FIRN Secure Internet Bundled Services:

Transcription

1 FIRN INTERNET SECURITY BUNDLE SERVICES AND NEW ADVANCED SECURITY OPTIONAL SERVICES (New Services and Prices Available July 1, CSAB Orders can be placed as early as March 1, 2014) Ethernet Bandwidth Erate Eligible Cost Priority 1 Bundled Cost - Core + Access + CPE + Basic Firewall Security FIRN Secure Internet Bundle* Monthly Pricing - Table 1.0 DMS Admin Fee Total For Basic Internet & Security Non-Erate Eligible Additional Cost for Advanced Security and Content Filtering and URL blocking 10 Mbps $1, $78.47 $1, $ Mbps $2, $ $2, $ Mbps $2, $ $2, $ Mbps $3, $ $3, $ Mbps $4, $ $4, $ Mbps $5, $ $5, $1, Mbps $5, $ $6, $1, Mbps $6, $ $6, $1, Mbps $6, $ $6, $1, Mbps $6, $ $7, $2, Mbps $6, $ $7, $2, Mbps $6, $ $7, $2, Mbps $10, $ $11, $4, Mbps $15, $1, $16, $6, Mbps $22, $1, $24, $9, *Not available in all FIRN service areas. Engineering evaluation required to determine availability. DMS will generate a service availability inquiry once a CSAB order is received or upon customer request. FIRN Secure Internet Bundled Services: Secure Internet Services: Secure Internet Services for end users are Services combined with a cloud-based basic firewall protection, using a uniform approach and tools, against unauthorized use and access. Page 1 of 12

2 FIRN Secure Internet includes: a) Internet Access b) Local Transport Facilities c) Premise Router d) Cloud Based Basic Firewall Service The cloud-based basic firewall provides the following security functions for all virtual contexts: a) The Sandbox Analyzer to identify and analyze targeted and unknown files for malicious behaviors. It shall generate and automatically deliver protection for newly discovered malware via signature updates. Signature update delivery shall include integrated logging/reporting. b) Geo Blocking to prevent network based access to internal resources by blocking based on geographic location. c) Application Blocking to identify and block unwanted applications without regard to the port they are using for communication. d) Security Information and Event Management (SIEM): Secure Internet Services will include detailed information provided by the MyFloridaNet QRadar tool. DMS and each Secure Internet Services end user will receive two QRadar login accounts allowing them accurate, correlating information regarding network flows (500:1 sampling), session data, packet captures, reputation white/black listing and endpoint system vulnerability results providing the maximum amount of detail to traffic traversing their network connection. This access shall give Secure Internet Services end users visibility into their Internet connection activity, virtual activity, user activity and application activity, giving them intelligence into their FIRN Secure Internet connection. The cloud-based firewall will provide the following optional more advanced security functions for all virtual contexts subscribing to the Advanced Security and Content Filtering service at the pricing listed in the second column of Table 1.0. a) NextGeneration IPS & IDS: By proactively applying deep packet and application inspection of network activity at the border of the FIRN and the internally protected zones, service will provide better analysis and overall security for each FIRN Organization. Automated correlation and Intrusion Analysis by this service will provide notifications of suspected unauthorized network activity and has the ability to prevent the activity from ever reaching the end user s internal network. This feature is part of the advanced cloud-based firewall deployment. b) Malware & Anti-Virus detection: This service feature provides real time antivirus and anti-malware protection. End users will have the ability to automatically take action on malicious files currently in transport across the network. This feature will block unwanted malware and viruses at our edge devices before they consume Internet bandwidth or threaten the local network and ultimately desktop endpoint systems users depend on to access the Internet. This feature is part of the advanced cloud-based firewall deployment. c) Next Generation Content Filtering/URL Blocking is enabled upon request. This service helps End users enforce their protection policies and block inappropriate, Page 2 of 12

3 illegal, and dangerous web content. It will have the ability to block multiple categories of objectionable web content, providing the necessary combination of control and flexibility to protect important resources. The service will deliver sophisticated reporting and visually descriptive monitoring through dashboards, graphs, charts, and data search functionality. This feature is part of the advanced cloud-based firewall deployment. FIRN Help Desk a) FIRN Secure Internet includes access to our standard FIRN helpdesk to provide assistance directly to FIRN end users to answer questions related to all FIRN Secure Internet service tools and services. b) The helpdesk will work directly with the end user to provide advice on remediation methods and industry best practices as they relate to services FIRN provides as part of our Secure Internet offering. c) The helpdesk will be staffed live and/or offer immediate call back within thirty (30) minutes 24x7x365. d) The Secure Internet Service staff will perform daily eyes on glass real-time monitoring and analysis of security events. Monitoring and analysis shall span multiple sources including but not limited to events from the security tools (SIEM), MFN network tools, NetFlow logs, firewall logs, and router logs. New Secure Internet and Advanced Security & Content Filtering Secure Internet services shall be offered based on the rates provided in Table 1.0 below. All current FIRN Internet Services shall remain with the exception of the following changes: 1) Pricing for Secure Internet Services is flat rate (included in Table 1.0) in the AT&T, CenturyLink and Verizon LATA areas. This new pricing shall be an addition to the flat rate and mileage band pricing originally available under the FIRN contract. The new flat rates in Table 1 may not apply outside of these areas. Any connections outside of the AT&T, Century Link, and Verizon LATAs shall be priced as an individual case basis (ICB). ICB pricing shall never be more than the original flat rate pricing available under the original FIRN contract. 2) A FIRN managed CPE router is included in the standard service. However, the FIRN end-user may choose to manage the FIRN CPE router or provide and manage their owned CPE router as long as it is certified by the FIRN Service Provider. The option to manage the CPE router is at no additional cost to the end user. 3) The FIRN Secure Internet service bundle introduces performance measures via Service Level Agreements for Install, Moves, Adds, Changes and Outages with the following Table 2.0 Page 3 of 12

4 Service Performance Measures Table 2.0 SLA Performance Target Liquidated Damages Install, Moves, Adds, Changes ( IMAC ) Site Outage & Service Troubles Restore 64kbps to T1 = 60 days >T1 to 45Mbps = 80 business days >45Mbps = 180 business days Within twenty-four (24) hours Monday Friday. 10% MRC of Service* if performance is not met. 5% MRC of the entire service if outage > 24 hours *MRC of Service = MRC of (Core Port + CPE + Access) for each site Measurement Measured and calculated per incident based on the operational tools provided. FIRN will not be liable where facilities do not exist for access types (excluding Ethernet) greater than 12 Mbps. Measured using the trouble ticketing system. SLA clock will start when the trouble has been reported in the ticketing system. The SLA clock will stop when the site has been restored and verified with the end user. For all service troubles, FIRN must open trouble tickets pro-actively and immediately when the outage has been discovered. The time between the actual outage and the opened trouble ticket was opened will be counted towards SLA restoral time. For example: if an outage occurred at 1:00PM and the trouble ticket was opened at 1:30PM, 30 minutes of this time will be counted towards the SLA restoral time. Note: Secure Internet service shall be available and pricing effective July 1st, FIRN Advanced Security Offerings (ASO): A. ASO can be purchased by end users as an Advanced Security Bundle (ASB) (see B.). Some of these ASB as well as other Advanced Security Offerings may also be purchased separately (See I-J.). B. Advanced Security Bundle (ASB): ASB includes, for each end user selected location (district headquarters): Page 4 of 12

5 1) Fully Managed Device for On-site Intrusion Prevention System (IPS) Device and Service. 2) Fully Managed Device for On-site Premise Firewall Event Logging Management, Analysis and Notification of end user District Area Network (DAN) Firewall. 3) Fully Managed Device for On-site end user Device Event Logging Management and Analysis for up to 15 devices per end user location. 4) Fully Managed Counter Threat Appliance (CTA) to assimilate logging information from all end user selected sources passing on significant events for further analysis. 5) Fully Managed Cloud Based Security Information and Event Management (SIEM) Correlation via forwarded information from the CTA. 6) End User Portal for detailed information regarding their Security incidents and security posture. C. Intrusion Prevention System (IPS): IPS helps eliminate malicious inbound and outbound traffic 24x7x365, without device or signature management, and without increasing in-house headcount. IPS service lets the end user comply with data loss regulations to protect against threats to sensitive data by centralizing the analysis of all devices including firewall logs and provides comprehensive reporting via the FIRN s end user portal to demonstrate the effectiveness of the end user s security controls. The IPS device can be attached to the End User network to provide Intrusion Detection with the onus then on the end user to implement appropriate corrective action. Alternatively, the IPS can be placed in-line of Internet traffic, in which case the FIRN service provider shall implement recommended security response to the intrusion. IPS includes: 1) Configuration and implementation. 2) Administration and tuning. 3) 24x7x365 Real-time security event and device health monitoring. 4) Upgrade, change, and patch management. 5) Thousands of unique countermeasures. 6) Daily audits of existing rules. 7) Advanced analysis and blocking techniques, including advanced statistical analysis, suspicious activity correlation and expert security analysis of patterns. 8) Twice weekly countermeasure updates. 9) Intelligence-enhanced threat protection. 10) On-demand security and compliance reporting. D. Firewall Event Logging: Monitoring of any supported end user premise firewall listed below and support for next generation and HA Firewall pairs at no additional charge. Log information shall be incorporated into the provided SIEM and any SIEM indications of a problem are analyzed by security professionals in near real time and end user are notified Page 5 of 12

6 of any significant firewall events complete with recommended firewall configuration changes. End users desiring a full proactively managed firewall solution can combine this offering with existing FIRN contract firewall management options. Supported firewall devices are: 1) Cisco 2) Juniper Networks 3) Palo Alto Networks 4) Dell SonicWALL 5) Check Point 6) Fortinet E. End User Device Event Logging: The 15 devices can be any mixture of any supported devices (servers, routers, etc.) capable of sending log information to the provided logging device. The logging information shall be fed into the SIEM similar to the Firewall log information and proactively responded to the same way, resulting in notification of the end user of any suspicious activity complete with recommended actions. F. Counter Threat Appliance (CTA): The CTA resides on the end user s network and shall be responsible for maintaining connections to all sources an end user needs monitored and managed. The CTA shall collect logs from these sources and handles parsing, normalization, de-duplication and filtering of collected events. Security events of interest are sent from the CTA to the FIRN s Security Operations Centers (SOC) via a secured connection, where they are prioritized and, if needed, reviewed by the FIRN s service provider certified Security Analysts to determine if any malicious or suspicious activity is occurring. Additionally, the CTA is a secure point from which FIRN s Security Analysts can provide device management. Through the secured connection, the CTA shall have the capability to enable communications and administrative activities for vendor managed devices. G. End User Portal and Reports: The End User Portal shall provide the intelligence and analytics needed to easily understand the risks, demonstrate compliance and make better security decisions. The Portal shall give end users full visibility into their security and compliance posture with advanced reporting functionality integrated across all proffered Advanced Security Offerings. The End User Portal shall include a mobile application ensuring security data is always at the end user s fingertips. H. Advanced Security Bundled Pricing Page 6 of 12

7 ASB Monthly Pricing Table 2.0 Bandwidth Monthly Recurring 10 Mbps $3, Mbps $3, Mbps $3, Mbps $3, Mbps $4, Mbps $4, Mbps $4, Mbps $4, Mbps $4, Mbps $4, Mbps $4, ,000 Mbps $4, ,000Mbps* $9, ,000Mbps* $23, ,000Mbps* $47, *Where available Standalone Advanced Security Options. End user may purchase any of the products and services described below. 1) IPS Monitoring is as described in C. 3) above. Pricing for those wishing to buy as a standalone product is as follows: IPS Monitoring Monthly Pricing - Table 3.0 Internet Bandwidth Monthly Recurring 0 Mbps to 100 Mbps $ Mbps to 1000 Mbps $1, Mbps to 2000 Mbps $1, ) IPS Management was included and described in the bundled offering. Pricing for those wishing to buy as a standalone product is as follows: Page 7 of 12

8 IPS Management Monthly Pricing - Table 4.0 Internet Bandwidth Monthly Recurring 0 Mbps to 100 Mbps $1, Mbps to 500 Mbps $2, Mbps to 1000 Mbps $3, Mbps to 2000 Mbps $4, Mbps to 4000 Mbps $6, Mbps to Mbps $9, ) End User Device Event Monitoring was included and described in for up to 15 devices in the bundled offering. For those wishing to buy monitoring for additional devices or as a standalone offering pricing is as follows: Device Monitoring Monthly Pricing - Table 5.0 Device Count Monthly Recurring 1 $ $1, $12, $23, ) Vulnerability Management service identifies exposures and weak spots in end user environments by performing highly accurate external scanning and internal scanning across the network. Vulnerability Management shall enable vulnerability scanning without the hardware, software and maintenance requirements of scanning products. Vulnerability results shall be integrated into FIRN s other Managed Security Services, allowing threats against vulnerable and non-vulnerable systems to be assessed and prioritized accordingly. The Vulnerability Management technology shall be fully managed and maintained by the FIRN s dedicated vulnerability management team, eliminating administration and maintenance burdens so end users can better focus on protecting assets and reducing risks. Vulnerability Management includes: a) Highly accurate internal and external vulnerability scanning. b) Support for physical, cloud and virtual infrastructure. c) Dedicated vulnerability management team to provide expert guidance and support. d) Flexible reporting and remediation workflow tools via on-demand portal. Page 8 of 12

9 e) 24x7x365 expert support by certified security analysts. Vulnerability Management service Monthly Pricing - Table 6.0 Network or Server Device Count Monthly Recurring 128 $ $1, $12, Application Count Monthly Recurring 10 $ $1, $3, ) Log Retention Services shall be a fully-managed service that provides support for a wide range of sources, allowing capture and aggregation of the millions of logs generated every day by critical information assets such as servers, routers, firewalls, databases, applications and other systems. The Log Retention Services shall support hundreds of devices per appliance. Log Retention Services Include: a) Log Retention device with 13TB of compressed storage (3.8TB uncompressed). b) Capturing and storing end user-specified system logs from the IT devices, systems and other network assets to the Log Retention Appliance. c) Implementing software upgrades and security patches to Log Retention Appliance Monitor the information security, system health and performance of Log Retention Appliances 24x7x365. d) Provide end user client access to the Logs. e) Configure any Log Retention Appliance native alerting functionality to provide alerting to notify end user of any such end user Devices no longer transmitting Logs to the Log Retention Appliances. f) Act as the initial point of contact for end user support. End User Device Count Log Retention Services Monthly Pricing - Table 7.0 (13TB Compressed Capacity) Monthly Recurring 25 $2, $2, Page 9 of 12

10 500 $3, Additional 13/3 8TB Capacity $1, Security Incident Response and Consulting: 1) The Incident Response and Digital Forensics practice shall help provide rapid containment and eradication of threats, minimizing the duration and impact of a security breach. Leveraging elite cyber threat intelligence and global visibility, FIRN shall help end users prepare for, respond to and recover from even the most complex and largescale security incidents. The rate is based upon a response tailored to the particular event and is on a per-end user basis. Incident Response Service Monthly Pricing - Table 8.0 Minimum 50 hours Hourly Rated 1 $449.40* *Includes travel and expenses, discounts may be available for additional hours needed during same on-site visit The FIRN s Security and Risk Consulting (SRC) group shall help customers solve security and compliance challenges. FIRN shall provide services listed below: Regulatory and Compliance Testing and Analysis GLBA (Gramm-Leach-Bliley Act) Gap Analysis HIPAA (Health Insurance Portability and Accountability Act) Gap Analysis FISMA (Federal Information Security Management Act)/NIST (National Institute of Standards and Technology) Gap Analysis PCI (Payment Card Industry) Gap Analysis QSA (Qualified Security Assessor) On-Demand ISO (International Organization for Standardization) 2700x Gap Analysis General Controls Audit Information Security Assessment Security Architecture Review Governance Review Facility Clearance Readiness Review E-Discovery (Electronic Discovery) Security and Compliance Attestation Reporting Third-Party Diligence and Vendor Management IT (Information Technology) Risk Assessment Vulnerability Assessments Penetration Testing Web Application Assessments Network Security Assessment Physical Security Assessment Wireless Network Testing Social Engineering War Dialing Data Discovery and Classification Page 10 of 12

11 Note: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop, implement, and maintain a comprehensive written information security program that protects the privacy and integrity of end user records. The Health Insurance Portability and Accountability Act of 1996 (HIPPA) includes: the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. Payment Card Industry (PCI) Gap Analysis are designed to combat identity theft and to better secure credit card data. Credit card associations created the Payment Card Industry (PCI) Data Security Standard (DSS) and expect organizations that process, store or transmit cardholder data to comply with these standards. ISO (International Organization for Standardization) 2700x is a series of specifications which include Information Security Management Systems whose focus is based on evaluating process rather than content. These standards contain a Code of Practice consisting of a comprehensive set of information security control objectives and a menu of best practice security controls. Security Risk Consulting Service Monthly Pricing - Table 8.0 Minimum 50 hours Hourly Rated 1 $385.20* * Includes travel and expenses 2) All CSAB orders shall include a statement-of-work to be reviewed and approved by DMS and end user. The statement-of-work template shall be defined in the operational and user guide. Service Level Objectives: Security Risk Consulting Service Service Level Objectives - Table 9.0 SLO Type Description Action Security Monitoring (applicable to ASB and Standalone options) End user shall receive a response (according to the escalation procedures defined in the End User Portal or in the manner pre- 1/30th of monthly fee for Service for the Page 11 of 12

12 Active Health Monitoring (for all FIRN provided devices) selected in writing by End user, either through the help desk ticketing system, , or by telephone) to security incidents within fifteen (15) minutes of the determination by the Service Provider that given malicious activity constitutes a security incident. This is measured by the difference between the time stamp on the incident ticket created by the SOC personnel or technology and the time stamp of the correspondence documenting the initial escalation. A security incident is defined as an incident ticket that comprises an event (log) or group of events (logs) that is deemed high severity by the SOC. The most up-todate version can always be found in the Real-Time Events section of the End User Portal). Automatically created incident tickets (via correlation technology) and event(s) or log(s) deemed low severity will not be escalated, but will be available for reporting through the End user portal. Active health checks identifying the following conditions are subject to the following SLAs: affected device 1/30th of monthly fee for Service for the affected device Device Unreachable 30 minute response (via phone, ticket, or ) from identification of the device being unreachable. This is measured by the difference between the time stamp on the device unreachable ticket created by the SOC personnel or technology and the time stamp of the correspondence documenting the initial escalation. Page 12 of 12