G-Cloud Service Definition. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

Transcription

1 G-Cloud Service Definition Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

2 Atos Infrastructure Vulnerability Scanning (Outpost24) SaaS Atos Infrastructure Vulnerability Scanning SaaS is powered by the leading scan engine from Outpost24. This cloud based SaaS service ensures the latest scanning technology is deployed to defend the organisation from the ever evolving cyber threat. The fully managed service helps protect an organisations external perimeter by finding the vulnerabilities before the cyber criminals do. Remediation workshops ensure that the actions necessary to fix the vulnerabilities are tracked, monitored and driven through to completion. The service provides comprehensive testing of the external perimeter through infrastructure scanning, web application scanning and PCI ASV Compliance Reporting to identify the organisation vulnerability to cyber-attack. Benefits Atos Infrastructure Vulnerability Scanning (Outpost24) SaaS Fast implementation The service can be setup, configured and deliver scan results without the need to install hardware or software in the target organisation. Effective remediation The managed service monitors and tracks the remediation of vulnerabilities to ensure full benefit of scan detection is realised through a reduction in vulnerability profile. There is an option for monthly remediation workshop with stakeholders and IT support providers. PCI DSS ASV SaaS Quick and easy setup of PCI DSS compliance scanning as a cloud service from Outpost24. A quick and efficient solution to verify the infrastructure against the industry standard for PCI-DSS. Four compliance reports per year are sent direct to the authorising bank. There is an option for more frequent scans between quarterly compliance report scans. Globally recognized scan engine In February 2014 Frost & Sullivan s Analysis of Global Vulnerability Management market report named Outpost24 as Notable Global Competitor - Recognition that the Outpost24 solution is successfully challenging the existing scanning vendors. Advanced scan technology February 2014 Frost & Sullivan s Analysis of Global Vulnerability Management market report rated Outpost24 as having the best scan accuracy rate with a low initial scan failure rate of just 0.28%. Low scan failures means fewer false positives and better targeting of effort on the real vulnerabilities. Simple coverage based pricing Simple pricing bands based on number of IPs or web applications covered. Large discounts on 2 nd year of scanning service. Internal network scan options Atos Security Professional Services offers Outpost24 technology for internal infrastructure scanning solutions to complement this external infrastructure scanning service. ii

3 Service summary The Atos Infrastructure Vulnerability Scanning (Outpost24) service diagnoses external IT infrastructure network vulnerabilities that threaten the security of sensitive data and systems. The solution uses award winning Outpost24 scanning engine with certified Atos security specialists to deliver a managed security service for protecting the external infrastructure perimeter from cyber threats. What is it? The service examines the external network perimeter from outside the organisation and identifies vulnerabilities that are exposed to cyber criminals wanting to penetrate the infrastructure network. The output provides the business with a list of the vulnerabilities and prioritises the actionable remedies for mitigating the vulnerability risks. Regular frequent scans of the infrastructure means that new vulnerabilities caused by configuration changes, new services and new cyber-attack methods are discovered and remedied before cyber criminals can take advantage and threaten the security of the customers infrastructure. The service options are: External Network Scan of the infrastructure at the external perimeter PCI DSS Approved Scanner Vendor (ASV) Scan External Web Application Scan of web apps at the external perimeter. What makes us unique? This solution allows organisations to benefit from an advanced scanning solution for mitigating the cyber security threat to external network infrastructure in a managed security SaaS. Atos provide the leading infrastructure scanning SaaS solution from Outpost24, together with a managed security service from certified security professionals at Atos UK Security Centre. Infrastructure vulnerabilities found from scan engines are often ignored either through lack of understanding or failure to drive through to remediation. The Atos managed service ensures that the results are communicated regularly and effectively through to organisation stakeholders and IT support teams responsible for closing vulnerabilities in the infrastructure. The result is that vulnerabilities are actively tracked and managed through to removal. The managed service ensures that vulnerabilities are diagnosed, understood and mitigated to progressively improve the overall security of the infrastructure over the life of the service. What s included Atos Infrastructure Vulnerability Scanning (Outpost24) is a managed SaaS and includes: Proof of Concept Service configuration Service Delivery Agreement Reporting and remediation monitoring Alerts via SMS and Notice of threat alerts between scans. iii

4 The service comes in 3 service variants: External network scan A monthly scan and reporting service using Outpost24 OUTSCAN SaaS to diagnose external network vulnerabilities. PCI ASV scan A quarterly PCI ASV scan and compliance report using Outpost24 OUTSCAN PCI SaaS to diagnose external network vulnerabilities for compliance with PCI DSS requirements. Delivered from Outpost24, an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council. External Web Application scan A monthly scan and reporting service using Outpost24 WAS a web application scanning service All 3 service variants can add options for: Increased scan frequency Remediation workshops Additional reporting Annual executive report. Who can benefit The service benefits organisation CxOs who are responsible for verifying that an organisations IT infrastructure is not unwittingly exposed to known cyber threats. The service provides scan results and a clear prioritised list of remediation actions to reduce the organisations exposure to cyber threats. The prioritised action list and remediation workshops allow the CxO to push remediation through to a successful conclusion and see the results in subsequent scans. The PCI DSS scan option is a cost effective solution to verifying PCI DSS compliance and output of compliance report to the authorising bank. The service benefits the organisation s security team by releasing them from routine scanning and reporting and allows them to focus on addressing critical security issues and risks. The service benefits organisations with responsibility for implementing appropriate cyber security controls on the IT infrastructure but with no in-house security team. This service can communicate directly with infrastructure stakeholders and IT support teams to ensure that the infrastructure vulnerabilities are understood and acted upon. The service can perform as an independent third party to diagnose and advise management teams on mitigating cyber threats at the infrastructure perimeter. The remediation workshop option delivers guidance and prioritisation direct to the responsible infrastructure teams. iv

5 v

6 Contents 1. Introduction Service summary How this product can be used Service overview Service features External Network Scan PCI DSS Approved Scanner Vendor (ASV) Scan External Web Application Scan Further Deployment Options Service Roadmap Contractual commitment Backup/restore and disaster recovery On-boarding and off-boarding On-boarding Off-boarding Pricing External Network Scan PCI DSS Approved Scanner Vendor (ASV) Scan External Web Application Scan Atos Security Professional Services Service management Service constraints Service levels Financial recompense Training Ordering and invoicing process Termination terms By consumers (i.e. consumption) By the Supplier (removal of the G-Cloud Service) Data restoration / service migration Customer responsibilities Technical requirements Trial service Glossary vi

7 1. Introduction Atos provides a wide range of security solutions that help customers increase their level of IT security in a cost effective way. Atos Infrastructure Vulnerability Scanning (Outpost24) SaaS is one such service. The service is delivered by certified security specialists using the market leading product from Outpost24 for mitigating infrastructure vulnerabilities at the external perimeter. Outpost24 is PCI Approved Scanning Vendor (ASV). There are three scan services: External Network Scan of the infrastructure at the external perimeter PCI DSS Approved Scanner Vendor (ASV) Scan External Web Application Scan of web apps at the external perimeter. 1.1 Service summary The service is a subset of Atos and Outpost24 infrastructure scanning capabilities designed specifically as a managed SaaS service for G-Cloud to ensure that the identified vulnerabilities do not get ignored by the parties responsible for resolution. Successful protection requires that the vulnerabilities are not only identified but then managed through to successful remediation. Outpost24 scan technology and Atos service management ensure the results are communicated effectively to support teams and stakeholders. Regular reports of vulnerability discovery and remediation allow the organisation to track vulnerability elimination and mitigation by their IT support partners. Organisations requiring PCI DSS compliance for their authorising bank can contract the PCI ASV service. Outpost24 is an Approved Scanning Vendor (ASV) for PCI DSS compliance. The ASV service generates quarterly compliance reports which can be sent direct to the authorising bank. Key features: Proof of Concept available Fully managed scanning service requires no security expertise from contracting organisation Award winning scanning technology from Outpost24 Independent third party assessment of infrastructure and web applications exposed to external cyber threats Additional options for: Increased scan frequency Remediation workshops Ad-hoc scans Atos Security Professional Services to facilitate and enable service adoption and utilisation. 1

8 1.2 How this product can be used The three service options are used to: Provide regular detection of external infrastructure vulnerabilities at risk of cyber-attack Inform management of the vulnerabilities and provide prioritised remediation advice to improve the protection of the infrastructure to cyber threats Prioritise the remediation actions and interface with the organisations IT infrastructure support teams to ensure that vulnerabilities are identified, tracked and managed through to closure Give independent third party assessment of infrastructure vulnerability Provide a managed security service for diagnosing infrastructure and web application vulnerabilities for organisations that cannot spare valuable internal security resources for this routine but essential task Generate quarterly PCI ASV compliance report demanded by authorising bank for PCI DSS compliance (PCI ASV scan only) Diagnose vulnerabilities specific to externally facing web applications (web application scan only). 2

9 2. Service overview 2.1 Service features As organisations increase their dependency on timely, correct and confidential digital information, their exposure to cyber threats increase. Coupled with increased connectivity and interoperability of IT delivery eco-systems, the surface area of potential attack is further increased. Historically, online and network security technologies such as anti-malware, IDS systems and log monitoring detected infections and attack signatures, only requiring action after an incident occurred. This reactive approach is no longer sufficient given that the damage is done as soon as the vulnerability is exploited. Furthermore, security specialists are in short supply and difficult to retain. Just buying a scanning tool means that the steps for mitigating the discovered security vulnerabilities are not always understood or acted upon. The Atos Infrastructure Vulnerability Scanning (Outpost24) SaaS solves this challenge by combining the award winning Outpost24 scan engine with a managed security service to discover vulnerabilities and then help manage remediation through to completion. The result is that vulnerabilities are systematically discovered and then managed out of the infrastructure. Thus leading to a long term and sustained improvement in the organisations resistance to cyber-attack. The Atos Infrastructure Vulnerability Scanning (Outpost24) SaaS has three scan services: External Network Scan of the infrastructure at the external perimeter PCI DSS Approved Scanner Vendor (ASV) Scan External Web Application Scan of web apps at the external perimeter. 2.2 External Network Scan The External Network Scan utilises Outpost24 OUTSCAN SaaS. OUTSCAN diagnoses external network vulnerabilities; the service analyses the vulnerabilities and prioritises the remediation actions. Atos certified security professionals report on and track the remediation of the vulnerabilities discovered. The discovery, diagnosis, reporting of vulnerabilities combined with tracking the remediation actions, helps secure sensitive data against external cyber threats. The standard service provides monthly scans of the infrastructure. Outpost24 Scanless Scanning technology provides additional protection between scans by alerting immediately upon detection of new threats that can potentially exploit vulnerabilities in the organisations infrastructure. The Atos solution provides: Commissioning of OUTSCAN service against a defined list of network addresses Scan template setup, automated reporting setup and service initiation Service Delivery Agreement 3

10 Monthly scan reporting, analysis, and interpretation by Atos Security Centre. Including: Trends, risks, solutions and vulnerabilities CVSS (Common Vulnerability Scoring System) risk rating allows quick identification of critical risks, using a scale Remediation action tracking Flexible data selection in reports Alerts from new threats between scheduled scans detected by OUTSCAN scanless scanning Additional options for: More scans e.g. higher frequency or remediation scans Remediation workshops, one day workshop from security specialist to stakeholders and IT infrastructure owners to advise and consult upon remediation activities. End of year executive report. Proof of concept. 2.3 PCI DSS Approved Scanner Vendor (ASV) Scan The PCI ASV Scan uses the Outpost24 OUTSCAN PCI cloud SaaS. Outpost24 is an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council. OUTSCAN PCI is an extension of OUTSCAN designed specifically to verify and prove PCI DSS compliance. OUTSCAN PCI examines network perimeters for vulnerabilities that cause non-compliance with PCI DSS requirements. The standard service provides quarterly compliance report scans with compliance reports sent directly to the authorising bank. The service is delivered from the Outpost24 cloud SaaS, is quick to initiate and is a very cost effective means of verifying PCI DSS compliance. The Atos solution provides: Commissioning of OUTSCAN PCI service against a defined list of network addresses Scan template setup, automated reporting setup and service initiation Service Delivery Agreement Quarterly compliance scan and report Additional options for: Increased scan frequency scheduled either as monthly scans or verification scans prior to scan for PCI ASV compliance report Remediation workshops, one day workshop from security specialist to stakeholders and IT infrastructure owners to advise and consult upon remediation activities. Ad-hoc scans Failed compliance findings enquiry resolution Proof of concept. 4

11 2.4 External Web Application Scan The External Web Application Scan utilises Outpost24 WAS SaaS. Outpost24 WAS inspects web applications and detects vulnerabilities and deviations from security best practices. The majority of external cyber-attacks are against web application weaknesses. Consequently this service is invaluable for organisations with web applications delivering important information, content and services on the internet. The standard service provides monthly scans of the external facing web applications including the auditing of features like: Cross-Site Scripting SQL injection Blind SQL injection Insecure cryptographic solutions Insecure session management Incorrect server configurations Information disclosure detection (Credit Cards) Incorrect header information CRLF injections Command execution Format string exceptions Un-validated redirects AJAX support. The Atos solution provides: Commissioning of OUTSCAN WAS service against defined list of web application addresses. Scan template setup, automated reporting setup and service initiation. Service Delivery Agreement Monthly scan reporting, analysis, and interpretation by Atos Security Centre. Including: Trends, risks, solutions and vulnerabilities CVSS (Common Vulnerability Scoring System) risk rating allows quick identification of critical risks, using a scale Remediation action tracking Flexible data selection in reports Additional options for: Proof of concept More scans e.g. higher frequency or remediation scans Remediation workshops, one day workshop from security specialists to stakeholders and IT infrastructure owners to advise and consult upon remediation activities End of year executive report Security Professional Services to facilitate service adoption and utilisation. 5

12 2.5 Further Deployment Options The services described above protect the external perimeter but many security breaches are caused by those with access to internal networks, including staff, former employees, consultants, vendors and customers. Data and asset protection must be managed proactively to effectively protect sensitive information, intellectual property, service continuity and personal data. Atos will be pleased to discuss provision of internal network vulnerability solutions using the Outpost24 technology. 2.6 Service Roadmap The Outpost24 product range is under continual improvement. By adopting the SaaS solutions described in this service, the organisation is assured of remaining up to date with the latest developments in scanning technology without the need for managing software updates and new product installations in the organisations infrastructure. 6

13 3. Contractual commitment Atos is fully committed to protecting the Confidentiality, Integrity and Availability of consumer data that is entrusted to us. We provide accredited services to a wide range of UK government departments including the Home Office, Department of Work and Pensions, the Ministry of Defence, executive agencies, local authorities and other public sector and government regulated organisations. A number of our G-Cloud services have been formally accredited by the Pan Government Accreditor (PGA). We also serve many different private sector organisations, including financial services institutions and health services. Atos has a number of sites and facilities that are HMG accredited to process information at OFFICIAL, these sites meet or exceed the standards laid down in the Security Policy Framework (SPF). The Atos Data Centres are ISO27001 certified and PCI DSS certified. The Atos PaaS service has approval for connection to the PSN network. In all cases these facilities are hosted on-shore in the UK, managed by SC cleared staff and include secure office areas and secure data processing centres. In the financial services sector we provide services that meet FSA requirements. The PCI Security Standards Council and VISA Europe have classified Atos UK as a Level 1 Payment Services Provider, based on its aggregated level of Payment Card transactions. We have a company-wide strategic PCI DSS Compliance programme which defines methods and timescales for the achievement of compliance for all of Atos hosted customer accounts and support services, whose requirements include the processing of Payment Card information. Within the defence sector, Atos is approved to hold UK government OFFICIAL protectively marked information and has the capability and accreditation to host data and associated systems marked as SECRET or TOP SECRET. Atos uses customer networks for transmission where appropriate and is fully compliant with procedures relating to the manual handling of protectively marked information. 7

14 4. Backup/restore and disaster recovery Where Atos has agreement to store data from the scan it is downloaded from the scanning platform and stored securely at an Impact Level agreed with the organisation. In the event of the scanning platform failing a new platform is built from a master build image. Backup/restore and Disaster Recovery will be configured to the Organisation specific needs. Atos has extensive experience in providing these capabilities to meet or exceed the requirements of Official for people, infrastructure and locations. 8

15 5. On-boarding and off-boarding 5.1 On-boarding On-boarding the service is simple. Prior to conducting the scan the Atos security specialists will discuss the customer s needs of the scan to determine the coverage, frequency and depth of the scan activity and the type of reporting required. A Service Delivery Agreement defines the service, communication channels and escalation points to be used for the duration of the service. 5.2 Off-boarding Should the customer decide to de-commission the scanning service, all future scans are cancelled and the customer will receive a copy of the data collected in the scanning activities conducted to that date, all data held by Atos will then be destroyed. 9

16 6. Pricing 6.1 External Network Scan The table below is for between 1-10 IP addresses. Prices exclude VAT and are for year fee payable at point of order. Service Year1 Year2 Notes External Network Scan Up to 10 IP addresses Additional Monthly Written Report Remediation Workshop End of Year Executive Report Additional adhoc scans 8,195 4,295 Outpost24 OUTSCAN SaaS up to 10 IP addresses. Year1 includes Service commissioning, scan template setup, report setup, service initiation, SDA, 12 monthly scans and delivery of automatically generated scan reports. Includes automatic threat alerts between scans. Year 2 price conditional on no break in service from Year 1. 11,495 11,495 Analysis of trends, threats, issues identified in the OUTSCAN generated scan report. 17,195 17,195 Monthly one day time boxed workshop on prioritised remediation actions. Held at UK customer site. 2,595 2,595 Analysis of trends, threats, issues, and risks over the preceding 12 months. Includes recommended action plan for next 12 months. 3,595 3, ad-hoc scans of all or part of the scheduled scan IP addresses. The scans can be requested over the contract period in place at time of purchase. The table below is for between IP addresses Service Year1 Year2 Notes External Network Scan Up to 50 IP addresses Additional Monthly Written Report Remediation Workshop 16,995 12,995 Outpost24 OUTSCAN SaaS up to 50 IP addresses. Year1 includes Service commissioning, scan template setup, report setup, service initiation, SDA, 12 monthly scans and delivery of automatically generated scan reports. Includes automatic threat alerts between scans. Year 2 price conditional on no break in service from Year 1. 45,995 45,995 Analysis of trends, threats, issues identified in the OUTSCAN generated scan report. 17,195 17,195 Monthly one day time boxed workshop on prioritised remediation actions. Held at UK customer site. 10

17 Service Year1 Year2 Notes End of Year Executive Report Additional adhoc scans 5,195 5,195 Analysis of trends, threats, issues, and risks over the preceding 12 months. Includes recommended action plan for next 12 months. 13,995 13, ad-hoc scans of all or part of the scheduled scan IP addresses. The scans can be requested over the contract period in place at time of purchase. 6.2 PCI DSS Approved Scanner Vendor (ASV) Scan The table below is for between 1-10 IP addresses. Prices exclude VAT and are for year fee payable at point of order. Service Year1 Year2 Notes PCI ASV Scan Up to 10 IP addresses Additional Quarterly Written Report Remediation Workshop Additional monthly verification scans End of Year Executive Report 5,195 1,395 Outpost24 OUTSCAN PCI ASV up to 10 IP addresses. Year1 includes Service commissioning, scan template setup, report setup, service initiation, SDA, 4 quarterly compliance scans and delivery of automatically generated scan reports. Year 2 price conditional on no break in service from Year 1. 3,995 3,995 Analysis of trends, threats, issues identified in the OUTSCAN quarterly generated scan report. 5,995 5,995 Quarterly, one day time boxed workshop on prioritised remediation actions. Held at UK customer site. 1,795 1, additional compliance scans and scan results. No compliance report produced. 2,595 2,595 Analysis of trends, threats, issues, and risks over the preceding 12 months. Includes recommended action plan for next 12 months. Failed compliance findings enquiry resolution Time & materials Time & materials Security specialist to investigate PCI ASV scan non-compliance events. Rates as per SFIA rate card - Atos 11

18 The table below is for between IP addresses Service Year1 Year2 Notes PCI ASV Scan Up to 50 IP addresses Additional Quarterly Written Report Remediation Workshop Additional monthly verification scans End of Year Executive Report 8,195 4,395 Outpost24 OUTSCAN PCI ASV up to 50 IP addresses. Year1 includes Service commissioning, scan template setup, report setup, service initiation, SDA, 4 quarterly compliance scans and delivery of automatically generated scan reports. Year 2 price conditional on no break in service from Year 1. 15,495 15,495 Analysis of trends, threats, issues identified in the OUTSCAN generated scan report. 5,995 5,995 Quarterly one day time boxed workshop on prioritised remediation actions. Held at UK customer site. 6,995 6, additional compliance scans and scan results. No compliance report produced. 5,195 5,195 Analyses trends over the year including, threats, vulnerability sources, and remediation progress. Failed compliance findings enquiry resolution Time & materials Time & materials Security specialist to investigate PCI ASV scan non-compliance events. Rates as per SFIA rate card - Atos 6.3 External Web Application Scan The table below is for between 1-10 IP addresses. Prices exclude VAT and are for year fee payable at point of order. Service Year1 Year2 Notes External Web Application Scan Up to 10 web app addresses Additional Monthly Written Report 8,995 5,195 Outpost24 OUTSCAN WAS SaaS up to 10 web app addresses. Year1 includes Service commissioning, scan template setup, report setup, service initiation, SDA, 12 monthly scans and delivery of automatically generated scan reports. Includes automatic threat alerts between scans. Year 2 price conditional on no break in service from Year 1. 11,495 11,495 Analysis of trends, threats, issues identified in the OUTSCAN WAS generated scan report. 12

19 Service Year1 Year2 Notes Remediation Workshop End of Year Executive Report Additional adhoc scans 17,195 17,195 Monthly one day time boxed workshop on prioritised remediation actions. Held at UK customer site. 2,595 2,595 Analyses trends over the year including, threats, vulnerability sources, and remediation progress. 3,595 3, ad-hoc scans of all or part of the scheduled scan web app addresses. The scans can be requested over the contract period in place at time of purchase. The table below is for between IP addresses Service Year1 Year2 Notes External Web Application Scan Up to 50 web app addresses Additional Monthly Written Report Remediation Workshop End of Year Executive Report Additional adhoc scans 18,995 14,995 Outpost24 OUTSCAN WAS SaaS up to 50 web app addresses. Year1 includes Service commissioning, scan template setup, report setup, service initiation, SDA, 12 monthly scans and delivery of automatically generated scan reports. Includes automatic threat alerts between scans. Year 2 price conditional on no break in service from Year 1. 45,995 45,995 Analysis of trends, threats, issues identified in the OUTSCAN WAS generated scan report. 17,195 17,195 Monthly one day time boxed workshop on prioritised remediation actions. Held at UK customer site. 5,195 5,195 Analyses trends over the year including, threats, vulnerability sources, and remediation progress. 13,995 13, ad-hoc scans of all or part of the scheduled scan web app addresses. The scans can be requested over the contract period in place at time of purchase. 6.1 Atos Security Professional Services Atos Security Professional Services can be engaged to facilitate and enable adoption and utilisation of Atos Infrastructure Vulnerability Scanning service. Service Price Minimum order size Atos Security Professional Services At SFIA rate card - Atos Day 13

20 7. Service management The service is typically available during standard Working Hours/Days Monday to Friday 09:00 to 17:30 excluding public holidays. Scans can be scheduled out of hours or in predefined service windows and IP ranges by arrangement. Automated reports output directly from the Outpost24 product can be communicated to an agreed recipient/location on scan completion. Alerts from Outpost24 scanless scanning capability can be automatically communicated to the agreed escalation point when they are received from Outpost24. Where detailed reports are a service deliverable the detailed reports from the scans are communicated within 5 days of the scan completion. 14

21 8. Service constraints In order for the scan to be conducted the Customer will need to: Give authorisation for the scan to proceed Provide details of the IP addresses to be scanned Give access to the perimeter of infrastructure estate containing the IPs and web applications to be scanned. The service only provides information of the vulnerabilities discovered, remediation action remains a customer responsibility or that of the customer s service providers. Additional remediation advice can be arranged via Atos Security Professional Services to assist the organisation s IT support functions in the remediation of vulnerabilities discovered. 15

22 9. Service levels The standard service level is: Service measure Typical service level Service Availability 95% Service Availability Window Support Availability Window (second line) Support Language Report generation 09:00-17:00 Mon-Fri Business Days 5*9 hours: Business Days, 08:00-17:00 h English Inform stakeholders that a report is readily available within 5 days after scan has been conducted 16

23 10. Financial recompense To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable endeavours basis. Please refer to the Atos Supplier Terms. In accordance with the guidance within the CCS G-Cloud Framework Terms and Conditions, the Customer may terminate the Call-Off Agreement at any time, without cause, by giving at least thirty (30) Working Days prior notice in writing. The Call-Off Agreement terms and conditions and the Atos Supplier Terms will define the circumstances where a refund of any pre-paid service charges may be available. 17

24 11. Training No training is required to benefit from this service although the scan report should be communicated to security and infrastructure specialists in the customer s organisation or that of the service providers in order to remedy the vulnerabilities discovered. Atos security specialists will discuss the coverage and benefit from the various scan options prior to scanning the estate. Options are available for remediation workshops and advice. If training and guidance to customer staff and providers is required it can be provided at the rates defined in our Atos Security Professional Services SFIA Rate Card - Atos that was submitted as part of our G-Cloud submission. Please get in touch for details (gcloud@atos.net). 18

25 12. Ordering and invoicing process Ordering this product is a straightforward process. Please forward your requirements to the address GCloud@atos.net. We will prepare a quotation and agree that quotation with you, including any volume discounts that may be applicable. Once the quotation is agreed, we will issue you with the necessary documentation (as required by the G-Cloud Framework) and ask you to provide us with a purchase order. Once we have received your purchase order, the services will be configured to the requirements agreed. If you are a new customer, additional new supplier forms may need to be completed. Invoices will be issued to you and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, we will also complete the mandated management information reports to Government Procurement Services detailing the spend that you have placed with us. Cabinet Office publish a summary of this monthly management information at: 19

26 13. Termination terms 13.1 By consumers (i.e. consumption) Termination shall be in accordance with: The G-Cloud Framework terms and conditions Any terms agreed within the Call Off Agreement under section 10.2 of the Order Form (termination without cause) where the Crown Commercial Service (CCS) guidance states At least thirty (30) Working Days in accordance with Clause CO-9.2 of the Call-Off Agreement Atos Supplier Terms for this Service as listed on the Digital Marketplace. For this specific service, by default Atos ask for at least thirty (30) Working Days prior written notice of termination as per the guidance within the CCS G-Cloud Framework Terms and Conditions By the Supplier (removal of the G-Cloud Service) Atos commits to continue to provide the service for the duration of the Call-Off Agreement subject to the terms and conditions of the G-Cloud Framework, the Call-Off Agreement and the Atos Supplier Terms. 20

27 14. Data restoration / service migration Not applicable as there is no data to restore and no service to migrate. 21

28 15. Customer responsibilities The principal customer responsibilities are: Provide all required authorisation for scanning the Customer infrastructure. Where access disputes arise, the consumer will mediate the dispute and inform Atos of the outcome Ensure that the Security Specialists conducting the scan have access to all areas of the customer infrastructure needed to fulfil the service Provide all possible assistance to allow the Atos security specialists to operate at the specified infrastructure sites Escalate and manage the actions required to deal with any security remediation or mitigation recommended from the scan service. 22

29 16. Technical requirements Technical requirements will be discussed and agreed with customer and their representatives prior to the first scan. 23

30 17. Trial service Trial services are available for all 3 service variants: External Network Scan 2 week proof of concept against a single IP on the external perimeter and output of a sample report PCI ASV Scan 2 week proof of concept against a single IP scan and output of a sample report Web Application Scan - 2 week proof of against a single web application on the external perimeter and output of a sample report. 24

31 18. Glossary Term 2FA APT ASAC-S ASV CEH CISM CISSP GPS IL IP LDAP OATH RADIUS RSA SAML Security+ SMS SSCP SSL SSO TCO VPN Explanation Two Factor Authentication Advanced Persistent Threat Atos Secure Authentication for Cloud SafeNet Approved Scanning Vendor for PCI DSS Certified Ethical Hacking Certified Information Security Manager Certified Information Security Professional Government Procurement Service Impact Level Internet Protocol address, a numerical label assigned to each device on the network. Lightweight Directory Access Protocol Open AuTHentication an open source standard Remote Authentication Dial-In User Service Product Vendor Security Assertion Markup Language CompTIA Security+ certification Short Message Service Systems Security Certified Practitioner Secure Socket Layer Single Sign On Total Cost of Ownership Virtual Private Network 25

32 26