IBM Hosted Application Scanning

Transcription

1 IBM Hosted Application Scanning Service Definition IBM Hosted Application Scanning 1

2 1. Summary 1.1 Service Description IBM Hosted Application Security Services Production Application Scanning Service (called Services ) is designed for IBM to provide the Services Recipient with the ability to initiate and perform application scans of production environments. The Service provides access to a hosted and managed IBM environment and includes training of your personnel to help them understand the features of the Service. Scans of customer environments are performed either by IBM or by the Services Recipient depending on the details of the customer order. The Services are intended to be leveraged to assess the security posture of an application that is in a production environment and can be assessed using non-intrusive application checks. The size of an application directly affects the time required to properly assess the security posture of the application. For this reason, applications to be scanned under the IBM Hosted Application Security Services Production Application Scanning are classified by application size: Level 1 Small (page count <1000) Level 2 Large (page count >1000) The upper limit on the number of pages of a Level 2 application is 10,000. An application that exceeds that limit shall be considered 2 applications. Please note that form filling and login are not supported for either application size. 1.2 Service Characteristics Lot Applicability Hosted Application Scanning Any private or public sector organisation with applications that require security scanning. Contract Duration Contract Price Lead time to start Flexible to be agreed in the Call-Off Order Variable based on time and materials depending on agreeing, with the Contracting Authority, the resources required for the Call-Off Order, based on the IBM SFIA rate table. The price will be subject to VAT and out of pocket expenses incurred outside the M25. 4 weeks IBM Hosted Application Scanning 2

3 Related Lot(s) /Offering(s) IBM Hosted Vulnerability Management VMS 1.3 Why IBM IBM is able to provide a solution that uses a blend of both its products and experience to provide a holistic approach to managing operational security risks within any system environment. Our solution is flexible that it can be integrated with existing or non-ibm solutions. We provide experienced staff to support and monitor operational environments and who can interpret system threats and support customers where incidents arise. IBM has been a member of the CESG Listed Adviser Scheme (CLAS) since 2002 and currently employs a total of 11 CLAS consultants as well as high quality independent contractors. In addition to CLAS, our consultants hold qualifications such as CISSP, CISM, CISA, IISP, ISO27001 Lead Auditor & Implementer, CSSLP, CRISC, Certified Data Protection Practitioner, CEH and Tiger Scheme as well as IBM Certification at Experienced and Expert levels as Security Consultants and Security Architects. As a List X organisation IBM has a full time List-X Security Controller with access to the full Security Policy Framework. We work closely with the security authorities to implement physical and personnel security as well as information security. As a result of this our CLAS consultants are able to advise on vetting and physical security matters, undertaking a Security Assessment for Protectively Marked Assets (SAPMA) where appropriate. Our approach to documenting and delivering information security controls, processes and procedures consistently is in accord with ISO/IEC27002:2005. We have extended this with technical standards for implementation and configuration of security functions, based on our extensive experience of deploying solutions in high assurance environments. This approach, together with other applicable industry standards, including ISO/IEC27003, ISO/IEC 27005, SAS70, COBIT and ITIL, provides a unique integrated management system that fully meets specific security requirements. This approach was used to great effect on recent projects including IABS for the UKBA which was accredited for live operations in February Accreditation included signing the GSI Code of Connection and interconnecting with POISE (Home Office IT system) and the UKBA Warnings Index. IBM Hosted Application Scanning 3

4 1.4 Contact Contact Name Steve Cliff Title IBM UK Cloud Alliances Executive Address PO Box 41 North Harbour Portsmouth Hants, PO6 3AU Contact Contact Phone IBM Hosted Application Scanning 4

5 2. Delivery 2.1 Context Scanning allows for a thorough assessment of the quality of the security surrounding an organisation s applications, enabling vulnerabilities to be identified swiftly and the gaps filled by counteractive measures. This facilitates the safeguarding of any business or personal confidential data present on these applications. 2.2 What we will deliver IBM offers both the tools and the expertise to provide thorough, directed, automated application scanning to assess the vulnerabilities of its clients Web-based applications. Depending on the terms of the agreement, the client organisation can either opt for a comprehensive, professional scanning service, with IBM resources performing the scans, or else purchase the tools and knowledge to enable their own employees to do so. The Service can offer the following measurable features, gauged using Service Level Agreements: IBM Scanning Platform availability 99.9% IBM Managed Security Services (MSS) Portal Availability 99.9% Authorised Security Contacts 3 users Scan Initiation Response 1 or 2 business days Critical Priority Issue Alert Notification 60 minutes Scan Review Initiation 1 business day False Positive Rate 0% Request to Re-Scan Execute 1 or 2 business days Response to Inquiry 4 business hours The Service features here described are dependent on the availability and supportability of the products and product features being utilised. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This includes both IBM-provided and non- IBM-provided hardware, software, and firmware. The Services will be provided using IBM AppScan Enterprise Edition Software (the Scanning Software ). IBM Hosted Application Security Services are delivered by resources located in IBM facilities. The Scanning Platform is available 24 hours/day, 7 days/week; however, access to Application Security Analysts for Services is provided during normal business hours, IBM Hosted Application Scanning 5

6 2.3 Commercials This will be a Time and Materials contract however, following the first phase of the work, there could be the opportunity to discuss the conversion of the initial quote into either a Fixed Price or Risk/Reward based contract in order to provide increased flexibility for the customer. Initial work will be carried out under the Strategy and Architecture category of the IBM SFIA rate table unless agreed otherwise. Follow on work will be under the appropriate category(ies) of the IBM SFIA rate table. The scope of work will be set out in the Call Off Order Form and agreed by both parties. Follow on services to enable you to complete implementation of cloud services can be provided by IBM. Details should be agreed via the Call-Off Order and priced using the IBM SFIA rate card. 2.4 Key Points Other key points to note are as follows: This offering is subject to availability of IBM resources. The Charges for this Service are on the basis that no Parent Company Guarantee is required. If one is required and agreed to by IBM then the Charges will be revised accordingly. For Fixed Price offerings, Travel and Subsistence (T&S) costs are included for work within the M25. For work outside the M25, T&S will be payable using the Contracting Body s standard T&S rates. The pricing and terms on individual call-off orders should be handled as commercially sensitive by the Contracting Body. Where work is of a sensitive and secure nature, security standards will be agreed between IBM and the Contracting Body, and if necessary IBM will ask the Contracting Body to issue a Security Aspects letter. Whilst we do not propose to handle or have access to any personal data, we will suggest and agree alternative approaches such as the use of anonymised data for testing purposes. The work is subject to IBM s Terms of Business, which are attached separately to this catalogue item. IBM Hosted Application Scanning 6

7 IBM Hosted Application Scanning 7