution Post Incident Analysis - After each Security Incident, post incident analysis shall be undertaken to: Ensure that the conduct of the investigation was appropriate Consider lessons identified, where conduct of the investigation could be improved Ensure that all mitigating actions have been taken Page 4 of 7 Fujitsu Services Limited, 2013

5 PRICING As an indicative cost for one of the Managed Security Services that Fujitsu could provide: There would a fixed charge of 15,673 for the provisioning activity for a new High Availability Security fully managed service including requirements definition, design, build, install and test (excluding hardware, licensing and vendor support, which will be defined and agreed as part of the requirements definition) for up to 10,000 users. Should any additional effort be required in order to complete work or carry out additional work which is out of the scope of this Service Definition then such additional effort and any applicable charges will be agreed by both parties in the form of a new statement of work. There would also be a charge of 28,743 per annum for the ongoing management of the service. (Indicative cost for typical service). These charges are exclusive of Value Added Tax (VAT) and any other applicable sales taxes. Customer agrees to pay amounts equal to any VAT or other levy. Detailed requirements would need to be defined and agreed prior to a formal quotation being provided to the Customer. ORDERING AND INVOICING PROCESS The Customer will be invoiced for the Charges on completion of the set up and provisioning of the Managed Security Service and then monthly in arrears for the ongoing management of the service. When remitting payment, the Customer will include the applicable Fujitsu invoice that the payment applies to. INFORMATION ASSURANCE Fujitsu s Managed Security Services are provided from an ITIL aligned ISO certified support organisation and Fujitsu provides Managed Security Services from its Security Operations Centre to a number of Public Sector customers up to and including IL4. LEVEL OF BACKUP/RESTORE AND DISASTER RECOVERY Fujitsu will retain configuration back-up to enable rebuild/restoration in the event of failure/fault. Fujitsu s standard environment platform backup processes shall be utilised and tested. DATA RESTORATION / SERVICE MIGRATION Fujitsu has extensive experience of transitioning services. Transition of services will include definition of the scope, detailed analysis of the current estate and the definition of the required activities as part of an overarching transition plan to ensure that services are assured during the transition phase. TRAINING N/A DETAILS OF ANY TRIAL SERVICE AVAILABLE N/A SERVICE CONSTRAINTS Each of the respective Managed Security Services has specific service constraints. These shall be provided as part of the process of producing a definition of requirements. MINIMUM AND MAXIMUM TERMS There is a minimum term of 12 months. TERMINATION TERMS The Customer or Fujitsu may terminate a Managed Security Service (MSS) by giving not less than ninety (90) days notice to the other party. Page 5 of 7 Fujitsu Services Limited, 2013

6 Should the Customer decide to terminate the service, termination fees shall apply, which will be detailed as part of the contract and will be dependent upon the specific MSS being subject to termination. Additionally, should the Customer terminate a MSS, the Customer shall be liable for any Software Licensing or Hardware support costs that arise as a result of the early termination. CONSUMER RESPONSIBILITIES Successful delivery of the Fujitsu Managed Security Service is subject to the following dependencies upon the Customer: The Customer shall maintain the applicable Customer Security Policy regarding the MSS Advise Fujitsu prior to any security testing The Customer shall notify Fujitsu of potential Security Incidents via the Service Desk using the agreed method of incident logging The Customer shall ensure that all Security Incidents are logged with all of the required details of the Security Incident The Customer shall use all reasonable endeavours to ensure that it does not report incidents under this agreement which relate to equipment and services that is not within the scope of the Support Services Software components deployed onto servers for log file collection (for example agents) may require certain prerequisite patches and applications to be installed The Customer will provide Fujitsu with access to the equipment for the purpose of undertaking its obligations as described herein The Customer shall utilise the Fujitsu-provided software in accordance with the prevailing licence terms. TECHNICAL REQUIREMENTS As part of the definition of the Managed Security Service (MSS) requirements with the G Cloud Customer, Fujitsu shall define the technical requirements, which will be dependent upon the specific MSS to be delivered, and document and agree them with the Customer. SERVICE CONSTRAINTS Fujitsu shall not be liable for Customer s take up, non-take up or other discretionary use of the information provided by Fujitsu or of any of the recommendations or options generated from the Service and activities under this Service Definition. Page 6 of 7 Fujitsu Services Limited, 2013

7 DEFINITIONS Any terms used in this Service Specification have the meaning assigned to it by the Fujitsu Cloud Service Agreement Terms and Conditions. Additional terms used have the meaning assigned by this paragraph. In the event of any conflict between the terms of this Service Specification and the other documents that comprise the Agreement, the provisions of this Service Specification shall prevail. Table 1: DEFINITIONS Definition CESG Good Practice Guide 13 IDS/IPS MSS PCI DSS Security Incident Service Design SOC Meaning HMG security guidance on Protective Monitoring Intrusion Detection Systems / Intrusion Prevention Systems Managed Security Service Payment Card Industry Data Security Standards The outcome of the analysis of security events which are not part of standard operation and/or may cause a breach of security policy. Defines how the Managed Security Service integrates with the wider service management framework. Security Operations Centre SERVICE EXCLUSIONS The following elements are not included or applicable as part of the offered Service and are therefore not included within this Service Definition: Hardware and software plus ongoing licensing and support. These would need to be defined as part of the initial requirements definition with the Customer. Page 7 of 7 Fujitsu Services Limited, 2013