IBM Security in the Software Development Lifecycle

Transcription

1 IBM Security in the Software Development Lifecycle Service Definition 1

2 1. Summary 1.1 Service Description This offering is provided by IBM Global Technology Services, Security and Privacy, for the design and implementation of security measures, professionally tailored to meet your organisation s specific needs through each stage of the development lifecycle. IBM offers thorough, end-to-end security services designed to identify and address the specific needs of client software development projects. Its highly knowledgeable team of registered CLAS consultants and security architects have between them many years experience of implementing security programmes across both the public and private sectors, as well as for organisations of many different sizes, representing a spectrum of industries. They offer in-depth, personalised consultations, with the aim of forming a good understanding of the client s business, style of working and the focus of the specific project. The IBM team then formulates a bespoke roadmap of security activities, tailored to ideally fit with the phases of the project and suit the specific requirements of the client. The service incorporates advice and guidance on all areas of security including: Physical security e.g. secure perimeters Information security e.g. firewalls, password protection Personnel security e.g. access control Network security Architecture and solution designs Specifications in which IBM has a great deal of prior experience include the design and implementation of security processes on projects that ensure compliance with recognised standards such as ISO We also tailor our methods to those that fit best with the client s modus operandi, for example endeavouring to keep system outages to a minimum in order to maintain key live environments. Dependent on our clients requirements and budget, we offer full management of security roadmap implementation or continued consultation support for clients own implementation teams. 2

3 1.2 Service Characteristics Lot Applicability Security in the Development Lifecycle Any medium-large public or private sector organisation embarking on a development project, for which they require comprehensive security protection. Contract Duration Contract Price Lead time to start Related Lot(s) /Offering(s) Flexible to be agreed in the Call-Off Order Variable based on time and materials depending on agreeing, with the Contracting Authority, the resources required for the Call-Off Order, based on the IBM SFIA rate table. The price will be subject to VAT and out of pocket expenses incurred outside the M25. 2 weeks IBM Hosted Vulnerability Management 'VMS' IBM Host Security Event and Log Management (SELM) 1.3 Why IBM IBM has been a member of the CESG Listed Adviser Scheme (CLAS) since 2002 and currently employs a total of 11 CLAS consultants as well as high quality independent contractors. In addition to CLAS, our consultants hold qualifications such as CISSP, CISM, CISA, IISP, ISO27001 Lead Auditor & Implementer, CSSLP, CRISC, Certified Data Protection Practitioner, CEH and Tiger Scheme as well as IBM Certification at Experienced and Expert levels as Security Consultants and Security Architects. As a List X organisation IBM has a full time List-X Security Controller with access to the full Security Policy Framework. We work closely with the security authorities to implement physical and personnel security as well as information security. As a result of this our CLAS consultants are able to advise on vetting and physical security matters, undertaking a Security Assessment for Protectively Marked Assets (SAPMA) where appropriate. Our approach to documenting and delivering information security controls, processes and procedures consistently is in accord with ISO/IEC27002:2005. We have extended this with technical standards for implementation and configuration of security functions, based on our extensive experience of deploying solutions in high assurance environments. This approach, together with other applicable industry standards, including ISO/IEC27003, ISO/IEC 27005, SAS70, COBIT and ITIL, provides a unique integrated management system that fully meets specific security requirements. This approach was used to great 3

4 effect on recent projects including IABS for the UKBA which was accredited for live operations in February Accreditation included signing the GSI Code of Connection and interconnecting with POISE (Home Office IT system) and the UKBA Warnings Index. IBM has a strong catalogue of experience in designing and implementing security processes for all types of organisations. We have a constant presence in numerous large-scale public sector projects and also do a great deal of security work for private companies in the telecommunications, financial and industrial spheres. Our consultants have backgrounds in various types of project and are skilled at assessing an organisation s business and project requirements and designing bespoke security solutions accordingly. 1.4 Contact Contact Name Steve Cliff Title IBM UK Cloud Alliances Executive Address PO Box 41 North Harbour Portsmouth Hants, PO6 3AU Contact stevecliff@uk.ibm.com Contact Phone

5 2. Delivery 2.1 Context During a development project, numerous new security vulnerabilities inevitably arise: the creation or application of intellectual property in a new capacity necessitates the implementation of protective measures; involvement with other organisations may pose a risk to personal or business data security, possibly even requiring adherence to prespecified standards such as ISO27001; and access control must be considered to protect against asset loss or mismanagement. When all hands are occupied with development work, it is often all too easy to let security considerations slip, and yet this could store up potentially serious problems for the future. 2.2 What we will deliver With this service offering, IBM takes responsibility for identifying and assessing all the potential security threats applicable to a project and provides detailed professional guidance on the measures that may be taken to address these. IBM will work with you to fully understand the nature and complexities of your business in order to provide the most closely-applicable, thorough and watertight security solutions possible. Our highly experienced consultants have extensive knowledge of applying security measures to many different types of organisation, so they offer a clear, tested, and sharply-defined service, which delivers palpable value quickly. Some of the specific services IBM offers as part of its package are: Thorough analysis of the potential security issues at each stage of the development lifecycle. This can be achieved using the Capability Maturity Model Integration (CMMI) standard Tailored and documented strategies, covering physical, personnel, network and information security Continued consultations with CLAS consultants as required throughout each stage of the project Pen testing Managed Security Working Group (SWG) meetings to ensure regular communication with your organisation and keep track of new security-related issues We will work with you to define the initiatives that will enable you to achieve your security goals, whether these are determined by yourselves, your clients or government or global standards, such as the ISO We will craft a realistic roadmap, which will 5

6 include a proposal of how we can support you in achieving the desired outcome by applying a number of skilled IBM delivery professionals into your delivery organisation to give you some short term delivery capacity, allowing you to free up your own team to deliver the changes required. 2.3 Commercials This will be a Time and Materials contract however, following the first phase of the work, there could be the opportunity to discuss the conversion of the initial quote into either a Fixed Price or Risk/Reward based contract in order to provide increased flexibility for your organisation. Initial work will be carried out under the Strategy and Architecture category of the IBM SFIA rate table unless agreed otherwise. Follow on work will be under the appropriate category(ies) of the IBM SFIA rate table. The scope of work will be set out in the Call Off Order Form and agreed by both parties. Follow on services to enable you to complete implementation of cloud services can be provided by IBM. Details should be agreed via the Call-Off Order and priced using the IBM SFIA rate card. 2.4 Key Points Other key points to note are as follows: This offering is subject to availability of IBM resources. The Charges for this Service are on the basis that no Parent Company Guarantee is required. If one is required and agreed to by IBM then the Charges will be revised accordingly. The pricing and terms on individual call-off orders should be handled as commercially sensitive by the Contracting Body. As the work is of a sensitive and secure nature, security standards will be agreed between IBM and the Contracting Body, and IBM will ask the Contracting Body to issue a Security Aspects letter. The work is subject to IBM s Terms of Business, which are attached separately to this catalogue item. 6